@sync-in/server 1.3.0

package/server/authentication/services/auth-manager.service.js

@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthManager", {
+    enumerable: true,
+    get: function() {
+        return AuthManager;
+    }
+});
+const _cookie = require("@fastify/cookie");
+const _common = require("@nestjs/common");
+const _config = require("@nestjs/config");
+const _jwt = require("@nestjs/jwt");
+const _nodecrypto = /*#__PURE__*/ _interop_require_default(require("node:crypto"));
+const _applicationsconstants = require("../../applications/applications.constants");
+const _functions = require("../../common/functions");
+const _shared = require("../../common/shared");
+const _auth = require("../constants/auth");
+const _loginresponsedto = require("../dto/login-response.dto");
+const _tokeninterface = require("../interfaces/token.interface");
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let AuthManager = class AuthManager {
+    async getTokens(user, refresh = false) {
+        const currentTime = (0, _shared.currentTimeStamp)();
+        if (refresh && user.exp < currentTime) {
+            this.logger.error(`${this.getTokens.name} - token refresh has incorrect expiration : *${user.login}*`);
+            throw new _common.HttpException('Token has expired', _common.HttpStatus.FORBIDDEN);
+        }
+        const accessExpiration = (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token.access.expiration);
+        const refreshExpiration = refresh ? user.exp - currentTime : (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token.refresh.expiration);
+        return {
+            [_tokeninterface.TOKEN_TYPE.ACCESS]: await this.jwtSign(user, _tokeninterface.TOKEN_TYPE.ACCESS, accessExpiration),
+            [_tokeninterface.TOKEN_TYPE.REFRESH]: await this.jwtSign(user, _tokeninterface.TOKEN_TYPE.REFRESH, refreshExpiration),
+            [`${_tokeninterface.TOKEN_TYPE.ACCESS}_expiration`]: accessExpiration + currentTime,
+            [`${_tokeninterface.TOKEN_TYPE.REFRESH}_expiration`]: refreshExpiration + currentTime
+        };
+    }
+    async setCookies(user, res) {
+        const response = new _loginresponsedto.LoginResponseDto(user);
+        const currentTime = (0, _shared.currentTimeStamp)();
+        const csrfToken = _nodecrypto.default.randomUUID();
+        for (const type of _auth.TOKEN_TYPES){
+            const tokenExpiration = (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token[type].expiration);
+            const cookieValue = type === _tokeninterface.TOKEN_TYPE.CSRF ? csrfToken : await this.jwtSign(user, type, tokenExpiration, csrfToken);
+            res.setCookie(this.authConfig.token[type].name, cookieValue, {
+                signed: type === _tokeninterface.TOKEN_TYPE.CSRF,
+                path: _auth.TOKEN_PATHS[type],
+                maxAge: (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token[type].cookieMaxAge),
+                httpOnly: type !== _tokeninterface.TOKEN_TYPE.CSRF
+            });
+            if (type === _tokeninterface.TOKEN_TYPE.ACCESS || type === _tokeninterface.TOKEN_TYPE.REFRESH) {
+                response.token[`${type}_expiration`] = tokenExpiration + currentTime;
+            }
+        }
+        return response;
+    }
+    async refreshCookies(user, res) {
+        const response = {};
+        const currentTime = (0, _shared.currentTimeStamp)();
+        let refreshTokenExpiration;
+        let refreshMaxAge;
+        // refresh cookie must have the `exp` attribute
+        // reuse token expiration to make it final
+        if (user.exp && user.exp > currentTime) {
+            refreshTokenExpiration = user.exp - currentTime;
+            refreshMaxAge = refreshTokenExpiration;
+        } else {
+            this.logger.error(`${this.refreshCookies.name} - token ${_tokeninterface.TOKEN_TYPE.REFRESH} has incorrect expiration : *${user.login}*`);
+            throw new _common.HttpException('Token has expired', _common.HttpStatus.FORBIDDEN);
+        }
+        const csrfToken = _nodecrypto.default.randomUUID();
+        for (const type of _auth.TOKEN_TYPES){
+            const tokenExpiration = type === _tokeninterface.TOKEN_TYPE.REFRESH ? refreshTokenExpiration : (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token[type].expiration);
+            const maxAge = type === _tokeninterface.TOKEN_TYPE.REFRESH ? refreshMaxAge : (0, _functions.convertHumanTimeToSeconds)(this.authConfig.token[type].cookieMaxAge);
+            const cookieValue = type === _tokeninterface.TOKEN_TYPE.CSRF ? csrfToken : await this.jwtSign(user, type, tokenExpiration, csrfToken);
+            res.setCookie(this.authConfig.token[type].name, cookieValue, {
+                signed: type === _tokeninterface.TOKEN_TYPE.CSRF,
+                path: _auth.TOKEN_PATHS[type],
+                maxAge: maxAge,
+                httpOnly: type !== _tokeninterface.TOKEN_TYPE.CSRF
+            });
+            if (type === _tokeninterface.TOKEN_TYPE.ACCESS || type === _tokeninterface.TOKEN_TYPE.REFRESH) {
+                response[`${type}_expiration`] = tokenExpiration + currentTime;
+            }
+        }
+        return response;
+    }
+    async clearCookies(res) {
+        for (const [type, path] of Object.entries(_auth.TOKEN_PATHS)){
+            res.clearCookie(this.authConfig.token[type].name, {
+                path: path,
+                httpOnly: type !== _tokeninterface.TOKEN_TYPE.CSRF
+            });
+        }
+    }
+    jwtSign(user, type, expiration, csrfToken) {
+        return this.jwt.signAsync({
+            identity: {
+                id: user.id,
+                login: user.login,
+                email: user.email,
+                fullName: user.fullName,
+                role: user.role,
+                applications: user.applications,
+                impersonatedFromId: user.impersonatedFromId || undefined,
+                impersonatedClientId: user.impersonatedClientId || undefined,
+                clientId: user.clientId || undefined
+            },
+            ...(type === _tokeninterface.TOKEN_TYPE.ACCESS || type === _tokeninterface.TOKEN_TYPE.REFRESH) && {
+                csrf: csrfToken
+            }
+        }, {
+            secret: this.authConfig.token[type].secret,
+            expiresIn: expiration
+        });
+    }
+    csrfValidation(req, jwtPayload, type) {
+        // ignore safe methods
+        if (_applicationsconstants.HTTP_CSRF_IGNORED_METHODS.has(req.method)) {
+            return;
+        }
+        // check csrf only for access & refresh cookies
+        if (typeof req.cookies !== 'object' || req.cookies[this.authConfig.token[type].name] === undefined) {
+            return;
+        }
+        if (!jwtPayload.csrf) {
+            this.logger.warn(`${this.csrfValidation.name} - ${_auth.CSRF_ERROR.MISSING_JWT}`);
+            throw new _common.HttpException(_auth.CSRF_ERROR.MISSING_JWT, _common.HttpStatus.FORBIDDEN);
+        }
+        if (!req.headers[_auth.CSRF_KEY]) {
+            this.logger.warn(`${this.csrfValidation.name} - ${_auth.CSRF_ERROR.MISSING_HEADERS}`);
+            throw new _common.HttpException(_auth.CSRF_ERROR.MISSING_HEADERS, _common.HttpStatus.FORBIDDEN);
+        }
+        const csrfHeader = (0, _cookie.unsign)(req.headers[_auth.CSRF_KEY], this.authConfig.token.csrf.secret);
+        if (jwtPayload.csrf !== csrfHeader.value) {
+            this.logger.warn(`${this.csrfValidation.name} - ${_auth.CSRF_ERROR.MISMATCH}`);
+            throw new _common.HttpException(_auth.CSRF_ERROR.MISMATCH, _common.HttpStatus.FORBIDDEN);
+        }
+    }
+    constructor(jwt, config){
+        this.jwt = jwt;
+        this.config = config;
+        this.logger = new _common.Logger(AuthManager.name);
+        this.authConfig = this.config.get('auth');
+    }
+};
+AuthManager = _ts_decorate([
+    (0, _common.Injectable)(),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _jwt.JwtService === "undefined" ? Object : _jwt.JwtService,
+        typeof _config.ConfigService === "undefined" ? Object : _config.ConfigService
+    ])
+], AuthManager);
+
+//# sourceMappingURL=auth-manager.service.js.map

package/server/authentication/services/auth-manager.service.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../backend/src/authentication/services/auth-manager.service.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\nimport { unsign, UnsignResult } from '@fastify/cookie'\nimport { HttpException, HttpStatus, Injectable, Logger } from '@nestjs/common'\nimport { ConfigService } from '@nestjs/config'\nimport { JwtService } from '@nestjs/jwt'\nimport { FastifyReply, FastifyRequest } from 'fastify'\nimport crypto from 'node:crypto'\nimport { HTTP_CSRF_IGNORED_METHODS } from '../../applications/applications.constants'\nimport { UserModel } from '../../applications/users/models/user.model'\nimport { convertHumanTimeToSeconds } from '../../common/functions'\nimport { currentTimeStamp } from '../../common/shared'\nimport { AuthConfig } from '../auth.config'\nimport { CSRF_ERROR, CSRF_KEY, TOKEN_PATHS, TOKEN_TYPES } from '../constants/auth'\nimport { LoginResponseDto } from '../dto/login-response.dto'\nimport { TokenResponseDto } from '../dto/token-response.dto'\nimport { JwtIdentityPayload, JwtPayload } from '../interfaces/jwt-payload.interface'\nimport { TOKEN_TYPE } from '../interfaces/token.interface'\n\n@Injectable()\nexport class AuthManager {\n  private readonly logger = new Logger(AuthManager.name)\n  public readonly authConfig: AuthConfig\n\n  constructor(\n    private readonly jwt: JwtService,\n    private readonly config: ConfigService\n  ) {\n    this.authConfig = this.config.get<AuthConfig>('auth')\n  }\n\n  async getTokens(user: UserModel, refresh = false): Promise<TokenResponseDto> {\n    const currentTime = currentTimeStamp()\n    if (refresh && user.exp < currentTime) {\n      this.logger.error(`${this.getTokens.name} - token refresh has incorrect expiration : *${user.login}*`)\n      throw new HttpException('Token has expired', HttpStatus.FORBIDDEN)\n    }\n    const accessExpiration = convertHumanTimeToSeconds(this.authConfig.token.access.expiration)\n    const refreshExpiration = refresh ? user.exp - currentTime : convertHumanTimeToSeconds(this.authConfig.token.refresh.expiration)\n    return {\n      [TOKEN_TYPE.ACCESS]: await this.jwtSign(user, TOKEN_TYPE.ACCESS, accessExpiration),\n      [TOKEN_TYPE.REFRESH]: await this.jwtSign(user, TOKEN_TYPE.REFRESH, refreshExpiration),\n      [`${TOKEN_TYPE.ACCESS}_expiration`]: accessExpiration + currentTime,\n      [`${TOKEN_TYPE.REFRESH}_expiration`]: refreshExpiration + currentTime\n    }\n  }\n\n  async setCookies(user: UserModel, res: FastifyReply): Promise<LoginResponseDto> {\n    const response = new LoginResponseDto(user)\n    const currentTime = currentTimeStamp()\n    const csrfToken: string = crypto.randomUUID()\n    for (const type of TOKEN_TYPES) {\n      const tokenExpiration = convertHumanTimeToSeconds(this.authConfig.token[type].expiration)\n      const cookieValue: string = type === TOKEN_TYPE.CSRF ? csrfToken : await this.jwtSign(user, type, tokenExpiration, csrfToken)\n      res.setCookie(this.authConfig.token[type].name, cookieValue, {\n        signed: type === TOKEN_TYPE.CSRF,\n        path: TOKEN_PATHS[type],\n        maxAge: convertHumanTimeToSeconds(this.authConfig.token[type].cookieMaxAge),\n        httpOnly: type !== TOKEN_TYPE.CSRF\n      })\n      if (type === TOKEN_TYPE.ACCESS || type === TOKEN_TYPE.REFRESH) {\n        response.token[`${type}_expiration`] = tokenExpiration + currentTime\n      }\n    }\n    return response\n  }\n\n  async refreshCookies(user: UserModel, res: FastifyReply): Promise<TokenResponseDto> {\n    const response = {} as TokenResponseDto\n    const currentTime = currentTimeStamp()\n    let refreshTokenExpiration: number\n    let refreshMaxAge: number\n    // refresh cookie must have the `exp` attribute\n    // reuse token expiration to make it final\n    if (user.exp && user.exp > currentTime) {\n      refreshTokenExpiration = user.exp - currentTime\n      refreshMaxAge = refreshTokenExpiration\n    } else {\n      this.logger.error(`${this.refreshCookies.name} - token ${TOKEN_TYPE.REFRESH} has incorrect expiration : *${user.login}*`)\n      throw new HttpException('Token has expired', HttpStatus.FORBIDDEN)\n    }\n    const csrfToken: string = crypto.randomUUID()\n    for (const type of TOKEN_TYPES) {\n      const tokenExpiration = type === TOKEN_TYPE.REFRESH ? refreshTokenExpiration : convertHumanTimeToSeconds(this.authConfig.token[type].expiration)\n      const maxAge = type === TOKEN_TYPE.REFRESH ? refreshMaxAge : convertHumanTimeToSeconds(this.authConfig.token[type].cookieMaxAge)\n      const cookieValue: string = type === TOKEN_TYPE.CSRF ? csrfToken : await this.jwtSign(user, type, tokenExpiration, csrfToken)\n      res.setCookie(this.authConfig.token[type].name, cookieValue, {\n        signed: type === TOKEN_TYPE.CSRF,\n        path: TOKEN_PATHS[type],\n        maxAge: maxAge,\n        httpOnly: type !== TOKEN_TYPE.CSRF\n      })\n      if (type === TOKEN_TYPE.ACCESS || type === TOKEN_TYPE.REFRESH) {\n        response[`${type}_expiration`] = tokenExpiration + currentTime\n      }\n    }\n    return response\n  }\n\n  async clearCookies(res: FastifyReply) {\n    for (const [type, path] of Object.entries(TOKEN_PATHS)) {\n      res.clearCookie(this.authConfig.token[type].name, { path: path, httpOnly: type !== TOKEN_TYPE.CSRF })\n    }\n  }\n\n  private jwtSign(user: UserModel, type: TOKEN_TYPE, expiration: number, csrfToken?: string): Promise<string> {\n    return this.jwt.signAsync(\n      {\n        identity: {\n          id: user.id,\n          login: user.login,\n          email: user.email,\n          fullName: user.fullName,\n          role: user.role,\n          applications: user.applications,\n          impersonatedFromId: user.impersonatedFromId || undefined,\n          impersonatedClientId: user.impersonatedClientId || undefined,\n          clientId: user.clientId || undefined\n        } satisfies JwtIdentityPayload,\n        ...((type === TOKEN_TYPE.ACCESS || type === TOKEN_TYPE.REFRESH) && { csrf: csrfToken })\n      },\n      {\n        secret: this.authConfig.token[type].secret,\n        expiresIn: expiration\n      }\n    )\n  }\n\n  csrfValidation(req: FastifyRequest, jwtPayload: JwtPayload, type: TOKEN_TYPE.ACCESS | TOKEN_TYPE.REFRESH): void {\n    // ignore safe methods\n    if (HTTP_CSRF_IGNORED_METHODS.has(req.method)) {\n      return\n    }\n\n    // check csrf only for access & refresh cookies\n    if (typeof req.cookies !== 'object' || req.cookies[this.authConfig.token[type].name] === undefined) {\n      return\n    }\n\n    if (!jwtPayload.csrf) {\n      this.logger.warn(`${this.csrfValidation.name} - ${CSRF_ERROR.MISSING_JWT}`)\n      throw new HttpException(CSRF_ERROR.MISSING_JWT, HttpStatus.FORBIDDEN)\n    }\n\n    if (!req.headers[CSRF_KEY]) {\n      this.logger.warn(`${this.csrfValidation.name} - ${CSRF_ERROR.MISSING_HEADERS}`)\n      throw new HttpException(CSRF_ERROR.MISSING_HEADERS, HttpStatus.FORBIDDEN)\n    }\n\n    const csrfHeader: UnsignResult = unsign(req.headers[CSRF_KEY] as string, this.authConfig.token.csrf.secret)\n    if (jwtPayload.csrf !== csrfHeader.value) {\n      this.logger.warn(`${this.csrfValidation.name} - ${CSRF_ERROR.MISMATCH}`)\n      throw new HttpException(CSRF_ERROR.MISMATCH, HttpStatus.FORBIDDEN)\n    }\n  }\n}\n"],"names":["AuthManager","getTokens","user","refresh","currentTime","currentTimeStamp","exp","logger","error","name","login","HttpException","HttpStatus","FORBIDDEN","accessExpiration","convertHumanTimeToSeconds","authConfig","token","access","expiration","refreshExpiration","TOKEN_TYPE","ACCESS","jwtSign","REFRESH","setCookies","res","response","LoginResponseDto","csrfToken","crypto","randomUUID","type","TOKEN_TYPES","tokenExpiration","cookieValue","CSRF","setCookie","signed","path","TOKEN_PATHS","maxAge","cookieMaxAge","httpOnly","refreshCookies","refreshTokenExpiration","refreshMaxAge","clearCookies","Object","entries","clearCookie","jwt","signAsync","identity","id","email","fullName","role","applications","impersonatedFromId","undefined","impersonatedClientId","clientId","csrf","secret","expiresIn","csrfValidation","req","jwtPayload","HTTP_CSRF_IGNORED_METHODS","has","method","cookies","warn","CSRF_ERROR","MISSING_JWT","headers","CSRF_KEY","MISSING_HEADERS","csrfHeader","unsign","value","MISMATCH","config","Logger","get"],"mappings":"AAAA;;;;CAIC;;;;+BAmBYA;;;eAAAA;;;wBAlBwB;wBACyB;wBAChC;qBACH;mEAER;uCACuB;2BAEA;wBACT;sBAE8B;kCAC9B;gCAGN;;;;;;;;;;;;;;;AAGpB,IAAA,AAAMA,cAAN,MAAMA;IAWX,MAAMC,UAAUC,IAAe,EAAEC,UAAU,KAAK,EAA6B;QAC3E,MAAMC,cAAcC,IAAAA,wBAAgB;QACpC,IAAIF,WAAWD,KAAKI,GAAG,GAAGF,aAAa;YACrC,IAAI,CAACG,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACP,SAAS,CAACQ,IAAI,CAAC,6CAA6C,EAAEP,KAAKQ,KAAK,CAAC,CAAC,CAAC;YACrG,MAAM,IAAIC,qBAAa,CAAC,qBAAqBC,kBAAU,CAACC,SAAS;QACnE;QACA,MAAMC,mBAAmBC,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACC,MAAM,CAACC,UAAU;QAC1F,MAAMC,oBAAoBjB,UAAUD,KAAKI,GAAG,GAAGF,cAAcW,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACd,OAAO,CAACgB,UAAU;QAC/H,OAAO;YACL,CAACE,0BAAU,CAACC,MAAM,CAAC,EAAE,MAAM,IAAI,CAACC,OAAO,CAACrB,MAAMmB,0BAAU,CAACC,MAAM,EAAER;YACjE,CAACO,0BAAU,CAACG,OAAO,CAAC,EAAE,MAAM,IAAI,CAACD,OAAO,CAACrB,MAAMmB,0BAAU,CAACG,OAAO,EAAEJ;YACnE,CAAC,GAAGC,0BAAU,CAACC,MAAM,CAAC,WAAW,CAAC,CAAC,EAAER,mBAAmBV;YACxD,CAAC,GAAGiB,0BAAU,CAACG,OAAO,CAAC,WAAW,CAAC,CAAC,EAAEJ,oBAAoBhB;QAC5D;IACF;IAEA,MAAMqB,WAAWvB,IAAe,EAAEwB,GAAiB,EAA6B;QAC9E,MAAMC,WAAW,IAAIC,kCAAgB,CAAC1B;QACtC,MAAME,cAAcC,IAAAA,wBAAgB;QACpC,MAAMwB,YAAoBC,mBAAM,CAACC,UAAU;QAC3C,KAAK,MAAMC,QAAQC,iBAAW,CAAE;YAC9B,MAAMC,kBAAkBnB,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACe,KAAK,CAACb,UAAU;YACxF,MAAMgB,cAAsBH,SAASX,0BAAU,CAACe,IAAI,GAAGP,YAAY,MAAM,IAAI,CAACN,OAAO,CAACrB,MAAM8B,MAAME,iBAAiBL;YACnHH,IAAIW,SAAS,CAAC,IAAI,CAACrB,UAAU,CAACC,KAAK,CAACe,KAAK,CAACvB,IAAI,EAAE0B,aAAa;gBAC3DG,QAAQN,SAASX,0BAAU,CAACe,IAAI;gBAChCG,MAAMC,iBAAW,CAACR,KAAK;gBACvBS,QAAQ1B,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACe,KAAK,CAACU,YAAY;gBAC1EC,UAAUX,SAASX,0BAAU,CAACe,IAAI;YACpC;YACA,IAAIJ,SAASX,0BAAU,CAACC,MAAM,IAAIU,SAASX,0BAAU,CAACG,OAAO,EAAE;gBAC7DG,SAASV,KAAK,CAAC,GAAGe,KAAK,WAAW,CAAC,CAAC,GAAGE,kBAAkB9B;YAC3D;QACF;QACA,OAAOuB;IACT;IAEA,MAAMiB,eAAe1C,IAAe,EAAEwB,GAAiB,EAA6B;QAClF,MAAMC,WAAW,CAAC;QAClB,MAAMvB,cAAcC,IAAAA,wBAAgB;QACpC,IAAIwC;QACJ,IAAIC;QACJ,+CAA+C;QAC/C,0CAA0C;QAC1C,IAAI5C,KAAKI,GAAG,IAAIJ,KAAKI,GAAG,GAAGF,aAAa;YACtCyC,yBAAyB3C,KAAKI,GAAG,GAAGF;YACpC0C,gBAAgBD;QAClB,OAAO;YACL,IAAI,CAACtC,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACoC,cAAc,CAACnC,IAAI,CAAC,SAAS,EAAEY,0BAAU,CAACG,OAAO,CAAC,6BAA6B,EAAEtB,KAAKQ,KAAK,CAAC,CAAC,CAAC;YACxH,MAAM,IAAIC,qBAAa,CAAC,qBAAqBC,kBAAU,CAACC,SAAS;QACnE;QACA,MAAMgB,YAAoBC,mBAAM,CAACC,UAAU;QAC3C,KAAK,MAAMC,QAAQC,iBAAW,CAAE;YAC9B,MAAMC,kBAAkBF,SAASX,0BAAU,CAACG,OAAO,GAAGqB,yBAAyB9B,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACe,KAAK,CAACb,UAAU;YAC/I,MAAMsB,SAAST,SAASX,0BAAU,CAACG,OAAO,GAAGsB,gBAAgB/B,IAAAA,oCAAyB,EAAC,IAAI,CAACC,UAAU,CAACC,KAAK,CAACe,KAAK,CAACU,YAAY;YAC/H,MAAMP,cAAsBH,SAASX,0BAAU,CAACe,IAAI,GAAGP,YAAY,MAAM,IAAI,CAACN,OAAO,CAACrB,MAAM8B,MAAME,iBAAiBL;YACnHH,IAAIW,SAAS,CAAC,IAAI,CAACrB,UAAU,CAACC,KAAK,CAACe,KAAK,CAACvB,IAAI,EAAE0B,aAAa;gBAC3DG,QAAQN,SAASX,0BAAU,CAACe,IAAI;gBAChCG,MAAMC,iBAAW,CAACR,KAAK;gBACvBS,QAAQA;gBACRE,UAAUX,SAASX,0BAAU,CAACe,IAAI;YACpC;YACA,IAAIJ,SAASX,0BAAU,CAACC,MAAM,IAAIU,SAASX,0BAAU,CAACG,OAAO,EAAE;gBAC7DG,QAAQ,CAAC,GAAGK,KAAK,WAAW,CAAC,CAAC,GAAGE,kBAAkB9B;YACrD;QACF;QACA,OAAOuB;IACT;IAEA,MAAMoB,aAAarB,GAAiB,EAAE;QACpC,KAAK,MAAM,CAACM,MAAMO,KAAK,IAAIS,OAAOC,OAAO,CAACT,iBAAW,EAAG;YACtDd,IAAIwB,WAAW,CAAC,IAAI,CAAClC,UAAU,CAACC,KAAK,CAACe,KAAK,CAACvB,IAAI,EAAE;gBAAE8B,MAAMA;gBAAMI,UAAUX,SAASX,0BAAU,CAACe,IAAI;YAAC;QACrG;IACF;IAEQb,QAAQrB,IAAe,EAAE8B,IAAgB,EAAEb,UAAkB,EAAEU,SAAkB,EAAmB;QAC1G,OAAO,IAAI,CAACsB,GAAG,CAACC,SAAS,CACvB;YACEC,UAAU;gBACRC,IAAIpD,KAAKoD,EAAE;gBACX5C,OAAOR,KAAKQ,KAAK;gBACjB6C,OAAOrD,KAAKqD,KAAK;gBACjBC,UAAUtD,KAAKsD,QAAQ;gBACvBC,MAAMvD,KAAKuD,IAAI;gBACfC,cAAcxD,KAAKwD,YAAY;gBAC/BC,oBAAoBzD,KAAKyD,kBAAkB,IAAIC;gBAC/CC,sBAAsB3D,KAAK2D,oBAAoB,IAAID;gBACnDE,UAAU5D,KAAK4D,QAAQ,IAAIF;YAC7B;YACA,GAAI,AAAC5B,CAAAA,SAASX,0BAAU,CAACC,MAAM,IAAIU,SAASX,0BAAU,CAACG,OAAO,AAAD,KAAM;gBAAEuC,MAAMlC;YAAU,CAAC;QACxF,GACA;YACEmC,QAAQ,IAAI,CAAChD,UAAU,CAACC,KAAK,CAACe,KAAK,CAACgC,MAAM;YAC1CC,WAAW9C;QACb;IAEJ;IAEA+C,eAAeC,GAAmB,EAAEC,UAAsB,EAAEpC,IAA4C,EAAQ;QAC9G,sBAAsB;QACtB,IAAIqC,gDAAyB,CAACC,GAAG,CAACH,IAAII,MAAM,GAAG;YAC7C;QACF;QAEA,+CAA+C;QAC/C,IAAI,OAAOJ,IAAIK,OAAO,KAAK,YAAYL,IAAIK,OAAO,CAAC,IAAI,CAACxD,UAAU,CAACC,KAAK,CAACe,KAAK,CAACvB,IAAI,CAAC,KAAKmD,WAAW;YAClG;QACF;QAEA,IAAI,CAACQ,WAAWL,IAAI,EAAE;YACpB,IAAI,CAACxD,MAAM,CAACkE,IAAI,CAAC,GAAG,IAAI,CAACP,cAAc,CAACzD,IAAI,CAAC,GAAG,EAAEiE,gBAAU,CAACC,WAAW,EAAE;YAC1E,MAAM,IAAIhE,qBAAa,CAAC+D,gBAAU,CAACC,WAAW,EAAE/D,kBAAU,CAACC,SAAS;QACtE;QAEA,IAAI,CAACsD,IAAIS,OAAO,CAACC,cAAQ,CAAC,EAAE;YAC1B,IAAI,CAACtE,MAAM,CAACkE,IAAI,CAAC,GAAG,IAAI,CAACP,cAAc,CAACzD,IAAI,CAAC,GAAG,EAAEiE,gBAAU,CAACI,eAAe,EAAE;YAC9E,MAAM,IAAInE,qBAAa,CAAC+D,gBAAU,CAACI,eAAe,EAAElE,kBAAU,CAACC,SAAS;QAC1E;QAEA,MAAMkE,aAA2BC,IAAAA,cAAM,EAACb,IAAIS,OAAO,CAACC,cAAQ,CAAC,EAAY,IAAI,CAAC7D,UAAU,CAACC,KAAK,CAAC8C,IAAI,CAACC,MAAM;QAC1G,IAAII,WAAWL,IAAI,KAAKgB,WAAWE,KAAK,EAAE;YACxC,IAAI,CAAC1E,MAAM,CAACkE,IAAI,CAAC,GAAG,IAAI,CAACP,cAAc,CAACzD,IAAI,CAAC,GAAG,EAAEiE,gBAAU,CAACQ,QAAQ,EAAE;YACvE,MAAM,IAAIvE,qBAAa,CAAC+D,gBAAU,CAACQ,QAAQ,EAAEtE,kBAAU,CAACC,SAAS;QACnE;IACF;IAlIA,YACE,AAAiBsC,GAAe,EAChC,AAAiBgC,MAAqB,CACtC;aAFiBhC,MAAAA;aACAgC,SAAAA;aALF5E,SAAS,IAAI6E,cAAM,CAACpF,YAAYS,IAAI;QAOnD,IAAI,CAACO,UAAU,GAAG,IAAI,CAACmE,MAAM,CAACE,GAAG,CAAa;IAChD;AA8HF"}

package/server/authentication/services/auth-manager.service.spec.js

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+const _config = require("@nestjs/config");
+const _jwt = require("@nestjs/jwt");
+const _testing = require("@nestjs/testing");
+const _authmanagerservice = require("./auth-manager.service");
+describe(_authmanagerservice.AuthManager.name, ()=>{
+    let authManager;
+    beforeAll(async ()=>{
+        const module = await _testing.Test.createTestingModule({
+            providers: [
+                _authmanagerservice.AuthManager,
+                {
+                    provide: _jwt.JwtService,
+                    useValue: {}
+                },
+                {
+                    provide: _config.ConfigService,
+                    useValue: {
+                        get: ()=>null
+                    }
+                }
+            ]
+        }).compile();
+        module.useLogger([
+            'fatal'
+        ]);
+        authManager = module.get(_authmanagerservice.AuthManager);
+    });
+    it('should be defined', ()=>{
+        expect(authManager).toBeDefined();
+    });
+});
+
+//# sourceMappingURL=auth-manager.service.spec.js.map

package/server/authentication/services/auth-manager.service.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../backend/src/authentication/services/auth-manager.service.spec.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { ConfigService } from '@nestjs/config'\nimport { JwtService } from '@nestjs/jwt'\nimport { Test, TestingModule } from '@nestjs/testing'\nimport { AuthManager } from './auth-manager.service'\n\ndescribe(AuthManager.name, () => {\n  let authManager: AuthManager\n\n  beforeAll(async () => {\n    const module: TestingModule = await Test.createTestingModule({\n      providers: [AuthManager, { provide: JwtService, useValue: {} }, { provide: ConfigService, useValue: { get: () => null } }]\n    }).compile()\n\n    module.useLogger(['fatal'])\n    authManager = module.get<AuthManager>(AuthManager)\n  })\n\n  it('should be defined', () => {\n    expect(authManager).toBeDefined()\n  })\n})\n"],"names":["describe","AuthManager","name","authManager","beforeAll","module","Test","createTestingModule","providers","provide","JwtService","useValue","ConfigService","get","compile","useLogger","it","expect","toBeDefined"],"mappings":"AAAA;;;;CAIC;;;;wBAE6B;qBACH;yBACS;oCACR;AAE5BA,SAASC,+BAAW,CAACC,IAAI,EAAE;IACzB,IAAIC;IAEJC,UAAU;QACR,MAAMC,SAAwB,MAAMC,aAAI,CAACC,mBAAmB,CAAC;YAC3DC,WAAW;gBAACP,+BAAW;gBAAE;oBAAEQ,SAASC,eAAU;oBAAEC,UAAU,CAAC;gBAAE;gBAAG;oBAAEF,SAASG,qBAAa;oBAAED,UAAU;wBAAEE,KAAK,IAAM;oBAAK;gBAAE;aAAE;QAC5H,GAAGC,OAAO;QAEVT,OAAOU,SAAS,CAAC;YAAC;SAAQ;QAC1BZ,cAAcE,OAAOQ,GAAG,CAAcZ,+BAAW;IACnD;IAEAe,GAAG,qBAAqB;QACtBC,OAAOd,aAAae,WAAW;IACjC;AACF"}

package/server/authentication/services/auth-methods/auth-method-database.service.js

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthMethodDatabase", {
+    enumerable: true,
+    get: function() {
+        return AuthMethodDatabase;
+    }
+});
+const _common = require("@nestjs/common");
+const _appconstants = require("../../../app.constants");
+const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let AuthMethodDatabase = class AuthMethodDatabase {
+    async validateUser(loginOrEmail, password, ip) {
+        let user;
+        try {
+            user = await this.usersManager.findUser(loginOrEmail, false);
+        } catch (e) {
+            this.logger.error(`${this.validateUser.name} - ${e}`);
+            throw new _common.HttpException(_appconstants.CONNECT_ERROR_CODE.has(e.cause?.code) ? 'Authentication service connection error' : e.message, _common.HttpStatus.INTERNAL_SERVER_ERROR);
+        }
+        if (!user) {
+            this.logger.warn(`${this.validateUser.name} - login or email not found for *${loginOrEmail}*`);
+            return null;
+        }
+        return await this.usersManager.logUser(user, password, ip);
+    }
+    constructor(usersManager){
+        this.usersManager = usersManager;
+        this.logger = new _common.Logger(AuthMethodDatabase.name);
+    }
+};
+AuthMethodDatabase = _ts_decorate([
+    (0, _common.Injectable)(),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _usersmanagerservice.UsersManager === "undefined" ? Object : _usersmanagerservice.UsersManager
+    ])
+], AuthMethodDatabase);
+
+//# sourceMappingURL=auth-method-database.service.js.map

package/server/authentication/services/auth-methods/auth-method-database.service.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../backend/src/authentication/services/auth-methods/auth-method-database.service.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { HttpException, HttpStatus, Injectable, Logger } from '@nestjs/common'\nimport { CONNECT_ERROR_CODE } from '../../../app.constants'\nimport { UserModel } from '../../../applications/users/models/user.model'\nimport { UsersManager } from '../../../applications/users/services/users-manager.service'\nimport { AuthMethod } from '../../models/auth-method'\n\n@Injectable()\nexport class AuthMethodDatabase implements AuthMethod {\n  private readonly logger = new Logger(AuthMethodDatabase.name)\n\n  constructor(private readonly usersManager: UsersManager) {}\n\n  async validateUser(loginOrEmail: string, password: string, ip?: string): Promise<UserModel> {\n    let user: UserModel\n    try {\n      user = await this.usersManager.findUser(loginOrEmail, false)\n    } catch (e) {\n      this.logger.error(`${this.validateUser.name} - ${e}`)\n      throw new HttpException(\n        CONNECT_ERROR_CODE.has(e.cause?.code) ? 'Authentication service connection error' : e.message,\n        HttpStatus.INTERNAL_SERVER_ERROR\n      )\n    }\n    if (!user) {\n      this.logger.warn(`${this.validateUser.name} - login or email not found for *${loginOrEmail}*`)\n      return null\n    }\n    return await this.usersManager.logUser(user, password, ip)\n  }\n}\n"],"names":["AuthMethodDatabase","validateUser","loginOrEmail","password","ip","user","usersManager","findUser","e","logger","error","name","HttpException","CONNECT_ERROR_CODE","has","cause","code","message","HttpStatus","INTERNAL_SERVER_ERROR","warn","logUser","Logger"],"mappings":"AAAA;;;;CAIC;;;;+BASYA;;;eAAAA;;;wBAPiD;8BAC3B;qCAEN;;;;;;;;;;AAItB,IAAA,AAAMA,qBAAN,MAAMA;IAKX,MAAMC,aAAaC,YAAoB,EAAEC,QAAgB,EAAEC,EAAW,EAAsB;QAC1F,IAAIC;QACJ,IAAI;YACFA,OAAO,MAAM,IAAI,CAACC,YAAY,CAACC,QAAQ,CAACL,cAAc;QACxD,EAAE,OAAOM,GAAG;YACV,IAAI,CAACC,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACT,YAAY,CAACU,IAAI,CAAC,GAAG,EAAEH,GAAG;YACpD,MAAM,IAAII,qBAAa,CACrBC,gCAAkB,CAACC,GAAG,CAACN,EAAEO,KAAK,EAAEC,QAAQ,4CAA4CR,EAAES,OAAO,EAC7FC,kBAAU,CAACC,qBAAqB;QAEpC;QACA,IAAI,CAACd,MAAM;YACT,IAAI,CAACI,MAAM,CAACW,IAAI,CAAC,GAAG,IAAI,CAACnB,YAAY,CAACU,IAAI,CAAC,iCAAiC,EAAET,aAAa,CAAC,CAAC;YAC7F,OAAO;QACT;QACA,OAAO,MAAM,IAAI,CAACI,YAAY,CAACe,OAAO,CAAChB,MAAMF,UAAUC;IACzD;IAlBA,YAAY,AAAiBE,YAA0B,CAAE;aAA5BA,eAAAA;aAFZG,SAAS,IAAIa,cAAM,CAACtB,mBAAmBW,IAAI;IAEF;AAmB5D"}

package/server/authentication/services/auth-methods/auth-method-database.service.spec.js

@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+const _testing = require("@nestjs/testing");
+const _usermodel = require("../../../applications/users/models/user.model");
+const _adminusersmanagerservice = require("../../../applications/users/services/admin-users-manager.service");
+const _adminusersqueriesservice = require("../../../applications/users/services/admin-users-queries.service");
+const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
+const _usersqueriesservice = require("../../../applications/users/services/users-queries.service");
+const _test = require("../../../applications/users/utils/test");
+const _functions = require("../../../common/functions");
+const _cacheservice = require("../../../infrastructure/cache/services/cache.service");
+const _constants = require("../../../infrastructure/database/constants");
+const _authmanagerservice = require("../auth-manager.service");
+const _authmethoddatabaseservice = require("./auth-method-database.service");
+describe(_authmethoddatabaseservice.AuthMethodDatabase.name, ()=>{
+    let authMethodDatabase;
+    let usersManager;
+    let userTest;
+    beforeAll(async ()=>{
+        const module = await _testing.Test.createTestingModule({
+            providers: [
+                _authmethoddatabaseservice.AuthMethodDatabase,
+                _usersmanagerservice.UsersManager,
+                _usersqueriesservice.UsersQueries,
+                _adminusersmanagerservice.AdminUsersManager,
+                _adminusersqueriesservice.AdminUsersQueries,
+                {
+                    provide: _authmanagerservice.AuthManager,
+                    useValue: {}
+                },
+                {
+                    provide: _constants.DB_TOKEN_PROVIDER,
+                    useValue: {}
+                },
+                {
+                    provide: _cacheservice.Cache,
+                    useValue: {}
+                }
+            ]
+        }).compile();
+        authMethodDatabase = module.get(_authmethoddatabaseservice.AuthMethodDatabase);
+        usersManager = module.get(_usersmanagerservice.UsersManager);
+        module.useLogger([
+            'fatal'
+        ]);
+        // mocks
+        userTest = new _usermodel.UserModel((0, _test.generateUserTest)(), false);
+        usersManager.updateAccesses = jest.fn(()=>Promise.resolve());
+    });
+    it('should be defined', ()=>{
+        expect(authMethodDatabase).toBeDefined();
+        expect(usersManager).toBeDefined();
+        expect(userTest).toBeDefined();
+    });
+    it('should validate the user', async ()=>{
+        userTest.makePaths = jest.fn();
+        usersManager.findUser = jest.fn().mockReturnValue({
+            ...userTest,
+            password: await (0, _functions.hashPassword)(userTest.password)
+        });
+        expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeDefined();
+        expect(userTest.makePaths).toHaveBeenCalled();
+    });
+    it('should not validate the user', async ()=>{
+        usersManager.findUser = jest.fn().mockReturnValueOnce(null).mockReturnValueOnce({
+            ...userTest,
+            password: await (0, _functions.hashPassword)('bar')
+        }).mockRejectedValueOnce({
+            message: 'db error',
+            code: 'ECONNREFUSED'
+        }).mockRejectedValueOnce({
+            message: 'db error',
+            code: 'OTHER'
+        });
+        expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeNull();
+        expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeNull();
+        await expect(authMethodDatabase.validateUser(userTest.login, userTest.password)).rejects.toThrow();
+        await expect(authMethodDatabase.validateUser(userTest.login, userTest.password)).rejects.toThrow();
+    });
+});
+
+//# sourceMappingURL=auth-method-database.service.spec.js.map

package/server/authentication/services/auth-methods/auth-method-database.service.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../backend/src/authentication/services/auth-methods/auth-method-database.service.spec.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Test, TestingModule } from '@nestjs/testing'\nimport { UserModel } from '../../../applications/users/models/user.model'\nimport { AdminUsersManager } from '../../../applications/users/services/admin-users-manager.service'\nimport { AdminUsersQueries } from '../../../applications/users/services/admin-users-queries.service'\nimport { UsersManager } from '../../../applications/users/services/users-manager.service'\nimport { UsersQueries } from '../../../applications/users/services/users-queries.service'\nimport { generateUserTest } from '../../../applications/users/utils/test'\nimport { hashPassword } from '../../../common/functions'\nimport { Cache } from '../../../infrastructure/cache/services/cache.service'\nimport { DB_TOKEN_PROVIDER } from '../../../infrastructure/database/constants'\nimport { AuthManager } from '../auth-manager.service'\nimport { AuthMethodDatabase } from './auth-method-database.service'\n\ndescribe(AuthMethodDatabase.name, () => {\n  let authMethodDatabase: AuthMethodDatabase\n  let usersManager: UsersManager\n  let userTest: UserModel\n\n  beforeAll(async () => {\n    const module: TestingModule = await Test.createTestingModule({\n      providers: [\n        AuthMethodDatabase,\n        UsersManager,\n        UsersQueries,\n        AdminUsersManager,\n        AdminUsersQueries,\n        { provide: AuthManager, useValue: {} },\n        { provide: DB_TOKEN_PROVIDER, useValue: {} },\n        {\n          provide: Cache,\n          useValue: {}\n        }\n      ]\n    }).compile()\n\n    authMethodDatabase = module.get<AuthMethodDatabase>(AuthMethodDatabase)\n    usersManager = module.get<UsersManager>(UsersManager)\n    module.useLogger(['fatal'])\n    // mocks\n    userTest = new UserModel(generateUserTest(), false)\n    usersManager.updateAccesses = jest.fn(() => Promise.resolve())\n  })\n\n  it('should be defined', () => {\n    expect(authMethodDatabase).toBeDefined()\n    expect(usersManager).toBeDefined()\n    expect(userTest).toBeDefined()\n  })\n\n  it('should validate the user', async () => {\n    userTest.makePaths = jest.fn()\n    usersManager.findUser = jest.fn().mockReturnValue({ ...userTest, password: await hashPassword(userTest.password) })\n    expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeDefined()\n    expect(userTest.makePaths).toHaveBeenCalled()\n  })\n\n  it('should not validate the user', async () => {\n    usersManager.findUser = jest\n      .fn()\n      .mockReturnValueOnce(null)\n      .mockReturnValueOnce({ ...userTest, password: await hashPassword('bar') })\n      .mockRejectedValueOnce({ message: 'db error', code: 'ECONNREFUSED' })\n      .mockRejectedValueOnce({ message: 'db error', code: 'OTHER' })\n    expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeNull()\n    expect(await authMethodDatabase.validateUser(userTest.login, userTest.password)).toBeNull()\n    await expect(authMethodDatabase.validateUser(userTest.login, userTest.password)).rejects.toThrow()\n    await expect(authMethodDatabase.validateUser(userTest.login, userTest.password)).rejects.toThrow()\n  })\n})\n"],"names":["describe","AuthMethodDatabase","name","authMethodDatabase","usersManager","userTest","beforeAll","module","Test","createTestingModule","providers","UsersManager","UsersQueries","AdminUsersManager","AdminUsersQueries","provide","AuthManager","useValue","DB_TOKEN_PROVIDER","Cache","compile","get","useLogger","UserModel","generateUserTest","updateAccesses","jest","fn","Promise","resolve","it","expect","toBeDefined","makePaths","findUser","mockReturnValue","password","hashPassword","validateUser","login","toHaveBeenCalled","mockReturnValueOnce","mockRejectedValueOnce","message","code","toBeNull","rejects","toThrow"],"mappings":"AAAA;;;;CAIC;;;;yBAEmC;2BACV;0CACQ;0CACA;qCACL;qCACA;sBACI;2BACJ;8BACP;2BACY;oCACN;2CACO;AAEnCA,SAASC,6CAAkB,CAACC,IAAI,EAAE;IAChC,IAAIC;IACJ,IAAIC;IACJ,IAAIC;IAEJC,UAAU;QACR,MAAMC,SAAwB,MAAMC,aAAI,CAACC,mBAAmB,CAAC;YAC3DC,WAAW;gBACTT,6CAAkB;gBAClBU,iCAAY;gBACZC,iCAAY;gBACZC,2CAAiB;gBACjBC,2CAAiB;gBACjB;oBAAEC,SAASC,+BAAW;oBAAEC,UAAU,CAAC;gBAAE;gBACrC;oBAAEF,SAASG,4BAAiB;oBAAED,UAAU,CAAC;gBAAE;gBAC3C;oBACEF,SAASI,mBAAK;oBACdF,UAAU,CAAC;gBACb;aACD;QACH,GAAGG,OAAO;QAEVjB,qBAAqBI,OAAOc,GAAG,CAAqBpB,6CAAkB;QACtEG,eAAeG,OAAOc,GAAG,CAAeV,iCAAY;QACpDJ,OAAOe,SAAS,CAAC;YAAC;SAAQ;QAC1B,QAAQ;QACRjB,WAAW,IAAIkB,oBAAS,CAACC,IAAAA,sBAAgB,KAAI;QAC7CpB,aAAaqB,cAAc,GAAGC,KAAKC,EAAE,CAAC,IAAMC,QAAQC,OAAO;IAC7D;IAEAC,GAAG,qBAAqB;QACtBC,OAAO5B,oBAAoB6B,WAAW;QACtCD,OAAO3B,cAAc4B,WAAW;QAChCD,OAAO1B,UAAU2B,WAAW;IAC9B;IAEAF,GAAG,4BAA4B;QAC7BzB,SAAS4B,SAAS,GAAGP,KAAKC,EAAE;QAC5BvB,aAAa8B,QAAQ,GAAGR,KAAKC,EAAE,GAAGQ,eAAe,CAAC;YAAE,GAAG9B,QAAQ;YAAE+B,UAAU,MAAMC,IAAAA,uBAAY,EAAChC,SAAS+B,QAAQ;QAAE;QACjHL,OAAO,MAAM5B,mBAAmBmC,YAAY,CAACjC,SAASkC,KAAK,EAAElC,SAAS+B,QAAQ,GAAGJ,WAAW;QAC5FD,OAAO1B,SAAS4B,SAAS,EAAEO,gBAAgB;IAC7C;IAEAV,GAAG,gCAAgC;QACjC1B,aAAa8B,QAAQ,GAAGR,KACrBC,EAAE,GACFc,mBAAmB,CAAC,MACpBA,mBAAmB,CAAC;YAAE,GAAGpC,QAAQ;YAAE+B,UAAU,MAAMC,IAAAA,uBAAY,EAAC;QAAO,GACvEK,qBAAqB,CAAC;YAAEC,SAAS;YAAYC,MAAM;QAAe,GAClEF,qBAAqB,CAAC;YAAEC,SAAS;YAAYC,MAAM;QAAQ;QAC9Db,OAAO,MAAM5B,mBAAmBmC,YAAY,CAACjC,SAASkC,KAAK,EAAElC,SAAS+B,QAAQ,GAAGS,QAAQ;QACzFd,OAAO,MAAM5B,mBAAmBmC,YAAY,CAACjC,SAASkC,KAAK,EAAElC,SAAS+B,QAAQ,GAAGS,QAAQ;QACzF,MAAMd,OAAO5B,mBAAmBmC,YAAY,CAACjC,SAASkC,KAAK,EAAElC,SAAS+B,QAAQ,GAAGU,OAAO,CAACC,OAAO;QAChG,MAAMhB,OAAO5B,mBAAmBmC,YAAY,CAACjC,SAASkC,KAAK,EAAElC,SAAS+B,QAAQ,GAAGU,OAAO,CAACC,OAAO;IAClG;AACF"}

package/server/authentication/services/auth-methods/auth-method-ldap.service.js

@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "AuthMethodLdapService", {
+    enumerable: true,
+    get: function() {
+        return AuthMethodLdapService;
+    }
+});
+const _common = require("@nestjs/common");
+const _ldapts = require("ldapts");
+const _appconstants = require("../../../app.constants");
+const _user = require("../../../applications/users/constants/user");
+const _adminusersmanagerservice = require("../../../applications/users/services/admin-users-manager.service");
+const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
+const _functions = require("../../../common/functions");
+const _configenvironment = require("../../../configuration/config.environment");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let AuthMethodLdapService = class AuthMethodLdapService {
+    async validateUser(loginOrEmail, password, ip) {
+        let user = await this.usersManager.findUser(loginOrEmail, false);
+        if (user) {
+            if (user.isGuest) {
+                // allow guests to be authenticated from db & check if current user is defined as active
+                return this.usersManager.logUser(user, password, ip);
+            }
+            if (!user.isActive) {
+                this.logger.error(`${this.validateUser.name} - user *${user.login}* is locked`);
+                throw new _common.HttpException('Account locked', _common.HttpStatus.FORBIDDEN);
+            }
+        }
+        const entry = await this.checkAuth(loginOrEmail, password);
+        if (entry === false) {
+            if (user) {
+                this.usersManager.updateAccesses(user, ip, false).catch((e)=>this.logger.error(`${this.validateUser.name} : ${e}`));
+            }
+            return null;
+        } else if (!entry.mail || !entry.uid) {
+            this.logger.error(`${this.validateUser.name} - ${loginOrEmail} : some ldap fields are missing => (${JSON.stringify(entry)})`);
+            return null;
+        }
+        const identity = {
+            login: entry.uid,
+            email: entry.mail,
+            password: password,
+            ...(0, _functions.splitFullName)(entry.cn)
+        };
+        user = await this.updateOrCreateUser(identity, user);
+        this.usersManager.updateAccesses(user, ip, true).catch((e)=>this.logger.error(`${this.validateUser.name} : ${e}`));
+        return user;
+    }
+    async checkAuth(uid, password) {
+        const servers = _configenvironment.configuration.auth.ldap.servers;
+        const bindUserDN = `${_configenvironment.configuration.auth.ldap.loginAttribute}=${uid},${_configenvironment.configuration.auth.ldap.baseDN}`;
+        let client;
+        let error;
+        for (const s of servers){
+            client = new _ldapts.Client({
+                ...this.clientOptions,
+                url: s
+            });
+            try {
+                await client.bind(bindUserDN, password);
+                return await this.checkAccess(client, uid);
+            } catch (e) {
+                if (e.errors?.length) {
+                    for (const err of e.errors){
+                        this.logger.warn(`${this.checkAuth.name} - ${uid} : ${err}`);
+                        error = err;
+                    }
+                } else {
+                    error = e;
+                    this.logger.warn(`${this.checkAuth.name} - ${uid} : ${e}`);
+                }
+                if (error instanceof _ldapts.InvalidCredentialsError) {
+                    return false;
+                }
+            } finally{
+                await client.unbind();
+            }
+        }
+        if (error && _appconstants.CONNECT_ERROR_CODE.has(error.code)) {
+            throw new _common.HttpException('Authentication service connection error', _common.HttpStatus.INTERNAL_SERVER_ERROR);
+        }
+        return false;
+    }
+    async checkAccess(client, uid) {
+        const searchFilter = `(&(${_configenvironment.configuration.auth.ldap.loginAttribute}=${uid})${_configenvironment.configuration.auth.ldap.filter || ''})`;
+        try {
+            const { searchEntries } = await client.search(_configenvironment.configuration.auth.ldap.baseDN, {
+                scope: 'sub',
+                filter: searchFilter,
+                attributes: this.entryAttributes
+            });
+            for (const entry of searchEntries){
+                if (entry[_configenvironment.configuration.auth.ldap.loginAttribute] === uid) {
+                    if (Array.isArray(entry.mail)) {
+                        // handles the case of multiple emails, keep the first
+                        entry.mail = entry.mail[0];
+                    }
+                    return entry;
+                }
+            }
+            return false;
+        } catch (e) {
+            this.logger.warn(`${this.checkAccess.name} - ${uid} : ${e}`);
+            return false;
+        }
+    }
+    async updateOrCreateUser(identity, user) {
+        if (user === null) {
+            return this.adminUsersManager.createUserOrGuest(identity, _user.USER_ROLE.USER);
+        } else {
+            if (identity.login !== user.login) {
+                this.logger.error(`${this.updateOrCreateUser.name} - user id mismatch : ${identity.login} !== ${user.login}`);
+                throw new _common.HttpException('Account matching error', _common.HttpStatus.FORBIDDEN);
+            }
+            // check if user information has changed
+            const identityHasChanged = Object.fromEntries((await Promise.all(Object.keys(identity).map(async (key)=>{
+                if (key === 'password') {
+                    const isSame = await (0, _functions.comparePassword)(identity[key], user.password);
+                    return isSame ? null : [
+                        key,
+                        identity[key]
+                    ];
+                }
+                return identity[key] !== user[key] ? [
+                    key,
+                    identity[key]
+                ] : null;
+            }))).filter(Boolean));
+            if (Object.keys(identityHasChanged).length > 0) {
+                try {
+                    await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged);
+                    if (identityHasChanged?.password) {
+                        delete identityHasChanged.password;
+                    }
+                    Object.assign(user, identityHasChanged);
+                } catch (e) {
+                    this.logger.warn(`${this.updateOrCreateUser.name} - unable to update user *${user.login}* : ${e}`);
+                }
+            }
+            await user.makePaths();
+            return user;
+        }
+    }
+    constructor(usersManager, adminUsersManager){
+        this.usersManager = usersManager;
+        this.adminUsersManager = adminUsersManager;
+        this.logger = new _common.Logger(AuthMethodLdapService.name);
+        this.entryAttributes = [
+            'uid',
+            'mail',
+            'cn'
+        ];
+        this.clientOptions = {
+            timeout: 6000,
+            connectTimeout: 6000,
+            url: ''
+        };
+    }
+};
+AuthMethodLdapService = _ts_decorate([
+    (0, _common.Injectable)(),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _usersmanagerservice.UsersManager === "undefined" ? Object : _usersmanagerservice.UsersManager,
+        typeof _adminusersmanagerservice.AdminUsersManager === "undefined" ? Object : _adminusersmanagerservice.AdminUsersManager
+    ])
+], AuthMethodLdapService);
+
+//# sourceMappingURL=auth-method-ldap.service.js.map

package/server/authentication/services/auth-methods/auth-method-ldap.service.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../backend/src/authentication/services/auth-methods/auth-method-ldap.service.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { HttpException, HttpStatus, Injectable, Logger } from '@nestjs/common'\nimport { Client, ClientOptions, Entry, InvalidCredentialsError } from 'ldapts'\nimport { CONNECT_ERROR_CODE } from '../../../app.constants'\nimport { USER_ROLE } from '../../../applications/users/constants/user'\nimport { CreateUserDto, UpdateUserDto } from '../../../applications/users/dto/create-or-update-user.dto'\nimport { UserModel } from '../../../applications/users/models/user.model'\nimport { AdminUsersManager } from '../../../applications/users/services/admin-users-manager.service'\nimport { UsersManager } from '../../../applications/users/services/users-manager.service'\nimport { comparePassword, splitFullName } from '../../../common/functions'\nimport { configuration } from '../../../configuration/config.environment'\nimport { AuthMethod } from '../../models/auth-method'\n\ntype LdapUserEntry = Entry & { uid: string; mail: string; cn: string }\n\n@Injectable()\nexport class AuthMethodLdapService implements AuthMethod {\n  private readonly logger = new Logger(AuthMethodLdapService.name)\n  private readonly entryAttributes = ['uid', 'mail', 'cn']\n  private clientOptions: ClientOptions = { timeout: 6000, connectTimeout: 6000, url: '' }\n\n  constructor(\n    private readonly usersManager: UsersManager,\n    private readonly adminUsersManager: AdminUsersManager\n  ) {}\n\n  async validateUser(loginOrEmail: string, password: string, ip?: string): Promise<UserModel> {\n    let user = await this.usersManager.findUser(loginOrEmail, false)\n    if (user) {\n      if (user.isGuest) {\n        // allow guests to be authenticated from db & check if current user is defined as active\n        return this.usersManager.logUser(user, password, ip)\n      }\n      if (!user.isActive) {\n        this.logger.error(`${this.validateUser.name} - user *${user.login}* is locked`)\n        throw new HttpException('Account locked', HttpStatus.FORBIDDEN)\n      }\n    }\n    const entry = await this.checkAuth(loginOrEmail, password)\n    if (entry === false) {\n      if (user) {\n        this.usersManager.updateAccesses(user, ip, false).catch((e: Error) => this.logger.error(`${this.validateUser.name} : ${e}`))\n      }\n      return null\n    } else if (!entry.mail || !entry.uid) {\n      this.logger.error(`${this.validateUser.name} - ${loginOrEmail} : some ldap fields are missing => (${JSON.stringify(entry)})`)\n      return null\n    }\n    const identity = { login: entry.uid, email: entry.mail, password: password, ...splitFullName(entry.cn) } satisfies CreateUserDto\n    user = await this.updateOrCreateUser(identity, user)\n    this.usersManager.updateAccesses(user, ip, true).catch((e: Error) => this.logger.error(`${this.validateUser.name} : ${e}`))\n    return user\n  }\n\n  private async checkAuth(uid: string, password: string): Promise<LdapUserEntry | false> {\n    const servers = configuration.auth.ldap.servers\n    const bindUserDN = `${configuration.auth.ldap.loginAttribute}=${uid},${configuration.auth.ldap.baseDN}`\n    let client: Client\n    let error: any\n    for (const s of servers) {\n      client = new Client({ ...this.clientOptions, url: s })\n      try {\n        await client.bind(bindUserDN, password)\n        return await this.checkAccess(client, uid)\n      } catch (e) {\n        if (e.errors?.length) {\n          for (const err of e.errors) {\n            this.logger.warn(`${this.checkAuth.name} - ${uid} : ${err}`)\n            error = err\n          }\n        } else {\n          error = e\n          this.logger.warn(`${this.checkAuth.name} - ${uid} : ${e}`)\n        }\n        if (error instanceof InvalidCredentialsError) {\n          return false\n        }\n      } finally {\n        await client.unbind()\n      }\n    }\n    if (error && CONNECT_ERROR_CODE.has(error.code)) {\n      throw new HttpException('Authentication service connection error', HttpStatus.INTERNAL_SERVER_ERROR)\n    }\n    return false\n  }\n\n  private async checkAccess(client: Client, uid: string): Promise<LdapUserEntry | false> {\n    const searchFilter = `(&(${configuration.auth.ldap.loginAttribute}=${uid})${configuration.auth.ldap.filter || ''})`\n    try {\n      const { searchEntries } = await client.search(configuration.auth.ldap.baseDN, {\n        scope: 'sub',\n        filter: searchFilter,\n        attributes: this.entryAttributes\n      })\n      for (const entry of searchEntries) {\n        if (entry[configuration.auth.ldap.loginAttribute] === uid) {\n          if (Array.isArray(entry.mail)) {\n            // handles the case of multiple emails, keep the first\n            entry.mail = entry.mail[0]\n          }\n          return entry as LdapUserEntry\n        }\n      }\n      return false\n    } catch (e) {\n      this.logger.warn(`${this.checkAccess.name} - ${uid} : ${e}`)\n      return false\n    }\n  }\n\n  private async updateOrCreateUser(identity: CreateUserDto, user: UserModel): Promise<UserModel> {\n    if (user === null) {\n      return this.adminUsersManager.createUserOrGuest(identity, USER_ROLE.USER)\n    } else {\n      if (identity.login !== user.login) {\n        this.logger.error(`${this.updateOrCreateUser.name} - user id mismatch : ${identity.login} !== ${user.login}`)\n        throw new HttpException('Account matching error', HttpStatus.FORBIDDEN)\n      }\n      // check if user information has changed\n      const identityHasChanged: UpdateUserDto = Object.fromEntries(\n        (\n          await Promise.all(\n            Object.keys(identity).map(async (key: string) => {\n              if (key === 'password') {\n                const isSame = await comparePassword(identity[key], user.password)\n                return isSame ? null : [key, identity[key]]\n              }\n              return identity[key] !== user[key] ? [key, identity[key]] : null\n            })\n          )\n        ).filter(Boolean)\n      )\n      if (Object.keys(identityHasChanged).length > 0) {\n        try {\n          await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged)\n          if (identityHasChanged?.password) {\n            delete identityHasChanged.password\n          }\n          Object.assign(user, identityHasChanged)\n        } catch (e) {\n          this.logger.warn(`${this.updateOrCreateUser.name} - unable to update user *${user.login}* : ${e}`)\n        }\n      }\n      await user.makePaths()\n      return user\n    }\n  }\n}\n"],"names":["AuthMethodLdapService","validateUser","loginOrEmail","password","ip","user","usersManager","findUser","isGuest","logUser","isActive","logger","error","name","login","HttpException","HttpStatus","FORBIDDEN","entry","checkAuth","updateAccesses","catch","e","mail","uid","JSON","stringify","identity","email","splitFullName","cn","updateOrCreateUser","servers","configuration","auth","ldap","bindUserDN","loginAttribute","baseDN","client","s","Client","clientOptions","url","bind","checkAccess","errors","length","err","warn","InvalidCredentialsError","unbind","CONNECT_ERROR_CODE","has","code","INTERNAL_SERVER_ERROR","searchFilter","filter","searchEntries","search","scope","attributes","entryAttributes","Array","isArray","adminUsersManager","createUserOrGuest","USER_ROLE","USER","identityHasChanged","Object","fromEntries","Promise","all","keys","map","key","isSame","comparePassword","Boolean","updateUserOrGuest","id","assign","makePaths","Logger","timeout","connectTimeout"],"mappings":"AAAA;;;;CAIC;;;;+BAiBYA;;;eAAAA;;;wBAfiD;wBACQ;8BACnC;sBACT;0CAGQ;qCACL;2BACkB;mCACjB;;;;;;;;;;AAMvB,IAAA,AAAMA,wBAAN,MAAMA;IAUX,MAAMC,aAAaC,YAAoB,EAAEC,QAAgB,EAAEC,EAAW,EAAsB;QAC1F,IAAIC,OAAO,MAAM,IAAI,CAACC,YAAY,CAACC,QAAQ,CAACL,cAAc;QAC1D,IAAIG,MAAM;YACR,IAAIA,KAAKG,OAAO,EAAE;gBAChB,wFAAwF;gBACxF,OAAO,IAAI,CAACF,YAAY,CAACG,OAAO,CAACJ,MAAMF,UAAUC;YACnD;YACA,IAAI,CAACC,KAAKK,QAAQ,EAAE;gBAClB,IAAI,CAACC,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACX,YAAY,CAACY,IAAI,CAAC,SAAS,EAAER,KAAKS,KAAK,CAAC,WAAW,CAAC;gBAC9E,MAAM,IAAIC,qBAAa,CAAC,kBAAkBC,kBAAU,CAACC,SAAS;YAChE;QACF;QACA,MAAMC,QAAQ,MAAM,IAAI,CAACC,SAAS,CAACjB,cAAcC;QACjD,IAAIe,UAAU,OAAO;YACnB,IAAIb,MAAM;gBACR,IAAI,CAACC,YAAY,CAACc,cAAc,CAACf,MAAMD,IAAI,OAAOiB,KAAK,CAAC,CAACC,IAAa,IAAI,CAACX,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACX,YAAY,CAACY,IAAI,CAAC,GAAG,EAAES,GAAG;YAC5H;YACA,OAAO;QACT,OAAO,IAAI,CAACJ,MAAMK,IAAI,IAAI,CAACL,MAAMM,GAAG,EAAE;YACpC,IAAI,CAACb,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACX,YAAY,CAACY,IAAI,CAAC,GAAG,EAAEX,aAAa,oCAAoC,EAAEuB,KAAKC,SAAS,CAACR,OAAO,CAAC,CAAC;YAC5H,OAAO;QACT;QACA,MAAMS,WAAW;YAAEb,OAAOI,MAAMM,GAAG;YAAEI,OAAOV,MAAMK,IAAI;YAAEpB,UAAUA;YAAU,GAAG0B,IAAAA,wBAAa,EAACX,MAAMY,EAAE,CAAC;QAAC;QACvGzB,OAAO,MAAM,IAAI,CAAC0B,kBAAkB,CAACJ,UAAUtB;QAC/C,IAAI,CAACC,YAAY,CAACc,cAAc,CAACf,MAAMD,IAAI,MAAMiB,KAAK,CAAC,CAACC,IAAa,IAAI,CAACX,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACX,YAAY,CAACY,IAAI,CAAC,GAAG,EAAES,GAAG;QACzH,OAAOjB;IACT;IAEA,MAAcc,UAAUK,GAAW,EAAErB,QAAgB,EAAkC;QACrF,MAAM6B,UAAUC,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACH,OAAO;QAC/C,MAAMI,aAAa,GAAGH,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACE,cAAc,CAAC,CAAC,EAAEb,IAAI,CAAC,EAAES,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACG,MAAM,EAAE;QACvG,IAAIC;QACJ,IAAI3B;QACJ,KAAK,MAAM4B,KAAKR,QAAS;YACvBO,SAAS,IAAIE,cAAM,CAAC;gBAAE,GAAG,IAAI,CAACC,aAAa;gBAAEC,KAAKH;YAAE;YACpD,IAAI;gBACF,MAAMD,OAAOK,IAAI,CAACR,YAAYjC;gBAC9B,OAAO,MAAM,IAAI,CAAC0C,WAAW,CAACN,QAAQf;YACxC,EAAE,OAAOF,GAAG;gBACV,IAAIA,EAAEwB,MAAM,EAAEC,QAAQ;oBACpB,KAAK,MAAMC,OAAO1B,EAAEwB,MAAM,CAAE;wBAC1B,IAAI,CAACnC,MAAM,CAACsC,IAAI,CAAC,GAAG,IAAI,CAAC9B,SAAS,CAACN,IAAI,CAAC,GAAG,EAAEW,IAAI,GAAG,EAAEwB,KAAK;wBAC3DpC,QAAQoC;oBACV;gBACF,OAAO;oBACLpC,QAAQU;oBACR,IAAI,CAACX,MAAM,CAACsC,IAAI,CAAC,GAAG,IAAI,CAAC9B,SAAS,CAACN,IAAI,CAAC,GAAG,EAAEW,IAAI,GAAG,EAAEF,GAAG;gBAC3D;gBACA,IAAIV,iBAAiBsC,+BAAuB,EAAE;oBAC5C,OAAO;gBACT;YACF,SAAU;gBACR,MAAMX,OAAOY,MAAM;YACrB;QACF;QACA,IAAIvC,SAASwC,gCAAkB,CAACC,GAAG,CAACzC,MAAM0C,IAAI,GAAG;YAC/C,MAAM,IAAIvC,qBAAa,CAAC,2CAA2CC,kBAAU,CAACuC,qBAAqB;QACrG;QACA,OAAO;IACT;IAEA,MAAcV,YAAYN,MAAc,EAAEf,GAAW,EAAkC;QACrF,MAAMgC,eAAe,CAAC,GAAG,EAAEvB,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACE,cAAc,CAAC,CAAC,EAAEb,IAAI,CAAC,EAAES,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACsB,MAAM,IAAI,GAAG,CAAC,CAAC;QACnH,IAAI;YACF,MAAM,EAAEC,aAAa,EAAE,GAAG,MAAMnB,OAAOoB,MAAM,CAAC1B,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACG,MAAM,EAAE;gBAC5EsB,OAAO;gBACPH,QAAQD;gBACRK,YAAY,IAAI,CAACC,eAAe;YAClC;YACA,KAAK,MAAM5C,SAASwC,cAAe;gBACjC,IAAIxC,KAAK,CAACe,gCAAa,CAACC,IAAI,CAACC,IAAI,CAACE,cAAc,CAAC,KAAKb,KAAK;oBACzD,IAAIuC,MAAMC,OAAO,CAAC9C,MAAMK,IAAI,GAAG;wBAC7B,sDAAsD;wBACtDL,MAAMK,IAAI,GAAGL,MAAMK,IAAI,CAAC,EAAE;oBAC5B;oBACA,OAAOL;gBACT;YACF;YACA,OAAO;QACT,EAAE,OAAOI,GAAG;YACV,IAAI,CAACX,MAAM,CAACsC,IAAI,CAAC,GAAG,IAAI,CAACJ,WAAW,CAAChC,IAAI,CAAC,GAAG,EAAEW,IAAI,GAAG,EAAEF,GAAG;YAC3D,OAAO;QACT;IACF;IAEA,MAAcS,mBAAmBJ,QAAuB,EAAEtB,IAAe,EAAsB;QAC7F,IAAIA,SAAS,MAAM;YACjB,OAAO,IAAI,CAAC4D,iBAAiB,CAACC,iBAAiB,CAACvC,UAAUwC,eAAS,CAACC,IAAI;QAC1E,OAAO;YACL,IAAIzC,SAASb,KAAK,KAAKT,KAAKS,KAAK,EAAE;gBACjC,IAAI,CAACH,MAAM,CAACC,KAAK,CAAC,GAAG,IAAI,CAACmB,kBAAkB,CAAClB,IAAI,CAAC,sBAAsB,EAAEc,SAASb,KAAK,CAAC,KAAK,EAAET,KAAKS,KAAK,EAAE;gBAC5G,MAAM,IAAIC,qBAAa,CAAC,0BAA0BC,kBAAU,CAACC,SAAS;YACxE;YACA,wCAAwC;YACxC,MAAMoD,qBAAoCC,OAAOC,WAAW,CAC1D,AACE,CAAA,MAAMC,QAAQC,GAAG,CACfH,OAAOI,IAAI,CAAC/C,UAAUgD,GAAG,CAAC,OAAOC;gBAC/B,IAAIA,QAAQ,YAAY;oBACtB,MAAMC,SAAS,MAAMC,IAAAA,0BAAe,EAACnD,QAAQ,CAACiD,IAAI,EAAEvE,KAAKF,QAAQ;oBACjE,OAAO0E,SAAS,OAAO;wBAACD;wBAAKjD,QAAQ,CAACiD,IAAI;qBAAC;gBAC7C;gBACA,OAAOjD,QAAQ,CAACiD,IAAI,KAAKvE,IAAI,CAACuE,IAAI,GAAG;oBAACA;oBAAKjD,QAAQ,CAACiD,IAAI;iBAAC,GAAG;YAC9D,GACF,EACAnB,MAAM,CAACsB;YAEX,IAAIT,OAAOI,IAAI,CAACL,oBAAoBtB,MAAM,GAAG,GAAG;gBAC9C,IAAI;oBACF,MAAM,IAAI,CAACkB,iBAAiB,CAACe,iBAAiB,CAAC3E,KAAK4E,EAAE,EAAEZ;oBACxD,IAAIA,oBAAoBlE,UAAU;wBAChC,OAAOkE,mBAAmBlE,QAAQ;oBACpC;oBACAmE,OAAOY,MAAM,CAAC7E,MAAMgE;gBACtB,EAAE,OAAO/C,GAAG;oBACV,IAAI,CAACX,MAAM,CAACsC,IAAI,CAAC,GAAG,IAAI,CAAClB,kBAAkB,CAAClB,IAAI,CAAC,0BAA0B,EAAER,KAAKS,KAAK,CAAC,IAAI,EAAEQ,GAAG;gBACnG;YACF;YACA,MAAMjB,KAAK8E,SAAS;YACpB,OAAO9E;QACT;IACF;IA9HA,YACE,AAAiBC,YAA0B,EAC3C,AAAiB2D,iBAAoC,CACrD;aAFiB3D,eAAAA;aACA2D,oBAAAA;aANFtD,SAAS,IAAIyE,cAAM,CAACpF,sBAAsBa,IAAI;aAC9CiD,kBAAkB;YAAC;YAAO;YAAQ;SAAK;aAChDpB,gBAA+B;YAAE2C,SAAS;YAAMC,gBAAgB;YAAM3C,KAAK;QAAG;IAKnF;AA4HL"}