npm - alepha - Versions diffs - 0.14.0 → 0.14.2 - Mend

alepha 0.14.0 → 0.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/README.md +3 -3
package/dist/api/audits/index.d.ts +80 -1
package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.d.ts +80 -1
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.d.ts +236 -157
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/notifications/index.d.ts +21 -1
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/parameters/index.d.ts +451 -4
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/users/index.d.ts +252 -249
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +4 -0
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.d.ts +128 -128
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/batch/index.js.map +1 -1
package/dist/cache/core/index.js.map +1 -1
package/dist/cli/index.d.ts +304 -115
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +650 -531
package/dist/cli/index.js.map +1 -1
package/dist/command/index.d.ts +210 -13
package/dist/command/index.d.ts.map +1 -1
package/dist/command/index.js +306 -69
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +1 -1
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +7 -6
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +7 -6
package/dist/core/index.native.js.map +1 -1
package/dist/datetime/index.js.map +1 -1
package/dist/fake/index.js.map +1 -1
package/dist/file/index.d.ts.map +1 -1
package/dist/file/index.js.map +1 -1
package/dist/lock/redis/index.js.map +1 -1
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.js.map +1 -1
package/dist/orm/index.browser.js +26 -5
package/dist/orm/index.browser.js.map +1 -1
package/dist/orm/index.d.ts +294 -215
package/dist/orm/index.d.ts.map +1 -1
package/dist/orm/index.js +522 -523
package/dist/orm/index.js.map +1 -1
package/dist/queue/redis/index.js +2 -4
package/dist/queue/redis/index.js.map +1 -1
package/dist/redis/index.d.ts +400 -29
package/dist/redis/index.d.ts.map +1 -1
package/dist/redis/index.js +412 -21
package/dist/redis/index.js.map +1 -1
package/dist/retry/index.js.map +1 -1
package/dist/router/index.js.map +1 -1
package/dist/scheduler/index.js.map +1 -1
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts +155 -155
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cache/index.js.map +1 -1
package/dist/server/cookies/index.browser.js.map +1 -1
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts +0 -1
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js.map +1 -1
package/dist/server/helmet/index.d.ts +4 -1
package/dist/server/helmet/index.d.ts.map +1 -1
package/dist/server/helmet/index.js.map +1 -1
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.js.map +1 -1
package/dist/server/multipart/index.d.ts.map +1 -1
package/dist/server/multipart/index.js.map +1 -1
package/dist/server/proxy/index.js.map +1 -1
package/dist/server/rate-limit/index.js.map +1 -1
package/dist/server/security/index.d.ts +9 -9
package/dist/server/security/index.js.map +1 -1
package/dist/server/swagger/index.js.map +1 -1
package/dist/thread/index.js.map +1 -1
package/dist/topic/core/index.js.map +1 -1
package/dist/topic/redis/index.js +3 -3
package/dist/topic/redis/index.js.map +1 -1
package/dist/vite/index.js +9 -6
package/dist/vite/index.js.map +1 -1
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +7 -7
package/dist/websocket/index.js.map +1 -1
package/package.json +3 -3
package/src/api/users/index.ts +4 -0
package/src/cli/apps/AlephaCli.ts +36 -14
package/src/cli/apps/AlephaPackageBuilderCli.ts +5 -1
package/src/cli/assets/appRouterTs.ts +1 -1
package/src/cli/atoms/changelogOptions.ts +45 -0
package/src/cli/commands/{ViteCommands.ts → build.ts} +4 -93
package/src/cli/commands/changelog.ts +244 -0
package/src/cli/commands/clean.ts +14 -0
package/src/cli/commands/{DrizzleCommands.ts → db.ts} +37 -124
package/src/cli/commands/deploy.ts +118 -0
package/src/cli/commands/dev.ts +57 -0
package/src/cli/commands/format.ts +17 -0
package/src/cli/commands/{CoreCommands.ts → init.ts} +2 -40
package/src/cli/commands/lint.ts +17 -0
package/src/cli/commands/root.ts +32 -0
package/src/cli/commands/run.ts +24 -0
package/src/cli/commands/test.ts +42 -0
package/src/cli/commands/typecheck.ts +19 -0
package/src/cli/commands/{VerifyCommands.ts → verify.ts} +1 -13
package/src/cli/defineConfig.ts +24 -0
package/src/cli/index.ts +17 -5
package/src/cli/services/AlephaCliUtils.ts +4 -21
package/src/cli/services/GitMessageParser.ts +77 -0
package/src/command/helpers/EnvUtils.ts +37 -0
package/src/command/index.ts +3 -1
package/src/command/primitives/$command.ts +172 -6
package/src/command/providers/CliProvider.ts +424 -91
package/src/core/Alepha.ts +8 -5
package/src/file/providers/NodeFileSystemProvider.ts +3 -1
package/src/orm/index.browser.ts +1 -1
package/src/orm/index.ts +18 -10
package/src/orm/interfaces/PgQueryWhere.ts +1 -26
package/src/orm/providers/{PostgresTypeProvider.ts → DatabaseTypeProvider.ts} +25 -3
package/src/orm/providers/drivers/BunPostgresProvider.ts +225 -0
package/src/orm/providers/drivers/BunSqliteProvider.ts +180 -0
package/src/orm/providers/drivers/DatabaseProvider.ts +25 -0
package/src/orm/providers/drivers/NodePostgresProvider.ts +0 -25
package/src/orm/services/QueryManager.ts +10 -125
package/src/queue/redis/providers/RedisQueueProvider.ts +2 -7
package/src/redis/index.ts +65 -3
package/src/redis/providers/BunRedisProvider.ts +304 -0
package/src/redis/providers/BunRedisSubscriberProvider.ts +94 -0
package/src/redis/providers/NodeRedisProvider.ts +280 -0
package/src/redis/providers/NodeRedisSubscriberProvider.ts +94 -0
package/src/redis/providers/RedisProvider.ts +134 -140
package/src/redis/providers/RedisSubscriberProvider.ts +58 -49
package/src/server/core/providers/BunHttpServerProvider.ts +0 -3
package/src/server/core/providers/ServerBodyParserProvider.ts +3 -1
package/src/server/core/providers/ServerProvider.ts +7 -4
package/src/server/multipart/providers/ServerMultipartProvider.ts +3 -1
package/src/server/proxy/providers/ServerProxyProvider.ts +1 -1
package/src/topic/redis/providers/RedisTopicProvider.ts +3 -3
package/src/vite/tasks/buildServer.ts +1 -0
package/src/cli/commands/BiomeCommands.ts +0 -29
package/src/cli/commands/ChangelogCommands.ts +0 -389
package/src/orm/services/PgJsonQueryManager.ts +0 -511

package/dist/retry/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["lastError: Error \| undefined"],"sources":["../../src/retry/errors/RetryCancelError.ts","../../src/retry/errors/RetryTimeoutError.ts","../../src/retry/providers/RetryProvider.ts","../../src/retry/primitives/$retry.ts","../../src/retry/index.ts"],"sourcesContent":["import { AlephaError } from \"alepha\";\n\nexport class RetryCancelError extends AlephaError {\n constructor() {\n super(\"Retry operation was cancelled.\");\n this.name = \"RetryCancelError\";\n }\n}\n","import { AlephaError } from \"alepha\";\n\nexport class RetryTimeoutError extends AlephaError {\n constructor(duration: number) {\n super(`Retry operation timed out after ${duration}ms.`);\n this.name = \"RetryTimeoutError\";\n }\n}\n","import { $inject } from \"alepha\";\nimport { DateTimeProvider, type DurationLike } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport { RetryCancelError } from \"../errors/RetryCancelError.ts\";\nimport { RetryTimeoutError } from \"../errors/RetryTimeoutError.ts\";\n\nexport interface RetryOptions<T extends (...args: any[]) => any> {\n /*\n The function to retry.\n /\n handler: T;\n\n /\n The maximum number of attempts.\n \n @default 3\n /\n max?: number;\n\n /\n The backoff strategy for delays between retries.\n * Can be a fixed number (in ms) or a configuration object for exponential backoff.\n \n @default { initial: 200, factor: 2, jitter: true }\n /\n backoff?: number \| RetryBackoffOptions;\n\n /\n An overall time limit for all retry attempts combined.\n \n e.g., `[5, 'seconds']`\n /\n maxDuration?: DurationLike;\n\n /\n A function that determines if a retry should be attempted based on the error.\n \n @default (error) => true (retries on any error)\n /\n when?: (error: Error) => boolean;\n\n /\n A custom callback for when a retry attempt fails.\n * This is called before the delay.\n /\n onError?: (error: Error, attempt: number, ...args: Parameters<T>) => void;\n\n /\n An AbortSignal to allow for external cancellation of the retry loop.\n /\n signal?: AbortSignal;\n\n /\n An additional AbortSignal to combine with the provided signal.\n * Used internally by $retry to handle app lifecycle.\n /\n additionalSignal?: AbortSignal;\n}\n\nexport interface RetryBackoffOptions {\n /\n Initial delay in milliseconds.\n \n @default 200\n /\n initial?: number;\n\n /\n Multiplier for each subsequent delay.\n \n @default 2\n /\n factor?: number;\n\n /\n Maximum delay in milliseconds.\n /\n max?: number;\n\n /\n If true, adds a random jitter to the delay to prevent thundering herd.\n \n @default true\n /\n jitter?: boolean;\n}\n\n/\n Service for executing functions with automatic retry logic.\n * Supports exponential backoff, max duration, conditional retries, and cancellation.\n /\nexport class RetryProvider {\n protected readonly log = $logger();\n protected readonly dateTime = $inject(DateTimeProvider);\n\n /\n Execute a function with automatic retry logic.\n /\n async retry<T extends (...args: any[]) => any>(\n options: RetryOptions<T>,\n ...args: Parameters<T>\n ): Promise<ReturnType<T>> {\n const maxAttempts = options.max ?? 3;\n const when = options.when ?? (() => true);\n const { handler, onError } = options;\n\n let lastError: Error \| undefined;\n const startTime = Date.now();\n\n const maxDurationMs = options.maxDuration\n ? this.dateTime.duration(options.maxDuration).asMilliseconds()\n : Infinity;\n\n // Combine user-provided signal with additional signal (e.g., app lifecycle)\n const signals = [options.signal, options.additionalSignal].filter(Boolean);\n const onAbort = () => {\n // Always set RetryCancelError when aborted, even if another error exists\n // This ensures cancellation takes precedence over retry errors\n lastError = new RetryCancelError();\n };\n\n // Add abort listeners to all signals\n for (const signal of signals) {\n signal?.addEventListener(\"abort\", onAbort);\n }\n\n // FIX BUG #8: Create combined signal ONCE at the start instead of on each backoff\n // This prevents memory leak from creating multiple AbortSignal.any() instances\n const waitSignals = [options.signal, options.additionalSignal].filter(\n Boolean,\n ) as AbortSignal[];\n const combinedSignal =\n waitSignals.length > 0 ? AbortSignal.any(waitSignals) : undefined;\n\n try {\n for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n // Check for cancellation\n if (signals.some((signal) => signal?.aborted)) {\n throw new RetryCancelError();\n }\n\n // Check for timeout before attempting\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n try {\n const result = await handler(...args);\n\n // Check for timeout after handler execution\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n return result;\n } catch (err) {\n lastError = err as Error;\n\n // Check for timeout after error\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n // Log the error with warning level\n this.log.warn(\"Retry attempt failed\", {\n attempt,\n maxAttempts,\n remainingAttempts: maxAttempts - attempt,\n error: lastError.message,\n errorName: lastError.name,\n });\n\n if (!(err instanceof Error) \|\| !when(err)) {\n throw err; // don't retry if it's not an Error or `when` returns false\n }\n\n // FIX BUG #7: Call onError BEFORE checking if this is the final attempt\n // This ensures onError is called for ALL failed attempts, including the last one\n if (onError) {\n onError(err, attempt, ...args);\n }\n\n if (attempt >= maxAttempts) {\n break; // will throw lastError after the loop\n }\n\n // Calculate and wait for backoff delay\n const delay = this.calculateBackoff(attempt, options.backoff);\n if (delay > 0) {\n await this.dateTime.wait(delay, { signal: combinedSignal });\n }\n\n // Check for timeout after backoff wait before next attempt\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n }\n }\n } finally {\n // Clean up listeners to prevent memory leaks\n for (const signal of signals) {\n signal?.removeEventListener(\"abort\", onAbort);\n }\n }\n\n throw lastError;\n }\n\n /\n Calculate the backoff delay for a given attempt.\n /\n protected calculateBackoff(\n attempt: number,\n options?: number \| RetryBackoffOptions,\n ): number {\n if (typeof options === \"number\") {\n return options;\n }\n\n const initial = options?.initial ?? 200;\n const factor = options?.factor ?? 2;\n const max = options?.max ?? 10000;\n const useJitter = options?.jitter !== false;\n\n const exponential = initial factor ** (attempt - 1);\n let delay = Math.min(exponential, max);\n\n if (useJitter) {\n // Add a random amount of jitter (e.g., up to 50% of the delay)\n delay = delay * (1 + Math.random() * 0.5);\n }\n\n return Math.floor(delay);\n }\n}\n","import {\n $inject,\n createPrimitive,\n KIND,\n Primitive,\n type PrimitiveArgs,\n} from \"alepha\";\nimport type { DurationLike } from \"alepha/datetime\";\nimport type { RetryBackoffOptions } from \"../providers/RetryProvider.ts\";\nimport { RetryProvider } from \"../providers/RetryProvider.ts\";\n\n/*\n Creates a function that automatically retries a handler upon failure,\n * with support for exponential backoff, max duration, and cancellation.\n /\nexport const $retry = <T extends (...args: any[]) => any>(\n options: RetryPrimitiveOptions<T>,\n): RetryPrimitiveFn<T> => {\n const instance = createPrimitive(RetryPrimitive, options);\n const fn = (...args: Parameters<T>) => instance.run(...args);\n return Object.setPrototypeOf(fn, instance) as RetryPrimitiveFn<T>;\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RetryPrimitiveOptions<T extends (...args: any[]) => any> {\n /\n The function to retry.\n /\n handler: T;\n\n /\n The maximum number of attempts.\n \n @default 3\n /\n max?: number;\n\n /\n The backoff strategy for delays between retries.\n * Can be a fixed number (in ms) or a configuration object for exponential backoff.\n \n @default { initial: 200, factor: 2, jitter: true }\n /\n backoff?: number \| RetryBackoffOptions;\n\n /\n An overall time limit for all retry attempts combined.\n \n e.g., `[5, 'seconds']`\n /\n maxDuration?: DurationLike;\n\n /\n A function that determines if a retry should be attempted based on the error.\n \n @default (error) => true (retries on any error)\n /\n when?: (error: Error) => boolean;\n\n /\n A custom callback for when a retry attempt fails.\n * This is called before the delay.\n /\n onError?: (error: Error, attempt: number, ...args: Parameters<T>) => void;\n\n /\n An AbortSignal to allow for external cancellation of the retry loop.\n /\n signal?: AbortSignal;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RetryPrimitive<\n T extends (...args: any[]) => any,\n> extends Primitive<RetryPrimitiveOptions<T>> {\n protected readonly retryProvider = $inject(RetryProvider);\n protected appAbortController?: AbortController;\n\n constructor(args: PrimitiveArgs<RetryPrimitiveOptions<T>>) {\n super(args);\n\n this.alepha.events.on(\"stop\", () => {\n this.appAbortController?.abort();\n });\n }\n\n async run(...args: Parameters<T>): Promise<ReturnType<T>> {\n // Nov 25: Cloudflare does not like 'new AbortController' outside main handler, we can't pre-create it in the constructor.\n this.appAbortController ??= new AbortController();\n\n return this.retryProvider.retry(\n {\n ...this.options,\n additionalSignal: this.appAbortController.signal,\n },\n ...args,\n );\n }\n}\n\nexport interface RetryPrimitiveFn<T extends (...args: any[]) => any>\n extends RetryPrimitive<T> {\n (...args: Parameters<T>): Promise<ReturnType<T>>;\n}\n\n$retry[KIND] = RetryPrimitive;\n","import { $module } from \"alepha\";\nimport { $retry } from \"./primitives/$retry.ts\";\nimport { RetryProvider } from \"./providers/RetryProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./errors/RetryCancelError.ts\";\nexport * from \"./errors/RetryTimeoutError.ts\";\nexport * from \"./primitives/$retry.ts\";\nexport * from \"./providers/RetryProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/*\n Retry mechanism provider for Alepha applications.\n \n @see {@link RetryProvider}\n * @module alepha.retry\n */\nexport const AlephaRetry = $module({\n name: \"alepha.retry\",\n primitives: [$retry],\n services: [RetryProvider],\n});\n"],"mappings":";;;;;AAEA,IAAa,mBAAb,cAAsC,YAAY;CAChD,cAAc;AACZ,QAAM,iCAAiC;AACvC,OAAK,OAAO;;;;;;ACHhB,IAAa,oBAAb,cAAuC,YAAY;CACjD,YAAY,UAAkB;AAC5B,QAAM,mCAAmC,SAAS,KAAK;AACvD,OAAK,OAAO;;;;;;;;;;ACsFhB,IAAa,gBAAb,MAA2B;CACzB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAAW,QAAQ,iBAAiB;;;;CAKvD,MAAM,MACJ,SACA,GAAG,MACqB;EACxB,MAAM,cAAc,QAAQ,OAAO;EACnC,MAAM,OAAO,QAAQ,eAAe;EACpC,MAAM,EAAE,SAAS,YAAY;EAE7B,IAAIA;EACJ,MAAM,YAAY,KAAK,KAAK;EAE5B,MAAM,gBAAgB,QAAQ,cAC1B,KAAK,SAAS,SAAS,QAAQ,YAAY,CAAC,gBAAgB,GAC5D;EAGJ,MAAM,UAAU,CAAC,QAAQ,QAAQ,QAAQ,iBAAiB,CAAC,OAAO,QAAQ;EAC1E,MAAM,gBAAgB;AAGpB,eAAY,IAAI,kBAAkB;;AAIpC,OAAK,MAAM,UAAU,QACnB,SAAQ,iBAAiB,SAAS,QAAQ;EAK5C,MAAM,cAAc,CAAC,QAAQ,QAAQ,QAAQ,iBAAiB,CAAC,OAC7D,QACD;EACD,MAAM,iBACJ,YAAY,SAAS,IAAI,YAAY,IAAI,YAAY,GAAG;AAE1D,MAAI;AACF,QAAK,IAAI,UAAU,GAAG,WAAW,aAAa,WAAW;AAEvD,QAAI,QAAQ,MAAM,WAAW,QAAQ,QAAQ,CAC3C,OAAM,IAAI,kBAAkB;AAI9B,QAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAG5C,QAAI;KACF,MAAM,SAAS,MAAM,QAAQ,GAAG,KAAK;AAGrC,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAG5C,YAAO;aACA,KAAK;AACZ,iBAAY;AAGZ,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAI5C,UAAK,IAAI,KAAK,wBAAwB;MACpC;MACA;MACA,mBAAmB,cAAc;MACjC,OAAO,UAAU;MACjB,WAAW,UAAU;MACtB,CAAC;AAEF,SAAI,EAAE,eAAe,UAAU,CAAC,KAAK,IAAI,CACvC,OAAM;AAKR,SAAI,QACF,SAAQ,KAAK,SAAS,GAAG,KAAK;AAGhC,SAAI,WAAW,YACb;KAIF,MAAM,QAAQ,KAAK,iBAAiB,SAAS,QAAQ,QAAQ;AAC7D,SAAI,QAAQ,EACV,OAAM,KAAK,SAAS,KAAK,OAAO,EAAE,QAAQ,gBAAgB,CAAC;AAI7D,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;;;YAIxC;AAER,QAAK,MAAM,UAAU,QACnB,SAAQ,oBAAoB,SAAS,QAAQ;;AAIjD,QAAM;;;;;CAMR,AAAU,iBACR,SACA,SACQ;AACR,MAAI,OAAO,YAAY,SACrB,QAAO;EAGT,MAAM,UAAU,SAAS,WAAW;EACpC,MAAM,SAAS,SAAS,UAAU;EAClC,MAAM,MAAM,SAAS,OAAO;EAC5B,MAAM,YAAY,SAAS,WAAW;EAEtC,MAAM,cAAc,UAAU,WAAW,UAAU;EACnD,IAAI,QAAQ,KAAK,IAAI,aAAa,IAAI;AAEtC,MAAI,UAEF,SAAQ,SAAS,IAAI,KAAK,QAAQ,GAAG;AAGvC,SAAO,KAAK,MAAM,MAAM;;;;;;;;;;ACzN5B,MAAa,UACX,YACwB;CACxB,MAAM,WAAW,gBAAgB,gBAAgB,QAAQ;CACzD,MAAM,MAAM,GAAG,SAAwB,SAAS,IAAI,GAAG,KAAK;AAC5D,QAAO,OAAO,eAAe,IAAI,SAAS;;AAsD5C,IAAa,iBAAb,cAEU,UAAoC;CAC5C,AAAmB,gBAAgB,QAAQ,cAAc;CACzD,AAAU;CAEV,YAAY,MAA+C;AACzD,QAAM,KAAK;AAEX,OAAK,OAAO,OAAO,GAAG,cAAc;AAClC,QAAK,oBAAoB,OAAO;IAChC;;CAGJ,MAAM,IAAI,GAAG,MAA6C;AAExD,OAAK,uBAAuB,IAAI,iBAAiB;AAEjD,SAAO,KAAK,cAAc,MACxB;GACE,GAAG,KAAK;GACR,kBAAkB,KAAK,mBAAmB;GAC3C,EACD,GAAG,KACJ;;;AASL,OAAO,QAAQ;;;;;;;;;;ACxFf,MAAa,cAAc,QAAQ;CACjC,MAAM;CACN,YAAY,CAAC,OAAO;CACpB,UAAU,CAAC,cAAc;CAC1B,CAAC"}
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../src/retry/errors/RetryCancelError.ts","../../src/retry/errors/RetryTimeoutError.ts","../../src/retry/providers/RetryProvider.ts","../../src/retry/primitives/$retry.ts","../../src/retry/index.ts"],"sourcesContent":["import { AlephaError } from \"alepha\";\n\nexport class RetryCancelError extends AlephaError {\n constructor() {\n super(\"Retry operation was cancelled.\");\n this.name = \"RetryCancelError\";\n }\n}\n","import { AlephaError } from \"alepha\";\n\nexport class RetryTimeoutError extends AlephaError {\n constructor(duration: number) {\n super(`Retry operation timed out after ${duration}ms.`);\n this.name = \"RetryTimeoutError\";\n }\n}\n","import { $inject } from \"alepha\";\nimport { DateTimeProvider, type DurationLike } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport { RetryCancelError } from \"../errors/RetryCancelError.ts\";\nimport { RetryTimeoutError } from \"../errors/RetryTimeoutError.ts\";\n\nexport interface RetryOptions<T extends (...args: any[]) => any> {\n /*\n The function to retry.\n /\n handler: T;\n\n /\n The maximum number of attempts.\n \n @default 3\n /\n max?: number;\n\n /\n The backoff strategy for delays between retries.\n * Can be a fixed number (in ms) or a configuration object for exponential backoff.\n \n @default { initial: 200, factor: 2, jitter: true }\n /\n backoff?: number \| RetryBackoffOptions;\n\n /\n An overall time limit for all retry attempts combined.\n \n e.g., `[5, 'seconds']`\n /\n maxDuration?: DurationLike;\n\n /\n A function that determines if a retry should be attempted based on the error.\n \n @default (error) => true (retries on any error)\n /\n when?: (error: Error) => boolean;\n\n /\n A custom callback for when a retry attempt fails.\n * This is called before the delay.\n /\n onError?: (error: Error, attempt: number, ...args: Parameters<T>) => void;\n\n /\n An AbortSignal to allow for external cancellation of the retry loop.\n /\n signal?: AbortSignal;\n\n /\n An additional AbortSignal to combine with the provided signal.\n * Used internally by $retry to handle app lifecycle.\n /\n additionalSignal?: AbortSignal;\n}\n\nexport interface RetryBackoffOptions {\n /\n Initial delay in milliseconds.\n \n @default 200\n /\n initial?: number;\n\n /\n Multiplier for each subsequent delay.\n \n @default 2\n /\n factor?: number;\n\n /\n Maximum delay in milliseconds.\n /\n max?: number;\n\n /\n If true, adds a random jitter to the delay to prevent thundering herd.\n \n @default true\n /\n jitter?: boolean;\n}\n\n/\n Service for executing functions with automatic retry logic.\n * Supports exponential backoff, max duration, conditional retries, and cancellation.\n /\nexport class RetryProvider {\n protected readonly log = $logger();\n protected readonly dateTime = $inject(DateTimeProvider);\n\n /\n Execute a function with automatic retry logic.\n /\n async retry<T extends (...args: any[]) => any>(\n options: RetryOptions<T>,\n ...args: Parameters<T>\n ): Promise<ReturnType<T>> {\n const maxAttempts = options.max ?? 3;\n const when = options.when ?? (() => true);\n const { handler, onError } = options;\n\n let lastError: Error \| undefined;\n const startTime = Date.now();\n\n const maxDurationMs = options.maxDuration\n ? this.dateTime.duration(options.maxDuration).asMilliseconds()\n : Infinity;\n\n // Combine user-provided signal with additional signal (e.g., app lifecycle)\n const signals = [options.signal, options.additionalSignal].filter(Boolean);\n const onAbort = () => {\n // Always set RetryCancelError when aborted, even if another error exists\n // This ensures cancellation takes precedence over retry errors\n lastError = new RetryCancelError();\n };\n\n // Add abort listeners to all signals\n for (const signal of signals) {\n signal?.addEventListener(\"abort\", onAbort);\n }\n\n // FIX BUG #8: Create combined signal ONCE at the start instead of on each backoff\n // This prevents memory leak from creating multiple AbortSignal.any() instances\n const waitSignals = [options.signal, options.additionalSignal].filter(\n Boolean,\n ) as AbortSignal[];\n const combinedSignal =\n waitSignals.length > 0 ? AbortSignal.any(waitSignals) : undefined;\n\n try {\n for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n // Check for cancellation\n if (signals.some((signal) => signal?.aborted)) {\n throw new RetryCancelError();\n }\n\n // Check for timeout before attempting\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n try {\n const result = await handler(...args);\n\n // Check for timeout after handler execution\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n return result;\n } catch (err) {\n lastError = err as Error;\n\n // Check for timeout after error\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n\n // Log the error with warning level\n this.log.warn(\"Retry attempt failed\", {\n attempt,\n maxAttempts,\n remainingAttempts: maxAttempts - attempt,\n error: lastError.message,\n errorName: lastError.name,\n });\n\n if (!(err instanceof Error) \|\| !when(err)) {\n throw err; // don't retry if it's not an Error or `when` returns false\n }\n\n // FIX BUG #7: Call onError BEFORE checking if this is the final attempt\n // This ensures onError is called for ALL failed attempts, including the last one\n if (onError) {\n onError(err, attempt, ...args);\n }\n\n if (attempt >= maxAttempts) {\n break; // will throw lastError after the loop\n }\n\n // Calculate and wait for backoff delay\n const delay = this.calculateBackoff(attempt, options.backoff);\n if (delay > 0) {\n await this.dateTime.wait(delay, { signal: combinedSignal });\n }\n\n // Check for timeout after backoff wait before next attempt\n if (Date.now() - startTime >= maxDurationMs) {\n throw new RetryTimeoutError(maxDurationMs);\n }\n }\n }\n } finally {\n // Clean up listeners to prevent memory leaks\n for (const signal of signals) {\n signal?.removeEventListener(\"abort\", onAbort);\n }\n }\n\n throw lastError;\n }\n\n /\n Calculate the backoff delay for a given attempt.\n /\n protected calculateBackoff(\n attempt: number,\n options?: number \| RetryBackoffOptions,\n ): number {\n if (typeof options === \"number\") {\n return options;\n }\n\n const initial = options?.initial ?? 200;\n const factor = options?.factor ?? 2;\n const max = options?.max ?? 10000;\n const useJitter = options?.jitter !== false;\n\n const exponential = initial factor ** (attempt - 1);\n let delay = Math.min(exponential, max);\n\n if (useJitter) {\n // Add a random amount of jitter (e.g., up to 50% of the delay)\n delay = delay * (1 + Math.random() * 0.5);\n }\n\n return Math.floor(delay);\n }\n}\n","import {\n $inject,\n createPrimitive,\n KIND,\n Primitive,\n type PrimitiveArgs,\n} from \"alepha\";\nimport type { DurationLike } from \"alepha/datetime\";\nimport type { RetryBackoffOptions } from \"../providers/RetryProvider.ts\";\nimport { RetryProvider } from \"../providers/RetryProvider.ts\";\n\n/*\n Creates a function that automatically retries a handler upon failure,\n * with support for exponential backoff, max duration, and cancellation.\n /\nexport const $retry = <T extends (...args: any[]) => any>(\n options: RetryPrimitiveOptions<T>,\n): RetryPrimitiveFn<T> => {\n const instance = createPrimitive(RetryPrimitive, options);\n const fn = (...args: Parameters<T>) => instance.run(...args);\n return Object.setPrototypeOf(fn, instance) as RetryPrimitiveFn<T>;\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RetryPrimitiveOptions<T extends (...args: any[]) => any> {\n /\n The function to retry.\n /\n handler: T;\n\n /\n The maximum number of attempts.\n \n @default 3\n /\n max?: number;\n\n /\n The backoff strategy for delays between retries.\n * Can be a fixed number (in ms) or a configuration object for exponential backoff.\n \n @default { initial: 200, factor: 2, jitter: true }\n /\n backoff?: number \| RetryBackoffOptions;\n\n /\n An overall time limit for all retry attempts combined.\n \n e.g., `[5, 'seconds']`\n /\n maxDuration?: DurationLike;\n\n /\n A function that determines if a retry should be attempted based on the error.\n \n @default (error) => true (retries on any error)\n /\n when?: (error: Error) => boolean;\n\n /\n A custom callback for when a retry attempt fails.\n * This is called before the delay.\n /\n onError?: (error: Error, attempt: number, ...args: Parameters<T>) => void;\n\n /\n An AbortSignal to allow for external cancellation of the retry loop.\n /\n signal?: AbortSignal;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RetryPrimitive<\n T extends (...args: any[]) => any,\n> extends Primitive<RetryPrimitiveOptions<T>> {\n protected readonly retryProvider = $inject(RetryProvider);\n protected appAbortController?: AbortController;\n\n constructor(args: PrimitiveArgs<RetryPrimitiveOptions<T>>) {\n super(args);\n\n this.alepha.events.on(\"stop\", () => {\n this.appAbortController?.abort();\n });\n }\n\n async run(...args: Parameters<T>): Promise<ReturnType<T>> {\n // Nov 25: Cloudflare does not like 'new AbortController' outside main handler, we can't pre-create it in the constructor.\n this.appAbortController ??= new AbortController();\n\n return this.retryProvider.retry(\n {\n ...this.options,\n additionalSignal: this.appAbortController.signal,\n },\n ...args,\n );\n }\n}\n\nexport interface RetryPrimitiveFn<T extends (...args: any[]) => any>\n extends RetryPrimitive<T> {\n (...args: Parameters<T>): Promise<ReturnType<T>>;\n}\n\n$retry[KIND] = RetryPrimitive;\n","import { $module } from \"alepha\";\nimport { $retry } from \"./primitives/$retry.ts\";\nimport { RetryProvider } from \"./providers/RetryProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./errors/RetryCancelError.ts\";\nexport * from \"./errors/RetryTimeoutError.ts\";\nexport * from \"./primitives/$retry.ts\";\nexport * from \"./providers/RetryProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/*\n Retry mechanism provider for Alepha applications.\n \n @see {@link RetryProvider}\n * @module alepha.retry\n */\nexport const AlephaRetry = $module({\n name: \"alepha.retry\",\n primitives: [$retry],\n services: [RetryProvider],\n});\n"],"mappings":";;;;;AAEA,IAAa,mBAAb,cAAsC,YAAY;CAChD,cAAc;AACZ,QAAM,iCAAiC;AACvC,OAAK,OAAO;;;;;;ACHhB,IAAa,oBAAb,cAAuC,YAAY;CACjD,YAAY,UAAkB;AAC5B,QAAM,mCAAmC,SAAS,KAAK;AACvD,OAAK,OAAO;;;;;;;;;;ACsFhB,IAAa,gBAAb,MAA2B;CACzB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAAW,QAAQ,iBAAiB;;;;CAKvD,MAAM,MACJ,SACA,GAAG,MACqB;EACxB,MAAM,cAAc,QAAQ,OAAO;EACnC,MAAM,OAAO,QAAQ,eAAe;EACpC,MAAM,EAAE,SAAS,YAAY;EAE7B,IAAI;EACJ,MAAM,YAAY,KAAK,KAAK;EAE5B,MAAM,gBAAgB,QAAQ,cAC1B,KAAK,SAAS,SAAS,QAAQ,YAAY,CAAC,gBAAgB,GAC5D;EAGJ,MAAM,UAAU,CAAC,QAAQ,QAAQ,QAAQ,iBAAiB,CAAC,OAAO,QAAQ;EAC1E,MAAM,gBAAgB;AAGpB,eAAY,IAAI,kBAAkB;;AAIpC,OAAK,MAAM,UAAU,QACnB,SAAQ,iBAAiB,SAAS,QAAQ;EAK5C,MAAM,cAAc,CAAC,QAAQ,QAAQ,QAAQ,iBAAiB,CAAC,OAC7D,QACD;EACD,MAAM,iBACJ,YAAY,SAAS,IAAI,YAAY,IAAI,YAAY,GAAG;AAE1D,MAAI;AACF,QAAK,IAAI,UAAU,GAAG,WAAW,aAAa,WAAW;AAEvD,QAAI,QAAQ,MAAM,WAAW,QAAQ,QAAQ,CAC3C,OAAM,IAAI,kBAAkB;AAI9B,QAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAG5C,QAAI;KACF,MAAM,SAAS,MAAM,QAAQ,GAAG,KAAK;AAGrC,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAG5C,YAAO;aACA,KAAK;AACZ,iBAAY;AAGZ,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;AAI5C,UAAK,IAAI,KAAK,wBAAwB;MACpC;MACA;MACA,mBAAmB,cAAc;MACjC,OAAO,UAAU;MACjB,WAAW,UAAU;MACtB,CAAC;AAEF,SAAI,EAAE,eAAe,UAAU,CAAC,KAAK,IAAI,CACvC,OAAM;AAKR,SAAI,QACF,SAAQ,KAAK,SAAS,GAAG,KAAK;AAGhC,SAAI,WAAW,YACb;KAIF,MAAM,QAAQ,KAAK,iBAAiB,SAAS,QAAQ,QAAQ;AAC7D,SAAI,QAAQ,EACV,OAAM,KAAK,SAAS,KAAK,OAAO,EAAE,QAAQ,gBAAgB,CAAC;AAI7D,SAAI,KAAK,KAAK,GAAG,aAAa,cAC5B,OAAM,IAAI,kBAAkB,cAAc;;;YAIxC;AAER,QAAK,MAAM,UAAU,QACnB,SAAQ,oBAAoB,SAAS,QAAQ;;AAIjD,QAAM;;;;;CAMR,AAAU,iBACR,SACA,SACQ;AACR,MAAI,OAAO,YAAY,SACrB,QAAO;EAGT,MAAM,UAAU,SAAS,WAAW;EACpC,MAAM,SAAS,SAAS,UAAU;EAClC,MAAM,MAAM,SAAS,OAAO;EAC5B,MAAM,YAAY,SAAS,WAAW;EAEtC,MAAM,cAAc,UAAU,WAAW,UAAU;EACnD,IAAI,QAAQ,KAAK,IAAI,aAAa,IAAI;AAEtC,MAAI,UAEF,SAAQ,SAAS,IAAI,KAAK,QAAQ,GAAG;AAGvC,SAAO,KAAK,MAAM,MAAM;;;;;;;;;;ACzN5B,MAAa,UACX,YACwB;CACxB,MAAM,WAAW,gBAAgB,gBAAgB,QAAQ;CACzD,MAAM,MAAM,GAAG,SAAwB,SAAS,IAAI,GAAG,KAAK;AAC5D,QAAO,OAAO,eAAe,IAAI,SAAS;;AAsD5C,IAAa,iBAAb,cAEU,UAAoC;CAC5C,AAAmB,gBAAgB,QAAQ,cAAc;CACzD,AAAU;CAEV,YAAY,MAA+C;AACzD,QAAM,KAAK;AAEX,OAAK,OAAO,OAAO,GAAG,cAAc;AAClC,QAAK,oBAAoB,OAAO;IAChC;;CAGJ,MAAM,IAAI,GAAG,MAA6C;AAExD,OAAK,uBAAuB,IAAI,iBAAiB;AAEjD,SAAO,KAAK,cAAc,MACxB;GACE,GAAG,KAAK;GACR,kBAAkB,KAAK,mBAAmB;GAC3C,EACD,GAAG,KACJ;;;AASL,OAAO,QAAQ;;;;;;;;;;ACxFf,MAAa,cAAc,QAAQ;CACjC,MAAM;CACN,YAAY,CAAC,OAAO;CACpB,UAAU,CAAC,cAAc;CAC1B,CAAC"}

package/dist/router/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":[~~"wildcard: { route: T } \| undefined","params: Record<string, string>"~~],"sources":["../../src/router/providers/RouterProvider.ts"],"sourcesContent":["import { AlephaError } from \"alepha\";\n\nexport abstract class RouterProvider<T extends Route = Route> {\n protected routePathRegex: RegExp = /^\\/[A-Za-z0-9._~!$&%'()+,;=:@{}?/-]$/;\n\n protected tree: Tree<T> = { children: {} };\n protected cache = new Map<string, RouteMatch<T>>();\n\n public match(path: string): RouteMatch<T> {\n if (this.cache.has(path)) {\n return this.cache.get(path)!;\n }\n const result = this.mapParams(this.createRouteMatch(path));\n this.cache.set(path, result);\n return result;\n }\n\n protected test(path: string): void {\n if (!this.routePathRegex.test(path)) {\n throw new AlephaError(`Route '${path}' is not valid`);\n }\n }\n\n protected push(route: T): void {\n const path = route.path.replaceAll(\"//\", \"/\");\n\n this.test(path);\n\n const parts = this.createParts(path);\n\n let cursor = this.tree;\n for (let i = 0; i < parts.length; i++) {\n const isLast = i === parts.length - 1;\n let part = parts[i].toLowerCase(); // url is case-insensitive\n if (part === \"\" && isLast) {\n cursor.wildcard = { route };\n break;\n }\n\n if (part.includes(\"\")) {\n throw new AlephaError(`Route '${path}' has an invalid wildcard syntax`);\n }\n\n if (part.includes(\"{\") \|\| part.includes(\"}\")) {\n if (part.startsWith(\"{\") && part.endsWith(\"}\")) {\n part = `:${part.slice(1, -1)}`; // convert {param} to :param\n } else {\n throw new AlephaError(`Route '${path}' has an invalid param syntax`);\n }\n }\n\n if (part.startsWith(\":\")) {\n const name = parts[i].slice(1).replaceAll(\"}\", \"\");\n if (!name) {\n throw new AlephaError(`Route '${path}' has an empty param name`);\n }\n if (!cursor.param) {\n cursor.param = { name, children: {} };\n } else if (cursor.param.name !== name) {\n // damn, 2 url params with different names\n // got this case with /customers/:id and /customers/:userId/payments\n route.mapParams ??= {};\n route.mapParams[cursor.param.name] = name;\n }\n\n if (isLast) {\n cursor.param.route = route;\n }\n\n cursor = cursor.param;\n continue;\n }\n\n if (!cursor.children[part]) {\n cursor.children[part] = { children: {} };\n }\n\n if (isLast) {\n cursor.children[part].route = route;\n }\n\n cursor = cursor.children[part];\n }\n }\n\n protected createRouteMatch(path: string): RouteMatch<T> {\n if (path[0] !== \"/\") {\n throw new AlephaError(`Path '${path}' must start with \"/\"`);\n }\n\n const parts = this.createParts(path);\n\n let cursor = this.tree;\n let wildcard: { route: T } \| undefined;\n const params: Record<string, string> = {};\n\n for (let i = 0; i < parts.length; i++) {\n const part = parts[i].toLowerCase(); // url is case-insensitive\n if (cursor.children[part]) {\n if (cursor.wildcard) {\n wildcard = cursor.wildcard;\n }\n cursor = cursor.children[part];\n } else if (cursor.param) {\n if (cursor.wildcard) {\n wildcard = cursor.wildcard;\n }\n params[cursor.param.name] = parts[i];\n cursor = cursor.param;\n } else if (cursor.wildcard) {\n params[\"\"] = parts.slice(i).join(\"/\");\n return { route: cursor.wildcard.route, params };\n } else {\n return { route: wildcard?.route, params };\n }\n }\n\n if (!cursor?.route) {\n // when \"/a/\" - trigger if \"/a\"\n if (cursor.wildcard) {\n return { route: cursor.wildcard.route, params };\n }\n // return deep wildcard or nothing\n return { route: wildcard?.route, params };\n }\n\n return { route: cursor.route, params };\n }\n\n protected mapParams(match: RouteMatch<T>): RouteMatch<T> {\n if (match.route?.mapParams && match.params) {\n for (const [key, value] of Object.entries(match.route.mapParams)) {\n if (match.params[key]) {\n match.params[value] = match.params[key];\n delete match.params[key];\n }\n }\n }\n\n return match;\n }\n\n protected createParts(path: string): string[] {\n let pathname = path.split(\"?\")[0].replaceAll(\"//\", \"/\");\n\n // remove trailing slash\n if (pathname.endsWith(\"/\") && pathname.length > 1) {\n pathname = pathname.slice(0, -1);\n }\n\n return pathname.split(\"/\").slice(1);\n }\n}\n\nexport interface RouteMatch<T extends Route> {\n route?: T;\n params?: Record<string, string>;\n}\n\nexport interface Route {\n path: string;\n\n /*\n Rename a param in the route.\n * This is automatically filled when you have scenarios like:\n * `/customers/:id` and `/customers/:userId/payments`\n \n In this case, `:id` will be renamed to `:userId` in the second route.\n */\n mapParams?: Record<string, string>;\n}\n\nexport interface Tree<T extends Route> {\n route?: T;\n children: {\n [key: string]: Tree<T>;\n };\n param?: {\n route?: T;\n name: string;\n children: {\n [key: string]: Tree<T>;\n };\n };\n wildcard?: {\n route: T;\n };\n}\n"],"mappings":";;;AAEA,IAAsB,iBAAtB,MAA8D;CAC5D,AAAU,iBAAyB;CAEnC,AAAU,OAAgB,EAAE,UAAU,EAAE,EAAE;CAC1C,AAAU,wBAAQ,IAAI,KAA4B;CAElD,AAAO,MAAM,MAA6B;AACxC,MAAI,KAAK,MAAM,IAAI,KAAK,CACtB,QAAO,KAAK,MAAM,IAAI,KAAK;EAE7B,MAAM,SAAS,KAAK,UAAU,KAAK,iBAAiB,KAAK,CAAC;AAC1D,OAAK,MAAM,IAAI,MAAM,OAAO;AAC5B,SAAO;;CAGT,AAAU,KAAK,MAAoB;AACjC,MAAI,CAAC,KAAK,eAAe,KAAK,KAAK,CACjC,OAAM,IAAI,YAAY,UAAU,KAAK,gBAAgB;;CAIzD,AAAU,KAAK,OAAgB;EAC7B,MAAM,OAAO,MAAM,KAAK,WAAW,MAAM,IAAI;AAE7C,OAAK,KAAK,KAAK;EAEf,MAAM,QAAQ,KAAK,YAAY,KAAK;EAEpC,IAAI,SAAS,KAAK;AAClB,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,SAAS,MAAM,MAAM,SAAS;GACpC,IAAI,OAAO,MAAM,GAAG,aAAa;AACjC,OAAI,SAAS,OAAO,QAAQ;AAC1B,WAAO,WAAW,EAAE,OAAO;AAC3B;;AAGF,OAAI,KAAK,SAAS,IAAI,CACpB,OAAM,IAAI,YAAY,UAAU,KAAK,kCAAkC;AAGzE,OAAI,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI,CAC1C,KAAI,KAAK,WAAW,IAAI,IAAI,KAAK,SAAS,IAAI,CAC5C,QAAO,IAAI,KAAK,MAAM,GAAG,GAAG;OAE5B,OAAM,IAAI,YAAY,UAAU,KAAK,+BAA+B;AAIxE,OAAI,KAAK,WAAW,IAAI,EAAE;IACxB,MAAM,OAAO,MAAM,GAAG,MAAM,EAAE,CAAC,WAAW,KAAK,GAAG;AAClD,QAAI,CAAC,KACH,OAAM,IAAI,YAAY,UAAU,KAAK,2BAA2B;AAElE,QAAI,CAAC,OAAO,MACV,QAAO,QAAQ;KAAE;KAAM,UAAU,EAAE;KAAE;aAC5B,OAAO,MAAM,SAAS,MAAM;AAGrC,WAAM,cAAc,EAAE;AACtB,WAAM,UAAU,OAAO,MAAM,QAAQ;;AAGvC,QAAI,OACF,QAAO,MAAM,QAAQ;AAGvB,aAAS,OAAO;AAChB;;AAGF,OAAI,CAAC,OAAO,SAAS,MACnB,QAAO,SAAS,QAAQ,EAAE,UAAU,EAAE,EAAE;AAG1C,OAAI,OACF,QAAO,SAAS,MAAM,QAAQ;AAGhC,YAAS,OAAO,SAAS;;;CAI7B,AAAU,iBAAiB,MAA6B;AACtD,MAAI,KAAK,OAAO,IACd,OAAM,IAAI,YAAY,SAAS,KAAK,uBAAuB;EAG7D,MAAM,QAAQ,KAAK,YAAY,KAAK;EAEpC,IAAI,SAAS,KAAK;EAClB,~~IAAIA~~;EACJ,~~MAAMC~~,SAAiC,EAAE;AAEzC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,OAAO,MAAM,GAAG,aAAa;AACnC,OAAI,OAAO,SAAS,OAAO;AACzB,QAAI,OAAO,SACT,YAAW,OAAO;AAEpB,aAAS,OAAO,SAAS;cAChB,OAAO,OAAO;AACvB,QAAI,OAAO,SACT,YAAW,OAAO;AAEpB,WAAO,OAAO,MAAM,QAAQ,MAAM;AAClC,aAAS,OAAO;cACP,OAAO,UAAU;AAC1B,WAAO,OAAO,MAAM,MAAM,EAAE,CAAC,KAAK,IAAI;AACtC,WAAO;KAAE,OAAO,OAAO,SAAS;KAAO;KAAQ;SAE/C,QAAO;IAAE,OAAO,UAAU;IAAO;IAAQ;;AAI7C,MAAI,CAAC,QAAQ,OAAO;AAElB,OAAI,OAAO,SACT,QAAO;IAAE,OAAO,OAAO,SAAS;IAAO;IAAQ;AAGjD,UAAO;IAAE,OAAO,UAAU;IAAO;IAAQ;;AAG3C,SAAO;GAAE,OAAO,OAAO;GAAO;GAAQ;;CAGxC,AAAU,UAAU,OAAqC;AACvD,MAAI,MAAM,OAAO,aAAa,MAAM,QAClC;QAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,MAAM,UAAU,CAC9D,KAAI,MAAM,OAAO,MAAM;AACrB,UAAM,OAAO,SAAS,MAAM,OAAO;AACnC,WAAO,MAAM,OAAO;;;AAK1B,SAAO;;CAGT,AAAU,YAAY,MAAwB;EAC5C,IAAI,WAAW,KAAK,MAAM,IAAI,CAAC,GAAG,WAAW,MAAM,IAAI;AAGvD,MAAI,SAAS,SAAS,IAAI,IAAI,SAAS,SAAS,EAC9C,YAAW,SAAS,MAAM,GAAG,GAAG;AAGlC,SAAO,SAAS,MAAM,IAAI,CAAC,MAAM,EAAE"}
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../src/router/providers/RouterProvider.ts"],"sourcesContent":["import { AlephaError } from \"alepha\";\n\nexport abstract class RouterProvider<T extends Route = Route> {\n protected routePathRegex: RegExp = /^\\/[A-Za-z0-9._~!$&%'()+,;=:@{}?/-]$/;\n\n protected tree: Tree<T> = { children: {} };\n protected cache = new Map<string, RouteMatch<T>>();\n\n public match(path: string): RouteMatch<T> {\n if (this.cache.has(path)) {\n return this.cache.get(path)!;\n }\n const result = this.mapParams(this.createRouteMatch(path));\n this.cache.set(path, result);\n return result;\n }\n\n protected test(path: string): void {\n if (!this.routePathRegex.test(path)) {\n throw new AlephaError(`Route '${path}' is not valid`);\n }\n }\n\n protected push(route: T): void {\n const path = route.path.replaceAll(\"//\", \"/\");\n\n this.test(path);\n\n const parts = this.createParts(path);\n\n let cursor = this.tree;\n for (let i = 0; i < parts.length; i++) {\n const isLast = i === parts.length - 1;\n let part = parts[i].toLowerCase(); // url is case-insensitive\n if (part === \"\" && isLast) {\n cursor.wildcard = { route };\n break;\n }\n\n if (part.includes(\"\")) {\n throw new AlephaError(`Route '${path}' has an invalid wildcard syntax`);\n }\n\n if (part.includes(\"{\") \|\| part.includes(\"}\")) {\n if (part.startsWith(\"{\") && part.endsWith(\"}\")) {\n part = `:${part.slice(1, -1)}`; // convert {param} to :param\n } else {\n throw new AlephaError(`Route '${path}' has an invalid param syntax`);\n }\n }\n\n if (part.startsWith(\":\")) {\n const name = parts[i].slice(1).replaceAll(\"}\", \"\");\n if (!name) {\n throw new AlephaError(`Route '${path}' has an empty param name`);\n }\n if (!cursor.param) {\n cursor.param = { name, children: {} };\n } else if (cursor.param.name !== name) {\n // damn, 2 url params with different names\n // got this case with /customers/:id and /customers/:userId/payments\n route.mapParams ??= {};\n route.mapParams[cursor.param.name] = name;\n }\n\n if (isLast) {\n cursor.param.route = route;\n }\n\n cursor = cursor.param;\n continue;\n }\n\n if (!cursor.children[part]) {\n cursor.children[part] = { children: {} };\n }\n\n if (isLast) {\n cursor.children[part].route = route;\n }\n\n cursor = cursor.children[part];\n }\n }\n\n protected createRouteMatch(path: string): RouteMatch<T> {\n if (path[0] !== \"/\") {\n throw new AlephaError(`Path '${path}' must start with \"/\"`);\n }\n\n const parts = this.createParts(path);\n\n let cursor = this.tree;\n let wildcard: { route: T } \| undefined;\n const params: Record<string, string> = {};\n\n for (let i = 0; i < parts.length; i++) {\n const part = parts[i].toLowerCase(); // url is case-insensitive\n if (cursor.children[part]) {\n if (cursor.wildcard) {\n wildcard = cursor.wildcard;\n }\n cursor = cursor.children[part];\n } else if (cursor.param) {\n if (cursor.wildcard) {\n wildcard = cursor.wildcard;\n }\n params[cursor.param.name] = parts[i];\n cursor = cursor.param;\n } else if (cursor.wildcard) {\n params[\"\"] = parts.slice(i).join(\"/\");\n return { route: cursor.wildcard.route, params };\n } else {\n return { route: wildcard?.route, params };\n }\n }\n\n if (!cursor?.route) {\n // when \"/a/\" - trigger if \"/a\"\n if (cursor.wildcard) {\n return { route: cursor.wildcard.route, params };\n }\n // return deep wildcard or nothing\n return { route: wildcard?.route, params };\n }\n\n return { route: cursor.route, params };\n }\n\n protected mapParams(match: RouteMatch<T>): RouteMatch<T> {\n if (match.route?.mapParams && match.params) {\n for (const [key, value] of Object.entries(match.route.mapParams)) {\n if (match.params[key]) {\n match.params[value] = match.params[key];\n delete match.params[key];\n }\n }\n }\n\n return match;\n }\n\n protected createParts(path: string): string[] {\n let pathname = path.split(\"?\")[0].replaceAll(\"//\", \"/\");\n\n // remove trailing slash\n if (pathname.endsWith(\"/\") && pathname.length > 1) {\n pathname = pathname.slice(0, -1);\n }\n\n return pathname.split(\"/\").slice(1);\n }\n}\n\nexport interface RouteMatch<T extends Route> {\n route?: T;\n params?: Record<string, string>;\n}\n\nexport interface Route {\n path: string;\n\n /*\n Rename a param in the route.\n * This is automatically filled when you have scenarios like:\n * `/customers/:id` and `/customers/:userId/payments`\n \n In this case, `:id` will be renamed to `:userId` in the second route.\n */\n mapParams?: Record<string, string>;\n}\n\nexport interface Tree<T extends Route> {\n route?: T;\n children: {\n [key: string]: Tree<T>;\n };\n param?: {\n route?: T;\n name: string;\n children: {\n [key: string]: Tree<T>;\n };\n };\n wildcard?: {\n route: T;\n };\n}\n"],"mappings":";;;AAEA,IAAsB,iBAAtB,MAA8D;CAC5D,AAAU,iBAAyB;CAEnC,AAAU,OAAgB,EAAE,UAAU,EAAE,EAAE;CAC1C,AAAU,wBAAQ,IAAI,KAA4B;CAElD,AAAO,MAAM,MAA6B;AACxC,MAAI,KAAK,MAAM,IAAI,KAAK,CACtB,QAAO,KAAK,MAAM,IAAI,KAAK;EAE7B,MAAM,SAAS,KAAK,UAAU,KAAK,iBAAiB,KAAK,CAAC;AAC1D,OAAK,MAAM,IAAI,MAAM,OAAO;AAC5B,SAAO;;CAGT,AAAU,KAAK,MAAoB;AACjC,MAAI,CAAC,KAAK,eAAe,KAAK,KAAK,CACjC,OAAM,IAAI,YAAY,UAAU,KAAK,gBAAgB;;CAIzD,AAAU,KAAK,OAAgB;EAC7B,MAAM,OAAO,MAAM,KAAK,WAAW,MAAM,IAAI;AAE7C,OAAK,KAAK,KAAK;EAEf,MAAM,QAAQ,KAAK,YAAY,KAAK;EAEpC,IAAI,SAAS,KAAK;AAClB,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,SAAS,MAAM,MAAM,SAAS;GACpC,IAAI,OAAO,MAAM,GAAG,aAAa;AACjC,OAAI,SAAS,OAAO,QAAQ;AAC1B,WAAO,WAAW,EAAE,OAAO;AAC3B;;AAGF,OAAI,KAAK,SAAS,IAAI,CACpB,OAAM,IAAI,YAAY,UAAU,KAAK,kCAAkC;AAGzE,OAAI,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI,CAC1C,KAAI,KAAK,WAAW,IAAI,IAAI,KAAK,SAAS,IAAI,CAC5C,QAAO,IAAI,KAAK,MAAM,GAAG,GAAG;OAE5B,OAAM,IAAI,YAAY,UAAU,KAAK,+BAA+B;AAIxE,OAAI,KAAK,WAAW,IAAI,EAAE;IACxB,MAAM,OAAO,MAAM,GAAG,MAAM,EAAE,CAAC,WAAW,KAAK,GAAG;AAClD,QAAI,CAAC,KACH,OAAM,IAAI,YAAY,UAAU,KAAK,2BAA2B;AAElE,QAAI,CAAC,OAAO,MACV,QAAO,QAAQ;KAAE;KAAM,UAAU,EAAE;KAAE;aAC5B,OAAO,MAAM,SAAS,MAAM;AAGrC,WAAM,cAAc,EAAE;AACtB,WAAM,UAAU,OAAO,MAAM,QAAQ;;AAGvC,QAAI,OACF,QAAO,MAAM,QAAQ;AAGvB,aAAS,OAAO;AAChB;;AAGF,OAAI,CAAC,OAAO,SAAS,MACnB,QAAO,SAAS,QAAQ,EAAE,UAAU,EAAE,EAAE;AAG1C,OAAI,OACF,QAAO,SAAS,MAAM,QAAQ;AAGhC,YAAS,OAAO,SAAS;;;CAI7B,AAAU,iBAAiB,MAA6B;AACtD,MAAI,KAAK,OAAO,IACd,OAAM,IAAI,YAAY,SAAS,KAAK,uBAAuB;EAG7D,MAAM,QAAQ,KAAK,YAAY,KAAK;EAEpC,IAAI,SAAS,KAAK;EAClB,IAAI;EACJ,MAAM,SAAiC,EAAE;AAEzC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,OAAO,MAAM,GAAG,aAAa;AACnC,OAAI,OAAO,SAAS,OAAO;AACzB,QAAI,OAAO,SACT,YAAW,OAAO;AAEpB,aAAS,OAAO,SAAS;cAChB,OAAO,OAAO;AACvB,QAAI,OAAO,SACT,YAAW,OAAO;AAEpB,WAAO,OAAO,MAAM,QAAQ,MAAM;AAClC,aAAS,OAAO;cACP,OAAO,UAAU;AAC1B,WAAO,OAAO,MAAM,MAAM,EAAE,CAAC,KAAK,IAAI;AACtC,WAAO;KAAE,OAAO,OAAO,SAAS;KAAO;KAAQ;SAE/C,QAAO;IAAE,OAAO,UAAU;IAAO;IAAQ;;AAI7C,MAAI,CAAC,QAAQ,OAAO;AAElB,OAAI,OAAO,SACT,QAAO;IAAE,OAAO,OAAO,SAAS;IAAO;IAAQ;AAGjD,UAAO;IAAE,OAAO,UAAU;IAAO;IAAQ;;AAG3C,SAAO;GAAE,OAAO,OAAO;GAAO;GAAQ;;CAGxC,AAAU,UAAU,OAAqC;AACvD,MAAI,MAAM,OAAO,aAAa,MAAM,QAClC;QAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,MAAM,UAAU,CAC9D,KAAI,MAAM,OAAO,MAAM;AACrB,UAAM,OAAO,SAAS,MAAM,OAAO;AACnC,WAAO,MAAM,OAAO;;;AAK1B,SAAO;;CAGT,AAAU,YAAY,MAAwB;EAC5C,IAAI,WAAW,KAAK,MAAM,IAAI,CAAC,GAAG,WAAW,MAAM,IAAI;AAGvD,MAAI,SAAS,SAAS,IAAI,IAAI,SAAS,SAAS,EAC9C,YAAW,SAAS,MAAM,GAAG,GAAG;AAGlC,SAAO,SAAS,MAAM,IAAI,CAAC,MAAM,EAAE"}

package/dist/scheduler/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["cron: CronJob"],"sources":["../../src/scheduler/providers/CronProvider.ts","../../src/scheduler/primitives/$scheduler.ts","../../src/scheduler/constants/CRON.ts","../../src/scheduler/index.ts"],"sourcesContent":["import { $hook, $inject, Alepha } from \"alepha\";\nimport { type DateTime, DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport { type Cron, parseCronExpression } from \"cron-schedule\";\n\nexport class CronProvider {\n protected readonly dt = $inject(DateTimeProvider);\n protected readonly alepha = $inject(Alepha);\n protected readonly log = $logger();\n protected readonly cronJobs: Array<CronJob> = [];\n\n public getCronJobs(): Array<CronJob> {\n return this.cronJobs;\n }\n\n protected readonly start = $hook({\n on: \"start\",\n handler: () => {\n for (const cron of this.cronJobs) {\n if (!cron.running) {\n cron.running = true;\n this.log.debug(\n `Starting cron task '${cron.name}' with '${cron.expression}'`,\n );\n this.run(cron);\n }\n }\n },\n });\n\n protected readonly stop = $hook({\n on: \"stop\",\n handler: () => {\n for (const cron of this.cronJobs) {\n this.abort(cron);\n }\n },\n });\n\n protected boot(name: string \| CronJob) {\n const cron =\n typeof name === \"string\"\n ? this.cronJobs.find((c) => c.name === name)\n : name;\n\n if (!cron) {\n return;\n }\n\n cron.running = true;\n\n this.log.debug(\n `Starting cron task '${cron.name}' with '${cron.expression}'`,\n );\n\n this.run(cron);\n }\n\n public abort(name: string \| CronJob): void {\n const cron =\n typeof name === \"string\"\n ? this.cronJobs.find((c) => c.name === name)\n : name;\n\n if (!cron) {\n return;\n }\n\n cron.running = false;\n cron.abort.abort();\n this.log.debug(`Cron task '${cron.name}' stopped`);\n }\n\n /*\n Registers a cron job.\n \n It's automatically done when using the `$scheduler` primitive but can also be used manually.\n /\n public createCronJob(\n name: string,\n expression: string,\n handler: (context: { now: DateTime }) => Promise<void>,\n start?: boolean,\n ): void {\n const cron: CronJob = {\n name,\n cron: parseCronExpression(expression),\n expression,\n handler,\n loop: true,\n abort: new AbortController(),\n };\n\n this.cronJobs.push(cron);\n\n if (start && this.alepha.isStarted()) {\n this.boot(cron);\n }\n }\n\n protected run(task: CronJob, now = this.dt.now()): void {\n if (!task.running) {\n return;\n }\n\n const [next] = task.cron.getNextDates(1, now.toDate());\n if (!next) {\n return;\n }\n\n const duration = next.getTime() - now.toDate().getTime();\n\n task.abort = new AbortController();\n\n this.dt\n .wait(duration, {\n now: now.valueOf(),\n signal: task.abort.signal,\n })\n .then(() => {\n if (!task.running) {\n this.log.trace(\"Cron task stopped before execution\");\n return;\n }\n\n this.log.trace(\"Running cron task\");\n\n task.handler({ now: this.dt.of(next) }).catch((err) => {\n if (task.onError) {\n task.onError(err);\n } else {\n this.log.error(\"Error in cron task:\", err);\n }\n });\n\n if (task.loop) {\n this.run(task, this.dt.of(next));\n }\n })\n .catch((err) => {\n this.log.warn(\"Issue during cron waiting timer\", err as Error);\n });\n }\n}\n\nexport interface CronJob {\n name: string;\n expression: string;\n handler: (context: { now: DateTime }) => Promise<void>;\n cron: Cron;\n loop: boolean;\n running?: boolean;\n onError?: (error: Error) => void;\n abort: AbortController;\n}\n","import {\n $env,\n $inject,\n Alepha,\n type Async,\n createPrimitive,\n KIND,\n Primitive,\n type Static,\n t,\n} from \"alepha\";\nimport {\n type DateTime,\n DateTimeProvider,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $lock } from \"alepha/lock\";\nimport { $logger } from \"alepha/logger\";\nimport { CronProvider } from \"../providers/CronProvider.ts\";\n\n/\n Scheduler primitive.\n /\nexport const $scheduler = (\n options: SchedulerPrimitiveOptions,\n): SchedulerPrimitive => {\n return createPrimitive(SchedulerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type SchedulerPrimitiveOptions = {\n /\n Function to run on schedule.\n /\n handler: (args: SchedulerHandlerArguments) => Async<void>;\n\n /\n Name of the scheduler. Defaults to the function name.\n /\n name?: string;\n\n /\n Optional description of the scheduler.\n /\n description?: string;\n\n /\n Cron expression or interval to run the scheduler.\n /\n cron?: string;\n\n /\n Cron expression or interval to run the scheduler.\n /\n interval?: DurationLike;\n\n /\n If true, the scheduler will be locked and only one instance will run at a time.\n * You probably need to import {@link AlephaLockRedis} for distributed locking.\n \n @default true\n /\n lock?: boolean;\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nconst envSchema = t.object({\n SCHEDULER_PREFIX: t.optional(\n t.text({\n description: \"Prefix store key\",\n }),\n ),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SchedulerPrimitive extends Primitive<SchedulerPrimitiveOptions> {\n protected readonly log = $logger();\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly cronProvider = $inject(CronProvider);\n\n public get name(): string {\n return (\n this.options.name ??\n `${this.config.service.name}.${this.config.propertyKey}`\n );\n }\n\n protected onInit() {\n if (this.options.interval) {\n this.dateTimeProvider.createInterval(\n () => this.trigger(),\n this.options.interval,\n );\n }\n if (this.options.cron) {\n this.cronProvider.createCronJob(this.name, this.options.cron, () =>\n this.trigger(),\n );\n }\n }\n\n public async trigger(): Promise<void> {\n if (!this.alepha.isStarted()) {\n return;\n }\n\n const context = this.alepha.context.createContextId();\n\n await this.alepha.context.run(\n async () => {\n try {\n const now = this.dateTimeProvider.now();\n\n await this.alepha.events.emit(\"scheduler:begin\", {\n name: this.name,\n now,\n context,\n });\n\n if (this.options.lock !== false) {\n await this.schedulerLock.run({ now });\n } else {\n await this.options.handler({ now });\n }\n\n await this.alepha.events.emit(\n \"scheduler:success\",\n {\n name: this.name,\n context,\n },\n {\n catch: true,\n },\n );\n } catch (error) {\n await this.alepha.events.emit(\n \"scheduler:error\",\n {\n name: this.name,\n error: error as Error,\n context,\n },\n {\n catch: true,\n },\n );\n\n this.log.error(\"Error running scheduler:\", error);\n }\n\n await this.alepha.events.emit(\n \"scheduler:end\",\n {\n name: this.name,\n context,\n },\n {\n catch: true,\n },\n );\n },\n {\n context,\n },\n );\n }\n\n protected schedulerLock = $lock({\n name: () => {\n const prefix = this.env.SCHEDULER_PREFIX\n ? `${this.env.SCHEDULER_PREFIX}:`\n : \"\";\n return `${prefix}scheduler:${this.name}`;\n },\n handler: async (args: SchedulerHandlerArguments) => {\n await this.options.handler(args);\n },\n });\n}\n\n$scheduler[KIND] = SchedulerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface SchedulerHandlerArguments {\n now: DateTime;\n}\n","export const CRON = {\n EVERY_MINUTE: \" * * * \",\n EVERY_5_MINUTES: \"/5 * * * \",\n EVERY_15_MINUTES: \"/15 * * * \",\n EVERY_30_MINUTES: \"/30 * * * \",\n EVERY_HOUR: \"0 * * \",\n EVERY_DAY_AT_MIDNIGHT: \"0 0 * \",\n};\n","import { $module } from \"alepha\";\nimport type { DateTime } from \"alepha/datetime\";\nimport { AlephaLock } from \"alepha/lock\";\nimport { $scheduler } from \"./primitives/$scheduler.ts\";\nimport { CronProvider } from \"./providers/CronProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./constants/CRON.ts\";\nexport * from \"./primitives/$scheduler.ts\";\nexport * from \"./providers/CronProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"scheduler:begin\": {\n name: string;\n now: DateTime;\n context: string;\n };\n\n \"scheduler:success\": { name: string; context: string };\n\n \"scheduler:error\": {\n name: string;\n error: Error;\n context: string;\n };\n\n \"scheduler:end\": { name: string; context: string };\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/*\n Generic interface for scheduling tasks.\n \n @see {@link $scheduler}\n * @module alepha.scheduler\n */\nexport const AlephaScheduler = $module({\n name: \"alepha.scheduler\",\n primitives: [$scheduler],\n services: [AlephaLock, CronProvider],\n});\n"],"mappings":";;;;;;;AAKA,IAAa,eAAb,MAA0B;CACxB,AAAmB,KAAK,QAAQ,iBAAiB;CACjD,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA2B,EAAE;CAEhD,AAAO,cAA8B;AACnC,SAAO,KAAK;;CAGd,AAAmB,QAAQ,MAAM;EAC/B,IAAI;EACJ,eAAe;AACb,QAAK,MAAM,QAAQ,KAAK,SACtB,KAAI,CAAC,KAAK,SAAS;AACjB,SAAK,UAAU;AACf,SAAK,IAAI,MACP,uBAAuB,KAAK,KAAK,UAAU,KAAK,WAAW,GAC5D;AACD,SAAK,IAAI,KAAK;;;EAIrB,CAAC;CAEF,AAAmB,OAAO,MAAM;EAC9B,IAAI;EACJ,eAAe;AACb,QAAK,MAAM,QAAQ,KAAK,SACtB,MAAK,MAAM,KAAK;;EAGrB,CAAC;CAEF,AAAU,KAAK,MAAwB;EACrC,MAAM,OACJ,OAAO,SAAS,WACZ,KAAK,SAAS,MAAM,MAAM,EAAE,SAAS,KAAK,GAC1C;AAEN,MAAI,CAAC,KACH;AAGF,OAAK,UAAU;AAEf,OAAK,IAAI,MACP,uBAAuB,KAAK,KAAK,UAAU,KAAK,WAAW,GAC5D;AAED,OAAK,IAAI,KAAK;;CAGhB,AAAO,MAAM,MAA8B;EACzC,MAAM,OACJ,OAAO,SAAS,WACZ,KAAK,SAAS,MAAM,MAAM,EAAE,SAAS,KAAK,GAC1C;AAEN,MAAI,CAAC,KACH;AAGF,OAAK,UAAU;AACf,OAAK,MAAM,OAAO;AAClB,OAAK,IAAI,MAAM,cAAc,KAAK,KAAK,WAAW;;;;;;;CAQpD,AAAO,cACL,MACA,YACA,SACA,OACM;EACN,MAAMA,OAAgB;GACpB;GACA,MAAM,oBAAoB,WAAW;GACrC;GACA;GACA,MAAM;GACN,OAAO,IAAI,iBAAiB;GAC7B;AAED,OAAK,SAAS,KAAK,KAAK;AAExB,MAAI,SAAS,KAAK,OAAO,WAAW,CAClC,MAAK,KAAK,KAAK;;CAInB,AAAU,IAAI,MAAe,MAAM,KAAK,GAAG,KAAK,EAAQ;AACtD,MAAI,CAAC,KAAK,QACR;EAGF,MAAM,CAAC,QAAQ,KAAK,KAAK,aAAa,GAAG,IAAI,QAAQ,CAAC;AACtD,MAAI,CAAC,KACH;EAGF,MAAM,WAAW,KAAK,SAAS,GAAG,IAAI,QAAQ,CAAC,SAAS;AAExD,OAAK,QAAQ,IAAI,iBAAiB;AAElC,OAAK,GACF,KAAK,UAAU;GACd,KAAK,IAAI,SAAS;GAClB,QAAQ,KAAK,MAAM;GACpB,CAAC,CACD,WAAW;AACV,OAAI,CAAC,KAAK,SAAS;AACjB,SAAK,IAAI,MAAM,qCAAqC;AACpD;;AAGF,QAAK,IAAI,MAAM,oBAAoB;AAEnC,QAAK,QAAQ,EAAE,KAAK,KAAK,GAAG,GAAG,KAAK,EAAE,CAAC,CAAC,OAAO,QAAQ;AACrD,QAAI,KAAK,QACP,MAAK,QAAQ,IAAI;QAEjB,MAAK,IAAI,MAAM,uBAAuB,IAAI;KAE5C;AAEF,OAAI,KAAK,KACP,MAAK,IAAI,MAAM,KAAK,GAAG,GAAG,KAAK,CAAC;IAElC,CACD,OAAO,QAAQ;AACd,QAAK,IAAI,KAAK,mCAAmC,IAAa;IAC9D;;;;;;;;;ACtHR,MAAa,cACX,YACuB;AACvB,QAAO,gBAAgB,oBAAoB,QAAQ;;AA0CrD,MAAM,YAAY,EAAE,OAAO,EACzB,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aAAa,oBACd,CAAC,CACH,EACF,CAAC;AAMF,IAAa,qBAAb,cAAwC,UAAqC;CAC3E,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,eAAe,QAAQ,aAAa;CAEvD,IAAW,OAAe;AACxB,SACE,KAAK,QAAQ,QACb,GAAG,KAAK,OAAO,QAAQ,KAAK,GAAG,KAAK,OAAO;;CAI/C,AAAU,SAAS;AACjB,MAAI,KAAK,QAAQ,SACf,MAAK,iBAAiB,qBACd,KAAK,SAAS,EACpB,KAAK,QAAQ,SACd;AAEH,MAAI,KAAK,QAAQ,KACf,MAAK,aAAa,cAAc,KAAK,MAAM,KAAK,QAAQ,YACtD,KAAK,SAAS,CACf;;CAIL,MAAa,UAAyB;AACpC,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B;EAGF,MAAM,UAAU,KAAK,OAAO,QAAQ,iBAAiB;AAErD,QAAM,KAAK,OAAO,QAAQ,IACxB,YAAY;AACV,OAAI;IACF,MAAM,MAAM,KAAK,iBAAiB,KAAK;AAEvC,UAAM,KAAK,OAAO,OAAO,KAAK,mBAAmB;KAC/C,MAAM,KAAK;KACX;KACA;KACD,CAAC;AAEF,QAAI,KAAK,QAAQ,SAAS,MACxB,OAAM,KAAK,cAAc,IAAI,EAAE,KAAK,CAAC;QAErC,OAAM,KAAK,QAAQ,QAAQ,EAAE,KAAK,CAAC;AAGrC,UAAM,KAAK,OAAO,OAAO,KACvB,qBACA;KACE,MAAM,KAAK;KACX;KACD,EACD,EACE,OAAO,MACR,CACF;YACM,OAAO;AACd,UAAM,KAAK,OAAO,OAAO,KACvB,mBACA;KACE,MAAM,KAAK;KACJ;KACP;KACD,EACD,EACE,OAAO,MACR,CACF;AAED,SAAK,IAAI,MAAM,4BAA4B,MAAM;;AAGnD,SAAM,KAAK,OAAO,OAAO,KACvB,iBACA;IACE,MAAM,KAAK;IACX;IACD,EACD,EACE,OAAO,MACR,CACF;KAEH,EACE,SACD,CACF;;CAGH,AAAU,gBAAgB,MAAM;EAC9B,YAAY;AAIV,UAAO,GAHQ,KAAK,IAAI,mBACpB,GAAG,KAAK,IAAI,iBAAiB,KAC7B,GACa,YAAY,KAAK;;EAEpC,SAAS,OAAO,SAAoC;AAClD,SAAM,KAAK,QAAQ,QAAQ,KAAK;;EAEnC,CAAC;;AAGJ,WAAW,QAAQ;;;;AC5LnB,MAAa,OAAO;CAClB,cAAc;CACd,iBAAiB;CACjB,kBAAkB;CAClB,kBAAkB;CAClB,YAAY;CACZ,uBAAuB;CACxB;;;;;;;;;;ACmCD,MAAa,kBAAkB,QAAQ;CACrC,MAAM;CACN,YAAY,CAAC,WAAW;CACxB,UAAU,CAAC,YAAY,aAAa;CACrC,CAAC"}
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../src/scheduler/providers/CronProvider.ts","../../src/scheduler/primitives/$scheduler.ts","../../src/scheduler/constants/CRON.ts","../../src/scheduler/index.ts"],"sourcesContent":["import { $hook, $inject, Alepha } from \"alepha\";\nimport { type DateTime, DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport { type Cron, parseCronExpression } from \"cron-schedule\";\n\nexport class CronProvider {\n protected readonly dt = $inject(DateTimeProvider);\n protected readonly alepha = $inject(Alepha);\n protected readonly log = $logger();\n protected readonly cronJobs: Array<CronJob> = [];\n\n public getCronJobs(): Array<CronJob> {\n return this.cronJobs;\n }\n\n protected readonly start = $hook({\n on: \"start\",\n handler: () => {\n for (const cron of this.cronJobs) {\n if (!cron.running) {\n cron.running = true;\n this.log.debug(\n `Starting cron task '${cron.name}' with '${cron.expression}'`,\n );\n this.run(cron);\n }\n }\n },\n });\n\n protected readonly stop = $hook({\n on: \"stop\",\n handler: () => {\n for (const cron of this.cronJobs) {\n this.abort(cron);\n }\n },\n });\n\n protected boot(name: string \| CronJob) {\n const cron =\n typeof name === \"string\"\n ? this.cronJobs.find((c) => c.name === name)\n : name;\n\n if (!cron) {\n return;\n }\n\n cron.running = true;\n\n this.log.debug(\n `Starting cron task '${cron.name}' with '${cron.expression}'`,\n );\n\n this.run(cron);\n }\n\n public abort(name: string \| CronJob): void {\n const cron =\n typeof name === \"string\"\n ? this.cronJobs.find((c) => c.name === name)\n : name;\n\n if (!cron) {\n return;\n }\n\n cron.running = false;\n cron.abort.abort();\n this.log.debug(`Cron task '${cron.name}' stopped`);\n }\n\n /*\n Registers a cron job.\n \n It's automatically done when using the `$scheduler` primitive but can also be used manually.\n /\n public createCronJob(\n name: string,\n expression: string,\n handler: (context: { now: DateTime }) => Promise<void>,\n start?: boolean,\n ): void {\n const cron: CronJob = {\n name,\n cron: parseCronExpression(expression),\n expression,\n handler,\n loop: true,\n abort: new AbortController(),\n };\n\n this.cronJobs.push(cron);\n\n if (start && this.alepha.isStarted()) {\n this.boot(cron);\n }\n }\n\n protected run(task: CronJob, now = this.dt.now()): void {\n if (!task.running) {\n return;\n }\n\n const [next] = task.cron.getNextDates(1, now.toDate());\n if (!next) {\n return;\n }\n\n const duration = next.getTime() - now.toDate().getTime();\n\n task.abort = new AbortController();\n\n this.dt\n .wait(duration, {\n now: now.valueOf(),\n signal: task.abort.signal,\n })\n .then(() => {\n if (!task.running) {\n this.log.trace(\"Cron task stopped before execution\");\n return;\n }\n\n this.log.trace(\"Running cron task\");\n\n task.handler({ now: this.dt.of(next) }).catch((err) => {\n if (task.onError) {\n task.onError(err);\n } else {\n this.log.error(\"Error in cron task:\", err);\n }\n });\n\n if (task.loop) {\n this.run(task, this.dt.of(next));\n }\n })\n .catch((err) => {\n this.log.warn(\"Issue during cron waiting timer\", err as Error);\n });\n }\n}\n\nexport interface CronJob {\n name: string;\n expression: string;\n handler: (context: { now: DateTime }) => Promise<void>;\n cron: Cron;\n loop: boolean;\n running?: boolean;\n onError?: (error: Error) => void;\n abort: AbortController;\n}\n","import {\n $env,\n $inject,\n Alepha,\n type Async,\n createPrimitive,\n KIND,\n Primitive,\n type Static,\n t,\n} from \"alepha\";\nimport {\n type DateTime,\n DateTimeProvider,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $lock } from \"alepha/lock\";\nimport { $logger } from \"alepha/logger\";\nimport { CronProvider } from \"../providers/CronProvider.ts\";\n\n/\n Scheduler primitive.\n /\nexport const $scheduler = (\n options: SchedulerPrimitiveOptions,\n): SchedulerPrimitive => {\n return createPrimitive(SchedulerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type SchedulerPrimitiveOptions = {\n /\n Function to run on schedule.\n /\n handler: (args: SchedulerHandlerArguments) => Async<void>;\n\n /\n Name of the scheduler. Defaults to the function name.\n /\n name?: string;\n\n /\n Optional description of the scheduler.\n /\n description?: string;\n\n /\n Cron expression or interval to run the scheduler.\n /\n cron?: string;\n\n /\n Cron expression or interval to run the scheduler.\n /\n interval?: DurationLike;\n\n /\n If true, the scheduler will be locked and only one instance will run at a time.\n * You probably need to import {@link AlephaLockRedis} for distributed locking.\n \n @default true\n /\n lock?: boolean;\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nconst envSchema = t.object({\n SCHEDULER_PREFIX: t.optional(\n t.text({\n description: \"Prefix store key\",\n }),\n ),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SchedulerPrimitive extends Primitive<SchedulerPrimitiveOptions> {\n protected readonly log = $logger();\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly cronProvider = $inject(CronProvider);\n\n public get name(): string {\n return (\n this.options.name ??\n `${this.config.service.name}.${this.config.propertyKey}`\n );\n }\n\n protected onInit() {\n if (this.options.interval) {\n this.dateTimeProvider.createInterval(\n () => this.trigger(),\n this.options.interval,\n );\n }\n if (this.options.cron) {\n this.cronProvider.createCronJob(this.name, this.options.cron, () =>\n this.trigger(),\n );\n }\n }\n\n public async trigger(): Promise<void> {\n if (!this.alepha.isStarted()) {\n return;\n }\n\n const context = this.alepha.context.createContextId();\n\n await this.alepha.context.run(\n async () => {\n try {\n const now = this.dateTimeProvider.now();\n\n await this.alepha.events.emit(\"scheduler:begin\", {\n name: this.name,\n now,\n context,\n });\n\n if (this.options.lock !== false) {\n await this.schedulerLock.run({ now });\n } else {\n await this.options.handler({ now });\n }\n\n await this.alepha.events.emit(\n \"scheduler:success\",\n {\n name: this.name,\n context,\n },\n {\n catch: true,\n },\n );\n } catch (error) {\n await this.alepha.events.emit(\n \"scheduler:error\",\n {\n name: this.name,\n error: error as Error,\n context,\n },\n {\n catch: true,\n },\n );\n\n this.log.error(\"Error running scheduler:\", error);\n }\n\n await this.alepha.events.emit(\n \"scheduler:end\",\n {\n name: this.name,\n context,\n },\n {\n catch: true,\n },\n );\n },\n {\n context,\n },\n );\n }\n\n protected schedulerLock = $lock({\n name: () => {\n const prefix = this.env.SCHEDULER_PREFIX\n ? `${this.env.SCHEDULER_PREFIX}:`\n : \"\";\n return `${prefix}scheduler:${this.name}`;\n },\n handler: async (args: SchedulerHandlerArguments) => {\n await this.options.handler(args);\n },\n });\n}\n\n$scheduler[KIND] = SchedulerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface SchedulerHandlerArguments {\n now: DateTime;\n}\n","export const CRON = {\n EVERY_MINUTE: \" * * * \",\n EVERY_5_MINUTES: \"/5 * * * \",\n EVERY_15_MINUTES: \"/15 * * * \",\n EVERY_30_MINUTES: \"/30 * * * \",\n EVERY_HOUR: \"0 * * \",\n EVERY_DAY_AT_MIDNIGHT: \"0 0 * \",\n};\n","import { $module } from \"alepha\";\nimport type { DateTime } from \"alepha/datetime\";\nimport { AlephaLock } from \"alepha/lock\";\nimport { $scheduler } from \"./primitives/$scheduler.ts\";\nimport { CronProvider } from \"./providers/CronProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./constants/CRON.ts\";\nexport * from \"./primitives/$scheduler.ts\";\nexport * from \"./providers/CronProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"scheduler:begin\": {\n name: string;\n now: DateTime;\n context: string;\n };\n\n \"scheduler:success\": { name: string; context: string };\n\n \"scheduler:error\": {\n name: string;\n error: Error;\n context: string;\n };\n\n \"scheduler:end\": { name: string; context: string };\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/*\n Generic interface for scheduling tasks.\n \n @see {@link $scheduler}\n * @module alepha.scheduler\n */\nexport const AlephaScheduler = $module({\n name: \"alepha.scheduler\",\n primitives: [$scheduler],\n services: [AlephaLock, CronProvider],\n});\n"],"mappings":";;;;;;;AAKA,IAAa,eAAb,MAA0B;CACxB,AAAmB,KAAK,QAAQ,iBAAiB;CACjD,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA2B,EAAE;CAEhD,AAAO,cAA8B;AACnC,SAAO,KAAK;;CAGd,AAAmB,QAAQ,MAAM;EAC/B,IAAI;EACJ,eAAe;AACb,QAAK,MAAM,QAAQ,KAAK,SACtB,KAAI,CAAC,KAAK,SAAS;AACjB,SAAK,UAAU;AACf,SAAK,IAAI,MACP,uBAAuB,KAAK,KAAK,UAAU,KAAK,WAAW,GAC5D;AACD,SAAK,IAAI,KAAK;;;EAIrB,CAAC;CAEF,AAAmB,OAAO,MAAM;EAC9B,IAAI;EACJ,eAAe;AACb,QAAK,MAAM,QAAQ,KAAK,SACtB,MAAK,MAAM,KAAK;;EAGrB,CAAC;CAEF,AAAU,KAAK,MAAwB;EACrC,MAAM,OACJ,OAAO,SAAS,WACZ,KAAK,SAAS,MAAM,MAAM,EAAE,SAAS,KAAK,GAC1C;AAEN,MAAI,CAAC,KACH;AAGF,OAAK,UAAU;AAEf,OAAK,IAAI,MACP,uBAAuB,KAAK,KAAK,UAAU,KAAK,WAAW,GAC5D;AAED,OAAK,IAAI,KAAK;;CAGhB,AAAO,MAAM,MAA8B;EACzC,MAAM,OACJ,OAAO,SAAS,WACZ,KAAK,SAAS,MAAM,MAAM,EAAE,SAAS,KAAK,GAC1C;AAEN,MAAI,CAAC,KACH;AAGF,OAAK,UAAU;AACf,OAAK,MAAM,OAAO;AAClB,OAAK,IAAI,MAAM,cAAc,KAAK,KAAK,WAAW;;;;;;;CAQpD,AAAO,cACL,MACA,YACA,SACA,OACM;EACN,MAAM,OAAgB;GACpB;GACA,MAAM,oBAAoB,WAAW;GACrC;GACA;GACA,MAAM;GACN,OAAO,IAAI,iBAAiB;GAC7B;AAED,OAAK,SAAS,KAAK,KAAK;AAExB,MAAI,SAAS,KAAK,OAAO,WAAW,CAClC,MAAK,KAAK,KAAK;;CAInB,AAAU,IAAI,MAAe,MAAM,KAAK,GAAG,KAAK,EAAQ;AACtD,MAAI,CAAC,KAAK,QACR;EAGF,MAAM,CAAC,QAAQ,KAAK,KAAK,aAAa,GAAG,IAAI,QAAQ,CAAC;AACtD,MAAI,CAAC,KACH;EAGF,MAAM,WAAW,KAAK,SAAS,GAAG,IAAI,QAAQ,CAAC,SAAS;AAExD,OAAK,QAAQ,IAAI,iBAAiB;AAElC,OAAK,GACF,KAAK,UAAU;GACd,KAAK,IAAI,SAAS;GAClB,QAAQ,KAAK,MAAM;GACpB,CAAC,CACD,WAAW;AACV,OAAI,CAAC,KAAK,SAAS;AACjB,SAAK,IAAI,MAAM,qCAAqC;AACpD;;AAGF,QAAK,IAAI,MAAM,oBAAoB;AAEnC,QAAK,QAAQ,EAAE,KAAK,KAAK,GAAG,GAAG,KAAK,EAAE,CAAC,CAAC,OAAO,QAAQ;AACrD,QAAI,KAAK,QACP,MAAK,QAAQ,IAAI;QAEjB,MAAK,IAAI,MAAM,uBAAuB,IAAI;KAE5C;AAEF,OAAI,KAAK,KACP,MAAK,IAAI,MAAM,KAAK,GAAG,GAAG,KAAK,CAAC;IAElC,CACD,OAAO,QAAQ;AACd,QAAK,IAAI,KAAK,mCAAmC,IAAa;IAC9D;;;;;;;;;ACtHR,MAAa,cACX,YACuB;AACvB,QAAO,gBAAgB,oBAAoB,QAAQ;;AA0CrD,MAAM,YAAY,EAAE,OAAO,EACzB,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aAAa,oBACd,CAAC,CACH,EACF,CAAC;AAMF,IAAa,qBAAb,cAAwC,UAAqC;CAC3E,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,eAAe,QAAQ,aAAa;CAEvD,IAAW,OAAe;AACxB,SACE,KAAK,QAAQ,QACb,GAAG,KAAK,OAAO,QAAQ,KAAK,GAAG,KAAK,OAAO;;CAI/C,AAAU,SAAS;AACjB,MAAI,KAAK,QAAQ,SACf,MAAK,iBAAiB,qBACd,KAAK,SAAS,EACpB,KAAK,QAAQ,SACd;AAEH,MAAI,KAAK,QAAQ,KACf,MAAK,aAAa,cAAc,KAAK,MAAM,KAAK,QAAQ,YACtD,KAAK,SAAS,CACf;;CAIL,MAAa,UAAyB;AACpC,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B;EAGF,MAAM,UAAU,KAAK,OAAO,QAAQ,iBAAiB;AAErD,QAAM,KAAK,OAAO,QAAQ,IACxB,YAAY;AACV,OAAI;IACF,MAAM,MAAM,KAAK,iBAAiB,KAAK;AAEvC,UAAM,KAAK,OAAO,OAAO,KAAK,mBAAmB;KAC/C,MAAM,KAAK;KACX;KACA;KACD,CAAC;AAEF,QAAI,KAAK,QAAQ,SAAS,MACxB,OAAM,KAAK,cAAc,IAAI,EAAE,KAAK,CAAC;QAErC,OAAM,KAAK,QAAQ,QAAQ,EAAE,KAAK,CAAC;AAGrC,UAAM,KAAK,OAAO,OAAO,KACvB,qBACA;KACE,MAAM,KAAK;KACX;KACD,EACD,EACE,OAAO,MACR,CACF;YACM,OAAO;AACd,UAAM,KAAK,OAAO,OAAO,KACvB,mBACA;KACE,MAAM,KAAK;KACJ;KACP;KACD,EACD,EACE,OAAO,MACR,CACF;AAED,SAAK,IAAI,MAAM,4BAA4B,MAAM;;AAGnD,SAAM,KAAK,OAAO,OAAO,KACvB,iBACA;IACE,MAAM,KAAK;IACX;IACD,EACD,EACE,OAAO,MACR,CACF;KAEH,EACE,SACD,CACF;;CAGH,AAAU,gBAAgB,MAAM;EAC9B,YAAY;AAIV,UAAO,GAHQ,KAAK,IAAI,mBACpB,GAAG,KAAK,IAAI,iBAAiB,KAC7B,GACa,YAAY,KAAK;;EAEpC,SAAS,OAAO,SAAoC;AAClD,SAAM,KAAK,QAAQ,QAAQ,KAAK;;EAEnC,CAAC;;AAGJ,WAAW,QAAQ;;;;AC5LnB,MAAa,OAAO;CAClB,cAAc;CACd,iBAAiB;CACjB,kBAAkB;CAClB,kBAAkB;CAClB,YAAY;CACZ,uBAAuB;CACxB;;;;;;;;;;ACmCD,MAAa,kBAAkB,QAAQ;CACrC,MAAM;CACN,YAAY,CAAC,WAAW;CACxB,UAAU,CAAC,YAAY,aAAa;CACrC,CAAC"}

package/dist/security/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;cAGa,+BAAqB;MAiDhC,OAAA,CAAA;;;;;;;EAjDW,KAAA,mBAiDX,eAAA,iBAAA,CAAA;CAAA,CAAA;KAEU,WAAA,GAAc,cAAc;;;;;;;;;cC9C3B,uBAAA,SAAgC,iBAAA;;EDLhC,WAAA,CAAA;;;;cEHA,sBAAA,SAA+B,KAAA;;;;;cCA/B,aAAA,SAAsB,KAAA;;;;;;;;;;UCMlB,gBAAA,SAAyB;;;;EJH7B,KAAA,CAAA,EAAA,MAAA;EAiDX;;;;;;;;;;;;cKjDW,0BAAgB;QA8B3B,OAAA,CAAA;;;;;;KAEU,UAAA,GAAa,cAAc;;;cChC1B,oBAAU;QAqCrB,OAAA,CAAA;;;;;;;ENrCW,CAAA,CAAA,CAAA;CAiDX,CAAA;KMVU,IAAA,GAAO,cAAc;;;;;;cCjBpB,WAAA;0BAAW,cAAA,CACA;+BACO;EPxBlB,mBAAA,gBAiDX,EOxBmC,gBPwBnC;EAAA,mBAAA,OAAA,EOvB0B,WPuB1B;;;;;;;uDOf4D;;;;;;;;mDAwChD,mBACT,QAAQ;;;;APxBb;;;;AC9CA;;kBM+Ha,oDAEK,iBACb;;AL1IL;;;;ACAA;;;KIwKY,SAAA,sBACQ,6BACV,sBACL,QAAQ,YAAY;AHrKR,UGuKA,eAAA,CHvKiB;;aGyKrB;;AF5Kb;AA8BE,UEkJe,cAAA,CFlJf;WEmJS,QAAQ;;UAGF,kBAAA,SAA2B;;;;;;cFpLf,CAAA,EAAA;IAAA,KAAA,EAAA,MAAA,EAAA;EAgCjB,CAAA;;UE+JK,cAAA;;ED/LJ,MAAA,ECiMH,eD5JR,CC4JwB,kBD5JxB,CAAA;;;;cEjBW,kBAAA;ARpBb,cQsBM,SRtBO,EQ0BX,OAAA,CAJa,OR2Bb,CAAA;EAAA,UAAA,EQvBA,OAAA,CAAA,ORuBA;;;wBQpBsB,QAAQ,cAAc;;cAGjC,gBAAA;;wCAEyB;iDACS;0BAAA,cAAA,CAGvB;0BACA;;;;6BAEG;;;;ARU3B;kCQDkC;;;AP7ClC;6BOkD6B;mBAAK,OAAA,CAmBjB;;AN7EjB;;;;ACAA;mBKsG0B,4BAA4B;;;AJhGtD;;;wBIgK+B,sBAAsB;EHnKxC,WAAA,CAAA,KAAA,EGkOe,KHpM1B,CAAA,EAAA,IAAA;EAAA;;;;;;;;oCGqN+C,SAAS;;;AHnN1D;;;;AChCA;;iCE2Qa,iCAER;;;;;;;;;2CA4CwB,uCAExB;;;;EF3TkB,mBAAA,CAAA,aAAA,CAAA,EAAA,MAAA,EAAA,QAAA,EAAA;IAuCX,UAAI,CAAA,EE+WG,UF/Wc,~~GAAA~~,~~MAAd~~;;aEiXJ;MAEV,QAAQ;EDpYA;;;;;;;EAqDA,GAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GC0YuC,UD1YvC,CAAA,EAAA,OAAA;EAAR;;;EA4DA,SAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GCuVoB,UDvVpB,CAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;EAAO;AA8BZ;;;;EAGyB,kBAAA,CAAA,UAAA,ECgUe,UDhUf,GAAA,MAAA,CAAA,EAAA,MAAA;EAApB,SAAA,CAAA,CAAA,ECmViB,KDnVjB,EAAA;EAAO;AAEZ;AAMA;AAIA;AAWA;4BCqUmC;;;AAhfnC;AAAqE;AAEtD;;;EAO+B,cAAA,CAAA,IAAf,CAAe,EAAA;IAAd,KAAA,CAAA,EAufpB,KAvfoB,CAufd,IAvfc,GAAA,MAAA,CAAA;IAAR,KAAA,CAAA,EAAA,MAAA;EAAO,CAAA,CAAA,EAyfzB,UAzfyB,EAAA;EAAA;;AAG/B;;;;EAOwB,gBAAA,CAAA,OAAA,EA8kBW,MA9kBX,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEG,uBAAA,CAAA,OAAA,EA6lBd,MA7lBc,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EASO;;;;;EAiHH,mBAAA,CAAA,OAAA,EAkfO,MAlfP,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAAsB,qBAAA,CAAA,OAAA,EAufxC,MAvfwC,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EA+DzB,sBAAA,CAAA,OAAA,EA8cf,MA9ce,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAiBqB,mBAAA,CAAA,OAAA,EA8cX,MA9cW,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAAS;;;;;;EAqK3C,kBAAA,CAAA,OAAA,EA2TsB,MA3TtB,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEF,2BAAA,CAAA,OAAA,EA6UA,MA7UA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;;;;;AAiGS,UAkQL,KAAA,CAlQK;EASa,IAAA,EAAA,MAAA;EAgBjB,KAAA,EA4OT,IA5OS,EAAA;EAAN;;;;;EAsIC,MAAA,CAAA,EAAA,MAAA,GA6GO,aA7GP,GAAA,CAAA,GAAA,GAAA,MAAA,CAAA;EAsBA;;;;EAuDM,OAAA,CAAA,EAAA,CAAA,GAAA,EAsCD,MAtCC,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAsCuB,WAtCvB;AAsBnB;AAGS,UAgBQ,mBAAA,CAhBR;EAOW,YAAA,EAAA,OAAA;EAMF,SAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;;;;;;;cCzwBL;aACF,6BACR;;ATNH,CAAA;AAiDE,USrCe,0BAAA,CTqCf;;;;;;;;;;;;;;cSlBW,mBAAA,SAA4B,UAAU;uCACd;;WThCH,CAAA,CAAA,EAAA,MAAA;EAAA,QAAA,CAAA,CAAA,EAAA,MAAA;EAmDtB,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;;;;EC9CV,GAAA,CAAA,IAAA,EQoDM,WRpDN,CAAA,EAAA,OAAwB;;;;;;ADLrC;AAiDE,cUnCW,MVmCX,EAAA;YUnC8B,wBAAwB;;;KAM5C,qBAAA;;;;;;;;;;;;;OVpBsB,CAAA,EUmCxB,KVnCwB,CAAA,MAAA,GUmCT,IVnCS,CAAA;EAAA;AAmDlC;;aUXa;;ATnCb;;yBSwCyB,wBAAwB;KAC5C,gBAAgB;ARjDR,UQmDI,aAAA,CRnDmB;;;;ACApC;;iBOyDiB;;ENnDA,YAAA,CAAA,EAAA;;;;ACHjB;IA8BE,UAAA,CAAA,EKgCe,YLhCf;;2BKsCQ;;QAIH;;;;+CAKwC;QL7ElB,EK8EnB,WL9EmB;IAAA,SAAA,EAAA,MAAA;IAgCjB,SAAU,CAAA,EAAA,MAAA;;8CKmDwB;;AJnFjC,KIsFD,aAAA,GJjDV;EAAA;;;;;UIwDe,aAAA;;;;yBAIQ;;cAKZ,cAAA,SAAuB,UAAU;uCACT;qBJvGd,gBAAA,EIwGc,gBJxGd;EAAA,mBAAA,GAAA,EIyGC,WJzGD;EAuCX,mBAAqB,GAAA,EIkET,cAAA,CACA,MJnEC;;+BIyEa;gCAMC;EHhG1B,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;EAAA;;;EAII,QAAA,CAAA,CAAA,EG2HP,IH3HO,EAAA;EAQkC;;;EAyCzD,QAAA,CAAA,KAAA,EGiF0B,IHjF1B,EAAA,CAAA,EGiFmC,OHjFnC,CAAA,IAAA,CAAA;EAyDQ;;;EAGD,aAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EG4B0B,IH5B1B;EA8BA,UAAA,CAAA,KAAS,EAAA,MAAA,CAAA,EGMqB,OHNrB,CGM6B,UHN7B,CAAA;EACD;;;EAEK,WAAA,CAAA,IAAA,EGYf,WHZe,EAAA,YAQR,CARQ,EAAA;IAApB,GAAA,CAAA,EAAA,MAAA;IAAO,aAAA,CAAA,EAAA,MAAA;IAEK,wBAAe,CAAA,EAEnB,MAAA;EAII,CAAA,CAAA,EGUZ,OHVY,CGUJ,mBHTM,CAAA;EAGF,YAAA,CAAA,YAAmB,EAAA,MAAQ,EAAA,WAAU,CAAA,EAAA,MAAA,CAAA,EG6FjD,OH7FiD,CAAA;IAWrC,MAAA,EGmFL,mBHjFc;UGkFhB;;;AF/PG,UE+TI,kBAAA,CF/Tc;EAEzB,GAAA,EAAA,MAAA;EAAS,KAAA,CAAA,EAAA,MAAA,EAAA;EAAA,KAAA,CAAA,EAAA,MAAA;;AAO+B,UE4T7B,mBAAA,CF5T6B;EAAd,YAAA,EAAA,MAAA;EAAR,UAAA,EAAA,MAAA;EAAO,UAAA,CAAA,EAAA,MAAA;EAAA,SAAA,EAAA,MAAA;EAAA,aAAA,CAAA,EAAA,MAAA;EAGlB,wBAAgB,CAAA,EAAA,MAAA;EAES,KAAA,CAAA,EAAA,MAAA;;;;;;;cG7BzB;aAAkB,uBAA4B;EXL9C,MAAA,EAAA,oBAiDX;CAAA;UWtCe,oBAAA;;;;;;;;;mBAWE;gBAEH;;;;;;cAUH,aAAA,SAAsB,SXlCD,CWkCW,oBXlCX,CAAA,CAAA;EAAA,mBAAA,gBAAA,EWmCG,gBXnCH;EAmDtB,IAAA,IAAA,CAAA,CAAA,EAAA,MAAW;;;;AC9CvB;wBUwD+B;2BAIG;6BAIE,sBAAmB;ATxEvD;;;;;;;;;;AFGA;;;;;;;;;;;;;;;;;;;;AAmDA;cYrBa,2BACF,mCACR;KAqHS,8BAAA;;AXhJZ,CAAA,GAAa,CAAA;UWoJC;;SAGD;EV/JA,IAAA,EUgKD,WVhKC;;UUoKI,oCAAA;;ATpKjB;;;;ACMA;;;;ACHA;;;;UOkLiB,uBAAA;eACF;;UAGE,mBAAA;aACJ;;;;cCrLA,cAAA;kCACkC;oDAS1C;;;;;;;;;YCaO;;;;;;;;;;Ad0BZ;;;;AC9CA;;caqCa,gBAAc,OAAA,CAAA,QAIzB,OAAA,CAJyB,MAAA"}
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;cAGa,+BAAqB;MAiDhC,OAAA,CAAA;;;;;;;EAjDW,KAAA,mBAiDX,eAAA,iBAAA,CAAA;CAAA,CAAA;KAEU,WAAA,GAAc,cAAc;;;;;;;;;cC9C3B,uBAAA,SAAgC,iBAAA;;EDLhC,WAAA,CAAA;;;;cEHA,sBAAA,SAA+B,KAAA;;;;;cCA/B,aAAA,SAAsB,KAAA;;;;;;;;;;UCMlB,gBAAA,SAAyB;;;;EJH7B,KAAA,CAAA,EAAA,MAAA;EAiDX;;;;;;;;;;;;cKjDW,0BAAgB;QA8B3B,OAAA,CAAA;;;;;;KAEU,UAAA,GAAa,cAAc;;;cChC1B,oBAAU;QAqCrB,OAAA,CAAA;;;;;;;ENrCW,CAAA,CAAA,CAAA;CAiDX,CAAA;KMVU,IAAA,GAAO,cAAc;;;;;;cCjBpB,WAAA;0BAAW,cAAA,CACA;+BACO;EPxBlB,mBAAA,gBAiDX,EOxBmC,gBPwBnC;EAAA,mBAAA,OAAA,EOvB0B,WPuB1B;;;;;;;uDOf4D;;;;;;;;mDAwChD,mBACT,QAAQ;;;;APxBb;;;;AC9CA;;kBM+Ha,oDAEK,iBACb;;AL1IL;;;;ACAA;;;KIwKY,SAAA,sBACQ,6BACV,sBACL,QAAQ,YAAY;AHrKR,UGuKA,eAAA,CHvKiB;;aGyKrB;;AF5Kb;AA8BE,UEkJe,cAAA,CFlJf;WEmJS,QAAQ;;UAGF,kBAAA,SAA2B;;;;;;cFpLf,CAAA,EAAA;IAAA,KAAA,EAAA,MAAA,EAAA;EAgCjB,CAAA;;UE+JK,cAAA;;ED/LJ,MAAA,ECiMH,eD5JR,CC4JwB,kBD5JxB,CAAA;;;;cEjBW,kBAAA;ARpBb,cQsBM,SRtBO,EQ0BX,OAAA,CAJa,OR2Bb,CAAA;EAAA,UAAA,EQvBA,OAAA,CAAA,ORuBA;;;wBQpBsB,QAAQ,cAAc;;cAGjC,gBAAA;;wCAEyB;iDACS;0BAAA,cAAA,CAGvB;0BACA;;;;6BAEG;;;;ARU3B;kCQDkC;;;AP7ClC;6BOkD6B;mBAAK,OAAA,CAmBjB;;AN7EjB;;;;ACAA;mBKsG0B,4BAA4B;;;AJhGtD;;;wBIgK+B,sBAAsB;EHnKxC,WAAA,CAAA,KAAA,EGkOe,KHpM1B,CAAA,EAAA,IAAA;EAAA;;;;;;;;oCGqN+C,SAAS;;;AHnN1D;;;;AChCA;;iCE2Qa,iCAER;;;;;;;;;2CA4CwB,uCAExB;;;;EF3TkB,mBAAA,CAAA,aAAA,CAAA,EAAA,MAAA,EAAA,QAAA,EAAA;IAuCX,UAAI,CAAA,EE+WG,UF/Wc,GAAd,MAAA;;aEiXJ;MAEV,QAAQ;EDpYA;;;;;;;EAqDA,GAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GC0YuC,UD1YvC,CAAA,EAAA,OAAA;EAAR;;;EA4DA,SAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GCuVoB,UDvVpB,CAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;EAAO;AA8BZ;;;;EAGyB,kBAAA,CAAA,UAAA,ECgUe,UDhUf,GAAA,MAAA,CAAA,EAAA,MAAA;EAApB,SAAA,CAAA,CAAA,ECmViB,KDnVjB,EAAA;EAAO;AAEZ;AAMA;AAIA;AAWA;4BCqUmC;;;AAhfnC;AAAqE;AAEtD;;;EAO+B,cAAA,CAAA,IAAf,CAAe,EAAA;IAAd,KAAA,CAAA,EAufpB,KAvfoB,CAufd,IAvfc,GAAA,MAAA,CAAA;IAAR,KAAA,CAAA,EAAA,MAAA;EAAO,CAAA,CAAA,EAyfzB,UAzfyB,EAAA;EAAA;;AAG/B;;;;EAOwB,gBAAA,CAAA,OAAA,EA8kBW,MA9kBX,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEG,uBAAA,CAAA,OAAA,EA6lBd,MA7lBc,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EASO;;;;;EAiHH,mBAAA,CAAA,OAAA,EAkfO,MAlfP,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAAsB,qBAAA,CAAA,OAAA,EAufxC,MAvfwC,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EA+DzB,sBAAA,CAAA,OAAA,EA8cf,MA9ce,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAiBqB,mBAAA,CAAA,OAAA,EA8cX,MA9cW,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAAS;;;;;;EAqK3C,kBAAA,CAAA,OAAA,EA2TsB,MA3TtB,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEF,2BAAA,CAAA,OAAA,EA6UA,MA7UA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;;;;;AAiGS,UAkQL,KAAA,CAlQK;EASa,IAAA,EAAA,MAAA;EAgBjB,KAAA,EA4OT,IA5OS,EAAA;EAAN;;;;;EAsIC,MAAA,CAAA,EAAA,MAAA,GA6GO,aA7GP,GAAA,CAAA,GAAA,GAAA,MAAA,CAAA;EAsBA;;;;EAuDM,OAAA,CAAA,EAAA,CAAA,GAAA,EAsCD,MAtCC,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAsCuB,WAtCvB;AAsBnB;AAGS,UAgBQ,mBAAA,CAhBR;EAOW,YAAA,EAAA,OAAA;EAMF,SAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;;;;;;;cCzwBL;aACF,6BACR;;ATNH,CAAA;AAiDE,USrCe,0BAAA,CTqCf;;;;;;;;;;;;;;cSlBW,mBAAA,SAA4B,UAAU;uCACd;;WThCH,CAAA,CAAA,EAAA,MAAA;EAAA,QAAA,CAAA,CAAA,EAAA,MAAA;EAmDtB,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;;;;EC9CV,GAAA,CAAA,IAAA,EQoDM,WRpDN,CAAA,EAAA,OAAwB;;;;;;ADLrC;AAiDE,cUnCW,MVmCX,EAAA;YUnC8B,wBAAwB;;;KAM5C,qBAAA;;;;;;;;;;;;;OVpBsB,CAAA,EUmCxB,KVnCwB,CAAA,MAAA,GUmCT,IVnCS,CAAA;EAAA;AAmDlC;;aUXa;;ATnCb;;yBSwCyB,wBAAwB;KAC5C,gBAAgB;ARjDR,UQmDI,aAAA,CRnDmB;;;;ACApC;;iBOyDiB;;ENnDA,YAAA,CAAA,EAAA;;;;ACHjB;IA8BE,UAAA,CAAA,EKgCe,YLhCf;;2BKsCQ;;QAIH;;;;+CAKwC;QL7ElB,EK8EnB,WL9EmB;IAAA,SAAA,EAAA,MAAA;IAgCjB,SAAU,CAAA,EAAA,MAAA;;8CKmDwB;;AJnFjC,KIsFD,aAAA,GJjDV;EAAA;;;;;UIwDe,aAAA;;;;yBAIQ;;cAKZ,cAAA,SAAuB,UAAU;uCACT;qBJvGd,gBAAA,EIwGc,gBJxGd;EAAA,mBAAA,GAAA,EIyGC,WJzGD;EAuCX,mBAAqB,GAAA,EIkET,cAAA,CACA,MJnEC;;+BIyEa;gCAMC;EHhG1B,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;EAAA;;;EAII,QAAA,CAAA,CAAA,EG2HP,IH3HO,EAAA;EAQkC;;;EAyCzD,QAAA,CAAA,KAAA,EGiF0B,IHjF1B,EAAA,CAAA,EGiFmC,OHjFnC,CAAA,IAAA,CAAA;EAyDQ;;;EAGD,aAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EG4B0B,IH5B1B;EA8BA,UAAA,CAAA,KAAS,EAAA,MAAA,CAAA,EGMqB,OHNrB,CGM6B,UHN7B,CAAA;EACD;;;EAEK,WAAA,CAAA,IAAA,EGYf,WHZe,EAAA,YAQR,CARQ,EAAA;IAApB,GAAA,CAAA,EAAA,MAAA;IAAO,aAAA,CAAA,EAAA,MAAA;IAEK,wBAAe,CAAA,EAEnB,MAAA;EAII,CAAA,CAAA,EGUZ,OHVY,CGUJ,mBHTM,CAAA;EAGF,YAAA,CAAA,YAAmB,EAAA,MAAQ,EAAA,WAAU,CAAA,EAAA,MAAA,CAAA,EG6FjD,OH7FiD,CAAA;IAWrC,MAAA,EGmFL,mBHjFc;UGkFhB;;;AF/PG,UE+TI,kBAAA,CF/Tc;EAEzB,GAAA,EAAA,MAAA;EAAS,KAAA,CAAA,EAAA,MAAA,EAAA;EAAA,KAAA,CAAA,EAAA,MAAA;;AAO+B,UE4T7B,mBAAA,CF5T6B;EAAd,YAAA,EAAA,MAAA;EAAR,UAAA,EAAA,MAAA;EAAO,UAAA,CAAA,EAAA,MAAA;EAAA,SAAA,EAAA,MAAA;EAAA,aAAA,CAAA,EAAA,MAAA;EAGlB,wBAAgB,CAAA,EAAA,MAAA;EAES,KAAA,CAAA,EAAA,MAAA;;;;;;;cG7BzB;aAAkB,uBAA4B;EXL9C,MAAA,EAAA,oBAiDX;CAAA;UWtCe,oBAAA;;;;;;;;;mBAWE;gBAEH;;;;;;cAUH,aAAA,SAAsB,SXlCD,CWkCW,oBXlCX,CAAA,CAAA;EAAA,mBAAA,gBAAA,EWmCG,gBXnCH;EAmDtB,IAAA,IAAA,CAAA,CAAA,EAAA,MAAW;;;;AC9CvB;wBUwD+B;2BAIG;6BAIE,sBAAmB;ATxEvD;;;;;;;;;;AFGA;;;;;;;;;;;;;;;;;;;;AAmDA;cYrBa,2BACF,mCACR;KAqHS,8BAAA;;AXhJZ,CAAA,GAAa,CAAA;UWoJC;;SAGD;EV/JA,IAAA,EUgKD,WVhKC;;UUoKI,oCAAA;;ATpKjB;;;;ACMA;;;;ACHA;;;;UOkLiB,uBAAA;eACF;;UAGE,mBAAA;aACJ;;;;cCrLA,cAAA;kCACkC;oDAS1C;;;;;;;;;YCaO;;;;;;;;;;Ad0BZ;;;;AC9CA;;caqCa,gBAAc,OAAA,CAAA,QAIzB,OAAA,CAJyB,MAAA"}

package/dist/security/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["permission: Permission","roles: Role[]","role","it","result: SecurityCheckResult","ownership: string \| boolean \| undefined","permissions: Permission[]","ref: Permission[]","role","sid: string \| undefined","refresh_token: string \| undefined","refresh_token_expires_in: number \| undefined","refreshToken","user","expiresIn","store: {\n cache?: AccessTokenResponse;\n }","response: Response","json: any"],"sources":["../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/errors/SecurityError.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/index.ts"],"sourcesContent":["export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/*\n Provides utilities for working with JSON Web Tokens (JWT).\n /\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /\n Adds a key loader to the embedded keystore.\n \n @param name\n * @param secretKeyOrJwks\n /\n public setKeyLoader(name: string, secretKeyOrJwks: string \| JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.info(\n `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n );\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.info(\n `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n );\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.info(\n `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n );\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /\n Retrieves the payload from a JSON Web Token (JWT).\n \n @param token - The JWT to extract the payload from.\n \n @return A Promise that resolves with the payload object from the token.\n /\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /\n Creates a JWT token with the provided payload and secret key.\n \n @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n \n @returns The signed JWT token.\n /\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /\n Determines if the provided key is a secret key.\n \n @param key\n * @protected\n /\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey \| KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organizations?: string[];\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","import {\n $env,\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n type Static,\n t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n APP_SECRET: t.text({\n default: DEFAULT_APP_SECRET,\n }),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+):\\\|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n\n public get secretKey() {\n return this.env.APP_SECRET;\n }\n\n /\n The permissions configured for the security provider.\n /\n protected readonly permissions: Permission[] = [];\n\n /\n The realms configured for the security provider.\n /\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.env.APP_SECRET,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n this.log.warn(\n \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n );\n }\n\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n }\n },\n });\n\n /*\n Adds a role to one or more realms.\n \n @param role\n * @param realms\n /\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:\")\n if (name.endsWith(\":\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix \|\|\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /*\n Adds a permission to the security provider.\n \n @param raw - The permission to add.\n /\n public createPermission(raw: Permission \| string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n current: existing,\n new: permission,\n });\n\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /\n Updates the roles for a realm then synchronizes the user account provider if available.\n \n Only available when the app is started.\n \n @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n /\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /\n Creates a user account from the provided payload.\n \n @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n \n @returns The user info created from the payload.\n /\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organizations = this.getOrganizationsFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organizations,\n sessionId,\n };\n }\n\n /\n Checks if the user has the specified permission.\n \n Bonus: we check also if the user has \"ownership\" flag.\n \n @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n /\n public checkPermission(\n permissionLike: string \| Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /*\n Creates a user account from the provided payload.\n /\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission \| string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n if (typeof token !== \"string\" \|\| token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string \| boolean \| undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /\n Checks if a user has a specific role.\n \n @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n /\n public can(roleName: string, permission: string \| Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /\n Checks if a user has ownership of a specific permission.\n /\n public ownership(\n roleName: string,\n permission: string \| Permission,\n ): string \| boolean \| undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /\n Converts a permission object to a string.\n \n @param permission\n /\n public permissionToString(permission: Permission \| string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /\n Retrieves the user account from the provided user ID.\n \n @param realm\n /\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /\n Returns all permissions.\n \n @param user - Filter permissions by user.\n \n @return An array containing all permissions.\n /\n public getPermissions(user?: {\n roles?: Array<Role \| string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"\") {\n // Wildcard at any level (e.g., \"admin:\", \"admin:api:\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix \|\|\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /*\n Retrieves the user ID from the provided payload object.\n \n @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n /\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /\n Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n /\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /\n Returns the name from the given payload.\n \n @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n /\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationsFromPayload(\n payload: Record<string, any>,\n ): string[] \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.organization) {\n if (typeof payload.organization === \"string\") {\n return [payload.organization];\n }\n if (Array.isArray(payload.organization)) {\n return payload.organization;\n }\n }\n }\n}\n\n// =====================================================================================================================\n\n/\n A realm definition.\n /\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /\n The secret key for the realm.\n \n Can be also a JWKS URL.\n /\n secret?: string \| JSONWebKeySet \| (() => string);\n\n /\n Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n /\n profile?: (raw: Record<string, any>) => UserAccount;\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string \| boolean \| undefined;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/\n Create a new permission.\n /\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /\n Name of the permission. Use Property name is not provided.\n /\n name?: string;\n\n /\n Group of the permission. Use Class name is not provided.\n /\n group?: string;\n\n /\n Describe the permission.\n /\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group \|\| this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /\n Check if the user has the permission.\n /\n public can(user: UserAccount): boolean {\n if (!user.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/\n Create a new realm.\n /\nexport const $realm = (options: RealmPrimitiveOptions): RealmPrimitive => {\n return createPrimitive(RealmPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type RealmPrimitiveOptions = {\n /\n Define the realm name.\n * If not provided, it will use the property key.\n /\n name?: string;\n\n /\n Short description about the realm.\n /\n description?: string;\n\n /\n All roles available in the realm. Role is a string (role name) or a Role object (embedded role).\n /\n roles?: Array<string \| Role>;\n\n /\n Realm settings.\n /\n settings?: RealmSettings;\n\n /\n Parse the JWT payload to create a user account info.\n /\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n} & (RealmInternal \| RealmExternal);\n\nexport interface RealmSettings {\n accessToken?: {\n /\n Lifetime of the access token.\n * @default 15 minutes\n /\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /\n Lifetime of the refresh token.\n * @default 30 days\n /\n expiration?: DurationLike;\n\n // TODO: expirationIdle (max inactive time before the token is invalidated)\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type RealmInternal = {\n /\n Internal secret to sign JWT tokens and verify them.\n /\n secret: string;\n};\n\nexport interface RealmExternal {\n /\n URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n /\n jwks: (() => string) \| JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n });\n }\n\n /\n Get all roles in the realm.\n /\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /\n Set all roles in the realm.\n /\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /\n Get a role by name, throws an error if not found.\n /\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /\n Create a token for the subject.\n /\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string \| undefined = refreshToken?.sid;\n let refresh_token: string \| undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number \| undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organizations: user.organizations,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // extract user from an expired token\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$realm[KIND] = RealmPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\nimport type { RealmPrimitive } from \"./$realm.ts\";\n\n/\n Create a new role.\n /\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /\n Name of the role.\n /\n name?: string;\n\n /\n Describe the role.\n /\n description?: string;\n\n realm?: string \| RealmPrimitive;\n\n permissions?: Array<\n \| string\n \| {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /\n Get the realm of the role.\n /\n public get realm(): string \| RealmPrimitive \| undefined {\n return this.options.realm;\n }\n\n public can(permission: string \| PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string \| PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n public async hashPassword(password: string): Promise<string> {\n const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n return `${salt}:${derivedKey.toString(\"hex\")}`;\n }\n\n public async verifyPassword(\n password: string,\n stored: string,\n ): Promise<boolean> {\n // Validate input format\n if (!stored \|\| typeof stored !== \"string\") {\n return false;\n }\n\n const parts = stored.split(\":\");\n if (parts.length !== 2) {\n return false;\n }\n\n const [salt, originalHex] = parts;\n\n // Validate salt and hash are non-empty\n if (!salt \|\| !originalHex) {\n return false;\n }\n\n // Validate hex format (must be even length and valid hex)\n if (originalHex.length % 2 !== 0 \|\| !/^[0-9a-f]+$/i.test(originalHex)) {\n return false;\n }\n\n try {\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n const originalKey = Buffer.from(originalHex, \"hex\");\n\n // Validate buffer lengths match (scrypt should produce 64 bytes)\n if (derivedKey.length !== originalKey.length) {\n return false;\n }\n\n // Important: prevent timing attacks\n return timingSafeEqual(derivedKey, originalKey);\n } catch (error) {\n // Handle any errors during verification (e.g., invalid salt encoding)\n return false;\n }\n }\n\n public randomUUID(): string {\n return randomUUID();\n }\n}\n","import { UnauthorizedError } from \"alepha/server\";\n\n/\n Error thrown when the provided credentials are invalid.\n \n Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n /\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, RealmPrimitive } from \"./$realm.ts\";\n\n/\n Allow to get an access token for a service account.\n \n You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n \n @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n \n class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n \n async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n /\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new Error(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new Error(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new Error(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token \|\| !json.expires_in) {\n throw new Error(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.realm.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n \| {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n \| {\n realm: RealmPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /\n Get Token URL.\n /\n url: string;\n\n /\n Client ID.\n /\n clientId: string;\n\n /\n Client Secret.\n /\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organizations: t.optional(\n t.array(t.text(), {\n description: \"List of organizations the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $module } from \"alepha\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $realm } from \"./primitives/$realm.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$realm.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n}\n\n/*\n Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.\n \n The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`\n * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless\n * integration with various authentication providers and user management systems.\n \n @see {@link $realm}\n * @see {@link $role}\n * @see {@link $permission}\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$realm, $role, $permission],\n services: [SecurityProvider, JwtProvider, CryptoProvider],\n});\n"],"mappings":";;;;;;;;;;AAAA,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACFvC,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;;;;ACuB3B,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;AC7IlC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,OACvB,KAAI,MAAM,QAAQ;IAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,SAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;;EAIhD,CAAC;;;;;;;CAQF,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAIA;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;;;;;CAWH,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAMC,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASC,OAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,SAAOC,KAAG,SAAS,OAAO,CAACA,KAAG,WAAW,CAACA,KAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAMC,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAIC;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAMC,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAIC,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;AC9uBvB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA4B;AACrC,MAAI,CAAC,KAAK,MACR,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;ACpDpB,MAAa,UAAU,YAAmD;AACxE,QAAO,gBAAgB,gBAAgB,QAAQ;;AAuFjD,IAAa,iBAAb,cAAoC,UAAiC;CACnE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASC,OAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACD,CAAC;;;;;CAMJ,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAIC,MAA0B,cAAc;EAC5C,IAAIC,gBAAoC,cAAc;EACtD,IAAIC,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,8BAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgBC;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,cAAM,wBAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAYC,QAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0BC;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,OAAO,QAAQ;;;;;;;AC1Uf,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,QAA6C;AACtD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;;;;;;;AChDvB,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAMC,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAIC;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAIC;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,MAAM,YAAY,QAAQ,KAAK;AAE3D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;ACrCF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;ACPF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAQ;EAAO;EAAY;CACxC,UAAU;EAAC;EAAkB;EAAa;EAAe;CAC1D,CAAC"}
1	+ {"version":3,"file":"index.js","names":["role","it","role","refreshToken","user","expiresIn"],"sources":["../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/errors/SecurityError.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/index.ts"],"sourcesContent":["export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/*\n Provides utilities for working with JSON Web Tokens (JWT).\n /\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /\n Adds a key loader to the embedded keystore.\n \n @param name\n * @param secretKeyOrJwks\n /\n public setKeyLoader(name: string, secretKeyOrJwks: string \| JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.info(\n `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n );\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.info(\n `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n );\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.info(\n `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n );\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /\n Retrieves the payload from a JSON Web Token (JWT).\n \n @param token - The JWT to extract the payload from.\n \n @return A Promise that resolves with the payload object from the token.\n /\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /\n Creates a JWT token with the provided payload and secret key.\n \n @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n \n @returns The signed JWT token.\n /\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /\n Determines if the provided key is a secret key.\n \n @param key\n * @protected\n /\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey \| KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organizations?: string[];\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","import {\n $env,\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n type Static,\n t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n APP_SECRET: t.text({\n default: DEFAULT_APP_SECRET,\n }),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+):\\\|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n\n public get secretKey() {\n return this.env.APP_SECRET;\n }\n\n /\n The permissions configured for the security provider.\n /\n protected readonly permissions: Permission[] = [];\n\n /\n The realms configured for the security provider.\n /\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.env.APP_SECRET,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n this.log.warn(\n \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n );\n }\n\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n }\n },\n });\n\n /*\n Adds a role to one or more realms.\n \n @param role\n * @param realms\n /\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:\")\n if (name.endsWith(\":\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix \|\|\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /*\n Adds a permission to the security provider.\n \n @param raw - The permission to add.\n /\n public createPermission(raw: Permission \| string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n current: existing,\n new: permission,\n });\n\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /\n Updates the roles for a realm then synchronizes the user account provider if available.\n \n Only available when the app is started.\n \n @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n /\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /\n Creates a user account from the provided payload.\n \n @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n \n @returns The user info created from the payload.\n /\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organizations = this.getOrganizationsFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organizations,\n sessionId,\n };\n }\n\n /\n Checks if the user has the specified permission.\n \n Bonus: we check also if the user has \"ownership\" flag.\n \n @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n /\n public checkPermission(\n permissionLike: string \| Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /*\n Creates a user account from the provided payload.\n /\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission \| string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n if (typeof token !== \"string\" \|\| token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string \| boolean \| undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /\n Checks if a user has a specific role.\n \n @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n /\n public can(roleName: string, permission: string \| Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /\n Checks if a user has ownership of a specific permission.\n /\n public ownership(\n roleName: string,\n permission: string \| Permission,\n ): string \| boolean \| undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /\n Converts a permission object to a string.\n \n @param permission\n /\n public permissionToString(permission: Permission \| string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /\n Retrieves the user account from the provided user ID.\n \n @param realm\n /\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /\n Returns all permissions.\n \n @param user - Filter permissions by user.\n \n @return An array containing all permissions.\n /\n public getPermissions(user?: {\n roles?: Array<Role \| string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"\") {\n // Wildcard at any level (e.g., \"admin:\", \"admin:api:\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix \|\|\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /*\n Retrieves the user ID from the provided payload object.\n \n @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n /\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /\n Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n /\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /\n Returns the name from the given payload.\n \n @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n /\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationsFromPayload(\n payload: Record<string, any>,\n ): string[] \| undefined {\n if (!payload) {\n return;\n }\n\n if (payload.organization) {\n if (typeof payload.organization === \"string\") {\n return [payload.organization];\n }\n if (Array.isArray(payload.organization)) {\n return payload.organization;\n }\n }\n }\n}\n\n// =====================================================================================================================\n\n/\n A realm definition.\n /\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /\n The secret key for the realm.\n \n Can be also a JWKS URL.\n /\n secret?: string \| JSONWebKeySet \| (() => string);\n\n /\n Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n /\n profile?: (raw: Record<string, any>) => UserAccount;\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string \| boolean \| undefined;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/\n Create a new permission.\n /\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /\n Name of the permission. Use Property name is not provided.\n /\n name?: string;\n\n /\n Group of the permission. Use Class name is not provided.\n /\n group?: string;\n\n /\n Describe the permission.\n /\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group \|\| this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /\n Check if the user has the permission.\n /\n public can(user: UserAccount): boolean {\n if (!user.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/\n Create a new realm.\n /\nexport const $realm = (options: RealmPrimitiveOptions): RealmPrimitive => {\n return createPrimitive(RealmPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type RealmPrimitiveOptions = {\n /\n Define the realm name.\n * If not provided, it will use the property key.\n /\n name?: string;\n\n /\n Short description about the realm.\n /\n description?: string;\n\n /\n All roles available in the realm. Role is a string (role name) or a Role object (embedded role).\n /\n roles?: Array<string \| Role>;\n\n /\n Realm settings.\n /\n settings?: RealmSettings;\n\n /\n Parse the JWT payload to create a user account info.\n /\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n} & (RealmInternal \| RealmExternal);\n\nexport interface RealmSettings {\n accessToken?: {\n /\n Lifetime of the access token.\n * @default 15 minutes\n /\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /\n Lifetime of the refresh token.\n * @default 30 days\n /\n expiration?: DurationLike;\n\n // TODO: expirationIdle (max inactive time before the token is invalidated)\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type RealmInternal = {\n /\n Internal secret to sign JWT tokens and verify them.\n /\n secret: string;\n};\n\nexport interface RealmExternal {\n /\n URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n /\n jwks: (() => string) \| JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n });\n }\n\n /\n Get all roles in the realm.\n /\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /\n Set all roles in the realm.\n /\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /\n Get a role by name, throws an error if not found.\n /\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /\n Create a token for the subject.\n /\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string \| undefined = refreshToken?.sid;\n let refresh_token: string \| undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number \| undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organizations: user.organizations,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // extract user from an expired token\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$realm[KIND] = RealmPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\nimport type { RealmPrimitive } from \"./$realm.ts\";\n\n/\n Create a new role.\n /\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /\n Name of the role.\n /\n name?: string;\n\n /\n Describe the role.\n /\n description?: string;\n\n realm?: string \| RealmPrimitive;\n\n permissions?: Array<\n \| string\n \| {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name \|\| this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /\n Get the realm of the role.\n /\n public get realm(): string \| RealmPrimitive \| undefined {\n return this.options.realm;\n }\n\n public can(permission: string \| PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string \| PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n public async hashPassword(password: string): Promise<string> {\n const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n return `${salt}:${derivedKey.toString(\"hex\")}`;\n }\n\n public async verifyPassword(\n password: string,\n stored: string,\n ): Promise<boolean> {\n // Validate input format\n if (!stored \|\| typeof stored !== \"string\") {\n return false;\n }\n\n const parts = stored.split(\":\");\n if (parts.length !== 2) {\n return false;\n }\n\n const [salt, originalHex] = parts;\n\n // Validate salt and hash are non-empty\n if (!salt \|\| !originalHex) {\n return false;\n }\n\n // Validate hex format (must be even length and valid hex)\n if (originalHex.length % 2 !== 0 \|\| !/^[0-9a-f]+$/i.test(originalHex)) {\n return false;\n }\n\n try {\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n const originalKey = Buffer.from(originalHex, \"hex\");\n\n // Validate buffer lengths match (scrypt should produce 64 bytes)\n if (derivedKey.length !== originalKey.length) {\n return false;\n }\n\n // Important: prevent timing attacks\n return timingSafeEqual(derivedKey, originalKey);\n } catch (error) {\n // Handle any errors during verification (e.g., invalid salt encoding)\n return false;\n }\n }\n\n public randomUUID(): string {\n return randomUUID();\n }\n}\n","import { UnauthorizedError } from \"alepha/server\";\n\n/\n Error thrown when the provided credentials are invalid.\n \n Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n /\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, RealmPrimitive } from \"./$realm.ts\";\n\n/\n Allow to get an access token for a service account.\n \n You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n \n @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n \n class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n \n async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n /\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new Error(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new Error(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new Error(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token \|\| !json.expires_in) {\n throw new Error(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.realm.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n \| {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n \| {\n realm: RealmPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /\n Get Token URL.\n /\n url: string;\n\n /\n Client ID.\n /\n clientId: string;\n\n /\n Client Secret.\n /\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organizations: t.optional(\n t.array(t.text(), {\n description: \"List of organizations the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $module } from \"alepha\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $realm } from \"./primitives/$realm.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$realm.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n}\n\n/*\n Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.\n \n The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`\n * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless\n * integration with various authentication providers and user management systems.\n \n @see {@link $realm}\n * @see {@link $role}\n * @see {@link $permission}\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$realm, $role, $permission],\n services: [SecurityProvider, JwtProvider, CryptoProvider],\n});\n"],"mappings":";;;;;;;;;;AAAA,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACFvC,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;;;;ACuB3B,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;AC7IlC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,OACvB,KAAI,MAAM,QAAQ;IAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,SAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;;EAIhD,CAAC;;;;;;;CAQF,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;;;;;CAWH,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASA,OAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,SAAOC,KAAG,SAAS,OAAO,CAACA,KAAG,WAAW,CAACA,KAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;AC9uBvB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA4B;AACrC,MAAI,CAAC,KAAK,MACR,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;ACpDpB,MAAa,UAAU,YAAmD;AACxE,QAAO,gBAAgB,gBAAgB,QAAQ;;AAuFjD,IAAa,iBAAb,cAAoC,UAAiC;CACnE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASC,OAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACD,CAAC;;;;;CAMJ,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,8BAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgBC;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,cAAM,wBAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAYC,QAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0BC;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,OAAO,QAAQ;;;;;;;AC1Uf,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,QAA6C;AACtD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;;;;;;;AChDvB,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,MAAM,YAAY,QAAQ,KAAK;AAE3D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;ACrCF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;ACPF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAQ;EAAO;EAAY;CACxC,UAAU;EAAC;EAAkB;EAAa;EAAe;CAC1D,CAAC"}