@strapi/core 0.0.0-experimental.008123965da692a55d02a1df63facc54077c6bde → 0.0.0-experimental.00b482b8dcda6164537baf70d52b4b2535560c36

package/dist/services/session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.d.ts","sourceRoot":"","sources":["../../src/services/session-manager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAiB,MAAM,cAAc,CAAC;AAC7D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAGjD,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACnD,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAChE,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5F;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,IAAI,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;IAC7B,MAAM,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,SAAS,EAAE,IAAI,CAAC;IAChB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,MAAM,YAAY,GAAG,mBAAmB,GAAG,kBAAkB,CAAC;AAEpE,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EACF,eAAe,GACf,eAAe,GACf,mBAAmB,GACnB,iBAAiB,GACjB,kBAAkB,CAAC;CACxB;AAqDD,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,uBAAuB,EAAE,MAAM,CAAC;IAChC,wBAAwB,EAAE,MAAM,CAAC;IACjC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAkB;IAElC,OAAO,CAAC,MAAM,CAAuB;IAGrC,OAAO,CAAC,wBAAwB,CAAa;IAE7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAc;gBAEpC,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,oBAAoB;IAKnE,iBAAiB,IAAI,MAAM;YAIb,mBAAmB;IAS3B,oBAAoB,CACxB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,SAAS,GAAG,SAAS,CAAA;KAAE,GAC/C,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IA0D7F,mBAAmB,CACjB,KAAK,EAAE,MAAM,GACZ;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,OAAO,EAAE,kBAAkB,CAAA;KAAE,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,OAAO,EAAE,IAAI,CAAA;KAAE;IAiB/E,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAsDxE,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxF,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBzF,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CACnD;QACE,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;KAC7B,GACD;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CACpB;IAuID;;;OAGG;IACG,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAe3D;AAED,QAAA,MAAM,sBAAsB,OAAQ,QAAQ,eAAe,MAAM,KAAG,eAEnE,CAAC;AAEF,QAAA,MAAM,oBAAoB,mBAAoB;IAAE,EAAE,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,oBAAoB,CAAA;CAAE,mBAG3F,CAAC;AAEF,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/services/session-manager.js

@@ -0,0 +1,380 @@
+'use strict';
+
+var crypto = require('crypto');
+var jwt = require('jsonwebtoken');
+var constants = require('../constants.js');
+
+class DatabaseSessionProvider {
+    async create(session) {
+        const result = await this.db.query(this.contentType).create({
+            data: session
+        });
+        return result;
+    }
+    async findBySessionId(sessionId) {
+        const result = await this.db.query(this.contentType).findOne({
+            where: {
+                sessionId
+            }
+        });
+        return result;
+    }
+    async updateBySessionId(sessionId, data) {
+        await this.db.query(this.contentType).update({
+            where: {
+                sessionId
+            },
+            data
+        });
+    }
+    async deleteBySessionId(sessionId) {
+        await this.db.query(this.contentType).delete({
+            where: {
+                sessionId
+            }
+        });
+    }
+    async deleteExpired() {
+        await this.db.query(this.contentType).deleteMany({
+            where: {
+                absoluteExpiresAt: {
+                    $lt: new Date()
+                }
+            }
+        });
+    }
+    async deleteBy(criteria) {
+        await this.db.query(this.contentType).deleteMany({
+            where: {
+                ...criteria.userId ? {
+                    userId: criteria.userId
+                } : {},
+                ...criteria.origin ? {
+                    origin: criteria.origin
+                } : {},
+                ...criteria.deviceId ? {
+                    deviceId: criteria.deviceId
+                } : {}
+            }
+        });
+    }
+    constructor(db, contentType){
+        this.db = db;
+        this.contentType = contentType;
+    }
+}
+class SessionManager {
+    generateSessionId() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+    async maybeCleanupExpired() {
+        this.cleanupInvocationCounter += 1;
+        if (this.cleanupInvocationCounter >= this.cleanupEveryCalls) {
+            this.cleanupInvocationCounter = 0;
+            await this.provider.deleteExpired();
+        }
+    }
+    async generateRefreshToken(userId, deviceId, origin, options) {
+        await this.maybeCleanupExpired();
+        const sessionId = this.generateSessionId();
+        const familyType = options?.familyType ?? 'refresh';
+        const isRefresh = familyType === 'refresh';
+        const idleLifespan = isRefresh ? this.config.idleRefreshTokenLifespan : this.config.idleSessionLifespan;
+        const maxLifespan = isRefresh ? this.config.maxRefreshTokenLifespan : this.config.maxSessionLifespan;
+        const now = Date.now();
+        const expiresAt = new Date(now + idleLifespan * 1000);
+        const absoluteExpiresAt = new Date(now + maxLifespan * 1000);
+        // Create the root record first so createdAt can be used for signing.
+        const record = await this.provider.create({
+            userId,
+            sessionId,
+            deviceId,
+            origin,
+            parentId: null,
+            childId: null,
+            familyId: sessionId,
+            type: familyType,
+            status: 'active',
+            expiresAt,
+            absoluteExpiresAt
+        });
+        const issuedAtSeconds = Math.floor(new Date(record.createdAt ?? new Date()).getTime() / 1000);
+        const expiresAtSeconds = Math.floor(new Date(record.expiresAt).getTime() / 1000);
+        const payload = {
+            userId,
+            sessionId,
+            type: 'refresh',
+            iat: issuedAtSeconds,
+            exp: expiresAtSeconds
+        };
+        const token = jwt.sign(payload, this.config.jwtSecret, {
+            algorithm: this.config.algorithm ?? constants.DEFAULT_ALGORITHM,
+            noTimestamp: true
+        });
+        return {
+            token,
+            sessionId,
+            absoluteExpiresAt: absoluteExpiresAt.toISOString(),
+            familyId: record.familyId
+        };
+    }
+    validateAccessToken(token) {
+        try {
+            const payload = jwt.verify(token, this.config.jwtSecret, {
+                algorithms: [
+                    this.config.algorithm ?? constants.DEFAULT_ALGORITHM
+                ]
+            });
+            // Ensure this is an access token
+            if (!payload || payload.type !== 'access') {
+                return {
+                    isValid: false,
+                    payload: null
+                };
+            }
+            return {
+                isValid: true,
+                payload
+            };
+        } catch (err) {
+            return {
+                isValid: false,
+                payload: null
+            };
+        }
+    }
+    async validateRefreshToken(token) {
+        try {
+            const verifyOptions = {
+                algorithms: [
+                    this.config.algorithm ?? constants.DEFAULT_ALGORITHM
+                ]
+            };
+            const payload = jwt.verify(token, this.config.jwtSecret, verifyOptions);
+            if (payload.type !== 'refresh') {
+                return {
+                    isValid: false
+                };
+            }
+            const session = await this.provider.findBySessionId(payload.sessionId);
+            if (!session) {
+                return {
+                    isValid: false
+                };
+            }
+            const now = new Date();
+            if (new Date(session.expiresAt) <= now) {
+                return {
+                    isValid: false
+                };
+            }
+            // Absolute family expiry check
+            if (session.absoluteExpiresAt && new Date(session.absoluteExpiresAt) <= now) {
+                return {
+                    isValid: false
+                };
+            }
+            // Only 'active' sessions are eligible to create access tokens.
+            if (session.status !== 'active') {
+                return {
+                    isValid: false
+                };
+            }
+            if (session.userId !== payload.userId) {
+                return {
+                    isValid: false
+                };
+            }
+            return {
+                isValid: true,
+                userId: payload.userId,
+                sessionId: payload.sessionId
+            };
+        } catch (error) {
+            if (error instanceof jwt.JsonWebTokenError) {
+                return {
+                    isValid: false
+                };
+            }
+            throw error;
+        }
+    }
+    async invalidateRefreshToken(origin, userId, deviceId) {
+        await this.provider.deleteBy({
+            userId,
+            origin,
+            deviceId
+        });
+    }
+    async generateAccessToken(refreshToken) {
+        const validation = await this.validateRefreshToken(refreshToken);
+        if (!validation.isValid) {
+            return {
+                error: 'invalid_refresh_token'
+            };
+        }
+        const payload = {
+            userId: String(validation.userId),
+            sessionId: validation.sessionId,
+            type: 'access'
+        };
+        const token = jwt.sign(payload, this.config.jwtSecret, {
+            algorithm: this.config.algorithm ?? constants.DEFAULT_ALGORITHM,
+            expiresIn: this.config.accessTokenLifespan
+        });
+        return {
+            token
+        };
+    }
+    async rotateRefreshToken(refreshToken) {
+        try {
+            const payload = jwt.verify(refreshToken, this.config.jwtSecret, {
+                algorithms: [
+                    this.config.algorithm ?? constants.DEFAULT_ALGORITHM
+                ]
+            });
+            if (!payload || payload.type !== 'refresh') {
+                return {
+                    error: 'invalid_refresh_token'
+                };
+            }
+            const current = await this.provider.findBySessionId(payload.sessionId);
+            if (!current) {
+                return {
+                    error: 'invalid_refresh_token'
+                };
+            }
+            // If parent already has a child, return the same child token
+            if (current.childId) {
+                const child = await this.provider.findBySessionId(current.childId);
+                if (child) {
+                    const childIat = Math.floor(new Date(child.createdAt ?? new Date()).getTime() / 1000);
+                    const childExp = Math.floor(new Date(child.expiresAt).getTime() / 1000);
+                    const childPayload = {
+                        userId: child.userId,
+                        sessionId: child.sessionId,
+                        type: 'refresh',
+                        iat: childIat,
+                        exp: childExp
+                    };
+                    const childToken = jwt.sign(childPayload, this.config.jwtSecret, {
+                        algorithm: this.config.algorithm ?? constants.DEFAULT_ALGORITHM,
+                        noTimestamp: true
+                    });
+                    let absoluteExpiresAt;
+                    if (child.absoluteExpiresAt) {
+                        absoluteExpiresAt = typeof child.absoluteExpiresAt === 'string' ? child.absoluteExpiresAt : child.absoluteExpiresAt.toISOString();
+                    } else {
+                        absoluteExpiresAt = new Date(0).toISOString();
+                    }
+                    return {
+                        token: childToken,
+                        sessionId: child.sessionId,
+                        absoluteExpiresAt,
+                        familyId: String(child.familyId ?? child.sessionId),
+                        type: child.type ?? 'refresh'
+                    };
+                }
+            }
+            const now = Date.now();
+            const familyType = current.type ?? 'refresh';
+            const idleLifespan = familyType === 'refresh' ? this.config.idleRefreshTokenLifespan : this.config.idleSessionLifespan;
+            // Enforce idle window since creation of the current token
+            if (current.createdAt && now - new Date(current.createdAt).getTime() > idleLifespan * 1000) {
+                return {
+                    error: 'idle_window_elapsed'
+                };
+            }
+            // Enforce max family window using absoluteExpiresAt
+            const absolute = current.absoluteExpiresAt ? new Date(current.absoluteExpiresAt).getTime() : now;
+            if (absolute <= now) {
+                return {
+                    error: 'max_window_elapsed'
+                };
+            }
+            // Create child token
+            const childSessionId = this.generateSessionId();
+            const childExpiresAt = new Date(now + idleLifespan * 1000);
+            const childRecord = await this.provider.create({
+                userId: current.userId,
+                sessionId: childSessionId,
+                deviceId: current.deviceId,
+                origin: current.origin,
+                parentId: current.sessionId,
+                childId: null,
+                familyId: current.familyId ?? current.sessionId,
+                type: familyType,
+                status: 'active',
+                expiresAt: childExpiresAt,
+                absoluteExpiresAt: current.absoluteExpiresAt ?? new Date(absolute)
+            });
+            const childIat = Math.floor(new Date(childRecord.createdAt ?? new Date()).getTime() / 1000);
+            const childExp = Math.floor(new Date(childRecord.expiresAt).getTime() / 1000);
+            const payloadOut = {
+                userId: current.userId,
+                sessionId: childSessionId,
+                type: 'refresh',
+                iat: childIat,
+                exp: childExp
+            };
+            const childToken = jwt.sign(payloadOut, this.config.jwtSecret, {
+                algorithm: this.config.algorithm ?? constants.DEFAULT_ALGORITHM,
+                noTimestamp: true
+            });
+            await this.provider.updateBySessionId(current.sessionId, {
+                status: 'rotated',
+                childId: childSessionId
+            });
+            let absoluteExpiresAt;
+            if (childRecord.absoluteExpiresAt) {
+                absoluteExpiresAt = typeof childRecord.absoluteExpiresAt === 'string' ? childRecord.absoluteExpiresAt : childRecord.absoluteExpiresAt.toISOString();
+            } else {
+                absoluteExpiresAt = new Date(absolute).toISOString();
+            }
+            return {
+                token: childToken,
+                sessionId: childSessionId,
+                absoluteExpiresAt,
+                familyId: String(childRecord.familyId ?? childRecord.sessionId),
+                type: familyType
+            };
+        } catch  {
+            return {
+                error: 'invalid_refresh_token'
+            };
+        }
+    }
+    /**
+   * Returns true when a session exists and is not expired.
+   * If the session exists but is expired, it will be deleted as part of this check.
+   */ async isSessionActive(sessionId) {
+        const session = await this.provider.findBySessionId(sessionId);
+        if (!session) {
+            return false;
+        }
+        if (new Date(session.expiresAt) <= new Date()) {
+            // Clean up expired session eagerly
+            await this.provider.deleteBySessionId(sessionId);
+            return false;
+        }
+        return true;
+    }
+    constructor(provider, config){
+        // Run expired cleanup only every N calls to avoid extra queries
+        this.cleanupInvocationCounter = 0;
+        this.cleanupEveryCalls = 50;
+        this.provider = provider;
+        this.config = config;
+    }
+}
+const createDatabaseProvider = (db, contentType)=>{
+    return new DatabaseSessionProvider(db, contentType);
+};
+const createSessionManager = ({ db, config })=>{
+    const provider = createDatabaseProvider(db, 'admin::session');
+    return new SessionManager(provider, config);
+};
+
+exports.createDatabaseProvider = createDatabaseProvider;
+exports.createSessionManager = createSessionManager;
+//# sourceMappingURL=session-manager.js.map

package/dist/services/session-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.js","sources":["../../src/services/session-manager.ts"],"sourcesContent":["import crypto from 'crypto';\nimport jwt from 'jsonwebtoken';\nimport type { Algorithm, VerifyOptions } from 'jsonwebtoken';\nimport type { Database } from '@strapi/database';\nimport { DEFAULT_ALGORITHM } from '../constants';\n\nexport interface SessionProvider {\n  create(session: SessionData): Promise<SessionData>;\n  findBySessionId(sessionId: string): Promise<SessionData | null>;\n  updateBySessionId(sessionId: string, data: Partial<SessionData>): Promise<void>;\n  deleteBySessionId(sessionId: string): Promise<void>;\n  deleteExpired(): Promise<void>;\n  deleteBy(criteria: { userId?: string; origin?: string; deviceId?: string }): Promise<void>;\n}\n\nexport interface SessionData {\n  id?: string;\n  userId: string; // User ID stored as string (key-value store)\n  sessionId: string;\n  deviceId: string;\n  origin: string;\n  parentId?: string | null;\n  childId?: string | null;\n  familyId?: string | null;\n  type?: 'refresh' | 'session';\n  status?: 'active' | 'rotated' | 'revoked';\n  expiresAt: Date;\n  absoluteExpiresAt?: Date | null;\n  createdAt?: Date;\n  updatedAt?: Date;\n}\n\nexport interface RefreshTokenPayload {\n  userId: string;\n  sessionId: string;\n  type: 'refresh';\n  exp: number;\n  iat: number;\n}\n\nexport interface AccessTokenPayload {\n  userId: string;\n  sessionId: string;\n  type: 'access';\n  exp: number;\n  iat: number;\n}\n\nexport type TokenPayload = RefreshTokenPayload | AccessTokenPayload;\n\nexport interface ValidateRefreshTokenResult {\n  isValid: boolean;\n  userId?: string;\n  sessionId?: string;\n  error?:\n    | 'invalid_token'\n    | 'token_expired'\n    | 'session_not_found'\n    | 'session_expired'\n    | 'wrong_token_type';\n}\n\nclass DatabaseSessionProvider implements SessionProvider {\n  private db: Database;\n\n  private contentType: string;\n\n  constructor(db: Database, contentType: string) {\n    this.db = db;\n    this.contentType = contentType;\n  }\n\n  async create(session: SessionData): Promise<SessionData> {\n    const result = await this.db.query(this.contentType).create({\n      data: session,\n    });\n    return result as SessionData;\n  }\n\n  async findBySessionId(sessionId: string): Promise<SessionData | null> {\n    const result = await this.db.query(this.contentType).findOne({\n      where: { sessionId },\n    });\n    return result as SessionData | null;\n  }\n\n  async updateBySessionId(sessionId: string, data: Partial<SessionData>): Promise<void> {\n    await this.db.query(this.contentType).update({ where: { sessionId }, data });\n  }\n\n  async deleteBySessionId(sessionId: string): Promise<void> {\n    await this.db.query(this.contentType).delete({\n      where: { sessionId },\n    });\n  }\n\n  async deleteExpired(): Promise<void> {\n    await this.db.query(this.contentType).deleteMany({\n      where: { absoluteExpiresAt: { $lt: new Date() } },\n    });\n  }\n\n  async deleteBy(criteria: { userId?: string; origin?: string; deviceId?: string }): Promise<void> {\n    await this.db.query(this.contentType).deleteMany({\n      where: {\n        ...(criteria.userId ? { userId: criteria.userId } : {}),\n        ...(criteria.origin ? { origin: criteria.origin } : {}),\n        ...(criteria.deviceId ? { deviceId: criteria.deviceId } : {}),\n      },\n    });\n  }\n}\n\nexport interface SessionManagerConfig {\n  jwtSecret: string;\n  accessTokenLifespan: number;\n  maxRefreshTokenLifespan: number;\n  idleRefreshTokenLifespan: number;\n  maxSessionLifespan: number;\n  idleSessionLifespan: number;\n  /**\n   * JWT signing/verification algorithm. Defaults to 'HS256' when not provided.\n   */\n  algorithm?: Algorithm;\n}\n\nclass SessionManager {\n  private provider: SessionProvider;\n\n  private config: SessionManagerConfig;\n\n  // Run expired cleanup only every N calls to avoid extra queries\n  private cleanupInvocationCounter: number = 0;\n\n  private readonly cleanupEveryCalls: number = 50;\n\n  constructor(provider: SessionProvider, config: SessionManagerConfig) {\n    this.provider = provider;\n    this.config = config;\n  }\n\n  generateSessionId(): string {\n    return crypto.randomBytes(16).toString('hex');\n  }\n\n  private async maybeCleanupExpired(): Promise<void> {\n    this.cleanupInvocationCounter += 1;\n    if (this.cleanupInvocationCounter >= this.cleanupEveryCalls) {\n      this.cleanupInvocationCounter = 0;\n\n      await this.provider.deleteExpired();\n    }\n  }\n\n  async generateRefreshToken(\n    userId: string,\n    deviceId: string,\n    origin: string,\n    options?: { familyType?: 'refresh' | 'session' }\n  ): Promise<{ token: string; sessionId: string; absoluteExpiresAt: string; familyId: string }> {\n    await this.maybeCleanupExpired();\n\n    const sessionId = this.generateSessionId();\n    const familyType = options?.familyType ?? 'refresh';\n    const isRefresh = familyType === 'refresh';\n\n    const idleLifespan = isRefresh\n      ? this.config.idleRefreshTokenLifespan\n      : this.config.idleSessionLifespan;\n\n    const maxLifespan = isRefresh\n      ? this.config.maxRefreshTokenLifespan\n      : this.config.maxSessionLifespan;\n\n    const now = Date.now();\n    const expiresAt = new Date(now + idleLifespan * 1000);\n    const absoluteExpiresAt = new Date(now + maxLifespan * 1000);\n\n    // Create the root record first so createdAt can be used for signing.\n    const record = await this.provider.create({\n      userId,\n      sessionId,\n      deviceId,\n      origin,\n      parentId: null,\n      childId: null,\n      familyId: sessionId,\n      type: familyType,\n      status: 'active',\n      expiresAt,\n      absoluteExpiresAt,\n    });\n\n    const issuedAtSeconds = Math.floor(new Date(record.createdAt ?? new Date()).getTime() / 1000);\n    const expiresAtSeconds = Math.floor(new Date(record.expiresAt).getTime() / 1000);\n\n    const payload: RefreshTokenPayload = {\n      userId,\n      sessionId,\n      type: 'refresh',\n      iat: issuedAtSeconds,\n      exp: expiresAtSeconds,\n    };\n\n    const token = jwt.sign(payload, this.config.jwtSecret, {\n      algorithm: this.config.algorithm ?? DEFAULT_ALGORITHM,\n      noTimestamp: true,\n    });\n\n    return {\n      token,\n      sessionId,\n      absoluteExpiresAt: absoluteExpiresAt.toISOString(),\n      familyId: record.familyId!,\n    };\n  }\n\n  validateAccessToken(\n    token: string\n  ): { isValid: true; payload: AccessTokenPayload } | { isValid: false; payload: null } {\n    try {\n      const payload = jwt.verify(token, this.config.jwtSecret, {\n        algorithms: [this.config.algorithm ?? DEFAULT_ALGORITHM],\n      }) as TokenPayload;\n\n      // Ensure this is an access token\n      if (!payload || payload.type !== 'access') {\n        return { isValid: false, payload: null };\n      }\n\n      return { isValid: true, payload };\n    } catch (err) {\n      return { isValid: false, payload: null };\n    }\n  }\n\n  async validateRefreshToken(token: string): Promise<ValidateRefreshTokenResult> {\n    try {\n      const verifyOptions: VerifyOptions = {\n        algorithms: [this.config.algorithm ?? DEFAULT_ALGORITHM],\n      };\n\n      const payload = jwt.verify(\n        token,\n        this.config.jwtSecret,\n        verifyOptions\n      ) as RefreshTokenPayload;\n\n      if (payload.type !== 'refresh') {\n        return { isValid: false };\n      }\n\n      const session = await this.provider.findBySessionId(payload.sessionId);\n      if (!session) {\n        return { isValid: false };\n      }\n\n      const now = new Date();\n      if (new Date(session.expiresAt) <= now) {\n        return { isValid: false };\n      }\n\n      // Absolute family expiry check\n      if (session.absoluteExpiresAt && new Date(session.absoluteExpiresAt) <= now) {\n        return { isValid: false };\n      }\n\n      // Only 'active' sessions are eligible to create access tokens.\n      if (session.status !== 'active') {\n        return { isValid: false };\n      }\n\n      if (session.userId !== payload.userId) {\n        return { isValid: false };\n      }\n\n      return {\n        isValid: true,\n        userId: payload.userId,\n        sessionId: payload.sessionId,\n      };\n    } catch (error: any) {\n      if (error instanceof jwt.JsonWebTokenError) {\n        return { isValid: false };\n      }\n\n      throw error;\n    }\n  }\n\n  async invalidateRefreshToken(origin: string, userId: string, deviceId?: string): Promise<void> {\n    await this.provider.deleteBy({ userId, origin, deviceId });\n  }\n\n  async generateAccessToken(refreshToken: string): Promise<{ token: string } | { error: string }> {\n    const validation = await this.validateRefreshToken(refreshToken);\n\n    if (!validation.isValid) {\n      return { error: 'invalid_refresh_token' };\n    }\n\n    const payload: Omit<AccessTokenPayload, 'iat' | 'exp'> = {\n      userId: String(validation.userId!),\n      sessionId: validation.sessionId!,\n      type: 'access',\n    };\n\n    const token = jwt.sign(payload, this.config.jwtSecret, {\n      algorithm: this.config.algorithm ?? DEFAULT_ALGORITHM,\n      expiresIn: this.config.accessTokenLifespan,\n    });\n\n    return { token };\n  }\n\n  async rotateRefreshToken(refreshToken: string): Promise<\n    | {\n        token: string;\n        sessionId: string;\n        absoluteExpiresAt: string;\n        familyId: string;\n        type: 'refresh' | 'session';\n      }\n    | { error: string }\n  > {\n    try {\n      const payload = jwt.verify(refreshToken, this.config.jwtSecret, {\n        algorithms: [this.config.algorithm ?? DEFAULT_ALGORITHM],\n      }) as RefreshTokenPayload;\n\n      if (!payload || payload.type !== 'refresh') {\n        return { error: 'invalid_refresh_token' };\n      }\n\n      const current = await this.provider.findBySessionId(payload.sessionId);\n      if (!current) {\n        return { error: 'invalid_refresh_token' };\n      }\n\n      // If parent already has a child, return the same child token\n      if (current.childId) {\n        const child = await this.provider.findBySessionId(current.childId);\n\n        if (child) {\n          const childIat = Math.floor(new Date(child.createdAt ?? new Date()).getTime() / 1000);\n          const childExp = Math.floor(new Date(child.expiresAt).getTime() / 1000);\n\n          const childPayload: RefreshTokenPayload = {\n            userId: child.userId,\n            sessionId: child.sessionId,\n            type: 'refresh',\n            iat: childIat,\n            exp: childExp,\n          };\n\n          const childToken = jwt.sign(childPayload, this.config.jwtSecret, {\n            algorithm: this.config.algorithm ?? DEFAULT_ALGORITHM,\n            noTimestamp: true,\n          });\n\n          let absoluteExpiresAt;\n          if (child.absoluteExpiresAt) {\n            absoluteExpiresAt =\n              typeof child.absoluteExpiresAt === 'string'\n                ? child.absoluteExpiresAt\n                : child.absoluteExpiresAt.toISOString();\n          } else {\n            absoluteExpiresAt = new Date(0).toISOString();\n          }\n\n          return {\n            token: childToken,\n            sessionId: child.sessionId,\n            absoluteExpiresAt,\n            familyId: String(child.familyId ?? child.sessionId),\n            type: child.type ?? 'refresh',\n          };\n        }\n      }\n\n      const now = Date.now();\n      const familyType = current.type ?? 'refresh';\n      const idleLifespan =\n        familyType === 'refresh'\n          ? this.config.idleRefreshTokenLifespan\n          : this.config.idleSessionLifespan;\n\n      // Enforce idle window since creation of the current token\n      if (current.createdAt && now - new Date(current.createdAt).getTime() > idleLifespan * 1000) {\n        return { error: 'idle_window_elapsed' };\n      }\n\n      // Enforce max family window using absoluteExpiresAt\n      const absolute = current.absoluteExpiresAt\n        ? new Date(current.absoluteExpiresAt).getTime()\n        : now;\n      if (absolute <= now) {\n        return { error: 'max_window_elapsed' };\n      }\n\n      // Create child token\n      const childSessionId = this.generateSessionId();\n      const childExpiresAt = new Date(now + idleLifespan * 1000);\n\n      const childRecord = await this.provider.create({\n        userId: current.userId,\n        sessionId: childSessionId,\n        deviceId: current.deviceId,\n        origin: current.origin,\n        parentId: current.sessionId,\n        childId: null,\n        familyId: current.familyId ?? current.sessionId,\n        type: familyType,\n        status: 'active',\n        expiresAt: childExpiresAt,\n        absoluteExpiresAt: current.absoluteExpiresAt ?? new Date(absolute),\n      });\n\n      const childIat = Math.floor(new Date(childRecord.createdAt ?? new Date()).getTime() / 1000);\n      const childExp = Math.floor(new Date(childRecord.expiresAt).getTime() / 1000);\n      const payloadOut: RefreshTokenPayload = {\n        userId: current.userId,\n        sessionId: childSessionId,\n        type: 'refresh',\n        iat: childIat,\n        exp: childExp,\n      };\n      const childToken = jwt.sign(payloadOut, this.config.jwtSecret, {\n        algorithm: this.config.algorithm ?? DEFAULT_ALGORITHM,\n        noTimestamp: true,\n      });\n\n      await this.provider.updateBySessionId(current.sessionId, {\n        status: 'rotated',\n        childId: childSessionId,\n      });\n\n      let absoluteExpiresAt;\n      if (childRecord.absoluteExpiresAt) {\n        absoluteExpiresAt =\n          typeof childRecord.absoluteExpiresAt === 'string'\n            ? childRecord.absoluteExpiresAt\n            : childRecord.absoluteExpiresAt.toISOString();\n      } else {\n        absoluteExpiresAt = new Date(absolute).toISOString();\n      }\n\n      return {\n        token: childToken,\n        sessionId: childSessionId,\n        absoluteExpiresAt,\n        familyId: String(childRecord.familyId ?? childRecord.sessionId),\n        type: familyType,\n      };\n    } catch {\n      return { error: 'invalid_refresh_token' };\n    }\n  }\n\n  /**\n   * Returns true when a session exists and is not expired.\n   * If the session exists but is expired, it will be deleted as part of this check.\n   */\n  async isSessionActive(sessionId: string): Promise<boolean> {\n    const session = await this.provider.findBySessionId(sessionId);\n    if (!session) {\n      return false;\n    }\n\n    if (new Date(session.expiresAt) <= new Date()) {\n      // Clean up expired session eagerly\n      await this.provider.deleteBySessionId(sessionId);\n\n      return false;\n    }\n\n    return true;\n  }\n}\n\nconst createDatabaseProvider = (db: Database, contentType: string): SessionProvider => {\n  return new DatabaseSessionProvider(db, contentType);\n};\n\nconst createSessionManager = ({ db, config }: { db: Database; config: SessionManagerConfig }) => {\n  const provider = createDatabaseProvider(db, 'admin::session');\n  return new SessionManager(provider, config);\n};\n\nexport { createSessionManager, createDatabaseProvider };\n"],"names":["DatabaseSessionProvider","create","session","result","db","query","contentType","data","findBySessionId","sessionId","findOne","where","updateBySessionId","update","deleteBySessionId","delete","deleteExpired","deleteMany","absoluteExpiresAt","$lt","Date","deleteBy","criteria","userId","origin","deviceId","constructor","SessionManager","generateSessionId","crypto","randomBytes","toString","maybeCleanupExpired","cleanupInvocationCounter","cleanupEveryCalls","provider","generateRefreshToken","options","familyType","isRefresh","idleLifespan","config","idleRefreshTokenLifespan","idleSessionLifespan","maxLifespan","maxRefreshTokenLifespan","maxSessionLifespan","now","expiresAt","record","parentId","childId","familyId","type","status","issuedAtSeconds","Math","floor","createdAt","getTime","expiresAtSeconds","payload","iat","exp","token","jwt","sign","jwtSecret","algorithm","DEFAULT_ALGORITHM","noTimestamp","toISOString","validateAccessToken","verify","algorithms","isValid","err","validateRefreshToken","verifyOptions","error","JsonWebTokenError","invalidateRefreshToken","generateAccessToken","refreshToken","validation","String","expiresIn","accessTokenLifespan","rotateRefreshToken","current","child","childIat","childExp","childPayload","childToken","absolute","childSessionId","childExpiresAt","childRecord","payloadOut","isSessionActive","createDatabaseProvider","createSessionManager"],"mappings":";;;;;;AA8DA,MAAMA,uBAAAA,CAAAA;IAUJ,MAAMC,MAAAA,CAAOC,OAAoB,EAAwB;AACvD,QAAA,MAAMC,MAAS,GAAA,MAAM,IAAI,CAACC,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAA,CAAEL,MAAM,CAAC;YAC1DM,IAAML,EAAAA;AACR,SAAA,CAAA;QACA,OAAOC,MAAAA;AACT;IAEA,MAAMK,eAAAA,CAAgBC,SAAiB,EAA+B;AACpE,QAAA,MAAMN,MAAS,GAAA,MAAM,IAAI,CAACC,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAA,CAAEI,OAAO,CAAC;YAC3DC,KAAO,EAAA;AAAEF,gBAAAA;AAAU;AACrB,SAAA,CAAA;QACA,OAAON,MAAAA;AACT;AAEA,IAAA,MAAMS,iBAAkBH,CAAAA,SAAiB,EAAEF,IAA0B,EAAiB;QACpF,MAAM,IAAI,CAACH,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAEO,CAAAA,MAAM,CAAC;YAAEF,KAAO,EAAA;AAAEF,gBAAAA;AAAU,aAAA;AAAGF,YAAAA;AAAK,SAAA,CAAA;AAC5E;IAEA,MAAMO,iBAAAA,CAAkBL,SAAiB,EAAiB;QACxD,MAAM,IAAI,CAACL,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAES,CAAAA,MAAM,CAAC;YAC3CJ,KAAO,EAAA;AAAEF,gBAAAA;AAAU;AACrB,SAAA,CAAA;AACF;AAEA,IAAA,MAAMO,aAA+B,GAAA;QACnC,MAAM,IAAI,CAACZ,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAEW,CAAAA,UAAU,CAAC;YAC/CN,KAAO,EAAA;gBAAEO,iBAAmB,EAAA;AAAEC,oBAAAA,GAAAA,EAAK,IAAIC,IAAAA;AAAO;AAAE;AAClD,SAAA,CAAA;AACF;IAEA,MAAMC,QAAAA,CAASC,QAAiE,EAAiB;QAC/F,MAAM,IAAI,CAAClB,EAAE,CAACC,KAAK,CAAC,IAAI,CAACC,WAAW,CAAEW,CAAAA,UAAU,CAAC;YAC/CN,KAAO,EAAA;gBACL,GAAIW,QAAAA,CAASC,MAAM,GAAG;AAAEA,oBAAAA,MAAAA,EAAQD,SAASC;AAAO,iBAAA,GAAI,EAAE;gBACtD,GAAID,QAAAA,CAASE,MAAM,GAAG;AAAEA,oBAAAA,MAAAA,EAAQF,SAASE;AAAO,iBAAA,GAAI,EAAE;gBACtD,GAAIF,QAAAA,CAASG,QAAQ,GAAG;AAAEA,oBAAAA,QAAAA,EAAUH,SAASG;AAAS,iBAAA,GAAI;AAC5D;AACF,SAAA,CAAA;AACF;IA3CAC,WAAYtB,CAAAA,EAAY,EAAEE,WAAmB,CAAE;QAC7C,IAAI,CAACF,EAAE,GAAGA,EAAAA;QACV,IAAI,CAACE,WAAW,GAAGA,WAAAA;AACrB;AAyCF;AAeA,MAAMqB,cAAAA,CAAAA;IAeJC,iBAA4B,GAAA;AAC1B,QAAA,OAAOC,MAAOC,CAAAA,WAAW,CAAC,EAAA,CAAA,CAAIC,QAAQ,CAAC,KAAA,CAAA;AACzC;AAEA,IAAA,MAAcC,mBAAqC,GAAA;QACjD,IAAI,CAACC,wBAAwB,IAAI,CAAA;AACjC,QAAA,IAAI,IAAI,CAACA,wBAAwB,IAAI,IAAI,CAACC,iBAAiB,EAAE;YAC3D,IAAI,CAACD,wBAAwB,GAAG,CAAA;AAEhC,YAAA,MAAM,IAAI,CAACE,QAAQ,CAACnB,aAAa,EAAA;AACnC;AACF;IAEA,MAAMoB,oBAAAA,CACJb,MAAc,EACdE,QAAgB,EAChBD,MAAc,EACda,OAAgD,EAC4C;QAC5F,MAAM,IAAI,CAACL,mBAAmB,EAAA;QAE9B,MAAMvB,SAAAA,GAAY,IAAI,CAACmB,iBAAiB,EAAA;QACxC,MAAMU,UAAAA,GAAaD,SAASC,UAAc,IAAA,SAAA;AAC1C,QAAA,MAAMC,YAAYD,UAAe,KAAA,SAAA;AAEjC,QAAA,MAAME,YAAeD,GAAAA,SAAAA,GACjB,IAAI,CAACE,MAAM,CAACC,wBAAwB,GACpC,IAAI,CAACD,MAAM,CAACE,mBAAmB;AAEnC,QAAA,MAAMC,WAAcL,GAAAA,SAAAA,GAChB,IAAI,CAACE,MAAM,CAACI,uBAAuB,GACnC,IAAI,CAACJ,MAAM,CAACK,kBAAkB;QAElC,MAAMC,GAAAA,GAAM3B,KAAK2B,GAAG,EAAA;AACpB,QAAA,MAAMC,SAAY,GAAA,IAAI5B,IAAK2B,CAAAA,GAAAA,GAAMP,YAAe,GAAA,IAAA,CAAA;AAChD,QAAA,MAAMtB,iBAAoB,GAAA,IAAIE,IAAK2B,CAAAA,GAAAA,GAAMH,WAAc,GAAA,IAAA,CAAA;;AAGvD,QAAA,MAAMK,SAAS,MAAM,IAAI,CAACd,QAAQ,CAAClC,MAAM,CAAC;AACxCsB,YAAAA,MAAAA;AACAd,YAAAA,SAAAA;AACAgB,YAAAA,QAAAA;AACAD,YAAAA,MAAAA;YACA0B,QAAU,EAAA,IAAA;YACVC,OAAS,EAAA,IAAA;YACTC,QAAU3C,EAAAA,SAAAA;YACV4C,IAAMf,EAAAA,UAAAA;YACNgB,MAAQ,EAAA,QAAA;AACRN,YAAAA,SAAAA;AACA9B,YAAAA;AACF,SAAA,CAAA;AAEA,QAAA,MAAMqC,eAAkBC,GAAAA,IAAAA,CAAKC,KAAK,CAAC,IAAIrC,IAAAA,CAAK6B,MAAOS,CAAAA,SAAS,IAAI,IAAItC,IAAQuC,EAAAA,CAAAA,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;QACxF,MAAMC,gBAAAA,GAAmBJ,IAAKC,CAAAA,KAAK,CAAC,IAAIrC,KAAK6B,MAAOD,CAAAA,SAAS,CAAEW,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;AAE3E,QAAA,MAAME,OAA+B,GAAA;AACnCtC,YAAAA,MAAAA;AACAd,YAAAA,SAAAA;YACA4C,IAAM,EAAA,SAAA;YACNS,GAAKP,EAAAA,eAAAA;YACLQ,GAAKH,EAAAA;AACP,SAAA;QAEA,MAAMI,KAAAA,GAAQC,GAAIC,CAAAA,IAAI,CAACL,OAAAA,EAAS,IAAI,CAACpB,MAAM,CAAC0B,SAAS,EAAE;AACrDC,YAAAA,SAAAA,EAAW,IAAI,CAAC3B,MAAM,CAAC2B,SAAS,IAAIC,2BAAAA;YACpCC,WAAa,EAAA;AACf,SAAA,CAAA;QAEA,OAAO;AACLN,YAAAA,KAAAA;AACAvD,YAAAA,SAAAA;AACAS,YAAAA,iBAAAA,EAAmBA,kBAAkBqD,WAAW,EAAA;AAChDnB,YAAAA,QAAAA,EAAUH,OAAOG;AACnB,SAAA;AACF;AAEAoB,IAAAA,mBAAAA,CACER,KAAa,EACuE;QACpF,IAAI;YACF,MAAMH,OAAAA,GAAUI,GAAIQ,CAAAA,MAAM,CAACT,KAAAA,EAAO,IAAI,CAACvB,MAAM,CAAC0B,SAAS,EAAE;gBACvDO,UAAY,EAAA;AAAC,oBAAA,IAAI,CAACjC,MAAM,CAAC2B,SAAS,IAAIC;AAAkB;AAC1D,aAAA,CAAA;;AAGA,YAAA,IAAI,CAACR,OAAAA,IAAWA,OAAQR,CAAAA,IAAI,KAAK,QAAU,EAAA;gBACzC,OAAO;oBAAEsB,OAAS,EAAA,KAAA;oBAAOd,OAAS,EAAA;AAAK,iBAAA;AACzC;YAEA,OAAO;gBAAEc,OAAS,EAAA,IAAA;AAAMd,gBAAAA;AAAQ,aAAA;AAClC,SAAA,CAAE,OAAOe,GAAK,EAAA;YACZ,OAAO;gBAAED,OAAS,EAAA,KAAA;gBAAOd,OAAS,EAAA;AAAK,aAAA;AACzC;AACF;IAEA,MAAMgB,oBAAAA,CAAqBb,KAAa,EAAuC;QAC7E,IAAI;AACF,YAAA,MAAMc,aAA+B,GAAA;gBACnCJ,UAAY,EAAA;AAAC,oBAAA,IAAI,CAACjC,MAAM,CAAC2B,SAAS,IAAIC;AAAkB;AAC1D,aAAA;YAEA,MAAMR,OAAAA,GAAUI,GAAIQ,CAAAA,MAAM,CACxBT,KAAAA,EACA,IAAI,CAACvB,MAAM,CAAC0B,SAAS,EACrBW,aAAAA,CAAAA;YAGF,IAAIjB,OAAAA,CAAQR,IAAI,KAAK,SAAW,EAAA;gBAC9B,OAAO;oBAAEsB,OAAS,EAAA;AAAM,iBAAA;AAC1B;YAEA,MAAMzE,OAAAA,GAAU,MAAM,IAAI,CAACiC,QAAQ,CAAC3B,eAAe,CAACqD,OAAAA,CAAQpD,SAAS,CAAA;AACrE,YAAA,IAAI,CAACP,OAAS,EAAA;gBACZ,OAAO;oBAAEyE,OAAS,EAAA;AAAM,iBAAA;AAC1B;AAEA,YAAA,MAAM5B,MAAM,IAAI3B,IAAAA,EAAAA;AAChB,YAAA,IAAI,IAAIA,IAAAA,CAAKlB,OAAQ8C,CAAAA,SAAS,KAAKD,GAAK,EAAA;gBACtC,OAAO;oBAAE4B,OAAS,EAAA;AAAM,iBAAA;AAC1B;;YAGA,IAAIzE,OAAAA,CAAQgB,iBAAiB,IAAI,IAAIE,KAAKlB,OAAQgB,CAAAA,iBAAiB,KAAK6B,GAAK,EAAA;gBAC3E,OAAO;oBAAE4B,OAAS,EAAA;AAAM,iBAAA;AAC1B;;YAGA,IAAIzE,OAAAA,CAAQoD,MAAM,KAAK,QAAU,EAAA;gBAC/B,OAAO;oBAAEqB,OAAS,EAAA;AAAM,iBAAA;AAC1B;AAEA,YAAA,IAAIzE,OAAQqB,CAAAA,MAAM,KAAKsC,OAAAA,CAAQtC,MAAM,EAAE;gBACrC,OAAO;oBAAEoD,OAAS,EAAA;AAAM,iBAAA;AAC1B;YAEA,OAAO;gBACLA,OAAS,EAAA,IAAA;AACTpD,gBAAAA,MAAAA,EAAQsC,QAAQtC,MAAM;AACtBd,gBAAAA,SAAAA,EAAWoD,QAAQpD;AACrB,aAAA;AACF,SAAA,CAAE,OAAOsE,KAAY,EAAA;YACnB,IAAIA,KAAAA,YAAiBd,GAAIe,CAAAA,iBAAiB,EAAE;gBAC1C,OAAO;oBAAEL,OAAS,EAAA;AAAM,iBAAA;AAC1B;YAEA,MAAMI,KAAAA;AACR;AACF;AAEA,IAAA,MAAME,uBAAuBzD,MAAc,EAAED,MAAc,EAAEE,QAAiB,EAAiB;AAC7F,QAAA,MAAM,IAAI,CAACU,QAAQ,CAACd,QAAQ,CAAC;AAAEE,YAAAA,MAAAA;AAAQC,YAAAA,MAAAA;AAAQC,YAAAA;AAAS,SAAA,CAAA;AAC1D;IAEA,MAAMyD,mBAAAA,CAAoBC,YAAoB,EAAkD;AAC9F,QAAA,MAAMC,UAAa,GAAA,MAAM,IAAI,CAACP,oBAAoB,CAACM,YAAAA,CAAAA;QAEnD,IAAI,CAACC,UAAWT,CAAAA,OAAO,EAAE;YACvB,OAAO;gBAAEI,KAAO,EAAA;AAAwB,aAAA;AAC1C;AAEA,QAAA,MAAMlB,OAAmD,GAAA;YACvDtC,MAAQ8D,EAAAA,MAAAA,CAAOD,WAAW7D,MAAM,CAAA;AAChCd,YAAAA,SAAAA,EAAW2E,WAAW3E,SAAS;YAC/B4C,IAAM,EAAA;AACR,SAAA;QAEA,MAAMW,KAAAA,GAAQC,GAAIC,CAAAA,IAAI,CAACL,OAAAA,EAAS,IAAI,CAACpB,MAAM,CAAC0B,SAAS,EAAE;AACrDC,YAAAA,SAAAA,EAAW,IAAI,CAAC3B,MAAM,CAAC2B,SAAS,IAAIC,2BAAAA;AACpCiB,YAAAA,SAAAA,EAAW,IAAI,CAAC7C,MAAM,CAAC8C;AACzB,SAAA,CAAA;QAEA,OAAO;AAAEvB,YAAAA;AAAM,SAAA;AACjB;IAEA,MAAMwB,kBAAAA,CAAmBL,YAAoB,EAS3C;QACA,IAAI;YACF,MAAMtB,OAAAA,GAAUI,GAAIQ,CAAAA,MAAM,CAACU,YAAAA,EAAc,IAAI,CAAC1C,MAAM,CAAC0B,SAAS,EAAE;gBAC9DO,UAAY,EAAA;AAAC,oBAAA,IAAI,CAACjC,MAAM,CAAC2B,SAAS,IAAIC;AAAkB;AAC1D,aAAA,CAAA;AAEA,YAAA,IAAI,CAACR,OAAAA,IAAWA,OAAQR,CAAAA,IAAI,KAAK,SAAW,EAAA;gBAC1C,OAAO;oBAAE0B,KAAO,EAAA;AAAwB,iBAAA;AAC1C;YAEA,MAAMU,OAAAA,GAAU,MAAM,IAAI,CAACtD,QAAQ,CAAC3B,eAAe,CAACqD,OAAAA,CAAQpD,SAAS,CAAA;AACrE,YAAA,IAAI,CAACgF,OAAS,EAAA;gBACZ,OAAO;oBAAEV,KAAO,EAAA;AAAwB,iBAAA;AAC1C;;YAGA,IAAIU,OAAAA,CAAQtC,OAAO,EAAE;gBACnB,MAAMuC,KAAAA,GAAQ,MAAM,IAAI,CAACvD,QAAQ,CAAC3B,eAAe,CAACiF,OAAAA,CAAQtC,OAAO,CAAA;AAEjE,gBAAA,IAAIuC,KAAO,EAAA;AACT,oBAAA,MAAMC,QAAWnC,GAAAA,IAAAA,CAAKC,KAAK,CAAC,IAAIrC,IAAAA,CAAKsE,KAAMhC,CAAAA,SAAS,IAAI,IAAItC,IAAQuC,EAAAA,CAAAA,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;oBAChF,MAAMiC,QAAAA,GAAWpC,IAAKC,CAAAA,KAAK,CAAC,IAAIrC,KAAKsE,KAAM1C,CAAAA,SAAS,CAAEW,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;AAElE,oBAAA,MAAMkC,YAAoC,GAAA;AACxCtE,wBAAAA,MAAAA,EAAQmE,MAAMnE,MAAM;AACpBd,wBAAAA,SAAAA,EAAWiF,MAAMjF,SAAS;wBAC1B4C,IAAM,EAAA,SAAA;wBACNS,GAAK6B,EAAAA,QAAAA;wBACL5B,GAAK6B,EAAAA;AACP,qBAAA;oBAEA,MAAME,UAAAA,GAAa7B,GAAIC,CAAAA,IAAI,CAAC2B,YAAAA,EAAc,IAAI,CAACpD,MAAM,CAAC0B,SAAS,EAAE;AAC/DC,wBAAAA,SAAAA,EAAW,IAAI,CAAC3B,MAAM,CAAC2B,SAAS,IAAIC,2BAAAA;wBACpCC,WAAa,EAAA;AACf,qBAAA,CAAA;oBAEA,IAAIpD,iBAAAA;oBACJ,IAAIwE,KAAAA,CAAMxE,iBAAiB,EAAE;wBAC3BA,iBACE,GAAA,OAAOwE,KAAMxE,CAAAA,iBAAiB,KAAK,QAAA,GAC/BwE,KAAMxE,CAAAA,iBAAiB,GACvBwE,KAAAA,CAAMxE,iBAAiB,CAACqD,WAAW,EAAA;qBACpC,MAAA;wBACLrD,iBAAoB,GAAA,IAAIE,IAAK,CAAA,CAAA,CAAA,CAAGmD,WAAW,EAAA;AAC7C;oBAEA,OAAO;wBACLP,KAAO8B,EAAAA,UAAAA;AACPrF,wBAAAA,SAAAA,EAAWiF,MAAMjF,SAAS;AAC1BS,wBAAAA,iBAAAA;AACAkC,wBAAAA,QAAAA,EAAUiC,MAAOK,CAAAA,KAAAA,CAAMtC,QAAQ,IAAIsC,MAAMjF,SAAS,CAAA;wBAClD4C,IAAMqC,EAAAA,KAAAA,CAAMrC,IAAI,IAAI;AACtB,qBAAA;AACF;AACF;YAEA,MAAMN,GAAAA,GAAM3B,KAAK2B,GAAG,EAAA;YACpB,MAAMT,UAAAA,GAAamD,OAAQpC,CAAAA,IAAI,IAAI,SAAA;AACnC,YAAA,MAAMb,YACJF,GAAAA,UAAAA,KAAe,SACX,GAAA,IAAI,CAACG,MAAM,CAACC,wBAAwB,GACpC,IAAI,CAACD,MAAM,CAACE,mBAAmB;;AAGrC,YAAA,IAAI8C,OAAQ/B,CAAAA,SAAS,IAAIX,GAAAA,GAAM,IAAI3B,IAAAA,CAAKqE,OAAQ/B,CAAAA,SAAS,CAAEC,CAAAA,OAAO,EAAKnB,GAAAA,YAAAA,GAAe,IAAM,EAAA;gBAC1F,OAAO;oBAAEuC,KAAO,EAAA;AAAsB,iBAAA;AACxC;;YAGA,MAAMgB,QAAAA,GAAWN,OAAQvE,CAAAA,iBAAiB,GACtC,IAAIE,KAAKqE,OAAQvE,CAAAA,iBAAiB,CAAEyC,CAAAA,OAAO,EAC3CZ,GAAAA,GAAAA;AACJ,YAAA,IAAIgD,YAAYhD,GAAK,EAAA;gBACnB,OAAO;oBAAEgC,KAAO,EAAA;AAAqB,iBAAA;AACvC;;YAGA,MAAMiB,cAAAA,GAAiB,IAAI,CAACpE,iBAAiB,EAAA;AAC7C,YAAA,MAAMqE,cAAiB,GAAA,IAAI7E,IAAK2B,CAAAA,GAAAA,GAAMP,YAAe,GAAA,IAAA,CAAA;AAErD,YAAA,MAAM0D,cAAc,MAAM,IAAI,CAAC/D,QAAQ,CAAClC,MAAM,CAAC;AAC7CsB,gBAAAA,MAAAA,EAAQkE,QAAQlE,MAAM;gBACtBd,SAAWuF,EAAAA,cAAAA;AACXvE,gBAAAA,QAAAA,EAAUgE,QAAQhE,QAAQ;AAC1BD,gBAAAA,MAAAA,EAAQiE,QAAQjE,MAAM;AACtB0B,gBAAAA,QAAAA,EAAUuC,QAAQhF,SAAS;gBAC3B0C,OAAS,EAAA,IAAA;AACTC,gBAAAA,QAAAA,EAAUqC,OAAQrC,CAAAA,QAAQ,IAAIqC,OAAAA,CAAQhF,SAAS;gBAC/C4C,IAAMf,EAAAA,UAAAA;gBACNgB,MAAQ,EAAA,QAAA;gBACRN,SAAWiD,EAAAA,cAAAA;AACX/E,gBAAAA,iBAAAA,EAAmBuE,OAAQvE,CAAAA,iBAAiB,IAAI,IAAIE,IAAK2E,CAAAA,QAAAA;AAC3D,aAAA,CAAA;AAEA,YAAA,MAAMJ,QAAWnC,GAAAA,IAAAA,CAAKC,KAAK,CAAC,IAAIrC,IAAAA,CAAK8E,WAAYxC,CAAAA,SAAS,IAAI,IAAItC,IAAQuC,EAAAA,CAAAA,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;YACtF,MAAMiC,QAAAA,GAAWpC,IAAKC,CAAAA,KAAK,CAAC,IAAIrC,KAAK8E,WAAYlD,CAAAA,SAAS,CAAEW,CAAAA,OAAO,EAAK,GAAA,IAAA,CAAA;AACxE,YAAA,MAAMwC,UAAkC,GAAA;AACtC5E,gBAAAA,MAAAA,EAAQkE,QAAQlE,MAAM;gBACtBd,SAAWuF,EAAAA,cAAAA;gBACX3C,IAAM,EAAA,SAAA;gBACNS,GAAK6B,EAAAA,QAAAA;gBACL5B,GAAK6B,EAAAA;AACP,aAAA;YACA,MAAME,UAAAA,GAAa7B,GAAIC,CAAAA,IAAI,CAACiC,UAAAA,EAAY,IAAI,CAAC1D,MAAM,CAAC0B,SAAS,EAAE;AAC7DC,gBAAAA,SAAAA,EAAW,IAAI,CAAC3B,MAAM,CAAC2B,SAAS,IAAIC,2BAAAA;gBACpCC,WAAa,EAAA;AACf,aAAA,CAAA;YAEA,MAAM,IAAI,CAACnC,QAAQ,CAACvB,iBAAiB,CAAC6E,OAAAA,CAAQhF,SAAS,EAAE;gBACvD6C,MAAQ,EAAA,SAAA;gBACRH,OAAS6C,EAAAA;AACX,aAAA,CAAA;YAEA,IAAI9E,iBAAAA;YACJ,IAAIgF,WAAAA,CAAYhF,iBAAiB,EAAE;gBACjCA,iBACE,GAAA,OAAOgF,WAAYhF,CAAAA,iBAAiB,KAAK,QAAA,GACrCgF,WAAYhF,CAAAA,iBAAiB,GAC7BgF,WAAAA,CAAYhF,iBAAiB,CAACqD,WAAW,EAAA;aAC1C,MAAA;gBACLrD,iBAAoB,GAAA,IAAIE,IAAK2E,CAAAA,QAAAA,CAAAA,CAAUxB,WAAW,EAAA;AACpD;YAEA,OAAO;gBACLP,KAAO8B,EAAAA,UAAAA;gBACPrF,SAAWuF,EAAAA,cAAAA;AACX9E,gBAAAA,iBAAAA;AACAkC,gBAAAA,QAAAA,EAAUiC,MAAOa,CAAAA,WAAAA,CAAY9C,QAAQ,IAAI8C,YAAYzF,SAAS,CAAA;gBAC9D4C,IAAMf,EAAAA;AACR,aAAA;AACF,SAAA,CAAE,OAAM;YACN,OAAO;gBAAEyC,KAAO,EAAA;AAAwB,aAAA;AAC1C;AACF;AAEA;;;MAIA,MAAMqB,eAAgB3F,CAAAA,SAAiB,EAAoB;AACzD,QAAA,MAAMP,UAAU,MAAM,IAAI,CAACiC,QAAQ,CAAC3B,eAAe,CAACC,SAAAA,CAAAA;AACpD,QAAA,IAAI,CAACP,OAAS,EAAA;YACZ,OAAO,KAAA;AACT;AAEA,QAAA,IAAI,IAAIkB,IAAKlB,CAAAA,OAAAA,CAAQ8C,SAAS,CAAA,IAAK,IAAI5B,IAAQ,EAAA,EAAA;;AAE7C,YAAA,MAAM,IAAI,CAACe,QAAQ,CAACrB,iBAAiB,CAACL,SAAAA,CAAAA;YAEtC,OAAO,KAAA;AACT;QAEA,OAAO,IAAA;AACT;IArVAiB,WAAYS,CAAAA,QAAyB,EAAEM,MAA4B,CAAE;;aAJ7DR,wBAAmC,GAAA,CAAA;aAE1BC,iBAA4B,GAAA,EAAA;QAG3C,IAAI,CAACC,QAAQ,GAAGA,QAAAA;QAChB,IAAI,CAACM,MAAM,GAAGA,MAAAA;AAChB;AAmVF;AAEM4D,MAAAA,sBAAAA,GAAyB,CAACjG,EAAcE,EAAAA,WAAAA,GAAAA;IAC5C,OAAO,IAAIN,wBAAwBI,EAAIE,EAAAA,WAAAA,CAAAA;AACzC;AAEA,MAAMgG,uBAAuB,CAAC,EAAElG,EAAE,EAAEqC,MAAM,EAAkD,GAAA;IAC1F,MAAMN,QAAAA,GAAWkE,uBAAuBjG,EAAI,EAAA,gBAAA,CAAA;IAC5C,OAAO,IAAIuB,eAAeQ,QAAUM,EAAAA,MAAAA,CAAAA;AACtC;;;;;"}