@veloxts/auth 0.3.3 → 0.3.5

package/dist/rate-limit.js

@@ -0,0 +1,352 @@
+/**
+ * Authentication-specific rate limiting
+ *
+ * Provides specialized rate limiters for authentication endpoints with:
+ * - Per-email+IP tracking (prevents brute force on specific accounts)
+ * - Account lockout detection
+ * - Separate limits for login, register, and password reset
+ * - Progressive backoff support
+ *
+ * @module auth/rate-limit
+ */
+import { AuthError } from './types.js';
+// ============================================================================
+// Rate Limit Store
+// ============================================================================
+/**
+ * In-memory rate limit store
+ *
+ * PRODUCTION NOTE: Replace with Redis for horizontal scaling:
+ * ```typescript
+ * import Redis from 'ioredis';
+ * const redis = new Redis(process.env.REDIS_URL);
+ *
+ * // Store entry as JSON with TTL
+ * await redis.setex(`ratelimit:${key}`, ttlSeconds, JSON.stringify(entry));
+ *
+ * // Get entry
+ * const data = await redis.get(`ratelimit:${key}`);
+ * const entry = data ? JSON.parse(data) : null;
+ * ```
+ */
+const authRateLimitStore = new Map();
+/**
+ * Cleanup interval reference
+ */
+let cleanupInterval = null;
+/**
+ * Start periodic cleanup of expired entries
+ */
+function startCleanup() {
+    if (cleanupInterval)
+        return;
+    cleanupInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [key, entry] of authRateLimitStore.entries()) {
+            // Remove if both window and lockout have expired
+            const windowExpired = entry.windowResetAt <= now;
+            const lockoutExpired = !entry.lockoutUntil || entry.lockoutUntil <= now;
+            if (windowExpired && lockoutExpired) {
+                authRateLimitStore.delete(key);
+            }
+        }
+    }, 60000); // Run every minute
+}
+/**
+ * Stop cleanup interval (for testing)
+ */
+export function stopAuthRateLimitCleanup() {
+    if (cleanupInterval) {
+        clearInterval(cleanupInterval);
+        cleanupInterval = null;
+    }
+}
+/**
+ * Clear all rate limit entries (for testing)
+ */
+export function clearAuthRateLimitStore() {
+    authRateLimitStore.clear();
+}
+// Start cleanup on module load
+startCleanup();
+// ============================================================================
+// Auth Rate Limiter
+// ============================================================================
+/**
+ * Creates an authentication rate limiter
+ *
+ * This factory returns rate limit middlewares configured for different
+ * auth operations with sensible defaults.
+ *
+ * @example
+ * ```typescript
+ * const authRateLimiter = createAuthRateLimiter({
+ *   login: { maxAttempts: 5, windowMs: 15 * 60 * 1000 },
+ *   register: { maxAttempts: 3, windowMs: 60 * 60 * 1000 },
+ * });
+ *
+ * // Apply to procedures
+ * const login = procedure()
+ *   .use(authRateLimiter.login(ctx => ctx.input.email))
+ *   .mutation(loginHandler);
+ *
+ * const register = procedure()
+ *   .use(authRateLimiter.register())
+ *   .mutation(registerHandler);
+ * ```
+ */
+export function createAuthRateLimiter(config = {}) {
+    // Default configurations
+    const loginConfig = {
+        maxAttempts: config.login?.maxAttempts ?? 5,
+        windowMs: config.login?.windowMs ?? 15 * 60 * 1000, // 15 minutes
+        lockoutDurationMs: config.login?.lockoutDurationMs ?? 15 * 60 * 1000,
+        keyGenerator: config.login?.keyGenerator ?? defaultKeyGenerator,
+        message: config.login?.message ?? 'Too many login attempts. Please try again later.',
+        progressiveBackoff: config.login?.progressiveBackoff ?? true,
+    };
+    const registerConfig = {
+        maxAttempts: config.register?.maxAttempts ?? 3,
+        windowMs: config.register?.windowMs ?? 60 * 60 * 1000, // 1 hour
+        lockoutDurationMs: config.register?.lockoutDurationMs ?? 60 * 60 * 1000,
+        keyGenerator: config.register?.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown'),
+        message: config.register?.message ?? 'Too many registration attempts. Please try again later.',
+        progressiveBackoff: config.register?.progressiveBackoff ?? false,
+    };
+    const passwordResetConfig = {
+        maxAttempts: config.passwordReset?.maxAttempts ?? 3,
+        windowMs: config.passwordReset?.windowMs ?? 60 * 60 * 1000, // 1 hour
+        lockoutDurationMs: config.passwordReset?.lockoutDurationMs ?? 60 * 60 * 1000,
+        keyGenerator: config.passwordReset?.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown'),
+        message: config.passwordReset?.message ?? 'Too many password reset attempts. Please try again later.',
+        progressiveBackoff: config.passwordReset?.progressiveBackoff ?? false,
+    };
+    const refreshConfig = {
+        maxAttempts: config.refresh?.maxAttempts ?? 10,
+        windowMs: config.refresh?.windowMs ?? 60 * 1000, // 1 minute
+        lockoutDurationMs: config.refresh?.lockoutDurationMs ?? 60 * 1000,
+        keyGenerator: config.refresh?.keyGenerator ?? ((ctx) => ctx.request.ip ?? 'unknown'),
+        message: config.refresh?.message ?? 'Too many token refresh attempts. Please try again later.',
+        progressiveBackoff: config.refresh?.progressiveBackoff ?? false,
+    };
+    return {
+        /**
+         * Rate limiter for login attempts
+         *
+         * @param identifierFn - Function to extract identifier (email) from context
+         *
+         * @example
+         * ```typescript
+         * login: procedure()
+         *   .use(authRateLimiter.login((ctx) => (ctx.input as { email: string }).email))
+         *   .input(LoginSchema)
+         *   .mutation(handler)
+         * ```
+         */
+        login: (identifierFn) => {
+            return createRateLimitMiddleware(loginConfig, 'login', identifierFn);
+        },
+        /**
+         * Rate limiter for registration attempts
+         * Uses IP-only by default (no identifier needed)
+         */
+        register: () => {
+            return createRateLimitMiddleware(registerConfig, 'register');
+        },
+        /**
+         * Rate limiter for password reset requests
+         *
+         * @param identifierFn - Optional function to extract identifier (email)
+         */
+        passwordReset: (identifierFn) => {
+            return createRateLimitMiddleware(passwordResetConfig, 'password-reset', identifierFn);
+        },
+        /**
+         * Rate limiter for token refresh
+         */
+        refresh: () => {
+            return createRateLimitMiddleware(refreshConfig, 'refresh');
+        },
+        /**
+         * Record a failed attempt (call after authentication fails)
+         *
+         * This allows tracking failures even when rate limit hasn't been hit,
+         * enabling account lockout after X failed passwords.
+         *
+         * @param key - Rate limit key (usually IP:email or IP)
+         * @param operation - Operation type for key namespacing
+         */
+        recordFailure: (key, operation) => {
+            const fullKey = `auth:${operation}:${key}`;
+            const config = operation === 'login'
+                ? loginConfig
+                : operation === 'register'
+                    ? registerConfig
+                    : passwordResetConfig;
+            const now = Date.now();
+            const entry = authRateLimitStore.get(fullKey);
+            if (!entry || entry.windowResetAt <= now) {
+                // Start new window
+                authRateLimitStore.set(fullKey, {
+                    attempts: 1,
+                    windowResetAt: now + config.windowMs,
+                    lockoutUntil: null,
+                    lockoutCount: entry?.lockoutCount ?? 0,
+                });
+            }
+            else {
+                // Increment in current window
+                entry.attempts++;
+                // Check if lockout should trigger
+                if (entry.attempts >= config.maxAttempts) {
+                    const lockoutMultiplier = config.progressiveBackoff ? 2 ** entry.lockoutCount : 1;
+                    entry.lockoutUntil = now + config.lockoutDurationMs * lockoutMultiplier;
+                    entry.lockoutCount++;
+                }
+            }
+        },
+        /**
+         * Reset rate limit for a key (call after successful auth)
+         */
+        resetLimit: (key, operation) => {
+            const fullKey = `auth:${operation}:${key}`;
+            authRateLimitStore.delete(fullKey);
+        },
+        /**
+         * Check if a key is currently locked out
+         */
+        isLockedOut: (key, operation) => {
+            const fullKey = `auth:${operation}:${key}`;
+            const entry = authRateLimitStore.get(fullKey);
+            if (!entry || !entry.lockoutUntil)
+                return false;
+            if (entry.lockoutUntil <= Date.now()) {
+                // Lockout expired
+                return false;
+            }
+            return true;
+        },
+        /**
+         * Get remaining attempts for a key
+         */
+        getRemainingAttempts: (key, operation) => {
+            const fullKey = `auth:${operation}:${key}`;
+            const config = operation === 'login'
+                ? loginConfig
+                : operation === 'register'
+                    ? registerConfig
+                    : operation === 'refresh'
+                        ? refreshConfig
+                        : passwordResetConfig;
+            const entry = authRateLimitStore.get(fullKey);
+            if (!entry || entry.windowResetAt <= Date.now()) {
+                return config.maxAttempts;
+            }
+            return Math.max(0, config.maxAttempts - entry.attempts);
+        },
+    };
+}
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+/**
+ * Default key generator combining IP and identifier
+ */
+function defaultKeyGenerator(ctx, identifier) {
+    const ip = ctx.request.ip ?? 'unknown';
+    return identifier ? `${ip}:${identifier.toLowerCase()}` : ip;
+}
+/**
+ * Creates the actual rate limit middleware
+ */
+function createRateLimitMiddleware(config, operation, identifierFn) {
+    return async ({ ctx, input, next }) => {
+        const now = Date.now();
+        // Generate rate limit key
+        const identifier = identifierFn ? identifierFn({ ...ctx, input }) : undefined;
+        const baseKey = config.keyGenerator(ctx, identifier);
+        const key = `auth:${operation}:${baseKey}`;
+        // Get or create entry
+        let entry = authRateLimitStore.get(key);
+        // Check if currently locked out
+        if (entry?.lockoutUntil && entry.lockoutUntil > now) {
+            const retryAfter = Math.ceil((entry.lockoutUntil - now) / 1000);
+            // Set headers
+            ctx.reply.header('X-RateLimit-Limit', String(config.maxAttempts));
+            ctx.reply.header('X-RateLimit-Remaining', '0');
+            ctx.reply.header('X-RateLimit-Reset', String(Math.ceil(entry.lockoutUntil / 1000)));
+            ctx.reply.header('Retry-After', String(retryAfter));
+            throw new AuthError(`${config.message} Try again in ${formatDuration(retryAfter * 1000)}.`, 429, 'RATE_LIMIT_EXCEEDED');
+        }
+        // Clean up expired window
+        if (entry && entry.windowResetAt <= now) {
+            // Preserve lockout count for progressive backoff
+            const lockoutCount = entry.lockoutCount;
+            entry = {
+                attempts: 0,
+                windowResetAt: now + config.windowMs,
+                lockoutUntil: null,
+                lockoutCount,
+            };
+            authRateLimitStore.set(key, entry);
+        }
+        // Initialize if no entry
+        if (!entry) {
+            entry = {
+                attempts: 0,
+                windowResetAt: now + config.windowMs,
+                lockoutUntil: null,
+                lockoutCount: 0,
+            };
+            authRateLimitStore.set(key, entry);
+        }
+        // Increment attempt count
+        entry.attempts++;
+        // Set rate limit headers
+        const remaining = Math.max(0, config.maxAttempts - entry.attempts);
+        ctx.reply.header('X-RateLimit-Limit', String(config.maxAttempts));
+        ctx.reply.header('X-RateLimit-Remaining', String(remaining));
+        ctx.reply.header('X-RateLimit-Reset', String(Math.ceil(entry.windowResetAt / 1000)));
+        // Check if limit exceeded
+        if (entry.attempts > config.maxAttempts) {
+            // Apply lockout
+            const lockoutMultiplier = config.progressiveBackoff ? 2 ** entry.lockoutCount : 1;
+            entry.lockoutUntil = now + config.lockoutDurationMs * lockoutMultiplier;
+            entry.lockoutCount++;
+            const retryAfter = Math.ceil((entry.lockoutUntil - now) / 1000);
+            ctx.reply.header('Retry-After', String(retryAfter));
+            throw new AuthError(`${config.message} Try again in ${formatDuration(retryAfter * 1000)}.`, 429, 'RATE_LIMIT_EXCEEDED');
+        }
+        return next();
+    };
+}
+/**
+ * Format duration in human-readable form
+ */
+function formatDuration(ms) {
+    const seconds = Math.ceil(ms / 1000);
+    if (seconds < 60)
+        return `${seconds} second${seconds !== 1 ? 's' : ''}`;
+    const minutes = Math.ceil(seconds / 60);
+    if (minutes < 60)
+        return `${minutes} minute${minutes !== 1 ? 's' : ''}`;
+    const hours = Math.ceil(minutes / 60);
+    return `${hours} hour${hours !== 1 ? 's' : ''}`;
+}
+// ============================================================================
+// Convenience Export
+// ============================================================================
+/**
+ * Pre-configured auth rate limiter with sensible defaults
+ *
+ * @example
+ * ```typescript
+ * import { authRateLimiter } from '@veloxts/auth';
+ *
+ * const login = procedure()
+ *   .use(authRateLimiter.login((ctx) => ctx.input.email))
+ *   .mutation(handler);
+ * ```
+ */
+export const authRateLimiter = createAuthRateLimiter();
+//# sourceMappingURL=rate-limit.js.map

package/dist/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA0FvC,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAA0B,CAAC;AAE7D;;GAEG;AACH,IAAI,eAAe,GAA0B,IAAI,CAAC;AAElD;;GAEG;AACH,SAAS,YAAY;IACnB,IAAI,eAAe;QAAE,OAAO;IAE5B,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,kBAAkB,CAAC,OAAO,EAAE,EAAE,CAAC;YACxD,iDAAiD;YACjD,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,IAAI,GAAG,CAAC;YACjD,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY,IAAI,GAAG,CAAC;YAExE,IAAI,aAAa,IAAI,cAAc,EAAE,CAAC;gBACpC,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,mBAAmB;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,IAAI,eAAe,EAAE,CAAC;QACpB,aAAa,CAAC,eAAe,CAAC,CAAC;QAC/B,eAAe,GAAG,IAAI,CAAC;IACzB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,kBAAkB,CAAC,KAAK,EAAE,CAAC;AAC7B,CAAC;AAED,+BAA+B;AAC/B,YAAY,EAAE,CAAC;AAEf,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAgC,EAAE;IACtE,yBAAyB;IACzB,MAAM,WAAW,GAAkC;QACjD,WAAW,EAAE,MAAM,CAAC,KAAK,EAAE,WAAW,IAAI,CAAC;QAC3C,QAAQ,EAAE,MAAM,CAAC,KAAK,EAAE,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACjE,iBAAiB,EAAE,MAAM,CAAC,KAAK,EAAE,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI;QACpE,YAAY,EAAE,MAAM,CAAC,KAAK,EAAE,YAAY,IAAI,mBAAmB;QAC/D,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,kDAAkD;QACpF,kBAAkB,EAAE,MAAM,CAAC,KAAK,EAAE,kBAAkB,IAAI,IAAI;KAC7D,CAAC;IAEF,MAAM,cAAc,GAAkC;QACpD,WAAW,EAAE,MAAM,CAAC,QAAQ,EAAE,WAAW,IAAI,CAAC;QAC9C,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QAChE,iBAAiB,EAAE,MAAM,CAAC,QAAQ,EAAE,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI;QACvE,YAAY,EAAE,MAAM,CAAC,QAAQ,EAAE,YAAY,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;QACrF,OAAO,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,IAAI,yDAAyD;QAC9F,kBAAkB,EAAE,MAAM,CAAC,QAAQ,EAAE,kBAAkB,IAAI,KAAK;KACjE,CAAC;IAEF,MAAM,mBAAmB,GAAkC;QACzD,WAAW,EAAE,MAAM,CAAC,aAAa,EAAE,WAAW,IAAI,CAAC;QACnD,QAAQ,EAAE,MAAM,CAAC,aAAa,EAAE,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QACrE,iBAAiB,EAAE,MAAM,CAAC,aAAa,EAAE,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI;QAC5E,YAAY,EAAE,MAAM,CAAC,aAAa,EAAE,YAAY,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;QAC1F,OAAO,EACL,MAAM,CAAC,aAAa,EAAE,OAAO,IAAI,2DAA2D;QAC9F,kBAAkB,EAAE,MAAM,CAAC,aAAa,EAAE,kBAAkB,IAAI,KAAK;KACtE,CAAC;IAEF,MAAM,aAAa,GAAkC;QACnD,WAAW,EAAE,MAAM,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE;QAC9C,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,GAAG,IAAI,EAAE,WAAW;QAC5D,iBAAiB,EAAE,MAAM,CAAC,OAAO,EAAE,iBAAiB,IAAI,EAAE,GAAG,IAAI;QACjE,YAAY,EAAE,MAAM,CAAC,OAAO,EAAE,YAAY,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;QACpF,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,OAAO,IAAI,0DAA0D;QAC9F,kBAAkB,EAAE,MAAM,CAAC,OAAO,EAAE,kBAAkB,IAAI,KAAK;KAChE,CAAC;IAEF,OAAO;QACL;;;;;;;;;;;;WAYG;QACH,KAAK,EAAE,CACL,YAA8D,EACL,EAAE;YAC3D,OAAO,yBAAyB,CAAC,WAAW,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QACvE,CAAC;QAED;;;WAGG;QACH,QAAQ,EAAE,GAKR,EAAE;YACF,OAAO,yBAAyB,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;QAC/D,CAAC;QAED;;;;WAIG;QACH,aAAa,EAAE,CACb,YAA8D,EACL,EAAE;YAC3D,OAAO,yBAAyB,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAC;QACxF,CAAC;QAED;;WAEG;QACH,OAAO,EAAE,GAKP,EAAE;YACF,OAAO,yBAAyB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC7D,CAAC;QAED;;;;;;;;WAQG;QACH,aAAa,EAAE,CAAC,GAAW,EAAE,SAAkD,EAAE,EAAE;YACjF,MAAM,OAAO,GAAG,QAAQ,SAAS,IAAI,GAAG,EAAE,CAAC;YAC3C,MAAM,MAAM,GACV,SAAS,KAAK,OAAO;gBACnB,CAAC,CAAC,WAAW;gBACb,CAAC,CAAC,SAAS,KAAK,UAAU;oBACxB,CAAC,CAAC,cAAc;oBAChB,CAAC,CAAC,mBAAmB,CAAC;YAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAE9C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,aAAa,IAAI,GAAG,EAAE,CAAC;gBACzC,mBAAmB;gBACnB,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE;oBAC9B,QAAQ,EAAE,CAAC;oBACX,aAAa,EAAE,GAAG,GAAG,MAAM,CAAC,QAAQ;oBACpC,YAAY,EAAE,IAAI;oBAClB,YAAY,EAAE,KAAK,EAAE,YAAY,IAAI,CAAC;iBACvC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,8BAA8B;gBAC9B,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAEjB,kCAAkC;gBAClC,IAAI,KAAK,CAAC,QAAQ,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;oBACzC,MAAM,iBAAiB,GAAG,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClF,KAAK,CAAC,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;oBACxE,KAAK,CAAC,YAAY,EAAE,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QAED;;WAEG;QACH,UAAU,EAAE,CAAC,GAAW,EAAE,SAAkD,EAAE,EAAE;YAC9E,MAAM,OAAO,GAAG,QAAQ,SAAS,IAAI,GAAG,EAAE,CAAC;YAC3C,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;QAED;;WAEG;QACH,WAAW,EAAE,CAAC,GAAW,EAAE,SAAkD,EAAW,EAAE;YACxF,MAAM,OAAO,GAAG,QAAQ,SAAS,IAAI,GAAG,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAE9C,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,YAAY;gBAAE,OAAO,KAAK,CAAC;YAChD,IAAI,KAAK,CAAC,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrC,kBAAkB;gBAClB,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED;;WAEG;QACH,oBAAoB,EAAE,CACpB,GAAW,EACX,SAA8D,EACtD,EAAE;YACV,MAAM,OAAO,GAAG,QAAQ,SAAS,IAAI,GAAG,EAAE,CAAC;YAC3C,MAAM,MAAM,GACV,SAAS,KAAK,OAAO;gBACnB,CAAC,CAAC,WAAW;gBACb,CAAC,CAAC,SAAS,KAAK,UAAU;oBACxB,CAAC,CAAC,cAAc;oBAChB,CAAC,CAAC,SAAS,KAAK,SAAS;wBACvB,CAAC,CAAC,aAAa;wBACf,CAAC,CAAC,mBAAmB,CAAC;YAE9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,aAAa,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAChD,OAAO,MAAM,CAAC,WAAW,CAAC;YAC5B,CAAC;YACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAgB,EAAE,UAAmB;IAChE,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;IACvC,OAAO,UAAU,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAChC,MAAqC,EACrC,SAAiB,EACjB,YAA8D;IAE9D,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,0BAA0B;QAC1B,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9E,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACrD,MAAM,GAAG,GAAG,QAAQ,SAAS,IAAI,OAAO,EAAE,CAAC;QAE3C,sBAAsB;QACtB,IAAI,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAExC,gCAAgC;QAChC,IAAI,KAAK,EAAE,YAAY,IAAI,KAAK,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAEhE,cAAc;YACd,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;YAClE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;YAC/C,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACpF,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;YAEpD,MAAM,IAAI,SAAS,CACjB,GAAG,MAAM,CAAC,OAAO,iBAAiB,cAAc,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EACtE,GAAG,EACH,qBAAqB,CACtB,CAAC;QACJ,CAAC;QAED,0BAA0B;QAC1B,IAAI,KAAK,IAAI,KAAK,CAAC,aAAa,IAAI,GAAG,EAAE,CAAC;YACxC,iDAAiD;YACjD,MAAM,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;YACxC,KAAK,GAAG;gBACN,QAAQ,EAAE,CAAC;gBACX,aAAa,EAAE,GAAG,GAAG,MAAM,CAAC,QAAQ;gBACpC,YAAY,EAAE,IAAI;gBAClB,YAAY;aACb,CAAC;YACF,kBAAkB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,yBAAyB;QACzB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG;gBACN,QAAQ,EAAE,CAAC;gBACX,aAAa,EAAE,GAAG,GAAG,MAAM,CAAC,QAAQ;gBACpC,YAAY,EAAE,IAAI;gBAClB,YAAY,EAAE,CAAC;aAChB,CAAC;YACF,kBAAkB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,0BAA0B;QAC1B,KAAK,CAAC,QAAQ,EAAE,CAAC;QAEjB,yBAAyB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QACnE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAC7D,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAErF,0BAA0B;QAC1B,IAAI,KAAK,CAAC,QAAQ,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;YACxC,gBAAgB;YAChB,MAAM,iBAAiB,GAAG,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;YAClF,KAAK,CAAC,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;YACxE,KAAK,CAAC,YAAY,EAAE,CAAC;YAErB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAChE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;YAEpD,MAAM,IAAI,SAAS,CACjB,GAAG,MAAM,CAAC,OAAO,iBAAiB,cAAc,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EACtE,GAAG,EACH,qBAAqB,CACtB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,EAAU;IAChC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC;IACrC,IAAI,OAAO,GAAG,EAAE;QAAE,OAAO,GAAG,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAExE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IACxC,IAAI,OAAO,GAAG,EAAE;QAAE,OAAO,GAAG,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAExE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IACtC,OAAO,GAAG,KAAK,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AAClD,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,qBAAqB,EAAE,CAAC"}