@workos-inc/authkit-nextjs 4.1.0 → 4.1.1
- package/dist/esm/middleware-helpers.js +14 -2
- package/dist/esm/middleware-helpers.js.map +1 -1
- package/dist/esm/pkce.js +66 -0
- package/dist/esm/pkce.js.map +1 -1
- package/dist/esm/session.js +4 -26
- package/dist/esm/session.js.map +1 -1
- package/dist/esm/types/pkce.d.ts +17 -0
- package/package.json +1 -1
- package/src/middleware-helpers.spec.ts +37 -0
- package/src/middleware-helpers.ts +23 -2
- package/src/pkce.ts +80 -0
- package/src/session.spec.ts +139 -1
- package/src/session.ts +9 -34
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { NextResponse } from 'next/server';
|
|
2
|
+
import { PKCE_AUTHORIZATION_URL_HEADER, PKCE_STATE_HEADER, appendPKCESetCookieHeader, stripPKCESetCookieHeaders, } from './pkce.js';
|
|
2
3
|
/** Internal AuthKit headers - forwarded to downstream requests but never sent to browser. */
|
|
3
4
|
export const AUTHKIT_REQUEST_HEADERS = [
|
|
4
5
|
'x-workos-middleware',
|
|
@@ -81,16 +82,27 @@ export function applyResponseHeaders(response, responseHeaders) {
|
|
|
81
82
|
* Creates a NextResponse with properly merged AuthKit headers.
|
|
82
83
|
*/
|
|
83
84
|
export function handleAuthkitProxy(request, authkitHeaders, options = {}) {
|
|
84
|
-
const { requestHeaders, responseHeaders } = partitionAuthkitHeaders(request, authkitHeaders);
|
|
85
85
|
const { redirect, redirectStatus } = options;
|
|
86
|
+
const headers = new Headers(authkitHeaders);
|
|
87
|
+
let redirectUrl;
|
|
88
|
+
const pkceAuthorizationUrl = headers.get(PKCE_AUTHORIZATION_URL_HEADER);
|
|
89
|
+
const sealedState = headers.get(PKCE_STATE_HEADER);
|
|
90
|
+
if (pkceAuthorizationUrl && sealedState) {
|
|
91
|
+
stripPKCESetCookieHeaders(headers);
|
|
92
|
+
}
|
|
86
93
|
if (redirect != null && redirect !== '') {
|
|
87
|
-
let redirectUrl;
|
|
88
94
|
try {
|
|
89
95
|
redirectUrl = redirect instanceof URL ? redirect : new URL(redirect, request.url);
|
|
90
96
|
}
|
|
91
97
|
catch {
|
|
92
98
|
throw new Error(`Invalid redirect URL: "${redirect}". Must be a valid absolute or relative URL.`);
|
|
93
99
|
}
|
|
100
|
+
if (pkceAuthorizationUrl && sealedState && redirectUrl.toString() === new URL(pkceAuthorizationUrl).toString()) {
|
|
101
|
+
appendPKCESetCookieHeader(request, headers, sealedState);
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
const { requestHeaders, responseHeaders } = partitionAuthkitHeaders(request, headers);
|
|
105
|
+
if (redirectUrl) {
|
|
94
106
|
const method = request.method.toUpperCase();
|
|
95
107
|
const status = redirectStatus ?? (method === 'GET' || method === 'HEAD' ? 307 : 303);
|
|
96
108
|
return applyResponseHeaders(NextResponse.redirect(redirectUrl, status), responseHeaders);
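Review bot: `new URL(pkceAuthorizationUrl)` in the added comparison sits after the try/catch, so an `x-workos-authorization-url` value that is not an absolute URL escapes as a raw TypeError instead of being handled; `authkitHeaders` is caller-supplied and its origin is not visible in this hunk. Parsing it defensively and treating a parse failure as "no PKCE redirect pending" keeps the handler fail-closed, for example `const pkceTarget = URL.canParse(pkceAuthorizationUrl ?? '') ? new URL(pkceAuthorizationUrl).toString() : undefined;` followed by `redirectUrl.toString() === pkceTarget`. The strip-then-re-append design also means a redirect that is not string-identical to the authorization URL silently issues no verifier cookie, which is the safe outcome but deserves a comment above the `if`, such as `// Verifier cookie is issued only when redirecting to the exact AuthKit authorization URL.`. The body of handleAuthkitProxy continues past the end of the hunk.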
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"middleware-helpers.js","sourceRoot":"","sources":["../../src/middleware-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"middleware-helpers.js","sourceRoot":"","sources":["../../src/middleware-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EACL,6BAA6B,EAC7B,iBAAiB,EACjB,yBAAyB,EACzB,yBAAyB,GAC1B,MAAM,WAAW,CAAC;AAEnB,6FAA6F;AAC7F,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,qBAAqB;IACrB,OAAO;IACP,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;CACV,CAAC;AAIX,MAAM,wBAAwB,GAAsB;IAClD,YAAY;IACZ,eAAe;IACf,MAAM;IACN,kBAAkB;IAClB,oBAAoB;IACpB,MAAM;IACN,oBAAoB;CACrB,CAAC;AAEF,MAAM,mBAAmB,GAAsB,CAAC,YAAY,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;AAEhH,MAAM,UAAU,sBAAsB,CAAC,IAAY;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAQ,uBAA6C,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AACzG,CAAC;AAED,SAAS,SAAS,CAAC,OAAgB,EAAE,IAAY,EAAE,KAAa;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;SAAM,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC;YACrB,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACzC,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAOD;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAoB,EAAE,cAAuB;IACnF,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpD,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,OAAO,CAAC
,GAAG,CAAC,UAAU,CAAC,CAAC;QACtC,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;YAClB,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,eAAe,GAAG,IAAI,OAAO,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,IAAI,wBAAwB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/E,SAAS,CAAC,eAAe,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,IAAI,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/E,eAAe,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAsB,EAAE,eAAwB;IACnF,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,eAAe,EAAE,CAAC;QAC5C,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAYD;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAoB,EACpB,cAAuB,EACvB,UAAuC,EAAE;IAEzC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC;IAC7C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC,CAAC;IAC5C,IAAI,WAA4B,CAAC;IAEjC,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACnD,IAAI,oBAAoB,IAAI,WAAW,EAAE,CAAC;QACxC,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,QAAQ,IAAI,IAAI,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,WAAW,GAAG,QAAQ,YAAY,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,8CAA8C,CAAC,CAAC;QACpG,CAAC;QAED,IAAI,oBAAoB,IAAI,WAAW,IAAI,WAAW,CAAC,QAAQ,EAAE,KAAK,IAAI,GAAG,CAAC,oBAAoB,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC/G,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GAAG,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEtF,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,cAAc,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GA
AG,CAAC,CAAC;QACrF,OAAO,oBAAoB,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO,oBAAoB,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,CAAC,EAAE,eAAe,CAAC,CAAC;AAC5G,CAAC;AAED,oDAAoD;AACpD,MAAM,CAAC,MAAM,oBAAoB,GAA8B,kBAAkB,CAAC"}
|
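--- a/package/dist/esm/pkce.js
+++ b/package/dist/esm/pkce.js
@@ -6,6 +6,9 @@ import { getPKCECookieOptions } from './cookie.js';
 import { WORKOS_COOKIE_PASSWORD } from './env-variables.js';
 import { StateSchema } from './interfaces.js';
 export const PKCE_COOKIE_NAME = 'wos-auth-verifier';
+export const PKCE_STATE_HEADER = 'x-workos-pkce-state';
+export const PKCE_AUTHORIZATION_URL_HEADER = 'x-workos-authorization-url';
+const MAX_PKCE_COOKIES = 5;
 /**
 * Short, deterministic hex fingerprint of an arbitrary string.
 * Used to give each PKCE flow its own cookie name without depending
@@ -36,6 +39,69 @@ export async function setPKCECookie(sealedState) {
 httpOnly: true,
 });
 }
+/**
+* Store pending PKCE state in internal middleware headers until the response
+* actually redirects to AuthKit. These headers are stripped before reaching the
+* browser or downstream request handlers.
+*/
+export function setPendingPKCERedirectHeaders(headers, authorizationUrl, sealedState) {
+headers.set(PKCE_AUTHORIZATION_URL_HEADER, authorizationUrl);
+headers.set(PKCE_STATE_HEADER, sealedState);
+}
+/**
+* Only set the PKCE cookie for initial document navigations that redirect to
+* AuthKit. Fetch/XHR/RSC/prefetch requests never follow cross-origin redirects
+* to complete OAuth, so they do not need verifier cookies.
+*/
+export function appendPKCESetCookieHeader(request, headers, sealedState) {
+if (!isInitialDocumentRequest(request)) {
+return;
+}
+const newCookieName = getPKCECookieNameForState(sealedState);
+const pkceCookies = request.cookies
+.getAll()
+.filter(({ name }) => name === PKCE_COOKIE_NAME || name.startsWith(`${PKCE_COOKIE_NAME}-`));
+// A small number of concurrent PKCE cookies is normal (multiple tabs each
+// starting an OAuth flow). Only purge when accumulation risks HTTP 431.
+if (pkceCookies.length >= MAX_PKCE_COOKIES) {
+const expiredOptions = getPKCECookieOptions(request.url, true, true);
+for (const { name } of pkceCookies) {
+if (name !== newCookieName) {
+headers.append('Set-Cookie', `${name}=; ${expiredOptions}`);
+}
+}
+}
+headers.append('Set-Cookie', `${newCookieName}=${sealedState}; ${getPKCECookieOptions(request.url, true)}`);
+}
+export function stripPKCESetCookieHeaders(headers) {
+const setCookieHeaders = headers.getSetCookie();
+if (setCookieHeaders.length === 0) {
+return;
+}
+headers.delete('Set-Cookie');
+for (const setCookieHeader of setCookieHeaders) {
+if (!isPKCESetCookieHeader(setCookieHeader)) {
+headers.append('Set-Cookie', setCookieHeader);
+}
+}
+}
+export function isInitialDocumentRequest(request) {
+const accept = request.headers.get('accept') || '';
+const isDocumentRequest = accept.includes('text/html');
+const isRSCRequest = request.headers.has('RSC') || request.headers.has('Next-Router-State-Tree');
+const isPrefetch = request.headers.get('Purpose') === 'prefetch' ||
+request.headers.get('Sec-Purpose') === 'prefetch' ||
+request.headers.has('Next-Router-Prefetch');
+return isDocumentRequest && !isRSCRequest && !isPrefetch;
+}
+function isPKCESetCookieHeader(setCookieHeader) {
+const separatorIndex = setCookieHeader.indexOf('=');
+if (separatorIndex === -1) {
+return false;
+}
+const cookieName = setCookieHeader.slice(0, separatorIndex);
+return cookieName === PKCE_COOKIE_NAME || cookieName.startsWith(`${PKCE_COOKIE_NAME}-`);
+}
 /**
 * Read and unseal the auth cookie containing PKCE code verifier and OAuth state.
 * Throws if the cookie is not in the required state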
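Review bot: `appendPKCESetCookieHeader` builds both Set-Cookie values by string interpolation, and with this release `sealedState` can also reach it from the `x-workos-pkce-state` header read in handleAuthkitProxy, so a value containing `;` would be parsed by the browser as extra cookie attributes. If the sealed format never contains cookie delimiters (presumably true, but not visible here), a guard such as `if (/[;,\s]/.test(sealedState)) return;` before the append makes that assumption explicit. The purge branch expires every other `wos-auth-verifier` cookie once five are present, which will also end sign-in flows still open in other tabs; the comment above it should say so. `stripPKCESetCookieHeaders`, `isInitialDocumentRequest` and `isPKCESetCookieHeader` are added without doc comments, and `isInitialDocumentRequest` in particular should note that it is a heuristic over client-supplied headers, not a security boundary.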
|
package/dist/esm/pkce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,qBAAqB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,qBAAqB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAS,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAErD,MAAM,CAAC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC;AACpD,MAAM,CAAC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC;AACvD,MAAM,CAAC,MAAM,6BAA6B,GAAG,4BAA4B,CAAC;AAE1E,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAE3B;;;;GAIG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,4EAA4E;IAC5E,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAEhD,6CAA6C;IAC7C,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,OAAO,GAAG,gBAAgB,IAAI,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IAEvC,WAAW,CAAC,GAAG,CAAC,yBAAyB,CAAC,WAAW,CAAC,EAAE,WAAW,EAAE;QACnE,GAAG,OAAO;QACV,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,6BAA6B,CAAC,OAAgB,EAAE,gBAAwB,EAAE,WAAmB;IAC3G,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,gBAAgB,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAAoB,EAAE,OAAgB,EAAE,WAAmB;IACnG,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvC,OAAO;IACT,CAAC;IAED,MAAM,aAAa,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO;SAChC,MAAM,EAAE;SACR,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,gBAAgB,GAAG,CAAC,CAAC,CAAC;IAE9F,0EAA0E;IAC1E,wEAAwE;IACxE,IAAI,WAAW,CAAC,MAAM,IAAI,gBAAgB,EAAE,CAAC;QAC3C,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACrE,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC;YACnC,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC3B,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,IAAI
,MAAM,cAAc,EAAE,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,aAAa,IAAI,WAAW,KAAK,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;AAC9G,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,OAAgB;IACxD,MAAM,gBAAgB,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAChD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE7B,KAAK,MAAM,eAAe,IAAI,gBAAgB,EAAE,CAAC;QAC/C,IAAI,CAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,OAAoB;IAC3D,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACjG,MAAM,UAAU,GACd,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,UAAU;QAC7C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,UAAU;QACjD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAE9C,OAAO,iBAAiB,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,SAAS,qBAAqB,CAAC,eAAuB;IACpD,MAAM,cAAc,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpD,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;IAC5D,OAAO,UAAU,KAAK,gBAAgB,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,gBAAgB,GAAG,CAAC,CAAC;AAC1F,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,WAAmB;IACnE,mFAAmF;IACnF,0FAA0F;IAC1F,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,WAAW,EAAE;QAC7C,QAAQ,EAAE,sBAAsB;KACjC,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC"}
|
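--- a/package/dist/esm/session.js
+++ b/package/dist/esm/session.js
@@ -3,27 +3,15 @@ import { sealData, unsealData } from 'iron-session';
 import { createRemoteJWKSet, decodeJwt, jwtVerify } from 'jose';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
-import { getCookieOptions, getJwtCookie
+import { getCookieOptions, getJwtCookie } from './cookie.js';
 import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { TokenRefreshError, getSessionErrorContext } from './errors.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
-import {
+import { appendPKCESetCookieHeader, isInitialDocumentRequest, setPKCECookie, setPendingPKCERedirectHeaders, } from './pkce.js';
 import { getWorkOS } from './workos.js';
 import { parse, tokensToRegexp } from 'path-to-regexp';
 import { handleAuthkitHeaders } from './middleware-helpers.js';
 import { lazy, setCachePreventionHeaders } from './utils.js';
-// Only set the PKCE cookie for initial document navigations — fetch/XHR/RSC/prefetch
-// requests never follow cross-origin redirects so they'll never complete the OAuth
-// flow and therefore don't need the cookie set.
-// This prevents cookie bloat (HTTP 431) when multiple requests fire concurrently
-// now that we are generating unique cookie names per flow, they add up quickly if
-// we don't limit to just the initial navigation request
-function appendPKCESetCookieHeader(request, headers, sealedState) {
-if (!isInitialDocumentRequest(request)) {
-return;
-}
-headers.append('Set-Cookie', `${getPKCECookieNameForState(sealedState)}=${sealedState}; ${getPKCECookieOptions(request.url, true)}`);
-}
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
 const signUpPathsHeaderName = 'x-sign-up-paths';
@@ -60,18 +48,6 @@ function applyCacheSecurityHeaders(headers, request, sessionData) {
 .join(', '));
 setCachePreventionHeaders(headers);
 }
-/**
-* Determines if a request is for an initial document load (not API/RSC/prefetch)
-*/
-function isInitialDocumentRequest(request) {
-const accept = request.headers.get('accept') || '';
-const isDocumentRequest = accept.includes('text/html');
-const isRSCRequest = request.headers.has('RSC') || request.headers.has('Next-Router-State-Tree');
-const isPrefetch = request.headers.get('Purpose') === 'prefetch' ||
-request.headers.get('Sec-Purpose') === 'prefetch' ||
-request.headers.has('Next-Router-Prefetch');
-return isDocumentRequest && !isRSCRequest && !isPrefetch;
-}
 async function encryptSession(session) {
 return sealData(session, {
 password: WORKOS_COOKIE_PASSWORD,
@@ -155,6 +131,7 @@ async function updateSession(request, options = { debug: false }) {
 redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
 screenHint: options.screenHint,
 });
+setPendingPKCERedirectHeaders(newRequestHeaders, authorizationUrl, sealedState);
 appendPKCESetCookieHeader(request, newRequestHeaders, sealedState);
 return {
 session: { user: null },
@@ -257,6 +234,7 @@ async function updateSession(request, options = { debug: false }) {
 returnPathname: getReturnPathname(request.url),
 redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
 });
+setPendingPKCERedirectHeaders(newRequestHeaders, authorizationUrl, sealedState);
 appendPKCESetCookieHeader(request, newRequestHeaders, sealedState);
 return {
 session: { user: null },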
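Review bot: Both added `setPendingPKCERedirectHeaders(newRequestHeaders, authorizationUrl, sealedState)` calls (new lines 134 and 237) put the sealed PKCE state and the authorization URL into the same header set that is handed back to callers, so whether they stay internal depends on every consumer routing those headers through the partition step in middleware-helpers.js. How `newRequestHeaders` is created is outside these hunks; if it is seeded from the incoming request, a client can supply `x-workos-pkce-state` and `x-workos-authorization-url` on paths that never call the setter, and handleAuthkitProxy would read them as middleware output. Clearing both names where the header set is built closes that, e.g. `newRequestHeaders.delete('x-workos-pkce-state');` and `newRequestHeaders.delete('x-workos-authorization-url');`. The `appendPKCESetCookieHeader` call kept on the following line now writes a cookie that handleAuthkitProxy strips and conditionally re-adds, which is worth a one-line comment at both call sites.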
|
package/dist/esm/session.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAc,kBAAkB,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,OAAO,EAAE,yBAAyB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE7D,qFAAqF;AACrF,mFAAmF;AACnF,gDAAgD;AAChD,iFAAiF;AACjF,kFAAkF;AAClF,wDAAwD;AACxD,SAAS,yBAAyB,CAAC,OAAoB,EAAE,OAAgB,EAAE,WAAmB;IAC5F,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;QACvC,OAAO;IACT,CAAC;IAED,OAAO,CAAC,MAAM,CACZ,YAAY,EACZ,GAAG,yBAAyB,CAAC,WAAW,CAAC,IAAI,WAAW,KAAK,oBAAoB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CACvG,CAAC;AACJ,CAAC;AAED,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,qBAAqB,GAAG,iBAAiB,CAAC;AAChD,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAChC,OAAgB,EAChB,OAAoB,EACpB,WAAgD;IAEhD,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,sDAAsD;IACtD,IAAI,CAAC,WAAW,EAAE,WAAW,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/C,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACzC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,KA
AK,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACnC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YACvC,IAAI,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAG,CACT,MAAM,EACN,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SAClD,IAAI,CAAC,IAAI,CAAC,CACd,CAAC;IAEF,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,OAAoB;IACpD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACjG,MAAM,UAAU,GACd,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,UAAU;QAC7C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,UAAU;QACjD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAE9C,OAAO,iBAAiB,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC;AAC3D,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,QAAQ,CAAC,OAAO,EAAE;QACvB,QAAQ,EAAE,sBAAsB;QAChC,GAAG,EAAE,CAAC;KACP,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,OAAoB,EACpB,KAAc,EACd,cAAqC,EACrC,WAAmB,EACnB,WAAqB,EACrB,SAAS,GAAG,KAAK;IAEjB,IAAI,CAAC,WAAW,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC;IAED,IAAI,CAAC,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC;IAER,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACrC,CAAC;IAED,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAA
E,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;QAC1E,KAAK;QACL,WAAW;QACX,UAAU,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChE,SAAS;KACV,CAAC,CAAC;IAEH,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAErD,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,2CAA2C,OAAO,CAAC,GAAG,0BAA0B,CAAC,CAAC;QAChG,CAAC;QAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,gBAA0B,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,UAA0B,EAAE,KAAK,EAAE,KAAK,EAAE;IAE1C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAEpD,0GAA0G;IAC1G,uBAAuB;IACvB,6EAA6E;IAC7E,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAAE,CAAC;IAExC,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,mGAAmG;QACnG,gEAAgE;QAChE,iBAAiB,CAAC,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC;IAED,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;YACvD,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC,CAAC;QAEH,yBAAyB,CAAC,OAAO,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,MAAM
,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,yBAAyB,CAAC,iBAAiB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAE/D,IAAI,eAAe,EAAE,CAAC;QACpB,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAEjF,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAEhD,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC7D,0DAA0D;YAC1D,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBAC1E,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,uBAAuB;YACvB,OAAO,CAAC,GAAG,CACT,oBAAoB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,wCAAwC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAC/I,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,oBAAoB,EAAE,GAC3E,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5D,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,6BAA6B;SAC9C,CAAC,CAAC;QAEL,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;QACD,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI;YACJ,YAAY;YACZ,oBAAoB;SACrB,CAAC,CAAC;QAEH,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,UAAU,IAAI,gBAAgB,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACpH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,iBAAiB,CAAC,MAAM,CA
AC,YAAY,EAAE,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;QAExC,OAAO,CAAC,uBAAuB,EAAE,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,CAAC,CAAC;QAEvF,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI;gBACJ,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,WAAW;aACZ;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,0GAA0G;QAC1G,MAAM,YAAY,GAAG,GAAG,UAAU,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1H,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAErD,4CAA4C;QAC5C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC9D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,CAAC,qBAAqB,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAEvD,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;SACxD,CAAC,CAAC;QAEH,yBAAyB,CAAC,OAAO,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,cAAc,CAAC,EAC5B,cAAc,EAAE,kBAAkB,EAClC,cAAc,GAAG,KAAK,MAIpB,EAAE;IACJ,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9F,IAAI,aAAa,CAAC;IAElB,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5E,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,kBAAkB,IAAI,6BAA6B;SACpE,CAAC,CAAC;IACL,CAAC;IAAC,O
AAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,iBAAiB,CACzB,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACtF,KAAK,EACL,sBAAsB,CAAC,OAAO,CAAC,CAChC,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,MAAM,WAAW,CAAC,aAAa,EAAE,GAAG,IAAI,mBAAmB,CAAC,CAAC;IAE7D,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;IAE1D,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;IAExC,OAAO;QACL,SAAS;QACT,IAAI;QACJ,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAE5C,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,yDAAyD;IACzD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IACvC,MAAM,UAAU,GAAG,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAE9C,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,CAAC;IACnG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW,
IAAI,CAAC,MAAM,QAAQ,EAAE,CAAC,CAAC,WAAW,CAAC;IAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,SAAS,CAAI,KAAK,CAAC,CAAC;AAC7B,CAAC;AAID,KAAK,UAAU,QAAQ,CAAC,OAAsC;IAC5D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,cAAc,EAAE,CAAC;YAC5B,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAEhD,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAqB;IAC9D,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,IAAI,MAAM,CAAC;IAEX,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,IAAI,SAAS,iLAAiL,CACnO,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,UAAU,CAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,OAAO,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,aAAa,CAAC,WAAiC,E
AAE,QAAgB;IACxE,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,eAAe,GAAa,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChE,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,iBAAmD,EACnD,OAA6B;IAE7B,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAChE,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,uBAAuB,EAAE,QAAQ,EAAE,CAAC"}
|
|
1
|
+
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;AAEb,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAc,kBAAkB,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,aAAa,EACb,6BAA6B,GAC9B,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE7D,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,qBAAqB,GAAG,iBAAiB,CAAC;AAChD,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAChC,OAAgB,EAChB,OAAoB,EACpB,WAAgD;IAEhD,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,sDAAsD;IACtD,IAAI,CAAC,WAAW,EAAE,WAAW,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/C,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACzC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACnC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YACvC,IAAI,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAG,CACT,MAAM,EACN,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC
,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SAClD,IAAI,CAAC,IAAI,CAAC,CACd,CAAC;IAEF,yBAAyB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,OAAgB;IAC5C,OAAO,QAAQ,CAAC,OAAO,EAAE;QACvB,QAAQ,EAAE,sBAAsB;QAChC,GAAG,EAAE,CAAC;KACP,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,OAAoB,EACpB,KAAc,EACd,cAAqC,EACrC,WAAmB,EACnB,WAAqB,EACrB,SAAS,GAAG,KAAK;IAEjB,IAAI,CAAC,WAAW,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC;IAED,IAAI,CAAC,sBAAsB,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC;IAER,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACrC,CAAC;IAED,IACE,cAAc,CAAC,OAAO;QACtB,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ;QACzC,CAAC,cAAc,CAAC,oBAAoB,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAC3D,CAAC;QACD,qBAAqB;QACrB,qCAAqC;QACrC,kDAAkD;QAClD,6DAA6D;QAC7D,EAAE;QACF,mGAAmG;QACnG,4GAA4G;QAC5G,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,cAAc,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACrF,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QAEvD,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;QAC1E,KAAK;QACL,WAAW;QACX,UAAU,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAChE,SAAS;KACV,CAAC,CAAC;IAEH,oDAAoD;IACpD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAErD,4GAA4G;IAC5G,IAAI,cAAc,CAAC,OAAO,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,2CAA2C,OAAO,CAAC,GAAG,0BAA0B,CAAC,CAAC;QAChG,CAAC;QAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,gBAA0B,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,OAAO,oBAAoB,CAAC,OAAO,EAAE,
OAAO,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,UAA0B,EAAE,KAAK,EAAE,KAAK,EAAE;IAE1C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAEpD,0GAA0G;IAC1G,uBAAuB;IACvB,6EAA6E;IAC7E,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAAE,CAAC;IAExC,kGAAkG;IAClG,iBAAiB,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAEpD,0FAA0F;IAC1F,qGAAqG;IACrG,gFAAgF;IAChF,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,mGAAmG;QACnG,gEAAgE;QAChE,iBAAiB,CAAC,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC;IAED,iBAAiB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;YACvD,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC,CAAC;QAEH,6BAA6B,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAChF,yBAAyB,CAAC,OAAO,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAErE,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IAEvD,yBAAyB,CAAC,iBAAiB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAE/D,IAAI,eAAe,EAAE,CAAC;QACpB,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC;QAEjF,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAEhD,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC7D,0DAA0D;YAC1D,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBAC1E,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI,EAAE,OAAO,CAAC,I
AAI;gBAClB,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,uBAAuB;YACvB,OAAO,CAAC,GAAG,CACT,oBAAoB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,wCAAwC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAC/I,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;QAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,oBAAoB,EAAE,GAC3E,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5D,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,6BAA6B;SAC9C,CAAC,CAAC;QAEL,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;QACD,qDAAqD;QACrD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC;YAC5C,WAAW;YACX,YAAY;YACZ,IAAI;YACJ,YAAY;YACZ,oBAAoB;SACrB,CAAC,CAAC;QAEH,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,UAAU,IAAI,gBAAgB,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACpH,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;QAE3D,yCAAyC;QACzC,8EAA8E;QAC9E,IAAI,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;QAExC,OAAO,CAAC,uBAAuB,EAAE,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,CAAC,CAAC;QAEvF,OAAO;YACL,OAAO,EAAE;gBACP,SAAS;gBACT,IAAI;gBACJ,cAAc;gBACd,IAAI;gBACJ,KAAK;gBACL,WAAW;gBACX,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,WAAW;aACZ;YACD,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,0GAA0G;QAC1G,MAAM,YAAY,GAAG,GAAG,UAAU,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1H,iBAAiB,CAAC,MAAM,CAAC,
YAAY,EAAE,YAAY,CAAC,CAAC;QAErD,4CAA4C;QAC5C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC9D,iBAAiB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,CAAC,qBAAqB,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAEvD,MAAM,EAAE,GAAG,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC;YACvE,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,mBAAmB;SACxD,CAAC,CAAC;QAEH,6BAA6B,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAChF,yBAAyB,CAAC,OAAO,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,OAAO;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;YACvB,OAAO,EAAE,iBAAiB;YAC1B,gBAAgB;SACjB,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,cAAc,CAAC,EAC5B,cAAc,EAAE,kBAAkB,EAClC,cAAc,GAAG,KAAK,MAIpB,EAAE;IACJ,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9F,IAAI,aAAa,CAAC;IAElB,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,4BAA4B,CAAC;YAC5E,QAAQ,EAAE,gBAAgB;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,kBAAkB,IAAI,6BAA6B;SACpE,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,iBAAiB,CACzB,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACtF,KAAK,EACL,sBAAsB,CAAC,OAAO,CAAC,CAChC,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,MAAM,WAAW,CAAC,aAAa,EAAE,GAAG,IAAI,mBAAmB,CAAC,CAAC;IAE7D,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;IAE1D,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,WAAW,CAAC,CAAC;IAExC,OAAO;QACL,SAAS;QACT,IAAI;QACJ,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAgB;IAClD,IAAI,CAAC;QACH,MA
AM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,QAAS,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QAEjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAE5C,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,yDAAyD;IACzD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IACvC,MAAM,UAAU,GAAG,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAE9C,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,CAAC;IACnG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW,IAAI,CAAC,MAAM,QAAQ,EAAE,CAAC,CAAC,WAAW,CAAC;IAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,SAAS,CAAI,KAAK,CAAC,CAAC;AAC7B,CAAC;AAID,KAAK,UAAU,QAAQ,CAAC,OAAsC;IAC5D,MAAM,OAAO,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,OAAO,EAAE,cAAc,EAAE,CAAC;YAC5B,MAAM,gBAAgB,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,EACJ,GAAG,EAAE,SAAS,EACd,MAAM,EAAE,cAAc,EACtB,IAAI,EACJ,KAAK,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EAAE,YAAY,GAC5B,GAAG,SAAS,CAAc,OAAO,CAAC,WAAW,CAAC,CAAC;IAEhD,OAAO;QACL,SAAS;QACT,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,cAAc;QACd,IAAI;QACJ,KAAK;QACL,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,KAAK,
UAAU,iBAAiB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAqB;IAC9D,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,IAAI,MAAM,CAAC;IAEX,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;QACpC,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,UAAU,CAAU,MAAM,CAAC,KAAK,EAAE;YACvC,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,IAAI,SAAS,iLAAiL,CACnO,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,OAAO,UAAU,CAAU,UAAU,EAAE,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAE5B,OAAO,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,aAAa,CAAC,WAAiC,EAAE,QAAgB;IACxE,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,eAAe,GAAa,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChE,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,iBAAmD,EACnD,OAA6B;IAE7B,MAAM,UAAU,GAAG,kBAAkB,IAAI,aAAa,CAAC;IACvD,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAChE,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,OA
AO,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,uBAAuB,EAAE,QAAQ,EAAE,CAAC"}
|
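--- a/package/dist/esm/types/pkce.d.ts
+++ b/package/dist/esm/types/pkce.d.ts
@@ -1,5 +1,8 @@
+import { NextRequest } from 'next/server';
 import { State } from './interfaces.js';
 export declare const PKCE_COOKIE_NAME = "wos-auth-verifier";
+export declare const PKCE_STATE_HEADER = "x-workos-pkce-state";
+export declare const PKCE_AUTHORIZATION_URL_HEADER = "x-workos-authorization-url";
 /**
 * Derive a flow-specific cookie name so concurrent auth flows don't overwrite
 * each other's PKCE cookies. Uses an FNV-1a hash of the full sealed state
@@ -10,6 +13,20 @@ export declare function getPKCECookieNameForState(state: string): string;
 * In middleware context, callers must set the cookie via Set-Cookie headers instead.
 */
 export declare function setPKCECookie(sealedState: string): Promise<void>;
+/**
+* Store pending PKCE state in internal middleware headers until the response
+* actually redirects to AuthKit. These headers are stripped before reaching the
+* browser or downstream request handlers.
+*/
+export declare function setPendingPKCERedirectHeaders(headers: Headers, authorizationUrl: string, sealedState: string): void;
+/**
+* Only set the PKCE cookie for initial document navigations that redirect to
+* AuthKit. Fetch/XHR/RSC/prefetch requests never follow cross-origin redirects
+* to complete OAuth, so they do not need verifier cookies.
+*/
+export declare function appendPKCESetCookieHeader(request: NextRequest, headers: Headers, sealedState: string): void;
+export declare function stripPKCESetCookieHeaders(headers: Headers): void;
+export declare function isInitialDocumentRequest(request: NextRequest): boolean;
 /**
 * Read and unseal the auth cookie containing PKCE code verifier and OAuth state.
 * Throws if the cookie is not in the required state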
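Review bot: `stripPKCESetCookieHeaders` and `isInitialDocumentRequest` at the end of the second hunk are exported with no doc comment, unlike the two declarations added just above them. `isInitialDocumentRequest` classifies a request from headers the client supplies (the copy removed from session.js in this release reads `accept`, `RSC`, `Next-Router-State-Tree`, `Purpose`, `Sec-Purpose` and `Next-Router-Prefetch`; presumably it moved to pkce.js unchanged), so now that it is public its comment should say so: `/** Heuristic over client-supplied headers: true for an HTML document navigation, false for RSC or prefetch requests. Not a trust or authorization check. */`. For `stripPKCESetCookieHeaders`, document which `Set-Cookie` entries are removed and that the passed `Headers` object appears to be modified in place, given the `void` return. This declaration file is generated, so the comments belong in `package/src/pkce.ts`.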
package/package.json
CHANGED
|
@@ -7,6 +7,7 @@ import {
|
|
|
7
7
|
isAuthkitRequestHeader,
|
|
8
8
|
AUTHKIT_REQUEST_HEADERS,
|
|
9
9
|
} from './middleware-helpers.js';
|
|
10
|
+
import { appendPKCESetCookieHeader, setPendingPKCERedirectHeaders } from './pkce.js';
|
|
10
11
|
|
|
11
12
|
describe('middleware-helpers', () => {
|
|
12
13
|
function createMockRequest(url = 'https://example.com/test', method = 'GET'): NextRequest {
|
|
@@ -211,6 +212,42 @@ describe('middleware-helpers', () => {
|
|
|
211
212
|
expect(handleAuthkitHeaders(request, headers, { redirect: '' }).status).toBe(200);
|
|
212
213
|
expect(handleAuthkitHeaders(request, headers, { redirect: undefined }).status).toBe(200);
|
|
213
214
|
});
|
|
215
|
+
|
|
216
|
+
it('should set pending PKCE cookie when redirecting to the generated authorization URL', () => {
|
|
217
|
+
const request = new NextRequest('https://example.com/app', {
|
|
218
|
+
headers: { accept: 'text/html' },
|
|
219
|
+
});
|
|
220
|
+
const authorizationUrl = 'https://api.workos.com/user_management/authorize?client_id=client_123&state=abc';
|
|
221
|
+
const headers = new Headers();
|
|
222
|
+
setPendingPKCERedirectHeaders(headers, authorizationUrl, 'sealed-state');
|
|
223
|
+
appendPKCESetCookieHeader(request, headers, 'sealed-state');
|
|
224
|
+
|
|
225
|
+
const response = handleAuthkitHeaders(request, headers, { redirect: authorizationUrl });
|
|
226
|
+
const setCookies = response.headers.getSetCookie();
|
|
227
|
+
|
|
228
|
+
expect(setCookies.filter((c) => /^wos-auth-verifier-[0-9a-f]{8}=sealed-state;/.test(c))).toHaveLength(1);
|
|
229
|
+
expect(response.headers.get('x-workos-pkce-state')).toBeNull();
|
|
230
|
+
expect(response.headers.get('x-workos-authorization-url')).toBeNull();
|
|
231
|
+
});
|
|
232
|
+
|
|
233
|
+
it('should not set pending PKCE cookie without a matching AuthKit redirect', () => {
|
|
234
|
+
const request = new NextRequest('https://example.com/app', {
|
|
235
|
+
headers: { accept: 'text/html' },
|
|
236
|
+
});
|
|
237
|
+
const authorizationUrl = 'https://api.workos.com/user_management/authorize?client_id=client_123&state=abc';
|
|
238
|
+
const headers = new Headers();
|
|
239
|
+
setPendingPKCERedirectHeaders(headers, authorizationUrl, 'sealed-state');
|
|
240
|
+
appendPKCESetCookieHeader(request, headers, 'sealed-state');
|
|
241
|
+
headers.append('Set-Cookie', 'other=value; Path=/; HttpOnly');
|
|
242
|
+
|
|
243
|
+
const nextResponse = handleAuthkitHeaders(request, headers);
|
|
244
|
+
const customRedirectResponse = handleAuthkitHeaders(request, headers, { redirect: '/new-path' });
|
|
245
|
+
|
|
246
|
+
expect(nextResponse.headers.getSetCookie().some((c) => c.includes('wos-auth-verifier'))).toBe(false);
|
|
247
|
+
expect(customRedirectResponse.headers.getSetCookie().some((c) => c.includes('wos-auth-verifier'))).toBe(false);
|
|
248
|
+
expect(nextResponse.headers.getSetCookie().some((c) => c.startsWith('other=value;'))).toBe(true);
|
|
249
|
+
expect(customRedirectResponse.headers.getSetCookie().some((c) => c.startsWith('other=value;'))).toBe(true);
|
|
250
|
+
});
|
|
214
251
|
});
|
|
215
252
|
|
|
216
253
|
describe('applyResponseHeaders', () => {
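Review bot: The two added tests only check `x-workos-pkce-state` and `x-workos-authorization-url` on the redirect response, so nothing pins the doc comment's other promise that these pending headers never reach downstream request handlers. On the pass-through case (`nextResponse`, new line 243) I would also assert that the sealed state is neither returned nor forwarded, e.g. `expect(nextResponse.headers.get('x-workos-pkce-state')).toBeNull();` and `expect(nextResponse.headers.get('x-middleware-request-x-workos-pkce-state')).toBeNull();`, with the same pair for the authorization-URL header. The `x-middleware-request-` prefix is how Next.js carries request-header overrides. Whether `partitionAuthkitHeaders` already filters these two names is not visible in this diff, so this is a coverage gap rather than a confirmed leak.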
|
|
@@ -1,4 +1,10 @@
|
|
|
1
1
|
import { NextRequest, NextResponse } from 'next/server';
|
|
2
|
+
import {
|
|
3
|
+
PKCE_AUTHORIZATION_URL_HEADER,
|
|
4
|
+
PKCE_STATE_HEADER,
|
|
5
|
+
appendPKCESetCookieHeader,
|
|
6
|
+
stripPKCESetCookieHeaders,
|
|
7
|
+
} from './pkce.js';
|
|
2
8
|
|
|
3
9
|
/** Internal AuthKit headers - forwarded to downstream requests but never sent to browser. */
|
|
4
10
|
export const AUTHKIT_REQUEST_HEADERS = [
|
|
@@ -112,16 +118,31 @@ export function handleAuthkitProxy(
|
|
|
112
118
|
authkitHeaders: Headers,
|
|
113
119
|
options: HandleAuthkitHeadersOptions = {},
|
|
114
120
|
): NextResponse {
|
|
115
|
-
const { requestHeaders, responseHeaders } = partitionAuthkitHeaders(request, authkitHeaders);
|
|
116
121
|
const { redirect, redirectStatus } = options;
|
|
122
|
+
const headers = new Headers(authkitHeaders);
|
|
123
|
+
let redirectUrl: URL | undefined;
|
|
124
|
+
|
|
125
|
+
const pkceAuthorizationUrl = headers.get(PKCE_AUTHORIZATION_URL_HEADER);
|
|
126
|
+
const sealedState = headers.get(PKCE_STATE_HEADER);
|
|
127
|
+
if (pkceAuthorizationUrl && sealedState) {
|
|
128
|
+
stripPKCESetCookieHeaders(headers);
|
|
129
|
+
}
|
|
117
130
|
|
|
118
131
|
if (redirect != null && redirect !== '') {
|
|
119
|
-
let redirectUrl: URL;
|
|
120
132
|
try {
|
|
121
133
|
redirectUrl = redirect instanceof URL ? redirect : new URL(redirect, request.url);
|
|
122
134
|
} catch {
|
|
123
135
|
throw new Error(`Invalid redirect URL: "${redirect}". Must be a valid absolute or relative URL.`);
|
|
124
136
|
}
|
|
137
|
+
|
|
138
|
+
if (pkceAuthorizationUrl && sealedState && redirectUrl.toString() === new URL(pkceAuthorizationUrl).toString()) {
|
|
139
|
+
appendPKCESetCookieHeader(request, headers, sealedState);
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
|
|
143
|
+
const { requestHeaders, responseHeaders } = partitionAuthkitHeaders(request, headers);
|
|
144
|
+
|
|
145
|
+
if (redirectUrl) {
|
|
125
146
|
const method = request.method.toUpperCase();
|
|
126
147
|
const status = redirectStatus ?? (method === 'GET' || method === 'HEAD' ? 307 : 303);
|
|
127
148
|
return applyResponseHeaders(NextResponse.redirect(redirectUrl, status), responseHeaders);
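Review bot: `new URL(pkceAuthorizationUrl)` on new line 138 sits outside the `try` that guards the caller's `redirect`, so an `x-workos-authorization-url` value that does not parse throws a bare TypeError out of the middleware instead of simply not matching. `authkitHeaders` is a caller-supplied argument, so I would normalise the pending URL once and treat a parse failure as no match: `const pendingUrl = pkceAuthorizationUrl && URL.canParse(pkceAuthorizationUrl) ? new URL(pkceAuthorizationUrl).toString() : undefined;` (or a small try/catch if the supported runtimes predate `URL.canParse`). The comparison also deserves a comment such as `// exact match only: a caller that alters the authorization URL gets no verifier cookie`, because that failure only shows up later at the callback. The body of `handleAuthkitProxy` continues past the end of this hunk.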
|
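--- a/package/src/pkce.ts
+++ b/package/src/pkce.ts
@@ -1,12 +1,17 @@
 import fnv1a from '@sindresorhus/fnv1a';
 import { unsealData } from 'iron-session';
 import { cookies } from 'next/headers';
+import { NextRequest } from 'next/server';
 import * as v from 'valibot';
 import { getPKCECookieOptions } from './cookie.js';
 import { WORKOS_COOKIE_PASSWORD } from './env-variables.js';
 import { State, StateSchema } from './interfaces.js';
 
 export const PKCE_COOKIE_NAME = 'wos-auth-verifier';
+export const PKCE_STATE_HEADER = 'x-workos-pkce-state';
+export const PKCE_AUTHORIZATION_URL_HEADER = 'x-workos-authorization-url';
+
+const MAX_PKCE_COOKIES = 5;
 
 /**
 * Short, deterministic hex fingerprint of an arbitrary string.
@@ -43,6 +48,81 @@ export async function setPKCECookie(sealedState: string): Promise<void> {
 });
 }
 
+/**
+* Store pending PKCE state in internal middleware headers until the response
+* actually redirects to AuthKit. These headers are stripped before reaching the
+* browser or downstream request handlers.
+*/
+export function setPendingPKCERedirectHeaders(headers: Headers, authorizationUrl: string, sealedState: string): void {
+headers.set(PKCE_AUTHORIZATION_URL_HEADER, authorizationUrl);
+headers.set(PKCE_STATE_HEADER, sealedState);
+}
+
+/**
+* Only set the PKCE cookie for initial document navigations that redirect to
+* AuthKit. Fetch/XHR/RSC/prefetch requests never follow cross-origin redirects
+* to complete OAuth, so they do not need verifier cookies.
+*/
+export function appendPKCESetCookieHeader(request: NextRequest, headers: Headers, sealedState: string): void {
+if (!isInitialDocumentRequest(request)) {
+return;
+}
+
+const newCookieName = getPKCECookieNameForState(sealedState);
+const pkceCookies = request.cookies
+.getAll()
+.filter(({ name }) => name === PKCE_COOKIE_NAME || name.startsWith(`${PKCE_COOKIE_NAME}-`));
+
+// A small number of concurrent PKCE cookies is normal (multiple tabs each
+// starting an OAuth flow). Only purge when accumulation risks HTTP 431.
+if (pkceCookies.length >= MAX_PKCE_COOKIES) {
+const expiredOptions = getPKCECookieOptions(request.url, true, true);
+for (const { name } of pkceCookies) {
+if (name !== newCookieName) {
+headers.append('Set-Cookie', `${name}=; ${expiredOptions}`);
+}
+}
+}
+
+headers.append('Set-Cookie', `${newCookieName}=${sealedState}; ${getPKCECookieOptions(request.url, true)}`);
+}
+
+export function stripPKCESetCookieHeaders(headers: Headers): void {
+const setCookieHeaders = headers.getSetCookie();
+if (setCookieHeaders.length === 0) {
+return;
+}
+
+headers.delete('Set-Cookie');
+
+for (const setCookieHeader of setCookieHeaders) {
+if (!isPKCESetCookieHeader(setCookieHeader)) {
+headers.append('Set-Cookie', setCookieHeader);
+}
+}
+}
+
+export function isInitialDocumentRequest(request: NextRequest): boolean {
+const accept = request.headers.get('accept') || '';
+const isDocumentRequest = accept.includes('text/html');
+const isRSCRequest = request.headers.has('RSC') || request.headers.has('Next-Router-State-Tree');
+const isPrefetch =
+request.headers.get('Purpose') === 'prefetch' ||
+request.headers.get('Sec-Purpose') === 'prefetch' ||
+request.headers.has('Next-Router-Prefetch');
+
+return isDocumentRequest && !isRSCRequest && !isPrefetch;
+}
+
+function isPKCESetCookieHeader(setCookieHeader: string): boolean {
+const separatorIndex = setCookieHeader.indexOf('=');
+if (separatorIndex === -1) {
+return false;
+}
+const cookieName = setCookieHeader.slice(0, separatorIndex);
+return cookieName === PKCE_COOKIE_NAME || cookieName.startsWith(`${PKCE_COOKIE_NAME}-`);
+}
+
 /**
 * Read and unseal the auth cookie containing PKCE code verifier and OAuth state.
 * Throws if the cookie is not in the required state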
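Review bot: In `appendPKCESetCookieHeader` (new lines 72-82) the cookie names written into the expiring `Set-Cookie` headers come straight from the request, filtered only by the `wos-auth-verifier-` prefix. If `getPKCECookieNameForState` always produces an eight-hex-digit suffix, as the spec's `/^wos-auth-verifier-[0-9a-f]{8}=/` pattern suggests, matching that exact shape keeps the purge to names this library could have minted: `.filter(({ name }) => name === PKCE_COOKIE_NAME || /^wos-auth-verifier-[0-9a-f]{8}$/.test(name));`. If purging every prefixed cookie is intended, the comment above the threshold check should say so. Separately, `stripPKCESetCookieHeaders`, `isInitialDocumentRequest` and `isPKCESetCookieHeader` arrive without doc comments, and the cookie-bloat rationale from the comment removed in session.ts would be worth carrying over onto `isInitialDocumentRequest`.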
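--- a/package/src/session.spec.ts
+++ b/package/src/session.spec.ts
@@ -16,6 +16,7 @@ function setEnvVar(mod: Record<string, unknown>, key: string, value: unknown) {
 import { sealData } from 'iron-session';
 import { User } from '@workos-inc/node';
 import { getStateFromPKCECookieValue } from './pkce.js';
+import { handleAuthkitHeaders } from './middleware-helpers.js';
 
 vi.mock('jose', async () => {
 const actual = await vi.importActual<typeof import('jose')>('jose');
@@ -615,7 +616,10 @@ describe('session.ts', () => {
 
 describe('updateSession', () => {
 it('should return an authorization url if the session is invalid', async () => {
-const
+const request = new NextRequest(new URL('http://example.com/protected'), {
+headers: { accept: 'text/html' },
+});
+const result = await updateSession(request, {
 debug: true,
 screenHint: 'sign-up',
 });
@@ -623,6 +627,12 @@ describe('session.ts', () => {
 expect(result.authorizationUrl).toBeDefined();
 expect(result.authorizationUrl).toContain('screen_hint=sign-up');
 expect(result.session.user).toBeNull();
+expect(result.headers.getSetCookie().some((c) => c.includes('wos-auth-verifier'))).toBe(true);
+expect(
+handleAuthkitHeaders(request, result.headers)
+.headers.getSetCookie()
+.some((c) => c.includes('wos-auth-verifier')),
+).toBe(false);
 expect(console.log).toHaveBeenCalledWith('No session found from cookie');
 });
 
@@ -698,6 +708,134 @@ describe('session.ts', () => {
 expect(console.log).toHaveBeenCalledWith('Failed to refresh. Deleting cookie.', expect.any(Error));
 });
 
+describe('PKCE cookie cleanup', () => {
+function documentRequest(url = 'http://example.com/protected'): NextRequest {
+return new NextRequest(new URL(url), {
+headers: { accept: 'text/html' },
+});
+}
+
+function getRedirectSetCookieHeaders(
+request: NextRequest,
+result: Awaited<ReturnType<typeof updateSession>>,
+): string[] {
+return handleAuthkitHeaders(request, result.headers, {
+redirect: result.authorizationUrl,
+}).headers.getSetCookie();
+}
+
+function addStalePKCECookies(request: NextRequest, count: number): void {
+for (let i = 0; i < count; i++) {
+request.cookies.set(`wos-auth-verifier-${i.toString(16).padStart(8, '0')}`, `stale-state-${i}`);
+}
+}
+
+it('should not expire PKCE cookies when below the threshold (concurrent flows preserved)', async () => {
+const request = documentRequest();
+request.cookies.set('wos-auth-verifier-aaaaaaaa', 'stale-sealed-state-a');
+request.cookies.set('wos-auth-verifier-bbbbbbbb', 'stale-sealed-state-b');
+
+const result = await updateSession(request);
+
+expect(result.session.user).toBeNull();
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.startsWith('wos-auth-verifier-aaaaaaaa=;'))).toBe(false);
+expect(setCookies.some((c) => c.startsWith('wos-auth-verifier-bbbbbbbb=;'))).toBe(false);
+// The new PKCE cookie should still be set
+expect(
+setCookies.some(
+(c) =>
+c.match(/^wos-auth-verifier-[0-9a-f]{8}=.+/) &&
+!c.startsWith('wos-auth-verifier-aaaaaaaa') &&
+!c.startsWith('wos-auth-verifier-bbbbbbbb'),
+),
+).toBe(true);
+});
+
+it('should expire all PKCE cookies when at or above the threshold', async () => {
+const request = documentRequest();
+addStalePKCECookies(request, 5);
+
+const result = await updateSession(request);
+
+expect(result.session.user).toBeNull();
+const setCookies = getRedirectSetCookieHeaders(request, result);
+for (let i = 0; i < 5; i++) {
+const name = `wos-auth-verifier-${i.toString(16).padStart(8, '0')}`;
+expect(setCookies.some((c) => c.startsWith(`${name}=;`))).toBe(true);
+}
+// The new PKCE cookie should also be present
+expect(setCookies.some((c) => c.match(/^wos-auth-verifier-[0-9a-f]{8}=.+/) && !c.includes('=;'))).toBe(true);
+});
+
+it('should expire stale PKCE cookies when refresh fails and threshold exceeded', async () => {
+mockSession.accessToken = await generateTestToken({}, true);
+
+(jwtVerify as Mock).mockImplementation(() => {
+throw new Error('Invalid token');
+});
+
+vi.spyOn(workos.userManagement, 'authenticateWithRefreshToken').mockRejectedValue(new Error('Refresh failed'));
+
+const request = documentRequest();
+request.cookies.set(
+'wos-session',
+await sealData(mockSession, { password: process.env.WORKOS_COOKIE_PASSWORD as string }),
+);
+addStalePKCECookies(request, 5);
+
+const result = await updateSession(request);
+
+expect(result.session.user).toBeNull();
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.startsWith('wos-auth-verifier-00000000=;'))).toBe(true);
+});
+
+it('should not expire PKCE cookies for non-document requests', async () => {
+const request = new NextRequest(new URL('http://example.com/protected'), {
+headers: { RSC: '1' },
+});
+addStalePKCECookies(request, 10);
+
+const result = await updateSession(request);
+
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.includes('wos-auth-verifier'))).toBe(false);
+});
+
+it('should not expire non-PKCE cookies', async () => {
+const request = documentRequest();
+request.cookies.set('some-other-cookie', 'value');
+addStalePKCECookies(request, 5);
+
+const result = await updateSession(request);
+
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.startsWith('some-other-cookie=;'))).toBe(false);
+});
+
+it('should not expire legacy wos-auth-verifier cookie when below threshold', async () => {
+const request = documentRequest();
+request.cookies.set('wos-auth-verifier', 'legacy-sealed-state');
+
+const result = await updateSession(request);
+
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.startsWith('wos-auth-verifier=;'))).toBe(false);
+});
+
+it('should expire legacy wos-auth-verifier cookie when threshold exceeded', async () => {
+const request = documentRequest();
+request.cookies.set('wos-auth-verifier', 'legacy-sealed-state');
+addStalePKCECookies(request, 5);
+
+const result = await updateSession(request);
+
+const setCookies = getRedirectSetCookieHeaders(request, result);
+expect(setCookies.some((c) => c.startsWith('wos-auth-verifier=;'))).toBe(true);
+});
+});
+
 it('should call onSessionRefreshSuccess when refresh succeeds', async () => {
 // Setup invalid session
 mockSession.accessToken = await generateTestToken({}, true);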
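Review bot: The cleanup tests in the 'PKCE cookie cleanup' block assert only that an expiring header starts with `<name>=;`, so they would still pass if its attributes stopped matching the ones used when the cookie was set. A browser removes a cookie only when name, Path and Domain line up, so in 'should expire all PKCE cookies when at or above the threshold' I would add a check introduced by `// expiring header must carry the same Path/Domain as the freshly set verifier cookie`, comparing the two attribute lists with the expiry fields ignored. The non-document case also covers only the `RSC` header. A request built with `headers: { accept: 'text/html', 'Sec-Purpose': 'prefetch' }` would cover the prefetch branch of `isInitialDocumentRequest` as well.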
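--- a/package/src/session.ts
+++ b/package/src/session.ts
@@ -5,7 +5,7 @@ import { JWTPayload, createRemoteJWKSet, decodeJwt, jwtVerify } from 'jose';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { NextRequest } from 'next/server';
-import { getCookieOptions, getJwtCookie
+import { getCookieOptions, getJwtCookie } from './cookie.js';
 import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_REDIRECT_URI } from './env-variables.js';
 import { TokenRefreshError, getSessionErrorContext } from './errors.js';
 import { getAuthorizationUrl } from './get-authorization-url.js';
@@ -18,7 +18,12 @@ import {
 Session,
 UserInfo,
 } from './interfaces.js';
-import {
+import {
+appendPKCESetCookieHeader,
+isInitialDocumentRequest,
+setPKCECookie,
+setPendingPKCERedirectHeaders,
+} from './pkce.js';
 import { getWorkOS } from './workos.js';
 
 import type { AuthenticationResponse } from '@workos-inc/node';
@@ -26,23 +31,6 @@ import { parse, tokensToRegexp } from 'path-to-regexp';
 import { handleAuthkitHeaders } from './middleware-helpers.js';
 import { lazy, setCachePreventionHeaders } from './utils.js';
 
-// Only set the PKCE cookie for initial document navigations — fetch/XHR/RSC/prefetch
-// requests never follow cross-origin redirects so they'll never complete the OAuth
-// flow and therefore don't need the cookie set.
-// This prevents cookie bloat (HTTP 431) when multiple requests fire concurrently
-// now that we are generating unique cookie names per flow, they add up quickly if
-// we don't limit to just the initial navigation request
-function appendPKCESetCookieHeader(request: NextRequest, headers: Headers, sealedState: string): void {
-if (!isInitialDocumentRequest(request)) {
-return;
-}
-
-headers.append(
-'Set-Cookie',
-`${getPKCECookieNameForState(sealedState)}=${sealedState}; ${getPKCECookieOptions(request.url, true)}`,
-);
-}
-
 const sessionHeaderName = 'x-workos-session';
 const middlewareHeaderName = 'x-workos-middleware';
 const signUpPathsHeaderName = 'x-sign-up-paths';
@@ -93,21 +81,6 @@ function applyCacheSecurityHeaders(
 setCachePreventionHeaders(headers);
 }
 
-/**
-* Determines if a request is for an initial document load (not API/RSC/prefetch)
-*/
-function isInitialDocumentRequest(request: NextRequest): boolean {
-const accept = request.headers.get('accept') || '';
-const isDocumentRequest = accept.includes('text/html');
-const isRSCRequest = request.headers.has('RSC') || request.headers.has('Next-Router-State-Tree');
-const isPrefetch =
-request.headers.get('Purpose') === 'prefetch' ||
-request.headers.get('Sec-Purpose') === 'prefetch' ||
-request.headers.has('Next-Router-Prefetch');
-
-return isDocumentRequest && !isRSCRequest && !isPrefetch;
-}
-
 async function encryptSession(session: Session) {
 return sealData(session, {
 password: WORKOS_COOKIE_PASSWORD,
@@ -226,6 +199,7 @@ async function updateSession(
 screenHint: options.screenHint,
 });
 
+setPendingPKCERedirectHeaders(newRequestHeaders, authorizationUrl, sealedState);
 appendPKCESetCookieHeader(request, newRequestHeaders, sealedState);
 
 return {
@@ -368,6 +342,7 @@ async function updateSession(
 redirectUri: options.redirectUri || WORKOS_REDIRECT_URI,
 });
 
+setPendingPKCERedirectHeaders(newRequestHeaders, authorizationUrl, sealedState);
 appendPKCESetCookieHeader(request, newRequestHeaders, sealedState);
 
 return {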
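Review bot: `updateSession` now puts the sealed state into `newRequestHeaders` twice at both call sites (new lines 202-203 and 345-346), once as the pending `x-workos-pkce-state` header and once as a `Set-Cookie`, and nothing there says why both are needed. From the specs it looks as if the `Set-Cookie` is kept for callers that build their own response from `result.headers`, while `handleAuthkitHeaders` strips it and re-adds it only on a redirect to `authorizationUrl`. If that is the intent, a comment such as `// Set-Cookie kept for callers that bypass handleAuthkitHeaders; the helper strips it and re-adds it only when redirecting to authorizationUrl` would help. Those callers would presumably also have to drop the two pending headers themselves before responding, which deserves a line in the `updateSession` documentation. Both hunks sit in the middle of `updateSession`, whose body starts and ends outside the visible lines.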