@steedos/accounts 2.5.3-beta.21 → 2.5.3-beta.23

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@steedos/accounts",
   "private": false,
-  "version": "2.5.3-beta.21",
+  "version": "2.5.3-beta.23",
   "main": "lib/index.js",
   "files": [
     "/package.json",
@@ -56,20 +56,20 @@
     "validator": "^13.6.0"
   },
   "devDependencies": {
-    "@steedos/auth": "2.5.3-beta.21",
-    "@steedos/meteor-bundle-runner": "2.5.3-beta.21",
-    "@steedos/objectql": "2.5.3-beta.21",
+    "@steedos/auth": "2.5.3-beta.23",
+    "@steedos/meteor-bundle-runner": "2.5.3-beta.23",
+    "@steedos/objectql": "2.5.3-beta.23",
     "@types/dotenv-flow": "^3.0.0",
     "@types/node": "12.6.8",
     "cross-env": "^7.0.3",
     "dotenv": "^8.2.0",
     "dotenv-flow": "^3.1.0",
     "nodemon": "^2.0.19",
-    "steedos-server": "2.5.3-beta.21",
+    "steedos-server": "2.5.3-beta.23",
     "typescript": "4.6.3"
   },
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "b4313a2ef5d18ef1cf9271bd3c89b2d6fe52d65b"
+  "gitHead": "8fd9cf35d29f8f71e11790bd010bf5b045e7ebc4"
 }

package/lib/oauth2/client.js

@@ -1 +0,0 @@
-//# sourceMappingURL=client.js.map

package/lib/oauth2/client.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/oauth2/client.ts"],"names":[],"mappings":""}

package/lib/oauth2/config.js

@@ -1,14 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.hydraAdmin = void 0;
-var hydra_client_1 = require("@oryd/hydra-client");
-var baseOptions = {};
-if (process.env.STEEDOS_MOCK_TLS_TERMINATION) {
-    baseOptions.headers = { 'X-Forwarded-Proto': 'https' };
-}
-var hydraAdmin = new hydra_client_1.AdminApi(new hydra_client_1.Configuration({
-    basePath: process.env.STEEDOS_HYDRA_ADMIN_URL,
-    baseOptions: baseOptions
-}));
-exports.hydraAdmin = hydraAdmin;
-//# sourceMappingURL=config.js.map

package/lib/oauth2/config.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/oauth2/config.ts"],"names":[],"mappings":";;;AAAA,mDAA4D;AAC5D,IAAM,WAAW,GAAQ,EAAE,CAAA;AAE3B,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE;IAC5C,WAAW,CAAC,OAAO,GAAG,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAA;CACvD;AAED,IAAM,UAAU,GAAG,IAAI,uBAAQ,CAC7B,IAAI,4BAAa,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB;IAC7C,WAAW,aAAA;CACZ,CAAC,CACH,CAAA;AAEQ,gCAAU"}

package/lib/oauth2/consent.js

@@ -1,192 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-var express = require("express");
-var url = require("url");
-var config_1 = require("./config");
-var oidc_cert_1 = require("./stub/oidc-cert");
-var _ = require('lodash');
-var csrf = require('csurf');
-var urljoin = require('url-join');
-var pug = require('pug');
-var path = require('path');
-// Sets up csrf protection
-var csrfProtection = csrf({ cookie: true });
-var router = express.Router();
-var getOAuthSession = function (user, grantScope) {
-    // The session allows us to set session data for id and access tokens
-    var session = {
-        // This data will be available when introspecting the token. Try to avoid sensitive information here,
-        // unless you limit who can introspect tokens.
-        access_token: {
-        // foo: 'bar'
-        },
-        // This data will be available in the ID token.
-        id_token: {
-        // baz: 'bar'
-        }
-    };
-    var _grantScope = grantScope;
-    if (!_.isArray(_grantScope)) {
-        _grantScope = [_grantScope];
-    }
-    _.each(_grantScope, function (scope) {
-        if (scope === 'profile') {
-            session.id_token.steedos_id = user.steedos_id;
-            session.id_token.name = user.name;
-            session.id_token.username = user.username;
-            session.id_token.mobile = user.mobile;
-            session.id_token.email = user.email;
-            // (session.id_token as any).job_number = user.job_number;
-            session.id_token.locale = user.locale;
-            session.id_token.space = user.spaces && user.spaces.length > 0 ? user.spaces[0] : null;
-            // (session.id_token as any).profile = user.profile;
-            session.id_token.userId = user.userId;
-            session.id_token.mobile_verified = user.mobile_verified;
-            session.id_token.email_verified = user.email_verified;
-            session.id_token.utcOffset = user.utcOffset;
-        }
-    });
-    return session;
-};
-router.get('/', csrfProtection, function (req, res, next) {
-    // Parses the URL query
-    var query = url.parse(req.url, true).query;
-    // The challenge is used to fetch information about the consent request from ORY hydraAdmin.
-    var challenge = String(query.consent_challenge);
-    if (!challenge) {
-        next(new Error('Expected a consent challenge to be set but received none.'));
-        return;
-    }
-    var user = req.user;
-    if (!user) {
-        return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
-    }
-    // This section processes consent requests and either shows the consent UI or
-    // accepts the consent request right away if the user has given consent to this
-    // app before
-    config_1.hydraAdmin
-        .getConsentRequest(challenge)
-        // This will be called if the HTTP request was successful
-        .then(function (_a) {
-        var body = _a.data;
-        // If a user has granted this application the requested scope, hydra will tell us to not show the UI.
-        if (body.skip) {
-            // You can apply logic here, for example grant another scope, or do whatever...
-            // ...
-            // Now it's time to grant the consent request. You could also deny the request if something went terribly wrong
-            return config_1.hydraAdmin
-                .acceptConsentRequest(challenge, {
-                // We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
-                // are requested accidentally.
-                grant_scope: body.requested_scope,
-                // ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
-                grant_access_token_audience: body.requested_access_token_audience,
-                // The session allows us to set session data for id and access tokens
-                session: getOAuthSession(user, body.requested_scope)
-            })
-                .then(function (_a) {
-                var body = _a.data;
-                // All we need to do now is to redirect the user back to hydra!
-                res.redirect(String(body.redirect_to));
-            });
-        }
-        // If consent can't be skipped we MUST show the consent UI.
-        // return res.status(200).send({
-        //   csrfToken: (req as any).csrfToken(),
-        //   challenge: challenge,
-        //   // We have a bunch of data available from the response, check out the API docs to find what these values mean
-        //   // and what additional data you have available.
-        //   requested_scope: body.requested_scope,
-        //   user: body.subject,
-        //   client: body.client,
-        //   action: urljoin(process.env.BASE_URL || '', '/consent')
-        // })
-        var fn = pug.compileFile(path.join(__dirname, '..', '..', './views/oauth2/consent.pug'), {});
-        return res.status(200).send(fn({
-            csrfToken: req.csrfToken(),
-            challenge: challenge,
-            // We have a bunch of data available from the response, check out the API docs to find what these values mean
-            // and what additional data you have available.
-            requested_scope: body.requested_scope,
-            user: body.subject,
-            userInfo: user,
-            client: body.client,
-            action: Meteor.absoluteUrl("/oauth2/consent")
-        }));
-    })
-        // This will handle any error that happens when making HTTP calls to hydra
-        .catch(next);
-    // The consent request has now either been accepted automatically or rendered.
-});
-router.post('/', csrfProtection, function (req, res, next) {
-    var user = req.user;
-    // The challenge is now a hidden input field, so let's take it from the request body instead
-    var challenge = req.body.challenge;
-    if (!challenge) {
-        next(new Error('Expected a consent challenge to be set but received none.'));
-        return;
-    }
-    if (!user) {
-        return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
-    }
-    // Let's see if the user decided to accept or reject the consent request..
-    if (req.body.submit === 'Deny access') {
-        // Looks like the consent request was denied by the user
-        return (config_1.hydraAdmin
-            .rejectConsentRequest(challenge, {
-            error: 'access_denied',
-            error_description: 'The resource owner denied the request'
-        })
-            .then(function (_a) {
-            var body = _a.data;
-            // All we need to do now is to redirect the browser back to hydra!
-            res.redirect(String(body.redirect_to));
-        })
-            // This will handle any error that happens when making HTTP calls to hydra
-            .catch(next));
-    }
-    // label:consent-deny-end
-    var grantScope = req.body.grant_scope;
-    if (!Array.isArray(grantScope)) {
-        grantScope = [grantScope];
-    }
-    // The session allows us to set session data for id and access tokens
-    var session = getOAuthSession(user, grantScope);
-    // Let's fetch the consent request again to be able to set `grantAccessTokenAudience` properly.
-    config_1.hydraAdmin
-        .getConsentRequest(challenge)
-        // This will be called if the HTTP request was successful
-        .then(function (_a) {
-        var body = _a.data;
-        return config_1.hydraAdmin
-            .acceptConsentRequest(challenge, {
-            // We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
-            // are requested accidentally.
-            grant_scope: grantScope,
-            // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
-            // the app is built for the automated OpenID Connect Conformity Test Suite. You
-            // can peak inside the code for some ideas, but be aware that all data is fake
-            // and this only exists to fake a login system which works in accordance to OpenID Connect.
-            //
-            // If that variable is not set, the session will be used as-is.
-            session: (0, oidc_cert_1.oidcConformityMaybeFakeSession)(grantScope, body, session),
-            // ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
-            grant_access_token_audience: body.requested_access_token_audience,
-            // This tells hydra to remember this consent request and allow the same client to request the same
-            // scopes from the same user, without showing the UI, in the future.
-            remember: Boolean(req.body.remember),
-            // When this "remember" sesion expires, in seconds. Set this to 0 so it will never expire.
-            remember_for: 3600
-        })
-            .then(function (_a) {
-            var body = _a.data;
-            // All we need to do now is to redirect the user back to hydra!
-            res.redirect(String(body.redirect_to));
-        });
-    })
-        // This will handle any error that happens when making HTTP calls to hydra
-        .catch(next);
-    // label:docs-accept-consent
-});
-exports.default = router;
-//# sourceMappingURL=consent.js.map

package/lib/oauth2/consent.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"consent.js","sourceRoot":"","sources":["../../src/oauth2/consent.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAAiE;AAEjE,IAAM,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC5B,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,IAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;AAC3B,IAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;AAC7B,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAG/B,IAAM,eAAe,GAAG,UAAC,IAAI,EAAE,UAAU;IACvC,qEAAqE;IACrE,IAAI,OAAO,GAA0B;QACnC,qGAAqG;QACrG,8CAA8C;QAC9C,YAAY,EAAE;QACZ,aAAa;SACd;QAED,+CAA+C;QAC/C,QAAQ,EAAE;QACR,aAAa;SACd;KACF,CAAA;IACD,IAAI,WAAW,GAAG,UAAU,CAAA;IAC5B,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE;QAC3B,WAAW,GAAG,CAAC,WAAW,CAAC,CAAC;KAC7B;IACD,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAC,KAAK;QACxB,IAAI,KAAK,KAAK,SAAS,EAAE;YACtB,OAAO,CAAC,QAAgB,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACtD,OAAO,CAAC,QAAgB,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAC1C,OAAO,CAAC,QAAgB,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAClD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC7C,0DAA0D;YACzD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAChG,oDAAoD;YACnD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;YAChE,OAAO,CAAC,QAAgB,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;YAC9D,OAAO,CAAC,QAAgB,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;SACtD;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC,CAAA;AAED,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC7C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,4FAA4F;IAC5F,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACjD,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAC9B,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IACD,6EAA6E;IAC7E,+EAA+E;IAC/E,aAAa;IACZ,mBAAU;SACR,iBAAiB,CAAC,SAAS,CAAS;QACrC,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,qGAAqG;QACrG,IAAI,IAAI,CAAC,IAAI,EAAE;YACb,+EAA+E;YAC/E,MAAM;YAEN,+GAA+G;YAC/G,OAAO,mBAAU;iBACd,oBAAoB,CAAC,SAAS,EAAE;gBAC/B,4GAA4G;gBAC5G,8BAA8B;gBAC9B,WAAW,EAAE,IAAI,CAAC,eAAe;gBAEjC,iGAAiG;gBACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;gBAEjE,qEAAqE;gBACrE,OAAO,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,CAAC;aACrD,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACjB,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YACxC,CAAC,CAAC,CAAA;SACL;QAED,2DAA2D;QAC3D,gCAAgC;QAChC,yCAAyC;QACzC,0BAA0B;QAC1B,kHAAkH;QAClH,oDAAoD;QACpD,2CAA2C;QAC3C,wBAAwB;QACxB,yBAAyB;QACzB,4DAA4D;QAC5D,KAAK;QACL,IAAI,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,4BAA4B,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7F,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,SAAS,EAAG,GAAW,CAAC,SAAS,EAAE;YACnC,SAAS,EAAE,SAAS;YACpB,6GAA6G;YAC7G,+CAA+C;YAC/C,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,IAAI,EAAE,IAAI,CAAC,OAAO;YAClB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC;SAC9C,CAAC,CAAC,CAAC;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,8EAA8E;AAChF,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC9C,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAE9B,4FAA4F;IAC5F,IAAM,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAA;IACpC,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,aAAa,EAAE;QACrC,wDAAwD;QACxD,OAAO,CACL,mBAAU;aACP,oBAAoB,CAAC,SAAS,EAAE;YAC/B,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,uCAAuC;SAC3D,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,kEAAkE;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC;YACF,0EAA0E;aACzE,KAAK,CAAC,IAAI,CAAC,CACf,CAAA;KACF;IACD,yBAAyB;IAEzB,IAAI,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,CAAA;IACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;QAC9B,UAAU,GAAG,CAAC,UAAU,CAAC,CAAA;KAC1B;IAED,qEAAqE;IACrE,IAAI,OAAO,GAA0B,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IAEtE,+FAA+F;IAC/F,mBAAU;SACP,iBAAiB,CAAC,SAAS,CAAC;QAC7B,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,OAAO,mBAAU;aACd,oBAAoB,CAAC,SAAS,EAAE;YAC/B,4GAA4G;YAC5G,8BAA8B;YAC9B,WAAW,EAAE,UAAU;YAEvB,iFAAiF;YACjF,+EAA+E;YAC/E,8EAA8E;YAC9E,2FAA2F;YAC3F,EAAE;YACF,+DAA+D;YAC/D,OAAO,EAAE,IAAA,0CAA8B,EAAC,UAAU,EAAE,IAAI,EAAE,OAAO,CAAC;YAElE,iGAAiG;YACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;YAEjE,kGAAkG;YAClG,oEAAoE;YACpE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;YAEpC,0FAA0F;YAC1F,YAAY,EAAE,IAAI;SACnB,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,+DAA+D;YAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC,CAAA;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,4BAA4B;AAC9B,CAAC,CAAC,CAAA;AAEF,kBAAe,MAAM,CAAA"}

package/lib/oauth2/login.js

@@ -1,166 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-var express = require("express");
-var url = require("url");
-var config_1 = require("./config");
-var oidc_cert_1 = require("./stub/oidc-cert");
-var csrf = require('csurf');
-var urljoin = require('url-join');
-// Sets up csrf protection
-var csrfProtection = csrf({ cookie: true });
-var router = express.Router();
-router.get('/', csrfProtection, function (req, res, next) {
-    // Parses the URL query
-    var query = url.parse(req.url, true).query;
-    // The challenge is used to fetch information about the login request from ORY Hydra.
-    var challenge = String(query.login_challenge);
-    if (!challenge) {
-        next(new Error('Expected a login challenge to be set but received none.'));
-        return;
-    }
-    config_1.hydraAdmin.getLoginRequest(challenge)
-        .then(function (_a) {
-        var body = _a.data;
-        // If hydra was already able to authenticate the user, skip will be true and we do not need to re-authenticate
-        // the user.
-        if (body.skip) {
-            // You can apply logic here, for example update the number of times the user logged in.
-            // ...
-            // Now it's time to grant the login request. You could also deny the request if something went terribly wrong
-            // (e.g. your arch-enemy logging in...)
-            return config_1.hydraAdmin
-                .acceptLoginRequest(challenge, {
-                // All we need to do is to confirm that we indeed want to log in the user.
-                subject: String(body.subject)
-            })
-                .then(function (_a) {
-                var body = _a.data;
-                // All we need to do now is to redirect the user back to hydra!
-                res.redirect(String(body.redirect_to));
-            });
-        }
-        // If authentication can't be skipped we MUST show the login UI.
-        // return res.json({
-        //     csrfToken: (req as any).csrfToken(),
-        //     challenge: challenge,
-        //     action: urljoin(process.env.BASE_URL || '', '/login'),
-        //     hint: body.oidc_context?.login_hint || ''
-        // })
-        var user = req.user;
-        if (user) {
-            config_1.hydraAdmin
-                .acceptLoginRequest(challenge, {
-                // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
-                subject: user.userId,
-                // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
-                // set the "skip" parameter in the other route to true on subsequent requests!
-                remember: Boolean(req.body.remember),
-                // When the session expires, in seconds. Set this to 0 so it will never expire.
-                remember_for: 3600,
-                // Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
-                // and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
-                // acr: '0',
-                //
-                // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
-                // the app is built for the automated OpenID Connect Conformity Test Suite. You
-                // can peak inside the code for some ideas, but be aware that all data is fake
-                // and this only exists to fake a login system which works in accordance to OpenID Connect.
-                //
-                // If that variable is not set, the ACR value will be set to the default passed here ('0')
-                acr: (0, oidc_cert_1.oidcConformityMaybeFakeAcr)(body, '0')
-            })
-                .then(function (_a) {
-                var body = _a.data;
-                // All we need to do now is to redirect the user back to hydra!
-                res.redirect(String(body.redirect_to));
-            }).catch(function (error) {
-                console.log("oauth2 login acceptLoginRequest error", error.message);
-                next();
-            });
-        }
-        else {
-            res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/login?login_challenge=".concat(challenge))));
-        }
-    })
-        // This will handle any error that happens when making HTTP calls to hydra
-        .catch(function (error) {
-        console.log("oauth2 login error", error.message);
-        next();
-    });
-});
-// router.post('/', csrfProtection, (req, res, next) => {
-//     // The challenge is now a hidden input field, so let's take it from the request body instead
-//     const challenge = req.body.challenge
-//     // Let's see if the user decided to accept or reject the consent request..
-//     if (req.body.submit === 'Deny access') {
-//         // Looks like the consent request was denied by the user
-//         return (
-//             hydraAdmin
-//                 .rejectLoginRequest(challenge, {
-//                     error: 'access_denied',
-//                     error_description: 'The resource owner denied the request'
-//                 })
-//                 .then(({ data: body }) => {
-//                     // All we need to do now is to redirect the browser back to hydra!
-//                     res.redirect(String(body.redirect_to))
-//                 })
-//                 // This will handle any error that happens when making HTTP calls to hydra
-//                 .catch(next)
-//         )
-//     }
-//     // Let's check if the user provided valid credentials. Of course, you'd use a database or some third-party service
-//     // for this!
-//     if (!(req.body.email === 'foo@bar.com' && req.body.password === 'foobar')) {
-//         // Looks like the user provided invalid credentials, let's show the ui again...
-//         return res.json({
-//             csrfToken: (req as any).csrfToken(),
-//             challenge: challenge,
-//             error: 'The username / password combination is not correct'
-//         });
-//     }
-//     // Seems like the user authenticated! Let's tell hydra...
-//     hydraAdmin
-//         .getLoginRequest(challenge)
-//         .then(({ data: loginRequest }) =>
-//             hydraAdmin
-//                 .acceptLoginRequest(challenge, {
-//                     // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
-//                     subject: 'foo@bar.com',
-//                     // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
-//                     // set the "skip" parameter in the other route to true on subsequent requests!
-//                     remember: Boolean(req.body.remember),
-//                     // When the session expires, in seconds. Set this to 0 so it will never expire.
-//                     remember_for: 3600,
-//                     // Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
-//                     // and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
-//                     // acr: '0',
-//                     //
-//                     // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
-//                     // the app is built for the automated OpenID Connect Conformity Test Suite. You
-//                     // can peak inside the code for some ideas, but be aware that all data is fake
-//                     // and this only exists to fake a login system which works in accordance to OpenID Connect.
-//                     //
-//                     // If that variable is not set, the ACR value will be set to the default passed here ('0')
-//                     acr: oidcConformityMaybeFakeAcr(loginRequest, '0')
-//                 })
-//                 .then(({ data: body }) => {
-//                     // All we need to do now is to redirect the user back to hydra!
-//                     res.redirect(String(body.redirect_to))
-//                 })
-//         )
-//         // This will handle any error that happens when making HTTP calls to hydra
-//         .catch(next)
-//     // You could also deny the login request which tells hydra that no one authenticated!
-//     // hydra.rejectLoginRequest(challenge, {
-//     //   error: 'invalid_request',
-//     //   errorDescription: 'The user did something stupid...'
-//     // })
-//     //   .then(({body}) => {
-//     //     // All we need to do now is to redirect the browser back to hydra!
-//     //     res.redirect(String(body.redirectTo));
-//     //   })
-//     //   // This will handle any error that happens when making HTTP calls to hydra
-//     //   .catch(next);
-// })
-exports.default = router;
-//# sourceMappingURL=login.js.map

package/lib/oauth2/login.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/oauth2/login.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAA6D;AAC7D,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAI/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC3C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,qFAAqF;IACrF,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;IAC/C,IAAI,CAAC,SAAS,EAAE;QACZ,IAAI,CAAC,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC,CAAA;QAC1E,OAAM;KACT;IACA,mBAAU,CAAC,eAAe,CAAC,SAAS,CAAS;SACzC,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACf,8GAA8G;QAC9G,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,EAAE;YACX,uFAAuF;YACvF,MAAM;YAEN,6GAA6G;YAC7G,uCAAuC;YACvC,OAAO,mBAAU;iBACZ,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,0EAA0E;gBAC1E,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;aAChC,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAA;SACT;QAED,gEAAgE;QAChE,oBAAoB;QACpB,2CAA2C;QAC3C,4BAA4B;QAC5B,6DAA6D;QAC7D,gDAAgD;QAChD,KAAK;QACL,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;QAC9B,IAAI,IAAI,EAAE;YACN,mBAAU;iBACL,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,oGAAoG;gBACpG,OAAO,EAAE,IAAI,CAAC,MAAM;gBAEpB,iHAAiH;gBACjH,8EAA8E;gBAC9E,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAEpC,+EAA+E;gBAC/E,YAAY,EAAE,IAAI;gBAElB,kHAAkH;gBAClH,yGAAyG;gBACzG,YAAY;gBACZ,EAAE;gBACF,iFAAiF;gBACjF,+EAA+E;gBAC/E,8EAA8E;gBAC9E,2FAA2F;gBAC3F,EAAE;gBACF,0FAA0F;gBAC1F,GAAG,EAAE,IAAA,sCAA0B,EAAC,IAAI,EAAE,GAAG,CAAC;aAC7C,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAC,KAAK,CAAC,UAAC,KAAK;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBACpE,IAAI,EAAE,CAAA;YACV,CAAC,CAAC,CAAA;SACT;aAAM;YACH,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,wCAAiC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;SAC3I;IACL,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,UAAC,KAAK;QACT,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,EAAE,CAAA;IACV,CAAC,CAAC,CAAA;AACV,CAAC,CAAC,CAAA;AAEF,yDAAyD;AACzD,mGAAmG;AACnG,2CAA2C;AAE3C,iFAAiF;AACjF,+CAA+C;AAC/C,mEAAmE;AACnE,mBAAmB;AACnB,yBAAyB;AACzB,mDAAmD;AACnD,8CAA8C;AAC9C,iFAAiF;AACjF,qBAAqB;AACrB,8CAA8C;AAC9C,yFAAyF;AACzF,6DAA6D;AAC7D,qBAAqB;AACrB,6FAA6F;AAC7F,+BAA+B;AAC/B,YAAY;AACZ,QAAQ;AAER,yHAAyH;AACzH,mBAAmB;AACnB,mFAAmF;AACnF,0FAA0F;AAE1F,4BAA4B;AAC5B,mDAAmD;AACnD,oCAAoC;AACpC,0EAA0E;AAC1E,cAAc;AACd,QAAQ;AAER,gEAAgE;AAEhE,iBAAiB;AACjB,sCAAsC;AACtC,4CAA4C;AAC5C,yBAAyB;AACzB,mDAAmD;AACnD,2HAA2H;AAC3H,8CAA8C;AAE9C,wIAAwI;AACxI,qGAAqG;AACrG,4DAA4D;AAE5D,sGAAsG;AACtG,0CAA0C;AAE1C,yIAAyI;AACzI,gIAAgI;AAChI,mCAAmC;AACnC,yBAAyB;AACzB,wGAAwG;AACxG,sGAAsG;AACtG,qGAAqG;AACrG,kHAAkH;AAClH,yBAAyB;AACzB,iHAAiH;AACjH,yEAAyE;AACzE,qBAAqB;AACrB,8CAA8C;AAC9C,sFAAsF;AACtF,6DAA6D;AAC7D,qBAAqB;AACrB,YAAY;AACZ,qFAAqF;AACrF,uBAAuB;AAEvB,4FAA4F;AAC5F,+CAA+C;AAC/C,qCAAqC;AACrC,gEAAgE;AAChE,YAAY;AACZ,+BAA+B;AAC/B,gFAAgF;AAChF,oDAAoD;AACpD,cAAc;AACd,sFAAsF;AACtF,yBAAyB;AACzB,KAAK;AAEL,kBAAe,MAAM,CAAA"}

package/lib/oauth2/logout.js

@@ -1,60 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-var express = require("express");
-var url = require("url");
-var config_1 = require("./config");
-var csrf = require('csurf');
-var urljoin = require('url-join');
-// Sets up csrf protection
-var csrfProtection = csrf({ cookie: true });
-var router = express.Router();
-router.get('/', csrfProtection, function (req, res, next) {
-    // Parses the URL query
-    var query = url.parse(req.url, true).query;
-    // The challenge is used to fetch information about the logout request from ORY Hydra.
-    var challenge = String(query.logout_challenge);
-    if (!challenge) {
-        next(new Error('Expected a logout challenge to be set but received none.'));
-        return;
-    }
-    config_1.hydraAdmin
-        .getLogoutRequest(challenge)
-        // This will be called if the HTTP request was successful
-        .then(function () {
-        // Here we have access to e.g. response.subject, response.sid, ...
-        // The most secure way to perform a logout request is by asking the user if he/she really want to log out.
-        return res.status(200).send({
-            csrfToken: req.csrfToken(),
-            challenge: challenge,
-            action: urljoin(process.env.BASE_URL || '', '/logout')
-        });
-    })
-        // This will handle any error that happens when making HTTP calls to hydra
-        .catch(next);
-});
-router.post('/', csrfProtection, function (req, res, next) {
-    // The challenge is now a hidden input field, so let's take it from the request body instead
-    var challenge = req.body.challenge;
-    if (req.body.submit === 'No') {
-        return (config_1.hydraAdmin
-            .rejectLogoutRequest(challenge)
-            .then(function () {
-            // The user did not want to log out. Let's redirect him back somewhere or do something else.
-            res.redirect('https://www.ory.sh/');
-        })
-            // This will handle any error that happens when making HTTP calls to hydra
-            .catch(next));
-    }
-    // The user agreed to log out, let's accept the logout request.
-    config_1.hydraAdmin
-        .acceptLogoutRequest(challenge)
-        .then(function (_a) {
-        var body = _a.data;
-        // All we need to do now is to redirect the user back to hydra!
-        res.redirect(String(body.redirect_to));
-    })
-        // This will handle any error that happens when making HTTP calls to hydra
-        .catch(next);
-});
-exports.default = router;
-//# sourceMappingURL=logout.js.map

package/lib/oauth2/logout.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/oauth2/logout.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAE/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC7C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,sFAAsF;IACtF,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAChD,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC,CAAA;QAC3E,OAAM;KACP;IAED,mBAAU;SACP,gBAAgB,CAAC,SAAS,CAAC;QAC5B,yDAAyD;SACxD,IAAI,CAAC;QACJ,kEAAkE;QAElE,0GAA0G;QAC1G,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YAC1B,SAAS,EAAG,GAAW,CAAC,SAAS,EAAE;YACnC,SAAS,EAAE,SAAS;YACpB,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,EAAE,SAAS,CAAC;SACvD,CAAC,CAAA;IACJ,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;AAChB,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC9C,4FAA4F;IAC5F,IAAM,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAA;IAEpC,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE;QAC5B,OAAO,CACL,mBAAU;aACP,mBAAmB,CAAC,SAAS,CAAC;aAC9B,IAAI,CAAC;YACJ,4FAA4F;YAC5F,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAA;QACrC,CAAC,CAAC;YACF,0EAA0E;aACzE,KAAK,CAAC,IAAI,CAAC,CACf,CAAA;KACF;IAED,+DAA+D;IAC/D,mBAAU;SACP,mBAAmB,CAAC,SAAS,CAAC;SAC9B,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,+DAA+D;QAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;IACxC,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;AAChB,CAAC,CAAC,CAAA;AAEF,kBAAe,MAAM,CAAA"}

package/lib/oauth2/stub/oidc-cert.js

@@ -1,67 +0,0 @@
-"use strict";
-// This file contains logic which is used when running this application as part of the
-// OpenID Connect Conformance test suite. You can use it for inspiration, but please
-// do not use it in production as is.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.oidcConformityMaybeFakeSession = exports.oidcConformityMaybeFakeAcr = void 0;
-var tslib_1 = require("tslib");
-var oidcConformityMaybeFakeAcr = function (request, fallback) {
-    var _a;
-    if (process.env.CONFORMITY_FAKE_CLAIMS !== '1') {
-        return fallback;
-    }
-    return ((_a = request.oidc_context) === null || _a === void 0 ? void 0 : _a.acr_values) &&
-        request.oidc_context.acr_values.length > 0
-        ? request.oidc_context.acr_values[request.oidc_context.acr_values.length - 1]
-        : fallback;
-};
-exports.oidcConformityMaybeFakeAcr = oidcConformityMaybeFakeAcr;
-var oidcConformityMaybeFakeSession = function (grantScope, request, session) {
-    if (process.env.CONFORMITY_FAKE_CLAIMS !== '1') {
-        return session;
-    }
-    var idToken = {};
-    // If the email scope was granted, fake the email claims.
-    if (grantScope.indexOf('email') > -1) {
-        // But only do so if the email was requested!
-        idToken.email = 'foo@bar.com';
-        idToken.email_verified = true;
-    }
-    // If the phone scope was granted, fake the phone claims.
-    if (grantScope.indexOf('phone') > -1) {
-        idToken.phone_number = '1337133713371337';
-        idToken.phone_number_verified = true;
-    }
-    // If the profile scope was granted, fake the profile claims.
-    if (grantScope.indexOf('profile') > -1) {
-        idToken.name = 'Foo Bar';
-        idToken.given_name = 'Foo';
-        idToken.family_name = 'Bar';
-        idToken.website = 'https://www.ory.sh';
-        idToken.zoneinfo = 'Europe/Belrin';
-        idToken.birthdate = '1.1.2014';
-        idToken.gender = 'robot';
-        idToken.profile = 'https://www.ory.sh';
-        idToken.preferred_username = 'robot';
-        idToken.middle_name = 'Baz';
-        idToken.locale = 'en-US';
-        idToken.picture =
-            'https://raw.githubusercontent.com/ory/web/master/static/images/favico.png';
-        idToken.updated_at = 1604416603;
-        idToken.nickname = 'foobot';
-    }
-    // If the address scope was granted, fake the address claims.
-    if (grantScope.indexOf('address') > -1) {
-        idToken.address = {
-            country: 'Localhost',
-            region: 'Intranet',
-            street_address: 'Local Street 1337'
-        };
-    }
-    return {
-        access_token: session.access_token,
-        id_token: tslib_1.__assign(tslib_1.__assign({}, idToken), session.id_token)
-    };
-};
-exports.oidcConformityMaybeFakeSession = oidcConformityMaybeFakeSession;
-//# sourceMappingURL=oidc-cert.js.map

package/lib/oauth2/stub/oidc-cert.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oidc-cert.js","sourceRoot":"","sources":["../../../src/oauth2/stub/oidc-cert.ts"],"names":[],"mappings":";AAAA,sFAAsF;AACtF,oFAAoF;AACpF,qCAAqC;;;;AAQ9B,IAAM,0BAA0B,GAAG,UACxC,OAAqB,EACrB,QAAgB;;IAEhB,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,EAAE;QAC9C,OAAO,QAAQ,CAAA;KAChB;IAED,OAAO,CAAA,MAAA,OAAO,CAAC,YAAY,0CAAE,UAAU;QACrC,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1C,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,UAAU,CAC7B,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAC3C;QACH,CAAC,CAAC,QAAQ,CAAA;AACd,CAAC,CAAA;AAdY,QAAA,0BAA0B,8BActC;AAEM,IAAM,8BAA8B,GAAG,UAC5C,UAAoB,EACpB,OAAuB,EACvB,OAA8B;IAE9B,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,EAAE;QAC9C,OAAO,OAAO,CAAA;KACf;IAED,IAAM,OAAO,GAA2B,EAAE,CAAA;IAE1C,yDAAyD;IACzD,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE;QACpC,6CAA6C;QAC7C,OAAO,CAAC,KAAK,GAAG,aAAa,CAAA;QAC7B,OAAO,CAAC,cAAc,GAAG,IAAI,CAAA;KAC9B;IAED,yDAAyD;IACzD,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE;QACpC,OAAO,CAAC,YAAY,GAAG,kBAAkB,CAAA;QACzC,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAA;KACrC;IAED,6DAA6D;IAC7D,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE;QACtC,OAAO,CAAC,IAAI,GAAG,SAAS,CAAA;QACxB,OAAO,CAAC,UAAU,GAAG,KAAK,CAAA;QAC1B,OAAO,CAAC,WAAW,GAAG,KAAK,CAAA;QAC3B,OAAO,CAAC,OAAO,GAAG,oBAAoB,CAAA;QACtC,OAAO,CAAC,QAAQ,GAAG,eAAe,CAAA;QAClC,OAAO,CAAC,SAAS,GAAG,UAAU,CAAA;QAC9B,OAAO,CAAC,MAAM,GAAG,OAAO,CAAA;QACxB,OAAO,CAAC,OAAO,GAAG,oBAAoB,CAAA;QACtC,OAAO,CAAC,kBAAkB,GAAG,OAAO,CAAA;QACpC,OAAO,CAAC,WAAW,GAAG,KAAK,CAAA;QAC3B,OAAO,CAAC,MAAM,GAAG,OAAO,CAAA;QACxB,OAAO,CAAC,OAAO;YACb,2EAA2E,CAAA;QAC7E,OAAO,CAAC,UAAU,GAAG,UAAU,CAAA;QAC/B,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAA;KAC5B;IAED,6DAA6D;IAC7D,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE;QACtC,OAAO,CAAC,OAAO,GAAG;YAChB,OAAO,EAAE,WAAW;YACpB,MAAM,EAAE,UAAU;YAClB,cAAc,EAAE,mBAAmB;SACpC,CAAA;KACF;IAED,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,wCACH,OAAO,GACP,OAAO,CAAC,QAAQ,CACpB;KACF,CAAA;AACH,CAAC,CAAA;AA3DY,QAAA,8BAA8B,kCA2D1C"}