npm - @sync-in/server - Versions diffs - 1.10.1 → 2.0.0 - Mend

@sync-in/server 1.10.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1057) hide show

package/server/authentication/providers/oidc/auth-provider-oidc.module.js ADDED Viewed

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthProviderOIDCModule", {
+    enumerable: true,
+    get: function() {
+        return AuthProviderOIDCModule;
+    }
+});
+const _common = require("@nestjs/common");
+const _authoidccontroller = require("./auth-oidc.controller");
+const _authprovideroidcservice = require("./auth-provider-oidc.service");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+let AuthProviderOIDCModule = class AuthProviderOIDCModule {
+};
+AuthProviderOIDCModule = _ts_decorate([
+    (0, _common.Module)({
+        controllers: [
+            _authoidccontroller.AuthOIDCController
+        ],
+        providers: [
+            _authprovideroidcservice.AuthProviderOIDC
+        ],
+        exports: [
+            _authprovideroidcservice.AuthProviderOIDC
+        ]
+    })
+], AuthProviderOIDCModule);
+//# sourceMappingURL=auth-provider-oidc.module.js.map

package/server/authentication/providers/oidc/auth-provider-oidc.module.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../backend/src/authentication/providers/oidc/auth-provider-oidc.module.ts"],"sourcesContent":["import { Module } from '@nestjs/common'\nimport { AuthOIDCController } from './auth-oidc.controller'\nimport { AuthProviderOIDC } from './auth-provider-oidc.service'\n\n@Module({\n controllers: [AuthOIDCController],\n providers: [AuthProviderOIDC],\n exports: [AuthProviderOIDC]\n})\nexport class AuthProviderOIDCModule {}\n"],"names":["AuthProviderOIDCModule","controllers","AuthOIDCController","providers","AuthProviderOIDC","exports"],"mappings":";;;;+BASaA;;;eAAAA;;;wBATU;oCACY;yCACF;;;;;;;AAO1B,IAAA,AAAMA,yBAAN,MAAMA;AAAwB;;;QAJnCC,aAAa;YAACC,sCAAkB;SAAC;QACjCC,WAAW;YAACC,yCAAgB;SAAC;QAC7BC,SAAS;YAACD,yCAAgB;SAAC"}

package/server/authentication/providers/oidc/auth-provider-oidc.service.js ADDED Viewed

@@ -0,0 +1,373 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthProviderOIDC", {
+    enumerable: true,
+    get: function() {
+        return AuthProviderOIDC;
+    }
+});
+const _common = require("@nestjs/common");
+const _openidclient = require("openid-client");
+const _user = require("../../../applications/users/constants/user");
+const _adminusersmanagerservice = require("../../../applications/users/services/admin-users-manager.service");
+const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
+const _functions = require("../../../common/functions");
+const _configenvironment = require("../../../configuration/config.environment");
+const _routes = require("../../constants/routes");
+const _tokeninterface = require("../../interfaces/token.interface");
+const _authprovidersconstants = require("../auth-providers.constants");
+const _authoidcdesktopconstants = require("./auth-oidc-desktop.constants");
+const _authoidcconstants = require("./auth-oidc.constants");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let AuthProviderOIDC = class AuthProviderOIDC {
+    async validateUser(login, password, ip, scope) {
+        // Local password authentication path (non-OIDC)
+        const user = await this.usersManager.findUser(login, false);
+        if (!user) {
+            return null;
+        }
+        if (user.isGuest || user.isAdmin || scope || this.oidcConfig.options.enablePasswordAuth) {
+            // Allow local password authentication for:
+            // - guest users
+            // - admin users (break-glass access)
+            // - application scopes (app passwords)
+            // - regular users when password authentication is enabled
+            return this.usersManager.logUser(user, password, ip, scope);
+        }
+        return null;
+    }
+    async getConfig() {
+        if (!this.config) {
+            this.config = await this.initializeOIDCClient();
+        }
+        return this.config;
+    }
+    async getAuthorizationUrl(res, desktopPort) {
+        const redirectURI = this.getRedirectURI(desktopPort);
+        const config = await this.getConfig();
+        // state: CSRF protection, nonce: binds the ID Token to this auth request (replay protection)
+        const state = (0, _openidclient.randomState)();
+        const nonce = (0, _openidclient.randomNonce)();
+        const supportsPKCE = config.serverMetadata().supportsPKCE();
+        const codeVerifier = supportsPKCE ? (0, _openidclient.randomPKCECodeVerifier)() : undefined;
+        const authUrl = new URL(config.serverMetadata().authorization_endpoint);
+        authUrl.searchParams.set('client_id', this.oidcConfig.clientId);
+        authUrl.searchParams.set('redirect_uri', redirectURI);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('scope', this.oidcConfig.security.scope);
+        authUrl.searchParams.set('state', state);
+        authUrl.searchParams.set('nonce', nonce);
+        if (supportsPKCE) {
+            const codeChallenge = await (0, _openidclient.calculatePKCECodeChallenge)(codeVerifier);
+            authUrl.searchParams.set('code_challenge', codeChallenge);
+            authUrl.searchParams.set('code_challenge_method', 'S256');
+        }
+        // Avoid cache
+        res.header('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0').header('Pragma', 'no-cache').header('Expires', '0').header('X-Robots-Tag', 'noindex, nofollow').header('Referrer-Policy', 'no-referrer');
+        // Store state, nonce, and codeVerifier in httpOnly cookies (expires in 10 minutes)
+        res.setCookie(_authoidcconstants.OAuthCookie.State, state, _authoidcconstants.OAuthCookieSettings);
+        res.setCookie(_authoidcconstants.OAuthCookie.Nonce, nonce, _authoidcconstants.OAuthCookieSettings);
+        if (supportsPKCE) {
+            res.setCookie(_authoidcconstants.OAuthCookie.CodeVerifier, codeVerifier, _authoidcconstants.OAuthCookieSettings);
+        }
+        return authUrl.toString();
+    }
+    async handleCallback(req, res, query) {
+        const config = await this.getConfig();
+        const supportsPKCE = config.serverMetadata().supportsPKCE();
+        const [expectedState, expectedNonce, codeVerifier] = [
+            req.cookies[_authoidcconstants.OAuthCookie.State],
+            req.cookies[_authoidcconstants.OAuthCookie.Nonce],
+            req.cookies[_authoidcconstants.OAuthCookie.CodeVerifier]
+        ];
+        try {
+            if (!expectedState?.length) {
+                throw new _common.HttpException('OAuth state is missing', _common.HttpStatus.BAD_REQUEST);
+            }
+            if (supportsPKCE && !codeVerifier?.length) {
+                throw new _common.HttpException('OAuth code verifier is missing', _common.HttpStatus.BAD_REQUEST);
+            }
+            const pkceCodeVerifier = supportsPKCE ? codeVerifier : undefined;
+            const callbackParams = new URLSearchParams(query);
+            // Get Desktop Port if defined
+            const desktopPort = callbackParams.get(_authoidcdesktopconstants.OAuthDesktopPortParam);
+            if (desktopPort) {
+                callbackParams.delete(_authoidcdesktopconstants.OAuthDesktopPortParam);
+            }
+            // Exchange authorization code for tokens
+            const callbackUrl = new URL(this.getRedirectURI(desktopPort));
+            callbackUrl.search = callbackParams.toString();
+            const tokens = await (0, _openidclient.authorizationCodeGrant)(config, callbackUrl, {
+                expectedState,
+                pkceCodeVerifier,
+                expectedNonce
+            });
+            // Get validated ID token claims
+            const claims = tokens.claims();
+            if (!claims) {
+                throw new _common.HttpException('No ID token claims found', _common.HttpStatus.BAD_REQUEST);
+            }
+            if (!claims.sub) {
+                throw new _common.HttpException('Unexpected profile response, no `sub`', _common.HttpStatus.BAD_REQUEST);
+            }
+            // ID token claims may be minimal depending on the IdP; use the UserInfo endpoint to retrieve user details.
+            // Get user info from the userinfo endpoint (requires access token and subject from ID token).
+            const subject = this.oidcConfig.security.skipSubjectCheck ? _openidclient.skipSubjectCheck : claims.sub;
+            const userInfo = await (0, _openidclient.fetchUserInfo)(config, tokens.access_token, subject);
+            if (!userInfo.sub) {
+                throw new Error('Unexpected profile response, no `sub`');
+            }
+            // Process the user info and create/update the user
+            return await this.processUserInfo(userInfo, req.ip);
+        } catch (error) {
+            if (error instanceof _openidclient.AuthorizationResponseError) {
+                this.logger.error({
+                    tag: this.handleCallback.name,
+                    msg: `OIDC callback error: ${error.code} - ${error.error_description}`
+                });
+                throw new _common.HttpException(error.error_description, _common.HttpStatus.BAD_REQUEST);
+            } else {
+                this.logger.error({
+                    tag: this.handleCallback.name,
+                    msg: `OIDC callback error: ${error}`
+                });
+                throw new _common.HttpException(error.error_description ?? 'OIDC authentication failed', error instanceof _common.HttpException ? error.getStatus() : error.status ?? _common.HttpStatus.INTERNAL_SERVER_ERROR);
+            }
+        } finally{
+            // Always clear temporary OIDC cookies (success or failure)
+            Object.values(_authoidcconstants.OAuthCookie).forEach((value)=>{
+                res.clearCookie(value, {
+                    path: '/'
+                });
+            });
+        }
+    }
+    getRedirectCallbackUrl(accessExpiration, refreshExpiration) {
+        if (!this.frontendBaseUrl) {
+            const url = new URL(this.oidcConfig.redirectUri);
+            const apiIndex = url.pathname.indexOf(_routes.AUTH_ROUTE.BASE);
+            this.frontendBaseUrl = apiIndex >= 0 ? `${url.origin}${url.pathname.slice(0, apiIndex)}` : url.origin;
+        }
+        const url = new URL(this.frontendBaseUrl);
+        const params = new URLSearchParams({
+            [_authprovidersconstants.AUTH_PROVIDER.OIDC]: 'true',
+            [`${_tokeninterface.TOKEN_TYPE.ACCESS}_expiration`]: `${accessExpiration}`,
+            [`${_tokeninterface.TOKEN_TYPE.REFRESH}_expiration`]: `${refreshExpiration}`
+        });
+        url.hash = `/?${params.toString()}`;
+        return url.toString();
+    }
+    getRedirectURI(desktopPort) {
+        // web / default callback
+        if (!desktopPort) return this.oidcConfig.redirectUri;
+        // desktop app callback
+        if (typeof desktopPort === 'string') {
+            desktopPort = Number(desktopPort);
+        }
+        if (!Number.isInteger(desktopPort) || !_authoidcdesktopconstants.OAuthDesktopLoopbackPorts.has(desktopPort)) {
+            throw new _common.HttpException('Invalid desktop_port', _common.HttpStatus.BAD_REQUEST);
+        }
+        // The redirect url must be known from provider
+        return `http://127.0.0.1:${desktopPort}${_authoidcdesktopconstants.OAuthDesktopCallBackURI}`;
+    }
+    async initializeOIDCClient() {
+        try {
+            const issuerUrl = new URL(this.oidcConfig.issuerUrl);
+            const config = await (0, _openidclient.discovery)(issuerUrl, this.oidcConfig.clientId, {
+                client_secret: this.oidcConfig.clientSecret,
+                response_types: [
+                    'code'
+                ],
+                id_token_signed_response_alg: this.oidcConfig.security.tokenSigningAlg,
+                userinfo_signed_response_alg: this.oidcConfig.security.userInfoSigningAlg
+            }, this.getTokenAuthMethod(this.oidcConfig.security.tokenEndpointAuthMethod, this.oidcConfig.clientSecret), {
+                execute: [
+                    _openidclient.allowInsecureRequests
+                ],
+                timeout: 6000
+            });
+            this.logger.log({
+                tag: this.initializeOIDCClient.name,
+                msg: `OIDC client initialized successfully for issuer: ${this.oidcConfig.issuerUrl}`
+            });
+            return config;
+        } catch (error) {
+            this.logger.error({
+                tag: this.initializeOIDCClient.name,
+                msg: `OIDC client initialization failed: ${error?.cause || error}`
+            });
+            switch(error.cause?.code){
+                case 'ECONNREFUSED':
+                case 'ENOTFOUND':
+                    throw new _common.HttpException('OIDC provider unavailable', _common.HttpStatus.SERVICE_UNAVAILABLE);
+                case 'ETIMEDOUT':
+                    throw new _common.HttpException('OIDC provider timeout', _common.HttpStatus.GATEWAY_TIMEOUT);
+                default:
+                    throw new _common.HttpException('OIDC client initialization failed', _common.HttpStatus.INTERNAL_SERVER_ERROR);
+            }
+        }
+    }
+    getTokenAuthMethod(tokenEndpointAuthMethod, clientSecret) {
+        if (!clientSecret) {
+            return (0, _openidclient.None)();
+        }
+        switch(tokenEndpointAuthMethod){
+            case _authoidcconstants.OAuthTokenEndpoint.ClientSecretPost:
+                {
+                    return (0, _openidclient.ClientSecretPost)(clientSecret);
+                }
+            case _authoidcconstants.OAuthTokenEndpoint.ClientSecretBasic:
+                {
+                    return (0, _openidclient.ClientSecretBasic)(clientSecret);
+                }
+            default:
+                {
+                    return (0, _openidclient.None)();
+                }
+        }
+    }
+    async processUserInfo(userInfo, ip) {
+        // Extract user information
+        const { login, email } = this.extractLoginAndEmail(userInfo);
+        // Check if user exists
+        let user = await this.usersManager.findUser(email || login, false);
+        if (!user && !this.oidcConfig.options.autoCreateUser) {
+            this.logger.warn({
+                tag: this.processUserInfo.name,
+                msg: `User not found and autoCreateUser is disabled`
+            });
+            throw new _common.HttpException('User not found', _common.HttpStatus.UNAUTHORIZED);
+        }
+        // Determine if user should be admin based on groups/roles
+        const isAdmin = this.checkAdminRole(userInfo);
+        // Create identity
+        const identity = this.createIdentity(login, email, userInfo, isAdmin);
+        // Create or update user
+        user = await this.updateOrCreateUser(identity, user);
+        // Update user access log
+        this.usersManager.updateAccesses(user, ip, true).catch((e)=>this.logger.error({
+                tag: this.processUserInfo.name,
+                msg: `${e}`
+            }));
+        return user;
+    }
+    checkAdminRole(userInfo) {
+        if (!this.oidcConfig.options.adminRoleOrGroup) {
+            return false;
+        }
+        // Check claims
+        const claims = [
+            ...Array.isArray(userInfo.groups) ? userInfo.groups : [],
+            ...Array.isArray(userInfo.roles) ? userInfo.roles : []
+        ];
+        return claims.includes(this.oidcConfig.options.adminRoleOrGroup);
+    }
+    createIdentity(login, email, userInfo, isAdmin) {
+        // Get first name and last name
+        let firstName = userInfo.given_name || '';
+        let lastName = userInfo.family_name || '';
+        // If structured names not available, try to split the full name
+        if (!firstName && !lastName && userInfo.name) {
+            const names = (0, _functions.splitFullName)(userInfo.name);
+            firstName = names.firstName;
+            lastName = names.lastName;
+        }
+        return {
+            login,
+            email,
+            role: isAdmin ? _user.USER_ROLE.ADMINISTRATOR : _user.USER_ROLE.USER,
+            firstName,
+            lastName
+        };
+    }
+    async updateOrCreateUser(identity, user) {
+        if (user === null) {
+            // Create new user with a random password (required by the system but not used for OIDC login)
+            const userWithPassword = {
+                ...identity,
+                password: (0, _functions.generateShortUUID)(24),
+                permissions: this.oidcConfig.options.autoCreatePermissions.join(',')
+            };
+            const createdUser = await this.adminUsersManager.createUserOrGuest(userWithPassword, identity.role);
+            const freshUser = await this.usersManager.fromUserId(createdUser.id);
+            if (!freshUser) {
+                this.logger.error({
+                    tag: this.updateOrCreateUser.name,
+                    msg: `user was not found : ${createdUser.login} (${createdUser.id})`
+                });
+                throw new _common.HttpException('User not found', _common.HttpStatus.NOT_FOUND);
+            }
+            return freshUser;
+        }
+        // Check if user information has changed (excluding password)
+        const identityHasChanged = Object.fromEntries(Object.keys(identity).filter((key)=>key !== 'password').map((key)=>identity[key] !== user[key] ? [
+                key,
+                identity[key]
+            ] : null).filter(Boolean));
+        if (Object.keys(identityHasChanged).length > 0) {
+            try {
+                if (identityHasChanged?.role != null) {
+                    if (user.role === _user.USER_ROLE.ADMINISTRATOR && !this.oidcConfig.options.adminRoleOrGroup) {
+                        // Prevent removing the admin role when adminGroup was removed or not defined
+                        delete identityHasChanged.role;
+                    }
+                }
+                // Update user properties
+                await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged);
+                // Update local user object
+                Object.assign(user, identityHasChanged);
+                if ('lastName' in identityHasChanged || 'firstName' in identityHasChanged) {
+                    // Force fullName update in the current user model
+                    user.setFullName(true);
+                }
+            } catch (e) {
+                this.logger.warn({
+                    tag: this.updateOrCreateUser.name,
+                    msg: `unable to update user *${user.login}* : ${e}`
+                });
+            }
+        }
+        return user;
+    }
+    extractLoginAndEmail(userInfo) {
+        const email = userInfo.email ? userInfo.email.trim() : undefined;
+        if (!email) {
+            throw new _common.HttpException('No email address found in the OIDC profile', _common.HttpStatus.BAD_REQUEST);
+        }
+        const login = userInfo.preferred_username ?? (email ? email.split('@')[0] : undefined) ?? userInfo.sub;
+        if (!login) {
+            throw new _common.HttpException('Unable to determine the OIDC profile login', _common.HttpStatus.BAD_REQUEST);
+        }
+        return {
+            login: login.trim().toLowerCase(),
+            email
+        };
+    }
+    constructor(usersManager, adminUsersManager){
+        this.usersManager = usersManager;
+        this.adminUsersManager = adminUsersManager;
+        this.logger = new _common.Logger(AuthProviderOIDC.name);
+        this.oidcConfig = _configenvironment.configuration.auth.oidc;
+        this.config = null;
+    }
+};
+AuthProviderOIDC = _ts_decorate([
+    (0, _common.Injectable)(),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _usersmanagerservice.UsersManager === "undefined" ? Object : _usersmanagerservice.UsersManager,
+        typeof _adminusersmanagerservice.AdminUsersManager === "undefined" ? Object : _adminusersmanagerservice.AdminUsersManager
+    ])
+], AuthProviderOIDC);
+//# sourceMappingURL=auth-provider-oidc.service.js.map

package/server/authentication/providers/oidc/auth-provider-oidc.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../backend/src/authentication/providers/oidc/auth-provider-oidc.service.ts"],"sourcesContent":["import { HttpException, HttpStatus, Injectable, Logger } from '@nestjs/common'\nimport { FastifyReply, FastifyRequest } from 'fastify'\nimport {\n allowInsecureRequests,\n authorizationCodeGrant,\n AuthorizationResponseError,\n calculatePKCECodeChallenge,\n ClientSecretBasic,\n ClientSecretPost,\n Configuration,\n discovery,\n fetchUserInfo,\n IDToken,\n None,\n randomNonce,\n randomPKCECodeVerifier,\n randomState,\n skipSubjectCheck,\n UserInfoResponse\n} from 'openid-client'\nimport { USER_ROLE } from '../../../applications/users/constants/user'\nimport type { CreateUserDto, UpdateUserDto } from '../../../applications/users/dto/create-or-update-user.dto'\nimport { UserModel } from '../../../applications/users/models/user.model'\nimport { AdminUsersManager } from '../../../applications/users/services/admin-users-manager.service'\nimport { UsersManager } from '../../../applications/users/services/users-manager.service'\nimport { generateShortUUID, splitFullName } from '../../../common/functions'\nimport { configuration } from '../../../configuration/config.environment'\nimport { AUTH_ROUTE } from '../../constants/routes'\nimport type { AUTH_SCOPE } from '../../constants/scope'\nimport { TOKEN_TYPE } from '../../interfaces/token.interface'\nimport { AUTH_PROVIDER } from '../auth-providers.constants'\nimport { AuthProvider } from '../auth-providers.models'\nimport { OAuthDesktopCallBackURI, OAuthDesktopLoopbackPorts, OAuthDesktopPortParam } from './auth-oidc-desktop.constants'\nimport type { AuthProviderOIDCConfig } from './auth-oidc.config'\nimport { OAuthCookie, OAuthCookieSettings, OAuthTokenEndpoint } from './auth-oidc.constants'\n\n@Injectable()\nexport class AuthProviderOIDC implements AuthProvider {\n private readonly logger = new Logger(AuthProviderOIDC.name)\n private readonly oidcConfig: AuthProviderOIDCConfig = configuration.auth.oidc\n private frontendBaseUrl: string\n private config: Configuration = null\n\n constructor(\n private readonly usersManager: UsersManager,\n private readonly adminUsersManager: AdminUsersManager\n ) {}\n\n async validateUser(login: string, password: string, ip?: string, scope?: AUTH_SCOPE): Promise<UserModel> {\n // Local password authentication path (non-OIDC)\n const user: UserModel = await this.usersManager.findUser(login, false)\n\n if (!user) {\n return null\n }\n\n if (user.isGuest || user.isAdmin || scope || this.oidcConfig.options.enablePasswordAuth) {\n // Allow local password authentication for:\n // - guest users\n // - admin users (break-glass access)\n // - application scopes (app passwords)\n // - regular users when password authentication is enabled\n return this.usersManager.logUser(user, password, ip, scope)\n }\n\n return null\n }\n\n async getConfig(): Promise<Configuration> {\n if (!this.config) {\n this.config = await this.initializeOIDCClient()\n }\n return this.config\n }\n\n async getAuthorizationUrl(res: FastifyReply, desktopPort?: number): Promise<string> {\n const redirectURI = this.getRedirectURI(desktopPort)\n const config = await this.getConfig()\n\n // state: CSRF protection, nonce: binds the ID Token to this auth request (replay protection)\n const state = randomState()\n const nonce = randomNonce()\n\n const supportsPKCE = config.serverMetadata().supportsPKCE()\n const codeVerifier = supportsPKCE ? randomPKCECodeVerifier() : undefined\n\n const authUrl = new URL(config.serverMetadata().authorization_endpoint!)\n authUrl.searchParams.set('client_id', this.oidcConfig.clientId!)\n authUrl.searchParams.set('redirect_uri', redirectURI)\n authUrl.searchParams.set('response_type', 'code')\n authUrl.searchParams.set('scope', this.oidcConfig.security.scope)\n authUrl.searchParams.set('state', state)\n authUrl.searchParams.set('nonce', nonce)\n if (supportsPKCE) {\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier!)\n authUrl.searchParams.set('code_challenge', codeChallenge)\n authUrl.searchParams.set('code_challenge_method', 'S256')\n }\n\n // Avoid cache\n res\n .header('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0')\n .header('Pragma', 'no-cache')\n .header('Expires', '0')\n .header('X-Robots-Tag', 'noindex, nofollow')\n .header('Referrer-Policy', 'no-referrer')\n\n // Store state, nonce, and codeVerifier in httpOnly cookies (expires in 10 minutes)\n res.setCookie(OAuthCookie.State, state, OAuthCookieSettings)\n res.setCookie(OAuthCookie.Nonce, nonce, OAuthCookieSettings)\n if (supportsPKCE) {\n res.setCookie(OAuthCookie.CodeVerifier, codeVerifier, OAuthCookieSettings)\n }\n return authUrl.toString()\n }\n\n async handleCallback(req: FastifyRequest, res: FastifyReply, query: Record<string, string>): Promise<UserModel> {\n const config = await this.getConfig()\n const supportsPKCE = config.serverMetadata().supportsPKCE()\n const [expectedState, expectedNonce, codeVerifier] = [\n req.cookies[OAuthCookie.State],\n req.cookies[OAuthCookie.Nonce],\n req.cookies[OAuthCookie.CodeVerifier]\n ]\n\n try {\n if (!expectedState?.length) {\n throw new HttpException('OAuth state is missing', HttpStatus.BAD_REQUEST)\n }\n\n if (supportsPKCE && !codeVerifier?.length) {\n throw new HttpException('OAuth code verifier is missing', HttpStatus.BAD_REQUEST)\n }\n\n const pkceCodeVerifier = supportsPKCE ? codeVerifier : undefined\n const callbackParams = new URLSearchParams(query)\n\n // Get Desktop Port if defined\n const desktopPort: string | null = callbackParams.get(OAuthDesktopPortParam)\n if (desktopPort) {\n callbackParams.delete(OAuthDesktopPortParam)\n }\n\n // Exchange authorization code for tokens\n const callbackUrl = new URL(this.getRedirectURI(desktopPort))\n callbackUrl.search = callbackParams.toString()\n const tokens = await authorizationCodeGrant(config, callbackUrl, {\n expectedState,\n pkceCodeVerifier,\n expectedNonce\n })\n\n // Get validated ID token claims\n const claims: IDToken = tokens.claims()\n if (!claims) {\n throw new HttpException('No ID token claims found', HttpStatus.BAD_REQUEST)\n }\n if (!claims.sub) {\n throw new HttpException('Unexpected profile response, no `sub`', HttpStatus.BAD_REQUEST)\n }\n\n // ID token claims may be minimal depending on the IdP; use the UserInfo endpoint to retrieve user details.\n // Get user info from the userinfo endpoint (requires access token and subject from ID token).\n const subject = this.oidcConfig.security.skipSubjectCheck ? skipSubjectCheck : claims.sub\n const userInfo: UserInfoResponse = await fetchUserInfo(config, tokens.access_token, subject)\n\n if (!userInfo.sub) {\n throw new Error('Unexpected profile response, no `sub`')\n }\n\n // Process the user info and create/update the user\n return await this.processUserInfo(userInfo, req.ip)\n } catch (error: AuthorizationResponseError | HttpException | any) {\n if (error instanceof AuthorizationResponseError) {\n this.logger.error({ tag: this.handleCallback.name, msg: `OIDC callback error: ${error.code} - ${error.error_description}` })\n throw new HttpException(error.error_description, HttpStatus.BAD_REQUEST)\n } else {\n this.logger.error({ tag: this.handleCallback.name, msg: `OIDC callback error: ${error}` })\n throw new HttpException(\n error.error_description ?? 'OIDC authentication failed',\n error instanceof HttpException ? error.getStatus() : (error.status ?? HttpStatus.INTERNAL_SERVER_ERROR)\n )\n }\n } finally {\n // Always clear temporary OIDC cookies (success or failure)\n Object.values(OAuthCookie).forEach((value) => {\n res.clearCookie(value, { path: '/' })\n })\n }\n }\n\n getRedirectCallbackUrl(accessExpiration: number, refreshExpiration: number) {\n if (!this.frontendBaseUrl) {\n const url = new URL(this.oidcConfig.redirectUri)\n const apiIndex = url.pathname.indexOf(AUTH_ROUTE.BASE)\n this.frontendBaseUrl = apiIndex >= 0 ? `${url.origin}${url.pathname.slice(0, apiIndex)}` : url.origin\n }\n const url = new URL(this.frontendBaseUrl)\n const params = new URLSearchParams({\n [AUTH_PROVIDER.OIDC]: 'true',\n [`${TOKEN_TYPE.ACCESS}_expiration`]: `${accessExpiration}`,\n [`${TOKEN_TYPE.REFRESH}_expiration`]: `${refreshExpiration}`\n })\n url.hash = `/?${params.toString()}`\n return url.toString()\n }\n\n getRedirectURI(desktopPort?: number | string): string {\n // web / default callback\n if (!desktopPort) return this.oidcConfig.redirectUri\n // desktop app callback\n if (typeof desktopPort === 'string') {\n desktopPort = Number(desktopPort)\n }\n if (!Number.isInteger(desktopPort) || !OAuthDesktopLoopbackPorts.has(desktopPort)) {\n throw new HttpException('Invalid desktop_port', HttpStatus.BAD_REQUEST)\n }\n // The redirect url must be known from provider\n return `http://127.0.0.1:${desktopPort}${OAuthDesktopCallBackURI}`\n }\n\n private async initializeOIDCClient(): Promise<Configuration> {\n try {\n const issuerUrl = new URL(this.oidcConfig.issuerUrl)\n const config: Configuration = await discovery(\n issuerUrl,\n this.oidcConfig.clientId,\n {\n client_secret: this.oidcConfig.clientSecret,\n response_types: ['code'],\n id_token_signed_response_alg: this.oidcConfig.security.tokenSigningAlg,\n userinfo_signed_response_alg: this.oidcConfig.security.userInfoSigningAlg\n },\n this.getTokenAuthMethod(this.oidcConfig.security.tokenEndpointAuthMethod, this.oidcConfig.clientSecret),\n {\n execute: [allowInsecureRequests],\n timeout: 6000\n }\n )\n this.logger.log({ tag: this.initializeOIDCClient.name, msg: `OIDC client initialized successfully for issuer: ${this.oidcConfig.issuerUrl}` })\n return config\n } catch (error) {\n this.logger.error({ tag: this.initializeOIDCClient.name, msg: `OIDC client initialization failed: ${error?.cause || error}` })\n switch (error.cause?.code) {\n case 'ECONNREFUSED':\n case 'ENOTFOUND':\n throw new HttpException('OIDC provider unavailable', HttpStatus.SERVICE_UNAVAILABLE)\n\n case 'ETIMEDOUT':\n throw new HttpException('OIDC provider timeout', HttpStatus.GATEWAY_TIMEOUT)\n\n default:\n throw new HttpException('OIDC client initialization failed', HttpStatus.INTERNAL_SERVER_ERROR)\n }\n }\n }\n\n private getTokenAuthMethod(tokenEndpointAuthMethod: OAuthTokenEndpoint, clientSecret?: string) {\n if (!clientSecret) {\n return None()\n }\n\n switch (tokenEndpointAuthMethod) {\n case OAuthTokenEndpoint.ClientSecretPost: {\n return ClientSecretPost(clientSecret)\n }\n\n case OAuthTokenEndpoint.ClientSecretBasic: {\n return ClientSecretBasic(clientSecret)\n }\n\n default: {\n return None()\n }\n }\n }\n\n private async processUserInfo(userInfo: UserInfoResponse, ip?: string): Promise<UserModel> {\n // Extract user information\n const { login, email } = this.extractLoginAndEmail(userInfo)\n\n // Check if user exists\n let user: UserModel = await this.usersManager.findUser(email || login, false)\n\n if (!user && !this.oidcConfig.options.autoCreateUser) {\n this.logger.warn({ tag: this.processUserInfo.name, msg: `User not found and autoCreateUser is disabled` })\n throw new HttpException('User not found', HttpStatus.UNAUTHORIZED)\n }\n\n // Determine if user should be admin based on groups/roles\n const isAdmin = this.checkAdminRole(userInfo)\n\n // Create identity\n const identity = this.createIdentity(login, email, userInfo, isAdmin)\n\n // Create or update user\n user = await this.updateOrCreateUser(identity, user)\n\n // Update user access log\n this.usersManager.updateAccesses(user, ip, true).catch((e: Error) => this.logger.error({ tag: this.processUserInfo.name, msg: `${e}` }))\n\n return user\n }\n\n private checkAdminRole(userInfo: UserInfoResponse): boolean {\n if (!this.oidcConfig.options.adminRoleOrGroup) {\n return false\n }\n\n // Check claims\n const claims = [...(Array.isArray(userInfo.groups) ? userInfo.groups : []), ...(Array.isArray(userInfo.roles) ? userInfo.roles : [])]\n\n return claims.includes(this.oidcConfig.options.adminRoleOrGroup)\n }\n\n private createIdentity(\n login: string,\n email: string,\n userInfo: UserInfoResponse,\n isAdmin: boolean\n ): Omit<CreateUserDto, 'password'> & { password?: string } {\n // Get first name and last name\n let firstName = userInfo.given_name || ''\n let lastName = userInfo.family_name || ''\n\n // If structured names not available, try to split the full name\n if (!firstName && !lastName && userInfo.name) {\n const names = splitFullName(userInfo.name)\n firstName = names.firstName\n lastName = names.lastName\n }\n\n return {\n login,\n email,\n role: isAdmin ? USER_ROLE.ADMINISTRATOR : USER_ROLE.USER,\n firstName,\n lastName\n }\n }\n\n private async updateOrCreateUser(identity: Omit<CreateUserDto, 'password'> & { password?: string }, user: UserModel | null): Promise<UserModel> {\n if (user === null) {\n // Create new user with a random password (required by the system but not used for OIDC login)\n const userWithPassword = {\n ...identity,\n password: generateShortUUID(24),\n permissions: this.oidcConfig.options.autoCreatePermissions.join(',')\n } as CreateUserDto\n const createdUser = await this.adminUsersManager.createUserOrGuest(userWithPassword, identity.role)\n const freshUser = await this.usersManager.fromUserId(createdUser.id)\n if (!freshUser) {\n this.logger.error({ tag: this.updateOrCreateUser.name, msg: `user was not found : ${createdUser.login} (${createdUser.id})` })\n throw new HttpException('User not found', HttpStatus.NOT_FOUND)\n }\n return freshUser\n }\n\n // Check if user information has changed (excluding password)\n const identityHasChanged: UpdateUserDto = Object.fromEntries(\n Object.keys(identity)\n .filter((key) => key !== 'password')\n .map((key: string) => (identity[key] !== user[key] ? [key, identity[key]] : null))\n .filter(Boolean)\n )\n\n if (Object.keys(identityHasChanged).length > 0) {\n try {\n if (identityHasChanged?.role != null) {\n if (user.role === USER_ROLE.ADMINISTRATOR && !this.oidcConfig.options.adminRoleOrGroup) {\n // Prevent removing the admin role when adminGroup was removed or not defined\n delete identityHasChanged.role\n }\n }\n\n // Update user properties\n await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged)\n\n // Update local user object\n Object.assign(user, identityHasChanged)\n\n if ('lastName' in identityHasChanged || 'firstName' in identityHasChanged) {\n // Force fullName update in the current user model\n user.setFullName(true)\n }\n } catch (e) {\n this.logger.warn({ tag: this.updateOrCreateUser.name, msg: `unable to update user *${user.login}* : ${e}` })\n }\n }\n\n return user\n }\n\n private extractLoginAndEmail(userInfo: UserInfoResponse) {\n const email = userInfo.email ? userInfo.email.trim() : undefined\n if (!email) {\n throw new HttpException('No email address found in the OIDC profile', HttpStatus.BAD_REQUEST)\n }\n\n const login = userInfo.preferred_username ?? (email ? email.split('@')[0] : undefined) ?? userInfo.sub\n if (!login) {\n throw new HttpException('Unable to determine the OIDC profile login', HttpStatus.BAD_REQUEST)\n }\n\n return { login: login.trim().toLowerCase(), email }\n }\n}\n"],"names":["AuthProviderOIDC","validateUser","login","password","ip","scope","user","usersManager","findUser","isGuest","isAdmin","oidcConfig","options","enablePasswordAuth","logUser","getConfig","config","initializeOIDCClient","getAuthorizationUrl","res","desktopPort","redirectURI","getRedirectURI","state","randomState","nonce","randomNonce","supportsPKCE","serverMetadata","codeVerifier","randomPKCECodeVerifier","undefined","authUrl","URL","authorization_endpoint","searchParams","set","clientId","security","codeChallenge","calculatePKCECodeChallenge","header","setCookie","OAuthCookie","State","OAuthCookieSettings","Nonce","CodeVerifier","toString","handleCallback","req","query","expectedState","expectedNonce","cookies","length","HttpException","HttpStatus","BAD_REQUEST","pkceCodeVerifier","callbackParams","URLSearchParams","get","OAuthDesktopPortParam","delete","callbackUrl","search","tokens","authorizationCodeGrant","claims","sub","subject","skipSubjectCheck","userInfo","fetchUserInfo","access_token","Error","processUserInfo","error","AuthorizationResponseError","logger","tag","name","msg","code","error_description","getStatus","status","INTERNAL_SERVER_ERROR","Object","values","forEach","value","clearCookie","path","getRedirectCallbackUrl","accessExpiration","refreshExpiration","frontendBaseUrl","url","redirectUri","apiIndex","pathname","indexOf","AUTH_ROUTE","BASE","origin","slice","params","AUTH_PROVIDER","OIDC","TOKEN_TYPE","ACCESS","REFRESH","hash","Number","isInteger","OAuthDesktopLoopbackPorts","has","OAuthDesktopCallBackURI","issuerUrl","discovery","client_secret","clientSecret","response_types","id_token_signed_response_alg","tokenSigningAlg","userinfo_signed_response_alg","userInfoSigningAlg","getTokenAuthMethod","tokenEndpointAuthMethod","execute","allowInsecureRequests","timeout","log","cause","SERVICE_UNAVAILABLE","GATEWAY_TIMEOUT","None","OAuthTokenEndpoint","ClientSecretPost","ClientSecretBasic","email","extractLoginAndEmail","autoCreateUser","warn","UNAUTHORIZED","checkAdminRole","identity","createIdentity","updateOrCreateUser","updateAccesses","catch","e","adminRoleOrGroup","Array","isArray","groups","roles","includes","firstName","given_name","lastName","family_name","names","splitFullName","role","USER_ROLE","ADMINISTRATOR","USER","userWithPassword","generateShortUUID","permissions","autoCreatePermissions","join","createdUser","adminUsersManager","createUserOrGuest","freshUser","fromUserId","id","NOT_FOUND","identityHasChanged","fromEntries","keys","filter","key","map","Boolean","updateUserOrGuest","assign","setFullName","trim","preferred_username","split","toLowerCase","Logger","configuration","auth","oidc"],"mappings":";;;;+BAqCaA;;;eAAAA;;;wBArCiD;8BAmBvD;sBACmB;0CAGQ;qCACL;2BACoB;mCACnB;wBACH;gCAEA;wCACG;0CAE4D;mCAErB;;;;;;;;;;AAG9D,IAAA,AAAMA,mBAAN,MAAMA;IAWX,MAAMC,aAAaC,KAAa,EAAEC,QAAgB,EAAEC,EAAW,EAAEC,KAAkB,EAAsB;QACvG,gDAAgD;QAChD,MAAMC,OAAkB,MAAM,IAAI,CAACC,YAAY,CAACC,QAAQ,CAACN,OAAO;QAEhE,IAAI,CAACI,MAAM;YACT,OAAO;QACT;QAEA,IAAIA,KAAKG,OAAO,IAAIH,KAAKI,OAAO,IAAIL,SAAS,IAAI,CAACM,UAAU,CAACC,OAAO,CAACC,kBAAkB,EAAE;YACvF,2CAA2C;YAC3C,gBAAgB;YAChB,qCAAqC;YACrC,uCAAuC;YACvC,0DAA0D;YAC1D,OAAO,IAAI,CAACN,YAAY,CAACO,OAAO,CAACR,MAAMH,UAAUC,IAAIC;QACvD;QAEA,OAAO;IACT;IAEA,MAAMU,YAAoC;QACxC,IAAI,CAAC,IAAI,CAACC,MAAM,EAAE;YAChB,IAAI,CAACA,MAAM,GAAG,MAAM,IAAI,CAACC,oBAAoB;QAC/C;QACA,OAAO,IAAI,CAACD,MAAM;IACpB;IAEA,MAAME,oBAAoBC,GAAiB,EAAEC,WAAoB,EAAmB;QAClF,MAAMC,cAAc,IAAI,CAACC,cAAc,CAACF;QACxC,MAAMJ,SAAS,MAAM,IAAI,CAACD,SAAS;QAEnC,6FAA6F;QAC7F,MAAMQ,QAAQC,IAAAA,yBAAW;QACzB,MAAMC,QAAQC,IAAAA,yBAAW;QAEzB,MAAMC,eAAeX,OAAOY,cAAc,GAAGD,YAAY;QACzD,MAAME,eAAeF,eAAeG,IAAAA,oCAAsB,MAAKC;QAE/D,MAAMC,UAAU,IAAIC,IAAIjB,OAAOY,cAAc,GAAGM,sBAAsB;QACtEF,QAAQG,YAAY,CAACC,GAAG,CAAC,aAAa,IAAI,CAACzB,UAAU,CAAC0B,QAAQ;QAC9DL,QAAQG,YAAY,CAACC,GAAG,CAAC,gBAAgBf;QACzCW,QAAQG,YAAY,CAACC,GAAG,CAAC,iBAAiB;QAC1CJ,QAAQG,YAAY,CAACC,GAAG,CAAC,SAAS,IAAI,CAACzB,UAAU,CAAC2B,QAAQ,CAACjC,KAAK;QAChE2B,QAAQG,YAAY,CAACC,GAAG,CAAC,SAASb;QAClCS,QAAQG,YAAY,CAACC,GAAG,CAAC,SAASX;QAClC,IAAIE,cAAc;YAChB,MAAMY,gBAAgB,MAAMC,IAAAA,wCAA0B,EAACX;YACvDG,QAAQG,YAAY,CAACC,GAAG,CAAC,kBAAkBG;YAC3CP,QAAQG,YAAY,CAACC,GAAG,CAAC,yBAAyB;QACpD;QAEA,cAAc;QACdjB,IACGsB,MAAM,CAAC,iBAAiB,kDACxBA,MAAM,CAAC,UAAU,YACjBA,MAAM,CAAC,WAAW,KAClBA,MAAM,CAAC,gBAAgB,qBACvBA,MAAM,CAAC,mBAAmB;QAE7B,mFAAmF;QACnFtB,IAAIuB,SAAS,CAACC,8BAAW,CAACC,KAAK,EAAErB,OAAOsB,sCAAmB;QAC3D1B,IAAIuB,SAAS,CAACC,8BAAW,CAACG,KAAK,EAAErB,OAAOoB,sCAAmB;QAC3D,IAAIlB,cAAc;YAChBR,IAAIuB,SAAS,CAACC,8BAAW,CAACI,YAAY,EAAElB,cAAcgB,sCAAmB;QAC3E;QACA,OAAOb,QAAQgB,QAAQ;IACzB;IAEA,MAAMC,eAAeC,GAAmB,EAAE/B,GAAiB,EAAEgC,KAA6B,EAAsB;QAC9G,MAAMnC,SAAS,MAAM,IAAI,CAACD,SAAS;QACnC,MAAMY,eAAeX,OAAOY,cAAc,GAAGD,YAAY;QACzD,MAAM,CAACyB,eAAeC,eAAexB,aAAa,GAAG;YACnDqB,IAAII,OAAO,CAACX,8BAAW,CAACC,KAAK,CAAC;YAC9BM,IAAII,OAAO,CAACX,8BAAW,CAACG,KAAK,CAAC;YAC9BI,IAAII,OAAO,CAACX,8BAAW,CAACI,YAAY,CAAC;SACtC;QAED,IAAI;YACF,IAAI,CAACK,eAAeG,QAAQ;gBAC1B,MAAM,IAAIC,qBAAa,CAAC,0BAA0BC,kBAAU,CAACC,WAAW;YAC1E;YAEA,IAAI/B,gBAAgB,CAACE,cAAc0B,QAAQ;gBACzC,MAAM,IAAIC,qBAAa,CAAC,kCAAkCC,kBAAU,CAACC,WAAW;YAClF;YAEA,MAAMC,mBAAmBhC,eAAeE,eAAeE;YACvD,MAAM6B,iBAAiB,IAAIC,gBAAgBV;YAE3C,8BAA8B;YAC9B,MAAM/B,cAA6BwC,eAAeE,GAAG,CAACC,+CAAqB;YAC3E,IAAI3C,aAAa;gBACfwC,eAAeI,MAAM,CAACD,+CAAqB;YAC7C;YAEA,yCAAyC;YACzC,MAAME,cAAc,IAAIhC,IAAI,IAAI,CAACX,cAAc,CAACF;YAChD6C,YAAYC,MAAM,GAAGN,eAAeZ,QAAQ;YAC5C,MAAMmB,SAAS,MAAMC,IAAAA,oCAAsB,EAACpD,QAAQiD,aAAa;gBAC/Db;gBACAO;gBACAN;YACF;YAEA,gCAAgC;YAChC,MAAMgB,SAAkBF,OAAOE,MAAM;YACrC,IAAI,CAACA,QAAQ;gBACX,MAAM,IAAIb,qBAAa,CAAC,4BAA4BC,kBAAU,CAACC,WAAW;YAC5E;YACA,IAAI,CAACW,OAAOC,GAAG,EAAE;gBACf,MAAM,IAAId,qBAAa,CAAC,yCAAyCC,kBAAU,CAACC,WAAW;YACzF;YAEA,2GAA2G;YAC3G,8FAA8F;YAC9F,MAAMa,UAAU,IAAI,CAAC5D,UAAU,CAAC2B,QAAQ,CAACkC,gBAAgB,GAAGA,8BAAgB,GAAGH,OAAOC,GAAG;YACzF,MAAMG,WAA6B,MAAMC,IAAAA,2BAAa,EAAC1D,QAAQmD,OAAOQ,YAAY,EAAEJ;YAEpF,IAAI,CAACE,SAASH,GAAG,EAAE;gBACjB,MAAM,IAAIM,MAAM;YAClB;YAEA,mDAAmD;YACnD,OAAO,MAAM,IAAI,CAACC,eAAe,CAACJ,UAAUvB,IAAI9C,EAAE;QACpD,EAAE,OAAO0E,OAAyD;YAChE,IAAIA,iBAAiBC,wCAA0B,EAAE;gBAC/C,IAAI,CAACC,MAAM,CAACF,KAAK,CAAC;oBAAEG,KAAK,IAAI,CAAChC,cAAc,CAACiC,IAAI;oBAAEC,KAAK,CAAC,qBAAqB,EAAEL,MAAMM,IAAI,CAAC,GAAG,EAAEN,MAAMO,iBAAiB,EAAE;gBAAC;gBAC1H,MAAM,IAAI7B,qBAAa,CAACsB,MAAMO,iBAAiB,EAAE5B,kBAAU,CAACC,WAAW;YACzE,OAAO;gBACL,IAAI,CAACsB,MAAM,CAACF,KAAK,CAAC;oBAAEG,KAAK,IAAI,CAAChC,cAAc,CAACiC,IAAI;oBAAEC,KAAK,CAAC,qBAAqB,EAAEL,OAAO;gBAAC;gBACxF,MAAM,IAAItB,qBAAa,CACrBsB,MAAMO,iBAAiB,IAAI,8BAC3BP,iBAAiBtB,qBAAa,GAAGsB,MAAMQ,SAAS,KAAMR,MAAMS,MAAM,IAAI9B,kBAAU,CAAC+B,qBAAqB;YAE1G;QACF,SAAU;YACR,2DAA2D;YAC3DC,OAAOC,MAAM,CAAC/C,8BAAW,EAAEgD,OAAO,CAAC,CAACC;gBAClCzE,IAAI0E,WAAW,CAACD,OAAO;oBAAEE,MAAM;gBAAI;YACrC;QACF;IACF;IAEAC,uBAAuBC,gBAAwB,EAAEC,iBAAyB,EAAE;QAC1E,IAAI,CAAC,IAAI,CAACC,eAAe,EAAE;YACzB,MAAMC,MAAM,IAAIlE,IAAI,IAAI,CAACtB,UAAU,CAACyF,WAAW;YAC/C,MAAMC,WAAWF,IAAIG,QAAQ,CAACC,OAAO,CAACC,kBAAU,CAACC,IAAI;YACrD,IAAI,CAACP,eAAe,GAAGG,YAAY,IAAI,GAAGF,IAAIO,MAAM,GAAGP,IAAIG,QAAQ,CAACK,KAAK,CAAC,GAAGN,WAAW,GAAGF,IAAIO,MAAM;QACvG;QACA,MAAMP,MAAM,IAAIlE,IAAI,IAAI,CAACiE,eAAe;QACxC,MAAMU,SAAS,IAAI/C,gBAAgB;YACjC,CAACgD,qCAAa,CAACC,IAAI,CAAC,EAAE;YACtB,CAAC,GAAGC,0BAAU,CAACC,MAAM,CAAC,WAAW,CAAC,CAAC,EAAE,GAAGhB,kBAAkB;YAC1D,CAAC,GAAGe,0BAAU,CAACE,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,GAAGhB,mBAAmB;QAC9D;QACAE,IAAIe,IAAI,GAAG,CAAC,EAAE,EAAEN,OAAO5D,QAAQ,IAAI;QACnC,OAAOmD,IAAInD,QAAQ;IACrB;IAEA1B,eAAeF,WAA6B,EAAU;QACpD,yBAAyB;QACzB,IAAI,CAACA,aAAa,OAAO,IAAI,CAACT,UAAU,CAACyF,WAAW;QACpD,uBAAuB;QACvB,IAAI,OAAOhF,gBAAgB,UAAU;YACnCA,cAAc+F,OAAO/F;QACvB;QACA,IAAI,CAAC+F,OAAOC,SAAS,CAAChG,gBAAgB,CAACiG,mDAAyB,CAACC,GAAG,CAAClG,cAAc;YACjF,MAAM,IAAIoC,qBAAa,CAAC,wBAAwBC,kBAAU,CAACC,WAAW;QACxE;QACA,+CAA+C;QAC/C,OAAO,CAAC,iBAAiB,EAAEtC,cAAcmG,iDAAuB,EAAE;IACpE;IAEA,MAActG,uBAA+C;QAC3D,IAAI;YACF,MAAMuG,YAAY,IAAIvF,IAAI,IAAI,CAACtB,UAAU,CAAC6G,SAAS;YACnD,MAAMxG,SAAwB,MAAMyG,IAAAA,uBAAS,EAC3CD,WACA,IAAI,CAAC7G,UAAU,CAAC0B,QAAQ,EACxB;gBACEqF,eAAe,IAAI,CAAC/G,UAAU,CAACgH,YAAY;gBAC3CC,gBAAgB;oBAAC;iBAAO;gBACxBC,8BAA8B,IAAI,CAAClH,UAAU,CAAC2B,QAAQ,CAACwF,eAAe;gBACtEC,8BAA8B,IAAI,CAACpH,UAAU,CAAC2B,QAAQ,CAAC0F,kBAAkB;YAC3E,GACA,IAAI,CAACC,kBAAkB,CAAC,IAAI,CAACtH,UAAU,CAAC2B,QAAQ,CAAC4F,uBAAuB,EAAE,IAAI,CAACvH,UAAU,CAACgH,YAAY,GACtG;gBACEQ,SAAS;oBAACC,mCAAqB;iBAAC;gBAChCC,SAAS;YACX;YAEF,IAAI,CAACrD,MAAM,CAACsD,GAAG,CAAC;gBAAErD,KAAK,IAAI,CAAChE,oBAAoB,CAACiE,IAAI;gBAAEC,KAAK,CAAC,iDAAiD,EAAE,IAAI,CAACxE,UAAU,CAAC6G,SAAS,EAAE;YAAC;YAC5I,OAAOxG;QACT,EAAE,OAAO8D,OAAO;YACd,IAAI,CAACE,MAAM,CAACF,KAAK,CAAC;gBAAEG,KAAK,IAAI,CAAChE,oBAAoB,CAACiE,IAAI;gBAAEC,KAAK,CAAC,mCAAmC,EAAEL,OAAOyD,SAASzD,OAAO;YAAC;YAC5H,OAAQA,MAAMyD,KAAK,EAAEnD;gBACnB,KAAK;gBACL,KAAK;oBACH,MAAM,IAAI5B,qBAAa,CAAC,6BAA6BC,kBAAU,CAAC+E,mBAAmB;gBAErF,KAAK;oBACH,MAAM,IAAIhF,qBAAa,CAAC,yBAAyBC,kBAAU,CAACgF,eAAe;gBAE7E;oBACE,MAAM,IAAIjF,qBAAa,CAAC,qCAAqCC,kBAAU,CAAC+B,qBAAqB;YACjG;QACF;IACF;IAEQyC,mBAAmBC,uBAA2C,EAAEP,YAAqB,EAAE;QAC7F,IAAI,CAACA,cAAc;YACjB,OAAOe,IAAAA,kBAAI;QACb;QAEA,OAAQR;YACN,KAAKS,qCAAkB,CAACC,gBAAgB;gBAAE;oBACxC,OAAOA,IAAAA,8BAAgB,EAACjB;gBAC1B;YAEA,KAAKgB,qCAAkB,CAACE,iBAAiB;gBAAE;oBACzC,OAAOA,IAAAA,+BAAiB,EAAClB;gBAC3B;YAEA;gBAAS;oBACP,OAAOe,IAAAA,kBAAI;gBACb;QACF;IACF;IAEA,MAAc7D,gBAAgBJ,QAA0B,EAAErE,EAAW,EAAsB;QACzF,2BAA2B;QAC3B,MAAM,EAAEF,KAAK,EAAE4I,KAAK,EAAE,GAAG,IAAI,CAACC,oBAAoB,CAACtE;QAEnD,uBAAuB;QACvB,IAAInE,OAAkB,MAAM,IAAI,CAACC,YAAY,CAACC,QAAQ,CAACsI,SAAS5I,OAAO;QAEvE,IAAI,CAACI,QAAQ,CAAC,IAAI,CAACK,UAAU,CAACC,OAAO,CAACoI,cAAc,EAAE;YACpD,IAAI,CAAChE,MAAM,CAACiE,IAAI,CAAC;gBAAEhE,KAAK,IAAI,CAACJ,eAAe,CAACK,IAAI;gBAAEC,KAAK,CAAC,6CAA6C,CAAC;YAAC;YACxG,MAAM,IAAI3B,qBAAa,CAAC,kBAAkBC,kBAAU,CAACyF,YAAY;QACnE;QAEA,0DAA0D;QAC1D,MAAMxI,UAAU,IAAI,CAACyI,cAAc,CAAC1E;QAEpC,kBAAkB;QAClB,MAAM2E,WAAW,IAAI,CAACC,cAAc,CAACnJ,OAAO4I,OAAOrE,UAAU/D;QAE7D,wBAAwB;QACxBJ,OAAO,MAAM,IAAI,CAACgJ,kBAAkB,CAACF,UAAU9I;QAE/C,yBAAyB;QACzB,IAAI,CAACC,YAAY,CAACgJ,cAAc,CAACjJ,MAAMF,IAAI,MAAMoJ,KAAK,CAAC,CAACC,IAAa,IAAI,CAACzE,MAAM,CAACF,KAAK,CAAC;gBAAEG,KAAK,IAAI,CAACJ,eAAe,CAACK,IAAI;gBAAEC,KAAK,GAAGsE,GAAG;YAAC;QAErI,OAAOnJ;IACT;IAEQ6I,eAAe1E,QAA0B,EAAW;QAC1D,IAAI,CAAC,IAAI,CAAC9D,UAAU,CAACC,OAAO,CAAC8I,gBAAgB,EAAE;YAC7C,OAAO;QACT;QAEA,eAAe;QACf,MAAMrF,SAAS;eAAKsF,MAAMC,OAAO,CAACnF,SAASoF,MAAM,IAAIpF,SAASoF,MAAM,GAAG,EAAE;eAAOF,MAAMC,OAAO,CAACnF,SAASqF,KAAK,IAAIrF,SAASqF,KAAK,GAAG,EAAE;SAAE;QAErI,OAAOzF,OAAO0F,QAAQ,CAAC,IAAI,CAACpJ,UAAU,CAACC,OAAO,CAAC8I,gBAAgB;IACjE;IAEQL,eACNnJ,KAAa,EACb4I,KAAa,EACbrE,QAA0B,EAC1B/D,OAAgB,EACyC;QACzD,+BAA+B;QAC/B,IAAIsJ,YAAYvF,SAASwF,UAAU,IAAI;QACvC,IAAIC,WAAWzF,SAAS0F,WAAW,IAAI;QAEvC,gEAAgE;QAChE,IAAI,CAACH,aAAa,CAACE,YAAYzF,SAASS,IAAI,EAAE;YAC5C,MAAMkF,QAAQC,IAAAA,wBAAa,EAAC5F,SAASS,IAAI;YACzC8E,YAAYI,MAAMJ,SAAS;YAC3BE,WAAWE,MAAMF,QAAQ;QAC3B;QAEA,OAAO;YACLhK;YACA4I;YACAwB,MAAM5J,UAAU6J,eAAS,CAACC,aAAa,GAAGD,eAAS,CAACE,IAAI;YACxDT;YACAE;QACF;IACF;IAEA,MAAcZ,mBAAmBF,QAAiE,EAAE9I,IAAsB,EAAsB;QAC9I,IAAIA,SAAS,MAAM;YACjB,8FAA8F;YAC9F,MAAMoK,mBAAmB;gBACvB,GAAGtB,QAAQ;gBACXjJ,UAAUwK,IAAAA,4BAAiB,EAAC;gBAC5BC,aAAa,IAAI,CAACjK,UAAU,CAACC,OAAO,CAACiK,qBAAqB,CAACC,IAAI,CAAC;YAClE;YACA,MAAMC,cAAc,MAAM,IAAI,CAACC,iBAAiB,CAACC,iBAAiB,CAACP,kBAAkBtB,SAASkB,IAAI;YAClG,MAAMY,YAAY,MAAM,IAAI,CAAC3K,YAAY,CAAC4K,UAAU,CAACJ,YAAYK,EAAE;YACnE,IAAI,CAACF,WAAW;gBACd,IAAI,CAAClG,MAAM,CAACF,KAAK,CAAC;oBAAEG,KAAK,IAAI,CAACqE,kBAAkB,CAACpE,IAAI;oBAAEC,KAAK,CAAC,qBAAqB,EAAE4F,YAAY7K,KAAK,CAAC,EAAE,EAAE6K,YAAYK,EAAE,CAAC,CAAC,CAAC;gBAAC;gBAC5H,MAAM,IAAI5H,qBAAa,CAAC,kBAAkBC,kBAAU,CAAC4H,SAAS;YAChE;YACA,OAAOH;QACT;QAEA,6DAA6D;QAC7D,MAAMI,qBAAoC7F,OAAO8F,WAAW,CAC1D9F,OAAO+F,IAAI,CAACpC,UACTqC,MAAM,CAAC,CAACC,MAAQA,QAAQ,YACxBC,GAAG,CAAC,CAACD,MAAiBtC,QAAQ,CAACsC,IAAI,KAAKpL,IAAI,CAACoL,IAAI,GAAG;gBAACA;gBAAKtC,QAAQ,CAACsC,IAAI;aAAC,GAAG,MAC3ED,MAAM,CAACG;QAGZ,IAAInG,OAAO+F,IAAI,CAACF,oBAAoB/H,MAAM,GAAG,GAAG;YAC9C,IAAI;gBACF,IAAI+H,oBAAoBhB,QAAQ,MAAM;oBACpC,IAAIhK,KAAKgK,IAAI,KAAKC,eAAS,CAACC,aAAa,IAAI,CAAC,IAAI,CAAC7J,UAAU,CAACC,OAAO,CAAC8I,gBAAgB,EAAE;wBACtF,6EAA6E;wBAC7E,OAAO4B,mBAAmBhB,IAAI;oBAChC;gBACF;gBAEA,yBAAyB;gBACzB,MAAM,IAAI,CAACU,iBAAiB,CAACa,iBAAiB,CAACvL,KAAK8K,EAAE,EAAEE;gBAExD,2BAA2B;gBAC3B7F,OAAOqG,MAAM,CAACxL,MAAMgL;gBAEpB,IAAI,cAAcA,sBAAsB,eAAeA,oBAAoB;oBACzE,kDAAkD;oBAClDhL,KAAKyL,WAAW,CAAC;gBACnB;YACF,EAAE,OAAOtC,GAAG;gBACV,IAAI,CAACzE,MAAM,CAACiE,IAAI,CAAC;oBAAEhE,KAAK,IAAI,CAACqE,kBAAkB,CAACpE,IAAI;oBAAEC,KAAK,CAAC,uBAAuB,EAAE7E,KAAKJ,KAAK,CAAC,IAAI,EAAEuJ,GAAG;gBAAC;YAC5G;QACF;QAEA,OAAOnJ;IACT;IAEQyI,qBAAqBtE,QAA0B,EAAE;QACvD,MAAMqE,QAAQrE,SAASqE,KAAK,GAAGrE,SAASqE,KAAK,CAACkD,IAAI,KAAKjK;QACvD,IAAI,CAAC+G,OAAO;YACV,MAAM,IAAItF,qBAAa,CAAC,8CAA8CC,kBAAU,CAACC,WAAW;QAC9F;QAEA,MAAMxD,QAAQuE,SAASwH,kBAAkB,IAAKnD,CAAAA,QAAQA,MAAMoD,KAAK,CAAC,IAAI,CAAC,EAAE,GAAGnK,SAAQ,KAAM0C,SAASH,GAAG;QACtG,IAAI,CAACpE,OAAO;YACV,MAAM,IAAIsD,qBAAa,CAAC,8CAA8CC,kBAAU,CAACC,WAAW;QAC9F;QAEA,OAAO;YAAExD,OAAOA,MAAM8L,IAAI,GAAGG,WAAW;YAAIrD;QAAM;IACpD;IA1WA,YACE,AAAiBvI,YAA0B,EAC3C,AAAiByK,iBAAoC,CACrD;aAFiBzK,eAAAA;aACAyK,oBAAAA;aAPFhG,SAAS,IAAIoH,cAAM,CAACpM,iBAAiBkF,IAAI;aACzCvE,aAAqC0L,gCAAa,CAACC,IAAI,CAACC,IAAI;aAErEvL,SAAwB;IAK7B;AAwWL"}