@tinyrack/tinyauth-server 0.0.7

package/dist/services/totp.service.js

@@ -0,0 +1,244 @@
+import { generateSecret, generateSync, generateURI, verifySync } from 'otplib';
+import qrcode from 'qrcode';
+import { getRandomBytes } from "../lib/crypto.js";
+import { e } from "../schemas/error.js";
+/** Number of recovery codes to generate */
+const RECOVERY_CODE_COUNT = 8;
+const RECOVERY_CODE_ALPHABET = 'ABCDEFGHJKMNPQRSTVWXYZ23456789';
+const RECOVERY_CODE_LENGTH = 16;
+const RECOVERY_CODE_GROUP_LENGTH = 4;
+export class TotpService {
+    mikro;
+    config;
+    securityService;
+    constructor(mikro, config, securityService) {
+        this.mikro = mikro;
+        this.config = config;
+        this.securityService = securityService;
+    }
+    /**
+     * Generate a new TOTP secret for a user
+     */
+    generateSecret() {
+        return generateSecret();
+    }
+    /**
+     * Generate OTP auth URL for QR code
+     */
+    generateOtpAuthUrl(email, secret) {
+        return generateURI({
+            issuer: this.config.auth.password.totp.issuer ||
+                this.config.server.public_origin,
+            label: email,
+            secret,
+        });
+    }
+    /**
+     * Generate QR code data URL from OTP auth URL
+     */
+    async generateQrCode(otpauthUrl) {
+        return qrcode.toDataURL(otpauthUrl);
+    }
+    /**
+     * Verify a TOTP token against a secret
+     */
+    verifyToken(token, secret) {
+        try {
+            const result = verifySync({ token, secret, epochTolerance: 1 });
+            if (!result.valid) {
+                throw new e.InvalidTotpCode.Error();
+            }
+            return result.valid;
+        }
+        catch {
+            throw new e.InvalidTotpCode.Error();
+        }
+    }
+    /**
+     * Generate a TOTP token for a secret (used for testing)
+     */
+    generateToken(secret) {
+        return generateSync({ secret });
+    }
+    /**
+     * Start TOTP setup for a user
+     * Creates or updates unverified TOTP record
+     */
+    async startSetup(user) {
+        const existingTotp = await this.mikro.userTotp.findByUserSub(user.sub);
+        // Only throw if TOTP is fully registered (verified AND recovery confirmed)
+        // If user verified but didn't confirm recovery codes, allow re-setup
+        if (existingTotp?.verified && existingTotp?.recovery_confirmed) {
+            throw new e.TotpAlreadyEnabled.Error();
+        }
+        const secret = this.generateSecret();
+        const otpauthUrl = this.generateOtpAuthUrl(user.email, secret);
+        const qrCodeDataUrl = await this.generateQrCode(otpauthUrl);
+        // If there's an existing unverified TOTP, delete it first to avoid
+        // unique constraint violation (handles race conditions and retries)
+        if (existingTotp) {
+            await this.mikro.userTotp.nativeDelete({ user: { sub: user.sub } });
+            this.mikro.em.clear();
+        }
+        // Create new TOTP record
+        const totp = this.mikro.userTotp.create({
+            user: user.sub,
+            secret: secret,
+        });
+        this.mikro.em.persist(totp);
+        await this.mikro.em.flush();
+        return {
+            secret,
+            otpauthUrl,
+            qrCodeDataUrl,
+        };
+    }
+    /**
+     * Verify and complete TOTP setup.
+     * Also generates recovery codes upon successful verification.
+     *
+     * @returns Array of plain-text recovery codes (shown only once)
+     */
+    async verifySetup(userId, token) {
+        const totp = await this.mikro.userTotp.findByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotSetup.Error();
+        }
+        // Only throw if TOTP is fully registered (verified AND recovery confirmed)
+        // If user verified but didn't confirm recovery codes, allow re-verification
+        if (totp.verified && totp.recovery_confirmed) {
+            throw new e.TotpAlreadyEnabled.Error();
+        }
+        if (!this.verifyToken(token, totp.secret)) {
+            throw new e.InvalidTotpCode.Error();
+        }
+        // Flush verified status before generating recovery codes,
+        // because generateRecoveryCodes calls em.clear() which
+        // would discard the pending verified change.
+        totp.verified = true;
+        await this.mikro.em.flush();
+        // Generate recovery codes on TOTP setup completion
+        const user = await this.mikro.user.findOneOrFail({
+            sub: userId,
+        });
+        const recoveryCodes = await this.generateRecoveryCodes(user);
+        return recoveryCodes;
+    }
+    /**
+     * Confirm TOTP setup by acknowledging recovery codes.
+     * This marks the TOTP setup as fully complete.
+     */
+    async confirmSetup(userId) {
+        const totp = await this.mikro.userTotp.findVerifiedByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotSetup.Error();
+        }
+        if (totp.recovery_confirmed) {
+            throw new e.TotpAlreadyEnabled.Error();
+        }
+        totp.recovery_confirmed = true;
+        await this.mikro.em.flush();
+    }
+    /**
+     * Disable TOTP for a user
+     * Also deletes all recovery codes
+     */
+    async disable(userId, token, options) {
+        const totp = await this.mikro.userTotp.findFullyRegisteredByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotEnabled.Error();
+        }
+        if (!this.verifyToken(token, totp.secret)) {
+            throw new e.InvalidTotpCode.Error();
+        }
+        // Prevent disabling TOTP when 2FA is required and no other 2FA method exists
+        if (options.secondFactorRequired && !options.hasOtherSecondFactor) {
+            throw new e.CannotRemoveLastSecondFactor.Error();
+        }
+        await this.mikro.userTotp.deleteByUserSub(userId);
+        await this.mikro.userTotpRecoveryCode.deleteByUserSub(userId);
+    }
+    async verifyForAuth(userId, token) {
+        const totp = await this.mikro.userTotp.findFullyRegisteredByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotEnabled.Error();
+        }
+        this.verifyToken(token, totp.secret);
+    }
+    /**
+     * Generate a single recovery code in the format XXXX-XXXX-XXXX-XXXX.
+     */
+    generateRecoveryCodeString() {
+        const bytes = getRandomBytes(RECOVERY_CODE_LENGTH);
+        const code = Array.from(bytes)
+            .map((byte) => RECOVERY_CODE_ALPHABET[byte % RECOVERY_CODE_ALPHABET.length])
+            .join('');
+        return Array.from({ length: RECOVERY_CODE_LENGTH / RECOVERY_CODE_GROUP_LENGTH }, (_, index) => code.slice(index * RECOVERY_CODE_GROUP_LENGTH, (index + 1) * RECOVERY_CODE_GROUP_LENGTH)).join('-');
+    }
+    /**
+     * Generate recovery codes for a user.
+     * Deletes any existing recovery codes first, then creates new ones.
+     *
+     * @returns Array of plain-text recovery codes (shown only once)
+     */
+    async generateRecoveryCodes(user) {
+        // Delete any existing recovery codes
+        await this.mikro.userTotpRecoveryCode.deleteByUserSub(user.sub);
+        this.mikro.em.clear();
+        // Re-fetch user after clearing identity map
+        const freshUser = await this.mikro.user.findOneOrFail({
+            sub: user.sub,
+        });
+        const plainCodes = [];
+        for (let i = 0; i < RECOVERY_CODE_COUNT; i++) {
+            const code = this.generateRecoveryCodeString();
+            plainCodes.push(code);
+            const codeHash = await this.securityService.hashOpaqueToken('totp-recovery', code);
+            const entity = this.mikro.userTotpRecoveryCode.create({
+                user: freshUser.sub,
+                code_hash: codeHash,
+            });
+            this.mikro.em.persist(entity);
+        }
+        await this.mikro.em.flush();
+        return plainCodes;
+    }
+    /**
+     * Verify a recovery code for authentication.
+     * The code is single-use: once verified, it is marked as used.
+     */
+    async verifyRecoveryCode(userId, code) {
+        const normalizedCode = code.toUpperCase();
+        // Ensure TOTP is actually fully enabled for this user
+        const totp = await this.mikro.userTotp.findFullyRegisteredByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotEnabled.Error();
+        }
+        const unusedCodeCount = await this.mikro.userTotpRecoveryCode.countUnusedByUserSub(userId);
+        if (unusedCodeCount === 0) {
+            throw new e.NoRecoveryCodesAvailable.Error();
+        }
+        const codeHash = await this.securityService.hashOpaqueToken('totp-recovery', normalizedCode);
+        const recoveryCode = await this.mikro.userTotpRecoveryCode.findUnusedByUserSubAndCodeHash(userId, codeHash);
+        if (!recoveryCode) {
+            throw new e.InvalidRecoveryCode.Error();
+        }
+        recoveryCode.used = true;
+        recoveryCode.used_at = new Date();
+        await this.mikro.em.flush();
+    }
+    async regenerateRecoveryCodes(userId, token) {
+        const totp = await this.mikro.userTotp.findFullyRegisteredByUserSub(userId);
+        if (!totp) {
+            throw new e.TotpNotEnabled.Error();
+        }
+        this.verifyToken(token, totp.secret);
+        const user = await this.mikro.user.findOneOrFail({
+            sub: userId,
+        }, {
+            failHandler: () => new e.UserNotFound.Error(),
+        });
+        return this.generateRecoveryCodes(user);
+    }
+}
+//# sourceMappingURL=totp.service.js.map

package/dist/services/totp.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.service.js","sourceRoot":"","sources":["../../src/services/totp.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC/E,OAAO,MAAM,MAAM,QAAQ,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAiBxC,2CAA2C;AAC3C,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,sBAAsB,GAAG,gCAAgC,CAAC;AAChE,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAChC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAErC,MAAM,OAAO,WAAW;IACL,KAAK,CAAe;IACpB,MAAM,CAAwB;IAC9B,eAAe,CAAkB;IAClD,YACE,KAAmB,EACnB,MAA6B,EAC7B,eAAgC;QAEhC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED;;OAEG;IACI,cAAc;QACnB,OAAO,cAAc,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACI,kBAAkB,CAAC,KAAa,EAAE,MAAc;QACrD,OAAO,WAAW,CAAC;YACjB,MAAM,EACJ,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM;gBACrC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa;YAClC,KAAK,EAAE,KAAK;YACZ,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,cAAc,CAAC,UAAkB;QAC5C,OAAO,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACI,WAAW,CAAC,KAAa,EAAE,MAAc;QAC9C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACI,aAAa,CAAC,MAAc;QACjC,OAAO,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,UAAU,CAAC,IAAgB;QACtC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEvE,2EAA2E;QAC3E,qEAAqE;QACrE,IAAI,YAAY,EAAE,QAAQ,IAAI,YAAY,EAAE,kBAAkB,EAAE,CAAC;YAC/D,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAE5D,mEAAmE;QACnE,oEAAoE;QACpE,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACpE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QAED,yBAAyB;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,IAAI,EAAE,IAAI,CAAC,GAAG;YACd,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO;YACL,MAAM;YACN,UAAU;YACV,aAAa;SACd,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,KAAa;QACpD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAED,2EAA2E;QAC3E,4EAA4E;QAC5E,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7C,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,0DAA0D;QAC1D,uDAAuD;QACvD,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,mDAAmD;QACnD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC;YAC/C,GAAG,EAAE,MAAM;SACZ,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QAE7D,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,YAAY,CAAC,MAAc;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC;QAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,OAAO,CAClB,MAAc,EACd,KAAa,EACb,OAGC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,6EAA6E;QAC7E,IAAI,OAAO,CAAC,oBAAoB,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAClE,MAAM,IAAI,CAAC,CAAC,4BAA4B,CAAC,KAAK,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAClD,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAChE,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,MAAc,EAAE,KAAa;QACtD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACI,0BAA0B;QAC/B,MAAM,KAAK,GAAG,cAAc,CAAC,oBAAoB,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;aAC3B,GAAG,CACF,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,GAAG,sBAAsB,CAAC,MAAM,CAAC,CACvE;aACA,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,KAAK,CAAC,IAAI,CACf,EAAE,MAAM,EAAE,oBAAoB,GAAG,0BAA0B,EAAE,EAC7D,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,CACX,IAAI,CAAC,KAAK,CACR,KAAK,GAAG,0BAA0B,EAClC,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,0BAA0B,CACzC,CACJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,qBAAqB,CAAC,IAAgB;QACjD,qCAAqC;QACrC,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAEtB,4CAA4C;QAC5C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC;YACpD,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAC;QAEH,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,mBAAmB,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,0BAA0B,EAAE,CAAC;YAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEtB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,CACzD,eAAe,EACf,IAAI,CACL,CAAC;YACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,CAAC;gBACpD,IAAI,EAAE,SAAS,CAAC,GAAG;gBACnB,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB,CAAC,MAAc,EAAE,IAAY;QAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAE1C,sDAAsD;QACtD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,eAAe,GACnB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAErE,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,CAAC,CAAC,wBAAwB,CAAC,KAAK,EAAE,CAAC;QAC/C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,CACzD,eAAe,EACf,cAAc,CACf,CAAC;QACF,MAAM,YAAY,GAChB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,8BAA8B,CAClE,MAAM,EACN,QAAQ,CACT,CAAC;QAEJ,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC;QACzB,YAAY,CAAC,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAEM,KAAK,CAAC,uBAAuB,CAClC,MAAc,EACd,KAAa;QAEb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAErC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAC9C;YACE,GAAG,EAAE,MAAM;SACZ,EACD;YACE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE;SAC9C,CACF,CAAC;QAEF,OAAO,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;CACF"}

package/dist/services/user-consent.service.d.ts

@@ -0,0 +1,34 @@
+import type z from 'zod';
+import type { UserConsentEntity } from '../entities/user-consent.entity.ts';
+import type { f } from '../schemas/field.ts';
+import type { MikroService } from './mikro.service.ts';
+export declare class UserConsentService {
+    private readonly mikro;
+    constructor(mikro: MikroService);
+    /**
+     * Check if user has already consented to the requested scopes for a client.
+     */
+    hasConsent(userSub: string, clientId: string, requestedScopes: string[]): Promise<boolean>;
+    /**
+     * Determine if consent screen is required based on:
+     * - User's existing consent
+     * - The `prompt` parameter from the authorization request
+     *
+     * @returns true if consent screen should be shown
+     */
+    requiresConsent(params: {
+        userSub: string;
+        clientId: string;
+        requestedScopes: string[];
+        prompt?: z.infer<typeof f.prompt> | undefined;
+    }): Promise<boolean>;
+    /**
+     * Grant consent for a user to a client with specific scopes.
+     */
+    grantConsent(params: {
+        userSub: string;
+        clientId: string;
+        scopes: string[];
+    }): Promise<UserConsentEntity>;
+}
+//# sourceMappingURL=user-consent.service.d.ts.map

package/dist/services/user-consent.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-consent.service.d.ts","sourceRoot":"","sources":["../../src/services/user-consent.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AACzB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;gBAClB,KAAK,EAAE,YAAY;IAItC;;OAEG;IACU,UAAU,CACrB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC,OAAO,CAAC;IAQnB;;;;;;OAMG;IACU,eAAe,CAAC,MAAM,EAAE;QACnC,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;KAC/C,GAAG,OAAO,CAAC,OAAO,CAAC;IAmBpB;;OAEG;IACU,YAAY,CAAC,MAAM,EAAE;QAChC,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAS/B"}

package/dist/services/user-consent.service.js

@@ -0,0 +1,42 @@
+export class UserConsentService {
+    mikro;
+    constructor(mikro) {
+        this.mikro = mikro;
+    }
+    /**
+     * Check if user has already consented to the requested scopes for a client.
+     */
+    async hasConsent(userSub, clientId, requestedScopes) {
+        return this.mikro.userConsent.hasConsent(userSub, clientId, requestedScopes);
+    }
+    /**
+     * Determine if consent screen is required based on:
+     * - User's existing consent
+     * - The `prompt` parameter from the authorization request
+     *
+     * @returns true if consent screen should be shown
+     */
+    async requiresConsent(params) {
+        const { userSub, clientId, requestedScopes, prompt } = params;
+        // If prompt=consent, always show consent screen
+        if (prompt === 'consent') {
+            return true;
+        }
+        // Check if user has already consented to all requested scopes
+        const hasExistingConsent = await this.hasConsent(userSub, clientId, requestedScopes);
+        // If user has existing consent for all scopes, no need to show consent screen
+        return !hasExistingConsent;
+    }
+    /**
+     * Grant consent for a user to a client with specific scopes.
+     */
+    async grantConsent(params) {
+        const { userSub, clientId, scopes } = params;
+        return this.mikro.userConsent.grantConsent({
+            userSub,
+            clientId,
+            scopes,
+        });
+    }
+}
+//# sourceMappingURL=user-consent.service.js.map

package/dist/services/user-consent.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-consent.service.js","sourceRoot":"","sources":["../../src/services/user-consent.service.ts"],"names":[],"mappings":"AAKA,MAAM,OAAO,kBAAkB;IACZ,KAAK,CAAe;IACrC,YAAmB,KAAmB;QACpC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,UAAU,CACrB,OAAe,EACf,QAAgB,EAChB,eAAyB;QAEzB,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CACtC,OAAO,EACP,QAAQ,EACR,eAAe,CAChB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,eAAe,CAAC,MAK5B;QACC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;QAE9D,gDAAgD;QAChD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,8DAA8D;QAC9D,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,UAAU,CAC9C,OAAO,EACP,QAAQ,EACR,eAAe,CAChB,CAAC;QAEF,8EAA8E;QAC9E,OAAO,CAAC,kBAAkB,CAAC;IAC7B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,YAAY,CAAC,MAIzB;QACC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;QAE7C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,CAAC;YACzC,OAAO;YACP,QAAQ;YACR,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/services/user.service.d.ts

@@ -0,0 +1,60 @@
+import type { Loaded } from '@mikro-orm/core';
+import type z from 'zod';
+import type { UserEntity } from '../entities/user.entity.ts';
+import type { TinyAuthRuntimeConfig } from '../lib/config/index.ts';
+import type { Locale } from '../lib/locale.ts';
+import type { r } from '../schemas/response.ts';
+import type { EmailService } from './email.service.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { PasswordAuthService } from './password-auth.service.ts';
+import type { TermsService } from './terms.service.ts';
+export declare class UserService {
+    private readonly mikro;
+    private readonly config;
+    private readonly emailService;
+    private readonly passwordAuthService;
+    private readonly termsService?;
+    constructor(mikro: MikroService, config: TinyAuthRuntimeConfig, emailService: EmailService, passwordAuthService: PasswordAuthService, termsService?: TermsService);
+    userEntityToSessionUser(user: Loaded<UserEntity, 'password_hash' | 'passkeys' | 'totps', '*', never>): Promise<z.infer<typeof r.UserSession>>;
+    getSessionUserBySub(userSub: string): Promise<z.infer<typeof r.UserSession>>;
+    buildSessionUser(params: {
+        user: Pick<UserEntity, 'sub' | 'managed_by' | 'email' | 'email_verified'> & {
+            hasPassword(): boolean;
+        };
+        totpRegistered: boolean;
+        passkeyCount: number;
+    }): Promise<z.infer<typeof r.UserSession>>;
+    register(params: {
+        email: string;
+        password: string;
+        consents?: Array<{
+            termsId: string;
+            agreed: boolean;
+        }>;
+        locale?: Locale | undefined;
+    }): Promise<z.infer<typeof r.UserSession>>;
+    /**
+     * @description
+     * Request account deletion (soft delete).
+     * Config-managed users cannot be deleted.
+     */
+    requestDeletion(userSub: string): Promise<{
+        deleted_at: Date;
+    }>;
+    userEmailVerificationRequired(userLike: {
+        managed_by: UserEntity['managed_by'];
+    }): boolean;
+    /**
+     * Determines if second factor setup is required for a user.
+     */
+    user2FASetupRequired(userLike: {
+        managed_by: UserEntity['managed_by'];
+    }): boolean;
+    userRegistered2FAMethods(userSub: string): Promise<('totp' | 'passkey')[]>;
+    /**
+     * Returns the available 2FA setup methods based on config.
+     * Only returns methods that are enabled in config.
+     */
+    getAvailable2FASetupMethods(): ('totp' | 'passkey')[];
+}
+//# sourceMappingURL=user.service.d.ts.map

package/dist/services/user.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.service.d.ts","sourceRoot":"","sources":["../../src/services/user.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AACzB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAsB;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAA2B;gBAEvD,KAAK,EAAE,YAAY,EACnB,MAAM,EAAE,qBAAqB,EAC7B,YAAY,EAAE,YAAY,EAC1B,mBAAmB,EAAE,mBAAmB,EACxC,YAAY,CAAC,EAAE,YAAY;IAShB,uBAAuB,CAClC,IAAI,EAAE,MAAM,CACV,UAAU,EACV,eAAe,GAAG,UAAU,GAAG,OAAO,EACtC,GAAG,EACH,KAAK,CACN,GACA,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAa5B,mBAAmB,CAC9B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAK5B,gBAAgB,CAAC,MAAM,EAAE;QACpC,IAAI,EAAE,IAAI,CACR,UAAU,EACV,KAAK,GAAG,YAAY,GAAG,OAAO,GAAG,gBAAgB,CAClD,GAAG;YACF,WAAW,IAAI,OAAO,CAAC;SACxB,CAAC;QACF,cAAc,EAAE,OAAO,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAoB7B,QAAQ,CAAC,MAAM,EAAE;QAC5B,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;QACvD,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7B,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAkF1C;;;;OAIG;IACU,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;QACrD,UAAU,EAAE,IAAI,CAAC;KAClB,CAAC;IAoBK,6BAA6B,CAAC,QAAQ,EAAE;QAC7C,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;KACtC,GAAG,OAAO;IAQX;;OAEG;IACI,oBAAoB,CAAC,QAAQ,EAAE;QACpC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;KACtC,GAAG,OAAO;IAOE,wBAAwB,CACnC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,CAAC;IAgBlC;;;OAGG;IACI,2BAA2B,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE;CAU7D"}

package/dist/services/user.service.js

@@ -0,0 +1,176 @@
+import { e } from "../schemas/error.js";
+export class UserService {
+    mikro;
+    config;
+    emailService;
+    passwordAuthService;
+    termsService;
+    constructor(mikro, config, emailService, passwordAuthService, termsService) {
+        this.mikro = mikro;
+        this.config = config;
+        this.emailService = emailService;
+        this.passwordAuthService = passwordAuthService;
+        this.termsService = termsService;
+    }
+    async userEntityToSessionUser(user) {
+        // Check if TOTP is fully registered (verified AND recovery_confirmed)
+        const totpFullyRegistered = user.totps
+            .getItems()
+            .some((totp) => totp.verified && totp.recovery_confirmed);
+        return this.buildSessionUser({
+            user,
+            totpRegistered: totpFullyRegistered,
+            passkeyCount: user.passkeys.length,
+        });
+    }
+    async getSessionUserBySub(userSub) {
+        const user = await this.mikro.user.verifyBySub(userSub);
+        return this.userEntityToSessionUser(user);
+    }
+    async buildSessionUser(params) {
+        const { user, totpRegistered, passkeyCount } = params;
+        const recoveryCodeCount = totpRegistered
+            ? await this.mikro.userTotpRecoveryCode.countUnusedByUserSub(user.sub)
+            : 0;
+        return {
+            sub: user.sub,
+            managed_by: user.managed_by,
+            email: user.email,
+            email_verified: user.email_verified,
+            email_verification_required: this.userEmailVerificationRequired(user),
+            has_password: user.hasPassword(),
+            totp_registered: totpRegistered,
+            totp_recovery_codes_missing: totpRegistered && recoveryCodeCount === 0,
+            second_factor_required: this.user2FASetupRequired(user),
+            passkey_count: passkeyCount,
+        };
+    }
+    async register(params) {
+        // 1. Validate explicit terms consent before user creation
+        // Load terms once and reuse across validation and recording
+        const terms = this.termsService
+            ? await this.termsService.getGlobalTerms()
+            : undefined;
+        if (this.termsService && terms) {
+            const explicitTerms = await this.termsService.getExplicitTerms(terms);
+            const hasRequiredExplicitTerms = explicitTerms.some((t) => t.required);
+            if (hasRequiredExplicitTerms) {
+                if (!params.consents || params.consents.length === 0) {
+                    throw new e.ValidationError.Error('Terms consent is required for registration');
+                }
+                const validation = await this.termsService.validateExplicitConsents(params.consents, terms);
+                if (!validation.valid) {
+                    throw new e.ValidationError.Error(`Missing required terms: ${validation.missingTerms.join(', ')}`);
+                }
+            }
+        }
+        // 2. Register the user
+        const user = await this.passwordAuthService.createDatabaseUser({
+            email: params.email,
+            password: params.password,
+        });
+        // 3. Generate email verification token and send email
+        if (this.config.email) {
+            const verification = await this.emailService.generateToken({
+                userSub: user.sub,
+            });
+            await this.mikro.em.flush();
+            this.emailService.sendVerificationEmailAsync({
+                email: user.email,
+                token: verification.token,
+                locale: params.locale,
+            });
+        }
+        // 4. Record terms consent after successful registration
+        if (this.termsService && terms) {
+            // Record explicit consents provided by user
+            if (params.consents && params.consents.length > 0) {
+                await this.termsService.recordConsents({
+                    userSub: user.sub,
+                    consents: params.consents,
+                    terms,
+                });
+            }
+            // Record implicit consents for terms with implicit consent mode
+            await this.termsService.recordImplicitConsents({
+                userSub: user.sub,
+                terms,
+            });
+        }
+        // 5. Return session info
+        return {
+            sub: user.sub,
+            managed_by: 'database',
+            email: user.email,
+            email_verified: user.email_verified,
+            email_verification_required: this.userEmailVerificationRequired(user),
+            has_password: user.hasPassword(),
+            totp_registered: false,
+            totp_recovery_codes_missing: false,
+            second_factor_required: this.user2FASetupRequired(user),
+            passkey_count: 0,
+        };
+    }
+    /**
+     * @description
+     * Request account deletion (soft delete).
+     * Config-managed users cannot be deleted.
+     */
+    async requestDeletion(userSub) {
+        // Check if user exists and is not config-managed
+        const user = await this.mikro.user.findOneOrFail({ sub: userSub, deleted_at: null }, { failHandler: () => new e.UserNotFound.Error() });
+        if (user.managed_by === 'config') {
+            throw new e.UserNotEditable.Error();
+        }
+        // Soft delete the user
+        user.deleted_at = new Date();
+        await this.mikro.em.flush();
+        return {
+            deleted_at: user.deleted_at,
+        };
+    }
+    userEmailVerificationRequired(userLike) {
+        return (userLike.managed_by !== 'config' &&
+            this.config.registration.email_verification_required &&
+            !!this.config.email);
+    }
+    /**
+     * Determines if second factor setup is required for a user.
+     */
+    user2FASetupRequired(userLike) {
+        if (userLike.managed_by === 'config') {
+            return false;
+        }
+        return this.config.auth.password.two_factor.enrollment_required;
+    }
+    async userRegistered2FAMethods(userSub) {
+        const user = await this.mikro.user.findOneOrFail({
+            sub: userSub,
+        });
+        const methods = [];
+        const totpEnabled = await this.mikro.userTotp.isRegistered(user.sub);
+        if (totpEnabled) {
+            methods.push('totp');
+        }
+        const passkeyCount = await this.mikro.userPasskey.countByUserSub(user.sub);
+        if (passkeyCount > 0) {
+            methods.push('passkey');
+        }
+        return methods;
+    }
+    /**
+     * Returns the available 2FA setup methods based on config.
+     * Only returns methods that are enabled in config.
+     */
+    getAvailable2FASetupMethods() {
+        const methods = [];
+        if (this.config.auth.password.totp.enabled) {
+            methods.push('totp');
+        }
+        if (this.config.auth.passkey.enabled) {
+            methods.push('passkey');
+        }
+        return methods;
+    }
+}
+//# sourceMappingURL=user.service.js.map

package/dist/services/user.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.service.js","sourceRoot":"","sources":["../../src/services/user.service.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAOxC,MAAM,OAAO,WAAW;IACL,KAAK,CAAe;IACpB,MAAM,CAAwB;IAC9B,YAAY,CAAe;IAC3B,mBAAmB,CAAsB;IACzC,YAAY,CAA4B;IACzD,YACE,KAAmB,EACnB,MAA6B,EAC7B,YAA0B,EAC1B,mBAAwC,EACxC,YAA2B;QAE3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC;QAC/C,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAEM,KAAK,CAAC,uBAAuB,CAClC,IAKC;QAED,sEAAsE;QACtE,MAAM,mBAAmB,GAAG,IAAI,CAAC,KAAK;aACnC,QAAQ,EAAE;aACV,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAE5D,OAAO,IAAI,CAAC,gBAAgB,CAAC;YAC3B,IAAI;YACJ,cAAc,EAAE,mBAAmB;YACnC,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;SACnC,CAAC,CAAC;IACL,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAe;QAEf,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAAC,MAS7B;QACC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;QACtD,MAAM,iBAAiB,GAAG,cAAc;YACtC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC;YACtE,CAAC,CAAC,CAAC,CAAC;QAEN,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,2BAA2B,EAAE,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC;YACrE,YAAY,EAAE,IAAI,CAAC,WAAW,EAAE;YAChC,eAAe,EAAE,cAAc;YAC/B,2BAA2B,EAAE,cAAc,IAAI,iBAAiB,KAAK,CAAC;YACtE,sBAAsB,EAAE,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;YACvD,aAAa,EAAE,YAAY;SAC5B,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,QAAQ,CAAC,MAKrB;QACC,0DAA0D;QAC1D,4DAA4D;QAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY;YAC7B,CAAC,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE;YAC1C,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,IAAI,CAAC,YAAY,IAAI,KAAK,EAAE,CAAC;YAC/B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,wBAAwB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAEvE,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACrD,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAC/B,4CAA4C,CAC7C,CAAC;gBACJ,CAAC;gBAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,wBAAwB,CACjE,MAAM,CAAC,QAAQ,EACf,KAAK,CACN,CAAC;gBACF,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;oBACtB,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAC/B,2BAA2B,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChE,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,kBAAkB,CAAC;YAC7D,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QAEH,sDAAsD;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC;gBACzD,OAAO,EAAE,IAAI,CAAC,GAAG;aAClB,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,0BAA0B,CAAC;gBAC3C,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,KAAK,EAAE,YAAY,CAAC,KAAK;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,IAAI,IAAI,CAAC,YAAY,IAAI,KAAK,EAAE,CAAC;YAC/B,4CAA4C;YAC5C,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC;oBACrC,OAAO,EAAE,IAAI,CAAC,GAAG;oBACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,KAAK;iBACN,CAAC,CAAC;YACL,CAAC;YAED,gEAAgE;YAChE,MAAM,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC;gBAC7C,OAAO,EAAE,IAAI,CAAC,GAAG;gBACjB,KAAK;aACN,CAAC,CAAC;QACL,CAAC;QAED,yBAAyB;QACzB,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,UAAU,EAAE,UAAU;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,2BAA2B,EAAE,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC;YACrE,YAAY,EAAE,IAAI,CAAC,WAAW,EAAE;YAChC,eAAe,EAAE,KAAK;YACtB,2BAA2B,EAAE,KAAK;YAClC,sBAAsB,EAAE,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;YACvD,aAAa,EAAE,CAAC;SACjB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,eAAe,CAAC,OAAe;QAG1C,iDAAiD;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAC9C,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,EAClC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,CAClD,CAAC;QAEF,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACtC,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC;IACJ,CAAC;IAEM,6BAA6B,CAAC,QAEpC;QACC,OAAO,CACL,QAAQ,CAAC,UAAU,KAAK,QAAQ;YAChC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,2BAA2B;YACpD,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CACpB,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,oBAAoB,CAAC,QAE3B;QACC,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,mBAAmB,CAAC;IAClE,CAAC;IAEM,KAAK,CAAC,wBAAwB,CACnC,OAAe;QAEf,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC;YAC/C,GAAG,EAAE,OAAO;SACb,CAAC,CAAC;QACH,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrE,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3E,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACI,2BAA2B;QAChC,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}