@venturekit/auth 0.0.1 → 0.0.2

Files changed (54) hide show
  1. package/dist/index.d.ts +2 -1
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +5 -1
  4. package/dist/index.js.map +1 -1
  5. package/dist/migrations/vk_auth_003_role_scopes.sql +43 -0
  6. package/dist/roles/index.d.ts +5 -1
  7. package/dist/roles/index.d.ts.map +1 -1
  8. package/dist/roles/index.js +4 -1
  9. package/dist/roles/index.js.map +1 -1
  10. package/dist/roles/role-scopes.d.ts +92 -0
  11. package/dist/roles/role-scopes.d.ts.map +1 -0
  12. package/dist/roles/role-scopes.js +122 -0
  13. package/dist/roles/role-scopes.js.map +1 -0
  14. package/dist/server/cookies.d.ts +77 -6
  15. package/dist/server/cookies.d.ts.map +1 -1
  16. package/dist/server/cookies.js +55 -13
  17. package/dist/server/cookies.js.map +1 -1
  18. package/dist/server/federated-routes.d.ts +29 -22
  19. package/dist/server/federated-routes.d.ts.map +1 -1
  20. package/dist/server/federated-routes.js +31 -4
  21. package/dist/server/federated-routes.js.map +1 -1
  22. package/dist/server/federated.d.ts.map +1 -1
  23. package/dist/server/federated.js +7 -11
  24. package/dist/server/federated.js.map +1 -1
  25. package/dist/server/handoff-routes.d.ts +130 -0
  26. package/dist/server/handoff-routes.d.ts.map +1 -0
  27. package/dist/server/handoff-routes.js +178 -0
  28. package/dist/server/handoff-routes.js.map +1 -0
  29. package/dist/server/handoff.d.ts +112 -0
  30. package/dist/server/handoff.d.ts.map +1 -0
  31. package/dist/server/handoff.js +102 -0
  32. package/dist/server/handoff.js.map +1 -0
  33. package/dist/server/index.d.ts +10 -3
  34. package/dist/server/index.d.ts.map +1 -1
  35. package/dist/server/index.js +8 -2
  36. package/dist/server/index.js.map +1 -1
  37. package/dist/server/passwordless.d.ts +68 -0
  38. package/dist/server/passwordless.d.ts.map +1 -0
  39. package/dist/server/passwordless.js +136 -0
  40. package/dist/server/passwordless.js.map +1 -0
  41. package/dist/server/revoke.d.ts +10 -0
  42. package/dist/server/revoke.d.ts.map +1 -1
  43. package/dist/server/revoke.js +19 -1
  44. package/dist/server/revoke.js.map +1 -1
  45. package/dist/server/store/postgres.d.ts +35 -0
  46. package/dist/server/store/postgres.d.ts.map +1 -0
  47. package/dist/server/store/postgres.js +88 -0
  48. package/dist/server/store/postgres.js.map +1 -0
  49. package/dist/server/token-utils.d.ts +12 -2
  50. package/dist/server/token-utils.d.ts.map +1 -1
  51. package/dist/server/token-utils.js +9 -4
  52. package/dist/server/token-utils.js.map +1 -1
  53. package/package.json +13 -4
  54. package/src/migrations/vk_auth_003_role_scopes.sql +43 -0
@@ -25,6 +25,7 @@
25
25
  */
26
26
  import { type APIGatewayProxyEventV2, type APIGatewayProxyResultV2, type Context as LambdaContext } from 'aws-lambda';
27
27
  import { type RequestContext } from '@venturekit/runtime';
28
+ import { type CookieOptions } from './cookies.js';
28
29
  import { type AuthServerConfig } from './config.js';
29
30
  import { type FederatedProfile, type FederatedProvider } from './federated.js';
30
31
  /**
@@ -97,6 +98,34 @@ export interface FederatedAuthRoutesOptions {
97
98
  * which reads from env. Pass an explicit config in tests.
98
99
  */
99
100
  config?: AuthServerConfig;
101
+ /**
102
+ * Cookie attributes for EVERY cookie these routes emit — the session
103
+ * trio, its clears, and the OAuth `state` cookie. Accepts a static
104
+ * bag or a per-request function of the live context (needed when the
105
+ * `domain` depends on the request host, e.g. white-label tenants —
106
+ * combine `getRequestHost` from `@venturekit/runtime` with
107
+ * {@link resolveCookieDomain}).
108
+ *
109
+ * The state cookie's `Path` follows {@link CookieOptions.refreshPath}:
110
+ * both cookies live under "the auth prefix as the browser sees it",
111
+ * so an app behind a same-origin `/api` proxy sets
112
+ * `refreshPath: '/api/auth'` once and both are scoped correctly.
113
+ *
114
+ * Omit for VK defaults (host-only, `Path=/auth`, Secure outside
115
+ * `vk dev`).
116
+ *
117
+ * @example
118
+ * ```ts
119
+ * createFederatedAuthRoutes({
120
+ * provider: 'linkedin',
121
+ * cookieOptions: (ctx) => ({
122
+ * refreshPath: '/api/auth',
123
+ * domain: resolveCookieDomain(getRequestHost(ctx), { platformApex: 'example.com' }),
124
+ * }),
125
+ * });
126
+ * ```
127
+ */
128
+ cookieOptions?: CookieOptions | ((ctx: RequestContext) => CookieOptions);
100
129
  }
101
130
  export interface FederatedCallbackResult<App = unknown> {
102
131
  user: {
@@ -112,27 +141,5 @@ export interface FederatedAuthRoutes {
112
141
  callback: (event: APIGatewayProxyEventV2, context: LambdaContext) => Promise<APIGatewayProxyResultV2>;
113
142
  logout: (event: APIGatewayProxyEventV2, context: LambdaContext) => Promise<APIGatewayProxyResultV2>;
114
143
  }
115
- /**
116
- * Build the start / callback / logout Lambda handlers for a given
117
- * federated provider.
118
- *
119
- * The returned handlers are ready to drop into a VentureKit route
120
- * tree:
121
- *
122
- * ```ts
123
- * // src/routes/auth/linkedin/start/post.ts
124
- * import { createFederatedAuthRoutes } from '@venturekit/auth/server';
125
- * import { onLinkedInSignIn } from '../../../../lib/users.js';
126
- * import { tenancy } from '../../../../lib/tenancy.js';
127
- *
128
- * const routes = createFederatedAuthRoutes({
129
- * provider: 'linkedin',
130
- * onSignIn: onLinkedInSignIn,
131
- * middleware: [tenancy],
132
- * });
133
- *
134
- * export const main = routes.start;
135
- * ```
136
- */
137
144
  export declare function createFederatedAuthRoutes(options: FederatedAuthRoutesOptions): FederatedAuthRoutes;
138
145
  //# sourceMappingURL=federated-routes.d.ts.map
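Review bot: The declaration of `createFederatedAuthRoutes` at the end of this file no longer carries its JSDoc block (the removed comment lines just above it), so editors show no description or usage example for the routes factory. The compiled federated-routes.js on this page suggests why: the new `toStateCookieOptions` helper and its own doc comment now sit between the old block and the exported function, so the block is no longer attached to the export. Moving the helper above the existing `/** Build the start / callback / logout Lambda handlers … */` block in the source file should restore the documentation in the emitted declarations.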
@@ -1 +1 @@
1
- {"version":3,"file":"federated-routes.d.ts","sourceRoot":"","sources":["../../src/server/federated-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,OAAO,IAAI,aAAa,EAC9B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,cAAc,EAMpB,MAAM,qBAAqB,CAAC;AAW7B,OAAO,EAAwB,KAAK,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EAMvB,MAAM,gBAAgB,CAAC;AAIxB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,OAAO,EAAE,gBAAgB,CAAC;IAC1B,0DAA0D;IAC1D,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,GAAG,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,CAAC;AAE9C,MAAM,WAAW,0BAA0B;IACzC,uCAAuC;IACvC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CACT,IAAI,EAAE,qBAAqB,KACxB,OAAO,CAAC,uBAAuB,CAAC,GAAG,uBAAuB,CAAC;IAChE;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,qBAAqB,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;IACxE;;;OAGG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAED,MAAM,WAAW,uBAAuB,CAAC,GAAG,GAAG,OAAO;IACpD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,gEAAgE;IAChE,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,CACL,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACtC,QAAQ,EAAE,CACR,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACtC,MAAM,EAAE,CACN,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACvC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,0BAA0B,GAClC,mBAAmB,CA2HrB"}
1
+ {"version":3,"file":"federated-routes.d.ts","sourceRoot":"","sources":["../../src/server/federated-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,OAAO,IAAI,aAAa,EAC9B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,cAAc,EAMpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,KAAK,aAAa,EASnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAwB,KAAK,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EAMvB,MAAM,gBAAgB,CAAC;AAIxB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,OAAO,EAAE,gBAAgB,CAAC;IAC1B,0DAA0D;IAC1D,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,GAAG,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,CAAC;AAE9C,MAAM,WAAW,0BAA0B;IACzC,uCAAuC;IACvC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CACT,IAAI,EAAE,qBAAqB,KACxB,OAAO,CAAC,uBAAuB,CAAC,GAAG,uBAAuB,CAAC;IAChE;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,qBAAqB,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;IACxE;;;OAGG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,aAAa,CAAC,EAAE,aAAa,GAAG,CAAC,CAAC,GAAG,EAAE,cAAc,KAAK,aAAa,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,uBAAuB,CAAC,GAAG,GAAG,OAAO;IACpD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,gEAAgE;IAChE,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,CACL,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACtC,QAAQ,EAAE,CACR,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACtC,MAAM,EAAE,CACN,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACvC;AAwCD,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,0BAA0B,GAClC,mBAAmB,CA4IrB"}
@@ -26,9 +26,32 @@ import { verifyAndDecode } from './verify.js';
26
26
  * export const main = routes.start;
27
27
  * ```
28
28
  */
29
+ /**
30
+ * Map a {@link CookieOptions} bag onto the OAuth state cookie's option
31
+ * shape: `refreshPath` becomes the state cookie `path` (both are "the
32
+ * auth prefix as the browser sees it"), `secure`/`domain` carry over.
33
+ */
34
+ function toStateCookieOptions(co) {
35
+ if (!co)
36
+ return undefined;
37
+ return {
38
+ ...(co.secure !== undefined ? { secure: co.secure } : {}),
39
+ ...(co.refreshPath !== undefined ? { path: co.refreshPath } : {}),
40
+ ...(co.domain !== undefined ? { domain: co.domain } : {}),
41
+ };
42
+ }
29
43
  export function createFederatedAuthRoutes(options) {
30
44
  const { provider, transactional = true } = options;
31
45
  const extraMiddleware = options.middleware ?? [];
46
+ // Resolved per request: the right Domain attribute can differ by
47
+ // request host (white-label tenants), so a function option is
48
+ // re-evaluated on every call. Start and callback are separate
49
+ // requests from the same browser origin, so both resolve to the
50
+ // same attributes and the callback's state-cookie clear matches
51
+ // the start's set.
52
+ const cookieOptionsFor = (ctx) => typeof options.cookieOptions === 'function'
53
+ ? options.cookieOptions(ctx)
54
+ : options.cookieOptions;
32
55
  // ─── start ──────────────────────────────────────────────
33
56
  // The handler body owns the `state` so it can both stash the
34
57
  // CSRF cookie and embed the value in the authorize URL. A
@@ -44,7 +67,7 @@ export function createFederatedAuthRoutes(options) {
44
67
  redirectUri: body.redirectUri,
45
68
  state,
46
69
  });
47
- setCookie(ctx, buildOAuthStateCookie(provider, state));
70
+ setCookie(ctx, buildOAuthStateCookie(provider, state, toStateCookieOptions(cookieOptionsFor(ctx))));
48
71
  return { authorizeUrl };
49
72
  }, { status: 200, middleware: extraMiddleware });
50
73
  // ─── callback ───────────────────────────────────────────
@@ -82,10 +105,11 @@ export function createFederatedAuthRoutes(options) {
82
105
  if (options.onSignIn) {
83
106
  appResult = await options.onSignIn({ profile, cognitoSub, ctx });
84
107
  }
85
- for (const cookie of buildSessionCookies(tokens)) {
108
+ const cookieOptions = cookieOptionsFor(ctx);
109
+ for (const cookie of buildSessionCookies(tokens, cookieOptions)) {
86
110
  setCookie(ctx, cookie);
87
111
  }
88
- setCookie(ctx, clearOAuthStateCookie(provider));
112
+ setCookie(ctx, clearOAuthStateCookie(provider, toStateCookieOptions(cookieOptions)));
89
113
  return {
90
114
  user: {
91
115
  id: cognitoSub,
@@ -108,7 +132,10 @@ export function createFederatedAuthRoutes(options) {
108
132
  if (refreshToken) {
109
133
  await revokeRefreshToken(refreshToken, options.config);
110
134
  }
111
- for (const cookie of buildClearSessionCookies()) {
135
+ // Clears must carry the same Domain/Path attributes as the set
136
+ // cookies, or the browser keeps the originals — hence the same
137
+ // per-request options resolution.
138
+ for (const cookie of buildClearSessionCookies(cookieOptionsFor(ctx))) {
112
139
  setCookie(ctx, cookie);
113
140
  }
114
141
  return { ok: true };
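Review bot: `toStateCookieOptions` forwards `domain` to the OAuth state cookie, so whenever an app sets a shared `Domain` for its session cookies, the CSRF `state` value is also sent to every sibling host under that domain. The state cookie is only read back by the callback handler, which the in-code comment says is served from the same browser origin as start, so it can presumably stay host-only. Dropping the line `...(co.domain !== undefined ? { domain: co.domain } : {}),` would keep the set in start and the clear in callback consistent, because both go through this helper. If some deployment does need the wider scope, the helper's doc comment should say why, since "`secure`/`domain` carry over" does not explain it. `buildOAuthStateCookie` and `clearOAuthStateCookie` are defined outside this section, so how they treat a missing `domain` is not visible here and should be confirmed.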
@@ -1 +1 @@
1
- {"version":3,"file":"federated-routes.js","sourceRoot":"","sources":["../../src/server/federated-routes.ts"],"names":[],"mappings":"AA+BA,OAAO,EAEL,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAyB,MAAM,aAAa,CAAC;AAC1E,OAAO,EAGL,iBAAiB,EACjB,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAyG9C;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAmC;IAEnC,MAAM,EAAE,QAAQ,EAAE,aAAa,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACnD,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IAEjD,2DAA2D;IAC3D,6DAA6D;IAC7D,0DAA0D;IAC1D,iEAAiE;IACjE,iEAAiE;IACjE,MAAM,KAAK,GAAG,OAAO,CACnB,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,IAAI,EAAE,WAAW,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,eAAe,CAAC,yBAAyB,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC;YAC3C,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,KAAK;SACN,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,EAAE,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;QACvD,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,EAAE,CAC7C,CAAC;IAEF,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,OAAO,CAItB,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;YACtD,MAAM,IAAI,eAAe,CAAC,0CAA0C,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,YAAY,GAChB,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,IAAI,CAAC;QACP,MAAM,WAAW,GAAG,oBAAoB,CACtC,YAAY,EACZ,oBAAoB,CAAC,QAAQ,CAAC,CAC/B,CAAC;QACF,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,IAAI,SAAS,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC;YAC9C,QAAQ;YACR,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B
,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,qBAAqB,CACxC,EAAE,QAAQ,EAAE,OAAO,EAAE,EACrB,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,oBAAoB,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,OAAO,EAAE;YACnD,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QACH,MAAM,UAAU,GACd,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ;YACzC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY;YAC3B,CAAC,CAAC,IAAI,CAAC;QACX,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,aAAa,CAAC,oCAAoC,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,SAA8C,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,KAAK,MAAM,MAAM,IAAI,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;YACjD,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;QACD,SAAS,CAAC,GAAG,EAAE,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAEhD,OAAO;YACL,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChD;YACD,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvD,CAAC;IACJ,CAAC,EACD;QACE,MAAM,EAAE,GAAG;QACX,aAAa;QACb,UAAU,EAAE,eAAe;KAC5B,CACF,CAAC;IAEF,2DAA2D;IAC3D,MAAM,MAAM,GAAG,OAAO,CACpB,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,YAAY,GAChB,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,IAAI,CAAC;QACP,MAAM,YAAY,GAAG,oBAAoB,CACvC,YAAY,EACZ,oBAAoB,CACrB,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,kBAAkB,CAAC,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACzD,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,wBAAwB,EAAE,EAAE,CAAC;YAChD,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IAEF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACrC,CAAC"}
1
+ {"version":3,"file":"federated-routes.js","sourceRoot":"","sources":["../../src/server/federated-routes.ts"],"names":[],"mappings":"AA+BA,OAAO,EAEL,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,OAAO,EACP,SAAS,GACV,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAGL,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAyB,MAAM,aAAa,CAAC;AAC1E,OAAO,EAGL,iBAAiB,EACjB,yBAAyB,EACzB,kBAAkB,EAClB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAqI9C;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,EAA6B;IAE7B,IAAI,CAAC,EAAE;QAAE,OAAO,SAAS,CAAC;IAC1B,OAAO;QACL,GAAG,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzD,GAAG,CAAC,EAAE,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAAmC;IAEnC,MAAM,EAAE,QAAQ,EAAE,aAAa,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACnD,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IACjD,iEAAiE;IACjE,8DAA8D;IAC9D,8DAA8D;IAC9D,gEAAgE;IAChE,gEAAgE;IAChE,mBAAmB;IACnB,MAAM,gBAAgB,GAAG,CAAC,GAAmB,EAA6B,EAAE,CAC1E,OAAO,OAAO,CAAC,aAAa,KAAK,UAAU;QACzC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC;QAC5B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE5B,2DAA2D;IAC3D,6DAA6D;IAC7D,0DAA0D;IAC1D,iEAAiE;IACjE,iEAAiE;IACjE,MAAM,KAAK,GAAG,OAAO,CACnB,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,IAAI,EAAE,WAAW,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,eAAe,CAAC,yBAAyB,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC;YAC3C,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,KAAK;SACN,CAAC,CAAC;QACH,SAAS,CACP,GAAG,EACH,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,oBAAoB,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CACpF,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1
B,CAAC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,EAAE,CAC7C,CAAC;IAEF,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,OAAO,CAItB,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;YACtD,MAAM,IAAI,eAAe,CAAC,0CAA0C,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,YAAY,GAChB,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,IAAI,CAAC;QACP,MAAM,WAAW,GAAG,oBAAoB,CACtC,YAAY,EACZ,oBAAoB,CAAC,QAAQ,CAAC,CAC/B,CAAC;QACF,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,IAAI,SAAS,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,yBAAyB,CAAC;YAC9C,QAAQ;YACR,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,qBAAqB,CACxC,EAAE,QAAQ,EAAE,OAAO,EAAE,EACrB,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,oBAAoB,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,OAAO,EAAE;YACnD,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QACH,MAAM,UAAU,GACd,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ;YACzC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY;YAC3B,CAAC,CAAC,IAAI,CAAC;QACX,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,aAAa,CAAC,oCAAoC,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,SAA8C,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,aAAa,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC5C,KAAK,MAAM,MAAM,IAAI,mBAAmB,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;YAChE,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;QACD,SAAS,CAAC,GAAG,EAAE,qBAAqB,CAAC,QAAQ,EAAE,oBAAoB,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QAErF,OAAO;YACL,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChD;YACD,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACv
D,CAAC;IACJ,CAAC,EACD;QACE,MAAM,EAAE,GAAG;QACX,aAAa;QACb,UAAU,EAAE,eAAe;KAC5B,CACF,CAAC;IAEF,2DAA2D;IAC3D,MAAM,MAAM,GAAG,OAAO,CACpB,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,YAAY,GAChB,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC;YAChC,IAAI,CAAC;QACP,MAAM,YAAY,GAAG,oBAAoB,CACvC,YAAY,EACZ,oBAAoB,CACrB,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,kBAAkB,CAAC,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACzD,CAAC;QACD,+DAA+D;QAC/D,+DAA+D;QAC/D,kCAAkC;QAClC,KAAK,MAAM,MAAM,IAAI,wBAAwB,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACrE,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IAEF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACrC,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"federated.d.ts","sourceRoot":"","sources":["../../src/server/federated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAYH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAErE,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAQD;;;;;;;;;;;;GAYG;AACH,wBAAsB,gCAAgC,CACpD,QAAQ,EAAE,iBAAiB,EAC3B,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,4BAA4B,CAAC,CA+EvC;AAED,mEAAmE;AACnE,wBAAgB,oCAAoC,IAAI,IAAI,CAE3D;AAMD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,UAAU,EAAE,MAAM,GAAG,SAAS,GAC7B,OAAO,CAMT;AAoDD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,sBAAsB,EAC7B,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,MAAM,CAAC,CAejB;AAMD,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,8BAA8B,EACrC,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,gBAAgB,CAAC,CA+B3B;AAkOD,MAAM,WAAW,0BAA0B;IACzC,+DAA+D;IAC/D,OAAO,EAAE,gBAAgB,CAAC;IAC1B,+DAA+D;IAC/D,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,0BAA0B,EACjC,MAAM,GAAE,gBAAy
C,GAChD,OAAO,CAAC,YAAY,CAAC,CA6HvB"}
1
+ {"version":3,"file":"federated.d.ts","sourceRoot":"","sources":["../../src/server/federated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAYH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAKpD,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAErE,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAQD;;;;;;;;;;;;GAYG;AACH,wBAAsB,gCAAgC,CACpD,QAAQ,EAAE,iBAAiB,EAC3B,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,4BAA4B,CAAC,CA+EvC;AAED,mEAAmE;AACnE,wBAAgB,oCAAoC,IAAI,IAAI,CAE3D;AAMD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,UAAU,EAAE,MAAM,GAAG,SAAS,GAC7B,OAAO,CAMT;AAoDD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,sBAAsB,EAC7B,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,MAAM,CAAC,CAejB;AAMD,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,8BAA8B,EACrC,GAAG,GAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAe,GACxE,OAAO,CAAC,gBAAgB,CAAC,CA+B3B;AA8ND,MAAM,WAAW,0BAA0B;IACzC,+DAA+D;IAC/D,OAAO,EAAE,gBAAgB,CAAC;IAC1B,+DAA+D;IAC/D,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,0BAA0B,EACjC,MAAM,GAAE,gBAAy
C,GAChD,OAAO,CAAC,YAAY,CAAC,CA6HvB"}
@@ -41,6 +41,7 @@ import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
41
41
  import { loadAuthServerConfig } from './config.js';
42
42
  import { getCognitoClient } from './cognito-client.js';
43
43
  import { AuthError, mapProviderError } from './errors.js';
44
+ import { decodeJwtClaims } from './token-utils.js';
44
45
  import { extractSignInTokens } from './tokens.js';
45
46
  // ────────────────────────────────────────────────────────────────────
46
47
  // Provider-credential resolution (Secrets Manager → cached)
@@ -359,22 +360,17 @@ async function exchangeLinkedIn(code, redirectUri, clientId, clientSecret) {
359
360
  return profile;
360
361
  }
361
362
  /**
362
- * Decode a JWT payload **without** verifying the signature. Safe here
363
+ * Decode a JWT payload **without** verifying the signature safe here
363
364
  * because the caller just fetched the token over TLS from the IdP's
364
- * own token endpoint; the decoder is internal-only.
365
+ * own token endpoint. Thin throwing wrapper over the shared
366
+ * `decodeJwtClaims` (token-utils.ts).
365
367
  */
366
368
  function decodeJwtPayload(jwt) {
367
- const parts = jwt.split('.');
368
- if (parts.length < 2) {
369
- throw new AuthError('federated_token_invalid', 'Malformed JWT', 401);
370
- }
371
- try {
372
- const payload = Buffer.from(parts[1], 'base64url').toString('utf-8');
373
- return JSON.parse(payload);
374
- }
375
- catch {
369
+ const claims = decodeJwtClaims(jwt);
370
+ if (!claims) {
376
371
  throw new AuthError('federated_token_invalid', 'Malformed JWT', 401);
377
372
  }
373
+ return claims;
378
374
  }
379
375
  /**
380
376
  * Sign a verified federated user in. Creates the Cognito user on
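Review bot: `decodeJwtPayload` now relies on `decodeJwtClaims` returning a falsy value for every malformed token, whereas the old body caught base64 and JSON errors itself and always raised `AuthError('federated_token_invalid', 'Malformed JWT', 401)`. `decodeJwtClaims` lives in token-utils.js, outside this hunk, so confirm it catches those errors rather than throwing; otherwise a bad token surfaces as an unmapped exception instead of a 401. The rewritten comment also lost its sentence break ("signature safe here") and the statement that the decoder is internal-only. Since the decode is now a shared helper, the comment should say where unverified decoding is acceptable, for example `Decode a JWT payload **without** verifying the signature. Only for tokens this process just fetched over TLS from the IdP's token endpoint; never for a token received from a client.`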
@@ -1 +1 @@
1
- {"version":3,"file":"federated.js","sourceRoot":"","sources":["../../src/server/federated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,wBAAwB,EACxB,2BAA2B,EAC3B,gCAAgC,GAGjC,MAAM,2CAA2C,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAqB,MAAM,aAAa,CAAC;AAsBrE,uEAAuE;AACvE,4DAA4D;AAC5D,uEAAuE;AAEvE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAmD,CAAC;AAEpF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,QAA2B,EAC3B,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,qEAAqE;IACrE,yDAAyD;IACzD,MAAM,WAAW,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,YAAY,CAAC;IAC5E,MAAM,eAAe,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACpF,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IACrC,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7C,IAAI,WAAW,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,KAAK,GAAiC;YAC1C,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;SAC9B,CAAC;QACF,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC;IACxE,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,qBAAqB,MAAM,aAAa;YAClD,kBAAkB,QAAQ,0CAA0C;YACpE,iEAAiE;YACjE,qEAAqE,EACvE,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAClE,iCAAiC,CAClC,CAAC;IACF,MAAM,MAAM,GAAG,IAAI,oBAAoB,CAAC;QACtC,MAAM,EAAE,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC;KACnD,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAC5E,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,WAAW,EACrD,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,IAAI,MAAoD,CAAC;IACzD,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,
GAAG,CAAC,YAAY,CAAkB,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,oBAAoB,EAC9D,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IACE,CAAC,MAAM,CAAC,QAAQ;QAChB,CAAC,MAAM,CAAC,YAAY;QACpB,MAAM,CAAC,QAAQ,KAAK,aAAa;QACjC,MAAM,CAAC,YAAY,KAAK,aAAa,EACrC,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,mBAAmB;YAC3D,6DAA6D;YAC7D,4DAA4D;YAC5D,eAAe,GAAG,wDAAwD,EAC5E,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAiC;QAC1C,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC;IACF,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,oCAAoC;IAClD,gBAAgB,CAAC,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,uEAAuE;AACvE,2CAA2C;AAC3C,uEAAuE;AAEvE;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,SAA6B,EAC7B,UAA8B;IAE9B,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/B,CAAC;AAaD,MAAM,kBAAkB,GAAiD;IACvE,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,mEAAmE;QACnE,8DAA8D;QAC9D,aAAa,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;KAC9C;IACD,QAAQ,EAAE;QACR,SAAS,EAAE,6CAA6C;QACxD,KAAK,EAAE,qDAAqD;QAC5D,+DAA+D;QAC/D,6DAA6D;QAC7D,aAAa,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC;KAC3C;IACD,KAAK,EAAE;QACL,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,sCAAsC;QAC7C,kEAAkE;QAClE,8DAA8D;QAC9D,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;KACjC;IACD,QAAQ,EAAE;QACR,+DAA+D;QAC/D,+DAA+D;QAC/D,kEAAkE;QAClE,wEAAwE;QACxE,SAAS,EAAE,iDAAiD;QAC5D,KAAK,EAAE,+CAA+C;QACtD,8DAA8D;QAC9D,4DAA4D;QAC5D,aAAa,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;KAC9C;CACF,CAAC;AA0BF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAA6B,EAC7B,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IACpE,MAAM
,EAAE,QAAQ,EAAE,GAAG,MAAM,gCAAgC,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAE/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,IAAI,SAAS,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,CAAC;QACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAkBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,KAAqC,EACrC,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IAC9C,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,MAAM,gCAAgC,CACvE,QAAQ,EACR,GAAG,CACJ,CAAC;IACF,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,cAAc,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACnE,KAAK,UAAU;YACb,OAAO,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACrE,KAAK,UAAU;YACb,OAAO,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACrE,KAAK,OAAO;YACV,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,iEAAiE;gBAC/D,iEAAiE;gBACjE,uDAAuD,EACzD,GAAG,CACJ,CAAC;QACJ,OAAO,CAAC,CAAC,CAAC;YACR,MAAM,WAAW,GAAU,QAAQ,CAAC;YACpC,KAAK,WAAW,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,+BAA+B,MAAM,CAAC,QAAQ,CAAC,EAAE,EACjD,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,oEAAoE;IACpE,qEAAqE;IACrE,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,kEAAkE;IAClE,wCAAwC;IACxC,4FAA4F;IAC5F,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,IAAI;QACJ,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,oBAAoB;KACjC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,KAAK,EAAE;QAC5D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC
,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,sCAAsC,QAAQ,CAAC,MAAM,KAAK;YACxD,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGvC,CAAC;IACF,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,4CAA4C,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACjF,MAAM,KAAK,GACT,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;QACjC,CAAC,CAAE,MAAM,CAAC,OAAO,CAAY,CAAC,WAAW,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IACX,MAAM,aAAa,GAAG,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,CAAC;IACxD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,uDAAuD,EACvD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GACR,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,MAAM,CAAY,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,kEAAkE;IAClE,kEAAkE;IAClE,wDAAwD;IACxD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5D,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACxC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACjD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IACzD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,wCAAwC,QAAQ,CAAC,MAAM,KAAK;YAC1D,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACvE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,kDAAkD,EAClD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,i
EAAiE;IACjE,qEAAqE;IACrE,MAAM,KAAK,GAAG,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC;SAC7C,MAAM,CAAC,SAAS,CAAC,YAAY,CAAC;SAC9B,MAAM,CAAC,KAAK,CAAC,CAAC;IACjB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAC7D,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAClD,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,SAAS,CAAC,YAAY,CAAC,CAAC;IAC/D,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,6BAA6B,KAAK,CAAC,MAAM,GAAG,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,EAAE,CAI7B,CAAC;IACF,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,mEAAmE,EACnE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,UAAU,EAAE,EAAE,CAAC,EAAE;QACjB,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE;QAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;KACd,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,sEAAsE;IACtE,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,qEAAqE;IACrE,oEAAoE;IACpE,iEAAiE;IACjE,gCAAgC;IAChC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,IAAI;QACJ,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,oBAAoB;KACjC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,wCAAwC,QAAQ,CAAC,MAAM,KAAK;YAC1D,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGvC,CAAC;IACF,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,+DAA+D;YAC7D,gEAAgE;YAChE,iDAAiD,EACnD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACjF,MAAM,K
AAK,GACT,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;QACjC,CAAC,CAAE,MAAM,CAAC,OAAO,CAAY,CAAC,WAAW,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IACX,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,aAAa,GACjB,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,IAAI,MAAM,CAAC,gBAAgB,CAAC,KAAK,MAAM,CAAC;IAC3E,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,oEAAoE;YAClE,yCAAyC,EAC3C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GACR,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,MAAM,CAAY,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,MAAM,OAAO,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAuBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAiC,EACjC,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAEhD,kEAAkE;IAClE,gEAAgE;IAChE,kEAAkE;IAClE,8DAA8D;IAC9D,kCAAkC;IAClC,MAAM,QAAQ,GAAG,sBAAsB,EAAE,CAAC;IAE1C,IAAI,UAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,mBAAmB,CAAC;YACtB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;SAChB,CAAC,CACH,CAAC;QACF,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAAyB,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAChE,UAAU,GAAG,KAAK,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,KAAK,GAAoB;YAC7B,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;YAC/B,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;SAC1C,CAAC;QACF,IAAI,KAA
K,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,gBAAgB,IAAI,CAAC,KAAK,MAAM;gBAAE,SAAS;YACtE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QACpC,CAAC;QACD,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAE,2BAA2B;YACjC,KAAK,EAAE,KAAK,CAAC,QAAQ;SACtB,CAAC,CAAC;QACH,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,EAAE,CAAC;YACzE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,sBAAsB,CAAC;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK;gBACf,cAAc,EAAE,KAAK;gBACrB,2DAA2D;gBAC3D,4DAA4D;gBAC5D,aAAa,EAAE,UAAU;gBACzB,iBAAiB,EAAE,QAAQ;aAC5B,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gEAAgE;YAChE,8DAA8D;YAC9D,iDAAiD;YACjD,IAAK,GAAyB,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;gBAClE,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC5D,+DAA+D;QAC/D,+DAA+D;QAC/D,0CAA0C;QAC1C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gCAAgC,CAAC;gBACnC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK;gBACf,cAAc,EAAE;oBACd,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC/B,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;iBAC1C;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,gEAAgE;IAChE,iEAAiE;IACjE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,2BAA2B,CAAC;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,IAAI;SAChB,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,GAAmC,CAAC;IACxC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,wBAAwB,CAAC;YAC
3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,0BAA0B;YACpC,cAAc,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE;SACxD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,qEAAqE,GAAG,CAAC,aAAa,EAAE,EACxF,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB;IAC7B,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC;SACzB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;SAC5B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,OAAO,OAAO,IAAI,EAAE,CAAC;AACvB,CAAC"}
1
+ {"version":3,"file":"federated.js","sourceRoot":"","sources":["../../src/server/federated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,wBAAwB,EACxB,2BAA2B,EAC3B,gCAAgC,GAGjC,MAAM,2CAA2C,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAqB,MAAM,aAAa,CAAC;AAsBrE,uEAAuE;AACvE,4DAA4D;AAC5D,uEAAuE;AAEvE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAmD,CAAC;AAEpF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,QAA2B,EAC3B,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,qEAAqE;IACrE,yDAAyD;IACzD,MAAM,WAAW,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,YAAY,CAAC;IAC5E,MAAM,eAAe,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACpF,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IACrC,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7C,IAAI,WAAW,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,KAAK,GAAiC;YAC1C,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;SAC9B,CAAC;QACF,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC;IACxE,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,qBAAqB,MAAM,aAAa;YAClD,kBAAkB,QAAQ,0CAA0C;YACpE,iEAAiE;YACjE,qEAAqE,EACvE,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAClE,iCAAiC,CAClC,CAAC;IACF,MAAM,MAAM,GAAG,IAAI,oBAAoB,CAAC;QACtC,MAAM,EAAE,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC;KACnD,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAC5E,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,WAAW,EACrD,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,IAAI,MAAoD,CAAC;IACzD,IA
AI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAkB,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,oBAAoB,EAC9D,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IACE,CAAC,MAAM,CAAC,QAAQ;QAChB,CAAC,MAAM,CAAC,YAAY;QACpB,MAAM,CAAC,QAAQ,KAAK,aAAa;QACjC,MAAM,CAAC,YAAY,KAAK,aAAa,EACrC,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,IAAI,QAAQ,2BAA2B,GAAG,mBAAmB;YAC3D,6DAA6D;YAC7D,4DAA4D;YAC5D,eAAe,GAAG,wDAAwD,EAC5E,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAiC;QAC1C,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC;IACF,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,oCAAoC;IAClD,gBAAgB,CAAC,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,uEAAuE;AACvE,2CAA2C;AAC3C,uEAAuE;AAEvE;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,SAA6B,EAC7B,UAA8B;IAE9B,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/B,CAAC;AAaD,MAAM,kBAAkB,GAAiD;IACvE,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,mEAAmE;QACnE,8DAA8D;QAC9D,aAAa,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;KAC9C;IACD,QAAQ,EAAE;QACR,SAAS,EAAE,6CAA6C;QACxD,KAAK,EAAE,qDAAqD;QAC5D,+DAA+D;QAC/D,6DAA6D;QAC7D,aAAa,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC;KAC3C;IACD,KAAK,EAAE;QACL,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,sCAAsC;QAC7C,kEAAkE;QAClE,8DAA8D;QAC9D,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;KACjC;IACD,QAAQ,EAAE;QACR,+DAA+D;QAC/D,+DAA+D;QAC/D,kEAAkE;QAClE,wEAAwE;QACxE,SAAS,EAAE,iDAAiD;QAC5D,KAAK,EAAE,+CAA+C;QACtD,8DAA8D;QAC9D,4DAA4D;QAC5D,aAAa,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;KAC9C;CACF,CAAC;AA0BF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAA6B,EAC7B,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,MA
AM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IACpE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,gCAAgC,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAE/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,IAAI,SAAS,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,CAAC;QACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAkBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,KAAqC,EACrC,MAA8D,OAAO,CAAC,GAAG;IAEzE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IAC9C,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,MAAM,gCAAgC,CACvE,QAAQ,EACR,GAAG,CACJ,CAAC;IACF,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,cAAc,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACnE,KAAK,UAAU;YACb,OAAO,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACrE,KAAK,UAAU;YACb,OAAO,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACrE,KAAK,OAAO;YACV,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,iEAAiE;gBAC/D,iEAAiE;gBACjE,uDAAuD,EACzD,GAAG,CACJ,CAAC;QACJ,OAAO,CAAC,CAAC,CAAC;YACR,MAAM,WAAW,GAAU,QAAQ,CAAC;YACpC,KAAK,WAAW,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,mCAAmC,EACnC,+BAA+B,MAAM,CAAC,QAAQ,CAAC,EAAE,EACjD,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,oEAAoE;IACpE,qEAAqE;IACrE,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,kEAAkE;IAClE,wCAAwC;IACxC,4FAA4F;IAC5F,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,IAAI;QACJ,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,oBAAoB;KACjC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,KAAK,EAAE;QAC5D,MAAM,EAA
E,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,sCAAsC,QAAQ,CAAC,MAAM,KAAK;YACxD,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGvC,CAAC;IACF,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,4CAA4C,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACjF,MAAM,KAAK,GACT,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;QACjC,CAAC,CAAE,MAAM,CAAC,OAAO,CAAY,CAAC,WAAW,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IACX,MAAM,aAAa,GAAG,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,CAAC;IACxD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,uDAAuD,EACvD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GACR,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,MAAM,CAAY,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,kEAAkE;IAClE,kEAAkE;IAClE,wDAAwD;IACxD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5D,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACxC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACjD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IACzD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,wCAAwC,QAAQ,CAAC,MAAM,KAAK;YAC1D,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACvE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,k
DAAkD,EAClD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,iEAAiE;IACjE,qEAAqE;IACrE,MAAM,KAAK,GAAG,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC;SAC7C,MAAM,CAAC,SAAS,CAAC,YAAY,CAAC;SAC9B,MAAM,CAAC,KAAK,CAAC,CAAC;IACjB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAC7D,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAClD,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,SAAS,CAAC,YAAY,CAAC,CAAC;IAC/D,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,6BAA6B,KAAK,CAAC,MAAM,GAAG,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,EAAE,CAI7B,CAAC;IACF,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,mEAAmE,EACnE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO;QACL,UAAU,EAAE,EAAE,CAAC,EAAE;QACjB,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE;QAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;KACd,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,WAAmB,EACnB,QAAgB,EAChB,YAAoB;IAEpB,sEAAsE;IACtE,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,qEAAqE;IACrE,oEAAoE;IACpE,iEAAiE;IACjE,gCAAgC;IAChC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,IAAI;QACJ,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,oBAAoB;KACjC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,wCAAwC,QAAQ,CAAC,MAAM,KAAK;YAC1D,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,EACzC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGvC,CAAC;IACF,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,+DAA+D;YAC7D,gEAAgE;YAChE,iDAAiD,EACnD,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,KAAK
,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACjF,MAAM,KAAK,GACT,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;QACjC,CAAC,CAAE,MAAM,CAAC,OAAO,CAAY,CAAC,WAAW,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IACX,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,aAAa,GACjB,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,IAAI,MAAM,CAAC,gBAAgB,CAAC,KAAK,MAAM,CAAC;IAC3E,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,oEAAoE;YAClE,yCAAyC,EAC3C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GACR,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,MAAM,CAAY,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,MAAM,OAAO,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CAAC,yBAAyB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAuBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAiC,EACjC,SAA2B,oBAAoB,EAAE;IAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAEhD,kEAAkE;IAClE,gEAAgE;IAChE,kEAAkE;IAClE,8DAA8D;IAC9D,kCAAkC;IAClC,MAAM,QAAQ,GAAG,sBAAsB,EAAE,CAAC;IAE1C,IAAI,UAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,mBAAmB,CAAC;YACtB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;SAChB,CAAC,CACH,CAAC;QACF,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAAyB,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAChE,UAAU,GAAG,KAAK,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,KAAK,GAAoB;YAC7B,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;YAC/B,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;SAC1C,CAAC;QACF,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,I
AAI,EAAE,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,gBAAgB,IAAI,CAAC,KAAK,MAAM;gBAAE,SAAS;YACtE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QACpC,CAAC;QACD,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAE,2BAA2B;YACjC,KAAK,EAAE,KAAK,CAAC,QAAQ;SACtB,CAAC,CAAC;QACH,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,EAAE,CAAC;YACzE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,sBAAsB,CAAC;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK;gBACf,cAAc,EAAE,KAAK;gBACrB,2DAA2D;gBAC3D,4DAA4D;gBAC5D,aAAa,EAAE,UAAU;gBACzB,iBAAiB,EAAE,QAAQ;aAC5B,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gEAAgE;YAChE,8DAA8D;YAC9D,iDAAiD;YACjD,IAAK,GAAyB,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;gBAClE,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC5D,+DAA+D;QAC/D,+DAA+D;QAC/D,0CAA0C;QAC1C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gCAAgC,CAAC;gBACnC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK;gBACf,cAAc,EAAE;oBACd,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC/B,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;iBAC1C;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,gEAAgE;IAChE,iEAAiE;IACjE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,2BAA2B,CAAC;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,IAAI;SAChB,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,GAAmC,CAAC;IACxC,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CACrB,IAAI,wBAAwB,CAAC;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,0BAA0B;YACpC,cAAc,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE;SACxD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,gBAAgB,CAAC,GAAG,E
AAE,yBAAyB,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CACjB,yBAAyB,EACzB,qEAAqE,GAAG,CAAC,aAAa,EAAE,EACxF,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB;IAC7B,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC;SACzB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;SAC5B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,OAAO,OAAO,IAAI,EAAE,CAAC;AACvB,CAAC"}
@@ -0,0 +1,130 @@
1
+ /**
2
+ * Session handoff route factory — the SSO flow that moves a session
3
+ * between hosts that cannot share cookies (different registrable
4
+ * domains, e.g. a platform subdomain and a white-label custom domain).
5
+ *
6
+ * Emits two Lambda handlers:
7
+ *
8
+ * - `start` — `POST /auth/handoff/start` on the host WITH a session.
9
+ * Body `{ target: "https://tenant.io/dashboard" }`.
10
+ * Verifies the session cookies, runs the app's
11
+ * `authorize` hook (membership check — THE gate that
12
+ * keeps foreign domains out), stashes a single-use
13
+ * code via the app's `HandoffStore`, and returns
14
+ * `{ url }` for the SPA to navigate to.
15
+ * - `complete` — `GET /auth/handoff?code=…&next=…` on the TARGET
16
+ * host (a top-level browser navigation, typically
17
+ * through the app's same-origin API proxy). Redeems
18
+ * the code, mints fresh tokens from the stashed
19
+ * refresh token, sets first-party session cookies for
20
+ * THIS host, and 302-redirects to `next`. Every
21
+ * failure redirects to `failurePath` — the user is
22
+ * mid-navigation, JSON errors would dead-end them.
23
+ *
24
+ * The refresh token moves server→store→server; only the opaque
25
+ * single-use code (256-bit, 60s TTL, host-bound, hashed at rest)
26
+ * transits the browser. See `handoff.ts` for the security model.
27
+ */
28
+ import { type APIGatewayProxyEventV2, type APIGatewayProxyResultV2, type Context as LambdaContext } from 'aws-lambda';
29
+ import { type RequestContext } from '@venturekit/runtime';
30
+ import { type CookieOptions } from './cookies.js';
31
+ import { type AuthServerConfig } from './config.js';
32
+ import { type HandoffStore } from './handoff.js';
33
+ /** Body shape for the `start` route. */
34
+ export interface HandoffStartBody {
35
+ /**
36
+ * Absolute URL the user wants to land on, on the other host —
37
+ * `https://tenant.io/dashboard`. The host is what `authorize` gets
38
+ * to approve; path + query become the post-handoff redirect.
39
+ */
40
+ target: string;
41
+ }
42
+ /** Argument bag for the app's `authorize` hook. */
43
+ export interface HandoffAuthorizeArgs {
44
+ /** Cognito `sub` from the verified id token. */
45
+ userSub: string;
46
+ /** All claims of the verified id token. */
47
+ claims: Record<string, unknown>;
48
+ /** Host (lowercased, port included) the user wants a session on. */
49
+ targetHost: string;
50
+ /** Live request context (tenancy middleware output, headers, …). */
51
+ ctx: RequestContext;
52
+ }
53
+ export interface SessionHandoffRoutesOptions {
54
+ /** App-provided single-use code storage. See {@link HandoffStore}. */
55
+ store: HandoffStore;
56
+ /**
57
+ * THE authorization gate: may this user get a session on
58
+ * `targetHost`? Apps typically map the host to a tenant and check
59
+ * membership. Return `false` to refuse (403). Unknown hosts MUST
60
+ * return `false` — this hook is the only thing standing between a
61
+ * session and an arbitrary domain.
62
+ */
63
+ authorize: (args: HandoffAuthorizeArgs) => Promise<boolean>;
64
+ /**
65
+ * Builds the absolute URL of the `complete` endpoint on a target
66
+ * host, WITHOUT query string. Defaults to
67
+ * `https://<targetHost><completePath>`. Override in dev (http, ports)
68
+ * or when the browser-visible API prefix differs per host.
69
+ */
70
+ completeUrl?: (targetHost: string, ctx: RequestContext) => string;
71
+ /**
72
+ * Browser-visible path of the `complete` route used by the default
73
+ * `completeUrl`. Include the app's proxy prefix if there is one
74
+ * (mycohort: `/api/auth/handoff`). Default `/auth/handoff`.
75
+ */
76
+ completePath?: string;
77
+ /**
78
+ * Where `complete` redirects when redemption fails (missing /
79
+ * expired / wrong-host code). Relative path on the target host.
80
+ * Default `/login`.
81
+ */
82
+ failurePath?: string;
83
+ /**
84
+ * Cookie attributes for the session cookies minted on the target
85
+ * host — same semantics as the federated factory: pass a function
86
+ * to resolve per request (Domain depends on the host being landed
87
+ * on). Defaults to VK's host-only defaults.
88
+ */
89
+ cookieOptions?: CookieOptions | ((ctx: RequestContext) => CookieOptions);
90
+ /**
91
+ * Resolve the current (browser-facing) host on the `complete` leg.
92
+ *
93
+ * NOTE: `complete` is a top-level GET navigation — there is no
94
+ * `origin` header and `referer` still points at the ISSUING host,
95
+ * so the general-purpose `getRequestHost()` chain would pick the
96
+ * wrong host. The default here reads `x-forwarded-host` (set by
97
+ * same-origin proxies) then `host`. Override when your proxy uses
98
+ * a different header.
99
+ */
100
+ resolveRequestHost?: (ctx: RequestContext) => string;
101
+ /** Code lifetime in seconds. Default {@link DEFAULT_HANDOFF_TTL_SECONDS}. */
102
+ ttlSeconds?: number;
103
+ /** Explicit Cognito config; defaults to env-var loading per request. */
104
+ config?: AuthServerConfig;
105
+ /** Extra middleware for both routes (tenancy, rate limiting, …). */
106
+ middleware?: import('@venturekit/runtime').Middleware<RequestContext>[];
107
+ }
108
+ /** Route bundle returned by {@link createSessionHandoffRoutes}. */
109
+ export interface SessionHandoffRoutes {
110
+ start: (event: APIGatewayProxyEventV2, context: LambdaContext) => Promise<APIGatewayProxyResultV2>;
111
+ complete: (event: APIGatewayProxyEventV2, context: LambdaContext) => Promise<APIGatewayProxyResultV2>;
112
+ }
113
+ /** Default browser-facing path of the `complete` route. */
114
+ export declare const DEFAULT_HANDOFF_COMPLETE_PATH = "/auth/handoff";
115
+ /**
116
+ * Build the session-handoff route pair. See module docs for the flow.
117
+ *
118
+ * @example
119
+ * ```typescript
120
+ * export const handoffRoutes = createSessionHandoffRoutes({
121
+ * store: postgresHandoffStore,
122
+ * authorize: async ({ userSub, targetHost }) =>
123
+ * isApprovedMemberOfTenantOwning(targetHost, userSub),
124
+ * completeUrl: (host) => `https://${host}/api/auth/handoff`,
125
+ * cookieOptions: (ctx) => sessionCookieOptions(getRequestHost(ctx)),
126
+ * });
127
+ * ```
128
+ */
129
+ export declare function createSessionHandoffRoutes(options: SessionHandoffRoutesOptions): SessionHandoffRoutes;
130
+ //# sourceMappingURL=handoff-routes.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"handoff-routes.d.ts","sourceRoot":"","sources":["../../src/server/handoff-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,OAAO,IAAI,aAAa,EAC9B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,cAAc,EAQpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,KAAK,aAAa,EAKnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAwB,KAAK,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,EACL,KAAK,YAAY,EAIlB,MAAM,cAAc,CAAC;AAItB,wCAAwC;AACxC,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,mDAAmD;AACnD,MAAM,WAAW,oBAAoB;IACnC,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,2CAA2C;IAC3C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,oEAAoE;IACpE,UAAU,EAAE,MAAM,CAAC;IACnB,oEAAoE;IACpE,GAAG,EAAE,cAAc,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,sEAAsE;IACtE,KAAK,EAAE,YAAY,CAAC;IACpB;;;;;;OAMG;IACH,SAAS,EAAE,CAAC,IAAI,EAAE,oBAAoB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5D;;;;;OAKG;IACH,WAAW,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,cAAc,KAAK,MAAM,CAAC;IAClE;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,aAAa,GAAG,CAAC,CAAC,GAAG,EAAE,cAAc,KAAK,aAAa,CAAC,CAAC;IACzE;;;;;;;;;OASG;IACH,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,MAAM,CAAC;IACrD,6EAA6E;IAC7E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,oEAAoE;IACpE,UAAU,CAAC,EAAE,OAAO,qBAAqB,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;CACzE;AAED,mEAAmE;AACnE,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,CACL,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACtC,QAAQ,EAAE,CACR,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACvC;AAED,2DAA2D;AAC3D,eAAO,MAAM,6BAA6B,kBAAkB,CAAC;AA6D7D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,2BAA2B,GACnC,oBAAoB,CAgJtB"}
@@ -0,0 +1,178 @@
1
+ import { BadRequestError, ForbiddenError, UnauthorizedError, handler, setCookie, rawResult, redirect, } from '@venturekit/runtime';
2
+ import { buildSessionCookies, readCookieFromHeader, ID_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE, } from './cookies.js';
3
+ import { loadAuthServerConfig } from './config.js';
4
+ import { DEFAULT_HANDOFF_TTL_SECONDS, issueHandoffCode, redeemHandoffCode, } from './handoff.js';
5
+ import { refreshSession } from './refresh.js';
6
+ import { verifyAndDecode } from './verify.js';
7
+ /** Default browser-facing path of the `complete` route. */
8
+ export const DEFAULT_HANDOFF_COMPLETE_PATH = '/auth/handoff';
9
+ function headersOf(ctx) {
10
+ return (ctx.rawEvent
11
+ ?.headers ?? {});
12
+ }
13
+ function headerValue(headers, name) {
14
+ for (const [key, value] of Object.entries(headers)) {
15
+ if (key.toLowerCase() === name && value)
16
+ return value;
17
+ }
18
+ return undefined;
19
+ }
20
+ /** Default current-host resolution for the `complete` navigation leg. */
21
+ function defaultResolveRequestHost(ctx) {
22
+ const headers = headersOf(ctx);
23
+ return (headerValue(headers, 'x-forwarded-host') ??
24
+ headerValue(headers, 'host') ??
25
+ '');
26
+ }
27
+ /**
28
+ * `next` must be a same-host path: absolute (`/dashboard`), not
29
+ * protocol-relative (`//evil.io`), not an absolute URL, and not a
30
+ * backslash variant (`/\evil.io` — browsers normalize `\` to `/` in
31
+ * URLs, turning it protocol-relative). Otherwise `complete` would be
32
+ * an open redirector.
33
+ */
34
+ function sanitizeNextPath(next, fallback) {
35
+ if (!next)
36
+ return fallback;
37
+ if (!/^\/(?![/\\])/.test(next))
38
+ return fallback;
39
+ return next;
40
+ }
41
+ /**
42
+ * Redirect for the browser-navigation legs, with cache/referrer
43
+ * hygiene: the request URL carries the one-time code, so the response
44
+ * must never be cached by shared caches (`no-store`) and the landing
45
+ * page must not leak the code onward via `Referer`.
46
+ */
47
+ function navRedirect(location) {
48
+ const base = redirect(location);
49
+ const result = typeof base === 'string' ? { statusCode: 302, body: '' } : base;
50
+ return rawResult({
51
+ ...result,
52
+ headers: {
53
+ ...(typeof base === 'string' ? {} : base.headers),
54
+ 'Cache-Control': 'no-store',
55
+ 'Referrer-Policy': 'no-referrer',
56
+ },
57
+ });
58
+ }
59
+ /**
60
+ * Build the session-handoff route pair. See module docs for the flow.
61
+ *
62
+ * @example
63
+ * ```typescript
64
+ * export const handoffRoutes = createSessionHandoffRoutes({
65
+ * store: postgresHandoffStore,
66
+ * authorize: async ({ userSub, targetHost }) =>
67
+ * isApprovedMemberOfTenantOwning(targetHost, userSub),
68
+ * completeUrl: (host) => `https://${host}/api/auth/handoff`,
69
+ * cookieOptions: (ctx) => sessionCookieOptions(getRequestHost(ctx)),
70
+ * });
71
+ * ```
72
+ */
73
+ export function createSessionHandoffRoutes(options) {
74
+ const { store, authorize, completePath = DEFAULT_HANDOFF_COMPLETE_PATH, failurePath = '/login', ttlSeconds = DEFAULT_HANDOFF_TTL_SECONDS, resolveRequestHost = defaultResolveRequestHost, middleware: extraMiddleware = [], } = options;
75
+ const cookieOptionsFor = (ctx) => {
76
+ if (!options.cookieOptions)
77
+ return {};
78
+ return typeof options.cookieOptions === 'function'
79
+ ? options.cookieOptions(ctx)
80
+ : options.cookieOptions;
81
+ };
82
+ const buildCompleteUrl = (targetHost, ctx) => options.completeUrl
83
+ ? options.completeUrl(targetHost, ctx)
84
+ : `https://${targetHost}${completePath}`;
85
+ // ─── start ──────────────────────────────────────────────
86
+ const start = handler(async (body, ctx) => {
87
+ if (!body?.target) {
88
+ throw new BadRequestError('target is required');
89
+ }
90
+ let target;
91
+ try {
92
+ target = new URL(body.target);
93
+ }
94
+ catch {
95
+ throw new BadRequestError('target must be an absolute URL');
96
+ }
97
+ if (target.protocol !== 'https:' && target.protocol !== 'http:') {
98
+ throw new BadRequestError('target must be http(s)');
99
+ }
100
+ const targetHost = target.host.toLowerCase();
101
+ const nextPath = sanitizeNextPath(`${target.pathname}${target.search}`, '/');
102
+ // The session being handed off — both cookies are required: the
103
+ // id token proves WHO is asking, the refresh token is what the
104
+ // target host will mint its session from.
105
+ const cookieHeader = ctx.rawEvent.headers?.['cookie'] ?? ctx.rawEvent.headers?.['Cookie'] ?? null;
106
+ const idToken = readCookieFromHeader(cookieHeader, ID_TOKEN_COOKIE);
107
+ const refreshToken = readCookieFromHeader(cookieHeader, REFRESH_TOKEN_COOKIE);
108
+ if (!idToken || !refreshToken) {
109
+ throw new UnauthorizedError('No session to hand off');
110
+ }
111
+ const config = options.config ?? loadAuthServerConfig();
112
+ const claims = await verifyAndDecode(idToken, {
113
+ userPoolId: config.userPoolId,
114
+ clientId: config.appClientId,
115
+ tokenUse: 'id',
116
+ endpoint: config.endpoint,
117
+ });
118
+ const userSub = claims && typeof claims['sub'] === 'string' ? claims['sub'] : null;
119
+ if (!userSub) {
120
+ throw new UnauthorizedError('Invalid session');
121
+ }
122
+ const allowed = await authorize({
123
+ userSub,
124
+ claims: claims,
125
+ targetHost,
126
+ ctx,
127
+ });
128
+ if (!allowed) {
129
+ throw new ForbiddenError('Not authorized for this destination');
130
+ }
131
+ const code = await issueHandoffCode(store, { sub: userSub, refreshToken, targetHost }, ttlSeconds);
132
+ const url = `${buildCompleteUrl(targetHost, ctx)}?code=${encodeURIComponent(code)}` +
133
+ `&next=${encodeURIComponent(nextPath)}`;
134
+ return { url };
135
+ }, {
136
+ status: 200,
137
+ middleware: extraMiddleware,
138
+ });
139
+ // ─── complete ───────────────────────────────────────────
140
+ const complete = handler(async (_body, ctx) => {
141
+ const code = ctx.queryParams?.['code'] ?? '';
142
+ const next = sanitizeNextPath(ctx.queryParams?.['next'], '/');
143
+ const currentHost = resolveRequestHost(ctx);
144
+ const payload = await redeemHandoffCode(store, code, currentHost);
145
+ if (!payload) {
146
+ // Missing / expired / wrong-host code. The user is mid-
147
+ // navigation on the target host: land them on the login page,
148
+ // never on a JSON error.
149
+ return navRedirect(failurePath);
150
+ }
151
+ const config = options.config ?? loadAuthServerConfig();
152
+ let tokens;
153
+ try {
154
+ tokens = await refreshSession(payload.refreshToken, config);
155
+ }
156
+ catch {
157
+ return navRedirect(failurePath);
158
+ }
159
+ // `refreshSession` never returns a refresh token (Cognito does
160
+ // not rotate it) — carry the original over so the target host
161
+ // can refresh on its own later.
162
+ const cookieOptions = cookieOptionsFor(ctx);
163
+ const sessionCookies = buildSessionCookies({
164
+ idToken: tokens.idToken,
165
+ accessToken: tokens.accessToken,
166
+ refreshToken: payload.refreshToken,
167
+ expiresIn: tokens.expiresIn,
168
+ }, cookieOptions);
169
+ for (const cookie of sessionCookies) {
170
+ setCookie(ctx, cookie);
171
+ }
172
+ return navRedirect(next);
173
+ }, {
174
+ middleware: extraMiddleware,
175
+ });
176
+ return { start, complete };
177
+ }
178
+ //# sourceMappingURL=handoff-routes.js.map
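Review bot: `sanitizeNextPath` only inspects the character after the leading slash, so a `next` value with an ASCII tab, CR or LF in that position passes the `/^\/(?![/\\])/` test. URL parsers that follow the WHATWG spec drop those characters before parsing, which would turn such a value into the protocol-relative form the doc comment says must be rejected. This matters on the `complete` leg, where `next` comes straight from `ctx.queryParams` and is passed to `navRedirect`; in `start` the value is derived from `new URL()` and is already normalized. Unless `redirect` from `@venturekit/runtime` encodes its argument (not visible here), I would also reject control characters in the source file: `if (!/^\/(?![/\\])/.test(next) || /[\u0000-\u001f\u007f]/.test(next)) return fallback;`. A unit test for `sanitizeNextPath` covering the control-character case alongside the `//` and `/\` cases would pin this down.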
@@ -0,0 +1 @@
1
+ {"version":3,"file":"handoff-routes.js","sourceRoot":"","sources":["../../src/server/handoff-routes.ts"],"names":[],"mappings":"AAiCA,OAAO,EAEL,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,OAAO,EACP,SAAS,EACT,SAAS,EACT,QAAQ,GACT,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAEL,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,oBAAoB,GACrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAyB,MAAM,aAAa,CAAC;AAC1E,OAAO,EAEL,2BAA2B,EAC3B,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AA4F9C,2DAA2D;AAC3D,MAAM,CAAC,MAAM,6BAA6B,GAAG,eAAe,CAAC;AAE7D,SAAS,SAAS,CAAC,GAAmB;IACpC,OAAO,CACJ,GAAG,CAAC,QAAyE;QAC5E,EAAE,OAAO,IAAI,EAAE,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,OAA2C,EAC3C,IAAY;IAEZ,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,IAAI,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;IACxD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,yEAAyE;AACzE,SAAS,yBAAyB,CAAC,GAAmB;IACpD,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,CACL,WAAW,CAAC,OAAO,EAAE,kBAAkB,CAAC;QACxC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC;QAC5B,EAAE,CACH,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,IAAwB,EAAE,QAAgB;IAClE,IAAI,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAC3B,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAAC,QAAgB;IACnC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,OAAO,SAAS,CAAC;QACf,GAAG,MAAM;QACT,OAAO,EAAE;YACP,GAAG,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;YACjD,eAAe,EAAE,UAAU;YAC3B,iBAAiB,EAAE,aAAa;SACjC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAAoC;IAEpC,MAAM,EACJ,KAAK,EACL,SAAS,EACT,YAAY,GAAG,6BAA6B,EAC5C,WAAW,GAAG,QAAQ,EACtB,UAAU,GAAG,2BAA2B,EACxC,kBAAkB,GAAG,yBAAyB,EAC9C,UAAU,EAAE,eAAe,GAAG,EAAE,GACjC,GAAG,OAAO,CAAC;IAEZ,MAAM,gBAAgB,GAAG,CAAC,GAAmB,EAAi
B,EAAE;QAC9D,IAAI,CAAC,OAAO,CAAC,aAAa;YAAE,OAAO,EAAE,CAAC;QACtC,OAAO,OAAO,OAAO,CAAC,aAAa,KAAK,UAAU;YAChD,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC;YAC5B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC5B,CAAC,CAAC;IAEF,MAAM,gBAAgB,GAAG,CAAC,UAAkB,EAAE,GAAmB,EAAU,EAAE,CAC3E,OAAO,CAAC,WAAW;QACjB,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC;QACtC,CAAC,CAAC,WAAW,UAAU,GAAG,YAAY,EAAE,CAAC;IAE7C,2DAA2D;IAC3D,MAAM,KAAK,GAAG,OAAO,CACnB,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC;YAClB,MAAM,IAAI,eAAe,CAAC,oBAAoB,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,eAAe,CAAC,gCAAgC,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChE,MAAM,IAAI,eAAe,CAAC,wBAAwB,CAAC,CAAC;QACtD,CAAC;QACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,EACpC,GAAG,CACJ,CAAC;QAEF,gEAAgE;QAChE,+DAA+D;QAC/D,0CAA0C;QAC1C,MAAM,YAAY,GAChB,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAC/E,MAAM,OAAO,GAAG,oBAAoB,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QACpE,MAAM,YAAY,GAAG,oBAAoB,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QAC9E,IAAI,CAAC,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;YAC9B,MAAM,IAAI,iBAAiB,CAAC,wBAAwB,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,oBAAoB,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,WAAW;YAC5B,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QACH,MAAM,OAAO,GACX,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,KAAK,CAAY,CAAC,CAAC,CAAC,IAAI,CAAC;QACjF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC;YAC9B,OAAO;YACP,MAAM,EAAE,MAAiC;YACzC,UAAU;YACV,GAAG;SACJ,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,cAAc,CAAC,qCAAqC
,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,gBAAgB,CACjC,KAAK,EACL,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,EAC1C,UAAU,CACX,CAAC;QAEF,MAAM,GAAG,GACP,GAAG,gBAAgB,CAAC,UAAU,EAAE,GAAG,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE;YACvE,SAAS,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,GAAG,EAAE,CAAC;IACjB,CAAC,EACD;QACE,MAAM,EAAE,GAAG;QACX,UAAU,EAAE,eAAe;KAC5B,CACF,CAAC;IAEF,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,OAAO,CACtB,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,IAAI,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QAE9D,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,wDAAwD;YACxD,8DAA8D;YAC9D,yBAAyB;YACzB,OAAO,WAAW,CAAC,WAAW,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,oBAAoB,EAAE,CAAC;QACxD,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,WAAW,CAAC,WAAW,CAAC,CAAC;QAClC,CAAC;QAED,+DAA+D;QAC/D,8DAA8D;QAC9D,gCAAgC;QAChC,MAAM,aAAa,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,cAAc,GAAG,mBAAmB,CACxC;YACE,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,EACD,aAAa,CACd,CAAC;QACF,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC,EACD;QACE,UAAU,EAAE,eAAe;KAC5B,CACF,CAAC;IAEF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AAC7B,CAAC"}