@webex/plugin-authorization-browser-first-party 3.12.0-next.18 → 3.12.0-next.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authorization.js +72 -18
- package/dist/authorization.js.map +1 -1
- package/package.json +13 -13
- package/src/authorization.js +64 -22
- package/test/unit/spec/authorization.js +231 -3
package/dist/authorization.js
CHANGED
|
@@ -6,12 +6,12 @@ _Object$defineProperty(exports, "__esModule", {
|
|
|
6
6
|
value: true
|
|
7
7
|
});
|
|
8
8
|
exports.default = exports.Events = void 0;
|
|
9
|
+
var _objectWithoutProperties2 = _interopRequireDefault(require("@babel/runtime-corejs2/helpers/objectWithoutProperties"));
|
|
9
10
|
var _apply = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/reflect/apply"));
|
|
10
11
|
var _promise = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/promise"));
|
|
11
12
|
var _assign = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/object/assign"));
|
|
12
13
|
var _entries = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/object/entries"));
|
|
13
14
|
var _deleteProperty = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/reflect/delete-property"));
|
|
14
|
-
var _stringify = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/json/stringify"));
|
|
15
15
|
var _getOwnPropertyDescriptor = _interopRequireDefault(require("@babel/runtime-corejs2/core-js/object/get-own-property-descriptor"));
|
|
16
16
|
var _slicedToArray2 = _interopRequireDefault(require("@babel/runtime-corejs2/helpers/slicedToArray"));
|
|
17
17
|
var _typeof2 = _interopRequireDefault(require("@babel/runtime-corejs2/helpers/typeof"));
|
|
@@ -25,6 +25,7 @@ var _lodash = require("lodash");
|
|
|
25
25
|
var _uuid = _interopRequireDefault(require("uuid"));
|
|
26
26
|
var _encBase64url = _interopRequireDefault(require("crypto-js/enc-base64url"));
|
|
27
27
|
var _cryptoJs = _interopRequireDefault(require("crypto-js"));
|
|
28
|
+
var _excluded = ["csrf_token"];
|
|
28
29
|
var _dec, _dec2, _obj; // @ts-nocheck
|
|
29
30
|
/* eslint-disable */
|
|
30
31
|
/*!
|
|
@@ -208,7 +209,7 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
208
209
|
|
|
209
210
|
// Decode and parse state object (if present)
|
|
210
211
|
if (location.query.state) {
|
|
211
|
-
location.query.state =
|
|
212
|
+
location.query.state = (0, _common.decodeState)(location.query.state);
|
|
212
213
|
} else {
|
|
213
214
|
location.query.state = {};
|
|
214
215
|
}
|
|
@@ -348,23 +349,27 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
348
349
|
return _promise.default.resolve();
|
|
349
350
|
},
|
|
350
351
|
/**
|
|
351
|
-
* Initiates third-party (social provider) login
|
|
352
|
-
*
|
|
353
|
-
*
|
|
354
|
-
* Mirrors `initiateLogin`'s role for the standard `/authorize` flow.
|
|
355
|
-
* Delegates to `initiateThirdPartyLoginRedirect` so any pre-redirect
|
|
356
|
-
* security plumbing (CSRF / `state`) can be added here without changing
|
|
357
|
-
* the navigation method.
|
|
352
|
+
* Initiates third-party (social provider) login. Generates a CSRF token,
|
|
353
|
+
* embeds it in `options.state.csrf_token`, and delegates to
|
|
354
|
+
* `initiateThirdPartyLoginRedirect` for navigation.
|
|
358
355
|
*
|
|
359
356
|
* @instance
|
|
360
357
|
* @memberof AuthorizationBrowserFirstParty
|
|
361
358
|
* @param {Object} options
|
|
362
359
|
* @param {string} options.oauth2provider
|
|
363
360
|
* @param {string} options.returnURL
|
|
361
|
+
* @param {Object} [options.state] - Caller-supplied state object. Merged
|
|
362
|
+
* with the generated `csrf_token`.
|
|
364
363
|
* @returns {Promise<void>}
|
|
365
364
|
*/
|
|
366
365
|
initiateThirdPartyLogin: function initiateThirdPartyLogin() {
|
|
367
366
|
var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
367
|
+
options = (0, _lodash.cloneDeep)(options);
|
|
368
|
+
if (options.state !== undefined && !(0, _lodash.isObject)(options.state)) {
|
|
369
|
+
throw new Error('if specified, `options.state` must be an object');
|
|
370
|
+
}
|
|
371
|
+
options.state = options.state || {};
|
|
372
|
+
options.state.csrf_token = this._generateSecurityToken();
|
|
368
373
|
return this.initiateThirdPartyLoginRedirect(options);
|
|
369
374
|
},
|
|
370
375
|
/**
|
|
@@ -394,6 +399,45 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
394
399
|
}
|
|
395
400
|
return _promise.default.resolve();
|
|
396
401
|
},
|
|
402
|
+
/**
|
|
403
|
+
* Handles the third-party (social provider) login callback. Reads the
|
|
404
|
+
* current `window.location`, decodes `state`, validates the CSRF token
|
|
405
|
+
* (`state.csrf_token`), scrubs sensitive parameters from the URL via
|
|
406
|
+
* `_cleanUrl`, and returns the parsed payload.
|
|
407
|
+
*
|
|
408
|
+
* Mirrors `initialize()` in always operating on the live
|
|
409
|
+
* `window.location`
|
|
410
|
+
*
|
|
411
|
+
* `idToken` is single-use: it is parsed out of the URL exactly once and
|
|
412
|
+
* the calling client is expected to exchange it (or discard it)
|
|
413
|
+
* immediately. The returned `state` has `csrf_token` removed.
|
|
414
|
+
*
|
|
415
|
+
* @instance
|
|
416
|
+
* @memberof AuthorizationBrowserFirstParty
|
|
417
|
+
* @returns {{idToken: string|undefined, email: string|undefined,
|
|
418
|
+
* error: string|undefined, state: Object}}
|
|
419
|
+
*/
|
|
420
|
+
handleThirdPartyCallback: function handleThirdPartyCallback() {
|
|
421
|
+
var location = _url2.default.parse(this.webex.getWindow().location.href, true);
|
|
422
|
+
location.query.state = (0, _common.decodeState)(location.query.state || 'e30');
|
|
423
|
+
this._verifySecurityToken(location.query, {
|
|
424
|
+
requireMatch: true
|
|
425
|
+
});
|
|
426
|
+
this._cleanUrl(location);
|
|
427
|
+
var _location$query = location.query,
|
|
428
|
+
idToken = _location$query.id_token,
|
|
429
|
+
email = _location$query.email,
|
|
430
|
+
error = _location$query.error,
|
|
431
|
+
_location$query$state = _location$query.state,
|
|
432
|
+
csrf_token = _location$query$state.csrf_token,
|
|
433
|
+
state = (0, _objectWithoutProperties2.default)(_location$query$state, _excluded);
|
|
434
|
+
return {
|
|
435
|
+
idToken: idToken,
|
|
436
|
+
email: email,
|
|
437
|
+
error: error,
|
|
438
|
+
state: state
|
|
439
|
+
};
|
|
440
|
+
},
|
|
397
441
|
/**
|
|
398
442
|
* Called by {@link WebexCore#logout()}.
|
|
399
443
|
* Constructs logout URL and (unless suppressed) navigates away to ensure
|
|
@@ -743,8 +787,9 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
743
787
|
* - HTTP referrer headers to third-party content
|
|
744
788
|
*
|
|
745
789
|
* Approach:
|
|
746
|
-
* - Remove 'code'
|
|
747
|
-
*
|
|
790
|
+
* - Remove 'code' (OAuth code-grant), 'id_token', and 'email'
|
|
791
|
+
* (third-party callback).
|
|
792
|
+
* - Remove 'state' entirely if it only contained csrf_token.
|
|
748
793
|
* - Else, re-encode remaining state fields (minus csrf_token).
|
|
749
794
|
* - Replace current history entry (no page reload).
|
|
750
795
|
*
|
|
@@ -758,10 +803,12 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
758
803
|
location = (0, _lodash.cloneDeep)(location);
|
|
759
804
|
if (this.webex.getWindow().history && this.webex.getWindow().history.replaceState) {
|
|
760
805
|
(0, _deleteProperty.default)(location.query, 'code');
|
|
806
|
+
(0, _deleteProperty.default)(location.query, 'id_token');
|
|
807
|
+
(0, _deleteProperty.default)(location.query, 'email');
|
|
761
808
|
if ((0, _lodash.isEmpty)((0, _lodash.omit)(location.query.state, 'csrf_token'))) {
|
|
762
809
|
(0, _deleteProperty.default)(location.query, 'state');
|
|
763
810
|
} else {
|
|
764
|
-
location.query.state =
|
|
811
|
+
location.query.state = (0, _common.encodeState)((0, _lodash.omit)(location.query.state, 'csrf_token'));
|
|
765
812
|
}
|
|
766
813
|
location.search = _querystring.default.stringify(location.query);
|
|
767
814
|
(0, _deleteProperty.default)(location, 'query');
|
|
@@ -820,24 +867,31 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
820
867
|
* - Ensure state + state.csrf_token exist.
|
|
821
868
|
* - Compare values; throw descriptive errors on mismatch / absence.
|
|
822
869
|
*
|
|
823
|
-
* If no stored token (e.g., user navigated directly), silently returns
|
|
870
|
+
* If no stored token (e.g., user navigated directly), silently returns
|
|
871
|
+
* unless `options.requireMatch` is `true`, in which case absence of a
|
|
872
|
+
* stored token is treated as a CSRF failure.
|
|
824
873
|
*
|
|
825
874
|
* @instance
|
|
826
875
|
* @memberof AuthorizationBrowserFirstParty
|
|
827
876
|
* @param {Object} query - Parsed query (location.query)
|
|
877
|
+
* @param {Object} [options]
|
|
878
|
+
* @param {boolean} [options.requireMatch=false] - When true, throws if
|
|
879
|
+
* no stored sessionToken is present.
|
|
828
880
|
* @private
|
|
829
881
|
* @returns {void}
|
|
830
882
|
*/
|
|
831
883
|
_verifySecurityToken: function _verifySecurityToken(query) {
|
|
884
|
+
var _query$state;
|
|
885
|
+
var options = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
|
|
832
886
|
var sessionToken = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CSRF_TOKEN);
|
|
833
887
|
this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CSRF_TOKEN);
|
|
834
888
|
if (!sessionToken) {
|
|
889
|
+
if (options.requireMatch) {
|
|
890
|
+
throw new Error('CSRF token missing from session storage');
|
|
891
|
+
}
|
|
835
892
|
return;
|
|
836
893
|
}
|
|
837
|
-
if (!query.state) {
|
|
838
|
-
throw new Error("Expected CSRF token ".concat(sessionToken, ", but not found in redirect query"));
|
|
839
|
-
}
|
|
840
|
-
if (!query.state.csrf_token) {
|
|
894
|
+
if (!((_query$state = query.state) !== null && _query$state !== void 0 && _query$state.csrf_token)) {
|
|
841
895
|
throw new Error("Expected CSRF token ".concat(sessionToken, ", but not found in redirect query"));
|
|
842
896
|
}
|
|
843
897
|
var token = query.state.csrf_token;
|
|
@@ -845,7 +899,7 @@ var Authorization = _webexCore.WebexPlugin.extend((_dec = (0, _common.whileInFli
|
|
|
845
899
|
throw new Error("CSRF token ".concat(token, " does not match stored token ").concat(sessionToken));
|
|
846
900
|
}
|
|
847
901
|
},
|
|
848
|
-
version: "3.12.0-next.
|
|
902
|
+
version: "3.12.0-next.19"
|
|
849
903
|
}, (0, _applyDecoratedDescriptor2.default)(_obj, "initiateAuthorizationCodeGrant", [_dec], (0, _getOwnPropertyDescriptor.default)(_obj, "initiateAuthorizationCodeGrant"), _obj), (0, _applyDecoratedDescriptor2.default)(_obj, "requestAuthorizationCodeGrant", [_dec2, _common.oneFlight], (0, _getOwnPropertyDescriptor.default)(_obj, "requestAuthorizationCodeGrant"), _obj), _obj));
|
|
850
904
|
var _default = exports.default = Authorization;
|
|
851
905
|
//# sourceMappingURL=authorization.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["_querystring","_interopRequireDefault","require","_url2","_events","_common","_webexCore","_lodash","_uuid","_encBase64url","_cryptoJs","_dec","_dec2","_obj","lodash","OAUTH2_CSRF_TOKEN","OAUTH2_CODE_VERIFIER","Events","exports","login","qRCodeLogin","Authorization","WebexPlugin","extend","whileInFlight","derived","isAuthenticating","deps","fn","isAuthorizing","session","default","type","ready","namespace","eventEmitter","EventEmitter","pollingTimer","pollingExpirationTimer","pollingId","currentPollingId","initialize","_this","_len","arguments","length","attrs","Array","_key","ret","_apply","prototype","location","url","parse","webex","getWindow","href","_checkForErrors","code","query","state","JSON","base64","decode","codeVerifier","sessionStorage","getItem","removeItem","emailhash","_verifySecurityToken","_cleanUrl","preauthCatalogParams","orgId","_extractOrgIdFromCode","process","nextTick","internal","services","collectPreauthCatalog","catch","_promise","resolve","then","requestAuthorizationCodeGrant","error","logger","warn","initiateLogin","options","undefined","emit","eventType","data","hasEmail","email","hasState","cloneDeep","emailHash","CryptoJS","SHA256","toString","csrf_token","_generateSecurityToken","code_challenge","_generateCodeChallenge","code_challenge_method","initiateAuthorizationCodeGrant","info","loginUrl","credentials","buildLoginUrl","_assign","response_type","separateWindow","defaultWindowSettings","width","height","windowSettings","_typeof2","windowFeatures","_entries","map","_ref","_ref2","_slicedToArray2","key","value","concat","join","open","initiateThirdPartyLogin","initiateThirdPartyLoginRedirect","buildThirdPartyLoginUrl","err","reject","logout","noRedirect","buildLogoutUrl","_this2","Error","form","grant_type","redirect_uri","config","self_contained_token","code_verifier","request","method","uri","tokenUrl","auth","user","client_id","pass","client_secret","sendImmediately","shouldRefreshAccessToken","res","set","supertoken","body","statusCode","ErrorConstructor","grantErrors","select","_res","_generateQRCodeVerificationUrl","verificationUrl","baseUrl","urlParams","URLSearchParams","URL","search","userCode","get","oauthHelperUrl","newVerificationUrl","searchParams","initQRCodeLogin","_this3","message","service","resource","scope","_res$body","user_code","verification_uri","verification_uri_complete","verificationUriComplete","userData","verificationUri","_startQRCodePolling","_options$interval","_this4","device_code","deviceCode","_options$expires_in","expires_in","expiresIn","interval","setTimeout","cancelQRCodePolling","polling","schedulePolling","withCancelEvent","clearTimeout","split","history","replaceState","_deleteProperty","isEmpty","omit","encode","_stringify","querystring","stringify","format","safeCharacterMap","base64url","_safe_map","times","random","codeChallenge","setItem","token","uuid","v4","sessionToken","version","_applyDecoratedDescriptor2","_getOwnPropertyDescriptor","oneFlight","_default"],"sources":["authorization.js"],"sourcesContent":["// @ts-nocheck\n/* eslint-disable */\n/*!\n * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.\n */\n\n/* eslint camelcase: [0] */\n/**\n * TS checking disabled: file uses legacy decorator syntax inside an object literal\n * transformed by Babel. Safe to ignore for now.\n */\n\nimport querystring from 'querystring';\nimport url from 'url';\nimport {EventEmitter} from 'events';\n\nimport {base64, oneFlight, whileInFlight} from '@webex/common';\nimport {grantErrors, WebexPlugin} from '@webex/webex-core';\nimport {cloneDeep, isEmpty, omit} from 'lodash';\nimport uuid from 'uuid';\nimport base64url from 'crypto-js/enc-base64url';\nimport CryptoJS from 'crypto-js';\n\n// Necessary to require lodash this way in order to stub\n// methods in the unit test\nconst lodash = require('lodash');\n\nconst OAUTH2_CSRF_TOKEN = 'oauth2-csrf-token';\nconst OAUTH2_CODE_VERIFIER = 'oauth2-code-verifier';\n\n/**\n * Authorization plugin events\n */\nexport const Events = {\n login: 'login',\n /**\n * QR code login events\n */\n qRCodeLogin: 'qRCodeLogin',\n};\n\n/**\n * Browser support for OAuth2 for first-party (Webex Web Client) usage.\n *\n * High-level flow handled by this module:\n * 1. initiateLogin() constructs authorization request (adds CSRF + PKCE).\n * 2. Browser navigates to IdBroker (login).\n * 3. IdBroker redirects back with ?code=... (&state=...).\n * 4. initialize() detects code, validates state/CSRF, cleans URL, optionally\n * pre-fetches a preauth catalog, then exchanges the code via\n * requestAuthorizationCodeGrant().\n * 5. Sets resulting supertoken (access/refresh token bundle) on credentials.\n *\n * Additional supported flow:\n * - Device Authorization (QR Code login):\n * initQRCodeLogin() obtains device + user codes and begins polling\n * _startQRCodePolling() until tokens are issued or timeout/cancel occurs.\n *\n * Security considerations implemented:\n * - CSRF token (state.csrf_token) generation + verification.\n * - PKCE (S256) code verifier + challenge generation and consumption.\n * - URL cleanup after redirect (removes code & CSRF to prevent leakage).\n *\n * Use of this plugin for anything other than the Webex Web Client is discouraged.\n *\n * @class\n * @name AuthorizationBrowserFirstParty\n * @private\n */\nconst Authorization = WebexPlugin.extend({\n derived: {\n /**\n * Alias of {@link AuthorizationBrowserFirstParty#isAuthorizing}\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {boolean}\n */\n isAuthenticating: {\n deps: ['isAuthorizing'],\n fn() {\n return this.isAuthorizing;\n },\n },\n },\n\n session: {\n /**\n * Indicates if an Authorization Code exchange is inflight\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {boolean}\n */\n isAuthorizing: {\n default: false,\n type: 'boolean',\n },\n /**\n * Indicates that the plugin has finished any automatic startup\n * processing (e.g., exchanging a returned authorization code)\n */\n ready: {\n default: false,\n type: 'boolean',\n },\n },\n\n namespace: 'Credentials',\n\n /**\n * EventEmitter for authorization events such as QR code login progress\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {EventEmitter}\n * @public\n */\n eventEmitter: new EventEmitter(),\n\n /**\n * Stores the timer ID for QR code polling (device authorization)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n pollingTimer: null,\n /**\n * Stores the expiration timer ID for QR code polling (overall timeout)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n pollingExpirationTimer: null,\n\n /**\n * Monotonically increasing id to identify the current polling request.\n * Used to safely ignore late poll responses after a cancel/reset.\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {number}\n * @private\n */\n pollingId: 0,\n\n /**\n * Identifier for the current polling request (snapshot of pollingId)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n currentPollingId: null,\n\n /**\n * Auto executes during Webex.init() – you do NOT call this yourself.\n *\n * Purpose: Seamless \"redirect completion\" of the OAuth Authorization Code (+ PKCE) flow.\n *\n * Simple summary:\n * - You call initiateLogin() which redirects user to IdBroker.\n * - User signs in; IdBroker redirects back to your redirect_uri with ?code=... (&state=...).\n * - During SDK startup this initialize() runs automatically, sees the code, and\n * silently finishes the login (validates state/CSRF + PKCE, scrubs URL, exchanges code).\n * - When done, webex.credentials.supertoken holds access+refresh and ready=true.\n *\n * Step-by-step:\n * 1. Inspect current window.location for ?code= (& state=).\n * 2. If no code: set ready=true immediately (nothing to complete).\n * 3. If code present:\n * - Decode base64 state JSON.\n * - Verify CSRF token matches sessionStorage value.\n * - Retrieve then delete PKCE code_verifier (single use).\n * - Optionally derive preauth hint (emailhash in state OR orgId parsed from code).\n * - Clean the URL (history.replaceState) to remove code & csrf token data.\n * - nextTick:\n * a. Best‑effort preauth catalog fetch (non-blocking).\n * b. Exchange authorization code (with code_verifier if any) for supertoken\n * and store on webex.credentials.\n * 4. Set ready=true after the async sequence finishes (or immediately if step 2).\n *\n * Result: If the redirect included a valid code the token exchange is completed\n * automatically—no extra API call needed after Webex.init().\n */\n // eslint-disable-next-line complexity\n initialize(...attrs) {\n const ret = Reflect.apply(WebexPlugin.prototype.initialize, this, attrs);\n const location = url.parse(this.webex.getWindow().location.href, true);\n\n // Check if redirect includes error\n this._checkForErrors(location);\n\n const {code} = location.query;\n\n // If no authorization code returned, nothing to do\n if (!code) {\n this.ready = true;\n return ret;\n }\n\n // Decode and parse state object (if present)\n if (location.query.state) {\n location.query.state = JSON.parse(base64.decode(location.query.state));\n } else {\n location.query.state = {};\n }\n\n // Retrieve PKCE code verifier (if a PKCE flow was initiated)\n const codeVerifier = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CODE_VERIFIER);\n // Immediately remove code verifier to minimize exposure\n this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CODE_VERIFIER);\n\n const {emailhash} = location.query.state;\n\n // Validate CSRF token included in state\n this._verifySecurityToken(location.query);\n // Remove code + CSRF token remnants from URL (history replace)\n this._cleanUrl(location);\n\n let preauthCatalogParams;\n\n // Attempt to extract orgId from structured authorization code (if present)\n const orgId = this._extractOrgIdFromCode(code);\n\n if (emailhash) {\n preauthCatalogParams = {emailhash};\n } else if (orgId) {\n preauthCatalogParams = {orgId};\n }\n\n // Defer token exchange until next tick in case credentials plugin not ready yet\n process.nextTick(() => {\n this.webex.internal.services\n .collectPreauthCatalog(preauthCatalogParams)\n .catch(() => Promise.resolve()) // Non-fatal if catalog collection fails\n .then(() => this.requestAuthorizationCodeGrant({code, codeVerifier}))\n .catch((error) => {\n this.logger.warn('authorization: failed initial authorization code grant request', error);\n })\n .then(() => {\n // Mark plugin ready regardless of success/failure of token exchange\n this.ready = true;\n });\n });\n\n return ret;\n },\n\n /**\n * Kicks off an OAuth authorization code flow (first party).\n *\n * Adds security + PKCE properties:\n * - SHA256(email) (emailHash & emailhash) for preauth and redirect flows\n * - state.csrf_token for CSRF protection\n * - PKCE code_challenge (S256)\n *\n * NOTE: This does not itself perform the redirect; it calls\n * initiateAuthorizationCodeGrant() which changes window location or opens\n * a separate window as configured.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @returns {Promise}\n */\n initiateLogin(options = {}) {\n this.eventEmitter.emit(Events.login, {\n eventType: 'initiateLogin',\n data: {\n hasEmail: !!options.email,\n hasState: !!options.state,\n },\n });\n\n options = cloneDeep(options);\n\n // Optionally compute heuristic email hash for preauth usage\n if (options.email) {\n options.emailHash = CryptoJS.SHA256(options.email).toString();\n }\n delete options.email; // Ensure raw email not propagated further\n\n options.state = options.state || {};\n // Embed CSRF token\n options.state.csrf_token = this._generateSecurityToken();\n // Provide email hash in lower-case key used by catalog service\n // (Note: catalog uses emailhash and redirectCI uses emailHash)\n options.state.emailhash = options.emailHash;\n\n // PKCE - produce code_challenge (S256) and persist code_verifier\n options.code_challenge = this._generateCodeChallenge();\n options.code_challenge_method = 'S256';\n\n return this.initiateAuthorizationCodeGrant(options);\n },\n\n @whileInFlight('isAuthorizing')\n /**\n * Performs the navigation step of the Authorization Code flow.\n * Builds login URL and either:\n * - Replaces current window location (default), or\n * - Opens a separate window (popup) if options.separateWindow supplied.\n *\n * Decorated with whileInFlight('isAuthorizing') to set isAuthorizing=true\n * during execution to prevent concurrent overlapping attempts.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options - Already augmented with state + PKCE info\n * @returns {Promise<void>}\n */\n initiateAuthorizationCodeGrant(options) {\n this.logger.info('authorization: initiating authorization code grant flow');\n const loginUrl = this.webex.credentials.buildLoginUrl(\n Object.assign({response_type: 'code'}, options)\n );\n\n this.eventEmitter.emit(Events.login, {\n eventType: 'redirectToLoginUrl',\n data: {loginUrl},\n });\n\n if (options?.separateWindow) {\n // If a separate popup window is requested, combine user supplied window features\n const defaultWindowSettings = {\n width: 600,\n height: 800,\n };\n\n const windowSettings = Object.assign(\n defaultWindowSettings,\n typeof options.separateWindow === 'object' ? options.separateWindow : {}\n );\n\n const windowFeatures = Object.entries(windowSettings)\n .map(([key, value]) => `${key}=${value}`)\n .join(',');\n this.webex.getWindow().open(loginUrl, '_blank', windowFeatures);\n } else {\n // Normal (in-tab) redirect\n this.webex.getWindow().location = loginUrl;\n }\n\n return Promise.resolve();\n },\n\n /**\n * Initiates third-party (social provider) login by redirecting the user\n * to IdBroker's `/idb/ThirdPartyLogin` endpoint.\n *\n * Mirrors `initiateLogin`'s role for the standard `/authorize` flow.\n * Delegates to `initiateThirdPartyLoginRedirect` so any pre-redirect\n * security plumbing (CSRF / `state`) can be added here without changing\n * the navigation method.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.oauth2provider\n * @param {string} options.returnURL\n * @returns {Promise<void>}\n */\n initiateThirdPartyLogin(options = {}) {\n return this.initiateThirdPartyLoginRedirect(options);\n },\n\n /**\n * Performs the navigation step of the third-party login flow. Builds the\n * IdBroker URL via `Credentials#buildThirdPartyLoginUrl` and assigns it\n * to `getWindow().location`.\n *\n * Mirrors `initiateAuthorizationCodeGrant` for the `/authorize` flow.\n * Consumers may override this method for custom navigation handling\n * (e.g. postMessage in iframed contexts).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.oauth2provider\n * @param {string} options.returnURL\n * @returns {Promise<void>}\n */\n initiateThirdPartyLoginRedirect(options = {}) {\n this.logger.info('authorization: initiating third-party login redirect');\n\n try {\n const url = this.webex.credentials.buildThirdPartyLoginUrl(options);\n\n this.webex.getWindow().location = url;\n } catch (err) {\n return Promise.reject(err);\n }\n\n return Promise.resolve();\n },\n\n /**\n * Called by {@link WebexCore#logout()}.\n * Constructs logout URL and (unless suppressed) navigates away to ensure\n * server-side session termination.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {boolean} options.noRedirect if true, does not redirect\n * @returns {Promise<void>}\n */\n logout(options = {}) {\n if (!options.noRedirect) {\n this.webex.getWindow().location = this.webex.credentials.buildLogoutUrl(options);\n }\n },\n\n @whileInFlight('isAuthorizing')\n @oneFlight\n /**\n * Exchanges an authorization code for an access (super) token bundle.\n *\n * Decorators:\n * - @whileInFlight('isAuthorizing'): prevents overlapping exchanges.\n * - @oneFlight: collapses simultaneous calls into one network request.\n *\n * Includes PKCE code_verifier if present from earlier login initiation.\n *\n * Error Handling:\n * - Non-400 responses are propagated.\n * - 400 responses map to OAuth-specific grantErrors.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.code - Authorization code from redirect\n * @param {string} [options.codeVerifier] - PKCE code verifier if used\n * @returns {Promise}\n */\n requestAuthorizationCodeGrant(options = {}) {\n this.logger.info('credentials: requesting authorization code grant');\n\n if (!options.code) {\n return Promise.reject(new Error('`options.code` is required'));\n }\n\n const form = {\n grant_type: 'authorization_code',\n redirect_uri: this.config.redirect_uri,\n code: options.code,\n self_contained_token: true, // Request combined access/refresh response\n };\n\n if (options.codeVerifier) {\n form.code_verifier = options.codeVerifier;\n }\n\n return this.webex\n .request({\n method: 'POST',\n uri: this.config.tokenUrl,\n form,\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n shouldRefreshAccessToken: false, // This is the token acquisition call itself\n })\n .then((res) => {\n // Store supertoken into credentials (includes refresh token)\n this.webex.credentials.set({supertoken: res.body});\n })\n .catch((res) => {\n if (res.statusCode !== 400) {\n return Promise.reject(res);\n }\n\n // Map standard OAuth error to strongly typed error class\n const ErrorConstructor = grantErrors.select(res.body.error);\n\n return Promise.reject(new ErrorConstructor(res._res || res));\n });\n },\n\n /**\n * Generate a QR code verification URL for device authorization flow.\n * When a user scans the QR code with a mobile device, this deep-links into\n * Webex (web) to continue login, including passing along userCode and the\n * helper service base URL.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {String} verificationUrl - Original verification URI (complete)\n * @returns {String} Possibly rewritten verification URL\n */\n _generateQRCodeVerificationUrl(verificationUrl) {\n const baseUrl = 'https://web.webex.com/deviceAuth';\n const urlParams = new URLSearchParams(new URL(verificationUrl).search);\n const userCode = urlParams.get('userCode');\n\n if (userCode) {\n const {services} = this.webex.internal;\n const oauthHelperUrl = services.get('oauth-helper');\n const newVerificationUrl = new URL(baseUrl);\n newVerificationUrl.searchParams.set('usercode', userCode);\n newVerificationUrl.searchParams.set('oauthhelper', oauthHelperUrl);\n return newVerificationUrl.toString();\n } else {\n return verificationUrl;\n }\n },\n\n /**\n * Initiates Device Authorization (QR Code) flow.\n *\n * Steps:\n * 1. Obtain device_code, user_code, verification URLs from oauth-helper.\n * 2. Emit getUserCodeSuccess (provides data for generating QR code).\n * 3. Start polling token endpoint with device_code.\n *\n * Emits qRCodeLogin events for UI to react (success, failure, pending, etc.).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @emits #qRCodeLogin\n */\n initQRCodeLogin() {\n if (this.pollingTimer) {\n // Prevent concurrent device authorization attempts\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeFailure',\n data: {message: 'There is already a polling request'},\n });\n return;\n }\n\n this.webex\n .request({\n method: 'POST',\n service: 'oauth-helper',\n resource: '/actions/device/authorize',\n form: {\n client_id: this.config.client_id,\n scope: this.config.scope,\n },\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n })\n .then((res) => {\n const {user_code, verification_uri, verification_uri_complete} = res.body;\n const verificationUriComplete =\n this._generateQRCodeVerificationUrl(verification_uri_complete);\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeSuccess',\n userData: {\n userCode: user_code,\n verificationUri: verification_uri,\n verificationUriComplete,\n },\n });\n // Begin polling for authorization completion\n this._startQRCodePolling(res.body);\n })\n .catch((res) => {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeFailure',\n data: res.body,\n });\n });\n },\n\n /**\n * Poll the device token endpoint until user authorizes, an error occurs,\n * or timeout happens.\n *\n * Polling behavior:\n * - Interval provided by server (default 2s). 'slow_down' doubles interval once.\n * - 428 status => pending (continue).\n * - Success => set credentials + emit authorizationSuccess + stop polling.\n * - Any other error => emit authorizationFailure + stop polling.\n *\n * Cancellation:\n * - cancelQRCodePolling() resets timers and polling ids so late responses are ignored.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options - Must include device_code, may include interval/expires_in\n * @emits #qRCodeLogin\n */\n _startQRCodePolling(options = {}) {\n if (!options.device_code) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'A deviceCode is required'},\n });\n return;\n }\n\n if (this.pollingTimer) {\n // Already polling; avoid starting a duplicate cycle\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'There is already a polling request'},\n });\n return;\n }\n\n const {device_code: deviceCode, expires_in: expiresIn = 300} = options;\n // Server recommended polling interval (seconds)\n let interval = options.interval ?? 2;\n\n // Global timeout for entire device authorization attempt\n this.pollingExpirationTimer = setTimeout(() => {\n this.cancelQRCodePolling(false);\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'Authorization timed out'},\n });\n }, expiresIn * 1000);\n\n const polling = () => {\n // Increment id so any previous poll loops can be invalidated\n this.pollingId += 1;\n this.currentPollingId = this.pollingId;\n\n this.webex\n .request({\n method: 'POST',\n service: 'oauth-helper',\n resource: '/actions/device/token',\n form: {\n grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n device_code: deviceCode,\n client_id: this.config.client_id,\n },\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n })\n .then((res) => {\n // If polling canceled (id changed), ignore this response\n if (this.currentPollingId !== this.pollingId) return;\n\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationSuccess',\n data: res.body,\n });\n this.webex.credentials.set({supertoken: res.body});\n this.cancelQRCodePolling();\n })\n .catch((res) => {\n if (this.currentPollingId !== this.pollingId) return;\n\n // Backoff signal from server; increase interval just once for next cycle\n if (res.statusCode === 400 && res.body.message === 'slow_down') {\n schedulePolling(interval * 2);\n return;\n }\n\n // Pending: keep polling\n if (res.statusCode === 428) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationPending',\n data: res.body,\n });\n schedulePolling(interval);\n return;\n }\n\n // Terminal error\n this.cancelQRCodePolling();\n\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: res.body,\n });\n });\n };\n\n // Schedules next poll invocation\n const schedulePolling = (interval) =>\n (this.pollingTimer = setTimeout(polling, interval * 1000));\n\n schedulePolling(interval);\n },\n\n /**\n * Cancel active device authorization polling loop.\n *\n * @param {boolean} withCancelEvent emit a pollingCanceled event (default true)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @returns {void}\n */\n cancelQRCodePolling(withCancelEvent = true) {\n if (this.pollingTimer && withCancelEvent) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'pollingCanceled',\n });\n }\n\n this.currentPollingId = null;\n\n clearTimeout(this.pollingExpirationTimer);\n this.pollingExpirationTimer = null;\n clearTimeout(this.pollingTimer);\n this.pollingTimer = null;\n },\n\n /**\n * Extracts the orgId from the returned code from idbroker.\n *\n * Certain authorization codes encode organization info in a structured\n * underscore-delimited format. This method parses out the 3rd segment.\n *\n * For undocumented formats or unexpected code shapes, returns undefined.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {String} code\n * @private\n * @returns {String|undefined}\n */\n _extractOrgIdFromCode(code) {\n return code?.split('_')[2] || undefined;\n },\n\n /**\n * Checks if the result of the login redirect contains an OAuth error.\n * Throws a mapped grant error if encountered.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} location\n * @private\n * @returns {void}\n */\n _checkForErrors(location) {\n const {query} = location;\n\n if (query && query.error) {\n const ErrorConstructor = grantErrors.select(query.error);\n\n throw new ErrorConstructor(query);\n }\n },\n\n /**\n * Removes no-longer needed values from the URL (authorization code, CSRF token).\n * This is important to avoid leaking sensitive parameters via:\n * - Browser history\n * - Copy/paste of URL\n * - HTTP referrer headers to third-party content\n *\n * Approach:\n * - Remove 'code'.\n * - Remove 'state' entirely if only contained csrf_token.\n * - Else, re-encode remaining state fields (minus csrf_token).\n * - Replace current history entry (no page reload).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} location\n * @private\n * @returns {void}\n */\n _cleanUrl(location) {\n location = cloneDeep(location);\n if (this.webex.getWindow().history && this.webex.getWindow().history.replaceState) {\n Reflect.deleteProperty(location.query, 'code');\n if (isEmpty(omit(location.query.state, 'csrf_token'))) {\n Reflect.deleteProperty(location.query, 'state');\n } else {\n location.query.state = base64.encode(\n JSON.stringify(omit(location.query.state, 'csrf_token'))\n );\n }\n location.search = querystring.stringify(location.query);\n Reflect.deleteProperty(location, 'query');\n this.webex.getWindow().history.replaceState({}, null, url.format(location));\n }\n },\n\n /**\n * Generates a PKCE (RFC 7636) code verifier and corresponding S256 code challenge.\n * Persists the verifier in sessionStorage (single-use) for later retrieval\n * during authorization code exchange; removes it once consumed.\n *\n * Implementation details:\n * - Creates a 128 character string using base64url safe alphabet.\n * - Computes SHA256 hash, encodes to base64url (no padding).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @private\n * @returns {string} code_challenge\n */\n _generateCodeChallenge() {\n this.logger.info('authorization: generating PKCE code challenge');\n\n // eslint-disable-next-line no-underscore-dangle\n const safeCharacterMap = base64url._safe_map;\n\n const codeVerifier = lodash\n .times(128, () => safeCharacterMap[lodash.random(0, safeCharacterMap.length - 1)])\n .join('');\n\n const codeChallenge = CryptoJS.SHA256(codeVerifier).toString(base64url);\n\n this.webex.getWindow().sessionStorage.setItem(OAUTH2_CODE_VERIFIER, codeVerifier);\n\n return codeChallenge;\n },\n\n /**\n * Generates a CSRF token and stores it in sessionStorage.\n * Token is embedded in 'state' and validated upon redirect return.\n *\n * Uses UUID v4 for randomness.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @private\n * @returns {string} token\n */\n _generateSecurityToken() {\n this.logger.info('authorization: generating csrf token');\n\n const token = uuid.v4();\n\n this.webex.getWindow().sessionStorage.setItem('oauth2-csrf-token', token);\n\n return token;\n },\n\n /**\n * Verifies that the CSRF token returned in the 'state' matches the one\n * previously stored in sessionStorage.\n *\n * Steps:\n * - Retrieve and immediately remove stored token (one-time use).\n * - Ensure state + state.csrf_token exist.\n * - Compare values; throw descriptive errors on mismatch / absence.\n *\n * If no stored token (e.g., user navigated directly), silently returns.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} query - Parsed query (location.query)\n * @private\n * @returns {void}\n */\n _verifySecurityToken(query) {\n const sessionToken = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CSRF_TOKEN);\n\n this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CSRF_TOKEN);\n if (!sessionToken) {\n return;\n }\n\n if (!query.state) {\n throw new Error(`Expected CSRF token ${sessionToken}, but not found in redirect query`);\n }\n\n if (!query.state.csrf_token) {\n throw new Error(`Expected CSRF token ${sessionToken}, but not found in redirect query`);\n }\n\n const token = query.state.csrf_token;\n\n if (token !== sessionToken) {\n throw new Error(`CSRF token ${token} does not match stored token ${sessionToken}`);\n }\n },\n});\n\nexport default Authorization;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAYA,IAAAA,YAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,KAAA,GAAAF,sBAAA,CAAAC,OAAA;AACA,IAAAE,OAAA,GAAAF,OAAA;AAEA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,UAAA,GAAAJ,OAAA;AACA,IAAAK,OAAA,GAAAL,OAAA;AACA,IAAAM,KAAA,GAAAP,sBAAA,CAAAC,OAAA;AACA,IAAAO,aAAA,GAAAR,sBAAA,CAAAC,OAAA;AACA,IAAAQ,SAAA,GAAAT,sBAAA,CAAAC,OAAA;AAAiC,IAAAS,IAAA,EAAAC,KAAA,EAAAC,IAAA,EArBjC;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAaA;AACA;AACA,IAAMC,MAAM,GAAGZ,OAAO,CAAC,QAAQ,CAAC;AAEhC,IAAMa,iBAAiB,GAAG,mBAAmB;AAC7C,IAAMC,oBAAoB,GAAG,sBAAsB;;AAEnD;AACA;AACA;AACO,IAAMC,MAAM,GAAAC,OAAA,CAAAD,MAAA,GAAG;EACpBE,KAAK,EAAE,OAAO;EACd;AACF;AACA;EACEC,WAAW,EAAE;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAMC,aAAa,GAAGC,sBAAW,CAACC,MAAM,EAAAZ,IAAA,GAkOrC,IAAAa,qBAAa,EAAC,eAAe,CAAC,EAAAZ,KAAA,GAqH9B,IAAAY,qBAAa,EAAC,eAAe,CAAC,EAAAX,IAAA,GAvVQ;EACvCY,OAAO,EAAE;IACP;AACJ;AACA;AACA;AACA;AACA;IACIC,gBAAgB,EAAE;MAChBC,IAAI,EAAE,CAAC,eAAe,CAAC;MACvBC,EAAE,WAAFA,EAAEA,CAAA,EAAG;QACH,OAAO,IAAI,CAACC,aAAa;MAC3B;IACF;EACF,CAAC;EAEDC,OAAO,EAAE;IACP;AACJ;AACA;AACA;AACA;AACA;IACID,aAAa,EAAE;MACbE,OAAO,EAAE,KAAK;MACdC,IAAI,EAAE;IACR,CAAC;IACD;AACJ;AACA;AACA;IACIC,KAAK,EAAE;MACLF,OAAO,EAAE,KAAK;MACdC,IAAI,EAAE;IACR;EACF,CAAC;EAEDE,SAAS,EAAE,aAAa;EAExB;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,YAAY,EAAE,IAAIC,oBAAY,CAAC,CAAC;EAEhC;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,YAAY,EAAE,IAAI;EAClB;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,sBAAsB,EAAE,IAAI;EAE5B;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,SAAS,EAAE,CAAC;EAEZ;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,gBAAgB,EAAE,IAAI;EAEtB;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE;EACAC,UAAU,WAAVA,UAAUA,CAAA,EAAW;IAAA,IAAAC,KAAA;IAAA,SAAAC,IAAA,GAAAC,SAAA,CAAAC,MAAA,EAAPC,KAAK,OAAAC,KAAA,CAAAJ,IAAA,GAAAK,IAAA,MAAAA,IAAA,GAAAL,IAAA,EAAAK,IAAA;MAALF,KAAK,CAAAE,IAAA,IAAAJ,SAAA,CAAAI,IAAA;IAAA;IACjB,IAAMC,GAAG,GAAG,IAAAC,MAAA,CAAAnB,OAAA,EAAcT,sBAAW,CAAC6B,SAAS,CAACV,UAAU,EAAE,IAAI,EAAEK,KAAK,CAAC;IACxE,IAAMM,QAAQ,GAAGC,aAAG,CAACC,KAAK,CAAC,IAAI,CAACC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,CAACK,IAAI,EAAE,IAAI,CAAC;;IAEtE;IACA,IAAI,CAACC,eAAe,CAACN,QAAQ,CAAC;IAE9B,IAAOO,IAAI,GAAIP,QAAQ,CAACQ,KAAK,CAAtBD,IAAI;;IAEX;IACA,IAAI,CAACA,IAAI,EAAE;MACT,IAAI,CAAC1B,KAAK,GAAG,IAAI;MACjB,OAAOgB,GAAG;IACZ;;IAEA;IACA,IAAIG,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE;MACxBT,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAGC,IAAI,CAACR,KAAK,CAACS,cAAM,CAACC,MAAM,CAACZ,QAAQ,CAACQ,KAAK,CAACC,KAAK,CAAC,CAAC;IACxE,CAAC,MAAM;MACLT,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAG,CAAC,CAAC;IAC3B;;IAEA;IACA,IAAMI,YAAY,GAAG,IAAI,CAACV,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAACC,OAAO,CAACnD,oBAAoB,CAAC;IACxF;IACA,IAAI,CAACuC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAACE,UAAU,CAACpD,oBAAoB,CAAC;IAEtE,IAAOqD,SAAS,GAAIjB,QAAQ,CAACQ,KAAK,CAACC,KAAK,CAAjCQ,SAAS;;IAEhB;IACA,IAAI,CAACC,oBAAoB,CAAClB,QAAQ,CAACQ,KAAK,CAAC;IACzC;IACA,IAAI,CAACW,SAAS,CAACnB,QAAQ,CAAC;IAExB,IAAIoB,oBAAoB;;IAExB;IACA,IAAMC,KAAK,GAAG,IAAI,CAACC,qBAAqB,CAACf,IAAI,CAAC;IAE9C,IAAIU,SAAS,EAAE;MACbG,oBAAoB,GAAG;QAACH,SAAS,EAATA;MAAS,CAAC;IACpC,CAAC,MAAM,IAAII,KAAK,EAAE;MAChBD,oBAAoB,GAAG;QAACC,KAAK,EAALA;MAAK,CAAC;IAChC;;IAEA;IACAE,OAAO,CAACC,QAAQ,CAAC,YAAM;MACrBlC,KAAI,CAACa,KAAK,CAACsB,QAAQ,CAACC,QAAQ,CACzBC,qBAAqB,CAACP,oBAAoB,CAAC,CAC3CQ,KAAK,CAAC;QAAA,OAAMC,QAAA,CAAAlD,OAAA,CAAQmD,OAAO,CAAC,CAAC;MAAA,EAAC,CAAC;MAAA,CAC/BC,IAAI,CAAC;QAAA,OAAMzC,KAAI,CAAC0C,6BAA6B,CAAC;UAACzB,IAAI,EAAJA,IAAI;UAAEM,YAAY,EAAZA;QAAY,CAAC,CAAC;MAAA,EAAC,CACpEe,KAAK,CAAC,UAACK,KAAK,EAAK;QAChB3C,KAAI,CAAC4C,MAAM,CAACC,IAAI,CAAC,gEAAgE,EAAEF,KAAK,CAAC;MAC3F,CAAC,CAAC,CACDF,IAAI,CAAC,YAAM;QACV;QACAzC,KAAI,CAACT,KAAK,GAAG,IAAI;MACnB,CAAC,CAAC;IACN,CAAC,CAAC;IAEF,OAAOgB,GAAG;EACZ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEuC,aAAa,WAAbA,aAAaA,CAAA,EAAe;IAAA,IAAdC,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IACxB,IAAI,CAACT,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACE,KAAK,EAAE;MACnCyE,SAAS,EAAE,eAAe;MAC1BC,IAAI,EAAE;QACJC,QAAQ,EAAE,CAAC,CAACL,OAAO,CAACM,KAAK;QACzBC,QAAQ,EAAE,CAAC,CAACP,OAAO,CAAC5B;MACtB;IACF,CAAC,CAAC;IAEF4B,OAAO,GAAG,IAAAQ,iBAAS,EAACR,OAAO,CAAC;;IAE5B;IACA,IAAIA,OAAO,CAACM,KAAK,EAAE;MACjBN,OAAO,CAACS,SAAS,GAAGC,iBAAQ,CAACC,MAAM,CAACX,OAAO,CAACM,KAAK,CAAC,CAACM,QAAQ,CAAC,CAAC;IAC/D;IACA,OAAOZ,OAAO,CAACM,KAAK,CAAC,CAAC;;IAEtBN,OAAO,CAAC5B,KAAK,GAAG4B,OAAO,CAAC5B,KAAK,IAAI,CAAC,CAAC;IACnC;IACA4B,OAAO,CAAC5B,KAAK,CAACyC,UAAU,GAAG,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACxD;IACA;IACAd,OAAO,CAAC5B,KAAK,CAACQ,SAAS,GAAGoB,OAAO,CAACS,SAAS;;IAE3C;IACAT,OAAO,CAACe,cAAc,GAAG,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACtDhB,OAAO,CAACiB,qBAAqB,GAAG,MAAM;IAEtC,OAAO,IAAI,CAACC,8BAA8B,CAAClB,OAAO,CAAC;EACrD,CAAC;EAGD;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEkB,8BAA8B,WAA9BA,8BAA8BA,CAAClB,OAAO,EAAE;IACtC,IAAI,CAACH,MAAM,CAACsB,IAAI,CAAC,yDAAyD,CAAC;IAC3E,IAAMC,QAAQ,GAAG,IAAI,CAACtD,KAAK,CAACuD,WAAW,CAACC,aAAa,CACnD,IAAAC,OAAA,CAAAjF,OAAA,EAAc;MAACkF,aAAa,EAAE;IAAM,CAAC,EAAExB,OAAO,CAChD,CAAC;IAED,IAAI,CAACtD,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACE,KAAK,EAAE;MACnCyE,SAAS,EAAE,oBAAoB;MAC/BC,IAAI,EAAE;QAACgB,QAAQ,EAARA;MAAQ;IACjB,CAAC,CAAC;IAEF,IAAIpB,OAAO,aAAPA,OAAO,eAAPA,OAAO,CAAEyB,cAAc,EAAE;MAC3B;MACA,IAAMC,qBAAqB,GAAG;QAC5BC,KAAK,EAAE,GAAG;QACVC,MAAM,EAAE;MACV,CAAC;MAED,IAAMC,cAAc,GAAG,IAAAN,OAAA,CAAAjF,OAAA,EACrBoF,qBAAqB,EACrB,IAAAI,QAAA,CAAAxF,OAAA,EAAO0D,OAAO,CAACyB,cAAc,MAAK,QAAQ,GAAGzB,OAAO,CAACyB,cAAc,GAAG,CAAC,CACzE,CAAC;MAED,IAAMM,cAAc,GAAG,IAAAC,QAAA,CAAA1F,OAAA,EAAeuF,cAAc,CAAC,CAClDI,GAAG,CAAC,UAAAC,IAAA;QAAA,IAAAC,KAAA,OAAAC,eAAA,CAAA9F,OAAA,EAAA4F,IAAA;UAAEG,GAAG,GAAAF,KAAA;UAAEG,KAAK,GAAAH,KAAA;QAAA,UAAAI,MAAA,CAASF,GAAG,OAAAE,MAAA,CAAID,KAAK;MAAA,CAAE,CAAC,CACxCE,IAAI,CAAC,GAAG,CAAC;MACZ,IAAI,CAAC1E,KAAK,CAACC,SAAS,CAAC,CAAC,CAAC0E,IAAI,CAACrB,QAAQ,EAAE,QAAQ,EAAEW,cAAc,CAAC;IACjE,CAAC,MAAM;MACL;MACA,IAAI,CAACjE,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAGyD,QAAQ;IAC5C;IAEA,OAAO5B,QAAA,CAAAlD,OAAA,CAAQmD,OAAO,CAAC,CAAC;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEiD,uBAAuB,WAAvBA,uBAAuBA,CAAA,EAAe;IAAA,IAAd1C,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IAClC,OAAO,IAAI,CAACwF,+BAA+B,CAAC3C,OAAO,CAAC;EACtD,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE2C,+BAA+B,WAA/BA,+BAA+BA,CAAA,EAAe;IAAA,IAAd3C,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IAC1C,IAAI,CAAC0C,MAAM,CAACsB,IAAI,CAAC,sDAAsD,CAAC;IAExE,IAAI;MACF,IAAMvD,IAAG,GAAG,IAAI,CAACE,KAAK,CAACuD,WAAW,CAACuB,uBAAuB,CAAC5C,OAAO,CAAC;MAEnE,IAAI,CAAClC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAGC,IAAG;IACvC,CAAC,CAAC,OAAOiF,GAAG,EAAE;MACZ,OAAOrD,QAAA,CAAAlD,OAAA,CAAQwG,MAAM,CAACD,GAAG,CAAC;IAC5B;IAEA,OAAOrD,QAAA,CAAAlD,OAAA,CAAQmD,OAAO,CAAC,CAAC;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEsD,MAAM,WAANA,MAAMA,CAAA,EAAe;IAAA,IAAd/C,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IACjB,IAAI,CAAC6C,OAAO,CAACgD,UAAU,EAAE;MACvB,IAAI,CAAClF,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAG,IAAI,CAACG,KAAK,CAACuD,WAAW,CAAC4B,cAAc,CAACjD,OAAO,CAAC;IAClF;EACF,CAAC;EAID;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEL,6BAA6B,WAA7BA,6BAA6BA,CAAA,EAAe;IAAA,IAAAuD,MAAA;IAAA,IAAdlD,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IACxC,IAAI,CAAC0C,MAAM,CAACsB,IAAI,CAAC,kDAAkD,CAAC;IAEpE,IAAI,CAACnB,OAAO,CAAC9B,IAAI,EAAE;MACjB,OAAOsB,QAAA,CAAAlD,OAAA,CAAQwG,MAAM,CAAC,IAAIK,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChE;IAEA,IAAMC,IAAI,GAAG;MACXC,UAAU,EAAE,oBAAoB;MAChCC,YAAY,EAAE,IAAI,CAACC,MAAM,CAACD,YAAY;MACtCpF,IAAI,EAAE8B,OAAO,CAAC9B,IAAI;MAClBsF,oBAAoB,EAAE,IAAI,CAAE;IAC9B,CAAC;IAED,IAAIxD,OAAO,CAACxB,YAAY,EAAE;MACxB4E,IAAI,CAACK,aAAa,GAAGzD,OAAO,CAACxB,YAAY;IAC3C;IAEA,OAAO,IAAI,CAACV,KAAK,CACd4F,OAAO,CAAC;MACPC,MAAM,EAAE,MAAM;MACdC,GAAG,EAAE,IAAI,CAACL,MAAM,CAACM,QAAQ;MACzBT,IAAI,EAAJA,IAAI;MACJU,IAAI,EAAE;QACJC,IAAI,EAAE,IAAI,CAACR,MAAM,CAACS,SAAS;QAC3BC,IAAI,EAAE,IAAI,CAACV,MAAM,CAACW,aAAa;QAC/BC,eAAe,EAAE;MACnB,CAAC;MACDC,wBAAwB,EAAE,KAAK,CAAE;IACnC,CAAC,CAAC,CACD1E,IAAI,CAAC,UAAC2E,GAAG,EAAK;MACb;MACAnB,MAAI,CAACpF,KAAK,CAACuD,WAAW,CAACiD,GAAG,CAAC;QAACC,UAAU,EAAEF,GAAG,CAACG;MAAI,CAAC,CAAC;IACpD,CAAC,CAAC,CACDjF,KAAK,CAAC,UAAC8E,GAAG,EAAK;MACd,IAAIA,GAAG,CAACI,UAAU,KAAK,GAAG,EAAE;QAC1B,OAAOjF,QAAA,CAAAlD,OAAA,CAAQwG,MAAM,CAACuB,GAAG,CAAC;MAC5B;;MAEA;MACA,IAAMK,gBAAgB,GAAGC,sBAAW,CAACC,MAAM,CAACP,GAAG,CAACG,IAAI,CAAC5E,KAAK,CAAC;MAE3D,OAAOJ,QAAA,CAAAlD,OAAA,CAAQwG,MAAM,CAAC,IAAI4B,gBAAgB,CAACL,GAAG,CAACQ,IAAI,IAAIR,GAAG,CAAC,CAAC;IAC9D,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACES,8BAA8B,WAA9BA,8BAA8BA,CAACC,eAAe,EAAE;IAC9C,IAAMC,OAAO,GAAG,kCAAkC;IAClD,IAAMC,SAAS,GAAG,IAAIC,eAAe,CAAC,IAAIC,GAAG,CAACJ,eAAe,CAAC,CAACK,MAAM,CAAC;IACtE,IAAMC,QAAQ,GAAGJ,SAAS,CAACK,GAAG,CAAC,UAAU,CAAC;IAE1C,IAAID,QAAQ,EAAE;MACZ,IAAOhG,QAAQ,GAAI,IAAI,CAACvB,KAAK,CAACsB,QAAQ,CAA/BC,QAAQ;MACf,IAAMkG,cAAc,GAAGlG,QAAQ,CAACiG,GAAG,CAAC,cAAc,CAAC;MACnD,IAAME,kBAAkB,GAAG,IAAIL,GAAG,CAACH,OAAO,CAAC;MAC3CQ,kBAAkB,CAACC,YAAY,CAACnB,GAAG,CAAC,UAAU,EAAEe,QAAQ,CAAC;MACzDG,kBAAkB,CAACC,YAAY,CAACnB,GAAG,CAAC,aAAa,EAAEiB,cAAc,CAAC;MAClE,OAAOC,kBAAkB,CAAC5E,QAAQ,CAAC,CAAC;IACtC,CAAC,MAAM;MACL,OAAOmE,eAAe;IACxB;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEW,eAAe,WAAfA,eAAeA,CAAA,EAAG;IAAA,IAAAC,MAAA;IAChB,IAAI,IAAI,CAAC/I,YAAY,EAAE;MACrB;MACA,IAAI,CAACF,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,oBAAoB;QAC/BC,IAAI,EAAE;UAACwF,OAAO,EAAE;QAAoC;MACtD,CAAC,CAAC;MACF;IACF;IAEA,IAAI,CAAC9H,KAAK,CACP4F,OAAO,CAAC;MACPC,MAAM,EAAE,MAAM;MACdkC,OAAO,EAAE,cAAc;MACvBC,QAAQ,EAAE,2BAA2B;MACrC1C,IAAI,EAAE;QACJY,SAAS,EAAE,IAAI,CAACT,MAAM,CAACS,SAAS;QAChC+B,KAAK,EAAE,IAAI,CAACxC,MAAM,CAACwC;MACrB,CAAC;MACDjC,IAAI,EAAE;QACJC,IAAI,EAAE,IAAI,CAACR,MAAM,CAACS,SAAS;QAC3BC,IAAI,EAAE,IAAI,CAACV,MAAM,CAACW,aAAa;QAC/BC,eAAe,EAAE;MACnB;IACF,CAAC,CAAC,CACDzE,IAAI,CAAC,UAAC2E,GAAG,EAAK;MACb,IAAA2B,SAAA,GAAiE3B,GAAG,CAACG,IAAI;QAAlEyB,SAAS,GAAAD,SAAA,CAATC,SAAS;QAAEC,gBAAgB,GAAAF,SAAA,CAAhBE,gBAAgB;QAAEC,yBAAyB,GAAAH,SAAA,CAAzBG,yBAAyB;MAC7D,IAAMC,uBAAuB,GAC3BT,MAAI,CAACb,8BAA8B,CAACqB,yBAAyB,CAAC;MAChER,MAAI,CAACjJ,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,oBAAoB;QAC/BkG,QAAQ,EAAE;UACRhB,QAAQ,EAAEY,SAAS;UACnBK,eAAe,EAAEJ,gBAAgB;UACjCE,uBAAuB,EAAvBA;QACF;MACF,CAAC,CAAC;MACF;MACAT,MAAI,CAACY,mBAAmB,CAAClC,GAAG,CAACG,IAAI,CAAC;IACpC,CAAC,CAAC,CACDjF,KAAK,CAAC,UAAC8E,GAAG,EAAK;MACdsB,MAAI,CAACjJ,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,oBAAoB;QAC/BC,IAAI,EAAEiE,GAAG,CAACG;MACZ,CAAC,CAAC;IACJ,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE+B,mBAAmB,WAAnBA,mBAAmBA,CAAA,EAAe;IAAA,IAAAC,iBAAA;MAAAC,MAAA;IAAA,IAAdzG,OAAO,GAAA7C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,CAAC,CAAC;IAC9B,IAAI,CAAC6C,OAAO,CAAC0G,WAAW,EAAE;MACxB,IAAI,CAAChK,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACwF,OAAO,EAAE;QAA0B;MAC5C,CAAC,CAAC;MACF;IACF;IAEA,IAAI,IAAI,CAAChJ,YAAY,EAAE;MACrB;MACA,IAAI,CAACF,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACwF,OAAO,EAAE;QAAoC;MACtD,CAAC,CAAC;MACF;IACF;IAEA,IAAoBe,UAAU,GAAiC3G,OAAO,CAA/D0G,WAAW;MAAAE,mBAAA,GAA6C5G,OAAO,CAAtC6G,UAAU;MAAEC,SAAS,GAAAF,mBAAA,cAAG,GAAG,GAAAA,mBAAA;IAC3D;IACA,IAAIG,QAAQ,IAAAP,iBAAA,GAAGxG,OAAO,CAAC+G,QAAQ,cAAAP,iBAAA,cAAAA,iBAAA,GAAI,CAAC;;IAEpC;IACA,IAAI,CAAC3J,sBAAsB,GAAGmK,UAAU,CAAC,YAAM;MAC7CP,MAAI,CAACQ,mBAAmB,CAAC,KAAK,CAAC;MAC/BR,MAAI,CAAC/J,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACwF,OAAO,EAAE;QAAyB;MAC3C,CAAC,CAAC;IACJ,CAAC,EAAEkB,SAAS,GAAG,IAAI,CAAC;IAEpB,IAAMI,OAAO,GAAG,SAAVA,OAAOA,CAAA,EAAS;MACpB;MACAT,MAAI,CAAC3J,SAAS,IAAI,CAAC;MACnB2J,MAAI,CAAC1J,gBAAgB,GAAG0J,MAAI,CAAC3J,SAAS;MAEtC2J,MAAI,CAAC3I,KAAK,CACP4F,OAAO,CAAC;QACPC,MAAM,EAAE,MAAM;QACdkC,OAAO,EAAE,cAAc;QACvBC,QAAQ,EAAE,uBAAuB;QACjC1C,IAAI,EAAE;UACJC,UAAU,EAAE,8CAA8C;UAC1DqD,WAAW,EAAEC,UAAU;UACvB3C,SAAS,EAAEyC,MAAI,CAAClD,MAAM,CAACS;QACzB,CAAC;QACDF,IAAI,EAAE;UACJC,IAAI,EAAE0C,MAAI,CAAClD,MAAM,CAACS,SAAS;UAC3BC,IAAI,EAAEwC,MAAI,CAAClD,MAAM,CAACW,aAAa;UAC/BC,eAAe,EAAE;QACnB;MACF,CAAC,CAAC,CACDzE,IAAI,CAAC,UAAC2E,GAAG,EAAK;QACb;QACA,IAAIoC,MAAI,CAAC1J,gBAAgB,KAAK0J,MAAI,CAAC3J,SAAS,EAAE;QAE9C2J,MAAI,CAAC/J,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;UACzCwE,SAAS,EAAE,sBAAsB;UACjCC,IAAI,EAAEiE,GAAG,CAACG;QACZ,CAAC,CAAC;QACFiC,MAAI,CAAC3I,KAAK,CAACuD,WAAW,CAACiD,GAAG,CAAC;UAACC,UAAU,EAAEF,GAAG,CAACG;QAAI,CAAC,CAAC;QAClDiC,MAAI,CAACQ,mBAAmB,CAAC,CAAC;MAC5B,CAAC,CAAC,CACD1H,KAAK,CAAC,UAAC8E,GAAG,EAAK;QACd,IAAIoC,MAAI,CAAC1J,gBAAgB,KAAK0J,MAAI,CAAC3J,SAAS,EAAE;;QAE9C;QACA,IAAIuH,GAAG,CAACI,UAAU,KAAK,GAAG,IAAIJ,GAAG,CAACG,IAAI,CAACoB,OAAO,KAAK,WAAW,EAAE;UAC9DuB,eAAe,CAACJ,QAAQ,GAAG,CAAC,CAAC;UAC7B;QACF;;QAEA;QACA,IAAI1C,GAAG,CAACI,UAAU,KAAK,GAAG,EAAE;UAC1BgC,MAAI,CAAC/J,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;YACzCwE,SAAS,EAAE,sBAAsB;YACjCC,IAAI,EAAEiE,GAAG,CAACG;UACZ,CAAC,CAAC;UACF2C,eAAe,CAACJ,QAAQ,CAAC;UACzB;QACF;;QAEA;QACAN,MAAI,CAACQ,mBAAmB,CAAC,CAAC;QAE1BR,MAAI,CAAC/J,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;UACzCwE,SAAS,EAAE,sBAAsB;UACjCC,IAAI,EAAEiE,GAAG,CAACG;QACZ,CAAC,CAAC;MACJ,CAAC,CAAC;IACN,CAAC;;IAED;IACA,IAAM2C,eAAe,GAAG,SAAlBA,eAAeA,CAAIJ,QAAQ;MAAA,OAC9BN,MAAI,CAAC7J,YAAY,GAAGoK,UAAU,CAACE,OAAO,EAAEH,QAAQ,GAAG,IAAI,CAAC;IAAA,CAAC;IAE5DI,eAAe,CAACJ,QAAQ,CAAC;EAC3B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEE,mBAAmB,WAAnBA,mBAAmBA,CAAA,EAAyB;IAAA,IAAxBG,eAAe,GAAAjK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA8C,SAAA,GAAA9C,SAAA,MAAG,IAAI;IACxC,IAAI,IAAI,CAACP,YAAY,IAAIwK,eAAe,EAAE;MACxC,IAAI,CAAC1K,YAAY,CAACwD,IAAI,CAAC1E,MAAM,CAACG,WAAW,EAAE;QACzCwE,SAAS,EAAE;MACb,CAAC,CAAC;IACJ;IAEA,IAAI,CAACpD,gBAAgB,GAAG,IAAI;IAE5BsK,YAAY,CAAC,IAAI,CAACxK,sBAAsB,CAAC;IACzC,IAAI,CAACA,sBAAsB,GAAG,IAAI;IAClCwK,YAAY,CAAC,IAAI,CAACzK,YAAY,CAAC;IAC/B,IAAI,CAACA,YAAY,GAAG,IAAI;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEqC,qBAAqB,WAArBA,qBAAqBA,CAACf,IAAI,EAAE;IAC1B,OAAO,CAAAA,IAAI,aAAJA,IAAI,uBAAJA,IAAI,CAAEoJ,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAIrH,SAAS;EACzC,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEhC,eAAe,WAAfA,eAAeA,CAACN,QAAQ,EAAE;IACxB,IAAOQ,KAAK,GAAIR,QAAQ,CAAjBQ,KAAK;IAEZ,IAAIA,KAAK,IAAIA,KAAK,CAACyB,KAAK,EAAE;MACxB,IAAM8E,gBAAgB,GAAGC,sBAAW,CAACC,MAAM,CAACzG,KAAK,CAACyB,KAAK,CAAC;MAExD,MAAM,IAAI8E,gBAAgB,CAACvG,KAAK,CAAC;IACnC;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEW,SAAS,WAATA,SAASA,CAACnB,QAAQ,EAAE;IAClBA,QAAQ,GAAG,IAAA6C,iBAAS,EAAC7C,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAACG,KAAK,CAACC,SAAS,CAAC,CAAC,CAACwJ,OAAO,IAAI,IAAI,CAACzJ,KAAK,CAACC,SAAS,CAAC,CAAC,CAACwJ,OAAO,CAACC,YAAY,EAAE;MACjF,IAAAC,eAAA,CAAAnL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,MAAM,CAAC;MAC9C,IAAI,IAAAuJ,eAAO,EAAC,IAAAC,YAAI,EAAChK,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE,YAAY,CAAC,CAAC,EAAE;QACrD,IAAAqJ,eAAA,CAAAnL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,OAAO,CAAC;MACjD,CAAC,MAAM;QACLR,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAGE,cAAM,CAACsJ,MAAM,CAClC,IAAAC,UAAA,CAAAvL,OAAA,EAAe,IAAAqL,YAAI,EAAChK,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE,YAAY,CAAC,CACzD,CAAC;MACH;MACAT,QAAQ,CAACyH,MAAM,GAAG0C,oBAAW,CAACC,SAAS,CAACpK,QAAQ,CAACQ,KAAK,CAAC;MACvD,IAAAsJ,eAAA,CAAAnL,OAAA,EAAuBqB,QAAQ,EAAE,OAAO,CAAC;MACzC,IAAI,CAACG,KAAK,CAACC,SAAS,CAAC,CAAC,CAACwJ,OAAO,CAACC,YAAY,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE5J,aAAG,CAACoK,MAAM,CAACrK,QAAQ,CAAC,CAAC;IAC7E;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEqD,sBAAsB,WAAtBA,sBAAsBA,CAAA,EAAG;IACvB,IAAI,CAACnB,MAAM,CAACsB,IAAI,CAAC,+CAA+C,CAAC;;IAEjE;IACA,IAAM8G,gBAAgB,GAAGC,qBAAS,CAACC,SAAS;IAE5C,IAAM3J,YAAY,GAAGnD,MAAM,CACxB+M,KAAK,CAAC,GAAG,EAAE;MAAA,OAAMH,gBAAgB,CAAC5M,MAAM,CAACgN,MAAM,CAAC,CAAC,EAAEJ,gBAAgB,CAAC7K,MAAM,GAAG,CAAC,CAAC,CAAC;IAAA,EAAC,CACjFoF,IAAI,CAAC,EAAE,CAAC;IAEX,IAAM8F,aAAa,GAAG5H,iBAAQ,CAACC,MAAM,CAACnC,YAAY,CAAC,CAACoC,QAAQ,CAACsH,qBAAS,CAAC;IAEvE,IAAI,CAACpK,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAAC8J,OAAO,CAAChN,oBAAoB,EAAEiD,YAAY,CAAC;IAEjF,OAAO8J,aAAa;EACtB,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACExH,sBAAsB,WAAtBA,sBAAsBA,CAAA,EAAG;IACvB,IAAI,CAACjB,MAAM,CAACsB,IAAI,CAAC,sCAAsC,CAAC;IAExD,IAAMqH,KAAK,GAAGC,aAAI,CAACC,EAAE,CAAC,CAAC;IAEvB,IAAI,CAAC5K,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAAC8J,OAAO,CAAC,mBAAmB,EAAEC,KAAK,CAAC;IAEzE,OAAOA,KAAK;EACd,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE3J,oBAAoB,WAApBA,oBAAoBA,CAACV,KAAK,EAAE;IAC1B,IAAMwK,YAAY,GAAG,IAAI,CAAC7K,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAACC,OAAO,CAACpD,iBAAiB,CAAC;IAErF,IAAI,CAACwC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACU,cAAc,CAACE,UAAU,CAACrD,iBAAiB,CAAC;IACnE,IAAI,CAACqN,YAAY,EAAE;MACjB;IACF;IAEA,IAAI,CAACxK,KAAK,CAACC,KAAK,EAAE;MAChB,MAAM,IAAI+E,KAAK,wBAAAZ,MAAA,CAAwBoG,YAAY,sCAAmC,CAAC;IACzF;IAEA,IAAI,CAACxK,KAAK,CAACC,KAAK,CAACyC,UAAU,EAAE;MAC3B,MAAM,IAAIsC,KAAK,wBAAAZ,MAAA,CAAwBoG,YAAY,sCAAmC,CAAC;IACzF;IAEA,IAAMH,KAAK,GAAGrK,KAAK,CAACC,KAAK,CAACyC,UAAU;IAEpC,IAAI2H,KAAK,KAAKG,YAAY,EAAE;MAC1B,MAAM,IAAIxF,KAAK,eAAAZ,MAAA,CAAeiG,KAAK,mCAAAjG,MAAA,CAAgCoG,YAAY,CAAE,CAAC;IACpF;EACF,CAAC;EAAAC,OAAA;AACH,CAAC,MAAAC,0BAAA,CAAAvM,OAAA,EAAAlB,IAAA,qCAAAF,IAAA,OAAA4N,yBAAA,CAAAxM,OAAA,EAAAlB,IAAA,qCAAAA,IAAA,OAAAyN,0BAAA,CAAAvM,OAAA,EAAAlB,IAAA,oCAAAD,KAAA,EA9cE4N,iBAAS,OAAAD,yBAAA,CAAAxM,OAAA,EAAAlB,IAAA,oCAAAA,IAAA,GAAAA,IAAA,CA8cX,CAAC;AAAC,IAAA4N,QAAA,GAAAvN,OAAA,CAAAa,OAAA,GAEYV,aAAa","ignoreList":[]}
|
|
1
|
+
{"version":3,"names":["_querystring","_interopRequireDefault","require","_url2","_events","_common","_webexCore","_lodash","_uuid","_encBase64url","_cryptoJs","_excluded","_dec","_dec2","_obj","lodash","OAUTH2_CSRF_TOKEN","OAUTH2_CODE_VERIFIER","Events","exports","login","qRCodeLogin","Authorization","WebexPlugin","extend","whileInFlight","derived","isAuthenticating","deps","fn","isAuthorizing","session","default","type","ready","namespace","eventEmitter","EventEmitter","pollingTimer","pollingExpirationTimer","pollingId","currentPollingId","initialize","_this","_len","arguments","length","attrs","Array","_key","ret","_apply","prototype","location","url","parse","webex","getWindow","href","_checkForErrors","code","query","state","decodeState","codeVerifier","sessionStorage","getItem","removeItem","emailhash","_verifySecurityToken","_cleanUrl","preauthCatalogParams","orgId","_extractOrgIdFromCode","process","nextTick","internal","services","collectPreauthCatalog","catch","_promise","resolve","then","requestAuthorizationCodeGrant","error","logger","warn","initiateLogin","options","undefined","emit","eventType","data","hasEmail","email","hasState","cloneDeep","emailHash","CryptoJS","SHA256","toString","csrf_token","_generateSecurityToken","code_challenge","_generateCodeChallenge","code_challenge_method","initiateAuthorizationCodeGrant","info","loginUrl","credentials","buildLoginUrl","_assign","response_type","separateWindow","defaultWindowSettings","width","height","windowSettings","_typeof2","windowFeatures","_entries","map","_ref","_ref2","_slicedToArray2","key","value","concat","join","open","initiateThirdPartyLogin","isObject","Error","initiateThirdPartyLoginRedirect","buildThirdPartyLoginUrl","err","reject","handleThirdPartyCallback","requireMatch","_location$query","idToken","id_token","_location$query$state","_objectWithoutProperties2","logout","noRedirect","buildLogoutUrl","_this2","form","grant_type","redirect_uri","config","self_contained_token","code_verifier","request","method","uri","tokenUrl","auth","user","client_id","pass","client_secret","sendImmediately","shouldRefreshAccessToken","res","set","supertoken","body","statusCode","ErrorConstructor","grantErrors","select","_res","_generateQRCodeVerificationUrl","verificationUrl","baseUrl","urlParams","URLSearchParams","URL","search","userCode","get","oauthHelperUrl","newVerificationUrl","searchParams","initQRCodeLogin","_this3","message","service","resource","scope","_res$body","user_code","verification_uri","verification_uri_complete","verificationUriComplete","userData","verificationUri","_startQRCodePolling","_options$interval","_this4","device_code","deviceCode","_options$expires_in","expires_in","expiresIn","interval","setTimeout","cancelQRCodePolling","polling","schedulePolling","withCancelEvent","clearTimeout","split","history","replaceState","_deleteProperty","isEmpty","omit","encodeState","querystring","stringify","format","safeCharacterMap","base64url","_safe_map","times","random","codeChallenge","setItem","token","uuid","v4","_query$state","sessionToken","version","_applyDecoratedDescriptor2","_getOwnPropertyDescriptor","oneFlight","_default"],"sources":["authorization.js"],"sourcesContent":["// @ts-nocheck\n/* eslint-disable */\n/*!\n * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.\n */\n\n/* eslint camelcase: [0] */\n/**\n * TS checking disabled: file uses legacy decorator syntax inside an object literal\n * transformed by Babel. Safe to ignore for now.\n */\n\nimport querystring from 'querystring';\nimport url from 'url';\nimport {EventEmitter} from 'events';\n\nimport {decodeState, encodeState, oneFlight, whileInFlight} from '@webex/common';\nimport {grantErrors, WebexPlugin} from '@webex/webex-core';\nimport {cloneDeep, isEmpty, omit, isObject} from 'lodash';\nimport uuid from 'uuid';\nimport base64url from 'crypto-js/enc-base64url';\nimport CryptoJS from 'crypto-js';\n\n// Necessary to require lodash this way in order to stub\n// methods in the unit test\nconst lodash = require('lodash');\n\nconst OAUTH2_CSRF_TOKEN = 'oauth2-csrf-token';\nconst OAUTH2_CODE_VERIFIER = 'oauth2-code-verifier';\n\n/**\n * Authorization plugin events\n */\nexport const Events = {\n login: 'login',\n /**\n * QR code login events\n */\n qRCodeLogin: 'qRCodeLogin',\n};\n\n/**\n * Browser support for OAuth2 for first-party (Webex Web Client) usage.\n *\n * High-level flow handled by this module:\n * 1. initiateLogin() constructs authorization request (adds CSRF + PKCE).\n * 2. Browser navigates to IdBroker (login).\n * 3. IdBroker redirects back with ?code=... (&state=...).\n * 4. initialize() detects code, validates state/CSRF, cleans URL, optionally\n * pre-fetches a preauth catalog, then exchanges the code via\n * requestAuthorizationCodeGrant().\n * 5. Sets resulting supertoken (access/refresh token bundle) on credentials.\n *\n * Additional supported flow:\n * - Device Authorization (QR Code login):\n * initQRCodeLogin() obtains device + user codes and begins polling\n * _startQRCodePolling() until tokens are issued or timeout/cancel occurs.\n *\n * Security considerations implemented:\n * - CSRF token (state.csrf_token) generation + verification.\n * - PKCE (S256) code verifier + challenge generation and consumption.\n * - URL cleanup after redirect (removes code & CSRF to prevent leakage).\n *\n * Use of this plugin for anything other than the Webex Web Client is discouraged.\n *\n * @class\n * @name AuthorizationBrowserFirstParty\n * @private\n */\nconst Authorization = WebexPlugin.extend({\n derived: {\n /**\n * Alias of {@link AuthorizationBrowserFirstParty#isAuthorizing}\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {boolean}\n */\n isAuthenticating: {\n deps: ['isAuthorizing'],\n fn() {\n return this.isAuthorizing;\n },\n },\n },\n\n session: {\n /**\n * Indicates if an Authorization Code exchange is inflight\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {boolean}\n */\n isAuthorizing: {\n default: false,\n type: 'boolean',\n },\n /**\n * Indicates that the plugin has finished any automatic startup\n * processing (e.g., exchanging a returned authorization code)\n */\n ready: {\n default: false,\n type: 'boolean',\n },\n },\n\n namespace: 'Credentials',\n\n /**\n * EventEmitter for authorization events such as QR code login progress\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {EventEmitter}\n * @public\n */\n eventEmitter: new EventEmitter(),\n\n /**\n * Stores the timer ID for QR code polling (device authorization)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n pollingTimer: null,\n /**\n * Stores the expiration timer ID for QR code polling (overall timeout)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n pollingExpirationTimer: null,\n\n /**\n * Monotonically increasing id to identify the current polling request.\n * Used to safely ignore late poll responses after a cancel/reset.\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {number}\n * @private\n */\n pollingId: 0,\n\n /**\n * Identifier for the current polling request (snapshot of pollingId)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @type {?number}\n * @private\n */\n currentPollingId: null,\n\n /**\n * Auto executes during Webex.init() – you do NOT call this yourself.\n *\n * Purpose: Seamless \"redirect completion\" of the OAuth Authorization Code (+ PKCE) flow.\n *\n * Simple summary:\n * - You call initiateLogin() which redirects user to IdBroker.\n * - User signs in; IdBroker redirects back to your redirect_uri with ?code=... (&state=...).\n * - During SDK startup this initialize() runs automatically, sees the code, and\n * silently finishes the login (validates state/CSRF + PKCE, scrubs URL, exchanges code).\n * - When done, webex.credentials.supertoken holds access+refresh and ready=true.\n *\n * Step-by-step:\n * 1. Inspect current window.location for ?code= (& state=).\n * 2. If no code: set ready=true immediately (nothing to complete).\n * 3. If code present:\n * - Decode base64 state JSON.\n * - Verify CSRF token matches sessionStorage value.\n * - Retrieve then delete PKCE code_verifier (single use).\n * - Optionally derive preauth hint (emailhash in state OR orgId parsed from code).\n * - Clean the URL (history.replaceState) to remove code & csrf token data.\n * - nextTick:\n * a. Best‑effort preauth catalog fetch (non-blocking).\n * b. Exchange authorization code (with code_verifier if any) for supertoken\n * and store on webex.credentials.\n * 4. Set ready=true after the async sequence finishes (or immediately if step 2).\n *\n * Result: If the redirect included a valid code the token exchange is completed\n * automatically—no extra API call needed after Webex.init().\n */\n // eslint-disable-next-line complexity\n initialize(...attrs) {\n const ret = Reflect.apply(WebexPlugin.prototype.initialize, this, attrs);\n const location = url.parse(this.webex.getWindow().location.href, true);\n\n // Check if redirect includes error\n this._checkForErrors(location);\n\n const {code} = location.query;\n\n // If no authorization code returned, nothing to do\n if (!code) {\n this.ready = true;\n return ret;\n }\n\n // Decode and parse state object (if present)\n if (location.query.state) {\n location.query.state = decodeState(location.query.state);\n } else {\n location.query.state = {};\n }\n\n // Retrieve PKCE code verifier (if a PKCE flow was initiated)\n const codeVerifier = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CODE_VERIFIER);\n // Immediately remove code verifier to minimize exposure\n this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CODE_VERIFIER);\n\n const {emailhash} = location.query.state;\n\n // Validate CSRF token included in state\n this._verifySecurityToken(location.query);\n // Remove code + CSRF token remnants from URL (history replace)\n this._cleanUrl(location);\n\n let preauthCatalogParams;\n\n // Attempt to extract orgId from structured authorization code (if present)\n const orgId = this._extractOrgIdFromCode(code);\n\n if (emailhash) {\n preauthCatalogParams = {emailhash};\n } else if (orgId) {\n preauthCatalogParams = {orgId};\n }\n\n // Defer token exchange until next tick in case credentials plugin not ready yet\n process.nextTick(() => {\n this.webex.internal.services\n .collectPreauthCatalog(preauthCatalogParams)\n .catch(() => Promise.resolve()) // Non-fatal if catalog collection fails\n .then(() => this.requestAuthorizationCodeGrant({code, codeVerifier}))\n .catch((error) => {\n this.logger.warn('authorization: failed initial authorization code grant request', error);\n })\n .then(() => {\n // Mark plugin ready regardless of success/failure of token exchange\n this.ready = true;\n });\n });\n\n return ret;\n },\n\n /**\n * Kicks off an OAuth authorization code flow (first party).\n *\n * Adds security + PKCE properties:\n * - SHA256(email) (emailHash & emailhash) for preauth and redirect flows\n * - state.csrf_token for CSRF protection\n * - PKCE code_challenge (S256)\n *\n * NOTE: This does not itself perform the redirect; it calls\n * initiateAuthorizationCodeGrant() which changes window location or opens\n * a separate window as configured.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @returns {Promise}\n */\n initiateLogin(options = {}) {\n this.eventEmitter.emit(Events.login, {\n eventType: 'initiateLogin',\n data: {\n hasEmail: !!options.email,\n hasState: !!options.state,\n },\n });\n\n options = cloneDeep(options);\n\n // Optionally compute heuristic email hash for preauth usage\n if (options.email) {\n options.emailHash = CryptoJS.SHA256(options.email).toString();\n }\n delete options.email; // Ensure raw email not propagated further\n\n options.state = options.state || {};\n // Embed CSRF token\n options.state.csrf_token = this._generateSecurityToken();\n // Provide email hash in lower-case key used by catalog service\n // (Note: catalog uses emailhash and redirectCI uses emailHash)\n options.state.emailhash = options.emailHash;\n\n // PKCE - produce code_challenge (S256) and persist code_verifier\n options.code_challenge = this._generateCodeChallenge();\n options.code_challenge_method = 'S256';\n\n return this.initiateAuthorizationCodeGrant(options);\n },\n\n @whileInFlight('isAuthorizing')\n /**\n * Performs the navigation step of the Authorization Code flow.\n * Builds login URL and either:\n * - Replaces current window location (default), or\n * - Opens a separate window (popup) if options.separateWindow supplied.\n *\n * Decorated with whileInFlight('isAuthorizing') to set isAuthorizing=true\n * during execution to prevent concurrent overlapping attempts.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options - Already augmented with state + PKCE info\n * @returns {Promise<void>}\n */\n initiateAuthorizationCodeGrant(options) {\n this.logger.info('authorization: initiating authorization code grant flow');\n const loginUrl = this.webex.credentials.buildLoginUrl(\n Object.assign({response_type: 'code'}, options)\n );\n\n this.eventEmitter.emit(Events.login, {\n eventType: 'redirectToLoginUrl',\n data: {loginUrl},\n });\n\n if (options?.separateWindow) {\n // If a separate popup window is requested, combine user supplied window features\n const defaultWindowSettings = {\n width: 600,\n height: 800,\n };\n\n const windowSettings = Object.assign(\n defaultWindowSettings,\n typeof options.separateWindow === 'object' ? options.separateWindow : {}\n );\n\n const windowFeatures = Object.entries(windowSettings)\n .map(([key, value]) => `${key}=${value}`)\n .join(',');\n this.webex.getWindow().open(loginUrl, '_blank', windowFeatures);\n } else {\n // Normal (in-tab) redirect\n this.webex.getWindow().location = loginUrl;\n }\n\n return Promise.resolve();\n },\n\n /**\n * Initiates third-party (social provider) login. Generates a CSRF token,\n * embeds it in `options.state.csrf_token`, and delegates to\n * `initiateThirdPartyLoginRedirect` for navigation.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.oauth2provider\n * @param {string} options.returnURL\n * @param {Object} [options.state] - Caller-supplied state object. Merged\n * with the generated `csrf_token`.\n * @returns {Promise<void>}\n */\n initiateThirdPartyLogin(options = {}) {\n options = cloneDeep(options);\n if (options.state !== undefined && !isObject(options.state)) {\n throw new Error('if specified, `options.state` must be an object');\n }\n options.state = options.state || {};\n options.state.csrf_token = this._generateSecurityToken();\n\n return this.initiateThirdPartyLoginRedirect(options);\n },\n\n /**\n * Performs the navigation step of the third-party login flow. Builds the\n * IdBroker URL via `Credentials#buildThirdPartyLoginUrl` and assigns it\n * to `getWindow().location`.\n *\n * Mirrors `initiateAuthorizationCodeGrant` for the `/authorize` flow.\n * Consumers may override this method for custom navigation handling\n * (e.g. postMessage in iframed contexts).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.oauth2provider\n * @param {string} options.returnURL\n * @returns {Promise<void>}\n */\n initiateThirdPartyLoginRedirect(options = {}) {\n this.logger.info('authorization: initiating third-party login redirect');\n\n try {\n const url = this.webex.credentials.buildThirdPartyLoginUrl(options);\n\n this.webex.getWindow().location = url;\n } catch (err) {\n return Promise.reject(err);\n }\n\n return Promise.resolve();\n },\n\n /**\n * Handles the third-party (social provider) login callback. Reads the\n * current `window.location`, decodes `state`, validates the CSRF token\n * (`state.csrf_token`), scrubs sensitive parameters from the URL via\n * `_cleanUrl`, and returns the parsed payload.\n *\n * Mirrors `initialize()` in always operating on the live\n * `window.location`\n *\n * `idToken` is single-use: it is parsed out of the URL exactly once and\n * the calling client is expected to exchange it (or discard it)\n * immediately. The returned `state` has `csrf_token` removed.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @returns {{idToken: string|undefined, email: string|undefined,\n * error: string|undefined, state: Object}}\n */\n handleThirdPartyCallback() {\n const location = url.parse(this.webex.getWindow().location.href, true);\n\n location.query.state = decodeState(location.query.state || 'e30');\n\n this._verifySecurityToken(location.query, {requireMatch: true});\n this._cleanUrl(location);\n\n const {id_token: idToken, email, error, state: {csrf_token, ...state}} = location.query;\n\n return {idToken, email, error, state};\n },\n\n /**\n * Called by {@link WebexCore#logout()}.\n * Constructs logout URL and (unless suppressed) navigates away to ensure\n * server-side session termination.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {boolean} options.noRedirect if true, does not redirect\n * @returns {Promise<void>}\n */\n logout(options = {}) {\n if (!options.noRedirect) {\n this.webex.getWindow().location = this.webex.credentials.buildLogoutUrl(options);\n }\n },\n\n @whileInFlight('isAuthorizing')\n @oneFlight\n /**\n * Exchanges an authorization code for an access (super) token bundle.\n *\n * Decorators:\n * - @whileInFlight('isAuthorizing'): prevents overlapping exchanges.\n * - @oneFlight: collapses simultaneous calls into one network request.\n *\n * Includes PKCE code_verifier if present from earlier login initiation.\n *\n * Error Handling:\n * - Non-400 responses are propagated.\n * - 400 responses map to OAuth-specific grantErrors.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options\n * @param {string} options.code - Authorization code from redirect\n * @param {string} [options.codeVerifier] - PKCE code verifier if used\n * @returns {Promise}\n */\n requestAuthorizationCodeGrant(options = {}) {\n this.logger.info('credentials: requesting authorization code grant');\n\n if (!options.code) {\n return Promise.reject(new Error('`options.code` is required'));\n }\n\n const form = {\n grant_type: 'authorization_code',\n redirect_uri: this.config.redirect_uri,\n code: options.code,\n self_contained_token: true, // Request combined access/refresh response\n };\n\n if (options.codeVerifier) {\n form.code_verifier = options.codeVerifier;\n }\n\n return this.webex\n .request({\n method: 'POST',\n uri: this.config.tokenUrl,\n form,\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n shouldRefreshAccessToken: false, // This is the token acquisition call itself\n })\n .then((res) => {\n // Store supertoken into credentials (includes refresh token)\n this.webex.credentials.set({supertoken: res.body});\n })\n .catch((res) => {\n if (res.statusCode !== 400) {\n return Promise.reject(res);\n }\n\n // Map standard OAuth error to strongly typed error class\n const ErrorConstructor = grantErrors.select(res.body.error);\n\n return Promise.reject(new ErrorConstructor(res._res || res));\n });\n },\n\n /**\n * Generate a QR code verification URL for device authorization flow.\n * When a user scans the QR code with a mobile device, this deep-links into\n * Webex (web) to continue login, including passing along userCode and the\n * helper service base URL.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {String} verificationUrl - Original verification URI (complete)\n * @returns {String} Possibly rewritten verification URL\n */\n _generateQRCodeVerificationUrl(verificationUrl) {\n const baseUrl = 'https://web.webex.com/deviceAuth';\n const urlParams = new URLSearchParams(new URL(verificationUrl).search);\n const userCode = urlParams.get('userCode');\n\n if (userCode) {\n const {services} = this.webex.internal;\n const oauthHelperUrl = services.get('oauth-helper');\n const newVerificationUrl = new URL(baseUrl);\n newVerificationUrl.searchParams.set('usercode', userCode);\n newVerificationUrl.searchParams.set('oauthhelper', oauthHelperUrl);\n return newVerificationUrl.toString();\n } else {\n return verificationUrl;\n }\n },\n\n /**\n * Initiates Device Authorization (QR Code) flow.\n *\n * Steps:\n * 1. Obtain device_code, user_code, verification URLs from oauth-helper.\n * 2. Emit getUserCodeSuccess (provides data for generating QR code).\n * 3. Start polling token endpoint with device_code.\n *\n * Emits qRCodeLogin events for UI to react (success, failure, pending, etc.).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @emits #qRCodeLogin\n */\n initQRCodeLogin() {\n if (this.pollingTimer) {\n // Prevent concurrent device authorization attempts\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeFailure',\n data: {message: 'There is already a polling request'},\n });\n return;\n }\n\n this.webex\n .request({\n method: 'POST',\n service: 'oauth-helper',\n resource: '/actions/device/authorize',\n form: {\n client_id: this.config.client_id,\n scope: this.config.scope,\n },\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n })\n .then((res) => {\n const {user_code, verification_uri, verification_uri_complete} = res.body;\n const verificationUriComplete =\n this._generateQRCodeVerificationUrl(verification_uri_complete);\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeSuccess',\n userData: {\n userCode: user_code,\n verificationUri: verification_uri,\n verificationUriComplete,\n },\n });\n // Begin polling for authorization completion\n this._startQRCodePolling(res.body);\n })\n .catch((res) => {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'getUserCodeFailure',\n data: res.body,\n });\n });\n },\n\n /**\n * Poll the device token endpoint until user authorizes, an error occurs,\n * or timeout happens.\n *\n * Polling behavior:\n * - Interval provided by server (default 2s). 'slow_down' doubles interval once.\n * - 428 status => pending (continue).\n * - Success => set credentials + emit authorizationSuccess + stop polling.\n * - Any other error => emit authorizationFailure + stop polling.\n *\n * Cancellation:\n * - cancelQRCodePolling() resets timers and polling ids so late responses are ignored.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} options - Must include device_code, may include interval/expires_in\n * @emits #qRCodeLogin\n */\n _startQRCodePolling(options = {}) {\n if (!options.device_code) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'A deviceCode is required'},\n });\n return;\n }\n\n if (this.pollingTimer) {\n // Already polling; avoid starting a duplicate cycle\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'There is already a polling request'},\n });\n return;\n }\n\n const {device_code: deviceCode, expires_in: expiresIn = 300} = options;\n // Server recommended polling interval (seconds)\n let interval = options.interval ?? 2;\n\n // Global timeout for entire device authorization attempt\n this.pollingExpirationTimer = setTimeout(() => {\n this.cancelQRCodePolling(false);\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: {message: 'Authorization timed out'},\n });\n }, expiresIn * 1000);\n\n const polling = () => {\n // Increment id so any previous poll loops can be invalidated\n this.pollingId += 1;\n this.currentPollingId = this.pollingId;\n\n this.webex\n .request({\n method: 'POST',\n service: 'oauth-helper',\n resource: '/actions/device/token',\n form: {\n grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n device_code: deviceCode,\n client_id: this.config.client_id,\n },\n auth: {\n user: this.config.client_id,\n pass: this.config.client_secret,\n sendImmediately: true,\n },\n })\n .then((res) => {\n // If polling canceled (id changed), ignore this response\n if (this.currentPollingId !== this.pollingId) return;\n\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationSuccess',\n data: res.body,\n });\n this.webex.credentials.set({supertoken: res.body});\n this.cancelQRCodePolling();\n })\n .catch((res) => {\n if (this.currentPollingId !== this.pollingId) return;\n\n // Backoff signal from server; increase interval just once for next cycle\n if (res.statusCode === 400 && res.body.message === 'slow_down') {\n schedulePolling(interval * 2);\n return;\n }\n\n // Pending: keep polling\n if (res.statusCode === 428) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationPending',\n data: res.body,\n });\n schedulePolling(interval);\n return;\n }\n\n // Terminal error\n this.cancelQRCodePolling();\n\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'authorizationFailure',\n data: res.body,\n });\n });\n };\n\n // Schedules next poll invocation\n const schedulePolling = (interval) =>\n (this.pollingTimer = setTimeout(polling, interval * 1000));\n\n schedulePolling(interval);\n },\n\n /**\n * Cancel active device authorization polling loop.\n *\n * @param {boolean} withCancelEvent emit a pollingCanceled event (default true)\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @returns {void}\n */\n cancelQRCodePolling(withCancelEvent = true) {\n if (this.pollingTimer && withCancelEvent) {\n this.eventEmitter.emit(Events.qRCodeLogin, {\n eventType: 'pollingCanceled',\n });\n }\n\n this.currentPollingId = null;\n\n clearTimeout(this.pollingExpirationTimer);\n this.pollingExpirationTimer = null;\n clearTimeout(this.pollingTimer);\n this.pollingTimer = null;\n },\n\n /**\n * Extracts the orgId from the returned code from idbroker.\n *\n * Certain authorization codes encode organization info in a structured\n * underscore-delimited format. This method parses out the 3rd segment.\n *\n * For undocumented formats or unexpected code shapes, returns undefined.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {String} code\n * @private\n * @returns {String|undefined}\n */\n _extractOrgIdFromCode(code) {\n return code?.split('_')[2] || undefined;\n },\n\n /**\n * Checks if the result of the login redirect contains an OAuth error.\n * Throws a mapped grant error if encountered.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} location\n * @private\n * @returns {void}\n */\n _checkForErrors(location) {\n const {query} = location;\n\n if (query && query.error) {\n const ErrorConstructor = grantErrors.select(query.error);\n\n throw new ErrorConstructor(query);\n }\n },\n\n /**\n * Removes no-longer needed values from the URL (authorization code, CSRF token).\n * This is important to avoid leaking sensitive parameters via:\n * - Browser history\n * - Copy/paste of URL\n * - HTTP referrer headers to third-party content\n *\n * Approach:\n * - Remove 'code' (OAuth code-grant), 'id_token', and 'email'\n * (third-party callback).\n * - Remove 'state' entirely if it only contained csrf_token.\n * - Else, re-encode remaining state fields (minus csrf_token).\n * - Replace current history entry (no page reload).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} location\n * @private\n * @returns {void}\n */\n _cleanUrl(location) {\n location = cloneDeep(location);\n if (this.webex.getWindow().history && this.webex.getWindow().history.replaceState) {\n Reflect.deleteProperty(location.query, 'code');\n Reflect.deleteProperty(location.query, 'id_token');\n Reflect.deleteProperty(location.query, 'email');\n if (isEmpty(omit(location.query.state, 'csrf_token'))) {\n Reflect.deleteProperty(location.query, 'state');\n } else {\n location.query.state = encodeState(omit(location.query.state, 'csrf_token'));\n }\n location.search = querystring.stringify(location.query);\n Reflect.deleteProperty(location, 'query');\n this.webex.getWindow().history.replaceState({}, null, url.format(location));\n }\n },\n\n /**\n * Generates a PKCE (RFC 7636) code verifier and corresponding S256 code challenge.\n * Persists the verifier in sessionStorage (single-use) for later retrieval\n * during authorization code exchange; removes it once consumed.\n *\n * Implementation details:\n * - Creates a 128 character string using base64url safe alphabet.\n * - Computes SHA256 hash, encodes to base64url (no padding).\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @private\n * @returns {string} code_challenge\n */\n _generateCodeChallenge() {\n this.logger.info('authorization: generating PKCE code challenge');\n\n // eslint-disable-next-line no-underscore-dangle\n const safeCharacterMap = base64url._safe_map;\n\n const codeVerifier = lodash\n .times(128, () => safeCharacterMap[lodash.random(0, safeCharacterMap.length - 1)])\n .join('');\n\n const codeChallenge = CryptoJS.SHA256(codeVerifier).toString(base64url);\n\n this.webex.getWindow().sessionStorage.setItem(OAUTH2_CODE_VERIFIER, codeVerifier);\n\n return codeChallenge;\n },\n\n /**\n * Generates a CSRF token and stores it in sessionStorage.\n * Token is embedded in 'state' and validated upon redirect return.\n *\n * Uses UUID v4 for randomness.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @private\n * @returns {string} token\n */\n _generateSecurityToken() {\n this.logger.info('authorization: generating csrf token');\n\n const token = uuid.v4();\n\n this.webex.getWindow().sessionStorage.setItem('oauth2-csrf-token', token);\n\n return token;\n },\n\n /**\n * Verifies that the CSRF token returned in the 'state' matches the one\n * previously stored in sessionStorage.\n *\n * Steps:\n * - Retrieve and immediately remove stored token (one-time use).\n * - Ensure state + state.csrf_token exist.\n * - Compare values; throw descriptive errors on mismatch / absence.\n *\n * If no stored token (e.g., user navigated directly), silently returns\n * unless `options.requireMatch` is `true`, in which case absence of a\n * stored token is treated as a CSRF failure.\n *\n * @instance\n * @memberof AuthorizationBrowserFirstParty\n * @param {Object} query - Parsed query (location.query)\n * @param {Object} [options]\n * @param {boolean} [options.requireMatch=false] - When true, throws if\n * no stored sessionToken is present.\n * @private\n * @returns {void}\n */\n _verifySecurityToken(query, options = {}) {\n const sessionToken = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CSRF_TOKEN);\n\n this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CSRF_TOKEN);\n if (!sessionToken) {\n if (options.requireMatch) {\n throw new Error('CSRF token missing from session storage');\n }\n\n return;\n }\n\n if (!query.state?.csrf_token) {\n throw new Error(`Expected CSRF token ${sessionToken}, but not found in redirect query`);\n }\n\n const token = query.state.csrf_token;\n\n if (token !== sessionToken) {\n throw new Error(`CSRF token ${token} does not match stored token ${sessionToken}`);\n }\n },\n});\n\nexport default Authorization;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAYA,IAAAA,YAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,KAAA,GAAAF,sBAAA,CAAAC,OAAA;AACA,IAAAE,OAAA,GAAAF,OAAA;AAEA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,UAAA,GAAAJ,OAAA;AACA,IAAAK,OAAA,GAAAL,OAAA;AACA,IAAAM,KAAA,GAAAP,sBAAA,CAAAC,OAAA;AACA,IAAAO,aAAA,GAAAR,sBAAA,CAAAC,OAAA;AACA,IAAAQ,SAAA,GAAAT,sBAAA,CAAAC,OAAA;AAAiC,IAAAS,SAAA;AAAA,IAAAC,IAAA,EAAAC,KAAA,EAAAC,IAAA,EArBjC;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAaA;AACA;AACA,IAAMC,MAAM,GAAGb,OAAO,CAAC,QAAQ,CAAC;AAEhC,IAAMc,iBAAiB,GAAG,mBAAmB;AAC7C,IAAMC,oBAAoB,GAAG,sBAAsB;;AAEnD;AACA;AACA;AACO,IAAMC,MAAM,GAAAC,OAAA,CAAAD,MAAA,GAAG;EACpBE,KAAK,EAAE,OAAO;EACd;AACF;AACA;EACEC,WAAW,EAAE;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAMC,aAAa,GAAGC,sBAAW,CAACC,MAAM,EAAAZ,IAAA,GAkOrC,IAAAa,qBAAa,EAAC,eAAe,CAAC,EAAAZ,KAAA,GAyJ9B,IAAAY,qBAAa,EAAC,eAAe,CAAC,EAAAX,IAAA,GA3XQ;EACvCY,OAAO,EAAE;IACP;AACJ;AACA;AACA;AACA;AACA;IACIC,gBAAgB,EAAE;MAChBC,IAAI,EAAE,CAAC,eAAe,CAAC;MACvBC,EAAE,WAAFA,EAAEA,CAAA,EAAG;QACH,OAAO,IAAI,CAACC,aAAa;MAC3B;IACF;EACF,CAAC;EAEDC,OAAO,EAAE;IACP;AACJ;AACA;AACA;AACA;AACA;IACID,aAAa,EAAE;MACbE,OAAO,EAAE,KAAK;MACdC,IAAI,EAAE;IACR,CAAC;IACD;AACJ;AACA;AACA;IACIC,KAAK,EAAE;MACLF,OAAO,EAAE,KAAK;MACdC,IAAI,EAAE;IACR;EACF,CAAC;EAEDE,SAAS,EAAE,aAAa;EAExB;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,YAAY,EAAE,IAAIC,oBAAY,CAAC,CAAC;EAEhC;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,YAAY,EAAE,IAAI;EAClB;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,sBAAsB,EAAE,IAAI;EAE5B;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,SAAS,EAAE,CAAC;EAEZ;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,gBAAgB,EAAE,IAAI;EAEtB;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE;EACAC,UAAU,WAAVA,UAAUA,CAAA,EAAW;IAAA,IAAAC,KAAA;IAAA,SAAAC,IAAA,GAAAC,SAAA,CAAAC,MAAA,EAAPC,KAAK,OAAAC,KAAA,CAAAJ,IAAA,GAAAK,IAAA,MAAAA,IAAA,GAAAL,IAAA,EAAAK,IAAA;MAALF,KAAK,CAAAE,IAAA,IAAAJ,SAAA,CAAAI,IAAA;IAAA;IACjB,IAAMC,GAAG,GAAG,IAAAC,MAAA,CAAAnB,OAAA,EAAcT,sBAAW,CAAC6B,SAAS,CAACV,UAAU,EAAE,IAAI,EAAEK,KAAK,CAAC;IACxE,IAAMM,QAAQ,GAAGC,aAAG,CAACC,KAAK,CAAC,IAAI,CAACC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,CAACK,IAAI,EAAE,IAAI,CAAC;;IAEtE;IACA,IAAI,CAACC,eAAe,CAACN,QAAQ,CAAC;IAE9B,IAAOO,IAAI,GAAIP,QAAQ,CAACQ,KAAK,CAAtBD,IAAI;;IAEX;IACA,IAAI,CAACA,IAAI,EAAE;MACT,IAAI,CAAC1B,KAAK,GAAG,IAAI;MACjB,OAAOgB,GAAG;IACZ;;IAEA;IACA,IAAIG,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE;MACxBT,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAG,IAAAC,mBAAW,EAACV,QAAQ,CAACQ,KAAK,CAACC,KAAK,CAAC;IAC1D,CAAC,MAAM;MACLT,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAG,CAAC,CAAC;IAC3B;;IAEA;IACA,IAAME,YAAY,GAAG,IAAI,CAACR,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACC,OAAO,CAACjD,oBAAoB,CAAC;IACxF;IACA,IAAI,CAACuC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACE,UAAU,CAAClD,oBAAoB,CAAC;IAEtE,IAAOmD,SAAS,GAAIf,QAAQ,CAACQ,KAAK,CAACC,KAAK,CAAjCM,SAAS;;IAEhB;IACA,IAAI,CAACC,oBAAoB,CAAChB,QAAQ,CAACQ,KAAK,CAAC;IACzC;IACA,IAAI,CAACS,SAAS,CAACjB,QAAQ,CAAC;IAExB,IAAIkB,oBAAoB;;IAExB;IACA,IAAMC,KAAK,GAAG,IAAI,CAACC,qBAAqB,CAACb,IAAI,CAAC;IAE9C,IAAIQ,SAAS,EAAE;MACbG,oBAAoB,GAAG;QAACH,SAAS,EAATA;MAAS,CAAC;IACpC,CAAC,MAAM,IAAII,KAAK,EAAE;MAChBD,oBAAoB,GAAG;QAACC,KAAK,EAALA;MAAK,CAAC;IAChC;;IAEA;IACAE,OAAO,CAACC,QAAQ,CAAC,YAAM;MACrBhC,KAAI,CAACa,KAAK,CAACoB,QAAQ,CAACC,QAAQ,CACzBC,qBAAqB,CAACP,oBAAoB,CAAC,CAC3CQ,KAAK,CAAC;QAAA,OAAMC,QAAA,CAAAhD,OAAA,CAAQiD,OAAO,CAAC,CAAC;MAAA,EAAC,CAAC;MAAA,CAC/BC,IAAI,CAAC;QAAA,OAAMvC,KAAI,CAACwC,6BAA6B,CAAC;UAACvB,IAAI,EAAJA,IAAI;UAAEI,YAAY,EAAZA;QAAY,CAAC,CAAC;MAAA,EAAC,CACpEe,KAAK,CAAC,UAACK,KAAK,EAAK;QAChBzC,KAAI,CAAC0C,MAAM,CAACC,IAAI,CAAC,gEAAgE,EAAEF,KAAK,CAAC;MAC3F,CAAC,CAAC,CACDF,IAAI,CAAC,YAAM;QACV;QACAvC,KAAI,CAACT,KAAK,GAAG,IAAI;MACnB,CAAC,CAAC;IACN,CAAC,CAAC;IAEF,OAAOgB,GAAG;EACZ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEqC,aAAa,WAAbA,aAAaA,CAAA,EAAe;IAAA,IAAdC,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IACxB,IAAI,CAACT,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACE,KAAK,EAAE;MACnCuE,SAAS,EAAE,eAAe;MAC1BC,IAAI,EAAE;QACJC,QAAQ,EAAE,CAAC,CAACL,OAAO,CAACM,KAAK;QACzBC,QAAQ,EAAE,CAAC,CAACP,OAAO,CAAC1B;MACtB;IACF,CAAC,CAAC;IAEF0B,OAAO,GAAG,IAAAQ,iBAAS,EAACR,OAAO,CAAC;;IAE5B;IACA,IAAIA,OAAO,CAACM,KAAK,EAAE;MACjBN,OAAO,CAACS,SAAS,GAAGC,iBAAQ,CAACC,MAAM,CAACX,OAAO,CAACM,KAAK,CAAC,CAACM,QAAQ,CAAC,CAAC;IAC/D;IACA,OAAOZ,OAAO,CAACM,KAAK,CAAC,CAAC;;IAEtBN,OAAO,CAAC1B,KAAK,GAAG0B,OAAO,CAAC1B,KAAK,IAAI,CAAC,CAAC;IACnC;IACA0B,OAAO,CAAC1B,KAAK,CAACuC,UAAU,GAAG,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACxD;IACA;IACAd,OAAO,CAAC1B,KAAK,CAACM,SAAS,GAAGoB,OAAO,CAACS,SAAS;;IAE3C;IACAT,OAAO,CAACe,cAAc,GAAG,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACtDhB,OAAO,CAACiB,qBAAqB,GAAG,MAAM;IAEtC,OAAO,IAAI,CAACC,8BAA8B,CAAClB,OAAO,CAAC;EACrD,CAAC;EAGD;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEkB,8BAA8B,WAA9BA,8BAA8BA,CAAClB,OAAO,EAAE;IACtC,IAAI,CAACH,MAAM,CAACsB,IAAI,CAAC,yDAAyD,CAAC;IAC3E,IAAMC,QAAQ,GAAG,IAAI,CAACpD,KAAK,CAACqD,WAAW,CAACC,aAAa,CACnD,IAAAC,OAAA,CAAA/E,OAAA,EAAc;MAACgF,aAAa,EAAE;IAAM,CAAC,EAAExB,OAAO,CAChD,CAAC;IAED,IAAI,CAACpD,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACE,KAAK,EAAE;MACnCuE,SAAS,EAAE,oBAAoB;MAC/BC,IAAI,EAAE;QAACgB,QAAQ,EAARA;MAAQ;IACjB,CAAC,CAAC;IAEF,IAAIpB,OAAO,aAAPA,OAAO,eAAPA,OAAO,CAAEyB,cAAc,EAAE;MAC3B;MACA,IAAMC,qBAAqB,GAAG;QAC5BC,KAAK,EAAE,GAAG;QACVC,MAAM,EAAE;MACV,CAAC;MAED,IAAMC,cAAc,GAAG,IAAAN,OAAA,CAAA/E,OAAA,EACrBkF,qBAAqB,EACrB,IAAAI,QAAA,CAAAtF,OAAA,EAAOwD,OAAO,CAACyB,cAAc,MAAK,QAAQ,GAAGzB,OAAO,CAACyB,cAAc,GAAG,CAAC,CACzE,CAAC;MAED,IAAMM,cAAc,GAAG,IAAAC,QAAA,CAAAxF,OAAA,EAAeqF,cAAc,CAAC,CAClDI,GAAG,CAAC,UAAAC,IAAA;QAAA,IAAAC,KAAA,OAAAC,eAAA,CAAA5F,OAAA,EAAA0F,IAAA;UAAEG,GAAG,GAAAF,KAAA;UAAEG,KAAK,GAAAH,KAAA;QAAA,UAAAI,MAAA,CAASF,GAAG,OAAAE,MAAA,CAAID,KAAK;MAAA,CAAE,CAAC,CACxCE,IAAI,CAAC,GAAG,CAAC;MACZ,IAAI,CAACxE,KAAK,CAACC,SAAS,CAAC,CAAC,CAACwE,IAAI,CAACrB,QAAQ,EAAE,QAAQ,EAAEW,cAAc,CAAC;IACjE,CAAC,MAAM;MACL;MACA,IAAI,CAAC/D,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAGuD,QAAQ;IAC5C;IAEA,OAAO5B,QAAA,CAAAhD,OAAA,CAAQiD,OAAO,CAAC,CAAC;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEiD,uBAAuB,WAAvBA,uBAAuBA,CAAA,EAAe;IAAA,IAAd1C,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IAClC2C,OAAO,GAAG,IAAAQ,iBAAS,EAACR,OAAO,CAAC;IAC5B,IAAIA,OAAO,CAAC1B,KAAK,KAAK2B,SAAS,IAAI,CAAC,IAAA0C,gBAAQ,EAAC3C,OAAO,CAAC1B,KAAK,CAAC,EAAE;MAC3D,MAAM,IAAIsE,KAAK,CAAC,iDAAiD,CAAC;IACpE;IACA5C,OAAO,CAAC1B,KAAK,GAAG0B,OAAO,CAAC1B,KAAK,IAAI,CAAC,CAAC;IACnC0B,OAAO,CAAC1B,KAAK,CAACuC,UAAU,GAAG,IAAI,CAACC,sBAAsB,CAAC,CAAC;IAExD,OAAO,IAAI,CAAC+B,+BAA+B,CAAC7C,OAAO,CAAC;EACtD,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE6C,+BAA+B,WAA/BA,+BAA+BA,CAAA,EAAe;IAAA,IAAd7C,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IAC1C,IAAI,CAACwC,MAAM,CAACsB,IAAI,CAAC,sDAAsD,CAAC;IAExE,IAAI;MACF,IAAMrD,IAAG,GAAG,IAAI,CAACE,KAAK,CAACqD,WAAW,CAACyB,uBAAuB,CAAC9C,OAAO,CAAC;MAEnE,IAAI,CAAChC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAGC,IAAG;IACvC,CAAC,CAAC,OAAOiF,GAAG,EAAE;MACZ,OAAOvD,QAAA,CAAAhD,OAAA,CAAQwG,MAAM,CAACD,GAAG,CAAC;IAC5B;IAEA,OAAOvD,QAAA,CAAAhD,OAAA,CAAQiD,OAAO,CAAC,CAAC;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEwD,wBAAwB,WAAxBA,wBAAwBA,CAAA,EAAG;IACzB,IAAMpF,QAAQ,GAAGC,aAAG,CAACC,KAAK,CAAC,IAAI,CAACC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,CAACK,IAAI,EAAE,IAAI,CAAC;IAEtEL,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAG,IAAAC,mBAAW,EAACV,QAAQ,CAACQ,KAAK,CAACC,KAAK,IAAI,KAAK,CAAC;IAEjE,IAAI,CAACO,oBAAoB,CAAChB,QAAQ,CAACQ,KAAK,EAAE;MAAC6E,YAAY,EAAE;IAAI,CAAC,CAAC;IAC/D,IAAI,CAACpE,SAAS,CAACjB,QAAQ,CAAC;IAExB,IAAAsF,eAAA,GAAyEtF,QAAQ,CAACQ,KAAK;MAAtE+E,OAAO,GAAAD,eAAA,CAAjBE,QAAQ;MAAW/C,KAAK,GAAA6C,eAAA,CAAL7C,KAAK;MAAEV,KAAK,GAAAuD,eAAA,CAALvD,KAAK;MAAA0D,qBAAA,GAAAH,eAAA,CAAE7E,KAAK;MAAGuC,UAAU,GAAAyC,qBAAA,CAAVzC,UAAU;MAAKvC,KAAK,OAAAiF,yBAAA,CAAA/G,OAAA,EAAA8G,qBAAA,EAAAnI,SAAA;IAEpE,OAAO;MAACiI,OAAO,EAAPA,OAAO;MAAE9C,KAAK,EAALA,KAAK;MAAEV,KAAK,EAALA,KAAK;MAAEtB,KAAK,EAALA;IAAK,CAAC;EACvC,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEkF,MAAM,WAANA,MAAMA,CAAA,EAAe;IAAA,IAAdxD,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IACjB,IAAI,CAAC2C,OAAO,CAACyD,UAAU,EAAE;MACvB,IAAI,CAACzF,KAAK,CAACC,SAAS,CAAC,CAAC,CAACJ,QAAQ,GAAG,IAAI,CAACG,KAAK,CAACqD,WAAW,CAACqC,cAAc,CAAC1D,OAAO,CAAC;IAClF;EACF,CAAC;EAID;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEL,6BAA6B,WAA7BA,6BAA6BA,CAAA,EAAe;IAAA,IAAAgE,MAAA;IAAA,IAAd3D,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IACxC,IAAI,CAACwC,MAAM,CAACsB,IAAI,CAAC,kDAAkD,CAAC;IAEpE,IAAI,CAACnB,OAAO,CAAC5B,IAAI,EAAE;MACjB,OAAOoB,QAAA,CAAAhD,OAAA,CAAQwG,MAAM,CAAC,IAAIJ,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChE;IAEA,IAAMgB,IAAI,GAAG;MACXC,UAAU,EAAE,oBAAoB;MAChCC,YAAY,EAAE,IAAI,CAACC,MAAM,CAACD,YAAY;MACtC1F,IAAI,EAAE4B,OAAO,CAAC5B,IAAI;MAClB4F,oBAAoB,EAAE,IAAI,CAAE;IAC9B,CAAC;IAED,IAAIhE,OAAO,CAACxB,YAAY,EAAE;MACxBoF,IAAI,CAACK,aAAa,GAAGjE,OAAO,CAACxB,YAAY;IAC3C;IAEA,OAAO,IAAI,CAACR,KAAK,CACdkG,OAAO,CAAC;MACPC,MAAM,EAAE,MAAM;MACdC,GAAG,EAAE,IAAI,CAACL,MAAM,CAACM,QAAQ;MACzBT,IAAI,EAAJA,IAAI;MACJU,IAAI,EAAE;QACJC,IAAI,EAAE,IAAI,CAACR,MAAM,CAACS,SAAS;QAC3BC,IAAI,EAAE,IAAI,CAACV,MAAM,CAACW,aAAa;QAC/BC,eAAe,EAAE;MACnB,CAAC;MACDC,wBAAwB,EAAE,KAAK,CAAE;IACnC,CAAC,CAAC,CACDlF,IAAI,CAAC,UAACmF,GAAG,EAAK;MACb;MACAlB,MAAI,CAAC3F,KAAK,CAACqD,WAAW,CAACyD,GAAG,CAAC;QAACC,UAAU,EAAEF,GAAG,CAACG;MAAI,CAAC,CAAC;IACpD,CAAC,CAAC,CACDzF,KAAK,CAAC,UAACsF,GAAG,EAAK;MACd,IAAIA,GAAG,CAACI,UAAU,KAAK,GAAG,EAAE;QAC1B,OAAOzF,QAAA,CAAAhD,OAAA,CAAQwG,MAAM,CAAC6B,GAAG,CAAC;MAC5B;;MAEA;MACA,IAAMK,gBAAgB,GAAGC,sBAAW,CAACC,MAAM,CAACP,GAAG,CAACG,IAAI,CAACpF,KAAK,CAAC;MAE3D,OAAOJ,QAAA,CAAAhD,OAAA,CAAQwG,MAAM,CAAC,IAAIkC,gBAAgB,CAACL,GAAG,CAACQ,IAAI,IAAIR,GAAG,CAAC,CAAC;IAC9D,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACES,8BAA8B,WAA9BA,8BAA8BA,CAACC,eAAe,EAAE;IAC9C,IAAMC,OAAO,GAAG,kCAAkC;IAClD,IAAMC,SAAS,GAAG,IAAIC,eAAe,CAAC,IAAIC,GAAG,CAACJ,eAAe,CAAC,CAACK,MAAM,CAAC;IACtE,IAAMC,QAAQ,GAAGJ,SAAS,CAACK,GAAG,CAAC,UAAU,CAAC;IAE1C,IAAID,QAAQ,EAAE;MACZ,IAAOxG,QAAQ,GAAI,IAAI,CAACrB,KAAK,CAACoB,QAAQ,CAA/BC,QAAQ;MACf,IAAM0G,cAAc,GAAG1G,QAAQ,CAACyG,GAAG,CAAC,cAAc,CAAC;MACnD,IAAME,kBAAkB,GAAG,IAAIL,GAAG,CAACH,OAAO,CAAC;MAC3CQ,kBAAkB,CAACC,YAAY,CAACnB,GAAG,CAAC,UAAU,EAAEe,QAAQ,CAAC;MACzDG,kBAAkB,CAACC,YAAY,CAACnB,GAAG,CAAC,aAAa,EAAEiB,cAAc,CAAC;MAClE,OAAOC,kBAAkB,CAACpF,QAAQ,CAAC,CAAC;IACtC,CAAC,MAAM;MACL,OAAO2E,eAAe;IACxB;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEW,eAAe,WAAfA,eAAeA,CAAA,EAAG;IAAA,IAAAC,MAAA;IAChB,IAAI,IAAI,CAACrJ,YAAY,EAAE;MACrB;MACA,IAAI,CAACF,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,oBAAoB;QAC/BC,IAAI,EAAE;UAACgG,OAAO,EAAE;QAAoC;MACtD,CAAC,CAAC;MACF;IACF;IAEA,IAAI,CAACpI,KAAK,CACPkG,OAAO,CAAC;MACPC,MAAM,EAAE,MAAM;MACdkC,OAAO,EAAE,cAAc;MACvBC,QAAQ,EAAE,2BAA2B;MACrC1C,IAAI,EAAE;QACJY,SAAS,EAAE,IAAI,CAACT,MAAM,CAACS,SAAS;QAChC+B,KAAK,EAAE,IAAI,CAACxC,MAAM,CAACwC;MACrB,CAAC;MACDjC,IAAI,EAAE;QACJC,IAAI,EAAE,IAAI,CAACR,MAAM,CAACS,SAAS;QAC3BC,IAAI,EAAE,IAAI,CAACV,MAAM,CAACW,aAAa;QAC/BC,eAAe,EAAE;MACnB;IACF,CAAC,CAAC,CACDjF,IAAI,CAAC,UAACmF,GAAG,EAAK;MACb,IAAA2B,SAAA,GAAiE3B,GAAG,CAACG,IAAI;QAAlEyB,SAAS,GAAAD,SAAA,CAATC,SAAS;QAAEC,gBAAgB,GAAAF,SAAA,CAAhBE,gBAAgB;QAAEC,yBAAyB,GAAAH,SAAA,CAAzBG,yBAAyB;MAC7D,IAAMC,uBAAuB,GAC3BT,MAAI,CAACb,8BAA8B,CAACqB,yBAAyB,CAAC;MAChER,MAAI,CAACvJ,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,oBAAoB;QAC/B0G,QAAQ,EAAE;UACRhB,QAAQ,EAAEY,SAAS;UACnBK,eAAe,EAAEJ,gBAAgB;UACjCE,uBAAuB,EAAvBA;QACF;MACF,CAAC,CAAC;MACF;MACAT,MAAI,CAACY,mBAAmB,CAAClC,GAAG,CAACG,IAAI,CAAC;IACpC,CAAC,CAAC,CACDzF,KAAK,CAAC,UAACsF,GAAG,EAAK;MACdsB,MAAI,CAACvJ,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,oBAAoB;QAC/BC,IAAI,EAAEyE,GAAG,CAACG;MACZ,CAAC,CAAC;IACJ,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE+B,mBAAmB,WAAnBA,mBAAmBA,CAAA,EAAe;IAAA,IAAAC,iBAAA;MAAAC,MAAA;IAAA,IAAdjH,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IAC9B,IAAI,CAAC2C,OAAO,CAACkH,WAAW,EAAE;MACxB,IAAI,CAACtK,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACgG,OAAO,EAAE;QAA0B;MAC5C,CAAC,CAAC;MACF;IACF;IAEA,IAAI,IAAI,CAACtJ,YAAY,EAAE;MACrB;MACA,IAAI,CAACF,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACgG,OAAO,EAAE;QAAoC;MACtD,CAAC,CAAC;MACF;IACF;IAEA,IAAoBe,UAAU,GAAiCnH,OAAO,CAA/DkH,WAAW;MAAAE,mBAAA,GAA6CpH,OAAO,CAAtCqH,UAAU;MAAEC,SAAS,GAAAF,mBAAA,cAAG,GAAG,GAAAA,mBAAA;IAC3D;IACA,IAAIG,QAAQ,IAAAP,iBAAA,GAAGhH,OAAO,CAACuH,QAAQ,cAAAP,iBAAA,cAAAA,iBAAA,GAAI,CAAC;;IAEpC;IACA,IAAI,CAACjK,sBAAsB,GAAGyK,UAAU,CAAC,YAAM;MAC7CP,MAAI,CAACQ,mBAAmB,CAAC,KAAK,CAAC;MAC/BR,MAAI,CAACrK,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE,sBAAsB;QACjCC,IAAI,EAAE;UAACgG,OAAO,EAAE;QAAyB;MAC3C,CAAC,CAAC;IACJ,CAAC,EAAEkB,SAAS,GAAG,IAAI,CAAC;IAEpB,IAAMI,OAAO,GAAG,SAAVA,OAAOA,CAAA,EAAS;MACpB;MACAT,MAAI,CAACjK,SAAS,IAAI,CAAC;MACnBiK,MAAI,CAAChK,gBAAgB,GAAGgK,MAAI,CAACjK,SAAS;MAEtCiK,MAAI,CAACjJ,KAAK,CACPkG,OAAO,CAAC;QACPC,MAAM,EAAE,MAAM;QACdkC,OAAO,EAAE,cAAc;QACvBC,QAAQ,EAAE,uBAAuB;QACjC1C,IAAI,EAAE;UACJC,UAAU,EAAE,8CAA8C;UAC1DqD,WAAW,EAAEC,UAAU;UACvB3C,SAAS,EAAEyC,MAAI,CAAClD,MAAM,CAACS;QACzB,CAAC;QACDF,IAAI,EAAE;UACJC,IAAI,EAAE0C,MAAI,CAAClD,MAAM,CAACS,SAAS;UAC3BC,IAAI,EAAEwC,MAAI,CAAClD,MAAM,CAACW,aAAa;UAC/BC,eAAe,EAAE;QACnB;MACF,CAAC,CAAC,CACDjF,IAAI,CAAC,UAACmF,GAAG,EAAK;QACb;QACA,IAAIoC,MAAI,CAAChK,gBAAgB,KAAKgK,MAAI,CAACjK,SAAS,EAAE;QAE9CiK,MAAI,CAACrK,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;UACzCsE,SAAS,EAAE,sBAAsB;UACjCC,IAAI,EAAEyE,GAAG,CAACG;QACZ,CAAC,CAAC;QACFiC,MAAI,CAACjJ,KAAK,CAACqD,WAAW,CAACyD,GAAG,CAAC;UAACC,UAAU,EAAEF,GAAG,CAACG;QAAI,CAAC,CAAC;QAClDiC,MAAI,CAACQ,mBAAmB,CAAC,CAAC;MAC5B,CAAC,CAAC,CACDlI,KAAK,CAAC,UAACsF,GAAG,EAAK;QACd,IAAIoC,MAAI,CAAChK,gBAAgB,KAAKgK,MAAI,CAACjK,SAAS,EAAE;;QAE9C;QACA,IAAI6H,GAAG,CAACI,UAAU,KAAK,GAAG,IAAIJ,GAAG,CAACG,IAAI,CAACoB,OAAO,KAAK,WAAW,EAAE;UAC9DuB,eAAe,CAACJ,QAAQ,GAAG,CAAC,CAAC;UAC7B;QACF;;QAEA;QACA,IAAI1C,GAAG,CAACI,UAAU,KAAK,GAAG,EAAE;UAC1BgC,MAAI,CAACrK,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;YACzCsE,SAAS,EAAE,sBAAsB;YACjCC,IAAI,EAAEyE,GAAG,CAACG;UACZ,CAAC,CAAC;UACF2C,eAAe,CAACJ,QAAQ,CAAC;UACzB;QACF;;QAEA;QACAN,MAAI,CAACQ,mBAAmB,CAAC,CAAC;QAE1BR,MAAI,CAACrK,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;UACzCsE,SAAS,EAAE,sBAAsB;UACjCC,IAAI,EAAEyE,GAAG,CAACG;QACZ,CAAC,CAAC;MACJ,CAAC,CAAC;IACN,CAAC;;IAED;IACA,IAAM2C,eAAe,GAAG,SAAlBA,eAAeA,CAAIJ,QAAQ;MAAA,OAC9BN,MAAI,CAACnK,YAAY,GAAG0K,UAAU,CAACE,OAAO,EAAEH,QAAQ,GAAG,IAAI,CAAC;IAAA,CAAC;IAE5DI,eAAe,CAACJ,QAAQ,CAAC;EAC3B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEE,mBAAmB,WAAnBA,mBAAmBA,CAAA,EAAyB;IAAA,IAAxBG,eAAe,GAAAvK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,IAAI;IACxC,IAAI,IAAI,CAACP,YAAY,IAAI8K,eAAe,EAAE;MACxC,IAAI,CAAChL,YAAY,CAACsD,IAAI,CAACxE,MAAM,CAACG,WAAW,EAAE;QACzCsE,SAAS,EAAE;MACb,CAAC,CAAC;IACJ;IAEA,IAAI,CAAClD,gBAAgB,GAAG,IAAI;IAE5B4K,YAAY,CAAC,IAAI,CAAC9K,sBAAsB,CAAC;IACzC,IAAI,CAACA,sBAAsB,GAAG,IAAI;IAClC8K,YAAY,CAAC,IAAI,CAAC/K,YAAY,CAAC;IAC/B,IAAI,CAACA,YAAY,GAAG,IAAI;EAC1B,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEmC,qBAAqB,WAArBA,qBAAqBA,CAACb,IAAI,EAAE;IAC1B,OAAO,CAAAA,IAAI,aAAJA,IAAI,uBAAJA,IAAI,CAAE0J,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAI7H,SAAS;EACzC,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE9B,eAAe,WAAfA,eAAeA,CAACN,QAAQ,EAAE;IACxB,IAAOQ,KAAK,GAAIR,QAAQ,CAAjBQ,KAAK;IAEZ,IAAIA,KAAK,IAAIA,KAAK,CAACuB,KAAK,EAAE;MACxB,IAAMsF,gBAAgB,GAAGC,sBAAW,CAACC,MAAM,CAAC/G,KAAK,CAACuB,KAAK,CAAC;MAExD,MAAM,IAAIsF,gBAAgB,CAAC7G,KAAK,CAAC;IACnC;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACES,SAAS,WAATA,SAASA,CAACjB,QAAQ,EAAE;IAClBA,QAAQ,GAAG,IAAA2C,iBAAS,EAAC3C,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAACG,KAAK,CAACC,SAAS,CAAC,CAAC,CAAC8J,OAAO,IAAI,IAAI,CAAC/J,KAAK,CAACC,SAAS,CAAC,CAAC,CAAC8J,OAAO,CAACC,YAAY,EAAE;MACjF,IAAAC,eAAA,CAAAzL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,MAAM,CAAC;MAC9C,IAAA4J,eAAA,CAAAzL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,UAAU,CAAC;MAClD,IAAA4J,eAAA,CAAAzL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,OAAO,CAAC;MAC/C,IAAI,IAAA6J,eAAO,EAAC,IAAAC,YAAI,EAACtK,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE,YAAY,CAAC,CAAC,EAAE;QACrD,IAAA2J,eAAA,CAAAzL,OAAA,EAAuBqB,QAAQ,CAACQ,KAAK,EAAE,OAAO,CAAC;MACjD,CAAC,MAAM;QACLR,QAAQ,CAACQ,KAAK,CAACC,KAAK,GAAG,IAAA8J,mBAAW,EAAC,IAAAD,YAAI,EAACtK,QAAQ,CAACQ,KAAK,CAACC,KAAK,EAAE,YAAY,CAAC,CAAC;MAC9E;MACAT,QAAQ,CAAC+H,MAAM,GAAGyC,oBAAW,CAACC,SAAS,CAACzK,QAAQ,CAACQ,KAAK,CAAC;MACvD,IAAA4J,eAAA,CAAAzL,OAAA,EAAuBqB,QAAQ,EAAE,OAAO,CAAC;MACzC,IAAI,CAACG,KAAK,CAACC,SAAS,CAAC,CAAC,CAAC8J,OAAO,CAACC,YAAY,CAAC,CAAC,CAAC,EAAE,IAAI,EAAElK,aAAG,CAACyK,MAAM,CAAC1K,QAAQ,CAAC,CAAC;IAC7E;EACF,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEmD,sBAAsB,WAAtBA,sBAAsBA,CAAA,EAAG;IACvB,IAAI,CAACnB,MAAM,CAACsB,IAAI,CAAC,+CAA+C,CAAC;;IAEjE;IACA,IAAMqH,gBAAgB,GAAGC,qBAAS,CAACC,SAAS;IAE5C,IAAMlK,YAAY,GAAGjD,MAAM,CACxBoN,KAAK,CAAC,GAAG,EAAE;MAAA,OAAMH,gBAAgB,CAACjN,MAAM,CAACqN,MAAM,CAAC,CAAC,EAAEJ,gBAAgB,CAAClL,MAAM,GAAG,CAAC,CAAC,CAAC;IAAA,EAAC,CACjFkF,IAAI,CAAC,EAAE,CAAC;IAEX,IAAMqG,aAAa,GAAGnI,iBAAQ,CAACC,MAAM,CAACnC,YAAY,CAAC,CAACoC,QAAQ,CAAC6H,qBAAS,CAAC;IAEvE,IAAI,CAACzK,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACqK,OAAO,CAACrN,oBAAoB,EAAE+C,YAAY,CAAC;IAEjF,OAAOqK,aAAa;EACtB,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE/H,sBAAsB,WAAtBA,sBAAsBA,CAAA,EAAG;IACvB,IAAI,CAACjB,MAAM,CAACsB,IAAI,CAAC,sCAAsC,CAAC;IAExD,IAAM4H,KAAK,GAAGC,aAAI,CAACC,EAAE,CAAC,CAAC;IAEvB,IAAI,CAACjL,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACqK,OAAO,CAAC,mBAAmB,EAAEC,KAAK,CAAC;IAEzE,OAAOA,KAAK;EACd,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACElK,oBAAoB,WAApBA,oBAAoBA,CAACR,KAAK,EAAgB;IAAA,IAAA6K,YAAA;IAAA,IAAdlJ,OAAO,GAAA3C,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4C,SAAA,GAAA5C,SAAA,MAAG,CAAC,CAAC;IACtC,IAAM8L,YAAY,GAAG,IAAI,CAACnL,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACC,OAAO,CAAClD,iBAAiB,CAAC;IAErF,IAAI,CAACwC,KAAK,CAACC,SAAS,CAAC,CAAC,CAACQ,cAAc,CAACE,UAAU,CAACnD,iBAAiB,CAAC;IACnE,IAAI,CAAC2N,YAAY,EAAE;MACjB,IAAInJ,OAAO,CAACkD,YAAY,EAAE;QACxB,MAAM,IAAIN,KAAK,CAAC,yCAAyC,CAAC;MAC5D;MAEA;IACF;IAEA,IAAI,GAAAsG,YAAA,GAAC7K,KAAK,CAACC,KAAK,cAAA4K,YAAA,eAAXA,YAAA,CAAarI,UAAU,GAAE;MAC5B,MAAM,IAAI+B,KAAK,wBAAAL,MAAA,CAAwB4G,YAAY,sCAAmC,CAAC;IACzF;IAEA,IAAMJ,KAAK,GAAG1K,KAAK,CAACC,KAAK,CAACuC,UAAU;IAEpC,IAAIkI,KAAK,KAAKI,YAAY,EAAE;MAC1B,MAAM,IAAIvG,KAAK,eAAAL,MAAA,CAAewG,KAAK,mCAAAxG,MAAA,CAAgC4G,YAAY,CAAE,CAAC;IACpF;EACF,CAAC;EAAAC,OAAA;AACH,CAAC,MAAAC,0BAAA,CAAA7M,OAAA,EAAAlB,IAAA,qCAAAF,IAAA,OAAAkO,yBAAA,CAAA9M,OAAA,EAAAlB,IAAA,qCAAAA,IAAA,OAAA+N,0BAAA,CAAA7M,OAAA,EAAAlB,IAAA,oCAAAD,KAAA,EApdEkO,iBAAS,OAAAD,yBAAA,CAAA9M,OAAA,EAAAlB,IAAA,oCAAAA,IAAA,GAAAA,IAAA,CAodX,CAAC;AAAC,IAAAkO,QAAA,GAAA7N,OAAA,CAAAa,OAAA,GAEYV,aAAa","ignoreList":[]}
|
package/package.json
CHANGED
|
@@ -26,23 +26,23 @@
|
|
|
26
26
|
"@webex/eslint-config-legacy": "0.0.0",
|
|
27
27
|
"@webex/jest-config-legacy": "0.0.0",
|
|
28
28
|
"@webex/legacy-tools": "0.0.0",
|
|
29
|
-
"@webex/test-helper-chai": "3.12.0-next.
|
|
30
|
-
"@webex/test-helper-mocha": "3.12.0-next.
|
|
31
|
-
"@webex/test-helper-mock-webex": "3.12.0-next.
|
|
32
|
-
"@webex/test-helper-test-users": "3.12.0-next.
|
|
29
|
+
"@webex/test-helper-chai": "3.12.0-next.3",
|
|
30
|
+
"@webex/test-helper-mocha": "3.12.0-next.3",
|
|
31
|
+
"@webex/test-helper-mock-webex": "3.12.0-next.3",
|
|
32
|
+
"@webex/test-helper-test-users": "3.12.0-next.3",
|
|
33
33
|
"eslint": "^8.24.0",
|
|
34
34
|
"prettier": "^2.7.1",
|
|
35
35
|
"sinon": "^9.2.4"
|
|
36
36
|
},
|
|
37
37
|
"dependencies": {
|
|
38
|
-
"@webex/common": "3.12.0-next.
|
|
39
|
-
"@webex/storage-adapter-local-storage": "3.12.0-next.
|
|
40
|
-
"@webex/test-helper-automation": "3.12.0-next.
|
|
41
|
-
"@webex/test-helper-chai": "3.12.0-next.
|
|
42
|
-
"@webex/test-helper-mocha": "3.12.0-next.
|
|
43
|
-
"@webex/test-helper-mock-webex": "3.12.0-next.
|
|
44
|
-
"@webex/test-helper-test-users": "3.12.0-next.
|
|
45
|
-
"@webex/webex-core": "3.12.0-next.
|
|
38
|
+
"@webex/common": "3.12.0-next.3",
|
|
39
|
+
"@webex/storage-adapter-local-storage": "3.12.0-next.19",
|
|
40
|
+
"@webex/test-helper-automation": "3.12.0-next.3",
|
|
41
|
+
"@webex/test-helper-chai": "3.12.0-next.3",
|
|
42
|
+
"@webex/test-helper-mocha": "3.12.0-next.3",
|
|
43
|
+
"@webex/test-helper-mock-webex": "3.12.0-next.3",
|
|
44
|
+
"@webex/test-helper-test-users": "3.12.0-next.3",
|
|
45
|
+
"@webex/webex-core": "3.12.0-next.19",
|
|
46
46
|
"crypto-js": "^4.1.1",
|
|
47
47
|
"lodash": "^4.17.21",
|
|
48
48
|
"uuid": "^3.3.2"
|
|
@@ -56,5 +56,5 @@
|
|
|
56
56
|
"test:style": "eslint ./src/**/*.*",
|
|
57
57
|
"test:unit": "webex-legacy-tools test --unit --runner jest"
|
|
58
58
|
},
|
|
59
|
-
"version": "3.12.0-next.
|
|
59
|
+
"version": "3.12.0-next.19"
|
|
60
60
|
}
|
package/src/authorization.js
CHANGED
|
@@ -14,9 +14,9 @@ import querystring from 'querystring';
|
|
|
14
14
|
import url from 'url';
|
|
15
15
|
import {EventEmitter} from 'events';
|
|
16
16
|
|
|
17
|
-
import {
|
|
17
|
+
import {decodeState, encodeState, oneFlight, whileInFlight} from '@webex/common';
|
|
18
18
|
import {grantErrors, WebexPlugin} from '@webex/webex-core';
|
|
19
|
-
import {cloneDeep, isEmpty, omit} from 'lodash';
|
|
19
|
+
import {cloneDeep, isEmpty, omit, isObject} from 'lodash';
|
|
20
20
|
import uuid from 'uuid';
|
|
21
21
|
import base64url from 'crypto-js/enc-base64url';
|
|
22
22
|
import CryptoJS from 'crypto-js';
|
|
@@ -199,7 +199,7 @@ const Authorization = WebexPlugin.extend({
|
|
|
199
199
|
|
|
200
200
|
// Decode and parse state object (if present)
|
|
201
201
|
if (location.query.state) {
|
|
202
|
-
location.query.state =
|
|
202
|
+
location.query.state = decodeState(location.query.state);
|
|
203
203
|
} else {
|
|
204
204
|
location.query.state = {};
|
|
205
205
|
}
|
|
@@ -344,22 +344,27 @@ const Authorization = WebexPlugin.extend({
|
|
|
344
344
|
},
|
|
345
345
|
|
|
346
346
|
/**
|
|
347
|
-
* Initiates third-party (social provider) login
|
|
348
|
-
*
|
|
349
|
-
*
|
|
350
|
-
* Mirrors `initiateLogin`'s role for the standard `/authorize` flow.
|
|
351
|
-
* Delegates to `initiateThirdPartyLoginRedirect` so any pre-redirect
|
|
352
|
-
* security plumbing (CSRF / `state`) can be added here without changing
|
|
353
|
-
* the navigation method.
|
|
347
|
+
* Initiates third-party (social provider) login. Generates a CSRF token,
|
|
348
|
+
* embeds it in `options.state.csrf_token`, and delegates to
|
|
349
|
+
* `initiateThirdPartyLoginRedirect` for navigation.
|
|
354
350
|
*
|
|
355
351
|
* @instance
|
|
356
352
|
* @memberof AuthorizationBrowserFirstParty
|
|
357
353
|
* @param {Object} options
|
|
358
354
|
* @param {string} options.oauth2provider
|
|
359
355
|
* @param {string} options.returnURL
|
|
356
|
+
* @param {Object} [options.state] - Caller-supplied state object. Merged
|
|
357
|
+
* with the generated `csrf_token`.
|
|
360
358
|
* @returns {Promise<void>}
|
|
361
359
|
*/
|
|
362
360
|
initiateThirdPartyLogin(options = {}) {
|
|
361
|
+
options = cloneDeep(options);
|
|
362
|
+
if (options.state !== undefined && !isObject(options.state)) {
|
|
363
|
+
throw new Error('if specified, `options.state` must be an object');
|
|
364
|
+
}
|
|
365
|
+
options.state = options.state || {};
|
|
366
|
+
options.state.csrf_token = this._generateSecurityToken();
|
|
367
|
+
|
|
363
368
|
return this.initiateThirdPartyLoginRedirect(options);
|
|
364
369
|
},
|
|
365
370
|
|
|
@@ -393,6 +398,37 @@ const Authorization = WebexPlugin.extend({
|
|
|
393
398
|
return Promise.resolve();
|
|
394
399
|
},
|
|
395
400
|
|
|
401
|
+
/**
|
|
402
|
+
* Handles the third-party (social provider) login callback. Reads the
|
|
403
|
+
* current `window.location`, decodes `state`, validates the CSRF token
|
|
404
|
+
* (`state.csrf_token`), scrubs sensitive parameters from the URL via
|
|
405
|
+
* `_cleanUrl`, and returns the parsed payload.
|
|
406
|
+
*
|
|
407
|
+
* Mirrors `initialize()` in always operating on the live
|
|
408
|
+
* `window.location`
|
|
409
|
+
*
|
|
410
|
+
* `idToken` is single-use: it is parsed out of the URL exactly once and
|
|
411
|
+
* the calling client is expected to exchange it (or discard it)
|
|
412
|
+
* immediately. The returned `state` has `csrf_token` removed.
|
|
413
|
+
*
|
|
414
|
+
* @instance
|
|
415
|
+
* @memberof AuthorizationBrowserFirstParty
|
|
416
|
+
* @returns {{idToken: string|undefined, email: string|undefined,
|
|
417
|
+
* error: string|undefined, state: Object}}
|
|
418
|
+
*/
|
|
419
|
+
handleThirdPartyCallback() {
|
|
420
|
+
const location = url.parse(this.webex.getWindow().location.href, true);
|
|
421
|
+
|
|
422
|
+
location.query.state = decodeState(location.query.state || 'e30');
|
|
423
|
+
|
|
424
|
+
this._verifySecurityToken(location.query, {requireMatch: true});
|
|
425
|
+
this._cleanUrl(location);
|
|
426
|
+
|
|
427
|
+
const {id_token: idToken, email, error, state: {csrf_token, ...state}} = location.query;
|
|
428
|
+
|
|
429
|
+
return {idToken, email, error, state};
|
|
430
|
+
},
|
|
431
|
+
|
|
396
432
|
/**
|
|
397
433
|
* Called by {@link WebexCore#logout()}.
|
|
398
434
|
* Constructs logout URL and (unless suppressed) navigates away to ensure
|
|
@@ -754,8 +790,9 @@ const Authorization = WebexPlugin.extend({
|
|
|
754
790
|
* - HTTP referrer headers to third-party content
|
|
755
791
|
*
|
|
756
792
|
* Approach:
|
|
757
|
-
* - Remove 'code'
|
|
758
|
-
*
|
|
793
|
+
* - Remove 'code' (OAuth code-grant), 'id_token', and 'email'
|
|
794
|
+
* (third-party callback).
|
|
795
|
+
* - Remove 'state' entirely if it only contained csrf_token.
|
|
759
796
|
* - Else, re-encode remaining state fields (minus csrf_token).
|
|
760
797
|
* - Replace current history entry (no page reload).
|
|
761
798
|
*
|
|
@@ -769,12 +806,12 @@ const Authorization = WebexPlugin.extend({
|
|
|
769
806
|
location = cloneDeep(location);
|
|
770
807
|
if (this.webex.getWindow().history && this.webex.getWindow().history.replaceState) {
|
|
771
808
|
Reflect.deleteProperty(location.query, 'code');
|
|
809
|
+
Reflect.deleteProperty(location.query, 'id_token');
|
|
810
|
+
Reflect.deleteProperty(location.query, 'email');
|
|
772
811
|
if (isEmpty(omit(location.query.state, 'csrf_token'))) {
|
|
773
812
|
Reflect.deleteProperty(location.query, 'state');
|
|
774
813
|
} else {
|
|
775
|
-
location.query.state =
|
|
776
|
-
JSON.stringify(omit(location.query.state, 'csrf_token'))
|
|
777
|
-
);
|
|
814
|
+
location.query.state = encodeState(omit(location.query.state, 'csrf_token'));
|
|
778
815
|
}
|
|
779
816
|
location.search = querystring.stringify(location.query);
|
|
780
817
|
Reflect.deleteProperty(location, 'query');
|
|
@@ -843,27 +880,32 @@ const Authorization = WebexPlugin.extend({
|
|
|
843
880
|
* - Ensure state + state.csrf_token exist.
|
|
844
881
|
* - Compare values; throw descriptive errors on mismatch / absence.
|
|
845
882
|
*
|
|
846
|
-
* If no stored token (e.g., user navigated directly), silently returns
|
|
883
|
+
* If no stored token (e.g., user navigated directly), silently returns
|
|
884
|
+
* unless `options.requireMatch` is `true`, in which case absence of a
|
|
885
|
+
* stored token is treated as a CSRF failure.
|
|
847
886
|
*
|
|
848
887
|
* @instance
|
|
849
888
|
* @memberof AuthorizationBrowserFirstParty
|
|
850
889
|
* @param {Object} query - Parsed query (location.query)
|
|
890
|
+
* @param {Object} [options]
|
|
891
|
+
* @param {boolean} [options.requireMatch=false] - When true, throws if
|
|
892
|
+
* no stored sessionToken is present.
|
|
851
893
|
* @private
|
|
852
894
|
* @returns {void}
|
|
853
895
|
*/
|
|
854
|
-
_verifySecurityToken(query) {
|
|
896
|
+
_verifySecurityToken(query, options = {}) {
|
|
855
897
|
const sessionToken = this.webex.getWindow().sessionStorage.getItem(OAUTH2_CSRF_TOKEN);
|
|
856
898
|
|
|
857
899
|
this.webex.getWindow().sessionStorage.removeItem(OAUTH2_CSRF_TOKEN);
|
|
858
900
|
if (!sessionToken) {
|
|
859
|
-
|
|
860
|
-
|
|
901
|
+
if (options.requireMatch) {
|
|
902
|
+
throw new Error('CSRF token missing from session storage');
|
|
903
|
+
}
|
|
861
904
|
|
|
862
|
-
|
|
863
|
-
throw new Error(`Expected CSRF token ${sessionToken}, but not found in redirect query`);
|
|
905
|
+
return;
|
|
864
906
|
}
|
|
865
907
|
|
|
866
|
-
if (!query.state
|
|
908
|
+
if (!query.state?.csrf_token) {
|
|
867
909
|
throw new Error(`Expected CSRF token ${sessionToken}, but not found in redirect query`);
|
|
868
910
|
}
|
|
869
911
|
|
|
@@ -573,12 +573,13 @@ describe('plugin-authorization-browser-first-party', () => {
|
|
|
573
573
|
});
|
|
574
574
|
|
|
575
575
|
describe('#initiateThirdPartyLogin()', () => {
|
|
576
|
-
it('
|
|
576
|
+
it('generates a csrf_token, embeds it in state, and delegates to #initiateThirdPartyLoginRedirect', () => {
|
|
577
577
|
const webex = makeWebex();
|
|
578
578
|
const expected = Promise.resolve();
|
|
579
579
|
const stub = sinon
|
|
580
580
|
.stub(webex.authorization, 'initiateThirdPartyLoginRedirect')
|
|
581
581
|
.returns(expected);
|
|
582
|
+
sinon.stub(webex.authorization, '_generateSecurityToken').returns('csrf-1234');
|
|
582
583
|
const options = {
|
|
583
584
|
oauth2provider: 'google',
|
|
584
585
|
returnURL: 'https://web.webex.com',
|
|
@@ -587,10 +588,64 @@ describe('plugin-authorization-browser-first-party', () => {
|
|
|
587
588
|
const result = webex.authorization.initiateThirdPartyLogin(options);
|
|
588
589
|
|
|
589
590
|
assert.equal(result, expected);
|
|
590
|
-
assert.
|
|
591
|
+
assert.calledOnce(webex.authorization._generateSecurityToken);
|
|
592
|
+
assert.calledOnce(stub);
|
|
593
|
+
const passed = stub.getCall(0).args[0];
|
|
594
|
+
|
|
595
|
+
assert.deepEqual(passed, {
|
|
596
|
+
oauth2provider: 'google',
|
|
597
|
+
returnURL: 'https://web.webex.com',
|
|
598
|
+
state: {csrf_token: 'csrf-1234'},
|
|
599
|
+
});
|
|
600
|
+
// Caller's options object is not mutated
|
|
601
|
+
assert.notProperty(options, 'state');
|
|
591
602
|
|
|
592
603
|
return result;
|
|
593
604
|
});
|
|
605
|
+
|
|
606
|
+
it('merges generated csrf_token into caller-supplied state without mutating the caller object', () => {
|
|
607
|
+
const webex = makeWebex();
|
|
608
|
+
sinon
|
|
609
|
+
.stub(webex.authorization, 'initiateThirdPartyLoginRedirect')
|
|
610
|
+
.returns(Promise.resolve());
|
|
611
|
+
sinon.stub(webex.authorization, '_generateSecurityToken').returns('csrf-1234');
|
|
612
|
+
const options = {
|
|
613
|
+
oauth2provider: 'google',
|
|
614
|
+
returnURL: 'https://web.webex.com',
|
|
615
|
+
state: {popUpSignIn: true, mode: 'meeting'},
|
|
616
|
+
};
|
|
617
|
+
|
|
618
|
+
return webex.authorization.initiateThirdPartyLogin(options).then(() => {
|
|
619
|
+
const passed = webex.authorization.initiateThirdPartyLoginRedirect.getCall(0).args[0];
|
|
620
|
+
|
|
621
|
+
assert.deepEqual(passed.state, {
|
|
622
|
+
popUpSignIn: true,
|
|
623
|
+
mode: 'meeting',
|
|
624
|
+
csrf_token: 'csrf-1234',
|
|
625
|
+
});
|
|
626
|
+
// Caller-supplied state is not mutated
|
|
627
|
+
assert.deepEqual(options.state, {popUpSignIn: true, mode: 'meeting'});
|
|
628
|
+
});
|
|
629
|
+
});
|
|
630
|
+
|
|
631
|
+
it('throws (before generating a csrf_token) when state is supplied but is not an object', () => {
|
|
632
|
+
const webex = makeWebex();
|
|
633
|
+
const redirectStub = sinon.stub(webex.authorization, 'initiateThirdPartyLoginRedirect');
|
|
634
|
+
const tokenStub = sinon.stub(webex.authorization, '_generateSecurityToken');
|
|
635
|
+
|
|
636
|
+
assert.throws(
|
|
637
|
+
() =>
|
|
638
|
+
webex.authorization.initiateThirdPartyLogin({
|
|
639
|
+
oauth2provider: 'google',
|
|
640
|
+
returnURL: 'https://web.webex.com',
|
|
641
|
+
state: 'not-an-object',
|
|
642
|
+
}),
|
|
643
|
+
/`options.state` must be an object/
|
|
644
|
+
);
|
|
645
|
+
|
|
646
|
+
assert.notCalled(tokenStub);
|
|
647
|
+
assert.notCalled(redirectStub);
|
|
648
|
+
});
|
|
594
649
|
});
|
|
595
650
|
|
|
596
651
|
describe('#initiateThirdPartyLoginRedirect()', () => {
|
|
@@ -627,6 +682,153 @@ describe('plugin-authorization-browser-first-party', () => {
|
|
|
627
682
|
});
|
|
628
683
|
});
|
|
629
684
|
|
|
685
|
+
describe('#_verifySecurityToken() requireMatch', () => {
|
|
686
|
+
it('silently returns undefined when no stored token and requireMatch is false', () => {
|
|
687
|
+
const webex = makeWebex();
|
|
688
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(null);
|
|
689
|
+
|
|
690
|
+
const result = webex.authorization._verifySecurityToken({});
|
|
691
|
+
|
|
692
|
+
assert.isUndefined(result);
|
|
693
|
+
});
|
|
694
|
+
|
|
695
|
+
it('throws when no stored token and requireMatch is true', () => {
|
|
696
|
+
const webex = makeWebex();
|
|
697
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(null);
|
|
698
|
+
|
|
699
|
+
assert.throws(() => {
|
|
700
|
+
webex.authorization._verifySecurityToken({}, {requireMatch: true});
|
|
701
|
+
}, /CSRF token missing from session storage/);
|
|
702
|
+
});
|
|
703
|
+
});
|
|
704
|
+
|
|
705
|
+
describe('#handleThirdPartyCallback()', () => {
|
|
706
|
+
const buildState = (state) => base64.toBase64Url(JSON.stringify(state));
|
|
707
|
+
|
|
708
|
+
// Mirror the SDK behaviour: replaceState writes the cleaned URL to
|
|
709
|
+
// location.href, so we can re-parse it and assert against named query
|
|
710
|
+
// params instead of substring-matching the raw URL.
|
|
711
|
+
const parseLocationQuery = (webex) => url.parse(webex.getWindow().location.href, true).query;
|
|
712
|
+
|
|
713
|
+
it('CSRF round-trip succeeds, scrubs sensitive params, and resolves with payload', () => {
|
|
714
|
+
const storedToken = 'csrf-abc';
|
|
715
|
+
const state = {csrf_token: storedToken, popUpSignIn: true, mode: 'meeting'};
|
|
716
|
+
const search = `?id_token=id-1&email=user%40example.com&state=${buildState(state)}`;
|
|
717
|
+
const webex = makeWebex(`http://example.com/${search}`, storedToken);
|
|
718
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(storedToken);
|
|
719
|
+
|
|
720
|
+
const result = webex.authorization.handleThirdPartyCallback();
|
|
721
|
+
|
|
722
|
+
assert.deepEqual(result, {
|
|
723
|
+
idToken: 'id-1',
|
|
724
|
+
email: 'user@example.com',
|
|
725
|
+
error: undefined,
|
|
726
|
+
state: {popUpSignIn: true, mode: 'meeting'},
|
|
727
|
+
});
|
|
728
|
+
// Stored token consumed
|
|
729
|
+
assert.calledWith(webex.getWindow().sessionStorage.removeItem, 'oauth2-csrf-token');
|
|
730
|
+
// URL scrubbed: no id_token/email/csrf_token left, residual state re-encoded.
|
|
731
|
+
assert.called(webex.getWindow().history.replaceState);
|
|
732
|
+
const cleanedQuery = parseLocationQuery(webex);
|
|
733
|
+
|
|
734
|
+
assert.notProperty(cleanedQuery, 'id_token');
|
|
735
|
+
assert.notProperty(cleanedQuery, 'email');
|
|
736
|
+
assert.deepEqual(JSON.parse(base64.decode(cleanedQuery.state)), {
|
|
737
|
+
popUpSignIn: true,
|
|
738
|
+
mode: 'meeting',
|
|
739
|
+
});
|
|
740
|
+
});
|
|
741
|
+
|
|
742
|
+
it('throws when no stored CSRF token (treated as CSRF failure)', () => {
|
|
743
|
+
const search = `?id_token=id-1&state=${buildState({csrf_token: 'csrf-abc'})}`;
|
|
744
|
+
const webex = makeWebex(`http://example.com/${search}`);
|
|
745
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(null);
|
|
746
|
+
|
|
747
|
+
assert.throws(
|
|
748
|
+
() => webex.authorization.handleThirdPartyCallback(),
|
|
749
|
+
/CSRF token missing from session storage/
|
|
750
|
+
);
|
|
751
|
+
});
|
|
752
|
+
|
|
753
|
+
it('throws when state.csrf_token does not match stored token', () => {
|
|
754
|
+
const search = `?id_token=id-1&state=${buildState({csrf_token: 'attacker'})}`;
|
|
755
|
+
const webex = makeWebex(`http://example.com/${search}`, 'real-token');
|
|
756
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns('real-token');
|
|
757
|
+
|
|
758
|
+
assert.throws(
|
|
759
|
+
() => webex.authorization.handleThirdPartyCallback(),
|
|
760
|
+
/CSRF token attacker does not match stored token real-token/
|
|
761
|
+
);
|
|
762
|
+
});
|
|
763
|
+
|
|
764
|
+
it('throws the native decode error (not a wrapped message) when state is malformed', () => {
|
|
765
|
+
// base64('not json') decodes to 'not json' which is not valid JSON
|
|
766
|
+
const search = `?id_token=id-1&state=bm90IGpzb24%3D`;
|
|
767
|
+
const webex = makeWebex(`http://example.com/${search}`, 'csrf-abc');
|
|
768
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns('csrf-abc');
|
|
769
|
+
|
|
770
|
+
// _verifySecurityToken is never reached because decode throws first;
|
|
771
|
+
// surface the underlying SyntaxError untouched.
|
|
772
|
+
assert.throws(() => webex.authorization.handleThirdPartyCallback(), SyntaxError);
|
|
773
|
+
});
|
|
774
|
+
|
|
775
|
+
it('throws on error responses that lack a valid state (still verifies CSRF)', () => {
|
|
776
|
+
// Social provider returned ?error=... without echoing state. We must
|
|
777
|
+
// not silently treat this as a successful callback.
|
|
778
|
+
const search = `?error=FailedToCallOAuthProvider`;
|
|
779
|
+
const webex = makeWebex('http://example.com', 'csrf-abc');
|
|
780
|
+
webex.getWindow().location.href = `http://example.com/${search}`;
|
|
781
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns('csrf-abc');
|
|
782
|
+
|
|
783
|
+
assert.throws(
|
|
784
|
+
() => webex.authorization.handleThirdPartyCallback(),
|
|
785
|
+
/Expected CSRF token csrf-abc, but not found in redirect query/
|
|
786
|
+
);
|
|
787
|
+
});
|
|
788
|
+
|
|
789
|
+
it('throws CSRF error when location has no query params at all', () => {
|
|
790
|
+
const webex = makeWebex('http://example.com/', 'csrf-abc');
|
|
791
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns('csrf-abc');
|
|
792
|
+
|
|
793
|
+
assert.throws(
|
|
794
|
+
() => webex.authorization.handleThirdPartyCallback(),
|
|
795
|
+
/Expected CSRF token csrf-abc, but not found in redirect query/
|
|
796
|
+
);
|
|
797
|
+
});
|
|
798
|
+
|
|
799
|
+
it('throws when state is absent even if no stored CSRF token exists (requireMatch)', () => {
|
|
800
|
+
const webex = makeWebex('http://example.com/?id_token=id-1');
|
|
801
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(null);
|
|
802
|
+
|
|
803
|
+
assert.throws(
|
|
804
|
+
() => webex.authorization.handleThirdPartyCallback(),
|
|
805
|
+
/CSRF token missing from session storage/
|
|
806
|
+
);
|
|
807
|
+
});
|
|
808
|
+
|
|
809
|
+
it('returns error value in the result and preserves non-csrf state', () => {
|
|
810
|
+
const storedToken = 'csrf-abc';
|
|
811
|
+
const search = `?error=FailedToCallOAuthProvider&state=${buildState({
|
|
812
|
+
csrf_token: storedToken,
|
|
813
|
+
popUpSignIn: true,
|
|
814
|
+
})}`;
|
|
815
|
+
const webex = makeWebex('http://example.com', storedToken);
|
|
816
|
+
webex.getWindow().location.href = `http://example.com/${search}`;
|
|
817
|
+
webex.getWindow().sessionStorage.getItem = sinon.stub().returns(storedToken);
|
|
818
|
+
|
|
819
|
+
const result = webex.authorization.handleThirdPartyCallback();
|
|
820
|
+
|
|
821
|
+
assert.deepEqual(result, {
|
|
822
|
+
idToken: undefined,
|
|
823
|
+
email: undefined,
|
|
824
|
+
error: 'FailedToCallOAuthProvider',
|
|
825
|
+
state: {popUpSignIn: true},
|
|
826
|
+
});
|
|
827
|
+
// `error` is non-sensitive; not scrubbed from the URL.
|
|
828
|
+
assert.equal(parseLocationQuery(webex).error, 'FailedToCallOAuthProvider');
|
|
829
|
+
});
|
|
830
|
+
});
|
|
831
|
+
|
|
630
832
|
describe('#_generateQRCodeVerificationUrl()', () => {
|
|
631
833
|
it('should generate a QR code URL when a userCode is present', () => {
|
|
632
834
|
const verificationUrl = 'https://example.com/verify?userCode=123456';
|
|
@@ -1095,7 +1297,33 @@ describe('plugin-authorization-browser-first-party', () => {
|
|
|
1095
1297
|
|
|
1096
1298
|
assert.isDefined(href);
|
|
1097
1299
|
assert.equal(href, `?state=${base64.encode(JSON.stringify({key: 'value'}))}`);
|
|
1098
|
-
|
|
1300
|
+
});
|
|
1301
|
+
|
|
1302
|
+
it('strips id_token and email from the query string', () => {
|
|
1303
|
+
const webex = makeWebex(undefined, undefined, {
|
|
1304
|
+
credentials: {
|
|
1305
|
+
clientType: 'confidential',
|
|
1306
|
+
},
|
|
1307
|
+
});
|
|
1308
|
+
const location = {
|
|
1309
|
+
query: {
|
|
1310
|
+
code: 'code',
|
|
1311
|
+
id_token: 'id-token-value',
|
|
1312
|
+
email: 'user@example.com',
|
|
1313
|
+
state: {
|
|
1314
|
+
csrf_token: 'token',
|
|
1315
|
+
key: 'value',
|
|
1316
|
+
},
|
|
1317
|
+
},
|
|
1318
|
+
};
|
|
1319
|
+
|
|
1320
|
+
webex.authorization._cleanUrl(location);
|
|
1321
|
+
assert.called(webex.getWindow().history.replaceState);
|
|
1322
|
+
const {href} = webex.getWindow().location;
|
|
1323
|
+
|
|
1324
|
+
assert.notInclude(href, 'id_token');
|
|
1325
|
+
assert.notInclude(href, 'email');
|
|
1326
|
+
assert.notInclude(href, 'code');
|
|
1099
1327
|
});
|
|
1100
1328
|
});
|
|
1101
1329
|
|