@sphereon/ssi-express-support 0.37.2-next.24 → 0.37.2-next.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.cjs +13 -2
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +3 -0
  4. package/dist/index.d.ts +3 -0
  5. package/dist/index.js +13 -2
  6. package/dist/index.js.map +1 -1
  7. package/package.json +3 -3
  8. package/src/express-builders.ts +14 -2
  9. package/src/types.ts +1 -0
package/dist/index.cjs CHANGED
@@ -554,6 +554,7 @@ function env(key, prefix) {
554
554
  __name(env, "env");
555
555
 
556
556
  // src/express-builders.ts
557
+ var DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE = "5mb";
557
558
  var ExpressBuilder = class _ExpressBuilder {
558
559
  static {
559
560
  __name(this, "ExpressBuilder");
@@ -574,6 +575,7 @@ var ExpressBuilder = class _ExpressBuilder {
574
575
  _server;
575
576
  _terminator;
576
577
  _morgan;
578
+ _maxRequestBodySize;
577
579
  constructor(opts) {
578
580
  const { existingExpress, envVarPrefix } = opts ?? {};
579
581
  if (existingExpress) {
@@ -589,6 +591,9 @@ var ExpressBuilder = class _ExpressBuilder {
589
591
  existingExpress: opts?.existingExpress,
590
592
  envVarPrefix: opts?.envVarPrefix
591
593
  });
594
+ if (opts.maxRequestBodySize) {
595
+ builder.withMaxRequestBodySize(opts.maxRequestBodySize);
596
+ }
592
597
  return builder.withEnableListenOpts({
593
598
  ...opts,
594
599
  hostnameOrIP: opts.hostname,
@@ -651,6 +656,10 @@ var ExpressBuilder = class _ExpressBuilder {
651
656
  this._enforcer = enforcer;
652
657
  return this;
653
658
  }
659
+ withMaxRequestBodySize(limit) {
660
+ this._maxRequestBodySize = limit;
661
+ return this;
662
+ }
654
663
  startListening(express3) {
655
664
  this._server = express3.listen(this.getPort(), this.getHostname(), this.listenCallback);
656
665
  this._terminator = (0, import_http_terminator.createHttpTerminator)({
@@ -760,11 +769,13 @@ var ExpressBuilder = class _ExpressBuilder {
760
769
  }
761
770
  this._handlers && this._handlers.length > 0 && app.use(this._handlers);
762
771
  opts?.handlers && app.use(opts.handlers);
772
+ const limit = this._maxRequestBodySize ?? DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE;
763
773
  app.use(import_body_parser.default.urlencoded({
764
- extended: true
774
+ extended: true,
775
+ limit
765
776
  }));
766
777
  app.use(import_body_parser.default.json({
767
- limit: "5mb"
778
+ limit
768
779
  }));
769
780
  return app;
770
781
  }
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/entra-id-auth.ts","../src/oidc-bearer-auth.ts","../src/static-bearer-auth.ts","../src/auth-utils.ts","../src/express-utils.ts","../src/types.ts","../src/express-builders.ts","../src/functions.ts","../src/openid-connect-rp.ts"],"sourcesContent":["export * from './entra-id-auth'\nexport * from './oidc-bearer-auth'\nexport * from './static-bearer-auth'\nexport * from './auth-utils'\nexport * from './express-builders'\nexport * from './types'\nexport { sendErrorResponse, jsonErrorHandler } from './express-utils'\nexport * from './functions'\nexport * from './openid-connect-rp'\n","import passport from 'passport'\nimport { IBearerStrategyOption, IBearerStrategyOptionWithRequest, ITokenPayload, VerifyCallback } from './types'\n\nexport class EntraIDAuth {\n private readonly strategy: string\n private options?: IBearerStrategyOptionWithRequest\n\n public static init(strategy: string) {\n return new EntraIDAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withOptions(options: IBearerStrategyOption | IBearerStrategyOptionWithRequest): this {\n this.options = {\n ...options,\n passReqToCallback: 'passReqToCallback' in options ? options.passReqToCallback : false,\n }\n return this\n }\n\n connectPassport() {\n const _options = this.options\n if (!_options) {\n throw Error('No options supplied for EntraID')\n }\n import('passport-azure-ad')\n .then((entraID) =>\n passport.use(\n this.strategy,\n new entraID.BearerStrategy(_options, function (token: ITokenPayload, cb: VerifyCallback): void {\n if (token) {\n // console.log(`token: ${JSON.stringify(token, null, 2)}`)\n return cb(null, token)\n }\n return cb('bearer token not found or incorrect', null)\n }),\n ),\n )\n .catch((reason) => {\n console.log(reason)\n throw Error('Could not create bearer strategy. Did you include the \"passport-azure-ad/bearer-strategy\" dependency in package.json?')\n })\n }\n}\n","import passport from 'passport'\n\nexport type OIDCAlgorithm = 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512' | 'PS256' | 'PS384' | 'PS512'\n\nexport interface IOIDCBearerOptions {\n issuer: string\n audience?: string | string[]\n jwksUri?: string\n algorithms?: OIDCAlgorithm[]\n}\n\nexport interface IOIDCTokenPayload {\n /** Issuer identifier */\n iss?: string\n /** Subject identifier */\n sub?: string\n /** Audience(s) */\n aud?: string | string[]\n /** Expiration time */\n exp?: number\n /** Not before */\n nbf?: number\n /** Issued at */\n iat?: number\n /** JWT ID */\n jti?: string\n /** Authorized party */\n azp?: string\n /** Scope */\n scope?: string\n /** Client ID */\n client_id?: string\n /** Additional claims */\n [key: string]: unknown\n}\n\nexport class OIDCBearerAuth {\n private readonly strategy: string\n private options: Partial<IOIDCBearerOptions> = {}\n\n public static init(strategy: string) {\n return new OIDCBearerAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withIssuer(issuer: string): this {\n this.options = { ...this.options, issuer }\n return this\n }\n\n public withAudience(audience: string | string[]): this {\n this.options = { ...this.options, audience }\n return this\n }\n\n public withJwksUri(jwksUri: string): this {\n this.options = { ...this.options, jwksUri }\n return this\n }\n\n public withAlgorithms(algorithms: OIDCAlgorithm[]): this {\n this.options = { ...this.options, algorithms }\n return this\n }\n\n public withOptions(options: Partial<IOIDCBearerOptions>): this {\n this.options = { ...this.options, ...options }\n return this\n }\n\n async connectPassport(): Promise<void> {\n const { issuer, audience, algorithms } = this.options\n\n if (!issuer) {\n return Promise.reject(new Error('No issuer supplied for OIDC Bearer Auth'))\n }\n\n let jwksUri = this.options.jwksUri\n if (!jwksUri) {\n jwksUri = await this.discoverJwksUri(issuer)\n }\n\n try {\n const [passportJwt, jwksRsa] = await Promise.all([import('passport-jwt'), import('jwks-rsa')])\n\n const { Strategy: JwtStrategy, ExtractJwt } = passportJwt\n const { passportJwtSecret } = jwksRsa\n\n const jwtOptions = {\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: passportJwtSecret({\n cache: true,\n rateLimit: true,\n jwksRequestsPerMinute: 5,\n jwksUri,\n }),\n issuer,\n audience,\n algorithms: algorithms ?? (['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'] as OIDCAlgorithm[]),\n }\n\n passport.use(\n this.strategy,\n new JwtStrategy(jwtOptions, (payload: IOIDCTokenPayload, done: (error: any, user?: any, info?: any) => void) => {\n if (payload) {\n return done(null, payload)\n }\n return done('Bearer token not found or incorrect', null)\n })\n )\n } catch (error) {\n console.error('Failed to initialize OIDC Bearer Auth:', error)\n return Promise.reject(\n new Error(\n 'Could not create JWT bearer strategy. Did you include \"passport-jwt\" and \"jwks-rsa\" dependencies in package.json?',\n { cause: error }\n )\n )\n }\n }\n\n private async discoverJwksUri(issuer: string): Promise<string> {\n const wellKnownUrl = `${issuer}${issuer.endsWith('/') ? '' : '/'}.well-known/openid-configuration`\n\n try {\n const response = await fetch(wellKnownUrl)\n if (!response.ok) {\n return Promise.reject(\n new Error(`Failed to fetch OIDC configuration from ${wellKnownUrl}: ${response.status} ${response.statusText}`)\n )\n }\n\n const config = (await response.json()) as { jwks_uri?: string }\n if (!config.jwks_uri) {\n return Promise.reject(new Error(`OIDC configuration at ${wellKnownUrl} does not contain jwks_uri`))\n }\n\n return config.jwks_uri\n } catch (error) {\n return Promise.reject(\n new Error(`Failed to discover JWKS URI from OIDC configuration at ${wellKnownUrl}`, { cause: error })\n )\n }\n }\n}\n","import passport from 'passport'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { BearerUser, IStaticBearerVerifyOptions } from './types'\n\nexport class StaticBearerAuth {\n private readonly strategy: string\n private static providers: Map<string, StaticBearerUserProvider> = new Map()\n private static verifyOptions: Map<string, IStaticBearerVerifyOptions | string> = new Map()\n private hashTokens?: boolean = false\n\n public static init(strategy: string, provider?: StaticBearerUserProvider) {\n return new StaticBearerAuth(strategy ?? 'bearer', provider ?? new MapBasedStaticBearerUserProvider(strategy))\n }\n\n private constructor(strategy: string, provider: StaticBearerUserProvider) {\n this.strategy = strategy\n if (StaticBearerAuth.providers.has(strategy)) {\n if (StaticBearerAuth.providers.get(strategy) !== provider) {\n throw Error('Cannot register another user provider for strategy: ' + strategy)\n }\n } else {\n StaticBearerAuth.providers.set(strategy, provider)\n }\n }\n\n get provider() {\n const provider = StaticBearerAuth.providers.get(this.strategy)\n if (!provider) {\n throw Error('Could not get user provider for ' + this.strategy)\n }\n return provider\n }\n\n withHashTokens(hashTokens: boolean): this {\n this.hashTokens = hashTokens\n return this\n }\n\n withUsers(users: BearerUser[] | BearerUser): this {\n this.addUser(users)\n return this\n }\n\n addUser(user: BearerUser[] | BearerUser): this {\n this.provider.addUser(user)\n return this\n }\n\n withVerifyOptions(options: IStaticBearerVerifyOptions | string): this {\n StaticBearerAuth.verifyOptions.set(this.strategy, options)\n return this\n }\n\n connectPassport() {\n const _provider = this.provider\n function findUser(token: string, cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void) {\n const user = _provider.getUser(token)\n if (user) {\n return cb(null, user)\n }\n return cb('bearer token not found or incorrect', false)\n }\n\n import('passport-http-bearer')\n .then((httpBearer) => {\n const hashTokens = this.hashTokens ?? false\n passport.use(\n this.strategy,\n new httpBearer.Strategy({ passReqToCallback: false }, function (\n token: string,\n cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void,\n ): void {\n if (hashTokens) {\n import('@noble/hashes/sha256')\n .then((hash) => {\n findUser(toString(hash.sha256(token)), cb)\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n } else {\n findUser(token, cb)\n }\n }),\n )\n })\n .catch((error) => {\n console.log(`passport-http-bearer package problem: ${error}`)\n throw Error('Did you include passport-http-bearer in package.json?')\n })\n }\n}\n\nexport interface StaticBearerUserProvider {\n strategy: string\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void\n\n getUser(token: string): BearerUser | undefined\n\n hashedTokens?: boolean\n}\n\nexport class MapBasedStaticBearerUserProvider implements StaticBearerUserProvider {\n private readonly _strategy: string\n private readonly _users: BearerUser[] = []\n private readonly _hashedTokens: boolean\n\n constructor(strategy: string, hashedTokens?: boolean) {\n this._strategy = strategy\n this._hashedTokens = hashedTokens ?? false\n }\n\n get users(): BearerUser[] {\n return this._users\n }\n\n get hashedTokens(): boolean {\n return this._hashedTokens\n }\n\n get strategy(): string {\n return this._strategy\n }\n\n getUser(token: string): BearerUser | undefined {\n return this.users.find((user) => user.token === token)\n }\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void {\n const users = Array.isArray(user) ? user : [user]\n if (hashToken) {\n if (!this.hashedTokens) {\n throw Error('Cannot hash token, when hashed tokens is not enabled on the user provider for strategy ' + this.strategy)\n }\n import('@noble/hashes/sha256')\n .then((hash) => {\n users.forEach((user) => (user.token = toString(hash.sha256(user.token))))\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n }\n this._users.push(...users)\n }\n\n getUsers(): BearerUser[] {\n return this._users\n }\n}\n","import express, { NextFunction, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport passport from 'passport'\nimport { ParsedQs } from 'qs'\nimport { sendErrorResponse } from './express-utils'\nimport { EndpointArgs, hasEndpointOpts, HasEndpointOpts } from './types'\n\nexport const checkUserIsInRole = (opts: { roles: string | string[] }) => (req: express.Request, res: express.Response, next: NextFunction) => {\n if (!opts?.roles || opts.roles.length === 0) {\n return next()\n }\n const roles = Array.isArray(opts.roles) ? opts.roles : [opts.roles]\n if (!req?.user || !('role' in req.user)) {\n return res.status(401).end()\n }\n\n // @ts-ignore\n const hasRole = roles.find((role) => req.user.role.toLowerCase() === role.toLowerCase())\n if (!hasRole) {\n return res.status(403).end()\n }\n\n return next()\n}\n\nconst checkAuthenticationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n const defaultCallback = (\n err: any,\n user?: Express.User | false | null,\n _info?: object | string | Array<string | undefined>,\n _status?: number | Array<number | undefined>,\n ) => {\n if (err) {\n const message = 'message' in err ? err.message : err\n console.log('Authentication failed, error: ' + JSON.stringify(message))\n return next({ statusCode: 403, message })\n } else if (!user) {\n console.log('Authentication failed, no user object present in request. Redirecting to /login')\n // todo: configuration option\n return res.redirect('/authentication/login')\n }\n if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n })\n }\n /* /!*if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n return res.redirect('/')\n })\n }*!/*/\n return next()\n }\n\n if (!opts || !opts.authentication || opts.authentication.enabled === false) {\n return next()\n }\n if (!opts.authentication.strategy) {\n console.log(`Authentication enabled, but no strategy configured. All auth request will be denied!`)\n return res.status(401).end()\n }\n const options = {\n ...opts?.authentication?.strategyOptions,\n authInfo: opts?.authentication?.authInfo !== false,\n session: opts?.authentication?.session !== false,\n }\n\n const callback = opts?.authentication?.callback ?? (opts?.authentication?.useDefaultCallback ? defaultCallback : undefined)\n\n passport.authenticate(opts.authentication.strategy, options, callback).call(this, req, res, next)\n}\nconst checkAuthorizationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n if (!opts || !opts.authentication || !opts.authorization || opts.authentication.enabled === false || opts?.authorization.enabled === false) {\n return next()\n }\n /*if (!req.isAuthenticated()) {\n return sendErrorResponse(res, 403, 'Authorization with an unauthenticated request is not possible')\n }*/\n const authorization = opts.authorization\n\n if (!authorization.enforcer && (!authorization.requireUserInRoles || authorization.requireUserInRoles.length === 0)) {\n console.log(`Authorization enabled for endpoint, but no enforcer or roles supplied`)\n return res.status(401).end()\n }\n if (authorization.requireUserInRoles && authorization.requireUserInRoles.length > 0) {\n checkUserIsInRole({ roles: authorization.requireUserInRoles })\n }\n if (authorization.enforcer) {\n const enforcer = authorization.enforcer\n const permitted = enforcer.enforceSync(req.user, opts.resource, opts.operation)\n if (!permitted) {\n console.log(`Access to ${opts.resource} and op ${opts.operation} not allowed for ${req.user}`)\n return res.status(403).end()\n }\n }\n return next()\n}\n\nexport const checkAuthenticationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthenticationImpl(req, res, next, opts)\n}\n\nexport const checkAuthorizationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthorizationImpl(req, res, next, opts)\n}\n\nexport const isUserNotAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n next()\n }\n}\n\nexport const isUserAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n } else {\n return next()\n }\n}\n\nexport const checkAuth = (opts?: EndpointArgs): RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] => {\n const handlers: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] = []\n handlers.push(checkAuthenticationOnly(opts))\n handlers.push(checkAuthorizationOnly(opts))\n opts?.handlers && handlers.push(...opts.handlers)\n return handlers\n}\n\nexport function copyGlobalAuthToEndpoint(args?: { opts?: HasEndpointOpts; key: string }) {\n const opts = args?.opts\n const key = args?.key\n if (!opts || !key || !hasEndpointOpts(opts)) {\n return\n }\n if (key === 'basePath') {\n // make sure to not copy base path over, as we use these at the global router, and this would repeat the path\n return\n }\n if (opts.endpointOpts?.globalAuth) {\n if (opts.endpointOpts[key]?.disableGlobalAuth === true) {\n return\n }\n opts.endpointOpts[key] = {\n ...opts.endpointOpts[key],\n endpoint: { ...opts.endpointOpts.globalAuth, ...opts.endpointOpts[key]?.endpoint },\n }\n }\n}\n\nexport function copyGlobalAuthToEndpoints(args?: { opts?: HasEndpointOpts; keys: string[] }) {\n args?.keys.forEach((key) => copyGlobalAuthToEndpoint({ opts: args?.opts, key }))\n}\n","import express, { NextFunction } from 'express'\n\nexport function sendErrorResponse(response: express.Response, statusCode: number, message: string | object, error?: any) {\n let msg = message\n if (!msg) {\n console.error('Message was null when calling sendErrorResponse. This should not happen')\n msg = 'An unexpected error occurred'\n statusCode = 500\n } else {\n console.error(`sendErrorResponse (${statusCode}): ${typeof msg === 'string' ? msg : JSON.stringify(msg)}`)\n }\n if (error) {\n if (error instanceof Error) {\n console.error(`error message: ${error.message}`)\n }\n console.error(`error object: ${JSON.stringify(error)}`)\n }\n if (statusCode >= 500) {\n console.error('Original error stack (if any) and REST API error stack:')\n console.error(error?.stack)\n console.error(Error().stack)\n }\n if (response.headersSent) {\n console.error(`sendErrorResponse headers already sent`)\n return response\n }\n response.statusCode = statusCode\n if (typeof msg === 'string' && !msg.startsWith('{')) {\n msg = { error: msg }\n }\n if (typeof msg === 'string' && msg.startsWith('{')) {\n response.header('Content-Type', 'application/json')\n return response.status(statusCode).end(msg)\n }\n return response.status(statusCode).json(msg)\n}\n\nexport const jsonErrorHandler = (err: any, req: express.Request, res: express.Response, next: NextFunction) => {\n const statusCode: number = 'statusCode' in err ? err.statusCode : 500\n let errorMsg = typeof err === 'string' ? err : (err.message ?? err)\n if (typeof errorMsg !== 'string') {\n errorMsg = JSON.stringify(errorMsg)\n }\n if (res.headersSent) {\n console.log('Headers already sent, when calling error handler. Will defer to next error handler')\n console.log(`Error was: ${JSON.stringify(err)}`)\n return next(err)\n }\n return sendErrorResponse(res, statusCode, errorMsg, err)\n}\n","import { Enforcer } from 'casbin'\nimport { Express, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport http from 'http'\nimport { HttpTerminator } from 'http-terminator'\nimport { AuthenticateCallback, Strategy } from 'passport'\nimport { ParsedQs } from 'qs'\n\nexport interface IExpressServerOpts {\n port?: number // The port to listen on\n cookieSigningKey?: string\n hostname?: string // defaults to \"0.0.0.0\", meaning it will listen on all IP addresses. Can be an IP address or hostname\n basePath?: string\n existingExpress?: Express\n listenCallback?: () => void\n startListening?: boolean\n // externalBaseUrl?: string // In case an external base URL needs to be exposed\n}\n\nexport function hasEndpointOpts(opts: any) {\n return 'endpointOpts' in opts && opts.endpointOpts\n}\n\nexport type HasEndpointOpts = { endpointOpts?: IEndpointOpts & SingleEndpoints } & Record<string, any>\n\nexport type SingleEndpoints = Record<string, ISingleEndpointOpts | any>\nexport interface IEndpointOpts {\n basePath?: string // The base path used to construct the router\n baseUrl?: string | URL // Typically the external base URL\n globalAuth?: GenericAuthArgs\n}\nexport interface ExpressSupport {\n express: Express\n port: number\n hostname: string\n userIsInRole?: string | string[]\n startListening: boolean\n server?: http.Server\n enforcer?: Enforcer\n start: (opts?: { disableErrorHandler?: boolean; doNotStartListening?: boolean }) => { server: http.Server; terminator: HttpTerminator }\n stop: (terminator?: HttpTerminator) => Promise<boolean>\n}\n\nexport interface ISingleEndpointOpts extends GenericAuthArgs {\n endpoint?: EndpointArgs\n enabled?: boolean\n path?: string\n disableGlobalAuth?: boolean\n}\n\nexport interface GenericAuthArgs {\n authentication?: {\n callback?: AuthenticateCallback | ((...args: any[]) => any)\n useDefaultCallback?: boolean\n enabled?: boolean\n strategy?: string | string[] | Strategy\n strategyOptions?: Record<string, any> | any\n authInfo?: boolean\n session?: boolean\n }\n authorization?: {\n enabled?: boolean\n requireUserInRoles?: string | string[]\n enforcer?: Enforcer\n }\n}\n\nexport interface EndpointArgs extends GenericAuthArgs {\n resource?: string\n operation?: string\n handlers?: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[]\n}\n\nexport interface BearerUser extends Express.User {\n id: string | number\n name?: string\n token: string\n}\n\nexport interface IStaticBearerVerifyOptions {\n message?: string | undefined\n scope: string | Array<string>\n}\n\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface ITokenPayload {\n /** An App ID URI. Identifies the intended recipient of the token. */\n aud?: string | undefined\n /** A security token service(STS) URI. Identifies the STS that constructs and returns the token,\n * and the Azure AD tenant in which the user was authenticated.*/\n iss?: string | undefined\n /** The identity provider that authenticated the subject of the token*/\n idp?: string | undefined\n /** \"Issued At\" indicates when the authentication for this token occurred. */\n iat?: number | undefined\n /** The \"nbf\" (not before) claim identifies the time before which the JWT must not be accepted for processing. */\n nbf?: number | undefined\n /** The \"exp\" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. */\n exp?: number | undefined\n /** An internal claim used by Azure AD to record data for token reuse. */\n aio?: string | undefined\n /** Only present in v1.0 tokens. The \"Authentication context class\" claim. A value of \"0\" indicates the end-user authentication did not meet the requirements of ISO/IEC 29115. */\n acr?: '0' | '1' | undefined\n /** Only present in v1.0 tokens. Identifies how the subject of the token was authenticated. */\n amr?: string[] | undefined\n /** Only present in v1.0 tokens. GUID represents the application ID of the client using the token. */\n appid?: string | undefined\n /** Only present in v2.0 tokens. The application ID of the client using the token. */\n azp?: string | undefined\n /** Only present in v1.0 tokens. Indicates how the client was authenticated. For a public client, the value is \"0\".\n * If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n appidacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. Indicates how the client was authenticated.\n * For a public client, the value is \"0\". If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n azpacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format */\n preferred_username?: string | undefined\n /** Provides a human-readable value that identifies the subject of the token.\n * The value is not guaranteed to be unique, it is mutable, and it's designed to be used only for display purposes. The profile scope is required in order to receive this claim. */\n name?: string | undefined\n /** The set of scopes exposed by your application for which the client application has requested (and received) consent. */\n scp?: string | undefined\n /** The set of permissions exposed by your application that the requesting application has been given permission to call. */\n roles?: string[] | undefined\n /** Provides object IDs that represent the subject's group memberships. */\n groups?: string | string[] | undefined\n /** Denoting the user is in at least one group. */\n hasgroups?: true | undefined\n /** The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused.\n * It can be used to perform authorization checks safely, such as when the token is used to access a resource,\n * and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues,\n * we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. */\n sub?: string | undefined\n /** GUID represents a user. This ID uniquely identifies the user across applications. */\n oid?: string | undefined\n /** Represents the Azure AD tenant that the user is from. */\n tid?: string | undefined\n /** Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. */\n unique_name?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n uti?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n rh?: string | undefined\n /** Indicates the version of the access token. */\n ver?: '1.0' | '2.0' | undefined\n\n /** v1.0 basic claims */\n\n /** The IP address the user authenticated from. */\n ipaddr?: string | undefined\n /** In cases where the user has an on-premises authentication, this claim provides their SID. */\n onprem_sid?: string | undefined\n /** Indicates when the user's password expires. */\n pwd_exp?: number | undefined\n /** A URL where users can be sent to reset their password. */\n pwd_url?: string | undefined\n /** Signals if the client is logging in from the corporate network. If they aren't, the claim isn't included. */\n in_corp?: string | undefined\n /** An additional name for the user, separate from first or last name */\n nickname?: string | undefined\n /** Provides the last name, surname, or family name of the user as defined on the user object. */\n family_name?: string | undefined\n /** Provides the first or given name of the user, as set on the user object. */\n given_name?: string | undefined\n /** The username of the user. May be a phone number, email address, or unformatted string. */\n upn?: string | undefined\n}\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface IBearerStrategyOption extends IBaseStrategyOption {\n audience?: string | string[] | undefined\n policyName?: String | undefined\n allowMultiAudiencesInToken?: boolean | undefined\n scope?: string[] | undefined\n}\n\nexport interface IBearerStrategyOptionWithRequest extends IBearerStrategyOption {\n passReqToCallback: boolean\n}\nexport type VerifyBearerFunction = (token: ITokenPayload, done: VerifyCallback) => void\nexport interface VerifyCallback {\n (error: any, user?: any, info?: any): void\n}\n","/**\n * @public\n */\nimport bodyParser from 'body-parser'\nimport { Enforcer } from 'casbin'\nimport cors, { CorsOptions } from 'cors'\n\nimport express, { Express } from 'express'\nimport { Application, ApplicationRequestHandler } from 'express-serve-static-core'\nimport expressSession from 'express-session'\nimport session from 'express-session'\nimport http from 'http'\nimport { createHttpTerminator, HttpTerminator } from 'http-terminator'\nimport morgan from 'morgan'\nimport passport, { InitializeOptions } from 'passport'\nimport { checkUserIsInRole } from './auth-utils'\nimport { jsonErrorHandler } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, IExpressServerOpts } from './types'\n\ntype Handler<Request extends http.IncomingMessage, Response extends http.ServerResponse> = (\n req: Request,\n res: Response,\n callback: (err?: Error) => void,\n) => void\n\nexport class ExpressBuilder {\n private existingExpress?: Express\n private hostnameOrIP?: string\n private port?: number\n private _handlers?: ApplicationRequestHandler<Application>[] = []\n private listenCallback?: () => void\n private _startListen?: boolean | undefined = undefined\n private readonly envVarPrefix?: string\n private _corsConfigurer?: ExpressCorsConfigurer\n private _sessionOpts?: session.SessionOptions\n private _usePassportAuth?: boolean = false\n private _passportInitOpts?: InitializeOptions\n private _userIsInRole?: string | string[]\n private _enforcer?: Enforcer\n private _server?: http.Server | undefined\n private _terminator?: HttpTerminator\n private _morgan?: Handler<any, any> | undefined\n\n private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = opts ?? {}\n if (existingExpress) {\n this.withExpress(existingExpress)\n }\n this.envVarPrefix = envVarPrefix ?? ''\n }\n\n public static fromExistingExpress(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n return new ExpressBuilder(opts ?? {})\n }\n\n public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {\n const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })\n return builder.withEnableListenOpts({ ...opts, hostnameOrIP: opts.hostname, startOnBuild: opts.startListening ?? false })\n }\n\n public enableListen(startOnBuild?: boolean): this {\n if (startOnBuild !== undefined) {\n this._startListen = startOnBuild\n }\n return this\n }\n\n public withMorganLogging(opts?: { existingMorgan?: Handler<any, any>; format?: string; options?: morgan.Options<any, any> }): this {\n if (opts?.existingMorgan && (opts.format || opts.options)) {\n throw Error('Cannot using an existing morgan with either a format or options')\n }\n this._morgan = opts?.existingMorgan ?? morgan(opts?.format ?? 'dev', opts?.options)\n return this\n }\n\n public withEnableListenOpts({\n port,\n hostnameOrIP,\n callback,\n startOnBuild,\n }: {\n port?: number\n hostnameOrIP?: string\n startOnBuild?: boolean\n callback?: () => void\n }): this {\n port && this.withPort(port)\n hostnameOrIP && this.withHostname(hostnameOrIP)\n if (typeof callback === 'function') {\n this.withListenCallback(callback)\n }\n this._startListen = startOnBuild === true\n return this\n }\n\n public withPort(port: number): this {\n this.port = port\n return this\n }\n\n public withHostname(hostnameOrIP: string): this {\n this.hostnameOrIP = hostnameOrIP\n return this\n }\n\n public withListenCallback(callback: () => void): this {\n this.listenCallback = callback\n return this\n }\n\n public withExpress(existingExpress: Express): this {\n this.existingExpress = existingExpress\n this._startListen = false\n return this\n }\n\n public withCorsConfigurer(configurer: ExpressCorsConfigurer): this {\n this._corsConfigurer = configurer\n return this\n }\n\n public withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this {\n this._usePassportAuth = usePassport\n this._passportInitOpts = initializeOptions\n return this\n }\n\n public withGlobalUserIsInRole(userIsInRole: string | string[]): this {\n this._userIsInRole = userIsInRole\n return this\n }\n\n public withEnforcer(enforcer: Enforcer): this {\n this._enforcer = enforcer\n return this\n }\n\n public startListening(express: Express) {\n this._server = express.listen(this.getPort(), this.getHostname(), this.listenCallback)\n this._terminator = createHttpTerminator({\n server: this._server,\n // gracefulTerminationTimeout: 10\n })\n\n return { server: this._server, terminator: this._terminator }\n }\n\n public getHostname(): string {\n return this.hostnameOrIP ?? env('HOSTNAME', this.envVarPrefix) ?? '0.0.0.0'\n }\n\n public getPort(): number {\n return (this.port ?? env('PORT', this.envVarPrefix) ?? 5000) as number\n }\n\n public setHandlers(handlers: ApplicationRequestHandler<any> | ApplicationRequestHandler<any>[]): this {\n if (Array.isArray(handlers)) {\n this._handlers = handlers\n } else if (handlers) {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handlers)\n } else {\n this._handlers = []\n }\n\n return this\n }\n\n public addHandler(handler: ApplicationRequestHandler<any>): this {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handler)\n return this\n }\n\n public withSessionOptions(sessionOpts: session.SessionOptions): this {\n this._sessionOpts = sessionOpts\n return this\n }\n\n public build<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): ExpressSupport {\n const express = this.buildExpress(opts)\n const startListening = opts?.startListening === undefined ? this._startListen !== true : opts.startListening\n let started = this._server !== undefined\n if (startListening && !started) {\n this.startListening(express)\n started = true\n }\n\n return {\n express,\n port: this.getPort(),\n hostname: this.getHostname(),\n userIsInRole: this._userIsInRole,\n startListening,\n enforcer: this._enforcer,\n start: (opts) => {\n if (opts?.doNotStartListening) {\n console.log('Express will not start listening. You will have to start it yourself')\n } else {\n if (!started) {\n this.startListening(express)\n started = true\n }\n }\n\n if (opts?.disableErrorHandler !== true) {\n express.use(jsonErrorHandler)\n }\n return { server: this._server!, terminator: this._terminator! }\n },\n stop: async (terminator?: HttpTerminator) => {\n const term = terminator ?? this._terminator\n if (!term) {\n return false\n }\n return await term.terminate().then(() => true)\n },\n }\n }\n\n protected buildExpress<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): express.Express {\n const app: express.Express = opts?.express ?? this.existingExpress ?? express()\n if (this._morgan) {\n app.use(this._morgan)\n }\n if (this._sessionOpts) {\n const store = this._sessionOpts.store ?? new expressSession.MemoryStore()\n this._sessionOpts.store = store\n app.use(expressSession(this._sessionOpts))\n }\n if (this._usePassportAuth) {\n app.use(passport.initialize(this._passportInitOpts))\n if (this._sessionOpts) {\n // app.use(passport.authenticate('session'))\n //_sessionOpts are not for passport session, they are for express above\n app.use(passport.session())\n }\n }\n if (this._userIsInRole) {\n app.use(checkUserIsInRole({ roles: this._userIsInRole }))\n }\n if (this._corsConfigurer) {\n this._corsConfigurer.configure({ existingExpress: app })\n }\n\n // @ts-ignore\n this._handlers && this._handlers.length > 0 && app.use(this._handlers)\n // @ts-ignore\n opts?.handlers && app.use(opts.handlers)\n //fixme: this should come from the config\n app.use(bodyParser.urlencoded({ extended: true }))\n app.use(bodyParser.json({ limit: '5mb' }))\n return app\n }\n}\n\nexport class ExpressCorsConfigurer {\n private _disableCors?: boolean\n private _enablePreflightOptions?: boolean\n private _allowOrigin?: boolean | string | RegExp | Array<boolean | string | RegExp>\n private _allowMethods?: string | string[]\n private _allowedHeaders?: string | string[]\n private _allowCredentials?: boolean\n private readonly _express?: Express\n private readonly _envVarPrefix?: string\n\n constructor(args?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = args ?? {}\n this._express = existingExpress\n this._envVarPrefix = envVarPrefix\n }\n\n public allowOrigin(value: string | boolean | RegExp | Array<string | boolean | RegExp>): this {\n this._allowOrigin = value\n return this\n }\n\n public disableCors(value: boolean): this {\n this._disableCors = value\n return this\n }\n\n public allowMethods(value: string | string[]): this {\n this._allowMethods = value\n return this\n }\n\n public allowedHeaders(value: string | string[]): this {\n this._allowedHeaders = value\n return this\n }\n\n public allowCredentials(value: boolean): this {\n this._allowCredentials = value\n return this\n }\n\n public configure({ existingExpress }: { existingExpress?: Express }) {\n const express = existingExpress ?? this._express\n if (!express) {\n throw Error('No express passed in during construction or configure')\n }\n\n const disableCorsEnv = env('CORS_DISABLE', this._envVarPrefix)\n const corsDisabled = this._disableCors ?? (disableCorsEnv ? /true/.test(disableCorsEnv) : false)\n if (corsDisabled) {\n return\n }\n const envAllowOriginStr = env('CORS_ALLOW_ORIGIN', this._envVarPrefix) ?? '*'\n let envAllowOrigin: string[] | string\n if (envAllowOriginStr.includes(',')) {\n envAllowOrigin = envAllowOriginStr.split(',')\n } else if (envAllowOriginStr.includes(' ')) {\n envAllowOrigin = envAllowOriginStr.split(' ')\n } else {\n envAllowOrigin = envAllowOriginStr\n }\n if (Array.isArray(envAllowOrigin) && envAllowOrigin.length === 1) {\n envAllowOrigin = envAllowOrigin[0]\n }\n const corsOptions: CorsOptions = {\n origin: this._allowOrigin ?? envAllowOrigin,\n // todo: env vars\n ...(this._allowMethods && { methods: this._allowMethods }),\n ...(this._allowedHeaders && { allowedHeaders: this._allowedHeaders }),\n ...(this._allowCredentials !== undefined && { credentials: this._allowCredentials }),\n optionsSuccessStatus: 204,\n }\n\n if (this._enablePreflightOptions) {\n express.options('*', cors(corsOptions))\n }\n express.use(cors(corsOptions))\n }\n}\n","export function env(key?: string, prefix?: string): string | undefined {\n if (!key) {\n return undefined\n }\n return process.env[`${prefix ? prefix.trim() : ''}${key}`]\n}\n","import { TAgent } from '@veramo/core'\nimport express, { Express, NextFunction, Router } from 'express'\nimport { BaseClient, ClientMetadata, ClientOptions, Issuer } from 'openid-client'\nimport passport from 'passport'\nimport { JsonWebKey } from '@sphereon/ssi-types'\nimport { copyGlobalAuthToEndpoints, isUserAuthenticated } from './auth-utils'\nimport { sendErrorResponse } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, GenericAuthArgs, ISingleEndpointOpts } from './types'\n\nconst PREFIX = process.env.PREFIX ?? ''\nexport async function oidcDiscoverIssuer(opts?: { issuerUrl?: string }) {\n const issuerUrl = opts?.issuerUrl ?? env('OIDC_ISSUER', PREFIX) ?? 'https://auth01.test.sphereon.com/auth/realms/energy-shr'\n const issuer = await Issuer.discover(issuerUrl)\n console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata)\n return { issuer, issuerUrl }\n}\n\nexport async function oidcGetClient(\n issuer: Issuer<BaseClient>,\n metadata: ClientMetadata,\n opts?: {\n jwks?: { keys: JsonWebKey[] }\n options?: ClientOptions\n },\n) {\n // @ts-ignore\n return new issuer.Client(metadata, opts?.jwks, opts?.options)\n}\n\nexport function getLoginEndpoint(router: Router, opts?: ISingleEndpointOpts & { redirectUrl?: string }) {\n if (opts?.enabled === false) {\n console.log(`Login endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/login'\n router.get(\n path,\n (req: any, res: any, next: NextFunction) => {\n const redirectPage = req.get('referer') ?? '/'\n req.session.redirectPage = redirectPage\n next()\n },\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: false },\n undefined,\n ),\n )\n}\n\nexport function getLoginCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Auth callback endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/callback'\n router.get(\n path,\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: true },\n undefined,\n ),\n (req: any, res: any, next) => {\n if (req.user) {\n console.log('User authenticated', req.user?.name)\n // console.log(req.session)\n const redirectPage = req.session.redirectPage ?? '/search'\n // console.log(`PRE LOGIN PAGE in callback: ${redirectPage}`)\n delete req.session.redirectPage\n return res.redirect(redirectPage)\n } else {\n return res.redirect(env('OIDC_FRONTEND_LOGIN_URL', PREFIX) ?? 'http://localhost:3001/authentication/login')\n }\n },\n )\n}\n\nexport function getLogoutEndpoint(router: Router, client: BaseClient, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout'\n router.get(path, (req, res) => {\n try {\n if (client.endSessionUrl()) {\n return res.redirect(client.endSessionUrl())\n } else {\n console.log('IDP does not support end session url')\n return res.redirect('/authentication/logout-callback')\n }\n } catch (error) {\n console.log(error)\n return res.redirect('/authentication/logout-callback')\n }\n })\n}\n\nexport function getLogoutCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout callback endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout-callback'\n router.get(path, (req, res, next) => {\n try {\n req.logout((err) => {\n if (err) {\n console.log(`Error during calling logout-callback: ${JSON.stringify(err)}`)\n }\n })\n return res.redirect(env('OIDC_FRONTEND_LOGOUT_REDIRECT_URL', PREFIX) ?? '/')\n } catch (e) {\n return sendErrorResponse(res, 500, 'An unexpected error occurred during logout callback', e)\n }\n })\n}\n\nexport function getIdTokenEndpoint(router: Router, client: BaseClient, opts: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`ID Token endpoint is disabled`)\n return\n }\n const path = opts.path ?? '/authentication/tokens/id'\n router.get(path, isUserAuthenticated, (req: any, res: any) => {\n if (req.session.tokens.id_token) {\n return res.json({ id_token: req.session.tokens.id_token })\n } else {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n })\n}\n\nexport function getAuthenticatedUserEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Authenticated User endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/user'\n router.get(path, isUserAuthenticated, (req: any, res: any, next: any) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n let user = req.user\n return res.json(user)\n })\n}\n\nexport interface IAuthenticationOpts {\n enabledFeatures?: AuthenticationApiFeatures\n endpointOpts?: IAuthenticationEndpointOpts\n}\n\nexport interface IAuthenticationEndpointOpts {\n basePath?: string\n globalAuth?: GenericAuthArgs\n getAuthenticatedUser?: ISingleEndpointOpts\n getLogin?: ISingleEndpointOpts\n getLogout?: ISingleEndpointOpts\n getIdToken?: ISingleEndpointOpts\n}\n\nexport type AuthenticationApiFeatures = 'login' | 'logout' | 'id-token' | 'authenticated-user'\n\nexport class OpenIDConnectAuthApi {\n get router(): express.Router {\n return this._router\n }\n\n private readonly _express: Express\n private readonly _agent?: TAgent<any>\n private readonly _opts?: IAuthenticationOpts\n private readonly _router: Router\n\n constructor(args: { agent?: TAgent<any>; expressSupport: ExpressSupport; client: BaseClient; opts: IAuthenticationOpts }) {\n const { agent, opts } = args\n this._agent = agent\n copyGlobalAuthToEndpoints({ opts, keys: ['getLogin'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getIdToken'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getAuthenticatedUser'] })\n // no need for the logout, as you these are not protected by auth\n this._opts = opts\n this._express = args.expressSupport.express\n this._router = express.Router()\n const features = opts?.enabledFeatures ?? ['login', 'logout', 'id-token', 'authenticated-user']\n console.log(`Authentication API enabled`)\n\n if (features.includes('login')) {\n getLoginEndpoint(this.router, opts?.endpointOpts?.getLogin)\n getLoginCallbackEndpoint(this.router, opts?.endpointOpts?.getLogin)\n }\n if (features.includes('logout')) {\n getLogoutEndpoint(this.router, args.client, opts?.endpointOpts?.getLogout)\n getLogoutCallbackEndpoint(this.router, opts?.endpointOpts?.getLogout)\n }\n if (features.includes('id-token')) {\n if (opts.endpointOpts?.getIdToken === undefined) {\n throw Error('Cannot enable id-token endpoint without providing id-token endpoint options')\n }\n getIdTokenEndpoint(this.router, args.client, opts?.endpointOpts?.getIdToken)\n }\n if (features.includes('authenticated-user')) {\n getAuthenticatedUserEndpoint(this.router, opts?.endpointOpts?.getAuthenticatedUser)\n }\n this._express.use(opts?.endpointOpts?.basePath ?? '', this.router)\n }\n\n get agent(): TAgent<any> | undefined {\n return this._agent\n }\n\n get opts(): IAuthenticationOpts | undefined {\n return this._opts\n }\n\n get express(): Express {\n return this._express\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,sBAAqB;AAGd,IAAMA,cAAN,MAAMA,aAAAA;EAHb,OAGaA;;;EACMC;EACTC;EAER,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,aAAYC,QAAAA;EACzB;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,YAAYF,SAAyE;AAC1F,SAAKA,UAAU;MACb,GAAGA;MACHG,mBAAmB,uBAAuBH,UAAUA,QAAQG,oBAAoB;IAClF;AACA,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,WAAW,KAAKL;AACtB,QAAI,CAACK,UAAU;AACb,YAAMC,MAAM,iCAAA;IACd;AACA,WAAO,mBAAA,EACJC,KAAK,CAACC,YACLC,gBAAAA,QAASC,IACP,KAAKX,UACL,IAAIS,QAAQG,eAAeN,UAAU,SAAUO,OAAsBC,IAAkB;AACrF,UAAID,OAAO;AAET,eAAOC,GAAG,MAAMD,KAAAA;MAClB;AACA,aAAOC,GAAG,uCAAuC,IAAA;IACnD,CAAA,CAAA,CAAA,EAGHC,MAAM,CAACC,WAAAA;AACNC,cAAQC,IAAIF,MAAAA;AACZ,YAAMT,MAAM,uHAAA;IACd,CAAA;EACJ;AACF;;;AC9CA,IAAAY,mBAAqB;AAoCd,IAAMC,iBAAN,MAAMA,gBAAAA;EApCb,OAoCaA;;;EACMC;EACTC,UAAuC,CAAC;EAEhD,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,gBAAeC,QAAAA;EAC5B;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,WAAWC,QAAsB;AACtC,SAAKH,UAAU;MAAE,GAAG,KAAKA;MAASG;IAAO;AACzC,WAAO;EACT;EAEOC,aAAaC,UAAmC;AACrD,SAAKL,UAAU;MAAE,GAAG,KAAKA;MAASK;IAAS;AAC3C,WAAO;EACT;EAEOC,YAAYC,SAAuB;AACxC,SAAKP,UAAU;MAAE,GAAG,KAAKA;MAASO;IAAQ;AAC1C,WAAO;EACT;EAEOC,eAAeC,YAAmC;AACvD,SAAKT,UAAU;MAAE,GAAG,KAAKA;MAASS;IAAW;AAC7C,WAAO;EACT;EAEOC,YAAYV,SAA4C;AAC7D,SAAKA,UAAU;MAAE,GAAG,KAAKA;MAAS,GAAGA;IAAQ;AAC7C,WAAO;EACT;EAEA,MAAMW,kBAAiC;AACrC,UAAM,EAAER,QAAQE,UAAUI,WAAU,IAAK,KAAKT;AAE9C,QAAI,CAACG,QAAQ;AACX,aAAOS,QAAQC,OAAO,IAAIC,MAAM,yCAAA,CAAA;IAClC;AAEA,QAAIP,UAAU,KAAKP,QAAQO;AAC3B,QAAI,CAACA,SAAS;AACZA,gBAAU,MAAM,KAAKQ,gBAAgBZ,MAAAA;IACvC;AAEA,QAAI;AACF,YAAM,CAACa,aAAaC,OAAAA,IAAW,MAAML,QAAQM,IAAI;QAAC,OAAO,cAAA;QAAiB,OAAO,UAAA;OAAY;AAE7F,YAAM,EAAEC,UAAUC,aAAaC,WAAU,IAAKL;AAC9C,YAAM,EAAEM,kBAAiB,IAAKL;AAE9B,YAAMM,aAAa;QACjBC,gBAAgBH,WAAWI,4BAA2B;QACtDC,qBAAqBJ,kBAAkB;UACrCK,OAAO;UACPC,WAAW;UACXC,uBAAuB;UACvBtB;QACF,CAAA;QACAJ;QACAE;QACAI,YAAYA,cAAe;UAAC;UAAS;UAAS;UAAS;UAAS;UAAS;;MAC3E;AAEAqB,uBAAAA,QAASC,IACP,KAAKhC,UACL,IAAIqB,YAAYG,YAAY,CAACS,SAA4BC,SAAAA;AACvD,YAAID,SAAS;AACX,iBAAOC,KAAK,MAAMD,OAAAA;QACpB;AACA,eAAOC,KAAK,uCAAuC,IAAA;MACrD,CAAA,CAAA;IAEJ,SAASC,OAAO;AACdC,cAAQD,MAAM,0CAA0CA,KAAAA;AACxD,aAAOtB,QAAQC,OACb,IAAIC,MACF,qHACA;QAAEsB,OAAOF;MAAM,CAAA,CAAA;IAGrB;EACF;EAEA,MAAcnB,gBAAgBZ,QAAiC;AAC7D,UAAMkC,eAAe,GAAGlC,MAAAA,GAASA,OAAOmC,SAAS,GAAA,IAAO,KAAK,GAAA;AAE7D,QAAI;AACF,YAAMC,WAAW,MAAMC,MAAMH,YAAAA;AAC7B,UAAI,CAACE,SAASE,IAAI;AAChB,eAAO7B,QAAQC,OACb,IAAIC,MAAM,2CAA2CuB,YAAAA,KAAiBE,SAASG,MAAM,IAAIH,SAASI,UAAU,EAAE,CAAA;MAElH;AAEA,YAAMC,SAAU,MAAML,SAASM,KAAI;AACnC,UAAI,CAACD,OAAOE,UAAU;AACpB,eAAOlC,QAAQC,OAAO,IAAIC,MAAM,yBAAyBuB,YAAAA,4BAAwC,CAAA;MACnG;AAEA,aAAOO,OAAOE;IAChB,SAASZ,OAAO;AACd,aAAOtB,QAAQC,OACb,IAAIC,MAAM,0DAA0DuB,YAAAA,IAAgB;QAAED,OAAOF;MAAM,CAAA,CAAA;IAEvG;EACF;AACF;;;ACnJA,IAAAa,mBAAqB;AAErB,uBAAyB;AAGlB,IAAMC,mBAAN,MAAMA,kBAAAA;EALb,OAKaA;;;EACMC;EACjB,OAAeC,YAAmD,oBAAIC,IAAAA;EACtE,OAAeC,gBAAkE,oBAAID,IAAAA;EAC7EE,aAAuB;EAE/B,OAAcC,KAAKL,UAAkBM,UAAqC;AACxE,WAAO,IAAIP,kBAAiBC,YAAY,UAAUM,YAAY,IAAIC,iCAAiCP,QAAAA,CAAAA;EACrG;EAEA,YAAoBA,UAAkBM,UAAoC;AACxE,SAAKN,WAAWA;AAChB,QAAID,kBAAiBE,UAAUO,IAAIR,QAAAA,GAAW;AAC5C,UAAID,kBAAiBE,UAAUQ,IAAIT,QAAAA,MAAcM,UAAU;AACzD,cAAMI,MAAM,yDAAyDV,QAAAA;MACvE;IACF,OAAO;AACLD,wBAAiBE,UAAUU,IAAIX,UAAUM,QAAAA;IAC3C;EACF;EAEA,IAAIA,WAAW;AACb,UAAMA,WAAWP,kBAAiBE,UAAUQ,IAAI,KAAKT,QAAQ;AAC7D,QAAI,CAACM,UAAU;AACb,YAAMI,MAAM,qCAAqC,KAAKV,QAAQ;IAChE;AACA,WAAOM;EACT;EAEAM,eAAeR,YAA2B;AACxC,SAAKA,aAAaA;AAClB,WAAO;EACT;EAEAS,UAAUC,OAAwC;AAChD,SAAKC,QAAQD,KAAAA;AACb,WAAO;EACT;EAEAC,QAAQC,MAAuC;AAC7C,SAAKV,SAASS,QAAQC,IAAAA;AACtB,WAAO;EACT;EAEAC,kBAAkBC,SAAoD;AACpEnB,sBAAiBI,cAAcQ,IAAI,KAAKX,UAAUkB,OAAAA;AAClD,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,YAAY,KAAKd;AACvB,aAASe,SAASC,OAAeC,IAAkF;AACjH,YAAMP,OAAOI,UAAUI,QAAQF,KAAAA;AAC/B,UAAIN,MAAM;AACR,eAAOO,GAAG,MAAMP,IAAAA;MAClB;AACA,aAAOO,GAAG,uCAAuC,KAAA;IACnD;AANSF;AAQT,WAAO,sBAAA,EACJI,KAAK,CAACC,eAAAA;AACL,YAAMtB,aAAa,KAAKA,cAAc;AACtCuB,uBAAAA,QAASC,IACP,KAAK5B,UACL,IAAI0B,WAAWG,SAAS;QAAEC,mBAAmB;MAAM,GAAG,SACpDR,OACAC,IAAkF;AAElF,YAAInB,YAAY;AACd,iBAAO,sBAAA,EACJqB,KAAK,CAACM,SAAAA;AACLV,yBAASW,2BAASD,KAAKE,OAAOX,KAAAA,CAAAA,GAASC,EAAAA;UACzC,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,oBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,kBAAMzB,MAAM,gDAAA;UACd,CAAA;QACJ,OAAO;AACLW,mBAASC,OAAOC,EAAAA;QAClB;MACF,CAAA,CAAA;IAEJ,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,cAAQC,IAAI,yCAAyCF,KAAAA,EAAO;AAC5D,YAAMzB,MAAM,uDAAA;IACd,CAAA;EACJ;AACF;AAYO,IAAMH,mCAAN,MAAMA;EAzGb,OAyGaA;;;EACM+B;EACAC,SAAuB,CAAA;EACvBC;EAEjB,YAAYxC,UAAkByC,cAAwB;AACpD,SAAKH,YAAYtC;AACjB,SAAKwC,gBAAgBC,gBAAgB;EACvC;EAEA,IAAI3B,QAAsB;AACxB,WAAO,KAAKyB;EACd;EAEA,IAAIE,eAAwB;AAC1B,WAAO,KAAKD;EACd;EAEA,IAAIxC,WAAmB;AACrB,WAAO,KAAKsC;EACd;EAEAd,QAAQF,OAAuC;AAC7C,WAAO,KAAKR,MAAM4B,KAAK,CAAC1B,SAASA,KAAKM,UAAUA,KAAAA;EAClD;EAEAP,QAAQC,MAAiC2B,WAA2B;AAClE,UAAM7B,QAAQ8B,MAAMC,QAAQ7B,IAAAA,IAAQA,OAAO;MAACA;;AAC5C,QAAI2B,WAAW;AACb,UAAI,CAAC,KAAKF,cAAc;AACtB,cAAM/B,MAAM,4FAA4F,KAAKV,QAAQ;MACvH;AACA,aAAO,sBAAA,EACJyB,KAAK,CAACM,SAAAA;AACLjB,cAAMgC,QAAQ,CAAC9B,UAAUA,MAAKM,YAAQU,2BAASD,KAAKE,OAAOjB,MAAKM,KAAK,CAAA,CAAA;MACvE,CAAA,EACCY,MAAM,CAACC,UAAAA;AACNC,gBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,cAAMzB,MAAM,gDAAA;MACd,CAAA;IACJ;AACA,SAAK6B,OAAOQ,KAAI,GAAIjC,KAAAA;EACtB;EAEAkC,WAAyB;AACvB,WAAO,KAAKT;EACd;AACF;;;ACtJA,IAAAU,mBAAqB;;;ACAd,SAASC,kBAAkBC,UAA4BC,YAAoBC,SAA0BC,OAAW;AACrH,MAAIC,MAAMF;AACV,MAAI,CAACE,KAAK;AACRC,YAAQF,MAAM,yEAAA;AACdC,UAAM;AACNH,iBAAa;EACf,OAAO;AACLI,YAAQF,MAAM,sBAAsBF,UAAAA,MAAgB,OAAOG,QAAQ,WAAWA,MAAME,KAAKC,UAAUH,GAAAA,CAAAA,EAAM;EAC3G;AACA,MAAID,OAAO;AACT,QAAIA,iBAAiBK,OAAO;AAC1BH,cAAQF,MAAM,kBAAkBA,MAAMD,OAAO,EAAE;IACjD;AACAG,YAAQF,MAAM,iBAAiBG,KAAKC,UAAUJ,KAAAA,CAAAA,EAAQ;EACxD;AACA,MAAIF,cAAc,KAAK;AACrBI,YAAQF,MAAM,yDAAA;AACdE,YAAQF,MAAMA,OAAOM,KAAAA;AACrBJ,YAAQF,MAAMK,MAAAA,EAAQC,KAAK;EAC7B;AACA,MAAIT,SAASU,aAAa;AACxBL,YAAQF,MAAM,wCAAwC;AACtD,WAAOH;EACT;AACAA,WAASC,aAAaA;AACtB,MAAI,OAAOG,QAAQ,YAAY,CAACA,IAAIO,WAAW,GAAA,GAAM;AACnDP,UAAM;MAAED,OAAOC;IAAI;EACrB;AACA,MAAI,OAAOA,QAAQ,YAAYA,IAAIO,WAAW,GAAA,GAAM;AAClDX,aAASY,OAAO,gBAAgB,kBAAA;AAChC,WAAOZ,SAASa,OAAOZ,UAAAA,EAAYa,IAAIV,GAAAA;EACzC;AACA,SAAOJ,SAASa,OAAOZ,UAAAA,EAAYc,KAAKX,GAAAA;AAC1C;AAjCgBL;AAmCT,IAAMiB,mBAAmB,wBAACC,KAAUC,KAAsBC,KAAuBC,SAAAA;AACtF,QAAMnB,aAAqB,gBAAgBgB,MAAMA,IAAIhB,aAAa;AAClE,MAAIoB,WAAW,OAAOJ,QAAQ,WAAWA,MAAOA,IAAIf,WAAWe;AAC/D,MAAI,OAAOI,aAAa,UAAU;AAChCA,eAAWf,KAAKC,UAAUc,QAAAA;EAC5B;AACA,MAAIF,IAAIT,aAAa;AACnBL,YAAQiB,IAAI,oFAAA;AACZjB,YAAQiB,IAAI,cAAchB,KAAKC,UAAUU,GAAAA,CAAAA,EAAM;AAC/C,WAAOG,KAAKH,GAAAA;EACd;AACA,SAAOlB,kBAAkBoB,KAAKlB,YAAYoB,UAAUJ,GAAAA;AACtD,GAZgC;;;AClBzB,SAASM,gBAAgBC,MAAS;AACvC,SAAO,kBAAkBA,QAAQA,KAAKC;AACxC;AAFgBF;;;AFZT,IAAMG,oBAAoB,wBAACC,SAAuC,CAACC,KAAsBC,KAAuBC,SAAAA;AACrH,MAAI,CAACH,MAAMI,SAASJ,KAAKI,MAAMC,WAAW,GAAG;AAC3C,WAAOF,KAAAA;EACT;AACA,QAAMC,QAAQE,MAAMC,QAAQP,KAAKI,KAAK,IAAIJ,KAAKI,QAAQ;IAACJ,KAAKI;;AAC7D,MAAI,CAACH,KAAKO,QAAQ,EAAE,UAAUP,IAAIO,OAAO;AACvC,WAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAGA,QAAMC,UAAUP,MAAMQ,KAAK,CAACC,SAASZ,IAAIO,KAAKK,KAAKC,YAAW,MAAOD,KAAKC,YAAW,CAAA;AACrF,MAAI,CAACH,SAAS;AACZ,WAAOT,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAEA,SAAOP,KAAAA;AACT,GAhBiC;AAkBjC,IAAMY,0BAA0B,wBAACd,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACxG,QAAMgB,kBAAkB,wBACtBC,KACAT,MACAU,OACAC,YAAAA;AAEA,QAAIF,KAAK;AACP,YAAMG,UAAU,aAAaH,MAAMA,IAAIG,UAAUH;AACjDI,cAAQC,IAAI,mCAAmCC,KAAKC,UAAUJ,OAAAA,CAAAA;AAC9D,aAAOjB,KAAK;QAAEsB,YAAY;QAAKL;MAAQ,CAAA;IACzC,WAAW,CAACZ,MAAM;AAChBa,cAAQC,IAAI,iFAAA;AAEZ,aAAOpB,IAAIwB,SAAS,uBAAA;IACtB;AACA,QAAIC,QAAQC,SAAS;AACnB3B,UAAI4B,MAAMrB,MAAM,SAAUS,MAAG;AAC3B,YAAIA,MAAK;AACP,iBAAOd,KAAKc,IAAAA;QACd;MACF,CAAA;IACF;AASA,WAAOd,KAAAA;EACT,GA/BwB;AAiCxB,MAAI,CAACH,QAAQ,CAACA,KAAK8B,kBAAkB9B,KAAK8B,eAAeC,YAAY,OAAO;AAC1E,WAAO5B,KAAAA;EACT;AACA,MAAI,CAACH,KAAK8B,eAAeE,UAAU;AACjCX,YAAQC,IAAI,sFAAsF;AAClG,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,QAAMiB,UAAU;IACd,GAAG3B,MAAM8B,gBAAgBG;IACzBC,UAAUlC,MAAM8B,gBAAgBI,aAAa;IAC7CN,SAAS5B,MAAM8B,gBAAgBF,YAAY;EAC7C;AAEA,QAAMO,WAAWnC,MAAM8B,gBAAgBK,aAAanC,MAAM8B,gBAAgBM,qBAAqBpB,kBAAkBqB;AAEjHC,mBAAAA,QAASC,aAAavC,KAAK8B,eAAeE,UAAUL,SAASQ,QAAAA,EAAUK,KAAK,QAAMvC,KAAKC,KAAKC,IAAAA;AAC9F,GAlDgC;AAmDhC,IAAMsC,yBAAyB,wBAACxC,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACvG,MAAI,CAACA,QAAQ,CAACA,KAAK8B,kBAAkB,CAAC9B,KAAK0C,iBAAiB1C,KAAK8B,eAAeC,YAAY,SAAS/B,MAAM0C,cAAcX,YAAY,OAAO;AAC1I,WAAO5B,KAAAA;EACT;AAIA,QAAMuC,gBAAgB1C,KAAK0C;AAE3B,MAAI,CAACA,cAAcC,aAAa,CAACD,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,WAAW,IAAI;AACnHgB,YAAQC,IAAI,uEAAuE;AACnF,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,MAAIgC,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,SAAS,GAAG;AACnFN,sBAAkB;MAAEK,OAAOsC,cAAcE;IAAmB,CAAA;EAC9D;AACA,MAAIF,cAAcC,UAAU;AAC1B,UAAMA,WAAWD,cAAcC;AAC/B,UAAME,YAAYF,SAASG,YAAY7C,IAAIO,MAAMR,KAAK+C,UAAU/C,KAAKgD,SAAS;AAC9E,QAAI,CAACH,WAAW;AACdxB,cAAQC,IAAI,aAAatB,KAAK+C,QAAQ,WAAW/C,KAAKgD,SAAS,oBAAoB/C,IAAIO,IAAI,EAAE;AAC7F,aAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;IAC5B;EACF;AACA,SAAOP,KAAAA;AACT,GAzB+B;AA2BxB,IAAM8C,0BAA0B,wBAACjD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE5G,SAAOY,wBAAwBd,KAAKC,KAAKC,MAAMH,IAAAA;AACjD,GAHuC;AAKhC,IAAMkD,yBAAyB,wBAAClD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE3G,SAAOsC,uBAAuBxC,KAAKC,KAAKC,MAAMH,IAAAA;AAChD,GAHsC;AAK/B,IAAMmD,yBAAyB,wBAAClD,KAAsBC,KAAuBC,SAAAA;AAClF,MAAI,CAACF,IAAIO,MAAM;AACbL,SAAAA;EACF;AACF,GAJsC;AAM/B,IAAMiD,sBAAsB,wBAACnD,KAAsBC,KAAuBC,SAAAA;AAC/E,MAAI,CAACF,IAAIO,MAAM;AACb,WAAO6C,kBAAkBnD,KAAK,KAAK,yBAAA;EACrC,OAAO;AACL,WAAOC,KAAAA;EACT;AACF,GANmC;AAQ5B,IAAMmD,YAAY,wBAACtD,SAAAA;AACxB,QAAMuD,WAAwF,CAAA;AAC9FA,WAASC,KAAKP,wBAAwBjD,IAAAA,CAAAA;AACtCuD,WAASC,KAAKN,uBAAuBlD,IAAAA,CAAAA;AACrCA,QAAMuD,YAAYA,SAASC,KAAI,GAAIxD,KAAKuD,QAAQ;AAChD,SAAOA;AACT,GANyB;AAQlB,SAASE,yBAAyBC,MAA8C;AACrF,QAAM1D,OAAO0D,MAAM1D;AACnB,QAAM2D,MAAMD,MAAMC;AAClB,MAAI,CAAC3D,QAAQ,CAAC2D,OAAO,CAACC,gBAAgB5D,IAAAA,GAAO;AAC3C;EACF;AACA,MAAI2D,QAAQ,YAAY;AAEtB;EACF;AACA,MAAI3D,KAAK6D,cAAcC,YAAY;AACjC,QAAI9D,KAAK6D,aAAaF,GAAAA,GAAMI,sBAAsB,MAAM;AACtD;IACF;AACA/D,SAAK6D,aAAaF,GAAAA,IAAO;MACvB,GAAG3D,KAAK6D,aAAaF,GAAAA;MACrBK,UAAU;QAAE,GAAGhE,KAAK6D,aAAaC;QAAY,GAAG9D,KAAK6D,aAAaF,GAAAA,GAAMK;MAAS;IACnF;EACF;AACF;AAnBgBP;AAqBT,SAASQ,0BAA0BP,MAAiD;AACzFA,QAAMQ,KAAKC,QAAQ,CAACR,QAAQF,yBAAyB;IAAEzD,MAAM0D,MAAM1D;IAAM2D;EAAI,CAAA,CAAA;AAC/E;AAFgBM;;;AGzJhB,yBAAuB;AAEvB,kBAAkC;AAElC,qBAAiC;AAEjC,6BAA2B;AAG3B,6BAAqD;AACrD,oBAAmB;AACnB,IAAAG,mBAA4C;;;ACdrC,SAASC,IAAIC,KAAcC,QAAe;AAC/C,MAAI,CAACD,KAAK;AACR,WAAOE;EACT;AACA,SAAOC,QAAQJ,IAAI,GAAGE,SAASA,OAAOG,KAAI,IAAK,EAAA,GAAKJ,GAAAA,EAAK;AAC3D;AALgBD;;;AD0BT,IAAMM,iBAAN,MAAMA,gBAAAA;EA1Bb,OA0BaA;;;EACHC;EACAC;EACAC;EACAC,YAAuD,CAAA;EACvDC;EACAC,eAAqCC;EAC5BC;EACTC;EACAC;EACAC,mBAA6B;EAC7BC;EACAC;EACAC;EACAC;EACAC;EACAC;EAER,YAAoBC,MAA6D;AAC/E,UAAM,EAAEjB,iBAAiBO,aAAY,IAAKU,QAAQ,CAAC;AACnD,QAAIjB,iBAAiB;AACnB,WAAKkB,YAAYlB,eAAAA;IACnB;AACA,SAAKO,eAAeA,gBAAgB;EACtC;EAEA,OAAcY,oBAAoBF,MAA6D;AAC7F,WAAO,IAAIlB,gBAAekB,QAAQ,CAAC,CAAA;EACrC;EAEA,OAAcG,eAAeH,MAAsD;AACjF,UAAMI,UAAU,IAAItB,gBAAe;MAAEC,iBAAiBiB,MAAMjB;MAAiBO,cAAcU,MAAMV;IAAa,CAAA;AAC9G,WAAOc,QAAQC,qBAAqB;MAAE,GAAGL;MAAMhB,cAAcgB,KAAKM;MAAUC,cAAcP,KAAKQ,kBAAkB;IAAM,CAAA;EACzH;EAEOC,aAAaF,cAA8B;AAChD,QAAIA,iBAAiBlB,QAAW;AAC9B,WAAKD,eAAemB;IACtB;AACA,WAAO;EACT;EAEOG,kBAAkBV,MAA0G;AACjI,QAAIA,MAAMW,mBAAmBX,KAAKY,UAAUZ,KAAKa,UAAU;AACzD,YAAMC,MAAM,iEAAA;IACd;AACA,SAAKf,UAAUC,MAAMW,sBAAkBI,cAAAA,SAAOf,MAAMY,UAAU,OAAOZ,MAAMa,OAAAA;AAC3E,WAAO;EACT;EAEOR,qBAAqB,EAC1BpB,MACAD,cACAgC,UACAT,aAAY,GAML;AACPtB,YAAQ,KAAKgC,SAAShC,IAAAA;AACtBD,oBAAgB,KAAKkC,aAAalC,YAAAA;AAClC,QAAI,OAAOgC,aAAa,YAAY;AAClC,WAAKG,mBAAmBH,QAAAA;IAC1B;AACA,SAAK5B,eAAemB,iBAAiB;AACrC,WAAO;EACT;EAEOU,SAAShC,MAAoB;AAClC,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEOiC,aAAalC,cAA4B;AAC9C,SAAKA,eAAeA;AACpB,WAAO;EACT;EAEOmC,mBAAmBH,UAA4B;AACpD,SAAK7B,iBAAiB6B;AACtB,WAAO;EACT;EAEOf,YAAYlB,iBAAgC;AACjD,SAAKA,kBAAkBA;AACvB,SAAKK,eAAe;AACpB,WAAO;EACT;EAEOgC,mBAAmBC,YAAyC;AACjE,SAAK9B,kBAAkB8B;AACvB,WAAO;EACT;EAEOC,iBAAiBC,aAAsBC,mBAA6C;AACzF,SAAK/B,mBAAmB8B;AACxB,SAAK7B,oBAAoB8B;AACzB,WAAO;EACT;EAEOC,uBAAuBC,cAAuC;AACnE,SAAK/B,gBAAgB+B;AACrB,WAAO;EACT;EAEOC,aAAaC,UAA0B;AAC5C,SAAKhC,YAAYgC;AACjB,WAAO;EACT;EAEOpB,eAAeqB,UAAkB;AACtC,SAAKhC,UAAUgC,SAAQC,OAAO,KAAKC,QAAO,GAAI,KAAKC,YAAW,GAAI,KAAK7C,cAAc;AACrF,SAAKW,kBAAcmC,6CAAqB;MACtCC,QAAQ,KAAKrC;IAEf,CAAA;AAEA,WAAO;MAAEqC,QAAQ,KAAKrC;MAASsC,YAAY,KAAKrC;IAAY;EAC9D;EAEOkC,cAAsB;AAC3B,WAAO,KAAKhD,gBAAgBoD,IAAI,YAAY,KAAK9C,YAAY,KAAK;EACpE;EAEOyC,UAAkB;AACvB,WAAQ,KAAK9C,QAAQmD,IAAI,QAAQ,KAAK9C,YAAY,KAAK;EACzD;EAEO+C,YAAYC,UAAmF;AACpG,QAAIC,MAAMC,QAAQF,QAAAA,GAAW;AAC3B,WAAKpD,YAAYoD;IACnB,WAAWA,UAAU;AACnB,UAAI,CAAC,KAAKpD,WAAW;AACnB,aAAKA,YAAY,CAAA;MACnB;AACA,WAAKA,UAAUuD,KAAKH,QAAAA;IACtB,OAAO;AACL,WAAKpD,YAAY,CAAA;IACnB;AAEA,WAAO;EACT;EAEOwD,WAAWC,SAA+C;AAC/D,QAAI,CAAC,KAAKzD,WAAW;AACnB,WAAKA,YAAY,CAAA;IACnB;AACA,SAAKA,UAAUuD,KAAKE,OAAAA;AACpB,WAAO;EACT;EAEOC,mBAAmBC,aAA2C;AACnE,SAAKrD,eAAeqD;AACpB,WAAO;EACT;EAEOC,MAA6B9C,MAIjB;AACjB,UAAM6B,WAAU,KAAKkB,aAAa/C,IAAAA;AAClC,UAAMQ,iBAAiBR,MAAMQ,mBAAmBnB,SAAY,KAAKD,iBAAiB,OAAOY,KAAKQ;AAC9F,QAAIwC,UAAU,KAAKnD,YAAYR;AAC/B,QAAImB,kBAAkB,CAACwC,SAAS;AAC9B,WAAKxC,eAAeqB,QAAAA;AACpBmB,gBAAU;IACZ;AAEA,WAAO;MACLnB,SAAAA;MACA5C,MAAM,KAAK8C,QAAO;MAClBzB,UAAU,KAAK0B,YAAW;MAC1BN,cAAc,KAAK/B;MACnBa;MACAoB,UAAU,KAAKhC;MACfqD,OAAO,wBAACjD,UAAAA;AACN,YAAIA,OAAMkD,qBAAqB;AAC7BC,kBAAQC,IAAI,sEAAA;QACd,OAAO;AACL,cAAI,CAACJ,SAAS;AACZ,iBAAKxC,eAAeqB,QAAAA;AACpBmB,sBAAU;UACZ;QACF;AAEA,YAAIhD,OAAMqD,wBAAwB,MAAM;AACtCxB,UAAAA,SAAQyB,IAAIC,gBAAAA;QACd;AACA,eAAO;UAAErB,QAAQ,KAAKrC;UAAUsC,YAAY,KAAKrC;QAAa;MAChE,GAdO;MAeP0D,MAAM,8BAAOrB,eAAAA;AACX,cAAMsB,OAAOtB,cAAc,KAAKrC;AAChC,YAAI,CAAC2D,MAAM;AACT,iBAAO;QACT;AACA,eAAO,MAAMA,KAAKC,UAAS,EAAGC,KAAK,MAAM,IAAA;MAC3C,GANM;IAOR;EACF;EAEUZ,aAAoC/C,MAI1B;AAClB,UAAM4D,MAAuB5D,MAAM6B,WAAW,KAAK9C,uBAAmB8C,eAAAA,SAAAA;AACtE,QAAI,KAAK9B,SAAS;AAChB6D,UAAIN,IAAI,KAAKvD,OAAO;IACtB;AACA,QAAI,KAAKP,cAAc;AACrB,YAAMqE,QAAQ,KAAKrE,aAAaqE,SAAS,IAAIC,uBAAAA,QAAeC,YAAW;AACvE,WAAKvE,aAAaqE,QAAQA;AAC1BD,UAAIN,QAAIQ,uBAAAA,SAAe,KAAKtE,YAAY,CAAA;IAC1C;AACA,QAAI,KAAKC,kBAAkB;AACzBmE,UAAIN,IAAIU,iBAAAA,QAASC,WAAW,KAAKvE,iBAAiB,CAAA;AAClD,UAAI,KAAKF,cAAc;AAGrBoE,YAAIN,IAAIU,iBAAAA,QAASE,QAAO,CAAA;MAC1B;IACF;AACA,QAAI,KAAKvE,eAAe;AACtBiE,UAAIN,IAAIa,kBAAkB;QAAEC,OAAO,KAAKzE;MAAc,CAAA,CAAA;IACxD;AACA,QAAI,KAAKJ,iBAAiB;AACxB,WAAKA,gBAAgB8E,UAAU;QAAEtF,iBAAiB6E;MAAI,CAAA;IACxD;AAGA,SAAK1E,aAAa,KAAKA,UAAUoF,SAAS,KAAKV,IAAIN,IAAI,KAAKpE,SAAS;AAErEc,UAAMsC,YAAYsB,IAAIN,IAAItD,KAAKsC,QAAQ;AAEvCsB,QAAIN,IAAIiB,mBAAAA,QAAWC,WAAW;MAAEC,UAAU;IAAK,CAAA,CAAA;AAC/Cb,QAAIN,IAAIiB,mBAAAA,QAAWG,KAAK;MAAEC,OAAO;IAAM,CAAA,CAAA;AACvC,WAAOf;EACT;AACF;AAEO,IAAMgB,wBAAN,MAAMA;EA7Qb,OA6QaA;;;EACHC;EACAC;EACAC;EACAC;EACAC;EACAC;EACSC;EACAC;EAEjB,YAAYC,MAA6D;AACvE,UAAM,EAAEtG,iBAAiBO,aAAY,IAAK+F,QAAQ,CAAC;AACnD,SAAKF,WAAWpG;AAChB,SAAKqG,gBAAgB9F;EACvB;EAEOgG,YAAYC,OAA2E;AAC5F,SAAKR,eAAeQ;AACpB,WAAO;EACT;EAEOC,YAAYD,OAAsB;AACvC,SAAKV,eAAeU;AACpB,WAAO;EACT;EAEOE,aAAaF,OAAgC;AAClD,SAAKP,gBAAgBO;AACrB,WAAO;EACT;EAEOG,eAAeH,OAAgC;AACpD,SAAKN,kBAAkBM;AACvB,WAAO;EACT;EAEOI,iBAAiBJ,OAAsB;AAC5C,SAAKL,oBAAoBK;AACzB,WAAO;EACT;EAEOlB,UAAU,EAAEtF,gBAAe,GAAmC;AACnE,UAAM8C,WAAU9C,mBAAmB,KAAKoG;AACxC,QAAI,CAACtD,UAAS;AACZ,YAAMf,MAAM,uDAAA;IACd;AAEA,UAAM8E,iBAAiBxD,IAAI,gBAAgB,KAAKgD,aAAa;AAC7D,UAAMS,eAAe,KAAKhB,iBAAiBe,iBAAiB,OAAOE,KAAKF,cAAAA,IAAkB;AAC1F,QAAIC,cAAc;AAChB;IACF;AACA,UAAME,oBAAoB3D,IAAI,qBAAqB,KAAKgD,aAAa,KAAK;AAC1E,QAAIY;AACJ,QAAID,kBAAkBE,SAAS,GAAA,GAAM;AACnCD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,WAAWH,kBAAkBE,SAAS,GAAA,GAAM;AAC1CD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,OAAO;AACLF,uBAAiBD;IACnB;AACA,QAAIxD,MAAMC,QAAQwD,cAAAA,KAAmBA,eAAe1B,WAAW,GAAG;AAChE0B,uBAAiBA,eAAe,CAAA;IAClC;AACA,UAAMG,cAA2B;MAC/BC,QAAQ,KAAKrB,gBAAgBiB;;MAE7B,GAAI,KAAKhB,iBAAiB;QAAEqB,SAAS,KAAKrB;MAAc;MACxD,GAAI,KAAKC,mBAAmB;QAAES,gBAAgB,KAAKT;MAAgB;MACnE,GAAI,KAAKC,sBAAsB7F,UAAa;QAAEiH,aAAa,KAAKpB;MAAkB;MAClFqB,sBAAsB;IACxB;AAEA,QAAI,KAAKzB,yBAAyB;AAChCjD,MAAAA,SAAQhB,QAAQ,SAAK2F,YAAAA,SAAKL,WAAAA,CAAAA;IAC5B;AACAtE,IAAAA,SAAQyB,QAAIkD,YAAAA,SAAKL,WAAAA,CAAAA;EACnB;AACF;;;AE1VA,IAAAM,kBAAuD;AACvD,2BAAkE;AAClE,IAAAC,mBAAqB;AAOrB,IAAMC,SAASC,QAAQC,IAAIF,UAAU;AACrC,eAAsBG,mBAAmBC,MAA6B;AACpE,QAAMC,YAAYD,MAAMC,aAAaH,IAAI,eAAeF,MAAAA,KAAW;AACnE,QAAMM,SAAS,MAAMC,4BAAOC,SAASH,SAAAA;AACrCI,UAAQC,IAAI,2BAA2BJ,OAAOA,QAAQA,OAAOK,QAAQ;AACrE,SAAO;IAAEL;IAAQD;EAAU;AAC7B;AALsBF;AAOtB,eAAsBS,cACpBN,QACAK,UACAP,MAGC;AAGD,SAAO,IAAIE,OAAOO,OAAOF,UAAUP,MAAMU,MAAMV,MAAMW,OAAAA;AACvD;AAVsBH;AAYf,SAASI,iBAAiBC,QAAgBb,MAAqD;AACpG,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,4BAA4B;AACxC;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACA,CAACE,KAAUC,KAAUC,SAAAA;AACnB,UAAMC,eAAeH,IAAID,IAAI,SAAA,KAAc;AAC3CC,QAAII,QAAQD,eAAeA;AAC3BD,SAAAA;EACF,GACAG,iBAAAA,QAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAM,GACrHC,MAAAA,CAAAA;AAGN;AAvBgBlB;AAyBT,SAASmB,yBAAyBlB,QAAgBb,MAA0B;AACjF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,oCAAoC;AAChD;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACAO,iBAAAA,QAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAK,GACpHC,MAAAA,GAEF,CAACT,KAAUC,KAAUC,SAAAA;AACnB,QAAIF,IAAIW,MAAM;AACZ3B,cAAQC,IAAI,sBAAsBe,IAAIW,MAAMC,IAAAA;AAE5C,YAAMT,eAAeH,IAAII,QAAQD,gBAAgB;AAEjD,aAAOH,IAAII,QAAQD;AACnB,aAAOF,IAAIY,SAASV,YAAAA;IACtB,OAAO;AACL,aAAOF,IAAIY,SAASpC,IAAI,2BAA2BF,MAAAA,KAAW,4CAAA;IAChE;EACF,CAAA;AAEJ;AA9BgBmC;AAgCT,SAASI,kBAAkBtB,QAAgBuB,QAAoBpC,MAA0B;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,6BAA6B;AACzC;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,QAAAA;AACrB,QAAI;AACF,UAAIc,OAAOC,cAAa,GAAI;AAC1B,eAAOf,IAAIY,SAASE,OAAOC,cAAa,CAAA;MAC1C,OAAO;AACLhC,gBAAQC,IAAI,sCAAA;AACZ,eAAOgB,IAAIY,SAAS,iCAAA;MACtB;IACF,SAASI,OAAO;AACdjC,cAAQC,IAAIgC,KAAAA;AACZ,aAAOhB,IAAIY,SAAS,iCAAA;IACtB;EACF,CAAA;AACF;AAnBgBC;AAqBT,SAASI,0BAA0B1B,QAAgBb,MAA0B;AAClF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,sCAAsC;AAClD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,KAAKC,SAAAA;AAC1B,QAAI;AACFF,UAAImB,OAAO,CAACC,QAAAA;AACV,YAAIA,KAAK;AACPpC,kBAAQC,IAAI,yCAAyCoC,KAAKC,UAAUF,GAAAA,CAAAA,EAAM;QAC5E;MACF,CAAA;AACA,aAAOnB,IAAIY,SAASpC,IAAI,qCAAqCF,MAAAA,KAAW,GAAA;IAC1E,SAASgD,GAAG;AACV,aAAOC,kBAAkBvB,KAAK,KAAK,uDAAuDsB,CAAAA;IAC5F;EACF,CAAA;AACF;AAlBgBL;AAoBT,SAASO,mBAAmBjC,QAAgBuB,QAAoBpC,MAAyB;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,+BAA+B;AAC3C;EACF;AACA,QAAMa,OAAOnB,KAAKmB,QAAQ;AAC1BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,QAAAA;AAC/C,QAAID,IAAII,QAAQuB,OAAOC,UAAU;AAC/B,aAAO3B,IAAI4B,KAAK;QAAED,UAAU5B,IAAII,QAAQuB,OAAOC;MAAS,CAAA;IAC1D,OAAO;AACL,aAAOJ,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;EACF,CAAA;AACF;AAbgBwB;AAeT,SAASK,6BAA6BtC,QAAgBb,MAA0B;AACrF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,yCAAyC;AACrD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,KAAUC,SAAAA;AACzD,QAAI,CAACF,IAAIW,MAAM;AACb,aAAOa,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;AACA,QAAIU,OAAOX,IAAIW;AACf,WAAOV,IAAI4B,KAAKlB,IAAAA;EAClB,CAAA;AACF;AAbgBmB;AA+BT,IAAMC,uBAAN,MAAMA;EA7Kb,OA6KaA;;;EACX,IAAIvC,SAAyB;AAC3B,WAAO,KAAKwC;EACd;EAEiBC;EACAC;EACAC;EACAH;EAEjB,YAAYI,MAA8G;AACxH,UAAM,EAAEC,OAAO1D,KAAI,IAAKyD;AACxB,SAAKF,SAASG;AACdC,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAY,CAAA;AACrDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAc,CAAA;AACvDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAwB,CAAA;AAEjE,SAAKJ,QAAQxD;AACb,SAAKsD,WAAWG,KAAKI,eAAeC;AACpC,SAAKT,UAAUS,gBAAAA,QAAQC,OAAM;AAC7B,UAAMC,WAAWhE,MAAMiE,mBAAmB;MAAC;MAAS;MAAU;MAAY;;AAC1E5D,YAAQC,IAAI,4BAA4B;AAExC,QAAI0D,SAASE,SAAS,OAAA,GAAU;AAC9BtD,uBAAiB,KAAKC,QAAQb,MAAMmE,cAAcC,QAAAA;AAClDrC,+BAAyB,KAAKlB,QAAQb,MAAMmE,cAAcC,QAAAA;IAC5D;AACA,QAAIJ,SAASE,SAAS,QAAA,GAAW;AAC/B/B,wBAAkB,KAAKtB,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcE,SAAAA;AAChE9B,gCAA0B,KAAK1B,QAAQb,MAAMmE,cAAcE,SAAAA;IAC7D;AACA,QAAIL,SAASE,SAAS,UAAA,GAAa;AACjC,UAAIlE,KAAKmE,cAAcG,eAAexC,QAAW;AAC/C,cAAMZ,MAAM,6EAAA;MACd;AACA4B,yBAAmB,KAAKjC,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcG,UAAAA;IACnE;AACA,QAAIN,SAASE,SAAS,oBAAA,GAAuB;AAC3Cf,mCAA6B,KAAKtC,QAAQb,MAAMmE,cAAcI,oBAAAA;IAChE;AACA,SAAKjB,SAASkB,IAAIxE,MAAMmE,cAAcM,YAAY,IAAI,KAAK5D,MAAM;EACnE;EAEA,IAAI6C,QAAiC;AACnC,WAAO,KAAKH;EACd;EAEA,IAAIvD,OAAwC;AAC1C,WAAO,KAAKwD;EACd;EAEA,IAAIM,UAAmB;AACrB,WAAO,KAAKR;EACd;AACF;","names":["EntraIDAuth","strategy","options","init","withOptions","passReqToCallback","connectPassport","_options","Error","then","entraID","passport","use","BearerStrategy","token","cb","catch","reason","console","log","import_passport","OIDCBearerAuth","strategy","options","init","withIssuer","issuer","withAudience","audience","withJwksUri","jwksUri","withAlgorithms","algorithms","withOptions","connectPassport","Promise","reject","Error","discoverJwksUri","passportJwt","jwksRsa","all","Strategy","JwtStrategy","ExtractJwt","passportJwtSecret","jwtOptions","jwtFromRequest","fromAuthHeaderAsBearerToken","secretOrKeyProvider","cache","rateLimit","jwksRequestsPerMinute","passport","use","payload","done","error","console","cause","wellKnownUrl","endsWith","response","fetch","ok","status","statusText","config","json","jwks_uri","import_passport","StaticBearerAuth","strategy","providers","Map","verifyOptions","hashTokens","init","provider","MapBasedStaticBearerUserProvider","has","get","Error","set","withHashTokens","withUsers","users","addUser","user","withVerifyOptions","options","connectPassport","_provider","findUser","token","cb","getUser","then","httpBearer","passport","use","Strategy","passReqToCallback","hash","toString","sha256","catch","error","console","log","_strategy","_users","_hashedTokens","hashedTokens","find","hashToken","Array","isArray","forEach","push","getUsers","import_passport","sendErrorResponse","response","statusCode","message","error","msg","console","JSON","stringify","Error","stack","headersSent","startsWith","header","status","end","json","jsonErrorHandler","err","req","res","next","errorMsg","log","hasEndpointOpts","opts","endpointOpts","checkUserIsInRole","opts","req","res","next","roles","length","Array","isArray","user","status","end","hasRole","find","role","toLowerCase","checkAuthenticationImpl","defaultCallback","err","_info","_status","message","console","log","JSON","stringify","statusCode","redirect","options","session","logIn","authentication","enabled","strategy","strategyOptions","authInfo","callback","useDefaultCallback","undefined","passport","authenticate","call","checkAuthorizationImpl","authorization","enforcer","requireUserInRoles","permitted","enforceSync","resource","operation","checkAuthenticationOnly","checkAuthorizationOnly","isUserNotAuthenticated","isUserAuthenticated","sendErrorResponse","checkAuth","handlers","push","copyGlobalAuthToEndpoint","args","key","hasEndpointOpts","endpointOpts","globalAuth","disableGlobalAuth","endpoint","copyGlobalAuthToEndpoints","keys","forEach","import_passport","env","key","prefix","undefined","process","trim","ExpressBuilder","existingExpress","hostnameOrIP","port","_handlers","listenCallback","_startListen","undefined","envVarPrefix","_corsConfigurer","_sessionOpts","_usePassportAuth","_passportInitOpts","_userIsInRole","_enforcer","_server","_terminator","_morgan","opts","withExpress","fromExistingExpress","fromServerOpts","builder","withEnableListenOpts","hostname","startOnBuild","startListening","enableListen","withMorganLogging","existingMorgan","format","options","Error","morgan","callback","withPort","withHostname","withListenCallback","withCorsConfigurer","configurer","withPassportAuth","usePassport","initializeOptions","withGlobalUserIsInRole","userIsInRole","withEnforcer","enforcer","express","listen","getPort","getHostname","createHttpTerminator","server","terminator","env","setHandlers","handlers","Array","isArray","push","addHandler","handler","withSessionOptions","sessionOpts","build","buildExpress","started","start","doNotStartListening","console","log","disableErrorHandler","use","jsonErrorHandler","stop","term","terminate","then","app","store","expressSession","MemoryStore","passport","initialize","session","checkUserIsInRole","roles","configure","length","bodyParser","urlencoded","extended","json","limit","ExpressCorsConfigurer","_disableCors","_enablePreflightOptions","_allowOrigin","_allowMethods","_allowedHeaders","_allowCredentials","_express","_envVarPrefix","args","allowOrigin","value","disableCors","allowMethods","allowedHeaders","allowCredentials","disableCorsEnv","corsDisabled","test","envAllowOriginStr","envAllowOrigin","includes","split","corsOptions","origin","methods","credentials","optionsSuccessStatus","cors","import_express","import_passport","PREFIX","process","env","oidcDiscoverIssuer","opts","issuerUrl","issuer","Issuer","discover","console","log","metadata","oidcGetClient","Client","jwks","options","getLoginEndpoint","router","enabled","strategy","endpoint","authentication","Error","path","get","req","res","next","redirectPage","session","passport","authenticate","strategyOptions","keepSessionInfo","undefined","getLoginCallbackEndpoint","user","name","redirect","getLogoutEndpoint","client","endSessionUrl","error","getLogoutCallbackEndpoint","logout","err","JSON","stringify","e","sendErrorResponse","getIdTokenEndpoint","isUserAuthenticated","tokens","id_token","json","getAuthenticatedUserEndpoint","OpenIDConnectAuthApi","_router","_express","_agent","_opts","args","agent","copyGlobalAuthToEndpoints","keys","expressSupport","express","Router","features","enabledFeatures","includes","endpointOpts","getLogin","getLogout","getIdToken","getAuthenticatedUser","use","basePath"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/entra-id-auth.ts","../src/oidc-bearer-auth.ts","../src/static-bearer-auth.ts","../src/auth-utils.ts","../src/express-utils.ts","../src/types.ts","../src/express-builders.ts","../src/functions.ts","../src/openid-connect-rp.ts"],"sourcesContent":["export * from './entra-id-auth'\nexport * from './oidc-bearer-auth'\nexport * from './static-bearer-auth'\nexport * from './auth-utils'\nexport * from './express-builders'\nexport * from './types'\nexport { sendErrorResponse, jsonErrorHandler } from './express-utils'\nexport * from './functions'\nexport * from './openid-connect-rp'\n","import passport from 'passport'\nimport { IBearerStrategyOption, IBearerStrategyOptionWithRequest, ITokenPayload, VerifyCallback } from './types'\n\nexport class EntraIDAuth {\n private readonly strategy: string\n private options?: IBearerStrategyOptionWithRequest\n\n public static init(strategy: string) {\n return new EntraIDAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withOptions(options: IBearerStrategyOption | IBearerStrategyOptionWithRequest): this {\n this.options = {\n ...options,\n passReqToCallback: 'passReqToCallback' in options ? options.passReqToCallback : false,\n }\n return this\n }\n\n connectPassport() {\n const _options = this.options\n if (!_options) {\n throw Error('No options supplied for EntraID')\n }\n import('passport-azure-ad')\n .then((entraID) =>\n passport.use(\n this.strategy,\n new entraID.BearerStrategy(_options, function (token: ITokenPayload, cb: VerifyCallback): void {\n if (token) {\n // console.log(`token: ${JSON.stringify(token, null, 2)}`)\n return cb(null, token)\n }\n return cb('bearer token not found or incorrect', null)\n }),\n ),\n )\n .catch((reason) => {\n console.log(reason)\n throw Error('Could not create bearer strategy. Did you include the \"passport-azure-ad/bearer-strategy\" dependency in package.json?')\n })\n }\n}\n","import passport from 'passport'\n\nexport type OIDCAlgorithm = 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512' | 'PS256' | 'PS384' | 'PS512'\n\nexport interface IOIDCBearerOptions {\n issuer: string\n audience?: string | string[]\n jwksUri?: string\n algorithms?: OIDCAlgorithm[]\n}\n\nexport interface IOIDCTokenPayload {\n /** Issuer identifier */\n iss?: string\n /** Subject identifier */\n sub?: string\n /** Audience(s) */\n aud?: string | string[]\n /** Expiration time */\n exp?: number\n /** Not before */\n nbf?: number\n /** Issued at */\n iat?: number\n /** JWT ID */\n jti?: string\n /** Authorized party */\n azp?: string\n /** Scope */\n scope?: string\n /** Client ID */\n client_id?: string\n /** Additional claims */\n [key: string]: unknown\n}\n\nexport class OIDCBearerAuth {\n private readonly strategy: string\n private options: Partial<IOIDCBearerOptions> = {}\n\n public static init(strategy: string) {\n return new OIDCBearerAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withIssuer(issuer: string): this {\n this.options = { ...this.options, issuer }\n return this\n }\n\n public withAudience(audience: string | string[]): this {\n this.options = { ...this.options, audience }\n return this\n }\n\n public withJwksUri(jwksUri: string): this {\n this.options = { ...this.options, jwksUri }\n return this\n }\n\n public withAlgorithms(algorithms: OIDCAlgorithm[]): this {\n this.options = { ...this.options, algorithms }\n return this\n }\n\n public withOptions(options: Partial<IOIDCBearerOptions>): this {\n this.options = { ...this.options, ...options }\n return this\n }\n\n async connectPassport(): Promise<void> {\n const { issuer, audience, algorithms } = this.options\n\n if (!issuer) {\n return Promise.reject(new Error('No issuer supplied for OIDC Bearer Auth'))\n }\n\n let jwksUri = this.options.jwksUri\n if (!jwksUri) {\n jwksUri = await this.discoverJwksUri(issuer)\n }\n\n try {\n const [passportJwt, jwksRsa] = await Promise.all([import('passport-jwt'), import('jwks-rsa')])\n\n const { Strategy: JwtStrategy, ExtractJwt } = passportJwt\n const { passportJwtSecret } = jwksRsa\n\n const jwtOptions = {\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: passportJwtSecret({\n cache: true,\n rateLimit: true,\n jwksRequestsPerMinute: 5,\n jwksUri,\n }),\n issuer,\n audience,\n algorithms: algorithms ?? (['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'] as OIDCAlgorithm[]),\n }\n\n passport.use(\n this.strategy,\n new JwtStrategy(jwtOptions, (payload: IOIDCTokenPayload, done: (error: any, user?: any, info?: any) => void) => {\n if (payload) {\n return done(null, payload)\n }\n return done('Bearer token not found or incorrect', null)\n })\n )\n } catch (error) {\n console.error('Failed to initialize OIDC Bearer Auth:', error)\n return Promise.reject(\n new Error(\n 'Could not create JWT bearer strategy. Did you include \"passport-jwt\" and \"jwks-rsa\" dependencies in package.json?',\n { cause: error }\n )\n )\n }\n }\n\n private async discoverJwksUri(issuer: string): Promise<string> {\n const wellKnownUrl = `${issuer}${issuer.endsWith('/') ? '' : '/'}.well-known/openid-configuration`\n\n try {\n const response = await fetch(wellKnownUrl)\n if (!response.ok) {\n return Promise.reject(\n new Error(`Failed to fetch OIDC configuration from ${wellKnownUrl}: ${response.status} ${response.statusText}`)\n )\n }\n\n const config = (await response.json()) as { jwks_uri?: string }\n if (!config.jwks_uri) {\n return Promise.reject(new Error(`OIDC configuration at ${wellKnownUrl} does not contain jwks_uri`))\n }\n\n return config.jwks_uri\n } catch (error) {\n return Promise.reject(\n new Error(`Failed to discover JWKS URI from OIDC configuration at ${wellKnownUrl}`, { cause: error })\n )\n }\n }\n}\n","import passport from 'passport'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { BearerUser, IStaticBearerVerifyOptions } from './types'\n\nexport class StaticBearerAuth {\n private readonly strategy: string\n private static providers: Map<string, StaticBearerUserProvider> = new Map()\n private static verifyOptions: Map<string, IStaticBearerVerifyOptions | string> = new Map()\n private hashTokens?: boolean = false\n\n public static init(strategy: string, provider?: StaticBearerUserProvider) {\n return new StaticBearerAuth(strategy ?? 'bearer', provider ?? new MapBasedStaticBearerUserProvider(strategy))\n }\n\n private constructor(strategy: string, provider: StaticBearerUserProvider) {\n this.strategy = strategy\n if (StaticBearerAuth.providers.has(strategy)) {\n if (StaticBearerAuth.providers.get(strategy) !== provider) {\n throw Error('Cannot register another user provider for strategy: ' + strategy)\n }\n } else {\n StaticBearerAuth.providers.set(strategy, provider)\n }\n }\n\n get provider() {\n const provider = StaticBearerAuth.providers.get(this.strategy)\n if (!provider) {\n throw Error('Could not get user provider for ' + this.strategy)\n }\n return provider\n }\n\n withHashTokens(hashTokens: boolean): this {\n this.hashTokens = hashTokens\n return this\n }\n\n withUsers(users: BearerUser[] | BearerUser): this {\n this.addUser(users)\n return this\n }\n\n addUser(user: BearerUser[] | BearerUser): this {\n this.provider.addUser(user)\n return this\n }\n\n withVerifyOptions(options: IStaticBearerVerifyOptions | string): this {\n StaticBearerAuth.verifyOptions.set(this.strategy, options)\n return this\n }\n\n connectPassport() {\n const _provider = this.provider\n function findUser(token: string, cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void) {\n const user = _provider.getUser(token)\n if (user) {\n return cb(null, user)\n }\n return cb('bearer token not found or incorrect', false)\n }\n\n import('passport-http-bearer')\n .then((httpBearer) => {\n const hashTokens = this.hashTokens ?? false\n passport.use(\n this.strategy,\n new httpBearer.Strategy({ passReqToCallback: false }, function (\n token: string,\n cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void,\n ): void {\n if (hashTokens) {\n import('@noble/hashes/sha256')\n .then((hash) => {\n findUser(toString(hash.sha256(token)), cb)\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n } else {\n findUser(token, cb)\n }\n }),\n )\n })\n .catch((error) => {\n console.log(`passport-http-bearer package problem: ${error}`)\n throw Error('Did you include passport-http-bearer in package.json?')\n })\n }\n}\n\nexport interface StaticBearerUserProvider {\n strategy: string\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void\n\n getUser(token: string): BearerUser | undefined\n\n hashedTokens?: boolean\n}\n\nexport class MapBasedStaticBearerUserProvider implements StaticBearerUserProvider {\n private readonly _strategy: string\n private readonly _users: BearerUser[] = []\n private readonly _hashedTokens: boolean\n\n constructor(strategy: string, hashedTokens?: boolean) {\n this._strategy = strategy\n this._hashedTokens = hashedTokens ?? false\n }\n\n get users(): BearerUser[] {\n return this._users\n }\n\n get hashedTokens(): boolean {\n return this._hashedTokens\n }\n\n get strategy(): string {\n return this._strategy\n }\n\n getUser(token: string): BearerUser | undefined {\n return this.users.find((user) => user.token === token)\n }\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void {\n const users = Array.isArray(user) ? user : [user]\n if (hashToken) {\n if (!this.hashedTokens) {\n throw Error('Cannot hash token, when hashed tokens is not enabled on the user provider for strategy ' + this.strategy)\n }\n import('@noble/hashes/sha256')\n .then((hash) => {\n users.forEach((user) => (user.token = toString(hash.sha256(user.token))))\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n }\n this._users.push(...users)\n }\n\n getUsers(): BearerUser[] {\n return this._users\n }\n}\n","import express, { NextFunction, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport passport from 'passport'\nimport { ParsedQs } from 'qs'\nimport { sendErrorResponse } from './express-utils'\nimport { EndpointArgs, hasEndpointOpts, HasEndpointOpts } from './types'\n\nexport const checkUserIsInRole = (opts: { roles: string | string[] }) => (req: express.Request, res: express.Response, next: NextFunction) => {\n if (!opts?.roles || opts.roles.length === 0) {\n return next()\n }\n const roles = Array.isArray(opts.roles) ? opts.roles : [opts.roles]\n if (!req?.user || !('role' in req.user)) {\n return res.status(401).end()\n }\n\n // @ts-ignore\n const hasRole = roles.find((role) => req.user.role.toLowerCase() === role.toLowerCase())\n if (!hasRole) {\n return res.status(403).end()\n }\n\n return next()\n}\n\nconst checkAuthenticationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n const defaultCallback = (\n err: any,\n user?: Express.User | false | null,\n _info?: object | string | Array<string | undefined>,\n _status?: number | Array<number | undefined>,\n ) => {\n if (err) {\n const message = 'message' in err ? err.message : err\n console.log('Authentication failed, error: ' + JSON.stringify(message))\n return next({ statusCode: 403, message })\n } else if (!user) {\n console.log('Authentication failed, no user object present in request. Redirecting to /login')\n // todo: configuration option\n return res.redirect('/authentication/login')\n }\n if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n })\n }\n /* /!*if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n return res.redirect('/')\n })\n }*!/*/\n return next()\n }\n\n if (!opts || !opts.authentication || opts.authentication.enabled === false) {\n return next()\n }\n if (!opts.authentication.strategy) {\n console.log(`Authentication enabled, but no strategy configured. All auth request will be denied!`)\n return res.status(401).end()\n }\n const options = {\n ...opts?.authentication?.strategyOptions,\n authInfo: opts?.authentication?.authInfo !== false,\n session: opts?.authentication?.session !== false,\n }\n\n const callback = opts?.authentication?.callback ?? (opts?.authentication?.useDefaultCallback ? defaultCallback : undefined)\n\n passport.authenticate(opts.authentication.strategy, options, callback).call(this, req, res, next)\n}\nconst checkAuthorizationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n if (!opts || !opts.authentication || !opts.authorization || opts.authentication.enabled === false || opts?.authorization.enabled === false) {\n return next()\n }\n /*if (!req.isAuthenticated()) {\n return sendErrorResponse(res, 403, 'Authorization with an unauthenticated request is not possible')\n }*/\n const authorization = opts.authorization\n\n if (!authorization.enforcer && (!authorization.requireUserInRoles || authorization.requireUserInRoles.length === 0)) {\n console.log(`Authorization enabled for endpoint, but no enforcer or roles supplied`)\n return res.status(401).end()\n }\n if (authorization.requireUserInRoles && authorization.requireUserInRoles.length > 0) {\n checkUserIsInRole({ roles: authorization.requireUserInRoles })\n }\n if (authorization.enforcer) {\n const enforcer = authorization.enforcer\n const permitted = enforcer.enforceSync(req.user, opts.resource, opts.operation)\n if (!permitted) {\n console.log(`Access to ${opts.resource} and op ${opts.operation} not allowed for ${req.user}`)\n return res.status(403).end()\n }\n }\n return next()\n}\n\nexport const checkAuthenticationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthenticationImpl(req, res, next, opts)\n}\n\nexport const checkAuthorizationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthorizationImpl(req, res, next, opts)\n}\n\nexport const isUserNotAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n next()\n }\n}\n\nexport const isUserAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n } else {\n return next()\n }\n}\n\nexport const checkAuth = (opts?: EndpointArgs): RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] => {\n const handlers: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] = []\n handlers.push(checkAuthenticationOnly(opts))\n handlers.push(checkAuthorizationOnly(opts))\n opts?.handlers && handlers.push(...opts.handlers)\n return handlers\n}\n\nexport function copyGlobalAuthToEndpoint(args?: { opts?: HasEndpointOpts; key: string }) {\n const opts = args?.opts\n const key = args?.key\n if (!opts || !key || !hasEndpointOpts(opts)) {\n return\n }\n if (key === 'basePath') {\n // make sure to not copy base path over, as we use these at the global router, and this would repeat the path\n return\n }\n if (opts.endpointOpts?.globalAuth) {\n if (opts.endpointOpts[key]?.disableGlobalAuth === true) {\n return\n }\n opts.endpointOpts[key] = {\n ...opts.endpointOpts[key],\n endpoint: { ...opts.endpointOpts.globalAuth, ...opts.endpointOpts[key]?.endpoint },\n }\n }\n}\n\nexport function copyGlobalAuthToEndpoints(args?: { opts?: HasEndpointOpts; keys: string[] }) {\n args?.keys.forEach((key) => copyGlobalAuthToEndpoint({ opts: args?.opts, key }))\n}\n","import express, { NextFunction } from 'express'\n\nexport function sendErrorResponse(response: express.Response, statusCode: number, message: string | object, error?: any) {\n let msg = message\n if (!msg) {\n console.error('Message was null when calling sendErrorResponse. This should not happen')\n msg = 'An unexpected error occurred'\n statusCode = 500\n } else {\n console.error(`sendErrorResponse (${statusCode}): ${typeof msg === 'string' ? msg : JSON.stringify(msg)}`)\n }\n if (error) {\n if (error instanceof Error) {\n console.error(`error message: ${error.message}`)\n }\n console.error(`error object: ${JSON.stringify(error)}`)\n }\n if (statusCode >= 500) {\n console.error('Original error stack (if any) and REST API error stack:')\n console.error(error?.stack)\n console.error(Error().stack)\n }\n if (response.headersSent) {\n console.error(`sendErrorResponse headers already sent`)\n return response\n }\n response.statusCode = statusCode\n if (typeof msg === 'string' && !msg.startsWith('{')) {\n msg = { error: msg }\n }\n if (typeof msg === 'string' && msg.startsWith('{')) {\n response.header('Content-Type', 'application/json')\n return response.status(statusCode).end(msg)\n }\n return response.status(statusCode).json(msg)\n}\n\nexport const jsonErrorHandler = (err: any, req: express.Request, res: express.Response, next: NextFunction) => {\n const statusCode: number = 'statusCode' in err ? err.statusCode : 500\n let errorMsg = typeof err === 'string' ? err : (err.message ?? err)\n if (typeof errorMsg !== 'string') {\n errorMsg = JSON.stringify(errorMsg)\n }\n if (res.headersSent) {\n console.log('Headers already sent, when calling error handler. Will defer to next error handler')\n console.log(`Error was: ${JSON.stringify(err)}`)\n return next(err)\n }\n return sendErrorResponse(res, statusCode, errorMsg, err)\n}\n","import { Enforcer } from 'casbin'\nimport { Express, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport http from 'http'\nimport { HttpTerminator } from 'http-terminator'\nimport { AuthenticateCallback, Strategy } from 'passport'\nimport { ParsedQs } from 'qs'\n\nexport interface IExpressServerOpts {\n port?: number // The port to listen on\n cookieSigningKey?: string\n hostname?: string // defaults to \"0.0.0.0\", meaning it will listen on all IP addresses. Can be an IP address or hostname\n basePath?: string\n existingExpress?: Express\n listenCallback?: () => void\n startListening?: boolean\n maxRequestBodySize?: string\n // externalBaseUrl?: string // In case an external base URL needs to be exposed\n}\n\nexport function hasEndpointOpts(opts: any) {\n return 'endpointOpts' in opts && opts.endpointOpts\n}\n\nexport type HasEndpointOpts = { endpointOpts?: IEndpointOpts & SingleEndpoints } & Record<string, any>\n\nexport type SingleEndpoints = Record<string, ISingleEndpointOpts | any>\nexport interface IEndpointOpts {\n basePath?: string // The base path used to construct the router\n baseUrl?: string | URL // Typically the external base URL\n globalAuth?: GenericAuthArgs\n}\nexport interface ExpressSupport {\n express: Express\n port: number\n hostname: string\n userIsInRole?: string | string[]\n startListening: boolean\n server?: http.Server\n enforcer?: Enforcer\n start: (opts?: { disableErrorHandler?: boolean; doNotStartListening?: boolean }) => { server: http.Server; terminator: HttpTerminator }\n stop: (terminator?: HttpTerminator) => Promise<boolean>\n}\n\nexport interface ISingleEndpointOpts extends GenericAuthArgs {\n endpoint?: EndpointArgs\n enabled?: boolean\n path?: string\n disableGlobalAuth?: boolean\n}\n\nexport interface GenericAuthArgs {\n authentication?: {\n callback?: AuthenticateCallback | ((...args: any[]) => any)\n useDefaultCallback?: boolean\n enabled?: boolean\n strategy?: string | string[] | Strategy\n strategyOptions?: Record<string, any> | any\n authInfo?: boolean\n session?: boolean\n }\n authorization?: {\n enabled?: boolean\n requireUserInRoles?: string | string[]\n enforcer?: Enforcer\n }\n}\n\nexport interface EndpointArgs extends GenericAuthArgs {\n resource?: string\n operation?: string\n handlers?: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[]\n}\n\nexport interface BearerUser extends Express.User {\n id: string | number\n name?: string\n token: string\n}\n\nexport interface IStaticBearerVerifyOptions {\n message?: string | undefined\n scope: string | Array<string>\n}\n\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface ITokenPayload {\n /** An App ID URI. Identifies the intended recipient of the token. */\n aud?: string | undefined\n /** A security token service(STS) URI. Identifies the STS that constructs and returns the token,\n * and the Azure AD tenant in which the user was authenticated.*/\n iss?: string | undefined\n /** The identity provider that authenticated the subject of the token*/\n idp?: string | undefined\n /** \"Issued At\" indicates when the authentication for this token occurred. */\n iat?: number | undefined\n /** The \"nbf\" (not before) claim identifies the time before which the JWT must not be accepted for processing. */\n nbf?: number | undefined\n /** The \"exp\" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. */\n exp?: number | undefined\n /** An internal claim used by Azure AD to record data for token reuse. */\n aio?: string | undefined\n /** Only present in v1.0 tokens. The \"Authentication context class\" claim. A value of \"0\" indicates the end-user authentication did not meet the requirements of ISO/IEC 29115. */\n acr?: '0' | '1' | undefined\n /** Only present in v1.0 tokens. Identifies how the subject of the token was authenticated. */\n amr?: string[] | undefined\n /** Only present in v1.0 tokens. GUID represents the application ID of the client using the token. */\n appid?: string | undefined\n /** Only present in v2.0 tokens. The application ID of the client using the token. */\n azp?: string | undefined\n /** Only present in v1.0 tokens. Indicates how the client was authenticated. For a public client, the value is \"0\".\n * If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n appidacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. Indicates how the client was authenticated.\n * For a public client, the value is \"0\". If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n azpacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format */\n preferred_username?: string | undefined\n /** Provides a human-readable value that identifies the subject of the token.\n * The value is not guaranteed to be unique, it is mutable, and it's designed to be used only for display purposes. The profile scope is required in order to receive this claim. */\n name?: string | undefined\n /** The set of scopes exposed by your application for which the client application has requested (and received) consent. */\n scp?: string | undefined\n /** The set of permissions exposed by your application that the requesting application has been given permission to call. */\n roles?: string[] | undefined\n /** Provides object IDs that represent the subject's group memberships. */\n groups?: string | string[] | undefined\n /** Denoting the user is in at least one group. */\n hasgroups?: true | undefined\n /** The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused.\n * It can be used to perform authorization checks safely, such as when the token is used to access a resource,\n * and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues,\n * we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. */\n sub?: string | undefined\n /** GUID represents a user. This ID uniquely identifies the user across applications. */\n oid?: string | undefined\n /** Represents the Azure AD tenant that the user is from. */\n tid?: string | undefined\n /** Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. */\n unique_name?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n uti?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n rh?: string | undefined\n /** Indicates the version of the access token. */\n ver?: '1.0' | '2.0' | undefined\n\n /** v1.0 basic claims */\n\n /** The IP address the user authenticated from. */\n ipaddr?: string | undefined\n /** In cases where the user has an on-premises authentication, this claim provides their SID. */\n onprem_sid?: string | undefined\n /** Indicates when the user's password expires. */\n pwd_exp?: number | undefined\n /** A URL where users can be sent to reset their password. */\n pwd_url?: string | undefined\n /** Signals if the client is logging in from the corporate network. If they aren't, the claim isn't included. */\n in_corp?: string | undefined\n /** An additional name for the user, separate from first or last name */\n nickname?: string | undefined\n /** Provides the last name, surname, or family name of the user as defined on the user object. */\n family_name?: string | undefined\n /** Provides the first or given name of the user, as set on the user object. */\n given_name?: string | undefined\n /** The username of the user. May be a phone number, email address, or unformatted string. */\n upn?: string | undefined\n}\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface IBearerStrategyOption extends IBaseStrategyOption {\n audience?: string | string[] | undefined\n policyName?: String | undefined\n allowMultiAudiencesInToken?: boolean | undefined\n scope?: string[] | undefined\n}\n\nexport interface IBearerStrategyOptionWithRequest extends IBearerStrategyOption {\n passReqToCallback: boolean\n}\nexport type VerifyBearerFunction = (token: ITokenPayload, done: VerifyCallback) => void\nexport interface VerifyCallback {\n (error: any, user?: any, info?: any): void\n}\n","/**\n * @public\n */\nimport bodyParser from 'body-parser'\nimport { Enforcer } from 'casbin'\nimport cors, { CorsOptions } from 'cors'\n\nimport express, { Express } from 'express'\nimport { Application, ApplicationRequestHandler } from 'express-serve-static-core'\nimport expressSession from 'express-session'\nimport session from 'express-session'\nimport http from 'http'\nimport { createHttpTerminator, HttpTerminator } from 'http-terminator'\nimport morgan from 'morgan'\nimport passport, { InitializeOptions } from 'passport'\nimport { checkUserIsInRole } from './auth-utils'\nimport { jsonErrorHandler } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, IExpressServerOpts } from './types'\n\ntype Handler<Request extends http.IncomingMessage, Response extends http.ServerResponse> = (\n req: Request,\n res: Response,\n callback: (err?: Error) => void,\n) => void\n\nconst DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE = '5mb'\n\nexport class ExpressBuilder {\n private existingExpress?: Express\n private hostnameOrIP?: string\n private port?: number\n private _handlers?: ApplicationRequestHandler<Application>[] = []\n private listenCallback?: () => void\n private _startListen?: boolean | undefined = undefined\n private readonly envVarPrefix?: string\n private _corsConfigurer?: ExpressCorsConfigurer\n private _sessionOpts?: session.SessionOptions\n private _usePassportAuth?: boolean = false\n private _passportInitOpts?: InitializeOptions\n private _userIsInRole?: string | string[]\n private _enforcer?: Enforcer\n private _server?: http.Server | undefined\n private _terminator?: HttpTerminator\n private _morgan?: Handler<any, any> | undefined\n private _maxRequestBodySize?: string\n\n private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = opts ?? {}\n if (existingExpress) {\n this.withExpress(existingExpress)\n }\n this.envVarPrefix = envVarPrefix ?? ''\n }\n\n public static fromExistingExpress(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n return new ExpressBuilder(opts ?? {})\n }\n\n public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {\n const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })\n if (opts.maxRequestBodySize) {\n builder.withMaxRequestBodySize(opts.maxRequestBodySize)\n }\n return builder.withEnableListenOpts({ ...opts, hostnameOrIP: opts.hostname, startOnBuild: opts.startListening ?? false })\n }\n\n public enableListen(startOnBuild?: boolean): this {\n if (startOnBuild !== undefined) {\n this._startListen = startOnBuild\n }\n return this\n }\n\n public withMorganLogging(opts?: { existingMorgan?: Handler<any, any>; format?: string; options?: morgan.Options<any, any> }): this {\n if (opts?.existingMorgan && (opts.format || opts.options)) {\n throw Error('Cannot using an existing morgan with either a format or options')\n }\n this._morgan = opts?.existingMorgan ?? morgan(opts?.format ?? 'dev', opts?.options)\n return this\n }\n\n public withEnableListenOpts({\n port,\n hostnameOrIP,\n callback,\n startOnBuild,\n }: {\n port?: number\n hostnameOrIP?: string\n startOnBuild?: boolean\n callback?: () => void\n }): this {\n port && this.withPort(port)\n hostnameOrIP && this.withHostname(hostnameOrIP)\n if (typeof callback === 'function') {\n this.withListenCallback(callback)\n }\n this._startListen = startOnBuild === true\n return this\n }\n\n public withPort(port: number): this {\n this.port = port\n return this\n }\n\n public withHostname(hostnameOrIP: string): this {\n this.hostnameOrIP = hostnameOrIP\n return this\n }\n\n public withListenCallback(callback: () => void): this {\n this.listenCallback = callback\n return this\n }\n\n public withExpress(existingExpress: Express): this {\n this.existingExpress = existingExpress\n this._startListen = false\n return this\n }\n\n public withCorsConfigurer(configurer: ExpressCorsConfigurer): this {\n this._corsConfigurer = configurer\n return this\n }\n\n public withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this {\n this._usePassportAuth = usePassport\n this._passportInitOpts = initializeOptions\n return this\n }\n\n public withGlobalUserIsInRole(userIsInRole: string | string[]): this {\n this._userIsInRole = userIsInRole\n return this\n }\n\n public withEnforcer(enforcer: Enforcer): this {\n this._enforcer = enforcer\n return this\n }\n\n public withMaxRequestBodySize(limit: string): this {\n this._maxRequestBodySize = limit\n return this\n }\n\n public startListening(express: Express) {\n this._server = express.listen(this.getPort(), this.getHostname(), this.listenCallback)\n this._terminator = createHttpTerminator({\n server: this._server,\n // gracefulTerminationTimeout: 10\n })\n\n return { server: this._server, terminator: this._terminator }\n }\n\n public getHostname(): string {\n return this.hostnameOrIP ?? env('HOSTNAME', this.envVarPrefix) ?? '0.0.0.0'\n }\n\n public getPort(): number {\n return (this.port ?? env('PORT', this.envVarPrefix) ?? 5000) as number\n }\n\n public setHandlers(handlers: ApplicationRequestHandler<any> | ApplicationRequestHandler<any>[]): this {\n if (Array.isArray(handlers)) {\n this._handlers = handlers\n } else if (handlers) {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handlers)\n } else {\n this._handlers = []\n }\n\n return this\n }\n\n public addHandler(handler: ApplicationRequestHandler<any>): this {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handler)\n return this\n }\n\n public withSessionOptions(sessionOpts: session.SessionOptions): this {\n this._sessionOpts = sessionOpts\n return this\n }\n\n public build<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): ExpressSupport {\n const express = this.buildExpress(opts)\n const startListening = opts?.startListening === undefined ? this._startListen !== true : opts.startListening\n let started = this._server !== undefined\n if (startListening && !started) {\n this.startListening(express)\n started = true\n }\n\n return {\n express,\n port: this.getPort(),\n hostname: this.getHostname(),\n userIsInRole: this._userIsInRole,\n startListening,\n enforcer: this._enforcer,\n start: (opts) => {\n if (opts?.doNotStartListening) {\n console.log('Express will not start listening. You will have to start it yourself')\n } else {\n if (!started) {\n this.startListening(express)\n started = true\n }\n }\n\n if (opts?.disableErrorHandler !== true) {\n express.use(jsonErrorHandler)\n }\n return { server: this._server!, terminator: this._terminator! }\n },\n stop: async (terminator?: HttpTerminator) => {\n const term = terminator ?? this._terminator\n if (!term) {\n return false\n }\n return await term.terminate().then(() => true)\n },\n }\n }\n\n protected buildExpress<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): express.Express {\n const app: express.Express = opts?.express ?? this.existingExpress ?? express()\n if (this._morgan) {\n app.use(this._morgan)\n }\n if (this._sessionOpts) {\n const store = this._sessionOpts.store ?? new expressSession.MemoryStore()\n this._sessionOpts.store = store\n app.use(expressSession(this._sessionOpts))\n }\n if (this._usePassportAuth) {\n app.use(passport.initialize(this._passportInitOpts))\n if (this._sessionOpts) {\n // app.use(passport.authenticate('session'))\n //_sessionOpts are not for passport session, they are for express above\n app.use(passport.session())\n }\n }\n if (this._userIsInRole) {\n app.use(checkUserIsInRole({ roles: this._userIsInRole }))\n }\n if (this._corsConfigurer) {\n this._corsConfigurer.configure({ existingExpress: app })\n }\n\n // @ts-ignore\n this._handlers && this._handlers.length > 0 && app.use(this._handlers)\n // @ts-ignore\n opts?.handlers && app.use(opts.handlers)\n //fixme: this should come from the config\n const limit = this._maxRequestBodySize ?? DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE\n app.use(bodyParser.urlencoded({ extended: true, limit }))\n app.use(bodyParser.json({ limit }))\n return app\n }\n}\n\nexport class ExpressCorsConfigurer {\n private _disableCors?: boolean\n private _enablePreflightOptions?: boolean\n private _allowOrigin?: boolean | string | RegExp | Array<boolean | string | RegExp>\n private _allowMethods?: string | string[]\n private _allowedHeaders?: string | string[]\n private _allowCredentials?: boolean\n private readonly _express?: Express\n private readonly _envVarPrefix?: string\n\n constructor(args?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = args ?? {}\n this._express = existingExpress\n this._envVarPrefix = envVarPrefix\n }\n\n public allowOrigin(value: string | boolean | RegExp | Array<string | boolean | RegExp>): this {\n this._allowOrigin = value\n return this\n }\n\n public disableCors(value: boolean): this {\n this._disableCors = value\n return this\n }\n\n public allowMethods(value: string | string[]): this {\n this._allowMethods = value\n return this\n }\n\n public allowedHeaders(value: string | string[]): this {\n this._allowedHeaders = value\n return this\n }\n\n public allowCredentials(value: boolean): this {\n this._allowCredentials = value\n return this\n }\n\n public configure({ existingExpress }: { existingExpress?: Express }) {\n const express = existingExpress ?? this._express\n if (!express) {\n throw Error('No express passed in during construction or configure')\n }\n\n const disableCorsEnv = env('CORS_DISABLE', this._envVarPrefix)\n const corsDisabled = this._disableCors ?? (disableCorsEnv ? /true/.test(disableCorsEnv) : false)\n if (corsDisabled) {\n return\n }\n const envAllowOriginStr = env('CORS_ALLOW_ORIGIN', this._envVarPrefix) ?? '*'\n let envAllowOrigin: string[] | string\n if (envAllowOriginStr.includes(',')) {\n envAllowOrigin = envAllowOriginStr.split(',')\n } else if (envAllowOriginStr.includes(' ')) {\n envAllowOrigin = envAllowOriginStr.split(' ')\n } else {\n envAllowOrigin = envAllowOriginStr\n }\n if (Array.isArray(envAllowOrigin) && envAllowOrigin.length === 1) {\n envAllowOrigin = envAllowOrigin[0]\n }\n const corsOptions: CorsOptions = {\n origin: this._allowOrigin ?? envAllowOrigin,\n // todo: env vars\n ...(this._allowMethods && { methods: this._allowMethods }),\n ...(this._allowedHeaders && { allowedHeaders: this._allowedHeaders }),\n ...(this._allowCredentials !== undefined && { credentials: this._allowCredentials }),\n optionsSuccessStatus: 204,\n }\n\n if (this._enablePreflightOptions) {\n express.options('*', cors(corsOptions))\n }\n express.use(cors(corsOptions))\n }\n}\n","export function env(key?: string, prefix?: string): string | undefined {\n if (!key) {\n return undefined\n }\n return process.env[`${prefix ? prefix.trim() : ''}${key}`]\n}\n","import { TAgent } from '@veramo/core'\nimport express, { Express, NextFunction, Router } from 'express'\nimport { BaseClient, ClientMetadata, ClientOptions, Issuer } from 'openid-client'\nimport passport from 'passport'\nimport { JsonWebKey } from '@sphereon/ssi-types'\nimport { copyGlobalAuthToEndpoints, isUserAuthenticated } from './auth-utils'\nimport { sendErrorResponse } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, GenericAuthArgs, ISingleEndpointOpts } from './types'\n\nconst PREFIX = process.env.PREFIX ?? ''\nexport async function oidcDiscoverIssuer(opts?: { issuerUrl?: string }) {\n const issuerUrl = opts?.issuerUrl ?? env('OIDC_ISSUER', PREFIX) ?? 'https://auth01.test.sphereon.com/auth/realms/energy-shr'\n const issuer = await Issuer.discover(issuerUrl)\n console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata)\n return { issuer, issuerUrl }\n}\n\nexport async function oidcGetClient(\n issuer: Issuer<BaseClient>,\n metadata: ClientMetadata,\n opts?: {\n jwks?: { keys: JsonWebKey[] }\n options?: ClientOptions\n },\n) {\n // @ts-ignore\n return new issuer.Client(metadata, opts?.jwks, opts?.options)\n}\n\nexport function getLoginEndpoint(router: Router, opts?: ISingleEndpointOpts & { redirectUrl?: string }) {\n if (opts?.enabled === false) {\n console.log(`Login endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/login'\n router.get(\n path,\n (req: any, res: any, next: NextFunction) => {\n const redirectPage = req.get('referer') ?? '/'\n req.session.redirectPage = redirectPage\n next()\n },\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: false },\n undefined,\n ),\n )\n}\n\nexport function getLoginCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Auth callback endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/callback'\n router.get(\n path,\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: true },\n undefined,\n ),\n (req: any, res: any, next) => {\n if (req.user) {\n console.log('User authenticated', req.user?.name)\n // console.log(req.session)\n const redirectPage = req.session.redirectPage ?? '/search'\n // console.log(`PRE LOGIN PAGE in callback: ${redirectPage}`)\n delete req.session.redirectPage\n return res.redirect(redirectPage)\n } else {\n return res.redirect(env('OIDC_FRONTEND_LOGIN_URL', PREFIX) ?? 'http://localhost:3001/authentication/login')\n }\n },\n )\n}\n\nexport function getLogoutEndpoint(router: Router, client: BaseClient, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout'\n router.get(path, (req, res) => {\n try {\n if (client.endSessionUrl()) {\n return res.redirect(client.endSessionUrl())\n } else {\n console.log('IDP does not support end session url')\n return res.redirect('/authentication/logout-callback')\n }\n } catch (error) {\n console.log(error)\n return res.redirect('/authentication/logout-callback')\n }\n })\n}\n\nexport function getLogoutCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout callback endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout-callback'\n router.get(path, (req, res, next) => {\n try {\n req.logout((err) => {\n if (err) {\n console.log(`Error during calling logout-callback: ${JSON.stringify(err)}`)\n }\n })\n return res.redirect(env('OIDC_FRONTEND_LOGOUT_REDIRECT_URL', PREFIX) ?? '/')\n } catch (e) {\n return sendErrorResponse(res, 500, 'An unexpected error occurred during logout callback', e)\n }\n })\n}\n\nexport function getIdTokenEndpoint(router: Router, client: BaseClient, opts: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`ID Token endpoint is disabled`)\n return\n }\n const path = opts.path ?? '/authentication/tokens/id'\n router.get(path, isUserAuthenticated, (req: any, res: any) => {\n if (req.session.tokens.id_token) {\n return res.json({ id_token: req.session.tokens.id_token })\n } else {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n })\n}\n\nexport function getAuthenticatedUserEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Authenticated User endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/user'\n router.get(path, isUserAuthenticated, (req: any, res: any, next: any) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n let user = req.user\n return res.json(user)\n })\n}\n\nexport interface IAuthenticationOpts {\n enabledFeatures?: AuthenticationApiFeatures\n endpointOpts?: IAuthenticationEndpointOpts\n}\n\nexport interface IAuthenticationEndpointOpts {\n basePath?: string\n globalAuth?: GenericAuthArgs\n getAuthenticatedUser?: ISingleEndpointOpts\n getLogin?: ISingleEndpointOpts\n getLogout?: ISingleEndpointOpts\n getIdToken?: ISingleEndpointOpts\n}\n\nexport type AuthenticationApiFeatures = 'login' | 'logout' | 'id-token' | 'authenticated-user'\n\nexport class OpenIDConnectAuthApi {\n get router(): express.Router {\n return this._router\n }\n\n private readonly _express: Express\n private readonly _agent?: TAgent<any>\n private readonly _opts?: IAuthenticationOpts\n private readonly _router: Router\n\n constructor(args: { agent?: TAgent<any>; expressSupport: ExpressSupport; client: BaseClient; opts: IAuthenticationOpts }) {\n const { agent, opts } = args\n this._agent = agent\n copyGlobalAuthToEndpoints({ opts, keys: ['getLogin'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getIdToken'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getAuthenticatedUser'] })\n // no need for the logout, as you these are not protected by auth\n this._opts = opts\n this._express = args.expressSupport.express\n this._router = express.Router()\n const features = opts?.enabledFeatures ?? ['login', 'logout', 'id-token', 'authenticated-user']\n console.log(`Authentication API enabled`)\n\n if (features.includes('login')) {\n getLoginEndpoint(this.router, opts?.endpointOpts?.getLogin)\n getLoginCallbackEndpoint(this.router, opts?.endpointOpts?.getLogin)\n }\n if (features.includes('logout')) {\n getLogoutEndpoint(this.router, args.client, opts?.endpointOpts?.getLogout)\n getLogoutCallbackEndpoint(this.router, opts?.endpointOpts?.getLogout)\n }\n if (features.includes('id-token')) {\n if (opts.endpointOpts?.getIdToken === undefined) {\n throw Error('Cannot enable id-token endpoint without providing id-token endpoint options')\n }\n getIdTokenEndpoint(this.router, args.client, opts?.endpointOpts?.getIdToken)\n }\n if (features.includes('authenticated-user')) {\n getAuthenticatedUserEndpoint(this.router, opts?.endpointOpts?.getAuthenticatedUser)\n }\n this._express.use(opts?.endpointOpts?.basePath ?? '', this.router)\n }\n\n get agent(): TAgent<any> | undefined {\n return this._agent\n }\n\n get opts(): IAuthenticationOpts | undefined {\n return this._opts\n }\n\n get express(): Express {\n return this._express\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,sBAAqB;AAGd,IAAMA,cAAN,MAAMA,aAAAA;EAHb,OAGaA;;;EACMC;EACTC;EAER,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,aAAYC,QAAAA;EACzB;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,YAAYF,SAAyE;AAC1F,SAAKA,UAAU;MACb,GAAGA;MACHG,mBAAmB,uBAAuBH,UAAUA,QAAQG,oBAAoB;IAClF;AACA,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,WAAW,KAAKL;AACtB,QAAI,CAACK,UAAU;AACb,YAAMC,MAAM,iCAAA;IACd;AACA,WAAO,mBAAA,EACJC,KAAK,CAACC,YACLC,gBAAAA,QAASC,IACP,KAAKX,UACL,IAAIS,QAAQG,eAAeN,UAAU,SAAUO,OAAsBC,IAAkB;AACrF,UAAID,OAAO;AAET,eAAOC,GAAG,MAAMD,KAAAA;MAClB;AACA,aAAOC,GAAG,uCAAuC,IAAA;IACnD,CAAA,CAAA,CAAA,EAGHC,MAAM,CAACC,WAAAA;AACNC,cAAQC,IAAIF,MAAAA;AACZ,YAAMT,MAAM,uHAAA;IACd,CAAA;EACJ;AACF;;;AC9CA,IAAAY,mBAAqB;AAoCd,IAAMC,iBAAN,MAAMA,gBAAAA;EApCb,OAoCaA;;;EACMC;EACTC,UAAuC,CAAC;EAEhD,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,gBAAeC,QAAAA;EAC5B;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,WAAWC,QAAsB;AACtC,SAAKH,UAAU;MAAE,GAAG,KAAKA;MAASG;IAAO;AACzC,WAAO;EACT;EAEOC,aAAaC,UAAmC;AACrD,SAAKL,UAAU;MAAE,GAAG,KAAKA;MAASK;IAAS;AAC3C,WAAO;EACT;EAEOC,YAAYC,SAAuB;AACxC,SAAKP,UAAU;MAAE,GAAG,KAAKA;MAASO;IAAQ;AAC1C,WAAO;EACT;EAEOC,eAAeC,YAAmC;AACvD,SAAKT,UAAU;MAAE,GAAG,KAAKA;MAASS;IAAW;AAC7C,WAAO;EACT;EAEOC,YAAYV,SAA4C;AAC7D,SAAKA,UAAU;MAAE,GAAG,KAAKA;MAAS,GAAGA;IAAQ;AAC7C,WAAO;EACT;EAEA,MAAMW,kBAAiC;AACrC,UAAM,EAAER,QAAQE,UAAUI,WAAU,IAAK,KAAKT;AAE9C,QAAI,CAACG,QAAQ;AACX,aAAOS,QAAQC,OAAO,IAAIC,MAAM,yCAAA,CAAA;IAClC;AAEA,QAAIP,UAAU,KAAKP,QAAQO;AAC3B,QAAI,CAACA,SAAS;AACZA,gBAAU,MAAM,KAAKQ,gBAAgBZ,MAAAA;IACvC;AAEA,QAAI;AACF,YAAM,CAACa,aAAaC,OAAAA,IAAW,MAAML,QAAQM,IAAI;QAAC,OAAO,cAAA;QAAiB,OAAO,UAAA;OAAY;AAE7F,YAAM,EAAEC,UAAUC,aAAaC,WAAU,IAAKL;AAC9C,YAAM,EAAEM,kBAAiB,IAAKL;AAE9B,YAAMM,aAAa;QACjBC,gBAAgBH,WAAWI,4BAA2B;QACtDC,qBAAqBJ,kBAAkB;UACrCK,OAAO;UACPC,WAAW;UACXC,uBAAuB;UACvBtB;QACF,CAAA;QACAJ;QACAE;QACAI,YAAYA,cAAe;UAAC;UAAS;UAAS;UAAS;UAAS;UAAS;;MAC3E;AAEAqB,uBAAAA,QAASC,IACP,KAAKhC,UACL,IAAIqB,YAAYG,YAAY,CAACS,SAA4BC,SAAAA;AACvD,YAAID,SAAS;AACX,iBAAOC,KAAK,MAAMD,OAAAA;QACpB;AACA,eAAOC,KAAK,uCAAuC,IAAA;MACrD,CAAA,CAAA;IAEJ,SAASC,OAAO;AACdC,cAAQD,MAAM,0CAA0CA,KAAAA;AACxD,aAAOtB,QAAQC,OACb,IAAIC,MACF,qHACA;QAAEsB,OAAOF;MAAM,CAAA,CAAA;IAGrB;EACF;EAEA,MAAcnB,gBAAgBZ,QAAiC;AAC7D,UAAMkC,eAAe,GAAGlC,MAAAA,GAASA,OAAOmC,SAAS,GAAA,IAAO,KAAK,GAAA;AAE7D,QAAI;AACF,YAAMC,WAAW,MAAMC,MAAMH,YAAAA;AAC7B,UAAI,CAACE,SAASE,IAAI;AAChB,eAAO7B,QAAQC,OACb,IAAIC,MAAM,2CAA2CuB,YAAAA,KAAiBE,SAASG,MAAM,IAAIH,SAASI,UAAU,EAAE,CAAA;MAElH;AAEA,YAAMC,SAAU,MAAML,SAASM,KAAI;AACnC,UAAI,CAACD,OAAOE,UAAU;AACpB,eAAOlC,QAAQC,OAAO,IAAIC,MAAM,yBAAyBuB,YAAAA,4BAAwC,CAAA;MACnG;AAEA,aAAOO,OAAOE;IAChB,SAASZ,OAAO;AACd,aAAOtB,QAAQC,OACb,IAAIC,MAAM,0DAA0DuB,YAAAA,IAAgB;QAAED,OAAOF;MAAM,CAAA,CAAA;IAEvG;EACF;AACF;;;ACnJA,IAAAa,mBAAqB;AAErB,uBAAyB;AAGlB,IAAMC,mBAAN,MAAMA,kBAAAA;EALb,OAKaA;;;EACMC;EACjB,OAAeC,YAAmD,oBAAIC,IAAAA;EACtE,OAAeC,gBAAkE,oBAAID,IAAAA;EAC7EE,aAAuB;EAE/B,OAAcC,KAAKL,UAAkBM,UAAqC;AACxE,WAAO,IAAIP,kBAAiBC,YAAY,UAAUM,YAAY,IAAIC,iCAAiCP,QAAAA,CAAAA;EACrG;EAEA,YAAoBA,UAAkBM,UAAoC;AACxE,SAAKN,WAAWA;AAChB,QAAID,kBAAiBE,UAAUO,IAAIR,QAAAA,GAAW;AAC5C,UAAID,kBAAiBE,UAAUQ,IAAIT,QAAAA,MAAcM,UAAU;AACzD,cAAMI,MAAM,yDAAyDV,QAAAA;MACvE;IACF,OAAO;AACLD,wBAAiBE,UAAUU,IAAIX,UAAUM,QAAAA;IAC3C;EACF;EAEA,IAAIA,WAAW;AACb,UAAMA,WAAWP,kBAAiBE,UAAUQ,IAAI,KAAKT,QAAQ;AAC7D,QAAI,CAACM,UAAU;AACb,YAAMI,MAAM,qCAAqC,KAAKV,QAAQ;IAChE;AACA,WAAOM;EACT;EAEAM,eAAeR,YAA2B;AACxC,SAAKA,aAAaA;AAClB,WAAO;EACT;EAEAS,UAAUC,OAAwC;AAChD,SAAKC,QAAQD,KAAAA;AACb,WAAO;EACT;EAEAC,QAAQC,MAAuC;AAC7C,SAAKV,SAASS,QAAQC,IAAAA;AACtB,WAAO;EACT;EAEAC,kBAAkBC,SAAoD;AACpEnB,sBAAiBI,cAAcQ,IAAI,KAAKX,UAAUkB,OAAAA;AAClD,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,YAAY,KAAKd;AACvB,aAASe,SAASC,OAAeC,IAAkF;AACjH,YAAMP,OAAOI,UAAUI,QAAQF,KAAAA;AAC/B,UAAIN,MAAM;AACR,eAAOO,GAAG,MAAMP,IAAAA;MAClB;AACA,aAAOO,GAAG,uCAAuC,KAAA;IACnD;AANSF;AAQT,WAAO,sBAAA,EACJI,KAAK,CAACC,eAAAA;AACL,YAAMtB,aAAa,KAAKA,cAAc;AACtCuB,uBAAAA,QAASC,IACP,KAAK5B,UACL,IAAI0B,WAAWG,SAAS;QAAEC,mBAAmB;MAAM,GAAG,SACpDR,OACAC,IAAkF;AAElF,YAAInB,YAAY;AACd,iBAAO,sBAAA,EACJqB,KAAK,CAACM,SAAAA;AACLV,yBAASW,2BAASD,KAAKE,OAAOX,KAAAA,CAAAA,GAASC,EAAAA;UACzC,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,oBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,kBAAMzB,MAAM,gDAAA;UACd,CAAA;QACJ,OAAO;AACLW,mBAASC,OAAOC,EAAAA;QAClB;MACF,CAAA,CAAA;IAEJ,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,cAAQC,IAAI,yCAAyCF,KAAAA,EAAO;AAC5D,YAAMzB,MAAM,uDAAA;IACd,CAAA;EACJ;AACF;AAYO,IAAMH,mCAAN,MAAMA;EAzGb,OAyGaA;;;EACM+B;EACAC,SAAuB,CAAA;EACvBC;EAEjB,YAAYxC,UAAkByC,cAAwB;AACpD,SAAKH,YAAYtC;AACjB,SAAKwC,gBAAgBC,gBAAgB;EACvC;EAEA,IAAI3B,QAAsB;AACxB,WAAO,KAAKyB;EACd;EAEA,IAAIE,eAAwB;AAC1B,WAAO,KAAKD;EACd;EAEA,IAAIxC,WAAmB;AACrB,WAAO,KAAKsC;EACd;EAEAd,QAAQF,OAAuC;AAC7C,WAAO,KAAKR,MAAM4B,KAAK,CAAC1B,SAASA,KAAKM,UAAUA,KAAAA;EAClD;EAEAP,QAAQC,MAAiC2B,WAA2B;AAClE,UAAM7B,QAAQ8B,MAAMC,QAAQ7B,IAAAA,IAAQA,OAAO;MAACA;;AAC5C,QAAI2B,WAAW;AACb,UAAI,CAAC,KAAKF,cAAc;AACtB,cAAM/B,MAAM,4FAA4F,KAAKV,QAAQ;MACvH;AACA,aAAO,sBAAA,EACJyB,KAAK,CAACM,SAAAA;AACLjB,cAAMgC,QAAQ,CAAC9B,UAAUA,MAAKM,YAAQU,2BAASD,KAAKE,OAAOjB,MAAKM,KAAK,CAAA,CAAA;MACvE,CAAA,EACCY,MAAM,CAACC,UAAAA;AACNC,gBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,cAAMzB,MAAM,gDAAA;MACd,CAAA;IACJ;AACA,SAAK6B,OAAOQ,KAAI,GAAIjC,KAAAA;EACtB;EAEAkC,WAAyB;AACvB,WAAO,KAAKT;EACd;AACF;;;ACtJA,IAAAU,mBAAqB;;;ACAd,SAASC,kBAAkBC,UAA4BC,YAAoBC,SAA0BC,OAAW;AACrH,MAAIC,MAAMF;AACV,MAAI,CAACE,KAAK;AACRC,YAAQF,MAAM,yEAAA;AACdC,UAAM;AACNH,iBAAa;EACf,OAAO;AACLI,YAAQF,MAAM,sBAAsBF,UAAAA,MAAgB,OAAOG,QAAQ,WAAWA,MAAME,KAAKC,UAAUH,GAAAA,CAAAA,EAAM;EAC3G;AACA,MAAID,OAAO;AACT,QAAIA,iBAAiBK,OAAO;AAC1BH,cAAQF,MAAM,kBAAkBA,MAAMD,OAAO,EAAE;IACjD;AACAG,YAAQF,MAAM,iBAAiBG,KAAKC,UAAUJ,KAAAA,CAAAA,EAAQ;EACxD;AACA,MAAIF,cAAc,KAAK;AACrBI,YAAQF,MAAM,yDAAA;AACdE,YAAQF,MAAMA,OAAOM,KAAAA;AACrBJ,YAAQF,MAAMK,MAAAA,EAAQC,KAAK;EAC7B;AACA,MAAIT,SAASU,aAAa;AACxBL,YAAQF,MAAM,wCAAwC;AACtD,WAAOH;EACT;AACAA,WAASC,aAAaA;AACtB,MAAI,OAAOG,QAAQ,YAAY,CAACA,IAAIO,WAAW,GAAA,GAAM;AACnDP,UAAM;MAAED,OAAOC;IAAI;EACrB;AACA,MAAI,OAAOA,QAAQ,YAAYA,IAAIO,WAAW,GAAA,GAAM;AAClDX,aAASY,OAAO,gBAAgB,kBAAA;AAChC,WAAOZ,SAASa,OAAOZ,UAAAA,EAAYa,IAAIV,GAAAA;EACzC;AACA,SAAOJ,SAASa,OAAOZ,UAAAA,EAAYc,KAAKX,GAAAA;AAC1C;AAjCgBL;AAmCT,IAAMiB,mBAAmB,wBAACC,KAAUC,KAAsBC,KAAuBC,SAAAA;AACtF,QAAMnB,aAAqB,gBAAgBgB,MAAMA,IAAIhB,aAAa;AAClE,MAAIoB,WAAW,OAAOJ,QAAQ,WAAWA,MAAOA,IAAIf,WAAWe;AAC/D,MAAI,OAAOI,aAAa,UAAU;AAChCA,eAAWf,KAAKC,UAAUc,QAAAA;EAC5B;AACA,MAAIF,IAAIT,aAAa;AACnBL,YAAQiB,IAAI,oFAAA;AACZjB,YAAQiB,IAAI,cAAchB,KAAKC,UAAUU,GAAAA,CAAAA,EAAM;AAC/C,WAAOG,KAAKH,GAAAA;EACd;AACA,SAAOlB,kBAAkBoB,KAAKlB,YAAYoB,UAAUJ,GAAAA;AACtD,GAZgC;;;ACjBzB,SAASM,gBAAgBC,MAAS;AACvC,SAAO,kBAAkBA,QAAQA,KAAKC;AACxC;AAFgBF;;;AFbT,IAAMG,oBAAoB,wBAACC,SAAuC,CAACC,KAAsBC,KAAuBC,SAAAA;AACrH,MAAI,CAACH,MAAMI,SAASJ,KAAKI,MAAMC,WAAW,GAAG;AAC3C,WAAOF,KAAAA;EACT;AACA,QAAMC,QAAQE,MAAMC,QAAQP,KAAKI,KAAK,IAAIJ,KAAKI,QAAQ;IAACJ,KAAKI;;AAC7D,MAAI,CAACH,KAAKO,QAAQ,EAAE,UAAUP,IAAIO,OAAO;AACvC,WAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAGA,QAAMC,UAAUP,MAAMQ,KAAK,CAACC,SAASZ,IAAIO,KAAKK,KAAKC,YAAW,MAAOD,KAAKC,YAAW,CAAA;AACrF,MAAI,CAACH,SAAS;AACZ,WAAOT,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAEA,SAAOP,KAAAA;AACT,GAhBiC;AAkBjC,IAAMY,0BAA0B,wBAACd,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACxG,QAAMgB,kBAAkB,wBACtBC,KACAT,MACAU,OACAC,YAAAA;AAEA,QAAIF,KAAK;AACP,YAAMG,UAAU,aAAaH,MAAMA,IAAIG,UAAUH;AACjDI,cAAQC,IAAI,mCAAmCC,KAAKC,UAAUJ,OAAAA,CAAAA;AAC9D,aAAOjB,KAAK;QAAEsB,YAAY;QAAKL;MAAQ,CAAA;IACzC,WAAW,CAACZ,MAAM;AAChBa,cAAQC,IAAI,iFAAA;AAEZ,aAAOpB,IAAIwB,SAAS,uBAAA;IACtB;AACA,QAAIC,QAAQC,SAAS;AACnB3B,UAAI4B,MAAMrB,MAAM,SAAUS,MAAG;AAC3B,YAAIA,MAAK;AACP,iBAAOd,KAAKc,IAAAA;QACd;MACF,CAAA;IACF;AASA,WAAOd,KAAAA;EACT,GA/BwB;AAiCxB,MAAI,CAACH,QAAQ,CAACA,KAAK8B,kBAAkB9B,KAAK8B,eAAeC,YAAY,OAAO;AAC1E,WAAO5B,KAAAA;EACT;AACA,MAAI,CAACH,KAAK8B,eAAeE,UAAU;AACjCX,YAAQC,IAAI,sFAAsF;AAClG,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,QAAMiB,UAAU;IACd,GAAG3B,MAAM8B,gBAAgBG;IACzBC,UAAUlC,MAAM8B,gBAAgBI,aAAa;IAC7CN,SAAS5B,MAAM8B,gBAAgBF,YAAY;EAC7C;AAEA,QAAMO,WAAWnC,MAAM8B,gBAAgBK,aAAanC,MAAM8B,gBAAgBM,qBAAqBpB,kBAAkBqB;AAEjHC,mBAAAA,QAASC,aAAavC,KAAK8B,eAAeE,UAAUL,SAASQ,QAAAA,EAAUK,KAAK,QAAMvC,KAAKC,KAAKC,IAAAA;AAC9F,GAlDgC;AAmDhC,IAAMsC,yBAAyB,wBAACxC,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACvG,MAAI,CAACA,QAAQ,CAACA,KAAK8B,kBAAkB,CAAC9B,KAAK0C,iBAAiB1C,KAAK8B,eAAeC,YAAY,SAAS/B,MAAM0C,cAAcX,YAAY,OAAO;AAC1I,WAAO5B,KAAAA;EACT;AAIA,QAAMuC,gBAAgB1C,KAAK0C;AAE3B,MAAI,CAACA,cAAcC,aAAa,CAACD,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,WAAW,IAAI;AACnHgB,YAAQC,IAAI,uEAAuE;AACnF,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,MAAIgC,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,SAAS,GAAG;AACnFN,sBAAkB;MAAEK,OAAOsC,cAAcE;IAAmB,CAAA;EAC9D;AACA,MAAIF,cAAcC,UAAU;AAC1B,UAAMA,WAAWD,cAAcC;AAC/B,UAAME,YAAYF,SAASG,YAAY7C,IAAIO,MAAMR,KAAK+C,UAAU/C,KAAKgD,SAAS;AAC9E,QAAI,CAACH,WAAW;AACdxB,cAAQC,IAAI,aAAatB,KAAK+C,QAAQ,WAAW/C,KAAKgD,SAAS,oBAAoB/C,IAAIO,IAAI,EAAE;AAC7F,aAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;IAC5B;EACF;AACA,SAAOP,KAAAA;AACT,GAzB+B;AA2BxB,IAAM8C,0BAA0B,wBAACjD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE5G,SAAOY,wBAAwBd,KAAKC,KAAKC,MAAMH,IAAAA;AACjD,GAHuC;AAKhC,IAAMkD,yBAAyB,wBAAClD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE3G,SAAOsC,uBAAuBxC,KAAKC,KAAKC,MAAMH,IAAAA;AAChD,GAHsC;AAK/B,IAAMmD,yBAAyB,wBAAClD,KAAsBC,KAAuBC,SAAAA;AAClF,MAAI,CAACF,IAAIO,MAAM;AACbL,SAAAA;EACF;AACF,GAJsC;AAM/B,IAAMiD,sBAAsB,wBAACnD,KAAsBC,KAAuBC,SAAAA;AAC/E,MAAI,CAACF,IAAIO,MAAM;AACb,WAAO6C,kBAAkBnD,KAAK,KAAK,yBAAA;EACrC,OAAO;AACL,WAAOC,KAAAA;EACT;AACF,GANmC;AAQ5B,IAAMmD,YAAY,wBAACtD,SAAAA;AACxB,QAAMuD,WAAwF,CAAA;AAC9FA,WAASC,KAAKP,wBAAwBjD,IAAAA,CAAAA;AACtCuD,WAASC,KAAKN,uBAAuBlD,IAAAA,CAAAA;AACrCA,QAAMuD,YAAYA,SAASC,KAAI,GAAIxD,KAAKuD,QAAQ;AAChD,SAAOA;AACT,GANyB;AAQlB,SAASE,yBAAyBC,MAA8C;AACrF,QAAM1D,OAAO0D,MAAM1D;AACnB,QAAM2D,MAAMD,MAAMC;AAClB,MAAI,CAAC3D,QAAQ,CAAC2D,OAAO,CAACC,gBAAgB5D,IAAAA,GAAO;AAC3C;EACF;AACA,MAAI2D,QAAQ,YAAY;AAEtB;EACF;AACA,MAAI3D,KAAK6D,cAAcC,YAAY;AACjC,QAAI9D,KAAK6D,aAAaF,GAAAA,GAAMI,sBAAsB,MAAM;AACtD;IACF;AACA/D,SAAK6D,aAAaF,GAAAA,IAAO;MACvB,GAAG3D,KAAK6D,aAAaF,GAAAA;MACrBK,UAAU;QAAE,GAAGhE,KAAK6D,aAAaC;QAAY,GAAG9D,KAAK6D,aAAaF,GAAAA,GAAMK;MAAS;IACnF;EACF;AACF;AAnBgBP;AAqBT,SAASQ,0BAA0BP,MAAiD;AACzFA,QAAMQ,KAAKC,QAAQ,CAACR,QAAQF,yBAAyB;IAAEzD,MAAM0D,MAAM1D;IAAM2D;EAAI,CAAA,CAAA;AAC/E;AAFgBM;;;AGzJhB,yBAAuB;AAEvB,kBAAkC;AAElC,qBAAiC;AAEjC,6BAA2B;AAG3B,6BAAqD;AACrD,oBAAmB;AACnB,IAAAG,mBAA4C;;;ACdrC,SAASC,IAAIC,KAAcC,QAAe;AAC/C,MAAI,CAACD,KAAK;AACR,WAAOE;EACT;AACA,SAAOC,QAAQJ,IAAI,GAAGE,SAASA,OAAOG,KAAI,IAAK,EAAA,GAAKJ,GAAAA,EAAK;AAC3D;AALgBD;;;AD0BhB,IAAMM,2CAA2C;AAE1C,IAAMC,iBAAN,MAAMA,gBAAAA;EA5Bb,OA4BaA;;;EACHC;EACAC;EACAC;EACAC,YAAuD,CAAA;EACvDC;EACAC,eAAqCC;EAC5BC;EACTC;EACAC;EACAC,mBAA6B;EAC7BC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAER,YAAoBC,MAA6D;AAC/E,UAAM,EAAElB,iBAAiBO,aAAY,IAAKW,QAAQ,CAAC;AACnD,QAAIlB,iBAAiB;AACnB,WAAKmB,YAAYnB,eAAAA;IACnB;AACA,SAAKO,eAAeA,gBAAgB;EACtC;EAEA,OAAca,oBAAoBF,MAA6D;AAC7F,WAAO,IAAInB,gBAAemB,QAAQ,CAAC,CAAA;EACrC;EAEA,OAAcG,eAAeH,MAAsD;AACjF,UAAMI,UAAU,IAAIvB,gBAAe;MAAEC,iBAAiBkB,MAAMlB;MAAiBO,cAAcW,MAAMX;IAAa,CAAA;AAC9G,QAAIW,KAAKK,oBAAoB;AAC3BD,cAAQE,uBAAuBN,KAAKK,kBAAkB;IACxD;AACA,WAAOD,QAAQG,qBAAqB;MAAE,GAAGP;MAAMjB,cAAciB,KAAKQ;MAAUC,cAAcT,KAAKU,kBAAkB;IAAM,CAAA;EACzH;EAEOC,aAAaF,cAA8B;AAChD,QAAIA,iBAAiBrB,QAAW;AAC9B,WAAKD,eAAesB;IACtB;AACA,WAAO;EACT;EAEOG,kBAAkBZ,MAA0G;AACjI,QAAIA,MAAMa,mBAAmBb,KAAKc,UAAUd,KAAKe,UAAU;AACzD,YAAMC,MAAM,iEAAA;IACd;AACA,SAAKlB,UAAUE,MAAMa,sBAAkBI,cAAAA,SAAOjB,MAAMc,UAAU,OAAOd,MAAMe,OAAAA;AAC3E,WAAO;EACT;EAEOR,qBAAqB,EAC1BvB,MACAD,cACAmC,UACAT,aAAY,GAML;AACPzB,YAAQ,KAAKmC,SAASnC,IAAAA;AACtBD,oBAAgB,KAAKqC,aAAarC,YAAAA;AAClC,QAAI,OAAOmC,aAAa,YAAY;AAClC,WAAKG,mBAAmBH,QAAAA;IAC1B;AACA,SAAK/B,eAAesB,iBAAiB;AACrC,WAAO;EACT;EAEOU,SAASnC,MAAoB;AAClC,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEOoC,aAAarC,cAA4B;AAC9C,SAAKA,eAAeA;AACpB,WAAO;EACT;EAEOsC,mBAAmBH,UAA4B;AACpD,SAAKhC,iBAAiBgC;AACtB,WAAO;EACT;EAEOjB,YAAYnB,iBAAgC;AACjD,SAAKA,kBAAkBA;AACvB,SAAKK,eAAe;AACpB,WAAO;EACT;EAEOmC,mBAAmBC,YAAyC;AACjE,SAAKjC,kBAAkBiC;AACvB,WAAO;EACT;EAEOC,iBAAiBC,aAAsBC,mBAA6C;AACzF,SAAKlC,mBAAmBiC;AACxB,SAAKhC,oBAAoBiC;AACzB,WAAO;EACT;EAEOC,uBAAuBC,cAAuC;AACnE,SAAKlC,gBAAgBkC;AACrB,WAAO;EACT;EAEOC,aAAaC,UAA0B;AAC5C,SAAKnC,YAAYmC;AACjB,WAAO;EACT;EAEOxB,uBAAuByB,OAAqB;AACjD,SAAKhC,sBAAsBgC;AAC3B,WAAO;EACT;EAEOrB,eAAesB,UAAkB;AACtC,SAAKpC,UAAUoC,SAAQC,OAAO,KAAKC,QAAO,GAAI,KAAKC,YAAW,GAAI,KAAKjD,cAAc;AACrF,SAAKW,kBAAcuC,6CAAqB;MACtCC,QAAQ,KAAKzC;IAEf,CAAA;AAEA,WAAO;MAAEyC,QAAQ,KAAKzC;MAAS0C,YAAY,KAAKzC;IAAY;EAC9D;EAEOsC,cAAsB;AAC3B,WAAO,KAAKpD,gBAAgBwD,IAAI,YAAY,KAAKlD,YAAY,KAAK;EACpE;EAEO6C,UAAkB;AACvB,WAAQ,KAAKlD,QAAQuD,IAAI,QAAQ,KAAKlD,YAAY,KAAK;EACzD;EAEOmD,YAAYC,UAAmF;AACpG,QAAIC,MAAMC,QAAQF,QAAAA,GAAW;AAC3B,WAAKxD,YAAYwD;IACnB,WAAWA,UAAU;AACnB,UAAI,CAAC,KAAKxD,WAAW;AACnB,aAAKA,YAAY,CAAA;MACnB;AACA,WAAKA,UAAU2D,KAAKH,QAAAA;IACtB,OAAO;AACL,WAAKxD,YAAY,CAAA;IACnB;AAEA,WAAO;EACT;EAEO4D,WAAWC,SAA+C;AAC/D,QAAI,CAAC,KAAK7D,WAAW;AACnB,WAAKA,YAAY,CAAA;IACnB;AACA,SAAKA,UAAU2D,KAAKE,OAAAA;AACpB,WAAO;EACT;EAEOC,mBAAmBC,aAA2C;AACnE,SAAKzD,eAAeyD;AACpB,WAAO;EACT;EAEOC,MAA6BjD,MAIjB;AACjB,UAAMgC,WAAU,KAAKkB,aAAalD,IAAAA;AAClC,UAAMU,iBAAiBV,MAAMU,mBAAmBtB,SAAY,KAAKD,iBAAiB,OAAOa,KAAKU;AAC9F,QAAIyC,UAAU,KAAKvD,YAAYR;AAC/B,QAAIsB,kBAAkB,CAACyC,SAAS;AAC9B,WAAKzC,eAAesB,QAAAA;AACpBmB,gBAAU;IACZ;AAEA,WAAO;MACLnB,SAAAA;MACAhD,MAAM,KAAKkD,QAAO;MAClB1B,UAAU,KAAK2B,YAAW;MAC1BP,cAAc,KAAKlC;MACnBgB;MACAoB,UAAU,KAAKnC;MACfyD,OAAO,wBAACpD,UAAAA;AACN,YAAIA,OAAMqD,qBAAqB;AAC7BC,kBAAQC,IAAI,sEAAA;QACd,OAAO;AACL,cAAI,CAACJ,SAAS;AACZ,iBAAKzC,eAAesB,QAAAA;AACpBmB,sBAAU;UACZ;QACF;AAEA,YAAInD,OAAMwD,wBAAwB,MAAM;AACtCxB,UAAAA,SAAQyB,IAAIC,gBAAAA;QACd;AACA,eAAO;UAAErB,QAAQ,KAAKzC;UAAU0C,YAAY,KAAKzC;QAAa;MAChE,GAdO;MAeP8D,MAAM,8BAAOrB,eAAAA;AACX,cAAMsB,OAAOtB,cAAc,KAAKzC;AAChC,YAAI,CAAC+D,MAAM;AACT,iBAAO;QACT;AACA,eAAO,MAAMA,KAAKC,UAAS,EAAGC,KAAK,MAAM,IAAA;MAC3C,GANM;IAOR;EACF;EAEUZ,aAAoClD,MAI1B;AAClB,UAAM+D,MAAuB/D,MAAMgC,WAAW,KAAKlD,uBAAmBkD,eAAAA,SAAAA;AACtE,QAAI,KAAKlC,SAAS;AAChBiE,UAAIN,IAAI,KAAK3D,OAAO;IACtB;AACA,QAAI,KAAKP,cAAc;AACrB,YAAMyE,QAAQ,KAAKzE,aAAayE,SAAS,IAAIC,uBAAAA,QAAeC,YAAW;AACvE,WAAK3E,aAAayE,QAAQA;AAC1BD,UAAIN,QAAIQ,uBAAAA,SAAe,KAAK1E,YAAY,CAAA;IAC1C;AACA,QAAI,KAAKC,kBAAkB;AACzBuE,UAAIN,IAAIU,iBAAAA,QAASC,WAAW,KAAK3E,iBAAiB,CAAA;AAClD,UAAI,KAAKF,cAAc;AAGrBwE,YAAIN,IAAIU,iBAAAA,QAASE,QAAO,CAAA;MAC1B;IACF;AACA,QAAI,KAAK3E,eAAe;AACtBqE,UAAIN,IAAIa,kBAAkB;QAAEC,OAAO,KAAK7E;MAAc,CAAA,CAAA;IACxD;AACA,QAAI,KAAKJ,iBAAiB;AACxB,WAAKA,gBAAgBkF,UAAU;QAAE1F,iBAAiBiF;MAAI,CAAA;IACxD;AAGA,SAAK9E,aAAa,KAAKA,UAAUwF,SAAS,KAAKV,IAAIN,IAAI,KAAKxE,SAAS;AAErEe,UAAMyC,YAAYsB,IAAIN,IAAIzD,KAAKyC,QAAQ;AAEvC,UAAMV,QAAQ,KAAKhC,uBAAuBnB;AAC1CmF,QAAIN,IAAIiB,mBAAAA,QAAWC,WAAW;MAAEC,UAAU;MAAM7C;IAAM,CAAA,CAAA;AACtDgC,QAAIN,IAAIiB,mBAAAA,QAAWG,KAAK;MAAE9C;IAAM,CAAA,CAAA;AAChC,WAAOgC;EACT;AACF;AAEO,IAAMe,wBAAN,MAAMA;EAzRb,OAyRaA;;;EACHC;EACAC;EACAC;EACAC;EACAC;EACAC;EACSC;EACAC;EAEjB,YAAYC,MAA6D;AACvE,UAAM,EAAEzG,iBAAiBO,aAAY,IAAKkG,QAAQ,CAAC;AACnD,SAAKF,WAAWvG;AAChB,SAAKwG,gBAAgBjG;EACvB;EAEOmG,YAAYC,OAA2E;AAC5F,SAAKR,eAAeQ;AACpB,WAAO;EACT;EAEOC,YAAYD,OAAsB;AACvC,SAAKV,eAAeU;AACpB,WAAO;EACT;EAEOE,aAAaF,OAAgC;AAClD,SAAKP,gBAAgBO;AACrB,WAAO;EACT;EAEOG,eAAeH,OAAgC;AACpD,SAAKN,kBAAkBM;AACvB,WAAO;EACT;EAEOI,iBAAiBJ,OAAsB;AAC5C,SAAKL,oBAAoBK;AACzB,WAAO;EACT;EAEOjB,UAAU,EAAE1F,gBAAe,GAAmC;AACnE,UAAMkD,WAAUlD,mBAAmB,KAAKuG;AACxC,QAAI,CAACrD,UAAS;AACZ,YAAMhB,MAAM,uDAAA;IACd;AAEA,UAAM8E,iBAAiBvD,IAAI,gBAAgB,KAAK+C,aAAa;AAC7D,UAAMS,eAAe,KAAKhB,iBAAiBe,iBAAiB,OAAOE,KAAKF,cAAAA,IAAkB;AAC1F,QAAIC,cAAc;AAChB;IACF;AACA,UAAME,oBAAoB1D,IAAI,qBAAqB,KAAK+C,aAAa,KAAK;AAC1E,QAAIY;AACJ,QAAID,kBAAkBE,SAAS,GAAA,GAAM;AACnCD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,WAAWH,kBAAkBE,SAAS,GAAA,GAAM;AAC1CD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,OAAO;AACLF,uBAAiBD;IACnB;AACA,QAAIvD,MAAMC,QAAQuD,cAAAA,KAAmBA,eAAezB,WAAW,GAAG;AAChEyB,uBAAiBA,eAAe,CAAA;IAClC;AACA,UAAMG,cAA2B;MAC/BC,QAAQ,KAAKrB,gBAAgBiB;;MAE7B,GAAI,KAAKhB,iBAAiB;QAAEqB,SAAS,KAAKrB;MAAc;MACxD,GAAI,KAAKC,mBAAmB;QAAES,gBAAgB,KAAKT;MAAgB;MACnE,GAAI,KAAKC,sBAAsBhG,UAAa;QAAEoH,aAAa,KAAKpB;MAAkB;MAClFqB,sBAAsB;IACxB;AAEA,QAAI,KAAKzB,yBAAyB;AAChChD,MAAAA,SAAQjB,QAAQ,SAAK2F,YAAAA,SAAKL,WAAAA,CAAAA;IAC5B;AACArE,IAAAA,SAAQyB,QAAIiD,YAAAA,SAAKL,WAAAA,CAAAA;EACnB;AACF;;;AEtWA,IAAAM,kBAAuD;AACvD,2BAAkE;AAClE,IAAAC,mBAAqB;AAOrB,IAAMC,SAASC,QAAQC,IAAIF,UAAU;AACrC,eAAsBG,mBAAmBC,MAA6B;AACpE,QAAMC,YAAYD,MAAMC,aAAaH,IAAI,eAAeF,MAAAA,KAAW;AACnE,QAAMM,SAAS,MAAMC,4BAAOC,SAASH,SAAAA;AACrCI,UAAQC,IAAI,2BAA2BJ,OAAOA,QAAQA,OAAOK,QAAQ;AACrE,SAAO;IAAEL;IAAQD;EAAU;AAC7B;AALsBF;AAOtB,eAAsBS,cACpBN,QACAK,UACAP,MAGC;AAGD,SAAO,IAAIE,OAAOO,OAAOF,UAAUP,MAAMU,MAAMV,MAAMW,OAAAA;AACvD;AAVsBH;AAYf,SAASI,iBAAiBC,QAAgBb,MAAqD;AACpG,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,4BAA4B;AACxC;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACA,CAACE,KAAUC,KAAUC,SAAAA;AACnB,UAAMC,eAAeH,IAAID,IAAI,SAAA,KAAc;AAC3CC,QAAII,QAAQD,eAAeA;AAC3BD,SAAAA;EACF,GACAG,iBAAAA,QAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAM,GACrHC,MAAAA,CAAAA;AAGN;AAvBgBlB;AAyBT,SAASmB,yBAAyBlB,QAAgBb,MAA0B;AACjF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,oCAAoC;AAChD;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACAO,iBAAAA,QAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAK,GACpHC,MAAAA,GAEF,CAACT,KAAUC,KAAUC,SAAAA;AACnB,QAAIF,IAAIW,MAAM;AACZ3B,cAAQC,IAAI,sBAAsBe,IAAIW,MAAMC,IAAAA;AAE5C,YAAMT,eAAeH,IAAII,QAAQD,gBAAgB;AAEjD,aAAOH,IAAII,QAAQD;AACnB,aAAOF,IAAIY,SAASV,YAAAA;IACtB,OAAO;AACL,aAAOF,IAAIY,SAASpC,IAAI,2BAA2BF,MAAAA,KAAW,4CAAA;IAChE;EACF,CAAA;AAEJ;AA9BgBmC;AAgCT,SAASI,kBAAkBtB,QAAgBuB,QAAoBpC,MAA0B;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,6BAA6B;AACzC;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,QAAAA;AACrB,QAAI;AACF,UAAIc,OAAOC,cAAa,GAAI;AAC1B,eAAOf,IAAIY,SAASE,OAAOC,cAAa,CAAA;MAC1C,OAAO;AACLhC,gBAAQC,IAAI,sCAAA;AACZ,eAAOgB,IAAIY,SAAS,iCAAA;MACtB;IACF,SAASI,OAAO;AACdjC,cAAQC,IAAIgC,KAAAA;AACZ,aAAOhB,IAAIY,SAAS,iCAAA;IACtB;EACF,CAAA;AACF;AAnBgBC;AAqBT,SAASI,0BAA0B1B,QAAgBb,MAA0B;AAClF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,sCAAsC;AAClD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,KAAKC,SAAAA;AAC1B,QAAI;AACFF,UAAImB,OAAO,CAACC,QAAAA;AACV,YAAIA,KAAK;AACPpC,kBAAQC,IAAI,yCAAyCoC,KAAKC,UAAUF,GAAAA,CAAAA,EAAM;QAC5E;MACF,CAAA;AACA,aAAOnB,IAAIY,SAASpC,IAAI,qCAAqCF,MAAAA,KAAW,GAAA;IAC1E,SAASgD,GAAG;AACV,aAAOC,kBAAkBvB,KAAK,KAAK,uDAAuDsB,CAAAA;IAC5F;EACF,CAAA;AACF;AAlBgBL;AAoBT,SAASO,mBAAmBjC,QAAgBuB,QAAoBpC,MAAyB;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,+BAA+B;AAC3C;EACF;AACA,QAAMa,OAAOnB,KAAKmB,QAAQ;AAC1BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,QAAAA;AAC/C,QAAID,IAAII,QAAQuB,OAAOC,UAAU;AAC/B,aAAO3B,IAAI4B,KAAK;QAAED,UAAU5B,IAAII,QAAQuB,OAAOC;MAAS,CAAA;IAC1D,OAAO;AACL,aAAOJ,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;EACF,CAAA;AACF;AAbgBwB;AAeT,SAASK,6BAA6BtC,QAAgBb,MAA0B;AACrF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,yCAAyC;AACrD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,KAAUC,SAAAA;AACzD,QAAI,CAACF,IAAIW,MAAM;AACb,aAAOa,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;AACA,QAAIU,OAAOX,IAAIW;AACf,WAAOV,IAAI4B,KAAKlB,IAAAA;EAClB,CAAA;AACF;AAbgBmB;AA+BT,IAAMC,uBAAN,MAAMA;EA7Kb,OA6KaA;;;EACX,IAAIvC,SAAyB;AAC3B,WAAO,KAAKwC;EACd;EAEiBC;EACAC;EACAC;EACAH;EAEjB,YAAYI,MAA8G;AACxH,UAAM,EAAEC,OAAO1D,KAAI,IAAKyD;AACxB,SAAKF,SAASG;AACdC,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAY,CAAA;AACrDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAc,CAAA;AACvDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAwB,CAAA;AAEjE,SAAKJ,QAAQxD;AACb,SAAKsD,WAAWG,KAAKI,eAAeC;AACpC,SAAKT,UAAUS,gBAAAA,QAAQC,OAAM;AAC7B,UAAMC,WAAWhE,MAAMiE,mBAAmB;MAAC;MAAS;MAAU;MAAY;;AAC1E5D,YAAQC,IAAI,4BAA4B;AAExC,QAAI0D,SAASE,SAAS,OAAA,GAAU;AAC9BtD,uBAAiB,KAAKC,QAAQb,MAAMmE,cAAcC,QAAAA;AAClDrC,+BAAyB,KAAKlB,QAAQb,MAAMmE,cAAcC,QAAAA;IAC5D;AACA,QAAIJ,SAASE,SAAS,QAAA,GAAW;AAC/B/B,wBAAkB,KAAKtB,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcE,SAAAA;AAChE9B,gCAA0B,KAAK1B,QAAQb,MAAMmE,cAAcE,SAAAA;IAC7D;AACA,QAAIL,SAASE,SAAS,UAAA,GAAa;AACjC,UAAIlE,KAAKmE,cAAcG,eAAexC,QAAW;AAC/C,cAAMZ,MAAM,6EAAA;MACd;AACA4B,yBAAmB,KAAKjC,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcG,UAAAA;IACnE;AACA,QAAIN,SAASE,SAAS,oBAAA,GAAuB;AAC3Cf,mCAA6B,KAAKtC,QAAQb,MAAMmE,cAAcI,oBAAAA;IAChE;AACA,SAAKjB,SAASkB,IAAIxE,MAAMmE,cAAcM,YAAY,IAAI,KAAK5D,MAAM;EACnE;EAEA,IAAI6C,QAAiC;AACnC,WAAO,KAAKH;EACd;EAEA,IAAIvD,OAAwC;AAC1C,WAAO,KAAKwD;EACd;EAEA,IAAIM,UAAmB;AACrB,WAAO,KAAKR;EACd;AACF;","names":["EntraIDAuth","strategy","options","init","withOptions","passReqToCallback","connectPassport","_options","Error","then","entraID","passport","use","BearerStrategy","token","cb","catch","reason","console","log","import_passport","OIDCBearerAuth","strategy","options","init","withIssuer","issuer","withAudience","audience","withJwksUri","jwksUri","withAlgorithms","algorithms","withOptions","connectPassport","Promise","reject","Error","discoverJwksUri","passportJwt","jwksRsa","all","Strategy","JwtStrategy","ExtractJwt","passportJwtSecret","jwtOptions","jwtFromRequest","fromAuthHeaderAsBearerToken","secretOrKeyProvider","cache","rateLimit","jwksRequestsPerMinute","passport","use","payload","done","error","console","cause","wellKnownUrl","endsWith","response","fetch","ok","status","statusText","config","json","jwks_uri","import_passport","StaticBearerAuth","strategy","providers","Map","verifyOptions","hashTokens","init","provider","MapBasedStaticBearerUserProvider","has","get","Error","set","withHashTokens","withUsers","users","addUser","user","withVerifyOptions","options","connectPassport","_provider","findUser","token","cb","getUser","then","httpBearer","passport","use","Strategy","passReqToCallback","hash","toString","sha256","catch","error","console","log","_strategy","_users","_hashedTokens","hashedTokens","find","hashToken","Array","isArray","forEach","push","getUsers","import_passport","sendErrorResponse","response","statusCode","message","error","msg","console","JSON","stringify","Error","stack","headersSent","startsWith","header","status","end","json","jsonErrorHandler","err","req","res","next","errorMsg","log","hasEndpointOpts","opts","endpointOpts","checkUserIsInRole","opts","req","res","next","roles","length","Array","isArray","user","status","end","hasRole","find","role","toLowerCase","checkAuthenticationImpl","defaultCallback","err","_info","_status","message","console","log","JSON","stringify","statusCode","redirect","options","session","logIn","authentication","enabled","strategy","strategyOptions","authInfo","callback","useDefaultCallback","undefined","passport","authenticate","call","checkAuthorizationImpl","authorization","enforcer","requireUserInRoles","permitted","enforceSync","resource","operation","checkAuthenticationOnly","checkAuthorizationOnly","isUserNotAuthenticated","isUserAuthenticated","sendErrorResponse","checkAuth","handlers","push","copyGlobalAuthToEndpoint","args","key","hasEndpointOpts","endpointOpts","globalAuth","disableGlobalAuth","endpoint","copyGlobalAuthToEndpoints","keys","forEach","import_passport","env","key","prefix","undefined","process","trim","DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE","ExpressBuilder","existingExpress","hostnameOrIP","port","_handlers","listenCallback","_startListen","undefined","envVarPrefix","_corsConfigurer","_sessionOpts","_usePassportAuth","_passportInitOpts","_userIsInRole","_enforcer","_server","_terminator","_morgan","_maxRequestBodySize","opts","withExpress","fromExistingExpress","fromServerOpts","builder","maxRequestBodySize","withMaxRequestBodySize","withEnableListenOpts","hostname","startOnBuild","startListening","enableListen","withMorganLogging","existingMorgan","format","options","Error","morgan","callback","withPort","withHostname","withListenCallback","withCorsConfigurer","configurer","withPassportAuth","usePassport","initializeOptions","withGlobalUserIsInRole","userIsInRole","withEnforcer","enforcer","limit","express","listen","getPort","getHostname","createHttpTerminator","server","terminator","env","setHandlers","handlers","Array","isArray","push","addHandler","handler","withSessionOptions","sessionOpts","build","buildExpress","started","start","doNotStartListening","console","log","disableErrorHandler","use","jsonErrorHandler","stop","term","terminate","then","app","store","expressSession","MemoryStore","passport","initialize","session","checkUserIsInRole","roles","configure","length","bodyParser","urlencoded","extended","json","ExpressCorsConfigurer","_disableCors","_enablePreflightOptions","_allowOrigin","_allowMethods","_allowedHeaders","_allowCredentials","_express","_envVarPrefix","args","allowOrigin","value","disableCors","allowMethods","allowedHeaders","allowCredentials","disableCorsEnv","corsDisabled","test","envAllowOriginStr","envAllowOrigin","includes","split","corsOptions","origin","methods","credentials","optionsSuccessStatus","cors","import_express","import_passport","PREFIX","process","env","oidcDiscoverIssuer","opts","issuerUrl","issuer","Issuer","discover","console","log","metadata","oidcGetClient","Client","jwks","options","getLoginEndpoint","router","enabled","strategy","endpoint","authentication","Error","path","get","req","res","next","redirectPage","session","passport","authenticate","strategyOptions","keepSessionInfo","undefined","getLoginCallbackEndpoint","user","name","redirect","getLogoutEndpoint","client","endSessionUrl","error","getLogoutCallbackEndpoint","logout","err","JSON","stringify","e","sendErrorResponse","getIdTokenEndpoint","isUserAuthenticated","tokens","id_token","json","getAuthenticatedUserEndpoint","OpenIDConnectAuthApi","_router","_express","_agent","_opts","args","agent","copyGlobalAuthToEndpoints","keys","expressSupport","express","Router","features","enabledFeatures","includes","endpointOpts","getLogin","getLogout","getIdToken","getAuthenticatedUser","use","basePath"]}
package/dist/index.d.cts CHANGED
@@ -19,6 +19,7 @@ interface IExpressServerOpts {
19
19
  existingExpress?: Express;
20
20
  listenCallback?: () => void;
21
21
  startListening?: boolean;
22
+ maxRequestBodySize?: string;
22
23
  }
23
24
  declare function hasEndpointOpts(opts: any): any;
24
25
  type HasEndpointOpts = {
@@ -319,6 +320,7 @@ declare class ExpressBuilder {
319
320
  private _server?;
320
321
  private _terminator?;
321
322
  private _morgan?;
323
+ private _maxRequestBodySize?;
322
324
  private constructor();
323
325
  static fromExistingExpress(opts?: {
324
326
  existingExpress?: Express;
@@ -347,6 +349,7 @@ declare class ExpressBuilder {
347
349
  withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this;
348
350
  withGlobalUserIsInRole(userIsInRole: string | string[]): this;
349
351
  withEnforcer(enforcer: Enforcer): this;
352
+ withMaxRequestBodySize(limit: string): this;
350
353
  startListening(express: Express): {
351
354
  server: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>;
352
355
  terminator: HttpTerminator;
package/dist/index.d.ts CHANGED
@@ -19,6 +19,7 @@ interface IExpressServerOpts {
19
19
  existingExpress?: Express;
20
20
  listenCallback?: () => void;
21
21
  startListening?: boolean;
22
+ maxRequestBodySize?: string;
22
23
  }
23
24
  declare function hasEndpointOpts(opts: any): any;
24
25
  type HasEndpointOpts = {
@@ -319,6 +320,7 @@ declare class ExpressBuilder {
319
320
  private _server?;
320
321
  private _terminator?;
321
322
  private _morgan?;
323
+ private _maxRequestBodySize?;
322
324
  private constructor();
323
325
  static fromExistingExpress(opts?: {
324
326
  existingExpress?: Express;
@@ -347,6 +349,7 @@ declare class ExpressBuilder {
347
349
  withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this;
348
350
  withGlobalUserIsInRole(userIsInRole: string | string[]): this;
349
351
  withEnforcer(enforcer: Enforcer): this;
352
+ withMaxRequestBodySize(limit: string): this;
350
353
  startListening(express: Express): {
351
354
  server: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>;
352
355
  terminator: HttpTerminator;
package/dist/index.js CHANGED
@@ -494,6 +494,7 @@ function env(key, prefix) {
494
494
  __name(env, "env");
495
495
 
496
496
  // src/express-builders.ts
497
+ var DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE = "5mb";
497
498
  var ExpressBuilder = class _ExpressBuilder {
498
499
  static {
499
500
  __name(this, "ExpressBuilder");
@@ -514,6 +515,7 @@ var ExpressBuilder = class _ExpressBuilder {
514
515
  _server;
515
516
  _terminator;
516
517
  _morgan;
518
+ _maxRequestBodySize;
517
519
  constructor(opts) {
518
520
  const { existingExpress, envVarPrefix } = opts ?? {};
519
521
  if (existingExpress) {
@@ -529,6 +531,9 @@ var ExpressBuilder = class _ExpressBuilder {
529
531
  existingExpress: opts?.existingExpress,
530
532
  envVarPrefix: opts?.envVarPrefix
531
533
  });
534
+ if (opts.maxRequestBodySize) {
535
+ builder.withMaxRequestBodySize(opts.maxRequestBodySize);
536
+ }
532
537
  return builder.withEnableListenOpts({
533
538
  ...opts,
534
539
  hostnameOrIP: opts.hostname,
@@ -591,6 +596,10 @@ var ExpressBuilder = class _ExpressBuilder {
591
596
  this._enforcer = enforcer;
592
597
  return this;
593
598
  }
599
+ withMaxRequestBodySize(limit) {
600
+ this._maxRequestBodySize = limit;
601
+ return this;
602
+ }
594
603
  startListening(express3) {
595
604
  this._server = express3.listen(this.getPort(), this.getHostname(), this.listenCallback);
596
605
  this._terminator = createHttpTerminator({
@@ -700,11 +709,13 @@ var ExpressBuilder = class _ExpressBuilder {
700
709
  }
701
710
  this._handlers && this._handlers.length > 0 && app.use(this._handlers);
702
711
  opts?.handlers && app.use(opts.handlers);
712
+ const limit = this._maxRequestBodySize ?? DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE;
703
713
  app.use(bodyParser.urlencoded({
704
- extended: true
714
+ extended: true,
715
+ limit
705
716
  }));
706
717
  app.use(bodyParser.json({
707
- limit: "5mb"
718
+ limit
708
719
  }));
709
720
  return app;
710
721
  }
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/entra-id-auth.ts","../src/oidc-bearer-auth.ts","../src/static-bearer-auth.ts","../src/auth-utils.ts","../src/express-utils.ts","../src/types.ts","../src/express-builders.ts","../src/functions.ts","../src/openid-connect-rp.ts"],"sourcesContent":["import passport from 'passport'\nimport { IBearerStrategyOption, IBearerStrategyOptionWithRequest, ITokenPayload, VerifyCallback } from './types'\n\nexport class EntraIDAuth {\n private readonly strategy: string\n private options?: IBearerStrategyOptionWithRequest\n\n public static init(strategy: string) {\n return new EntraIDAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withOptions(options: IBearerStrategyOption | IBearerStrategyOptionWithRequest): this {\n this.options = {\n ...options,\n passReqToCallback: 'passReqToCallback' in options ? options.passReqToCallback : false,\n }\n return this\n }\n\n connectPassport() {\n const _options = this.options\n if (!_options) {\n throw Error('No options supplied for EntraID')\n }\n import('passport-azure-ad')\n .then((entraID) =>\n passport.use(\n this.strategy,\n new entraID.BearerStrategy(_options, function (token: ITokenPayload, cb: VerifyCallback): void {\n if (token) {\n // console.log(`token: ${JSON.stringify(token, null, 2)}`)\n return cb(null, token)\n }\n return cb('bearer token not found or incorrect', null)\n }),\n ),\n )\n .catch((reason) => {\n console.log(reason)\n throw Error('Could not create bearer strategy. Did you include the \"passport-azure-ad/bearer-strategy\" dependency in package.json?')\n })\n }\n}\n","import passport from 'passport'\n\nexport type OIDCAlgorithm = 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512' | 'PS256' | 'PS384' | 'PS512'\n\nexport interface IOIDCBearerOptions {\n issuer: string\n audience?: string | string[]\n jwksUri?: string\n algorithms?: OIDCAlgorithm[]\n}\n\nexport interface IOIDCTokenPayload {\n /** Issuer identifier */\n iss?: string\n /** Subject identifier */\n sub?: string\n /** Audience(s) */\n aud?: string | string[]\n /** Expiration time */\n exp?: number\n /** Not before */\n nbf?: number\n /** Issued at */\n iat?: number\n /** JWT ID */\n jti?: string\n /** Authorized party */\n azp?: string\n /** Scope */\n scope?: string\n /** Client ID */\n client_id?: string\n /** Additional claims */\n [key: string]: unknown\n}\n\nexport class OIDCBearerAuth {\n private readonly strategy: string\n private options: Partial<IOIDCBearerOptions> = {}\n\n public static init(strategy: string) {\n return new OIDCBearerAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withIssuer(issuer: string): this {\n this.options = { ...this.options, issuer }\n return this\n }\n\n public withAudience(audience: string | string[]): this {\n this.options = { ...this.options, audience }\n return this\n }\n\n public withJwksUri(jwksUri: string): this {\n this.options = { ...this.options, jwksUri }\n return this\n }\n\n public withAlgorithms(algorithms: OIDCAlgorithm[]): this {\n this.options = { ...this.options, algorithms }\n return this\n }\n\n public withOptions(options: Partial<IOIDCBearerOptions>): this {\n this.options = { ...this.options, ...options }\n return this\n }\n\n async connectPassport(): Promise<void> {\n const { issuer, audience, algorithms } = this.options\n\n if (!issuer) {\n return Promise.reject(new Error('No issuer supplied for OIDC Bearer Auth'))\n }\n\n let jwksUri = this.options.jwksUri\n if (!jwksUri) {\n jwksUri = await this.discoverJwksUri(issuer)\n }\n\n try {\n const [passportJwt, jwksRsa] = await Promise.all([import('passport-jwt'), import('jwks-rsa')])\n\n const { Strategy: JwtStrategy, ExtractJwt } = passportJwt\n const { passportJwtSecret } = jwksRsa\n\n const jwtOptions = {\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: passportJwtSecret({\n cache: true,\n rateLimit: true,\n jwksRequestsPerMinute: 5,\n jwksUri,\n }),\n issuer,\n audience,\n algorithms: algorithms ?? (['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'] as OIDCAlgorithm[]),\n }\n\n passport.use(\n this.strategy,\n new JwtStrategy(jwtOptions, (payload: IOIDCTokenPayload, done: (error: any, user?: any, info?: any) => void) => {\n if (payload) {\n return done(null, payload)\n }\n return done('Bearer token not found or incorrect', null)\n })\n )\n } catch (error) {\n console.error('Failed to initialize OIDC Bearer Auth:', error)\n return Promise.reject(\n new Error(\n 'Could not create JWT bearer strategy. Did you include \"passport-jwt\" and \"jwks-rsa\" dependencies in package.json?',\n { cause: error }\n )\n )\n }\n }\n\n private async discoverJwksUri(issuer: string): Promise<string> {\n const wellKnownUrl = `${issuer}${issuer.endsWith('/') ? '' : '/'}.well-known/openid-configuration`\n\n try {\n const response = await fetch(wellKnownUrl)\n if (!response.ok) {\n return Promise.reject(\n new Error(`Failed to fetch OIDC configuration from ${wellKnownUrl}: ${response.status} ${response.statusText}`)\n )\n }\n\n const config = (await response.json()) as { jwks_uri?: string }\n if (!config.jwks_uri) {\n return Promise.reject(new Error(`OIDC configuration at ${wellKnownUrl} does not contain jwks_uri`))\n }\n\n return config.jwks_uri\n } catch (error) {\n return Promise.reject(\n new Error(`Failed to discover JWKS URI from OIDC configuration at ${wellKnownUrl}`, { cause: error })\n )\n }\n }\n}\n","import passport from 'passport'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { BearerUser, IStaticBearerVerifyOptions } from './types'\n\nexport class StaticBearerAuth {\n private readonly strategy: string\n private static providers: Map<string, StaticBearerUserProvider> = new Map()\n private static verifyOptions: Map<string, IStaticBearerVerifyOptions | string> = new Map()\n private hashTokens?: boolean = false\n\n public static init(strategy: string, provider?: StaticBearerUserProvider) {\n return new StaticBearerAuth(strategy ?? 'bearer', provider ?? new MapBasedStaticBearerUserProvider(strategy))\n }\n\n private constructor(strategy: string, provider: StaticBearerUserProvider) {\n this.strategy = strategy\n if (StaticBearerAuth.providers.has(strategy)) {\n if (StaticBearerAuth.providers.get(strategy) !== provider) {\n throw Error('Cannot register another user provider for strategy: ' + strategy)\n }\n } else {\n StaticBearerAuth.providers.set(strategy, provider)\n }\n }\n\n get provider() {\n const provider = StaticBearerAuth.providers.get(this.strategy)\n if (!provider) {\n throw Error('Could not get user provider for ' + this.strategy)\n }\n return provider\n }\n\n withHashTokens(hashTokens: boolean): this {\n this.hashTokens = hashTokens\n return this\n }\n\n withUsers(users: BearerUser[] | BearerUser): this {\n this.addUser(users)\n return this\n }\n\n addUser(user: BearerUser[] | BearerUser): this {\n this.provider.addUser(user)\n return this\n }\n\n withVerifyOptions(options: IStaticBearerVerifyOptions | string): this {\n StaticBearerAuth.verifyOptions.set(this.strategy, options)\n return this\n }\n\n connectPassport() {\n const _provider = this.provider\n function findUser(token: string, cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void) {\n const user = _provider.getUser(token)\n if (user) {\n return cb(null, user)\n }\n return cb('bearer token not found or incorrect', false)\n }\n\n import('passport-http-bearer')\n .then((httpBearer) => {\n const hashTokens = this.hashTokens ?? false\n passport.use(\n this.strategy,\n new httpBearer.Strategy({ passReqToCallback: false }, function (\n token: string,\n cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void,\n ): void {\n if (hashTokens) {\n import('@noble/hashes/sha256')\n .then((hash) => {\n findUser(toString(hash.sha256(token)), cb)\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n } else {\n findUser(token, cb)\n }\n }),\n )\n })\n .catch((error) => {\n console.log(`passport-http-bearer package problem: ${error}`)\n throw Error('Did you include passport-http-bearer in package.json?')\n })\n }\n}\n\nexport interface StaticBearerUserProvider {\n strategy: string\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void\n\n getUser(token: string): BearerUser | undefined\n\n hashedTokens?: boolean\n}\n\nexport class MapBasedStaticBearerUserProvider implements StaticBearerUserProvider {\n private readonly _strategy: string\n private readonly _users: BearerUser[] = []\n private readonly _hashedTokens: boolean\n\n constructor(strategy: string, hashedTokens?: boolean) {\n this._strategy = strategy\n this._hashedTokens = hashedTokens ?? false\n }\n\n get users(): BearerUser[] {\n return this._users\n }\n\n get hashedTokens(): boolean {\n return this._hashedTokens\n }\n\n get strategy(): string {\n return this._strategy\n }\n\n getUser(token: string): BearerUser | undefined {\n return this.users.find((user) => user.token === token)\n }\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void {\n const users = Array.isArray(user) ? user : [user]\n if (hashToken) {\n if (!this.hashedTokens) {\n throw Error('Cannot hash token, when hashed tokens is not enabled on the user provider for strategy ' + this.strategy)\n }\n import('@noble/hashes/sha256')\n .then((hash) => {\n users.forEach((user) => (user.token = toString(hash.sha256(user.token))))\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n }\n this._users.push(...users)\n }\n\n getUsers(): BearerUser[] {\n return this._users\n }\n}\n","import express, { NextFunction, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport passport from 'passport'\nimport { ParsedQs } from 'qs'\nimport { sendErrorResponse } from './express-utils'\nimport { EndpointArgs, hasEndpointOpts, HasEndpointOpts } from './types'\n\nexport const checkUserIsInRole = (opts: { roles: string | string[] }) => (req: express.Request, res: express.Response, next: NextFunction) => {\n if (!opts?.roles || opts.roles.length === 0) {\n return next()\n }\n const roles = Array.isArray(opts.roles) ? opts.roles : [opts.roles]\n if (!req?.user || !('role' in req.user)) {\n return res.status(401).end()\n }\n\n // @ts-ignore\n const hasRole = roles.find((role) => req.user.role.toLowerCase() === role.toLowerCase())\n if (!hasRole) {\n return res.status(403).end()\n }\n\n return next()\n}\n\nconst checkAuthenticationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n const defaultCallback = (\n err: any,\n user?: Express.User | false | null,\n _info?: object | string | Array<string | undefined>,\n _status?: number | Array<number | undefined>,\n ) => {\n if (err) {\n const message = 'message' in err ? err.message : err\n console.log('Authentication failed, error: ' + JSON.stringify(message))\n return next({ statusCode: 403, message })\n } else if (!user) {\n console.log('Authentication failed, no user object present in request. Redirecting to /login')\n // todo: configuration option\n return res.redirect('/authentication/login')\n }\n if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n })\n }\n /* /!*if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n return res.redirect('/')\n })\n }*!/*/\n return next()\n }\n\n if (!opts || !opts.authentication || opts.authentication.enabled === false) {\n return next()\n }\n if (!opts.authentication.strategy) {\n console.log(`Authentication enabled, but no strategy configured. All auth request will be denied!`)\n return res.status(401).end()\n }\n const options = {\n ...opts?.authentication?.strategyOptions,\n authInfo: opts?.authentication?.authInfo !== false,\n session: opts?.authentication?.session !== false,\n }\n\n const callback = opts?.authentication?.callback ?? (opts?.authentication?.useDefaultCallback ? defaultCallback : undefined)\n\n passport.authenticate(opts.authentication.strategy, options, callback).call(this, req, res, next)\n}\nconst checkAuthorizationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n if (!opts || !opts.authentication || !opts.authorization || opts.authentication.enabled === false || opts?.authorization.enabled === false) {\n return next()\n }\n /*if (!req.isAuthenticated()) {\n return sendErrorResponse(res, 403, 'Authorization with an unauthenticated request is not possible')\n }*/\n const authorization = opts.authorization\n\n if (!authorization.enforcer && (!authorization.requireUserInRoles || authorization.requireUserInRoles.length === 0)) {\n console.log(`Authorization enabled for endpoint, but no enforcer or roles supplied`)\n return res.status(401).end()\n }\n if (authorization.requireUserInRoles && authorization.requireUserInRoles.length > 0) {\n checkUserIsInRole({ roles: authorization.requireUserInRoles })\n }\n if (authorization.enforcer) {\n const enforcer = authorization.enforcer\n const permitted = enforcer.enforceSync(req.user, opts.resource, opts.operation)\n if (!permitted) {\n console.log(`Access to ${opts.resource} and op ${opts.operation} not allowed for ${req.user}`)\n return res.status(403).end()\n }\n }\n return next()\n}\n\nexport const checkAuthenticationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthenticationImpl(req, res, next, opts)\n}\n\nexport const checkAuthorizationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthorizationImpl(req, res, next, opts)\n}\n\nexport const isUserNotAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n next()\n }\n}\n\nexport const isUserAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n } else {\n return next()\n }\n}\n\nexport const checkAuth = (opts?: EndpointArgs): RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] => {\n const handlers: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] = []\n handlers.push(checkAuthenticationOnly(opts))\n handlers.push(checkAuthorizationOnly(opts))\n opts?.handlers && handlers.push(...opts.handlers)\n return handlers\n}\n\nexport function copyGlobalAuthToEndpoint(args?: { opts?: HasEndpointOpts; key: string }) {\n const opts = args?.opts\n const key = args?.key\n if (!opts || !key || !hasEndpointOpts(opts)) {\n return\n }\n if (key === 'basePath') {\n // make sure to not copy base path over, as we use these at the global router, and this would repeat the path\n return\n }\n if (opts.endpointOpts?.globalAuth) {\n if (opts.endpointOpts[key]?.disableGlobalAuth === true) {\n return\n }\n opts.endpointOpts[key] = {\n ...opts.endpointOpts[key],\n endpoint: { ...opts.endpointOpts.globalAuth, ...opts.endpointOpts[key]?.endpoint },\n }\n }\n}\n\nexport function copyGlobalAuthToEndpoints(args?: { opts?: HasEndpointOpts; keys: string[] }) {\n args?.keys.forEach((key) => copyGlobalAuthToEndpoint({ opts: args?.opts, key }))\n}\n","import express, { NextFunction } from 'express'\n\nexport function sendErrorResponse(response: express.Response, statusCode: number, message: string | object, error?: any) {\n let msg = message\n if (!msg) {\n console.error('Message was null when calling sendErrorResponse. This should not happen')\n msg = 'An unexpected error occurred'\n statusCode = 500\n } else {\n console.error(`sendErrorResponse (${statusCode}): ${typeof msg === 'string' ? msg : JSON.stringify(msg)}`)\n }\n if (error) {\n if (error instanceof Error) {\n console.error(`error message: ${error.message}`)\n }\n console.error(`error object: ${JSON.stringify(error)}`)\n }\n if (statusCode >= 500) {\n console.error('Original error stack (if any) and REST API error stack:')\n console.error(error?.stack)\n console.error(Error().stack)\n }\n if (response.headersSent) {\n console.error(`sendErrorResponse headers already sent`)\n return response\n }\n response.statusCode = statusCode\n if (typeof msg === 'string' && !msg.startsWith('{')) {\n msg = { error: msg }\n }\n if (typeof msg === 'string' && msg.startsWith('{')) {\n response.header('Content-Type', 'application/json')\n return response.status(statusCode).end(msg)\n }\n return response.status(statusCode).json(msg)\n}\n\nexport const jsonErrorHandler = (err: any, req: express.Request, res: express.Response, next: NextFunction) => {\n const statusCode: number = 'statusCode' in err ? err.statusCode : 500\n let errorMsg = typeof err === 'string' ? err : (err.message ?? err)\n if (typeof errorMsg !== 'string') {\n errorMsg = JSON.stringify(errorMsg)\n }\n if (res.headersSent) {\n console.log('Headers already sent, when calling error handler. Will defer to next error handler')\n console.log(`Error was: ${JSON.stringify(err)}`)\n return next(err)\n }\n return sendErrorResponse(res, statusCode, errorMsg, err)\n}\n","import { Enforcer } from 'casbin'\nimport { Express, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport http from 'http'\nimport { HttpTerminator } from 'http-terminator'\nimport { AuthenticateCallback, Strategy } from 'passport'\nimport { ParsedQs } from 'qs'\n\nexport interface IExpressServerOpts {\n port?: number // The port to listen on\n cookieSigningKey?: string\n hostname?: string // defaults to \"0.0.0.0\", meaning it will listen on all IP addresses. Can be an IP address or hostname\n basePath?: string\n existingExpress?: Express\n listenCallback?: () => void\n startListening?: boolean\n // externalBaseUrl?: string // In case an external base URL needs to be exposed\n}\n\nexport function hasEndpointOpts(opts: any) {\n return 'endpointOpts' in opts && opts.endpointOpts\n}\n\nexport type HasEndpointOpts = { endpointOpts?: IEndpointOpts & SingleEndpoints } & Record<string, any>\n\nexport type SingleEndpoints = Record<string, ISingleEndpointOpts | any>\nexport interface IEndpointOpts {\n basePath?: string // The base path used to construct the router\n baseUrl?: string | URL // Typically the external base URL\n globalAuth?: GenericAuthArgs\n}\nexport interface ExpressSupport {\n express: Express\n port: number\n hostname: string\n userIsInRole?: string | string[]\n startListening: boolean\n server?: http.Server\n enforcer?: Enforcer\n start: (opts?: { disableErrorHandler?: boolean; doNotStartListening?: boolean }) => { server: http.Server; terminator: HttpTerminator }\n stop: (terminator?: HttpTerminator) => Promise<boolean>\n}\n\nexport interface ISingleEndpointOpts extends GenericAuthArgs {\n endpoint?: EndpointArgs\n enabled?: boolean\n path?: string\n disableGlobalAuth?: boolean\n}\n\nexport interface GenericAuthArgs {\n authentication?: {\n callback?: AuthenticateCallback | ((...args: any[]) => any)\n useDefaultCallback?: boolean\n enabled?: boolean\n strategy?: string | string[] | Strategy\n strategyOptions?: Record<string, any> | any\n authInfo?: boolean\n session?: boolean\n }\n authorization?: {\n enabled?: boolean\n requireUserInRoles?: string | string[]\n enforcer?: Enforcer\n }\n}\n\nexport interface EndpointArgs extends GenericAuthArgs {\n resource?: string\n operation?: string\n handlers?: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[]\n}\n\nexport interface BearerUser extends Express.User {\n id: string | number\n name?: string\n token: string\n}\n\nexport interface IStaticBearerVerifyOptions {\n message?: string | undefined\n scope: string | Array<string>\n}\n\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface ITokenPayload {\n /** An App ID URI. Identifies the intended recipient of the token. */\n aud?: string | undefined\n /** A security token service(STS) URI. Identifies the STS that constructs and returns the token,\n * and the Azure AD tenant in which the user was authenticated.*/\n iss?: string | undefined\n /** The identity provider that authenticated the subject of the token*/\n idp?: string | undefined\n /** \"Issued At\" indicates when the authentication for this token occurred. */\n iat?: number | undefined\n /** The \"nbf\" (not before) claim identifies the time before which the JWT must not be accepted for processing. */\n nbf?: number | undefined\n /** The \"exp\" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. */\n exp?: number | undefined\n /** An internal claim used by Azure AD to record data for token reuse. */\n aio?: string | undefined\n /** Only present in v1.0 tokens. The \"Authentication context class\" claim. A value of \"0\" indicates the end-user authentication did not meet the requirements of ISO/IEC 29115. */\n acr?: '0' | '1' | undefined\n /** Only present in v1.0 tokens. Identifies how the subject of the token was authenticated. */\n amr?: string[] | undefined\n /** Only present in v1.0 tokens. GUID represents the application ID of the client using the token. */\n appid?: string | undefined\n /** Only present in v2.0 tokens. The application ID of the client using the token. */\n azp?: string | undefined\n /** Only present in v1.0 tokens. Indicates how the client was authenticated. For a public client, the value is \"0\".\n * If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n appidacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. Indicates how the client was authenticated.\n * For a public client, the value is \"0\". If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n azpacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format */\n preferred_username?: string | undefined\n /** Provides a human-readable value that identifies the subject of the token.\n * The value is not guaranteed to be unique, it is mutable, and it's designed to be used only for display purposes. The profile scope is required in order to receive this claim. */\n name?: string | undefined\n /** The set of scopes exposed by your application for which the client application has requested (and received) consent. */\n scp?: string | undefined\n /** The set of permissions exposed by your application that the requesting application has been given permission to call. */\n roles?: string[] | undefined\n /** Provides object IDs that represent the subject's group memberships. */\n groups?: string | string[] | undefined\n /** Denoting the user is in at least one group. */\n hasgroups?: true | undefined\n /** The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused.\n * It can be used to perform authorization checks safely, such as when the token is used to access a resource,\n * and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues,\n * we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. */\n sub?: string | undefined\n /** GUID represents a user. This ID uniquely identifies the user across applications. */\n oid?: string | undefined\n /** Represents the Azure AD tenant that the user is from. */\n tid?: string | undefined\n /** Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. */\n unique_name?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n uti?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n rh?: string | undefined\n /** Indicates the version of the access token. */\n ver?: '1.0' | '2.0' | undefined\n\n /** v1.0 basic claims */\n\n /** The IP address the user authenticated from. */\n ipaddr?: string | undefined\n /** In cases where the user has an on-premises authentication, this claim provides their SID. */\n onprem_sid?: string | undefined\n /** Indicates when the user's password expires. */\n pwd_exp?: number | undefined\n /** A URL where users can be sent to reset their password. */\n pwd_url?: string | undefined\n /** Signals if the client is logging in from the corporate network. If they aren't, the claim isn't included. */\n in_corp?: string | undefined\n /** An additional name for the user, separate from first or last name */\n nickname?: string | undefined\n /** Provides the last name, surname, or family name of the user as defined on the user object. */\n family_name?: string | undefined\n /** Provides the first or given name of the user, as set on the user object. */\n given_name?: string | undefined\n /** The username of the user. May be a phone number, email address, or unformatted string. */\n upn?: string | undefined\n}\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface IBearerStrategyOption extends IBaseStrategyOption {\n audience?: string | string[] | undefined\n policyName?: String | undefined\n allowMultiAudiencesInToken?: boolean | undefined\n scope?: string[] | undefined\n}\n\nexport interface IBearerStrategyOptionWithRequest extends IBearerStrategyOption {\n passReqToCallback: boolean\n}\nexport type VerifyBearerFunction = (token: ITokenPayload, done: VerifyCallback) => void\nexport interface VerifyCallback {\n (error: any, user?: any, info?: any): void\n}\n","/**\n * @public\n */\nimport bodyParser from 'body-parser'\nimport { Enforcer } from 'casbin'\nimport cors, { CorsOptions } from 'cors'\n\nimport express, { Express } from 'express'\nimport { Application, ApplicationRequestHandler } from 'express-serve-static-core'\nimport expressSession from 'express-session'\nimport session from 'express-session'\nimport http from 'http'\nimport { createHttpTerminator, HttpTerminator } from 'http-terminator'\nimport morgan from 'morgan'\nimport passport, { InitializeOptions } from 'passport'\nimport { checkUserIsInRole } from './auth-utils'\nimport { jsonErrorHandler } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, IExpressServerOpts } from './types'\n\ntype Handler<Request extends http.IncomingMessage, Response extends http.ServerResponse> = (\n req: Request,\n res: Response,\n callback: (err?: Error) => void,\n) => void\n\nexport class ExpressBuilder {\n private existingExpress?: Express\n private hostnameOrIP?: string\n private port?: number\n private _handlers?: ApplicationRequestHandler<Application>[] = []\n private listenCallback?: () => void\n private _startListen?: boolean | undefined = undefined\n private readonly envVarPrefix?: string\n private _corsConfigurer?: ExpressCorsConfigurer\n private _sessionOpts?: session.SessionOptions\n private _usePassportAuth?: boolean = false\n private _passportInitOpts?: InitializeOptions\n private _userIsInRole?: string | string[]\n private _enforcer?: Enforcer\n private _server?: http.Server | undefined\n private _terminator?: HttpTerminator\n private _morgan?: Handler<any, any> | undefined\n\n private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = opts ?? {}\n if (existingExpress) {\n this.withExpress(existingExpress)\n }\n this.envVarPrefix = envVarPrefix ?? ''\n }\n\n public static fromExistingExpress(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n return new ExpressBuilder(opts ?? {})\n }\n\n public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {\n const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })\n return builder.withEnableListenOpts({ ...opts, hostnameOrIP: opts.hostname, startOnBuild: opts.startListening ?? false })\n }\n\n public enableListen(startOnBuild?: boolean): this {\n if (startOnBuild !== undefined) {\n this._startListen = startOnBuild\n }\n return this\n }\n\n public withMorganLogging(opts?: { existingMorgan?: Handler<any, any>; format?: string; options?: morgan.Options<any, any> }): this {\n if (opts?.existingMorgan && (opts.format || opts.options)) {\n throw Error('Cannot using an existing morgan with either a format or options')\n }\n this._morgan = opts?.existingMorgan ?? morgan(opts?.format ?? 'dev', opts?.options)\n return this\n }\n\n public withEnableListenOpts({\n port,\n hostnameOrIP,\n callback,\n startOnBuild,\n }: {\n port?: number\n hostnameOrIP?: string\n startOnBuild?: boolean\n callback?: () => void\n }): this {\n port && this.withPort(port)\n hostnameOrIP && this.withHostname(hostnameOrIP)\n if (typeof callback === 'function') {\n this.withListenCallback(callback)\n }\n this._startListen = startOnBuild === true\n return this\n }\n\n public withPort(port: number): this {\n this.port = port\n return this\n }\n\n public withHostname(hostnameOrIP: string): this {\n this.hostnameOrIP = hostnameOrIP\n return this\n }\n\n public withListenCallback(callback: () => void): this {\n this.listenCallback = callback\n return this\n }\n\n public withExpress(existingExpress: Express): this {\n this.existingExpress = existingExpress\n this._startListen = false\n return this\n }\n\n public withCorsConfigurer(configurer: ExpressCorsConfigurer): this {\n this._corsConfigurer = configurer\n return this\n }\n\n public withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this {\n this._usePassportAuth = usePassport\n this._passportInitOpts = initializeOptions\n return this\n }\n\n public withGlobalUserIsInRole(userIsInRole: string | string[]): this {\n this._userIsInRole = userIsInRole\n return this\n }\n\n public withEnforcer(enforcer: Enforcer): this {\n this._enforcer = enforcer\n return this\n }\n\n public startListening(express: Express) {\n this._server = express.listen(this.getPort(), this.getHostname(), this.listenCallback)\n this._terminator = createHttpTerminator({\n server: this._server,\n // gracefulTerminationTimeout: 10\n })\n\n return { server: this._server, terminator: this._terminator }\n }\n\n public getHostname(): string {\n return this.hostnameOrIP ?? env('HOSTNAME', this.envVarPrefix) ?? '0.0.0.0'\n }\n\n public getPort(): number {\n return (this.port ?? env('PORT', this.envVarPrefix) ?? 5000) as number\n }\n\n public setHandlers(handlers: ApplicationRequestHandler<any> | ApplicationRequestHandler<any>[]): this {\n if (Array.isArray(handlers)) {\n this._handlers = handlers\n } else if (handlers) {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handlers)\n } else {\n this._handlers = []\n }\n\n return this\n }\n\n public addHandler(handler: ApplicationRequestHandler<any>): this {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handler)\n return this\n }\n\n public withSessionOptions(sessionOpts: session.SessionOptions): this {\n this._sessionOpts = sessionOpts\n return this\n }\n\n public build<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): ExpressSupport {\n const express = this.buildExpress(opts)\n const startListening = opts?.startListening === undefined ? this._startListen !== true : opts.startListening\n let started = this._server !== undefined\n if (startListening && !started) {\n this.startListening(express)\n started = true\n }\n\n return {\n express,\n port: this.getPort(),\n hostname: this.getHostname(),\n userIsInRole: this._userIsInRole,\n startListening,\n enforcer: this._enforcer,\n start: (opts) => {\n if (opts?.doNotStartListening) {\n console.log('Express will not start listening. You will have to start it yourself')\n } else {\n if (!started) {\n this.startListening(express)\n started = true\n }\n }\n\n if (opts?.disableErrorHandler !== true) {\n express.use(jsonErrorHandler)\n }\n return { server: this._server!, terminator: this._terminator! }\n },\n stop: async (terminator?: HttpTerminator) => {\n const term = terminator ?? this._terminator\n if (!term) {\n return false\n }\n return await term.terminate().then(() => true)\n },\n }\n }\n\n protected buildExpress<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): express.Express {\n const app: express.Express = opts?.express ?? this.existingExpress ?? express()\n if (this._morgan) {\n app.use(this._morgan)\n }\n if (this._sessionOpts) {\n const store = this._sessionOpts.store ?? new expressSession.MemoryStore()\n this._sessionOpts.store = store\n app.use(expressSession(this._sessionOpts))\n }\n if (this._usePassportAuth) {\n app.use(passport.initialize(this._passportInitOpts))\n if (this._sessionOpts) {\n // app.use(passport.authenticate('session'))\n //_sessionOpts are not for passport session, they are for express above\n app.use(passport.session())\n }\n }\n if (this._userIsInRole) {\n app.use(checkUserIsInRole({ roles: this._userIsInRole }))\n }\n if (this._corsConfigurer) {\n this._corsConfigurer.configure({ existingExpress: app })\n }\n\n // @ts-ignore\n this._handlers && this._handlers.length > 0 && app.use(this._handlers)\n // @ts-ignore\n opts?.handlers && app.use(opts.handlers)\n //fixme: this should come from the config\n app.use(bodyParser.urlencoded({ extended: true }))\n app.use(bodyParser.json({ limit: '5mb' }))\n return app\n }\n}\n\nexport class ExpressCorsConfigurer {\n private _disableCors?: boolean\n private _enablePreflightOptions?: boolean\n private _allowOrigin?: boolean | string | RegExp | Array<boolean | string | RegExp>\n private _allowMethods?: string | string[]\n private _allowedHeaders?: string | string[]\n private _allowCredentials?: boolean\n private readonly _express?: Express\n private readonly _envVarPrefix?: string\n\n constructor(args?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = args ?? {}\n this._express = existingExpress\n this._envVarPrefix = envVarPrefix\n }\n\n public allowOrigin(value: string | boolean | RegExp | Array<string | boolean | RegExp>): this {\n this._allowOrigin = value\n return this\n }\n\n public disableCors(value: boolean): this {\n this._disableCors = value\n return this\n }\n\n public allowMethods(value: string | string[]): this {\n this._allowMethods = value\n return this\n }\n\n public allowedHeaders(value: string | string[]): this {\n this._allowedHeaders = value\n return this\n }\n\n public allowCredentials(value: boolean): this {\n this._allowCredentials = value\n return this\n }\n\n public configure({ existingExpress }: { existingExpress?: Express }) {\n const express = existingExpress ?? this._express\n if (!express) {\n throw Error('No express passed in during construction or configure')\n }\n\n const disableCorsEnv = env('CORS_DISABLE', this._envVarPrefix)\n const corsDisabled = this._disableCors ?? (disableCorsEnv ? /true/.test(disableCorsEnv) : false)\n if (corsDisabled) {\n return\n }\n const envAllowOriginStr = env('CORS_ALLOW_ORIGIN', this._envVarPrefix) ?? '*'\n let envAllowOrigin: string[] | string\n if (envAllowOriginStr.includes(',')) {\n envAllowOrigin = envAllowOriginStr.split(',')\n } else if (envAllowOriginStr.includes(' ')) {\n envAllowOrigin = envAllowOriginStr.split(' ')\n } else {\n envAllowOrigin = envAllowOriginStr\n }\n if (Array.isArray(envAllowOrigin) && envAllowOrigin.length === 1) {\n envAllowOrigin = envAllowOrigin[0]\n }\n const corsOptions: CorsOptions = {\n origin: this._allowOrigin ?? envAllowOrigin,\n // todo: env vars\n ...(this._allowMethods && { methods: this._allowMethods }),\n ...(this._allowedHeaders && { allowedHeaders: this._allowedHeaders }),\n ...(this._allowCredentials !== undefined && { credentials: this._allowCredentials }),\n optionsSuccessStatus: 204,\n }\n\n if (this._enablePreflightOptions) {\n express.options('*', cors(corsOptions))\n }\n express.use(cors(corsOptions))\n }\n}\n","export function env(key?: string, prefix?: string): string | undefined {\n if (!key) {\n return undefined\n }\n return process.env[`${prefix ? prefix.trim() : ''}${key}`]\n}\n","import { TAgent } from '@veramo/core'\nimport express, { Express, NextFunction, Router } from 'express'\nimport { BaseClient, ClientMetadata, ClientOptions, Issuer } from 'openid-client'\nimport passport from 'passport'\nimport { JsonWebKey } from '@sphereon/ssi-types'\nimport { copyGlobalAuthToEndpoints, isUserAuthenticated } from './auth-utils'\nimport { sendErrorResponse } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, GenericAuthArgs, ISingleEndpointOpts } from './types'\n\nconst PREFIX = process.env.PREFIX ?? ''\nexport async function oidcDiscoverIssuer(opts?: { issuerUrl?: string }) {\n const issuerUrl = opts?.issuerUrl ?? env('OIDC_ISSUER', PREFIX) ?? 'https://auth01.test.sphereon.com/auth/realms/energy-shr'\n const issuer = await Issuer.discover(issuerUrl)\n console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata)\n return { issuer, issuerUrl }\n}\n\nexport async function oidcGetClient(\n issuer: Issuer<BaseClient>,\n metadata: ClientMetadata,\n opts?: {\n jwks?: { keys: JsonWebKey[] }\n options?: ClientOptions\n },\n) {\n // @ts-ignore\n return new issuer.Client(metadata, opts?.jwks, opts?.options)\n}\n\nexport function getLoginEndpoint(router: Router, opts?: ISingleEndpointOpts & { redirectUrl?: string }) {\n if (opts?.enabled === false) {\n console.log(`Login endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/login'\n router.get(\n path,\n (req: any, res: any, next: NextFunction) => {\n const redirectPage = req.get('referer') ?? '/'\n req.session.redirectPage = redirectPage\n next()\n },\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: false },\n undefined,\n ),\n )\n}\n\nexport function getLoginCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Auth callback endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/callback'\n router.get(\n path,\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: true },\n undefined,\n ),\n (req: any, res: any, next) => {\n if (req.user) {\n console.log('User authenticated', req.user?.name)\n // console.log(req.session)\n const redirectPage = req.session.redirectPage ?? '/search'\n // console.log(`PRE LOGIN PAGE in callback: ${redirectPage}`)\n delete req.session.redirectPage\n return res.redirect(redirectPage)\n } else {\n return res.redirect(env('OIDC_FRONTEND_LOGIN_URL', PREFIX) ?? 'http://localhost:3001/authentication/login')\n }\n },\n )\n}\n\nexport function getLogoutEndpoint(router: Router, client: BaseClient, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout'\n router.get(path, (req, res) => {\n try {\n if (client.endSessionUrl()) {\n return res.redirect(client.endSessionUrl())\n } else {\n console.log('IDP does not support end session url')\n return res.redirect('/authentication/logout-callback')\n }\n } catch (error) {\n console.log(error)\n return res.redirect('/authentication/logout-callback')\n }\n })\n}\n\nexport function getLogoutCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout callback endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout-callback'\n router.get(path, (req, res, next) => {\n try {\n req.logout((err) => {\n if (err) {\n console.log(`Error during calling logout-callback: ${JSON.stringify(err)}`)\n }\n })\n return res.redirect(env('OIDC_FRONTEND_LOGOUT_REDIRECT_URL', PREFIX) ?? '/')\n } catch (e) {\n return sendErrorResponse(res, 500, 'An unexpected error occurred during logout callback', e)\n }\n })\n}\n\nexport function getIdTokenEndpoint(router: Router, client: BaseClient, opts: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`ID Token endpoint is disabled`)\n return\n }\n const path = opts.path ?? '/authentication/tokens/id'\n router.get(path, isUserAuthenticated, (req: any, res: any) => {\n if (req.session.tokens.id_token) {\n return res.json({ id_token: req.session.tokens.id_token })\n } else {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n })\n}\n\nexport function getAuthenticatedUserEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Authenticated User endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/user'\n router.get(path, isUserAuthenticated, (req: any, res: any, next: any) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n let user = req.user\n return res.json(user)\n })\n}\n\nexport interface IAuthenticationOpts {\n enabledFeatures?: AuthenticationApiFeatures\n endpointOpts?: IAuthenticationEndpointOpts\n}\n\nexport interface IAuthenticationEndpointOpts {\n basePath?: string\n globalAuth?: GenericAuthArgs\n getAuthenticatedUser?: ISingleEndpointOpts\n getLogin?: ISingleEndpointOpts\n getLogout?: ISingleEndpointOpts\n getIdToken?: ISingleEndpointOpts\n}\n\nexport type AuthenticationApiFeatures = 'login' | 'logout' | 'id-token' | 'authenticated-user'\n\nexport class OpenIDConnectAuthApi {\n get router(): express.Router {\n return this._router\n }\n\n private readonly _express: Express\n private readonly _agent?: TAgent<any>\n private readonly _opts?: IAuthenticationOpts\n private readonly _router: Router\n\n constructor(args: { agent?: TAgent<any>; expressSupport: ExpressSupport; client: BaseClient; opts: IAuthenticationOpts }) {\n const { agent, opts } = args\n this._agent = agent\n copyGlobalAuthToEndpoints({ opts, keys: ['getLogin'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getIdToken'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getAuthenticatedUser'] })\n // no need for the logout, as you these are not protected by auth\n this._opts = opts\n this._express = args.expressSupport.express\n this._router = express.Router()\n const features = opts?.enabledFeatures ?? ['login', 'logout', 'id-token', 'authenticated-user']\n console.log(`Authentication API enabled`)\n\n if (features.includes('login')) {\n getLoginEndpoint(this.router, opts?.endpointOpts?.getLogin)\n getLoginCallbackEndpoint(this.router, opts?.endpointOpts?.getLogin)\n }\n if (features.includes('logout')) {\n getLogoutEndpoint(this.router, args.client, opts?.endpointOpts?.getLogout)\n getLogoutCallbackEndpoint(this.router, opts?.endpointOpts?.getLogout)\n }\n if (features.includes('id-token')) {\n if (opts.endpointOpts?.getIdToken === undefined) {\n throw Error('Cannot enable id-token endpoint without providing id-token endpoint options')\n }\n getIdTokenEndpoint(this.router, args.client, opts?.endpointOpts?.getIdToken)\n }\n if (features.includes('authenticated-user')) {\n getAuthenticatedUserEndpoint(this.router, opts?.endpointOpts?.getAuthenticatedUser)\n }\n this._express.use(opts?.endpointOpts?.basePath ?? '', this.router)\n }\n\n get agent(): TAgent<any> | undefined {\n return this._agent\n }\n\n get opts(): IAuthenticationOpts | undefined {\n return this._opts\n }\n\n get express(): Express {\n return this._express\n }\n}\n"],"mappings":";;;;AAAA,OAAOA,cAAc;AAGd,IAAMC,cAAN,MAAMA,aAAAA;EAHb,OAGaA;;;EACMC;EACTC;EAER,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,aAAYC,QAAAA;EACzB;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,YAAYF,SAAyE;AAC1F,SAAKA,UAAU;MACb,GAAGA;MACHG,mBAAmB,uBAAuBH,UAAUA,QAAQG,oBAAoB;IAClF;AACA,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,WAAW,KAAKL;AACtB,QAAI,CAACK,UAAU;AACb,YAAMC,MAAM,iCAAA;IACd;AACA,WAAO,mBAAA,EACJC,KAAK,CAACC,YACLC,SAASC,IACP,KAAKX,UACL,IAAIS,QAAQG,eAAeN,UAAU,SAAUO,OAAsBC,IAAkB;AACrF,UAAID,OAAO;AAET,eAAOC,GAAG,MAAMD,KAAAA;MAClB;AACA,aAAOC,GAAG,uCAAuC,IAAA;IACnD,CAAA,CAAA,CAAA,EAGHC,MAAM,CAACC,WAAAA;AACNC,cAAQC,IAAIF,MAAAA;AACZ,YAAMT,MAAM,uHAAA;IACd,CAAA;EACJ;AACF;;;AC9CA,OAAOY,eAAc;AAoCd,IAAMC,iBAAN,MAAMA,gBAAAA;EApCb,OAoCaA;;;EACMC;EACTC,UAAuC,CAAC;EAEhD,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,gBAAeC,QAAAA;EAC5B;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,WAAWC,QAAsB;AACtC,SAAKH,UAAU;MAAE,GAAG,KAAKA;MAASG;IAAO;AACzC,WAAO;EACT;EAEOC,aAAaC,UAAmC;AACrD,SAAKL,UAAU;MAAE,GAAG,KAAKA;MAASK;IAAS;AAC3C,WAAO;EACT;EAEOC,YAAYC,SAAuB;AACxC,SAAKP,UAAU;MAAE,GAAG,KAAKA;MAASO;IAAQ;AAC1C,WAAO;EACT;EAEOC,eAAeC,YAAmC;AACvD,SAAKT,UAAU;MAAE,GAAG,KAAKA;MAASS;IAAW;AAC7C,WAAO;EACT;EAEOC,YAAYV,SAA4C;AAC7D,SAAKA,UAAU;MAAE,GAAG,KAAKA;MAAS,GAAGA;IAAQ;AAC7C,WAAO;EACT;EAEA,MAAMW,kBAAiC;AACrC,UAAM,EAAER,QAAQE,UAAUI,WAAU,IAAK,KAAKT;AAE9C,QAAI,CAACG,QAAQ;AACX,aAAOS,QAAQC,OAAO,IAAIC,MAAM,yCAAA,CAAA;IAClC;AAEA,QAAIP,UAAU,KAAKP,QAAQO;AAC3B,QAAI,CAACA,SAAS;AACZA,gBAAU,MAAM,KAAKQ,gBAAgBZ,MAAAA;IACvC;AAEA,QAAI;AACF,YAAM,CAACa,aAAaC,OAAAA,IAAW,MAAML,QAAQM,IAAI;QAAC,OAAO,cAAA;QAAiB,OAAO,UAAA;OAAY;AAE7F,YAAM,EAAEC,UAAUC,aAAaC,WAAU,IAAKL;AAC9C,YAAM,EAAEM,kBAAiB,IAAKL;AAE9B,YAAMM,aAAa;QACjBC,gBAAgBH,WAAWI,4BAA2B;QACtDC,qBAAqBJ,kBAAkB;UACrCK,OAAO;UACPC,WAAW;UACXC,uBAAuB;UACvBtB;QACF,CAAA;QACAJ;QACAE;QACAI,YAAYA,cAAe;UAAC;UAAS;UAAS;UAAS;UAAS;UAAS;;MAC3E;AAEAqB,MAAAA,UAASC,IACP,KAAKhC,UACL,IAAIqB,YAAYG,YAAY,CAACS,SAA4BC,SAAAA;AACvD,YAAID,SAAS;AACX,iBAAOC,KAAK,MAAMD,OAAAA;QACpB;AACA,eAAOC,KAAK,uCAAuC,IAAA;MACrD,CAAA,CAAA;IAEJ,SAASC,OAAO;AACdC,cAAQD,MAAM,0CAA0CA,KAAAA;AACxD,aAAOtB,QAAQC,OACb,IAAIC,MACF,qHACA;QAAEsB,OAAOF;MAAM,CAAA,CAAA;IAGrB;EACF;EAEA,MAAcnB,gBAAgBZ,QAAiC;AAC7D,UAAMkC,eAAe,GAAGlC,MAAAA,GAASA,OAAOmC,SAAS,GAAA,IAAO,KAAK,GAAA;AAE7D,QAAI;AACF,YAAMC,WAAW,MAAMC,MAAMH,YAAAA;AAC7B,UAAI,CAACE,SAASE,IAAI;AAChB,eAAO7B,QAAQC,OACb,IAAIC,MAAM,2CAA2CuB,YAAAA,KAAiBE,SAASG,MAAM,IAAIH,SAASI,UAAU,EAAE,CAAA;MAElH;AAEA,YAAMC,SAAU,MAAML,SAASM,KAAI;AACnC,UAAI,CAACD,OAAOE,UAAU;AACpB,eAAOlC,QAAQC,OAAO,IAAIC,MAAM,yBAAyBuB,YAAAA,4BAAwC,CAAA;MACnG;AAEA,aAAOO,OAAOE;IAChB,SAASZ,OAAO;AACd,aAAOtB,QAAQC,OACb,IAAIC,MAAM,0DAA0DuB,YAAAA,IAAgB;QAAED,OAAOF;MAAM,CAAA,CAAA;IAEvG;EACF;AACF;;;ACnJA,OAAOa,eAAc;AAErB,SAASC,gBAAgB;AAGlB,IAAMC,mBAAN,MAAMA,kBAAAA;EALb,OAKaA;;;EACMC;EACjB,OAAeC,YAAmD,oBAAIC,IAAAA;EACtE,OAAeC,gBAAkE,oBAAID,IAAAA;EAC7EE,aAAuB;EAE/B,OAAcC,KAAKL,UAAkBM,UAAqC;AACxE,WAAO,IAAIP,kBAAiBC,YAAY,UAAUM,YAAY,IAAIC,iCAAiCP,QAAAA,CAAAA;EACrG;EAEA,YAAoBA,UAAkBM,UAAoC;AACxE,SAAKN,WAAWA;AAChB,QAAID,kBAAiBE,UAAUO,IAAIR,QAAAA,GAAW;AAC5C,UAAID,kBAAiBE,UAAUQ,IAAIT,QAAAA,MAAcM,UAAU;AACzD,cAAMI,MAAM,yDAAyDV,QAAAA;MACvE;IACF,OAAO;AACLD,wBAAiBE,UAAUU,IAAIX,UAAUM,QAAAA;IAC3C;EACF;EAEA,IAAIA,WAAW;AACb,UAAMA,WAAWP,kBAAiBE,UAAUQ,IAAI,KAAKT,QAAQ;AAC7D,QAAI,CAACM,UAAU;AACb,YAAMI,MAAM,qCAAqC,KAAKV,QAAQ;IAChE;AACA,WAAOM;EACT;EAEAM,eAAeR,YAA2B;AACxC,SAAKA,aAAaA;AAClB,WAAO;EACT;EAEAS,UAAUC,OAAwC;AAChD,SAAKC,QAAQD,KAAAA;AACb,WAAO;EACT;EAEAC,QAAQC,MAAuC;AAC7C,SAAKV,SAASS,QAAQC,IAAAA;AACtB,WAAO;EACT;EAEAC,kBAAkBC,SAAoD;AACpEnB,sBAAiBI,cAAcQ,IAAI,KAAKX,UAAUkB,OAAAA;AAClD,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,YAAY,KAAKd;AACvB,aAASe,SAASC,OAAeC,IAAkF;AACjH,YAAMP,OAAOI,UAAUI,QAAQF,KAAAA;AAC/B,UAAIN,MAAM;AACR,eAAOO,GAAG,MAAMP,IAAAA;MAClB;AACA,aAAOO,GAAG,uCAAuC,KAAA;IACnD;AANSF;AAQT,WAAO,sBAAA,EACJI,KAAK,CAACC,eAAAA;AACL,YAAMtB,aAAa,KAAKA,cAAc;AACtCuB,MAAAA,UAASC,IACP,KAAK5B,UACL,IAAI0B,WAAWG,SAAS;QAAEC,mBAAmB;MAAM,GAAG,SACpDR,OACAC,IAAkF;AAElF,YAAInB,YAAY;AACd,iBAAO,sBAAA,EACJqB,KAAK,CAACM,SAAAA;AACLV,qBAASW,SAASD,KAAKE,OAAOX,KAAAA,CAAAA,GAASC,EAAAA;UACzC,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,oBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,kBAAMzB,MAAM,gDAAA;UACd,CAAA;QACJ,OAAO;AACLW,mBAASC,OAAOC,EAAAA;QAClB;MACF,CAAA,CAAA;IAEJ,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,cAAQC,IAAI,yCAAyCF,KAAAA,EAAO;AAC5D,YAAMzB,MAAM,uDAAA;IACd,CAAA;EACJ;AACF;AAYO,IAAMH,mCAAN,MAAMA;EAzGb,OAyGaA;;;EACM+B;EACAC,SAAuB,CAAA;EACvBC;EAEjB,YAAYxC,UAAkByC,cAAwB;AACpD,SAAKH,YAAYtC;AACjB,SAAKwC,gBAAgBC,gBAAgB;EACvC;EAEA,IAAI3B,QAAsB;AACxB,WAAO,KAAKyB;EACd;EAEA,IAAIE,eAAwB;AAC1B,WAAO,KAAKD;EACd;EAEA,IAAIxC,WAAmB;AACrB,WAAO,KAAKsC;EACd;EAEAd,QAAQF,OAAuC;AAC7C,WAAO,KAAKR,MAAM4B,KAAK,CAAC1B,SAASA,KAAKM,UAAUA,KAAAA;EAClD;EAEAP,QAAQC,MAAiC2B,WAA2B;AAClE,UAAM7B,QAAQ8B,MAAMC,QAAQ7B,IAAAA,IAAQA,OAAO;MAACA;;AAC5C,QAAI2B,WAAW;AACb,UAAI,CAAC,KAAKF,cAAc;AACtB,cAAM/B,MAAM,4FAA4F,KAAKV,QAAQ;MACvH;AACA,aAAO,sBAAA,EACJyB,KAAK,CAACM,SAAAA;AACLjB,cAAMgC,QAAQ,CAAC9B,UAAUA,MAAKM,QAAQU,SAASD,KAAKE,OAAOjB,MAAKM,KAAK,CAAA,CAAA;MACvE,CAAA,EACCY,MAAM,CAACC,UAAAA;AACNC,gBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,cAAMzB,MAAM,gDAAA;MACd,CAAA;IACJ;AACA,SAAK6B,OAAOQ,KAAI,GAAIjC,KAAAA;EACtB;EAEAkC,WAAyB;AACvB,WAAO,KAAKT;EACd;AACF;;;ACtJA,OAAOU,eAAc;;;ACAd,SAASC,kBAAkBC,UAA4BC,YAAoBC,SAA0BC,OAAW;AACrH,MAAIC,MAAMF;AACV,MAAI,CAACE,KAAK;AACRC,YAAQF,MAAM,yEAAA;AACdC,UAAM;AACNH,iBAAa;EACf,OAAO;AACLI,YAAQF,MAAM,sBAAsBF,UAAAA,MAAgB,OAAOG,QAAQ,WAAWA,MAAME,KAAKC,UAAUH,GAAAA,CAAAA,EAAM;EAC3G;AACA,MAAID,OAAO;AACT,QAAIA,iBAAiBK,OAAO;AAC1BH,cAAQF,MAAM,kBAAkBA,MAAMD,OAAO,EAAE;IACjD;AACAG,YAAQF,MAAM,iBAAiBG,KAAKC,UAAUJ,KAAAA,CAAAA,EAAQ;EACxD;AACA,MAAIF,cAAc,KAAK;AACrBI,YAAQF,MAAM,yDAAA;AACdE,YAAQF,MAAMA,OAAOM,KAAAA;AACrBJ,YAAQF,MAAMK,MAAAA,EAAQC,KAAK;EAC7B;AACA,MAAIT,SAASU,aAAa;AACxBL,YAAQF,MAAM,wCAAwC;AACtD,WAAOH;EACT;AACAA,WAASC,aAAaA;AACtB,MAAI,OAAOG,QAAQ,YAAY,CAACA,IAAIO,WAAW,GAAA,GAAM;AACnDP,UAAM;MAAED,OAAOC;IAAI;EACrB;AACA,MAAI,OAAOA,QAAQ,YAAYA,IAAIO,WAAW,GAAA,GAAM;AAClDX,aAASY,OAAO,gBAAgB,kBAAA;AAChC,WAAOZ,SAASa,OAAOZ,UAAAA,EAAYa,IAAIV,GAAAA;EACzC;AACA,SAAOJ,SAASa,OAAOZ,UAAAA,EAAYc,KAAKX,GAAAA;AAC1C;AAjCgBL;AAmCT,IAAMiB,mBAAmB,wBAACC,KAAUC,KAAsBC,KAAuBC,SAAAA;AACtF,QAAMnB,aAAqB,gBAAgBgB,MAAMA,IAAIhB,aAAa;AAClE,MAAIoB,WAAW,OAAOJ,QAAQ,WAAWA,MAAOA,IAAIf,WAAWe;AAC/D,MAAI,OAAOI,aAAa,UAAU;AAChCA,eAAWf,KAAKC,UAAUc,QAAAA;EAC5B;AACA,MAAIF,IAAIT,aAAa;AACnBL,YAAQiB,IAAI,oFAAA;AACZjB,YAAQiB,IAAI,cAAchB,KAAKC,UAAUU,GAAAA,CAAAA,EAAM;AAC/C,WAAOG,KAAKH,GAAAA;EACd;AACA,SAAOlB,kBAAkBoB,KAAKlB,YAAYoB,UAAUJ,GAAAA;AACtD,GAZgC;;;AClBzB,SAASM,gBAAgBC,MAAS;AACvC,SAAO,kBAAkBA,QAAQA,KAAKC;AACxC;AAFgBF;;;AFZT,IAAMG,oBAAoB,wBAACC,SAAuC,CAACC,KAAsBC,KAAuBC,SAAAA;AACrH,MAAI,CAACH,MAAMI,SAASJ,KAAKI,MAAMC,WAAW,GAAG;AAC3C,WAAOF,KAAAA;EACT;AACA,QAAMC,QAAQE,MAAMC,QAAQP,KAAKI,KAAK,IAAIJ,KAAKI,QAAQ;IAACJ,KAAKI;;AAC7D,MAAI,CAACH,KAAKO,QAAQ,EAAE,UAAUP,IAAIO,OAAO;AACvC,WAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAGA,QAAMC,UAAUP,MAAMQ,KAAK,CAACC,SAASZ,IAAIO,KAAKK,KAAKC,YAAW,MAAOD,KAAKC,YAAW,CAAA;AACrF,MAAI,CAACH,SAAS;AACZ,WAAOT,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAEA,SAAOP,KAAAA;AACT,GAhBiC;AAkBjC,IAAMY,0BAA0B,wBAACd,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACxG,QAAMgB,kBAAkB,wBACtBC,KACAT,MACAU,OACAC,YAAAA;AAEA,QAAIF,KAAK;AACP,YAAMG,UAAU,aAAaH,MAAMA,IAAIG,UAAUH;AACjDI,cAAQC,IAAI,mCAAmCC,KAAKC,UAAUJ,OAAAA,CAAAA;AAC9D,aAAOjB,KAAK;QAAEsB,YAAY;QAAKL;MAAQ,CAAA;IACzC,WAAW,CAACZ,MAAM;AAChBa,cAAQC,IAAI,iFAAA;AAEZ,aAAOpB,IAAIwB,SAAS,uBAAA;IACtB;AACA,QAAIC,QAAQC,SAAS;AACnB3B,UAAI4B,MAAMrB,MAAM,SAAUS,MAAG;AAC3B,YAAIA,MAAK;AACP,iBAAOd,KAAKc,IAAAA;QACd;MACF,CAAA;IACF;AASA,WAAOd,KAAAA;EACT,GA/BwB;AAiCxB,MAAI,CAACH,QAAQ,CAACA,KAAK8B,kBAAkB9B,KAAK8B,eAAeC,YAAY,OAAO;AAC1E,WAAO5B,KAAAA;EACT;AACA,MAAI,CAACH,KAAK8B,eAAeE,UAAU;AACjCX,YAAQC,IAAI,sFAAsF;AAClG,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,QAAMiB,UAAU;IACd,GAAG3B,MAAM8B,gBAAgBG;IACzBC,UAAUlC,MAAM8B,gBAAgBI,aAAa;IAC7CN,SAAS5B,MAAM8B,gBAAgBF,YAAY;EAC7C;AAEA,QAAMO,WAAWnC,MAAM8B,gBAAgBK,aAAanC,MAAM8B,gBAAgBM,qBAAqBpB,kBAAkBqB;AAEjHC,EAAAA,UAASC,aAAavC,KAAK8B,eAAeE,UAAUL,SAASQ,QAAAA,EAAUK,KAAK,QAAMvC,KAAKC,KAAKC,IAAAA;AAC9F,GAlDgC;AAmDhC,IAAMsC,yBAAyB,wBAACxC,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACvG,MAAI,CAACA,QAAQ,CAACA,KAAK8B,kBAAkB,CAAC9B,KAAK0C,iBAAiB1C,KAAK8B,eAAeC,YAAY,SAAS/B,MAAM0C,cAAcX,YAAY,OAAO;AAC1I,WAAO5B,KAAAA;EACT;AAIA,QAAMuC,gBAAgB1C,KAAK0C;AAE3B,MAAI,CAACA,cAAcC,aAAa,CAACD,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,WAAW,IAAI;AACnHgB,YAAQC,IAAI,uEAAuE;AACnF,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,MAAIgC,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,SAAS,GAAG;AACnFN,sBAAkB;MAAEK,OAAOsC,cAAcE;IAAmB,CAAA;EAC9D;AACA,MAAIF,cAAcC,UAAU;AAC1B,UAAMA,WAAWD,cAAcC;AAC/B,UAAME,YAAYF,SAASG,YAAY7C,IAAIO,MAAMR,KAAK+C,UAAU/C,KAAKgD,SAAS;AAC9E,QAAI,CAACH,WAAW;AACdxB,cAAQC,IAAI,aAAatB,KAAK+C,QAAQ,WAAW/C,KAAKgD,SAAS,oBAAoB/C,IAAIO,IAAI,EAAE;AAC7F,aAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;IAC5B;EACF;AACA,SAAOP,KAAAA;AACT,GAzB+B;AA2BxB,IAAM8C,0BAA0B,wBAACjD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE5G,SAAOY,wBAAwBd,KAAKC,KAAKC,MAAMH,IAAAA;AACjD,GAHuC;AAKhC,IAAMkD,yBAAyB,wBAAClD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE3G,SAAOsC,uBAAuBxC,KAAKC,KAAKC,MAAMH,IAAAA;AAChD,GAHsC;AAK/B,IAAMmD,yBAAyB,wBAAClD,KAAsBC,KAAuBC,SAAAA;AAClF,MAAI,CAACF,IAAIO,MAAM;AACbL,SAAAA;EACF;AACF,GAJsC;AAM/B,IAAMiD,sBAAsB,wBAACnD,KAAsBC,KAAuBC,SAAAA;AAC/E,MAAI,CAACF,IAAIO,MAAM;AACb,WAAO6C,kBAAkBnD,KAAK,KAAK,yBAAA;EACrC,OAAO;AACL,WAAOC,KAAAA;EACT;AACF,GANmC;AAQ5B,IAAMmD,YAAY,wBAACtD,SAAAA;AACxB,QAAMuD,WAAwF,CAAA;AAC9FA,WAASC,KAAKP,wBAAwBjD,IAAAA,CAAAA;AACtCuD,WAASC,KAAKN,uBAAuBlD,IAAAA,CAAAA;AACrCA,QAAMuD,YAAYA,SAASC,KAAI,GAAIxD,KAAKuD,QAAQ;AAChD,SAAOA;AACT,GANyB;AAQlB,SAASE,yBAAyBC,MAA8C;AACrF,QAAM1D,OAAO0D,MAAM1D;AACnB,QAAM2D,MAAMD,MAAMC;AAClB,MAAI,CAAC3D,QAAQ,CAAC2D,OAAO,CAACC,gBAAgB5D,IAAAA,GAAO;AAC3C;EACF;AACA,MAAI2D,QAAQ,YAAY;AAEtB;EACF;AACA,MAAI3D,KAAK6D,cAAcC,YAAY;AACjC,QAAI9D,KAAK6D,aAAaF,GAAAA,GAAMI,sBAAsB,MAAM;AACtD;IACF;AACA/D,SAAK6D,aAAaF,GAAAA,IAAO;MACvB,GAAG3D,KAAK6D,aAAaF,GAAAA;MACrBK,UAAU;QAAE,GAAGhE,KAAK6D,aAAaC;QAAY,GAAG9D,KAAK6D,aAAaF,GAAAA,GAAMK;MAAS;IACnF;EACF;AACF;AAnBgBP;AAqBT,SAASQ,0BAA0BP,MAAiD;AACzFA,QAAMQ,KAAKC,QAAQ,CAACR,QAAQF,yBAAyB;IAAEzD,MAAM0D,MAAM1D;IAAM2D;EAAI,CAAA,CAAA;AAC/E;AAFgBM;;;AGzJhB,OAAOG,gBAAgB;AAEvB,OAAOC,UAA2B;AAElC,OAAOC,aAA0B;AAEjC,OAAOC,oBAAoB;AAG3B,SAASC,4BAA4C;AACrD,OAAOC,YAAY;AACnB,OAAOC,eAAqC;;;ACdrC,SAASC,IAAIC,KAAcC,QAAe;AAC/C,MAAI,CAACD,KAAK;AACR,WAAOE;EACT;AACA,SAAOC,QAAQJ,IAAI,GAAGE,SAASA,OAAOG,KAAI,IAAK,EAAA,GAAKJ,GAAAA,EAAK;AAC3D;AALgBD;;;AD0BT,IAAMM,iBAAN,MAAMA,gBAAAA;EA1Bb,OA0BaA;;;EACHC;EACAC;EACAC;EACAC,YAAuD,CAAA;EACvDC;EACAC,eAAqCC;EAC5BC;EACTC;EACAC;EACAC,mBAA6B;EAC7BC;EACAC;EACAC;EACAC;EACAC;EACAC;EAER,YAAoBC,MAA6D;AAC/E,UAAM,EAAEjB,iBAAiBO,aAAY,IAAKU,QAAQ,CAAC;AACnD,QAAIjB,iBAAiB;AACnB,WAAKkB,YAAYlB,eAAAA;IACnB;AACA,SAAKO,eAAeA,gBAAgB;EACtC;EAEA,OAAcY,oBAAoBF,MAA6D;AAC7F,WAAO,IAAIlB,gBAAekB,QAAQ,CAAC,CAAA;EACrC;EAEA,OAAcG,eAAeH,MAAsD;AACjF,UAAMI,UAAU,IAAItB,gBAAe;MAAEC,iBAAiBiB,MAAMjB;MAAiBO,cAAcU,MAAMV;IAAa,CAAA;AAC9G,WAAOc,QAAQC,qBAAqB;MAAE,GAAGL;MAAMhB,cAAcgB,KAAKM;MAAUC,cAAcP,KAAKQ,kBAAkB;IAAM,CAAA;EACzH;EAEOC,aAAaF,cAA8B;AAChD,QAAIA,iBAAiBlB,QAAW;AAC9B,WAAKD,eAAemB;IACtB;AACA,WAAO;EACT;EAEOG,kBAAkBV,MAA0G;AACjI,QAAIA,MAAMW,mBAAmBX,KAAKY,UAAUZ,KAAKa,UAAU;AACzD,YAAMC,MAAM,iEAAA;IACd;AACA,SAAKf,UAAUC,MAAMW,kBAAkBI,OAAOf,MAAMY,UAAU,OAAOZ,MAAMa,OAAAA;AAC3E,WAAO;EACT;EAEOR,qBAAqB,EAC1BpB,MACAD,cACAgC,UACAT,aAAY,GAML;AACPtB,YAAQ,KAAKgC,SAAShC,IAAAA;AACtBD,oBAAgB,KAAKkC,aAAalC,YAAAA;AAClC,QAAI,OAAOgC,aAAa,YAAY;AAClC,WAAKG,mBAAmBH,QAAAA;IAC1B;AACA,SAAK5B,eAAemB,iBAAiB;AACrC,WAAO;EACT;EAEOU,SAAShC,MAAoB;AAClC,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEOiC,aAAalC,cAA4B;AAC9C,SAAKA,eAAeA;AACpB,WAAO;EACT;EAEOmC,mBAAmBH,UAA4B;AACpD,SAAK7B,iBAAiB6B;AACtB,WAAO;EACT;EAEOf,YAAYlB,iBAAgC;AACjD,SAAKA,kBAAkBA;AACvB,SAAKK,eAAe;AACpB,WAAO;EACT;EAEOgC,mBAAmBC,YAAyC;AACjE,SAAK9B,kBAAkB8B;AACvB,WAAO;EACT;EAEOC,iBAAiBC,aAAsBC,mBAA6C;AACzF,SAAK/B,mBAAmB8B;AACxB,SAAK7B,oBAAoB8B;AACzB,WAAO;EACT;EAEOC,uBAAuBC,cAAuC;AACnE,SAAK/B,gBAAgB+B;AACrB,WAAO;EACT;EAEOC,aAAaC,UAA0B;AAC5C,SAAKhC,YAAYgC;AACjB,WAAO;EACT;EAEOpB,eAAeqB,UAAkB;AACtC,SAAKhC,UAAUgC,SAAQC,OAAO,KAAKC,QAAO,GAAI,KAAKC,YAAW,GAAI,KAAK7C,cAAc;AACrF,SAAKW,cAAcmC,qBAAqB;MACtCC,QAAQ,KAAKrC;IAEf,CAAA;AAEA,WAAO;MAAEqC,QAAQ,KAAKrC;MAASsC,YAAY,KAAKrC;IAAY;EAC9D;EAEOkC,cAAsB;AAC3B,WAAO,KAAKhD,gBAAgBoD,IAAI,YAAY,KAAK9C,YAAY,KAAK;EACpE;EAEOyC,UAAkB;AACvB,WAAQ,KAAK9C,QAAQmD,IAAI,QAAQ,KAAK9C,YAAY,KAAK;EACzD;EAEO+C,YAAYC,UAAmF;AACpG,QAAIC,MAAMC,QAAQF,QAAAA,GAAW;AAC3B,WAAKpD,YAAYoD;IACnB,WAAWA,UAAU;AACnB,UAAI,CAAC,KAAKpD,WAAW;AACnB,aAAKA,YAAY,CAAA;MACnB;AACA,WAAKA,UAAUuD,KAAKH,QAAAA;IACtB,OAAO;AACL,WAAKpD,YAAY,CAAA;IACnB;AAEA,WAAO;EACT;EAEOwD,WAAWC,SAA+C;AAC/D,QAAI,CAAC,KAAKzD,WAAW;AACnB,WAAKA,YAAY,CAAA;IACnB;AACA,SAAKA,UAAUuD,KAAKE,OAAAA;AACpB,WAAO;EACT;EAEOC,mBAAmBC,aAA2C;AACnE,SAAKrD,eAAeqD;AACpB,WAAO;EACT;EAEOC,MAA6B9C,MAIjB;AACjB,UAAM6B,WAAU,KAAKkB,aAAa/C,IAAAA;AAClC,UAAMQ,iBAAiBR,MAAMQ,mBAAmBnB,SAAY,KAAKD,iBAAiB,OAAOY,KAAKQ;AAC9F,QAAIwC,UAAU,KAAKnD,YAAYR;AAC/B,QAAImB,kBAAkB,CAACwC,SAAS;AAC9B,WAAKxC,eAAeqB,QAAAA;AACpBmB,gBAAU;IACZ;AAEA,WAAO;MACLnB,SAAAA;MACA5C,MAAM,KAAK8C,QAAO;MAClBzB,UAAU,KAAK0B,YAAW;MAC1BN,cAAc,KAAK/B;MACnBa;MACAoB,UAAU,KAAKhC;MACfqD,OAAO,wBAACjD,UAAAA;AACN,YAAIA,OAAMkD,qBAAqB;AAC7BC,kBAAQC,IAAI,sEAAA;QACd,OAAO;AACL,cAAI,CAACJ,SAAS;AACZ,iBAAKxC,eAAeqB,QAAAA;AACpBmB,sBAAU;UACZ;QACF;AAEA,YAAIhD,OAAMqD,wBAAwB,MAAM;AACtCxB,UAAAA,SAAQyB,IAAIC,gBAAAA;QACd;AACA,eAAO;UAAErB,QAAQ,KAAKrC;UAAUsC,YAAY,KAAKrC;QAAa;MAChE,GAdO;MAeP0D,MAAM,8BAAOrB,eAAAA;AACX,cAAMsB,OAAOtB,cAAc,KAAKrC;AAChC,YAAI,CAAC2D,MAAM;AACT,iBAAO;QACT;AACA,eAAO,MAAMA,KAAKC,UAAS,EAAGC,KAAK,MAAM,IAAA;MAC3C,GANM;IAOR;EACF;EAEUZ,aAAoC/C,MAI1B;AAClB,UAAM4D,MAAuB5D,MAAM6B,WAAW,KAAK9C,mBAAmB8C,QAAAA;AACtE,QAAI,KAAK9B,SAAS;AAChB6D,UAAIN,IAAI,KAAKvD,OAAO;IACtB;AACA,QAAI,KAAKP,cAAc;AACrB,YAAMqE,QAAQ,KAAKrE,aAAaqE,SAAS,IAAIC,eAAeC,YAAW;AACvE,WAAKvE,aAAaqE,QAAQA;AAC1BD,UAAIN,IAAIQ,eAAe,KAAKtE,YAAY,CAAA;IAC1C;AACA,QAAI,KAAKC,kBAAkB;AACzBmE,UAAIN,IAAIU,UAASC,WAAW,KAAKvE,iBAAiB,CAAA;AAClD,UAAI,KAAKF,cAAc;AAGrBoE,YAAIN,IAAIU,UAASE,QAAO,CAAA;MAC1B;IACF;AACA,QAAI,KAAKvE,eAAe;AACtBiE,UAAIN,IAAIa,kBAAkB;QAAEC,OAAO,KAAKzE;MAAc,CAAA,CAAA;IACxD;AACA,QAAI,KAAKJ,iBAAiB;AACxB,WAAKA,gBAAgB8E,UAAU;QAAEtF,iBAAiB6E;MAAI,CAAA;IACxD;AAGA,SAAK1E,aAAa,KAAKA,UAAUoF,SAAS,KAAKV,IAAIN,IAAI,KAAKpE,SAAS;AAErEc,UAAMsC,YAAYsB,IAAIN,IAAItD,KAAKsC,QAAQ;AAEvCsB,QAAIN,IAAIiB,WAAWC,WAAW;MAAEC,UAAU;IAAK,CAAA,CAAA;AAC/Cb,QAAIN,IAAIiB,WAAWG,KAAK;MAAEC,OAAO;IAAM,CAAA,CAAA;AACvC,WAAOf;EACT;AACF;AAEO,IAAMgB,wBAAN,MAAMA;EA7Qb,OA6QaA;;;EACHC;EACAC;EACAC;EACAC;EACAC;EACAC;EACSC;EACAC;EAEjB,YAAYC,MAA6D;AACvE,UAAM,EAAEtG,iBAAiBO,aAAY,IAAK+F,QAAQ,CAAC;AACnD,SAAKF,WAAWpG;AAChB,SAAKqG,gBAAgB9F;EACvB;EAEOgG,YAAYC,OAA2E;AAC5F,SAAKR,eAAeQ;AACpB,WAAO;EACT;EAEOC,YAAYD,OAAsB;AACvC,SAAKV,eAAeU;AACpB,WAAO;EACT;EAEOE,aAAaF,OAAgC;AAClD,SAAKP,gBAAgBO;AACrB,WAAO;EACT;EAEOG,eAAeH,OAAgC;AACpD,SAAKN,kBAAkBM;AACvB,WAAO;EACT;EAEOI,iBAAiBJ,OAAsB;AAC5C,SAAKL,oBAAoBK;AACzB,WAAO;EACT;EAEOlB,UAAU,EAAEtF,gBAAe,GAAmC;AACnE,UAAM8C,WAAU9C,mBAAmB,KAAKoG;AACxC,QAAI,CAACtD,UAAS;AACZ,YAAMf,MAAM,uDAAA;IACd;AAEA,UAAM8E,iBAAiBxD,IAAI,gBAAgB,KAAKgD,aAAa;AAC7D,UAAMS,eAAe,KAAKhB,iBAAiBe,iBAAiB,OAAOE,KAAKF,cAAAA,IAAkB;AAC1F,QAAIC,cAAc;AAChB;IACF;AACA,UAAME,oBAAoB3D,IAAI,qBAAqB,KAAKgD,aAAa,KAAK;AAC1E,QAAIY;AACJ,QAAID,kBAAkBE,SAAS,GAAA,GAAM;AACnCD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,WAAWH,kBAAkBE,SAAS,GAAA,GAAM;AAC1CD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,OAAO;AACLF,uBAAiBD;IACnB;AACA,QAAIxD,MAAMC,QAAQwD,cAAAA,KAAmBA,eAAe1B,WAAW,GAAG;AAChE0B,uBAAiBA,eAAe,CAAA;IAClC;AACA,UAAMG,cAA2B;MAC/BC,QAAQ,KAAKrB,gBAAgBiB;;MAE7B,GAAI,KAAKhB,iBAAiB;QAAEqB,SAAS,KAAKrB;MAAc;MACxD,GAAI,KAAKC,mBAAmB;QAAES,gBAAgB,KAAKT;MAAgB;MACnE,GAAI,KAAKC,sBAAsB7F,UAAa;QAAEiH,aAAa,KAAKpB;MAAkB;MAClFqB,sBAAsB;IACxB;AAEA,QAAI,KAAKzB,yBAAyB;AAChCjD,MAAAA,SAAQhB,QAAQ,KAAK2F,KAAKL,WAAAA,CAAAA;IAC5B;AACAtE,IAAAA,SAAQyB,IAAIkD,KAAKL,WAAAA,CAAAA;EACnB;AACF;;;AE1VA,OAAOM,cAAgD;AACvD,SAAoDC,cAAc;AAClE,OAAOC,eAAc;AAOrB,IAAMC,SAASC,QAAQC,IAAIF,UAAU;AACrC,eAAsBG,mBAAmBC,MAA6B;AACpE,QAAMC,YAAYD,MAAMC,aAAaH,IAAI,eAAeF,MAAAA,KAAW;AACnE,QAAMM,SAAS,MAAMC,OAAOC,SAASH,SAAAA;AACrCI,UAAQC,IAAI,2BAA2BJ,OAAOA,QAAQA,OAAOK,QAAQ;AACrE,SAAO;IAAEL;IAAQD;EAAU;AAC7B;AALsBF;AAOtB,eAAsBS,cACpBN,QACAK,UACAP,MAGC;AAGD,SAAO,IAAIE,OAAOO,OAAOF,UAAUP,MAAMU,MAAMV,MAAMW,OAAAA;AACvD;AAVsBH;AAYf,SAASI,iBAAiBC,QAAgBb,MAAqD;AACpG,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,4BAA4B;AACxC;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACA,CAACE,KAAUC,KAAUC,SAAAA;AACnB,UAAMC,eAAeH,IAAID,IAAI,SAAA,KAAc;AAC3CC,QAAII,QAAQD,eAAeA;AAC3BD,SAAAA;EACF,GACAG,UAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAM,GACrHC,MAAAA,CAAAA;AAGN;AAvBgBlB;AAyBT,SAASmB,yBAAyBlB,QAAgBb,MAA0B;AACjF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,oCAAoC;AAChD;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACAO,UAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAK,GACpHC,MAAAA,GAEF,CAACT,KAAUC,KAAUC,SAAAA;AACnB,QAAIF,IAAIW,MAAM;AACZ3B,cAAQC,IAAI,sBAAsBe,IAAIW,MAAMC,IAAAA;AAE5C,YAAMT,eAAeH,IAAII,QAAQD,gBAAgB;AAEjD,aAAOH,IAAII,QAAQD;AACnB,aAAOF,IAAIY,SAASV,YAAAA;IACtB,OAAO;AACL,aAAOF,IAAIY,SAASpC,IAAI,2BAA2BF,MAAAA,KAAW,4CAAA;IAChE;EACF,CAAA;AAEJ;AA9BgBmC;AAgCT,SAASI,kBAAkBtB,QAAgBuB,QAAoBpC,MAA0B;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,6BAA6B;AACzC;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,QAAAA;AACrB,QAAI;AACF,UAAIc,OAAOC,cAAa,GAAI;AAC1B,eAAOf,IAAIY,SAASE,OAAOC,cAAa,CAAA;MAC1C,OAAO;AACLhC,gBAAQC,IAAI,sCAAA;AACZ,eAAOgB,IAAIY,SAAS,iCAAA;MACtB;IACF,SAASI,OAAO;AACdjC,cAAQC,IAAIgC,KAAAA;AACZ,aAAOhB,IAAIY,SAAS,iCAAA;IACtB;EACF,CAAA;AACF;AAnBgBC;AAqBT,SAASI,0BAA0B1B,QAAgBb,MAA0B;AAClF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,sCAAsC;AAClD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,KAAKC,SAAAA;AAC1B,QAAI;AACFF,UAAImB,OAAO,CAACC,QAAAA;AACV,YAAIA,KAAK;AACPpC,kBAAQC,IAAI,yCAAyCoC,KAAKC,UAAUF,GAAAA,CAAAA,EAAM;QAC5E;MACF,CAAA;AACA,aAAOnB,IAAIY,SAASpC,IAAI,qCAAqCF,MAAAA,KAAW,GAAA;IAC1E,SAASgD,GAAG;AACV,aAAOC,kBAAkBvB,KAAK,KAAK,uDAAuDsB,CAAAA;IAC5F;EACF,CAAA;AACF;AAlBgBL;AAoBT,SAASO,mBAAmBjC,QAAgBuB,QAAoBpC,MAAyB;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,+BAA+B;AAC3C;EACF;AACA,QAAMa,OAAOnB,KAAKmB,QAAQ;AAC1BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,QAAAA;AAC/C,QAAID,IAAII,QAAQuB,OAAOC,UAAU;AAC/B,aAAO3B,IAAI4B,KAAK;QAAED,UAAU5B,IAAII,QAAQuB,OAAOC;MAAS,CAAA;IAC1D,OAAO;AACL,aAAOJ,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;EACF,CAAA;AACF;AAbgBwB;AAeT,SAASK,6BAA6BtC,QAAgBb,MAA0B;AACrF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,yCAAyC;AACrD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,KAAUC,SAAAA;AACzD,QAAI,CAACF,IAAIW,MAAM;AACb,aAAOa,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;AACA,QAAIU,OAAOX,IAAIW;AACf,WAAOV,IAAI4B,KAAKlB,IAAAA;EAClB,CAAA;AACF;AAbgBmB;AA+BT,IAAMC,uBAAN,MAAMA;EA7Kb,OA6KaA;;;EACX,IAAIvC,SAAyB;AAC3B,WAAO,KAAKwC;EACd;EAEiBC;EACAC;EACAC;EACAH;EAEjB,YAAYI,MAA8G;AACxH,UAAM,EAAEC,OAAO1D,KAAI,IAAKyD;AACxB,SAAKF,SAASG;AACdC,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAY,CAAA;AACrDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAc,CAAA;AACvDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAwB,CAAA;AAEjE,SAAKJ,QAAQxD;AACb,SAAKsD,WAAWG,KAAKI,eAAeC;AACpC,SAAKT,UAAUS,SAAQC,OAAM;AAC7B,UAAMC,WAAWhE,MAAMiE,mBAAmB;MAAC;MAAS;MAAU;MAAY;;AAC1E5D,YAAQC,IAAI,4BAA4B;AAExC,QAAI0D,SAASE,SAAS,OAAA,GAAU;AAC9BtD,uBAAiB,KAAKC,QAAQb,MAAMmE,cAAcC,QAAAA;AAClDrC,+BAAyB,KAAKlB,QAAQb,MAAMmE,cAAcC,QAAAA;IAC5D;AACA,QAAIJ,SAASE,SAAS,QAAA,GAAW;AAC/B/B,wBAAkB,KAAKtB,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcE,SAAAA;AAChE9B,gCAA0B,KAAK1B,QAAQb,MAAMmE,cAAcE,SAAAA;IAC7D;AACA,QAAIL,SAASE,SAAS,UAAA,GAAa;AACjC,UAAIlE,KAAKmE,cAAcG,eAAexC,QAAW;AAC/C,cAAMZ,MAAM,6EAAA;MACd;AACA4B,yBAAmB,KAAKjC,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcG,UAAAA;IACnE;AACA,QAAIN,SAASE,SAAS,oBAAA,GAAuB;AAC3Cf,mCAA6B,KAAKtC,QAAQb,MAAMmE,cAAcI,oBAAAA;IAChE;AACA,SAAKjB,SAASkB,IAAIxE,MAAMmE,cAAcM,YAAY,IAAI,KAAK5D,MAAM;EACnE;EAEA,IAAI6C,QAAiC;AACnC,WAAO,KAAKH;EACd;EAEA,IAAIvD,OAAwC;AAC1C,WAAO,KAAKwD;EACd;EAEA,IAAIM,UAAmB;AACrB,WAAO,KAAKR;EACd;AACF;","names":["passport","EntraIDAuth","strategy","options","init","withOptions","passReqToCallback","connectPassport","_options","Error","then","entraID","passport","use","BearerStrategy","token","cb","catch","reason","console","log","passport","OIDCBearerAuth","strategy","options","init","withIssuer","issuer","withAudience","audience","withJwksUri","jwksUri","withAlgorithms","algorithms","withOptions","connectPassport","Promise","reject","Error","discoverJwksUri","passportJwt","jwksRsa","all","Strategy","JwtStrategy","ExtractJwt","passportJwtSecret","jwtOptions","jwtFromRequest","fromAuthHeaderAsBearerToken","secretOrKeyProvider","cache","rateLimit","jwksRequestsPerMinute","passport","use","payload","done","error","console","cause","wellKnownUrl","endsWith","response","fetch","ok","status","statusText","config","json","jwks_uri","passport","toString","StaticBearerAuth","strategy","providers","Map","verifyOptions","hashTokens","init","provider","MapBasedStaticBearerUserProvider","has","get","Error","set","withHashTokens","withUsers","users","addUser","user","withVerifyOptions","options","connectPassport","_provider","findUser","token","cb","getUser","then","httpBearer","passport","use","Strategy","passReqToCallback","hash","toString","sha256","catch","error","console","log","_strategy","_users","_hashedTokens","hashedTokens","find","hashToken","Array","isArray","forEach","push","getUsers","passport","sendErrorResponse","response","statusCode","message","error","msg","console","JSON","stringify","Error","stack","headersSent","startsWith","header","status","end","json","jsonErrorHandler","err","req","res","next","errorMsg","log","hasEndpointOpts","opts","endpointOpts","checkUserIsInRole","opts","req","res","next","roles","length","Array","isArray","user","status","end","hasRole","find","role","toLowerCase","checkAuthenticationImpl","defaultCallback","err","_info","_status","message","console","log","JSON","stringify","statusCode","redirect","options","session","logIn","authentication","enabled","strategy","strategyOptions","authInfo","callback","useDefaultCallback","undefined","passport","authenticate","call","checkAuthorizationImpl","authorization","enforcer","requireUserInRoles","permitted","enforceSync","resource","operation","checkAuthenticationOnly","checkAuthorizationOnly","isUserNotAuthenticated","isUserAuthenticated","sendErrorResponse","checkAuth","handlers","push","copyGlobalAuthToEndpoint","args","key","hasEndpointOpts","endpointOpts","globalAuth","disableGlobalAuth","endpoint","copyGlobalAuthToEndpoints","keys","forEach","bodyParser","cors","express","expressSession","createHttpTerminator","morgan","passport","env","key","prefix","undefined","process","trim","ExpressBuilder","existingExpress","hostnameOrIP","port","_handlers","listenCallback","_startListen","undefined","envVarPrefix","_corsConfigurer","_sessionOpts","_usePassportAuth","_passportInitOpts","_userIsInRole","_enforcer","_server","_terminator","_morgan","opts","withExpress","fromExistingExpress","fromServerOpts","builder","withEnableListenOpts","hostname","startOnBuild","startListening","enableListen","withMorganLogging","existingMorgan","format","options","Error","morgan","callback","withPort","withHostname","withListenCallback","withCorsConfigurer","configurer","withPassportAuth","usePassport","initializeOptions","withGlobalUserIsInRole","userIsInRole","withEnforcer","enforcer","express","listen","getPort","getHostname","createHttpTerminator","server","terminator","env","setHandlers","handlers","Array","isArray","push","addHandler","handler","withSessionOptions","sessionOpts","build","buildExpress","started","start","doNotStartListening","console","log","disableErrorHandler","use","jsonErrorHandler","stop","term","terminate","then","app","store","expressSession","MemoryStore","passport","initialize","session","checkUserIsInRole","roles","configure","length","bodyParser","urlencoded","extended","json","limit","ExpressCorsConfigurer","_disableCors","_enablePreflightOptions","_allowOrigin","_allowMethods","_allowedHeaders","_allowCredentials","_express","_envVarPrefix","args","allowOrigin","value","disableCors","allowMethods","allowedHeaders","allowCredentials","disableCorsEnv","corsDisabled","test","envAllowOriginStr","envAllowOrigin","includes","split","corsOptions","origin","methods","credentials","optionsSuccessStatus","cors","express","Issuer","passport","PREFIX","process","env","oidcDiscoverIssuer","opts","issuerUrl","issuer","Issuer","discover","console","log","metadata","oidcGetClient","Client","jwks","options","getLoginEndpoint","router","enabled","strategy","endpoint","authentication","Error","path","get","req","res","next","redirectPage","session","passport","authenticate","strategyOptions","keepSessionInfo","undefined","getLoginCallbackEndpoint","user","name","redirect","getLogoutEndpoint","client","endSessionUrl","error","getLogoutCallbackEndpoint","logout","err","JSON","stringify","e","sendErrorResponse","getIdTokenEndpoint","isUserAuthenticated","tokens","id_token","json","getAuthenticatedUserEndpoint","OpenIDConnectAuthApi","_router","_express","_agent","_opts","args","agent","copyGlobalAuthToEndpoints","keys","expressSupport","express","Router","features","enabledFeatures","includes","endpointOpts","getLogin","getLogout","getIdToken","getAuthenticatedUser","use","basePath"]}
1
+ {"version":3,"sources":["../src/entra-id-auth.ts","../src/oidc-bearer-auth.ts","../src/static-bearer-auth.ts","../src/auth-utils.ts","../src/express-utils.ts","../src/types.ts","../src/express-builders.ts","../src/functions.ts","../src/openid-connect-rp.ts"],"sourcesContent":["import passport from 'passport'\nimport { IBearerStrategyOption, IBearerStrategyOptionWithRequest, ITokenPayload, VerifyCallback } from './types'\n\nexport class EntraIDAuth {\n private readonly strategy: string\n private options?: IBearerStrategyOptionWithRequest\n\n public static init(strategy: string) {\n return new EntraIDAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withOptions(options: IBearerStrategyOption | IBearerStrategyOptionWithRequest): this {\n this.options = {\n ...options,\n passReqToCallback: 'passReqToCallback' in options ? options.passReqToCallback : false,\n }\n return this\n }\n\n connectPassport() {\n const _options = this.options\n if (!_options) {\n throw Error('No options supplied for EntraID')\n }\n import('passport-azure-ad')\n .then((entraID) =>\n passport.use(\n this.strategy,\n new entraID.BearerStrategy(_options, function (token: ITokenPayload, cb: VerifyCallback): void {\n if (token) {\n // console.log(`token: ${JSON.stringify(token, null, 2)}`)\n return cb(null, token)\n }\n return cb('bearer token not found or incorrect', null)\n }),\n ),\n )\n .catch((reason) => {\n console.log(reason)\n throw Error('Could not create bearer strategy. Did you include the \"passport-azure-ad/bearer-strategy\" dependency in package.json?')\n })\n }\n}\n","import passport from 'passport'\n\nexport type OIDCAlgorithm = 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512' | 'PS256' | 'PS384' | 'PS512'\n\nexport interface IOIDCBearerOptions {\n issuer: string\n audience?: string | string[]\n jwksUri?: string\n algorithms?: OIDCAlgorithm[]\n}\n\nexport interface IOIDCTokenPayload {\n /** Issuer identifier */\n iss?: string\n /** Subject identifier */\n sub?: string\n /** Audience(s) */\n aud?: string | string[]\n /** Expiration time */\n exp?: number\n /** Not before */\n nbf?: number\n /** Issued at */\n iat?: number\n /** JWT ID */\n jti?: string\n /** Authorized party */\n azp?: string\n /** Scope */\n scope?: string\n /** Client ID */\n client_id?: string\n /** Additional claims */\n [key: string]: unknown\n}\n\nexport class OIDCBearerAuth {\n private readonly strategy: string\n private options: Partial<IOIDCBearerOptions> = {}\n\n public static init(strategy: string) {\n return new OIDCBearerAuth(strategy)\n }\n\n private constructor(strategy: string) {\n this.strategy = strategy\n }\n\n public withIssuer(issuer: string): this {\n this.options = { ...this.options, issuer }\n return this\n }\n\n public withAudience(audience: string | string[]): this {\n this.options = { ...this.options, audience }\n return this\n }\n\n public withJwksUri(jwksUri: string): this {\n this.options = { ...this.options, jwksUri }\n return this\n }\n\n public withAlgorithms(algorithms: OIDCAlgorithm[]): this {\n this.options = { ...this.options, algorithms }\n return this\n }\n\n public withOptions(options: Partial<IOIDCBearerOptions>): this {\n this.options = { ...this.options, ...options }\n return this\n }\n\n async connectPassport(): Promise<void> {\n const { issuer, audience, algorithms } = this.options\n\n if (!issuer) {\n return Promise.reject(new Error('No issuer supplied for OIDC Bearer Auth'))\n }\n\n let jwksUri = this.options.jwksUri\n if (!jwksUri) {\n jwksUri = await this.discoverJwksUri(issuer)\n }\n\n try {\n const [passportJwt, jwksRsa] = await Promise.all([import('passport-jwt'), import('jwks-rsa')])\n\n const { Strategy: JwtStrategy, ExtractJwt } = passportJwt\n const { passportJwtSecret } = jwksRsa\n\n const jwtOptions = {\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n secretOrKeyProvider: passportJwtSecret({\n cache: true,\n rateLimit: true,\n jwksRequestsPerMinute: 5,\n jwksUri,\n }),\n issuer,\n audience,\n algorithms: algorithms ?? (['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'] as OIDCAlgorithm[]),\n }\n\n passport.use(\n this.strategy,\n new JwtStrategy(jwtOptions, (payload: IOIDCTokenPayload, done: (error: any, user?: any, info?: any) => void) => {\n if (payload) {\n return done(null, payload)\n }\n return done('Bearer token not found or incorrect', null)\n })\n )\n } catch (error) {\n console.error('Failed to initialize OIDC Bearer Auth:', error)\n return Promise.reject(\n new Error(\n 'Could not create JWT bearer strategy. Did you include \"passport-jwt\" and \"jwks-rsa\" dependencies in package.json?',\n { cause: error }\n )\n )\n }\n }\n\n private async discoverJwksUri(issuer: string): Promise<string> {\n const wellKnownUrl = `${issuer}${issuer.endsWith('/') ? '' : '/'}.well-known/openid-configuration`\n\n try {\n const response = await fetch(wellKnownUrl)\n if (!response.ok) {\n return Promise.reject(\n new Error(`Failed to fetch OIDC configuration from ${wellKnownUrl}: ${response.status} ${response.statusText}`)\n )\n }\n\n const config = (await response.json()) as { jwks_uri?: string }\n if (!config.jwks_uri) {\n return Promise.reject(new Error(`OIDC configuration at ${wellKnownUrl} does not contain jwks_uri`))\n }\n\n return config.jwks_uri\n } catch (error) {\n return Promise.reject(\n new Error(`Failed to discover JWKS URI from OIDC configuration at ${wellKnownUrl}`, { cause: error })\n )\n }\n }\n}\n","import passport from 'passport'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { BearerUser, IStaticBearerVerifyOptions } from './types'\n\nexport class StaticBearerAuth {\n private readonly strategy: string\n private static providers: Map<string, StaticBearerUserProvider> = new Map()\n private static verifyOptions: Map<string, IStaticBearerVerifyOptions | string> = new Map()\n private hashTokens?: boolean = false\n\n public static init(strategy: string, provider?: StaticBearerUserProvider) {\n return new StaticBearerAuth(strategy ?? 'bearer', provider ?? new MapBasedStaticBearerUserProvider(strategy))\n }\n\n private constructor(strategy: string, provider: StaticBearerUserProvider) {\n this.strategy = strategy\n if (StaticBearerAuth.providers.has(strategy)) {\n if (StaticBearerAuth.providers.get(strategy) !== provider) {\n throw Error('Cannot register another user provider for strategy: ' + strategy)\n }\n } else {\n StaticBearerAuth.providers.set(strategy, provider)\n }\n }\n\n get provider() {\n const provider = StaticBearerAuth.providers.get(this.strategy)\n if (!provider) {\n throw Error('Could not get user provider for ' + this.strategy)\n }\n return provider\n }\n\n withHashTokens(hashTokens: boolean): this {\n this.hashTokens = hashTokens\n return this\n }\n\n withUsers(users: BearerUser[] | BearerUser): this {\n this.addUser(users)\n return this\n }\n\n addUser(user: BearerUser[] | BearerUser): this {\n this.provider.addUser(user)\n return this\n }\n\n withVerifyOptions(options: IStaticBearerVerifyOptions | string): this {\n StaticBearerAuth.verifyOptions.set(this.strategy, options)\n return this\n }\n\n connectPassport() {\n const _provider = this.provider\n function findUser(token: string, cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void) {\n const user = _provider.getUser(token)\n if (user) {\n return cb(null, user)\n }\n return cb('bearer token not found or incorrect', false)\n }\n\n import('passport-http-bearer')\n .then((httpBearer) => {\n const hashTokens = this.hashTokens ?? false\n passport.use(\n this.strategy,\n new httpBearer.Strategy({ passReqToCallback: false }, function (\n token: string,\n cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void,\n ): void {\n if (hashTokens) {\n import('@noble/hashes/sha256')\n .then((hash) => {\n findUser(toString(hash.sha256(token)), cb)\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n } else {\n findUser(token, cb)\n }\n }),\n )\n })\n .catch((error) => {\n console.log(`passport-http-bearer package problem: ${error}`)\n throw Error('Did you include passport-http-bearer in package.json?')\n })\n }\n}\n\nexport interface StaticBearerUserProvider {\n strategy: string\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void\n\n getUser(token: string): BearerUser | undefined\n\n hashedTokens?: boolean\n}\n\nexport class MapBasedStaticBearerUserProvider implements StaticBearerUserProvider {\n private readonly _strategy: string\n private readonly _users: BearerUser[] = []\n private readonly _hashedTokens: boolean\n\n constructor(strategy: string, hashedTokens?: boolean) {\n this._strategy = strategy\n this._hashedTokens = hashedTokens ?? false\n }\n\n get users(): BearerUser[] {\n return this._users\n }\n\n get hashedTokens(): boolean {\n return this._hashedTokens\n }\n\n get strategy(): string {\n return this._strategy\n }\n\n getUser(token: string): BearerUser | undefined {\n return this.users.find((user) => user.token === token)\n }\n\n addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void {\n const users = Array.isArray(user) ? user : [user]\n if (hashToken) {\n if (!this.hashedTokens) {\n throw Error('Cannot hash token, when hashed tokens is not enabled on the user provider for strategy ' + this.strategy)\n }\n import('@noble/hashes/sha256')\n .then((hash) => {\n users.forEach((user) => (user.token = toString(hash.sha256(user.token))))\n })\n .catch((error) => {\n console.log(`hash problem: ${error}`)\n throw Error('Did you include @noble/hashes in package.json?')\n })\n }\n this._users.push(...users)\n }\n\n getUsers(): BearerUser[] {\n return this._users\n }\n}\n","import express, { NextFunction, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport passport from 'passport'\nimport { ParsedQs } from 'qs'\nimport { sendErrorResponse } from './express-utils'\nimport { EndpointArgs, hasEndpointOpts, HasEndpointOpts } from './types'\n\nexport const checkUserIsInRole = (opts: { roles: string | string[] }) => (req: express.Request, res: express.Response, next: NextFunction) => {\n if (!opts?.roles || opts.roles.length === 0) {\n return next()\n }\n const roles = Array.isArray(opts.roles) ? opts.roles : [opts.roles]\n if (!req?.user || !('role' in req.user)) {\n return res.status(401).end()\n }\n\n // @ts-ignore\n const hasRole = roles.find((role) => req.user.role.toLowerCase() === role.toLowerCase())\n if (!hasRole) {\n return res.status(403).end()\n }\n\n return next()\n}\n\nconst checkAuthenticationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n const defaultCallback = (\n err: any,\n user?: Express.User | false | null,\n _info?: object | string | Array<string | undefined>,\n _status?: number | Array<number | undefined>,\n ) => {\n if (err) {\n const message = 'message' in err ? err.message : err\n console.log('Authentication failed, error: ' + JSON.stringify(message))\n return next({ statusCode: 403, message })\n } else if (!user) {\n console.log('Authentication failed, no user object present in request. Redirecting to /login')\n // todo: configuration option\n return res.redirect('/authentication/login')\n }\n if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n })\n }\n /* /!*if (options.session) {\n req.logIn(user, function (err) {\n if (err) {\n return next(err)\n }\n return res.redirect('/')\n })\n }*!/*/\n return next()\n }\n\n if (!opts || !opts.authentication || opts.authentication.enabled === false) {\n return next()\n }\n if (!opts.authentication.strategy) {\n console.log(`Authentication enabled, but no strategy configured. All auth request will be denied!`)\n return res.status(401).end()\n }\n const options = {\n ...opts?.authentication?.strategyOptions,\n authInfo: opts?.authentication?.authInfo !== false,\n session: opts?.authentication?.session !== false,\n }\n\n const callback = opts?.authentication?.callback ?? (opts?.authentication?.useDefaultCallback ? defaultCallback : undefined)\n\n passport.authenticate(opts.authentication.strategy, options, callback).call(this, req, res, next)\n}\nconst checkAuthorizationImpl = (req: express.Request, res: express.Response, next: express.NextFunction, opts?: EndpointArgs) => {\n if (!opts || !opts.authentication || !opts.authorization || opts.authentication.enabled === false || opts?.authorization.enabled === false) {\n return next()\n }\n /*if (!req.isAuthenticated()) {\n return sendErrorResponse(res, 403, 'Authorization with an unauthenticated request is not possible')\n }*/\n const authorization = opts.authorization\n\n if (!authorization.enforcer && (!authorization.requireUserInRoles || authorization.requireUserInRoles.length === 0)) {\n console.log(`Authorization enabled for endpoint, but no enforcer or roles supplied`)\n return res.status(401).end()\n }\n if (authorization.requireUserInRoles && authorization.requireUserInRoles.length > 0) {\n checkUserIsInRole({ roles: authorization.requireUserInRoles })\n }\n if (authorization.enforcer) {\n const enforcer = authorization.enforcer\n const permitted = enforcer.enforceSync(req.user, opts.resource, opts.operation)\n if (!permitted) {\n console.log(`Access to ${opts.resource} and op ${opts.operation} not allowed for ${req.user}`)\n return res.status(403).end()\n }\n }\n return next()\n}\n\nexport const checkAuthenticationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthenticationImpl(req, res, next, opts)\n}\n\nexport const checkAuthorizationOnly = (opts?: EndpointArgs) => (req: express.Request, res: express.Response, next: express.NextFunction) => {\n // executeRequestHandlers(req, res, next, opts)\n return checkAuthorizationImpl(req, res, next, opts)\n}\n\nexport const isUserNotAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n next()\n }\n}\n\nexport const isUserAuthenticated = (req: express.Request, res: express.Response, next: express.NextFunction) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n } else {\n return next()\n }\n}\n\nexport const checkAuth = (opts?: EndpointArgs): RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] => {\n const handlers: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[] = []\n handlers.push(checkAuthenticationOnly(opts))\n handlers.push(checkAuthorizationOnly(opts))\n opts?.handlers && handlers.push(...opts.handlers)\n return handlers\n}\n\nexport function copyGlobalAuthToEndpoint(args?: { opts?: HasEndpointOpts; key: string }) {\n const opts = args?.opts\n const key = args?.key\n if (!opts || !key || !hasEndpointOpts(opts)) {\n return\n }\n if (key === 'basePath') {\n // make sure to not copy base path over, as we use these at the global router, and this would repeat the path\n return\n }\n if (opts.endpointOpts?.globalAuth) {\n if (opts.endpointOpts[key]?.disableGlobalAuth === true) {\n return\n }\n opts.endpointOpts[key] = {\n ...opts.endpointOpts[key],\n endpoint: { ...opts.endpointOpts.globalAuth, ...opts.endpointOpts[key]?.endpoint },\n }\n }\n}\n\nexport function copyGlobalAuthToEndpoints(args?: { opts?: HasEndpointOpts; keys: string[] }) {\n args?.keys.forEach((key) => copyGlobalAuthToEndpoint({ opts: args?.opts, key }))\n}\n","import express, { NextFunction } from 'express'\n\nexport function sendErrorResponse(response: express.Response, statusCode: number, message: string | object, error?: any) {\n let msg = message\n if (!msg) {\n console.error('Message was null when calling sendErrorResponse. This should not happen')\n msg = 'An unexpected error occurred'\n statusCode = 500\n } else {\n console.error(`sendErrorResponse (${statusCode}): ${typeof msg === 'string' ? msg : JSON.stringify(msg)}`)\n }\n if (error) {\n if (error instanceof Error) {\n console.error(`error message: ${error.message}`)\n }\n console.error(`error object: ${JSON.stringify(error)}`)\n }\n if (statusCode >= 500) {\n console.error('Original error stack (if any) and REST API error stack:')\n console.error(error?.stack)\n console.error(Error().stack)\n }\n if (response.headersSent) {\n console.error(`sendErrorResponse headers already sent`)\n return response\n }\n response.statusCode = statusCode\n if (typeof msg === 'string' && !msg.startsWith('{')) {\n msg = { error: msg }\n }\n if (typeof msg === 'string' && msg.startsWith('{')) {\n response.header('Content-Type', 'application/json')\n return response.status(statusCode).end(msg)\n }\n return response.status(statusCode).json(msg)\n}\n\nexport const jsonErrorHandler = (err: any, req: express.Request, res: express.Response, next: NextFunction) => {\n const statusCode: number = 'statusCode' in err ? err.statusCode : 500\n let errorMsg = typeof err === 'string' ? err : (err.message ?? err)\n if (typeof errorMsg !== 'string') {\n errorMsg = JSON.stringify(errorMsg)\n }\n if (res.headersSent) {\n console.log('Headers already sent, when calling error handler. Will defer to next error handler')\n console.log(`Error was: ${JSON.stringify(err)}`)\n return next(err)\n }\n return sendErrorResponse(res, statusCode, errorMsg, err)\n}\n","import { Enforcer } from 'casbin'\nimport { Express, RequestHandler } from 'express'\nimport { ParamsDictionary } from 'express-serve-static-core'\nimport http from 'http'\nimport { HttpTerminator } from 'http-terminator'\nimport { AuthenticateCallback, Strategy } from 'passport'\nimport { ParsedQs } from 'qs'\n\nexport interface IExpressServerOpts {\n port?: number // The port to listen on\n cookieSigningKey?: string\n hostname?: string // defaults to \"0.0.0.0\", meaning it will listen on all IP addresses. Can be an IP address or hostname\n basePath?: string\n existingExpress?: Express\n listenCallback?: () => void\n startListening?: boolean\n maxRequestBodySize?: string\n // externalBaseUrl?: string // In case an external base URL needs to be exposed\n}\n\nexport function hasEndpointOpts(opts: any) {\n return 'endpointOpts' in opts && opts.endpointOpts\n}\n\nexport type HasEndpointOpts = { endpointOpts?: IEndpointOpts & SingleEndpoints } & Record<string, any>\n\nexport type SingleEndpoints = Record<string, ISingleEndpointOpts | any>\nexport interface IEndpointOpts {\n basePath?: string // The base path used to construct the router\n baseUrl?: string | URL // Typically the external base URL\n globalAuth?: GenericAuthArgs\n}\nexport interface ExpressSupport {\n express: Express\n port: number\n hostname: string\n userIsInRole?: string | string[]\n startListening: boolean\n server?: http.Server\n enforcer?: Enforcer\n start: (opts?: { disableErrorHandler?: boolean; doNotStartListening?: boolean }) => { server: http.Server; terminator: HttpTerminator }\n stop: (terminator?: HttpTerminator) => Promise<boolean>\n}\n\nexport interface ISingleEndpointOpts extends GenericAuthArgs {\n endpoint?: EndpointArgs\n enabled?: boolean\n path?: string\n disableGlobalAuth?: boolean\n}\n\nexport interface GenericAuthArgs {\n authentication?: {\n callback?: AuthenticateCallback | ((...args: any[]) => any)\n useDefaultCallback?: boolean\n enabled?: boolean\n strategy?: string | string[] | Strategy\n strategyOptions?: Record<string, any> | any\n authInfo?: boolean\n session?: boolean\n }\n authorization?: {\n enabled?: boolean\n requireUserInRoles?: string | string[]\n enforcer?: Enforcer\n }\n}\n\nexport interface EndpointArgs extends GenericAuthArgs {\n resource?: string\n operation?: string\n handlers?: RequestHandler<ParamsDictionary, any, any, ParsedQs, Record<string, any>>[]\n}\n\nexport interface BearerUser extends Express.User {\n id: string | number\n name?: string\n token: string\n}\n\nexport interface IStaticBearerVerifyOptions {\n message?: string | undefined\n scope: string | Array<string>\n}\n\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface ITokenPayload {\n /** An App ID URI. Identifies the intended recipient of the token. */\n aud?: string | undefined\n /** A security token service(STS) URI. Identifies the STS that constructs and returns the token,\n * and the Azure AD tenant in which the user was authenticated.*/\n iss?: string | undefined\n /** The identity provider that authenticated the subject of the token*/\n idp?: string | undefined\n /** \"Issued At\" indicates when the authentication for this token occurred. */\n iat?: number | undefined\n /** The \"nbf\" (not before) claim identifies the time before which the JWT must not be accepted for processing. */\n nbf?: number | undefined\n /** The \"exp\" (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. */\n exp?: number | undefined\n /** An internal claim used by Azure AD to record data for token reuse. */\n aio?: string | undefined\n /** Only present in v1.0 tokens. The \"Authentication context class\" claim. A value of \"0\" indicates the end-user authentication did not meet the requirements of ISO/IEC 29115. */\n acr?: '0' | '1' | undefined\n /** Only present in v1.0 tokens. Identifies how the subject of the token was authenticated. */\n amr?: string[] | undefined\n /** Only present in v1.0 tokens. GUID represents the application ID of the client using the token. */\n appid?: string | undefined\n /** Only present in v2.0 tokens. The application ID of the client using the token. */\n azp?: string | undefined\n /** Only present in v1.0 tokens. Indicates how the client was authenticated. For a public client, the value is \"0\".\n * If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n appidacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. Indicates how the client was authenticated.\n * For a public client, the value is \"0\". If client ID and client secret are used, the value is \"1\". If a client certificate was used for authentication, the value is \"2\". */\n azpacr?: '0' | '1' | '2' | undefined\n /** Only present in v2.0 tokens. The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format */\n preferred_username?: string | undefined\n /** Provides a human-readable value that identifies the subject of the token.\n * The value is not guaranteed to be unique, it is mutable, and it's designed to be used only for display purposes. The profile scope is required in order to receive this claim. */\n name?: string | undefined\n /** The set of scopes exposed by your application for which the client application has requested (and received) consent. */\n scp?: string | undefined\n /** The set of permissions exposed by your application that the requesting application has been given permission to call. */\n roles?: string[] | undefined\n /** Provides object IDs that represent the subject's group memberships. */\n groups?: string | string[] | undefined\n /** Denoting the user is in at least one group. */\n hasgroups?: true | undefined\n /** The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused.\n * It can be used to perform authorization checks safely, such as when the token is used to access a resource,\n * and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues,\n * we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. */\n sub?: string | undefined\n /** GUID represents a user. This ID uniquely identifies the user across applications. */\n oid?: string | undefined\n /** Represents the Azure AD tenant that the user is from. */\n tid?: string | undefined\n /** Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. */\n unique_name?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n uti?: string | undefined\n /** An internal claim used by Azure to revalidate tokens. */\n rh?: string | undefined\n /** Indicates the version of the access token. */\n ver?: '1.0' | '2.0' | undefined\n\n /** v1.0 basic claims */\n\n /** The IP address the user authenticated from. */\n ipaddr?: string | undefined\n /** In cases where the user has an on-premises authentication, this claim provides their SID. */\n onprem_sid?: string | undefined\n /** Indicates when the user's password expires. */\n pwd_exp?: number | undefined\n /** A URL where users can be sent to reset their password. */\n pwd_url?: string | undefined\n /** Signals if the client is logging in from the corporate network. If they aren't, the claim isn't included. */\n in_corp?: string | undefined\n /** An additional name for the user, separate from first or last name */\n nickname?: string | undefined\n /** Provides the last name, surname, or family name of the user as defined on the user object. */\n family_name?: string | undefined\n /** Provides the first or given name of the user, as set on the user object. */\n given_name?: string | undefined\n /** The username of the user. May be a phone number, email address, or unformatted string. */\n upn?: string | undefined\n}\nexport interface IBaseStrategyOption {\n identityMetadata: string\n clientID: string\n isB2C?: boolean | undefined\n validateIssuer?: boolean | undefined\n issuer?: string | string[] | undefined\n loggingLevel?: 'info' | 'warn' | 'error' | undefined\n loggingNoPII?: boolean | undefined\n clockSkew?: number | undefined\n}\n\nexport interface IBearerStrategyOption extends IBaseStrategyOption {\n audience?: string | string[] | undefined\n policyName?: String | undefined\n allowMultiAudiencesInToken?: boolean | undefined\n scope?: string[] | undefined\n}\n\nexport interface IBearerStrategyOptionWithRequest extends IBearerStrategyOption {\n passReqToCallback: boolean\n}\nexport type VerifyBearerFunction = (token: ITokenPayload, done: VerifyCallback) => void\nexport interface VerifyCallback {\n (error: any, user?: any, info?: any): void\n}\n","/**\n * @public\n */\nimport bodyParser from 'body-parser'\nimport { Enforcer } from 'casbin'\nimport cors, { CorsOptions } from 'cors'\n\nimport express, { Express } from 'express'\nimport { Application, ApplicationRequestHandler } from 'express-serve-static-core'\nimport expressSession from 'express-session'\nimport session from 'express-session'\nimport http from 'http'\nimport { createHttpTerminator, HttpTerminator } from 'http-terminator'\nimport morgan from 'morgan'\nimport passport, { InitializeOptions } from 'passport'\nimport { checkUserIsInRole } from './auth-utils'\nimport { jsonErrorHandler } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, IExpressServerOpts } from './types'\n\ntype Handler<Request extends http.IncomingMessage, Response extends http.ServerResponse> = (\n req: Request,\n res: Response,\n callback: (err?: Error) => void,\n) => void\n\nconst DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE = '5mb'\n\nexport class ExpressBuilder {\n private existingExpress?: Express\n private hostnameOrIP?: string\n private port?: number\n private _handlers?: ApplicationRequestHandler<Application>[] = []\n private listenCallback?: () => void\n private _startListen?: boolean | undefined = undefined\n private readonly envVarPrefix?: string\n private _corsConfigurer?: ExpressCorsConfigurer\n private _sessionOpts?: session.SessionOptions\n private _usePassportAuth?: boolean = false\n private _passportInitOpts?: InitializeOptions\n private _userIsInRole?: string | string[]\n private _enforcer?: Enforcer\n private _server?: http.Server | undefined\n private _terminator?: HttpTerminator\n private _morgan?: Handler<any, any> | undefined\n private _maxRequestBodySize?: string\n\n private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = opts ?? {}\n if (existingExpress) {\n this.withExpress(existingExpress)\n }\n this.envVarPrefix = envVarPrefix ?? ''\n }\n\n public static fromExistingExpress(opts?: { existingExpress?: Express; envVarPrefix?: string }) {\n return new ExpressBuilder(opts ?? {})\n }\n\n public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {\n const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })\n if (opts.maxRequestBodySize) {\n builder.withMaxRequestBodySize(opts.maxRequestBodySize)\n }\n return builder.withEnableListenOpts({ ...opts, hostnameOrIP: opts.hostname, startOnBuild: opts.startListening ?? false })\n }\n\n public enableListen(startOnBuild?: boolean): this {\n if (startOnBuild !== undefined) {\n this._startListen = startOnBuild\n }\n return this\n }\n\n public withMorganLogging(opts?: { existingMorgan?: Handler<any, any>; format?: string; options?: morgan.Options<any, any> }): this {\n if (opts?.existingMorgan && (opts.format || opts.options)) {\n throw Error('Cannot using an existing morgan with either a format or options')\n }\n this._morgan = opts?.existingMorgan ?? morgan(opts?.format ?? 'dev', opts?.options)\n return this\n }\n\n public withEnableListenOpts({\n port,\n hostnameOrIP,\n callback,\n startOnBuild,\n }: {\n port?: number\n hostnameOrIP?: string\n startOnBuild?: boolean\n callback?: () => void\n }): this {\n port && this.withPort(port)\n hostnameOrIP && this.withHostname(hostnameOrIP)\n if (typeof callback === 'function') {\n this.withListenCallback(callback)\n }\n this._startListen = startOnBuild === true\n return this\n }\n\n public withPort(port: number): this {\n this.port = port\n return this\n }\n\n public withHostname(hostnameOrIP: string): this {\n this.hostnameOrIP = hostnameOrIP\n return this\n }\n\n public withListenCallback(callback: () => void): this {\n this.listenCallback = callback\n return this\n }\n\n public withExpress(existingExpress: Express): this {\n this.existingExpress = existingExpress\n this._startListen = false\n return this\n }\n\n public withCorsConfigurer(configurer: ExpressCorsConfigurer): this {\n this._corsConfigurer = configurer\n return this\n }\n\n public withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this {\n this._usePassportAuth = usePassport\n this._passportInitOpts = initializeOptions\n return this\n }\n\n public withGlobalUserIsInRole(userIsInRole: string | string[]): this {\n this._userIsInRole = userIsInRole\n return this\n }\n\n public withEnforcer(enforcer: Enforcer): this {\n this._enforcer = enforcer\n return this\n }\n\n public withMaxRequestBodySize(limit: string): this {\n this._maxRequestBodySize = limit\n return this\n }\n\n public startListening(express: Express) {\n this._server = express.listen(this.getPort(), this.getHostname(), this.listenCallback)\n this._terminator = createHttpTerminator({\n server: this._server,\n // gracefulTerminationTimeout: 10\n })\n\n return { server: this._server, terminator: this._terminator }\n }\n\n public getHostname(): string {\n return this.hostnameOrIP ?? env('HOSTNAME', this.envVarPrefix) ?? '0.0.0.0'\n }\n\n public getPort(): number {\n return (this.port ?? env('PORT', this.envVarPrefix) ?? 5000) as number\n }\n\n public setHandlers(handlers: ApplicationRequestHandler<any> | ApplicationRequestHandler<any>[]): this {\n if (Array.isArray(handlers)) {\n this._handlers = handlers\n } else if (handlers) {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handlers)\n } else {\n this._handlers = []\n }\n\n return this\n }\n\n public addHandler(handler: ApplicationRequestHandler<any>): this {\n if (!this._handlers) {\n this._handlers = []\n }\n this._handlers.push(handler)\n return this\n }\n\n public withSessionOptions(sessionOpts: session.SessionOptions): this {\n this._sessionOpts = sessionOpts\n return this\n }\n\n public build<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): ExpressSupport {\n const express = this.buildExpress(opts)\n const startListening = opts?.startListening === undefined ? this._startListen !== true : opts.startListening\n let started = this._server !== undefined\n if (startListening && !started) {\n this.startListening(express)\n started = true\n }\n\n return {\n express,\n port: this.getPort(),\n hostname: this.getHostname(),\n userIsInRole: this._userIsInRole,\n startListening,\n enforcer: this._enforcer,\n start: (opts) => {\n if (opts?.doNotStartListening) {\n console.log('Express will not start listening. You will have to start it yourself')\n } else {\n if (!started) {\n this.startListening(express)\n started = true\n }\n }\n\n if (opts?.disableErrorHandler !== true) {\n express.use(jsonErrorHandler)\n }\n return { server: this._server!, terminator: this._terminator! }\n },\n stop: async (terminator?: HttpTerminator) => {\n const term = terminator ?? this._terminator\n if (!term) {\n return false\n }\n return await term.terminate().then(() => true)\n },\n }\n }\n\n protected buildExpress<T extends Application>(opts?: {\n express?: Express\n startListening?: boolean\n handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]\n }): express.Express {\n const app: express.Express = opts?.express ?? this.existingExpress ?? express()\n if (this._morgan) {\n app.use(this._morgan)\n }\n if (this._sessionOpts) {\n const store = this._sessionOpts.store ?? new expressSession.MemoryStore()\n this._sessionOpts.store = store\n app.use(expressSession(this._sessionOpts))\n }\n if (this._usePassportAuth) {\n app.use(passport.initialize(this._passportInitOpts))\n if (this._sessionOpts) {\n // app.use(passport.authenticate('session'))\n //_sessionOpts are not for passport session, they are for express above\n app.use(passport.session())\n }\n }\n if (this._userIsInRole) {\n app.use(checkUserIsInRole({ roles: this._userIsInRole }))\n }\n if (this._corsConfigurer) {\n this._corsConfigurer.configure({ existingExpress: app })\n }\n\n // @ts-ignore\n this._handlers && this._handlers.length > 0 && app.use(this._handlers)\n // @ts-ignore\n opts?.handlers && app.use(opts.handlers)\n //fixme: this should come from the config\n const limit = this._maxRequestBodySize ?? DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE\n app.use(bodyParser.urlencoded({ extended: true, limit }))\n app.use(bodyParser.json({ limit }))\n return app\n }\n}\n\nexport class ExpressCorsConfigurer {\n private _disableCors?: boolean\n private _enablePreflightOptions?: boolean\n private _allowOrigin?: boolean | string | RegExp | Array<boolean | string | RegExp>\n private _allowMethods?: string | string[]\n private _allowedHeaders?: string | string[]\n private _allowCredentials?: boolean\n private readonly _express?: Express\n private readonly _envVarPrefix?: string\n\n constructor(args?: { existingExpress?: Express; envVarPrefix?: string }) {\n const { existingExpress, envVarPrefix } = args ?? {}\n this._express = existingExpress\n this._envVarPrefix = envVarPrefix\n }\n\n public allowOrigin(value: string | boolean | RegExp | Array<string | boolean | RegExp>): this {\n this._allowOrigin = value\n return this\n }\n\n public disableCors(value: boolean): this {\n this._disableCors = value\n return this\n }\n\n public allowMethods(value: string | string[]): this {\n this._allowMethods = value\n return this\n }\n\n public allowedHeaders(value: string | string[]): this {\n this._allowedHeaders = value\n return this\n }\n\n public allowCredentials(value: boolean): this {\n this._allowCredentials = value\n return this\n }\n\n public configure({ existingExpress }: { existingExpress?: Express }) {\n const express = existingExpress ?? this._express\n if (!express) {\n throw Error('No express passed in during construction or configure')\n }\n\n const disableCorsEnv = env('CORS_DISABLE', this._envVarPrefix)\n const corsDisabled = this._disableCors ?? (disableCorsEnv ? /true/.test(disableCorsEnv) : false)\n if (corsDisabled) {\n return\n }\n const envAllowOriginStr = env('CORS_ALLOW_ORIGIN', this._envVarPrefix) ?? '*'\n let envAllowOrigin: string[] | string\n if (envAllowOriginStr.includes(',')) {\n envAllowOrigin = envAllowOriginStr.split(',')\n } else if (envAllowOriginStr.includes(' ')) {\n envAllowOrigin = envAllowOriginStr.split(' ')\n } else {\n envAllowOrigin = envAllowOriginStr\n }\n if (Array.isArray(envAllowOrigin) && envAllowOrigin.length === 1) {\n envAllowOrigin = envAllowOrigin[0]\n }\n const corsOptions: CorsOptions = {\n origin: this._allowOrigin ?? envAllowOrigin,\n // todo: env vars\n ...(this._allowMethods && { methods: this._allowMethods }),\n ...(this._allowedHeaders && { allowedHeaders: this._allowedHeaders }),\n ...(this._allowCredentials !== undefined && { credentials: this._allowCredentials }),\n optionsSuccessStatus: 204,\n }\n\n if (this._enablePreflightOptions) {\n express.options('*', cors(corsOptions))\n }\n express.use(cors(corsOptions))\n }\n}\n","export function env(key?: string, prefix?: string): string | undefined {\n if (!key) {\n return undefined\n }\n return process.env[`${prefix ? prefix.trim() : ''}${key}`]\n}\n","import { TAgent } from '@veramo/core'\nimport express, { Express, NextFunction, Router } from 'express'\nimport { BaseClient, ClientMetadata, ClientOptions, Issuer } from 'openid-client'\nimport passport from 'passport'\nimport { JsonWebKey } from '@sphereon/ssi-types'\nimport { copyGlobalAuthToEndpoints, isUserAuthenticated } from './auth-utils'\nimport { sendErrorResponse } from './express-utils'\nimport { env } from './functions'\nimport { ExpressSupport, GenericAuthArgs, ISingleEndpointOpts } from './types'\n\nconst PREFIX = process.env.PREFIX ?? ''\nexport async function oidcDiscoverIssuer(opts?: { issuerUrl?: string }) {\n const issuerUrl = opts?.issuerUrl ?? env('OIDC_ISSUER', PREFIX) ?? 'https://auth01.test.sphereon.com/auth/realms/energy-shr'\n const issuer = await Issuer.discover(issuerUrl)\n console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata)\n return { issuer, issuerUrl }\n}\n\nexport async function oidcGetClient(\n issuer: Issuer<BaseClient>,\n metadata: ClientMetadata,\n opts?: {\n jwks?: { keys: JsonWebKey[] }\n options?: ClientOptions\n },\n) {\n // @ts-ignore\n return new issuer.Client(metadata, opts?.jwks, opts?.options)\n}\n\nexport function getLoginEndpoint(router: Router, opts?: ISingleEndpointOpts & { redirectUrl?: string }) {\n if (opts?.enabled === false) {\n console.log(`Login endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/login'\n router.get(\n path,\n (req: any, res: any, next: NextFunction) => {\n const redirectPage = req.get('referer') ?? '/'\n req.session.redirectPage = redirectPage\n next()\n },\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: false },\n undefined,\n ),\n )\n}\n\nexport function getLoginCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Auth callback endpoint is disabled`)\n return\n }\n const strategy = opts?.endpoint?.authentication?.strategy\n if (!strategy) {\n throw Error('strategy needs to be provided')\n }\n const path = opts?.path ?? '/authentication/callback'\n router.get(\n path,\n passport.authenticate(\n strategy,\n { ...opts.authentication?.strategyOptions, ...opts.endpoint?.authentication?.strategyOptions, keepSessionInfo: true },\n undefined,\n ),\n (req: any, res: any, next) => {\n if (req.user) {\n console.log('User authenticated', req.user?.name)\n // console.log(req.session)\n const redirectPage = req.session.redirectPage ?? '/search'\n // console.log(`PRE LOGIN PAGE in callback: ${redirectPage}`)\n delete req.session.redirectPage\n return res.redirect(redirectPage)\n } else {\n return res.redirect(env('OIDC_FRONTEND_LOGIN_URL', PREFIX) ?? 'http://localhost:3001/authentication/login')\n }\n },\n )\n}\n\nexport function getLogoutEndpoint(router: Router, client: BaseClient, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout'\n router.get(path, (req, res) => {\n try {\n if (client.endSessionUrl()) {\n return res.redirect(client.endSessionUrl())\n } else {\n console.log('IDP does not support end session url')\n return res.redirect('/authentication/logout-callback')\n }\n } catch (error) {\n console.log(error)\n return res.redirect('/authentication/logout-callback')\n }\n })\n}\n\nexport function getLogoutCallbackEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Logout callback endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/logout-callback'\n router.get(path, (req, res, next) => {\n try {\n req.logout((err) => {\n if (err) {\n console.log(`Error during calling logout-callback: ${JSON.stringify(err)}`)\n }\n })\n return res.redirect(env('OIDC_FRONTEND_LOGOUT_REDIRECT_URL', PREFIX) ?? '/')\n } catch (e) {\n return sendErrorResponse(res, 500, 'An unexpected error occurred during logout callback', e)\n }\n })\n}\n\nexport function getIdTokenEndpoint(router: Router, client: BaseClient, opts: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`ID Token endpoint is disabled`)\n return\n }\n const path = opts.path ?? '/authentication/tokens/id'\n router.get(path, isUserAuthenticated, (req: any, res: any) => {\n if (req.session.tokens.id_token) {\n return res.json({ id_token: req.session.tokens.id_token })\n } else {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n })\n}\n\nexport function getAuthenticatedUserEndpoint(router: Router, opts?: ISingleEndpointOpts) {\n if (opts?.enabled === false) {\n console.log(`Authenticated User endpoint is disabled`)\n return\n }\n const path = opts?.path ?? '/authentication/user'\n router.get(path, isUserAuthenticated, (req: any, res: any, next: any) => {\n if (!req.user) {\n return sendErrorResponse(res, 401, 'Authentication required')\n }\n let user = req.user\n return res.json(user)\n })\n}\n\nexport interface IAuthenticationOpts {\n enabledFeatures?: AuthenticationApiFeatures\n endpointOpts?: IAuthenticationEndpointOpts\n}\n\nexport interface IAuthenticationEndpointOpts {\n basePath?: string\n globalAuth?: GenericAuthArgs\n getAuthenticatedUser?: ISingleEndpointOpts\n getLogin?: ISingleEndpointOpts\n getLogout?: ISingleEndpointOpts\n getIdToken?: ISingleEndpointOpts\n}\n\nexport type AuthenticationApiFeatures = 'login' | 'logout' | 'id-token' | 'authenticated-user'\n\nexport class OpenIDConnectAuthApi {\n get router(): express.Router {\n return this._router\n }\n\n private readonly _express: Express\n private readonly _agent?: TAgent<any>\n private readonly _opts?: IAuthenticationOpts\n private readonly _router: Router\n\n constructor(args: { agent?: TAgent<any>; expressSupport: ExpressSupport; client: BaseClient; opts: IAuthenticationOpts }) {\n const { agent, opts } = args\n this._agent = agent\n copyGlobalAuthToEndpoints({ opts, keys: ['getLogin'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getIdToken'] })\n copyGlobalAuthToEndpoints({ opts, keys: ['getAuthenticatedUser'] })\n // no need for the logout, as you these are not protected by auth\n this._opts = opts\n this._express = args.expressSupport.express\n this._router = express.Router()\n const features = opts?.enabledFeatures ?? ['login', 'logout', 'id-token', 'authenticated-user']\n console.log(`Authentication API enabled`)\n\n if (features.includes('login')) {\n getLoginEndpoint(this.router, opts?.endpointOpts?.getLogin)\n getLoginCallbackEndpoint(this.router, opts?.endpointOpts?.getLogin)\n }\n if (features.includes('logout')) {\n getLogoutEndpoint(this.router, args.client, opts?.endpointOpts?.getLogout)\n getLogoutCallbackEndpoint(this.router, opts?.endpointOpts?.getLogout)\n }\n if (features.includes('id-token')) {\n if (opts.endpointOpts?.getIdToken === undefined) {\n throw Error('Cannot enable id-token endpoint without providing id-token endpoint options')\n }\n getIdTokenEndpoint(this.router, args.client, opts?.endpointOpts?.getIdToken)\n }\n if (features.includes('authenticated-user')) {\n getAuthenticatedUserEndpoint(this.router, opts?.endpointOpts?.getAuthenticatedUser)\n }\n this._express.use(opts?.endpointOpts?.basePath ?? '', this.router)\n }\n\n get agent(): TAgent<any> | undefined {\n return this._agent\n }\n\n get opts(): IAuthenticationOpts | undefined {\n return this._opts\n }\n\n get express(): Express {\n return this._express\n }\n}\n"],"mappings":";;;;AAAA,OAAOA,cAAc;AAGd,IAAMC,cAAN,MAAMA,aAAAA;EAHb,OAGaA;;;EACMC;EACTC;EAER,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,aAAYC,QAAAA;EACzB;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,YAAYF,SAAyE;AAC1F,SAAKA,UAAU;MACb,GAAGA;MACHG,mBAAmB,uBAAuBH,UAAUA,QAAQG,oBAAoB;IAClF;AACA,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,WAAW,KAAKL;AACtB,QAAI,CAACK,UAAU;AACb,YAAMC,MAAM,iCAAA;IACd;AACA,WAAO,mBAAA,EACJC,KAAK,CAACC,YACLC,SAASC,IACP,KAAKX,UACL,IAAIS,QAAQG,eAAeN,UAAU,SAAUO,OAAsBC,IAAkB;AACrF,UAAID,OAAO;AAET,eAAOC,GAAG,MAAMD,KAAAA;MAClB;AACA,aAAOC,GAAG,uCAAuC,IAAA;IACnD,CAAA,CAAA,CAAA,EAGHC,MAAM,CAACC,WAAAA;AACNC,cAAQC,IAAIF,MAAAA;AACZ,YAAMT,MAAM,uHAAA;IACd,CAAA;EACJ;AACF;;;AC9CA,OAAOY,eAAc;AAoCd,IAAMC,iBAAN,MAAMA,gBAAAA;EApCb,OAoCaA;;;EACMC;EACTC,UAAuC,CAAC;EAEhD,OAAcC,KAAKF,UAAkB;AACnC,WAAO,IAAID,gBAAeC,QAAAA;EAC5B;EAEA,YAAoBA,UAAkB;AACpC,SAAKA,WAAWA;EAClB;EAEOG,WAAWC,QAAsB;AACtC,SAAKH,UAAU;MAAE,GAAG,KAAKA;MAASG;IAAO;AACzC,WAAO;EACT;EAEOC,aAAaC,UAAmC;AACrD,SAAKL,UAAU;MAAE,GAAG,KAAKA;MAASK;IAAS;AAC3C,WAAO;EACT;EAEOC,YAAYC,SAAuB;AACxC,SAAKP,UAAU;MAAE,GAAG,KAAKA;MAASO;IAAQ;AAC1C,WAAO;EACT;EAEOC,eAAeC,YAAmC;AACvD,SAAKT,UAAU;MAAE,GAAG,KAAKA;MAASS;IAAW;AAC7C,WAAO;EACT;EAEOC,YAAYV,SAA4C;AAC7D,SAAKA,UAAU;MAAE,GAAG,KAAKA;MAAS,GAAGA;IAAQ;AAC7C,WAAO;EACT;EAEA,MAAMW,kBAAiC;AACrC,UAAM,EAAER,QAAQE,UAAUI,WAAU,IAAK,KAAKT;AAE9C,QAAI,CAACG,QAAQ;AACX,aAAOS,QAAQC,OAAO,IAAIC,MAAM,yCAAA,CAAA;IAClC;AAEA,QAAIP,UAAU,KAAKP,QAAQO;AAC3B,QAAI,CAACA,SAAS;AACZA,gBAAU,MAAM,KAAKQ,gBAAgBZ,MAAAA;IACvC;AAEA,QAAI;AACF,YAAM,CAACa,aAAaC,OAAAA,IAAW,MAAML,QAAQM,IAAI;QAAC,OAAO,cAAA;QAAiB,OAAO,UAAA;OAAY;AAE7F,YAAM,EAAEC,UAAUC,aAAaC,WAAU,IAAKL;AAC9C,YAAM,EAAEM,kBAAiB,IAAKL;AAE9B,YAAMM,aAAa;QACjBC,gBAAgBH,WAAWI,4BAA2B;QACtDC,qBAAqBJ,kBAAkB;UACrCK,OAAO;UACPC,WAAW;UACXC,uBAAuB;UACvBtB;QACF,CAAA;QACAJ;QACAE;QACAI,YAAYA,cAAe;UAAC;UAAS;UAAS;UAAS;UAAS;UAAS;;MAC3E;AAEAqB,MAAAA,UAASC,IACP,KAAKhC,UACL,IAAIqB,YAAYG,YAAY,CAACS,SAA4BC,SAAAA;AACvD,YAAID,SAAS;AACX,iBAAOC,KAAK,MAAMD,OAAAA;QACpB;AACA,eAAOC,KAAK,uCAAuC,IAAA;MACrD,CAAA,CAAA;IAEJ,SAASC,OAAO;AACdC,cAAQD,MAAM,0CAA0CA,KAAAA;AACxD,aAAOtB,QAAQC,OACb,IAAIC,MACF,qHACA;QAAEsB,OAAOF;MAAM,CAAA,CAAA;IAGrB;EACF;EAEA,MAAcnB,gBAAgBZ,QAAiC;AAC7D,UAAMkC,eAAe,GAAGlC,MAAAA,GAASA,OAAOmC,SAAS,GAAA,IAAO,KAAK,GAAA;AAE7D,QAAI;AACF,YAAMC,WAAW,MAAMC,MAAMH,YAAAA;AAC7B,UAAI,CAACE,SAASE,IAAI;AAChB,eAAO7B,QAAQC,OACb,IAAIC,MAAM,2CAA2CuB,YAAAA,KAAiBE,SAASG,MAAM,IAAIH,SAASI,UAAU,EAAE,CAAA;MAElH;AAEA,YAAMC,SAAU,MAAML,SAASM,KAAI;AACnC,UAAI,CAACD,OAAOE,UAAU;AACpB,eAAOlC,QAAQC,OAAO,IAAIC,MAAM,yBAAyBuB,YAAAA,4BAAwC,CAAA;MACnG;AAEA,aAAOO,OAAOE;IAChB,SAASZ,OAAO;AACd,aAAOtB,QAAQC,OACb,IAAIC,MAAM,0DAA0DuB,YAAAA,IAAgB;QAAED,OAAOF;MAAM,CAAA,CAAA;IAEvG;EACF;AACF;;;ACnJA,OAAOa,eAAc;AAErB,SAASC,gBAAgB;AAGlB,IAAMC,mBAAN,MAAMA,kBAAAA;EALb,OAKaA;;;EACMC;EACjB,OAAeC,YAAmD,oBAAIC,IAAAA;EACtE,OAAeC,gBAAkE,oBAAID,IAAAA;EAC7EE,aAAuB;EAE/B,OAAcC,KAAKL,UAAkBM,UAAqC;AACxE,WAAO,IAAIP,kBAAiBC,YAAY,UAAUM,YAAY,IAAIC,iCAAiCP,QAAAA,CAAAA;EACrG;EAEA,YAAoBA,UAAkBM,UAAoC;AACxE,SAAKN,WAAWA;AAChB,QAAID,kBAAiBE,UAAUO,IAAIR,QAAAA,GAAW;AAC5C,UAAID,kBAAiBE,UAAUQ,IAAIT,QAAAA,MAAcM,UAAU;AACzD,cAAMI,MAAM,yDAAyDV,QAAAA;MACvE;IACF,OAAO;AACLD,wBAAiBE,UAAUU,IAAIX,UAAUM,QAAAA;IAC3C;EACF;EAEA,IAAIA,WAAW;AACb,UAAMA,WAAWP,kBAAiBE,UAAUQ,IAAI,KAAKT,QAAQ;AAC7D,QAAI,CAACM,UAAU;AACb,YAAMI,MAAM,qCAAqC,KAAKV,QAAQ;IAChE;AACA,WAAOM;EACT;EAEAM,eAAeR,YAA2B;AACxC,SAAKA,aAAaA;AAClB,WAAO;EACT;EAEAS,UAAUC,OAAwC;AAChD,SAAKC,QAAQD,KAAAA;AACb,WAAO;EACT;EAEAC,QAAQC,MAAuC;AAC7C,SAAKV,SAASS,QAAQC,IAAAA;AACtB,WAAO;EACT;EAEAC,kBAAkBC,SAAoD;AACpEnB,sBAAiBI,cAAcQ,IAAI,KAAKX,UAAUkB,OAAAA;AAClD,WAAO;EACT;EAEAC,kBAAkB;AAChB,UAAMC,YAAY,KAAKd;AACvB,aAASe,SAASC,OAAeC,IAAkF;AACjH,YAAMP,OAAOI,UAAUI,QAAQF,KAAAA;AAC/B,UAAIN,MAAM;AACR,eAAOO,GAAG,MAAMP,IAAAA;MAClB;AACA,aAAOO,GAAG,uCAAuC,KAAA;IACnD;AANSF;AAQT,WAAO,sBAAA,EACJI,KAAK,CAACC,eAAAA;AACL,YAAMtB,aAAa,KAAKA,cAAc;AACtCuB,MAAAA,UAASC,IACP,KAAK5B,UACL,IAAI0B,WAAWG,SAAS;QAAEC,mBAAmB;MAAM,GAAG,SACpDR,OACAC,IAAkF;AAElF,YAAInB,YAAY;AACd,iBAAO,sBAAA,EACJqB,KAAK,CAACM,SAAAA;AACLV,qBAASW,SAASD,KAAKE,OAAOX,KAAAA,CAAAA,GAASC,EAAAA;UACzC,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,oBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,kBAAMzB,MAAM,gDAAA;UACd,CAAA;QACJ,OAAO;AACLW,mBAASC,OAAOC,EAAAA;QAClB;MACF,CAAA,CAAA;IAEJ,CAAA,EACCW,MAAM,CAACC,UAAAA;AACNC,cAAQC,IAAI,yCAAyCF,KAAAA,EAAO;AAC5D,YAAMzB,MAAM,uDAAA;IACd,CAAA;EACJ;AACF;AAYO,IAAMH,mCAAN,MAAMA;EAzGb,OAyGaA;;;EACM+B;EACAC,SAAuB,CAAA;EACvBC;EAEjB,YAAYxC,UAAkByC,cAAwB;AACpD,SAAKH,YAAYtC;AACjB,SAAKwC,gBAAgBC,gBAAgB;EACvC;EAEA,IAAI3B,QAAsB;AACxB,WAAO,KAAKyB;EACd;EAEA,IAAIE,eAAwB;AAC1B,WAAO,KAAKD;EACd;EAEA,IAAIxC,WAAmB;AACrB,WAAO,KAAKsC;EACd;EAEAd,QAAQF,OAAuC;AAC7C,WAAO,KAAKR,MAAM4B,KAAK,CAAC1B,SAASA,KAAKM,UAAUA,KAAAA;EAClD;EAEAP,QAAQC,MAAiC2B,WAA2B;AAClE,UAAM7B,QAAQ8B,MAAMC,QAAQ7B,IAAAA,IAAQA,OAAO;MAACA;;AAC5C,QAAI2B,WAAW;AACb,UAAI,CAAC,KAAKF,cAAc;AACtB,cAAM/B,MAAM,4FAA4F,KAAKV,QAAQ;MACvH;AACA,aAAO,sBAAA,EACJyB,KAAK,CAACM,SAAAA;AACLjB,cAAMgC,QAAQ,CAAC9B,UAAUA,MAAKM,QAAQU,SAASD,KAAKE,OAAOjB,MAAKM,KAAK,CAAA,CAAA;MACvE,CAAA,EACCY,MAAM,CAACC,UAAAA;AACNC,gBAAQC,IAAI,iBAAiBF,KAAAA,EAAO;AACpC,cAAMzB,MAAM,gDAAA;MACd,CAAA;IACJ;AACA,SAAK6B,OAAOQ,KAAI,GAAIjC,KAAAA;EACtB;EAEAkC,WAAyB;AACvB,WAAO,KAAKT;EACd;AACF;;;ACtJA,OAAOU,eAAc;;;ACAd,SAASC,kBAAkBC,UAA4BC,YAAoBC,SAA0BC,OAAW;AACrH,MAAIC,MAAMF;AACV,MAAI,CAACE,KAAK;AACRC,YAAQF,MAAM,yEAAA;AACdC,UAAM;AACNH,iBAAa;EACf,OAAO;AACLI,YAAQF,MAAM,sBAAsBF,UAAAA,MAAgB,OAAOG,QAAQ,WAAWA,MAAME,KAAKC,UAAUH,GAAAA,CAAAA,EAAM;EAC3G;AACA,MAAID,OAAO;AACT,QAAIA,iBAAiBK,OAAO;AAC1BH,cAAQF,MAAM,kBAAkBA,MAAMD,OAAO,EAAE;IACjD;AACAG,YAAQF,MAAM,iBAAiBG,KAAKC,UAAUJ,KAAAA,CAAAA,EAAQ;EACxD;AACA,MAAIF,cAAc,KAAK;AACrBI,YAAQF,MAAM,yDAAA;AACdE,YAAQF,MAAMA,OAAOM,KAAAA;AACrBJ,YAAQF,MAAMK,MAAAA,EAAQC,KAAK;EAC7B;AACA,MAAIT,SAASU,aAAa;AACxBL,YAAQF,MAAM,wCAAwC;AACtD,WAAOH;EACT;AACAA,WAASC,aAAaA;AACtB,MAAI,OAAOG,QAAQ,YAAY,CAACA,IAAIO,WAAW,GAAA,GAAM;AACnDP,UAAM;MAAED,OAAOC;IAAI;EACrB;AACA,MAAI,OAAOA,QAAQ,YAAYA,IAAIO,WAAW,GAAA,GAAM;AAClDX,aAASY,OAAO,gBAAgB,kBAAA;AAChC,WAAOZ,SAASa,OAAOZ,UAAAA,EAAYa,IAAIV,GAAAA;EACzC;AACA,SAAOJ,SAASa,OAAOZ,UAAAA,EAAYc,KAAKX,GAAAA;AAC1C;AAjCgBL;AAmCT,IAAMiB,mBAAmB,wBAACC,KAAUC,KAAsBC,KAAuBC,SAAAA;AACtF,QAAMnB,aAAqB,gBAAgBgB,MAAMA,IAAIhB,aAAa;AAClE,MAAIoB,WAAW,OAAOJ,QAAQ,WAAWA,MAAOA,IAAIf,WAAWe;AAC/D,MAAI,OAAOI,aAAa,UAAU;AAChCA,eAAWf,KAAKC,UAAUc,QAAAA;EAC5B;AACA,MAAIF,IAAIT,aAAa;AACnBL,YAAQiB,IAAI,oFAAA;AACZjB,YAAQiB,IAAI,cAAchB,KAAKC,UAAUU,GAAAA,CAAAA,EAAM;AAC/C,WAAOG,KAAKH,GAAAA;EACd;AACA,SAAOlB,kBAAkBoB,KAAKlB,YAAYoB,UAAUJ,GAAAA;AACtD,GAZgC;;;ACjBzB,SAASM,gBAAgBC,MAAS;AACvC,SAAO,kBAAkBA,QAAQA,KAAKC;AACxC;AAFgBF;;;AFbT,IAAMG,oBAAoB,wBAACC,SAAuC,CAACC,KAAsBC,KAAuBC,SAAAA;AACrH,MAAI,CAACH,MAAMI,SAASJ,KAAKI,MAAMC,WAAW,GAAG;AAC3C,WAAOF,KAAAA;EACT;AACA,QAAMC,QAAQE,MAAMC,QAAQP,KAAKI,KAAK,IAAIJ,KAAKI,QAAQ;IAACJ,KAAKI;;AAC7D,MAAI,CAACH,KAAKO,QAAQ,EAAE,UAAUP,IAAIO,OAAO;AACvC,WAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAGA,QAAMC,UAAUP,MAAMQ,KAAK,CAACC,SAASZ,IAAIO,KAAKK,KAAKC,YAAW,MAAOD,KAAKC,YAAW,CAAA;AACrF,MAAI,CAACH,SAAS;AACZ,WAAOT,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AAEA,SAAOP,KAAAA;AACT,GAhBiC;AAkBjC,IAAMY,0BAA0B,wBAACd,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACxG,QAAMgB,kBAAkB,wBACtBC,KACAT,MACAU,OACAC,YAAAA;AAEA,QAAIF,KAAK;AACP,YAAMG,UAAU,aAAaH,MAAMA,IAAIG,UAAUH;AACjDI,cAAQC,IAAI,mCAAmCC,KAAKC,UAAUJ,OAAAA,CAAAA;AAC9D,aAAOjB,KAAK;QAAEsB,YAAY;QAAKL;MAAQ,CAAA;IACzC,WAAW,CAACZ,MAAM;AAChBa,cAAQC,IAAI,iFAAA;AAEZ,aAAOpB,IAAIwB,SAAS,uBAAA;IACtB;AACA,QAAIC,QAAQC,SAAS;AACnB3B,UAAI4B,MAAMrB,MAAM,SAAUS,MAAG;AAC3B,YAAIA,MAAK;AACP,iBAAOd,KAAKc,IAAAA;QACd;MACF,CAAA;IACF;AASA,WAAOd,KAAAA;EACT,GA/BwB;AAiCxB,MAAI,CAACH,QAAQ,CAACA,KAAK8B,kBAAkB9B,KAAK8B,eAAeC,YAAY,OAAO;AAC1E,WAAO5B,KAAAA;EACT;AACA,MAAI,CAACH,KAAK8B,eAAeE,UAAU;AACjCX,YAAQC,IAAI,sFAAsF;AAClG,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,QAAMiB,UAAU;IACd,GAAG3B,MAAM8B,gBAAgBG;IACzBC,UAAUlC,MAAM8B,gBAAgBI,aAAa;IAC7CN,SAAS5B,MAAM8B,gBAAgBF,YAAY;EAC7C;AAEA,QAAMO,WAAWnC,MAAM8B,gBAAgBK,aAAanC,MAAM8B,gBAAgBM,qBAAqBpB,kBAAkBqB;AAEjHC,EAAAA,UAASC,aAAavC,KAAK8B,eAAeE,UAAUL,SAASQ,QAAAA,EAAUK,KAAK,QAAMvC,KAAKC,KAAKC,IAAAA;AAC9F,GAlDgC;AAmDhC,IAAMsC,yBAAyB,wBAACxC,KAAsBC,KAAuBC,MAA4BH,SAAAA;AACvG,MAAI,CAACA,QAAQ,CAACA,KAAK8B,kBAAkB,CAAC9B,KAAK0C,iBAAiB1C,KAAK8B,eAAeC,YAAY,SAAS/B,MAAM0C,cAAcX,YAAY,OAAO;AAC1I,WAAO5B,KAAAA;EACT;AAIA,QAAMuC,gBAAgB1C,KAAK0C;AAE3B,MAAI,CAACA,cAAcC,aAAa,CAACD,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,WAAW,IAAI;AACnHgB,YAAQC,IAAI,uEAAuE;AACnF,WAAOpB,IAAIO,OAAO,GAAA,EAAKC,IAAG;EAC5B;AACA,MAAIgC,cAAcE,sBAAsBF,cAAcE,mBAAmBvC,SAAS,GAAG;AACnFN,sBAAkB;MAAEK,OAAOsC,cAAcE;IAAmB,CAAA;EAC9D;AACA,MAAIF,cAAcC,UAAU;AAC1B,UAAMA,WAAWD,cAAcC;AAC/B,UAAME,YAAYF,SAASG,YAAY7C,IAAIO,MAAMR,KAAK+C,UAAU/C,KAAKgD,SAAS;AAC9E,QAAI,CAACH,WAAW;AACdxB,cAAQC,IAAI,aAAatB,KAAK+C,QAAQ,WAAW/C,KAAKgD,SAAS,oBAAoB/C,IAAIO,IAAI,EAAE;AAC7F,aAAON,IAAIO,OAAO,GAAA,EAAKC,IAAG;IAC5B;EACF;AACA,SAAOP,KAAAA;AACT,GAzB+B;AA2BxB,IAAM8C,0BAA0B,wBAACjD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE5G,SAAOY,wBAAwBd,KAAKC,KAAKC,MAAMH,IAAAA;AACjD,GAHuC;AAKhC,IAAMkD,yBAAyB,wBAAClD,SAAwB,CAACC,KAAsBC,KAAuBC,SAAAA;AAE3G,SAAOsC,uBAAuBxC,KAAKC,KAAKC,MAAMH,IAAAA;AAChD,GAHsC;AAK/B,IAAMmD,yBAAyB,wBAAClD,KAAsBC,KAAuBC,SAAAA;AAClF,MAAI,CAACF,IAAIO,MAAM;AACbL,SAAAA;EACF;AACF,GAJsC;AAM/B,IAAMiD,sBAAsB,wBAACnD,KAAsBC,KAAuBC,SAAAA;AAC/E,MAAI,CAACF,IAAIO,MAAM;AACb,WAAO6C,kBAAkBnD,KAAK,KAAK,yBAAA;EACrC,OAAO;AACL,WAAOC,KAAAA;EACT;AACF,GANmC;AAQ5B,IAAMmD,YAAY,wBAACtD,SAAAA;AACxB,QAAMuD,WAAwF,CAAA;AAC9FA,WAASC,KAAKP,wBAAwBjD,IAAAA,CAAAA;AACtCuD,WAASC,KAAKN,uBAAuBlD,IAAAA,CAAAA;AACrCA,QAAMuD,YAAYA,SAASC,KAAI,GAAIxD,KAAKuD,QAAQ;AAChD,SAAOA;AACT,GANyB;AAQlB,SAASE,yBAAyBC,MAA8C;AACrF,QAAM1D,OAAO0D,MAAM1D;AACnB,QAAM2D,MAAMD,MAAMC;AAClB,MAAI,CAAC3D,QAAQ,CAAC2D,OAAO,CAACC,gBAAgB5D,IAAAA,GAAO;AAC3C;EACF;AACA,MAAI2D,QAAQ,YAAY;AAEtB;EACF;AACA,MAAI3D,KAAK6D,cAAcC,YAAY;AACjC,QAAI9D,KAAK6D,aAAaF,GAAAA,GAAMI,sBAAsB,MAAM;AACtD;IACF;AACA/D,SAAK6D,aAAaF,GAAAA,IAAO;MACvB,GAAG3D,KAAK6D,aAAaF,GAAAA;MACrBK,UAAU;QAAE,GAAGhE,KAAK6D,aAAaC;QAAY,GAAG9D,KAAK6D,aAAaF,GAAAA,GAAMK;MAAS;IACnF;EACF;AACF;AAnBgBP;AAqBT,SAASQ,0BAA0BP,MAAiD;AACzFA,QAAMQ,KAAKC,QAAQ,CAACR,QAAQF,yBAAyB;IAAEzD,MAAM0D,MAAM1D;IAAM2D;EAAI,CAAA,CAAA;AAC/E;AAFgBM;;;AGzJhB,OAAOG,gBAAgB;AAEvB,OAAOC,UAA2B;AAElC,OAAOC,aAA0B;AAEjC,OAAOC,oBAAoB;AAG3B,SAASC,4BAA4C;AACrD,OAAOC,YAAY;AACnB,OAAOC,eAAqC;;;ACdrC,SAASC,IAAIC,KAAcC,QAAe;AAC/C,MAAI,CAACD,KAAK;AACR,WAAOE;EACT;AACA,SAAOC,QAAQJ,IAAI,GAAGE,SAASA,OAAOG,KAAI,IAAK,EAAA,GAAKJ,GAAAA,EAAK;AAC3D;AALgBD;;;AD0BhB,IAAMM,2CAA2C;AAE1C,IAAMC,iBAAN,MAAMA,gBAAAA;EA5Bb,OA4BaA;;;EACHC;EACAC;EACAC;EACAC,YAAuD,CAAA;EACvDC;EACAC,eAAqCC;EAC5BC;EACTC;EACAC;EACAC,mBAA6B;EAC7BC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAER,YAAoBC,MAA6D;AAC/E,UAAM,EAAElB,iBAAiBO,aAAY,IAAKW,QAAQ,CAAC;AACnD,QAAIlB,iBAAiB;AACnB,WAAKmB,YAAYnB,eAAAA;IACnB;AACA,SAAKO,eAAeA,gBAAgB;EACtC;EAEA,OAAca,oBAAoBF,MAA6D;AAC7F,WAAO,IAAInB,gBAAemB,QAAQ,CAAC,CAAA;EACrC;EAEA,OAAcG,eAAeH,MAAsD;AACjF,UAAMI,UAAU,IAAIvB,gBAAe;MAAEC,iBAAiBkB,MAAMlB;MAAiBO,cAAcW,MAAMX;IAAa,CAAA;AAC9G,QAAIW,KAAKK,oBAAoB;AAC3BD,cAAQE,uBAAuBN,KAAKK,kBAAkB;IACxD;AACA,WAAOD,QAAQG,qBAAqB;MAAE,GAAGP;MAAMjB,cAAciB,KAAKQ;MAAUC,cAAcT,KAAKU,kBAAkB;IAAM,CAAA;EACzH;EAEOC,aAAaF,cAA8B;AAChD,QAAIA,iBAAiBrB,QAAW;AAC9B,WAAKD,eAAesB;IACtB;AACA,WAAO;EACT;EAEOG,kBAAkBZ,MAA0G;AACjI,QAAIA,MAAMa,mBAAmBb,KAAKc,UAAUd,KAAKe,UAAU;AACzD,YAAMC,MAAM,iEAAA;IACd;AACA,SAAKlB,UAAUE,MAAMa,kBAAkBI,OAAOjB,MAAMc,UAAU,OAAOd,MAAMe,OAAAA;AAC3E,WAAO;EACT;EAEOR,qBAAqB,EAC1BvB,MACAD,cACAmC,UACAT,aAAY,GAML;AACPzB,YAAQ,KAAKmC,SAASnC,IAAAA;AACtBD,oBAAgB,KAAKqC,aAAarC,YAAAA;AAClC,QAAI,OAAOmC,aAAa,YAAY;AAClC,WAAKG,mBAAmBH,QAAAA;IAC1B;AACA,SAAK/B,eAAesB,iBAAiB;AACrC,WAAO;EACT;EAEOU,SAASnC,MAAoB;AAClC,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEOoC,aAAarC,cAA4B;AAC9C,SAAKA,eAAeA;AACpB,WAAO;EACT;EAEOsC,mBAAmBH,UAA4B;AACpD,SAAKhC,iBAAiBgC;AACtB,WAAO;EACT;EAEOjB,YAAYnB,iBAAgC;AACjD,SAAKA,kBAAkBA;AACvB,SAAKK,eAAe;AACpB,WAAO;EACT;EAEOmC,mBAAmBC,YAAyC;AACjE,SAAKjC,kBAAkBiC;AACvB,WAAO;EACT;EAEOC,iBAAiBC,aAAsBC,mBAA6C;AACzF,SAAKlC,mBAAmBiC;AACxB,SAAKhC,oBAAoBiC;AACzB,WAAO;EACT;EAEOC,uBAAuBC,cAAuC;AACnE,SAAKlC,gBAAgBkC;AACrB,WAAO;EACT;EAEOC,aAAaC,UAA0B;AAC5C,SAAKnC,YAAYmC;AACjB,WAAO;EACT;EAEOxB,uBAAuByB,OAAqB;AACjD,SAAKhC,sBAAsBgC;AAC3B,WAAO;EACT;EAEOrB,eAAesB,UAAkB;AACtC,SAAKpC,UAAUoC,SAAQC,OAAO,KAAKC,QAAO,GAAI,KAAKC,YAAW,GAAI,KAAKjD,cAAc;AACrF,SAAKW,cAAcuC,qBAAqB;MACtCC,QAAQ,KAAKzC;IAEf,CAAA;AAEA,WAAO;MAAEyC,QAAQ,KAAKzC;MAAS0C,YAAY,KAAKzC;IAAY;EAC9D;EAEOsC,cAAsB;AAC3B,WAAO,KAAKpD,gBAAgBwD,IAAI,YAAY,KAAKlD,YAAY,KAAK;EACpE;EAEO6C,UAAkB;AACvB,WAAQ,KAAKlD,QAAQuD,IAAI,QAAQ,KAAKlD,YAAY,KAAK;EACzD;EAEOmD,YAAYC,UAAmF;AACpG,QAAIC,MAAMC,QAAQF,QAAAA,GAAW;AAC3B,WAAKxD,YAAYwD;IACnB,WAAWA,UAAU;AACnB,UAAI,CAAC,KAAKxD,WAAW;AACnB,aAAKA,YAAY,CAAA;MACnB;AACA,WAAKA,UAAU2D,KAAKH,QAAAA;IACtB,OAAO;AACL,WAAKxD,YAAY,CAAA;IACnB;AAEA,WAAO;EACT;EAEO4D,WAAWC,SAA+C;AAC/D,QAAI,CAAC,KAAK7D,WAAW;AACnB,WAAKA,YAAY,CAAA;IACnB;AACA,SAAKA,UAAU2D,KAAKE,OAAAA;AACpB,WAAO;EACT;EAEOC,mBAAmBC,aAA2C;AACnE,SAAKzD,eAAeyD;AACpB,WAAO;EACT;EAEOC,MAA6BjD,MAIjB;AACjB,UAAMgC,WAAU,KAAKkB,aAAalD,IAAAA;AAClC,UAAMU,iBAAiBV,MAAMU,mBAAmBtB,SAAY,KAAKD,iBAAiB,OAAOa,KAAKU;AAC9F,QAAIyC,UAAU,KAAKvD,YAAYR;AAC/B,QAAIsB,kBAAkB,CAACyC,SAAS;AAC9B,WAAKzC,eAAesB,QAAAA;AACpBmB,gBAAU;IACZ;AAEA,WAAO;MACLnB,SAAAA;MACAhD,MAAM,KAAKkD,QAAO;MAClB1B,UAAU,KAAK2B,YAAW;MAC1BP,cAAc,KAAKlC;MACnBgB;MACAoB,UAAU,KAAKnC;MACfyD,OAAO,wBAACpD,UAAAA;AACN,YAAIA,OAAMqD,qBAAqB;AAC7BC,kBAAQC,IAAI,sEAAA;QACd,OAAO;AACL,cAAI,CAACJ,SAAS;AACZ,iBAAKzC,eAAesB,QAAAA;AACpBmB,sBAAU;UACZ;QACF;AAEA,YAAInD,OAAMwD,wBAAwB,MAAM;AACtCxB,UAAAA,SAAQyB,IAAIC,gBAAAA;QACd;AACA,eAAO;UAAErB,QAAQ,KAAKzC;UAAU0C,YAAY,KAAKzC;QAAa;MAChE,GAdO;MAeP8D,MAAM,8BAAOrB,eAAAA;AACX,cAAMsB,OAAOtB,cAAc,KAAKzC;AAChC,YAAI,CAAC+D,MAAM;AACT,iBAAO;QACT;AACA,eAAO,MAAMA,KAAKC,UAAS,EAAGC,KAAK,MAAM,IAAA;MAC3C,GANM;IAOR;EACF;EAEUZ,aAAoClD,MAI1B;AAClB,UAAM+D,MAAuB/D,MAAMgC,WAAW,KAAKlD,mBAAmBkD,QAAAA;AACtE,QAAI,KAAKlC,SAAS;AAChBiE,UAAIN,IAAI,KAAK3D,OAAO;IACtB;AACA,QAAI,KAAKP,cAAc;AACrB,YAAMyE,QAAQ,KAAKzE,aAAayE,SAAS,IAAIC,eAAeC,YAAW;AACvE,WAAK3E,aAAayE,QAAQA;AAC1BD,UAAIN,IAAIQ,eAAe,KAAK1E,YAAY,CAAA;IAC1C;AACA,QAAI,KAAKC,kBAAkB;AACzBuE,UAAIN,IAAIU,UAASC,WAAW,KAAK3E,iBAAiB,CAAA;AAClD,UAAI,KAAKF,cAAc;AAGrBwE,YAAIN,IAAIU,UAASE,QAAO,CAAA;MAC1B;IACF;AACA,QAAI,KAAK3E,eAAe;AACtBqE,UAAIN,IAAIa,kBAAkB;QAAEC,OAAO,KAAK7E;MAAc,CAAA,CAAA;IACxD;AACA,QAAI,KAAKJ,iBAAiB;AACxB,WAAKA,gBAAgBkF,UAAU;QAAE1F,iBAAiBiF;MAAI,CAAA;IACxD;AAGA,SAAK9E,aAAa,KAAKA,UAAUwF,SAAS,KAAKV,IAAIN,IAAI,KAAKxE,SAAS;AAErEe,UAAMyC,YAAYsB,IAAIN,IAAIzD,KAAKyC,QAAQ;AAEvC,UAAMV,QAAQ,KAAKhC,uBAAuBnB;AAC1CmF,QAAIN,IAAIiB,WAAWC,WAAW;MAAEC,UAAU;MAAM7C;IAAM,CAAA,CAAA;AACtDgC,QAAIN,IAAIiB,WAAWG,KAAK;MAAE9C;IAAM,CAAA,CAAA;AAChC,WAAOgC;EACT;AACF;AAEO,IAAMe,wBAAN,MAAMA;EAzRb,OAyRaA;;;EACHC;EACAC;EACAC;EACAC;EACAC;EACAC;EACSC;EACAC;EAEjB,YAAYC,MAA6D;AACvE,UAAM,EAAEzG,iBAAiBO,aAAY,IAAKkG,QAAQ,CAAC;AACnD,SAAKF,WAAWvG;AAChB,SAAKwG,gBAAgBjG;EACvB;EAEOmG,YAAYC,OAA2E;AAC5F,SAAKR,eAAeQ;AACpB,WAAO;EACT;EAEOC,YAAYD,OAAsB;AACvC,SAAKV,eAAeU;AACpB,WAAO;EACT;EAEOE,aAAaF,OAAgC;AAClD,SAAKP,gBAAgBO;AACrB,WAAO;EACT;EAEOG,eAAeH,OAAgC;AACpD,SAAKN,kBAAkBM;AACvB,WAAO;EACT;EAEOI,iBAAiBJ,OAAsB;AAC5C,SAAKL,oBAAoBK;AACzB,WAAO;EACT;EAEOjB,UAAU,EAAE1F,gBAAe,GAAmC;AACnE,UAAMkD,WAAUlD,mBAAmB,KAAKuG;AACxC,QAAI,CAACrD,UAAS;AACZ,YAAMhB,MAAM,uDAAA;IACd;AAEA,UAAM8E,iBAAiBvD,IAAI,gBAAgB,KAAK+C,aAAa;AAC7D,UAAMS,eAAe,KAAKhB,iBAAiBe,iBAAiB,OAAOE,KAAKF,cAAAA,IAAkB;AAC1F,QAAIC,cAAc;AAChB;IACF;AACA,UAAME,oBAAoB1D,IAAI,qBAAqB,KAAK+C,aAAa,KAAK;AAC1E,QAAIY;AACJ,QAAID,kBAAkBE,SAAS,GAAA,GAAM;AACnCD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,WAAWH,kBAAkBE,SAAS,GAAA,GAAM;AAC1CD,uBAAiBD,kBAAkBG,MAAM,GAAA;IAC3C,OAAO;AACLF,uBAAiBD;IACnB;AACA,QAAIvD,MAAMC,QAAQuD,cAAAA,KAAmBA,eAAezB,WAAW,GAAG;AAChEyB,uBAAiBA,eAAe,CAAA;IAClC;AACA,UAAMG,cAA2B;MAC/BC,QAAQ,KAAKrB,gBAAgBiB;;MAE7B,GAAI,KAAKhB,iBAAiB;QAAEqB,SAAS,KAAKrB;MAAc;MACxD,GAAI,KAAKC,mBAAmB;QAAES,gBAAgB,KAAKT;MAAgB;MACnE,GAAI,KAAKC,sBAAsBhG,UAAa;QAAEoH,aAAa,KAAKpB;MAAkB;MAClFqB,sBAAsB;IACxB;AAEA,QAAI,KAAKzB,yBAAyB;AAChChD,MAAAA,SAAQjB,QAAQ,KAAK2F,KAAKL,WAAAA,CAAAA;IAC5B;AACArE,IAAAA,SAAQyB,IAAIiD,KAAKL,WAAAA,CAAAA;EACnB;AACF;;;AEtWA,OAAOM,cAAgD;AACvD,SAAoDC,cAAc;AAClE,OAAOC,eAAc;AAOrB,IAAMC,SAASC,QAAQC,IAAIF,UAAU;AACrC,eAAsBG,mBAAmBC,MAA6B;AACpE,QAAMC,YAAYD,MAAMC,aAAaH,IAAI,eAAeF,MAAAA,KAAW;AACnE,QAAMM,SAAS,MAAMC,OAAOC,SAASH,SAAAA;AACrCI,UAAQC,IAAI,2BAA2BJ,OAAOA,QAAQA,OAAOK,QAAQ;AACrE,SAAO;IAAEL;IAAQD;EAAU;AAC7B;AALsBF;AAOtB,eAAsBS,cACpBN,QACAK,UACAP,MAGC;AAGD,SAAO,IAAIE,OAAOO,OAAOF,UAAUP,MAAMU,MAAMV,MAAMW,OAAAA;AACvD;AAVsBH;AAYf,SAASI,iBAAiBC,QAAgBb,MAAqD;AACpG,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,4BAA4B;AACxC;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACA,CAACE,KAAUC,KAAUC,SAAAA;AACnB,UAAMC,eAAeH,IAAID,IAAI,SAAA,KAAc;AAC3CC,QAAII,QAAQD,eAAeA;AAC3BD,SAAAA;EACF,GACAG,UAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAM,GACrHC,MAAAA,CAAAA;AAGN;AAvBgBlB;AAyBT,SAASmB,yBAAyBlB,QAAgBb,MAA0B;AACjF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,oCAAoC;AAChD;EACF;AACA,QAAMS,WAAWf,MAAMgB,UAAUC,gBAAgBF;AACjD,MAAI,CAACA,UAAU;AACb,UAAMG,MAAM,+BAAA;EACd;AACA,QAAMC,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IACLD,MACAO,UAASC,aACPZ,UACA;IAAE,GAAGf,KAAKiB,gBAAgBW;IAAiB,GAAG5B,KAAKgB,UAAUC,gBAAgBW;IAAiBC,iBAAiB;EAAK,GACpHC,MAAAA,GAEF,CAACT,KAAUC,KAAUC,SAAAA;AACnB,QAAIF,IAAIW,MAAM;AACZ3B,cAAQC,IAAI,sBAAsBe,IAAIW,MAAMC,IAAAA;AAE5C,YAAMT,eAAeH,IAAII,QAAQD,gBAAgB;AAEjD,aAAOH,IAAII,QAAQD;AACnB,aAAOF,IAAIY,SAASV,YAAAA;IACtB,OAAO;AACL,aAAOF,IAAIY,SAASpC,IAAI,2BAA2BF,MAAAA,KAAW,4CAAA;IAChE;EACF,CAAA;AAEJ;AA9BgBmC;AAgCT,SAASI,kBAAkBtB,QAAgBuB,QAAoBpC,MAA0B;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,6BAA6B;AACzC;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,QAAAA;AACrB,QAAI;AACF,UAAIc,OAAOC,cAAa,GAAI;AAC1B,eAAOf,IAAIY,SAASE,OAAOC,cAAa,CAAA;MAC1C,OAAO;AACLhC,gBAAQC,IAAI,sCAAA;AACZ,eAAOgB,IAAIY,SAAS,iCAAA;MACtB;IACF,SAASI,OAAO;AACdjC,cAAQC,IAAIgC,KAAAA;AACZ,aAAOhB,IAAIY,SAAS,iCAAA;IACtB;EACF,CAAA;AACF;AAnBgBC;AAqBT,SAASI,0BAA0B1B,QAAgBb,MAA0B;AAClF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,sCAAsC;AAClD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM,CAACE,KAAKC,KAAKC,SAAAA;AAC1B,QAAI;AACFF,UAAImB,OAAO,CAACC,QAAAA;AACV,YAAIA,KAAK;AACPpC,kBAAQC,IAAI,yCAAyCoC,KAAKC,UAAUF,GAAAA,CAAAA,EAAM;QAC5E;MACF,CAAA;AACA,aAAOnB,IAAIY,SAASpC,IAAI,qCAAqCF,MAAAA,KAAW,GAAA;IAC1E,SAASgD,GAAG;AACV,aAAOC,kBAAkBvB,KAAK,KAAK,uDAAuDsB,CAAAA;IAC5F;EACF,CAAA;AACF;AAlBgBL;AAoBT,SAASO,mBAAmBjC,QAAgBuB,QAAoBpC,MAAyB;AAC9F,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,+BAA+B;AAC3C;EACF;AACA,QAAMa,OAAOnB,KAAKmB,QAAQ;AAC1BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,QAAAA;AAC/C,QAAID,IAAII,QAAQuB,OAAOC,UAAU;AAC/B,aAAO3B,IAAI4B,KAAK;QAAED,UAAU5B,IAAII,QAAQuB,OAAOC;MAAS,CAAA;IAC1D,OAAO;AACL,aAAOJ,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;EACF,CAAA;AACF;AAbgBwB;AAeT,SAASK,6BAA6BtC,QAAgBb,MAA0B;AACrF,MAAIA,MAAMc,YAAY,OAAO;AAC3BT,YAAQC,IAAI,yCAAyC;AACrD;EACF;AACA,QAAMa,OAAOnB,MAAMmB,QAAQ;AAC3BN,SAAOO,IAAID,MAAM4B,qBAAqB,CAAC1B,KAAUC,KAAUC,SAAAA;AACzD,QAAI,CAACF,IAAIW,MAAM;AACb,aAAOa,kBAAkBvB,KAAK,KAAK,yBAAA;IACrC;AACA,QAAIU,OAAOX,IAAIW;AACf,WAAOV,IAAI4B,KAAKlB,IAAAA;EAClB,CAAA;AACF;AAbgBmB;AA+BT,IAAMC,uBAAN,MAAMA;EA7Kb,OA6KaA;;;EACX,IAAIvC,SAAyB;AAC3B,WAAO,KAAKwC;EACd;EAEiBC;EACAC;EACAC;EACAH;EAEjB,YAAYI,MAA8G;AACxH,UAAM,EAAEC,OAAO1D,KAAI,IAAKyD;AACxB,SAAKF,SAASG;AACdC,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAY,CAAA;AACrDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAc,CAAA;AACvDD,8BAA0B;MAAE3D;MAAM4D,MAAM;QAAC;;IAAwB,CAAA;AAEjE,SAAKJ,QAAQxD;AACb,SAAKsD,WAAWG,KAAKI,eAAeC;AACpC,SAAKT,UAAUS,SAAQC,OAAM;AAC7B,UAAMC,WAAWhE,MAAMiE,mBAAmB;MAAC;MAAS;MAAU;MAAY;;AAC1E5D,YAAQC,IAAI,4BAA4B;AAExC,QAAI0D,SAASE,SAAS,OAAA,GAAU;AAC9BtD,uBAAiB,KAAKC,QAAQb,MAAMmE,cAAcC,QAAAA;AAClDrC,+BAAyB,KAAKlB,QAAQb,MAAMmE,cAAcC,QAAAA;IAC5D;AACA,QAAIJ,SAASE,SAAS,QAAA,GAAW;AAC/B/B,wBAAkB,KAAKtB,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcE,SAAAA;AAChE9B,gCAA0B,KAAK1B,QAAQb,MAAMmE,cAAcE,SAAAA;IAC7D;AACA,QAAIL,SAASE,SAAS,UAAA,GAAa;AACjC,UAAIlE,KAAKmE,cAAcG,eAAexC,QAAW;AAC/C,cAAMZ,MAAM,6EAAA;MACd;AACA4B,yBAAmB,KAAKjC,QAAQ4C,KAAKrB,QAAQpC,MAAMmE,cAAcG,UAAAA;IACnE;AACA,QAAIN,SAASE,SAAS,oBAAA,GAAuB;AAC3Cf,mCAA6B,KAAKtC,QAAQb,MAAMmE,cAAcI,oBAAAA;IAChE;AACA,SAAKjB,SAASkB,IAAIxE,MAAMmE,cAAcM,YAAY,IAAI,KAAK5D,MAAM;EACnE;EAEA,IAAI6C,QAAiC;AACnC,WAAO,KAAKH;EACd;EAEA,IAAIvD,OAAwC;AAC1C,WAAO,KAAKwD;EACd;EAEA,IAAIM,UAAmB;AACrB,WAAO,KAAKR;EACd;AACF;","names":["passport","EntraIDAuth","strategy","options","init","withOptions","passReqToCallback","connectPassport","_options","Error","then","entraID","passport","use","BearerStrategy","token","cb","catch","reason","console","log","passport","OIDCBearerAuth","strategy","options","init","withIssuer","issuer","withAudience","audience","withJwksUri","jwksUri","withAlgorithms","algorithms","withOptions","connectPassport","Promise","reject","Error","discoverJwksUri","passportJwt","jwksRsa","all","Strategy","JwtStrategy","ExtractJwt","passportJwtSecret","jwtOptions","jwtFromRequest","fromAuthHeaderAsBearerToken","secretOrKeyProvider","cache","rateLimit","jwksRequestsPerMinute","passport","use","payload","done","error","console","cause","wellKnownUrl","endsWith","response","fetch","ok","status","statusText","config","json","jwks_uri","passport","toString","StaticBearerAuth","strategy","providers","Map","verifyOptions","hashTokens","init","provider","MapBasedStaticBearerUserProvider","has","get","Error","set","withHashTokens","withUsers","users","addUser","user","withVerifyOptions","options","connectPassport","_provider","findUser","token","cb","getUser","then","httpBearer","passport","use","Strategy","passReqToCallback","hash","toString","sha256","catch","error","console","log","_strategy","_users","_hashedTokens","hashedTokens","find","hashToken","Array","isArray","forEach","push","getUsers","passport","sendErrorResponse","response","statusCode","message","error","msg","console","JSON","stringify","Error","stack","headersSent","startsWith","header","status","end","json","jsonErrorHandler","err","req","res","next","errorMsg","log","hasEndpointOpts","opts","endpointOpts","checkUserIsInRole","opts","req","res","next","roles","length","Array","isArray","user","status","end","hasRole","find","role","toLowerCase","checkAuthenticationImpl","defaultCallback","err","_info","_status","message","console","log","JSON","stringify","statusCode","redirect","options","session","logIn","authentication","enabled","strategy","strategyOptions","authInfo","callback","useDefaultCallback","undefined","passport","authenticate","call","checkAuthorizationImpl","authorization","enforcer","requireUserInRoles","permitted","enforceSync","resource","operation","checkAuthenticationOnly","checkAuthorizationOnly","isUserNotAuthenticated","isUserAuthenticated","sendErrorResponse","checkAuth","handlers","push","copyGlobalAuthToEndpoint","args","key","hasEndpointOpts","endpointOpts","globalAuth","disableGlobalAuth","endpoint","copyGlobalAuthToEndpoints","keys","forEach","bodyParser","cors","express","expressSession","createHttpTerminator","morgan","passport","env","key","prefix","undefined","process","trim","DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE","ExpressBuilder","existingExpress","hostnameOrIP","port","_handlers","listenCallback","_startListen","undefined","envVarPrefix","_corsConfigurer","_sessionOpts","_usePassportAuth","_passportInitOpts","_userIsInRole","_enforcer","_server","_terminator","_morgan","_maxRequestBodySize","opts","withExpress","fromExistingExpress","fromServerOpts","builder","maxRequestBodySize","withMaxRequestBodySize","withEnableListenOpts","hostname","startOnBuild","startListening","enableListen","withMorganLogging","existingMorgan","format","options","Error","morgan","callback","withPort","withHostname","withListenCallback","withCorsConfigurer","configurer","withPassportAuth","usePassport","initializeOptions","withGlobalUserIsInRole","userIsInRole","withEnforcer","enforcer","limit","express","listen","getPort","getHostname","createHttpTerminator","server","terminator","env","setHandlers","handlers","Array","isArray","push","addHandler","handler","withSessionOptions","sessionOpts","build","buildExpress","started","start","doNotStartListening","console","log","disableErrorHandler","use","jsonErrorHandler","stop","term","terminate","then","app","store","expressSession","MemoryStore","passport","initialize","session","checkUserIsInRole","roles","configure","length","bodyParser","urlencoded","extended","json","ExpressCorsConfigurer","_disableCors","_enablePreflightOptions","_allowOrigin","_allowMethods","_allowedHeaders","_allowCredentials","_express","_envVarPrefix","args","allowOrigin","value","disableCors","allowMethods","allowedHeaders","allowCredentials","disableCorsEnv","corsDisabled","test","envAllowOriginStr","envAllowOrigin","includes","split","corsOptions","origin","methods","credentials","optionsSuccessStatus","cors","express","Issuer","passport","PREFIX","process","env","oidcDiscoverIssuer","opts","issuerUrl","issuer","Issuer","discover","console","log","metadata","oidcGetClient","Client","jwks","options","getLoginEndpoint","router","enabled","strategy","endpoint","authentication","Error","path","get","req","res","next","redirectPage","session","passport","authenticate","strategyOptions","keepSessionInfo","undefined","getLoginCallbackEndpoint","user","name","redirect","getLogoutEndpoint","client","endSessionUrl","error","getLogoutCallbackEndpoint","logout","err","JSON","stringify","e","sendErrorResponse","getIdTokenEndpoint","isUserAuthenticated","tokens","id_token","json","getAuthenticatedUserEndpoint","OpenIDConnectAuthApi","_router","_express","_agent","_opts","args","agent","copyGlobalAuthToEndpoints","keys","expressSupport","express","Router","features","enabledFeatures","includes","endpointOpts","getLogin","getLogout","getIdToken","getAuthenticatedUser","use","basePath"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-express-support",
3
- "version": "0.37.2-next.24+325bcbab",
3
+ "version": "0.37.2-next.28+0fa1686a",
4
4
  "source": "src/index.ts",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",
@@ -23,7 +23,7 @@
23
23
  "start:energyshr": "cross-env ENVIRONMENT=EnergySHR NODE_ENV=energyshr node --experimental-specifier-resolution=node --loader ts-node/esm __tests__/index.ts"
24
24
  },
25
25
  "dependencies": {
26
- "@sphereon/ssi-types": "0.37.2-next.24+325bcbab",
26
+ "@sphereon/ssi-types": "0.37.2-next.28+0fa1686a",
27
27
  "body-parser": "^1.20.2",
28
28
  "casbin": "^5.30.0",
29
29
  "cookie-session": "^2.1.0",
@@ -100,5 +100,5 @@
100
100
  "SSI",
101
101
  "Agent"
102
102
  ],
103
- "gitHead": "325bcbab3e9b773459b932dad38d39f7fc3c3cba"
103
+ "gitHead": "0fa1686a6609f7a0aed8bbc8c7594639071cf88b"
104
104
  }
package/src/express-builders.ts CHANGED
@@ -24,6 +24,8 @@ type Handler<Request extends http.IncomingMessage, Response extends http.ServerR
24
24
  callback: (err?: Error) => void,
25
25
  ) => void
26
26
 
27
+ const DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE = '5mb'
28
+
27
29
  export class ExpressBuilder {
28
30
  private existingExpress?: Express
29
31
  private hostnameOrIP?: string
@@ -41,6 +43,7 @@ export class ExpressBuilder {
41
43
  private _server?: http.Server | undefined
42
44
  private _terminator?: HttpTerminator
43
45
  private _morgan?: Handler<any, any> | undefined
46
+ private _maxRequestBodySize?: string
44
47
 
45
48
  private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {
46
49
  const { existingExpress, envVarPrefix } = opts ?? {}
@@ -56,6 +59,9 @@ export class ExpressBuilder {
56
59
 
57
60
  public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {
58
61
  const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })
62
+ if (opts.maxRequestBodySize) {
63
+ builder.withMaxRequestBodySize(opts.maxRequestBodySize)
64
+ }
59
65
  return builder.withEnableListenOpts({ ...opts, hostnameOrIP: opts.hostname, startOnBuild: opts.startListening ?? false })
60
66
  }
61
67
 
@@ -136,6 +142,11 @@ export class ExpressBuilder {
136
142
  return this
137
143
  }
138
144
 
145
+ public withMaxRequestBodySize(limit: string): this {
146
+ this._maxRequestBodySize = limit
147
+ return this
148
+ }
149
+
139
150
  public startListening(express: Express) {
140
151
  this._server = express.listen(this.getPort(), this.getHostname(), this.listenCallback)
141
152
  this._terminator = createHttpTerminator({
@@ -261,8 +272,9 @@ export class ExpressBuilder {
261
272
  // @ts-ignore
262
273
  opts?.handlers && app.use(opts.handlers)
263
274
  //fixme: this should come from the config
264
- app.use(bodyParser.urlencoded({ extended: true }))
265
- app.use(bodyParser.json({ limit: '5mb' }))
275
+ const limit = this._maxRequestBodySize ?? DEFAULT_MAX_BODYPARSER_REQUEST_BODY_SIZE
276
+ app.use(bodyParser.urlencoded({ extended: true, limit }))
277
+ app.use(bodyParser.json({ limit }))
266
278
  return app
267
279
  }
268
280
  }
package/src/types.ts CHANGED
@@ -14,6 +14,7 @@ export interface IExpressServerOpts {
14
14
  existingExpress?: Express
15
15
  listenCallback?: () => void
16
16
  startListening?: boolean
17
+ maxRequestBodySize?: string
17
18
  // externalBaseUrl?: string // In case an external base URL needs to be exposed
18
19
  }
19
20