@workos-inc/authkit-nextjs 3.0.0-beta.1 → 3.0.0

package/dist/esm/pkce.js

@@ -0,0 +1,38 @@
+import { unsealData } from 'iron-session';
+import { cookies } from 'next/headers';
+import * as v from 'valibot';
+import { getPKCECookieOptions } from './cookie.js';
+import { WORKOS_COOKIE_PASSWORD } from './env-variables.js';
+import { StateSchema } from './interfaces.js';
+export const PKCE_COOKIE_NAME = 'wos-auth-verifier';
+const PKCE_COOKIE_MAX_AGE = 600; // 10 minutes
+/**
+ * Set the PKCE verifier cookie in server action context.
+ * In middleware context, callers must set the cookie via Set-Cookie headers instead.
+ */
+export async function setPKCECookie(sealedState) {
+    const nextCookies = await cookies();
+    const { domain, path, sameSite, secure } = getPKCECookieOptions();
+    nextCookies.set(PKCE_COOKIE_NAME, sealedState, {
+        domain,
+        path,
+        sameSite,
+        secure,
+        httpOnly: true,
+        maxAge: PKCE_COOKIE_MAX_AGE,
+    });
+}
+/**
+ * Read and unseal the auth cookie containing PKCE code verifier and OAuth state.
+ * Throws if the cookie is not in the required state
+ */
+export async function getStateFromPKCECookieValue(cookieValue) {
+    // NOTE: TypeScript compiler won't flag if we Seal different data in than we Unseal
+    // Also, this function is not in a critically-high-performance path, so runtime validation
+    // is an acceptable tradeoff for increased security and type-safety
+    const unsealed = await unsealData(cookieValue, {
+        password: WORKOS_COOKIE_PASSWORD,
+    });
+    return v.parse(StateSchema, unsealed);
+}
+//# sourceMappingURL=pkce.js.map

package/dist/esm/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAS,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAErD,MAAM,CAAC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC;AACpD,MAAM,mBAAmB,GAAG,GAAG,CAAC,CAAC,aAAa;AAE9C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAElE,WAAW,CAAC,GAAG,CAAC,gBAAgB,EAAE,WAAW,EAAE;QAC7C,MAAM;QACN,IAAI;QACJ,QAAQ;QACR,MAAM;QACN,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,mBAAmB;KAC5B,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,WAAmB;IACnE,mFAAmF;IACnF,0FAA0F;IAC1F,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,WAAW,EAAE;QAC7C,QAAQ,EAAE,sBAAsB;KACjC,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC"}

package/dist/esm/session.js

@@ -3,18 +3,54 @@ import { sealData, unsealData } from 'iron-session';
 import { createRemoteJWKSet, decodeJwt, jwtVerify } from 'jose';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
-import { NextResponse } from 'next/server';
-import { getCookieOptions, getJwtCookie } from './cookie.js';
+import { getCookieOptions, getJwtCookie, getPKCECookieOptions } from './cookie.js';
 import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
+import { TokenRefreshError, getSessionErrorContext } from './errors.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
+import { PKCE_COOKIE_NAME, setPKCECookie } from './pkce.js';
 import { getWorkOS } from './workos.js';
 import { parse, tokensToRegexp } from 'path-to-regexp';
-import { lazy, redirectWithFallback } from './utils.js';
+import { handleAuthkitHeaders } from './middleware-helpers.js';
+import { lazy, setCachePreventionHeaders } from './utils.js';
+function appendPKCESetCookieHeader(headers, sealedState, requestUrl) {
+    headers.append('Set-Cookie', `${PKCE_COOKIE_NAME}=${sealedState}; ${getPKCECookieOptions(requestUrl, true)}`);
+}
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
 const signUpPathsHeaderName = 'x-sign-up-paths';
 const jwtCookieName = 'workos-access-token';
 const JWKS = lazy(() => createRemoteJWKSet(new URL(getWorkOS().userManagement.getJwksUrl(WORKOS_CLIENT_ID))));
+/**
+ * Applies cache security headers with Vary header deduplication.
+ * Only applies headers if the request is authenticated (has session, cookie, or Authorization header).
+ * Used in middleware where existing Vary headers may already be present.
+ * @param headers - The Headers object to set the cache security headers on.
+ * @param request - The NextRequest object to check for authentication.
+ * @param sessionData - Optional session data to check for authentication.
+ */
+function applyCacheSecurityHeaders(headers, request, sessionData) {
+    const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+    // Only apply cache headers for authenticated requests
+    if (!sessionData?.accessToken && !request.cookies.has(cookieName) && !request.headers.has('authorization')) {
+        return;
+    }
+    const varyValues = new Set(['cookie']);
+    if (request.headers.has('authorization')) {
+        varyValues.add('authorization');
+    }
+    const currentVary = headers.get('Vary');
+    if (currentVary) {
+        currentVary.split(',').forEach((v) => {
+            const trimmed = v.trim().toLowerCase();
+            if (trimmed)
+                varyValues.add(trimmed);
+        });
+    }
+    headers.set('Vary', Array.from(varyValues)
+        .map((v) => v.charAt(0).toUpperCase() + v.slice(1))
+        .join(', '));
+    setCachePreventionHeaders(headers);
+}
 /**
  * Determines if a request is for an initial document load (not API/RSC/prefetch)
  */
@@ -69,23 +105,21 @@ async function updateSessionMiddleware(request, debug, middlewareAuth, redirectU
         screenHint: getScreenHint(signUpPaths, request.nextUrl.pathname),
         eagerAuth,
     });
+    // Record the sign up paths so we can use them later
+    if (signUpPaths.length > 0) {
+        headers.set(signUpPathsHeaderName, signUpPaths.join(','));
+    }
+    applyCacheSecurityHeaders(headers, request, session);
     // If the user is logged out and this path isn't on the allowlist for logged out paths, redirect to AuthKit.
     if (middlewareAuth.enabled && matchedPaths.length === 0 && !session.user) {
         if (debug) {
             console.log(`Unauthenticated user on protected route ${request.url}, redirecting to AuthKit`);
         }
-        return redirectWithFallback(authorizationUrl, headers);
+        return handleAuthkitHeaders(request, headers, { redirect: authorizationUrl });
     }
-    // Record the sign up paths so we can use them later
-    if (signUpPaths.length > 0) {
-        headers.set(signUpPathsHeaderName, signUpPaths.join(','));
-    }
-    return NextResponse.next({
-        headers,
-    });
+    return handleAuthkitHeaders(request, headers);
 }
 async function updateSession(request, options = { debug: false }) {
-    var _a, _b;
     const session = await getSessionFromCookie(request);
     // Since we're setting the headers in the response, we need to create a new Headers object without copying
     // the request headers.
@@ -107,18 +141,21 @@ async function updateSession(request, options = { debug: false }) {
         if (options.debug) {
             console.log('No session found from cookie');
         }
+        const { url: authorizationUrl, sealedState } = await getAuthorizationUrl({
+            returnPathname: getReturnPathname(request.url),
+            redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
+            screenHint: options.screenHint,
+        });
+        appendPKCESetCookieHeader(newRequestHeaders, sealedState, request.url);
         return {
             session: { user: null },
             headers: newRequestHeaders,
-            authorizationUrl: await getAuthorizationUrl({
-                returnPathname: getReturnPathname(request.url),
-                redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
-                screenHint: options.screenHint,
-            }),
+            authorizationUrl,
         };
     }
     const hasValidSession = await verifyAccessToken(session.accessToken);
     const cookieName = WORKOS_COOKIE_NAME || 'wos-session';
+    applyCacheSecurityHeaders(newRequestHeaders, request, session);
     if (hasValidSession) {
         newRequestHeaders.set(sessionHeaderName, request.cookies.get(cookieName).value);
         const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags, } = decodeJwt(session.accessToken);
@@ -176,7 +213,7 @@ async function updateSession(request, options = { debug: false }) {
             newRequestHeaders.append('Set-Cookie', getJwtCookie(accessToken, request.url));
         }
         const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags, } = decodeJwt(accessToken);
-        (_a = options.onSessionRefreshSuccess) === null || _a === void 0 ? void 0 : _a.call(options, { accessToken, user, impersonator, organizationId });
+        options.onSessionRefreshSuccess?.({ accessToken, user, impersonator, organizationId });
         return {
             session: {
                 sessionId,
@@ -205,14 +242,16 @@ async function updateSession(request, options = { debug: false }) {
             const deleteJwtCookie = getJwtCookie(null, request.url, true);
             newRequestHeaders.append('Set-Cookie', deleteJwtCookie);
         }
-        (_b = options.onSessionRefreshError) === null || _b === void 0 ? void 0 : _b.call(options, { error: e, request });
+        options.onSessionRefreshError?.({ error: e, request });
+        const { url: authorizationUrl, sealedState } = await getAuthorizationUrl({
+            returnPathname: getReturnPathname(request.url),
+            redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
+        });
+        appendPKCESetCookieHeader(newRequestHeaders, sealedState, request.url);
         return {
             session: { user: null },
             headers: newRequestHeaders,
-            authorizationUrl: await getAuthorizationUrl({
-                returnPathname: getReturnPathname(request.url),
-                redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
-            }),
+            authorizationUrl,
         };
     }
 }
@@ -230,13 +269,11 @@ async function refreshSession({ organizationId: nextOrganizationId, ensureSigned
         refreshResult = await getWorkOS().userManagement.authenticateWithRefreshToken({
             clientId: WORKOS_CLIENT_ID,
             refreshToken: session.refreshToken,
-            organizationId: nextOrganizationId !== null && nextOrganizationId !== void 0 ? nextOrganizationId : organizationIdFromAccessToken,
+            organizationId: nextOrganizationId ?? organizationIdFromAccessToken,
         });
     }
     catch (error) {
-        throw new Error(`Failed to refresh session: ${error instanceof Error ? error.message : String(error)}`, {
-            cause: error,
-        });
+        throw new TokenRefreshError(`Failed to refresh session: ${error instanceof Error ? error.message : String(error)}`, error, getSessionErrorContext(session));
     }
     const headersList = await headers();
     const url = headersList.get('x-url');
@@ -271,21 +308,22 @@ function getMiddlewareAuthPathRegex(pathGlob) {
     }
 }
 async function redirectToSignIn() {
-    var _a;
     const headersList = await headers();
     const url = headersList.get('x-url');
     if (!url) {
         throw new Error('No URL found in the headers');
     }
     // Determine if the current route is in the sign up paths
-    const signUpPaths = (_a = headersList.get(signUpPathsHeaderName)) === null || _a === void 0 ? void 0 : _a.split(',');
+    const signUpPaths = headersList.get(signUpPathsHeaderName)?.split(',');
     const pathname = new URL(url).pathname;
     const screenHint = getScreenHint(signUpPaths, pathname);
     const returnPathname = getReturnPathname(url);
-    redirect(await getAuthorizationUrl({ returnPathname, screenHint }));
+    const { url: authkitUrl, sealedState } = await getAuthorizationUrl({ returnPathname, screenHint });
+    await setPKCECookie(sealedState);
+    redirect(authkitUrl);
 }
 export async function getTokenClaims(accessToken) {
-    const token = accessToken !== null && accessToken !== void 0 ? accessToken : (await withAuth()).accessToken;
+    const token = accessToken ?? (await withAuth()).accessToken;
     if (!token) {
         return {};
     }
@@ -294,7 +332,7 @@ export async function getTokenClaims(accessToken) {
 async function withAuth(options) {
     const session = await getSessionFromHeader();
     if (!session) {
-        if (options === null || options === void 0 ? void 0 : options.ensureSignedIn) {
+        if (options?.ensureSignedIn) {
             await redirectToSignIn();
         }
         return { user: null };
@@ -318,7 +356,7 @@ async function verifyAccessToken(accessToken) {
         await jwtVerify(accessToken, JWKS());
         return true;
     }
-    catch (_a) {
+    catch {
         return false;
     }
 }
@@ -343,7 +381,7 @@ async function getSessionFromHeader() {
     const hasMiddleware = Boolean(headersList.get(middlewareHeaderName));
     if (!hasMiddleware) {
         const url = headersList.get('x-url');
-        throw new Error(`You are calling 'withAuth' on ${url !== null && url !== void 0 ? url : 'a route'} that isn’t covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`);
+        throw new Error(`You are calling 'withAuth' on ${url ?? 'a route'} that isn't covered by the AuthKit middleware. Make sure it is running on all paths you are calling 'withAuth' from by updating your middleware config in 'middleware.(js|ts)'.`);
     }
     const authHeader = headersList.get(sessionHeaderName);
     if (!authHeader)
@@ -352,7 +390,7 @@ async function getSessionFromHeader() {
 }
 function getReturnPathname(url) {
     const newUrl = new URL(url);
-    return `${newUrl.pathname}${newUrl.searchParams.size > 0 ? '?' + newUrl.searchParams.toString() : ''}`;
+    return `${newUrl.pathname}${newUrl.search}`;
 }
 function getScreenHint(signUpPaths, pathname) {
     if (!signUpPaths)

package/dist/esm/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAc,kBAAkB,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAExD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,qBAAqB,GAAG,iBAAiB,CAAC;AAChD,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB;IACpD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACjG,MAAM,UAAU,GACd,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,UAAU;QAC7C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,UAAU;QACjD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAE9C,OAAO,iBAAiB,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,QAAQ,CAAC,OAAO,EAAE;QACvB,QAAQ,EAAE,sBAAsB;QAChC,GAAG,EAAE,CAAC;KACP,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,OAAoB,EACpB,KAAc,EACd,cAAqC,EACrC,WAAmB,EACnB,WAAqB,EACrB,SAAS,GAAG,KAAK;IAEjB,IAAI,CAAC,WAAW,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC;IAED,IAAI,CAAC,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC;IAER,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACrC,CAAC;IAED,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;QAC1E,KAAK;QACL,WAAW;QACX,UAAU,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChE,SAAS;KACV,CAAC,CAAC;IAEH,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,2CAA2C,OAAO,CAAC,GAAG,0BAA0B,CAAC,CAAC;QAChG,CAAC;QAED,OAAO,oBAAoB,CAAC,gBAA0B,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;IAED,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC;QACvB,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,UAA0B,EAAE,KAAK,EAAE,KAAK,EAAE;;IAE1C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAEpD,0GAA0G;IAC1G,uBAAuB;IACvB,6EAA6E;IAC7E,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAAE,CAAC;IAExC,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,mGAAmG;QACnG,gEAAgE;QAChE,iBAAiB,CAAC,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC;IAED,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;gBAC1C,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;gBAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;gBACvD,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B,CAAC;SACH,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,IAAI,eAAe,EAAE,CAAC;QACpB,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAEjF,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAEhD,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC7D,0DAA0D;YAC1D,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBAC1E,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,uBAAuB;YACvB,OAAO,CAAC,GAAG,CACT,oBAAoB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,wCAAwC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAC/I,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,GACrD,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5D,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,6BAA6B;SAC9C,CAAC,CAAC;QAEL,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;QACD,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI;YACJ,YAAY;SACb,CAAC,CAAC;QAEH,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,UAAU,IAAI,gBAAgB,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACpH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;QAExC,MAAA,OAAO,CAAC,uBAAuB,wDAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,CAAC,CAAC;QAEvF,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI;gBACJ,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,WAAW;aACZ;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,0GAA0G;QAC1G,MAAM,YAAY,GAAG,GAAG,UAAU,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1H,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAErD,4CAA4C;QAC5C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC9D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC1D,CAAC;QAED,MAAA,OAAO,CAAC,qBAAqB,wDAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAEvD,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;gBAC1C,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;gBAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;aACxD,CAAC;SACH,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,cAAc,CAAC,EAC5B,cAAc,EAAE,kBAAkB,EAClC,cAAc,GAAG,KAAK,MAIpB,EAAE;IACJ,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9F,IAAI,aAAa,CAAC;IAElB,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5E,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,6BAA6B;SACpE,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE;YACtG,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,MAAM,WAAW,CAAC,aAAa,EAAE,GAAG,IAAI,mBAAmB,CAAC,CAAC;IAE7D,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;IAE1D,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;IAExC,OAAO;QACL,SAAS;QACT,IAAI;QACJ,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAE5C,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB;;IAC7B,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,yDAAyD;IACzD,MAAM,WAAW,GAAG,MAAA,WAAW,CAAC,GAAG,CAAC,qBAAqB,CAAC,0CAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IACvC,MAAM,UAAU,GAAG,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAE9C,QAAQ,CAAC,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,CAAC,MAAM,QAAQ,EAAE,CAAC,CAAC,WAAW,CAAC;IAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,SAAS,CAAI,KAAK,CAAC,CAAC;AAC7B,CAAC;AAID,KAAK,UAAU,QAAQ,CAAC,OAAsC;IAC5D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,cAAc,EAAE,CAAC;YAC5B,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAEhD,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,WAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAqB;IAC9D,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,IAAI,MAAM,CAAC;IAEX,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,aAAH,GAAG,cAAH,GAAG,GAAI,SAAS,iLAAiL,CACnO,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,UAAU,CAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,OAAO,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACzG,CAAC;AAED,SAAS,aAAa,CAAC,WAAiC,EAAE,QAAgB;IACxE,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,eAAe,GAAa,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChE,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,iBAAmD,EACnD,OAA6B;IAE7B,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAChE,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,uBAAuB,EAAE,QAAQ,EAAE,CAAC"}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAc,kBAAkB,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE7D,SAAS,yBAAyB,CAAC,OAAgB,EAAE,WAAmB,EAAE,UAAkB;IAC1F,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,gBAAgB,IAAI,WAAW,KAAK,oBAAoB,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;AAChH,CAAC;AAED,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,qBAAqB,GAAG,iBAAiB,CAAC;AAChD,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAChC,OAAgB,EAChB,OAAoB,EACpB,WAAgD;IAEhD,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,sDAAsD;IACtD,IAAI,CAAC,WAAW,EAAE,WAAW,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/C,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACzC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACnC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YACvC,IAAI,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAG,CACT,MAAM,EACN,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SAClD,IAAI,CAAC,IAAI,CAAC,CACd,CAAC;IAEF,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB;IACpD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACjG,MAAM,UAAU,GACd,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,UAAU;QAC7C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,UAAU;QACjD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAE9C,OAAO,iBAAiB,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,QAAQ,CAAC,OAAO,EAAE;QACvB,QAAQ,EAAE,sBAAsB;QAChC,GAAG,EAAE,CAAC;KACP,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,OAAoB,EACpB,KAAc,EACd,cAAqC,EACrC,WAAmB,EACnB,WAAqB,EACrB,SAAS,GAAG,KAAK;IAEjB,IAAI,CAAC,WAAW,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC;IAED,IAAI,CAAC,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC;IAER,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACrC,CAAC;IAED,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;QAC1E,KAAK;QACL,WAAW;QACX,UAAU,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChE,SAAS;KACV,CAAC,CAAC;IAEH,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAErD,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,2CAA2C,OAAO,CAAC,GAAG,0BAA0B,CAAC,CAAC;QAChG,CAAC;QAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,gBAA0B,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,UAA0B,EAAE,KAAK,EAAE,KAAK,EAAE;IAE1C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAEpD,0GAA0G;IAC1G,uBAAuB;IACvB,6EAA6E;IAC7E,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAAE,CAAC;IAExC,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,mGAAmG;QACnG,gEAAgE;QAChE,iBAAiB,CAAC,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC;IAED,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;YACvD,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC,CAAC;QAEH,yBAAyB,CAAC,iBAAiB,EAAE,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAEvE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,yBAAyB,CAAC,iBAAiB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAE/D,IAAI,eAAe,EAAE,CAAC;QACpB,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAEjF,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAEhD,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC7D,0DAA0D;YAC1D,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBAC1E,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,uBAAuB;YACvB,OAAO,CAAC,GAAG,CACT,oBAAoB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,wCAAwC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAC/I,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,GACrD,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5D,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,6BAA6B;SAC9C,CAAC,CAAC;QAEL,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;QACD,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI;YACJ,YAAY;SACb,CAAC,CAAC;QAEH,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,UAAU,IAAI,gBAAgB,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACpH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;QAExC,OAAO,CAAC,uBAAuB,EAAE,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,CAAC,CAAC;QAEvF,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI;gBACJ,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,WAAW;aACZ;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,0GAA0G;QAC1G,MAAM,YAAY,GAAG,GAAG,UAAU,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1H,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAErD,4CAA4C;QAC5C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC9D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,CAAC,qBAAqB,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAEvD,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;SACxD,CAAC,CAAC;QAEH,yBAAyB,CAAC,iBAAiB,EAAE,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAEvE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,cAAc,CAAC,EAC5B,cAAc,EAAE,kBAAkB,EAClC,cAAc,GAAG,KAAK,MAIpB,EAAE;IACJ,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9F,IAAI,aAAa,CAAC;IAElB,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5E,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,kBAAkB,IAAI,6BAA6B;SACpE,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,iBAAiB,CACzB,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACtF,KAAK,EACL,sBAAsB,CAAC,OAAO,CAAC,CAChC,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,MAAM,WAAW,CAAC,aAAa,EAAE,GAAG,IAAI,mBAAmB,CAAC,CAAC;IAE7D,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;IAE1D,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;IAExC,OAAO;QACL,SAAS;QACT,IAAI;QACJ,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAE5C,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,yDAAyD;IACzD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IACvC,MAAM,UAAU,GAAG,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAE9C,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,CAAC;IACnG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW,IAAI,CAAC,MAAM,QAAQ,EAAE,CAAC,CAAC,WAAW,CAAC;IAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,SAAS,CAAI,KAAK,CAAC,CAAC;AAC7B,CAAC;AAID,KAAK,UAAU,QAAQ,CAAC,OAAsC;IAC5D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,cAAc,EAAE,CAAC;YAC5B,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAEhD,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAqB;IAC9D,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,IAAI,MAAM,CAAC;IAEX,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,IAAI,SAAS,iLAAiL,CACnO,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,UAAU,CAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,OAAO,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,aAAa,CAAC,WAAiC,EAAE,QAAgB;IACxE,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,eAAe,GAAa,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChE,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,iBAAmD,EACnD,OAA6B;IAE7B,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAChE,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,uBAAuB,EAAE,QAAQ,EAAE,CAAC"}

package/dist/esm/test-helpers.js

@@ -35,9 +35,9 @@ export async function generateSession(overrides = {}) {
         createdAt: '2024-01-01T00:00:00Z',
         updatedAt: '2024-01-01T00:00:00Z',
         lastSignInAt: '2024-01-01T00:00:00Z',
-        locale: null,
         externalId: null,
         metadata: {},
+        locale: null,
         ...overrides,
     };
     const accessToken = await generateTestToken({

package/dist/esm/test-helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"test-helpers.js","sourceRoot":"","sources":["../../src/test-helpers.ts"],"names":[],"mappings":"AAAA,uBAAuB;AAEvB,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAChF,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAGvC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAO,GAAG,EAAE,EAAE,OAAO,GAAG,KAAK;IACnE,MAAM,cAAc,GAAG;QACrB,GAAG,EAAE,aAAa;QAClB,MAAM,EAAE,SAAS;QACjB,IAAI,EAAE,QAAQ;QACd,KAAK,EAAE,CAAC,QAAQ,CAAC;QACjB,WAAW,EAAE,CAAC,cAAc,EAAE,cAAc,CAAC;QAC7C,YAAY,EAAE,CAAC,YAAY,CAAC;QAC5B,aAAa,EAAE,CAAC,4BAA4B,CAAC;KAC9C,CAAC;IAEF,MAAM,aAAa,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;IAExD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAgC,CAAC,CAAC;IAEtF,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC;SAC3C,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,SAAS,CAAC,oBAAoB,CAAC;SAC/B,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;SACxC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAA2B,EAAE;IACjE,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,kBAAkB;QACzB,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,MAAM;QACd,SAAS,EAAE,sBAAsB;QACjC,SAAS,EAAE,sBAAsB;QACjC,YAAY,EAAE,sBAAsB;QACpC,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,EAAE;QACZ,GAAG,SAAS;KACE,CAAC;IAEjB,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC;QAC1C,GAAG,EAAE,aAAa;QAClB,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IAEH,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CACrC;QACE,WAAW;QACX,YAAY,EAAE,mBAAmB;QACjC,IAAI,EAAE,QAAQ;KACf,EACD;QACE,QAAQ,EAAE,sBAAgC;KAC3C,CACF,CAAC;IAEF,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;AAChD,CAAC"}
+{"version":3,"file":"test-helpers.js","sourceRoot":"","sources":["../../src/test-helpers.ts"],"names":[],"mappings":"AAAA,uBAAuB;AAEvB,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAChF,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAGvC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAO,GAAG,EAAE,EAAE,OAAO,GAAG,KAAK;IACnE,MAAM,cAAc,GAAG;QACrB,GAAG,EAAE,aAAa;QAClB,MAAM,EAAE,SAAS;QACjB,IAAI,EAAE,QAAQ;QACd,KAAK,EAAE,CAAC,QAAQ,CAAC;QACjB,WAAW,EAAE,CAAC,cAAc,EAAE,cAAc,CAAC;QAC7C,YAAY,EAAE,CAAC,YAAY,CAAC;QAC5B,aAAa,EAAE,CAAC,4BAA4B,CAAC;KAC9C,CAAC;IAEF,MAAM,aAAa,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;IAExD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAgC,CAAC,CAAC;IAEtF,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC;SAC3C,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,SAAS,CAAC,oBAAoB,CAAC;SAC/B,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;SACxC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAA2B,EAAE;IACjE,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,kBAAkB;QACzB,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,MAAM;QACd,SAAS,EAAE,sBAAsB;QACjC,SAAS,EAAE,sBAAsB;QACjC,YAAY,EAAE,sBAAsB;QACpC,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,EAAE;QACZ,MAAM,EAAE,IAAI;QACZ,GAAG,SAAS;KACE,CAAC;IAEjB,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC;QAC1C,GAAG,EAAE,aAAa;QAClB,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IAEH,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CACrC;QACE,WAAW;QACX,YAAY,EAAE,mBAAmB;QACjC,IAAI,EAAE,QAAQ;KACf,EACD;QACE,QAAQ,EAAE,sBAAgC;KAC3C,CACF,CAAC;IAEF,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;AAChD,CAAC"}

package/dist/esm/types/actions.d.ts

@@ -1,4 +1,8 @@
 import { NoUserInfo, UserInfo, SwitchToOrganizationOptions } from './interfaces.js';
+export interface RefreshAccessTokenActionResult {
+    accessToken: string | undefined;
+    error?: string;
+}
 /**
  * This action is only accessible to authenticated users,
  * there is no need to check the session here as the middleware will
@@ -6,16 +10,38 @@ import { NoUserInfo, UserInfo, SwitchToOrganizationOptions } from './interfaces.
  */
 export declare const checkSessionAction: () => Promise<boolean>;
 export declare const handleSignOutAction: ({ returnTo }?: {
-    returnTo?: string | undefined;
+    returnTo?: string;
 }) => Promise<void>;
 export declare const getOrganizationAction: (organizationId: string) => Promise<import("@workos-inc/node").Organization>;
 export declare const getAuthAction: (options?: {
     ensureSignedIn?: boolean;
-}) => Promise<Omit<UserInfo | NoUserInfo, "accessToken">>;
+}) => Promise<Omit<UserInfo | NoUserInfo, "accessToken"> | {
+    signInUrl: import("./interfaces.js").GetAuthURLResult;
+    organizationId?: string | undefined;
+    role?: string | undefined;
+    roles?: string[] | undefined;
+    permissions?: string[] | undefined;
+    user: import("@workos-inc/node").User | null;
+    sessionId?: string | undefined;
+    entitlements?: string[] | undefined;
+    featureFlags?: string[] | undefined;
+    impersonator?: import("./interfaces.js").Impersonator | undefined;
+}>;
 export declare const refreshAuthAction: ({ ensureSignedIn, organizationId, }: {
-    ensureSignedIn?: boolean | undefined;
+    ensureSignedIn?: boolean;
+    organizationId?: string;
+}) => Promise<Omit<UserInfo | NoUserInfo, "accessToken"> | {
+    signInUrl: import("./interfaces.js").GetAuthURLResult;
     organizationId?: string | undefined;
-}) => Promise<Omit<UserInfo | NoUserInfo, "accessToken">>;
+    role?: string | undefined;
+    roles?: string[] | undefined;
+    permissions?: string[] | undefined;
+    user: import("@workos-inc/node").User | null;
+    sessionId?: string | undefined;
+    entitlements?: string[] | undefined;
+    featureFlags?: string[] | undefined;
+    impersonator?: import("./interfaces.js").Impersonator | undefined;
+}>;
 export declare const switchToOrganizationAction: (organizationId: string, options?: SwitchToOrganizationOptions) => Promise<Omit<UserInfo, "accessToken">>;
 /**
  * This action is used to get the access token from the auth object.
@@ -25,5 +51,8 @@ export declare function getAccessTokenAction(): Promise<string | undefined>;
 /**
  * This action is used to refresh the access token from the auth object.
  * It is used to fetch the access token from the server.
+ *
+ * Errors are caught and returned as data rather than thrown, to prevent
+ * Next.js from returning 500 responses for server action failures.
  */
-export declare function refreshAccessTokenAction(): Promise<string | undefined>;
+export declare function refreshAccessTokenAction(): Promise<RefreshAccessTokenActionResult>;

package/dist/esm/types/auth.d.ts

@@ -1,18 +1,9 @@
-import type { SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
-export declare function getSignInUrl({ organizationId, loginHint, redirectUri, prompt, state, }?: {
-    organizationId?: string;
-    loginHint?: string;
-    redirectUri?: string;
-    prompt?: 'consent';
-    state?: string;
-}): Promise<string>;
-export declare function getSignUpUrl({ organizationId, loginHint, redirectUri, prompt, state, }?: {
-    organizationId?: string;
-    loginHint?: string;
-    redirectUri?: string;
-    prompt?: 'consent';
-    state?: string;
-}): Promise<string>;
+import type { GetAuthURLOptions, SwitchToOrganizationOptions, UserInfo } from './interfaces.js';
+type GetSignUrlOptions = Omit<GetAuthURLOptions, 'screenHint' | 'returnPathname'> & {
+    returnTo?: string;
+};
+export declare function getSignInUrl(authUrlOptions?: GetSignUrlOptions): Promise<string>;
+export declare function getSignUpUrl(authUrlOptions?: GetSignUrlOptions): Promise<string>;
 /**
  * Sign out the user and delete the session cookie.
  * @param options Options for signing out.
@@ -22,3 +13,4 @@ export declare function signOut({ returnTo }?: {
     returnTo?: string;
 }): Promise<void>;
 export declare function switchToOrganization(organizationId: string, options?: SwitchToOrganizationOptions): Promise<UserInfo>;
+export {};

package/dist/esm/types/components/authkit-provider.d.ts

@@ -1,6 +1,6 @@
 import React, { ReactNode } from 'react';
 import type { Impersonator, User } from '@workos-inc/node';
-import type { UserInfo, SwitchToOrganizationOptions } from '../interfaces.js';
+import type { UserInfo, SwitchToOrganizationOptions, NoUserInfo } from '../interfaces.js';
 type AuthContextType = {
     user: User | null;
     sessionId: string | undefined;
@@ -35,8 +35,12 @@ interface AuthKitProviderProps {
      * You can also pass this as `false` to disable the expired session checks.
      */
     onSessionExpired?: false | (() => void);
+    /**
+     * Initial auth data from the server. If provided, the provider will skip the initial client-side fetch.
+     */
+    initialAuth?: Omit<UserInfo | NoUserInfo, 'accessToken'>;
 }
-export declare const AuthKitProvider: ({ children, onSessionExpired }: AuthKitProviderProps) => React.JSX.Element;
+export declare const AuthKitProvider: ({ children, onSessionExpired, initialAuth }: AuthKitProviderProps) => React.JSX.Element;
 export declare function useAuth(options: {
     ensureSignedIn: true;
 }): AuthContextType & ({

package/dist/esm/types/components/impersonation.d.ts

@@ -1,6 +1,7 @@
 import * as React from 'react';
 interface ImpersonationProps extends React.ComponentPropsWithoutRef<'div'> {
     side?: 'top' | 'bottom';
+    returnTo?: string;
 }
-export declare function Impersonation({ side, ...props }: ImpersonationProps): React.JSX.Element | null;
+export declare function Impersonation({ side, returnTo, ...props }: ImpersonationProps): React.JSX.Element | null;
 export {};

package/dist/esm/types/cookie.d.ts

@@ -4,4 +4,12 @@ export declare function getCookieOptions(redirectUri?: string | null): CookieOpt
 export declare function getCookieOptions(redirectUri: string | null | undefined, asString: true, expired?: boolean): string;
 export declare function getCookieOptions(redirectUri: string | null | undefined, asString: false, expired?: boolean): CookieOptions;
 export declare function getCookieOptions(redirectUri?: string | null, asString?: boolean, expired?: boolean): CookieOptions | string;
+/**
+ * Cookie options for the PKCE verifier cookie.
+ * 'strict' blocks the cookie on the cross-site redirect back from WorkOS; downgrade to 'lax'.
+ * 'none' is more permissive and must be preserved for iframe/cross-origin embed flows.
+ */
+export declare function getPKCECookieOptions(): CookieOptions;
+export declare function getPKCECookieOptions(redirectUri: string | null | undefined, asString: true, expired?: boolean): string;
+export declare function getPKCECookieOptions(redirectUri?: string | null, asString?: boolean, expired?: boolean): CookieOptions | string;
 export declare function getJwtCookie(body: string | null, requestUrlOrRedirectUri?: string | null, expired?: boolean): string;

package/dist/esm/types/env-variables.d.ts

@@ -5,8 +5,9 @@ declare const WORKOS_COOKIE_DOMAIN: string | undefined;
 declare const WORKOS_COOKIE_MAX_AGE: string | undefined;
 declare const WORKOS_COOKIE_NAME: string | undefined;
 declare const WORKOS_COOKIE_SAMESITE: "lax" | "strict" | "none" | undefined;
+declare const WORKOS_CLAIM_TOKEN: string | undefined;
 declare const WORKOS_API_KEY: string;
 declare const WORKOS_CLIENT_ID: string;
 declare const WORKOS_COOKIE_PASSWORD: string;
 declare const WORKOS_REDIRECT_URI: string;
-export { WORKOS_API_HOSTNAME, WORKOS_API_HTTPS, WORKOS_API_KEY, WORKOS_API_PORT, WORKOS_CLIENT_ID, WORKOS_COOKIE_DOMAIN, WORKOS_COOKIE_MAX_AGE, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI, WORKOS_COOKIE_SAMESITE, };
+export { WORKOS_API_HOSTNAME, WORKOS_API_HTTPS, WORKOS_API_KEY, WORKOS_API_PORT, WORKOS_CLAIM_TOKEN, WORKOS_CLIENT_ID, WORKOS_COOKIE_DOMAIN, WORKOS_COOKIE_MAX_AGE, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI, WORKOS_COOKIE_SAMESITE, };

package/dist/esm/types/errors.d.ts

@@ -0,0 +1,15 @@
+import type { Session } from './interfaces.js';
+export declare class AuthKitError extends Error {
+    data?: Record<string, unknown>;
+    constructor(message: string, cause?: unknown, data?: Record<string, unknown>);
+}
+export interface TokenRefreshErrorContext {
+    userId?: string;
+    sessionId?: string;
+}
+export declare class TokenRefreshError extends AuthKitError {
+    readonly userId?: string;
+    readonly sessionId?: string;
+    constructor(message: string, cause?: unknown, context?: TokenRefreshErrorContext);
+}
+export declare function getSessionErrorContext(session?: Session | null): TokenRefreshErrorContext;

package/dist/esm/types/get-authorization-url.d.ts

@@ -1,3 +1,3 @@
-import { GetAuthURLOptions } from './interfaces.js';
-declare function getAuthorizationUrl(options?: GetAuthURLOptions): Promise<string>;
+import { GetAuthURLOptions, GetAuthURLResult } from './interfaces.js';
+declare function getAuthorizationUrl({ returnPathname, screenHint, organizationId, loginHint, prompt, state: customState, redirectUri, }?: GetAuthURLOptions): Promise<GetAuthURLResult>;
 export { getAuthorizationUrl };

package/dist/esm/types/index.d.ts

@@ -1,7 +1,10 @@
 import { getSignInUrl, getSignUpUrl, signOut, switchToOrganization } from './auth.js';
 import { handleAuth } from './authkit-callback-route.js';
-import { authkit, authkitMiddleware } from './middleware.js';
+import { AuthKitError, TokenRefreshError } from './errors.js';
+import { authkit, authkitMiddleware, authkitProxy } from './middleware.js';
+export { applyResponseHeaders, handleAuthkitHeaders, handleAuthkitProxy, partitionAuthkitHeaders, isAuthkitRequestHeader, AUTHKIT_REQUEST_HEADERS, type AuthkitHeadersResult, type AuthkitRedirectStatus, type AuthkitRequestHeader, type HandleAuthkitHeadersOptions, } from './middleware-helpers.js';
 import { getTokenClaims, refreshSession, saveSession, withAuth } from './session.js';
+import { validateApiKey } from './validate-api-key.js';
 import { getWorkOS } from './workos.js';
 export * from './interfaces.js';
-export { authkit, authkitMiddleware, getSignInUrl, getSignUpUrl, getWorkOS, handleAuth, refreshSession, saveSession, signOut, switchToOrganization, withAuth, getTokenClaims, };
+export { AuthKitError, TokenRefreshError, authkit, authkitMiddleware, authkitProxy, getSignInUrl, getSignUpUrl, getTokenClaims, getWorkOS, handleAuth, refreshSession, saveSession, signOut, switchToOrganization, validateApiKey, withAuth, };

package/dist/esm/types/interfaces.d.ts

@@ -1,5 +1,6 @@
 import type { AuthenticationResponse, OauthTokens, User } from '@workos-inc/node';
 import { type NextRequest } from 'next/server';
+import * as v from 'valibot';
 export interface HandleAuthOptions {
     returnPathname?: string;
     baseURL?: string;
@@ -58,6 +59,17 @@ export interface AccessToken {
     entitlements?: string[];
     feature_flags?: string[];
 }
+export declare const StateSchema: v.ObjectSchema<{
+    readonly nonce: v.StringSchema<undefined>;
+    readonly customState: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly returnPathname: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly codeVerifier: v.StringSchema<undefined>;
+}, undefined>;
+export type State = v.InferOutput<typeof StateSchema>;
+export interface GetAuthURLResult {
+    url: string;
+    sealedState: string;
+}
 export interface GetAuthURLOptions {
     screenHint?: 'sign-up' | 'sign-in';
     returnPathname?: string;

package/dist/esm/types/jwt.d.ts

@@ -2,16 +2,16 @@
  * JWT (JSON Web Token) Interface Definitions
  */
 export interface JWTHeader {
-    'alg': string;
-    'typ'?: string | undefined;
-    'cty'?: string | undefined;
-    'crit'?: Array<string | Exclude<keyof JWTHeader, 'crit'>> | undefined;
-    'kid'?: string | undefined;
-    'jku'?: string | undefined;
-    'x5u'?: string | string[] | undefined;
+    alg: string;
+    typ?: string | undefined;
+    cty?: string | undefined;
+    crit?: Array<string | Exclude<keyof JWTHeader, 'crit'>> | undefined;
+    kid?: string | undefined;
+    jku?: string | undefined;
+    x5u?: string | string[] | undefined;
     'x5t#S256'?: string | undefined;
-    'x5t'?: string | undefined;
-    'x5c'?: string | string[] | undefined;
+    x5t?: string | undefined;
+    x5c?: string | string[] | undefined;
 }
 /**
  * JWT Payload Interface

package/dist/esm/types/middleware-helpers.d.ts

@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server';
+/** Internal AuthKit headers - forwarded to downstream requests but never sent to browser. */
+export declare const AUTHKIT_REQUEST_HEADERS: readonly ["x-workos-middleware", "x-url", "x-redirect-uri", "x-sign-up-paths", "x-workos-session"];
+export type AuthkitRequestHeader = (typeof AUTHKIT_REQUEST_HEADERS)[number];
+export declare function isAuthkitRequestHeader(name: string): boolean;
+export interface AuthkitHeadersResult {
+    requestHeaders: Headers;
+    responseHeaders: Headers;
+}
+/**
+ * Partitions AuthKit headers into request headers (for withAuth) and response headers (for browser).
+ */
+export declare function partitionAuthkitHeaders(request: NextRequest, authkitHeaders: Headers): AuthkitHeadersResult;
+export declare function applyResponseHeaders(response: NextResponse, responseHeaders: Headers): NextResponse;
+export type AuthkitRedirectStatus = 302 | 303 | 307 | 308;
+export interface HandleAuthkitHeadersOptions {
+    /** URL to redirect to (relative or absolute). */
+    redirect?: string | URL;
+    /** Redirect status code. @default 307 for GET/HEAD, 303 for POST/PUT/DELETE */
+    redirectStatus?: AuthkitRedirectStatus;
+}
+/**
+ * Creates a NextResponse with properly merged AuthKit headers.
+ */
+export declare function handleAuthkitProxy(request: NextRequest, authkitHeaders: Headers, options?: HandleAuthkitHeadersOptions): NextResponse;
+/** @deprecated Use `handleAuthkitProxy` instead. */
+export declare const handleAuthkitHeaders: typeof handleAuthkitProxy;

package/dist/esm/types/middleware.d.ts

@@ -1,4 +1,6 @@
 import { NextMiddleware, NextRequest } from 'next/server';
 import { AuthkitMiddlewareOptions, AuthkitOptions, AuthkitResponse } from './interfaces.js';
-export declare function authkitMiddleware({ debug, middlewareAuth, redirectUri, signUpPaths, eagerAuth, }?: AuthkitMiddlewareOptions): NextMiddleware;
+export declare function authkitProxy({ debug, middlewareAuth, redirectUri, signUpPaths, eagerAuth, }?: AuthkitMiddlewareOptions): NextMiddleware;
+/** @deprecated Use `authkitProxy` instead. */
+export declare const authkitMiddleware: typeof authkitProxy;
 export declare function authkit(request: NextRequest, options?: AuthkitOptions): Promise<AuthkitResponse>;