alepha 0.21.2 → 0.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -1
- package/dist/api/audits/index.browser.js.map +1 -1
- package/dist/api/audits/index.d.ts +393 -403
- package/dist/api/audits/index.d.ts.map +1 -1
- package/dist/api/audits/index.js +25 -56
- package/dist/api/audits/index.js.map +1 -1
- package/dist/api/files/index.browser.js +31 -1
- package/dist/api/files/index.browser.js.map +1 -1
- package/dist/api/files/index.d.ts +313 -208
- package/dist/api/files/index.d.ts.map +1 -1
- package/dist/api/files/index.js +152 -42
- package/dist/api/files/index.js.map +1 -1
- package/dist/api/jobs/index.browser.js +2 -2
- package/dist/api/jobs/index.browser.js.map +1 -1
- package/dist/api/jobs/index.d.ts +282 -285
- package/dist/api/jobs/index.d.ts.map +1 -1
- package/dist/api/jobs/index.js +39 -33
- package/dist/api/jobs/index.js.map +1 -1
- package/dist/api/keys/index.d.ts +217 -222
- package/dist/api/keys/index.d.ts.map +1 -1
- package/dist/api/keys/index.js.map +1 -1
- package/dist/api/notifications/index.browser.js.map +1 -1
- package/dist/api/notifications/index.d.ts +188 -195
- package/dist/api/notifications/index.d.ts.map +1 -1
- package/dist/api/notifications/index.js.map +1 -1
- package/dist/api/oauth/index.d.ts +71 -76
- package/dist/api/oauth/index.d.ts.map +1 -1
- package/dist/api/oauth/index.js.map +1 -1
- package/dist/api/organizations/index.browser.js.map +1 -1
- package/dist/api/organizations/index.d.ts +104 -109
- package/dist/api/organizations/index.d.ts.map +1 -1
- package/dist/api/organizations/index.js.map +1 -1
- package/dist/api/parameters/index.browser.js +43 -16
- package/dist/api/parameters/index.browser.js.map +1 -1
- package/dist/api/parameters/index.d.ts +488 -344
- package/dist/api/parameters/index.d.ts.map +1 -1
- package/dist/api/parameters/index.js +175 -35
- package/dist/api/parameters/index.js.map +1 -1
- package/dist/api/payments/index.d.ts +396 -402
- package/dist/api/payments/index.d.ts.map +1 -1
- package/dist/api/payments/index.js.map +1 -1
- package/dist/api/subscriptions/index.d.ts +644 -652
- package/dist/api/subscriptions/index.d.ts.map +1 -1
- package/dist/api/subscriptions/index.js +1 -1
- package/dist/api/subscriptions/index.js.map +1 -1
- package/dist/api/users/index.browser.js +7 -0
- package/dist/api/users/index.browser.js.map +1 -1
- package/dist/api/users/index.d.ts +1106 -1005
- package/dist/api/users/index.d.ts.map +1 -1
- package/dist/api/users/index.js +307 -64
- package/dist/api/users/index.js.map +1 -1
- package/dist/api/verifications/index.browser.js.map +1 -1
- package/dist/api/verifications/index.d.ts +137 -143
- package/dist/api/verifications/index.d.ts.map +1 -1
- package/dist/api/verifications/index.js.map +1 -1
- package/dist/background/index.d.ts +95 -0
- package/dist/background/index.d.ts.map +1 -0
- package/dist/background/index.js +121 -0
- package/dist/background/index.js.map +1 -0
- package/dist/background/index.workerd.js +110 -0
- package/dist/background/index.workerd.js.map +1 -0
- package/dist/batch/index.d.ts +5 -7
- package/dist/batch/index.d.ts.map +1 -1
- package/dist/batch/index.js.map +1 -1
- package/dist/bin/index.js.map +1 -1
- package/dist/bucket/index.d.ts +76 -54
- package/dist/bucket/index.d.ts.map +1 -1
- package/dist/bucket/index.js +58 -11
- package/dist/bucket/index.js.map +1 -1
- package/dist/bucket/index.workerd.js +200 -5
- package/dist/bucket/index.workerd.js.map +1 -1
- package/dist/cache/core/index.d.ts +7 -10
- package/dist/cache/core/index.d.ts.map +1 -1
- package/dist/cache/core/index.js.map +1 -1
- package/dist/cache/core/index.workerd.js.map +1 -1
- package/dist/cache/database/index.d.ts +22 -26
- package/dist/cache/database/index.d.ts.map +1 -1
- package/dist/cache/database/index.js.map +1 -1
- package/dist/cache/redis/index.d.ts +4 -7
- package/dist/cache/redis/index.d.ts.map +1 -1
- package/dist/cache/redis/index.js.map +1 -1
- package/dist/captcha/index.d.ts +3 -6
- package/dist/captcha/index.d.ts.map +1 -1
- package/dist/captcha/index.js.map +1 -1
- package/dist/cli/config/index.d.ts.map +1 -1
- package/dist/cli/config/index.js.map +1 -1
- package/dist/cli/core/index.d.ts +458 -249
- package/dist/cli/core/index.d.ts.map +1 -1
- package/dist/cli/core/index.js +372 -660
- package/dist/cli/core/index.js.map +1 -1
- package/dist/cli/devtools/index.d.ts +3 -5
- package/dist/cli/devtools/index.d.ts.map +1 -1
- package/dist/cli/devtools/index.js.map +1 -1
- package/dist/cli/i18n/index.d.ts +20 -17
- package/dist/cli/i18n/index.d.ts.map +1 -1
- package/dist/cli/i18n/index.js +45 -11
- package/dist/cli/i18n/index.js.map +1 -1
- package/dist/cli/platform/index.d.ts +126 -1342
- package/dist/cli/platform/index.d.ts.map +1 -1
- package/dist/cli/platform/index.js +136 -2374
- package/dist/cli/platform/index.js.map +1 -1
- package/dist/cli/platform-lib/index.d.ts +1472 -0
- package/dist/cli/platform-lib/index.d.ts.map +1 -0
- package/dist/cli/platform-lib/index.js +2660 -0
- package/dist/cli/platform-lib/index.js.map +1 -0
- package/dist/cli/vendor/index.d.ts +17 -21
- package/dist/cli/vendor/index.d.ts.map +1 -1
- package/dist/cli/vendor/index.js.map +1 -1
- package/dist/command/index.d.ts +20 -19
- package/dist/command/index.d.ts.map +1 -1
- package/dist/command/index.js +39 -10
- package/dist/command/index.js.map +1 -1
- package/dist/{containers → container}/core/index.d.ts +13 -15
- package/dist/container/core/index.d.ts.map +1 -0
- package/dist/{containers → container}/core/index.js +23 -14
- package/dist/container/core/index.js.map +1 -0
- package/dist/{containers → container}/core/index.workerd.js +37 -22
- package/dist/container/core/index.workerd.js.map +1 -0
- package/dist/core/index.browser.js +27 -1
- package/dist/core/index.browser.js.map +1 -1
- package/dist/core/index.d.ts +48 -24
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +27 -1
- package/dist/core/index.js.map +1 -1
- package/dist/core/index.native.js +27 -1
- package/dist/core/index.native.js.map +1 -1
- package/dist/core/index.workerd.js +27 -1
- package/dist/core/index.workerd.js.map +1 -1
- package/dist/crypto/index.browser.js.map +1 -1
- package/dist/crypto/index.d.ts +5 -8
- package/dist/crypto/index.d.ts.map +1 -1
- package/dist/crypto/index.js.map +1 -1
- package/dist/datetime/index.d.ts +3 -4
- package/dist/datetime/index.d.ts.map +1 -1
- package/dist/datetime/index.js.map +1 -1
- package/dist/email/brevo/index.d.ts +2 -4
- package/dist/email/brevo/index.d.ts.map +1 -1
- package/dist/email/brevo/index.js.map +1 -1
- package/dist/email/cloudflare/index.d.ts +20 -7
- package/dist/email/cloudflare/index.d.ts.map +1 -1
- package/dist/email/cloudflare/index.js +46 -9
- package/dist/email/cloudflare/index.js.map +1 -1
- package/dist/email/core/index.d.ts +6 -9
- package/dist/email/core/index.d.ts.map +1 -1
- package/dist/email/core/index.js.map +1 -1
- package/dist/email/core/index.workerd.js.map +1 -1
- package/dist/email/smtp/index.d.ts +10 -13
- package/dist/email/smtp/index.d.ts.map +1 -1
- package/dist/email/smtp/index.js +107 -32
- package/dist/email/smtp/index.js.map +1 -1
- package/dist/fake/index.d.ts +1 -2
- package/dist/fake/index.d.ts.map +1 -1
- package/dist/fake/index.js.map +1 -1
- package/dist/lock/core/index.d.ts +9 -14
- package/dist/lock/core/index.d.ts.map +1 -1
- package/dist/lock/core/index.js.map +1 -1
- package/dist/lock/redis/index.d.ts +2 -4
- package/dist/lock/redis/index.d.ts.map +1 -1
- package/dist/lock/redis/index.js.map +1 -1
- package/dist/logger/index.d.ts +105 -76
- package/dist/logger/index.d.ts.map +1 -1
- package/dist/logger/index.js +196 -174
- package/dist/logger/index.js.map +1 -1
- package/dist/mcp/index.d.ts +25 -20
- package/dist/mcp/index.d.ts.map +1 -1
- package/dist/mcp/index.js +23 -0
- package/dist/mcp/index.js.map +1 -1
- package/dist/orm/core/index.browser.js.map +1 -1
- package/dist/orm/core/index.bun.js +19 -1
- package/dist/orm/core/index.bun.js.map +1 -1
- package/dist/orm/core/index.d.ts +76 -62
- package/dist/orm/core/index.d.ts.map +1 -1
- package/dist/orm/core/index.js +20 -2
- package/dist/orm/core/index.js.map +1 -1
- package/dist/orm/postgres/index.bun.js.map +1 -1
- package/dist/orm/postgres/index.d.ts +28 -20
- package/dist/orm/postgres/index.d.ts.map +1 -1
- package/dist/orm/postgres/index.js.map +1 -1
- package/dist/queue/core/index.d.ts +12 -15
- package/dist/queue/core/index.d.ts.map +1 -1
- package/dist/queue/core/index.js.map +1 -1
- package/dist/queue/core/index.workerd.js.map +1 -1
- package/dist/queue/redis/index.d.ts +3 -5
- package/dist/queue/redis/index.d.ts.map +1 -1
- package/dist/queue/redis/index.js.map +1 -1
- package/dist/react/auth/index.browser.js +9 -2
- package/dist/react/auth/index.browser.js.map +1 -1
- package/dist/react/auth/index.d.ts +14 -9
- package/dist/react/auth/index.d.ts.map +1 -1
- package/dist/react/auth/index.js +9 -2
- package/dist/react/auth/index.js.map +1 -1
- package/dist/react/core/index.d.ts +7 -8
- package/dist/react/core/index.d.ts.map +1 -1
- package/dist/react/core/index.js +6 -3
- package/dist/react/core/index.js.map +1 -1
- package/dist/react/form/index.d.ts +2 -5
- package/dist/react/form/index.d.ts.map +1 -1
- package/dist/react/form/index.js +16 -15
- package/dist/react/form/index.js.map +1 -1
- package/dist/react/head/index.browser.js.map +1 -1
- package/dist/react/head/index.d.ts +2 -4
- package/dist/react/head/index.d.ts.map +1 -1
- package/dist/react/head/index.js.map +1 -1
- package/dist/react/i18n/index.d.ts +90 -11
- package/dist/react/i18n/index.d.ts.map +1 -1
- package/dist/react/i18n/index.js +147 -11
- package/dist/react/i18n/index.js.map +1 -1
- package/dist/react/intro/index.d.ts +1 -2
- package/dist/react/intro/index.d.ts.map +1 -1
- package/dist/react/intro/index.js +2 -2
- package/dist/react/intro/index.js.map +1 -1
- package/dist/react/router/index.browser.js +193 -24
- package/dist/react/router/index.browser.js.map +1 -1
- package/dist/react/router/index.d.ts +434 -222
- package/dist/react/router/index.d.ts.map +1 -1
- package/dist/react/router/index.js +249 -35
- package/dist/react/router/index.js.map +1 -1
- package/dist/react/sitemap/index.browser.js +35 -0
- package/dist/react/sitemap/index.browser.js.map +1 -0
- package/dist/react/sitemap/index.d.ts +92 -0
- package/dist/react/sitemap/index.d.ts.map +1 -0
- package/dist/react/sitemap/index.js +131 -0
- package/dist/react/sitemap/index.js.map +1 -0
- package/dist/react/testing/index.d.ts +1 -2
- package/dist/react/testing/index.d.ts.map +1 -1
- package/dist/react/testing/index.js +16 -17
- package/dist/react/testing/index.js.map +1 -1
- package/dist/react/ui/index.d.ts +20 -25
- package/dist/react/ui/index.d.ts.map +1 -1
- package/dist/react/ui/index.js.map +1 -1
- package/dist/redis/index.bun.js.map +1 -1
- package/dist/redis/index.d.ts +17 -19
- package/dist/redis/index.d.ts.map +1 -1
- package/dist/redis/index.js.map +1 -1
- package/dist/retry/index.d.ts +2 -4
- package/dist/retry/index.d.ts.map +1 -1
- package/dist/retry/index.js.map +1 -1
- package/dist/router/index.d.ts.map +1 -1
- package/dist/router/index.js.map +1 -1
- package/dist/scheduler/index.d.ts +10 -13
- package/dist/scheduler/index.d.ts.map +1 -1
- package/dist/scheduler/index.js.map +1 -1
- package/dist/scheduler/index.workerd.js.map +1 -1
- package/dist/security/index.browser.js.map +1 -1
- package/dist/security/index.d.ts +45 -48
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js.map +1 -1
- package/dist/server/auth/index.browser.js.map +1 -1
- package/dist/server/auth/index.d.ts +272 -173
- package/dist/server/auth/index.d.ts.map +1 -1
- package/dist/server/auth/index.js +1608 -15
- package/dist/server/auth/index.js.map +1 -1
- package/dist/server/cookies/index.browser.js.map +1 -1
- package/dist/server/cookies/index.d.ts +20 -7
- package/dist/server/cookies/index.d.ts.map +1 -1
- package/dist/server/cookies/index.js +22 -3
- package/dist/server/cookies/index.js.map +1 -1
- package/dist/server/core/index.browser.js.map +1 -1
- package/dist/server/core/index.d.ts +106 -73
- package/dist/server/core/index.d.ts.map +1 -1
- package/dist/server/core/index.js +44 -0
- package/dist/server/core/index.js.map +1 -1
- package/dist/server/cors/index.d.ts +11 -14
- package/dist/server/cors/index.d.ts.map +1 -1
- package/dist/server/cors/index.js.map +1 -1
- package/dist/server/etag/index.d.ts +6 -9
- package/dist/server/etag/index.d.ts.map +1 -1
- package/dist/server/etag/index.js.map +1 -1
- package/dist/server/health/index.d.ts +18 -21
- package/dist/server/health/index.d.ts.map +1 -1
- package/dist/server/health/index.js.map +1 -1
- package/dist/server/links/index.browser.js +2 -0
- package/dist/server/links/index.browser.js.map +1 -1
- package/dist/server/links/index.d.ts +63 -67
- package/dist/server/links/index.d.ts.map +1 -1
- package/dist/server/links/index.js +2 -0
- package/dist/server/links/index.js.map +1 -1
- package/dist/server/metrics/index.d.ts +5 -7
- package/dist/server/metrics/index.d.ts.map +1 -1
- package/dist/server/metrics/index.js.map +1 -1
- package/dist/server/proxy/index.d.ts +3 -5
- package/dist/server/proxy/index.d.ts.map +1 -1
- package/dist/server/proxy/index.js.map +1 -1
- package/dist/server/rate-limit/index.d.ts +10 -13
- package/dist/server/rate-limit/index.d.ts.map +1 -1
- package/dist/server/rate-limit/index.js.map +1 -1
- package/dist/server/static/index.d.ts +3 -5
- package/dist/server/static/index.d.ts.map +1 -1
- package/dist/server/static/index.js.map +1 -1
- package/dist/server/swagger/index.d.ts +5 -8
- package/dist/server/swagger/index.d.ts.map +1 -1
- package/dist/server/swagger/index.js.map +1 -1
- package/dist/sms/index.d.ts +3 -5
- package/dist/sms/index.d.ts.map +1 -1
- package/dist/sms/index.js.map +1 -1
- package/dist/system/index.browser.js.map +1 -1
- package/dist/system/index.d.ts +2 -4
- package/dist/system/index.d.ts.map +1 -1
- package/dist/system/index.js.map +1 -1
- package/dist/system/index.workerd.js.map +1 -1
- package/dist/topic/core/index.d.ts +4 -6
- package/dist/topic/core/index.d.ts.map +1 -1
- package/dist/topic/core/index.js.map +1 -1
- package/dist/topic/redis/index.d.ts +5 -8
- package/dist/topic/redis/index.d.ts.map +1 -1
- package/dist/topic/redis/index.js.map +1 -1
- package/package.json +59 -23
- package/src/api/audits/__tests__/AuditService.spec.ts +18 -110
- package/src/api/audits/controllers/AdminAuditController.ts +14 -0
- package/src/api/audits/services/AuditService.ts +21 -88
- package/src/api/files/__tests__/FileService.spec.ts +207 -2
- package/src/api/files/index.ts +3 -0
- package/src/api/files/schemas/fileCreatorSummarySchema.ts +22 -0
- package/src/api/files/schemas/fileResourceSchema.ts +10 -1
- package/src/api/files/services/FileService.ts +170 -72
- package/src/api/jobs/__tests__/$job.spec.ts +24 -1
- package/src/api/jobs/index.ts +4 -3
- package/src/api/jobs/primitives/$job.ts +7 -3
- package/src/api/jobs/providers/DirectJobDispatcher.ts +17 -36
- package/src/api/jobs/providers/JobProvider.ts +53 -24
- package/src/api/jobs/schemas/jobConfigAtom.ts +1 -1
- package/src/api/jobs/schemas/jobExecutionResourceSchema.ts +4 -1
- package/src/api/keys/schemas/adminApiKeyResourceSchema.ts +3 -1
- package/src/api/parameters/__tests__/$parameter.spec.ts +19 -2
- package/src/api/parameters/audits/ParameterAudits.ts +17 -0
- package/src/api/parameters/controllers/AdminParameterController.ts +95 -19
- package/src/api/parameters/index.ts +3 -0
- package/src/api/parameters/schemas/activateParameterBodySchema.ts +3 -3
- package/src/api/parameters/schemas/createParameterVersionBodySchema.ts +3 -2
- package/src/api/parameters/schemas/parameterCreatorSummarySchema.ts +25 -0
- package/src/api/parameters/schemas/parameterResponseSchema.ts +5 -0
- package/src/api/parameters/schemas/rollbackParameterBodySchema.ts +4 -2
- package/src/api/parameters/services/ParameterProvider.ts +69 -6
- package/src/api/subscriptions/jobs/SubscriptionJobs.ts +1 -1
- package/src/api/users/__tests__/AdminSessionController.spec.ts +37 -0
- package/src/api/users/audits/SessionAudits.ts +33 -0
- package/src/api/users/audits/UserAudits.ts +19 -43
- package/src/api/users/controllers/AdminUserController.ts +66 -1
- package/src/api/users/controllers/RealmController.ts +1 -0
- package/src/api/users/entities/sessions.ts +6 -0
- package/src/api/users/entities/users.ts +2 -0
- package/src/api/users/index.ts +9 -1
- package/src/api/users/primitives/$realm.ts +29 -0
- package/src/api/users/providers/RealmProvider.ts +15 -0
- package/src/api/users/schemas/realmConfigSchema.ts +14 -0
- package/src/api/users/schemas/sessionResourceSchema.ts +16 -0
- package/src/api/users/schemas/updateUserSchema.ts +1 -8
- package/src/api/users/schemas/userQuerySchema.ts +7 -0
- package/src/api/users/services/CredentialService.ts +15 -6
- package/src/api/users/services/IdentityService.ts +2 -1
- package/src/api/users/services/RegistrationService.ts +2 -1
- package/src/api/users/services/SessionCrudService.ts +19 -2
- package/src/api/users/services/SessionService.ts +39 -19
- package/src/api/users/services/UserService.ts +106 -8
- package/src/background/__tests__/BackgroundTaskProvider.spec.ts +96 -0
- package/src/background/index.ts +37 -0
- package/src/background/index.workerd.ts +28 -0
- package/src/background/providers/BackgroundTaskProvider.ts +70 -0
- package/src/background/providers/WorkerdBackgroundTaskProvider.ts +43 -0
- package/src/bucket/__tests__/$bucket.spec.ts +18 -0
- package/src/bucket/__tests__/LocalFileStorageProvider.spec.ts +5 -0
- package/src/bucket/__tests__/MemoryFileStorageProvider.spec.ts +5 -0
- package/src/bucket/__tests__/NodeS3BucketProvider.spec.ts +23 -4
- package/src/bucket/__tests__/shared.ts +30 -0
- package/src/bucket/index.ts +5 -5
- package/src/bucket/index.workerd.ts +11 -4
- package/src/bucket/primitives/$bucket.ts +27 -0
- package/src/bucket/providers/FileStorageProvider.ts +13 -0
- package/src/bucket/providers/LocalFileStorageProvider.ts +17 -1
- package/src/bucket/providers/MemoryFileStorageProvider.ts +7 -0
- package/src/bucket/providers/{CloudflareR2Provider.ts → R2FileStorageProvider.ts} +10 -1
- package/src/bucket/providers/{NodeS3BucketProvider.ts → S3FileStorageProvider.ts} +27 -5
- package/src/cli/core/__tests__/BuildDockerTask.spec.ts +25 -1
- package/src/cli/core/__tests__/init.spec.ts +0 -219
- package/src/cli/core/atoms/buildOptions.ts +0 -12
- package/src/cli/core/commands/__tests__/BuildCommand.spec.ts +43 -0
- package/src/cli/core/commands/build.ts +105 -37
- package/src/cli/core/commands/init.ts +0 -12
- package/src/cli/core/commands/pack.ts +133 -0
- package/src/cli/core/index.ts +3 -3
- package/src/cli/core/providers/ViteDevServerProvider.ts +40 -16
- package/src/cli/core/services/PackageManagerUtils.ts +0 -16
- package/src/cli/core/services/ProjectScaffolder.ts +29 -291
- package/src/cli/core/tasks/BuildCloudflareTask.ts +382 -56
- package/src/cli/core/tasks/BuildDockerTask.ts +33 -3
- package/src/cli/core/tasks/BuildPrerenderTask.ts +44 -7
- package/src/cli/core/tasks/BuildTask.ts +34 -0
- package/src/cli/core/templates/apiIndexTs.ts +1 -22
- package/src/cli/core/templates/mainCss.ts +0 -1
- package/src/cli/core/templates/webAppRouterTs.ts +0 -99
- package/src/cli/core/templates/webIndexTs.ts +1 -22
- package/src/cli/i18n/__tests__/I18nCheckService.spec.ts +48 -0
- package/src/cli/i18n/services/I18nCheckService.ts +65 -11
- package/src/cli/platform/__tests__/SecretsCommand.spec.ts +5 -3
- package/src/cli/platform/commands/SecretsCommand.ts +8 -6
- package/src/cli/platform/commands/platform.ts +192 -46
- package/src/cli/platform/index.ts +12 -52
- package/src/cli/{platform → platform-lib}/__tests__/CloudflareAdapter.spec.ts +426 -169
- package/src/cli/{platform → platform-lib}/__tests__/NamingService.spec.ts +91 -4
- package/src/cli/{platform → platform-lib}/__tests__/VercelAdapter.spec.ts +56 -85
- package/src/cli/{platform → platform-lib}/adapters/CloudflareAdapter.ts +519 -190
- package/src/cli/{platform → platform-lib}/adapters/PlatformAdapter.ts +62 -35
- package/src/cli/{platform → platform-lib}/adapters/VercelAdapter.ts +6 -10
- package/src/cli/{platform → platform-lib}/atoms/platformOptions.ts +34 -1
- package/src/cli/platform-lib/index.ts +67 -0
- package/src/cli/platform-lib/services/NamingService.ts +136 -0
- package/src/cli/{platform → platform-lib}/services/PlatformInspector.ts +60 -13
- package/src/cli/{platform → platform-lib}/services/PlatformOrchestrator.ts +54 -43
- package/src/cli/{platform → platform-lib}/services/WranglerApi.ts +4 -2
- package/src/command/__tests__/Runner.spec.ts +20 -0
- package/src/command/helpers/EnvUtils.ts +19 -3
- package/src/command/helpers/Runner.ts +12 -2
- package/src/command/providers/CliProvider.ts +34 -1
- package/src/{containers → container}/core/__tests__/$container.spec.ts +5 -5
- package/src/{containers → container}/core/index.ts +4 -4
- package/src/{containers → container}/core/index.workerd.ts +19 -3
- package/src/{containers → container}/core/primitives/$container.ts +1 -1
- package/src/{containers → container}/core/providers/CloudflareContainerProvider.ts +17 -19
- package/src/{containers → container}/core/providers/ContainerProvider.ts +16 -2
- package/src/{containers → container}/core/providers/MockContainerProvider.ts +1 -1
- package/src/core/Alepha.ts +49 -1
- package/src/core/__tests__/$env.spec.ts +42 -0
- package/src/core/__tests__/dump.spec.ts +47 -0
- package/src/email/cloudflare/__tests__/CloudflareEmailProvider.spec.ts +42 -10
- package/src/email/cloudflare/index.ts +14 -5
- package/src/email/cloudflare/providers/CloudflareEmailProvider.ts +54 -9
- package/src/logger/__tests__/Logger.spec.ts +55 -0
- package/src/logger/index.ts +13 -0
- package/src/logger/services/Logger.ts +31 -1
- package/src/mcp/__tests__/McpServerProvider.spec.ts +71 -0
- package/src/mcp/providers/McpServerProvider.ts +55 -0
- package/src/orm/__tests__/orm-showcase-tests.ts +27 -0
- package/src/orm/__tests__/orm-showcase.spec.ts +12 -0
- package/src/orm/core/interfaces/PgQuery.ts +4 -1
- package/src/orm/core/services/Repository.ts +27 -11
- package/src/react/auth/hooks/useAuth.ts +10 -5
- package/src/react/core/__tests__/useQuery.browser.spec.tsx +25 -0
- package/src/react/core/hooks/useAction.ts +14 -3
- package/src/react/core/hooks/useQuery.ts +24 -4
- package/src/react/form/__tests__/FormModel-submit-loading.spec.ts +71 -0
- package/src/react/form/__tests__/form-submitting-reactive.browser.spec.tsx +96 -0
- package/src/react/form/services/FormModel.ts +57 -39
- package/src/react/i18n/__tests__/I18nProvider.spec.ts +89 -0
- package/src/react/i18n/__tests__/locale-routing.spec.ts +107 -0
- package/src/react/i18n/components/Translate.tsx +47 -0
- package/src/react/i18n/index.ts +2 -0
- package/src/react/i18n/providers/I18nProvider.ts +171 -12
- package/src/react/intro/components/GettingStartedAdminSlide.tsx +2 -2
- package/src/react/router/__tests__/$page.spec.tsx +3 -2
- package/src/react/router/__tests__/RouterLocaleProvider.spec.ts +127 -0
- package/src/react/router/__tests__/page-can.spec.ts +18 -13
- package/src/react/router/hooks/useQueryParams.ts +114 -14
- package/src/react/router/index.browser.ts +4 -0
- package/src/react/router/index.shared.ts +1 -0
- package/src/react/router/index.ts +9 -0
- package/src/react/router/primitives/$page.ts +85 -4
- package/src/react/router/providers/ReactBrowserRouterProvider.ts +18 -8
- package/src/react/router/providers/ReactPageProvider.ts +12 -1
- package/src/react/router/providers/ReactServerProvider.ts +96 -14
- package/src/react/router/providers/RootComponentsProvider.ts +13 -0
- package/src/react/router/providers/RouterLocaleProvider.ts +125 -0
- package/src/react/router/providers/__tests__/RootComponentsProvider.spec.ts +15 -0
- package/src/react/router/providers/__tests__/rootComponents.ssr.browser.spec.tsx +67 -0
- package/src/react/sitemap/__tests__/$sitemap.spec.ts +131 -0
- package/src/react/sitemap/index.browser.ts +21 -0
- package/src/react/sitemap/index.ts +25 -0
- package/src/react/sitemap/primitives/$sitemap.browser.ts +26 -0
- package/src/react/sitemap/primitives/$sitemap.ts +196 -0
- package/src/react/ui/services/SchemaControl.ts +3 -4
- package/src/server/auth/__tests__/appleClientSecret.spec.ts +34 -0
- package/src/server/auth/__tests__/authFederationClient.spec.ts +40 -0
- package/src/server/auth/__tests__/federationAssertion.spec.ts +146 -0
- package/src/server/auth/__tests__/federationRedirectReplay.spec.ts +44 -0
- package/src/server/auth/helpers/appleClientSecret.ts +24 -0
- package/src/server/auth/helpers/federationAssertion.ts +74 -0
- package/src/server/auth/helpers/jtiReplayGuard.ts +41 -0
- package/src/server/auth/helpers/safeRedirectPath.ts +19 -0
- package/src/server/auth/index.ts +4 -0
- package/src/server/auth/primitives/$authFederationBroker.ts +273 -0
- package/src/server/auth/primitives/$authFederationClient.ts +89 -0
- package/src/server/auth/providers/ServerAuthProvider.ts +18 -4
- package/src/server/cookies/__tests__/ServerCookiesProvider.spec.ts +70 -0
- package/src/server/cookies/providers/ServerCookiesProvider.ts +23 -3
- package/src/server/core/interfaces/ServerRequest.ts +8 -0
- package/src/server/core/primitives/$route.ts +27 -0
- package/src/server/core/providers/ServerMultipartProvider.ts +19 -0
- package/src/server/links/providers/LinkProvider.ts +10 -0
- package/dist/containers/core/index.d.ts.map +0 -1
- package/dist/containers/core/index.js.map +0 -1
- package/dist/containers/core/index.workerd.js.map +0 -1
- package/src/cli/core/tasks/BuildSitemapTask.ts +0 -130
- package/src/cli/core/templates/componentsJsonTs.ts +0 -39
- package/src/cli/core/templates/saasAdminLayoutTsx.ts +0 -77
- package/src/cli/core/templates/saasAdminPagesTsx.ts +0 -26
- package/src/cli/core/templates/saasAuthLayoutTsx.ts +0 -22
- package/src/cli/core/templates/saasAuthPagesTsx.ts +0 -62
- package/src/cli/core/templates/saasRealmProviderTs.ts +0 -52
- package/src/cli/platform/services/NamingService.ts +0 -54
- /package/dist/orm/core/{chunk-o8xxKEmq.js → chunk-B4FMCO8f.js} +0 -0
- /package/dist/react/testing/{chunk-6Ep1yQYe.js → chunk-BpyX8vjI.js} +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/GitHubSecretStore.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/PlatformCacheProvider.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/PlatformInspector.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/PlatformOrchestrator.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/SecretFilterService.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/__tests__/detectResources.spec.ts +0 -0
- /package/src/cli/{platform → platform-lib}/providers/GitHubSecretStore.ts +0 -0
- /package/src/cli/{platform → platform-lib}/providers/MemorySecretStore.ts +0 -0
- /package/src/cli/{platform → platform-lib}/providers/PlatformCacheProvider.ts +0 -0
- /package/src/cli/{platform → platform-lib}/providers/SecretStoreProvider.ts +0 -0
- /package/src/cli/{platform → platform-lib}/schemas/cloudflare.ts +0 -0
- /package/src/cli/{platform → platform-lib}/schemas/platform.ts +0 -0
- /package/src/cli/{platform → platform-lib}/schemas/vercel.ts +0 -0
- /package/src/cli/{platform → platform-lib}/services/CloudflareApi.ts +0 -0
- /package/src/cli/{platform → platform-lib}/services/SecretFilterService.ts +0 -0
- /package/src/cli/{platform → platform-lib}/services/VercelApi.ts +0 -0
- /package/src/cli/{platform → platform-lib}/services/VercelCli.ts +0 -0
- /package/src/{containers → container}/core/interfaces/ContainerOptions.ts +0 -0
- /package/src/{containers → container}/core/providers/NodeContainerProvider.ts +0 -0
@@ -1 +1 @@
1
-
{"version":3,"file":"index.js","names":["USER_AGENT","ERR_INVALID_ARG_VALUE","ERR_INVALID_ARG_TYPE","CodedTypeError","allowInsecureRequests","customFetch","decoder","signal","performDiscovery","assertString","calculatePKCECodeChallenge","ClientSecretPost","None","oauth.ClientSecretPost","oauth.None","oauth.customFetch","oauth.calculatePKCECodeChallenge","oauth.generateRandomCodeVerifier","oauth.generateRandomState","oauth.ResponseBodyError","oauth.AuthorizationResponseError","oauth.WWWAuthenticateChallengeError","oauth.OperationProcessingError","oauth.HTTP_REQUEST_FORBIDDEN","oauth.REQUEST_PROTOCOL_FORBIDDEN","oauth.RESPONSE_IS_NOT_CONFORM","oauth.RESPONSE_IS_NOT_JSON","oauth.PARSE_ERROR","oauth.INVALID_RESPONSE","oauth.JWT_CLAIM_COMPARISON","oauth.JSON_ATTRIBUTE_COMPARISON","oauth.JWT_TIMESTAMP_CHECK","oauth.UnsupportedOperationError","oauth.UNSUPPORTED_OPERATION","oauth.discoveryRequest","oauth.allowInsecureRequests","oauth.processDiscoveryResponse","oauth._nodiscoverycheck","oauth.clockSkew","oauth.clockTolerance","oauth._expectedIssuer","oauth.getValidatedIdTokenClaims","oauth.formPostResponse","oauth.validateAuthResponse","oauth\n .authorizationCodeGrantRequest","oauth.nopkce","oauth.processAuthorizationCodeResponse","oauth.jweDecrypt","oauth\n 
.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","oauth.resolveEndpoint","oauth.isDPoPNonceError"],"sources":["../../../../../node_modules/oauth4webapi/build/index.js","../../../../../node_modules/openid-client/build/index.js","../../../src/server/auth/primitives/$auth.ts","../../../src/server/auth/constants/routes.ts","../../../src/server/auth/schemas/tokensSchema.ts","../../../src/server/auth/schemas/tokenResponseSchema.ts","../../../src/server/auth/schemas/userinfoResponseSchema.ts","../../../src/server/auth/providers/ServerAuthProvider.ts","../../../src/server/auth/schemas/authenticationProviderSchema.ts","../../../src/server/auth/primitives/$authApple.ts","../../../src/server/auth/primitives/$authCredentials.ts","../../../src/server/auth/primitives/$authFacebook.ts","../../../src/server/auth/primitives/$authFranceConnect.ts","../../../src/server/auth/primitives/$authGithub.ts","../../../src/server/auth/primitives/$authGoogle.ts","../../../src/server/auth/primitives/$authMicrosoft.ts","../../../src/server/auth/index.ts"],"sourcesContent":["let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v3.8.5';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nconst ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';\nconst ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';\nfunction CodedTypeError(message, code, cause) {\n const err = new TypeError(message, { cause });\n Object.assign(err, { code });\n return err;\n}\nexport const allowInsecureRequests = Symbol();\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const 
modifyAssertion = Symbol();\nexport const jweDecrypt = Symbol();\nexport const jwksCache = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nlet encodeBase64Url;\nif (Uint8Array.prototype.toBase64) {\n encodeBase64Url = (input) => {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n return input.toBase64({ alphabet: 'base64url', omitPadding: true });\n };\n}\nelse {\n const CHUNK_SIZE = 0x8000;\n encodeBase64Url = (input) => {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n };\n}\nlet decodeBase64Url;\nif (Uint8Array.fromBase64) {\n decodeBase64Url = (input) => {\n try {\n return Uint8Array.fromBase64(input, { alphabet: 'base64url' });\n }\n catch (cause) {\n throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);\n }\n };\n}\nelse {\n decodeBase64Url = (input) => {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);\n }\n };\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nexport class UnsupportedOperationError extends Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = 
UNSUPPORTED_OPERATION;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n if (options?.code) {\n this.code = options?.code;\n }\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nfunction OPE(message, code, cause) {\n return new OperationProcessingError(message, { code, cause });\n}\nasync function calculateJwkThumbprint(jwk) {\n let components;\n switch (jwk.kty) {\n case 'EC':\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x,\n y: jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x,\n };\n break;\n case 'AKP':\n components = {\n alg: jwk.alg,\n kty: jwk.kty,\n pub: jwk.pub,\n };\n break;\n case 'RSA':\n components = {\n e: jwk.e,\n kty: jwk.kty,\n n: jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError('unsupported JWK key type', { cause: jwk });\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components))));\n}\nfunction assertCryptoKey(key, it) {\n if (!(key instanceof CryptoKey)) {\n throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);\n }\n}\nfunction assertPrivateKey(key, it) {\n assertCryptoKey(key, it);\n if (key.type !== 'private') {\n throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);\n }\n}\nfunction assertPublicKey(key, it) {\n assertCryptoKey(key, it);\n if (key.type !== 'public') {\n throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);\n }\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = 
Object.fromEntries(input.entries());\n }\n const headers = new Headers(input ?? {});\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw CodedTypeError('\"options.headers\" must not include the \"authorization\" header name', ERR_INVALID_ARG_VALUE);\n }\n return headers;\n}\nfunction signal(url, value) {\n if (value !== undefined) {\n if (typeof value === 'function') {\n value = value(url.href);\n }\n if (!(value instanceof AbortSignal)) {\n throw CodedTypeError('\"options.signal\" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);\n }\n return value;\n }\n return undefined;\n}\nfunction replaceDoubleSlash(pathname) {\n if (pathname.includes('//')) {\n return pathname.replace('//', '/');\n }\n return pathname;\n}\nfunction prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {\n if (url.pathname === '/') {\n url.pathname = wellKnown;\n }\n else {\n url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? 
url.pathname : url.pathname.replace(/(\\/)$/, '')}`);\n }\n return url;\n}\nfunction appendWellKnown(url, wellKnown) {\n url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);\n return url;\n}\nasync function performDiscovery(input, urlName, transform, options) {\n if (!(input instanceof URL)) {\n throw CodedTypeError(`\"${urlName}\" must be an instance of URL`, ERR_INVALID_ARG_TYPE);\n }\n checkProtocol(input, options?.[allowInsecureRequests] !== true);\n const url = transform(new URL(input.href));\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n body: undefined,\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n return performDiscovery(issuerIdentifier, 'issuerIdentifier', (url) => {\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n appendWellKnown(url, '.well-known/openid-configuration');\n break;\n case 'oauth2':\n prependWellKnown(url, '.well-known/oauth-authorization-server');\n break;\n default:\n throw CodedTypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"', ERR_INVALID_ARG_VALUE);\n }\n return url;\n }, options);\n}\nfunction assertNumber(input, allow0, it, code, cause) {\n try {\n if (typeof input !== 'number' || !Number.isFinite(input)) {\n throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);\n }\n if (input > 0)\n return;\n if (allow0) {\n if (input !== 0) {\n throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);\n }\n return;\n }\n throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);\n }\n catch (err) {\n if (code) {\n throw OPE(err.message, code, cause);\n }\n throw err;\n }\n}\nfunction assertString(input, it, code, cause) {\n try {\n if (typeof 
input !== 'string') {\n throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);\n }\n if (input.length === 0) {\n throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);\n }\n }\n catch (err) {\n if (code) {\n throw OPE(err.message, code, cause);\n }\n throw err;\n }\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n const expected = expectedIssuerIdentifier;\n if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {\n throw CodedTypeError('\"expectedIssuerIdentifier\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.issuer, '\"response\" body \"issuer\" property', INVALID_RESPONSE, { body: json });\n if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) {\n throw OPE('\"response\" body \"issuer\" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'issuer' });\n }\n return json;\n}\nfunction assertApplicationJson(response) {\n assertContentType(response, 'application/json');\n}\nfunction notJson(response, ...types) {\n let msg = '\"response\" content-type must be ';\n if (types.length > 2) {\n const last = types.pop();\n msg += `${types.join(', ')}, or ${last}`;\n }\n else if (types.length === 2) {\n msg += `${types[0]} or ${types[1]}`;\n }\n else {\n msg += types[0];\n }\n return OPE(msg, RESPONSE_IS_NOT_JSON, response);\n}\nfunction assertContentTypes(response, ...types) {\n if (!types.includes(getContentType(response))) {\n throw 
notJson(response, ...types);\n }\n}\nfunction assertContentType(response, contentType) {\n if (getContentType(response) !== contentType) {\n throw notJson(response, contentType);\n }\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n assertString(codeVerifier, 'codeVerifier');\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined) {\n assertString(input.kid, '\"kid\"');\n }\n return {\n key: input.key,\n kid: input.kid,\n };\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {\n cause: key,\n });\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {\n cause: key,\n });\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve', { cause: key });\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return 
esAlg(key);\n case 'Ed25519':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return key.algorithm.name;\n case 'EdDSA':\n return 'Ed25519';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw CodedTypeError('\"as\" must be an object', ERR_INVALID_ARG_TYPE);\n }\n assertString(as.issuer, '\"as.issuer\"');\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw CodedTypeError('\"client\" must be an object', ERR_INVALID_ARG_TYPE);\n }\n assertString(client.client_id, '\"client.client_id\"');\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {\n switch (substring) {\n case '-':\n case '_':\n case '.':\n case '!':\n case '~':\n case '*':\n case \"'\":\n case '(':\n case ')':\n return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`;\n case '%20':\n return '+';\n default:\n throw new Error();\n }\n });\n}\nexport function ClientSecretPost(clientSecret) {\n assertString(clientSecret, '\"clientSecret\"');\n return (_as, client, body, _headers) => {\n body.set('client_id', client.client_id);\n body.set('client_secret', clientSecret);\n };\n}\nexport function ClientSecretBasic(clientSecret) {\n assertString(clientSecret, '\"clientSecret\"');\n return (_as, client, _body, headers) => {\n const username = formUrlEncode(client.client_id);\n const password = formUrlEncode(clientSecret);\n const 
credentials = btoa(`${username}:${password}`);\n headers.set('authorization', `Basic ${credentials}`);\n };\n}\nfunction clientAssertionPayload(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nexport function PrivateKeyJwt(clientPrivateKey, options) {\n const { key, kid } = getKeyAndKid(clientPrivateKey);\n assertPrivateKey(key, '\"clientPrivateKey.key\"');\n return async (as, client, body, _headers) => {\n const header = { alg: keyToJws(key), kid };\n const payload = clientAssertionPayload(as, client);\n options?.[modifyAssertion]?.(header, payload);\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await signJwt(header, payload, key));\n };\n}\nexport function ClientSecretJwt(clientSecret, options) {\n assertString(clientSecret, '\"clientSecret\"');\n const modify = options?.[modifyAssertion];\n let key;\n return async (as, client, body, _headers) => {\n key ||= await crypto.subtle.importKey('raw', buf(clientSecret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']);\n const header = { alg: 'HS256' };\n const payload = clientAssertionPayload(as, client);\n modify?.(header, payload);\n const data = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;\n const hmac = await crypto.subtle.sign(key.algorithm, key, buf(data));\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', `${data}.${b64u(new Uint8Array(hmac))}`);\n };\n}\nexport function None() {\n return (_as, client, body, _headers) => {\n body.set('client_id', client.client_id);\n };\n}\nexport function TlsClientAuth() {\n return None();\n}\nasync function signJwt(header, payload, key) {\n 
if (!key.usages.includes('sign')) {\n throw CodedTypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"', ERR_INVALID_ARG_VALUE);\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return `${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey, options) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid } = getKeyAndKid(privateKey);\n assertPrivateKey(key, '\"privateKey.key\"');\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n assertNumber(claims.max_age, true, '\"max_age\" parameter');\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw OPE('failed to parse the \"claims\" parameter as JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(claims.claims)) {\n throw CodedTypeError('\"claims\" parameter must be a JSON with a top level object', ERR_INVALID_ARG_VALUE);\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw OPE('failed to parse the \"authorization_details\" parameter as JSON', PARSE_ERROR, cause);\n }\n if (!Array.isArray(claims.authorization_details)) {\n 
throw CodedTypeError('\"authorization_details\" parameter must be a JSON with a top level array', ERR_INVALID_ARG_VALUE);\n }\n }\n }\n const header = {\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n };\n options?.[modifyAssertion]?.(header, claims);\n return signJwt(header, claims, key);\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key, alg) {\n const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv, pub };\n if (kty === 'AKP')\n jwk.alg = alg;\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key, alg) {\n jwkCache ||= new WeakMap();\n return jwkCache.get(key) || getSetPublicJwkCache(key, alg);\n}\nconst URLParse = URL.parse\n ?\n (url, base) => URL.parse(url, base)\n : (url, base) => {\n try {\n return new URL(url, base);\n }\n catch {\n return null;\n }\n };\nexport function checkProtocol(url, enforceHttps) {\n if (enforceHttps && url.protocol !== 'https:') {\n throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url);\n }\n if (url.protocol !== 'https:' && url.protocol !== 'http:') {\n throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url);\n }\n}\nfunction validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {\n let url;\n if (typeof value !== 'string' || !(url = URLParse(value))) {\n throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `\"as.mtls_endpoint_aliases.${endpoint}\"` : `\"as.${endpoint}\"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? 
`mtls_endpoint_aliases.${endpoint}` : endpoint });\n }\n checkProtocol(url, enforceHttps);\n return url;\n}\nexport function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {\n if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);\n }\n return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);\n}\nexport async function pushedAuthorizationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, 'POST');\n }\n const response = await authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nclass DPoPHandler {\n #header;\n #privateKey;\n #publicKey;\n #clockSkew;\n #modifyAssertion;\n #map;\n #jkt;\n constructor(client, keyPair, options) {\n assertPrivateKey(keyPair?.privateKey, '\"DPoP.privateKey\"');\n assertPublicKey(keyPair?.publicKey, '\"DPoP.publicKey\"');\n if (!keyPair.publicKey.extractable) {\n throw CodedTypeError('\"DPoP.publicKey.extractable\" must be true', ERR_INVALID_ARG_VALUE);\n }\n this.#modifyAssertion = options?.[modifyAssertion];\n this.#clockSkew = getClockSkew(client);\n this.#privateKey = keyPair.privateKey;\n this.#publicKey = keyPair.publicKey;\n branded.add(this);\n }\n #get(key) {\n this.#map ||= new Map();\n let item = this.#map.get(key);\n if (item) {\n this.#map.delete(key);\n this.#map.set(key, 
item);\n }\n return item;\n }\n #set(key, val) {\n this.#map ||= new Map();\n this.#map.delete(key);\n if (this.#map.size === 100) {\n this.#map.delete(this.#map.keys().next().value);\n }\n this.#map.set(key, val);\n }\n async calculateThumbprint() {\n if (!this.#jkt) {\n const jwk = await crypto.subtle.exportKey('jwk', this.#publicKey);\n this.#jkt ||= await calculateJwkThumbprint(jwk);\n }\n return this.#jkt;\n }\n async addProof(url, headers, htm, accessToken) {\n const alg = keyToJws(this.#privateKey);\n this.#header ||= {\n alg,\n typ: 'dpop+jwt',\n jwk: await publicJwk(this.#publicKey, alg),\n };\n const nonce = this.#get(url.origin);\n const now = epochTime() + this.#clockSkew;\n const payload = {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken\n ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken)))\n : undefined,\n };\n this.#modifyAssertion?.(this.#header, payload);\n headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey));\n }\n cacheNonce(response, url) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n this.#set(url.origin, nonce);\n }\n }\n catch { }\n }\n}\nexport function isDPoPNonceError(err) {\n if (err instanceof WWWAuthenticateChallengeError) {\n const { 0: challenge, length } = err.cause;\n return (length === 1 && challenge.scheme === 'dpop' && challenge.parameters.error === 'use_dpop_nonce');\n }\n if (err instanceof ResponseBodyError) {\n return err.error === 'use_dpop_nonce';\n }\n return false;\n}\nexport function DPoP(client, keyPair, options) {\n return new DPoPHandler(client, keyPair, options);\n}\nexport class ResponseBodyError extends Error {\n cause;\n code;\n error;\n status;\n error_description;\n response;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = RESPONSE_BODY_ERROR;\n this.cause = options.cause;\n this.error = options.cause.error;\n this.status = 
options.response.status;\n this.error_description = options.cause.error_description;\n Object.defineProperty(this, 'response', { enumerable: false, value: options.response });\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class AuthorizationResponseError extends Error {\n cause;\n code;\n error;\n error_description;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = AUTHORIZATION_RESPONSE_ERROR;\n this.cause = options.cause;\n this.error = options.cause.get('error');\n this.error_description = options.cause.get('error_description') ?? undefined;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class WWWAuthenticateChallengeError extends Error {\n cause;\n code;\n response;\n status;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = WWW_AUTHENTICATE_CHALLENGE;\n this.cause = options.cause;\n this.status = options.response.status;\n this.response = options.response;\n Object.defineProperty(this, 'response', { enumerable: false });\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst tokenMatch = \"[a-zA-Z0-9!#$%&\\\\'\\\\*\\\\+\\\\-\\\\.\\\\^_`\\\\|~]+\";\nconst token68Match = '[a-zA-Z0-9\\\\-\\\\._\\\\~\\\\+\\\\/]+={0,2}';\nconst quotedMatch = '\"((?:[^\"\\\\\\\\]|\\\\\\\\[\\\\s\\\\S])*)\"';\nconst quotedParamMatcher = '(' + tokenMatch + ')\\\\s*=\\\\s*' + quotedMatch;\nconst paramMatcher = '(' + tokenMatch + ')\\\\s*=\\\\s*(' + tokenMatch + ')';\nconst schemeRE = new RegExp('^[,\\\\s]*(' + tokenMatch + ')');\nconst quotedParamRE = new RegExp('^[,\\\\s]*' + quotedParamMatcher + '[,\\\\s]*(.*)');\nconst unquotedParamRE = new RegExp('^[,\\\\s]*' + paramMatcher + '[,\\\\s]*(.*)');\nconst token68ParamRE = new RegExp('^(' + token68Match + ')(?:$|[,\\\\s])(.*)');\nfunction parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" 
must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const challenges = [];\n let rest = header;\n while (rest) {\n let match = rest.match(schemeRE);\n const scheme = match?.['1'].toLowerCase();\n if (!scheme) {\n return undefined;\n }\n const afterScheme = rest.substring(match[0].length);\n if (afterScheme && !afterScheme.match(/^[\\s,]/)) {\n return undefined;\n }\n const spaceMatch = afterScheme.match(/^\\s+(.*)$/);\n const hasParameters = !!spaceMatch;\n rest = spaceMatch ? spaceMatch[1] : undefined;\n const parameters = {};\n let token68;\n if (hasParameters) {\n while (rest) {\n let key;\n let value;\n if ((match = rest.match(quotedParamRE))) {\n ;\n [, key, value, rest] = match;\n if (value.includes('\\\\')) {\n try {\n value = JSON.parse(`\"${value}\"`);\n }\n catch { }\n }\n parameters[key.toLowerCase()] = value;\n continue;\n }\n if ((match = rest.match(unquotedParamRE))) {\n ;\n [, key, value, rest] = match;\n parameters[key.toLowerCase()] = value;\n continue;\n }\n if ((match = rest.match(token68ParamRE))) {\n if (Object.keys(parameters).length) {\n break;\n }\n ;\n [, token68, rest] = match;\n break;\n }\n return undefined;\n }\n }\n else {\n rest = afterScheme || undefined;\n }\n const challenge = { scheme, parameters };\n if (token68) {\n challenge.token68 = token68;\n }\n challenges.push(challenge);\n }\n if (!challenges.length) {\n return undefined;\n }\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 201, 'Pushed Authorization Request Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n 
assertString(json.request_uri, '\"response\" body \"request_uri\" property', INVALID_RESPONSE, {\n body: json,\n });\n let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n return json;\n}\nasync function parseOAuthResponseErrorBody(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n assertApplicationJson(response);\n try {\n const json = await response.clone().json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n return json;\n }\n }\n catch { }\n }\n return undefined;\n}\nasync function checkOAuthBodyError(response, expected, label) {\n if (response.status !== expected) {\n checkAuthenticationChallenges(response);\n let err;\n if ((err = await parseOAuthResponseErrorBody(response))) {\n await response.body?.cancel();\n throw new ResponseBodyError('server responded with an error in the response body', {\n cause: err,\n response,\n });\n }\n throw OPE(`\"response\" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);\n }\n}\nfunction assertDPoP(option) {\n if (!branded.has(option)) {\n throw CodedTypeError('\"options.DPoP\" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);\n }\n}\nasync function resourceRequest(accessToken, method, url, headers, body, options) {\n assertString(accessToken, '\"accessToken\"');\n if (!(url instanceof URL)) {\n throw CodedTypeError('\"url\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n checkProtocol(url, options?.[allowInsecureRequests] !== true);\n headers = prepareHeaders(headers);\n if (options?.DPoP) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, method.toUpperCase(), accessToken);\n }\n headers.set('authorization', `${headers.has('dpop') ? 
'DPoP' : 'Bearer'} ${accessToken}`);\n const response = await (options?.[customFetch] || fetch)(url.href, {\n duplex: looseInstanceOf(body, ReadableStream) ? 'half' : undefined,\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n const response = await resourceRequest(accessToken, method, url, headers, body, options);\n checkAuthenticationChallenges(response);\n return response;\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return resourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap ||= new WeakMap();\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n 
jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(header);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {\n setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);\n }\n let jwks;\n let age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n case 'ML':\n kty = 'AKP';\n break;\n default:\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'Ed25519' && jwk.crv !== 'Ed25519':\n case alg === 'EdDSA' && jwk.crv !== 'Ed25519':\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw OPE('error when selecting a JWT verification key, no applicable keys found', KEY_SELECTION, { 
header, candidates, jwks_uri: new URL(as.jwks_uri) });\n }\n if (length !== 1) {\n throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });\n }\n return importJwk(alg, jwk);\n}\nexport const skipSubjectCheck = Symbol();\nexport function getContentType(input) {\n return input.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response, options) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n checkAuthenticationChallenges(response);\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform UserInfo Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n let json;\n if (getContentType(response) === 'application/jwt') {\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported, undefined), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as));\n jwtRefs.set(response, jwt);\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw OPE('JWT UserInfo Response expected', JWT_USERINFO_EXPECTED, response);\n }\n json = await getResponseJsonBody(response);\n }\n assertString(json.sub, '\"response\" body \"sub\" property', INVALID_RESPONSE, { body: json });\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n assertString(expectedSubject, '\"expectedSubject\"');\n if (json.sub !== expectedSubject) {\n throw OPE('unexpected 
\"response\" body \"sub\" property value', JSON_ATTRIBUTE_COMPARISON, {\n expected: expectedSubject,\n body: json,\n attribute: 'sub',\n });\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method: 'POST',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nasync function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, 'POST');\n }\n const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n assertString(refreshToken, '\"refreshToken\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, clientAuthentication, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nconst jwtRefs = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw CodedTypeError('\"ref\" was already garbage 
collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);\n }\n return claims;\n}\nexport async function validateApplicationLevelSignature(as, ref, options) {\n assertAs(as);\n if (!jwtRefs.has(ref)) {\n throw CodedTypeError('\"ref\" does not contain a processed JWT Response to verify the signature of', ERR_INVALID_ARG_VALUE);\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwtRefs.get(ref).split('.');\n const header = JSON.parse(buf(b64u(protectedHeader)));\n if (header.alg.startsWith('HS')) {\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg: header.alg } });\n }\n let key;\n key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));\n}\nasync function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Token Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.access_token, '\"response\" body \"access_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.token_type, '\"response\" body \"token_type\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.token_type = json.token_type.toLowerCase();\n if (json.expires_in !== undefined) {\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n }\n if (json.refresh_token !== undefined) {\n assertString(json.refresh_token, '\"response\" body \"refresh_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw OPE('\"response\" body \"scope\" property must be a string', INVALID_RESPONSE, { body: json });\n }\n if (json.id_token !== undefined) {\n assertString(json.id_token, '\"response\" body \"id_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub'];\n if (client.require_auth_time === true) {\n requiredClaims.push('auth_time');\n }\n if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n requiredClaims.push('auth_time');\n }\n if (additionalRequiredIdTokenClaims?.length) {\n requiredClaims.push(...additionalRequiredIdTokenClaims);\n }\n const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), decryptFn)\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });\n }\n if (claims.azp !== client.client_id) {\n throw OPE('unexpected ID Token \"azp\" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: 'azp' });\n }\n }\n if (claims.auth_time !== undefined) 
{\n assertNumber(claims.auth_time, true, 'ID Token \"auth_time\" (authentication time)', INVALID_RESPONSE, { claims });\n }\n jwtRefs.set(response, jwt);\n idTokenClaims.set(json, claims);\n }\n if (recognizedTokenTypes?.[json.token_type] !== undefined) {\n recognizedTokenTypes[json.token_type](response, json);\n }\n else if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value', { cause: { body: json } });\n }\n return json;\n}\nfunction checkAuthenticationChallenges(response) {\n let challenges;\n if ((challenges = parseWwwAuthenticateChallenges(response))) {\n throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response });\n }\n}\nexport async function processRefreshTokenResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw OPE('unexpected JWT \"aud\" (audience) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'aud',\n });\n }\n }\n else if (result.claims.aud !== expected) {\n throw OPE('unexpected JWT \"aud\" (audience) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'aud',\n });\n }\n return result;\n}\nfunction validateOptionalIssuer(as, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(as, result);\n }\n return result;\n}\nfunction validateIssuer(as, result) {\n const expected = as[_expectedIssuer]?.(result) ?? 
as.issuer;\n if (result.claims.iss !== expected) {\n throw OPE('unexpected JWT \"iss\" (issuer) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'iss',\n });\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport const nopkce = Symbol();\nexport async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw CodedTypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);\n }\n assertString(redirectUri, '\"redirectUri\"');\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw OPE('no authorization code in \"callbackParameters\"', INVALID_RESPONSE);\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code', code);\n if (codeVerifier !== nopkce) {\n assertString(codeVerifier, '\"codeVerifier\"');\n parameters.set('code_verifier', codeVerifier);\n }\n return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n auth_time: 'authentication time',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {\n claims: 
result.claims,\n });\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeResponse(as, client, response, options) {\n if (typeof options?.expectedNonce === 'string' ||\n typeof options?.maxAge === 'number' ||\n options?.requireIdToken) {\n return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);\n }\n return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nasync function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {\n const additionalRequiredClaims = [];\n switch (expectedNonce) {\n case undefined:\n expectedNonce = expectNoNonce;\n break;\n case expectNoNonce:\n break;\n default:\n assertString(expectedNonce, '\"expectedNonce\" argument');\n additionalRequiredClaims.push('nonce');\n }\n maxAge ??= client.default_max_age;\n switch (maxAge) {\n case undefined:\n maxAge = skipAuthTimeCheck;\n break;\n case skipAuthTimeCheck:\n break;\n default:\n assertNumber(maxAge, true, '\"maxAge\" argument');\n additionalRequiredClaims.push('auth_time');\n }\n const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);\n assertString(result.id_token, '\"response\" body \"id_token\" property', INVALID_RESPONSE, {\n body: result,\n });\n const claims = getValidatedIdTokenClaims(result);\n if (maxAge !== skipAuthTimeCheck) {\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n if (expectedNonce === 
expectNoNonce) {\n if (claims.nonce !== undefined) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: undefined,\n claims,\n claim: 'nonce',\n });\n }\n }\n else if (claims.nonce !== expectedNonce) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: expectedNonce,\n claims,\n claim: 'nonce',\n });\n }\n return result;\n}\nasync function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {\n const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);\n const claims = getValidatedIdTokenClaims(result);\n if (claims) {\n if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + client.default_max_age < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n if (claims.nonce !== undefined) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: undefined,\n claims,\n claim: 'nonce',\n });\n }\n }\n return result;\n}\nexport const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';\nexport const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';\nexport const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';\nexport const AUTHORIZATION_RESPONSE_ERROR = 'OAUTH_AUTHORIZATION_RESPONSE_ERROR';\nexport const JWT_USERINFO_EXPECTED = 'OAUTH_JWT_USERINFO_EXPECTED';\nexport const PARSE_ERROR = 'OAUTH_PARSE_ERROR';\nexport const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE';\nexport const INVALID_REQUEST = 'OAUTH_INVALID_REQUEST';\nexport const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON';\nexport const RESPONSE_IS_NOT_CONFORM = 
'OAUTH_RESPONSE_IS_NOT_CONFORM';\nexport const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN';\nexport const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN';\nexport const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';\nexport const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';\nexport const JSON_ATTRIBUTE_COMPARISON = 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED';\nexport const KEY_SELECTION = 'OAUTH_KEY_SELECTION_FAILED';\nexport const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';\nexport const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw OPE('unexpected JWT \"typ\" header parameter value', INVALID_RESPONSE, {\n header: result.header,\n });\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, clientAuthentication, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {\n assertAs(as);\n assertClient(client);\n assertString(grantType, '\"grantType\"');\n return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);\n}\nexport async function processGenericTokenEndpointResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function processClientCredentialsResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function revocationRequest(as, 
client, clientAuthentication, token, options) {\n assertAs(as);\n assertClient(client);\n assertString(token, '\"token\"');\n const url = resolveEndpoint(as, 'revocation_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Revocation Endpoint');\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw CodedTypeError('\"response\" body has been used already', ERR_INVALID_ARG_VALUE);\n }\n}\nexport async function introspectionRequest(as, client, clientAuthentication, token, options) {\n assertAs(as);\n assertClient(client);\n assertString(token, '\"token\"');\n const url = resolveEndpoint(as, 'introspection_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? 
client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response, options) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Introspection Endpoint');\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n jwtRefs.set(response, jwt);\n if (!isJsonObject(claims.token_introspection)) {\n throw OPE('JWT \"token_introspection\" claim must be a JSON object', INVALID_RESPONSE, {\n claims,\n });\n }\n json = claims.token_introspection;\n }\n else {\n assertReadableResponse(response);\n json = await getResponseJsonBody(response);\n }\n if (typeof json.active !== 'boolean') {\n throw OPE('\"response\" body \"active\" property must be a boolean', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri', false, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n 
headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n body: undefined,\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response, (response) => assertContentTypes(response, 'application/json', 'application/jwk-set+json'));\n if (!Array.isArray(json.keys)) {\n throw OPE('\"response\" body \"keys\" property must be an array', INVALID_RESPONSE, { body: json });\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw OPE('\"response\" body \"keys\" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json });\n }\n return json;\n}\nfunction supported(alg) {\n switch (alg) {\n case 'PS256':\n case 'ES256':\n case 'RS256':\n case 'PS384':\n case 'ES384':\n case 'RS384':\n case 'PS512':\n case 'ES512':\n case 'RS512':\n case 'Ed25519':\n case 'EdDSA':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return true;\n default:\n return false;\n }\n}\nfunction checkSupportedJwsAlg(header) {\n if (!supported(header.alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier', {\n cause: { alg: header.alg },\n });\n }\n}\nfunction checkRsaKeyAlgorithm(key) {\n const { algorithm } = key;\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {\n cause: key,\n });\n }\n}\nfunction ecdsaHashName(key) {\n const { 
algorithm } = key;\n switch (algorithm.namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError('unsupported ECDSA namedCurve', { cause: key });\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError('unsupported RSA-PSS hash name', { cause: key });\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key);\n return key.algorithm.name;\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });\n}\nasync function validateJwsSignature(protectedHeader, payload, key, signature) {\n const data = buf(`${protectedHeader}.${payload}`);\n const algorithm = keyToSubtle(key);\n const verified = await crypto.subtle.verify(algorithm, key, signature, data);\n if (!verified) {\n throw OPE('JWT signature verification failed', INVALID_RESPONSE, {\n key,\n data,\n signature,\n algorithm,\n });\n }\n}\nasync function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) {\n let { 0: protectedHeader, 1: payload, length } = jws.split('.');\n if (length === 5) {\n if (decryptJwt !== undefined) {\n jws = await decryptJwt(jws);\n ({ 0: protectedHeader, 1: payload, length } = jws.split('.'));\n }\n else {\n throw new UnsupportedOperationError('JWE decryption is not configured', { cause: jws });\n }\n }\n if (length !== 3) {\n throw OPE('Invalid JWT', INVALID_RESPONSE, jws);\n }\n let header;\n try {\n header = 
JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(header)) {\n throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws);\n }\n checkAlg(header);\n if (header.crit !== undefined) {\n throw new UnsupportedOperationError('no JWT \"crit\" header parameter extensions are supported', {\n cause: { header },\n });\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(claims)) {\n throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws);\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw OPE('unexpected JWT \"exp\" (expiration time) claim type', INVALID_RESPONSE, { claims });\n }\n if (claims.exp <= now - clockTolerance) {\n throw OPE('unexpected JWT \"exp\" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance, claim: 'exp' });\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw OPE('unexpected JWT \"iat\" (issued at) claim type', INVALID_RESPONSE, { claims });\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw OPE('unexpected JWT \"iss\" (issuer) claim type', INVALID_RESPONSE, { claims });\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw OPE('unexpected JWT \"nbf\" (not before) claim type', INVALID_RESPONSE, { claims });\n }\n if (claims.nbf > now + clockTolerance) {\n throw OPE('unexpected JWT \"nbf\" (not before) claim value', JWT_TIMESTAMP_CHECK, {\n claims,\n now,\n tolerance: clockTolerance,\n claim: 'nbf',\n });\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 
'string' && !Array.isArray(claims.aud)) {\n throw OPE('unexpected JWT \"aud\" (audience) claim type', INVALID_RESPONSE, { claims });\n }\n }\n return { header, claims, jwt: jws };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw OPE('\"parameters\" does not contain a JARM response', INVALID_RESPONSE);\n }\n const { claims, header, jwt } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(data, header, claimName) {\n let algorithm;\n switch (header.alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 
'ES512':\n case 'Ed25519':\n case 'EdDSA':\n algorithm = 'SHA-512';\n break;\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: 'cSHAKE256', length: 512, outputLength: 512 };\n break;\n default:\n throw new UnsupportedOperationError(`unsupported JWS algorithm for ${claimName} calculation`, { cause: { alg: header.alg } });\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, header, claimName) {\n const expected = await idTokenHash(data, header, claimName);\n return actual === expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, true);\n}\nexport async function validateCodeIdTokenResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, false);\n}\nasync function consumeStream(request) {\n if (request.bodyUsed) {\n throw CodedTypeError('form_post Request instances must contain a readable body', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n return request.text();\n}\nexport async function formPostResponse(request) {\n if (request.method !== 'POST') {\n throw CodedTypeError('form_post responses are expected to use the POST method', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n if (getContentType(request) !== 'application/x-www-form-urlencoded') {\n throw CodedTypeError('form_post responses are expected to use the application/x-www-form-urlencoded content-type', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n return consumeStream(request);\n}\nasync function validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, fapi) {\n assertAs(as);\n 
assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw CodedTypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters', ERR_INVALID_ARG_VALUE);\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n else if (looseInstanceOf(parameters, Request)) {\n parameters = new URLSearchParams(await formPostResponse(parameters));\n }\n else if (parameters instanceof URLSearchParams) {\n parameters = new URLSearchParams(parameters);\n }\n else {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, URL, or Response', ERR_INVALID_ARG_TYPE);\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n assertString(expectedState, '\"expectedState\" argument');\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (!id_token) {\n throw OPE('\"parameters\" does not contain an ID Token', INVALID_RESPONSE);\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw OPE('\"parameters\" does not contain an Authorization Code', INVALID_RESPONSE);\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n const state = parameters.get('state');\n if (fapi && (typeof expectedState === 'string' || state !== null)) {\n requiredClaims.push('s_hash');\n }\n if (maxAge !== undefined) {\n assertNumber(maxAge, true, '\"maxAge\" argument');\n }\n else if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n }\n maxAge ??= client.default_max_age ?? 
skipAuthTimeCheck;\n if (client.require_auth_time || maxAge !== skipAuthTimeCheck) {\n requiredClaims.push('auth_time');\n }\n const { claims, header, jwt } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past', JWT_TIMESTAMP_CHECK, { now, claims, claim: 'iat' });\n }\n assertString(claims.c_hash, 'ID Token \"c_hash\" (code hash) claim value', INVALID_RESPONSE, {\n claims,\n });\n if (claims.auth_time !== undefined) {\n assertNumber(claims.auth_time, true, 'ID Token \"auth_time\" (authentication time)', INVALID_RESPONSE, { claims });\n }\n if (maxAge !== skipAuthTimeCheck) {\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n assertString(expectedNonce, '\"expectedNonce\" argument');\n if (claims.nonce !== expectedNonce) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: expectedNonce,\n claims,\n claim: 'nonce',\n });\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });\n }\n if (claims.azp !== client.client_id) {\n throw OPE('unexpected ID Token \"azp\" 
(authorized party) claim value', JWT_CLAIM_COMPARISON, {\n expected: client.client_id,\n claims,\n claim: 'azp',\n });\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n if ((await idTokenHashMatches(code, claims.c_hash, header, 'c_hash')) !== true) {\n throw OPE('invalid ID Token \"c_hash\" (code hash) claim value', JWT_CLAIM_COMPARISON, {\n code,\n alg: header.alg,\n claim: 'c_hash',\n claims,\n });\n }\n if ((fapi && state !== null) || claims.s_hash !== undefined) {\n assertString(claims.s_hash, 'ID Token \"s_hash\" (state hash) claim value', INVALID_RESPONSE, {\n claims,\n });\n assertString(state, '\"state\" response parameter', INVALID_RESPONSE, { parameters });\n if ((await idTokenHashMatches(state, claims.s_hash, header, 's_hash')) !== true) {\n throw OPE('invalid ID Token \"s_hash\" (state hash) claim value', JWT_CLAIM_COMPARISON, {\n state,\n alg: header.alg,\n claim: 's_hash',\n claims,\n });\n }\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, fallback, header) {\n if (client !== undefined) {\n if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: client,\n reason: 'client configuration',\n });\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: issuer,\n reason: 'authorization server metadata',\n });\n }\n return;\n }\n if (fallback !== undefined) {\n if (typeof fallback === 'string'\n ? header.alg !== fallback\n : typeof fallback === 'function'\n ? 
!fallback(header.alg)\n : !fallback.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: fallback,\n reason: 'default value',\n });\n }\n return;\n }\n throw OPE('missing client or server configuration to verify used JWT \"alg\" header parameter', undefined, { client, issuer, fallback });\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw OPE(`\"${name}\" parameter must be provided only once`, INVALID_RESPONSE);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters });\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw OPE('response parameter \"iss\" (issuer) missing', INVALID_RESPONSE, { parameters });\n }\n if (iss && iss !== as.issuer) {\n throw OPE('unexpected \"iss\" (issuer) response parameter value', INVALID_RESPONSE, {\n expected: as.issuer,\n parameters,\n });\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw OPE('unexpected \"state\" response parameter encountered', INVALID_RESPONSE, {\n expected: undefined,\n parameters,\n });\n }\n break;\n case skipStateCheck:\n break;\n default:\n 
assertString(expectedState, '\"expectedState\" argument');\n if (state !== expectedState) {\n throw OPE(state === undefined\n ? 'response parameter \"state\" missing'\n : 'unexpected \"state\" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters });\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n throw new AuthorizationResponseError('authorization response from the server is an error', {\n cause: parameters,\n });\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA':\n return 'Ed25519';\n case 'Ed25519':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return alg;\n default:\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n 
body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Device Authorization Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.device_code, '\"response\" body \"device_code\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.user_code, '\"response\" body \"user_code\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.verification_uri, '\"response\" body \"verification_uri\" property', INVALID_RESPONSE, { body: json });\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n if (json.verification_uri_complete !== undefined) {\n assertString(json.verification_uri_complete, '\"response\" body \"verification_uri_complete\" property', INVALID_RESPONSE, { body: json });\n }\n if (json.interval !== undefined) {\n assertNumber(json.interval, false, '\"response\" body \"interval\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, clientAuthentication, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n assertString(deviceCode, '\"deviceCode\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, clientAuthentication, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function generateKeyPair(alg, options) {\n assertString(alg, '\"alg\"');\n const algorithm = algToSubtle(alg);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return crypto.subtle.generateKey(algorithm, options?.extractable ?? 
false, [\n 'sign',\n 'verify',\n ]);\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(request, accessToken, accessTokenClaims, options) {\n const headerValue = request.headers.get('dpop');\n if (headerValue === null) {\n throw OPE('operation indicated DPoP use but the request has no DPoP HTTP Header', INVALID_REQUEST, { headers: request.headers });\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers });\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim', INVALID_REQUEST, { claims: accessTokenClaims });\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew, getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw OPE('DPoP Proof iat is not recent enough', JWT_TIMESTAMP_CHECK, {\n now,\n claims: proof.claims,\n claim: 'iat',\n });\n }\n if (proof.claims.htm !== request.method) {\n throw OPE('DPoP Proof htm mismatch', JWT_CLAIM_COMPARISON, {\n expected: request.method,\n claims: proof.claims,\n claim: 'htm',\n });\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw OPE('DPoP Proof htu mismatch', JWT_CLAIM_COMPARISON, {\n expected: normalizeHtu(request.url),\n claims: proof.claims,\n claim: 'htu',\n });\n }\n {\n const expected = b64u(await 
crypto.subtle.digest('SHA-256', buf(accessToken)));\n if (proof.claims.ath !== expected) {\n throw OPE('DPoP Proof ath mismatch', JWT_CLAIM_COMPARISON, {\n expected,\n claims: proof.claims,\n claim: 'ath',\n });\n }\n }\n {\n const expected = await calculateJwkThumbprint(proof.header.jwk);\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw OPE('JWT Access Token confirmation mismatch', JWT_CLAIM_COMPARISON, {\n expected,\n claims: accessTokenClaims,\n claim: 'cnf.jkt',\n });\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split('.');\n const signature = b64u(encodedSignature);\n const { jwk, alg } = proof.header;\n if (!jwk) {\n throw OPE('DPoP Proof is missing the jwk header parameter', INVALID_REQUEST, {\n header: proof.header,\n });\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw OPE('DPoP Proof jwk header parameter must contain a public key', INVALID_REQUEST, {\n header: proof.header,\n });\n }\n await validateJwsSignature(protectedHeader, payload, key, signature);\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw CodedTypeError('\"request\" must be an instance of Request', ERR_INVALID_ARG_TYPE);\n }\n assertString(expectedAudience, '\"expectedAudience\"');\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw OPE('\"request\" is missing an Authorization HTTP Header', INVALID_REQUEST, {\n headers: request.headers,\n });\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme', {\n cause: { headers: request.headers },\n });\n }\n if (length !== 2) {\n throw OPE('invalid Authorization HTTP Header format', INVALID_REQUEST, {\n 
headers: request.headers,\n });\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, expectedAudience))\n .catch(reassignRSCode);\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw OPE(`unexpected JWT \"${claim}\" claim type`, INVALID_REQUEST, { claims });\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw OPE('unexpected JWT \"cnf\" (confirmation) claim value', INVALID_REQUEST, { claims });\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported', {\n cause: { claims },\n });\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method', {\n cause: { claims },\n });\n }\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode);\n }\n return claims;\n}\nfunction reassignRSCode(err) {\n if (err instanceof OperationProcessingError && 
err?.code === INVALID_REQUEST) {\n err.code = INVALID_RESPONSE;\n }\n throw err;\n}\nexport async function backchannelAuthenticationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'backchannel_authentication_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processBackchannelAuthenticationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Backchannel Authentication Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.auth_req_id, '\"response\" body \"auth_req_id\" property', INVALID_RESPONSE, {\n body: json,\n });\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n if (json.interval !== undefined) {\n assertNumber(json.interval, false, '\"response\" body \"interval\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function backchannelAuthenticationGrantRequest(as, client, clientAuthentication, authReqId, options) {\n assertAs(as);\n assertClient(client);\n assertString(authReqId, '\"authReqId\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('auth_req_id', authReqId);\n return tokenEndpointRequest(as, client, clientAuthentication, 'urn:openid:params:grant-type:ciba', parameters, options);\n}\nexport async function processBackchannelAuthenticationGrantResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function dynamicClientRegistrationRequest(as, metadata, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'registration_endpoint', metadata.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.set('content-type', 'application/json');\n const method = 'POST';\n if (options?.DPoP) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, method, options.initialAccessToken);\n }\n if (options?.initialAccessToken) {\n headers.set('authorization', `${headers.has('dpop') ? 
'DPoP' : 'Bearer'} ${options.initialAccessToken}`);\n }\n const response = await (options?.[customFetch] || fetch)(url.href, {\n body: JSON.stringify(metadata),\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function processDynamicClientRegistrationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 201, 'Dynamic Client Registration Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.client_id, '\"response\" body \"client_id\" property', INVALID_RESPONSE, {\n body: json,\n });\n if (json.client_secret !== undefined) {\n assertString(json.client_secret, '\"response\" body \"client_secret\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n if (json.client_secret) {\n assertNumber(json.client_secret_expires_at, true, '\"response\" body \"client_secret_expires_at\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function resourceDiscoveryRequest(resourceIdentifier, options) {\n return performDiscovery(resourceIdentifier, 'resourceIdentifier', (url) => {\n prependWellKnown(url, '.well-known/oauth-protected-resource', true);\n return url;\n }, options);\n}\nexport async function processResourceDiscoveryResponse(expectedResourceIdentifier, response) {\n const expected = expectedResourceIdentifier;\n if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {\n throw CodedTypeError('\"expectedResourceIdentifier\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n 
throw OPE('\"response\" is not a conform Resource Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.resource, '\"response\" body \"resource\" property', INVALID_RESPONSE, {\n body: json,\n });\n if (expected !== _nodiscoverycheck && new URL(json.resource).href !== expected.href) {\n throw OPE('\"response\" body \"resource\" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'resource' });\n }\n return json;\n}\nasync function getResponseJsonBody(response, check = assertApplicationJson) {\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n check(response);\n throw OPE('failed to parse \"response\" body as JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(json)) {\n throw OPE('\"response\" body must be a top level object', INVALID_RESPONSE, { body: json });\n }\n return json;\n}\nexport const _nopkce = nopkce;\nexport const _nodiscoverycheck = Symbol();\nexport const _expectedIssuer = Symbol();\n//# sourceMappingURL=index.js.map","import * as oauth from 'oauth4webapi';\nimport { compactDecrypt } from 'jose/jwe/compact/decrypt';\nimport { JOSEError } from 'jose/errors';\nlet headers;\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'openid-client';\n const VERSION = 'v6.8.4';\n USER_AGENT = `${NAME}/${VERSION}`;\n headers = { 'user-agent': USER_AGENT };\n}\nconst int = (config) => {\n return props.get(config);\n};\nlet props;\nexport { AuthorizationResponseError, ResponseBodyError, WWWAuthenticateChallengeError, } from 'oauth4webapi';\nlet tbi;\nexport function ClientSecretPost(clientSecret) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretPost(clientSecret);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => 
{\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretPost(client.client_secret);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nfunction assertString(input, it) {\n if (typeof input !== 'string') {\n throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE);\n }\n if (input.length === 0) {\n throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE);\n }\n}\nexport function ClientSecretBasic(clientSecret) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretBasic(clientSecret);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => {\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretBasic(client.client_secret);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nexport function ClientSecretJwt(clientSecret, options) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretJwt(clientSecret, options);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => {\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretJwt(client.client_secret, options);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nexport function None() {\n return oauth.None();\n}\nexport function PrivateKeyJwt(clientPrivateKey, options) {\n return oauth.PrivateKeyJwt(clientPrivateKey, options);\n}\nexport function TlsClientAuth() {\n return oauth.TlsClientAuth();\n}\nexport const skipStateCheck = oauth.skipStateCheck;\nexport const skipSubjectCheck = oauth.skipSubjectCheck;\nexport const customFetch = oauth.customFetch;\nexport const modifyAssertion = oauth.modifyAssertion;\nexport const clockSkew = oauth.clockSkew;\nexport const clockTolerance = oauth.clockTolerance;\nconst 
ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';\nconst ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';\nfunction CodedTypeError(message, code, cause) {\n const err = new TypeError(message, { cause });\n Object.assign(err, { code });\n return err;\n}\nexport function calculatePKCECodeChallenge(codeVerifier) {\n return oauth.calculatePKCECodeChallenge(codeVerifier);\n}\nexport function randomPKCECodeVerifier() {\n return oauth.generateRandomCodeVerifier();\n}\nexport function randomNonce() {\n return oauth.generateRandomNonce();\n}\nexport function randomState() {\n return oauth.generateRandomState();\n}\nexport class ClientError extends Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = options?.code;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst decoder = new TextDecoder();\nfunction e(msg, cause, code) {\n return new ClientError(msg, { cause, code });\n}\nfunction errorHandler(err) {\n if (err instanceof TypeError ||\n err instanceof ClientError ||\n err instanceof oauth.ResponseBodyError ||\n err instanceof oauth.AuthorizationResponseError ||\n err instanceof oauth.WWWAuthenticateChallengeError) {\n throw err;\n }\n if (err instanceof oauth.OperationProcessingError) {\n switch (err.code) {\n case oauth.HTTP_REQUEST_FORBIDDEN:\n throw e('only requests to HTTPS are allowed', err, err.code);\n case oauth.REQUEST_PROTOCOL_FORBIDDEN:\n throw e('only requests to HTTP or HTTPS are allowed', err, err.code);\n case oauth.RESPONSE_IS_NOT_CONFORM:\n throw e('unexpected HTTP response status code', err.cause, err.code);\n case oauth.RESPONSE_IS_NOT_JSON:\n throw e('unexpected response content-type', err.cause, err.code);\n case oauth.PARSE_ERROR:\n throw e('parsing error occured', err, err.code);\n case oauth.INVALID_RESPONSE:\n throw e('invalid response encountered', err, err.code);\n case oauth.JWT_CLAIM_COMPARISON:\n throw e('unexpected JWT claim value encountered', err, 
err.code);\n case oauth.JSON_ATTRIBUTE_COMPARISON:\n throw e('unexpected JSON attribute value encountered', err, err.code);\n case oauth.JWT_TIMESTAMP_CHECK:\n throw e('JWT timestamp claim value failed validation', err, err.code);\n default:\n throw e(err.message, err, err.code);\n }\n }\n if (err instanceof oauth.UnsupportedOperationError) {\n throw e('unsupported operation', err, err.code);\n }\n if (err instanceof DOMException) {\n switch (err.name) {\n case 'OperationError':\n throw e('runtime operation error', err, oauth.UNSUPPORTED_OPERATION);\n case 'NotSupportedError':\n throw e('runtime unsupported operation', err, oauth.UNSUPPORTED_OPERATION);\n case 'TimeoutError':\n throw e('operation timed out', err, 'OAUTH_TIMEOUT');\n case 'AbortError':\n throw e('operation aborted', err, 'OAUTH_ABORT');\n }\n }\n throw new ClientError('something went wrong', { cause: err });\n}\nexport function randomDPoPKeyPair(alg, options) {\n return oauth\n .generateKeyPair(alg ?? 'ES256', {\n extractable: options?.extractable,\n })\n .catch(errorHandler);\n}\nfunction handleEntraId(server, as, options) {\n if (server.origin === 'https://login.microsoftonline.com' &&\n (!options?.algorithm || options.algorithm === 'oidc')) {\n as[kEntraId] = true;\n return true;\n }\n return false;\n}\nfunction handleB2Clogin(server, options) {\n if (server.hostname.endsWith('.b2clogin.com') &&\n (!options?.algorithm || options.algorithm === 'oidc')) {\n return true;\n }\n return false;\n}\nexport async function dynamicClientRegistration(server, metadata, clientAuthentication, options) {\n let as;\n if (options?.flag === retry) {\n as = options.as;\n }\n else {\n as = await performDiscovery(server, options);\n }\n const clockSkew = metadata[oauth.clockSkew] ?? 0;\n const clockTolerance = metadata[oauth.clockTolerance] ?? 30;\n metadata = structuredClone(metadata);\n const timeout = options?.timeout ?? 
30;\n const signal = AbortSignal.timeout(timeout * 1000);\n let registered;\n try {\n registered = await oauth\n .dynamicClientRegistrationRequest(as, metadata, {\n initialAccessToken: options?.initialAccessToken,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n [oauth.customFetch]: options?.[customFetch],\n [oauth.allowInsecureRequests]: options?.execute?.includes(allowInsecureRequests),\n signal,\n })\n .then(oauth.processDynamicClientRegistrationResponse);\n }\n catch (err) {\n if (retryable(err, options)) {\n return dynamicClientRegistration(server, metadata, clientAuthentication, {\n ...options,\n flag: retry,\n as,\n });\n }\n errorHandler(err);\n }\n registered[oauth.clockSkew] = clockSkew;\n registered[oauth.clockTolerance] = clockTolerance;\n const instance = new Configuration(as, registered.client_id, registered, clientAuthentication);\n let internals = int(instance);\n if (options?.[customFetch]) {\n internals.fetch = options[customFetch];\n }\n if (options?.timeout) {\n internals.timeout = options.timeout;\n }\n if (options?.execute) {\n for (const extension of options.execute) {\n extension(instance);\n }\n }\n return instance;\n}\nexport async function discovery(server, clientId, metadata, clientAuthentication, options) {\n const as = await performDiscovery(server, options);\n const instance = new Configuration(as, clientId, metadata, clientAuthentication);\n let internals = int(instance);\n if (options?.[customFetch]) {\n internals.fetch = options[customFetch];\n }\n if (options?.timeout) {\n internals.timeout = options.timeout;\n }\n if (options?.execute) {\n for (const extension of options.execute) {\n extension(instance);\n }\n }\n return instance;\n}\nasync function performDiscovery(server, options) {\n if (!(server instanceof URL)) {\n throw CodedTypeError('\"server\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n const resolve = !server.href.includes('/.well-known/');\n const timeout = options?.timeout ?? 
30;\n const signal = AbortSignal.timeout(timeout * 1000);\n const as = await (resolve\n ? oauth.discoveryRequest(server, {\n algorithm: options?.algorithm,\n [oauth.customFetch]: options?.[customFetch],\n [oauth.allowInsecureRequests]: options?.execute?.includes(allowInsecureRequests),\n signal,\n headers: new Headers(headers),\n })\n : (options?.[customFetch] || fetch)((() => {\n oauth.checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true);\n return server.href;\n })(), {\n headers: Object.fromEntries(new Headers({ accept: 'application/json', ...headers }).entries()),\n body: undefined,\n method: 'GET',\n redirect: 'manual',\n signal,\n }))\n .then((response) => oauth.processDiscoveryResponse(oauth._nodiscoverycheck, response))\n .catch(errorHandler);\n if (resolve && new URL(as.issuer).href !== server.href) {\n handleEntraId(server, as, options) ||\n handleB2Clogin(server, options) ||\n (() => {\n throw new ClientError('discovered metadata issuer does not match the expected issuer', {\n code: oauth.JSON_ATTRIBUTE_COMPARISON,\n cause: {\n expected: server.href,\n body: as,\n attribute: 'issuer',\n },\n });\n })();\n }\n return as;\n}\nfunction isRsaOaep(input) {\n return input.name === 'RSA-OAEP';\n}\nfunction isEcdh(input) {\n return input.name === 'ECDH';\n}\nconst ecdhEs = 'ECDH-ES';\nconst ecdhEsA128Kw = 'ECDH-ES+A128KW';\nconst ecdhEsA192Kw = 'ECDH-ES+A192KW';\nconst ecdhEsA256Kw = 'ECDH-ES+A256KW';\nfunction checkEcdhAlg(algs, alg, pk) {\n switch (alg) {\n case undefined:\n algs.add(ecdhEs);\n algs.add(ecdhEsA128Kw);\n algs.add(ecdhEsA192Kw);\n algs.add(ecdhEsA256Kw);\n break;\n case ecdhEs:\n case ecdhEsA128Kw:\n case ecdhEsA192Kw:\n case ecdhEsA256Kw:\n algs.add(alg);\n break;\n default:\n throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, { pk });\n }\n}\nexport function enableDecryptingResponses(config, contentEncryptionAlgorithms = [\n 'A128GCM',\n 'A192GCM',\n 'A256GCM',\n 'A128CBC-HS256',\n 
'A192CBC-HS384',\n 'A256CBC-HS512',\n], ...keys) {\n if (int(config).decrypt !== undefined) {\n throw new TypeError('enableDecryptingResponses can only be called on a given Configuration instance once');\n }\n if (keys.length === 0) {\n throw CodedTypeError('no keys were provided', ERR_INVALID_ARG_VALUE);\n }\n const algs = new Set();\n const normalized = [];\n for (const pk of keys) {\n let key;\n if ('key' in pk) {\n key = { key: pk.key };\n if (typeof pk.alg === 'string')\n key.alg = pk.alg;\n if (typeof pk.kid === 'string')\n key.kid = pk.kid;\n }\n else {\n key = { key: pk };\n }\n if (key.key.type !== 'private') {\n throw CodedTypeError('only private keys must be provided', ERR_INVALID_ARG_VALUE);\n }\n if (isRsaOaep(key.key.algorithm)) {\n switch (key.key.algorithm.hash.name) {\n case 'SHA-1':\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512': {\n let alg = 'RSA-OAEP';\n let sha;\n if ((sha = parseInt(key.key.algorithm.hash.name.slice(-3), 10))) {\n alg = `${alg}-${sha}`;\n }\n key.alg ||= alg;\n if (alg !== key.alg)\n throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, {\n pk,\n });\n algs.add(key.alg);\n break;\n }\n default:\n throw CodedTypeError('only SHA-512, SHA-384, SHA-256, and SHA-1 RSA-OAEP keys are supported', ERR_INVALID_ARG_VALUE);\n }\n }\n else if (isEcdh(key.key.algorithm)) {\n if (key.key.algorithm.namedCurve !== 'P-256') {\n throw CodedTypeError('Only P-256 ECDH keys are supported', ERR_INVALID_ARG_VALUE);\n }\n checkEcdhAlg(algs, key.alg, pk);\n }\n else if (key.key.algorithm.name === 'X25519') {\n checkEcdhAlg(algs, key.alg, pk);\n }\n else {\n throw CodedTypeError('only RSA-OAEP, ECDH, or X25519 keys are supported', ERR_INVALID_ARG_VALUE);\n }\n normalized.push(key);\n }\n int(config).decrypt = async (jwe) => decrypt(normalized, jwe, contentEncryptionAlgorithms, [...algs]).catch(errorHandler);\n}\nfunction checkCryptoKey(key, alg, epk) {\n if (alg.startsWith('RSA-OAEP')) {\n return key.algorithm.name === 'RSA-OAEP';\n }\n 
if (alg.startsWith('ECDH-ES')) {\n if (key.algorithm.name !== 'ECDH' && key.algorithm.name !== 'X25519') {\n return false;\n }\n if (key.algorithm.name === 'ECDH') {\n return epk?.crv === key.algorithm.namedCurve;\n }\n if (key.algorithm.name === 'X25519') {\n return epk?.crv === 'X25519';\n }\n }\n return false;\n}\nfunction selectCryptoKeyForDecryption(keys, alg, kid, epk) {\n const { 0: key, length } = keys.filter((key) => {\n if (kid !== key.kid) {\n return false;\n }\n if (key.alg && alg !== key.alg) {\n return false;\n }\n return checkCryptoKey(key.key, alg, epk);\n });\n if (!key) {\n throw e('no applicable decryption key selected', undefined, 'OAUTH_DECRYPTION_FAILED');\n }\n if (length !== 1) {\n throw e('multiple applicable decryption keys selected', undefined, 'OAUTH_DECRYPTION_FAILED');\n }\n return key.key;\n}\nasync function decrypt(keys, jwe, contentEncryptionAlgorithms, keyManagementAlgorithms) {\n return decoder.decode((await compactDecrypt(jwe, (header) => {\n const { kid, alg, epk } = header;\n return selectCryptoKeyForDecryption(keys, alg, kid, epk);\n }, { keyManagementAlgorithms, contentEncryptionAlgorithms }).catch((err) => {\n if (err instanceof JOSEError) {\n throw e('decryption failed', err, 'OAUTH_DECRYPTION_FAILED');\n }\n errorHandler(err);\n })).plaintext);\n}\nfunction getServerHelpers(metadata) {\n return {\n supportsPKCE: {\n __proto__: null,\n value(method = 'S256') {\n return (metadata.code_challenge_methods_supported?.includes(method) === true);\n },\n },\n };\n}\nfunction addServerHelpers(metadata) {\n Object.defineProperties(metadata, getServerHelpers(metadata));\n}\nconst kEntraId = Symbol();\nexport class Configuration {\n constructor(server, clientId, metadata, clientAuthentication) {\n if (typeof clientId !== 'string' || !clientId.length) {\n throw CodedTypeError('\"clientId\" must be a non-empty string', ERR_INVALID_ARG_TYPE);\n }\n if (typeof metadata === 'string') {\n metadata = { client_secret: metadata };\n }\n if 
(metadata?.client_id !== undefined && clientId !== metadata.client_id) {\n throw CodedTypeError('\"clientId\" and \"metadata.client_id\" must be the same', ERR_INVALID_ARG_VALUE);\n }\n const client = {\n ...structuredClone(metadata),\n client_id: clientId,\n };\n client[oauth.clockSkew] = metadata?.[oauth.clockSkew] ?? 0;\n client[oauth.clockTolerance] = metadata?.[oauth.clockTolerance] ?? 30;\n let auth;\n if (clientAuthentication) {\n auth = clientAuthentication;\n }\n else {\n if (typeof client.client_secret === 'string' &&\n client.client_secret.length) {\n auth = ClientSecretPost(client.client_secret);\n }\n else {\n auth = None();\n }\n }\n let c = Object.freeze(client);\n const clone = structuredClone(server);\n if (kEntraId in server) {\n clone[oauth._expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace('{tenantid}', tid);\n }\n let as = Object.freeze(clone);\n props ||= new WeakMap();\n props.set(this, {\n __proto__: null,\n as,\n c,\n auth,\n tlsOnly: true,\n jwksCache: {},\n });\n }\n serverMetadata() {\n const metadata = structuredClone(int(this).as);\n addServerHelpers(metadata);\n return metadata;\n }\n clientMetadata() {\n const metadata = structuredClone(int(this).c);\n return metadata;\n }\n get timeout() {\n return int(this).timeout;\n }\n set timeout(value) {\n int(this).timeout = value;\n }\n get [customFetch]() {\n return int(this).fetch;\n }\n set [customFetch](value) {\n int(this).fetch = value;\n }\n}\nObject.freeze(Configuration.prototype);\nfunction getHelpers(response) {\n let exp = undefined;\n if (response.expires_in !== undefined) {\n const now = new Date();\n now.setSeconds(now.getSeconds() + response.expires_in);\n exp = now.getTime();\n }\n return {\n expiresIn: {\n __proto__: null,\n value() {\n if (exp) {\n const now = Date.now();\n if (exp > now) {\n return Math.floor((exp - now) / 1000);\n }\n return 0;\n }\n return undefined;\n },\n },\n claims: {\n __proto__: null,\n value() {\n try {\n return 
oauth.getValidatedIdTokenClaims(this);\n }\n catch {\n return undefined;\n }\n },\n },\n };\n}\nfunction addHelpers(response) {\n Object.defineProperties(response, getHelpers(response));\n}\nexport function getDPoPHandle(config, keyPair, options) {\n checkConfig(config);\n return oauth.DPoP(int(config).c, keyPair, options);\n}\nasync function handleRetryAfter(response, currentInterval, signal, throwIfInvalid = false) {\n const retryAfter = response.headers.get('retry-after')?.trim();\n if (retryAfter === undefined)\n return;\n let delaySeconds;\n if (/^\\d+$/.test(retryAfter)) {\n delaySeconds = parseInt(retryAfter, 10);\n }\n else {\n const retryDate = new Date(retryAfter);\n if (Number.isFinite(retryDate.getTime())) {\n const now = new Date();\n const delayMs = retryDate.getTime() - now.getTime();\n if (delayMs > 0) {\n delaySeconds = Math.ceil(delayMs / 1000);\n }\n }\n }\n if (throwIfInvalid && !Number.isFinite(delaySeconds)) {\n throw new oauth.OperationProcessingError('invalid Retry-After header value', { cause: response });\n }\n if (delaySeconds > currentInterval) {\n await wait(delaySeconds - currentInterval, signal);\n }\n}\nfunction wait(duration, signal) {\n return new Promise((resolve, reject) => {\n const waitStep = (remaining) => {\n try {\n signal.throwIfAborted();\n }\n catch (err) {\n reject(err);\n return;\n }\n if (remaining <= 0) {\n resolve();\n return;\n }\n const currentWait = Math.min(remaining, 5);\n setTimeout(() => waitStep(remaining - currentWait), currentWait * 1000);\n };\n waitStep(duration);\n });\n}\nfunction pollRequestSignal(pollingSignal, timeout) {\n const timeoutSignal = signal(timeout);\n if (!timeoutSignal) {\n return {\n signal: pollingSignal,\n cleanup() { },\n };\n }\n const controller = new AbortController();\n const abort = (event) => {\n const source = event.target;\n controller.abort(source.reason);\n };\n if (pollingSignal.aborted) {\n controller.abort(pollingSignal.reason);\n }\n else if (timeoutSignal.aborted) {\n 
controller.abort(timeoutSignal.reason);\n }\n else {\n pollingSignal.addEventListener('abort', abort, { once: true });\n timeoutSignal.addEventListener('abort', abort, { once: true });\n }\n return {\n signal: controller.signal,\n cleanup() {\n pollingSignal.removeEventListener('abort', abort);\n timeoutSignal.removeEventListener('abort', abort);\n },\n };\n}\nexport async function pollDeviceAuthorizationGrant(config, deviceAuthorizationResponse, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n let interval = deviceAuthorizationResponse.interval ?? 5;\n const pollingSignal = options?.signal ??\n AbortSignal.timeout(deviceAuthorizationResponse.expires_in * 1000);\n try {\n await wait(interval, pollingSignal);\n }\n catch (err) {\n errorHandler(err);\n }\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const retryPoll = (updatedInterval, flag) => pollDeviceAuthorizationGrant(config, {\n ...deviceAuthorizationResponse,\n interval: updatedInterval,\n }, parameters, {\n ...options,\n signal: pollingSignal,\n flag,\n });\n const requestSignal = pollRequestSignal(pollingSignal, timeout);\n const response = await oauth\n .deviceCodeGrantRequest(as, c, auth, deviceAuthorizationResponse.device_code, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: requestSignal.signal,\n })\n .catch(errorHandler)\n .finally(requestSignal.cleanup);\n if (response.status === 503 && response.headers.has('retry-after')) {\n await handleRetryAfter(response, interval, pollingSignal, true);\n await response.body?.cancel();\n return retryPoll(interval);\n }\n const p = oauth.processDeviceCodeResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return retryPoll(interval, retry);\n 
}\n if (err instanceof oauth.ResponseBodyError) {\n switch (err.error) {\n case 'slow_down':\n interval += 5;\n case 'authorization_pending':\n await handleRetryAfter(err.response, interval, pollingSignal);\n return retryPoll(interval);\n }\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function initiateDeviceAuthorization(config, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .deviceAuthorizationRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then((response) => oauth.processDeviceAuthorizationResponse(as, c, response))\n .catch(errorHandler);\n}\nexport async function initiateBackchannelAuthentication(config, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .backchannelAuthenticationRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then((response) => oauth.processBackchannelAuthenticationResponse(as, c, response))\n .catch(errorHandler);\n}\nexport async function pollBackchannelAuthenticationGrant(config, backchannelAuthenticationResponse, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n let interval = backchannelAuthenticationResponse.interval ?? 
5;\n const pollingSignal = options?.signal ??\n AbortSignal.timeout(backchannelAuthenticationResponse.expires_in * 1000);\n try {\n await wait(interval, pollingSignal);\n }\n catch (err) {\n errorHandler(err);\n }\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const retryPoll = (updatedInterval, flag) => pollBackchannelAuthenticationGrant(config, {\n ...backchannelAuthenticationResponse,\n interval: updatedInterval,\n }, parameters, {\n ...options,\n signal: pollingSignal,\n flag,\n });\n const requestSignal = pollRequestSignal(pollingSignal, timeout);\n const response = await oauth\n .backchannelAuthenticationGrantRequest(as, c, auth, backchannelAuthenticationResponse.auth_req_id, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: requestSignal.signal,\n })\n .catch(errorHandler)\n .finally(requestSignal.cleanup);\n if (response.status === 503 && response.headers.has('retry-after')) {\n await handleRetryAfter(response, interval, pollingSignal, true);\n await response.body?.cancel();\n return retryPoll(interval);\n }\n const p = oauth.processBackchannelAuthenticationGrantResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return retryPoll(interval, retry);\n }\n if (err instanceof oauth.ResponseBodyError) {\n switch (err.error) {\n case 'slow_down':\n interval += 5;\n case 'authorization_pending':\n await handleRetryAfter(err.response, interval, pollingSignal);\n return retryPoll(interval);\n }\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport function allowInsecureRequests(config) {\n int(config).tlsOnly = false;\n}\nexport function setJwksCache(config, jwksCache) {\n int(config).jwksCache = 
structuredClone(jwksCache);\n}\nexport function getJwksCache(config) {\n const cache = int(config).jwksCache;\n if (cache.uat) {\n return cache;\n }\n return undefined;\n}\nexport function enableNonRepudiationChecks(config) {\n checkConfig(config);\n int(config).nonRepudiation = (response) => {\n const { as, fetch, tlsOnly, timeout, jwksCache } = int(config);\n return oauth\n .validateApplicationLevelSignature(as, response, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jwksCache]: jwksCache,\n })\n .catch(errorHandler);\n };\n}\nexport function useJwtResponseMode(config) {\n checkConfig(config);\n const { hybrid, implicit } = int(config);\n if (hybrid || implicit) {\n throw e('JARM cannot be combined with a hybrid or implicit response types', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).jarm = (authorizationResponse, expectedState) => validateJARMResponse(config, authorizationResponse, expectedState);\n}\nexport function enableDetachedSignatureResponseChecks(config) {\n if (!int(config).hybrid) {\n throw e('\"code id_token\" response type must be configured to be used first', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, true);\n}\nexport async function implicitAuthentication(config, currentUrl, expectedNonce, checks) {\n checkConfig(config);\n if (!(currentUrl instanceof URL) &&\n !webInstanceOf(currentUrl, 'Request')) {\n throw CodedTypeError('\"currentUrl\" must be an instance of URL, or Request', ERR_INVALID_ARG_TYPE);\n }\n if (typeof expectedNonce !== 'string') {\n throw CodedTypeError('\"expectedNonce\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n const { as, c, fetch, tlsOnly, timeout, decrypt, implicit, jwksCache } = int(config);\n if (!implicit) {\n throw new 
TypeError('implicitAuthentication() cannot be used by clients using flows other than response_type=id_token');\n }\n let params;\n if (!(currentUrl instanceof URL)) {\n const request = currentUrl;\n switch (request.method) {\n case 'GET':\n params = new URLSearchParams(new URL(request.url).hash.slice(1));\n break;\n case 'POST':\n params = new URLSearchParams(await oauth.formPostResponse(request));\n break;\n default:\n throw CodedTypeError('unexpected Request HTTP method', ERR_INVALID_ARG_VALUE);\n }\n }\n else {\n params = new URLSearchParams(currentUrl.hash.slice(1));\n }\n try {\n {\n const decoy = new URLSearchParams(params);\n decoy.delete('id_token');\n oauth.validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: undefined,\n }, c, decoy, checks?.expectedState);\n }\n {\n const decoy = new Response(JSON.stringify({\n access_token: 'decoy',\n token_type: 'bearer',\n id_token: params.get('id_token'),\n }), {\n headers: new Headers({ 'content-type': 'application/json' }),\n });\n const ref = await oauth.processAuthorizationCodeResponse(as, c, decoy, {\n expectedNonce,\n maxAge: checks?.maxAge,\n [oauth.jweDecrypt]: decrypt,\n });\n await oauth.validateApplicationLevelSignature(as, decoy, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jwksCache]: jwksCache,\n });\n return oauth.getValidatedIdTokenClaims(ref);\n }\n }\n catch (err) {\n errorHandler(err);\n }\n}\nexport function useCodeIdTokenResponseType(config) {\n checkConfig(config);\n const { jarm, implicit } = int(config);\n if (jarm || implicit) {\n throw e('\"code id_token\" response type cannot be combined with JARM or implicit response type', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, 
false);\n}\nexport function useIdTokenResponseType(config) {\n checkConfig(config);\n const { jarm, hybrid } = int(config);\n if (jarm || hybrid) {\n throw e('\"id_token\" response type cannot be combined with JARM or hybrid response type', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).implicit = true;\n}\nfunction stripParams(url) {\n url = new URL(url);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nfunction webInstanceOf(input, toStringTag) {\n try {\n return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag;\n }\n catch {\n return false;\n }\n}\nexport async function authorizationCodeGrant(config, currentUrl, checks, tokenEndpointParameters, options) {\n checkConfig(config);\n if (options?.flag !== retry &&\n !(currentUrl instanceof URL) &&\n !webInstanceOf(currentUrl, 'Request')) {\n throw CodedTypeError('\"currentUrl\" must be an instance of URL, or Request', ERR_INVALID_ARG_TYPE);\n }\n let authResponse;\n let redirectUri;\n const { as, c, auth, fetch, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt, implicit } = int(config);\n if (options?.flag === retry) {\n authResponse = options.authResponse;\n redirectUri = options.redirectUri;\n }\n else {\n if (!(currentUrl instanceof URL)) {\n const request = currentUrl;\n currentUrl = new URL(currentUrl.url);\n switch (request.method) {\n case 'GET':\n break;\n case 'POST':\n const params = new URLSearchParams(await oauth.formPostResponse(request));\n if (hybrid) {\n currentUrl.hash = params.toString();\n }\n else {\n for (const [k, v] of params.entries()) {\n currentUrl.searchParams.append(k, v);\n }\n }\n break;\n default:\n throw CodedTypeError('unexpected Request HTTP method', ERR_INVALID_ARG_VALUE);\n }\n }\n redirectUri = stripParams(currentUrl);\n switch (true) {\n case !!jarm:\n authResponse = await jarm(currentUrl, checks?.expectedState);\n break;\n case !!hybrid:\n authResponse = await hybrid(currentUrl, checks?.expectedNonce, checks?.expectedState, 
checks?.maxAge);\n break;\n case !!implicit:\n throw new TypeError('authorizationCodeGrant() cannot be used by response_type=id_token clients');\n default:\n try {\n authResponse = oauth.validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState);\n }\n catch (err) {\n errorHandler(err);\n }\n }\n }\n const response = await oauth\n .authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || oauth.nopkce, {\n additionalParameters: tokenEndpointParameters,\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n if (typeof checks?.expectedNonce === 'string' ||\n typeof checks?.maxAge === 'number') {\n checks.idTokenExpected = true;\n }\n const p = oauth.processAuthorizationCodeResponse(as, c, response, {\n expectedNonce: checks?.expectedNonce,\n maxAge: checks?.maxAge,\n requireIdToken: checks?.idTokenExpected,\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return authorizationCodeGrant(config, undefined, checks, tokenEndpointParameters, {\n ...options,\n flag: retry,\n authResponse: authResponse,\n redirectUri: redirectUri,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nasync function validateJARMResponse(config, authorizationResponse, expectedState) {\n const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config);\n return oauth\n .validateJwtAuthResponse(as, c, authorizationResponse, expectedState, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jweDecrypt]: decrypt,\n [oauth.jwksCache]: jwksCache,\n })\n .catch(errorHandler);\n}\nasync function validateCodeIdTokenResponse(config, authorizationResponse, 
expectedNonce, expectedState, maxAge, fapi) {\n if (typeof expectedNonce !== 'string') {\n throw CodedTypeError('\"expectedNonce\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n if (expectedState !== undefined && typeof expectedState !== 'string') {\n throw CodedTypeError('\"expectedState\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config);\n return (fapi\n ? oauth.validateDetachedSignatureResponse\n : oauth.validateCodeIdTokenResponse)(as, c, authorizationResponse, expectedNonce, expectedState, maxAge, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jweDecrypt]: decrypt,\n [oauth.jwksCache]: jwksCache,\n }).catch(errorHandler);\n}\nexport async function refreshTokenGrant(config, refreshToken, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .refreshTokenGrantRequest(as, c, auth, refreshToken, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processRefreshTokenResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return refreshTokenGrant(config, refreshToken, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function clientCredentialsGrant(config, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n const { as, c, auth, fetch, tlsOnly, timeout } = 
int(config);\n const response = await oauth\n .clientCredentialsGrantRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processClientCredentialsResponse(as, c, response);\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return clientCredentialsGrant(config, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n addHelpers(result);\n return result;\n}\nexport function buildAuthorizationUrl(config, parameters) {\n checkConfig(config);\n const { as, c, tlsOnly, hybrid, jarm, implicit } = int(config);\n const authorizationEndpoint = oauth.resolveEndpoint(as, 'authorization_endpoint', false, tlsOnly);\n parameters = new URLSearchParams(parameters);\n if (!parameters.has('client_id')) {\n parameters.set('client_id', c.client_id);\n }\n if (!parameters.has('request_uri') && !parameters.has('request')) {\n if (!parameters.has('response_type')) {\n parameters.set('response_type', hybrid ? 'code id_token' : implicit ? 
'id_token' : 'code');\n }\n if (implicit && !parameters.has('nonce')) {\n throw CodedTypeError('response_type=id_token clients must provide a nonce parameter in their authorization request parameters', ERR_INVALID_ARG_VALUE);\n }\n if (jarm) {\n parameters.set('response_mode', 'jwt');\n }\n }\n for (const [k, v] of parameters.entries()) {\n authorizationEndpoint.searchParams.append(k, v);\n }\n return authorizationEndpoint;\n}\nexport async function buildAuthorizationUrlWithJAR(config, parameters, signingKey, options) {\n checkConfig(config);\n const authorizationEndpoint = buildAuthorizationUrl(config, parameters);\n parameters = authorizationEndpoint.searchParams;\n if (!signingKey) {\n throw CodedTypeError('\"signingKey\" must be provided', ERR_INVALID_ARG_VALUE);\n }\n const { as, c } = int(config);\n const request = await oauth\n .issueRequestObject(as, c, parameters, signingKey, options)\n .catch(errorHandler);\n return buildAuthorizationUrl(config, { request });\n}\nexport async function buildAuthorizationUrlWithPAR(config, parameters, options) {\n checkConfig(config);\n const authorizationEndpoint = buildAuthorizationUrl(config, parameters);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n const response = await oauth\n .pushedAuthorizationRequest(as, c, auth, authorizationEndpoint.searchParams, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processPushedAuthorizationResponse(as, c, response);\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return buildAuthorizationUrlWithPAR(config, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n return buildAuthorizationUrl(config, { request_uri: result.request_uri });\n}\nexport function buildEndSessionUrl(config, parameters) {\n checkConfig(config);\n const { as, c, 
tlsOnly } = int(config);\n const endSessionEndpoint = oauth.resolveEndpoint(as, 'end_session_endpoint', false, tlsOnly);\n parameters = new URLSearchParams(parameters);\n if (!parameters.has('client_id')) {\n parameters.set('client_id', c.client_id);\n }\n for (const [k, v] of parameters.entries()) {\n endSessionEndpoint.searchParams.append(k, v);\n }\n return endSessionEndpoint;\n}\nfunction checkConfig(input) {\n if (!(input instanceof Configuration)) {\n throw CodedTypeError('\"config\" must be an instance of Configuration', ERR_INVALID_ARG_TYPE);\n }\n if (Object.getPrototypeOf(input) !== Configuration.prototype) {\n throw CodedTypeError('subclassing Configuration is not allowed', ERR_INVALID_ARG_VALUE);\n }\n}\nfunction signal(timeout) {\n return timeout ? AbortSignal.timeout(timeout * 1000) : undefined;\n}\nexport async function fetchUserInfo(config, accessToken, expectedSubject, options) {\n checkConfig(config);\n const { as, c, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .userInfoRequest(as, c, accessToken, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n let exec = oauth.processUserInfoResponse(as, c, expectedSubject, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await exec;\n }\n catch (err) {\n if (retryable(err, options)) {\n return fetchUserInfo(config, accessToken, expectedSubject, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n oauth.getContentType(response) === 'application/jwt' &&\n (await nonRepudiation?.(response));\n return result;\n}\nfunction retryable(err, options) {\n if (options?.DPoP && options.flag !== retry) {\n return oauth.isDPoPNonceError(err);\n }\n return false;\n}\nexport async function tokenIntrospection(config, token, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, 
tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .introspectionRequest(as, c, auth, token, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: new URLSearchParams(parameters),\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const result = await oauth\n .processIntrospectionResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n })\n .catch(errorHandler);\n oauth.getContentType(response) === 'application/token-introspection+jwt' &&\n (await nonRepudiation?.(response));\n return result;\n}\nconst retry = Symbol();\nexport async function genericGrantRequest(config, grantType, parameters, options) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout, decrypt, nonRepudiation } = int(config);\n const response = await oauth\n .genericTokenEndpointRequest(as, c, auth, grantType, new URLSearchParams(parameters), {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n let recognizedTokenTypes;\n if (grantType === 'urn:ietf:params:oauth:grant-type:token-exchange') {\n recognizedTokenTypes = { n_a: () => { } };\n }\n const p = oauth.processGenericTokenEndpointResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n recognizedTokenTypes,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return genericGrantRequest(config, grantType, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function tokenRevocation(config, token, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .revocationRequest(as, c, auth, token, {\n [oauth.customFetch]: 
fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: new URLSearchParams(parameters),\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then(oauth.processRevocationResponse)\n .catch(errorHandler);\n}\nexport async function fetchProtectedResource(config, accessToken, url, method, body, headers, options) {\n checkConfig(config);\n headers ||= new Headers();\n if (!headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n const { fetch, tlsOnly, timeout } = int(config);\n const exec = oauth.protectedResourceRequest(accessToken, method, url, headers, body, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n signal: signal(timeout),\n });\n let result;\n try {\n result = await exec;\n }\n catch (err) {\n if (retryable(err, options)) {\n return fetchProtectedResource(config, accessToken, url, method, body, headers, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n return result;\n}\n//# sourceMappingURL=index.js.map","import {\n $inject,\n AlephaError,\n type Async,\n createPrimitive,\n KIND,\n Primitive,\n} from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport {\n type AccessTokenResponse,\n type IssuerPrimitive,\n SecurityError,\n SecurityProvider,\n type UserAccount,\n} from \"alepha/security\";\nimport {\n allowInsecureRequests,\n Configuration,\n discovery,\n refreshTokenGrant,\n} from \"openid-client\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport type { Tokens } from \"../schemas/tokensSchema.ts\";\n\n/**\n * Creates an authentication provider primitive for handling user login flows.\n *\n * Supports multiple authentication strategies: credentials (username/password), OAuth2,\n * and OIDC (OpenID Connect). 
Handles token management, user profile retrieval, and\n * integration with both external identity providers (Auth0, Keycloak) and internal realms.\n *\n * **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers\n *\n * @example\n * ```ts\n * class AuthProviders {\n * // Internal credentials-based auth\n * credentials = $auth({\n * realm: this.userRealm,\n * credentials: {\n * account: async ({ username, password }) => {\n * return await this.validateUser(username, password);\n * }\n * }\n * });\n *\n * // External OIDC provider\n * keycloak = $auth({\n * oidc: {\n * issuer: \"https://auth.example.com\",\n * clientId: \"my-app\",\n * clientSecret: \"secret\",\n * redirectUri: \"/auth/callback\"\n * }\n * });\n * }\n * ```\n */\nexport const $auth = (options: AuthPrimitiveOptions): AuthPrimitive => {\n return createPrimitive(AuthPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type AuthPrimitiveOptions = {\n /**\n * Name of the identity provider.\n * If not provided, it will be derived from the property key.\n */\n name?: string;\n\n /**\n * If true, auth provider will be skipped.\n */\n disabled?: boolean;\n} & (AuthExternal | AuthInternal);\n\n/**\n * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)\n */\nexport type AuthExternal = {\n /**\n * Only OIDC is supported for external authentication.\n */\n oidc: OidcOptions;\n\n /**\n * For anonymous access, this will expect a service account access token.\n *\n * ```ts\n * class App {\n * anonymous = $serviceAccount(...);\n * auth = $auth({\n * // ... config ...\n * fallback: this.anonymous,\n * })\n * }\n * ```\n */\n fallback?: () => Async<AccessToken>;\n};\n\n/**\n * When using your own authentication system, e.g. 
using a database to store user accounts.\n * This is usually used with a custom login form.\n *\n * This relies on the `issuer`, which is used to create/verify the access token.\n */\nexport type AuthInternal = {\n issuer: IssuerPrimitive;\n} & (\n | {\n /**\n * The common username/password authentication.\n *\n * - It uses the OAuth2 Client Credentials flow to obtain an access token.\n *\n * This is usually used with a custom login form on your website or mobile app.\n */\n credentials: CredentialsOptions;\n }\n | {\n /**\n * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)\n *\n * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.\n *\n * This is usually used with a login button that redirects to the OAuth2 provider.\n */\n oauth: OAuth2Options;\n }\n | {\n /**\n * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.\n * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.\n *\n * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.\n * - PCKE (Proof Key for Code Exchange) is recommended for security.\n *\n * This is usually used with a login button that redirects to the OIDC provider.\n */\n oidc: OidcOptions;\n }\n);\n\nexport type CredentialsOptions = {\n account: CredentialsFn;\n};\n\nexport type CredentialsFn = (\n credentials: Credentials,\n) => Async<UserAccount | undefined>;\n\nexport interface Credentials {\n username: string;\n password: string;\n}\n\nexport interface OidcOptions {\n /**\n * URL of the OIDC issuer.\n */\n issuer: string;\n\n /**\n * Client ID for the OIDC client.\n */\n clientId: string;\n\n /**\n * Client secret for the OIDC client.\n * Optional if PKCE (Proof Key for Code Exchange) is used.\n */\n clientSecret?: string;\n\n /**\n * Redirect URI for the OIDC client.\n * This is where the user will be redirected after 
authentication.\n */\n redirectUri?: string;\n\n /**\n * For external auth providers only.\n * Take the ID token instead of the access token for validation.\n */\n useIdToken?: boolean;\n\n /**\n * URI to redirect the user after logout.\n */\n logoutUri?: string;\n\n /**\n * Optional scope for the OIDC client.\n * @default \"openid profile email\".\n */\n scope?: string;\n\n account?: LinkAccountFn;\n\n /**\n * OAuth2 response mode.\n * Apple requires \"form_post\" which sends the authorization code via POST body\n * instead of URL query parameters.\n */\n responseMode?: \"query\" | \"fragment\" | \"form_post\";\n\n /**\n * Additional parameters to include in the authorization URL.\n * Useful for provider-specific parameters.\n */\n authorizationParameters?: Record<string, string>;\n}\n\nexport interface LinkAccountOptions {\n access_token: string;\n user: OAuth2Profile;\n id_token?: string;\n expires_in?: number;\n scope?: string;\n}\n\nexport type LinkAccountFn = (tokens: LinkAccountOptions) => Async<UserAccount>;\n\nexport interface OAuth2Options {\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n clientId: string;\n\n /**\n * Client secret for the OAuth2 client.\n */\n clientSecret: string;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n authorization: string;\n\n /**\n * URL of the OAuth2 token endpoint.\n */\n token: string;\n\n /**\n * Function to retrieve user profile information from the OAuth2 tokens.\n */\n userinfo: (tokens: Tokens) => Async<OAuth2Profile>;\n\n account?: LinkAccountFn;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n redirectUri?: string;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n scope?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly 
dateTimeProvider = $inject(DateTimeProvider);\n\n protected oauthConfig?: Configuration;\n protected oauthInitializer?: () => Promise<Configuration>;\n\n public get oauth(): Configuration | undefined {\n return this.oauthConfig;\n }\n\n /**\n * Get the OAuth2/OIDC configuration, initializing lazily if needed (serverless mode).\n */\n public async getOAuth(): Promise<Configuration | undefined> {\n if (this.oauthConfig) {\n return this.oauthConfig;\n }\n\n if (this.oauthInitializer) {\n this.oauthConfig = await this.oauthInitializer();\n this.oauthInitializer = undefined;\n return this.oauthConfig;\n }\n\n return undefined;\n }\n\n public get name() {\n return this.options.name ?? this.config.propertyKey;\n }\n\n public get issuer(): IssuerPrimitive | undefined {\n if (\"issuer\" in this.options) {\n return this.options.issuer;\n }\n return undefined;\n }\n\n public get jwks_uri(): string {\n const jwks = this.oauth?.serverMetadata().jwks_uri;\n if (!jwks) {\n throw new AlephaError(\"No JWKS URI available for the auth provider\");\n }\n return jwks;\n }\n\n public get scope(): string | undefined {\n if (\"oauth\" in this.options) {\n return this.options.oauth.scope;\n }\n if (\"oidc\" in this.options) {\n return this.options.oidc.scope || \"openid profile email\";\n }\n throw new AlephaError(\n \"No OAuth2 or OIDC configuration available for the auth provider\",\n );\n }\n\n public get redirect_uri() {\n if (\"oauth\" in this.options) {\n return this.options.oauth.redirectUri;\n }\n if (\"oidc\" in this.options) {\n return this.options.oidc.redirectUri;\n }\n throw new AlephaError(\n \"No OAuth2 or OIDC configuration available for the auth provider\",\n );\n }\n\n /**\n * Refreshes the access token using the refresh token.\n * Can be used on oauth2, oidc or credentials auth providers.\n */\n public async refresh(\n refreshToken: string,\n accessToken?: string,\n ): Promise<AccessTokenResponse> {\n if (\"issuer\" in this.options) {\n return this.options.issuer\n 
.refreshToken(refreshToken, accessToken)\n .then((it) => it.tokens)\n .catch((error) => {\n throw new SecurityError(\n \"Failed to refresh access token using the refresh token (issuer)\",\n {\n cause: error,\n },\n );\n });\n }\n\n const oauth = await this.getOAuth();\n if (oauth) {\n try {\n return {\n ...(await refreshTokenGrant(oauth, refreshToken)),\n issued_at: this.dateTimeProvider.now().unix(),\n };\n } catch (error) {\n throw new SecurityError(\n \"Failed to refresh access token using the refresh token (oauth2)\",\n {\n cause: error,\n },\n );\n }\n }\n\n throw new AlephaError(\n \"No issuer or OAuth2 configuration available for refreshing the access token\",\n );\n }\n\n /**\n * Extracts user information from the access token.\n * This is used to create a user account from the access token.\n *\n * `externalProfile` carries extra profile fields that cannot be derived from the\n * ID token or userinfo endpoint — e.g. Apple's `user` form field that is only\n * delivered once, on first authorization. 
ID token / userinfo fields take\n * precedence; externalProfile only fills gaps.\n */\n public async user(\n tokens: Tokens,\n externalProfile?: Record<string, unknown>,\n ): Promise<UserAccount> {\n try {\n if (\"oauth\" in this.options) {\n const profile = {\n ...externalProfile,\n ...(await this.options.oauth.userinfo(tokens)),\n } as OAuth2Profile;\n\n if (this.options.oauth.account) {\n return this.options.oauth.account({\n ...tokens,\n user: profile,\n });\n }\n\n return this.securityProvider.createUserFromPayload(profile);\n }\n\n if (\"oidc\" in this.options) {\n const payload = {\n ...externalProfile,\n ...this.getUserFromIdToken(tokens.id_token || \"\"),\n } as OAuth2Profile;\n\n if (this.options.oidc.account) {\n return this.options.oidc.account({\n ...tokens,\n user: payload,\n });\n }\n\n return this.securityProvider.createUserFromPayload(payload);\n }\n } catch (error) {\n throw new SecurityError(\n \"Failed to extract user from identity provider tokens\",\n {\n cause: error,\n },\n );\n }\n\n throw new AlephaError(\n \"This authentication does not support user extraction from tokens\",\n );\n }\n\n // Security note: No JWT signature verification here is intentional and safe.\n // The id_token is received via authorizationCodeGrant() which fetches it over a\n // back-channel TLS connection directly from the IdP's token endpoint. TLS authenticates\n // the channel. openid-client/oauth4webapi validates claims (issuer, audience, nonce,\n // expiry) during the grant. 
Per OIDC spec, cryptographic signature verification is\n // not required for back-channel token responses — only for implicit/hybrid flows.\n // See: openid-client index.d.ts enableNonRepudiationChecks() docs.\n protected getUserFromIdToken(idToken: string): OAuth2Profile {\n try {\n return JSON.parse(\n Buffer.from(idToken.split(\".\")[1], \"base64\").toString(\"utf8\"),\n ) as OAuth2Profile;\n } catch (error) {\n throw new AlephaError(\"Failed to parse ID Token payload\", {\n cause: error,\n });\n }\n }\n\n public async prepare() {\n if (\"oidc\" in this.options) {\n const { oidc } = this.options;\n\n const discoverOidc = async () => {\n const execute: Array<(config: Configuration) => void> = [];\n execute.push(allowInsecureRequests);\n\n return discovery(\n new URL(oidc.issuer),\n oidc.clientId,\n {\n client_secret: oidc.clientSecret,\n },\n undefined,\n {\n execute,\n },\n );\n };\n\n // Defer OIDC discovery in serverless/dev to avoid cold start penalty\n if (this.alepha.isServerless() || !this.alepha.isProduction()) {\n this.oauthInitializer = discoverOidc;\n } else {\n this.oauthConfig = await discoverOidc();\n }\n }\n\n if (\"oauth\" in this.options) {\n const { oauth } = this.options;\n\n this.oauthConfig = new Configuration(\n {\n authorization_endpoint: oauth.authorization,\n token_endpoint: oauth.token,\n issuer: oauth.authorization, // use authorization URL as a pseudo-issuer?\n // we don't need all of these endpoints\n jwks_uri: undefined,\n end_session_endpoint: undefined,\n },\n oauth.clientId,\n {\n client_secret: oauth.clientSecret,\n },\n );\n }\n }\n}\n\n$auth[KIND] = AuthPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type AccessToken = string | { token: () => Async<string> };\n\nexport interface WithLinkFn {\n link?: (name: string) => (opts: LinkAccountOptions) => Async<UserAccount>;\n}\n\nexport interface WithLoginFn {\n login?: (\n provider: 
string,\n ) => (creds: Credentials) => Async<UserAccount | undefined>;\n}\n","export const alephaServerAuthRoutes = {\n login: \"/oauth/login\",\n callback: \"/oauth/callback\",\n logout: \"/oauth/logout\",\n token: \"/_auth/token\",\n refresh: \"/_auth/refresh\",\n userinfo: \"/_auth/userinfo\",\n};\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const tokensSchema = t.object({\n provider: t.text(),\n access_token: t.text({ size: \"rich\" }),\n issued_at: t.number(),\n expires_in: t.optional(t.number()),\n refresh_token: t.optional(t.text({ size: \"rich\" })),\n refresh_token_expires_in: t.optional(t.number()),\n refresh_expires_in: t.optional(\n t.number({\n description:\n \"Alias of `refresh_token_expires_in` for compatibility with some providers.\",\n }),\n ),\n id_token: t.optional(t.text({ size: \"rich\" })),\n scope: t.optional(t.text()),\n});\n\nexport type Tokens = Static<typeof tokensSchema>;\n","import { type Static, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"alepha/security\";\nimport { apiRegistryResponseSchema } from \"alepha/server/links\";\nimport { tokensSchema } from \"./tokensSchema.ts\";\n\nexport const tokenResponseSchema = t.extend(tokensSchema, {\n user: userAccountInfoSchema,\n api: apiRegistryResponseSchema,\n});\n\nexport type TokenResponse = Static<typeof tokenResponseSchema>;\n","import { type Static, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"alepha/security\";\nimport { apiRegistryResponseSchema } from \"alepha/server/links\";\n\nexport const userinfoResponseSchema = t.object({\n user: t.optional(userAccountInfoSchema),\n api: apiRegistryResponseSchema,\n});\n\nexport type UserinfoResponse = Static<typeof userinfoResponseSchema>;\n","import { $hook, $inject, Alepha, t } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n InvalidCredentialsError,\n SecurityError,\n type UserAccount,\n} 
from \"alepha/security\";\nimport {\n $route,\n BadRequestError,\n type ServerRawRequest,\n type ServerReply,\n} from \"alepha/server\";\nimport {\n $cookie,\n type Cookies,\n ServerCookiesProvider,\n} from \"alepha/server/cookies\";\nimport { ServerLinksProvider } from \"alepha/server/links\";\nimport {\n authorizationCodeGrant,\n buildAuthorizationUrl,\n buildEndSessionUrl,\n calculatePKCECodeChallenge,\n randomPKCECodeVerifier,\n randomState,\n} from \"openid-client\";\nimport { alephaServerAuthRoutes } from \"../constants/routes.ts\";\nimport { $auth, type AuthPrimitive } from \"../primitives/$auth.ts\";\nimport type { AuthenticationProvider } from \"../schemas/authenticationProviderSchema.ts\";\nimport { tokenResponseSchema } from \"../schemas/tokenResponseSchema.ts\";\nimport { type Tokens, tokensSchema } from \"../schemas/tokensSchema.ts\";\nimport { userinfoResponseSchema } from \"../schemas/userinfoResponseSchema.ts\";\n\nexport class ServerAuthProvider {\n protected readonly log = $logger();\n protected readonly alepha = $inject(Alepha);\n protected readonly serverCookiesProvider = $inject(ServerCookiesProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly serverLinksProvider = $inject(ServerLinksProvider);\n\n /**\n * Validates that a redirect URI is a safe relative path, or — when\n * COOKIE_PARENT_DOMAIN is configured — an https URL whose host is the\n * parent domain or a subdomain of it. Used by SaaS deployments where the\n * OAuth callback dispatches users back to their tenant subdomain.\n *\n * Prevents open redirect attacks by rejecting any other absolute URL.\n */\n protected validateRedirectUri(uri: string): string {\n if (uri.startsWith(\"/\") && !uri.startsWith(\"//\")) {\n return uri;\n }\n const parent = this.alepha.env.COOKIE_PARENT_DOMAIN;\n if (typeof parent === \"string\" && parent) {\n try {\n const parsed = new URL(uri);\n const parentHost = parent.startsWith(\".\") ? 
parent.slice(1) : parent;\n if (parsed.protocol !== \"https:\") return \"/\";\n if (parsed.host === parentHost) return uri;\n if (parsed.host.endsWith(`.${parentHost}`)) return uri;\n } catch {\n // fall through\n }\n }\n return \"/\";\n }\n\n public get identities(): Array<AuthPrimitive> {\n return this.alepha\n .primitives($auth)\n .filter((auth) => !auth.options.disabled);\n }\n\n protected readonly authorizationCode = $cookie({\n name: \"authorizationCode\",\n ttl: [15, \"minutes\"],\n httpOnly: true,\n encrypt: true,\n schema: t.object({\n provider: t.text(),\n realm: t.optional(t.text()),\n codeVerifier: t.optional(t.text({ size: \"long\" })),\n redirectUri: t.optional(t.text({ size: \"long\" })),\n loginUri: t.optional(t.text({ size: \"long\" })),\n state: t.optional(t.text()),\n nonce: t.optional(t.text()),\n }),\n });\n\n public readonly tokens = $cookie({\n name: \"tokens\",\n ttl: [30, \"days\"],\n httpOnly: true,\n compress: true,\n encrypt: true,\n schema: tokensSchema,\n });\n\n protected readonly configure = $hook({\n on: \"configure\",\n handler: async () => {\n for (const identity of this.identities) {\n await identity.prepare();\n }\n },\n });\n\n /**\n * Fill request headers with access token from cookies or fallback to provider's fallback function.\n */\n protected readonly onRequest = $hook({\n on: \"server:onRequest\",\n after: this.serverCookiesProvider,\n handler: async ({ request }) => {\n const cookies = request.cookies;\n\n // [feature] forward cookies to request headers\n if (cookies) {\n const tokens = await this.cookiesToTokens(cookies);\n if (tokens) {\n request.headers.authorization = `Bearer ${this.extractAccessToken(tokens)}`;\n this.log.trace(\"Access token set in request headers\", {\n provider: tokens.provider,\n });\n }\n }\n\n // [feature] support for auth providers with fallback\n if (!request.headers.authorization) {\n for (const provider of this.identities) {\n if (\"fallback\" in provider.options && 
provider.options.fallback) {\n const token = await provider.options.fallback();\n if (token) {\n request.headers.authorization = `Bearer ${token}`;\n break;\n }\n }\n }\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Get user information.\n */\n public readonly userinfo = $route({\n path: alephaServerAuthRoutes.userinfo,\n use: [],\n schema: {\n response: userinfoResponseSchema,\n },\n handler: async ({ user, headers, cookies }) => {\n const tokens = this.getTokens(cookies);\n if (tokens) {\n const provider = this.provider(tokens);\n if (!(\"issuer\" in provider.options)) {\n const user = await provider.user(tokens);\n const api = await this.serverLinksProvider.getUserApiLinks({\n authorization: headers.authorization,\n user,\n });\n return {\n api,\n user,\n };\n }\n }\n\n const api = await this.serverLinksProvider.getUserApiLinks({\n authorization: headers.authorization,\n user,\n });\n\n return {\n api,\n user,\n };\n },\n });\n\n /**\n * Refresh a token for internal providers.\n */\n public readonly refresh = $route({\n path: alephaServerAuthRoutes.refresh,\n method: \"POST\",\n schema: {\n query: t.object({\n provider: t.text(),\n }),\n body: t.object({\n refresh_token: t.text({\n size: \"rich\",\n }),\n access_token: t.optional(\n t.text({\n size: \"rich\",\n description:\n \"Required if provider has stateless refresh token on credentials mode\",\n }),\n ),\n }),\n response: tokensSchema,\n },\n handler: async ({ query, body, cookies }) => {\n const provider = this.provider(query);\n\n const tokens = {\n provider: query.provider,\n ...(await provider.refresh(body.refresh_token, body.access_token)),\n };\n\n // for web applications, we store tokens in cookies\n this.setTokens(tokens, cookies);\n\n return tokens;\n },\n });\n\n /**\n * Login for local password-based authentication.\n */\n public readonly token = $route({\n path: alephaServerAuthRoutes.token,\n 
method: \"POST\",\n schema: {\n query: t.object({\n provider: t.text(),\n realm: t.optional(\n t.text({ description: \"Realm name for multi-realm setups\" }),\n ),\n }),\n body: t.object({\n username: t.text(),\n password: t.text(),\n }),\n response: tokenResponseSchema,\n },\n handler: async ({ query, body, cookies }) => {\n const provider = this.provider({\n provider: query.provider,\n realm: query.realm,\n });\n\n const issuer = provider.issuer;\n if (!issuer) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support password grant`,\n );\n }\n\n const credentials =\n \"credentials\" in provider.options && provider.options.credentials;\n\n if (!credentials) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support password grant`,\n );\n }\n\n let user: UserAccount | undefined;\n try {\n user = await credentials.account(body);\n } catch (e) {\n if (e instanceof InvalidCredentialsError) {\n throw e;\n }\n this.log.error(\"Failed to authenticate user\", e);\n throw new InvalidCredentialsError();\n }\n\n if (!user) {\n throw new InvalidCredentialsError();\n }\n\n const tokens = {\n provider: query.provider,\n ...(await issuer.createToken(user)),\n };\n\n // for web applications, we store tokens in cookies\n this.setTokens(tokens, cookies);\n\n const api = await this.serverLinksProvider.getUserApiLinks({\n user,\n });\n\n // mobile apps require this\n return {\n ...tokens,\n user,\n api,\n };\n },\n });\n\n /**\n * Oauth2/OIDC login route.\n */\n public readonly login = $route({\n path: alephaServerAuthRoutes.login,\n schema: {\n query: t.object({\n provider: t.text(),\n realm: t.optional(\n t.text({ description: \"Realm name for multi-realm setups\" }),\n ),\n redirect_uri: t.optional(t.text({ size: \"rich\" })),\n }),\n },\n handler: async ({ query, url, reply, headers }) => {\n const loginUri = headers.referer\n ? 
new URL(headers.referer).pathname + new URL(headers.referer).search\n : undefined;\n\n const provider = this.provider({\n provider: query.provider,\n realm: query.realm,\n });\n const oauth = await provider.getOAuth();\n if (!oauth) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support OAuth2`,\n );\n }\n\n const scope = provider.scope;\n let redirect_uri =\n provider.redirect_uri || alephaServerAuthRoutes.callback;\n if (redirect_uri.startsWith(\"/\")) {\n redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;\n }\n\n const oidc = \"oidc\" in provider.options && provider.options.oidc;\n\n if (!oauth.serverMetadata().supportsPKCE()) {\n const state = randomState();\n const parameters: Record<string, string> = {\n redirect_uri,\n state,\n };\n\n if (oidc) {\n parameters.nonce = randomState();\n }\n\n if (scope) {\n parameters.scope = scope;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.responseMode) {\n parameters.response_mode = oidc.responseMode;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.authorizationParameters) {\n Object.assign(parameters, oidc.authorizationParameters);\n }\n\n this.authorizationCode.set({\n state,\n nonce: parameters.nonce,\n redirectUri: this.validateRedirectUri(query.redirect_uri ?? \"/\"),\n loginUri,\n provider: query.provider,\n realm: query.realm,\n });\n\n reply.redirect(\n buildAuthorizationUrl(oauth, parameters).toString(),\n 302,\n );\n return;\n }\n\n // Security note: No state or nonce in the PKCE path is intentional.\n // PKCE provides equivalent CSRF protection to state: the code_verifier is bound\n // to the session cookie, and the authorization code is bound to the code_challenge.\n // An attacker cannot forge the callback without the code_verifier. 
OAuth 2.1 (RFC 9126)\n // makes PKCE mandatory and state optional. For OIDC nonce: the id_token is received\n // over back-channel TLS from the token endpoint, making nonce replay irrelevant.\n // openid-client/oauth4webapi correctly validates that no state is in the response\n // when none was sent (expectNoState).\n const codeVerifier = randomPKCECodeVerifier();\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n\n const parameters: Record<string, string> = {\n redirect_uri,\n code_challenge: codeChallenge,\n code_challenge_method: \"S256\",\n };\n\n if (scope) {\n parameters.scope = scope;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.responseMode) {\n parameters.response_mode = oidc.responseMode;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.authorizationParameters) {\n Object.assign(parameters, oidc.authorizationParameters);\n }\n\n this.authorizationCode.set({\n codeVerifier,\n redirectUri: this.validateRedirectUri(query.redirect_uri ?? \"/\"),\n loginUri,\n provider: query.provider,\n realm: query.realm,\n });\n\n reply.redirect(buildAuthorizationUrl(oauth, parameters).toString(), 302);\n },\n });\n\n /**\n * Extracts provider-specific extra profile fields delivered via the\n * authorization callback form body rather than the ID token or userinfo\n * endpoint. 
Currently handles Apple Sign In's `user` field, which is sent\n * only on the user's first authorization and contains their name.\n */\n protected async extractFormPostProfile(\n req: Request,\n ): Promise<Record<string, unknown> | undefined> {\n try {\n const form = await req.formData();\n const userField = form.get(\"user\");\n if (typeof userField !== \"string\") {\n return undefined;\n }\n const parsed = JSON.parse(userField) as {\n name?: { firstName?: string; lastName?: string };\n email?: string;\n };\n const profile: Record<string, unknown> = {};\n if (parsed.name?.firstName) {\n profile.given_name = parsed.name.firstName;\n }\n if (parsed.name?.lastName) {\n profile.family_name = parsed.name.lastName;\n }\n if (parsed.name?.firstName || parsed.name?.lastName) {\n profile.name = [parsed.name?.firstName, parsed.name?.lastName]\n .filter(Boolean)\n .join(\" \");\n }\n if (parsed.email) {\n profile.email = parsed.email;\n }\n return Object.keys(profile).length > 0 ? profile : undefined;\n } catch (e) {\n this.log.warn(\"Failed to parse form_post profile from callback body\", e);\n return undefined;\n }\n }\n\n /**\n * Shared callback logic for both GET and POST OAuth2/OIDC callbacks.\n * For form_post response mode (e.g. Apple Sign In), the raw Request object\n * is passed so openid-client can read the authorization code from the POST body.\n */\n protected async handleCallback(\n url: URL,\n reply: ServerReply,\n cookies: Cookies,\n raw?: ServerRawRequest,\n ) {\n const authorizationCode = this.authorizationCode.get({ cookies });\n if (!authorizationCode) {\n throw new BadRequestError(\"Missing code verifier\");\n }\n\n const provider = this.provider(authorizationCode);\n const oauth = await provider.getOAuth();\n if (!oauth) {\n throw new SecurityError(\n `Auth provider '${provider.name}' does not support OAuth2`,\n );\n }\n\n const redirectUri = authorizationCode.redirectUri ?? 
\"/\";\n const loginUri = authorizationCode.loginUri;\n\n // For form_post response mode (e.g. Apple), pass the raw Request object\n // so openid-client can read the authorization code from the POST body.\n // Clone first so we can also extract provider-specific fields (e.g. Apple's\n // `user` form field, only sent once on first authorization) without\n // consuming the body that openid-client needs to read.\n let currentUrl: URL | Request = url;\n let externalProfile: Record<string, unknown> | undefined;\n if (raw?.web?.req && raw.web.req.method === \"POST\") {\n const cloned = raw.web.req.clone();\n currentUrl = raw.web.req;\n externalProfile = await this.extractFormPostProfile(cloned);\n }\n\n const externalTokens = await authorizationCodeGrant(oauth, currentUrl, {\n pkceCodeVerifier: authorizationCode.codeVerifier,\n expectedState: authorizationCode.state,\n expectedNonce: authorizationCode.nonce,\n })\n .then((tokens) => ({\n issued_at: this.dateTimeProvider.now().unix(),\n provider: provider.name,\n ...tokens,\n }))\n .catch((e) => {\n this.log.error(\"Failed to get access token\", e);\n throw new SecurityError(\"Failed to get access token\", {\n cause: e,\n });\n });\n\n this.authorizationCode.del({ cookies });\n\n const issuer = provider.issuer;\n\n // external, full OIDC System (e.g. Keycloak, Auth0)\n if (!issuer) {\n this.setTokens(externalTokens, cookies);\n reply.redirect(redirectUri, 302);\n return;\n }\n\n // internal, we need to create our own tokens\n\n let user: UserAccount;\n try {\n user = await provider.user(externalTokens, externalProfile);\n } catch (e) {\n this.log.warn(\"OAuth2 account linking failed\", e);\n const errorTarget = loginUri || redirectUri;\n const errorUrl = new URL(errorTarget, url.origin);\n errorUrl.searchParams.set(\n \"error\",\n e instanceof BadRequestError ? 
e.message : \"Authentication failed\",\n );\n reply.redirect(errorUrl.pathname + errorUrl.search, 302);\n return;\n }\n\n const tokens = await issuer.createToken(user);\n\n this.setTokens(\n {\n ...tokens,\n issued_at: this.dateTimeProvider.now().unix(),\n provider: provider.name,\n },\n cookies,\n );\n\n reply.redirect(redirectUri, 302);\n }\n\n /**\n * Callback for OAuth2/OIDC providers.\n * It handles the authorization code flow and retrieves the access token.\n */\n public readonly callback = $route({\n path: alephaServerAuthRoutes.callback,\n handler: async ({ url, reply, cookies }) => {\n await this.handleCallback(url, reply, cookies);\n },\n });\n\n /**\n * POST callback for OAuth2/OIDC providers using form_post response mode.\n * Apple Sign In sends the authorization code via POST body instead of URL query parameters.\n */\n public readonly callbackPost = $route({\n path: alephaServerAuthRoutes.callback,\n method: \"POST\",\n handler: async ({ url, reply, cookies, raw }) => {\n await this.handleCallback(url, reply, cookies, raw);\n },\n });\n\n /**\n * Logout route for OAuth2/OIDC providers.\n */\n public readonly logout = $route({\n path: alephaServerAuthRoutes.logout,\n method: \"POST\",\n schema: {\n query: t.object({\n post_logout_redirect_uri: t.optional(t.text()),\n }),\n },\n handler: async ({ query, reply, cookies }) => {\n const redirect = this.validateRedirectUri(\n query.post_logout_redirect_uri ?? 
\"/\",\n );\n const tokens = this.getTokens(cookies);\n if (!tokens) {\n reply.redirect(redirect, 302);\n return;\n }\n\n const provider = this.provider(tokens.provider);\n\n this.tokens.del({ cookies });\n\n // for internal providers, we can delete the session - if available\n if (provider.issuer && tokens.refresh_token) {\n const onDeleteSession =\n provider.issuer.options.settings?.onDeleteSession;\n if (onDeleteSession) {\n try {\n await onDeleteSession(tokens.refresh_token);\n } catch (e) {\n this.log.error(\"Failed to delete session\", e);\n }\n }\n }\n\n const oauth = await provider.getOAuth();\n if (!oauth) {\n reply.redirect(redirect, 302);\n return;\n }\n\n const params = new URLSearchParams();\n const idToken = tokens?.id_token;\n\n params.set(\"post_logout_redirect_uri\", redirect);\n if (idToken) {\n params.set(\"id_token_hint\", idToken);\n }\n\n const customLogoutUri =\n \"oidc\" in provider.options\n ? provider.options.oidc?.logoutUri\n : undefined;\n\n if (customLogoutUri) {\n reply.redirect(`${customLogoutUri}?${params}`, 302);\n return;\n }\n\n if (!oauth.serverMetadata().end_session_endpoint) {\n // await tokenRevocation(\n // \toauth,\n // \ttokens?.refresh_token ?? tokens.access_token,\n // );\n reply.redirect(redirect, 302);\n return;\n }\n\n reply.redirect(buildEndSessionUrl(oauth, params).toString(), 302);\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n public getAuthenticationProviders(\n filters: { realmName?: string } = {},\n ): AuthenticationProvider[] {\n const providers: AuthenticationProvider[] = [];\n\n for (const identity of this.identities) {\n if (filters.realmName) {\n const issuer = identity.issuer;\n if (!issuer || issuer.name !== filters.realmName) {\n continue;\n }\n }\n\n const type =\n \"oidc\" in identity.options\n ? \"OIDC\"\n : \"oauth\" in identity.options\n ? \"OAUTH2\"\n : \"credentials\" in identity.options\n ? 
\"CREDENTIALS\"\n : undefined;\n\n if (!type) {\n continue;\n }\n\n providers.push({\n name: identity.name,\n type,\n });\n }\n\n return providers;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Find an auth provider by name and optionally by realm.\n * When realm is specified, it filters providers by both name and realm.\n * This enables multi-realm setups where multiple providers share the same name (e.g., \"credentials\").\n */\n protected provider(\n opts: string | { provider: string; realm?: string },\n ): AuthPrimitive {\n const name = typeof opts === \"string\" ? opts : opts.provider;\n const realmName = typeof opts === \"string\" ? undefined : opts.realm;\n\n const identity = this.identities.find((identity) => {\n if (identity.name !== name) {\n return false;\n }\n\n // If realm filter is specified, match against provider's issuer\n if (realmName && identity.issuer?.name !== realmName) {\n return false;\n }\n\n return true;\n });\n\n if (!identity) {\n const realmInfo = realmName ? 
` for realm '${realmName}'` : \"\";\n throw new SecurityError(`Auth provider '${name}'${realmInfo} not found`);\n }\n\n return identity;\n }\n\n /**\n * Convert cookies to tokens.\n * If the tokens are expired, try to refresh them using the refresh token.\n */\n protected async cookiesToTokens(\n cookies: Cookies,\n ): Promise<Tokens | undefined> {\n const tokens = this.getTokens(cookies);\n if (!tokens) {\n // no cookie, no tokens\n this.log.trace(\"No tokens found in cookies\");\n return;\n }\n\n this.log.trace(\"Tokens found in cookies\", {\n expires_in: tokens.expires_in,\n issued_at: tokens.issued_at,\n });\n\n // check if tokens are expired\n const refreshedTokens = await this.refreshTokens(tokens);\n if (!refreshedTokens) {\n this.tokens.del({ cookies });\n // 08/25: exception here will go to Server error handler, not the React one\n // better to remove cookie & session and let the page handle 401 Unauthorized\n //throw new SessionExpiredError(\"Session expired. Please login again.\");\n return;\n }\n\n // Non-constant-time comparison is fine here — this determines whether to update\n // the cookie, not whether to grant access. No authentication decision is made.\n if (refreshedTokens.access_token !== tokens.access_token) {\n this.setTokens(refreshedTokens, cookies);\n }\n\n return refreshedTokens;\n }\n\n protected getTokens(cookies?: Cookies): Tokens | undefined {\n return this.tokens.get({ cookies });\n }\n\n protected setTokens(tokens: Tokens, cookies?: Cookies): void {\n const exp =\n tokens.refresh_token_expires_in ||\n tokens.refresh_expires_in ||\n tokens.expires_in;\n\n const ttl = exp\n ? 
this.dateTimeProvider.duration(exp, \"seconds\")\n : undefined;\n\n this.tokens.set(tokens, {\n cookies,\n ttl,\n });\n }\n\n protected extractAccessToken(tokens: Tokens) {\n const idp = this.provider(tokens.provider);\n\n if (\n \"oidc\" in idp.options &&\n !(\"issuer\" in idp.options) &&\n idp.options.oidc?.useIdToken\n ) {\n return tokens.id_token;\n }\n\n return tokens.access_token;\n }\n\n protected async refreshTokens(tokens: Tokens): Promise<Tokens | undefined> {\n // Note: concurrent requests refreshing with the same token is safe here because\n // Alepha does not rotate refresh tokens — the same token is reused across refreshes\n // (session-based: same UUID in the session row; token-based: same JWT).\n // If single-use rotation is ever added (e.g., for SPA/public clients per OAuth 2.1),\n // a reuse grace window (à la Auth0) should be implemented to avoid race conditions.\n\n if (tokens.expires_in && tokens.issued_at) {\n const gracePeriodSec = 10;\n const expiresAt = tokens.issued_at + (tokens.expires_in - gracePeriodSec);\n\n if (expiresAt < this.dateTimeProvider.now().unix()) {\n this.log.trace(\"Tokens are expired\");\n\n // oh no, it is expired\n if (tokens.refresh_token) {\n this.log.trace(\"Trying to refresh tokens using refresh token\");\n // but has refresh token!\n try {\n const provider = this.provider(tokens);\n const result = await provider.refresh(\n tokens.refresh_token,\n tokens.access_token,\n );\n const newTokens = {\n ...result,\n provider: tokens.provider,\n issued_at: this.dateTimeProvider.now().unix(),\n };\n\n this.log.debug(\"Tokens refreshed successfully\");\n\n return newTokens;\n } catch (e) {\n this.log.warn(\"Failed to refresh token\", e);\n }\n }\n\n // session expired and no (valid) refresh token\n return;\n }\n }\n\n if (!tokens.issued_at && tokens.access_token) {\n return;\n }\n\n return tokens;\n }\n}\n\n// 
---------------------------------------------------------------------------------------------------------------------\n\nexport interface OAuth2Profile {\n sub: string; // Subject - unique ID per user (required by OpenID)\n email?: string;\n name?: string;\n given_name?: string;\n family_name?: string;\n middle_name?: string;\n nickname?: string;\n preferred_username?: string;\n profile?: string;\n picture?: string;\n website?: string;\n email_verified?: boolean;\n gender?: string;\n birthdate?: string; // ISO 8601: YYYY-MM-DD\n zoneinfo?: string;\n locale?: string;\n phone_number?: string;\n phone_number_verified?: boolean;\n address?: {\n formatted?: string;\n street_address?: string;\n locality?: string;\n region?: string;\n postal_code?: string;\n country?: string;\n };\n updated_at?: number; // seconds since epoch\n // Allow additional fields (provider-specific)\n [key: string]: unknown;\n}\n","import { type Static, t } from \"alepha\";\n\nexport const authenticationProviderSchema = t.object(\n {\n name: t.text({\n description: \"Name of the authentication provider.\",\n }),\n type: t.enum([\"OAUTH2\", \"OIDC\", \"CREDENTIALS\"], {\n description: \"Type of the authentication provider.\",\n }),\n },\n {\n title: \"AuthenticationProvider\",\n },\n);\n\nexport type AuthenticationProvider = Static<\n typeof authenticationProviderSchema\n>;\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type LinkAccountOptions,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Apple authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Apple accounts.\n * Upon successful authentication, it links the Apple account to a user session.\n *\n * Apple-specific behavior:\n * - `response_mode=form_post` (required by Apple 
when requesting `email`/`name`).\n * - Scope: `name email` (Apple does not support the standard `profile` scope).\n * - The user's name is only provided on the first authorization, as a `user`\n * form field on the POST callback. The framework extracts it and injects\n * `given_name` / `family_name` / `name` into the profile before linking.\n * Subsequent logins only return `sub` and `email` in the ID token.\n * - `email_verified` and `is_private_email` are normalized from Apple's\n * string (\"true\"/\"false\") representation to booleans.\n *\n * Client secret:\n * Apple requires the client secret to be a signed ES256 JWT generated from\n * your Apple private key, team ID, and key ID. This JWT is valid for up to 6\n * months; you must rotate it before expiration. Generate it out of band and\n * set it via `APPLE_CLIENT_SECRET`.\n *\n * See: https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret\n *\n * Environment Variables:\n * - `APPLE_CLIENT_ID`: The Service ID obtained from the Apple Developer Console.\n * - `APPLE_CLIENT_SECRET`: The signed ES256 JWT client secret generated from your\n * Apple private key.\n */\nexport const $authApple = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n APPLE_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The Service ID obtained from the Apple Developer Console.\",\n }),\n ),\n APPLE_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The signed ES256 JWT client secret generated from your Apple private key.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.APPLE_CLIENT_ID || !env.APPLE_CLIENT_SECRET;\n\n const name = \"apple\";\n\n const userAccount: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!userAccount) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n const account: LinkAccountFn = async (opts) => {\n return userAccount(normalizeApplePayload(opts));\n };\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: \"https://appleid.apple.com\",\n clientId: env.APPLE_CLIENT_ID!,\n clientSecret: env.APPLE_CLIENT_SECRET,\n scope: \"name email\",\n responseMode: \"form_post\",\n ...options,\n account,\n },\n disabled,\n });\n};\n\n/**\n * Normalize Apple-specific profile quirks before handing off to the\n * user-provided link function.\n *\n * Why: Apple's ID token non-conformities — `email_verified` and\n * `is_private_email` are delivered as the strings \"true\"/\"false\" rather than\n * booleans. Normalize so downstream code can rely on standard OIDC shapes.\n */\nconst normalizeApplePayload = (\n opts: LinkAccountOptions,\n): LinkAccountOptions => {\n const user: OAuth2Profile = { ...opts.user };\n\n for (const key of [\"email_verified\", \"is_private_email\"] as const) {\n const raw = user[key] as unknown;\n if (typeof raw === \"string\") {\n user[key] = raw === \"true\";\n }\n }\n\n return { ...opts, user };\n};\n","import { AlephaError } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type CredentialsFn,\n type CredentialsOptions,\n type WithLoginFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Credentials authentication primitive.\n *\n * Uses username and password to authenticate users.\n */\nexport const $authCredentials = (\n realm: IssuerPrimitive & WithLoginFn,\n options: Partial<CredentialsOptions> = {},\n) => {\n const name = \"credentials\";\n\n const account: CredentialsFn | undefined = realm.login\n ? 
realm.login(name)\n : options.account;\n\n if (!account) {\n throw new AlephaError(\n \"Credentials authentication requires a login function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n credentials: {\n account,\n },\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Facebook authentication primitive.\n *\n * Uses OAuth2 to authenticate users via their Facebook accounts.\n * Upon successful authentication, it links the Facebook account to a user session.\n *\n * Environment Variables:\n * - `FACEBOOK_CLIENT_ID`: The App ID obtained from the Meta Developer Console.\n * - `FACEBOOK_CLIENT_SECRET`: The App Secret obtained from the Meta Developer Console.\n */\nexport const $authFacebook = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n FACEBOOK_CLIENT_ID: t.optional(\n t.text({\n description: \"The App ID obtained from the Meta Developer Console.\",\n }),\n ),\n FACEBOOK_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The App Secret obtained from the Meta Developer Console.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.FACEBOOK_CLIENT_ID || !env.FACEBOOK_CLIENT_SECRET;\n\n const name = \"facebook\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oauth: {\n clientId: env.FACEBOOK_CLIENT_ID!,\n clientSecret: env.FACEBOOK_CLIENT_SECRET!,\n authorization: \"https://www.facebook.com/v25.0/dialog/oauth\",\n token: \"https://graph.facebook.com/v25.0/oauth/access_token\",\n scope: \"email\",\n userinfo: async (tokens) => {\n const res = await fetch(\n \"https://graph.facebook.com/v25.0/me?fields=id,name,email,picture.width(200).height(200)\",\n {\n headers: {\n Authorization: `Bearer ${tokens.access_token}`,\n },\n },\n ).then((res) => res.json());\n\n const user: OAuth2Profile = {\n sub: res.id,\n };\n\n if (res.email) {\n user.email = res.email;\n }\n\n if (res.name) {\n user.name = res.name.trim();\n }\n\n if (res.picture?.data?.url) {\n user.picture = res.picture.data.url;\n }\n\n return user;\n },\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Creates an authentication provider primitive for France Connect.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via France Connect,\n * the French government's identity federation system. It provides verified\n * identity data (name, email, birthdate) sourced directly from government\n * databases.\n *\n * **France Connect-specific behaviour**:\n * - Scopes use individual claim names (`given_name`, `family_name`) rather\n * than the standard grouped `profile` scope.\n * - The `acr_values=eidas1` authorization parameter is mandatory and is\n * included automatically.\n * - Logout is mandatory in France Connect integrations. 
Store the `id_token`\n * returned at login and pass it to the logout endpoint when the session ends.\n *\n * **Environment Variables** (obtain from partenaires.franceconnect.gouv.fr):\n * - `FRANCECONNECT_CLIENT_ID` — OAuth 2.0 client ID for your France Connect service provider.\n * - `FRANCECONNECT_CLIENT_SECRET` — OAuth 2.0 client secret for your France Connect service provider.\n *\n * @example\n * ```ts\n * class AuthProviders {\n * franceconnect = $authFranceConnect(this.userRealm);\n * }\n * ```\n */\nexport const $authFranceConnect = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n FRANCECONNECT_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client ID for your France Connect service provider, obtained from partenaires.franceconnect.gouv.fr.\",\n }),\n ),\n FRANCECONNECT_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client secret for your France Connect service provider, obtained from partenaires.franceconnect.gouv.fr.\",\n }),\n ),\n }),\n );\n\n const disabled =\n !env.FRANCECONNECT_CLIENT_ID || !env.FRANCECONNECT_CLIENT_SECRET;\n\n const name = \"franceconnect\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n /**\n * France Connect production OIDC issuer.\n * Discovery: https://oidc.franceconnect.gouv.fr/api/v2/.well-known/openid-configuration\n *\n * Note: `oidc.franceconnect.gouv.fr` is standard FranceConnect (eidas1).\n * `auth.franceconnect.gouv.fr` is FranceConnect+ (eidas2/eidas3).\n */\n issuer: \"https://oidc.franceconnect.gouv.fr/api/v2\",\n clientId: env.FRANCECONNECT_CLIENT_ID!,\n clientSecret: env.FRANCECONNECT_CLIENT_SECRET,\n /**\n * France Connect requires individual claim names as scopes.\n * The standard grouped `profile` scope is NOT supported.\n */\n scope: \"openid given_name family_name email\",\n /**\n * `acr_values=eidas1` is mandatory for all France Connect integrations.\n */\n ...options,\n authorizationParameters: {\n acr_values: \"eidas1\",\n ...options.authorizationParameters,\n },\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured GitHub authentication primitive.\n *\n * Uses OAuth2 to authenticate users via their GitHub accounts.\n * Upon successful authentication, it links the GitHub account to a user session.\n *\n * Environment Variables:\n * - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.\n * - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.\n */\nexport const $authGithub = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n 
GITHUB_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth App client ID obtained from GitHub Developer Settings.\",\n }),\n ),\n GITHUB_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth App client secret obtained from GitHub Developer Settings.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET;\n\n const name = \"github\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oauth: {\n clientId: env.GITHUB_CLIENT_ID!,\n clientSecret: env.GITHUB_CLIENT_SECRET!,\n authorization: \"https://github.com/login/oauth/authorize\",\n token: \"https://github.com/login/oauth/access_token\",\n scope: \"read:user user:email\",\n userinfo: async (tokens) => {\n const BASE_URL = \"https://api.github.com\";\n const headers = {\n Authorization: `Bearer ${tokens.access_token}`,\n \"User-Agent\": \"Alepha\",\n };\n const res = await fetch(`${BASE_URL}/user`, { headers }).then((res) =>\n res.json(),\n );\n\n const user: OAuth2Profile = {\n sub: res.id.toString(),\n };\n\n if (res.email) {\n user.email = res.email;\n }\n\n if (res.name) {\n user.name = res.name.trim();\n }\n\n if (res.avatar_url) {\n user.picture = res.avatar_url;\n }\n\n // `/user` omits the email if the user's public profile hides it, and\n // never exposes `verified`. Fetch `/user/emails` to fill in both.\n const emailsRes = await fetch(`${BASE_URL}/user/emails`, { headers });\n if (emailsRes.ok) {\n const emails: Array<{\n email: string;\n primary: boolean;\n verified: boolean;\n }> = await emailsRes.json();\n if (!user.email) {\n user.email = (emails.find((e) => e.primary) ?? emails[0])?.email;\n }\n if (user.email) {\n user.email_verified =\n emails.find((e) => e.email === user.email)?.verified ?? 
false;\n }\n }\n\n return user;\n },\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Google authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.\n * Upon successful authentication, it links the Google account to a user session.\n *\n * Environment Variables:\n * - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.\n * - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.\n */\nexport const $authGoogle = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n GOOGLE_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client ID obtained from the Google Developer Console.\",\n }),\n ),\n GOOGLE_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client secret obtained from the Google Developer Console.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.GOOGLE_CLIENT_ID || !env.GOOGLE_CLIENT_SECRET;\n\n const name = \"google\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: \"https://accounts.google.com\",\n clientId: env.GOOGLE_CLIENT_ID!,\n clientSecret: env.GOOGLE_CLIENT_SECRET,\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Microsoft Entra ID (Azure AD) authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Microsoft accounts.\n * Supports personal Microsoft accounts, work/school (Azure AD) accounts, and\n * multi-tenant applications.\n *\n * The tenant ID defaults to `\"common\"`, which allows all Microsoft account types\n * (personal, work, school). To restrict to a specific Azure AD tenant, set\n * `MICROSOFT_TENANT_ID` to your tenant's GUID or domain.\n *\n * **Note on multi-tenant issuer validation**: Microsoft's OIDC discovery document\n * for the `common` endpoint returns `{tenantid}` as a literal placeholder in the\n * `issuer` field. This is expected behavior for multi-tenant endpoints. The\n * openid-client library handles this during token validation automatically.\n *\n * Environment Variables:\n * - `MICROSOFT_CLIENT_ID`: The application (client) ID from the Azure Portal.\n * - `MICROSOFT_CLIENT_SECRET`: The client secret value from the Azure Portal.\n * - `MICROSOFT_TENANT_ID`: (Optional) Azure AD tenant ID or `\"common\"` for\n * multi-tenant. 
Defaults to `\"common\"`.\n */\nexport const $authMicrosoft = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n MICROSOFT_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The application (client) ID obtained from the Azure Portal.\",\n }),\n ),\n MICROSOFT_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The client secret value obtained from the Azure Portal.\",\n }),\n ),\n MICROSOFT_TENANT_ID: t.optional(\n t.text({\n description:\n \"The Azure AD tenant ID or 'common' for multi-tenant. Defaults to 'common'.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.MICROSOFT_CLIENT_ID || !env.MICROSOFT_CLIENT_SECRET;\n\n const tenantId = env.MICROSOFT_TENANT_ID ?? \"common\";\n\n const name = \"microsoft\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,\n clientId: env.MICROSOFT_CLIENT_ID!,\n clientSecret: env.MICROSOFT_CLIENT_SECRET,\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $module } from \"alepha\";\nimport { AlephaServerCookies } from \"alepha/server/cookies\";\nimport { $auth } from \"./primitives/$auth.ts\";\nimport { ServerAuthProvider } from \"./providers/ServerAuthProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./index.shared.ts\";\nexport * from \"./primitives/$auth.ts\";\nexport * from \"./primitives/$authApple.ts\";\nexport * from \"./primitives/$authCredentials.ts\";\nexport * from \"./primitives/$authFacebook.ts\";\nexport * from \"./primitives/$authFranceConnect.ts\";\nexport * from 
\"./primitives/$authGithub.ts\";\nexport * from \"./primitives/$authGoogle.ts\";\nexport * from \"./primitives/$authMicrosoft.ts\";\nexport * from \"./providers/ServerAuthProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * OAuth2/OIDC authentication with social login providers.\n *\n * **Features:**\n * - OAuth authentication provider\n * - Username/password authentication\n * - Google OAuth integration\n * - GitHub OAuth integration\n * - Apple OAuth integration\n * - Facebook OAuth integration\n * - Microsoft Entra ID (Azure AD) integration\n * - France Connect integration\n * - Cookie-based, SSR-friendly authentication\n * - Token management and refresh\n *\n * @module alepha.server.auth\n */\nexport const AlephaServerAuth = $module({\n name: \"alepha.server.auth\",\n primitives: [$auth],\n services: [AlephaServerCookies, ServerAuthProvider],\n});\n"],"x_google_ignoreList":[0,1],"mappings":";;;;;;;;AAAA,IAAIA;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,EAGtF,eAAa;AAEjB,SAAS,gBAAgB,OAAO,UAAU;CACtC,IAAI,SAAS,MACT,OAAO;CAEX,IAAI;EACA,OAAQ,iBAAiB,YACrB,OAAO,eAAe,MAAM,CAAC,OAAO,iBAAiB,SAAS,UAAU,OAAO;SAEjF;EACF,OAAO;;;AAGf,MAAMC,0BAAwB;AAC9B,MAAMC,yBAAuB;AAC7B,SAASC,iBAAe,SAAS,MAAM,OAAO;CAC1C,MAAM,MAAM,IAAI,UAAU,SAAS,EAAE,OAAO,CAAC;CAC7C,OAAO,OAAO,KAAK,EAAE,MAAM,CAAC;CAC5B,OAAO;;AAEX,MAAaC,0BAAwB,QAAQ;AAC7C,MAAa,YAAY,QAAQ;AACjC,MAAa,iBAAiB,QAAQ;AACtC,MAAaC,gBAAc,QAAQ;AAEnC,MAAa,aAAa,QAAQ;AAElC,MAAM,UAAU,IAAI,aAAa;AACjC,MAAMC,YAAU,IAAI,aAAa;AACjC,SAAS,IAAI,OAAO;CAChB,IAAI,OAAO,UAAU,UACjB,OAAO,QAAQ,OAAO,MAAM;CAEhC,OAAOA,UAAQ,OAAO,MAAM;;AAEhC,IAAI;AACJ,IAAI,WAAW,UAAU,UACrB,mBAAmB,UAAU;CACzB,IAAI,iBAAiB,aACjB,QAAQ,IAAI,WAAW,MAAM;CAEjC,OAAO,MAAM,SAAS;EAAE,UAAU;EAAa,aAAa;EAAM,CAAC;;KAGtE;CACD,MAAM,aAAa;CACnB,mBAAmB,UAAU;EACzB,IAAI,iBAAiB,aACjB,QAAQ,IAAI,WAAW,MAAM;EAEjC,MAAM,MAAM,EAAE;EACd,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK,YACvC,IAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS
,GAAG,IAAI,WAAW,CAAC,CAAC;EAEhF,OAAO,KAAK,IAAI,KAAK,GAAG,CAAC,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;AAG3F,IAAI;AACJ,IAAI,WAAW,YACX,mBAAmB,UAAU;CACzB,IAAI;EACA,OAAO,WAAW,WAAW,OAAO,EAAE,UAAU,aAAa,CAAC;UAE3D,OAAO;EACV,MAAMH,iBAAe,qDAAqDF,yBAAuB,MAAM;;;KAK/G,mBAAmB,UAAU;CACzB,IAAI;EACA,MAAM,SAAS,KAAK,MAAM,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI,CAAC,QAAQ,OAAO,GAAG,CAAC;EACnF,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;EAC3C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAC/B,MAAM,KAAK,OAAO,WAAW,EAAE;EAEnC,OAAO;UAEJ,OAAO;EACV,MAAME,iBAAe,qDAAqDF,yBAAuB,MAAM;;;AAInH,SAAS,KAAK,OAAO;CACjB,IAAI,OAAO,UAAU,UACjB,OAAO,gBAAgB,MAAM;CAEjC,OAAO,gBAAgB,MAAM;;AAEjC,IAAa,4BAAb,cAA+C,MAAM;CACjD;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,2BAAb,cAA8C,MAAM;CAChD;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,IAAI,SAAS,MACT,KAAK,OAAO,SAAS;EAEzB,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,SAAS,IAAI,SAAS,MAAM,OAAO;CAC/B,OAAO,IAAI,yBAAyB,SAAS;EAAE;EAAM;EAAO,CAAC;;AA2DjE,SAAS,aAAa,OAAO;CACzB,IAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,MAAM,EACnE,OAAO;CAEX,OAAO;;AAEX,SAAS,eAAe,OAAO;CAC3B,IAAI,gBAAgB,OAAO,QAAQ,EAC/B,QAAQ,OAAO,YAAY,MAAM,SAAS,CAAC;CAE/C,MAAM,UAAU,IAAI,QAAQ,SAAS,EAAE,CAAC;CACxC,IAAID,gBAAc,CAAC,QAAQ,IAAI,aAAa,EACxC,QAAQ,IAAI,cAAcA,aAAW;CAEzC,IAAI,QAAQ,IAAI,gBAAgB,EAC5B,MAAMG,iBAAe,0EAAsEF,wBAAsB;CAErH,OAAO;;AAEX,SAASM,SAAO,KAAK,OAAO;CACxB,IAAI,UAAU,KAAA,GAAW;EACrB,IAAI,OAAO,UAAU,YACjB,QAAQ,MAAM,IAAI,KAAK;EAE3B,IAAI,EAAE,iBAAiB,cACnB,MAAMJ,iBAAe,mEAAiED,uBAAqB;EAE/G,OAAO;;;AAIf,SAAS,mBAAmB,UAAU;CAClC,IAAI,SAAS,SAAS,KAAK,EACvB,OAAO,SAAS,QAAQ,MAAM,IAAI;CAEtC,OAAO;;AAEX,SAAS,iBAAiB,KAAK,WAAW,wBAAwB,OAAO;CACrE,IAAI,IAAI,aAAa,KACjB,IAAI,WAAW;MAGf,IAAI,WAAW,mBAAmB,GAAG,UAAU,GAAG,wBAAwB,IAAI,WAAW,IAAI,SAAS,QAAQ,SAAS,GAAG,GAAG;CAEjI,OAAO;;AAEX,SAAS,gBAAgB,KAAK,WAAW;CACrC,IAAI,WAAW,mBAAmB,GAAG,IAAI,SAAS,GAAG,YAAY;CACjE,OAAO;;AAEX,eAAeM,mBAAiB,OAAO,SAAS,WAAW,SAAS;CAChE,IAAI,EAAE,iBAAiB,MACnB,MAAML,iBAA
e,IAAI,QAAQ,+BAA+BD,uBAAqB;CAEzF,cAAc,OAAO,UAAUE,6BAA2B,KAAK;CAC/D,MAAM,MAAM,UAAU,IAAI,IAAI,MAAM,KAAK,CAAC;CAC1C,MAAM,UAAU,eAAe,SAAS,QAAQ;CAChD,QAAQ,IAAI,UAAU,mBAAmB;CACzC,QAAQ,UAAUC,kBAAgB,OAAO,IAAI,MAAM;EAC/C,MAAM,KAAA;EACN,SAAS,OAAO,YAAY,QAAQ,SAAS,CAAC;EAC9C,QAAQ;EACR,UAAU;EACV,QAAQE,SAAO,KAAK,SAAS,OAAO;EACvC,CAAC;;AAEN,eAAsB,iBAAiB,kBAAkB,SAAS;CAC9D,OAAOC,mBAAiB,kBAAkB,qBAAqB,QAAQ;EACnE,QAAQ,SAAS,WAAjB;GACI,KAAK,KAAA;GACL,KAAK;IACD,gBAAgB,KAAK,mCAAmC;IACxD;GACJ,KAAK;IACD,iBAAiB,KAAK,yCAAyC;IAC/D;GACJ,SACI,MAAML,iBAAe,mEAA6DF,wBAAsB;;EAEhH,OAAO;IACR,QAAQ;;AAEf,SAAS,aAAa,OAAO,QAAQ,IAAI,MAAM,OAAO;CAClD,IAAI;EACA,IAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,MAAM,EACpD,MAAME,iBAAe,GAAG,GAAG,oBAAoBD,wBAAsB,MAAM;EAE/E,IAAI,QAAQ,GACR;EACJ,IAAI,QAAQ;GACR,IAAI,UAAU,GACV,MAAMC,iBAAe,GAAG,GAAG,iCAAiCF,yBAAuB,MAAM;GAE7F;;EAEJ,MAAME,iBAAe,GAAG,GAAG,6BAA6BF,yBAAuB,MAAM;UAElF,KAAK;EACR,IAAI,MACA,MAAM,IAAI,IAAI,SAAS,MAAM,MAAM;EAEvC,MAAM;;;AAGd,SAASQ,eAAa,OAAO,IAAI,MAAM,OAAO;CAC1C,IAAI;EACA,IAAI,OAAO,UAAU,UACjB,MAAMN,iBAAe,GAAG,GAAG,oBAAoBD,wBAAsB,MAAM;EAE/E,IAAI,MAAM,WAAW,GACjB,MAAMC,iBAAe,GAAG,GAAG,qBAAqBF,yBAAuB,MAAM;UAG9E,KAAK;EACR,IAAI,MACA,MAAM,IAAI,IAAI,SAAS,MAAM,MAAM;EAEvC,MAAM;;;AAGd,eAAsB,yBAAyB,0BAA0B,UAAU;CAC/E,MAAM,WAAW;CACjB,IAAI,EAAE,oBAAoB,QAAQ,aAAa,mBAC3C,MAAME,iBAAe,2DAAyDD,uBAAqB;CAEvG,IAAI,CAAC,gBAAgB,UAAU,SAAS,EACpC,MAAMC,iBAAe,gDAA8CD,uBAAqB;CAE5F,IAAI,SAAS,WAAW,KACpB,MAAM,IAAI,sGAAoG,yBAAyB,SAAS;CAEpJ,uBAAuB,SAAS;CAChC,MAAM,OAAO,MAAM,oBAAoB,SAAS;CAChD,eAAa,KAAK,QAAQ,yCAAqC,kBAAkB,EAAE,MAAM,MAAM,CAAC;CAChG,IAAI,aAAa,qBAAqB,IAAI,IAAI,KAAK,OAAO,CAAC,SAAS,SAAS,MACzE,MAAM,IAAI,2EAAuE,2BAA2B;EAAE,UAAU,SAAS;EAAM,MAAM;EAAM,WAAW;EAAU,CAAC;CAE7K,OAAO;;AAEX,SAAS,sBAAsB,UAAU;CACrC,kBAAkB,UAAU,mBAAmB;;AAEnD,SAAS,QAAQ,UAAU,GAAG,OAAO;CACjC,IAAI,MAAM;CACV,IAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,KAAK;EACxB,OAAO,GAAG,MAAM,KAAK,KAAK,CAAC,OAAO;QAEjC,IAAI,MAAM,WAAW,GACtB,OAAO,GAAG,MAAM,GAAG,MAAM,MAAM;MAG/B,OAAO,MAAM;CAEjB,OAAO,IAAI,KAAK,sBAAsB,SAAS;;AAOnD,SAAS,kBAAkB,UAAU,aAAa;CAC9C,IAA
I,eAAe,SAAS,KAAK,aAC7B,MAAM,QAAQ,UAAU,YAAY;;AAG5C,SAAS,cAAc;CACnB,OAAO,KAAK,OAAO,gBAAgB,IAAI,WAAW,GAAG,CAAC,CAAC;;AAE3D,SAAgB,6BAA6B;CACzC,OAAO,aAAa;;AAExB,SAAgB,sBAAsB;CAClC,OAAO,aAAa;;AAKxB,eAAsBQ,6BAA2B,cAAc;CAC3D,eAAa,cAAc,eAAe;CAC1C,OAAO,KAAK,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,aAAa,CAAC,CAAC;;AA4EzE,SAAS,aAAa,QAAQ;CAC1B,MAAM,OAAO,SAAS;CACtB,OAAO,OAAO,SAAS,YAAY,OAAO,SAAS,KAAK,GAAG,OAAO;;AAEtE,SAAS,kBAAkB,QAAQ;CAC/B,MAAM,YAAY,SAAS;CAC3B,OAAO,OAAO,cAAc,YAAY,OAAO,SAAS,UAAU,IAAI,KAAK,KAAK,UAAU,KAAK,KACzF,YACA;;AAEV,SAAS,YAAY;CACjB,OAAO,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;;AAExC,SAAS,SAAS,IAAI;CAClB,IAAI,OAAO,OAAO,YAAY,OAAO,MACjC,MAAMP,iBAAe,4BAA0BD,uBAAqB;CAExE,eAAa,GAAG,QAAQ,gBAAc;;AAE1C,SAAS,aAAa,QAAQ;CAC1B,IAAI,OAAO,WAAW,YAAY,WAAW,MACzC,MAAMC,iBAAe,gCAA8BD,uBAAqB;CAE5E,eAAa,OAAO,WAAW,uBAAqB;;AAsBxD,SAAgBS,mBAAiB,cAAc;CAC3C,eAAa,cAAc,mBAAiB;CAC5C,QAAQ,KAAK,QAAQ,MAAM,aAAa;EACpC,KAAK,IAAI,aAAa,OAAO,UAAU;EACvC,KAAK,IAAI,iBAAiB,aAAa;;;AAoD/C,SAAgBC,SAAO;CACnB,QAAQ,KAAK,QAAQ,MAAM,aAAa;EACpC,KAAK,IAAI,aAAa,OAAO,UAAU;;;AA6F/C,MAAM,WAAW,IAAI,SAEZ,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IACpC,KAAK,SAAS;CACb,IAAI;EACA,OAAO,IAAI,IAAI,KAAK,KAAK;SAEvB;EACF,OAAO;;;AAGnB,SAAgB,cAAc,KAAK,cAAc;CAC7C,IAAI,gBAAgB,IAAI,aAAa,UACjC,MAAM,IAAI,sCAAsC,wBAAwB,IAAI;CAEhF,IAAI,IAAI,aAAa,YAAY,IAAI,aAAa,SAC9C,MAAM,IAAI,4CAA4C,4BAA4B,IAAI;;AAG9F,SAAS,iBAAiB,OAAO,UAAU,cAAc,cAAc;CACnE,IAAI;CACJ,IAAI,OAAO,UAAU,YAAY,EAAE,MAAM,SAAS,MAAM,GACpD,MAAM,IAAI,0DAA0D,eAAe,6BAA6B,SAAS,KAAK,OAAO,SAAS,MAAM,UAAU,KAAA,IAAY,0BAA0B,yBAAyB,EAAE,WAAW,eAAe,yBAAyB,aAAa,UAAU,CAAC;CAE9S,cAAc,KAAK,aAAa;CAChC,OAAO;;AAEX,SAAgB,gBAAgB,IAAI,UAAU,cAAc,cAAc;CACtE,IAAI,gBAAgB,GAAG,yBAAyB,YAAY,GAAG,uBAC3D,OAAO,iBAAiB,GAAG,sBAAsB,WAAW,UAAU,cAAc,aAAa;CAErG,OAAO,iBAAiB,GAAG,WAAW,UAAU,cAAc,aAAa;;AA8F/E,SAAgB,iBAAiB,KAAK;CAClC,IAAI,eAAe,+BAA+B;EAC9C,MAAM,EAAE,GAAG,WAAW,WAAW,IAAI;EACrC,OAAQ,WAAW,KAAK,UAAU,WAAW,UAAU,UAAU,WAAW,UAAU;;CAE1F,IAAI,eAAe,mBACf,OAAO,IAAI,UAAU;CAEzB,OAAO;;AAKX,IAAa,oBAAb,cAAuC,MAAM;CACzC;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,SAAS,SAAS
;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,QAAQ,QAAQ,MAAM;EAC3B,KAAK,SAAS,QAAQ,SAAS;EAC/B,KAAK,oBAAoB,QAAQ,MAAM;EACvC,OAAO,eAAe,MAAM,YAAY;GAAE,YAAY;GAAO,OAAO,QAAQ;GAAU,CAAC;EACvF,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,6BAAb,cAAgD,MAAM;CAClD;CACA;CACA;CACA;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,QAAQ,QAAQ,MAAM,IAAI,QAAQ;EACvC,KAAK,oBAAoB,QAAQ,MAAM,IAAI,oBAAoB,IAAI,KAAA;EACnE,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,gCAAb,cAAmD,MAAM;CACrD;CACA;CACA;CACA;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,SAAS,QAAQ,SAAS;EAC/B,KAAK,WAAW,QAAQ;EACxB,OAAO,eAAe,MAAM,YAAY,EAAE,YAAY,OAAO,CAAC;EAC9D,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,MAAM,aAAa;AACnB,MAAM,eAAe;AAErB,MAAM,qBAAqB,MAAM,aAAa;AAC9C,MAAM,eAAe,MAAM,aAAa;AACxC,MAAM,WAAW,IAAI,OAAO,cAAc,aAAa,IAAI;AAC3D,MAAM,gBAAgB,IAAI,OAAO,aAAa,qBAAqB,cAAc;AACjF,MAAM,kBAAkB,IAAI,OAAO,aAAa,eAAe,cAAc;AAC7E,MAAM,iBAAiB,IAAI,OAAO,OAAO,eAAe,oBAAoB;AAC5E,SAAS,+BAA+B,UAAU;CAC9C,IAAI,CAAC,gBAAgB,UAAU,SAAS,EACpC,MAAMT,iBAAe,gDAA8CD,uBAAqB;CAE5F,MAAM,SAAS,SAAS,QAAQ,IAAI,mBAAmB;CACvD,IAAI,WAAW,MACX;CAEJ,MAAM,aAAa,EAAE;CACrB,IAAI,OAAO;CACX,OAAO,MAAM;EACT,IAAI,QAAQ,KAAK,MAAM,SAAS;EAChC,MAAM,SAAS,QAAQ,KAAK,aAAa;EACzC,IAAI,CAAC,QACD;EAEJ,MAAM,cAAc,KAAK,UAAU,MAAM,GAAG,OAAO;EACnD,IAAI,eAAe,CAAC,YAAY,MAAM,SAAS,EAC3C;EAEJ,MAAM,aAAa,YAAY,MAAM,YAAY;EACjD,MAAM,gBAAgB,CAAC,CAAC;EACxB,OAAO,aAAa,WAAW,KAAK,KAAA;EACpC,MAAM,aAAa,EAAE;EACrB,IAAI;EACJ,IAAI,eACA,OAAO,MAAM;GACT,IAAI;GACJ,IAAI;GACJ,IAAK,QAAQ,KAAK,MAAM,cAAc,EAAG;IAErC,GAAG,KAAK,OAAO,QAAQ;IACvB,IAAI,MAAM,SAAS,KAAK,EACpB,IAAI;KACA,QAAQ,KAAK,MAAM,IAAI,MAAM,GAAG;YAE9B;IAEV,WAAW,IAAI,aAAa,IAAI;IAChC;;GAEJ,IAAK,QAAQ,KAAK,MAAM,gBAAgB,EAAG;IAEvC,GAAG,KAAK,OAAO,QAAQ;IACvB,WAAW,IAAI,aAAa,IAAI;IAChC;;GAEJ,IAAK,QAAQ,KAAK,MAAM,eAAe,EAAG;IACtC,IAAI,OAAO,KAAK,WAAW,CAAC,QACxB;IAGJ,GAAG,SAAS,QAAQ;IACpB;;GAEJ;;OAIJ,OAAO,eAAe,KAAA;EAE1B,
MAAM,YAAY;GAAE;GAAQ;GAAY;EACxC,IAAI,SACA,UAAU,UAAU;EAExB,WAAW,KAAK,UAAU;;CAE9B,IAAI,CAAC,WAAW,QACZ;CAEJ,OAAO;;AAqBX,eAAe,4BAA4B,UAAU;CACjD,IAAI,SAAS,SAAS,OAAO,SAAS,SAAS,KAAK;EAChD,uBAAuB,SAAS;EAChC,sBAAsB,SAAS;EAC/B,IAAI;GACA,MAAM,OAAO,MAAM,SAAS,OAAO,CAAC,MAAM;GAC1C,IAAI,aAAa,KAAK,IAAI,OAAO,KAAK,UAAU,YAAY,KAAK,MAAM,QACnE,OAAO;UAGT;;;AAId,eAAe,oBAAoB,UAAU,UAAU,OAAO;CAC1D,IAAI,SAAS,WAAW,UAAU;EAC9B,8BAA8B,SAAS;EACvC,IAAI;EACJ,IAAK,MAAM,MAAM,4BAA4B,SAAS,EAAG;GACrD,MAAM,SAAS,MAAM,QAAQ;GAC7B,MAAM,IAAI,kBAAkB,uDAAuD;IAC/E,OAAO;IACP;IACH,CAAC;;EAEN,MAAM,IAAI,+BAA+B,MAAM,0CAA0C,yBAAyB,SAAS;;;AAGnI,SAAS,WAAW,QAAQ;CACxB,IAAI,CAAC,QAAQ,IAAI,OAAO,EACpB,MAAMC,iBAAe,8CAA4CF,wBAAsB;;AAiK/F,SAAgB,eAAe,OAAO;CAClC,OAAO,MAAM,QAAQ,IAAI,eAAe,EAAE,MAAM,IAAI,CAAC;;AA2CzD,eAAe,qBAAqB,IAAI,QAAQ,sBAAsB,KAAK,MAAM,SAAS,SAAS;CAC/F,MAAM,qBAAqB,IAAI,QAAQ,MAAM,QAAQ;CACrD,QAAQ,IAAI,gBAAgB,kDAAkD;CAC9E,QAAQ,UAAUI,kBAAgB,OAAO,IAAI,MAAM;EAC/C;EACA,SAAS,OAAO,YAAY,QAAQ,SAAS,CAAC;EAC9C,QAAQ;EACR,UAAU;EACV,QAAQE,SAAO,KAAK,SAAS,OAAO;EACvC,CAAC;;AAEN,eAAe,qBAAqB,IAAI,QAAQ,sBAAsB,WAAW,YAAY,SAAS;CAClG,MAAM,MAAM,gBAAgB,IAAI,kBAAkB,OAAO,2BAA2B,UAAUH,6BAA2B,KAAK;CAC9H,WAAW,IAAI,cAAc,UAAU;CACvC,MAAM,UAAU,eAAe,SAAS,QAAQ;CAChD,QAAQ,IAAI,UAAU,mBAAmB;CACzC,IAAI,SAAS,SAAS,KAAA,GAAW;EAC7B,WAAW,QAAQ,KAAK;EACxB,MAAM,QAAQ,KAAK,SAAS,KAAK,SAAS,OAAO;;CAErD,MAAM,WAAW,MAAM,qBAAqB,IAAI,QAAQ,sBAAsB,KAAK,YAAY,SAAS,QAAQ;CAChH,SAAS,MAAM,WAAW,UAAU,IAAI;CACxC,OAAO;;AAEX,eAAsB,yBAAyB,IAAI,QAAQ,sBAAsB,cAAc,SAAS;CACpG,SAAS,GAAG;CACZ,aAAa,OAAO;CACpB,eAAa,cAAc,mBAAiB;CAC5C,MAAM,aAAa,IAAI,gBAAgB,SAAS,qBAAqB;CACrE,WAAW,IAAI,iBAAiB,aAAa;CAC7C,OAAO,qBAAqB,IAAI,QAAQ,sBAAsB,iBAAiB,YAAY,QAAQ;;AAEvG,MAAM,gCAAgB,IAAI,SAAS;AACnC,MAAM,0BAAU,IAAI,SAAS;AAC7B,SAAgB,0BAA0B,KAAK;CAC3C,IAAI,CAAC,IAAI,UACL;CAEJ,MAAM,SAAS,cAAc,IAAI,IAAI;CACrC,IAAI,CAAC,QACD,MAAMD,iBAAe,oFAAkFF,wBAAsB;CAEjI,OAAO;;AAgBX,eAAe,kCAAkC,IAAI,QAAQ,UAAU,iCAAiC,WAAW,sBAAsB;CACrI,SAAS,GAAG;CACZ,aAAa,OAAO;CACpB,IAAI,CAAC,gBAAgB,UAAU,SAAS,EACpC,MAAME,iBAAe,gDAA8CD,uBAAqB;CAE5F,MAAM,oBAAo
B,UAAU,KAAK,iBAAiB;CAC1D,uBAAuB,SAAS;CAChC,MAAM,OAAO,MAAM,oBAAoB,SAAS;CAChD,eAAa,KAAK,cAAc,+CAA2C,kBAAkB,EACzF,MAAM,MACT,CAAC;CACF,eAAa,KAAK,YAAY,6CAAyC,kBAAkB,EACrF,MAAM,MACT,CAAC;CACF,KAAK,aAAa,KAAK,WAAW,aAAa;CAC/C,IAAI,KAAK,eAAe,KAAA,GAAW;EAC/B,IAAI,YAAY,OAAO,KAAK,eAAe,WAAW,WAAW,KAAK,WAAW,GAAG,KAAK;EACzF,aAAa,WAAW,MAAM,6CAAyC,kBAAkB,EACrF,MAAM,MACT,CAAC;EACF,KAAK,aAAa;;CAEtB,IAAI,KAAK,kBAAkB,KAAA,GACvB,eAAa,KAAK,eAAe,gDAA4C,kBAAkB,EAC3F,MAAM,MACT,CAAC;CAEN,IAAI,KAAK,UAAU,KAAA,KAAa,OAAO,KAAK,UAAU,UAClD,MAAM,IAAI,yDAAqD,kBAAkB,EAAE,MAAM,MAAM,CAAC;CAEpG,IAAI,KAAK,aAAa,KAAA,GAAW;EAC7B,eAAa,KAAK,UAAU,2CAAuC,kBAAkB,EACjF,MAAM,MACT,CAAC;EACF,MAAM,iBAAiB;GAAC;GAAO;GAAO;GAAO;GAAO;GAAM;EAC1D,IAAI,OAAO,sBAAsB,MAC7B,eAAe,KAAK,YAAY;EAEpC,IAAI,OAAO,oBAAoB,KAAA,GAAW;GACtC,aAAa,OAAO,iBAAiB,MAAM,6BAA2B;GACtE,eAAe,KAAK,YAAY;;EAEpC,IAAI,iCAAiC,QACjC,eAAe,KAAK,GAAG,gCAAgC;EAE3D,MAAM,EAAE,QAAQ,QAAQ,MAAM,YAAY,KAAK,UAAU,sBAAsB,KAAK,KAAA,GAAW,OAAO,8BAA8B,GAAG,uCAAuC,QAAQ,EAAE,aAAa,OAAO,EAAE,kBAAkB,OAAO,EAAE,UAAU,CAC9O,KAAK,iBAAiB,KAAK,KAAA,GAAW,eAAe,CAAC,CACtD,KAAK,eAAe,KAAK,KAAA,GAAW,GAAG,CAAC,CACxC,KAAK,iBAAiB,KAAK,KAAA,GAAW,OAAO,UAAU,CAAC;EAC7D,IAAI,MAAM,QAAQ,OAAO,IAAI,IAAI,OAAO,IAAI,WAAW,GAAG;GACtD,IAAI,OAAO,QAAQ,KAAA,GACf,MAAM,IAAI,6EAA2E,sBAAsB;IAAE;IAAQ,OAAO;IAAO,CAAC;GAExI,IAAI,OAAO,QAAQ,OAAO,WACtB,MAAM,IAAI,8DAA4D,sBAAsB;IAAE,UAAU,OAAO;IAAW;IAAQ,OAAO;IAAO,CAAC;;EAGzJ,IAAI,OAAO,cAAc,KAAA,GACrB,aAAa,OAAO,WAAW,MAAM,gDAA8C,kBAAkB,EAAE,QAAQ,CAAC;EAEpH,QAAQ,IAAI,UAAU,IAAI;EAC1B,cAAc,IAAI,MAAM,OAAO;;CAEnC,IAAI,uBAAuB,KAAK,gBAAgB,KAAA,GAC5C,qBAAqB,KAAK,YAAY,UAAU,KAAK;MAEpD,IAAI,KAAK,eAAe,UAAU,KAAK,eAAe,UACvD,MAAM,IAAI,0BAA0B,kCAAkC,EAAE,OAAO,EAAE,MAAM,MAAM,EAAE,CAAC;CAEpG,OAAO;;AAEX,SAAS,8BAA8B,UAAU;CAC7C,IAAI;CACJ,IAAK,aAAa,+BAA+B,SAAS,EACtD,MAAM,IAAI,8BAA8B,yEAAyE;EAAE,OAAO;EAAY;EAAU,CAAC;;AAGzJ,eAAsB,4BAA4B,IAAI,QAAQ,UAAU,SAAS;CAC7E,OAAO,kCAAkC,IAAI,QAAQ,UAAU,KAAA,GAAW,UAAU,aAAa,SAAS,qBAAqB;;AAQnI,SAAS,iBAAiB,UAAU,QAAQ;CACxC,IAAI,MAAM,QAAQ,OAAO,OAAO,IAAI;MAC5B,CAAC,OAAO,OAAO,IAAI,SA
AS,SAAS,EACrC,MAAM,IAAI,iDAA+C,sBAAsB;GAC3E;GACA,QAAQ,OAAO;GACf,OAAO;GACV,CAAC;QAGL,IAAI,OAAO,OAAO,QAAQ,UAC3B,MAAM,IAAI,iDAA+C,sBAAsB;EAC3E;EACA,QAAQ,OAAO;EACf,OAAO;EACV,CAAC;CAEN,OAAO;;AAQX,SAAS,eAAe,IAAI,QAAQ;CAChC,MAAM,WAAW,GAAG,mBAAmB,OAAO,IAAI,GAAG;CACrD,IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,+CAA6C,sBAAsB;EACzE;EACA,QAAQ,OAAO;EACf,OAAO;EACV,CAAC;CAEN,OAAO;;AAEX,MAAM,0BAAU,IAAI,SAAS;AAC7B,SAAS,MAAM,cAAc;CACzB,QAAQ,IAAI,aAAa;CACzB,OAAO;;AAEX,MAAa,SAAS,QAAQ;AAC9B,eAAsB,8BAA8B,IAAI,QAAQ,sBAAsB,oBAAoB,aAAa,cAAc,SAAS;CAC1I,SAAS,GAAG;CACZ,aAAa,OAAO;CACpB,IAAI,CAAC,QAAQ,IAAI,mBAAmB,EAChC,MAAMC,iBAAe,0IAAqIF,wBAAsB;CAEpL,eAAa,aAAa,kBAAgB;CAC1C,MAAM,OAAO,sBAAsB,oBAAoB,OAAO;CAC9D,IAAI,CAAC,MACD,MAAM,IAAI,mDAAiD,iBAAiB;CAEhF,MAAM,aAAa,IAAI,gBAAgB,SAAS,qBAAqB;CACrE,WAAW,IAAI,gBAAgB,YAAY;CAC3C,WAAW,IAAI,QAAQ,KAAK;CAC5B,IAAI,iBAAiB,QAAQ;EACzB,eAAa,cAAc,mBAAiB;EAC5C,WAAW,IAAI,iBAAiB,aAAa;;CAEjD,OAAO,qBAAqB,IAAI,QAAQ,sBAAsB,sBAAsB,YAAY,QAAQ;;AAE5G,MAAM,gBAAgB;CAClB,KAAK;CACL,QAAQ;CACR,WAAW;CACX,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,OAAO;CACP,QAAQ;CACR,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,WAAW;CACd;AACD,SAAS,iBAAiB,UAAU,QAAQ;CACxC,KAAK,MAAM,SAAS,UAChB,IAAI,OAAO,OAAO,WAAW,KAAA,GACzB,MAAM,IAAI,QAAQ,MAAM,KAAK,cAAc,OAAO,kBAAkB,kBAAkB,EAClF,QAAQ,OAAO,QAClB,CAAC;CAGV,OAAO;;AAEX,MAAa,gBAAgB,QAAQ;AACrC,MAAa,oBAAoB,QAAQ;AACzC,eAAsB,iCAAiC,IAAI,QAAQ,UAAU,SAAS;CAClF,IAAI,OAAO,SAAS,kBAAkB,YAClC,OAAO,SAAS,WAAW,YAC3B,SAAS,gBACT,OAAO,uCAAuC,IAAI,QAAQ,UAAU,QAAQ,eAAe,QAAQ,QAAQ,QAAQ,aAAa,QAAQ,qBAAqB;CAEjK,OAAO,uCAAuC,IAAI,QAAQ,UAAU,UAAU,aAAa,SAAS,qBAAqB;;AAE7H,eAAe,uCAAuC,IAAI,QAAQ,UAAU,eAAe,QAAQ,WAAW,sBAAsB;CAChI,MAAM,2BAA2B,EAAE;CACnC,QAAQ,eAAR;EACI,KAAK,KAAA;GACD,gBAAgB;GAChB;EACJ,KAAK,eACD;EACJ;GACI,eAAa,eAAe,6BAA2B;GACvD,yBAAyB,KAAK,QAAQ;;CAE9C,WAAW,OAAO;CAClB,QAAQ,QAAR;EACI,KAAK,KAAA;GACD,SAAS;GACT;EACJ,KAAK,mBACD;EACJ;GACI,aAAa,QAAQ,MAAM,sBAAoB;GAC/C,yBAAyB,KAAK,YAAY;;CAElD,MAAM,SAAS,MAAM,kCAAkC,IAAI,QAAQ,UAAU,0BAA0B,WAAW,qBAAqB;CACvI,eAAa,OAAO,UAAU,2CAAuC,kBAAkB,EACnF,MAAM,QA
CT,CAAC;CACF,MAAM,SAAS,0BAA0B,OAAO;CAChD,IAAI,WAAW,mBAAmB;EAC9B,MAAM,MAAM,WAAW,GAAG,aAAa,OAAO;EAC9C,MAAM,YAAY,kBAAkB,OAAO;EAC3C,IAAI,OAAO,YAAY,SAAS,MAAM,WAClC,MAAM,IAAI,oEAAoE,qBAAqB;GAAE;GAAQ;GAAK;GAAW,OAAO;GAAa,CAAC;;CAG1J,IAAI,kBAAkB;MACd,OAAO,UAAU,KAAA,GACjB,MAAM,IAAI,6CAA2C,sBAAsB;GACvE,UAAU,KAAA;GACV;GACA,OAAO;GACV,CAAC;QAGL,IAAI,OAAO,UAAU,eACtB,MAAM,IAAI,6CAA2C,sBAAsB;EACvE,UAAU;EACV;EACA,OAAO;EACV,CAAC;CAEN,OAAO;;AAEX,eAAe,uCAAuC,IAAI,QAAQ,UAAU,WAAW,sBAAsB;CACzG,MAAM,SAAS,MAAM,kCAAkC,IAAI,QAAQ,UAAU,KAAA,GAAW,WAAW,qBAAqB;CACxH,MAAM,SAAS,0BAA0B,OAAO;CAChD,IAAI,QAAQ;EACR,IAAI,OAAO,oBAAoB,KAAA,GAAW;GACtC,aAAa,OAAO,iBAAiB,MAAM,6BAA2B;GACtE,MAAM,MAAM,WAAW,GAAG,aAAa,OAAO;GAC9C,MAAM,YAAY,kBAAkB,OAAO;GAC3C,IAAI,OAAO,YAAY,OAAO,kBAAkB,MAAM,WAClD,MAAM,IAAI,oEAAoE,qBAAqB;IAAE;IAAQ;IAAK;IAAW,OAAO;IAAa,CAAC;;EAG1J,IAAI,OAAO,UAAU,KAAA,GACjB,MAAM,IAAI,6CAA2C,sBAAsB;GACvE,UAAU,KAAA;GACV;GACA,OAAO;GACV,CAAC;;CAGV,OAAO;;AAEX,MAAa,6BAA6B;AAC1C,MAAa,sBAAsB;AACnC,MAAa,wBAAwB;AACrC,MAAa,+BAA+B;AAE5C,MAAa,cAAc;AAC3B,MAAa,mBAAmB;AAEhC,MAAa,uBAAuB;AACpC,MAAa,0BAA0B;AACvC,MAAa,yBAAyB;AACtC,MAAa,6BAA6B;AAC1C,MAAa,sBAAsB;AACnC,MAAa,uBAAuB;AACpC,MAAa,4BAA4B;AAEzC,MAAa,0BAA0B;AACvC,MAAa,0BAA0B;AA4CvC,SAAS,uBAAuB,UAAU;CACtC,IAAI,SAAS,UACT,MAAME,iBAAe,2CAAyCF,wBAAsB;;AAkL5F,eAAe,YAAY,KAAK,UAAU,WAAW,gBAAgB,YAAY;CAC7E,IAAI,EAAE,GAAG,iBAAiB,GAAG,SAAS,WAAW,IAAI,MAAM,IAAI;CAC/D,IAAI,WAAW,GACX,IAAI,eAAe,KAAA,GAAW;EAC1B,MAAM,MAAM,WAAW,IAAI;EAC3B,CAAC,CAAE,GAAG,iBAAiB,GAAG,SAAS,UAAW,IAAI,MAAM,IAAI;QAG5D,MAAM,IAAI,0BAA0B,oCAAoC,EAAE,OAAO,KAAK,CAAC;CAG/F,IAAI,WAAW,GACX,MAAM,IAAI,eAAe,kBAAkB,IAAI;CAEnD,IAAI;CACJ,IAAI;EACA,SAAS,KAAK,MAAM,IAAI,KAAK,gBAAgB,CAAC,CAAC;UAE5C,OAAO;EACV,MAAM,IAAI,6DAA6D,aAAa,MAAM;;CAE9F,IAAI,CAAC,aAAa,OAAO,EACrB,MAAM,IAAI,yCAAyC,kBAAkB,IAAI;CAE7E,SAAS,OAAO;CAChB,IAAI,OAAO,SAAS,KAAA,GAChB,MAAM,IAAI,0BAA0B,6DAA2D,EAC3F,OAAO,EAAE,QAAQ,EACpB,CAAC;CAEN,IAAI;CACJ,IAAI;EACA,SAAS,KAAK,MAAM,IAAI,KAAK,QAAQ,CAAC,CAAC;UAEpC,OAAO;EACV,MAAM,IAAI,8DAA8D,aAAa,MAAM;;CAE/F,IAAI,CAAC,aAAa,OAAO,E
ACrB,MAAM,IAAI,0CAA0C,kBAAkB,IAAI;CAE9E,MAAM,MAAM,WAAW,GAAG;CAC1B,IAAI,OAAO,QAAQ,KAAA,GAAW;EAC1B,IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,uDAAqD,kBAAkB,EAAE,QAAQ,CAAC;EAEhG,IAAI,OAAO,OAAO,MAAM,gBACpB,MAAM,IAAI,8FAA4F,qBAAqB;GAAE;GAAQ;GAAK,WAAW;GAAgB,OAAO;GAAO,CAAC;;CAG5L,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,iDAA+C,kBAAkB,EAAE,QAAQ,CAAC;;CAG9F,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,8CAA4C,kBAAkB,EAAE,QAAQ,CAAC;;CAG3F,IAAI,OAAO,QAAQ,KAAA,GAAW;EAC1B,IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,kDAAgD,kBAAkB,EAAE,QAAQ,CAAC;EAE3F,IAAI,OAAO,MAAM,MAAM,gBACnB,MAAM,IAAI,mDAAiD,qBAAqB;GAC5E;GACA;GACA,WAAW;GACX,OAAO;GACV,CAAC;;CAGV,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,OAAO,IAAI,EAC5D,MAAM,IAAI,gDAA8C,kBAAkB,EAAE,QAAQ,CAAC;;CAG7F,OAAO;EAAE;EAAQ;EAAQ,KAAK;EAAK;;AAwEvC,eAAe,cAAc,SAAS;CAClC,IAAI,QAAQ,UACR,MAAME,iBAAe,4DAA4DF,yBAAuB,EAAE,OAAO,SAAS,CAAC;CAE/H,OAAO,QAAQ,MAAM;;AAEzB,eAAsB,iBAAiB,SAAS;CAC5C,IAAI,QAAQ,WAAW,QACnB,MAAME,iBAAe,2DAA2DF,yBAAuB,EAAE,OAAO,SAAS,CAAC;CAE9H,IAAI,eAAe,QAAQ,KAAK,qCAC5B,MAAME,iBAAe,8FAA8FF,yBAAuB,EAAE,OAAO,SAAS,CAAC;CAEjK,OAAO,cAAc,QAAQ;;AAqIjC,SAAS,sBAAsB,QAAQ,QAAQ,UAAU,QAAQ;CAC7D,IAAI,WAAW,KAAA,GAAW;EACtB,IAAI,OAAO,WAAW,WAAW,OAAO,QAAQ,SAAS,CAAC,OAAO,SAAS,OAAO,IAAI,EACjF,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;GACX,CAAC;EAEN;;CAEJ,IAAI,MAAM,QAAQ,OAAO,EAAE;EACvB,IAAI,CAAC,OAAO,SAAS,OAAO,IAAI,EAC5B,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;GACX,CAAC;EAEN;;CAEJ,IAAI,aAAa,KAAA,GAAW;EACxB,IAAI,OAAO,aAAa,WAClB,OAAO,QAAQ,WACf,OAAO,aAAa,aAChB,CAAC,SAAS,OAAO,IAAI,GACrB,CAAC,SAAS,SAAS,OAAO,IAAI,EACpC,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;GACX,CAAC;EAEN;;CAEJ,MAAM,IAAI,sFAAoF,KAAA,GAAW;EAAE;EAAQ;EAAQ;EAAU,CAAC;;AAE1I,SAAS,sBAAsB,YAAY,MAAM;CAC7C,MAAM,EAAE,GAAG,OAAO,WAAW,WAAW,OAAO,KAAK;CACpD,IAAI,SAAS,GACT,MAAM,IAAI,IAAI,KAAK,yCAAyC,iBAAiB;CAEjF,OAAO;;AAEX,MAAa,iBAAiB,QAAQ;AACtC,MAAa,gBAAgB,QAAQ;AACrC,SAAgB,qBAAqB,IAAI,QAAQ,YAAY,eAAe;CACxE,SAAS,GAAG;CACZ,aAAa,OAAO;CACpB,IAAI,sBAAsB,KACtB
,aAAa,WAAW;CAE5B,IAAI,EAAE,sBAAsB,kBACxB,MAAME,iBAAe,iEAA+DD,uBAAqB;CAE7G,IAAI,sBAAsB,YAAY,WAAW,EAC7C,MAAM,IAAI,4GAA0G,kBAAkB,EAAE,YAAY,CAAC;CAEzJ,MAAM,MAAM,sBAAsB,YAAY,MAAM;CACpD,MAAM,QAAQ,sBAAsB,YAAY,QAAQ;CACxD,IAAI,CAAC,OAAO,GAAG,gDACX,MAAM,IAAI,+CAA6C,kBAAkB,EAAE,YAAY,CAAC;CAE5F,IAAI,OAAO,QAAQ,GAAG,QAClB,MAAM,IAAI,wDAAsD,kBAAkB;EAC9E,UAAU,GAAG;EACb;EACH,CAAC;CAEN,QAAQ,eAAR;EACI,KAAK,KAAA;EACL,KAAK;GACD,IAAI,UAAU,KAAA,GACV,MAAM,IAAI,uDAAqD,kBAAkB;IAC7E,UAAU,KAAA;IACV;IACH,CAAC;GAEN;EACJ,KAAK,gBACD;EACJ;GACI,eAAa,eAAe,6BAA2B;GACvD,IAAI,UAAU,eACV,MAAM,IAAI,UAAU,KAAA,IACd,yCACA,iDAA+C,kBAAkB;IAAE,UAAU;IAAe;IAAY,CAAC;;CAI3H,IADc,sBAAsB,YAAY,QACvC,EACL,MAAM,IAAI,2BAA2B,sDAAsD,EACvF,OAAO,YACV,CAAC;CAEN,MAAM,WAAW,sBAAsB,YAAY,WAAW;CAC9D,MAAM,QAAQ,sBAAsB,YAAY,QAAQ;CACxD,IAAI,aAAa,KAAA,KAAa,UAAU,KAAA,GACpC,MAAM,IAAI,0BAA0B,8CAA8C;CAEtF,OAAO,MAAM,IAAI,gBAAgB,WAAW,CAAC;;AAgYjD,eAAe,oBAAoB,UAAU,QAAQ,uBAAuB;CACxE,IAAI;CACJ,IAAI;EACA,OAAO,MAAM,SAAS,MAAM;UAEzB,OAAO;EACV,MAAM,SAAS;EACf,MAAM,IAAI,6CAA2C,aAAa,MAAM;;CAE5E,IAAI,CAAC,aAAa,KAAK,EACnB,MAAM,IAAI,gDAA8C,kBAAkB,EAAE,MAAM,MAAM,CAAC;CAE7F,OAAO;;AAGX,MAAa,oBAAoB,QAAQ;AACzC,MAAa,kBAAkB,QAAQ;;;ACr8EvC,IAAI;AACJ,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,EAAE;CAGxF,aAAa;CACb,UAAU,EAAE,cAAc,YAAY;;AAE1C,MAAM,OAAO,WAAW;CACpB,OAAO,MAAM,IAAI,OAAO;;AAE5B,IAAI;AAEJ,IAAI;AACJ,SAAgB,iBAAiB,cAAc;CAC3C,IAAI,iBAAiB,KAAA,GACjB,OAAOW,mBAAuB,aAAa;CAE/C,wBAAQ,IAAI,SAAS;CACrB,QAAQ,IAAI,QAAQ,MAAM,YAAY;EAClC,IAAI;EACJ,IAAI,EAAE,OAAO,IAAI,IAAI,OAAO,GAAG;GAC3B,aAAa,OAAO,eAAe,6BAA2B;GAC9D,OAAOA,mBAAuB,OAAO,cAAc;GACnD,IAAI,IAAI,QAAQ,KAAK;;EAEzB,OAAO,KAAK,IAAI,QAAQ,MAAM,QAAQ;;;AAG9C,SAAS,aAAa,OAAO,IAAI;CAC7B,IAAI,OAAO,UAAU,UACjB,MAAM,eAAe,GAAG,GAAG,oBAAoB,qBAAqB;CAExE,IAAI,MAAM,WAAW,GACjB,MAAM,eAAe,GAAG,GAAG,qBAAqB,sBAAsB;;AAiC9E,SAAgB,OAAO;CACnB,OAAOC,QAAY;;AAUvB,MAAa,cAAcC;AAI3B,MAAM,wBAAwB;AAC9B,MAAM,uBAAuB;AAC7B,SAAS,eAAe,SAAS,MAAM,OAAO;CAC1C,MAAM,MAAM,IAAI,UAAU,SAAS,EAAE,OAAO,CAAC;CAC7C,OAAO,OAAO,KAAK,EAAE,MAAM,CAAC;CAC5B,OAAO;;AAEX,SA
AgB,2BAA2B,cAAc;CACrD,OAAOC,6BAAiC,aAAa;;AAEzD,SAAgB,yBAAyB;CACrC,OAAOC,4BAAkC;;AAK7C,SAAgB,cAAc;CAC1B,OAAOC,qBAA2B;;AAEtC,IAAa,cAAb,cAAiC,MAAM;CACnC;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO,SAAS;EACrB,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzC,IAAI,aAAa;AACjC,SAAS,EAAE,KAAK,OAAO,MAAM;CACzB,OAAO,IAAI,YAAY,KAAK;EAAE;EAAO;EAAM,CAAC;;AAEhD,SAAS,aAAa,KAAK;CACvB,IAAI,eAAe,aACf,eAAe,eACf,eAAeC,qBACf,eAAeC,8BACf,eAAeC,+BACf,MAAM;CAEV,IAAI,eAAeC,0BACf,QAAQ,IAAI,MAAZ;EACI,KAAKC,wBACD,MAAM,EAAE,sCAAsC,KAAK,IAAI,KAAK;EAChE,KAAKC,4BACD,MAAM,EAAE,8CAA8C,KAAK,IAAI,KAAK;EACxE,KAAKC,yBACD,MAAM,EAAE,wCAAwC,IAAI,OAAO,IAAI,KAAK;EACxE,KAAKC,sBACD,MAAM,EAAE,oCAAoC,IAAI,OAAO,IAAI,KAAK;EACpE,KAAKC,aACD,MAAM,EAAE,yBAAyB,KAAK,IAAI,KAAK;EACnD,KAAKC,kBACD,MAAM,EAAE,gCAAgC,KAAK,IAAI,KAAK;EAC1D,KAAKC,sBACD,MAAM,EAAE,0CAA0C,KAAK,IAAI,KAAK;EACpE,KAAKC,2BACD,MAAM,EAAE,+CAA+C,KAAK,IAAI,KAAK;EACzE,KAAKC,qBACD,MAAM,EAAE,+CAA+C,KAAK,IAAI,KAAK;EACzE,SACI,MAAM,EAAE,IAAI,SAAS,KAAK,IAAI,KAAK;;CAG/C,IAAI,eAAeC,2BACf,MAAM,EAAE,yBAAyB,KAAK,IAAI,KAAK;CAEnD,IAAI,eAAe,cACf,QAAQ,IAAI,MAAZ;EACI,KAAK,kBACD,MAAM,EAAE,2BAA2B,KAAKC,sBAA4B;EACxE,KAAK,qBACD,MAAM,EAAE,iCAAiC,KAAKA,sBAA4B;EAC9E,KAAK,gBACD,MAAM,EAAE,uBAAuB,KAAK,gBAAgB;EACxD,KAAK,cACD,MAAM,EAAE,qBAAqB,KAAK,cAAc;;CAG5D,MAAM,IAAI,YAAY,wBAAwB,EAAE,OAAO,KAAK,CAAC;;AASjE,SAAS,cAAc,QAAQ,IAAI,SAAS;CACxC,IAAI,OAAO,WAAW,wCACjB,CAAC,SAAS,aAAa,QAAQ,cAAc,SAAS;EACvD,GAAG,YAAY;EACf,OAAO;;CAEX,OAAO;;AAEX,SAAS,eAAe,QAAQ,SAAS;CACrC,IAAI,OAAO,SAAS,SAAS,gBAAgB,KACxC,CAAC,SAAS,aAAa,QAAQ,cAAc,SAC9C,OAAO;CAEX,OAAO;;AAuDX,eAAsB,UAAU,QAAQ,UAAU,UAAU,sBAAsB,SAAS;CAEvF,MAAM,WAAW,IAAI,cAAc,MADlB,iBAAiB,QAAQ,QAAQ,EACX,UAAU,UAAU,qBAAqB;CAChF,IAAI,YAAY,IAAI,SAAS;CAC7B,IAAI,UAAU,cACV,UAAU,QAAQ,QAAQ;CAE9B,IAAI,SAAS,SACT,UAAU,UAAU,QAAQ;CAEhC,IAAI,SAAS,SACT,KAAK,MAAM,aAAa,QAAQ,SAC5B,UAAU,SAAS;CAG3B,OAAO;;AAEX,eAAe,iBAAiB,QAAQ,SAAS;CAC7C,IAAI,EAAE,kBAAkB,MACpB,MAAM,eAAe,yCAAuC,qBAAqB;CAErF,MAAM,UAAU,CAAC,OAAO,KAAK,SAAS,gBAAgB;CACtD,MAAM,UAAU,SAAS,WAAW;CACpC,
MAAM,SAAS,YAAY,QAAQ,UAAU,IAAK;CAClD,MAAM,KAAK,OAAO,UACZC,iBAAuB,QAAQ;EAC7B,WAAW,SAAS;GACnBnB,gBAAoB,UAAU;GAC9BoB,0BAA8B,SAAS,SAAS,SAAS,sBAAsB;EAChF;EACA,SAAS,IAAI,QAAQ,QAAQ;EAChC,CAAC,IACC,UAAU,gBAAgB,cAAc;EACvC,cAAoB,QAAQ,SAAS,SAAS,SAAS,sBAAsB,GAAG,QAAQ,KAAK;EAC7F,OAAO,OAAO;KACd,EAAE;EACF,SAAS,OAAO,YAAY,IAAI,QAAQ;GAAE,QAAQ;GAAoB,GAAG;GAAS,CAAC,CAAC,SAAS,CAAC;EAC9F,MAAM,KAAA;EACN,QAAQ;EACR,UAAU;EACV;EACH,CAAC,EACD,MAAM,aAAaC,yBAA+BC,mBAAyB,SAAS,CAAC,CACrF,MAAM,aAAa;CACxB,IAAI,WAAW,IAAI,IAAI,GAAG,OAAO,CAAC,SAAS,OAAO,MAC9C,cAAc,QAAQ,IAAI,QAAQ,IAC9B,eAAe,QAAQ,QAAQ,WACxB;EACH,MAAM,IAAI,YAAY,iEAAiE;GACnF,MAAM;GACN,OAAO;IACH,UAAU,OAAO;IACjB,MAAM;IACN,WAAW;IACd;GACJ,CAAC;KACF;CAEZ,OAAO;;AAkJX,SAAS,iBAAiB,UAAU;CAChC,OAAO,EACH,cAAc;EACV,WAAW;EACX,MAAM,SAAS,QAAQ;GACnB,OAAQ,SAAS,kCAAkC,SAAS,OAAO,KAAK;;EAE/E,EACJ;;AAEL,SAAS,iBAAiB,UAAU;CAChC,OAAO,iBAAiB,UAAU,iBAAiB,SAAS,CAAC;;AAEjE,MAAM,WAAW,QAAQ;AACzB,IAAa,gBAAb,MAA2B;CACvB,YAAY,QAAQ,UAAU,UAAU,sBAAsB;EAC1D,IAAI,OAAO,aAAa,YAAY,CAAC,SAAS,QAC1C,MAAM,eAAe,2CAAyC,qBAAqB;EAEvF,IAAI,OAAO,aAAa,UACpB,WAAW,EAAE,eAAe,UAAU;EAE1C,IAAI,UAAU,cAAc,KAAA,KAAa,aAAa,SAAS,WAC3D,MAAM,eAAe,4DAAwD,sBAAsB;EAEvG,MAAM,SAAS;GACX,GAAG,gBAAgB,SAAS;GAC5B,WAAW;GACd;EACD,OAAOC,aAAmB,WAAWA,cAAoB;EACzD,OAAOC,kBAAwB,WAAWA,mBAAyB;EACnE,IAAI;EACJ,IAAI,sBACA,OAAO;OAGP,IAAI,OAAO,OAAO,kBAAkB,YAChC,OAAO,cAAc,QACrB,OAAO,iBAAiB,OAAO,cAAc;OAG7C,OAAO,MAAM;EAGrB,IAAI,IAAI,OAAO,OAAO,OAAO;EAC7B,MAAM,QAAQ,gBAAgB,OAAO;EACrC,IAAI,YAAY,QACZ,MAAMC,oBAA0B,EAAE,QAAQ,EAAE,YAAY,OAAO,OAAO,QAAQ,cAAc,IAAI;EAEpG,IAAI,KAAK,OAAO,OAAO,MAAM;EAC7B,0BAAU,IAAI,SAAS;EACvB,MAAM,IAAI,MAAM;GACZ,WAAW;GACX;GACA;GACA;GACA,SAAS;GACT,WAAW,EAAE;GAChB,CAAC;;CAEN,iBAAiB;EACb,MAAM,WAAW,gBAAgB,IAAI,KAAK,CAAC,GAAG;EAC9C,iBAAiB,SAAS;EAC1B,OAAO;;CAEX,iBAAiB;EAEb,OADiB,gBAAgB,IAAI,KAAK,CAAC,EAC5B;;CAEnB,IAAI,UAAU;EACV,OAAO,IAAI,KAAK,CAAC;;CAErB,IAAI,QAAQ,OAAO;EACf,IAAI,KAAK,CAAC,UAAU;;CAExB,KAAK,eAAe;EAChB,OAAO,IAAI,KAAK,CAAC;;CAErB,KAAK,aAAa,OAAO;EACrB,IAAI,KAAK,CAAC,QAAQ;;;AAG1B,OAAO,OAAO,cAAc,UAAU;AACtC,SAAS,
WAAW,UAAU;CAC1B,IAAI,MAAM,KAAA;CACV,IAAI,SAAS,eAAe,KAAA,GAAW;EACnC,MAAM,sBAAM,IAAI,MAAM;EACtB,IAAI,WAAW,IAAI,YAAY,GAAG,SAAS,WAAW;EACtD,MAAM,IAAI,SAAS;;CAEvB,OAAO;EACH,WAAW;GACP,WAAW;GACX,QAAQ;IACJ,IAAI,KAAK;KACL,MAAM,MAAM,KAAK,KAAK;KACtB,IAAI,MAAM,KACN,OAAO,KAAK,OAAO,MAAM,OAAO,IAAK;KAEzC,OAAO;;;GAIlB;EACD,QAAQ;GACJ,WAAW;GACX,QAAQ;IACJ,IAAI;KACA,OAAOC,0BAAgC,KAAK;YAE1C;KACF;;;GAGX;EACJ;;AAEL,SAAS,WAAW,UAAU;CAC1B,OAAO,iBAAiB,UAAU,WAAW,SAAS,CAAC;;AA4O3D,SAAgB,sBAAsB,QAAQ;CAC1C,IAAI,OAAO,CAAC,UAAU;;AA2H1B,SAAS,YAAY,KAAK;CACtB,MAAM,IAAI,IAAI,IAAI;CAClB,IAAI,SAAS;CACb,IAAI,OAAO;CACX,OAAO,IAAI;;AAEf,SAAS,cAAc,OAAO,aAAa;CACvC,IAAI;EACA,OAAO,OAAO,eAAe,MAAM,CAAC,OAAO,iBAAiB;SAE1D;EACF,OAAO;;;AAGf,eAAsB,uBAAuB,QAAQ,YAAY,QAAQ,yBAAyB,SAAS;CACvG,YAAY,OAAO;CACnB,IAAI,SAAS,SAAS,SAClB,EAAE,sBAAsB,QACxB,CAAC,cAAc,YAAY,UAAU,EACrC,MAAM,eAAe,yDAAuD,qBAAqB;CAErG,IAAI;CACJ,IAAI;CACJ,MAAM,EAAE,IAAI,GAAG,MAAM,OAAO,SAAS,MAAM,QAAQ,gBAAgB,SAAS,SAAS,aAAa,IAAI,OAAO;CAC7G,IAAI,SAAS,SAAS,OAAO;EACzB,eAAe,QAAQ;EACvB,cAAc,QAAQ;QAErB;EACD,IAAI,EAAE,sBAAsB,MAAM;GAC9B,MAAM,UAAU;GAChB,aAAa,IAAI,IAAI,WAAW,IAAI;GACpC,QAAQ,QAAQ,QAAhB;IACI,KAAK,OACD;IACJ,KAAK;KACD,MAAM,SAAS,IAAI,gBAAgB,MAAMC,iBAAuB,QAAQ,CAAC;KACzE,IAAI,QACA,WAAW,OAAO,OAAO,UAAU;UAGnC,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,SAAS,EACjC,WAAW,aAAa,OAAO,GAAG,EAAE;KAG5C;IACJ,SACI,MAAM,eAAe,kCAAkC,sBAAsB;;;EAGzF,cAAc,YAAY,WAAW;EACrC,QAAQ,MAAR;GACI,KAAK,CAAC,CAAC;IACH,eAAe,MAAM,KAAK,YAAY,QAAQ,cAAc;IAC5D;GACJ,KAAK,CAAC,CAAC;IACH,eAAe,MAAM,OAAO,YAAY,QAAQ,eAAe,QAAQ,eAAe,QAAQ,OAAO;IACrG;GACJ,KAAK,CAAC,CAAC,UACH,MAAM,IAAI,UAAU,4EAA4E;GACpG,SACI,IAAI;IACA,eAAeC,qBAA2B,IAAI,GAAG,WAAW,cAAc,QAAQ,cAAc;YAE7F,KAAK;IACR,aAAa,IAAI;;;;CAIjC,MAAM,WAAW,MAAMC,8BACY,IAAI,GAAG,MAAM,cAAc,aAAa,QAAQ,oBAAoBC,QAAc;EACjH,sBAAsB;GACrB9B,gBAAoB;GACpBoB,0BAA8B,CAAC;EAChC,MAAM,SAAS;EACf,SAAS,IAAI,QAAQ,QAAQ;EAC7B,QAAQ,OAAO,QAAQ;EAC1B,CAAC,CACG,MAAM,aAAa;CACxB,IAAI,OAAO,QAAQ,kBAAkB,YACjC,OAAO,QAAQ,WAAW,UAC1B,OAAO,kBAAkB;CAE7B,MAAM,IAAIW,iCAAuC,IAAI,GAAG,UAAU;EAC9D,eAAe,QAAQ;EACvB,QAAQ,QAAQ;E
AChB,gBAAgB,QAAQ;GACvBC,aAAmB;EACvB,CAAC;CACF,IAAI;CACJ,IAAI;EACA,SAAS,MAAM;UAEZ,KAAK;EACR,IAAI,UAAU,KAAK,QAAQ,EACvB,OAAO,uBAAuB,QAAQ,KAAA,GAAW,QAAQ,yBAAyB;GAC9E,GAAG;GACH,MAAM;GACQ;GACD;GAChB,CAAC;EAEN,aAAa,IAAI;;CAErB,OAAO,YAAa,MAAM,iBAAiB,SAAS;CACpD,WAAW,OAAO;CAClB,OAAO;;AAkCX,eAAsB,kBAAkB,QAAQ,cAAc,YAAY,SAAS;CAC/E,YAAY,OAAO;CACnB,aAAa,IAAI,gBAAgB,WAAW;CAC5C,MAAM,EAAE,IAAI,GAAG,MAAM,OAAO,SAAS,gBAAgB,SAAS,YAAY,IAAI,OAAO;CACrF,MAAM,WAAW,MAAMC,yBACO,IAAI,GAAG,MAAM,cAAc;GACpDjC,gBAAoB;GACpBoB,0BAA8B,CAAC;EAChC,sBAAsB;EACtB,MAAM,SAAS;EACf,SAAS,IAAI,QAAQ,QAAQ;EAC7B,QAAQ,OAAO,QAAQ;EAC1B,CAAC,CACG,MAAM,aAAa;CACxB,MAAM,IAAIc,4BAAkC,IAAI,GAAG,UAAU,GACxDF,aAAmB,SACvB,CAAC;CACF,IAAI;CACJ,IAAI;EACA,SAAS,MAAM;UAEZ,KAAK;EACR,IAAI,UAAU,KAAK,QAAQ,EACvB,OAAO,kBAAkB,QAAQ,cAAc,YAAY;GACvD,GAAG;GACH,MAAM;GACT,CAAC;EAEN,aAAa,IAAI;;CAErB,OAAO,YAAa,MAAM,iBAAiB,SAAS;CACpD,WAAW,OAAO;CAClB,OAAO;;AAgCX,SAAgB,sBAAsB,QAAQ,YAAY;CACtD,YAAY,OAAO;CACnB,MAAM,EAAE,IAAI,GAAG,SAAS,QAAQ,MAAM,aAAa,IAAI,OAAO;CAC9D,MAAM,wBAAwBG,gBAAsB,IAAI,0BAA0B,OAAO,QAAQ;CACjG,aAAa,IAAI,gBAAgB,WAAW;CAC5C,IAAI,CAAC,WAAW,IAAI,YAAY,EAC5B,WAAW,IAAI,aAAa,EAAE,UAAU;CAE5C,IAAI,CAAC,WAAW,IAAI,cAAc,IAAI,CAAC,WAAW,IAAI,UAAU,EAAE;EAC9D,IAAI,CAAC,WAAW,IAAI,gBAAgB,EAChC,WAAW,IAAI,iBAAiB,SAAS,kBAAkB,WAAW,aAAa,OAAO;EAE9F,IAAI,YAAY,CAAC,WAAW,IAAI,QAAQ,EACpC,MAAM,eAAe,2GAA2G,sBAAsB;EAE1J,IAAI,MACA,WAAW,IAAI,iBAAiB,MAAM;;CAG9C,KAAK,MAAM,CAAC,GAAG,MAAM,WAAW,SAAS,EACrC,sBAAsB,aAAa,OAAO,GAAG,EAAE;CAEnD,OAAO;;AA4CX,SAAgB,mBAAmB,QAAQ,YAAY;CACnD,YAAY,OAAO;CACnB,MAAM,EAAE,IAAI,GAAG,YAAY,IAAI,OAAO;CACtC,MAAM,qBAAqBA,gBAAsB,IAAI,wBAAwB,OAAO,QAAQ;CAC5F,aAAa,IAAI,gBAAgB,WAAW;CAC5C,IAAI,CAAC,WAAW,IAAI,YAAY,EAC5B,WAAW,IAAI,aAAa,EAAE,UAAU;CAE5C,KAAK,MAAM,CAAC,GAAG,MAAM,WAAW,SAAS,EACrC,mBAAmB,aAAa,OAAO,GAAG,EAAE;CAEhD,OAAO;;AAEX,SAAS,YAAY,OAAO;CACxB,IAAI,EAAE,iBAAiB,gBACnB,MAAM,eAAe,mDAAiD,qBAAqB;CAE/F,IAAI,OAAO,eAAe,MAAM,KAAK,cAAc,WAC/C,MAAM,eAAe,4CAA4C,sBAAsB;;AAG/F,SAAS,OAAO,SAAS;CACrB,OAAO,UAAU,YAAY,QAAQ,UAAU,IAAK,GAAG,KAAA;;AAkC3D,SAAS,UAAU,KAAK,S
AAS;CAC7B,IAAI,SAAS,QAAQ,QAAQ,SAAS,OAClC,OAAOC,iBAAuB,IAAI;CAEtC,OAAO;;AAuBX,MAAM,QAAQ,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACjsCtB,MAAa,SAAS,YAAiD;CACrE,OAAO,gBAAgB,eAAe,QAAQ;;AA8MhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,mBAAsC,QAAQ,iBAAiB;CAC/D,mBAAsC,QAAQ,iBAAiB;CAE/D;CACA;CAEA,IAAW,QAAmC;EAC5C,OAAO,KAAK;;;;;CAMd,MAAa,WAA+C;EAC1D,IAAI,KAAK,aACP,OAAO,KAAK;EAGd,IAAI,KAAK,kBAAkB;GACzB,KAAK,cAAc,MAAM,KAAK,kBAAkB;GAChD,KAAK,mBAAmB,KAAA;GACxB,OAAO,KAAK;;;CAMhB,IAAW,OAAO;EAChB,OAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,SAAsC;EAC/C,IAAI,YAAY,KAAK,SACnB,OAAO,KAAK,QAAQ;;CAKxB,IAAW,WAAmB;EAC5B,MAAM,OAAO,KAAK,OAAO,gBAAgB,CAAC;EAC1C,IAAI,CAAC,MACH,MAAM,IAAI,YAAY,8CAA8C;EAEtE,OAAO;;CAGT,IAAW,QAA4B;EACrC,IAAI,WAAW,KAAK,SAClB,OAAO,KAAK,QAAQ,MAAM;EAE5B,IAAI,UAAU,KAAK,SACjB,OAAO,KAAK,QAAQ,KAAK,SAAS;EAEpC,MAAM,IAAI,YACR,kEACD;;CAGH,IAAW,eAAe;EACxB,IAAI,WAAW,KAAK,SAClB,OAAO,KAAK,QAAQ,MAAM;EAE5B,IAAI,UAAU,KAAK,SACjB,OAAO,KAAK,QAAQ,KAAK;EAE3B,MAAM,IAAI,YACR,kEACD;;;;;;CAOH,MAAa,QACX,cACA,aAC8B;EAC9B,IAAI,YAAY,KAAK,SACnB,OAAO,KAAK,QAAQ,OACjB,aAAa,cAAc,YAAY,CACvC,MAAM,OAAO,GAAG,OAAO,CACvB,OAAO,UAAU;GAChB,MAAM,IAAI,cACR,mEACA,EACE,OAAO,OACR,CACF;IACD;EAGN,MAAM,QAAQ,MAAM,KAAK,UAAU;EACnC,IAAI,OACF,IAAI;GACF,OAAO;IACL,GAAI,MAAM,kBAAkB,OAAO,aAAa;IAChD,WAAW,KAAK,iBAAiB,KAAK,CAAC,MAAM;IAC9C;WACM,OAAO;GACd,MAAM,IAAI,cACR,mEACA,EACE,OAAO,OACR,CACF;;EAIL,MAAM,IAAI,YACR,8EACD;;;;;;;;;;;CAYH,MAAa,KACX,QACA,iBACsB;EACtB,IAAI;GACF,IAAI,WAAW,KAAK,SAAS;IAC3B,MAAM,UAAU;KACd,GAAG;KACH,GAAI,MAAM,KAAK,QAAQ,MAAM,SAAS,OAAO;KAC9C;IAED,IAAI,KAAK,QAAQ,MAAM,SACrB,OAAO,KAAK,QAAQ,MAAM,QAAQ;KAChC,GAAG;KACH,MAAM;KACP,CAAC;IAGJ,OAAO,KAAK,iBAAiB,sBAAsB,QAAQ;;GAG7D,IAAI,UAAU,KAAK,SAAS;IAC1B,MAAM,UAAU;KACd,GAAG;KACH,GAAG,KAAK,mBAAmB,OAAO,YAAY,GAAG;KAClD;IAED,IAAI,KAAK,QAAQ,KAAK,SACpB,OAAO,KAAK,QAAQ,KAAK,QAAQ;KAC/B,GAAG;KACH,MAAM;KACP,CAAC;IAGJ,OAAO,KAAK,iBAAiB,sBAAsB,QAAQ;;WAEtD,OAAO;GACd,MAAM,IAAI,cACR,wDACA,EACE,OAAO,OACR,CACF;;EAGH,MAAM,IAAI,YACR,mEACD;;CAUH,mBAA6B,SAAgC;EAC3D,IAAI;GACF,OAAO,KAAK,MACV,OAAO,KAAK,QAAQ,MAAM,I
AAI,CAAC,IAAI,SAAS,CAAC,SAAS,OAAO,CAC9D;WACM,OAAO;GACd,MAAM,IAAI,YAAY,oCAAoC,EACxD,OAAO,OACR,CAAC;;;CAIN,MAAa,UAAU;EACrB,IAAI,UAAU,KAAK,SAAS;GAC1B,MAAM,EAAE,SAAS,KAAK;GAEtB,MAAM,eAAe,YAAY;IAC/B,MAAM,UAAkD,EAAE;IAC1D,QAAQ,KAAK,sBAAsB;IAEnC,OAAO,UACL,IAAI,IAAI,KAAK,OAAO,EACpB,KAAK,UACL,EACE,eAAe,KAAK,cACrB,EACD,KAAA,GACA,EACE,SACD,CACF;;GAIH,IAAI,KAAK,OAAO,cAAc,IAAI,CAAC,KAAK,OAAO,cAAc,EAC3D,KAAK,mBAAmB;QAExB,KAAK,cAAc,MAAM,cAAc;;EAI3C,IAAI,WAAW,KAAK,SAAS;GAC3B,MAAM,EAAE,UAAU,KAAK;GAEvB,KAAK,cAAc,IAAI,cACrB;IACE,wBAAwB,MAAM;IAC9B,gBAAgB,MAAM;IACtB,QAAQ,MAAM;IAEd,UAAU,KAAA;IACV,sBAAsB,KAAA;IACvB,EACD,MAAM,UACN,EACE,eAAe,MAAM,cACtB,CACF;;;;AAKP,MAAM,QAAQ;;;AC7fd,MAAa,yBAAyB;CACpC,OAAO;CACP,UAAU;CACV,QAAQ;CACR,OAAO;CACP,SAAS;CACT,UAAU;CACX;;;ACJD,MAAa,eAAe,EAAE,OAAO;CACnC,UAAU,EAAE,MAAM;CAClB,cAAc,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC;CACtC,WAAW,EAAE,QAAQ;CACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CAClC,eAAe,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;CACnD,0BAA0B,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChD,oBAAoB,EAAE,SACpB,EAAE,OAAO,EACP,aACE,8EACH,CAAC,CACH;CACD,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;CAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC;CAC5B,CAAC;;;ACbF,MAAa,sBAAsB,EAAE,OAAO,cAAc;CACxD,MAAM;CACN,KAAK;CACN,CAAC;;;ACJF,MAAa,yBAAyB,EAAE,OAAO;CAC7C,MAAM,EAAE,SAAS,sBAAsB;CACvC,KAAK;CACN,CAAC;;;AC4BF,IAAa,qBAAb,MAAgC;CAC9B,MAAyB,SAAS;CAClC,SAA4B,QAAQ,OAAO;CAC3C,wBAA2C,QAAQ,sBAAsB;CACzE,mBAAsC,QAAQ,iBAAiB;CAC/D,sBAAyC,QAAQ,oBAAoB;;;;;;;;;CAUrE,oBAA8B,KAAqB;EACjD,IAAI,IAAI,WAAW,IAAI,IAAI,CAAC,IAAI,WAAW,KAAK,EAC9C,OAAO;EAET,MAAM,SAAS,KAAK,OAAO,IAAI;EAC/B,IAAI,OAAO,WAAW,YAAY,QAChC,IAAI;GACF,MAAM,SAAS,IAAI,IAAI,IAAI;GAC3B,MAAM,aAAa,OAAO,WAAW,IAAI,GAAG,OAAO,MAAM,EAAE,GAAG;GAC9D,IAAI,OAAO,aAAa,UAAU,OAAO;GACzC,IAAI,OAAO,SAAS,YAAY,OAAO;GACvC,IAAI,OAAO,KAAK,SAAS,IAAI,aAAa,EAAE,OAAO;UAC7C;EAIV,OAAO;;CAGT,IAAW,aAAmC;EAC5C,OAAO,KAAK,OACT,WAAW,MAAM,CACjB,QAAQ,SAAS,CAAC,KAAK,QAAQ,SAAS;;CAG7C,oBAAuC,QAAQ;EAC7C,MAAM;EACN,KAAK,CAAC,IAAI,UAAU;EACpB,UAAU;EACV,SAAS;EACT,QAAQ,EAAE,OAAO;GACf,UAAU,EAAE,MAAM;GAClB
,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC;GAC3B,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;GAClD,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;GACjD,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;GAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC;GAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC;GAC5B,CAAC;EACH,CAAC;CAEF,SAAyB,QAAQ;EAC/B,MAAM;EACN,KAAK,CAAC,IAAI,OAAO;EACjB,UAAU;EACV,UAAU;EACV,SAAS;EACT,QAAQ;EACT,CAAC;CAEF,YAA+B,MAAM;EACnC,IAAI;EACJ,SAAS,YAAY;GACnB,KAAK,MAAM,YAAY,KAAK,YAC1B,MAAM,SAAS,SAAS;;EAG7B,CAAC;;;;CAKF,YAA+B,MAAM;EACnC,IAAI;EACJ,OAAO,KAAK;EACZ,SAAS,OAAO,EAAE,cAAc;GAC9B,MAAM,UAAU,QAAQ;GAGxB,IAAI,SAAS;IACX,MAAM,SAAS,MAAM,KAAK,gBAAgB,QAAQ;IAClD,IAAI,QAAQ;KACV,QAAQ,QAAQ,gBAAgB,UAAU,KAAK,mBAAmB,OAAO;KACzE,KAAK,IAAI,MAAM,uCAAuC,EACpD,UAAU,OAAO,UAClB,CAAC;;;GAKN,IAAI,CAAC,QAAQ,QAAQ;SACd,MAAM,YAAY,KAAK,YAC1B,IAAI,cAAc,SAAS,WAAW,SAAS,QAAQ,UAAU;KAC/D,MAAM,QAAQ,MAAM,SAAS,QAAQ,UAAU;KAC/C,IAAI,OAAO;MACT,QAAQ,QAAQ,gBAAgB,UAAU;MAC1C;;;;;EAMX,CAAC;;;;CAOF,WAA2B,OAAO;EAChC,MAAM,uBAAuB;EAC7B,KAAK,EAAE;EACP,QAAQ,EACN,UAAU,wBACX;EACD,SAAS,OAAO,EAAE,MAAM,SAAS,cAAc;GAC7C,MAAM,SAAS,KAAK,UAAU,QAAQ;GACtC,IAAI,QAAQ;IACV,MAAM,WAAW,KAAK,SAAS,OAAO;IACtC,IAAI,EAAE,YAAY,SAAS,UAAU;KACnC,MAAM,OAAO,MAAM,SAAS,KAAK,OAAO;KAKxC,OAAO;MACL,KAAA,MALgB,KAAK,oBAAoB,gBAAgB;OACzD,eAAe,QAAQ;OACvB;OACD,CAAC;MAGA;MACD;;;GASL,OAAO;IACL,KAAA,MANgB,KAAK,oBAAoB,gBAAgB;KACzD,eAAe,QAAQ;KACvB;KACD,CAAC;IAIA;IACD;;EAEJ,CAAC;;;;CAKF,UAA0B,OAAO;EAC/B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ;GACN,OAAO,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,EACnB,CAAC;GACF,MAAM,EAAE,OAAO;IACb,eAAe,EAAE,KAAK,EACpB,MAAM,QACP,CAAC;IACF,cAAc,EAAE,SACd,EAAE,KAAK;KACL,MAAM;KACN,aACE;KACH,CAAC,CACH;IACF,CAAC;GACF,UAAU;GACX;EACD,SAAS,OAAO,EAAE,OAAO,MAAM,cAAc;GAC3C,MAAM,WAAW,KAAK,SAAS,MAAM;GAErC,MAAM,SAAS;IACb,UAAU,MAAM;IAChB,GAAI,MAAM,SAAS,QAAQ,KAAK,eAAe,KAAK,aAAa;IAClE;GAGD,KAAK,UAAU,QAAQ,QAAQ;GAE/B,OAAO;;EAEV,CAAC;;;;CAKF,QAAwB,OAAO;EAC7B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ;GACN,OAAO,EAAE,OAAO;IACd,UAAU,EAAE,MAAM;IAClB,OAAO,EAAE,SACP,EAAE,KAAK,EAAE,aAAa,qCAAqC,CAAC,CAC7D
;IACF,CAAC;GACF,MAAM,EAAE,OAAO;IACb,UAAU,EAAE,MAAM;IAClB,UAAU,EAAE,MAAM;IACnB,CAAC;GACF,UAAU;GACX;EACD,SAAS,OAAO,EAAE,OAAO,MAAM,cAAc;GAC3C,MAAM,WAAW,KAAK,SAAS;IAC7B,UAAU,MAAM;IAChB,OAAO,MAAM;IACd,CAAC;GAEF,MAAM,SAAS,SAAS;GACxB,IAAI,CAAC,QACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,mCAClC;GAGH,MAAM,cACJ,iBAAiB,SAAS,WAAW,SAAS,QAAQ;GAExD,IAAI,CAAC,aACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,mCAClC;GAGH,IAAI;GACJ,IAAI;IACF,OAAO,MAAM,YAAY,QAAQ,KAAK;YAC/B,GAAG;IACV,IAAI,aAAa,yBACf,MAAM;IAER,KAAK,IAAI,MAAM,+BAA+B,EAAE;IAChD,MAAM,IAAI,yBAAyB;;GAGrC,IAAI,CAAC,MACH,MAAM,IAAI,yBAAyB;GAGrC,MAAM,SAAS;IACb,UAAU,MAAM;IAChB,GAAI,MAAM,OAAO,YAAY,KAAK;IACnC;GAGD,KAAK,UAAU,QAAQ,QAAQ;GAE/B,MAAM,MAAM,MAAM,KAAK,oBAAoB,gBAAgB,EACzD,MACD,CAAC;GAGF,OAAO;IACL,GAAG;IACH;IACA;IACD;;EAEJ,CAAC;;;;CAKF,QAAwB,OAAO;EAC7B,MAAM,uBAAuB;EAC7B,QAAQ,EACN,OAAO,EAAE,OAAO;GACd,UAAU,EAAE,MAAM;GAClB,OAAO,EAAE,SACP,EAAE,KAAK,EAAE,aAAa,qCAAqC,CAAC,CAC7D;GACD,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC,CAAC;GACnD,CAAC,EACH;EACD,SAAS,OAAO,EAAE,OAAO,KAAK,OAAO,cAAc;GACjD,MAAM,WAAW,QAAQ,UACrB,IAAI,IAAI,QAAQ,QAAQ,CAAC,WAAW,IAAI,IAAI,QAAQ,QAAQ,CAAC,SAC7D,KAAA;GAEJ,MAAM,WAAW,KAAK,SAAS;IAC7B,UAAU,MAAM;IAChB,OAAO,MAAM;IACd,CAAC;GACF,MAAM,QAAQ,MAAM,SAAS,UAAU;GACvC,IAAI,CAAC,OACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,2BAClC;GAGH,MAAM,QAAQ,SAAS;GACvB,IAAI,eACF,SAAS,gBAAgB,uBAAuB;GAClD,IAAI,aAAa,WAAW,IAAI,EAC9B,eAAe,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO;GAGhD,MAAM,OAAO,UAAU,SAAS,WAAW,SAAS,QAAQ;GAE5D,IAAI,CAAC,MAAM,gBAAgB,CAAC,cAAc,EAAE;IAC1C,MAAM,QAAQ,aAAa;IAC3B,MAAM,aAAqC;KACzC;KACA;KACD;IAED,IAAI,MACF,WAAW,QAAQ,aAAa;IAGlC,IAAI,OACF,WAAW,QAAQ;IAIrB,IAAI,QAAQ,KAAK,cACf,WAAW,gBAAgB,KAAK;IAIlC,IAAI,QAAQ,KAAK,yBACf,OAAO,OAAO,YAAY,KAAK,wBAAwB;IAGzD,KAAK,kBAAkB,IAAI;KACzB;KACA,OAAO,WAAW;KAClB,aAAa,KAAK,oBAAoB,MAAM,gBAAgB,IAAI;KAChE;KACA,UAAU,MAAM;KAChB,OAAO,MAAM;KACd,CAAC;IAEF,MAAM,SACJ,sBAAsB,OAAO,WAAW,CAAC,UAAU,EACnD,IACD;IACD;;GAWF,MAAM,eAAe,wBAAwB;GAC7C,MAAM,gBAAgB,MAAM,2BAA2B,aAAa;GAEpE,MAAM,aAAqC;IACzC;IACA,gBAAgB;IAChB,uBAAuB;IACxB;GAED,IAAI,OACF,WAAW
,QAAQ;GAIrB,IAAI,QAAQ,KAAK,cACf,WAAW,gBAAgB,KAAK;GAIlC,IAAI,QAAQ,KAAK,yBACf,OAAO,OAAO,YAAY,KAAK,wBAAwB;GAGzD,KAAK,kBAAkB,IAAI;IACzB;IACA,aAAa,KAAK,oBAAoB,MAAM,gBAAgB,IAAI;IAChE;IACA,UAAU,MAAM;IAChB,OAAO,MAAM;IACd,CAAC;GAEF,MAAM,SAAS,sBAAsB,OAAO,WAAW,CAAC,UAAU,EAAE,IAAI;;EAE3E,CAAC;;;;;;;CAQF,MAAgB,uBACd,KAC8C;EAC9C,IAAI;GAEF,MAAM,aAAY,MADC,IAAI,UAAU,EACV,IAAI,OAAO;GAClC,IAAI,OAAO,cAAc,UACvB;GAEF,MAAM,SAAS,KAAK,MAAM,UAAU;GAIpC,MAAM,UAAmC,EAAE;GAC3C,IAAI,OAAO,MAAM,WACf,QAAQ,aAAa,OAAO,KAAK;GAEnC,IAAI,OAAO,MAAM,UACf,QAAQ,cAAc,OAAO,KAAK;GAEpC,IAAI,OAAO,MAAM,aAAa,OAAO,MAAM,UACzC,QAAQ,OAAO,CAAC,OAAO,MAAM,WAAW,OAAO,MAAM,SAAS,CAC3D,OAAO,QAAQ,CACf,KAAK,IAAI;GAEd,IAAI,OAAO,OACT,QAAQ,QAAQ,OAAO;GAEzB,OAAO,OAAO,KAAK,QAAQ,CAAC,SAAS,IAAI,UAAU,KAAA;WAC5C,GAAG;GACV,KAAK,IAAI,KAAK,wDAAwD,EAAE;GACxE;;;;;;;;CASJ,MAAgB,eACd,KACA,OACA,SACA,KACA;EACA,MAAM,oBAAoB,KAAK,kBAAkB,IAAI,EAAE,SAAS,CAAC;EACjE,IAAI,CAAC,mBACH,MAAM,IAAI,gBAAgB,wBAAwB;EAGpD,MAAM,WAAW,KAAK,SAAS,kBAAkB;EACjD,MAAM,QAAQ,MAAM,SAAS,UAAU;EACvC,IAAI,CAAC,OACH,MAAM,IAAI,cACR,kBAAkB,SAAS,KAAK,2BACjC;EAGH,MAAM,cAAc,kBAAkB,eAAe;EACrD,MAAM,WAAW,kBAAkB;EAOnC,IAAI,aAA4B;EAChC,IAAI;EACJ,IAAI,KAAK,KAAK,OAAO,IAAI,IAAI,IAAI,WAAW,QAAQ;GAClD,MAAM,SAAS,IAAI,IAAI,IAAI,OAAO;GAClC,aAAa,IAAI,IAAI;GACrB,kBAAkB,MAAM,KAAK,uBAAuB,OAAO;;EAG7D,MAAM,iBAAiB,MAAM,uBAAuB,OAAO,YAAY;GACrE,kBAAkB,kBAAkB;GACpC,eAAe,kBAAkB;GACjC,eAAe,kBAAkB;GAClC,CAAC,CACC,MAAM,YAAY;GACjB,WAAW,KAAK,iBAAiB,KAAK,CAAC,MAAM;GAC7C,UAAU,SAAS;GACnB,GAAG;GACJ,EAAE,CACF,OAAO,MAAM;GACZ,KAAK,IAAI,MAAM,8BAA8B,EAAE;GAC/C,MAAM,IAAI,cAAc,8BAA8B,EACpD,OAAO,GACR,CAAC;IACF;EAEJ,KAAK,kBAAkB,IAAI,EAAE,SAAS,CAAC;EAEvC,MAAM,SAAS,SAAS;EAGxB,IAAI,CAAC,QAAQ;GACX,KAAK,UAAU,gBAAgB,QAAQ;GACvC,MAAM,SAAS,aAAa,IAAI;GAChC;;EAKF,IAAI;EACJ,IAAI;GACF,OAAO,MAAM,SAAS,KAAK,gBAAgB,gBAAgB;WACpD,GAAG;GACV,KAAK,IAAI,KAAK,iCAAiC,EAAE;GAEjD,MAAM,WAAW,IAAI,IADD,YAAY,aACM,IAAI,OAAO;GACjD,SAAS,aAAa,IACpB,SACA,aAAa,kBAAkB,EAAE,UAAU,wBAC5C;GACD,MAAM,SAAS,SAAS,WAAW,SAAS,QAAQ,IAAI;GACxD;;EAGF,MAAM,SAAS,MAAM,OAAO,YAAY,KAAK;EAE
7C,KAAK,UACH;GACE,GAAG;GACH,WAAW,KAAK,iBAAiB,KAAK,CAAC,MAAM;GAC7C,UAAU,SAAS;GACpB,EACD,QACD;EAED,MAAM,SAAS,aAAa,IAAI;;;;;;CAOlC,WAA2B,OAAO;EAChC,MAAM,uBAAuB;EAC7B,SAAS,OAAO,EAAE,KAAK,OAAO,cAAc;GAC1C,MAAM,KAAK,eAAe,KAAK,OAAO,QAAQ;;EAEjD,CAAC;;;;;CAMF,eAA+B,OAAO;EACpC,MAAM,uBAAuB;EAC7B,QAAQ;EACR,SAAS,OAAO,EAAE,KAAK,OAAO,SAAS,UAAU;GAC/C,MAAM,KAAK,eAAe,KAAK,OAAO,SAAS,IAAI;;EAEtD,CAAC;;;;CAKF,SAAyB,OAAO;EAC9B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ,EACN,OAAO,EAAE,OAAO,EACd,0BAA0B,EAAE,SAAS,EAAE,MAAM,CAAC,EAC/C,CAAC,EACH;EACD,SAAS,OAAO,EAAE,OAAO,OAAO,cAAc;GAC5C,MAAM,WAAW,KAAK,oBACpB,MAAM,4BAA4B,IACnC;GACD,MAAM,SAAS,KAAK,UAAU,QAAQ;GACtC,IAAI,CAAC,QAAQ;IACX,MAAM,SAAS,UAAU,IAAI;IAC7B;;GAGF,MAAM,WAAW,KAAK,SAAS,OAAO,SAAS;GAE/C,KAAK,OAAO,IAAI,EAAE,SAAS,CAAC;GAG5B,IAAI,SAAS,UAAU,OAAO,eAAe;IAC3C,MAAM,kBACJ,SAAS,OAAO,QAAQ,UAAU;IACpC,IAAI,iBACF,IAAI;KACF,MAAM,gBAAgB,OAAO,cAAc;aACpC,GAAG;KACV,KAAK,IAAI,MAAM,4BAA4B,EAAE;;;GAKnD,MAAM,QAAQ,MAAM,SAAS,UAAU;GACvC,IAAI,CAAC,OAAO;IACV,MAAM,SAAS,UAAU,IAAI;IAC7B;;GAGF,MAAM,SAAS,IAAI,iBAAiB;GACpC,MAAM,UAAU,QAAQ;GAExB,OAAO,IAAI,4BAA4B,SAAS;GAChD,IAAI,SACF,OAAO,IAAI,iBAAiB,QAAQ;GAGtC,MAAM,kBACJ,UAAU,SAAS,UACf,SAAS,QAAQ,MAAM,YACvB,KAAA;GAEN,IAAI,iBAAiB;IACnB,MAAM,SAAS,GAAG,gBAAgB,GAAG,UAAU,IAAI;IACnD;;GAGF,IAAI,CAAC,MAAM,gBAAgB,CAAC,sBAAsB;IAKhD,MAAM,SAAS,UAAU,IAAI;IAC7B;;GAGF,MAAM,SAAS,mBAAmB,OAAO,OAAO,CAAC,UAAU,EAAE,IAAI;;EAEpE,CAAC;CAIF,2BACE,UAAkC,EAAE,EACV;EAC1B,MAAM,YAAsC,EAAE;EAE9C,KAAK,MAAM,YAAY,KAAK,YAAY;GACtC,IAAI,QAAQ,WAAW;IACrB,MAAM,SAAS,SAAS;IACxB,IAAI,CAAC,UAAU,OAAO,SAAS,QAAQ,WACrC;;GAIJ,MAAM,OACJ,UAAU,SAAS,UACf,SACA,WAAW,SAAS,UAClB,WACA,iBAAiB,SAAS,UACxB,gBACA,KAAA;GAEV,IAAI,CAAC,MACH;GAGF,UAAU,KAAK;IACb,MAAM,SAAS;IACf;IACD,CAAC;;EAGJ,OAAO;;;;;;;CAUT,SACE,MACe;EACf,MAAM,OAAO,OAAO,SAAS,WAAW,OAAO,KAAK;EACpD,MAAM,YAAY,OAAO,SAAS,WAAW,KAAA,IAAY,KAAK;EAE9D,MAAM,WAAW,KAAK,WAAW,MAAM,aAAa;GAClD,IAAI,SAAS,SAAS,MACpB,OAAO;GAIT,IAAI,aAAa,SAAS,QAAQ,SAAS,WACzC,OAAO;GAGT,OAAO;IACP;EAEF,IAAI,CAAC,UAEH,MAAM,IAAI,cAAc,kBAAkB,KAAK,GAD7B,YAAY,eAAe,UAAU,KAAK,
GACA,YAAY;EAG1E,OAAO;;;;;;CAOT,MAAgB,gBACd,SAC6B;EAC7B,MAAM,SAAS,KAAK,UAAU,QAAQ;EACtC,IAAI,CAAC,QAAQ;GAEX,KAAK,IAAI,MAAM,6BAA6B;GAC5C;;EAGF,KAAK,IAAI,MAAM,2BAA2B;GACxC,YAAY,OAAO;GACnB,WAAW,OAAO;GACnB,CAAC;EAGF,MAAM,kBAAkB,MAAM,KAAK,cAAc,OAAO;EACxD,IAAI,CAAC,iBAAiB;GACpB,KAAK,OAAO,IAAI,EAAE,SAAS,CAAC;GAI5B;;EAKF,IAAI,gBAAgB,iBAAiB,OAAO,cAC1C,KAAK,UAAU,iBAAiB,QAAQ;EAG1C,OAAO;;CAGT,UAAoB,SAAuC;EACzD,OAAO,KAAK,OAAO,IAAI,EAAE,SAAS,CAAC;;CAGrC,UAAoB,QAAgB,SAAyB;EAC3D,MAAM,MACJ,OAAO,4BACP,OAAO,sBACP,OAAO;EAET,MAAM,MAAM,MACR,KAAK,iBAAiB,SAAS,KAAK,UAAU,GAC9C,KAAA;EAEJ,KAAK,OAAO,IAAI,QAAQ;GACtB;GACA;GACD,CAAC;;CAGJ,mBAA6B,QAAgB;EAC3C,MAAM,MAAM,KAAK,SAAS,OAAO,SAAS;EAE1C,IACE,UAAU,IAAI,WACd,EAAE,YAAY,IAAI,YAClB,IAAI,QAAQ,MAAM,YAElB,OAAO,OAAO;EAGhB,OAAO,OAAO;;CAGhB,MAAgB,cAAc,QAA6C;EAOzE,IAAI,OAAO,cAAc,OAAO;OAEZ,OAAO,aAAa,OAAO,aAAa,MAE1C,KAAK,iBAAiB,KAAK,CAAC,MAAM,EAAE;IAClD,KAAK,IAAI,MAAM,qBAAqB;IAGpC,IAAI,OAAO,eAAe;KACxB,KAAK,IAAI,MAAM,+CAA+C;KAE9D,IAAI;MAMF,MAAM,YAAY;OAChB,GAAG,MANY,KAAK,SAAS,OACF,CAAC,QAC5B,OAAO,eACP,OAAO,aACR;OAGC,UAAU,OAAO;OACjB,WAAW,KAAK,iBAAiB,KAAK,CAAC,MAAM;OAC9C;MAED,KAAK,IAAI,MAAM,gCAAgC;MAE/C,OAAO;cACA,GAAG;MACV,KAAK,IAAI,KAAK,2BAA2B,EAAE;;;IAK/C;;;EAIJ,IAAI,CAAC,OAAO,aAAa,OAAO,cAC9B;EAGF,OAAO;;;;;ACj1BX,MAAa,+BAA+B,EAAE,OAC5C;CACE,MAAM,EAAE,KAAK,EACX,aAAa,wCACd,CAAC;CACF,MAAM,EAAE,KAAK;EAAC;EAAU;EAAQ;EAAc,EAAE,EAC9C,aAAa,wCACd,CAAC;CACH,EACD,EACE,OAAO,0BACR,CACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC0BD,MAAa,cACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,iBAAiB,EAAE,SACjB,EAAE,KAAK,EACL,aACE,6DACH,CAAC,CACH;EACD,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,6EACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WAAW,CAAC,IAAI,mBAAmB,CAAC,IAAI;CAE9C,MAAM,OAAO;CAEb,MAAM,cACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,aACH,MAAM,IAAI,YACR,kEACD;CAGH,MAAM,UAAyB,OAAO,SAAS;EAC7C,OAAO,YAAY,sBAAsB,KAAK,CAAC;;CAGjD,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,OAAO;GACP,cAAc;GACd,GAAG;GA
CH;GACD;EACD;EACD,CAAC;;;;;;;;;;AAWJ,MAAM,yBACJ,SACuB;CACvB,MAAM,OAAsB,EAAE,GAAG,KAAK,MAAM;CAE5C,KAAK,MAAM,OAAO,CAAC,kBAAkB,mBAAmB,EAAW;EACjE,MAAM,MAAM,KAAK;EACjB,IAAI,OAAO,QAAQ,UACjB,KAAK,OAAO,QAAQ;;CAIxB,OAAO;EAAE,GAAG;EAAM;EAAM;;;;;;;;;ACtG1B,MAAa,oBACX,OACA,UAAuC,EAAE,KACtC;CACH,MAAM,OAAO;CAEb,MAAM,UAAqC,MAAM,QAC7C,MAAM,MAAM,KAAK,GACjB,QAAQ;CAEZ,IAAI,CAAC,SACH,MAAM,IAAI,YACR,+EACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,aAAa,EACX,SACD;EACF,CAAC;;;;;;;;;;;;;;AChBJ,MAAa,iBACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,oBAAoB,EAAE,SACpB,EAAE,KAAK,EACL,aAAa,wDACd,CAAC,CACH;EACD,wBAAwB,EAAE,SACxB,EAAE,KAAK,EACL,aACE,4DACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WAAW,CAAC,IAAI,sBAAsB,CAAC,IAAI;CAEjD,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,kEACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,OAAO;GACL,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,eAAe;GACf,OAAO;GACP,OAAO;GACP,UAAU,OAAO,WAAW;IAC1B,MAAM,MAAM,MAAM,MAChB,2FACA,EACE,SAAS,EACP,eAAe,UAAU,OAAO,gBACjC,EACF,CACF,CAAC,MAAM,QAAQ,IAAI,MAAM,CAAC;IAE3B,MAAM,OAAsB,EAC1B,KAAK,IAAI,IACV;IAED,IAAI,IAAI,OACN,KAAK,QAAQ,IAAI;IAGnB,IAAI,IAAI,MACN,KAAK,OAAO,IAAI,KAAK,MAAM;IAG7B,IAAI,IAAI,SAAS,MAAM,KACrB,KAAK,UAAU,IAAI,QAAQ,KAAK;IAGlC,OAAO;;GAET,GAAG;GACH;GACD;EACD;EACD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC5DJ,MAAa,sBACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,yBAAyB,EAAE,SACzB,EAAE,KAAK,EACL,aACE,sHACH,CAAC,CACH;EACD,6BAA6B,EAAE,SAC7B,EAAE,KAAK,EACL,aACE,0HACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WACJ,CAAC,IAAI,2BAA2B,CAAC,IAAI;CAEvC,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,kEACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;;;;;;;;GAQJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;;;;;GAKlB,OAAO;;;;GAIP,GAAG;GACH,yBAAyB;IACvB,YAAY;IACZ,GAAG,QAAQ;IACZ;GACD;GACD;EACD;EACD,CAAC;;;;;;;;;;;;;;ACnFJ,MAAa,eACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MA
AM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aACE,oEACH,CAAC,CACH;EACD,sBAAsB,EAAE,SACtB,EAAE,KAAK,EACL,aACE,wEACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WAAW,CAAC,IAAI,oBAAoB,CAAC,IAAI;CAE/C,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,kEACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,OAAO;GACL,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,eAAe;GACf,OAAO;GACP,OAAO;GACP,UAAU,OAAO,WAAW;IAC1B,MAAM,WAAW;IACjB,MAAM,UAAU;KACd,eAAe,UAAU,OAAO;KAChC,cAAc;KACf;IACD,MAAM,MAAM,MAAM,MAAM,GAAG,SAAS,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,QAC7D,IAAI,MAAM,CACX;IAED,MAAM,OAAsB,EAC1B,KAAK,IAAI,GAAG,UAAU,EACvB;IAED,IAAI,IAAI,OACN,KAAK,QAAQ,IAAI;IAGnB,IAAI,IAAI,MACN,KAAK,OAAO,IAAI,KAAK,MAAM;IAG7B,IAAI,IAAI,YACN,KAAK,UAAU,IAAI;IAKrB,MAAM,YAAY,MAAM,MAAM,GAAG,SAAS,eAAe,EAAE,SAAS,CAAC;IACrE,IAAI,UAAU,IAAI;KAChB,MAAM,SAID,MAAM,UAAU,MAAM;KAC3B,IAAI,CAAC,KAAK,OACR,KAAK,SAAS,OAAO,MAAM,MAAM,EAAE,QAAQ,IAAI,OAAO,KAAK;KAE7D,IAAI,KAAK,OACP,KAAK,iBACH,OAAO,MAAM,MAAM,EAAE,UAAU,KAAK,MAAM,EAAE,YAAY;;IAI9D,OAAO;;GAET,GAAG;GACH;GACD;EACD;EACD,CAAC;;;;;;;;;;;;;;AChGJ,MAAa,eACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aACE,uEACH,CAAC,CACH;EACD,sBAAsB,EAAE,SACtB,EAAE,KAAK,EACL,aACE,2EACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WAAW,CAAC,IAAI,oBAAoB,CAAC,IAAI;CAE/C,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,kEACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,GAAG;GACH;GACD;EACD;EACD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;ACnCJ,MAAa,kBACX,OACA,UAAgC,EAAE,KAC/B;CACH,MAAM,EAAE,WAAW,UAAU;CAE7B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,+DACH,CAAC,CACH;EACD,yBAAyB,EAAE,SACzB,EAAE,KAAK,EACL,aACE,2DACH,CAAC,CACH;EACD,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,8EACH,CAAC,CACH;EACF,CAAC,CACH;CAED,MAAM,WAAW,CAAC,IAAI,uBAAuB,CAAC,IAAI;CAElD,MAAM,WAAW,IAAI,uBAAuB;CAE5C,MAAM,OAAO;CAE
b,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,KAAK,GAAG,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,kEACD;CAGH,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ,qCAAqC,SAAS;GACtD,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,GAAG;GACH;GACD;EACD;EACD,CAAC;;;;;;;;;;;;;;;;;;;;;ACjDJ,MAAa,mBAAmB,QAAQ;CACtC,MAAM;CACN,YAAY,CAAC,MAAM;CACnB,UAAU,CAAC,qBAAqB,mBAAmB;CACpD,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","names":["USER_AGENT","ERR_INVALID_ARG_VALUE","ERR_INVALID_ARG_TYPE","CodedTypeError","allowInsecureRequests","customFetch","encoder","decoder","signal","performDiscovery","assertString","calculatePKCECodeChallenge","ClientSecretPost","None","oauth.ClientSecretPost","oauth.None","oauth.customFetch","oauth.calculatePKCECodeChallenge","oauth.generateRandomCodeVerifier","oauth.generateRandomState","decoder","oauth.ResponseBodyError","oauth.AuthorizationResponseError","oauth.WWWAuthenticateChallengeError","oauth.OperationProcessingError","oauth.HTTP_REQUEST_FORBIDDEN","oauth.REQUEST_PROTOCOL_FORBIDDEN","oauth.RESPONSE_IS_NOT_CONFORM","oauth.RESPONSE_IS_NOT_JSON","oauth.PARSE_ERROR","oauth.INVALID_RESPONSE","oauth.JWT_CLAIM_COMPARISON","oauth.JSON_ATTRIBUTE_COMPARISON","oauth.JWT_TIMESTAMP_CHECK","oauth.UnsupportedOperationError","oauth.UNSUPPORTED_OPERATION","oauth.discoveryRequest","oauth.allowInsecureRequests","oauth.processDiscoveryResponse","oauth._nodiscoverycheck","oauth.clockSkew","oauth.clockTolerance","oauth._expectedIssuer","oauth.getValidatedIdTokenClaims","oauth.formPostResponse","oauth.validateAuthResponse","oauth\n .authorizationCodeGrantRequest","oauth.nopkce","oauth.processAuthorizationCodeResponse","oauth.jweDecrypt","oauth\n 
.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","oauth.resolveEndpoint","oauth.isDPoPNonceError","encode","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u","encode","#payload","#payload","#protectedHeader","#unprotectedHeader","b64u","encode","#flattened","#jwt","#protectedHeader"],"sources":["../../../../../node_modules/oauth4webapi/build/index.js","../../../../../node_modules/openid-client/build/index.js","../../../src/server/auth/primitives/$auth.ts","../../../src/server/auth/constants/routes.ts","../../../src/server/auth/schemas/tokensSchema.ts","../../../src/server/auth/schemas/tokenResponseSchema.ts","../../../src/server/auth/schemas/userinfoResponseSchema.ts","../../../src/server/auth/providers/ServerAuthProvider.ts","../../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../../../../node_modules/jose/dist/webapi/lib/base64.js","../../../../../node_modules/jose/dist/webapi/util/base64url.js","../../../../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../../../../node_modules/jose/dist/webapi/util/errors.js","../../../../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../../../../node_modules/jose/dist/webapi/lib/helpers.js","../../../../../node_modules/jose/dist/webapi/lib/type_checks.js","../../../../../node_modules/jose/dist/webapi/lib/signing.js","../../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../../../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../../../../node_modules/jose/dist/webapi/lib/asn1.js","../../../../../node_modules/jose/dist/webapi/key/import.js","../../../../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../../../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../../../../node_modul
es/jose/dist/webapi/jws/compact/verify.js","../../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../../../../../node_modules/jose/dist/webapi/jwt/verify.js","../../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../../node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../../node_modules/jose/dist/webapi/jwt/sign.js","../../../src/server/auth/helpers/appleClientSecret.ts","../../../src/server/auth/helpers/federationAssertion.ts","../../../src/server/auth/schemas/authenticationProviderSchema.ts","../../../src/server/auth/primitives/$authApple.ts","../../../src/server/auth/primitives/$authCredentials.ts","../../../src/server/auth/primitives/$authFacebook.ts","../../../src/server/auth/helpers/safeRedirectPath.ts","../../../src/server/auth/primitives/$authFederationBroker.ts","../../../src/server/auth/helpers/jtiReplayGuard.ts","../../../src/server/auth/primitives/$authFederationClient.ts","../../../src/server/auth/primitives/$authFranceConnect.ts","../../../src/server/auth/primitives/$authGithub.ts","../../../src/server/auth/primitives/$authGoogle.ts","../../../src/server/auth/primitives/$authMicrosoft.ts","../../../src/server/auth/index.ts"],"sourcesContent":["let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v3.8.5';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nconst ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';\nconst ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';\nfunction CodedTypeError(message, code, cause) {\n const err = new TypeError(message, { cause });\n Object.assign(err, { code });\n return err;\n}\nexport const allowInsecureRequests = 
Symbol();\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const modifyAssertion = Symbol();\nexport const jweDecrypt = Symbol();\nexport const jwksCache = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nlet encodeBase64Url;\nif (Uint8Array.prototype.toBase64) {\n encodeBase64Url = (input) => {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n return input.toBase64({ alphabet: 'base64url', omitPadding: true });\n };\n}\nelse {\n const CHUNK_SIZE = 0x8000;\n encodeBase64Url = (input) => {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n };\n}\nlet decodeBase64Url;\nif (Uint8Array.fromBase64) {\n decodeBase64Url = (input) => {\n try {\n return Uint8Array.fromBase64(input, { alphabet: 'base64url' });\n }\n catch (cause) {\n throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);\n }\n };\n}\nelse {\n decodeBase64Url = (input) => {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);\n }\n };\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nexport class UnsupportedOperationError extends 
Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = UNSUPPORTED_OPERATION;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n if (options?.code) {\n this.code = options?.code;\n }\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nfunction OPE(message, code, cause) {\n return new OperationProcessingError(message, { code, cause });\n}\nasync function calculateJwkThumbprint(jwk) {\n let components;\n switch (jwk.kty) {\n case 'EC':\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x,\n y: jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x,\n };\n break;\n case 'AKP':\n components = {\n alg: jwk.alg,\n kty: jwk.kty,\n pub: jwk.pub,\n };\n break;\n case 'RSA':\n components = {\n e: jwk.e,\n kty: jwk.kty,\n n: jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError('unsupported JWK key type', { cause: jwk });\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components))));\n}\nfunction assertCryptoKey(key, it) {\n if (!(key instanceof CryptoKey)) {\n throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);\n }\n}\nfunction assertPrivateKey(key, it) {\n assertCryptoKey(key, it);\n if (key.type !== 'private') {\n throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);\n }\n}\nfunction assertPublicKey(key, it) {\n assertCryptoKey(key, it);\n if (key.type !== 'public') {\n throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);\n }\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return 
true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = Object.fromEntries(input.entries());\n }\n const headers = new Headers(input ?? {});\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw CodedTypeError('\"options.headers\" must not include the \"authorization\" header name', ERR_INVALID_ARG_VALUE);\n }\n return headers;\n}\nfunction signal(url, value) {\n if (value !== undefined) {\n if (typeof value === 'function') {\n value = value(url.href);\n }\n if (!(value instanceof AbortSignal)) {\n throw CodedTypeError('\"options.signal\" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);\n }\n return value;\n }\n return undefined;\n}\nfunction replaceDoubleSlash(pathname) {\n if (pathname.includes('//')) {\n return pathname.replace('//', '/');\n }\n return pathname;\n}\nfunction prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {\n if (url.pathname === '/') {\n url.pathname = wellKnown;\n }\n else {\n url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? 
url.pathname : url.pathname.replace(/(\\/)$/, '')}`);\n }\n return url;\n}\nfunction appendWellKnown(url, wellKnown) {\n url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);\n return url;\n}\nasync function performDiscovery(input, urlName, transform, options) {\n if (!(input instanceof URL)) {\n throw CodedTypeError(`\"${urlName}\" must be an instance of URL`, ERR_INVALID_ARG_TYPE);\n }\n checkProtocol(input, options?.[allowInsecureRequests] !== true);\n const url = transform(new URL(input.href));\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n body: undefined,\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n return performDiscovery(issuerIdentifier, 'issuerIdentifier', (url) => {\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n appendWellKnown(url, '.well-known/openid-configuration');\n break;\n case 'oauth2':\n prependWellKnown(url, '.well-known/oauth-authorization-server');\n break;\n default:\n throw CodedTypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"', ERR_INVALID_ARG_VALUE);\n }\n return url;\n }, options);\n}\nfunction assertNumber(input, allow0, it, code, cause) {\n try {\n if (typeof input !== 'number' || !Number.isFinite(input)) {\n throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);\n }\n if (input > 0)\n return;\n if (allow0) {\n if (input !== 0) {\n throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);\n }\n return;\n }\n throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);\n }\n catch (err) {\n if (code) {\n throw OPE(err.message, code, cause);\n }\n throw err;\n }\n}\nfunction assertString(input, it, code, cause) {\n try {\n if (typeof 
input !== 'string') {\n throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);\n }\n if (input.length === 0) {\n throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);\n }\n }\n catch (err) {\n if (code) {\n throw OPE(err.message, code, cause);\n }\n throw err;\n }\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n const expected = expectedIssuerIdentifier;\n if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {\n throw CodedTypeError('\"expectedIssuerIdentifier\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.issuer, '\"response\" body \"issuer\" property', INVALID_RESPONSE, { body: json });\n if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) {\n throw OPE('\"response\" body \"issuer\" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'issuer' });\n }\n return json;\n}\nfunction assertApplicationJson(response) {\n assertContentType(response, 'application/json');\n}\nfunction notJson(response, ...types) {\n let msg = '\"response\" content-type must be ';\n if (types.length > 2) {\n const last = types.pop();\n msg += `${types.join(', ')}, or ${last}`;\n }\n else if (types.length === 2) {\n msg += `${types[0]} or ${types[1]}`;\n }\n else {\n msg += types[0];\n }\n return OPE(msg, RESPONSE_IS_NOT_JSON, response);\n}\nfunction assertContentTypes(response, ...types) {\n if (!types.includes(getContentType(response))) {\n throw 
notJson(response, ...types);\n }\n}\nfunction assertContentType(response, contentType) {\n if (getContentType(response) !== contentType) {\n throw notJson(response, contentType);\n }\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n assertString(codeVerifier, 'codeVerifier');\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined) {\n assertString(input.kid, '\"kid\"');\n }\n return {\n key: input.key,\n kid: input.kid,\n };\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {\n cause: key,\n });\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {\n cause: key,\n });\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve', { cause: key });\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return 
esAlg(key);\n case 'Ed25519':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return key.algorithm.name;\n case 'EdDSA':\n return 'Ed25519';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw CodedTypeError('\"as\" must be an object', ERR_INVALID_ARG_TYPE);\n }\n assertString(as.issuer, '\"as.issuer\"');\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw CodedTypeError('\"client\" must be an object', ERR_INVALID_ARG_TYPE);\n }\n assertString(client.client_id, '\"client.client_id\"');\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {\n switch (substring) {\n case '-':\n case '_':\n case '.':\n case '!':\n case '~':\n case '*':\n case \"'\":\n case '(':\n case ')':\n return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`;\n case '%20':\n return '+';\n default:\n throw new Error();\n }\n });\n}\nexport function ClientSecretPost(clientSecret) {\n assertString(clientSecret, '\"clientSecret\"');\n return (_as, client, body, _headers) => {\n body.set('client_id', client.client_id);\n body.set('client_secret', clientSecret);\n };\n}\nexport function ClientSecretBasic(clientSecret) {\n assertString(clientSecret, '\"clientSecret\"');\n return (_as, client, _body, headers) => {\n const username = formUrlEncode(client.client_id);\n const password = formUrlEncode(clientSecret);\n const 
credentials = btoa(`${username}:${password}`);\n headers.set('authorization', `Basic ${credentials}`);\n };\n}\nfunction clientAssertionPayload(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nexport function PrivateKeyJwt(clientPrivateKey, options) {\n const { key, kid } = getKeyAndKid(clientPrivateKey);\n assertPrivateKey(key, '\"clientPrivateKey.key\"');\n return async (as, client, body, _headers) => {\n const header = { alg: keyToJws(key), kid };\n const payload = clientAssertionPayload(as, client);\n options?.[modifyAssertion]?.(header, payload);\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await signJwt(header, payload, key));\n };\n}\nexport function ClientSecretJwt(clientSecret, options) {\n assertString(clientSecret, '\"clientSecret\"');\n const modify = options?.[modifyAssertion];\n let key;\n return async (as, client, body, _headers) => {\n key ||= await crypto.subtle.importKey('raw', buf(clientSecret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']);\n const header = { alg: 'HS256' };\n const payload = clientAssertionPayload(as, client);\n modify?.(header, payload);\n const data = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;\n const hmac = await crypto.subtle.sign(key.algorithm, key, buf(data));\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', `${data}.${b64u(new Uint8Array(hmac))}`);\n };\n}\nexport function None() {\n return (_as, client, body, _headers) => {\n body.set('client_id', client.client_id);\n };\n}\nexport function TlsClientAuth() {\n return None();\n}\nasync function signJwt(header, payload, key) {\n 
if (!key.usages.includes('sign')) {\n throw CodedTypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"', ERR_INVALID_ARG_VALUE);\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return `${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey, options) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid } = getKeyAndKid(privateKey);\n assertPrivateKey(key, '\"privateKey.key\"');\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n assertNumber(claims.max_age, true, '\"max_age\" parameter');\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw OPE('failed to parse the \"claims\" parameter as JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(claims.claims)) {\n throw CodedTypeError('\"claims\" parameter must be a JSON with a top level object', ERR_INVALID_ARG_VALUE);\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw OPE('failed to parse the \"authorization_details\" parameter as JSON', PARSE_ERROR, cause);\n }\n if (!Array.isArray(claims.authorization_details)) {\n 
throw CodedTypeError('\"authorization_details\" parameter must be a JSON with a top level array', ERR_INVALID_ARG_VALUE);\n }\n }\n }\n const header = {\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n };\n options?.[modifyAssertion]?.(header, claims);\n return signJwt(header, claims, key);\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key, alg) {\n const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv, pub };\n if (kty === 'AKP')\n jwk.alg = alg;\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key, alg) {\n jwkCache ||= new WeakMap();\n return jwkCache.get(key) || getSetPublicJwkCache(key, alg);\n}\nconst URLParse = URL.parse\n ?\n (url, base) => URL.parse(url, base)\n : (url, base) => {\n try {\n return new URL(url, base);\n }\n catch {\n return null;\n }\n };\nexport function checkProtocol(url, enforceHttps) {\n if (enforceHttps && url.protocol !== 'https:') {\n throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url);\n }\n if (url.protocol !== 'https:' && url.protocol !== 'http:') {\n throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url);\n }\n}\nfunction validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {\n let url;\n if (typeof value !== 'string' || !(url = URLParse(value))) {\n throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `\"as.mtls_endpoint_aliases.${endpoint}\"` : `\"as.${endpoint}\"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? 
`mtls_endpoint_aliases.${endpoint}` : endpoint });\n }\n checkProtocol(url, enforceHttps);\n return url;\n}\nexport function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {\n if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);\n }\n return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);\n}\nexport async function pushedAuthorizationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, 'POST');\n }\n const response = await authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nclass DPoPHandler {\n #header;\n #privateKey;\n #publicKey;\n #clockSkew;\n #modifyAssertion;\n #map;\n #jkt;\n constructor(client, keyPair, options) {\n assertPrivateKey(keyPair?.privateKey, '\"DPoP.privateKey\"');\n assertPublicKey(keyPair?.publicKey, '\"DPoP.publicKey\"');\n if (!keyPair.publicKey.extractable) {\n throw CodedTypeError('\"DPoP.publicKey.extractable\" must be true', ERR_INVALID_ARG_VALUE);\n }\n this.#modifyAssertion = options?.[modifyAssertion];\n this.#clockSkew = getClockSkew(client);\n this.#privateKey = keyPair.privateKey;\n this.#publicKey = keyPair.publicKey;\n branded.add(this);\n }\n #get(key) {\n this.#map ||= new Map();\n let item = this.#map.get(key);\n if (item) {\n this.#map.delete(key);\n this.#map.set(key, 
item);\n }\n return item;\n }\n #set(key, val) {\n this.#map ||= new Map();\n this.#map.delete(key);\n if (this.#map.size === 100) {\n this.#map.delete(this.#map.keys().next().value);\n }\n this.#map.set(key, val);\n }\n async calculateThumbprint() {\n if (!this.#jkt) {\n const jwk = await crypto.subtle.exportKey('jwk', this.#publicKey);\n this.#jkt ||= await calculateJwkThumbprint(jwk);\n }\n return this.#jkt;\n }\n async addProof(url, headers, htm, accessToken) {\n const alg = keyToJws(this.#privateKey);\n this.#header ||= {\n alg,\n typ: 'dpop+jwt',\n jwk: await publicJwk(this.#publicKey, alg),\n };\n const nonce = this.#get(url.origin);\n const now = epochTime() + this.#clockSkew;\n const payload = {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken\n ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken)))\n : undefined,\n };\n this.#modifyAssertion?.(this.#header, payload);\n headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey));\n }\n cacheNonce(response, url) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n this.#set(url.origin, nonce);\n }\n }\n catch { }\n }\n}\nexport function isDPoPNonceError(err) {\n if (err instanceof WWWAuthenticateChallengeError) {\n const { 0: challenge, length } = err.cause;\n return (length === 1 && challenge.scheme === 'dpop' && challenge.parameters.error === 'use_dpop_nonce');\n }\n if (err instanceof ResponseBodyError) {\n return err.error === 'use_dpop_nonce';\n }\n return false;\n}\nexport function DPoP(client, keyPair, options) {\n return new DPoPHandler(client, keyPair, options);\n}\nexport class ResponseBodyError extends Error {\n cause;\n code;\n error;\n status;\n error_description;\n response;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = RESPONSE_BODY_ERROR;\n this.cause = options.cause;\n this.error = options.cause.error;\n this.status = 
options.response.status;\n this.error_description = options.cause.error_description;\n Object.defineProperty(this, 'response', { enumerable: false, value: options.response });\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class AuthorizationResponseError extends Error {\n cause;\n code;\n error;\n error_description;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = AUTHORIZATION_RESPONSE_ERROR;\n this.cause = options.cause;\n this.error = options.cause.get('error');\n this.error_description = options.cause.get('error_description') ?? undefined;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class WWWAuthenticateChallengeError extends Error {\n cause;\n code;\n response;\n status;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = WWW_AUTHENTICATE_CHALLENGE;\n this.cause = options.cause;\n this.status = options.response.status;\n this.response = options.response;\n Object.defineProperty(this, 'response', { enumerable: false });\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst tokenMatch = \"[a-zA-Z0-9!#$%&\\\\'\\\\*\\\\+\\\\-\\\\.\\\\^_`\\\\|~]+\";\nconst token68Match = '[a-zA-Z0-9\\\\-\\\\._\\\\~\\\\+\\\\/]+={0,2}';\nconst quotedMatch = '\"((?:[^\"\\\\\\\\]|\\\\\\\\[\\\\s\\\\S])*)\"';\nconst quotedParamMatcher = '(' + tokenMatch + ')\\\\s*=\\\\s*' + quotedMatch;\nconst paramMatcher = '(' + tokenMatch + ')\\\\s*=\\\\s*(' + tokenMatch + ')';\nconst schemeRE = new RegExp('^[,\\\\s]*(' + tokenMatch + ')');\nconst quotedParamRE = new RegExp('^[,\\\\s]*' + quotedParamMatcher + '[,\\\\s]*(.*)');\nconst unquotedParamRE = new RegExp('^[,\\\\s]*' + paramMatcher + '[,\\\\s]*(.*)');\nconst token68ParamRE = new RegExp('^(' + token68Match + ')(?:$|[,\\\\s])(.*)');\nfunction parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" 
must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const challenges = [];\n let rest = header;\n while (rest) {\n let match = rest.match(schemeRE);\n const scheme = match?.['1'].toLowerCase();\n if (!scheme) {\n return undefined;\n }\n const afterScheme = rest.substring(match[0].length);\n if (afterScheme && !afterScheme.match(/^[\\s,]/)) {\n return undefined;\n }\n const spaceMatch = afterScheme.match(/^\\s+(.*)$/);\n const hasParameters = !!spaceMatch;\n rest = spaceMatch ? spaceMatch[1] : undefined;\n const parameters = {};\n let token68;\n if (hasParameters) {\n while (rest) {\n let key;\n let value;\n if ((match = rest.match(quotedParamRE))) {\n ;\n [, key, value, rest] = match;\n if (value.includes('\\\\')) {\n try {\n value = JSON.parse(`\"${value}\"`);\n }\n catch { }\n }\n parameters[key.toLowerCase()] = value;\n continue;\n }\n if ((match = rest.match(unquotedParamRE))) {\n ;\n [, key, value, rest] = match;\n parameters[key.toLowerCase()] = value;\n continue;\n }\n if ((match = rest.match(token68ParamRE))) {\n if (Object.keys(parameters).length) {\n break;\n }\n ;\n [, token68, rest] = match;\n break;\n }\n return undefined;\n }\n }\n else {\n rest = afterScheme || undefined;\n }\n const challenge = { scheme, parameters };\n if (token68) {\n challenge.token68 = token68;\n }\n challenges.push(challenge);\n }\n if (!challenges.length) {\n return undefined;\n }\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 201, 'Pushed Authorization Request Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n 
assertString(json.request_uri, '\"response\" body \"request_uri\" property', INVALID_RESPONSE, {\n body: json,\n });\n let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n return json;\n}\nasync function parseOAuthResponseErrorBody(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n assertApplicationJson(response);\n try {\n const json = await response.clone().json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n return json;\n }\n }\n catch { }\n }\n return undefined;\n}\nasync function checkOAuthBodyError(response, expected, label) {\n if (response.status !== expected) {\n checkAuthenticationChallenges(response);\n let err;\n if ((err = await parseOAuthResponseErrorBody(response))) {\n await response.body?.cancel();\n throw new ResponseBodyError('server responded with an error in the response body', {\n cause: err,\n response,\n });\n }\n throw OPE(`\"response\" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);\n }\n}\nfunction assertDPoP(option) {\n if (!branded.has(option)) {\n throw CodedTypeError('\"options.DPoP\" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);\n }\n}\nasync function resourceRequest(accessToken, method, url, headers, body, options) {\n assertString(accessToken, '\"accessToken\"');\n if (!(url instanceof URL)) {\n throw CodedTypeError('\"url\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n checkProtocol(url, options?.[allowInsecureRequests] !== true);\n headers = prepareHeaders(headers);\n if (options?.DPoP) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, method.toUpperCase(), accessToken);\n }\n headers.set('authorization', `${headers.has('dpop') ? 
'DPoP' : 'Bearer'} ${accessToken}`);\n const response = await (options?.[customFetch] || fetch)(url.href, {\n duplex: looseInstanceOf(body, ReadableStream) ? 'half' : undefined,\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n const response = await resourceRequest(accessToken, method, url, headers, body, options);\n checkAuthenticationChallenges(response);\n return response;\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return resourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap ||= new WeakMap();\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n 
jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(header);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {\n setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);\n }\n let jwks;\n let age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n case 'ML':\n kty = 'AKP';\n break;\n default:\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'Ed25519' && jwk.crv !== 'Ed25519':\n case alg === 'EdDSA' && jwk.crv !== 'Ed25519':\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw OPE('error when selecting a JWT verification key, no applicable keys found', KEY_SELECTION, { 
header, candidates, jwks_uri: new URL(as.jwks_uri) });\n }\n if (length !== 1) {\n throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });\n }\n return importJwk(alg, jwk);\n}\nexport const skipSubjectCheck = Symbol();\nexport function getContentType(input) {\n return input.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response, options) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n checkAuthenticationChallenges(response);\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform UserInfo Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n let json;\n if (getContentType(response) === 'application/jwt') {\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported, undefined), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as));\n jwtRefs.set(response, jwt);\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw OPE('JWT UserInfo Response expected', JWT_USERINFO_EXPECTED, response);\n }\n json = await getResponseJsonBody(response);\n }\n assertString(json.sub, '\"response\" body \"sub\" property', INVALID_RESPONSE, { body: json });\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n assertString(expectedSubject, '\"expectedSubject\"');\n if (json.sub !== expectedSubject) {\n throw OPE('unexpected 
\"response\" body \"sub\" property value', JSON_ATTRIBUTE_COMPARISON, {\n expected: expectedSubject,\n body: json,\n attribute: 'sub',\n });\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method: 'POST',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nasync function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, 'POST');\n }\n const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n assertString(refreshToken, '\"refreshToken\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, clientAuthentication, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nconst jwtRefs = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw CodedTypeError('\"ref\" was already garbage 
collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);\n }\n return claims;\n}\nexport async function validateApplicationLevelSignature(as, ref, options) {\n assertAs(as);\n if (!jwtRefs.has(ref)) {\n throw CodedTypeError('\"ref\" does not contain a processed JWT Response to verify the signature of', ERR_INVALID_ARG_VALUE);\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwtRefs.get(ref).split('.');\n const header = JSON.parse(buf(b64u(protectedHeader)));\n if (header.alg.startsWith('HS')) {\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg: header.alg } });\n }\n let key;\n key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));\n}\nasync function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Token Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.access_token, '\"response\" body \"access_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.token_type, '\"response\" body \"token_type\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.token_type = json.token_type.toLowerCase();\n if (json.expires_in !== undefined) {\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n }\n if (json.refresh_token !== undefined) {\n assertString(json.refresh_token, '\"response\" body \"refresh_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw OPE('\"response\" body \"scope\" property must be a string', INVALID_RESPONSE, { body: json });\n }\n if (json.id_token !== undefined) {\n assertString(json.id_token, '\"response\" body \"id_token\" property', INVALID_RESPONSE, {\n body: json,\n });\n const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub'];\n if (client.require_auth_time === true) {\n requiredClaims.push('auth_time');\n }\n if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n requiredClaims.push('auth_time');\n }\n if (additionalRequiredIdTokenClaims?.length) {\n requiredClaims.push(...additionalRequiredIdTokenClaims);\n }\n const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), decryptFn)\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });\n }\n if (claims.azp !== client.client_id) {\n throw OPE('unexpected ID Token \"azp\" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: 'azp' });\n }\n }\n if (claims.auth_time !== undefined) 
{\n assertNumber(claims.auth_time, true, 'ID Token \"auth_time\" (authentication time)', INVALID_RESPONSE, { claims });\n }\n jwtRefs.set(response, jwt);\n idTokenClaims.set(json, claims);\n }\n if (recognizedTokenTypes?.[json.token_type] !== undefined) {\n recognizedTokenTypes[json.token_type](response, json);\n }\n else if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value', { cause: { body: json } });\n }\n return json;\n}\nfunction checkAuthenticationChallenges(response) {\n let challenges;\n if ((challenges = parseWwwAuthenticateChallenges(response))) {\n throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response });\n }\n}\nexport async function processRefreshTokenResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw OPE('unexpected JWT \"aud\" (audience) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'aud',\n });\n }\n }\n else if (result.claims.aud !== expected) {\n throw OPE('unexpected JWT \"aud\" (audience) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'aud',\n });\n }\n return result;\n}\nfunction validateOptionalIssuer(as, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(as, result);\n }\n return result;\n}\nfunction validateIssuer(as, result) {\n const expected = as[_expectedIssuer]?.(result) ?? 
as.issuer;\n if (result.claims.iss !== expected) {\n throw OPE('unexpected JWT \"iss\" (issuer) claim value', JWT_CLAIM_COMPARISON, {\n expected,\n claims: result.claims,\n claim: 'iss',\n });\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport const nopkce = Symbol();\nexport async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw CodedTypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);\n }\n assertString(redirectUri, '\"redirectUri\"');\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw OPE('no authorization code in \"callbackParameters\"', INVALID_RESPONSE);\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code', code);\n if (codeVerifier !== nopkce) {\n assertString(codeVerifier, '\"codeVerifier\"');\n parameters.set('code_verifier', codeVerifier);\n }\n return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n auth_time: 'authentication time',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {\n claims: 
result.claims,\n });\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeResponse(as, client, response, options) {\n if (typeof options?.expectedNonce === 'string' ||\n typeof options?.maxAge === 'number' ||\n options?.requireIdToken) {\n return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);\n }\n return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nasync function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {\n const additionalRequiredClaims = [];\n switch (expectedNonce) {\n case undefined:\n expectedNonce = expectNoNonce;\n break;\n case expectNoNonce:\n break;\n default:\n assertString(expectedNonce, '\"expectedNonce\" argument');\n additionalRequiredClaims.push('nonce');\n }\n maxAge ??= client.default_max_age;\n switch (maxAge) {\n case undefined:\n maxAge = skipAuthTimeCheck;\n break;\n case skipAuthTimeCheck:\n break;\n default:\n assertNumber(maxAge, true, '\"maxAge\" argument');\n additionalRequiredClaims.push('auth_time');\n }\n const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);\n assertString(result.id_token, '\"response\" body \"id_token\" property', INVALID_RESPONSE, {\n body: result,\n });\n const claims = getValidatedIdTokenClaims(result);\n if (maxAge !== skipAuthTimeCheck) {\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n if (expectedNonce === 
expectNoNonce) {\n if (claims.nonce !== undefined) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: undefined,\n claims,\n claim: 'nonce',\n });\n }\n }\n else if (claims.nonce !== expectedNonce) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: expectedNonce,\n claims,\n claim: 'nonce',\n });\n }\n return result;\n}\nasync function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {\n const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);\n const claims = getValidatedIdTokenClaims(result);\n if (claims) {\n if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + client.default_max_age < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n if (claims.nonce !== undefined) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: undefined,\n claims,\n claim: 'nonce',\n });\n }\n }\n return result;\n}\nexport const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';\nexport const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';\nexport const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';\nexport const AUTHORIZATION_RESPONSE_ERROR = 'OAUTH_AUTHORIZATION_RESPONSE_ERROR';\nexport const JWT_USERINFO_EXPECTED = 'OAUTH_JWT_USERINFO_EXPECTED';\nexport const PARSE_ERROR = 'OAUTH_PARSE_ERROR';\nexport const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE';\nexport const INVALID_REQUEST = 'OAUTH_INVALID_REQUEST';\nexport const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON';\nexport const RESPONSE_IS_NOT_CONFORM = 
'OAUTH_RESPONSE_IS_NOT_CONFORM';\nexport const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN';\nexport const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN';\nexport const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';\nexport const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';\nexport const JSON_ATTRIBUTE_COMPARISON = 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED';\nexport const KEY_SELECTION = 'OAUTH_KEY_SELECTION_FAILED';\nexport const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';\nexport const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw OPE('unexpected JWT \"typ\" header parameter value', INVALID_RESPONSE, {\n header: result.header,\n });\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, clientAuthentication, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {\n assertAs(as);\n assertClient(client);\n assertString(grantType, '\"grantType\"');\n return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);\n}\nexport async function processGenericTokenEndpointResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function processClientCredentialsResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function revocationRequest(as, 
client, clientAuthentication, token, options) {\n assertAs(as);\n assertClient(client);\n assertString(token, '\"token\"');\n const url = resolveEndpoint(as, 'revocation_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Revocation Endpoint');\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw CodedTypeError('\"response\" body has been used already', ERR_INVALID_ARG_VALUE);\n }\n}\nexport async function introspectionRequest(as, client, clientAuthentication, token, options) {\n assertAs(as);\n assertClient(client);\n assertString(token, '\"token\"');\n const url = resolveEndpoint(as, 'introspection_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? 
client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response, options) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Introspection Endpoint');\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n jwtRefs.set(response, jwt);\n if (!isJsonObject(claims.token_introspection)) {\n throw OPE('JWT \"token_introspection\" claim must be a JSON object', INVALID_RESPONSE, {\n claims,\n });\n }\n json = claims.token_introspection;\n }\n else {\n assertReadableResponse(response);\n json = await getResponseJsonBody(response);\n }\n if (typeof json.active !== 'boolean') {\n throw OPE('\"response\" body \"active\" property must be a boolean', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri', false, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n 
headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n body: undefined,\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n throw OPE('\"response\" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response, (response) => assertContentTypes(response, 'application/json', 'application/jwk-set+json'));\n if (!Array.isArray(json.keys)) {\n throw OPE('\"response\" body \"keys\" property must be an array', INVALID_RESPONSE, { body: json });\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw OPE('\"response\" body \"keys\" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json });\n }\n return json;\n}\nfunction supported(alg) {\n switch (alg) {\n case 'PS256':\n case 'ES256':\n case 'RS256':\n case 'PS384':\n case 'ES384':\n case 'RS384':\n case 'PS512':\n case 'ES512':\n case 'RS512':\n case 'Ed25519':\n case 'EdDSA':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return true;\n default:\n return false;\n }\n}\nfunction checkSupportedJwsAlg(header) {\n if (!supported(header.alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier', {\n cause: { alg: header.alg },\n });\n }\n}\nfunction checkRsaKeyAlgorithm(key) {\n const { algorithm } = key;\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {\n cause: key,\n });\n }\n}\nfunction ecdsaHashName(key) {\n const { 
algorithm } = key;\n switch (algorithm.namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError('unsupported ECDSA namedCurve', { cause: key });\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError('unsupported RSA-PSS hash name', { cause: key });\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key);\n return key.algorithm.name;\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });\n}\nasync function validateJwsSignature(protectedHeader, payload, key, signature) {\n const data = buf(`${protectedHeader}.${payload}`);\n const algorithm = keyToSubtle(key);\n const verified = await crypto.subtle.verify(algorithm, key, signature, data);\n if (!verified) {\n throw OPE('JWT signature verification failed', INVALID_RESPONSE, {\n key,\n data,\n signature,\n algorithm,\n });\n }\n}\nasync function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) {\n let { 0: protectedHeader, 1: payload, length } = jws.split('.');\n if (length === 5) {\n if (decryptJwt !== undefined) {\n jws = await decryptJwt(jws);\n ({ 0: protectedHeader, 1: payload, length } = jws.split('.'));\n }\n else {\n throw new UnsupportedOperationError('JWE decryption is not configured', { cause: jws });\n }\n }\n if (length !== 3) {\n throw OPE('Invalid JWT', INVALID_RESPONSE, jws);\n }\n let header;\n try {\n header = 
JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(header)) {\n throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws);\n }\n checkAlg(header);\n if (header.crit !== undefined) {\n throw new UnsupportedOperationError('no JWT \"crit\" header parameter extensions are supported', {\n cause: { header },\n });\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(claims)) {\n throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws);\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw OPE('unexpected JWT \"exp\" (expiration time) claim type', INVALID_RESPONSE, { claims });\n }\n if (claims.exp <= now - clockTolerance) {\n throw OPE('unexpected JWT \"exp\" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance, claim: 'exp' });\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw OPE('unexpected JWT \"iat\" (issued at) claim type', INVALID_RESPONSE, { claims });\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw OPE('unexpected JWT \"iss\" (issuer) claim type', INVALID_RESPONSE, { claims });\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw OPE('unexpected JWT \"nbf\" (not before) claim type', INVALID_RESPONSE, { claims });\n }\n if (claims.nbf > now + clockTolerance) {\n throw OPE('unexpected JWT \"nbf\" (not before) claim value', JWT_TIMESTAMP_CHECK, {\n claims,\n now,\n tolerance: clockTolerance,\n claim: 'nbf',\n });\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 
'string' && !Array.isArray(claims.aud)) {\n throw OPE('unexpected JWT \"aud\" (audience) claim type', INVALID_RESPONSE, { claims });\n }\n }\n return { header, claims, jwt: jws };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw OPE('\"parameters\" does not contain a JARM response', INVALID_RESPONSE);\n }\n const { claims, header, jwt } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(data, header, claimName) {\n let algorithm;\n switch (header.alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 
'ES512':\n case 'Ed25519':\n case 'EdDSA':\n algorithm = 'SHA-512';\n break;\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: 'cSHAKE256', length: 512, outputLength: 512 };\n break;\n default:\n throw new UnsupportedOperationError(`unsupported JWS algorithm for ${claimName} calculation`, { cause: { alg: header.alg } });\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, header, claimName) {\n const expected = await idTokenHash(data, header, claimName);\n return actual === expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, true);\n}\nexport async function validateCodeIdTokenResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, false);\n}\nasync function consumeStream(request) {\n if (request.bodyUsed) {\n throw CodedTypeError('form_post Request instances must contain a readable body', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n return request.text();\n}\nexport async function formPostResponse(request) {\n if (request.method !== 'POST') {\n throw CodedTypeError('form_post responses are expected to use the POST method', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n if (getContentType(request) !== 'application/x-www-form-urlencoded') {\n throw CodedTypeError('form_post responses are expected to use the application/x-www-form-urlencoded content-type', ERR_INVALID_ARG_VALUE, { cause: request });\n }\n return consumeStream(request);\n}\nasync function validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, fapi) {\n assertAs(as);\n 
assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw CodedTypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters', ERR_INVALID_ARG_VALUE);\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n else if (looseInstanceOf(parameters, Request)) {\n parameters = new URLSearchParams(await formPostResponse(parameters));\n }\n else if (parameters instanceof URLSearchParams) {\n parameters = new URLSearchParams(parameters);\n }\n else {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, URL, or Response', ERR_INVALID_ARG_TYPE);\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n assertString(expectedState, '\"expectedState\" argument');\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (!id_token) {\n throw OPE('\"parameters\" does not contain an ID Token', INVALID_RESPONSE);\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw OPE('\"parameters\" does not contain an Authorization Code', INVALID_RESPONSE);\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n const state = parameters.get('state');\n if (fapi && (typeof expectedState === 'string' || state !== null)) {\n requiredClaims.push('s_hash');\n }\n if (maxAge !== undefined) {\n assertNumber(maxAge, true, '\"maxAge\" argument');\n }\n else if (client.default_max_age !== undefined) {\n assertNumber(client.default_max_age, true, '\"client.default_max_age\"');\n }\n maxAge ??= client.default_max_age ?? 
skipAuthTimeCheck;\n if (client.require_auth_time || maxAge !== skipAuthTimeCheck) {\n requiredClaims.push('auth_time');\n }\n const { claims, header, jwt } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past', JWT_TIMESTAMP_CHECK, { now, claims, claim: 'iat' });\n }\n assertString(claims.c_hash, 'ID Token \"c_hash\" (code hash) claim value', INVALID_RESPONSE, {\n claims,\n });\n if (claims.auth_time !== undefined) {\n assertNumber(claims.auth_time, true, 'ID Token \"auth_time\" (authentication time)', INVALID_RESPONSE, { claims });\n }\n if (maxAge !== skipAuthTimeCheck) {\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });\n }\n }\n assertString(expectedNonce, '\"expectedNonce\" argument');\n if (claims.nonce !== expectedNonce) {\n throw OPE('unexpected ID Token \"nonce\" claim value', JWT_CLAIM_COMPARISON, {\n expected: expectedNonce,\n claims,\n claim: 'nonce',\n });\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });\n }\n if (claims.azp !== client.client_id) {\n throw OPE('unexpected ID Token \"azp\" 
(authorized party) claim value', JWT_CLAIM_COMPARISON, {\n expected: client.client_id,\n claims,\n claim: 'azp',\n });\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n if ((await idTokenHashMatches(code, claims.c_hash, header, 'c_hash')) !== true) {\n throw OPE('invalid ID Token \"c_hash\" (code hash) claim value', JWT_CLAIM_COMPARISON, {\n code,\n alg: header.alg,\n claim: 'c_hash',\n claims,\n });\n }\n if ((fapi && state !== null) || claims.s_hash !== undefined) {\n assertString(claims.s_hash, 'ID Token \"s_hash\" (state hash) claim value', INVALID_RESPONSE, {\n claims,\n });\n assertString(state, '\"state\" response parameter', INVALID_RESPONSE, { parameters });\n if ((await idTokenHashMatches(state, claims.s_hash, header, 's_hash')) !== true) {\n throw OPE('invalid ID Token \"s_hash\" (state hash) claim value', JWT_CLAIM_COMPARISON, {\n state,\n alg: header.alg,\n claim: 's_hash',\n claims,\n });\n }\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, fallback, header) {\n if (client !== undefined) {\n if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: client,\n reason: 'client configuration',\n });\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: issuer,\n reason: 'authorization server metadata',\n });\n }\n return;\n }\n if (fallback !== undefined) {\n if (typeof fallback === 'string'\n ? header.alg !== fallback\n : typeof fallback === 'function'\n ? 
!fallback(header.alg)\n : !fallback.includes(header.alg)) {\n throw OPE('unexpected JWT \"alg\" header parameter', INVALID_RESPONSE, {\n header,\n expected: fallback,\n reason: 'default value',\n });\n }\n return;\n }\n throw OPE('missing client or server configuration to verify used JWT \"alg\" header parameter', undefined, { client, issuer, fallback });\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw OPE(`\"${name}\" parameter must be provided only once`, INVALID_RESPONSE);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw CodedTypeError('\"parameters\" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters });\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw OPE('response parameter \"iss\" (issuer) missing', INVALID_RESPONSE, { parameters });\n }\n if (iss && iss !== as.issuer) {\n throw OPE('unexpected \"iss\" (issuer) response parameter value', INVALID_RESPONSE, {\n expected: as.issuer,\n parameters,\n });\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw OPE('unexpected \"state\" response parameter encountered', INVALID_RESPONSE, {\n expected: undefined,\n parameters,\n });\n }\n break;\n case skipStateCheck:\n break;\n default:\n 
assertString(expectedState, '\"expectedState\" argument');\n if (state !== expectedState) {\n throw OPE(state === undefined\n ? 'response parameter \"state\" missing'\n : 'unexpected \"state\" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters });\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n throw new AuthorizationResponseError('authorization response from the server is an error', {\n cause: parameters,\n });\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA':\n return 'Ed25519';\n case 'Ed25519':\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return alg;\n default:\n throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n 
body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Device Authorization Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.device_code, '\"response\" body \"device_code\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.user_code, '\"response\" body \"user_code\" property', INVALID_RESPONSE, {\n body: json,\n });\n assertString(json.verification_uri, '\"response\" body \"verification_uri\" property', INVALID_RESPONSE, { body: json });\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n if (json.verification_uri_complete !== undefined) {\n assertString(json.verification_uri_complete, '\"response\" body \"verification_uri_complete\" property', INVALID_RESPONSE, { body: json });\n }\n if (json.interval !== undefined) {\n assertNumber(json.interval, false, '\"response\" body \"interval\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, clientAuthentication, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n assertString(deviceCode, '\"deviceCode\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, clientAuthentication, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function generateKeyPair(alg, options) {\n assertString(alg, '\"alg\"');\n const algorithm = algToSubtle(alg);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return crypto.subtle.generateKey(algorithm, options?.extractable ?? 
false, [\n 'sign',\n 'verify',\n ]);\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(request, accessToken, accessTokenClaims, options) {\n const headerValue = request.headers.get('dpop');\n if (headerValue === null) {\n throw OPE('operation indicated DPoP use but the request has no DPoP HTTP Header', INVALID_REQUEST, { headers: request.headers });\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers });\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim', INVALID_REQUEST, { claims: accessTokenClaims });\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew, getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw OPE('DPoP Proof iat is not recent enough', JWT_TIMESTAMP_CHECK, {\n now,\n claims: proof.claims,\n claim: 'iat',\n });\n }\n if (proof.claims.htm !== request.method) {\n throw OPE('DPoP Proof htm mismatch', JWT_CLAIM_COMPARISON, {\n expected: request.method,\n claims: proof.claims,\n claim: 'htm',\n });\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw OPE('DPoP Proof htu mismatch', JWT_CLAIM_COMPARISON, {\n expected: normalizeHtu(request.url),\n claims: proof.claims,\n claim: 'htu',\n });\n }\n {\n const expected = b64u(await 
crypto.subtle.digest('SHA-256', buf(accessToken)));\n if (proof.claims.ath !== expected) {\n throw OPE('DPoP Proof ath mismatch', JWT_CLAIM_COMPARISON, {\n expected,\n claims: proof.claims,\n claim: 'ath',\n });\n }\n }\n {\n const expected = await calculateJwkThumbprint(proof.header.jwk);\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw OPE('JWT Access Token confirmation mismatch', JWT_CLAIM_COMPARISON, {\n expected,\n claims: accessTokenClaims,\n claim: 'cnf.jkt',\n });\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split('.');\n const signature = b64u(encodedSignature);\n const { jwk, alg } = proof.header;\n if (!jwk) {\n throw OPE('DPoP Proof is missing the jwk header parameter', INVALID_REQUEST, {\n header: proof.header,\n });\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw OPE('DPoP Proof jwk header parameter must contain a public key', INVALID_REQUEST, {\n header: proof.header,\n });\n }\n await validateJwsSignature(protectedHeader, payload, key, signature);\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw CodedTypeError('\"request\" must be an instance of Request', ERR_INVALID_ARG_TYPE);\n }\n assertString(expectedAudience, '\"expectedAudience\"');\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw OPE('\"request\" is missing an Authorization HTTP Header', INVALID_REQUEST, {\n headers: request.headers,\n });\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme', {\n cause: { headers: request.headers },\n });\n }\n if (length !== 2) {\n throw OPE('invalid Authorization HTTP Header format', INVALID_REQUEST, {\n 
headers: request.headers,\n });\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as))\n .then(validateAudience.bind(undefined, expectedAudience))\n .catch(reassignRSCode);\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw OPE(`unexpected JWT \"${claim}\" claim type`, INVALID_REQUEST, { claims });\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw OPE('unexpected JWT \"cnf\" (confirmation) claim value', INVALID_REQUEST, { claims });\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported', {\n cause: { claims },\n });\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method', {\n cause: { claims },\n });\n }\n }\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split('.');\n const signature = b64u(encodedSignature);\n const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode);\n }\n return claims;\n}\nfunction reassignRSCode(err) {\n if (err instanceof OperationProcessingError && 
err?.code === INVALID_REQUEST) {\n err.code = INVALID_RESPONSE;\n }\n throw err;\n}\nexport async function backchannelAuthenticationRequest(as, client, clientAuthentication, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'backchannel_authentication_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);\n}\nexport async function processBackchannelAuthenticationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 200, 'Backchannel Authentication Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.auth_req_id, '\"response\" body \"auth_req_id\" property', INVALID_RESPONSE, {\n body: json,\n });\n let expiresIn = typeof json.expires_in !== 'number' ? 
parseFloat(json.expires_in) : json.expires_in;\n assertNumber(expiresIn, true, '\"response\" body \"expires_in\" property', INVALID_RESPONSE, {\n body: json,\n });\n json.expires_in = expiresIn;\n if (json.interval !== undefined) {\n assertNumber(json.interval, false, '\"response\" body \"interval\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function backchannelAuthenticationGrantRequest(as, client, clientAuthentication, authReqId, options) {\n assertAs(as);\n assertClient(client);\n assertString(authReqId, '\"authReqId\"');\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('auth_req_id', authReqId);\n return tokenEndpointRequest(as, client, clientAuthentication, 'urn:openid:params:grant-type:ciba', parameters, options);\n}\nexport async function processBackchannelAuthenticationGrantResponse(as, client, response, options) {\n return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);\n}\nexport async function dynamicClientRegistrationRequest(as, metadata, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'registration_endpoint', metadata.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.set('content-type', 'application/json');\n const method = 'POST';\n if (options?.DPoP) {\n assertDPoP(options.DPoP);\n await options.DPoP.addProof(url, headers, method, options.initialAccessToken);\n }\n if (options?.initialAccessToken) {\n headers.set('authorization', `${headers.has('dpop') ? 
'DPoP' : 'Bearer'} ${options.initialAccessToken}`);\n }\n const response = await (options?.[customFetch] || fetch)(url.href, {\n body: JSON.stringify(metadata),\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: signal(url, options?.signal),\n });\n options?.DPoP?.cacheNonce(response, url);\n return response;\n}\nexport async function processDynamicClientRegistrationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n await checkOAuthBodyError(response, 201, 'Dynamic Client Registration Endpoint');\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.client_id, '\"response\" body \"client_id\" property', INVALID_RESPONSE, {\n body: json,\n });\n if (json.client_secret !== undefined) {\n assertString(json.client_secret, '\"response\" body \"client_secret\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n if (json.client_secret) {\n assertNumber(json.client_secret_expires_at, true, '\"response\" body \"client_secret_expires_at\" property', INVALID_RESPONSE, {\n body: json,\n });\n }\n return json;\n}\nexport async function resourceDiscoveryRequest(resourceIdentifier, options) {\n return performDiscovery(resourceIdentifier, 'resourceIdentifier', (url) => {\n prependWellKnown(url, '.well-known/oauth-protected-resource', true);\n return url;\n }, options);\n}\nexport async function processResourceDiscoveryResponse(expectedResourceIdentifier, response) {\n const expected = expectedResourceIdentifier;\n if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {\n throw CodedTypeError('\"expectedResourceIdentifier\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n if (!looseInstanceOf(response, Response)) {\n throw CodedTypeError('\"response\" must be an instance of Response', ERR_INVALID_ARG_TYPE);\n }\n if (response.status !== 200) {\n 
throw OPE('\"response\" is not a conform Resource Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);\n }\n assertReadableResponse(response);\n const json = await getResponseJsonBody(response);\n assertString(json.resource, '\"response\" body \"resource\" property', INVALID_RESPONSE, {\n body: json,\n });\n if (expected !== _nodiscoverycheck && new URL(json.resource).href !== expected.href) {\n throw OPE('\"response\" body \"resource\" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'resource' });\n }\n return json;\n}\nasync function getResponseJsonBody(response, check = assertApplicationJson) {\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n check(response);\n throw OPE('failed to parse \"response\" body as JSON', PARSE_ERROR, cause);\n }\n if (!isJsonObject(json)) {\n throw OPE('\"response\" body must be a top level object', INVALID_RESPONSE, { body: json });\n }\n return json;\n}\nexport const _nopkce = nopkce;\nexport const _nodiscoverycheck = Symbol();\nexport const _expectedIssuer = Symbol();\n//# sourceMappingURL=index.js.map","import * as oauth from 'oauth4webapi';\nimport { compactDecrypt } from 'jose/jwe/compact/decrypt';\nimport { JOSEError } from 'jose/errors';\nlet headers;\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'openid-client';\n const VERSION = 'v6.8.4';\n USER_AGENT = `${NAME}/${VERSION}`;\n headers = { 'user-agent': USER_AGENT };\n}\nconst int = (config) => {\n return props.get(config);\n};\nlet props;\nexport { AuthorizationResponseError, ResponseBodyError, WWWAuthenticateChallengeError, } from 'oauth4webapi';\nlet tbi;\nexport function ClientSecretPost(clientSecret) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretPost(clientSecret);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => 
{\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretPost(client.client_secret);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nfunction assertString(input, it) {\n if (typeof input !== 'string') {\n throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE);\n }\n if (input.length === 0) {\n throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE);\n }\n}\nexport function ClientSecretBasic(clientSecret) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretBasic(clientSecret);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => {\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretBasic(client.client_secret);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nexport function ClientSecretJwt(clientSecret, options) {\n if (clientSecret !== undefined) {\n return oauth.ClientSecretJwt(clientSecret, options);\n }\n tbi ||= new WeakMap();\n return (as, client, body, headers) => {\n let auth;\n if (!(auth = tbi.get(client))) {\n assertString(client.client_secret, '\"metadata.client_secret\"');\n auth = oauth.ClientSecretJwt(client.client_secret, options);\n tbi.set(client, auth);\n }\n return auth(as, client, body, headers);\n };\n}\nexport function None() {\n return oauth.None();\n}\nexport function PrivateKeyJwt(clientPrivateKey, options) {\n return oauth.PrivateKeyJwt(clientPrivateKey, options);\n}\nexport function TlsClientAuth() {\n return oauth.TlsClientAuth();\n}\nexport const skipStateCheck = oauth.skipStateCheck;\nexport const skipSubjectCheck = oauth.skipSubjectCheck;\nexport const customFetch = oauth.customFetch;\nexport const modifyAssertion = oauth.modifyAssertion;\nexport const clockSkew = oauth.clockSkew;\nexport const clockTolerance = oauth.clockTolerance;\nconst 
ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';\nconst ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';\nfunction CodedTypeError(message, code, cause) {\n const err = new TypeError(message, { cause });\n Object.assign(err, { code });\n return err;\n}\nexport function calculatePKCECodeChallenge(codeVerifier) {\n return oauth.calculatePKCECodeChallenge(codeVerifier);\n}\nexport function randomPKCECodeVerifier() {\n return oauth.generateRandomCodeVerifier();\n}\nexport function randomNonce() {\n return oauth.generateRandomNonce();\n}\nexport function randomState() {\n return oauth.generateRandomState();\n}\nexport class ClientError extends Error {\n code;\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n this.code = options?.code;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst decoder = new TextDecoder();\nfunction e(msg, cause, code) {\n return new ClientError(msg, { cause, code });\n}\nfunction errorHandler(err) {\n if (err instanceof TypeError ||\n err instanceof ClientError ||\n err instanceof oauth.ResponseBodyError ||\n err instanceof oauth.AuthorizationResponseError ||\n err instanceof oauth.WWWAuthenticateChallengeError) {\n throw err;\n }\n if (err instanceof oauth.OperationProcessingError) {\n switch (err.code) {\n case oauth.HTTP_REQUEST_FORBIDDEN:\n throw e('only requests to HTTPS are allowed', err, err.code);\n case oauth.REQUEST_PROTOCOL_FORBIDDEN:\n throw e('only requests to HTTP or HTTPS are allowed', err, err.code);\n case oauth.RESPONSE_IS_NOT_CONFORM:\n throw e('unexpected HTTP response status code', err.cause, err.code);\n case oauth.RESPONSE_IS_NOT_JSON:\n throw e('unexpected response content-type', err.cause, err.code);\n case oauth.PARSE_ERROR:\n throw e('parsing error occured', err, err.code);\n case oauth.INVALID_RESPONSE:\n throw e('invalid response encountered', err, err.code);\n case oauth.JWT_CLAIM_COMPARISON:\n throw e('unexpected JWT claim value encountered', err, 
err.code);\n case oauth.JSON_ATTRIBUTE_COMPARISON:\n throw e('unexpected JSON attribute value encountered', err, err.code);\n case oauth.JWT_TIMESTAMP_CHECK:\n throw e('JWT timestamp claim value failed validation', err, err.code);\n default:\n throw e(err.message, err, err.code);\n }\n }\n if (err instanceof oauth.UnsupportedOperationError) {\n throw e('unsupported operation', err, err.code);\n }\n if (err instanceof DOMException) {\n switch (err.name) {\n case 'OperationError':\n throw e('runtime operation error', err, oauth.UNSUPPORTED_OPERATION);\n case 'NotSupportedError':\n throw e('runtime unsupported operation', err, oauth.UNSUPPORTED_OPERATION);\n case 'TimeoutError':\n throw e('operation timed out', err, 'OAUTH_TIMEOUT');\n case 'AbortError':\n throw e('operation aborted', err, 'OAUTH_ABORT');\n }\n }\n throw new ClientError('something went wrong', { cause: err });\n}\nexport function randomDPoPKeyPair(alg, options) {\n return oauth\n .generateKeyPair(alg ?? 'ES256', {\n extractable: options?.extractable,\n })\n .catch(errorHandler);\n}\nfunction handleEntraId(server, as, options) {\n if (server.origin === 'https://login.microsoftonline.com' &&\n (!options?.algorithm || options.algorithm === 'oidc')) {\n as[kEntraId] = true;\n return true;\n }\n return false;\n}\nfunction handleB2Clogin(server, options) {\n if (server.hostname.endsWith('.b2clogin.com') &&\n (!options?.algorithm || options.algorithm === 'oidc')) {\n return true;\n }\n return false;\n}\nexport async function dynamicClientRegistration(server, metadata, clientAuthentication, options) {\n let as;\n if (options?.flag === retry) {\n as = options.as;\n }\n else {\n as = await performDiscovery(server, options);\n }\n const clockSkew = metadata[oauth.clockSkew] ?? 0;\n const clockTolerance = metadata[oauth.clockTolerance] ?? 30;\n metadata = structuredClone(metadata);\n const timeout = options?.timeout ?? 
30;\n const signal = AbortSignal.timeout(timeout * 1000);\n let registered;\n try {\n registered = await oauth\n .dynamicClientRegistrationRequest(as, metadata, {\n initialAccessToken: options?.initialAccessToken,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n [oauth.customFetch]: options?.[customFetch],\n [oauth.allowInsecureRequests]: options?.execute?.includes(allowInsecureRequests),\n signal,\n })\n .then(oauth.processDynamicClientRegistrationResponse);\n }\n catch (err) {\n if (retryable(err, options)) {\n return dynamicClientRegistration(server, metadata, clientAuthentication, {\n ...options,\n flag: retry,\n as,\n });\n }\n errorHandler(err);\n }\n registered[oauth.clockSkew] = clockSkew;\n registered[oauth.clockTolerance] = clockTolerance;\n const instance = new Configuration(as, registered.client_id, registered, clientAuthentication);\n let internals = int(instance);\n if (options?.[customFetch]) {\n internals.fetch = options[customFetch];\n }\n if (options?.timeout) {\n internals.timeout = options.timeout;\n }\n if (options?.execute) {\n for (const extension of options.execute) {\n extension(instance);\n }\n }\n return instance;\n}\nexport async function discovery(server, clientId, metadata, clientAuthentication, options) {\n const as = await performDiscovery(server, options);\n const instance = new Configuration(as, clientId, metadata, clientAuthentication);\n let internals = int(instance);\n if (options?.[customFetch]) {\n internals.fetch = options[customFetch];\n }\n if (options?.timeout) {\n internals.timeout = options.timeout;\n }\n if (options?.execute) {\n for (const extension of options.execute) {\n extension(instance);\n }\n }\n return instance;\n}\nasync function performDiscovery(server, options) {\n if (!(server instanceof URL)) {\n throw CodedTypeError('\"server\" must be an instance of URL', ERR_INVALID_ARG_TYPE);\n }\n const resolve = !server.href.includes('/.well-known/');\n const timeout = options?.timeout ?? 
30;\n const signal = AbortSignal.timeout(timeout * 1000);\n const as = await (resolve\n ? oauth.discoveryRequest(server, {\n algorithm: options?.algorithm,\n [oauth.customFetch]: options?.[customFetch],\n [oauth.allowInsecureRequests]: options?.execute?.includes(allowInsecureRequests),\n signal,\n headers: new Headers(headers),\n })\n : (options?.[customFetch] || fetch)((() => {\n oauth.checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true);\n return server.href;\n })(), {\n headers: Object.fromEntries(new Headers({ accept: 'application/json', ...headers }).entries()),\n body: undefined,\n method: 'GET',\n redirect: 'manual',\n signal,\n }))\n .then((response) => oauth.processDiscoveryResponse(oauth._nodiscoverycheck, response))\n .catch(errorHandler);\n if (resolve && new URL(as.issuer).href !== server.href) {\n handleEntraId(server, as, options) ||\n handleB2Clogin(server, options) ||\n (() => {\n throw new ClientError('discovered metadata issuer does not match the expected issuer', {\n code: oauth.JSON_ATTRIBUTE_COMPARISON,\n cause: {\n expected: server.href,\n body: as,\n attribute: 'issuer',\n },\n });\n })();\n }\n return as;\n}\nfunction isRsaOaep(input) {\n return input.name === 'RSA-OAEP';\n}\nfunction isEcdh(input) {\n return input.name === 'ECDH';\n}\nconst ecdhEs = 'ECDH-ES';\nconst ecdhEsA128Kw = 'ECDH-ES+A128KW';\nconst ecdhEsA192Kw = 'ECDH-ES+A192KW';\nconst ecdhEsA256Kw = 'ECDH-ES+A256KW';\nfunction checkEcdhAlg(algs, alg, pk) {\n switch (alg) {\n case undefined:\n algs.add(ecdhEs);\n algs.add(ecdhEsA128Kw);\n algs.add(ecdhEsA192Kw);\n algs.add(ecdhEsA256Kw);\n break;\n case ecdhEs:\n case ecdhEsA128Kw:\n case ecdhEsA192Kw:\n case ecdhEsA256Kw:\n algs.add(alg);\n break;\n default:\n throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, { pk });\n }\n}\nexport function enableDecryptingResponses(config, contentEncryptionAlgorithms = [\n 'A128GCM',\n 'A192GCM',\n 'A256GCM',\n 'A128CBC-HS256',\n 
'A192CBC-HS384',\n 'A256CBC-HS512',\n], ...keys) {\n if (int(config).decrypt !== undefined) {\n throw new TypeError('enableDecryptingResponses can only be called on a given Configuration instance once');\n }\n if (keys.length === 0) {\n throw CodedTypeError('no keys were provided', ERR_INVALID_ARG_VALUE);\n }\n const algs = new Set();\n const normalized = [];\n for (const pk of keys) {\n let key;\n if ('key' in pk) {\n key = { key: pk.key };\n if (typeof pk.alg === 'string')\n key.alg = pk.alg;\n if (typeof pk.kid === 'string')\n key.kid = pk.kid;\n }\n else {\n key = { key: pk };\n }\n if (key.key.type !== 'private') {\n throw CodedTypeError('only private keys must be provided', ERR_INVALID_ARG_VALUE);\n }\n if (isRsaOaep(key.key.algorithm)) {\n switch (key.key.algorithm.hash.name) {\n case 'SHA-1':\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512': {\n let alg = 'RSA-OAEP';\n let sha;\n if ((sha = parseInt(key.key.algorithm.hash.name.slice(-3), 10))) {\n alg = `${alg}-${sha}`;\n }\n key.alg ||= alg;\n if (alg !== key.alg)\n throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, {\n pk,\n });\n algs.add(key.alg);\n break;\n }\n default:\n throw CodedTypeError('only SHA-512, SHA-384, SHA-256, and SHA-1 RSA-OAEP keys are supported', ERR_INVALID_ARG_VALUE);\n }\n }\n else if (isEcdh(key.key.algorithm)) {\n if (key.key.algorithm.namedCurve !== 'P-256') {\n throw CodedTypeError('Only P-256 ECDH keys are supported', ERR_INVALID_ARG_VALUE);\n }\n checkEcdhAlg(algs, key.alg, pk);\n }\n else if (key.key.algorithm.name === 'X25519') {\n checkEcdhAlg(algs, key.alg, pk);\n }\n else {\n throw CodedTypeError('only RSA-OAEP, ECDH, or X25519 keys are supported', ERR_INVALID_ARG_VALUE);\n }\n normalized.push(key);\n }\n int(config).decrypt = async (jwe) => decrypt(normalized, jwe, contentEncryptionAlgorithms, [...algs]).catch(errorHandler);\n}\nfunction checkCryptoKey(key, alg, epk) {\n if (alg.startsWith('RSA-OAEP')) {\n return key.algorithm.name === 'RSA-OAEP';\n }\n 
if (alg.startsWith('ECDH-ES')) {\n if (key.algorithm.name !== 'ECDH' && key.algorithm.name !== 'X25519') {\n return false;\n }\n if (key.algorithm.name === 'ECDH') {\n return epk?.crv === key.algorithm.namedCurve;\n }\n if (key.algorithm.name === 'X25519') {\n return epk?.crv === 'X25519';\n }\n }\n return false;\n}\nfunction selectCryptoKeyForDecryption(keys, alg, kid, epk) {\n const { 0: key, length } = keys.filter((key) => {\n if (kid !== key.kid) {\n return false;\n }\n if (key.alg && alg !== key.alg) {\n return false;\n }\n return checkCryptoKey(key.key, alg, epk);\n });\n if (!key) {\n throw e('no applicable decryption key selected', undefined, 'OAUTH_DECRYPTION_FAILED');\n }\n if (length !== 1) {\n throw e('multiple applicable decryption keys selected', undefined, 'OAUTH_DECRYPTION_FAILED');\n }\n return key.key;\n}\nasync function decrypt(keys, jwe, contentEncryptionAlgorithms, keyManagementAlgorithms) {\n return decoder.decode((await compactDecrypt(jwe, (header) => {\n const { kid, alg, epk } = header;\n return selectCryptoKeyForDecryption(keys, alg, kid, epk);\n }, { keyManagementAlgorithms, contentEncryptionAlgorithms }).catch((err) => {\n if (err instanceof JOSEError) {\n throw e('decryption failed', err, 'OAUTH_DECRYPTION_FAILED');\n }\n errorHandler(err);\n })).plaintext);\n}\nfunction getServerHelpers(metadata) {\n return {\n supportsPKCE: {\n __proto__: null,\n value(method = 'S256') {\n return (metadata.code_challenge_methods_supported?.includes(method) === true);\n },\n },\n };\n}\nfunction addServerHelpers(metadata) {\n Object.defineProperties(metadata, getServerHelpers(metadata));\n}\nconst kEntraId = Symbol();\nexport class Configuration {\n constructor(server, clientId, metadata, clientAuthentication) {\n if (typeof clientId !== 'string' || !clientId.length) {\n throw CodedTypeError('\"clientId\" must be a non-empty string', ERR_INVALID_ARG_TYPE);\n }\n if (typeof metadata === 'string') {\n metadata = { client_secret: metadata };\n }\n if 
(metadata?.client_id !== undefined && clientId !== metadata.client_id) {\n throw CodedTypeError('\"clientId\" and \"metadata.client_id\" must be the same', ERR_INVALID_ARG_VALUE);\n }\n const client = {\n ...structuredClone(metadata),\n client_id: clientId,\n };\n client[oauth.clockSkew] = metadata?.[oauth.clockSkew] ?? 0;\n client[oauth.clockTolerance] = metadata?.[oauth.clockTolerance] ?? 30;\n let auth;\n if (clientAuthentication) {\n auth = clientAuthentication;\n }\n else {\n if (typeof client.client_secret === 'string' &&\n client.client_secret.length) {\n auth = ClientSecretPost(client.client_secret);\n }\n else {\n auth = None();\n }\n }\n let c = Object.freeze(client);\n const clone = structuredClone(server);\n if (kEntraId in server) {\n clone[oauth._expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace('{tenantid}', tid);\n }\n let as = Object.freeze(clone);\n props ||= new WeakMap();\n props.set(this, {\n __proto__: null,\n as,\n c,\n auth,\n tlsOnly: true,\n jwksCache: {},\n });\n }\n serverMetadata() {\n const metadata = structuredClone(int(this).as);\n addServerHelpers(metadata);\n return metadata;\n }\n clientMetadata() {\n const metadata = structuredClone(int(this).c);\n return metadata;\n }\n get timeout() {\n return int(this).timeout;\n }\n set timeout(value) {\n int(this).timeout = value;\n }\n get [customFetch]() {\n return int(this).fetch;\n }\n set [customFetch](value) {\n int(this).fetch = value;\n }\n}\nObject.freeze(Configuration.prototype);\nfunction getHelpers(response) {\n let exp = undefined;\n if (response.expires_in !== undefined) {\n const now = new Date();\n now.setSeconds(now.getSeconds() + response.expires_in);\n exp = now.getTime();\n }\n return {\n expiresIn: {\n __proto__: null,\n value() {\n if (exp) {\n const now = Date.now();\n if (exp > now) {\n return Math.floor((exp - now) / 1000);\n }\n return 0;\n }\n return undefined;\n },\n },\n claims: {\n __proto__: null,\n value() {\n try {\n return 
oauth.getValidatedIdTokenClaims(this);\n }\n catch {\n return undefined;\n }\n },\n },\n };\n}\nfunction addHelpers(response) {\n Object.defineProperties(response, getHelpers(response));\n}\nexport function getDPoPHandle(config, keyPair, options) {\n checkConfig(config);\n return oauth.DPoP(int(config).c, keyPair, options);\n}\nasync function handleRetryAfter(response, currentInterval, signal, throwIfInvalid = false) {\n const retryAfter = response.headers.get('retry-after')?.trim();\n if (retryAfter === undefined)\n return;\n let delaySeconds;\n if (/^\\d+$/.test(retryAfter)) {\n delaySeconds = parseInt(retryAfter, 10);\n }\n else {\n const retryDate = new Date(retryAfter);\n if (Number.isFinite(retryDate.getTime())) {\n const now = new Date();\n const delayMs = retryDate.getTime() - now.getTime();\n if (delayMs > 0) {\n delaySeconds = Math.ceil(delayMs / 1000);\n }\n }\n }\n if (throwIfInvalid && !Number.isFinite(delaySeconds)) {\n throw new oauth.OperationProcessingError('invalid Retry-After header value', { cause: response });\n }\n if (delaySeconds > currentInterval) {\n await wait(delaySeconds - currentInterval, signal);\n }\n}\nfunction wait(duration, signal) {\n return new Promise((resolve, reject) => {\n const waitStep = (remaining) => {\n try {\n signal.throwIfAborted();\n }\n catch (err) {\n reject(err);\n return;\n }\n if (remaining <= 0) {\n resolve();\n return;\n }\n const currentWait = Math.min(remaining, 5);\n setTimeout(() => waitStep(remaining - currentWait), currentWait * 1000);\n };\n waitStep(duration);\n });\n}\nfunction pollRequestSignal(pollingSignal, timeout) {\n const timeoutSignal = signal(timeout);\n if (!timeoutSignal) {\n return {\n signal: pollingSignal,\n cleanup() { },\n };\n }\n const controller = new AbortController();\n const abort = (event) => {\n const source = event.target;\n controller.abort(source.reason);\n };\n if (pollingSignal.aborted) {\n controller.abort(pollingSignal.reason);\n }\n else if (timeoutSignal.aborted) {\n 
controller.abort(timeoutSignal.reason);\n }\n else {\n pollingSignal.addEventListener('abort', abort, { once: true });\n timeoutSignal.addEventListener('abort', abort, { once: true });\n }\n return {\n signal: controller.signal,\n cleanup() {\n pollingSignal.removeEventListener('abort', abort);\n timeoutSignal.removeEventListener('abort', abort);\n },\n };\n}\nexport async function pollDeviceAuthorizationGrant(config, deviceAuthorizationResponse, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n let interval = deviceAuthorizationResponse.interval ?? 5;\n const pollingSignal = options?.signal ??\n AbortSignal.timeout(deviceAuthorizationResponse.expires_in * 1000);\n try {\n await wait(interval, pollingSignal);\n }\n catch (err) {\n errorHandler(err);\n }\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const retryPoll = (updatedInterval, flag) => pollDeviceAuthorizationGrant(config, {\n ...deviceAuthorizationResponse,\n interval: updatedInterval,\n }, parameters, {\n ...options,\n signal: pollingSignal,\n flag,\n });\n const requestSignal = pollRequestSignal(pollingSignal, timeout);\n const response = await oauth\n .deviceCodeGrantRequest(as, c, auth, deviceAuthorizationResponse.device_code, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: requestSignal.signal,\n })\n .catch(errorHandler)\n .finally(requestSignal.cleanup);\n if (response.status === 503 && response.headers.has('retry-after')) {\n await handleRetryAfter(response, interval, pollingSignal, true);\n await response.body?.cancel();\n return retryPoll(interval);\n }\n const p = oauth.processDeviceCodeResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return retryPoll(interval, retry);\n 
}\n if (err instanceof oauth.ResponseBodyError) {\n switch (err.error) {\n case 'slow_down':\n interval += 5;\n case 'authorization_pending':\n await handleRetryAfter(err.response, interval, pollingSignal);\n return retryPoll(interval);\n }\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function initiateDeviceAuthorization(config, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .deviceAuthorizationRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then((response) => oauth.processDeviceAuthorizationResponse(as, c, response))\n .catch(errorHandler);\n}\nexport async function initiateBackchannelAuthentication(config, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .backchannelAuthenticationRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then((response) => oauth.processBackchannelAuthenticationResponse(as, c, response))\n .catch(errorHandler);\n}\nexport async function pollBackchannelAuthenticationGrant(config, backchannelAuthenticationResponse, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n let interval = backchannelAuthenticationResponse.interval ?? 
5;\n const pollingSignal = options?.signal ??\n AbortSignal.timeout(backchannelAuthenticationResponse.expires_in * 1000);\n try {\n await wait(interval, pollingSignal);\n }\n catch (err) {\n errorHandler(err);\n }\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const retryPoll = (updatedInterval, flag) => pollBackchannelAuthenticationGrant(config, {\n ...backchannelAuthenticationResponse,\n interval: updatedInterval,\n }, parameters, {\n ...options,\n signal: pollingSignal,\n flag,\n });\n const requestSignal = pollRequestSignal(pollingSignal, timeout);\n const response = await oauth\n .backchannelAuthenticationGrantRequest(as, c, auth, backchannelAuthenticationResponse.auth_req_id, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: requestSignal.signal,\n })\n .catch(errorHandler)\n .finally(requestSignal.cleanup);\n if (response.status === 503 && response.headers.has('retry-after')) {\n await handleRetryAfter(response, interval, pollingSignal, true);\n await response.body?.cancel();\n return retryPoll(interval);\n }\n const p = oauth.processBackchannelAuthenticationGrantResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return retryPoll(interval, retry);\n }\n if (err instanceof oauth.ResponseBodyError) {\n switch (err.error) {\n case 'slow_down':\n interval += 5;\n case 'authorization_pending':\n await handleRetryAfter(err.response, interval, pollingSignal);\n return retryPoll(interval);\n }\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport function allowInsecureRequests(config) {\n int(config).tlsOnly = false;\n}\nexport function setJwksCache(config, jwksCache) {\n int(config).jwksCache = 
structuredClone(jwksCache);\n}\nexport function getJwksCache(config) {\n const cache = int(config).jwksCache;\n if (cache.uat) {\n return cache;\n }\n return undefined;\n}\nexport function enableNonRepudiationChecks(config) {\n checkConfig(config);\n int(config).nonRepudiation = (response) => {\n const { as, fetch, tlsOnly, timeout, jwksCache } = int(config);\n return oauth\n .validateApplicationLevelSignature(as, response, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jwksCache]: jwksCache,\n })\n .catch(errorHandler);\n };\n}\nexport function useJwtResponseMode(config) {\n checkConfig(config);\n const { hybrid, implicit } = int(config);\n if (hybrid || implicit) {\n throw e('JARM cannot be combined with a hybrid or implicit response types', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).jarm = (authorizationResponse, expectedState) => validateJARMResponse(config, authorizationResponse, expectedState);\n}\nexport function enableDetachedSignatureResponseChecks(config) {\n if (!int(config).hybrid) {\n throw e('\"code id_token\" response type must be configured to be used first', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, true);\n}\nexport async function implicitAuthentication(config, currentUrl, expectedNonce, checks) {\n checkConfig(config);\n if (!(currentUrl instanceof URL) &&\n !webInstanceOf(currentUrl, 'Request')) {\n throw CodedTypeError('\"currentUrl\" must be an instance of URL, or Request', ERR_INVALID_ARG_TYPE);\n }\n if (typeof expectedNonce !== 'string') {\n throw CodedTypeError('\"expectedNonce\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n const { as, c, fetch, tlsOnly, timeout, decrypt, implicit, jwksCache } = int(config);\n if (!implicit) {\n throw new 
TypeError('implicitAuthentication() cannot be used by clients using flows other than response_type=id_token');\n }\n let params;\n if (!(currentUrl instanceof URL)) {\n const request = currentUrl;\n switch (request.method) {\n case 'GET':\n params = new URLSearchParams(new URL(request.url).hash.slice(1));\n break;\n case 'POST':\n params = new URLSearchParams(await oauth.formPostResponse(request));\n break;\n default:\n throw CodedTypeError('unexpected Request HTTP method', ERR_INVALID_ARG_VALUE);\n }\n }\n else {\n params = new URLSearchParams(currentUrl.hash.slice(1));\n }\n try {\n {\n const decoy = new URLSearchParams(params);\n decoy.delete('id_token');\n oauth.validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: undefined,\n }, c, decoy, checks?.expectedState);\n }\n {\n const decoy = new Response(JSON.stringify({\n access_token: 'decoy',\n token_type: 'bearer',\n id_token: params.get('id_token'),\n }), {\n headers: new Headers({ 'content-type': 'application/json' }),\n });\n const ref = await oauth.processAuthorizationCodeResponse(as, c, decoy, {\n expectedNonce,\n maxAge: checks?.maxAge,\n [oauth.jweDecrypt]: decrypt,\n });\n await oauth.validateApplicationLevelSignature(as, decoy, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jwksCache]: jwksCache,\n });\n return oauth.getValidatedIdTokenClaims(ref);\n }\n }\n catch (err) {\n errorHandler(err);\n }\n}\nexport function useCodeIdTokenResponseType(config) {\n checkConfig(config);\n const { jarm, implicit } = int(config);\n if (jarm || implicit) {\n throw e('\"code id_token\" response type cannot be combined with JARM or implicit response type', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, 
false);\n}\nexport function useIdTokenResponseType(config) {\n checkConfig(config);\n const { jarm, hybrid } = int(config);\n if (jarm || hybrid) {\n throw e('\"id_token\" response type cannot be combined with JARM or hybrid response type', undefined, oauth.UNSUPPORTED_OPERATION);\n }\n int(config).implicit = true;\n}\nfunction stripParams(url) {\n url = new URL(url);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nfunction webInstanceOf(input, toStringTag) {\n try {\n return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag;\n }\n catch {\n return false;\n }\n}\nexport async function authorizationCodeGrant(config, currentUrl, checks, tokenEndpointParameters, options) {\n checkConfig(config);\n if (options?.flag !== retry &&\n !(currentUrl instanceof URL) &&\n !webInstanceOf(currentUrl, 'Request')) {\n throw CodedTypeError('\"currentUrl\" must be an instance of URL, or Request', ERR_INVALID_ARG_TYPE);\n }\n let authResponse;\n let redirectUri;\n const { as, c, auth, fetch, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt, implicit } = int(config);\n if (options?.flag === retry) {\n authResponse = options.authResponse;\n redirectUri = options.redirectUri;\n }\n else {\n if (!(currentUrl instanceof URL)) {\n const request = currentUrl;\n currentUrl = new URL(currentUrl.url);\n switch (request.method) {\n case 'GET':\n break;\n case 'POST':\n const params = new URLSearchParams(await oauth.formPostResponse(request));\n if (hybrid) {\n currentUrl.hash = params.toString();\n }\n else {\n for (const [k, v] of params.entries()) {\n currentUrl.searchParams.append(k, v);\n }\n }\n break;\n default:\n throw CodedTypeError('unexpected Request HTTP method', ERR_INVALID_ARG_VALUE);\n }\n }\n redirectUri = stripParams(currentUrl);\n switch (true) {\n case !!jarm:\n authResponse = await jarm(currentUrl, checks?.expectedState);\n break;\n case !!hybrid:\n authResponse = await hybrid(currentUrl, checks?.expectedNonce, checks?.expectedState, 
checks?.maxAge);\n break;\n case !!implicit:\n throw new TypeError('authorizationCodeGrant() cannot be used by response_type=id_token clients');\n default:\n try {\n authResponse = oauth.validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState);\n }\n catch (err) {\n errorHandler(err);\n }\n }\n }\n const response = await oauth\n .authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || oauth.nopkce, {\n additionalParameters: tokenEndpointParameters,\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n if (typeof checks?.expectedNonce === 'string' ||\n typeof checks?.maxAge === 'number') {\n checks.idTokenExpected = true;\n }\n const p = oauth.processAuthorizationCodeResponse(as, c, response, {\n expectedNonce: checks?.expectedNonce,\n maxAge: checks?.maxAge,\n requireIdToken: checks?.idTokenExpected,\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return authorizationCodeGrant(config, undefined, checks, tokenEndpointParameters, {\n ...options,\n flag: retry,\n authResponse: authResponse,\n redirectUri: redirectUri,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nasync function validateJARMResponse(config, authorizationResponse, expectedState) {\n const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config);\n return oauth\n .validateJwtAuthResponse(as, c, authorizationResponse, expectedState, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jweDecrypt]: decrypt,\n [oauth.jwksCache]: jwksCache,\n })\n .catch(errorHandler);\n}\nasync function validateCodeIdTokenResponse(config, authorizationResponse, 
expectedNonce, expectedState, maxAge, fapi) {\n if (typeof expectedNonce !== 'string') {\n throw CodedTypeError('\"expectedNonce\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n if (expectedState !== undefined && typeof expectedState !== 'string') {\n throw CodedTypeError('\"expectedState\" must be a string', ERR_INVALID_ARG_TYPE);\n }\n const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config);\n return (fapi\n ? oauth.validateDetachedSignatureResponse\n : oauth.validateCodeIdTokenResponse)(as, c, authorizationResponse, expectedNonce, expectedState, maxAge, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n headers: new Headers(headers),\n signal: signal(timeout),\n [oauth.jweDecrypt]: decrypt,\n [oauth.jwksCache]: jwksCache,\n }).catch(errorHandler);\n}\nexport async function refreshTokenGrant(config, refreshToken, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .refreshTokenGrantRequest(as, c, auth, refreshToken, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: parameters,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processRefreshTokenResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return refreshTokenGrant(config, refreshToken, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function clientCredentialsGrant(config, parameters, options) {\n checkConfig(config);\n parameters = new URLSearchParams(parameters);\n const { as, c, auth, fetch, tlsOnly, timeout } = 
int(config);\n const response = await oauth\n .clientCredentialsGrantRequest(as, c, auth, parameters, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processClientCredentialsResponse(as, c, response);\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return clientCredentialsGrant(config, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n addHelpers(result);\n return result;\n}\nexport function buildAuthorizationUrl(config, parameters) {\n checkConfig(config);\n const { as, c, tlsOnly, hybrid, jarm, implicit } = int(config);\n const authorizationEndpoint = oauth.resolveEndpoint(as, 'authorization_endpoint', false, tlsOnly);\n parameters = new URLSearchParams(parameters);\n if (!parameters.has('client_id')) {\n parameters.set('client_id', c.client_id);\n }\n if (!parameters.has('request_uri') && !parameters.has('request')) {\n if (!parameters.has('response_type')) {\n parameters.set('response_type', hybrid ? 'code id_token' : implicit ? 
'id_token' : 'code');\n }\n if (implicit && !parameters.has('nonce')) {\n throw CodedTypeError('response_type=id_token clients must provide a nonce parameter in their authorization request parameters', ERR_INVALID_ARG_VALUE);\n }\n if (jarm) {\n parameters.set('response_mode', 'jwt');\n }\n }\n for (const [k, v] of parameters.entries()) {\n authorizationEndpoint.searchParams.append(k, v);\n }\n return authorizationEndpoint;\n}\nexport async function buildAuthorizationUrlWithJAR(config, parameters, signingKey, options) {\n checkConfig(config);\n const authorizationEndpoint = buildAuthorizationUrl(config, parameters);\n parameters = authorizationEndpoint.searchParams;\n if (!signingKey) {\n throw CodedTypeError('\"signingKey\" must be provided', ERR_INVALID_ARG_VALUE);\n }\n const { as, c } = int(config);\n const request = await oauth\n .issueRequestObject(as, c, parameters, signingKey, options)\n .catch(errorHandler);\n return buildAuthorizationUrl(config, { request });\n}\nexport async function buildAuthorizationUrlWithPAR(config, parameters, options) {\n checkConfig(config);\n const authorizationEndpoint = buildAuthorizationUrl(config, parameters);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n const response = await oauth\n .pushedAuthorizationRequest(as, c, auth, authorizationEndpoint.searchParams, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const p = oauth.processPushedAuthorizationResponse(as, c, response);\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return buildAuthorizationUrlWithPAR(config, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n return buildAuthorizationUrl(config, { request_uri: result.request_uri });\n}\nexport function buildEndSessionUrl(config, parameters) {\n checkConfig(config);\n const { as, c, 
tlsOnly } = int(config);\n const endSessionEndpoint = oauth.resolveEndpoint(as, 'end_session_endpoint', false, tlsOnly);\n parameters = new URLSearchParams(parameters);\n if (!parameters.has('client_id')) {\n parameters.set('client_id', c.client_id);\n }\n for (const [k, v] of parameters.entries()) {\n endSessionEndpoint.searchParams.append(k, v);\n }\n return endSessionEndpoint;\n}\nfunction checkConfig(input) {\n if (!(input instanceof Configuration)) {\n throw CodedTypeError('\"config\" must be an instance of Configuration', ERR_INVALID_ARG_TYPE);\n }\n if (Object.getPrototypeOf(input) !== Configuration.prototype) {\n throw CodedTypeError('subclassing Configuration is not allowed', ERR_INVALID_ARG_VALUE);\n }\n}\nfunction signal(timeout) {\n return timeout ? AbortSignal.timeout(timeout * 1000) : undefined;\n}\nexport async function fetchUserInfo(config, accessToken, expectedSubject, options) {\n checkConfig(config);\n const { as, c, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .userInfoRequest(as, c, accessToken, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n let exec = oauth.processUserInfoResponse(as, c, expectedSubject, response, {\n [oauth.jweDecrypt]: decrypt,\n });\n let result;\n try {\n result = await exec;\n }\n catch (err) {\n if (retryable(err, options)) {\n return fetchUserInfo(config, accessToken, expectedSubject, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n oauth.getContentType(response) === 'application/jwt' &&\n (await nonRepudiation?.(response));\n return result;\n}\nfunction retryable(err, options) {\n if (options?.DPoP && options.flag !== retry) {\n return oauth.isDPoPNonceError(err);\n }\n return false;\n}\nexport async function tokenIntrospection(config, token, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, 
tlsOnly, nonRepudiation, timeout, decrypt } = int(config);\n const response = await oauth\n .introspectionRequest(as, c, auth, token, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: new URLSearchParams(parameters),\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n const result = await oauth\n .processIntrospectionResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n })\n .catch(errorHandler);\n oauth.getContentType(response) === 'application/token-introspection+jwt' &&\n (await nonRepudiation?.(response));\n return result;\n}\nconst retry = Symbol();\nexport async function genericGrantRequest(config, grantType, parameters, options) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout, decrypt, nonRepudiation } = int(config);\n const response = await oauth\n .genericTokenEndpointRequest(as, c, auth, grantType, new URLSearchParams(parameters), {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .catch(errorHandler);\n let recognizedTokenTypes;\n if (grantType === 'urn:ietf:params:oauth:grant-type:token-exchange') {\n recognizedTokenTypes = { n_a: () => { } };\n }\n const p = oauth.processGenericTokenEndpointResponse(as, c, response, {\n [oauth.jweDecrypt]: decrypt,\n recognizedTokenTypes,\n });\n let result;\n try {\n result = await p;\n }\n catch (err) {\n if (retryable(err, options)) {\n return genericGrantRequest(config, grantType, parameters, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n result.id_token && (await nonRepudiation?.(response));\n addHelpers(result);\n return result;\n}\nexport async function tokenRevocation(config, token, parameters) {\n checkConfig(config);\n const { as, c, auth, fetch, tlsOnly, timeout } = int(config);\n return oauth\n .revocationRequest(as, c, auth, token, {\n [oauth.customFetch]: 
fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n additionalParameters: new URLSearchParams(parameters),\n headers: new Headers(headers),\n signal: signal(timeout),\n })\n .then(oauth.processRevocationResponse)\n .catch(errorHandler);\n}\nexport async function fetchProtectedResource(config, accessToken, url, method, body, headers, options) {\n checkConfig(config);\n headers ||= new Headers();\n if (!headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n const { fetch, tlsOnly, timeout } = int(config);\n const exec = oauth.protectedResourceRequest(accessToken, method, url, headers, body, {\n [oauth.customFetch]: fetch,\n [oauth.allowInsecureRequests]: !tlsOnly,\n DPoP: options?.DPoP,\n signal: signal(timeout),\n });\n let result;\n try {\n result = await exec;\n }\n catch (err) {\n if (retryable(err, options)) {\n return fetchProtectedResource(config, accessToken, url, method, body, headers, {\n ...options,\n flag: retry,\n });\n }\n errorHandler(err);\n }\n return result;\n}\n//# sourceMappingURL=index.js.map","import {\n $inject,\n AlephaError,\n type Async,\n createPrimitive,\n KIND,\n Primitive,\n} from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport {\n type AccessTokenResponse,\n type IssuerPrimitive,\n SecurityError,\n SecurityProvider,\n type UserAccount,\n} from \"alepha/security\";\nimport {\n allowInsecureRequests,\n Configuration,\n discovery,\n refreshTokenGrant,\n} from \"openid-client\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport type { Tokens } from \"../schemas/tokensSchema.ts\";\n\n/**\n * Creates an authentication provider primitive for handling user login flows.\n *\n * Supports multiple authentication strategies: credentials (username/password), OAuth2,\n * and OIDC (OpenID Connect). 
Handles token management, user profile retrieval, and\n * integration with both external identity providers (Auth0, Keycloak) and internal realms.\n *\n * **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers\n *\n * @example\n * ```ts\n * class AuthProviders {\n * // Internal credentials-based auth\n * credentials = $auth({\n * realm: this.userRealm,\n * credentials: {\n * account: async ({ username, password }) => {\n * return await this.validateUser(username, password);\n * }\n * }\n * });\n *\n * // External OIDC provider\n * keycloak = $auth({\n * oidc: {\n * issuer: \"https://auth.example.com\",\n * clientId: \"my-app\",\n * clientSecret: \"secret\",\n * redirectUri: \"/auth/callback\"\n * }\n * });\n * }\n * ```\n */\nexport const $auth = (options: AuthPrimitiveOptions): AuthPrimitive => {\n return createPrimitive(AuthPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type AuthPrimitiveOptions = {\n /**\n * Name of the identity provider.\n * If not provided, it will be derived from the property key.\n */\n name?: string;\n\n /**\n * If true, auth provider will be skipped.\n */\n disabled?: boolean;\n} & (AuthExternal | AuthInternal);\n\n/**\n * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)\n */\nexport type AuthExternal = {\n /**\n * Only OIDC is supported for external authentication.\n */\n oidc: OidcOptions;\n\n /**\n * For anonymous access, this will expect a service account access token.\n *\n * ```ts\n * class App {\n * anonymous = $serviceAccount(...);\n * auth = $auth({\n * // ... config ...\n * fallback: this.anonymous,\n * })\n * }\n * ```\n */\n fallback?: () => Async<AccessToken>;\n};\n\n/**\n * When using your own authentication system, e.g. 
using a database to store user accounts.\n * This is usually used with a custom login form.\n *\n * This relies on the `issuer`, which is used to create/verify the access token.\n */\nexport type AuthInternal = {\n issuer: IssuerPrimitive;\n} & (\n | {\n /**\n * The common username/password authentication.\n *\n * - It uses the OAuth2 Client Credentials flow to obtain an access token.\n *\n * This is usually used with a custom login form on your website or mobile app.\n */\n credentials: CredentialsOptions;\n }\n | {\n /**\n * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)\n *\n * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.\n *\n * This is usually used with a login button that redirects to the OAuth2 provider.\n */\n oauth: OAuth2Options;\n }\n | {\n /**\n * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.\n * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.\n *\n * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.\n * - PCKE (Proof Key for Code Exchange) is recommended for security.\n *\n * This is usually used with a login button that redirects to the OIDC provider.\n */\n oidc: OidcOptions;\n }\n);\n\nexport type CredentialsOptions = {\n account: CredentialsFn;\n};\n\nexport type CredentialsFn = (\n credentials: Credentials,\n) => Async<UserAccount | undefined>;\n\nexport interface Credentials {\n username: string;\n password: string;\n}\n\nexport interface OidcOptions {\n /**\n * URL of the OIDC issuer.\n */\n issuer: string;\n\n /**\n * Client ID for the OIDC client.\n */\n clientId: string;\n\n /**\n * Client secret for the OIDC client.\n * Optional if PKCE (Proof Key for Code Exchange) is used.\n */\n clientSecret?: string;\n\n /**\n * Redirect URI for the OIDC client.\n * This is where the user will be redirected after 
authentication.\n */\n redirectUri?: string;\n\n /**\n * For external auth providers only.\n * Take the ID token instead of the access token for validation.\n */\n useIdToken?: boolean;\n\n /**\n * URI to redirect the user after logout.\n */\n logoutUri?: string;\n\n /**\n * Optional scope for the OIDC client.\n * @default \"openid profile email\".\n */\n scope?: string;\n\n account?: LinkAccountFn;\n\n /**\n * OAuth2 response mode.\n * Apple requires \"form_post\" which sends the authorization code via POST body\n * instead of URL query parameters.\n */\n responseMode?: \"query\" | \"fragment\" | \"form_post\";\n\n /**\n * Additional parameters to include in the authorization URL.\n * Useful for provider-specific parameters.\n */\n authorizationParameters?: Record<string, string>;\n}\n\nexport interface LinkAccountOptions {\n access_token: string;\n user: OAuth2Profile;\n id_token?: string;\n expires_in?: number;\n scope?: string;\n}\n\nexport type LinkAccountFn = (tokens: LinkAccountOptions) => Async<UserAccount>;\n\nexport interface OAuth2Options {\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n clientId: string;\n\n /**\n * Client secret for the OAuth2 client.\n */\n clientSecret: string;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n authorization: string;\n\n /**\n * URL of the OAuth2 token endpoint.\n */\n token: string;\n\n /**\n * Function to retrieve user profile information from the OAuth2 tokens.\n */\n userinfo: (tokens: Tokens) => Async<OAuth2Profile>;\n\n account?: LinkAccountFn;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n redirectUri?: string;\n\n /**\n * URL of the OAuth2 authorization endpoint.\n */\n scope?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly 
dateTimeProvider = $inject(DateTimeProvider);\n\n protected oauthConfig?: Configuration;\n protected oauthInitializer?: () => Promise<Configuration>;\n\n public get oauth(): Configuration | undefined {\n return this.oauthConfig;\n }\n\n /**\n * Get the OAuth2/OIDC configuration, initializing lazily if needed (serverless mode).\n */\n public async getOAuth(): Promise<Configuration | undefined> {\n if (this.oauthConfig) {\n return this.oauthConfig;\n }\n\n if (this.oauthInitializer) {\n this.oauthConfig = await this.oauthInitializer();\n this.oauthInitializer = undefined;\n return this.oauthConfig;\n }\n\n return undefined;\n }\n\n public get name() {\n return this.options.name ?? this.config.propertyKey;\n }\n\n public get issuer(): IssuerPrimitive | undefined {\n if (\"issuer\" in this.options) {\n return this.options.issuer;\n }\n return undefined;\n }\n\n public get jwks_uri(): string {\n const jwks = this.oauth?.serverMetadata().jwks_uri;\n if (!jwks) {\n throw new AlephaError(\"No JWKS URI available for the auth provider\");\n }\n return jwks;\n }\n\n public get scope(): string | undefined {\n if (\"oauth\" in this.options) {\n return this.options.oauth.scope;\n }\n if (\"oidc\" in this.options) {\n return this.options.oidc.scope || \"openid profile email\";\n }\n throw new AlephaError(\n \"No OAuth2 or OIDC configuration available for the auth provider\",\n );\n }\n\n public get redirect_uri() {\n if (\"oauth\" in this.options) {\n return this.options.oauth.redirectUri;\n }\n if (\"oidc\" in this.options) {\n return this.options.oidc.redirectUri;\n }\n throw new AlephaError(\n \"No OAuth2 or OIDC configuration available for the auth provider\",\n );\n }\n\n /**\n * Refreshes the access token using the refresh token.\n * Can be used on oauth2, oidc or credentials auth providers.\n */\n public async refresh(\n refreshToken: string,\n accessToken?: string,\n ): Promise<AccessTokenResponse> {\n if (\"issuer\" in this.options) {\n return this.options.issuer\n 
.refreshToken(refreshToken, accessToken)\n .then((it) => it.tokens)\n .catch((error) => {\n throw new SecurityError(\n \"Failed to refresh access token using the refresh token (issuer)\",\n {\n cause: error,\n },\n );\n });\n }\n\n const oauth = await this.getOAuth();\n if (oauth) {\n try {\n return {\n ...(await refreshTokenGrant(oauth, refreshToken)),\n issued_at: this.dateTimeProvider.now().unix(),\n };\n } catch (error) {\n throw new SecurityError(\n \"Failed to refresh access token using the refresh token (oauth2)\",\n {\n cause: error,\n },\n );\n }\n }\n\n throw new AlephaError(\n \"No issuer or OAuth2 configuration available for refreshing the access token\",\n );\n }\n\n /**\n * Extracts user information from the access token.\n * This is used to create a user account from the access token.\n *\n * `externalProfile` carries extra profile fields that cannot be derived from the\n * ID token or userinfo endpoint — e.g. Apple's `user` form field that is only\n * delivered once, on first authorization. 
ID token / userinfo fields take\n * precedence; externalProfile only fills gaps.\n */\n public async user(\n tokens: Tokens,\n externalProfile?: Record<string, unknown>,\n ): Promise<UserAccount> {\n try {\n if (\"oauth\" in this.options) {\n const profile = {\n ...externalProfile,\n ...(await this.options.oauth.userinfo(tokens)),\n } as OAuth2Profile;\n\n if (this.options.oauth.account) {\n return this.options.oauth.account({\n ...tokens,\n user: profile,\n });\n }\n\n return this.securityProvider.createUserFromPayload(profile);\n }\n\n if (\"oidc\" in this.options) {\n const payload = {\n ...externalProfile,\n ...this.getUserFromIdToken(tokens.id_token || \"\"),\n } as OAuth2Profile;\n\n if (this.options.oidc.account) {\n return this.options.oidc.account({\n ...tokens,\n user: payload,\n });\n }\n\n return this.securityProvider.createUserFromPayload(payload);\n }\n } catch (error) {\n throw new SecurityError(\n \"Failed to extract user from identity provider tokens\",\n {\n cause: error,\n },\n );\n }\n\n throw new AlephaError(\n \"This authentication does not support user extraction from tokens\",\n );\n }\n\n // Security note: No JWT signature verification here is intentional and safe.\n // The id_token is received via authorizationCodeGrant() which fetches it over a\n // back-channel TLS connection directly from the IdP's token endpoint. TLS authenticates\n // the channel. openid-client/oauth4webapi validates claims (issuer, audience, nonce,\n // expiry) during the grant. 
Per OIDC spec, cryptographic signature verification is\n // not required for back-channel token responses — only for implicit/hybrid flows.\n // See: openid-client index.d.ts enableNonRepudiationChecks() docs.\n protected getUserFromIdToken(idToken: string): OAuth2Profile {\n try {\n return JSON.parse(\n Buffer.from(idToken.split(\".\")[1], \"base64\").toString(\"utf8\"),\n ) as OAuth2Profile;\n } catch (error) {\n throw new AlephaError(\"Failed to parse ID Token payload\", {\n cause: error,\n });\n }\n }\n\n public async prepare() {\n if (\"oidc\" in this.options) {\n const { oidc } = this.options;\n\n const discoverOidc = async () => {\n const execute: Array<(config: Configuration) => void> = [];\n execute.push(allowInsecureRequests);\n\n return discovery(\n new URL(oidc.issuer),\n oidc.clientId,\n {\n client_secret: oidc.clientSecret,\n },\n undefined,\n {\n execute,\n },\n );\n };\n\n // Defer OIDC discovery in serverless/dev to avoid cold start penalty\n if (this.alepha.isServerless() || !this.alepha.isProduction()) {\n this.oauthInitializer = discoverOidc;\n } else {\n this.oauthConfig = await discoverOidc();\n }\n }\n\n if (\"oauth\" in this.options) {\n const { oauth } = this.options;\n\n this.oauthConfig = new Configuration(\n {\n authorization_endpoint: oauth.authorization,\n token_endpoint: oauth.token,\n issuer: oauth.authorization, // use authorization URL as a pseudo-issuer?\n // we don't need all of these endpoints\n jwks_uri: undefined,\n end_session_endpoint: undefined,\n },\n oauth.clientId,\n {\n client_secret: oauth.clientSecret,\n },\n );\n }\n }\n}\n\n$auth[KIND] = AuthPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type AccessToken = string | { token: () => Async<string> };\n\nexport interface WithLinkFn {\n link?: (name: string) => (opts: LinkAccountOptions) => Async<UserAccount>;\n}\n\nexport interface WithLoginFn {\n login?: (\n provider: 
string,\n ) => (creds: Credentials) => Async<UserAccount | undefined>;\n}\n","export const alephaServerAuthRoutes = {\n login: \"/oauth/login\",\n callback: \"/oauth/callback\",\n logout: \"/oauth/logout\",\n token: \"/_auth/token\",\n refresh: \"/_auth/refresh\",\n userinfo: \"/_auth/userinfo\",\n};\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const tokensSchema = t.object({\n provider: t.text(),\n access_token: t.text({ size: \"rich\" }),\n issued_at: t.number(),\n expires_in: t.optional(t.number()),\n refresh_token: t.optional(t.text({ size: \"rich\" })),\n refresh_token_expires_in: t.optional(t.number()),\n refresh_expires_in: t.optional(\n t.number({\n description:\n \"Alias of `refresh_token_expires_in` for compatibility with some providers.\",\n }),\n ),\n id_token: t.optional(t.text({ size: \"rich\" })),\n scope: t.optional(t.text()),\n});\n\nexport type Tokens = Static<typeof tokensSchema>;\n","import { type Static, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"alepha/security\";\nimport { apiRegistryResponseSchema } from \"alepha/server/links\";\nimport { tokensSchema } from \"./tokensSchema.ts\";\n\nexport const tokenResponseSchema = t.extend(tokensSchema, {\n user: userAccountInfoSchema,\n api: apiRegistryResponseSchema,\n});\n\nexport type TokenResponse = Static<typeof tokenResponseSchema>;\n","import { type Static, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"alepha/security\";\nimport { apiRegistryResponseSchema } from \"alepha/server/links\";\n\nexport const userinfoResponseSchema = t.object({\n user: t.optional(userAccountInfoSchema),\n api: apiRegistryResponseSchema,\n});\n\nexport type UserinfoResponse = Static<typeof userinfoResponseSchema>;\n","import { $hook, $inject, Alepha, t } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n InvalidCredentialsError,\n type IssuerPrimitive,\n SecurityError,\n 
type UserAccount,\n} from \"alepha/security\";\nimport {\n $route,\n BadRequestError,\n type ServerRawRequest,\n type ServerReply,\n} from \"alepha/server\";\nimport {\n $cookie,\n type Cookies,\n ServerCookiesProvider,\n} from \"alepha/server/cookies\";\nimport { ServerLinksProvider } from \"alepha/server/links\";\nimport {\n authorizationCodeGrant,\n buildAuthorizationUrl,\n buildEndSessionUrl,\n calculatePKCECodeChallenge,\n randomPKCECodeVerifier,\n randomState,\n} from \"openid-client\";\nimport { alephaServerAuthRoutes } from \"../constants/routes.ts\";\nimport { $auth, type AuthPrimitive } from \"../primitives/$auth.ts\";\nimport type { AuthenticationProvider } from \"../schemas/authenticationProviderSchema.ts\";\nimport { tokenResponseSchema } from \"../schemas/tokenResponseSchema.ts\";\nimport { type Tokens, tokensSchema } from \"../schemas/tokensSchema.ts\";\nimport { userinfoResponseSchema } from \"../schemas/userinfoResponseSchema.ts\";\n\nexport class ServerAuthProvider {\n protected readonly log = $logger();\n protected readonly alepha = $inject(Alepha);\n protected readonly serverCookiesProvider = $inject(ServerCookiesProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly serverLinksProvider = $inject(ServerLinksProvider);\n\n /**\n * Validates that a redirect URI is a safe relative path, or — when\n * COOKIE_PARENT_DOMAIN is configured — an https URL whose host is the\n * parent domain or a subdomain of it. Used by SaaS deployments where the\n * OAuth callback dispatches users back to their tenant subdomain.\n *\n * Prevents open redirect attacks by rejecting any other absolute URL.\n */\n protected validateRedirectUri(uri: string): string {\n if (uri.startsWith(\"/\") && !uri.startsWith(\"//\")) {\n return uri;\n }\n const parent = this.alepha.env.COOKIE_PARENT_DOMAIN;\n if (typeof parent === \"string\" && parent) {\n try {\n const parsed = new URL(uri);\n const parentHost = parent.startsWith(\".\") ? 
parent.slice(1) : parent;\n if (parsed.protocol !== \"https:\") return \"/\";\n if (parsed.host === parentHost) return uri;\n if (parsed.host.endsWith(`.${parentHost}`)) return uri;\n } catch {\n // fall through\n }\n }\n return \"/\";\n }\n\n public get identities(): Array<AuthPrimitive> {\n return this.alepha\n .primitives($auth)\n .filter((auth) => !auth.options.disabled);\n }\n\n protected readonly authorizationCode = $cookie({\n name: \"authorizationCode\",\n ttl: [15, \"minutes\"],\n httpOnly: true,\n encrypt: true,\n schema: t.object({\n provider: t.text(),\n realm: t.optional(t.text()),\n codeVerifier: t.optional(t.text({ size: \"long\" })),\n redirectUri: t.optional(t.text({ size: \"long\" })),\n loginUri: t.optional(t.text({ size: \"long\" })),\n state: t.optional(t.text()),\n nonce: t.optional(t.text()),\n }),\n });\n\n public readonly tokens = $cookie({\n name: \"tokens\",\n ttl: [30, \"days\"],\n httpOnly: true,\n compress: true,\n encrypt: true,\n schema: tokensSchema,\n });\n\n protected readonly configure = $hook({\n on: \"configure\",\n handler: async () => {\n for (const identity of this.identities) {\n await identity.prepare();\n }\n },\n });\n\n /**\n * Fill request headers with access token from cookies or fallback to provider's fallback function.\n */\n protected readonly onRequest = $hook({\n on: \"server:onRequest\",\n after: this.serverCookiesProvider,\n handler: async ({ request }) => {\n const cookies = request.cookies;\n\n // [feature] forward cookies to request headers\n if (cookies) {\n const tokens = await this.cookiesToTokens(cookies);\n if (tokens) {\n request.headers.authorization = `Bearer ${this.extractAccessToken(tokens)}`;\n this.log.trace(\"Access token set in request headers\", {\n provider: tokens.provider,\n });\n }\n }\n\n // [feature] support for auth providers with fallback\n if (!request.headers.authorization) {\n for (const provider of this.identities) {\n if (\"fallback\" in provider.options && 
provider.options.fallback) {\n const token = await provider.options.fallback();\n if (token) {\n request.headers.authorization = `Bearer ${token}`;\n break;\n }\n }\n }\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Get user information.\n */\n public readonly userinfo = $route({\n path: alephaServerAuthRoutes.userinfo,\n use: [],\n schema: {\n response: userinfoResponseSchema,\n },\n handler: async ({ user, headers, cookies }) => {\n const tokens = this.getTokens(cookies);\n if (tokens) {\n const provider = this.provider(tokens);\n if (!(\"issuer\" in provider.options)) {\n const user = await provider.user(tokens);\n const api = await this.serverLinksProvider.getUserApiLinks({\n authorization: headers.authorization,\n user,\n });\n return {\n api,\n user,\n };\n }\n }\n\n const api = await this.serverLinksProvider.getUserApiLinks({\n authorization: headers.authorization,\n user,\n });\n\n return {\n api,\n user,\n };\n },\n });\n\n /**\n * Refresh a token for internal providers.\n */\n public readonly refresh = $route({\n path: alephaServerAuthRoutes.refresh,\n method: \"POST\",\n schema: {\n query: t.object({\n provider: t.text(),\n }),\n body: t.object({\n refresh_token: t.text({\n size: \"rich\",\n }),\n access_token: t.optional(\n t.text({\n size: \"rich\",\n description:\n \"Required if provider has stateless refresh token on credentials mode\",\n }),\n ),\n }),\n response: tokensSchema,\n },\n handler: async ({ query, body, cookies }) => {\n const provider = this.provider(query);\n\n const tokens = {\n provider: query.provider,\n ...(await provider.refresh(body.refresh_token, body.access_token)),\n };\n\n // for web applications, we store tokens in cookies\n this.setTokens(tokens, cookies);\n\n return tokens;\n },\n });\n\n /**\n * Login for local password-based authentication.\n */\n public readonly token = $route({\n path: alephaServerAuthRoutes.token,\n 
method: \"POST\",\n schema: {\n query: t.object({\n provider: t.text(),\n realm: t.optional(\n t.text({ description: \"Realm name for multi-realm setups\" }),\n ),\n }),\n body: t.object({\n username: t.text(),\n password: t.text(),\n }),\n response: tokenResponseSchema,\n },\n handler: async ({ query, body, cookies }) => {\n const provider = this.provider({\n provider: query.provider,\n realm: query.realm,\n });\n\n const issuer = provider.issuer;\n if (!issuer) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support password grant`,\n );\n }\n\n const credentials =\n \"credentials\" in provider.options && provider.options.credentials;\n\n if (!credentials) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support password grant`,\n );\n }\n\n let user: UserAccount | undefined;\n try {\n user = await credentials.account(body);\n } catch (e) {\n if (e instanceof InvalidCredentialsError) {\n throw e;\n }\n this.log.error(\"Failed to authenticate user\", e);\n throw new InvalidCredentialsError();\n }\n\n if (!user) {\n throw new InvalidCredentialsError();\n }\n\n const tokens = {\n provider: query.provider,\n ...(await issuer.createToken(user)),\n };\n\n // for web applications, we store tokens in cookies\n this.setTokens(tokens, cookies);\n\n const api = await this.serverLinksProvider.getUserApiLinks({\n user,\n });\n\n // mobile apps require this\n return {\n ...tokens,\n user,\n api,\n };\n },\n });\n\n /**\n * Oauth2/OIDC login route.\n */\n public readonly login = $route({\n path: alephaServerAuthRoutes.login,\n schema: {\n query: t.object({\n provider: t.text(),\n realm: t.optional(\n t.text({ description: \"Realm name for multi-realm setups\" }),\n ),\n redirect_uri: t.optional(t.text({ size: \"rich\" })),\n }),\n },\n handler: async ({ query, url, reply, headers }) => {\n const loginUri = headers.referer\n ? 
new URL(headers.referer).pathname + new URL(headers.referer).search\n : undefined;\n\n const provider = this.provider({\n provider: query.provider,\n realm: query.realm,\n });\n const oauth = await provider.getOAuth();\n if (!oauth) {\n throw new SecurityError(\n `Auth provider '${query.provider}' does not support OAuth2`,\n );\n }\n\n const scope = provider.scope;\n let redirect_uri =\n provider.redirect_uri || alephaServerAuthRoutes.callback;\n if (redirect_uri.startsWith(\"/\")) {\n redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;\n }\n\n const oidc = \"oidc\" in provider.options && provider.options.oidc;\n\n if (!oauth.serverMetadata().supportsPKCE()) {\n const state = randomState();\n const parameters: Record<string, string> = {\n redirect_uri,\n state,\n };\n\n if (oidc) {\n parameters.nonce = randomState();\n }\n\n if (scope) {\n parameters.scope = scope;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.responseMode) {\n parameters.response_mode = oidc.responseMode;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.authorizationParameters) {\n Object.assign(parameters, oidc.authorizationParameters);\n }\n\n this.authorizationCode.set({\n state,\n nonce: parameters.nonce,\n redirectUri: this.validateRedirectUri(query.redirect_uri ?? \"/\"),\n loginUri,\n provider: query.provider,\n realm: query.realm,\n });\n\n reply.redirect(\n buildAuthorizationUrl(oauth, parameters).toString(),\n 302,\n );\n return;\n }\n\n // Security note: No state or nonce in the PKCE path is intentional.\n // PKCE provides equivalent CSRF protection to state: the code_verifier is bound\n // to the session cookie, and the authorization code is bound to the code_challenge.\n // An attacker cannot forge the callback without the code_verifier. 
OAuth 2.1 (RFC 9126)\n // makes PKCE mandatory and state optional. For OIDC nonce: the id_token is received\n // over back-channel TLS from the token endpoint, making nonce replay irrelevant.\n // openid-client/oauth4webapi correctly validates that no state is in the response\n // when none was sent (expectNoState).\n const codeVerifier = randomPKCECodeVerifier();\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n\n const parameters: Record<string, string> = {\n redirect_uri,\n code_challenge: codeChallenge,\n code_challenge_method: \"S256\",\n };\n\n if (scope) {\n parameters.scope = scope;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.responseMode) {\n parameters.response_mode = oidc.responseMode;\n }\n\n // biome-ignore lint/complexity/useOptionalChain: oidc is `false | OidcOptions`; optional chaining doesn't narrow `false`\n if (oidc && oidc.authorizationParameters) {\n Object.assign(parameters, oidc.authorizationParameters);\n }\n\n this.authorizationCode.set({\n codeVerifier,\n redirectUri: this.validateRedirectUri(query.redirect_uri ?? \"/\"),\n loginUri,\n provider: query.provider,\n realm: query.realm,\n });\n\n reply.redirect(buildAuthorizationUrl(oauth, parameters).toString(), 302);\n },\n });\n\n /**\n * Extracts provider-specific extra profile fields delivered via the\n * authorization callback form body rather than the ID token or userinfo\n * endpoint. 
Currently handles Apple Sign In's `user` field, which is sent\n * only on the user's first authorization and contains their name.\n */\n protected async extractFormPostProfile(\n req: Request,\n ): Promise<Record<string, unknown> | undefined> {\n try {\n const form = await req.formData();\n const userField = form.get(\"user\");\n if (typeof userField !== \"string\") {\n return undefined;\n }\n const parsed = JSON.parse(userField) as {\n name?: { firstName?: string; lastName?: string };\n email?: string;\n };\n const profile: Record<string, unknown> = {};\n if (parsed.name?.firstName) {\n profile.given_name = parsed.name.firstName;\n }\n if (parsed.name?.lastName) {\n profile.family_name = parsed.name.lastName;\n }\n if (parsed.name?.firstName || parsed.name?.lastName) {\n profile.name = [parsed.name?.firstName, parsed.name?.lastName]\n .filter(Boolean)\n .join(\" \");\n }\n if (parsed.email) {\n profile.email = parsed.email;\n }\n return Object.keys(profile).length > 0 ? profile : undefined;\n } catch (e) {\n this.log.warn(\"Failed to parse form_post profile from callback body\", e);\n return undefined;\n }\n }\n\n /**\n * Shared callback logic for both GET and POST OAuth2/OIDC callbacks.\n * For form_post response mode (e.g. Apple Sign In), the raw Request object\n * is passed so openid-client can read the authorization code from the POST body.\n */\n protected async handleCallback(\n url: URL,\n reply: ServerReply,\n cookies: Cookies,\n raw?: ServerRawRequest,\n ) {\n const authorizationCode = this.authorizationCode.get({ cookies });\n if (!authorizationCode) {\n throw new BadRequestError(\"Missing code verifier\");\n }\n\n const provider = this.provider(authorizationCode);\n const oauth = await provider.getOAuth();\n if (!oauth) {\n throw new SecurityError(\n `Auth provider '${provider.name}' does not support OAuth2`,\n );\n }\n\n const redirectUri = authorizationCode.redirectUri ?? 
\"/\";\n const loginUri = authorizationCode.loginUri;\n\n // For form_post response mode (e.g. Apple), pass the raw Request object\n // so openid-client can read the authorization code from the POST body.\n // Clone first so we can also extract provider-specific fields (e.g. Apple's\n // `user` form field, only sent once on first authorization) without\n // consuming the body that openid-client needs to read.\n let currentUrl: URL | Request = url;\n let externalProfile: Record<string, unknown> | undefined;\n if (raw?.web?.req && raw.web.req.method === \"POST\") {\n const cloned = raw.web.req.clone();\n currentUrl = raw.web.req;\n externalProfile = await this.extractFormPostProfile(cloned);\n }\n\n const externalTokens = await authorizationCodeGrant(oauth, currentUrl, {\n pkceCodeVerifier: authorizationCode.codeVerifier,\n expectedState: authorizationCode.state,\n expectedNonce: authorizationCode.nonce,\n })\n .then((tokens) => ({\n issued_at: this.dateTimeProvider.now().unix(),\n provider: provider.name,\n ...tokens,\n }))\n .catch((e) => {\n this.log.error(\"Failed to get access token\", e);\n throw new SecurityError(\"Failed to get access token\", {\n cause: e,\n });\n });\n\n this.authorizationCode.del({ cookies });\n\n const issuer = provider.issuer;\n\n // external, full OIDC System (e.g. Keycloak, Auth0)\n if (!issuer) {\n this.setTokens(externalTokens, cookies);\n reply.redirect(redirectUri, 302);\n return;\n }\n\n // internal, we need to create our own tokens\n\n let user: UserAccount;\n try {\n user = await provider.user(externalTokens, externalProfile);\n } catch (e) {\n this.log.warn(\"OAuth2 account linking failed\", e);\n const errorTarget = loginUri || redirectUri;\n const errorUrl = new URL(errorTarget, url.origin);\n errorUrl.searchParams.set(\n \"error\",\n e instanceof BadRequestError ? 
e.message : \"Authentication failed\",\n );\n reply.redirect(errorUrl.pathname + errorUrl.search, 302);\n return;\n }\n\n await this.establishSession(user, issuer, provider.name, cookies);\n\n reply.redirect(redirectUri, 302);\n }\n\n /**\n * Establish a local session for an already-resolved user: mint realm tokens\n * and write the `tokens` cookie. Used by the OAuth callback and by federated\n * (broker) login. `issuer` is the realm issuer (provider.issuer / realm).\n */\n public async establishSession(\n user: UserAccount,\n issuer: IssuerPrimitive,\n providerName: string,\n cookies: Cookies,\n ): Promise<void> {\n const tokens = await issuer.createToken(user);\n this.setTokens(\n {\n ...tokens,\n issued_at: this.dateTimeProvider.now().unix(),\n provider: providerName,\n },\n cookies,\n );\n }\n\n /**\n * Callback for OAuth2/OIDC providers.\n * It handles the authorization code flow and retrieves the access token.\n */\n public readonly callback = $route({\n path: alephaServerAuthRoutes.callback,\n handler: async ({ url, reply, cookies }) => {\n await this.handleCallback(url, reply, cookies);\n },\n });\n\n /**\n * POST callback for OAuth2/OIDC providers using form_post response mode.\n * Apple Sign In sends the authorization code via POST body instead of URL query parameters.\n */\n public readonly callbackPost = $route({\n path: alephaServerAuthRoutes.callback,\n method: \"POST\",\n handler: async ({ url, reply, cookies, raw }) => {\n await this.handleCallback(url, reply, cookies, raw);\n },\n });\n\n /**\n * Logout route for OAuth2/OIDC providers.\n */\n public readonly logout = $route({\n path: alephaServerAuthRoutes.logout,\n method: \"POST\",\n schema: {\n query: t.object({\n post_logout_redirect_uri: t.optional(t.text()),\n }),\n },\n handler: async ({ query, reply, cookies }) => {\n const redirect = this.validateRedirectUri(\n query.post_logout_redirect_uri ?? 
\"/\",\n );\n const tokens = this.getTokens(cookies);\n if (!tokens) {\n reply.redirect(redirect, 302);\n return;\n }\n\n const provider = this.provider(tokens.provider);\n\n this.tokens.del({ cookies });\n\n // for internal providers, we can delete the session - if available\n if (provider.issuer && tokens.refresh_token) {\n const onDeleteSession =\n provider.issuer.options.settings?.onDeleteSession;\n if (onDeleteSession) {\n try {\n await onDeleteSession(tokens.refresh_token);\n } catch (e) {\n this.log.error(\"Failed to delete session\", e);\n }\n }\n }\n\n const oauth = await provider.getOAuth();\n if (!oauth) {\n reply.redirect(redirect, 302);\n return;\n }\n\n const params = new URLSearchParams();\n const idToken = tokens?.id_token;\n\n params.set(\"post_logout_redirect_uri\", redirect);\n if (idToken) {\n params.set(\"id_token_hint\", idToken);\n }\n\n const customLogoutUri =\n \"oidc\" in provider.options\n ? provider.options.oidc?.logoutUri\n : undefined;\n\n if (customLogoutUri) {\n reply.redirect(`${customLogoutUri}?${params}`, 302);\n return;\n }\n\n if (!oauth.serverMetadata().end_session_endpoint) {\n // await tokenRevocation(\n // \toauth,\n // \ttokens?.refresh_token ?? tokens.access_token,\n // );\n reply.redirect(redirect, 302);\n return;\n }\n\n reply.redirect(buildEndSessionUrl(oauth, params).toString(), 302);\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n public getAuthenticationProviders(\n filters: { realmName?: string } = {},\n ): AuthenticationProvider[] {\n const providers: AuthenticationProvider[] = [];\n\n for (const identity of this.identities) {\n if (filters.realmName) {\n const issuer = identity.issuer;\n if (!issuer || issuer.name !== filters.realmName) {\n continue;\n }\n }\n\n const type =\n \"oidc\" in identity.options\n ? \"OIDC\"\n : \"oauth\" in identity.options\n ? \"OAUTH2\"\n : \"credentials\" in identity.options\n ? 
\"CREDENTIALS\"\n : undefined;\n\n if (!type) {\n continue;\n }\n\n providers.push({\n name: identity.name,\n type,\n });\n }\n\n return providers;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Find an auth provider by name and optionally by realm.\n * When realm is specified, it filters providers by both name and realm.\n * This enables multi-realm setups where multiple providers share the same name (e.g., \"credentials\").\n */\n protected provider(\n opts: string | { provider: string; realm?: string },\n ): AuthPrimitive {\n const name = typeof opts === \"string\" ? opts : opts.provider;\n const realmName = typeof opts === \"string\" ? undefined : opts.realm;\n\n const identity = this.identities.find((identity) => {\n if (identity.name !== name) {\n return false;\n }\n\n // If realm filter is specified, match against provider's issuer\n if (realmName && identity.issuer?.name !== realmName) {\n return false;\n }\n\n return true;\n });\n\n if (!identity) {\n const realmInfo = realmName ? 
` for realm '${realmName}'` : \"\";\n throw new SecurityError(`Auth provider '${name}'${realmInfo} not found`);\n }\n\n return identity;\n }\n\n /**\n * Convert cookies to tokens.\n * If the tokens are expired, try to refresh them using the refresh token.\n */\n protected async cookiesToTokens(\n cookies: Cookies,\n ): Promise<Tokens | undefined> {\n const tokens = this.getTokens(cookies);\n if (!tokens) {\n // no cookie, no tokens\n this.log.trace(\"No tokens found in cookies\");\n return;\n }\n\n this.log.trace(\"Tokens found in cookies\", {\n expires_in: tokens.expires_in,\n issued_at: tokens.issued_at,\n });\n\n // check if tokens are expired\n const refreshedTokens = await this.refreshTokens(tokens);\n if (!refreshedTokens) {\n this.tokens.del({ cookies });\n // 08/25: exception here will go to Server error handler, not the React one\n // better to remove cookie & session and let the page handle 401 Unauthorized\n //throw new SessionExpiredError(\"Session expired. Please login again.\");\n return;\n }\n\n // Non-constant-time comparison is fine here — this determines whether to update\n // the cookie, not whether to grant access. No authentication decision is made.\n if (refreshedTokens.access_token !== tokens.access_token) {\n this.setTokens(refreshedTokens, cookies);\n }\n\n return refreshedTokens;\n }\n\n protected getTokens(cookies?: Cookies): Tokens | undefined {\n return this.tokens.get({ cookies });\n }\n\n protected setTokens(tokens: Tokens, cookies?: Cookies): void {\n const exp =\n tokens.refresh_token_expires_in ||\n tokens.refresh_expires_in ||\n tokens.expires_in;\n\n const ttl = exp\n ? 
this.dateTimeProvider.duration(exp, \"seconds\")\n : undefined;\n\n this.tokens.set(tokens, {\n cookies,\n ttl,\n });\n }\n\n protected extractAccessToken(tokens: Tokens) {\n const idp = this.provider(tokens.provider);\n\n if (\n \"oidc\" in idp.options &&\n !(\"issuer\" in idp.options) &&\n idp.options.oidc?.useIdToken\n ) {\n return tokens.id_token;\n }\n\n return tokens.access_token;\n }\n\n protected async refreshTokens(tokens: Tokens): Promise<Tokens | undefined> {\n // Note: concurrent requests refreshing with the same token is safe here because\n // Alepha does not rotate refresh tokens — the same token is reused across refreshes\n // (session-based: same UUID in the session row; token-based: same JWT).\n // If single-use rotation is ever added (e.g., for SPA/public clients per OAuth 2.1),\n // a reuse grace window (à la Auth0) should be implemented to avoid race conditions.\n\n if (tokens.expires_in && tokens.issued_at) {\n const gracePeriodSec = 10;\n const expiresAt = tokens.issued_at + (tokens.expires_in - gracePeriodSec);\n\n if (expiresAt < this.dateTimeProvider.now().unix()) {\n this.log.trace(\"Tokens are expired\");\n\n // oh no, it is expired\n if (tokens.refresh_token) {\n this.log.trace(\"Trying to refresh tokens using refresh token\");\n // but has refresh token!\n try {\n const provider = this.provider(tokens);\n const result = await provider.refresh(\n tokens.refresh_token,\n tokens.access_token,\n );\n const newTokens = {\n ...result,\n provider: tokens.provider,\n issued_at: this.dateTimeProvider.now().unix(),\n };\n\n this.log.debug(\"Tokens refreshed successfully\");\n\n return newTokens;\n } catch (e) {\n this.log.warn(\"Failed to refresh token\", e);\n }\n }\n\n // session expired and no (valid) refresh token\n return;\n }\n }\n\n if (!tokens.issued_at && tokens.access_token) {\n return;\n }\n\n return tokens;\n }\n}\n\n// 
---------------------------------------------------------------------------------------------------------------------\n\nexport interface OAuth2Profile {\n sub: string; // Subject - unique ID per user (required by OpenID)\n email?: string;\n name?: string;\n given_name?: string;\n family_name?: string;\n middle_name?: string;\n nickname?: string;\n preferred_username?: string;\n profile?: string;\n picture?: string;\n website?: string;\n email_verified?: boolean;\n gender?: string;\n birthdate?: string; // ISO 8601: YYYY-MM-DD\n zoneinfo?: string;\n locale?: string;\n phone_number?: string;\n phone_number_verified?: boolean;\n address?: {\n formatted?: string;\n street_address?: string;\n locality?: string;\n region?: string;\n postal_code?: string;\n country?: string;\n };\n updated_at?: number; // seconds since epoch\n // Allow additional fields (provider-specific)\n [key: string]: unknown;\n}\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. 
Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? 
input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction checkHashLength(algorithm, expected) {\n const actual = getHashLength(algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw 
unusable('RSASSA-PKCS1-v1_5');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 
'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n 
code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 
'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","import { decode } from '../util/base64url.js';\nexport const unprotected = Symbol();\nexport function assertNotSet(value, name) {\n if (value) {\n throw new TypeError(`${name} can only be called once`);\n }\n}\nexport function decodeBase64url(value, label, ErrorClass) {\n try {\n return decode(value);\n }\n catch {\n throw new ErrorClass(`Failed to base64url decode the ${label}`);\n }\n}\nexport async function digest(algorithm, data) {\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\nexport function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || 
sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { JOSENotSupported } from '../util/errors.js';\nimport { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\nfunction subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your 
javascript runtime`);\n }\n}\nasync function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nconst unsupportedAlg = 'Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? 
['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n case 'ES384':\n case 'ES512':\n algorithm = {\n name: 'ECDSA',\n namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],\n };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? 
keyUsages);\n}\n","import { isJWK } from './type_checks.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nconst unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 
'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError(unusableForAlg);\n }\n const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };\n if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? 
[] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError(unusableForAlg);\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { invalidKeyInput } from './invalid_key_input.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nconst formatPEM = (b64, descriptor) => {\n const newlined = (b64.match(/.{1,64}/g) || []).join('\\n');\n return `-----BEGIN ${descriptor}-----\\n${newlined}\\n-----END ${descriptor}-----`;\n};\nconst genericExport = async (keyType, keyFormat, key) => {\n if (isKeyObject(key)) {\n if (key.type !== keyType) {\n throw new TypeError(`key is not a ${keyType} key`);\n }\n return key.export({ format: 'pem', type: keyFormat });\n }\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject'));\n }\n if (!key.extractable) {\n throw new TypeError('CryptoKey is not extractable');\n }\n if (key.type !== keyType) {\n throw new TypeError(`key is not a ${keyType} key`);\n }\n return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);\n};\nexport const toSPKI = (key) => 
genericExport('public', 'spki', key);\nexport const toPKCS8 = (key) => genericExport('private', 'pkcs8', key);\nconst bytesEqual = (a, b) => {\n if (a.byteLength !== b.length)\n return false;\n for (let i = 0; i < a.byteLength; i++) {\n if (a[i] !== b[i])\n return false;\n }\n return true;\n};\nconst createASN1State = (data) => ({ data, pos: 0 });\nconst parseLength = (state) => {\n const first = state.data[state.pos++];\n if (first & 0x80) {\n const lengthOfLen = first & 0x7f;\n let length = 0;\n for (let i = 0; i < lengthOfLen; i++) {\n length = (length << 8) | state.data[state.pos++];\n }\n return length;\n }\n return first;\n};\nconst skipElement = (state, count = 1) => {\n if (count <= 0)\n return;\n state.pos++;\n const length = parseLength(state);\n state.pos += length;\n if (count > 1) {\n skipElement(state, count - 1);\n }\n};\nconst expectTag = (state, expectedTag, errorMessage) => {\n if (state.data[state.pos++] !== expectedTag) {\n throw new Error(errorMessage);\n }\n};\nconst getSubarray = (state, length) => {\n const result = state.data.subarray(state.pos, state.pos + length);\n state.pos += length;\n return result;\n};\nconst parseAlgorithmOID = (state) => {\n expectTag(state, 0x06, 'Expected algorithm OID');\n const oidLen = parseLength(state);\n return getSubarray(state, oidLen);\n};\nfunction parsePKCS8Header(state) {\n expectTag(state, 0x30, 'Invalid PKCS#8 structure');\n parseLength(state);\n expectTag(state, 0x02, 'Expected version field');\n const verLen = parseLength(state);\n state.pos += verLen;\n expectTag(state, 0x30, 'Expected algorithm identifier');\n const algIdLen = parseLength(state);\n const algIdStart = state.pos;\n return { algIdStart, algIdLength: algIdLen };\n}\nfunction parseSPKIHeader(state) {\n expectTag(state, 0x30, 'Invalid SPKI structure');\n parseLength(state);\n expectTag(state, 0x30, 'Expected algorithm identifier');\n const algIdLen = parseLength(state);\n const algIdStart = state.pos;\n return { algIdStart, 
algIdLength: algIdLen };\n}\nconst parseECAlgorithmIdentifier = (state) => {\n const algOid = parseAlgorithmOID(state);\n if (bytesEqual(algOid, [0x2b, 0x65, 0x6e])) {\n return 'X25519';\n }\n if (!bytesEqual(algOid, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])) {\n throw new Error('Unsupported key algorithm');\n }\n expectTag(state, 0x06, 'Expected curve OID');\n const curveOidLen = parseLength(state);\n const curveOid = getSubarray(state, curveOidLen);\n for (const { name, oid } of [\n { name: 'P-256', oid: [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07] },\n { name: 'P-384', oid: [0x2b, 0x81, 0x04, 0x00, 0x22] },\n { name: 'P-521', oid: [0x2b, 0x81, 0x04, 0x00, 0x23] },\n ]) {\n if (bytesEqual(curveOid, oid)) {\n return name;\n }\n }\n throw new Error('Unsupported named curve');\n};\nconst genericImport = async (keyFormat, keyData, alg, options) => {\n let algorithm;\n let keyUsages;\n const isPublic = keyFormat === 'spki';\n const getSigUsages = () => (isPublic ? ['verify'] : ['sign']);\n const getEncUsages = () => isPublic ? 
['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = getSigUsages();\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = getSigUsages();\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n };\n keyUsages = getEncUsages();\n break;\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n const curveMap = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };\n algorithm = { name: 'ECDSA', namedCurve: curveMap[alg] };\n keyUsages = getSigUsages();\n break;\n }\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n try {\n const namedCurve = options.getNamedCurve(keyData);\n algorithm = namedCurve === 'X25519' ? { name: 'X25519' } : { name: 'ECDH', namedCurve };\n }\n catch (cause) {\n throw new JOSENotSupported('Invalid or unsupported key format');\n }\n keyUsages = isPublic ? [] : ['deriveBits'];\n break;\n }\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = getSigUsages();\n break;\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: alg };\n keyUsages = getSigUsages();\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (Algorithm) value');\n }\n return crypto.subtle.importKey(keyFormat, keyData, algorithm, options?.extractable ?? (isPublic ? 
true : false), keyUsages);\n};\nconst processPEMData = (pem, pattern) => {\n return decodeBase64(pem.replace(pattern, ''));\n};\nexport const fromPKCS8 = (pem, alg, options) => {\n const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\\s)/g);\n let opts = options;\n if (alg?.startsWith?.('ECDH-ES')) {\n opts ||= {};\n opts.getNamedCurve = (keyData) => {\n const state = createASN1State(keyData);\n parsePKCS8Header(state);\n return parseECAlgorithmIdentifier(state);\n };\n }\n return genericImport('pkcs8', keyData, alg, opts);\n};\nexport const fromSPKI = (pem, alg, options) => {\n const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\\s)/g);\n let opts = options;\n if (alg?.startsWith?.('ECDH-ES')) {\n opts ||= {};\n opts.getNamedCurve = (keyData) => {\n const state = createASN1State(keyData);\n parseSPKIHeader(state);\n return parseECAlgorithmIdentifier(state);\n };\n }\n return genericImport('spki', keyData, alg, opts);\n};\nfunction spkiFromX509(buf) {\n const state = createASN1State(buf);\n expectTag(state, 0x30, 'Invalid certificate structure');\n parseLength(state);\n expectTag(state, 0x30, 'Invalid tbsCertificate structure');\n parseLength(state);\n if (buf[state.pos] === 0xa0) {\n skipElement(state, 6);\n }\n else {\n skipElement(state, 5);\n }\n const spkiStart = state.pos;\n expectTag(state, 0x30, 'Invalid SPKI structure');\n const spkiContentLen = parseLength(state);\n return buf.subarray(spkiStart, spkiStart + spkiContentLen + (state.pos - spkiStart));\n}\nfunction extractX509SPKI(x509) {\n const derBytes = processPEMData(x509, /(?:-----(?:BEGIN|END) CERTIFICATE-----|\\s)/g);\n return spkiFromX509(derBytes);\n}\nexport const fromX509 = (pem, alg, options) => {\n let spki;\n try {\n spki = extractX509SPKI(pem);\n }\n catch (cause) {\n throw new TypeError('Failed to parse the X.509 certificate', { cause });\n }\n return fromSPKI(formatPEM(encodeBase64(spki), 'PUBLIC KEY'), alg, options);\n};\n","import { decode 
as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? 
jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if 
(joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './type_checks.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 
'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing 
must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/signing.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { decodeBase64url } from '../../lib/helpers.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { isObject } from '../../lib/type_checks.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n 
if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? 
b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid);\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = decodeBase64url(jws.payload, 'payload', JWSInvalid);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './type_checks.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 
24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n 
throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? 
[audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? 
maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', 
value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/signing.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nimport { assertNotSet } from '../../lib/helpers.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n assertNotSet(this.#protectedHeader, 'setProtectedHeader');\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or 
setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n 
this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import { importPKCS8, SignJWT } from \"jose\";\n\nexport interface AppleClientSecretOptions {\n privateKeyPem: string; // ES256 .p8 contents (PKCS#8 PEM)\n teamId: string; // Apple Team ID -> iss\n serviceId: string; // Apple Service ID -> sub (the OAuth client_id)\n keyId: string; // Apple Key ID -> header kid\n ttlSeconds?: number; // default 300 (5 min)\n}\n\n/** Signs Apple's 
short-lived ES256 client_secret JWT on demand (no rotation job). */\nexport async function signAppleClientSecret(\n opts: AppleClientSecretOptions,\n): Promise<string> {\n const key = await importPKCS8(opts.privateKeyPem, \"ES256\");\n return new SignJWT({})\n .setProtectedHeader({ alg: \"ES256\", kid: opts.keyId, typ: \"JWT\" })\n .setIssuer(opts.teamId)\n .setSubject(opts.serviceId)\n .setAudience(\"https://appleid.apple.com\")\n .setIssuedAt()\n .setExpirationTime(`${opts.ttlSeconds ?? 300}s`)\n .sign(key);\n}\n","import { importPKCS8, importSPKI, jwtVerify, SignJWT } from \"jose\";\n\nconst ALG = \"EdDSA\";\n\nexport interface FederationProfile {\n provider: \"google\" | \"apple\";\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n given_name?: string;\n family_name?: string;\n picture?: string;\n is_private_email?: boolean;\n}\n\nexport interface SignAssertionOptions {\n privateKeyPem: string; // EdDSA PKCS#8 PEM\n issuer: string;\n audience: string; // exact tenant origin\n ttlSeconds?: number; // default 60\n jti?: string; // default random\n}\n\nexport interface VerifyAssertionOptions {\n publicKeyPem: string; // EdDSA SPKI PEM\n issuer: string;\n audience: string;\n}\n\nexport interface VerifiedAssertion {\n profile: FederationProfile;\n jti: string;\n}\n\nexport async function signFederationAssertion(\n profile: FederationProfile,\n opts: SignAssertionOptions,\n): Promise<string> {\n const key = await importPKCS8(opts.privateKeyPem, ALG);\n const jti = opts.jti ?? crypto.randomUUID();\n const ttl = opts.ttlSeconds ?? 
60;\n return new SignJWT({ profile })\n .setProtectedHeader({ alg: ALG, typ: \"JWT\" })\n .setIssuer(opts.issuer)\n .setAudience(opts.audience)\n .setJti(jti)\n .setIssuedAt()\n .setExpirationTime(`${ttl}s`)\n .sign(key);\n}\n\nexport async function verifyFederationAssertion(\n token: string,\n opts: VerifyAssertionOptions,\n): Promise<VerifiedAssertion> {\n const key = await importSPKI(opts.publicKeyPem, ALG);\n const { payload } = await jwtVerify(token, key, {\n issuer: opts.issuer,\n audience: opts.audience,\n algorithms: [ALG],\n // Defense-in-depth: reject a (signature-valid) token that omits any of\n // these, so it can't slip an unbounded lifetime or an unreplayable id.\n requiredClaims: [\"exp\", \"iat\", \"jti\"],\n });\n const profile = payload.profile as FederationProfile | undefined;\n if (!profile?.sub || !profile.provider) {\n throw new Error(\"Federation assertion missing profile.sub/provider\");\n }\n if (!payload.jti) {\n throw new Error(\"Federation assertion missing jti\");\n }\n return { profile, jti: String(payload.jti) };\n}\n","import { type Static, t } from \"alepha\";\n\nexport const authenticationProviderSchema = t.object(\n {\n name: t.text({\n description: \"Name of the authentication provider.\",\n }),\n type: t.enum([\"OAUTH2\", \"OIDC\", \"CREDENTIALS\"], {\n description: \"Type of the authentication provider.\",\n }),\n },\n {\n title: \"AuthenticationProvider\",\n },\n);\n\nexport type AuthenticationProvider = Static<\n typeof authenticationProviderSchema\n>;\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type LinkAccountOptions,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Apple authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Apple accounts.\n * Upon 
successful authentication, it links the Apple account to a user session.\n *\n * Apple-specific behavior:\n * - `response_mode=form_post` (required by Apple when requesting `email`/`name`).\n * - Scope: `name email` (Apple does not support the standard `profile` scope).\n * - The user's name is only provided on the first authorization, as a `user`\n * form field on the POST callback. The framework extracts it and injects\n * `given_name` / `family_name` / `name` into the profile before linking.\n * Subsequent logins only return `sub` and `email` in the ID token.\n * - `email_verified` and `is_private_email` are normalized from Apple's\n * string (\"true\"/\"false\") representation to booleans.\n *\n * Client secret:\n * Apple requires the client secret to be a signed ES256 JWT generated from\n * your Apple private key, team ID, and key ID. This JWT is valid for up to 6\n * months; you must rotate it before expiration. Generate it out of band and\n * set it via `APPLE_CLIENT_SECRET`.\n *\n * See: https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret\n *\n * Environment Variables:\n * - `APPLE_CLIENT_ID`: The Service ID obtained from the Apple Developer Console.\n * - `APPLE_CLIENT_SECRET`: The signed ES256 JWT client secret generated from your\n * Apple private key.\n */\nexport const $authApple = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n APPLE_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The Service ID obtained from the Apple Developer Console.\",\n }),\n ),\n APPLE_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The signed ES256 JWT client secret generated from your Apple private key.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.APPLE_CLIENT_ID || !env.APPLE_CLIENT_SECRET;\n\n const name = \"apple\";\n\n const userAccount: LinkAccountFn | undefined =\n options.account ?? 
(realm.link ? realm.link(name) : undefined);\n\n if (!userAccount) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n const account: LinkAccountFn = async (opts) => {\n return userAccount(normalizeApplePayload(opts));\n };\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: \"https://appleid.apple.com\",\n clientId: env.APPLE_CLIENT_ID!,\n clientSecret: env.APPLE_CLIENT_SECRET,\n scope: \"name email\",\n responseMode: \"form_post\",\n ...options,\n account,\n },\n disabled,\n });\n};\n\n/**\n * Normalize Apple-specific profile quirks before handing off to the\n * user-provided link function.\n *\n * Why: Apple's ID token non-conformities — `email_verified` and\n * `is_private_email` are delivered as the strings \"true\"/\"false\" rather than\n * booleans. Normalize so downstream code can rely on standard OIDC shapes.\n */\nconst normalizeApplePayload = (\n opts: LinkAccountOptions,\n): LinkAccountOptions => {\n const user: OAuth2Profile = { ...opts.user };\n\n for (const key of [\"email_verified\", \"is_private_email\"] as const) {\n const raw = user[key] as unknown;\n if (typeof raw === \"string\") {\n user[key] = raw === \"true\";\n }\n }\n\n return { ...opts, user };\n};\n","import { AlephaError } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type CredentialsFn,\n type CredentialsOptions,\n type WithLoginFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Credentials authentication primitive.\n *\n * Uses username and password to authenticate users.\n */\nexport const $authCredentials = (\n realm: IssuerPrimitive & WithLoginFn,\n options: Partial<CredentialsOptions> = {},\n) => {\n const name = \"credentials\";\n\n const account: CredentialsFn | undefined = realm.login\n ? 
realm.login(name)\n : options.account;\n\n if (!account) {\n throw new AlephaError(\n \"Credentials authentication requires a login function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n credentials: {\n account,\n },\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Facebook authentication primitive.\n *\n * Uses OAuth2 to authenticate users via their Facebook accounts.\n * Upon successful authentication, it links the Facebook account to a user session.\n *\n * Environment Variables:\n * - `FACEBOOK_CLIENT_ID`: The App ID obtained from the Meta Developer Console.\n * - `FACEBOOK_CLIENT_SECRET`: The App Secret obtained from the Meta Developer Console.\n */\nexport const $authFacebook = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n FACEBOOK_CLIENT_ID: t.optional(\n t.text({\n description: \"The App ID obtained from the Meta Developer Console.\",\n }),\n ),\n FACEBOOK_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The App Secret obtained from the Meta Developer Console.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.FACEBOOK_CLIENT_ID || !env.FACEBOOK_CLIENT_SECRET;\n\n const name = \"facebook\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oauth: {\n clientId: env.FACEBOOK_CLIENT_ID!,\n clientSecret: env.FACEBOOK_CLIENT_SECRET!,\n authorization: \"https://www.facebook.com/v25.0/dialog/oauth\",\n token: \"https://graph.facebook.com/v25.0/oauth/access_token\",\n scope: \"email\",\n userinfo: async (tokens) => {\n const res = await fetch(\n \"https://graph.facebook.com/v25.0/me?fields=id,name,email,picture.width(200).height(200)\",\n {\n headers: {\n Authorization: `Bearer ${tokens.access_token}`,\n },\n },\n ).then((res) => res.json());\n\n const user: OAuth2Profile = {\n sub: res.id,\n };\n\n if (res.email) {\n user.email = res.email;\n }\n\n if (res.name) {\n user.name = res.name.trim();\n }\n\n if (res.picture?.data?.url) {\n user.picture = res.picture.data.url;\n }\n\n return user;\n },\n ...options,\n account,\n },\n disabled,\n });\n};\n","/**\n * Returns a safe in-app redirect target: a single absolute path on the current\n * origin. 
Rejects protocol-relative (`//host`), absolute URLs, and backslash\n * tricks so a crafted `redirect` query can't become a post-auth open redirect.\n */\nexport function safeRedirectPath(\n redirect: string | undefined,\n fallback = \"/\",\n): string {\n if (\n typeof redirect === \"string\" &&\n redirect.startsWith(\"/\") &&\n !redirect.startsWith(\"//\") &&\n !redirect.includes(\"\\\\\")\n ) {\n return redirect;\n }\n return fallback;\n}\n","import { AlephaError, t } from \"alepha\";\nimport { SecurityError } from \"alepha/security\";\nimport { $route, BadRequestError } from \"alepha/server\";\nimport { $cookie } from \"alepha/server/cookies\";\nimport {\n authorizationCodeGrant,\n buildAuthorizationUrl,\n type Configuration,\n calculatePKCECodeChallenge,\n discovery,\n randomPKCECodeVerifier,\n randomState,\n} from \"openid-client\";\nimport { signAppleClientSecret } from \"../helpers/appleClientSecret.ts\";\nimport {\n type FederationProfile,\n signFederationAssertion,\n} from \"../helpers/federationAssertion.ts\";\nimport { safeRedirectPath } from \"../helpers/safeRedirectPath.ts\";\n\nexport interface FederationBrokerProviders {\n google?: { clientId: string; clientSecret: string };\n apple?: {\n serviceId: string;\n teamId: string;\n keyId: string;\n privateKeyPem: string;\n };\n}\n\nexport interface FederationBrokerOptions {\n /** Broker public origin, e.g. https://alepha.club — becomes the assertion `iss`. */\n issuer: string;\n /** EdDSA PKCS#8 PEM — signs assertions. */\n signingKeyPem: string;\n providers: FederationBrokerProviders;\n /** Validate the requested tenant and return its exact origin (or null to reject). 
*/\n resolveTenant: (tenant: string) => Promise<string | null>;\n assertionTtlSeconds?: number;\n}\n\nconst ISSUERS = {\n google: \"https://accounts.google.com\",\n apple: \"https://appleid.apple.com\",\n} as const;\n\nexport const $authFederationBroker = (options: FederationBrokerOptions) => {\n const callbackPath = \"/auth/federated/callback\";\n\n if (!options.signingKeyPem) {\n throw new AlephaError(\"$authFederationBroker requires signingKeyPem\");\n }\n\n // Per-flow cookie: carries the tenant + PKCE/state across the redirect.\n const flow = $cookie({\n name: \"federationFlow\",\n ttl: [15, \"minutes\"],\n httpOnly: true,\n encrypt: true,\n schema: t.object({\n provider: t.text(),\n tenantOrigin: t.text({ size: \"long\" }),\n redirectPath: t.text({ size: \"long\" }),\n codeVerifier: t.optional(t.text({ size: \"long\" })),\n state: t.optional(t.text()),\n nonce: t.optional(t.text()),\n }),\n });\n\n const callbackUri = `${options.issuer}${callbackPath}`;\n\n // Build an openid-client Configuration for a provider. Apple's client_secret\n // is signed fresh on every call (~5min) — no static secret, no rotation.\n const getConfig = async (\n provider: \"google\" | \"apple\",\n ): Promise<Configuration> => {\n if (provider === \"google\") {\n const g = options.providers.google;\n if (!g) {\n throw new SecurityError(\"google federation not configured\");\n }\n return discovery(new URL(ISSUERS.google), g.clientId, g.clientSecret);\n }\n const a = options.providers.apple;\n if (!a) {\n throw new SecurityError(\"apple federation not configured\");\n }\n const clientSecret = await signAppleClientSecret({\n privateKeyPem: a.privateKeyPem,\n teamId: a.teamId,\n serviceId: a.serviceId,\n keyId: a.keyId,\n });\n return discovery(new URL(ISSUERS.apple), a.serviceId, clientSecret);\n };\n\n const scopeFor = (provider: string) =>\n provider === \"apple\" ? 
\"name email\" : \"openid email profile\";\n\n const start = $route({\n path: \"/auth/federated/start\",\n schema: {\n query: t.object({\n provider: t.text(),\n tenant: t.text(),\n redirect: t.optional(t.text({ size: \"long\" })),\n }),\n },\n handler: async ({ query, reply, cookies }) => {\n if (query.provider !== \"google\" && query.provider !== \"apple\") {\n throw new BadRequestError(`Unsupported provider '${query.provider}'`);\n }\n const tenantOrigin = await options.resolveTenant(query.tenant);\n if (!tenantOrigin) {\n throw new BadRequestError(\"Unknown or inactive tenant\");\n }\n\n const config = await getConfig(query.provider);\n const codeVerifier = randomPKCECodeVerifier();\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n const parameters: Record<string, string> = {\n redirect_uri: callbackUri,\n scope: scopeFor(query.provider),\n code_challenge: codeChallenge,\n code_challenge_method: \"S256\",\n };\n // Apple needs response_mode=form_post when requesting name/email scopes.\n if (query.provider === \"apple\") {\n parameters.response_mode = \"form_post\";\n }\n\n const usePkce = config.serverMetadata().supportsPKCE();\n let state: string | undefined;\n let nonce: string | undefined;\n if (!usePkce) {\n state = randomState();\n nonce = randomState();\n parameters.state = state;\n parameters.nonce = nonce;\n delete parameters.code_challenge;\n delete parameters.code_challenge_method;\n }\n\n flow.set(\n {\n provider: query.provider,\n tenantOrigin,\n redirectPath: safeRedirectPath(query.redirect),\n codeVerifier: usePkce ? 
codeVerifier : undefined,\n state,\n nonce,\n },\n { cookies },\n );\n reply.redirect(buildAuthorizationUrl(config, parameters).toString(), 302);\n },\n });\n\n const handle = async (\n urlOrReq: URL | Request,\n cookies: any,\n reply: any,\n rawProfile?: Record<string, unknown>,\n ) => {\n const ctx = flow.get({ cookies });\n if (!ctx) {\n throw new BadRequestError(\"Missing federation flow\");\n }\n flow.del({ cookies });\n\n const provider = ctx.provider as \"google\" | \"apple\";\n\n let profile: FederationProfile;\n try {\n const config = await getConfig(provider);\n const tokens = await authorizationCodeGrant(config, urlOrReq, {\n pkceCodeVerifier: ctx.codeVerifier,\n expectedState: ctx.state,\n expectedNonce: ctx.nonce,\n });\n\n // Verified claims come from the id_token; merge Apple's one-time form_post name.\n const claims = (tokens.claims?.() ?? {}) as Record<string, unknown>;\n const merged = { ...rawProfile, ...claims } as Record<string, unknown>;\n profile = {\n provider,\n sub: String(merged.sub),\n email: merged.email as string | undefined,\n email_verified:\n typeof merged.email_verified === \"string\"\n ? merged.email_verified === \"true\"\n : (merged.email_verified as boolean | undefined),\n name: merged.name as string | undefined,\n given_name: merged.given_name as string | undefined,\n family_name: merged.family_name as string | undefined,\n picture: merged.picture as string | undefined,\n is_private_email:\n typeof merged.is_private_email === \"string\"\n ? 
merged.is_private_email === \"true\"\n : (merged.is_private_email as boolean | undefined),\n };\n } catch {\n // Upstream auth failed or the user denied consent — bounce back to the\n // tenant with an error rather than surfacing a raw 500.\n const fail = new URL(`${ctx.tenantOrigin}${ctx.redirectPath}`);\n fail.searchParams.set(\"error\", \"federation_failed\");\n reply.redirect(fail.toString(), 302);\n return;\n }\n\n const assertion = await signFederationAssertion(profile, {\n privateKeyPem: options.signingKeyPem,\n issuer: options.issuer,\n audience: ctx.tenantOrigin,\n ttlSeconds: options.assertionTtlSeconds,\n });\n\n const dest = new URL(`${ctx.tenantOrigin}/auth/federated/callback`);\n dest.searchParams.set(\"token\", assertion);\n dest.searchParams.set(\"redirect\", ctx.redirectPath);\n reply.redirect(dest.toString(), 302);\n };\n\n const callback = $route({\n path: callbackPath,\n handler: async ({ url, reply, cookies }) => handle(url, cookies, reply),\n });\n\n // Apple posts the result (form_post). 
Extract its one-time `user` (name/email)\n // before openid-client consumes the body.\n const callbackPost = $route({\n path: callbackPath,\n method: \"POST\",\n handler: async ({ reply, cookies, raw }) => {\n let rawProfile: Record<string, unknown> | undefined;\n let req: Request | URL = raw?.web?.req as Request;\n if (raw?.web?.req) {\n const cloned = raw.web.req.clone();\n req = raw.web.req;\n try {\n const form = await cloned.formData();\n const userField = form.get(\"user\");\n if (typeof userField === \"string\") {\n const parsed = JSON.parse(userField) as {\n name?: { firstName?: string; lastName?: string };\n email?: string;\n };\n rawProfile = {};\n if (parsed.name?.firstName) {\n rawProfile.given_name = parsed.name.firstName;\n }\n if (parsed.name?.lastName) {\n rawProfile.family_name = parsed.name.lastName;\n }\n if (parsed.name?.firstName || parsed.name?.lastName) {\n rawProfile.name = [parsed.name?.firstName, parsed.name?.lastName]\n .filter(Boolean)\n .join(\" \");\n }\n if (parsed.email) {\n rawProfile.email = parsed.email;\n }\n }\n } catch {\n // ignore — name is optional on repeat logins\n }\n }\n await handle(req, cookies, reply, rawProfile);\n },\n });\n\n return { start, callback, callbackPost };\n};\n","/**\n * Single-use guard for short-lived assertion `jti`s. Bounded + self-pruning so\n * it can't grow without limit in a long-lived process. Best-effort per-instance\n * (assertions are also `aud`-bound + ~60s TTL, so a cross-isolate replay window\n * is tiny); use a shared store if you need a hard cross-instance guarantee.\n */\nexport class JtiReplayGuard {\n protected readonly seen = new Map<string, number>(); // jti -> expiry epoch ms\n\n constructor(\n protected readonly ttlMs = 120_000,\n protected readonly maxEntries = 10_000,\n ) {}\n\n /** Records `jti` and returns true if fresh; false if already used (replay). 
*/\n check(jti: string, now: number = Date.now()): boolean {\n this.prune(now);\n if (this.seen.has(jti)) {\n return false;\n }\n this.seen.set(jti, now + this.ttlMs);\n return true;\n }\n\n protected prune(now: number): void {\n for (const [k, exp] of this.seen) {\n if (exp <= now) {\n this.seen.delete(k);\n }\n }\n // Hard cap: if still over budget after dropping expired, evict oldest-first\n // (Map preserves insertion order).\n while (this.seen.size >= this.maxEntries) {\n const oldest = this.seen.keys().next().value;\n if (oldest === undefined) {\n break;\n }\n this.seen.delete(oldest);\n }\n }\n}\n","import { $context, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport { $route, BadRequestError } from \"alepha/server\";\nimport {\n type VerifyAssertionOptions,\n verifyFederationAssertion,\n} from \"../helpers/federationAssertion.ts\";\nimport { JtiReplayGuard } from \"../helpers/jtiReplayGuard.ts\";\nimport { safeRedirectPath } from \"../helpers/safeRedirectPath.ts\";\nimport { ServerAuthProvider } from \"../providers/ServerAuthProvider.ts\";\nimport type { LinkAccountOptions, WithLinkFn } from \"./$auth.ts\";\n\nexport async function assertionToProfile(\n token: string,\n opts: VerifyAssertionOptions,\n): Promise<{ provider: string; jti: string; link: LinkAccountOptions }> {\n const { profile, jti } = await verifyFederationAssertion(token, opts);\n return {\n provider: profile.provider,\n jti,\n link: {\n access_token: \"\", // federated: no upstream token retained\n user: {\n sub: profile.sub,\n email: profile.email,\n email_verified: profile.email_verified,\n name: profile.name,\n given_name: profile.given_name,\n family_name: profile.family_name,\n picture: profile.picture,\n },\n },\n };\n}\n\nexport interface FederationClientOptions {\n realm: IssuerPrimitive & WithLinkFn;\n brokerUrl: string; // assertion issuer\n publicKeyPem: string;\n selfOrigin?: string; // optional override; otherwise derived from the request 
host\n}\n\nexport const $authFederationClient = (options: FederationClientOptions) => {\n const { alepha } = $context();\n const replay = new JtiReplayGuard(); // single-use, bounded (assertions ~60s)\n\n const callback = $route({\n path: \"/auth/federated/callback\",\n schema: {\n query: t.object({\n token: t.text({ size: \"rich\" }),\n redirect: t.optional(t.text({ size: \"long\" })),\n }),\n },\n handler: async ({ query, url, reply, cookies }) => {\n const serverAuth = alepha.inject(ServerAuthProvider);\n const audience = options.selfOrigin ?? `${url.protocol}//${url.host}`;\n try {\n const { provider, jti, link } = await assertionToProfile(query.token, {\n publicKeyPem: options.publicKeyPem,\n issuer: options.brokerUrl,\n audience,\n });\n if (!replay.check(jti)) {\n throw new BadRequestError(\"Assertion already used\");\n }\n if (!options.realm.link) {\n throw new BadRequestError(\"Realm has no link function\");\n }\n const user = await options.realm.link(provider)(link);\n await serverAuth.establishSession(\n user,\n options.realm,\n provider,\n cookies,\n );\n } catch {\n // Invalid / expired / replayed / tampered assertion (or a link\n // refusal, e.g. unverified email) is an expected failure mode — bounce\n // to login with an error rather than surfacing a raw 500.\n reply.redirect(\"/auth/login?error=federation_failed\", 302);\n return;\n }\n reply.redirect(safeRedirectPath(query.redirect), 302);\n },\n });\n\n return { callback };\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Creates an authentication provider primitive for France Connect.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via France Connect,\n * the French government's identity federation system. 
It provides verified\n * identity data (name, email, birthdate) sourced directly from government\n * databases.\n *\n * **France Connect-specific behaviour**:\n * - Scopes use individual claim names (`given_name`, `family_name`) rather\n * than the standard grouped `profile` scope.\n * - The `acr_values=eidas1` authorization parameter is mandatory and is\n * included automatically.\n * - Logout is mandatory in France Connect integrations. Store the `id_token`\n * returned at login and pass it to the logout endpoint when the session ends.\n *\n * **Environment Variables** (obtain from partenaires.franceconnect.gouv.fr):\n * - `FRANCECONNECT_CLIENT_ID` — OAuth 2.0 client ID for your France Connect service provider.\n * - `FRANCECONNECT_CLIENT_SECRET` — OAuth 2.0 client secret for your France Connect service provider.\n *\n * @example\n * ```ts\n * class AuthProviders {\n * franceconnect = $authFranceConnect(this.userRealm);\n * }\n * ```\n */\nexport const $authFranceConnect = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n FRANCECONNECT_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client ID for your France Connect service provider, obtained from partenaires.franceconnect.gouv.fr.\",\n }),\n ),\n FRANCECONNECT_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client secret for your France Connect service provider, obtained from partenaires.franceconnect.gouv.fr.\",\n }),\n ),\n }),\n );\n\n const disabled =\n !env.FRANCECONNECT_CLIENT_ID || !env.FRANCECONNECT_CLIENT_SECRET;\n\n const name = \"franceconnect\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n /**\n * France Connect production OIDC issuer.\n * Discovery: https://oidc.franceconnect.gouv.fr/api/v2/.well-known/openid-configuration\n *\n * Note: `oidc.franceconnect.gouv.fr` is standard FranceConnect (eidas1).\n * `auth.franceconnect.gouv.fr` is FranceConnect+ (eidas2/eidas3).\n */\n issuer: \"https://oidc.franceconnect.gouv.fr/api/v2\",\n clientId: env.FRANCECONNECT_CLIENT_ID!,\n clientSecret: env.FRANCECONNECT_CLIENT_SECRET,\n /**\n * France Connect requires individual claim names as scopes.\n * The standard grouped `profile` scope is NOT supported.\n */\n scope: \"openid given_name family_name email\",\n /**\n * `acr_values=eidas1` is mandatory for all France Connect integrations.\n */\n ...options,\n authorizationParameters: {\n acr_values: \"eidas1\",\n ...options.authorizationParameters,\n },\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport type { OAuth2Profile } from \"../providers/ServerAuthProvider.ts\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured GitHub authentication primitive.\n *\n * Uses OAuth2 to authenticate users via their GitHub accounts.\n * Upon successful authentication, it links the GitHub account to a user session.\n *\n * Environment Variables:\n * - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.\n * - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.\n */\nexport const $authGithub = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n 
GITHUB_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth App client ID obtained from GitHub Developer Settings.\",\n }),\n ),\n GITHUB_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth App client secret obtained from GitHub Developer Settings.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET;\n\n const name = \"github\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oauth: {\n clientId: env.GITHUB_CLIENT_ID!,\n clientSecret: env.GITHUB_CLIENT_SECRET!,\n authorization: \"https://github.com/login/oauth/authorize\",\n token: \"https://github.com/login/oauth/access_token\",\n scope: \"read:user user:email\",\n userinfo: async (tokens) => {\n const BASE_URL = \"https://api.github.com\";\n const headers = {\n Authorization: `Bearer ${tokens.access_token}`,\n \"User-Agent\": \"Alepha\",\n };\n const res = await fetch(`${BASE_URL}/user`, { headers }).then((res) =>\n res.json(),\n );\n\n const user: OAuth2Profile = {\n sub: res.id.toString(),\n };\n\n if (res.email) {\n user.email = res.email;\n }\n\n if (res.name) {\n user.name = res.name.trim();\n }\n\n if (res.avatar_url) {\n user.picture = res.avatar_url;\n }\n\n // `/user` omits the email if the user's public profile hides it, and\n // never exposes `verified`. Fetch `/user/emails` to fill in both.\n const emailsRes = await fetch(`${BASE_URL}/user/emails`, { headers });\n if (emailsRes.ok) {\n const emails: Array<{\n email: string;\n primary: boolean;\n verified: boolean;\n }> = await emailsRes.json();\n if (!user.email) {\n user.email = (emails.find((e) => e.primary) ?? emails[0])?.email;\n }\n if (user.email) {\n user.email_verified =\n emails.find((e) => e.email === user.email)?.verified ?? 
false;\n }\n }\n\n return user;\n },\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Google authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.\n * Upon successful authentication, it links the Google account to a user session.\n *\n * Environment Variables:\n * - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.\n * - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.\n */\nexport const $authGoogle = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n GOOGLE_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client ID obtained from the Google Developer Console.\",\n }),\n ),\n GOOGLE_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The OAuth 2.0 client secret obtained from the Google Developer Console.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.GOOGLE_CLIENT_ID || !env.GOOGLE_CLIENT_SECRET;\n\n const name = \"google\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? 
realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: \"https://accounts.google.com\",\n clientId: env.GOOGLE_CLIENT_ID!,\n clientSecret: env.GOOGLE_CLIENT_SECRET,\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $context, AlephaError, t } from \"alepha\";\nimport type { IssuerPrimitive } from \"alepha/security\";\nimport {\n $auth,\n type LinkAccountFn,\n type OidcOptions,\n type WithLinkFn,\n} from \"./$auth.ts\";\n\n/**\n * Already configured Microsoft Entra ID (Azure AD) authentication primitive.\n *\n * Uses OpenID Connect (OIDC) to authenticate users via their Microsoft accounts.\n * Supports personal Microsoft accounts, work/school (Azure AD) accounts, and\n * multi-tenant applications.\n *\n * The tenant ID defaults to `\"common\"`, which allows all Microsoft account types\n * (personal, work, school). To restrict to a specific Azure AD tenant, set\n * `MICROSOFT_TENANT_ID` to your tenant's GUID or domain.\n *\n * **Note on multi-tenant issuer validation**: Microsoft's OIDC discovery document\n * for the `common` endpoint returns `{tenantid}` as a literal placeholder in the\n * `issuer` field. This is expected behavior for multi-tenant endpoints. The\n * openid-client library handles this during token validation automatically.\n *\n * Environment Variables:\n * - `MICROSOFT_CLIENT_ID`: The application (client) ID from the Azure Portal.\n * - `MICROSOFT_CLIENT_SECRET`: The client secret value from the Azure Portal.\n * - `MICROSOFT_TENANT_ID`: (Optional) Azure AD tenant ID or `\"common\"` for\n * multi-tenant. 
Defaults to `\"common\"`.\n */\nexport const $authMicrosoft = (\n realm: IssuerPrimitive & WithLinkFn,\n options: Partial<OidcOptions> = {},\n) => {\n const { alepha } = $context();\n\n const env = alepha.parseEnv(\n t.object({\n MICROSOFT_CLIENT_ID: t.optional(\n t.text({\n description:\n \"The application (client) ID obtained from the Azure Portal.\",\n }),\n ),\n MICROSOFT_CLIENT_SECRET: t.optional(\n t.text({\n description:\n \"The client secret value obtained from the Azure Portal.\",\n }),\n ),\n MICROSOFT_TENANT_ID: t.optional(\n t.text({\n description:\n \"The Azure AD tenant ID or 'common' for multi-tenant. Defaults to 'common'.\",\n }),\n ),\n }),\n );\n\n const disabled = !env.MICROSOFT_CLIENT_ID || !env.MICROSOFT_CLIENT_SECRET;\n\n const tenantId = env.MICROSOFT_TENANT_ID ?? \"common\";\n\n const name = \"microsoft\";\n\n const account: LinkAccountFn | undefined =\n options.account ?? (realm.link ? realm.link(name) : undefined);\n\n if (!account) {\n throw new AlephaError(\n \"Authentication requires a link function in the realm primitive.\",\n );\n }\n\n return $auth({\n issuer: realm,\n name,\n oidc: {\n issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,\n clientId: env.MICROSOFT_CLIENT_ID!,\n clientSecret: env.MICROSOFT_CLIENT_SECRET,\n ...options,\n account,\n },\n disabled,\n });\n};\n","import { $module } from \"alepha\";\nimport { AlephaServerCookies } from \"alepha/server/cookies\";\nimport { $auth } from \"./primitives/$auth.ts\";\nimport { ServerAuthProvider } from \"./providers/ServerAuthProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./helpers/appleClientSecret.ts\";\nexport * from \"./helpers/federationAssertion.ts\";\nexport * from \"./index.shared.ts\";\nexport * from \"./primitives/$auth.ts\";\nexport * from \"./primitives/$authApple.ts\";\nexport * from \"./primitives/$authCredentials.ts\";\nexport * from 
\"./primitives/$authFacebook.ts\";\nexport * from \"./primitives/$authFederationBroker.ts\";\nexport * from \"./primitives/$authFederationClient.ts\";\nexport * from \"./primitives/$authFranceConnect.ts\";\nexport * from \"./primitives/$authGithub.ts\";\nexport * from \"./primitives/$authGoogle.ts\";\nexport * from \"./primitives/$authMicrosoft.ts\";\nexport * from \"./providers/ServerAuthProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * OAuth2/OIDC authentication with social login providers.\n *\n * **Features:**\n * - OAuth authentication provider\n * - Username/password authentication\n * - Google OAuth integration\n * - GitHub OAuth integration\n * - Apple OAuth integration\n * - Facebook OAuth integration\n * - Microsoft Entra ID (Azure AD) integration\n * - France Connect integration\n * - Cookie-based, SSR-friendly authentication\n * - Token management and refresh\n *\n * @module alepha.server.auth\n */\nexport const AlephaServerAuth = $module({\n name: \"alepha.server.auth\",\n primitives: [$auth],\n services: [AlephaServerCookies, 
ServerAuthProvider],\n});\n"],"x_google_ignoreList":[0,1,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31],"mappings":";;;;;;;;AAAA,IAAIA;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,cAAc,GAGrF,eAAa;AAEjB,SAAS,gBAAgB,OAAO,UAAU;CACtC,IAAI,SAAS,MACT,OAAO;CAEX,IAAI;EACA,OAAQ,iBAAiB,YACrB,OAAO,eAAe,KAAK,EAAE,OAAO,iBAAiB,SAAS,UAAU,OAAO;CACvF,QACM;EACF,OAAO;CACX;AACJ;AACA,MAAMC,0BAAwB;AAC9B,MAAMC,yBAAuB;AAC7B,SAASC,iBAAe,SAAS,MAAM,OAAO;CAC1C,MAAM,MAAM,IAAI,UAAU,SAAS,EAAE,MAAM,CAAC;CAC5C,OAAO,OAAO,KAAK,EAAE,KAAK,CAAC;CAC3B,OAAO;AACX;AACA,MAAaC,0BAAwB,OAAO;AAC5C,MAAa,YAAY,OAAO;AAChC,MAAa,iBAAiB,OAAO;AACrC,MAAaC,gBAAc,OAAO;AAElC,MAAa,aAAa,OAAO;AAEjC,MAAMC,YAAU,IAAI,YAAY;AAChC,MAAMC,YAAU,IAAI,YAAY;AAChC,SAAS,IAAI,OAAO;CAChB,IAAI,OAAO,UAAU,UACjB,OAAOD,UAAQ,OAAO,KAAK;CAE/B,OAAOC,UAAQ,OAAO,KAAK;AAC/B;AACA,IAAI;AACJ,IAAI,WAAW,UAAU,UACrB,mBAAmB,UAAU;CACzB,IAAI,iBAAiB,aACjB,QAAQ,IAAI,WAAW,KAAK;CAEhC,OAAO,MAAM,SAAS;EAAE,UAAU;EAAa,aAAa;CAAK,CAAC;AACtE;KAEC;CACD,MAAM,aAAa;CACnB,mBAAmB,UAAU;EACzB,IAAI,iBAAiB,aACjB,QAAQ,IAAI,WAAW,KAAK;EAEhC,MAAM,MAAM,CAAC;EACb,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK,YACvC,IAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,CAAC;EAE/E,OAAO,KAAK,IAAI,KAAK,EAAE,CAAC,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;CACtF;AACJ;AACA,IAAI;AACJ,IAAI,WAAW,YACX,mBAAmB,UAAU;CACzB,IAAI;EACA,OAAO,WAAW,WAAW,OAAO,EAAE,UAAU,YAAY,CAAC;CACjE,SACO,OAAO;EACV,MAAMJ,iBAAe,qDAAqDF,yBAAuB,KAAK;CAC1G;AACJ;KAGA,mBAAmB,UAAU;CACzB,IAAI;EACA,MAAM,SAAS,KAAK,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,EAAE,CAAC;EAClF,MAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;EAC1C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAC/B,MAAM,KAAK,OAAO,WAAW,CAAC;EAElC,OAAO;CACX,SACO,OAAO;EACV,MAAME,iBAAe,qDAAqDF,yBAAuB,KAAK;CAC1G;AACJ;AAEJ,SAAS,KAAK,OAAO;CACjB,IAAI,OAAO,UAAU,UACjB,OAAO,gBAAgB,KAAK;CAEhC,OAAO,gBAAgB,KAAK;AAChC;AACA,IAAa,4BAAb,cAA+C,MAAM;CACjD;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;A
ACJ;AACA,IAAa,2BAAb,cAA8C,MAAM;CAChD;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,IAAI,SAAS,MACT,KAAK,OAAO,SAAS;EAEzB,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AACA,SAAS,IAAI,SAAS,MAAM,OAAO;CAC/B,OAAO,IAAI,yBAAyB,SAAS;EAAE;EAAM;CAAM,CAAC;AAChE;AA0DA,SAAS,aAAa,OAAO;CACzB,IAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAClE,OAAO;CAEX,OAAO;AACX;AACA,SAAS,eAAe,OAAO;CAC3B,IAAI,gBAAgB,OAAO,OAAO,GAC9B,QAAQ,OAAO,YAAY,MAAM,QAAQ,CAAC;CAE9C,MAAM,UAAU,IAAI,QAAQ,SAAS,CAAC,CAAC;CACvC,IAAID,gBAAc,CAAC,QAAQ,IAAI,YAAY,GACvC,QAAQ,IAAI,cAAcA,YAAU;CAExC,IAAI,QAAQ,IAAI,eAAe,GAC3B,MAAMG,iBAAe,0EAAsEF,uBAAqB;CAEpH,OAAO;AACX;AACA,SAASO,SAAO,KAAK,OAAO;CACxB,IAAI,UAAU,KAAA,GAAW;EACrB,IAAI,OAAO,UAAU,YACjB,QAAQ,MAAM,IAAI,IAAI;EAE1B,IAAI,EAAE,iBAAiB,cACnB,MAAML,iBAAe,mEAAiED,sBAAoB;EAE9G,OAAO;CACX;AAEJ;AACA,SAAS,mBAAmB,UAAU;CAClC,IAAI,SAAS,SAAS,IAAI,GACtB,OAAO,SAAS,QAAQ,MAAM,GAAG;CAErC,OAAO;AACX;AACA,SAAS,iBAAiB,KAAK,WAAW,wBAAwB,OAAO;CACrE,IAAI,IAAI,aAAa,KACjB,IAAI,WAAW;MAGf,IAAI,WAAW,mBAAmB,GAAG,UAAU,GAAG,wBAAwB,IAAI,WAAW,IAAI,SAAS,QAAQ,SAAS,EAAE,GAAG;CAEhI,OAAO;AACX;AACA,SAAS,gBAAgB,KAAK,WAAW;CACrC,IAAI,WAAW,mBAAmB,GAAG,IAAI,SAAS,GAAG,WAAW;CAChE,OAAO;AACX;AACA,eAAeO,mBAAiB,OAAO,SAAS,WAAW,SAAS;CAChE,IAAI,EAAE,iBAAiB,MACnB,MAAMN,iBAAe,IAAI,QAAQ,+BAA+BD,sBAAoB;CAExF,cAAc,OAAO,UAAUE,6BAA2B,IAAI;CAC9D,MAAM,MAAM,UAAU,IAAI,IAAI,MAAM,IAAI,CAAC;CACzC,MAAM,UAAU,eAAe,SAAS,OAAO;CAC/C,QAAQ,IAAI,UAAU,kBAAkB;CACxC,QAAQ,UAAUC,kBAAgB,OAAO,IAAI,MAAM;EAC/C,MAAM,KAAA;EACN,SAAS,OAAO,YAAY,QAAQ,QAAQ,CAAC;EAC7C,QAAQ;EACR,UAAU;EACV,QAAQG,SAAO,KAAK,SAAS,MAAM;CACvC,CAAC;AACL;AACA,eAAsB,iBAAiB,kBAAkB,SAAS;CAC9D,OAAOC,mBAAiB,kBAAkB,qBAAqB,QAAQ;EACnE,QAAQ,SAAS,WAAjB;GACI,KAAK,KAAA;GACL,KAAK;IACD,gBAAgB,KAAK,kCAAkC;IACvD;GACJ,KAAK;IACD,iBAAiB,KAAK,wCAAwC;IAC9D;GACJ,SACI,MAAMN,iBAAe,mEAA6DF,uBAAqB;EAC/G;EACA,OAAO;CACX,GAAG,OAAO;AACd;AACA,SAAS,aAAa,OAAO,QAAQ,IAAI,MAAM,OAAO;CAClD,IAAI;EACA,IAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,KAAK,GACnD,MAAME,iBAAe,GAAG,GAAG,oBAAoBD,wBAAsB,KAAK;EAE9E,IAAI,QAAQ,GACR;EACJ,IA
AI,QAAQ;GACR,IAAI,UAAU,GACV,MAAMC,iBAAe,GAAG,GAAG,iCAAiCF,yBAAuB,KAAK;GAE5F;EACJ;EACA,MAAME,iBAAe,GAAG,GAAG,6BAA6BF,yBAAuB,KAAK;CACxF,SACO,KAAK;EACR,IAAI,MACA,MAAM,IAAI,IAAI,SAAS,MAAM,KAAK;EAEtC,MAAM;CACV;AACJ;AACA,SAASS,eAAa,OAAO,IAAI,MAAM,OAAO;CAC1C,IAAI;EACA,IAAI,OAAO,UAAU,UACjB,MAAMP,iBAAe,GAAG,GAAG,oBAAoBD,wBAAsB,KAAK;EAE9E,IAAI,MAAM,WAAW,GACjB,MAAMC,iBAAe,GAAG,GAAG,qBAAqBF,yBAAuB,KAAK;CAEpF,SACO,KAAK;EACR,IAAI,MACA,MAAM,IAAI,IAAI,SAAS,MAAM,KAAK;EAEtC,MAAM;CACV;AACJ;AACA,eAAsB,yBAAyB,0BAA0B,UAAU;CAC/E,MAAM,WAAW;CACjB,IAAI,EAAE,oBAAoB,QAAQ,aAAa,mBAC3C,MAAME,iBAAe,2DAAyDD,sBAAoB;CAEtG,IAAI,CAAC,gBAAgB,UAAU,QAAQ,GACnC,MAAMC,iBAAe,gDAA8CD,sBAAoB;CAE3F,IAAI,SAAS,WAAW,KACpB,MAAM,IAAI,sGAAoG,yBAAyB,QAAQ;CAEnJ,uBAAuB,QAAQ;CAC/B,MAAM,OAAO,MAAM,oBAAoB,QAAQ;CAC/C,eAAa,KAAK,QAAQ,yCAAqC,kBAAkB,EAAE,MAAM,KAAK,CAAC;CAC/F,IAAI,aAAa,qBAAqB,IAAI,IAAI,KAAK,MAAM,EAAE,SAAS,SAAS,MACzE,MAAM,IAAI,2EAAuE,2BAA2B;EAAE,UAAU,SAAS;EAAM,MAAM;EAAM,WAAW;CAAS,CAAC;CAE5K,OAAO;AACX;AACA,SAAS,sBAAsB,UAAU;CACrC,kBAAkB,UAAU,kBAAkB;AAClD;AACA,SAAS,QAAQ,UAAU,GAAG,OAAO;CACjC,IAAI,MAAM;CACV,IAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,IAAI;EACvB,OAAO,GAAG,MAAM,KAAK,IAAI,EAAE,OAAO;CACtC,OACK,IAAI,MAAM,WAAW,GACtB,OAAO,GAAG,MAAM,GAAG,MAAM,MAAM;MAG/B,OAAO,MAAM;CAEjB,OAAO,IAAI,KAAK,sBAAsB,QAAQ;AAClD;AAMA,SAAS,kBAAkB,UAAU,aAAa;CAC9C,IAAI,eAAe,QAAQ,MAAM,aAC7B,MAAM,QAAQ,UAAU,WAAW;AAE3C;AACA,SAAS,cAAc;CACnB,OAAO,KAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC1D;AACA,SAAgB,6BAA6B;CACzC,OAAO,YAAY;AACvB;AACA,SAAgB,sBAAsB;CAClC,OAAO,YAAY;AACvB;AAIA,eAAsBS,6BAA2B,cAAc;CAC3D,eAAa,cAAc,cAAc;CACzC,OAAO,KAAK,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI,YAAY,CAAC,CAAC;AACxE;AA2EA,SAAS,aAAa,QAAQ;CAC1B,MAAM,OAAO,SAAS;CACtB,OAAO,OAAO,SAAS,YAAY,OAAO,SAAS,IAAI,IAAI,OAAO;AACtE;AACA,SAAS,kBAAkB,QAAQ;CAC/B,MAAM,YAAY,SAAS;CAC3B,OAAO,OAAO,cAAc,YAAY,OAAO,SAAS,SAAS,KAAK,KAAK,KAAK,SAAS,MAAM,KACzF,YACA;AACV;AACA,SAAS,YAAY;CACjB,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACvC;AACA,SAAS,SAAS,IAAI;CAClB,IAAI,OAAO,OAAO,YAAY,OAAO,MACjC,MAAMR,iBAAe,4BAA0BD,sBAAoB;CAEvE
,eAAa,GAAG,QAAQ,eAAa;AACzC;AACA,SAAS,aAAa,QAAQ;CAC1B,IAAI,OAAO,WAAW,YAAY,WAAW,MACzC,MAAMC,iBAAe,gCAA8BD,sBAAoB;CAE3E,eAAa,OAAO,WAAW,sBAAoB;AACvD;AAqBA,SAAgBU,mBAAiB,cAAc;CAC3C,eAAa,cAAc,kBAAgB;CAC3C,QAAQ,KAAK,QAAQ,MAAM,aAAa;EACpC,KAAK,IAAI,aAAa,OAAO,SAAS;EACtC,KAAK,IAAI,iBAAiB,YAAY;CAC1C;AACJ;AAkDA,SAAgBC,SAAO;CACnB,QAAQ,KAAK,QAAQ,MAAM,aAAa;EACpC,KAAK,IAAI,aAAa,OAAO,SAAS;CAC1C;AACJ;AA2FA,MAAM,WAAW,IAAI,SAEZ,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,KACnC,KAAK,SAAS;CACb,IAAI;EACA,OAAO,IAAI,IAAI,KAAK,IAAI;CAC5B,QACM;EACF,OAAO;CACX;AACJ;AACJ,SAAgB,cAAc,KAAK,cAAc;CAC7C,IAAI,gBAAgB,IAAI,aAAa,UACjC,MAAM,IAAI,sCAAsC,wBAAwB,GAAG;CAE/E,IAAI,IAAI,aAAa,YAAY,IAAI,aAAa,SAC9C,MAAM,IAAI,4CAA4C,4BAA4B,GAAG;AAE7F;AACA,SAAS,iBAAiB,OAAO,UAAU,cAAc,cAAc;CACnE,IAAI;CACJ,IAAI,OAAO,UAAU,YAAY,EAAE,MAAM,SAAS,KAAK,IACnD,MAAM,IAAI,0DAA0D,eAAe,6BAA6B,SAAS,KAAK,OAAO,SAAS,MAAM,UAAU,KAAA,IAAY,0BAA0B,yBAAyB,EAAE,WAAW,eAAe,yBAAyB,aAAa,SAAS,CAAC;CAE7S,cAAc,KAAK,YAAY;CAC/B,OAAO;AACX;AACA,SAAgB,gBAAgB,IAAI,UAAU,cAAc,cAAc;CACtE,IAAI,gBAAgB,GAAG,yBAAyB,YAAY,GAAG,uBAC3D,OAAO,iBAAiB,GAAG,sBAAsB,WAAW,UAAU,cAAc,YAAY;CAEpG,OAAO,iBAAiB,GAAG,WAAW,UAAU,cAAc,YAAY;AAC9E;AA6FA,SAAgB,iBAAiB,KAAK;CAClC,IAAI,eAAe,+BAA+B;EAC9C,MAAM,EAAE,GAAG,WAAW,WAAW,IAAI;EACrC,OAAQ,WAAW,KAAK,UAAU,WAAW,UAAU,UAAU,WAAW,UAAU;CAC1F;CACA,IAAI,eAAe,mBACf,OAAO,IAAI,UAAU;CAEzB,OAAO;AACX;AAIA,IAAa,oBAAb,cAAuC,MAAM;CACzC;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,QAAQ,QAAQ,MAAM;EAC3B,KAAK,SAAS,QAAQ,SAAS;EAC/B,KAAK,oBAAoB,QAAQ,MAAM;EACvC,OAAO,eAAe,MAAM,YAAY;GAAE,YAAY;GAAO,OAAO,QAAQ;EAAS,CAAC;EACtF,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AACA,IAAa,6BAAb,cAAgD,MAAM;CAClD;CACA;CACA;CACA;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,QAAQ,QAAQ,MAAM,IAAI,OAAO;EACtC,KAAK,oBAAoB,QAAQ,MAAM,IAAI,mBAAmB,KAAK,KAAA;EACnE,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AACA,IAAa,gCAAb,cAAmD,MAAM;CACrD;CACA;CACA;CACA;CACA,
YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO;EACZ,KAAK,QAAQ,QAAQ;EACrB,KAAK,SAAS,QAAQ,SAAS;EAC/B,KAAK,WAAW,QAAQ;EACxB,OAAO,eAAe,MAAM,YAAY,EAAE,YAAY,MAAM,CAAC;EAC7D,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AAMA,MAAM,2BAAW,IAAI,OAAO,qDAA8B;AAC1D,MAAM,gCAAgB,IAAI,OAAO,0GAA+C;AAChF,MAAM,kCAAkB,IAAI,OAAO,oHAAyC;AAC5E,MAAM,iCAAiB,IAAI,OAAO,uDAAyC;AAC3E,SAAS,+BAA+B,UAAU;CAC9C,IAAI,CAAC,gBAAgB,UAAU,QAAQ,GACnC,MAAMV,iBAAe,gDAA8CD,sBAAoB;CAE3F,MAAM,SAAS,SAAS,QAAQ,IAAI,kBAAkB;CACtD,IAAI,WAAW,MACX;CAEJ,MAAM,aAAa,CAAC;CACpB,IAAI,OAAO;CACX,OAAO,MAAM;EACT,IAAI,QAAQ,KAAK,MAAM,QAAQ;EAC/B,MAAM,SAAS,QAAQ,KAAK,YAAY;EACxC,IAAI,CAAC,QACD;EAEJ,MAAM,cAAc,KAAK,UAAU,MAAM,GAAG,MAAM;EAClD,IAAI,eAAe,CAAC,YAAY,MAAM,QAAQ,GAC1C;EAEJ,MAAM,aAAa,YAAY,MAAM,WAAW;EAChD,MAAM,gBAAgB,CAAC,CAAC;EACxB,OAAO,aAAa,WAAW,KAAK,KAAA;EACpC,MAAM,aAAa,CAAC;EACpB,IAAI;EACJ,IAAI,eACA,OAAO,MAAM;GACT,IAAI;GACJ,IAAI;GACJ,IAAK,QAAQ,KAAK,MAAM,aAAa,GAAI;IAErC,GAAG,KAAK,OAAO,QAAQ;IACvB,IAAI,MAAM,SAAS,IAAI,GACnB,IAAI;KACA,QAAQ,KAAK,MAAM,IAAI,MAAM,EAAE;IACnC,QACM,CAAE;IAEZ,WAAW,IAAI,YAAY,KAAK;IAChC;GACJ;GACA,IAAK,QAAQ,KAAK,MAAM,eAAe,GAAI;IAEvC,GAAG,KAAK,OAAO,QAAQ;IACvB,WAAW,IAAI,YAAY,KAAK;IAChC;GACJ;GACA,IAAK,QAAQ,KAAK,MAAM,cAAc,GAAI;IACtC,IAAI,OAAO,KAAK,UAAU,EAAE,QACxB;IAGJ,GAAG,SAAS,QAAQ;IACpB;GACJ;GACA;EACJ;OAGA,OAAO,eAAe,KAAA;EAE1B,MAAM,YAAY;GAAE;GAAQ;EAAW;EACvC,IAAI,SACA,UAAU,UAAU;EAExB,WAAW,KAAK,SAAS;CAC7B;CACA,IAAI,CAAC,WAAW,QACZ;CAEJ,OAAO;AACX;AAoBA,eAAe,4BAA4B,UAAU;CACjD,IAAI,SAAS,SAAS,OAAO,SAAS,SAAS,KAAK;EAChD,uBAAuB,QAAQ;EAC/B,sBAAsB,QAAQ;EAC9B,IAAI;GACA,MAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;GACzC,IAAI,aAAa,IAAI,KAAK,OAAO,KAAK,UAAU,YAAY,KAAK,MAAM,QACnE,OAAO;EAEf,QACM,CAAE;CACZ;AAEJ;AACA,eAAe,oBAAoB,UAAU,UAAU,OAAO;CAC1D,IAAI,SAAS,WAAW,UAAU;EAC9B,8BAA8B,QAAQ;EACtC,IAAI;EACJ,IAAK,MAAM,MAAM,4BAA4B,QAAQ,GAAI;GACrD,MAAM,SAAS,MAAM,OAAO;GAC5B,MAAM,IAAI,kBAAkB,uDAAuD;IAC/E,OAAO;IACP;GACJ,CAAC;EACL;EACA,MAAM,IAAI,+BAA+B,MAAM,0CAA0C,yBAAyB,QAAQ;CAC9H;AACJ;AACA,SAAS,WAAW,QAAQ;CACxB,IAAI,CAAC,QAAQ,IAAI,M
AAM,GACnB,MAAMC,iBAAe,8CAA4CF,uBAAqB;AAE9F;AA+JA,SAAgB,eAAe,OAAO;CAClC,OAAO,MAAM,QAAQ,IAAI,cAAc,GAAG,MAAM,GAAG,EAAE;AACzD;AA0CA,eAAe,qBAAqB,IAAI,QAAQ,sBAAsB,KAAK,MAAM,SAAS,SAAS;CAC/F,MAAM,qBAAqB,IAAI,QAAQ,MAAM,OAAO;CACpD,QAAQ,IAAI,gBAAgB,iDAAiD;CAC7E,QAAQ,UAAUI,kBAAgB,OAAO,IAAI,MAAM;EAC/C;EACA,SAAS,OAAO,YAAY,QAAQ,QAAQ,CAAC;EAC7C,QAAQ;EACR,UAAU;EACV,QAAQG,SAAO,KAAK,SAAS,MAAM;CACvC,CAAC;AACL;AACA,eAAe,qBAAqB,IAAI,QAAQ,sBAAsB,WAAW,YAAY,SAAS;CAClG,MAAM,MAAM,gBAAgB,IAAI,kBAAkB,OAAO,2BAA2B,UAAUJ,6BAA2B,IAAI;CAC7H,WAAW,IAAI,cAAc,SAAS;CACtC,MAAM,UAAU,eAAe,SAAS,OAAO;CAC/C,QAAQ,IAAI,UAAU,kBAAkB;CACxC,IAAI,SAAS,SAAS,KAAA,GAAW;EAC7B,WAAW,QAAQ,IAAI;EACvB,MAAM,QAAQ,KAAK,SAAS,KAAK,SAAS,MAAM;CACpD;CACA,MAAM,WAAW,MAAM,qBAAqB,IAAI,QAAQ,sBAAsB,KAAK,YAAY,SAAS,OAAO;CAC/G,SAAS,MAAM,WAAW,UAAU,GAAG;CACvC,OAAO;AACX;AACA,eAAsB,yBAAyB,IAAI,QAAQ,sBAAsB,cAAc,SAAS;CACpG,SAAS,EAAE;CACX,aAAa,MAAM;CACnB,eAAa,cAAc,kBAAgB;CAC3C,MAAM,aAAa,IAAI,gBAAgB,SAAS,oBAAoB;CACpE,WAAW,IAAI,iBAAiB,YAAY;CAC5C,OAAO,qBAAqB,IAAI,QAAQ,sBAAsB,iBAAiB,YAAY,OAAO;AACtG;AACA,MAAM,gCAAgB,IAAI,QAAQ;AAClC,MAAM,0BAAU,IAAI,QAAQ;AAC5B,SAAgB,0BAA0B,KAAK;CAC3C,IAAI,CAAC,IAAI,UACL;CAEJ,MAAM,SAAS,cAAc,IAAI,GAAG;CACpC,IAAI,CAAC,QACD,MAAMD,iBAAe,oFAAkFF,uBAAqB;CAEhI,OAAO;AACX;AAeA,eAAe,kCAAkC,IAAI,QAAQ,UAAU,iCAAiC,WAAW,sBAAsB;CACrI,SAAS,EAAE;CACX,aAAa,MAAM;CACnB,IAAI,CAAC,gBAAgB,UAAU,QAAQ,GACnC,MAAME,iBAAe,gDAA8CD,sBAAoB;CAE3F,MAAM,oBAAoB,UAAU,KAAK,gBAAgB;CACzD,uBAAuB,QAAQ;CAC/B,MAAM,OAAO,MAAM,oBAAoB,QAAQ;CAC/C,eAAa,KAAK,cAAc,+CAA2C,kBAAkB,EACzF,MAAM,KACV,CAAC;CACD,eAAa,KAAK,YAAY,6CAAyC,kBAAkB,EACrF,MAAM,KACV,CAAC;CACD,KAAK,aAAa,KAAK,WAAW,YAAY;CAC9C,IAAI,KAAK,eAAe,KAAA,GAAW;EAC/B,IAAI,YAAY,OAAO,KAAK,eAAe,WAAW,WAAW,KAAK,UAAU,IAAI,KAAK;EACzF,aAAa,WAAW,MAAM,6CAAyC,kBAAkB,EACrF,MAAM,KACV,CAAC;EACD,KAAK,aAAa;CACtB;CACA,IAAI,KAAK,kBAAkB,KAAA,GACvB,eAAa,KAAK,eAAe,gDAA4C,kBAAkB,EAC3F,MAAM,KACV,CAAC;CAEL,IAAI,KAAK,UAAU,KAAA,KAAa,OAAO,KAAK,UAAU,UAClD,MAAM,IAAI,yDAAqD,kBAAkB,EAAE,MAAM,KAAK,CAAC;CAEnG,IAAI,KAAK,aAAa,KAAA,GAAW;EAC7B,eAAa,KAAK,UAAU,2
CAAuC,kBAAkB,EACjF,MAAM,KACV,CAAC;EACD,MAAM,iBAAiB;GAAC;GAAO;GAAO;GAAO;GAAO;EAAK;EACzD,IAAI,OAAO,sBAAsB,MAC7B,eAAe,KAAK,WAAW;EAEnC,IAAI,OAAO,oBAAoB,KAAA,GAAW;GACtC,aAAa,OAAO,iBAAiB,MAAM,4BAA0B;GACrE,eAAe,KAAK,WAAW;EACnC;EACA,IAAI,iCAAiC,QACjC,eAAe,KAAK,GAAG,+BAA+B;EAE1D,MAAM,EAAE,QAAQ,QAAQ,MAAM,YAAY,KAAK,UAAU,sBAAsB,KAAK,KAAA,GAAW,OAAO,8BAA8B,GAAG,uCAAuC,OAAO,GAAG,aAAa,MAAM,GAAG,kBAAkB,MAAM,GAAG,SAAS,EAC7O,KAAK,iBAAiB,KAAK,KAAA,GAAW,cAAc,CAAC,EACrD,KAAK,eAAe,KAAK,KAAA,GAAW,EAAE,CAAC,EACvC,KAAK,iBAAiB,KAAK,KAAA,GAAW,OAAO,SAAS,CAAC;EAC5D,IAAI,MAAM,QAAQ,OAAO,GAAG,KAAK,OAAO,IAAI,WAAW,GAAG;GACtD,IAAI,OAAO,QAAQ,KAAA,GACf,MAAM,IAAI,6EAA2E,sBAAsB;IAAE;IAAQ,OAAO;GAAM,CAAC;GAEvI,IAAI,OAAO,QAAQ,OAAO,WACtB,MAAM,IAAI,8DAA4D,sBAAsB;IAAE,UAAU,OAAO;IAAW;IAAQ,OAAO;GAAM,CAAC;EAExJ;EACA,IAAI,OAAO,cAAc,KAAA,GACrB,aAAa,OAAO,WAAW,MAAM,gDAA8C,kBAAkB,EAAE,OAAO,CAAC;EAEnH,QAAQ,IAAI,UAAU,GAAG;EACzB,cAAc,IAAI,MAAM,MAAM;CAClC;CACA,IAAI,uBAAuB,KAAK,gBAAgB,KAAA,GAC5C,qBAAqB,KAAK,YAAY,UAAU,IAAI;MAEnD,IAAI,KAAK,eAAe,UAAU,KAAK,eAAe,UACvD,MAAM,IAAI,0BAA0B,kCAAkC,EAAE,OAAO,EAAE,MAAM,KAAK,EAAE,CAAC;CAEnG,OAAO;AACX;AACA,SAAS,8BAA8B,UAAU;CAC7C,IAAI;CACJ,IAAK,aAAa,+BAA+B,QAAQ,GACrD,MAAM,IAAI,8BAA8B,yEAAyE;EAAE,OAAO;EAAY;CAAS,CAAC;AAExJ;AACA,eAAsB,4BAA4B,IAAI,QAAQ,UAAU,SAAS;CAC7E,OAAO,kCAAkC,IAAI,QAAQ,UAAU,KAAA,GAAW,UAAU,aAAa,SAAS,oBAAoB;AAClI;AAOA,SAAS,iBAAiB,UAAU,QAAQ;CACxC,IAAI,MAAM,QAAQ,OAAO,OAAO,GAAG;MAC3B,CAAC,OAAO,OAAO,IAAI,SAAS,QAAQ,GACpC,MAAM,IAAI,iDAA+C,sBAAsB;GAC3E;GACA,QAAQ,OAAO;GACf,OAAO;EACX,CAAC;CAAA,OAGJ,IAAI,OAAO,OAAO,QAAQ,UAC3B,MAAM,IAAI,iDAA+C,sBAAsB;EAC3E;EACA,QAAQ,OAAO;EACf,OAAO;CACX,CAAC;CAEL,OAAO;AACX;AAOA,SAAS,eAAe,IAAI,QAAQ;CAChC,MAAM,WAAW,GAAG,mBAAmB,MAAM,KAAK,GAAG;CACrD,IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,+CAA6C,sBAAsB;EACzE;EACA,QAAQ,OAAO;EACf,OAAO;CACX,CAAC;CAEL,OAAO;AACX;AACA,MAAM,0BAAU,IAAI,QAAQ;AAC5B,SAAS,MAAM,cAAc;CACzB,QAAQ,IAAI,YAAY;CACxB,OAAO;AACX;AACA,MAAa,SAAS,OAAO;AAC7B,eAAsB,8BAA8B,IAAI,QAAQ,sBAAsB,oBAAoB,aAAa,cAAc,SAAS;CAC1I,SAAS,EAAE;CACX,aAAa,MAAM;CACnB,IAAI,CAAC
,QAAQ,IAAI,kBAAkB,GAC/B,MAAMC,iBAAe,0IAAqIF,uBAAqB;CAEnL,eAAa,aAAa,iBAAe;CACzC,MAAM,OAAO,sBAAsB,oBAAoB,MAAM;CAC7D,IAAI,CAAC,MACD,MAAM,IAAI,mDAAiD,gBAAgB;CAE/E,MAAM,aAAa,IAAI,gBAAgB,SAAS,oBAAoB;CACpE,WAAW,IAAI,gBAAgB,WAAW;CAC1C,WAAW,IAAI,QAAQ,IAAI;CAC3B,IAAI,iBAAiB,QAAQ;EACzB,eAAa,cAAc,kBAAgB;EAC3C,WAAW,IAAI,iBAAiB,YAAY;CAChD;CACA,OAAO,qBAAqB,IAAI,QAAQ,sBAAsB,sBAAsB,YAAY,OAAO;AAC3G;AACA,MAAM,gBAAgB;CAClB,KAAK;CACL,QAAQ;CACR,WAAW;CACX,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,OAAO;CACP,QAAQ;CACR,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,KAAK;CACL,WAAW;AACf;AACA,SAAS,iBAAiB,UAAU,QAAQ;CACxC,KAAK,MAAM,SAAS,UAChB,IAAI,OAAO,OAAO,WAAW,KAAA,GACzB,MAAM,IAAI,QAAQ,MAAM,KAAK,cAAc,OAAO,kBAAkB,kBAAkB,EAClF,QAAQ,OAAO,OACnB,CAAC;CAGT,OAAO;AACX;AACA,MAAa,gBAAgB,OAAO;AACpC,MAAa,oBAAoB,OAAO;AACxC,eAAsB,iCAAiC,IAAI,QAAQ,UAAU,SAAS;CAClF,IAAI,OAAO,SAAS,kBAAkB,YAClC,OAAO,SAAS,WAAW,YAC3B,SAAS,gBACT,OAAO,uCAAuC,IAAI,QAAQ,UAAU,QAAQ,eAAe,QAAQ,QAAQ,QAAQ,aAAa,QAAQ,oBAAoB;CAEhK,OAAO,uCAAuC,IAAI,QAAQ,UAAU,UAAU,aAAa,SAAS,oBAAoB;AAC5H;AACA,eAAe,uCAAuC,IAAI,QAAQ,UAAU,eAAe,QAAQ,WAAW,sBAAsB;CAChI,MAAM,2BAA2B,CAAC;CAClC,QAAQ,eAAR;EACI,KAAK,KAAA;GACD,gBAAgB;GAChB;EACJ,KAAK,eACD;EACJ;GACI,eAAa,eAAe,4BAA0B;GACtD,yBAAyB,KAAK,OAAO;CAC7C;CACA,WAAW,OAAO;CAClB,QAAQ,QAAR;EACI,KAAK,KAAA;GACD,SAAS;GACT;EACJ,KAAK,mBACD;EACJ;GACI,aAAa,QAAQ,MAAM,qBAAmB;GAC9C,yBAAyB,KAAK,WAAW;CACjD;CACA,MAAM,SAAS,MAAM,kCAAkC,IAAI,QAAQ,UAAU,0BAA0B,WAAW,oBAAoB;CACtI,eAAa,OAAO,UAAU,2CAAuC,kBAAkB,EACnF,MAAM,OACV,CAAC;CACD,MAAM,SAAS,0BAA0B,MAAM;CAC/C,IAAI,WAAW,mBAAmB;EAC9B,MAAM,MAAM,UAAU,IAAI,aAAa,MAAM;EAC7C,MAAM,YAAY,kBAAkB,MAAM;EAC1C,IAAI,OAAO,YAAY,SAAS,MAAM,WAClC,MAAM,IAAI,oEAAoE,qBAAqB;GAAE;GAAQ;GAAK;GAAW,OAAO;EAAY,CAAC;CAEzJ;CACA,IAAI,kBAAkB;MACd,OAAO,UAAU,KAAA,GACjB,MAAM,IAAI,6CAA2C,sBAAsB;GACvE,UAAU,KAAA;GACV;GACA,OAAO;EACX,CAAC;CAAA,OAGJ,IAAI,OAAO,UAAU,eACtB,MAAM,IAAI,6CAA2C,sBAAsB;EACvE,UAAU;EACV;EACA,OAAO;CACX,CAAC;CAEL,OAAO;AACX;AACA,eAAe,uCAAuC,IAAI,QAAQ,UAAU,WAAW,sBAAsB;CACzG,MAAM,SAAS,MAAM,kCAAkC,IAAI,QAAQ,UAAU,KAAA,GAAW,WAAW,oBA
AoB;CACvH,MAAM,SAAS,0BAA0B,MAAM;CAC/C,IAAI,QAAQ;EACR,IAAI,OAAO,oBAAoB,KAAA,GAAW;GACtC,aAAa,OAAO,iBAAiB,MAAM,4BAA0B;GACrE,MAAM,MAAM,UAAU,IAAI,aAAa,MAAM;GAC7C,MAAM,YAAY,kBAAkB,MAAM;GAC1C,IAAI,OAAO,YAAY,OAAO,kBAAkB,MAAM,WAClD,MAAM,IAAI,oEAAoE,qBAAqB;IAAE;IAAQ;IAAK;IAAW,OAAO;GAAY,CAAC;EAEzJ;EACA,IAAI,OAAO,UAAU,KAAA,GACjB,MAAM,IAAI,6CAA2C,sBAAsB;GACvE,UAAU,KAAA;GACV;GACA,OAAO;EACX,CAAC;CAET;CACA,OAAO;AACX;AACA,MAAa,6BAA6B;AAC1C,MAAa,sBAAsB;AACnC,MAAa,wBAAwB;AACrC,MAAa,+BAA+B;AAE5C,MAAa,cAAc;AAC3B,MAAa,mBAAmB;AAEhC,MAAa,uBAAuB;AACpC,MAAa,0BAA0B;AACvC,MAAa,yBAAyB;AACtC,MAAa,6BAA6B;AAC1C,MAAa,sBAAsB;AACnC,MAAa,uBAAuB;AACpC,MAAa,4BAA4B;AAEzC,MAAa,0BAA0B;AACvC,MAAa,0BAA0B;AA4CvC,SAAS,uBAAuB,UAAU;CACtC,IAAI,SAAS,UACT,MAAME,iBAAe,2CAAyCF,uBAAqB;AAE3F;AAgLA,eAAe,YAAY,KAAK,UAAU,WAAW,gBAAgB,YAAY;CAC7E,IAAI,EAAE,GAAG,iBAAiB,GAAG,SAAS,WAAW,IAAI,MAAM,GAAG;CAC9D,IAAI,WAAW,GACX,IAAI,eAAe,KAAA,GAAW;EAC1B,MAAM,MAAM,WAAW,GAAG;EAC1B,CAAC,CAAE,GAAG,iBAAiB,GAAG,SAAS,UAAW,IAAI,MAAM,GAAG;CAC/D,OAEI,MAAM,IAAI,0BAA0B,oCAAoC,EAAE,OAAO,IAAI,CAAC;CAG9F,IAAI,WAAW,GACX,MAAM,IAAI,eAAe,kBAAkB,GAAG;CAElD,IAAI;CACJ,IAAI;EACA,SAAS,KAAK,MAAM,IAAI,KAAK,eAAe,CAAC,CAAC;CAClD,SACO,OAAO;EACV,MAAM,IAAI,6DAA6D,aAAa,KAAK;CAC7F;CACA,IAAI,CAAC,aAAa,MAAM,GACpB,MAAM,IAAI,yCAAyC,kBAAkB,GAAG;CAE5E,SAAS,MAAM;CACf,IAAI,OAAO,SAAS,KAAA,GAChB,MAAM,IAAI,0BAA0B,6DAA2D,EAC3F,OAAO,EAAE,OAAO,EACpB,CAAC;CAEL,IAAI;CACJ,IAAI;EACA,SAAS,KAAK,MAAM,IAAI,KAAK,OAAO,CAAC,CAAC;CAC1C,SACO,OAAO;EACV,MAAM,IAAI,8DAA8D,aAAa,KAAK;CAC9F;CACA,IAAI,CAAC,aAAa,MAAM,GACpB,MAAM,IAAI,0CAA0C,kBAAkB,GAAG;CAE7E,MAAM,MAAM,UAAU,IAAI;CAC1B,IAAI,OAAO,QAAQ,KAAA,GAAW;EAC1B,IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,uDAAqD,kBAAkB,EAAE,OAAO,CAAC;EAE/F,IAAI,OAAO,OAAO,MAAM,gBACpB,MAAM,IAAI,8FAA4F,qBAAqB;GAAE;GAAQ;GAAK,WAAW;GAAgB,OAAO;EAAM,CAAC;CAE3L;CACA,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,iDAA+C,kBAAkB,EAAE,OAAO,CAAC;CAAA;CAG7F,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,8CAA4C,kBAAkB,EAAE,OAAO,CAAC;CAAA;CAG1F,IAAI,OAAO,QAAQ,KAAA,GAAW;EAC1B,
IAAI,OAAO,OAAO,QAAQ,UACtB,MAAM,IAAI,kDAAgD,kBAAkB,EAAE,OAAO,CAAC;EAE1F,IAAI,OAAO,MAAM,MAAM,gBACnB,MAAM,IAAI,mDAAiD,qBAAqB;GAC5E;GACA;GACA,WAAW;GACX,OAAO;EACX,CAAC;CAET;CACA,IAAI,OAAO,QAAQ,KAAA;MACX,OAAO,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,OAAO,GAAG,GAC3D,MAAM,IAAI,gDAA8C,kBAAkB,EAAE,OAAO,CAAC;CAAA;CAG5F,OAAO;EAAE;EAAQ;EAAQ,KAAK;CAAI;AACtC;AAuEA,eAAe,cAAc,SAAS;CAClC,IAAI,QAAQ,UACR,MAAME,iBAAe,4DAA4DF,yBAAuB,EAAE,OAAO,QAAQ,CAAC;CAE9H,OAAO,QAAQ,KAAK;AACxB;AACA,eAAsB,iBAAiB,SAAS;CAC5C,IAAI,QAAQ,WAAW,QACnB,MAAME,iBAAe,2DAA2DF,yBAAuB,EAAE,OAAO,QAAQ,CAAC;CAE7H,IAAI,eAAe,OAAO,MAAM,qCAC5B,MAAME,iBAAe,8FAA8FF,yBAAuB,EAAE,OAAO,QAAQ,CAAC;CAEhK,OAAO,cAAc,OAAO;AAChC;AAoIA,SAAS,sBAAsB,QAAQ,QAAQ,UAAU,QAAQ;CAC7D,IAAI,WAAW,KAAA,GAAW;EACtB,IAAI,OAAO,WAAW,WAAW,OAAO,QAAQ,SAAS,CAAC,OAAO,SAAS,OAAO,GAAG,GAChF,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;EACZ,CAAC;EAEL;CACJ;CACA,IAAI,MAAM,QAAQ,MAAM,GAAG;EACvB,IAAI,CAAC,OAAO,SAAS,OAAO,GAAG,GAC3B,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;EACZ,CAAC;EAEL;CACJ;CACA,IAAI,aAAa,KAAA,GAAW;EACxB,IAAI,OAAO,aAAa,WAClB,OAAO,QAAQ,WACf,OAAO,aAAa,aAChB,CAAC,SAAS,OAAO,GAAG,IACpB,CAAC,SAAS,SAAS,OAAO,GAAG,GACnC,MAAM,IAAI,2CAAyC,kBAAkB;GACjE;GACA,UAAU;GACV,QAAQ;EACZ,CAAC;EAEL;CACJ;CACA,MAAM,IAAI,sFAAoF,KAAA,GAAW;EAAE;EAAQ;EAAQ;CAAS,CAAC;AACzI;AACA,SAAS,sBAAsB,YAAY,MAAM;CAC7C,MAAM,EAAE,GAAG,OAAO,WAAW,WAAW,OAAO,IAAI;CACnD,IAAI,SAAS,GACT,MAAM,IAAI,IAAI,KAAK,yCAAyC,gBAAgB;CAEhF,OAAO;AACX;AACA,MAAa,iBAAiB,OAAO;AACrC,MAAa,gBAAgB,OAAO;AACpC,SAAgB,qBAAqB,IAAI,QAAQ,YAAY,eAAe;CACxE,SAAS,EAAE;CACX,aAAa,MAAM;CACnB,IAAI,sBAAsB,KACtB,aAAa,WAAW;CAE5B,IAAI,EAAE,sBAAsB,kBACxB,MAAME,iBAAe,iEAA+DD,sBAAoB;CAE5G,IAAI,sBAAsB,YAAY,UAAU,GAC5C,MAAM,IAAI,4GAA0G,kBAAkB,EAAE,WAAW,CAAC;CAExJ,MAAM,MAAM,sBAAsB,YAAY,KAAK;CACnD,MAAM,QAAQ,sBAAsB,YAAY,OAAO;CACvD,IAAI,CAAC,OAAO,GAAG,gDACX,MAAM,IAAI,+CAA6C,kBAAkB,EAAE,WAAW,CAAC;CAE3F,IAAI,OAAO,QAAQ,GAAG,QAClB,MAAM,IAAI,wDAAsD,kBAAkB;EAC9E,UAAU,GAAG;EACb;CACJ,CAAC;CAEL,QAAQ,eAAR;EACI,KAAK,KAAA;EACL,KAAK;GACD,IAAI,UAAU,KAAA,GACV,MAAM,IAAI,uD
AAqD,kBAAkB;IAC7E,UAAU,KAAA;IACV;GACJ,CAAC;GAEL;EACJ,KAAK,gBACD;EACJ;GACI,eAAa,eAAe,4BAA0B;GACtD,IAAI,UAAU,eACV,MAAM,IAAI,UAAU,KAAA,IACd,yCACA,iDAA+C,kBAAkB;IAAE,UAAU;IAAe;GAAW,CAAC;CAE1H;CAEA,IADc,sBAAsB,YAAY,OACxC,GACJ,MAAM,IAAI,2BAA2B,sDAAsD,EACvF,OAAO,WACX,CAAC;CAEL,MAAM,WAAW,sBAAsB,YAAY,UAAU;CAC7D,MAAM,QAAQ,sBAAsB,YAAY,OAAO;CACvD,IAAI,aAAa,KAAA,KAAa,UAAU,KAAA,GACpC,MAAM,IAAI,0BAA0B,6CAA6C;CAErF,OAAO,MAAM,IAAI,gBAAgB,UAAU,CAAC;AAChD;AA+XA,eAAe,oBAAoB,UAAU,QAAQ,uBAAuB;CACxE,IAAI;CACJ,IAAI;EACA,OAAO,MAAM,SAAS,KAAK;CAC/B,SACO,OAAO;EACV,MAAM,QAAQ;EACd,MAAM,IAAI,6CAA2C,aAAa,KAAK;CAC3E;CACA,IAAI,CAAC,aAAa,IAAI,GAClB,MAAM,IAAI,gDAA8C,kBAAkB,EAAE,MAAM,KAAK,CAAC;CAE5F,OAAO;AACX;AAEA,MAAa,oBAAoB,OAAO;AACxC,MAAa,kBAAkB,OAAO;;;ACr8EtC,IAAI;AACJ,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,cAAc,GAAG;CAGxF,aAAa;CACb,UAAU,EAAE,cAAc,WAAW;AACzC;AACA,MAAM,OAAO,WAAW;CACpB,OAAO,MAAM,IAAI,MAAM;AAC3B;AACA,IAAI;AAEJ,IAAI;AACJ,SAAgB,iBAAiB,cAAc;CAC3C,IAAI,iBAAiB,KAAA,GACjB,OAAOY,mBAAuB,YAAY;CAE9C,wBAAQ,IAAI,QAAQ;CACpB,QAAQ,IAAI,QAAQ,MAAM,YAAY;EAClC,IAAI;EACJ,IAAI,EAAE,OAAO,IAAI,IAAI,MAAM,IAAI;GAC3B,aAAa,OAAO,eAAe,4BAA0B;GAC7D,OAAOA,mBAAuB,OAAO,aAAa;GAClD,IAAI,IAAI,QAAQ,IAAI;EACxB;EACA,OAAO,KAAK,IAAI,QAAQ,MAAM,OAAO;CACzC;AACJ;AACA,SAAS,aAAa,OAAO,IAAI;CAC7B,IAAI,OAAO,UAAU,UACjB,MAAM,eAAe,GAAG,GAAG,oBAAoB,oBAAoB;CAEvE,IAAI,MAAM,WAAW,GACjB,MAAM,eAAe,GAAG,GAAG,qBAAqB,qBAAqB;AAE7E;AA+BA,SAAgB,OAAO;CACnB,OAAOC,OAAW;AACtB;AASA,MAAa,cAAcC;AAI3B,MAAM,wBAAwB;AAC9B,MAAM,uBAAuB;AAC7B,SAAS,eAAe,SAAS,MAAM,OAAO;CAC1C,MAAM,MAAM,IAAI,UAAU,SAAS,EAAE,MAAM,CAAC;CAC5C,OAAO,OAAO,KAAK,EAAE,KAAK,CAAC;CAC3B,OAAO;AACX;AACA,SAAgB,2BAA2B,cAAc;CACrD,OAAOC,6BAAiC,YAAY;AACxD;AACA,SAAgB,yBAAyB;CACrC,OAAOC,2BAAiC;AAC5C;AAIA,SAAgB,cAAc;CAC1B,OAAOC,oBAA0B;AACrC;AACA,IAAa,cAAb,cAAiC,MAAM;CACnC;CACA,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,KAAK,OAAO,SAAS;EACrB,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AACgB,IAAI,YAAY;AAChC,SAAS,EAAE,KAAK,OAAO,MAAM;CACzB,OAAO,IAAI,YAAY,KAAK;EAAE;EAAO;CAAK,CAAC;AA
C/C;AACA,SAAS,aAAa,KAAK;CACvB,IAAI,eAAe,aACf,eAAe,eACf,eAAeE,qBACf,eAAeC,8BACf,eAAeC,+BACf,MAAM;CAEV,IAAI,eAAeC,0BACf,QAAQ,IAAI,MAAZ;EACI,KAAKC,wBACD,MAAM,EAAE,sCAAsC,KAAK,IAAI,IAAI;EAC/D,KAAKC,4BACD,MAAM,EAAE,8CAA8C,KAAK,IAAI,IAAI;EACvE,KAAKC,yBACD,MAAM,EAAE,wCAAwC,IAAI,OAAO,IAAI,IAAI;EACvE,KAAKC,sBACD,MAAM,EAAE,oCAAoC,IAAI,OAAO,IAAI,IAAI;EACnE,KAAKC,aACD,MAAM,EAAE,yBAAyB,KAAK,IAAI,IAAI;EAClD,KAAKC,kBACD,MAAM,EAAE,gCAAgC,KAAK,IAAI,IAAI;EACzD,KAAKC,sBACD,MAAM,EAAE,0CAA0C,KAAK,IAAI,IAAI;EACnE,KAAKC,2BACD,MAAM,EAAE,+CAA+C,KAAK,IAAI,IAAI;EACxE,KAAKC,qBACD,MAAM,EAAE,+CAA+C,KAAK,IAAI,IAAI;EACxE,SACI,MAAM,EAAE,IAAI,SAAS,KAAK,IAAI,IAAI;CAC1C;CAEJ,IAAI,eAAeC,2BACf,MAAM,EAAE,yBAAyB,KAAK,IAAI,IAAI;CAElD,IAAI,eAAe,cACf,QAAQ,IAAI,MAAZ;EACI,KAAK,kBACD,MAAM,EAAE,2BAA2B,KAAKC,qBAA2B;EACvE,KAAK,qBACD,MAAM,EAAE,iCAAiC,KAAKA,qBAA2B;EAC7E,KAAK,gBACD,MAAM,EAAE,uBAAuB,KAAK,eAAe;EACvD,KAAK,cACD,MAAM,EAAE,qBAAqB,KAAK,aAAa;CACvD;CAEJ,MAAM,IAAI,YAAY,wBAAwB,EAAE,OAAO,IAAI,CAAC;AAChE;AAQA,SAAS,cAAc,QAAQ,IAAI,SAAS;CACxC,IAAI,OAAO,WAAW,wCACjB,CAAC,SAAS,aAAa,QAAQ,cAAc,SAAS;EACvD,GAAG,YAAY;EACf,OAAO;CACX;CACA,OAAO;AACX;AACA,SAAS,eAAe,QAAQ,SAAS;CACrC,IAAI,OAAO,SAAS,SAAS,eAAe,MACvC,CAAC,SAAS,aAAa,QAAQ,cAAc,SAC9C,OAAO;CAEX,OAAO;AACX;AAsDA,eAAsB,UAAU,QAAQ,UAAU,UAAU,sBAAsB,SAAS;CAEvF,MAAM,WAAW,IAAI,cAAc,MADlB,iBAAiB,QAAQ,OAAO,GACV,UAAU,UAAU,oBAAoB;CAC/E,IAAI,YAAY,IAAI,QAAQ;CAC5B,IAAI,UAAU,cACV,UAAU,QAAQ,QAAQ;CAE9B,IAAI,SAAS,SACT,UAAU,UAAU,QAAQ;CAEhC,IAAI,SAAS,SACT,KAAK,MAAM,aAAa,QAAQ,SAC5B,UAAU,QAAQ;CAG1B,OAAO;AACX;AACA,eAAe,iBAAiB,QAAQ,SAAS;CAC7C,IAAI,EAAE,kBAAkB,MACpB,MAAM,eAAe,yCAAuC,oBAAoB;CAEpF,MAAM,UAAU,CAAC,OAAO,KAAK,SAAS,eAAe;CACrD,MAAM,UAAU,SAAS,WAAW;CACpC,MAAM,SAAS,YAAY,QAAQ,UAAU,GAAI;CACjD,MAAM,KAAK,OAAO,UACZC,iBAAuB,QAAQ;EAC7B,WAAW,SAAS;GACnBpB,gBAAoB,UAAU;GAC9BqB,0BAA8B,SAAS,SAAS,SAAS,qBAAqB;EAC/E;EACA,SAAS,IAAI,QAAQ,OAAO;CAChC,CAAC,KACE,UAAU,gBAAgB,cAAc;EACvC,cAAoB,QAAQ,SAAS,SAAS,SAAS,qBAAqB,IAAI,QAAQ,IAAI;EAC5F,OAAO,OAAO;CAClB,GAAG,GAAG;EACF,SAAS,OAAO,YAAY,IAAI,QAAQ;GAAE,QAAQ;GAAoB,GAAG
;EAAQ,CAAC,EAAE,QAAQ,CAAC;EAC7F,MAAM,KAAA;EACN,QAAQ;EACR,UAAU;EACV;CACJ,CAAC,GACA,MAAM,aAAaC,yBAA+BC,mBAAyB,QAAQ,CAAC,EACpF,MAAM,YAAY;CACvB,IAAI,WAAW,IAAI,IAAI,GAAG,MAAM,EAAE,SAAS,OAAO,MAC9C,cAAc,QAAQ,IAAI,OAAO,KAC7B,eAAe,QAAQ,OAAO,YACvB;EACH,MAAM,IAAI,YAAY,iEAAiE;GACnF,MAAM;GACN,OAAO;IACH,UAAU,OAAO;IACjB,MAAM;IACN,WAAW;GACf;EACJ,CAAC;CACL,GAAG;CAEX,OAAO;AACX;AAiJA,SAAS,iBAAiB,UAAU;CAChC,OAAO,EACH,cAAc;EACV,WAAW;EACX,MAAM,SAAS,QAAQ;GACnB,OAAQ,SAAS,kCAAkC,SAAS,MAAM,MAAM;EAC5E;CACJ,EACJ;AACJ;AACA,SAAS,iBAAiB,UAAU;CAChC,OAAO,iBAAiB,UAAU,iBAAiB,QAAQ,CAAC;AAChE;AACA,MAAM,WAAW,OAAO;AACxB,IAAa,gBAAb,MAA2B;CACvB,YAAY,QAAQ,UAAU,UAAU,sBAAsB;EAC1D,IAAI,OAAO,aAAa,YAAY,CAAC,SAAS,QAC1C,MAAM,eAAe,2CAAyC,oBAAoB;EAEtF,IAAI,OAAO,aAAa,UACpB,WAAW,EAAE,eAAe,SAAS;EAEzC,IAAI,UAAU,cAAc,KAAA,KAAa,aAAa,SAAS,WAC3D,MAAM,eAAe,4DAAwD,qBAAqB;EAEtG,MAAM,SAAS;GACX,GAAG,gBAAgB,QAAQ;GAC3B,WAAW;EACf;EACA,OAAOC,aAAmB,WAAWA,cAAoB;EACzD,OAAOC,kBAAwB,WAAWA,mBAAyB;EACnE,IAAI;EACJ,IAAI,sBACA,OAAO;OAGP,IAAI,OAAO,OAAO,kBAAkB,YAChC,OAAO,cAAc,QACrB,OAAO,iBAAiB,OAAO,aAAa;OAG5C,OAAO,KAAK;EAGpB,IAAI,IAAI,OAAO,OAAO,MAAM;EAC5B,MAAM,QAAQ,gBAAgB,MAAM;EACpC,IAAI,YAAY,QACZ,MAAMC,oBAA0B,EAAE,QAAQ,EAAE,YAAY,OAAO,OAAO,QAAQ,cAAc,GAAG;EAEnG,IAAI,KAAK,OAAO,OAAO,KAAK;EAC5B,0BAAU,IAAI,QAAQ;EACtB,MAAM,IAAI,MAAM;GACZ,WAAW;GACX;GACA;GACA;GACA,SAAS;GACT,WAAW,CAAC;EAChB,CAAC;CACL;CACA,iBAAiB;EACb,MAAM,WAAW,gBAAgB,IAAI,IAAI,EAAE,EAAE;EAC7C,iBAAiB,QAAQ;EACzB,OAAO;CACX;CACA,iBAAiB;EAEb,OADiB,gBAAgB,IAAI,IAAI,EAAE,CAC7B;CAClB;CACA,IAAI,UAAU;EACV,OAAO,IAAI,IAAI,EAAE;CACrB;CACA,IAAI,QAAQ,OAAO;EACf,IAAI,IAAI,EAAE,UAAU;CACxB;CACA,KAAK,eAAe;EAChB,OAAO,IAAI,IAAI,EAAE;CACrB;CACA,KAAK,aAAa,OAAO;EACrB,IAAI,IAAI,EAAE,QAAQ;CACtB;AACJ;AACA,OAAO,OAAO,cAAc,SAAS;AACrC,SAAS,WAAW,UAAU;CAC1B,IAAI,MAAM,KAAA;CACV,IAAI,SAAS,eAAe,KAAA,GAAW;EACnC,MAAM,sBAAM,IAAI,KAAK;EACrB,IAAI,WAAW,IAAI,WAAW,IAAI,SAAS,UAAU;EACrD,MAAM,IAAI,QAAQ;CACtB;CACA,OAAO;EACH,WAAW;GACP,WAAW;GACX,QAAQ;IACJ,IAAI,KAAK;KACL,MAAM,MAAM,KAAK,IAAI;KACrB,IAAI,MAAM,KACN,OAAO,KAAK,OAAO,MAAM,OAAO,G
AAI;KAExC,OAAO;IACX;GAEJ;EACJ;EACA,QAAQ;GACJ,WAAW;GACX,QAAQ;IACJ,IAAI;KACA,OAAOC,0BAAgC,IAAI;IAC/C,QACM;KACF;IACJ;GACJ;EACJ;CACJ;AACJ;AACA,SAAS,WAAW,UAAU;CAC1B,OAAO,iBAAiB,UAAU,WAAW,QAAQ,CAAC;AAC1D;AA2OA,SAAgB,sBAAsB,QAAQ;CAC1C,IAAI,MAAM,EAAE,UAAU;AAC1B;AA0HA,SAAS,YAAY,KAAK;CACtB,MAAM,IAAI,IAAI,GAAG;CACjB,IAAI,SAAS;CACb,IAAI,OAAO;CACX,OAAO,IAAI;AACf;AACA,SAAS,cAAc,OAAO,aAAa;CACvC,IAAI;EACA,OAAO,OAAO,eAAe,KAAK,EAAE,OAAO,iBAAiB;CAChE,QACM;EACF,OAAO;CACX;AACJ;AACA,eAAsB,uBAAuB,QAAQ,YAAY,QAAQ,yBAAyB,SAAS;CACvG,YAAY,MAAM;CAClB,IAAI,SAAS,SAAS,SAClB,EAAE,sBAAsB,QACxB,CAAC,cAAc,YAAY,SAAS,GACpC,MAAM,eAAe,yDAAuD,oBAAoB;CAEpG,IAAI;CACJ,IAAI;CACJ,MAAM,EAAE,IAAI,GAAG,MAAM,OAAO,SAAS,MAAM,QAAQ,gBAAgB,SAAS,SAAS,aAAa,IAAI,MAAM;CAC5G,IAAI,SAAS,SAAS,OAAO;EACzB,eAAe,QAAQ;EACvB,cAAc,QAAQ;CAC1B,OACK;EACD,IAAI,EAAE,sBAAsB,MAAM;GAC9B,MAAM,UAAU;GAChB,aAAa,IAAI,IAAI,WAAW,GAAG;GACnC,QAAQ,QAAQ,QAAhB;IACI,KAAK,OACD;IACJ,KAAK;KACD,MAAM,SAAS,IAAI,gBAAgB,MAAMC,iBAAuB,OAAO,CAAC;KACxE,IAAI,QACA,WAAW,OAAO,OAAO,SAAS;UAGlC,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,GAChC,WAAW,aAAa,OAAO,GAAG,CAAC;KAG3C;IACJ,SACI,MAAM,eAAe,kCAAkC,qBAAqB;GACpF;EACJ;EACA,cAAc,YAAY,UAAU;EACpC,QAAQ,MAAR;GACI,KAAK,CAAC,CAAC;IACH,eAAe,MAAM,KAAK,YAAY,QAAQ,aAAa;IAC3D;GACJ,KAAK,CAAC,CAAC;IACH,eAAe,MAAM,OAAO,YAAY,QAAQ,eAAe,QAAQ,eAAe,QAAQ,MAAM;IACpG;GACJ,KAAK,CAAC,CAAC,UACH,MAAM,IAAI,UAAU,2EAA2E;GACnG,SACI,IAAI;IACA,eAAeC,qBAA2B,IAAI,GAAG,WAAW,cAAc,QAAQ,aAAa;GACnG,SACO,KAAK;IACR,aAAa,GAAG;GACpB;EACR;CACJ;CACA,MAAM,WAAW,MAAMC,8BACY,IAAI,GAAG,MAAM,cAAc,aAAa,QAAQ,oBAAoBC,QAAc;EACjH,sBAAsB;GACrB/B,gBAAoB;GACpBqB,0BAA8B,CAAC;EAChC,MAAM,SAAS;EACf,SAAS,IAAI,QAAQ,OAAO;EAC5B,QAAQ,OAAO,OAAO;CAC1B,CAAC,EACI,MAAM,YAAY;CACvB,IAAI,OAAO,QAAQ,kBAAkB,YACjC,OAAO,QAAQ,WAAW,UAC1B,OAAO,kBAAkB;CAE7B,MAAM,IAAIW,iCAAuC,IAAI,GAAG,UAAU;EAC9D,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,gBAAgB,QAAQ;GACvBC,aAAmB;CACxB,CAAC;CACD,IAAI;CACJ,IAAI;EACA,SAAS,MAAM;CACnB,SACO,KAAK;EACR,IAAI,UAAU,KAAK,OAAO,GACtB,OAAO,uBAAuB,QAAQ,KAAA,GAAW,QAAQ,yBAAyB;GAC9E,GAAG;GACH,MAAM;GACQ;GACD;EACjB,C
AAC;EAEL,aAAa,GAAG;CACpB;CACA,OAAO,YAAa,MAAM,iBAAiB,QAAQ;CACnD,WAAW,MAAM;CACjB,OAAO;AACX;AAiCA,eAAsB,kBAAkB,QAAQ,cAAc,YAAY,SAAS;CAC/E,YAAY,MAAM;CAClB,aAAa,IAAI,gBAAgB,UAAU;CAC3C,MAAM,EAAE,IAAI,GAAG,MAAM,OAAO,SAAS,gBAAgB,SAAS,YAAY,IAAI,MAAM;CACpF,MAAM,WAAW,MAAMC,yBACO,IAAI,GAAG,MAAM,cAAc;GACpDlC,gBAAoB;GACpBqB,0BAA8B,CAAC;EAChC,sBAAsB;EACtB,MAAM,SAAS;EACf,SAAS,IAAI,QAAQ,OAAO;EAC5B,QAAQ,OAAO,OAAO;CAC1B,CAAC,EACI,MAAM,YAAY;CACvB,MAAM,IAAIc,4BAAkC,IAAI,GAAG,UAAU,GACxDF,aAAmB,QACxB,CAAC;CACD,IAAI;CACJ,IAAI;EACA,SAAS,MAAM;CACnB,SACO,KAAK;EACR,IAAI,UAAU,KAAK,OAAO,GACtB,OAAO,kBAAkB,QAAQ,cAAc,YAAY;GACvD,GAAG;GACH,MAAM;EACV,CAAC;EAEL,aAAa,GAAG;CACpB;CACA,OAAO,YAAa,MAAM,iBAAiB,QAAQ;CACnD,WAAW,MAAM;CACjB,OAAO;AACX;AA+BA,SAAgB,sBAAsB,QAAQ,YAAY;CACtD,YAAY,MAAM;CAClB,MAAM,EAAE,IAAI,GAAG,SAAS,QAAQ,MAAM,aAAa,IAAI,MAAM;CAC7D,MAAM,wBAAwBG,gBAAsB,IAAI,0BAA0B,OAAO,OAAO;CAChG,aAAa,IAAI,gBAAgB,UAAU;CAC3C,IAAI,CAAC,WAAW,IAAI,WAAW,GAC3B,WAAW,IAAI,aAAa,EAAE,SAAS;CAE3C,IAAI,CAAC,WAAW,IAAI,aAAa,KAAK,CAAC,WAAW,IAAI,SAAS,GAAG;EAC9D,IAAI,CAAC,WAAW,IAAI,eAAe,GAC/B,WAAW,IAAI,iBAAiB,SAAS,kBAAkB,WAAW,aAAa,MAAM;EAE7F,IAAI,YAAY,CAAC,WAAW,IAAI,OAAO,GACnC,MAAM,eAAe,2GAA2G,qBAAqB;EAEzJ,IAAI,MACA,WAAW,IAAI,iBAAiB,KAAK;CAE7C;CACA,KAAK,MAAM,CAAC,GAAG,MAAM,WAAW,QAAQ,GACpC,sBAAsB,aAAa,OAAO,GAAG,CAAC;CAElD,OAAO;AACX;AA2CA,SAAgB,mBAAmB,QAAQ,YAAY;CACnD,YAAY,MAAM;CAClB,MAAM,EAAE,IAAI,GAAG,YAAY,IAAI,MAAM;CACrC,MAAM,qBAAqBA,gBAAsB,IAAI,wBAAwB,OAAO,OAAO;CAC3F,aAAa,IAAI,gBAAgB,UAAU;CAC3C,IAAI,CAAC,WAAW,IAAI,WAAW,GAC3B,WAAW,IAAI,aAAa,EAAE,SAAS;CAE3C,KAAK,MAAM,CAAC,GAAG,MAAM,WAAW,QAAQ,GACpC,mBAAmB,aAAa,OAAO,GAAG,CAAC;CAE/C,OAAO;AACX;AACA,SAAS,YAAY,OAAO;CACxB,IAAI,EAAE,iBAAiB,gBACnB,MAAM,eAAe,mDAAiD,oBAAoB;CAE9F,IAAI,OAAO,eAAe,KAAK,MAAM,cAAc,WAC/C,MAAM,eAAe,4CAA4C,qBAAqB;AAE9F;AACA,SAAS,OAAO,SAAS;CACrB,OAAO,UAAU,YAAY,QAAQ,UAAU,GAAI,IAAI,KAAA;AAC3D;AAiCA,SAAS,UAAU,KAAK,SAAS;CAC7B,IAAI,SAAS,QAAQ,QAAQ,SAAS,OAClC,OAAOC,iBAAuB,GAAG;CAErC,OAAO;AACX;AAsBA,MAAM,QAAQ,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACjsCrB,MAAa,SAAS,YAAi
D;CACrE,OAAO,gBAAgB,eAAe,OAAO;AAC/C;AA6MA,IAAa,gBAAb,cAAmC,UAAgC;CACjE,mBAAsC,QAAQ,gBAAgB;CAC9D,mBAAsC,QAAQ,gBAAgB;CAE9D;CACA;CAEA,IAAW,QAAmC;EAC5C,OAAO,KAAK;CACd;;;;CAKA,MAAa,WAA+C;EAC1D,IAAI,KAAK,aACP,OAAO,KAAK;EAGd,IAAI,KAAK,kBAAkB;GACzB,KAAK,cAAc,MAAM,KAAK,iBAAiB;GAC/C,KAAK,mBAAmB,KAAA;GACxB,OAAO,KAAK;EACd;CAGF;CAEA,IAAW,OAAO;EAChB,OAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;CAC1C;CAEA,IAAW,SAAsC;EAC/C,IAAI,YAAY,KAAK,SACnB,OAAO,KAAK,QAAQ;CAGxB;CAEA,IAAW,WAAmB;EAC5B,MAAM,OAAO,KAAK,OAAO,eAAe,EAAE;EAC1C,IAAI,CAAC,MACH,MAAM,IAAI,YAAY,6CAA6C;EAErE,OAAO;CACT;CAEA,IAAW,QAA4B;EACrC,IAAI,WAAW,KAAK,SAClB,OAAO,KAAK,QAAQ,MAAM;EAE5B,IAAI,UAAU,KAAK,SACjB,OAAO,KAAK,QAAQ,KAAK,SAAS;EAEpC,MAAM,IAAI,YACR,iEACF;CACF;CAEA,IAAW,eAAe;EACxB,IAAI,WAAW,KAAK,SAClB,OAAO,KAAK,QAAQ,MAAM;EAE5B,IAAI,UAAU,KAAK,SACjB,OAAO,KAAK,QAAQ,KAAK;EAE3B,MAAM,IAAI,YACR,iEACF;CACF;;;;;CAMA,MAAa,QACX,cACA,aAC8B;EAC9B,IAAI,YAAY,KAAK,SACnB,OAAO,KAAK,QAAQ,OACjB,aAAa,cAAc,WAAW,EACtC,MAAM,OAAO,GAAG,MAAM,EACtB,OAAO,UAAU;GAChB,MAAM,IAAI,cACR,mEACA,EACE,OAAO,MACT,CACF;EACF,CAAC;EAGL,MAAM,QAAQ,MAAM,KAAK,SAAS;EAClC,IAAI,OACF,IAAI;GACF,OAAO;IACL,GAAI,MAAM,kBAAkB,OAAO,YAAY;IAC/C,WAAW,KAAK,iBAAiB,IAAI,EAAE,KAAK;GAC9C;EACF,SAAS,OAAO;GACd,MAAM,IAAI,cACR,mEACA,EACE,OAAO,MACT,CACF;EACF;EAGF,MAAM,IAAI,YACR,6EACF;CACF;;;;;;;;;;CAWA,MAAa,KACX,QACA,iBACsB;EACtB,IAAI;GACF,IAAI,WAAW,KAAK,SAAS;IAC3B,MAAM,UAAU;KACd,GAAG;KACH,GAAI,MAAM,KAAK,QAAQ,MAAM,SAAS,MAAM;IAC9C;IAEA,IAAI,KAAK,QAAQ,MAAM,SACrB,OAAO,KAAK,QAAQ,MAAM,QAAQ;KAChC,GAAG;KACH,MAAM;IACR,CAAC;IAGH,OAAO,KAAK,iBAAiB,sBAAsB,OAAO;GAC5D;GAEA,IAAI,UAAU,KAAK,SAAS;IAC1B,MAAM,UAAU;KACd,GAAG;KACH,GAAG,KAAK,mBAAmB,OAAO,YAAY,EAAE;IAClD;IAEA,IAAI,KAAK,QAAQ,KAAK,SACpB,OAAO,KAAK,QAAQ,KAAK,QAAQ;KAC/B,GAAG;KACH,MAAM;IACR,CAAC;IAGH,OAAO,KAAK,iBAAiB,sBAAsB,OAAO;GAC5D;EACF,SAAS,OAAO;GACd,MAAM,IAAI,cACR,wDACA,EACE,OAAO,MACT,CACF;EACF;EAEA,MAAM,IAAI,YACR,kEACF;CACF;CASA,mBAA6B,SAAgC;EAC3D,IAAI;GACF,OAAO,KAAK,MACV,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,IAAI,QAAQ,EAAE,SAAS,MAAM,CAC9D;EACF,SAAS,OAAO;GACd,MAAM,IAAI,YAAY,oCA
AoC,EACxD,OAAO,MACT,CAAC;EACH;CACF;CAEA,MAAa,UAAU;EACrB,IAAI,UAAU,KAAK,SAAS;GAC1B,MAAM,EAAE,SAAS,KAAK;GAEtB,MAAM,eAAe,YAAY;IAC/B,MAAM,UAAkD,CAAC;IACzD,QAAQ,KAAK,qBAAqB;IAElC,OAAO,UACL,IAAI,IAAI,KAAK,MAAM,GACnB,KAAK,UACL,EACE,eAAe,KAAK,aACtB,GACA,KAAA,GACA,EACE,QACF,CACF;GACF;GAGA,IAAI,KAAK,OAAO,aAAa,KAAK,CAAC,KAAK,OAAO,aAAa,GAC1D,KAAK,mBAAmB;QAExB,KAAK,cAAc,MAAM,aAAa;EAE1C;EAEA,IAAI,WAAW,KAAK,SAAS;GAC3B,MAAM,EAAE,UAAU,KAAK;GAEvB,KAAK,cAAc,IAAI,cACrB;IACE,wBAAwB,MAAM;IAC9B,gBAAgB,MAAM;IACtB,QAAQ,MAAM;IAEd,UAAU,KAAA;IACV,sBAAsB,KAAA;GACxB,GACA,MAAM,UACN,EACE,eAAe,MAAM,aACvB,CACF;EACF;CACF;AACF;AAEA,MAAM,QAAQ;;;AC7fd,MAAa,yBAAyB;CACpC,OAAO;CACP,UAAU;CACV,QAAQ;CACR,OAAO;CACP,SAAS;CACT,UAAU;AACZ;;;ACJA,MAAa,eAAe,EAAE,OAAO;CACnC,UAAU,EAAE,KAAK;CACjB,cAAc,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;CACrC,WAAW,EAAE,OAAO;CACpB,YAAY,EAAE,SAAS,EAAE,OAAO,CAAC;CACjC,eAAe,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;CAClD,0BAA0B,EAAE,SAAS,EAAE,OAAO,CAAC;CAC/C,oBAAoB,EAAE,SACpB,EAAE,OAAO,EACP,aACE,6EACJ,CAAC,CACH;CACA,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;CAC7C,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC;AAC5B,CAAC;;;ACbD,MAAa,sBAAsB,EAAE,OAAO,cAAc;CACxD,MAAM;CACN,KAAK;AACP,CAAC;;;ACJD,MAAa,yBAAyB,EAAE,OAAO;CAC7C,MAAM,EAAE,SAAS,qBAAqB;CACtC,KAAK;AACP,CAAC;;;AC6BD,IAAa,qBAAb,MAAgC;CAC9B,MAAyB,QAAQ;CACjC,SAA4B,QAAQ,MAAM;CAC1C,wBAA2C,QAAQ,qBAAqB;CACxE,mBAAsC,QAAQ,gBAAgB;CAC9D,sBAAyC,QAAQ,mBAAmB;;;;;;;;;CAUpE,oBAA8B,KAAqB;EACjD,IAAI,IAAI,WAAW,GAAG,KAAK,CAAC,IAAI,WAAW,IAAI,GAC7C,OAAO;EAET,MAAM,SAAS,KAAK,OAAO,IAAI;EAC/B,IAAI,OAAO,WAAW,YAAY,QAChC,IAAI;GACF,MAAM,SAAS,IAAI,IAAI,GAAG;GAC1B,MAAM,aAAa,OAAO,WAAW,GAAG,IAAI,OAAO,MAAM,CAAC,IAAI;GAC9D,IAAI,OAAO,aAAa,UAAU,OAAO;GACzC,IAAI,OAAO,SAAS,YAAY,OAAO;GACvC,IAAI,OAAO,KAAK,SAAS,IAAI,YAAY,GAAG,OAAO;EACrD,QAAQ,CAER;EAEF,OAAO;CACT;CAEA,IAAW,aAAmC;EAC5C,OAAO,KAAK,OACT,WAAW,KAAK,EAChB,QAAQ,SAAS,CAAC,KAAK,QAAQ,QAAQ;CAC5C;CAEA,oBAAuC,QAAQ;EAC7C,MAAM;EACN,KAAK,CAAC,IAAI,SAAS;EACnB,UAAU;EACV,SAAS;EACT,QAAQ,EAAE,OAAO;GACf,UAAU,EAAE,KAAK;GACjB,OAAO,EAAE,SAAS,EAAE,KAAK,C
AAC;GAC1B,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;GACjD,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;GAChD,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;GAC7C,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC;GAC1B,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC;CACH,CAAC;CAED,SAAyB,QAAQ;EAC/B,MAAM;EACN,KAAK,CAAC,IAAI,MAAM;EAChB,UAAU;EACV,UAAU;EACV,SAAS;EACT,QAAQ;CACV,CAAC;CAED,YAA+B,MAAM;EACnC,IAAI;EACJ,SAAS,YAAY;GACnB,KAAK,MAAM,YAAY,KAAK,YAC1B,MAAM,SAAS,QAAQ;EAE3B;CACF,CAAC;;;;CAKD,YAA+B,MAAM;EACnC,IAAI;EACJ,OAAO,KAAK;EACZ,SAAS,OAAO,EAAE,cAAc;GAC9B,MAAM,UAAU,QAAQ;GAGxB,IAAI,SAAS;IACX,MAAM,SAAS,MAAM,KAAK,gBAAgB,OAAO;IACjD,IAAI,QAAQ;KACV,QAAQ,QAAQ,gBAAgB,UAAU,KAAK,mBAAmB,MAAM;KACxE,KAAK,IAAI,MAAM,uCAAuC,EACpD,UAAU,OAAO,SACnB,CAAC;IACH;GACF;GAGA,IAAI,CAAC,QAAQ,QAAQ;SACd,MAAM,YAAY,KAAK,YAC1B,IAAI,cAAc,SAAS,WAAW,SAAS,QAAQ,UAAU;KAC/D,MAAM,QAAQ,MAAM,SAAS,QAAQ,SAAS;KAC9C,IAAI,OAAO;MACT,QAAQ,QAAQ,gBAAgB,UAAU;MAC1C;KACF;IACF;;EAGN;CACF,CAAC;;;;CAOD,WAA2B,OAAO;EAChC,MAAM,uBAAuB;EAC7B,KAAK,CAAC;EACN,QAAQ,EACN,UAAU,uBACZ;EACA,SAAS,OAAO,EAAE,MAAM,SAAS,cAAc;GAC7C,MAAM,SAAS,KAAK,UAAU,OAAO;GACrC,IAAI,QAAQ;IACV,MAAM,WAAW,KAAK,SAAS,MAAM;IACrC,IAAI,EAAE,YAAY,SAAS,UAAU;KACnC,MAAM,OAAO,MAAM,SAAS,KAAK,MAAM;KAKvC,OAAO;MACL,KAAA,MALgB,KAAK,oBAAoB,gBAAgB;OACzD,eAAe,QAAQ;OACvB;MACF,CAAC;MAGC;KACF;IACF;GACF;GAOA,OAAO;IACL,KAAA,MANgB,KAAK,oBAAoB,gBAAgB;KACzD,eAAe,QAAQ;KACvB;IACF,CAAC;IAIC;GACF;EACF;CACF,CAAC;;;;CAKD,UAA0B,OAAO;EAC/B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ;GACN,OAAO,EAAE,OAAO,EACd,UAAU,EAAE,KAAK,EACnB,CAAC;GACD,MAAM,EAAE,OAAO;IACb,eAAe,EAAE,KAAK,EACpB,MAAM,OACR,CAAC;IACD,cAAc,EAAE,SACd,EAAE,KAAK;KACL,MAAM;KACN,aACE;IACJ,CAAC,CACH;GACF,CAAC;GACD,UAAU;EACZ;EACA,SAAS,OAAO,EAAE,OAAO,MAAM,cAAc;GAC3C,MAAM,WAAW,KAAK,SAAS,KAAK;GAEpC,MAAM,SAAS;IACb,UAAU,MAAM;IAChB,GAAI,MAAM,SAAS,QAAQ,KAAK,eAAe,KAAK,YAAY;GAClE;GAGA,KAAK,UAAU,QAAQ,OAAO;GAE9B,OAAO;EACT;CACF,CAAC;;;;CAKD,QAAwB,OAAO;EAC7B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ;GACN,OAAO,EAAE,OAAO;IACd,UAAU,EAAE,KAAK;IACjB,OAAO,EAAE,SACP,EAAE,KAAK,EAAE,aAAa,oCAA
oC,CAAC,CAC7D;GACF,CAAC;GACD,MAAM,EAAE,OAAO;IACb,UAAU,EAAE,KAAK;IACjB,UAAU,EAAE,KAAK;GACnB,CAAC;GACD,UAAU;EACZ;EACA,SAAS,OAAO,EAAE,OAAO,MAAM,cAAc;GAC3C,MAAM,WAAW,KAAK,SAAS;IAC7B,UAAU,MAAM;IAChB,OAAO,MAAM;GACf,CAAC;GAED,MAAM,SAAS,SAAS;GACxB,IAAI,CAAC,QACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,kCACnC;GAGF,MAAM,cACJ,iBAAiB,SAAS,WAAW,SAAS,QAAQ;GAExD,IAAI,CAAC,aACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,kCACnC;GAGF,IAAI;GACJ,IAAI;IACF,OAAO,MAAM,YAAY,QAAQ,IAAI;GACvC,SAAS,GAAG;IACV,IAAI,aAAa,yBACf,MAAM;IAER,KAAK,IAAI,MAAM,+BAA+B,CAAC;IAC/C,MAAM,IAAI,wBAAwB;GACpC;GAEA,IAAI,CAAC,MACH,MAAM,IAAI,wBAAwB;GAGpC,MAAM,SAAS;IACb,UAAU,MAAM;IAChB,GAAI,MAAM,OAAO,YAAY,IAAI;GACnC;GAGA,KAAK,UAAU,QAAQ,OAAO;GAE9B,MAAM,MAAM,MAAM,KAAK,oBAAoB,gBAAgB,EACzD,KACF,CAAC;GAGD,OAAO;IACL,GAAG;IACH;IACA;GACF;EACF;CACF,CAAC;;;;CAKD,QAAwB,OAAO;EAC7B,MAAM,uBAAuB;EAC7B,QAAQ,EACN,OAAO,EAAE,OAAO;GACd,UAAU,EAAE,KAAK;GACjB,OAAO,EAAE,SACP,EAAE,KAAK,EAAE,aAAa,oCAAoC,CAAC,CAC7D;GACA,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;EACnD,CAAC,EACH;EACA,SAAS,OAAO,EAAE,OAAO,KAAK,OAAO,cAAc;GACjD,MAAM,WAAW,QAAQ,UACrB,IAAI,IAAI,QAAQ,OAAO,EAAE,WAAW,IAAI,IAAI,QAAQ,OAAO,EAAE,SAC7D,KAAA;GAEJ,MAAM,WAAW,KAAK,SAAS;IAC7B,UAAU,MAAM;IAChB,OAAO,MAAM;GACf,CAAC;GACD,MAAM,QAAQ,MAAM,SAAS,SAAS;GACtC,IAAI,CAAC,OACH,MAAM,IAAI,cACR,kBAAkB,MAAM,SAAS,0BACnC;GAGF,MAAM,QAAQ,SAAS;GACvB,IAAI,eACF,SAAS,gBAAgB,uBAAuB;GAClD,IAAI,aAAa,WAAW,GAAG,GAC7B,eAAe,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO;GAGhD,MAAM,OAAO,UAAU,SAAS,WAAW,SAAS,QAAQ;GAE5D,IAAI,CAAC,MAAM,eAAe,EAAE,aAAa,GAAG;IAC1C,MAAM,QAAQ,YAAY;IAC1B,MAAM,aAAqC;KACzC;KACA;IACF;IAEA,IAAI,MACF,WAAW,QAAQ,YAAY;IAGjC,IAAI,OACF,WAAW,QAAQ;IAIrB,IAAI,QAAQ,KAAK,cACf,WAAW,gBAAgB,KAAK;IAIlC,IAAI,QAAQ,KAAK,yBACf,OAAO,OAAO,YAAY,KAAK,uBAAuB;IAGxD,KAAK,kBAAkB,IAAI;KACzB;KACA,OAAO,WAAW;KAClB,aAAa,KAAK,oBAAoB,MAAM,gBAAgB,GAAG;KAC/D;KACA,UAAU,MAAM;KAChB,OAAO,MAAM;IACf,CAAC;IAED,MAAM,SACJ,sBAAsB,OAAO,UAAU,EAAE,SAAS,GAClD,GACF;IACA;GACF;GAUA,MAAM,eAAe,uBAAuB;GAC5C,MAAM,gBAAgB,MAAM,2BAA2B,YAAY;GAEnE,MAAM,aAAqC;IACzC;IACA,gBAAgB;IAChB,uBAA
uB;GACzB;GAEA,IAAI,OACF,WAAW,QAAQ;GAIrB,IAAI,QAAQ,KAAK,cACf,WAAW,gBAAgB,KAAK;GAIlC,IAAI,QAAQ,KAAK,yBACf,OAAO,OAAO,YAAY,KAAK,uBAAuB;GAGxD,KAAK,kBAAkB,IAAI;IACzB;IACA,aAAa,KAAK,oBAAoB,MAAM,gBAAgB,GAAG;IAC/D;IACA,UAAU,MAAM;IAChB,OAAO,MAAM;GACf,CAAC;GAED,MAAM,SAAS,sBAAsB,OAAO,UAAU,EAAE,SAAS,GAAG,GAAG;EACzE;CACF,CAAC;;;;;;;CAQD,MAAgB,uBACd,KAC8C;EAC9C,IAAI;GAEF,MAAM,aAAY,MADC,IAAI,SAAS,GACT,IAAI,MAAM;GACjC,IAAI,OAAO,cAAc,UACvB;GAEF,MAAM,SAAS,KAAK,MAAM,SAAS;GAInC,MAAM,UAAmC,CAAC;GAC1C,IAAI,OAAO,MAAM,WACf,QAAQ,aAAa,OAAO,KAAK;GAEnC,IAAI,OAAO,MAAM,UACf,QAAQ,cAAc,OAAO,KAAK;GAEpC,IAAI,OAAO,MAAM,aAAa,OAAO,MAAM,UACzC,QAAQ,OAAO,CAAC,OAAO,MAAM,WAAW,OAAO,MAAM,QAAQ,EAC1D,OAAO,OAAO,EACd,KAAK,GAAG;GAEb,IAAI,OAAO,OACT,QAAQ,QAAQ,OAAO;GAEzB,OAAO,OAAO,KAAK,OAAO,EAAE,SAAS,IAAI,UAAU,KAAA;EACrD,SAAS,GAAG;GACV,KAAK,IAAI,KAAK,wDAAwD,CAAC;GACvE;EACF;CACF;;;;;;CAOA,MAAgB,eACd,KACA,OACA,SACA,KACA;EACA,MAAM,oBAAoB,KAAK,kBAAkB,IAAI,EAAE,QAAQ,CAAC;EAChE,IAAI,CAAC,mBACH,MAAM,IAAI,gBAAgB,uBAAuB;EAGnD,MAAM,WAAW,KAAK,SAAS,iBAAiB;EAChD,MAAM,QAAQ,MAAM,SAAS,SAAS;EACtC,IAAI,CAAC,OACH,MAAM,IAAI,cACR,kBAAkB,SAAS,KAAK,0BAClC;EAGF,MAAM,cAAc,kBAAkB,eAAe;EACrD,MAAM,WAAW,kBAAkB;EAOnC,IAAI,aAA4B;EAChC,IAAI;EACJ,IAAI,KAAK,KAAK,OAAO,IAAI,IAAI,IAAI,WAAW,QAAQ;GAClD,MAAM,SAAS,IAAI,IAAI,IAAI,MAAM;GACjC,aAAa,IAAI,IAAI;GACrB,kBAAkB,MAAM,KAAK,uBAAuB,MAAM;EAC5D;EAEA,MAAM,iBAAiB,MAAM,uBAAuB,OAAO,YAAY;GACrE,kBAAkB,kBAAkB;GACpC,eAAe,kBAAkB;GACjC,eAAe,kBAAkB;EACnC,CAAC,EACE,MAAM,YAAY;GACjB,WAAW,KAAK,iBAAiB,IAAI,EAAE,KAAK;GAC5C,UAAU,SAAS;GACnB,GAAG;EACL,EAAE,EACD,OAAO,MAAM;GACZ,KAAK,IAAI,MAAM,8BAA8B,CAAC;GAC9C,MAAM,IAAI,cAAc,8BAA8B,EACpD,OAAO,EACT,CAAC;EACH,CAAC;EAEH,KAAK,kBAAkB,IAAI,EAAE,QAAQ,CAAC;EAEtC,MAAM,SAAS,SAAS;EAGxB,IAAI,CAAC,QAAQ;GACX,KAAK,UAAU,gBAAgB,OAAO;GACtC,MAAM,SAAS,aAAa,GAAG;GAC/B;EACF;EAIA,IAAI;EACJ,IAAI;GACF,OAAO,MAAM,SAAS,KAAK,gBAAgB,eAAe;EAC5D,SAAS,GAAG;GACV,KAAK,IAAI,KAAK,iCAAiC,CAAC;GAEhD,MAAM,WAAW,IAAI,IADD,YAAY,aACM,IAAI,MAAM;GAChD,SAAS,aAAa,IACpB,SACA,aAAa,kBAAkB,EAAE,UAAU,uBAC7C;GACA,MAAM,SAAS,SAAS,WAAW
,SAAS,QAAQ,GAAG;GACvD;EACF;EAEA,MAAM,KAAK,iBAAiB,MAAM,QAAQ,SAAS,MAAM,OAAO;EAEhE,MAAM,SAAS,aAAa,GAAG;CACjC;;;;;;CAOA,MAAa,iBACX,MACA,QACA,cACA,SACe;EACf,MAAM,SAAS,MAAM,OAAO,YAAY,IAAI;EAC5C,KAAK,UACH;GACE,GAAG;GACH,WAAW,KAAK,iBAAiB,IAAI,EAAE,KAAK;GAC5C,UAAU;EACZ,GACA,OACF;CACF;;;;;CAMA,WAA2B,OAAO;EAChC,MAAM,uBAAuB;EAC7B,SAAS,OAAO,EAAE,KAAK,OAAO,cAAc;GAC1C,MAAM,KAAK,eAAe,KAAK,OAAO,OAAO;EAC/C;CACF,CAAC;;;;;CAMD,eAA+B,OAAO;EACpC,MAAM,uBAAuB;EAC7B,QAAQ;EACR,SAAS,OAAO,EAAE,KAAK,OAAO,SAAS,UAAU;GAC/C,MAAM,KAAK,eAAe,KAAK,OAAO,SAAS,GAAG;EACpD;CACF,CAAC;;;;CAKD,SAAyB,OAAO;EAC9B,MAAM,uBAAuB;EAC7B,QAAQ;EACR,QAAQ,EACN,OAAO,EAAE,OAAO,EACd,0BAA0B,EAAE,SAAS,EAAE,KAAK,CAAC,EAC/C,CAAC,EACH;EACA,SAAS,OAAO,EAAE,OAAO,OAAO,cAAc;GAC5C,MAAM,WAAW,KAAK,oBACpB,MAAM,4BAA4B,GACpC;GACA,MAAM,SAAS,KAAK,UAAU,OAAO;GACrC,IAAI,CAAC,QAAQ;IACX,MAAM,SAAS,UAAU,GAAG;IAC5B;GACF;GAEA,MAAM,WAAW,KAAK,SAAS,OAAO,QAAQ;GAE9C,KAAK,OAAO,IAAI,EAAE,QAAQ,CAAC;GAG3B,IAAI,SAAS,UAAU,OAAO,eAAe;IAC3C,MAAM,kBACJ,SAAS,OAAO,QAAQ,UAAU;IACpC,IAAI,iBACF,IAAI;KACF,MAAM,gBAAgB,OAAO,aAAa;IAC5C,SAAS,GAAG;KACV,KAAK,IAAI,MAAM,4BAA4B,CAAC;IAC9C;GAEJ;GAEA,MAAM,QAAQ,MAAM,SAAS,SAAS;GACtC,IAAI,CAAC,OAAO;IACV,MAAM,SAAS,UAAU,GAAG;IAC5B;GACF;GAEA,MAAM,SAAS,IAAI,gBAAgB;GACnC,MAAM,UAAU,QAAQ;GAExB,OAAO,IAAI,4BAA4B,QAAQ;GAC/C,IAAI,SACF,OAAO,IAAI,iBAAiB,OAAO;GAGrC,MAAM,kBACJ,UAAU,SAAS,UACf,SAAS,QAAQ,MAAM,YACvB,KAAA;GAEN,IAAI,iBAAiB;IACnB,MAAM,SAAS,GAAG,gBAAgB,GAAG,UAAU,GAAG;IAClD;GACF;GAEA,IAAI,CAAC,MAAM,eAAe,EAAE,sBAAsB;IAKhD,MAAM,SAAS,UAAU,GAAG;IAC5B;GACF;GAEA,MAAM,SAAS,mBAAmB,OAAO,MAAM,EAAE,SAAS,GAAG,GAAG;EAClE;CACF,CAAC;CAID,2BACE,UAAkC,CAAC,GACT;EAC1B,MAAM,YAAsC,CAAC;EAE7C,KAAK,MAAM,YAAY,KAAK,YAAY;GACtC,IAAI,QAAQ,WAAW;IACrB,MAAM,SAAS,SAAS;IACxB,IAAI,CAAC,UAAU,OAAO,SAAS,QAAQ,WACrC;GAEJ;GAEA,MAAM,OACJ,UAAU,SAAS,UACf,SACA,WAAW,SAAS,UAClB,WACA,iBAAiB,SAAS,UACxB,gBACA,KAAA;GAEV,IAAI,CAAC,MACH;GAGF,UAAU,KAAK;IACb,MAAM,SAAS;IACf;GACF,CAAC;EACH;EAEA,OAAO;CACT;;;;;;CASA,SACE,MACe;EACf,MAAM,OAAO,OAAO,SAAS,WAAW,OAAO,KAAK;EACpD,MAAM,YAAY,OAAO,SAAS,WAAW,KAAA
,IAAY,KAAK;EAE9D,MAAM,WAAW,KAAK,WAAW,MAAM,aAAa;GAClD,IAAI,SAAS,SAAS,MACpB,OAAO;GAIT,IAAI,aAAa,SAAS,QAAQ,SAAS,WACzC,OAAO;GAGT,OAAO;EACT,CAAC;EAED,IAAI,CAAC,UAEH,MAAM,IAAI,cAAc,kBAAkB,KAAK,GAD7B,YAAY,eAAe,UAAU,KAAK,GACA,WAAW;EAGzE,OAAO;CACT;;;;;CAMA,MAAgB,gBACd,SAC6B;EAC7B,MAAM,SAAS,KAAK,UAAU,OAAO;EACrC,IAAI,CAAC,QAAQ;GAEX,KAAK,IAAI,MAAM,4BAA4B;GAC3C;EACF;EAEA,KAAK,IAAI,MAAM,2BAA2B;GACxC,YAAY,OAAO;GACnB,WAAW,OAAO;EACpB,CAAC;EAGD,MAAM,kBAAkB,MAAM,KAAK,cAAc,MAAM;EACvD,IAAI,CAAC,iBAAiB;GACpB,KAAK,OAAO,IAAI,EAAE,QAAQ,CAAC;GAI3B;EACF;EAIA,IAAI,gBAAgB,iBAAiB,OAAO,cAC1C,KAAK,UAAU,iBAAiB,OAAO;EAGzC,OAAO;CACT;CAEA,UAAoB,SAAuC;EACzD,OAAO,KAAK,OAAO,IAAI,EAAE,QAAQ,CAAC;CACpC;CAEA,UAAoB,QAAgB,SAAyB;EAC3D,MAAM,MACJ,OAAO,4BACP,OAAO,sBACP,OAAO;EAET,MAAM,MAAM,MACR,KAAK,iBAAiB,SAAS,KAAK,SAAS,IAC7C,KAAA;EAEJ,KAAK,OAAO,IAAI,QAAQ;GACtB;GACA;EACF,CAAC;CACH;CAEA,mBAA6B,QAAgB;EAC3C,MAAM,MAAM,KAAK,SAAS,OAAO,QAAQ;EAEzC,IACE,UAAU,IAAI,WACd,EAAE,YAAY,IAAI,YAClB,IAAI,QAAQ,MAAM,YAElB,OAAO,OAAO;EAGhB,OAAO,OAAO;CAChB;CAEA,MAAgB,cAAc,QAA6C;EAOzE,IAAI,OAAO,cAAc,OAAO;OAEZ,OAAO,aAAa,OAAO,aAAa,MAE1C,KAAK,iBAAiB,IAAI,EAAE,KAAK,GAAG;IAClD,KAAK,IAAI,MAAM,oBAAoB;IAGnC,IAAI,OAAO,eAAe;KACxB,KAAK,IAAI,MAAM,8CAA8C;KAE7D,IAAI;MAMF,MAAM,YAAY;OAChB,GAAG,MANY,KAAK,SAAS,MACH,EAAE,QAC5B,OAAO,eACP,OAAO,YACT;OAGE,UAAU,OAAO;OACjB,WAAW,KAAK,iBAAiB,IAAI,EAAE,KAAK;MAC9C;MAEA,KAAK,IAAI,MAAM,+BAA+B;MAE9C,OAAO;KACT,SAAS,GAAG;MACV,KAAK,IAAI,KAAK,2BAA2B,CAAC;KAC5C;IACF;IAGA;GACF;;EAGF,IAAI,CAAC,OAAO,aAAa,OAAO,cAC9B;EAGF,OAAO;CACT;AACF;;;ACn2BA,MAAa,UAAU,IAAI,YAAY;AACvC,MAAa,UAAU,IAAI,YAAY;AAEvC,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,CAAC;CAChE,MAAM,MAAM,IAAI,WAAW,IAAI;CAC/B,IAAI,IAAI;CACR,KAAK,MAAM,UAAU,SAAS;EAC1B,IAAI,IAAI,QAAQ,CAAC;EACjB,KAAK,OAAO;CAChB;CACA,OAAO;AACX;AAoBA,SAAgBC,SAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;CAC1C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,CAAC;EAChC,IAAI,OAAO,KACP,MAAM,IAAI,UAAU,0CAA0C;EAElE,MAAM,KAAK;CACf;CACA,OAAO;AACX;;;AC1CA,SAAgB,a
AAa,OAAO;CAChC,IAAI,WAAW,UAAU,UACrB,OAAO,MAAM,SAAS;CAE1B,MAAM,aAAa;CACnB,MAAM,MAAM,CAAC;CACb,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,YACnC,IAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,CAAC;CAE/E,OAAO,KAAK,IAAI,KAAK,EAAE,CAAC;AAC5B;AACA,SAAgB,aAAa,SAAS;CAClC,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,OAAO;CAExC,MAAM,SAAS,KAAK,OAAO;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;CAC1C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAC/B,MAAM,KAAK,OAAO,WAAW,CAAC;CAElC,OAAO;AACX;;;ACnBA,SAAgB,OAAO,OAAO;CAC1B,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,KAAK,GAAG,EACpF,UAAU,YACd,CAAC;CAEL,IAAI,UAAU;CACd,IAAI,mBAAmB,YACnB,UAAU,QAAQ,OAAO,OAAO;CAEpC,UAAU,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;CACtD,IAAI;EACA,OAAO,aAAa,OAAO;CAC/B,QACM;EACF,MAAM,IAAI,UAAU,mDAAmD;CAC3E;AACJ;AACA,SAAgB,OAAO,OAAO;CAC1B,IAAI,YAAY;CAChB,IAAI,OAAO,cAAc,UACrB,YAAY,QAAQ,OAAO,SAAS;CAExC,IAAI,WAAW,UAAU,UACrB,OAAO,UAAU,SAAS;EAAE,UAAU;EAAa,aAAa;CAAK,CAAC;CAE1E,OAAO,aAAa,SAAS,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AAC3F;;;AC7BA,MAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,MAAM;AAC1I,MAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;CACzB,OAAO,SAAS,KAAK,KAAK,MAAM,CAAC,GAAG,EAAE;AAC1C;AACA,SAAS,gBAAgB,WAAW,UAAU;CAE1C,IADe,cAAc,UAAU,IAC9B,MAAM,UACX,MAAM,SAAS,OAAO,YAAY,gBAAgB;AAC1D;AACA,SAAS,cAAc,KAAK;CACxB,QAAQ,KAAR;EACI,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,SACI,MAAM,IAAI,MAAM,aAAa;CACrC;AACJ;AACA,SAAS,WAAW,KAAK,OAAO;CAC5B,IAAI,SAAS,CAAC,IAAI,OAAO,SAAS,KAAK,GACnC,MAAM,IAAI,UAAU,sEAAsE,MAAM,EAAE;AAE1G;AACA,SAAgB,kBAAkB,KAAK,KAAK,OAAO;CAC/C,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,MAAM,GAClC,MAAM,SAAS,MAAM;GACzB,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,mBAAmB,GAC/C,MAAM,SAAS,mBAAmB;GACtC,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,SAAS,GACrC,MAAM,SAAS,SAAS;GAC5B,gBAAgB,IAAI,WAAW,SAAS,IA
AI,MAAM,CAAC,GAAG,EAAE,CAAC;GACzD;EAEJ,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,SAAS,GACrC,MAAM,SAAS,SAAS;GAC5B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,GAAG,GAC/B,MAAM,SAAS,GAAG;GACtB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;GACV,IAAI,CAAC,YAAY,IAAI,WAAW,OAAO,GACnC,MAAM,SAAS,OAAO;GAC1B,MAAM,WAAW,cAAc,GAAG;GAElC,IADe,IAAI,UAAU,eACd,UACX,MAAM,SAAS,UAAU,sBAAsB;GACnD;EACJ;EACA,SACI,MAAM,IAAI,UAAU,2CAA2C;CACvE;CACA,WAAW,KAAK,KAAK;AACzB;;;ACjFA,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;CACpC,QAAQ,MAAM,OAAO,OAAO;CAC5B,IAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,IAAI;EACvB,OAAO,eAAe,MAAM,KAAK,IAAI,EAAE,OAAO,KAAK;CACvD,OACK,IAAI,MAAM,WAAW,GACtB,OAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;MAG9C,OAAO,WAAW,MAAM,GAAG;CAE/B,IAAI,UAAU,MACV,OAAO,aAAa;MAEnB,IAAI,OAAO,WAAW,cAAc,OAAO,MAC5C,OAAO,sBAAsB,OAAO;MAEnC,IAAI,OAAO,WAAW,YAAY,UAAU;MACzC,OAAO,aAAa,MACpB,OAAO,4BAA4B,OAAO,YAAY;CAAA;CAG9D,OAAO;AACX;AACA,MAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,KAAK;AAC7F,MAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,KAAK;;;AC1BnH,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,OAAO;EACtB,KAAK,OAAO,KAAK,YAAY;EAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;CACpD;AACJ;AACA,IAAa,2BAAb,cAA8C,UAAU;CACpD,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;EACzE,MAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;EAAQ,EAAE,CAAC;EACpD,KAAK,QAAQ;EACb,KAAK,SAAS;EACd,KAAK,UAAU;CACnB;AACJ;AACA,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;EACzE,MAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;EAAQ,EAAE,CAAC;EACpD,KAAK,QAAQ;EACb,KAAK,SAAS;EACd,KAAK,UAAU;CACnB;AACJ;AACA,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;AACX;AACA,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;AACX;AAYA,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;AACX;AACA,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;AACX;AA+BA,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;EAC5D,MAAM,SAAS,OAAO;CAC1B;AACJ;;;AC7FA,MAAa,eAAe,QAAQ;CAChC
,IAAI,MAAM,OAAO,iBAAiB,aAC9B,OAAO;CACX,IAAI;EACA,OAAO,eAAe;CAC1B,QACM;EACF,OAAO;CACX;AACJ;AACA,MAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,MAAa,aAAa,QAAQ,YAAY,GAAG,KAAK,YAAY,GAAG;;;ACdrE,SAAgB,aAAa,OAAO,MAAM;CACtC,IAAI,OACA,MAAM,IAAI,UAAU,GAAG,KAAK,yBAAyB;AAE7D;AACA,SAAgB,gBAAgB,OAAO,OAAO,YAAY;CACtD,IAAI;EACA,OAAO,OAAO,KAAK;CACvB,QACM;EACF,MAAM,IAAI,WAAW,kCAAkC,OAAO;CAClE;AACJ;;;ACdA,MAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;CAC5B,IAAI,CAAC,aAAa,KAAK,KAAK,OAAO,UAAU,SAAS,KAAK,KAAK,MAAM,mBAClE,OAAO;CAEX,IAAI,OAAO,eAAe,KAAK,MAAM,MACjC,OAAO;CAEX,IAAI,QAAQ;CACZ,OAAO,OAAO,eAAe,KAAK,MAAM,MACpC,QAAQ,OAAO,eAAe,KAAK;CAEvC,OAAO,OAAO,eAAe,KAAK,MAAM;AAC5C;AACA,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,OAAO;CACtC,IAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,GAC3C,OAAO;CAEX,IAAI;CACJ,KAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,MAAM;EACrC,IAAI,CAAC,OAAO,IAAI,SAAS,GAAG;GACxB,MAAM,IAAI,IAAI,UAAU;GACxB;EACJ;EACA,KAAK,MAAM,aAAa,YAAY;GAChC,IAAI,IAAI,IAAI,SAAS,GACjB,OAAO;GAEX,IAAI,IAAI,SAAS;EACrB;CACJ;CACA,OAAO;AACX;AACA,MAAa,SAAS,QAAQ,SAAS,GAAG,KAAK,OAAO,IAAI,QAAQ;AAClE,MAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,KAAA,KAAa,IAAI,SAAS,KAAA;AAC7F,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;ACpC1E,SAAgB,eAAe,KAAK,KAAK;CACrC,IAAI,IAAI,WAAW,IAAI,KAAK,IAAI,WAAW,IAAI,GAAG;EAC9C,MAAM,EAAE,kBAAkB,IAAI;EAC9B,IAAI,OAAO,kBAAkB,YAAY,gBAAgB,MACrD,MAAM,IAAI,UAAU,GAAG,IAAI,sDAAsD;CAEzF;AACJ;AACA,SAAS,gBAAgB,KAAK,WAAW;CACrC,MAAM,OAAO,OAAO,IAAI,MAAM,EAAE;CAChC,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;EAAO;EAChC,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK;EAAE;EACjF,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;EAAoB;EAC7C,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;EAAW;EACnE,KAAK;EACL,KAAK,SACD,OAAO,EAAE,MAAM,UAAU;EAC7B,KAAK;EACL,KAAK;EACL,KAAK,aACD,OAAO,EAAE,MAAM,IAAI;EACvB,SACI,MAAM,IAAI,iBAAiB,OAAO,IAAI,4DAA4D;CAC
1G;AACJ;AACA,eAAe,UAAU,KAAK,KAAK,OAAO;CACtC,IAAI,eAAe,YAAY;EAC3B,IAAI,CAAC,IAAI,WAAW,IAAI,GACpB,MAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,cAAc,CAAC;EAEtF,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,EAAE;GAAK,MAAM;EAAO,GAAG,OAAO,CAAC,KAAK,CAAC;CAC7G;CACA,kBAAkB,KAAK,KAAK,KAAK;CACjC,OAAO;AACX;AACA,eAAsB,KAAK,KAAK,KAAK,MAAM;CACvC,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,MAAM;CAClD,eAAe,KAAK,SAAS;CAC7B,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,SAAS,GAAG,WAAW,IAAI;CACrG,OAAO,IAAI,WAAW,SAAS;AACnC;AACA,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,QAAQ;CACpD,eAAe,KAAK,SAAS;CAC7B,MAAM,YAAY,gBAAgB,KAAK,UAAU,SAAS;CAC1D,IAAI;EACA,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,IAAI;CAC3E,QACM;EACF,OAAO;CACX;AACJ;;;AClEA,MAAM,iBAAiB;AACvB,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;CACJ,QAAQ,IAAI,KAAZ;EACI,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,IAAI;KAC5B,YAAY,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ;KAC3C;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,EAAE;KAAI;KAChE,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,EAAE;KAAI;KAC1E,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK;KACpD;KACA,YAAY,IAAI,IAAI,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,SAAS;KACpE;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,YAAY;OAAE,OAAO;OAAS,OAAO;OAAS,OAAO;MAAQ,EAAE,IAAI;KACvE;KACA,YAAY,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;KAAI;KAChD,YAAY,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC;KACtC;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,UAAU;KAC9B,YAAY,IAAI,IAAI,CAAC,MAAM,I
AAI,CAAC,QAAQ;KACxC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,IAAI;KAC5B,YAAY,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC;KACtC;IACJ,SACI,MAAM,IAAI,iBAAiB,cAAc;GACjD;GACA;EAEJ,SACI,MAAM,IAAI,iBAAiB,+DAA6D;CAChG;CACA,OAAO;EAAE;EAAW;CAAU;AAClC;AACA,eAAsB,SAAS,KAAK;CAChC,IAAI,CAAC,IAAI,KACL,MAAM,IAAI,UAAU,8DAA0D;CAElF,MAAM,EAAE,WAAW,cAAc,cAAc,GAAG;CAClD,MAAM,UAAU,EAAE,GAAG,IAAI;CACzB,IAAI,QAAQ,QAAQ,OAChB,OAAO,QAAQ;CAEnB,OAAO,QAAQ;CACf,OAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,SAAS;AACrI;;;ACtGA,MAAM,iBAAiB;AACvB,IAAI;AACJ,MAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;CACvD,0BAAU,IAAI,QAAQ;CACtB,IAAI,SAAS,MAAM,IAAI,GAAG;CAC1B,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;CAAI,CAAC;CAChD,IAAI,QACA,OAAO,OAAO,GAAG;CACrB,IAAI,CAAC,QACD,MAAM,IAAI,KAAK,GAAG,MAAM,UAAU,CAAC;MAGnC,OAAO,OAAO;CAElB,OAAO;AACX;AACA,MAAM,mBAAmB,WAAW,QAAQ;CACxC,0BAAU,IAAI,QAAQ;CACtB,IAAI,SAAS,MAAM,IAAI,SAAS;CAChC,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;CACJ,IAAI,UAAU,sBAAsB,UAAU;EAC1C,QAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,kBACD;GACJ,SACI,MAAM,IAAI,UAAU,cAAc;EAC1C;EACA,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC;CAC9G;CACA,IAAI,UAAU,sBAAsB,WAAW;EAC3C,IAAI,QAAQ,WAAW,QAAQ,WAC3B,MAAM,IAAI,UAAU,cAAc;EAEtC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,MAC1B,CAAC;CACL;CACA,QAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,QAAQ,UAAU,kBAAkB,YAAY,GAChD,MAAM,IAAI,UAAU,cAAc;GAEtC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,MAC1B,CAAC;CAET;CACA,IAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;EACJ,QAAQ,KAAR;GACI,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,SACI,MAAM,IAAI,UAAU,cAAc;EAC1C;EACA,IAAI,IAAI,WAAW,UAAU,GACzB,OAAO,UAAU,YAAY;GACzB,MAAM;GACN;EACJ,GAAG,aAAa,WAAW,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC;EAExD,YAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,IAAI,IAAI,YAAY;GACzC;EACJ
,GAAG,aAAa,CAAC,WAAW,WAAW,MAAM,CAAC;CAClD;CACA,IAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aAAa,IALF,IAAI;GACjB,CAAC,cAAc,OAAO;GACtB,CAAC,aAAa,OAAO;GACrB,CAAC,aAAa,OAAO;EACzB,CACsB,EAAE,IAAI,UAAU,sBAAsB,UAAU;EACtE,IAAI,CAAC,YACD,MAAM,IAAI,UAAU,cAAc;EAEtC,MAAM,gBAAgB;GAAE,OAAO;GAAS,OAAO;GAAS,OAAO;EAAQ;EACvE,IAAI,cAAc,QAAQ,eAAe,cAAc,MACnD,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;EACJ,GAAG,aAAa,CAAC,WAAW,WAAW,MAAM,CAAC;EAElD,IAAI,IAAI,WAAW,SAAS,GACxB,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;EACJ,GAAG,aAAa,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC;CAEtD;CACA,IAAI,CAAC,WACD,MAAM,IAAI,UAAU,cAAc;CAEtC,IAAI,CAAC,QACD,MAAM,IAAI,WAAW,GAAG,MAAM,UAAU,CAAC;MAGzC,OAAO,OAAO;CAElB,OAAO;AACX;AACA,eAAsB,aAAa,KAAK,KAAK;CACzC,IAAI,eAAe,YACf,OAAO;CAEX,IAAI,YAAY,GAAG,GACf,OAAO;CAEX,IAAI,YAAY,GAAG,GAAG;EAClB,IAAI,IAAI,SAAS,UACb,OAAO,IAAI,OAAO;EAEtB,IAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,YACnD,IAAI;GACA,OAAO,gBAAgB,KAAK,GAAG;EACnC,SACO,KAAK;GACR,IAAI,eAAe,WACf,MAAM;EAEd;EAGJ,OAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,MAAM,CACb,GAAG,GAAG;CAClC;CACA,IAAI,MAAM,GAAG,GAAG;EACZ,IAAI,IAAI,GACJ,OAAO,OAAO,IAAI,CAAC;EAEvB,OAAO,UAAU,KAAK,KAAK,KAAK,IAAI;CACxC;CACA,MAAM,IAAI,MAAM,aAAa;AACjC;;;ACzIA,MAAM,cAAc,GAAG,MAAM;CACzB,IAAI,EAAE,eAAe,EAAE,QACnB,OAAO;CACX,KAAK,IAAI,IAAI,GAAG,IAAI,EAAE,YAAY,KAC9B,IAAI,EAAE,OAAO,EAAE,IACX,OAAO;CAEf,OAAO;AACX;AACA,MAAM,mBAAmB,UAAU;CAAE;CAAM,KAAK;AAAE;AAClD,MAAM,eAAe,UAAU;CAC3B,MAAM,QAAQ,MAAM,KAAK,MAAM;CAC/B,IAAI,QAAQ,KAAM;EACd,MAAM,cAAc,QAAQ;EAC5B,IAAI,SAAS;EACb,KAAK,IAAI,IAAI,GAAG,IAAI,aAAa,KAC7B,SAAU,UAAU,IAAK,MAAM,KAAK,MAAM;EAE9C,OAAO;CACX;CACA,OAAO;AACX;AAWA,MAAM,aAAa,OAAO,aAAa,iBAAiB;CACpD,IAAI,MAAM,KAAK,MAAM,WAAW,aAC5B,MAAM,IAAI,MAAM,YAAY;AAEpC;AACA,MAAM,eAAe,OAAO,WAAW;CACnC,MAAM,SAAS,MAAM,KAAK,SAAS,MAAM,KAAK,MAAM,MAAM,MAAM;CAChE,MAAM,OAAO;CACb,OAAO;AACX;AACA,MAAM,qBAAqB,UAAU;CACjC,UAAU,OAAO,GAAM,wBAAwB;CAE/C,OAAO,YAAY,OADJ,YAAY,KACI,CAAC;AACpC;AACA,SAAS,iBAAiB,OAAO;CAC7B,UAAU,OAAO,IAAM,0BAA0B;CACjD,YAAY,KAAK;CACjB,UAAU,OAAO,GAAM,wBAAwB;CAC/C,MAAM,SAAS,YAAY,KAAK;CAChC,MAAM,OAAO;CACb,UAAU,OAAO,IAAM,+BAA+B;CACtD,MAAM,W
AAW,YAAY,KAAK;CAElC,OAAO;EAAE,YADU,MAAM;EACJ,aAAa;CAAS;AAC/C;AACA,SAAS,gBAAgB,OAAO;CAC5B,UAAU,OAAO,IAAM,wBAAwB;CAC/C,YAAY,KAAK;CACjB,UAAU,OAAO,IAAM,+BAA+B;CACtD,MAAM,WAAW,YAAY,KAAK;CAElC,OAAO;EAAE,YADU,MAAM;EACJ,aAAa;CAAS;AAC/C;AACA,MAAM,8BAA8B,UAAU;CAC1C,MAAM,SAAS,kBAAkB,KAAK;CACtC,IAAI,WAAW,QAAQ;EAAC;EAAM;EAAM;CAAI,CAAC,GACrC,OAAO;CAEX,IAAI,CAAC,WAAW,QAAQ;EAAC;EAAM;EAAM;EAAM;EAAM;EAAM;EAAM;CAAI,CAAC,GAC9D,MAAM,IAAI,MAAM,2BAA2B;CAE/C,UAAU,OAAO,GAAM,oBAAoB;CAE3C,MAAM,WAAW,YAAY,OADT,YAAY,KACc,CAAC;CAC/C,KAAK,MAAM,EAAE,MAAM,SAAS;EACxB;GAAE,MAAM;GAAS,KAAK;IAAC;IAAM;IAAM;IAAM;IAAM;IAAM;IAAM;IAAM;GAAI;EAAE;EACvE;GAAE,MAAM;GAAS,KAAK;IAAC;IAAM;IAAM;IAAM;IAAM;GAAI;EAAE;EACrD;GAAE,MAAM;GAAS,KAAK;IAAC;IAAM;IAAM;IAAM;IAAM;GAAI;EAAE;CACzD,GACI,IAAI,WAAW,UAAU,GAAG,GACxB,OAAO;CAGf,MAAM,IAAI,MAAM,yBAAyB;AAC7C;AACA,MAAM,gBAAgB,OAAO,WAAW,SAAS,KAAK,YAAY;CAC9D,IAAI;CACJ,IAAI;CACJ,MAAM,WAAW,cAAc;CAC/B,MAAM,qBAAsB,WAAW,CAAC,QAAQ,IAAI,CAAC,MAAM;CAC3D,MAAM,qBAAqB,WAAW,CAAC,WAAW,SAAS,IAAI,CAAC,WAAW,WAAW;CACtF,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,YAAY;IAAE,MAAM;IAAW,MAAM,OAAO,IAAI,MAAM,EAAE;GAAI;GAC5D,YAAY,aAAa;GACzB;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,YAAY;IAAE,MAAM;IAAqB,MAAM,OAAO,IAAI,MAAM,EAAE;GAAI;GACtE,YAAY,aAAa;GACzB;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,YAAY;IACR,MAAM;IACN,MAAM,OAAO,SAAS,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK;GAChD;GACA,YAAY,aAAa;GACzB;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GAED,YAAY;IAAE,MAAM;IAAS,YAAY;KADtB,OAAO;KAAS,OAAO;KAAS,OAAO;IACV,EAAE;GAAK;GACvD,YAAY,aAAa;GACzB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI;IACA,MAAM,aAAa,QAAQ,cAAc,OAAO;IAChD,YAAY,eAAe,WAAW,EAAE,MAAM,SAAS,IAAI;KAAE,MAAM;KAAQ;IAAW;GAC1F,SACO,OAAO;IACV,MAAM,IAAI,iBAAiB,mCAAmC;GAClE;GACA,YAAY,WAAW,CAAC,IAAI,CAAC,YAAY;GACzC;EAEJ,KAAK;EACL,KAAK;GACD,YAAY,EAAE,MAAM,UAAU;GAC9B,YAAY,aAAa;GACzB;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,YAAY,EAAE,MAAM,IAAI;GACxB,YAAY,aAAa;GACzB;EACJ,SACI,MAAM,IAAI,iBAAiB,kDAAgD;CACnF;CACA,OAAO,OAAO,OAAO,UAAU,WAAW,SAAS,WAAW,SAAS,gBAAgB,WAAW,OAAO,QAAQ,SAAS;AAC9H;AACA,MAAM,kBAA
kB,KAAK,YAAY;CACrC,OAAO,aAAa,IAAI,QAAQ,SAAS,EAAE,CAAC;AAChD;AACA,MAAa,aAAa,KAAK,KAAK,YAAY;CAC5C,MAAM,UAAU,eAAe,KAAK,6CAA6C;CACjF,IAAI,OAAO;CACX,IAAI,KAAK,aAAa,SAAS,GAAG;EAC9B,SAAS,CAAC;EACV,KAAK,iBAAiB,YAAY;GAC9B,MAAM,QAAQ,gBAAgB,OAAO;GACrC,iBAAiB,KAAK;GACtB,OAAO,2BAA2B,KAAK;EAC3C;CACJ;CACA,OAAO,cAAc,SAAS,SAAS,KAAK,IAAI;AACpD;AACA,MAAa,YAAY,KAAK,KAAK,YAAY;CAC3C,MAAM,UAAU,eAAe,KAAK,4CAA4C;CAChF,IAAI,OAAO;CACX,IAAI,KAAK,aAAa,SAAS,GAAG;EAC9B,SAAS,CAAC;EACV,KAAK,iBAAiB,YAAY;GAC9B,MAAM,QAAQ,gBAAgB,OAAO;GACrC,gBAAgB,KAAK;GACrB,OAAO,2BAA2B,KAAK;EAC3C;CACJ;CACA,OAAO,cAAc,QAAQ,SAAS,KAAK,IAAI;AACnD;;;AC9MA,eAAsB,WAAW,MAAM,KAAK,SAAS;CACjD,IAAI,OAAO,SAAS,YAAY,KAAK,QAAQ,4BAA4B,MAAM,GAC3E,MAAM,IAAI,UAAU,wCAAsC;CAE9D,OAAO,SAAS,MAAM,KAAK,OAAO;AACtC;AAOA,eAAsB,YAAY,OAAO,KAAK,SAAS;CACnD,IAAI,OAAO,UAAU,YAAY,MAAM,QAAQ,6BAA6B,MAAM,GAC9E,MAAM,IAAI,UAAU,2CAAyC;CAEjE,OAAO,UAAU,OAAO,KAAK,OAAO;AACxC;;;ACrBA,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;CAChG,IAAI,WAAW,SAAS,KAAA,KAAa,iBAAiB,SAAS,KAAA,GAC3D,MAAM,IAAI,IAAI,kEAAgE;CAElF,IAAI,CAAC,mBAAmB,gBAAgB,SAAS,KAAA,GAC7C,uBAAO,IAAI,IAAI;CAEnB,IAAI,CAAC,MAAM,QAAQ,gBAAgB,IAAI,KACnC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,CAAC,GACpF,MAAM,IAAI,IAAI,yFAAuF;CAEzG,IAAI;CACJ,IAAI,qBAAqB,KAAA,GACrB,aAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,gBAAgB,GAAG,GAAG,kBAAkB,QAAQ,CAAC,CAAC;MAG1F,aAAa;CAEjB,KAAK,MAAM,aAAa,gBAAgB,MAAM;EAC1C,IAAI,CAAC,WAAW,IAAI,SAAS,GACzB,MAAM,IAAI,iBAAiB,+BAA+B,UAAU,oBAAoB;EAE5F,IAAI,WAAW,eAAe,KAAA,GAC1B,MAAM,IAAI,IAAI,+BAA+B,UAAU,aAAa;EAExE,IAAI,WAAW,IAAI,SAAS,KAAK,gBAAgB,eAAe,KAAA,GAC5D,MAAM,IAAI,IAAI,+BAA+B,UAAU,8BAA8B;CAE7F;CACA,OAAO,IAAI,IAAI,gBAAgB,IAAI;AACvC;;;AChCA,SAAgB,mBAAmB,QAAQ,YAAY;CACnD,IAAI,eAAe,KAAA,MACd,CAAC,MAAM,QAAQ,UAAU,KAAK,WAAW,MAAM,MAAM,OAAO,MAAM,QAAQ,IAC3E,MAAM,IAAI,UAAU,IAAI,OAAO,qCAAqC;CAExE,IAAI,CAAC,YACD;CAEJ,OAAO,IAAI,IAAI,UAAU;AAC7B;;;ACNA,MAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,MAAM,gBAAgB,KAAK,KAAK,UAAU;CACtC,IAAI,IAAI,QAAQ,KAAA,GAAW;EACvB,IAAI;EACJ,QAAQ,OAAR;GACI,KAAK;GACL,KAAK;IACD,WAA
W;IACX;GACJ,KAAK;GACL,KAAK;IACD,WAAW;IACX;EACR;EACA,IAAI,IAAI,QAAQ,UACZ,MAAM,IAAI,UAAU,sDAAsD,SAAS,eAAe;CAE1G;CACA,IAAI,IAAI,QAAQ,KAAA,KAAa,IAAI,QAAQ,KACrC,MAAM,IAAI,UAAU,sDAAsD,IAAI,eAAe;CAEjG,IAAI,MAAM,QAAQ,IAAI,OAAO,GAAG;EAC5B,IAAI;EACJ,QAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,QAAQ;IACtB,gBAAgB;IAChB;GACJ,KAAK,IAAI,WAAW,OAAO;IACvB,gBAAgB;IAChB;GACJ,KAAK,0BAA0B,KAAK,GAAG;IACnC,IAAI,CAAC,IAAI,SAAS,KAAK,KAAK,IAAI,SAAS,IAAI,GACzC,gBAAgB,UAAU,YAAY,YAAY;SAGlD,gBAAgB;IAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,KAAK;IAC5C,gBAAgB;IAChB;GACJ,KAAK,UAAU;IACX,gBAAgB,IAAI,WAAW,KAAK,IAAI,cAAc;IACtD;EACR;EACA,IAAI,iBAAiB,IAAI,SAAS,WAAW,aAAa,MAAM,OAC5D,MAAM,IAAI,UAAU,+DAA+D,cAAc,eAAe;CAExH;CACA,OAAO;AACX;AACA,MAAM,sBAAsB,KAAK,KAAK,UAAU;CAC5C,IAAI,eAAe,YACf;CACJ,IAAIC,MAAU,GAAG,GAAG;EAChB,IAAIC,YAAgB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACpD;EACJ,MAAM,IAAI,UAAU,yHAAyH;CACjJ;CACA,IAAI,CAAC,UAAU,GAAG,GACd,MAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,YAAY,CAAC;CAEzG,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,6DAA6D;AAErG;AACA,MAAM,uBAAuB,KAAK,KAAK,UAAU;CAC7C,IAAIF,MAAU,GAAG,GACb,QAAQ,OAAR;EACI,KAAK;EACL,KAAK;GACD,IAAIG,aAAiB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACrD;GACJ,MAAM,IAAI,UAAU,uDAAuD;EAC/E,KAAK;EACL,KAAK;GACD,IAAIC,YAAgB,GAAG,KAAK,aAAa,KAAK,KAAK,KAAK,GACpD;GACJ,MAAM,IAAI,UAAU,sDAAsD;CAClF;CAEJ,IAAI,CAAC,UAAU,GAAG,GACd,MAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,cAAc,CAAC;CAE3F,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,kEAAkE;CAEtG,IAAI,IAAI,SAAS,UACb,QAAQ,OAAR;EACI,KAAK,QACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,sEAAsE;EAC1G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,yEAAyE;CACjH;CAEJ,IAAI,IAAI,SAAS,WACb,QAAQ,OAAR;EACI,KAAK,UACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,uEAAuE;EAC3G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,GAAG,EAAE,wEAAwE;CAChH;AAER;AACA,SAAgB,aAAa,KAAK,KAAK,OAAO;CAC1C,QAAQ,IAAI,UAAU,GAAG,CAAC,GAA1B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,mBAAmB,KAAK,KAAK,KAAK;GAClC;EACJ,SACI,oBAAoB,KAAK,KAAK,KAAK;CAC3C;AACJ;;;AC9GA,eAA
sB,gBAAgB,KAAK,KAAK,SAAS;CACrD,IAAI,CAAC,SAAS,GAAG,GACb,MAAM,IAAI,WAAW,iCAAiC;CAE1D,IAAI,IAAI,cAAc,KAAA,KAAa,IAAI,WAAW,KAAA,GAC9C,MAAM,IAAI,WAAW,2EAAuE;CAEhG,IAAI,IAAI,cAAc,KAAA,KAAa,OAAO,IAAI,cAAc,UACxD,MAAM,IAAI,WAAW,qCAAqC;CAE9D,IAAI,IAAI,YAAY,KAAA,GAChB,MAAM,IAAI,WAAW,qBAAqB;CAE9C,IAAI,OAAO,IAAI,cAAc,UACzB,MAAM,IAAI,WAAW,yCAAyC;CAElE,IAAI,IAAI,WAAW,KAAA,KAAa,CAAC,SAAS,IAAI,MAAM,GAChD,MAAM,IAAI,WAAW,uCAAuC;CAEhE,IAAI,aAAa,CAAC;CAClB,IAAI,IAAI,WACJ,IAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,SAAS;EAC1C,aAAa,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;CAC3D,QACM;EACF,MAAM,IAAI,WAAW,iCAAiC;CAC1D;CAEJ,IAAI,CAAC,WAAW,YAAY,IAAI,MAAM,GAClC,MAAM,IAAI,WAAW,2EAA2E;CAEpG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;CACX;CACA,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,YAAY,UAAU;CAC3G,IAAI,MAAM;CACV,IAAI,WAAW,IAAI,KAAK,GAAG;EACvB,MAAM,WAAW;EACjB,IAAI,OAAO,QAAQ,WACf,MAAM,IAAI,WAAW,2EAAyE;CAEtG;CACA,MAAM,EAAE,QAAQ;CAChB,IAAI,OAAO,QAAQ,YAAY,CAAC,KAC5B,MAAM,IAAI,WAAW,6DAA2D;CAEpF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,UAAU;CACjF,IAAI,cAAc,CAAC,WAAW,IAAI,GAAG,GACjC,MAAM,IAAI,kBAAkB,wDAAsD;CAEtF,IAAI;MACI,OAAO,IAAI,YAAY,UACvB,MAAM,IAAI,WAAW,8BAA8B;CAAA,OAGtD,IAAI,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,aACjE,MAAM,IAAI,WAAW,wDAAwD;CAEjF,IAAI,cAAc;CAClB,IAAI,OAAO,QAAQ,YAAY;EAC3B,MAAM,MAAM,IAAI,YAAY,GAAG;EAC/B,cAAc;CAClB;CACA,aAAa,KAAK,KAAK,QAAQ;CAC/B,MAAM,OAAO,OAAO,IAAI,cAAc,KAAA,IAAYC,SAAO,IAAI,SAAS,IAAI,IAAI,WAAW,GAAGA,SAAO,GAAG,GAAG,OAAO,IAAI,YAAY,WAC1H,MACIA,SAAO,IAAI,OAAO,IAClB,QAAQ,OAAO,IAAI,OAAO,IAC9B,IAAI,OAAO;CACjB,MAAM,YAAY,gBAAgB,IAAI,WAAW,aAAa,UAAU;CACxE,MAAM,IAAI,MAAM,aAAa,KAAK,GAAG;CAErC,IAAI,CAAC,MADkB,OAAO,KAAK,GAAG,WAAW,IAAI,GAEjD,MAAM,IAAI,+BAA+B;CAE7C,IAAI;CACJ,IAAI,KACA,UAAU,gBAAgB,IAAI,SAAS,WAAW,UAAU;MAE3D,IAAI,OAAO,IAAI,YAAY,UAC5B,UAAU,QAAQ,OAAO,IAAI,OAAO;MAGpC,UAAU,IAAI;CAElB,MAAM,SAAS,EAAE,QAAQ;CACzB,IAAI,IAAI,cAAc,KAAA,GAClB,OAAO,kBAAkB;CAE7B,IAAI,IAAI,WAAW,KAAA,GACf,OAAO,oBAAoB,IAAI;CAEnC,IAAI,aACA,OAAO;EAAE,GAAG;EAAQ,KAAK;CAAE;CAE/B,OAAO;AACX;;;AC1GA,eAAsB,cAAc,KAAK,KAA
K,SAAS;CACnD,IAAI,eAAe,YACf,MAAM,QAAQ,OAAO,GAAG;CAE5B,IAAI,OAAO,QAAQ,UACf,MAAM,IAAI,WAAW,4CAA4C;CAErE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,GAAG;CAC9E,IAAI,WAAW,GACX,MAAM,IAAI,WAAW,qBAAqB;CAE9C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;CAAU,GAAG,KAAK,OAAO;CACvG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;CAAgB;CACtF,IAAI,OAAO,QAAQ,YACf,OAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;CAAI;CAE1C,OAAO;AACX;;;ACjBA,MAAM,SAAS,SAAS,KAAK,MAAM,KAAK,QAAQ,IAAI,GAAI;AACxD,MAAM,SAAS;AACf,MAAM,OAAO,SAAS;AACtB,MAAM,MAAM,OAAO;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,QAAQ;AACd,SAAgB,KAAK,KAAK;CACtB,MAAM,UAAU,MAAM,KAAK,GAAG;CAC9B,IAAI,CAAC,WAAY,QAAQ,MAAM,QAAQ,IACnC,MAAM,IAAI,UAAU,4BAA4B;CAEpD,MAAM,QAAQ,WAAW,QAAQ,EAAE;CACnC,MAAM,OAAO,QAAQ,GAAG,YAAY;CACpC,IAAI;CACJ,QAAQ,MAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,KAAK;GAC9B;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,MAAM;GACvC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,IAAI;GACrC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,GAAG;GACpC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,IAAI;GACrC;EACJ;GACI,cAAc,KAAK,MAAM,QAAQ,IAAI;GACrC;CACR;CACA,IAAI,QAAQ,OAAO,OAAO,QAAQ,OAAO,OACrC,OAAO,CAAC;CAEZ,OAAO;AACX;AACA,SAAS,cAAc,OAAO,OAAO;CACjC,IAAI,CAAC,OAAO,SAAS,KAAK,GACtB,MAAM,IAAI,UAAU,WAAW,MAAM,OAAO;CAEhD,OAAO;AACX;AACA,MAAM,gBAAgB,UAAU;CAC5B,IAAI,MAAM,SAAS,GAAG,GAClB,OAAO,MAAM,YAAY;CAE7B,OAAO,eAAe,MAAM,YAAY;AAC5C;AACA,MAAM,yBAAyB,YAAY,cAAc;CACrD,IAAI,OAAO,eAAe,UACtB,OAAO,UAAU,SAAS,UAAU;CAExC,IAAI,MAAM,QAAQ,UAAU,GACxB,OAAO,UAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAI,UAAU,CAAC,CAAC;CAErE,OAAO;AACX;AACA,SAAgB,kBAAkB,iBAAiB,gBAAgB,UAAU,CAAC,GAAG;CAC7E,IAAI;CACJ,IAAI;EACA,UAAU,KAAK,MAAM,QAAQ,OAAO,cAAc,CAAC;CACvD,QACM,CACN;CACA,IAAI,CAAC,SAAS,OAAO,GACjB,MAAM,IAAI,WAAW,gDAAgD;CAEzE,MAAM,EAAE,QAAQ;CAChB,IAAI,QACC,OAAO,gBAAgB,QAAQ,YAC5B,aAAa,gBAAgB,GAAG,MAAM,aAAa,GAAG,IAC1D,MAAM,IAAI,yBAAyB,uCAAqC,SAAS,OAAO,cAAc;CAE1G,MAAM,EAAE,iBA
AiB,CAAC,GAAG,QAAQ,SAAS,UAAU,gBAAgB;CACxE,MAAM,gBAAgB,CAAC,GAAG,cAAc;CACxC,IAAI,gBAAgB,KAAA,GAChB,cAAc,KAAK,KAAK;CAC5B,IAAI,aAAa,KAAA,GACb,cAAc,KAAK,KAAK;CAC5B,IAAI,YAAY,KAAA,GACZ,cAAc,KAAK,KAAK;CAC5B,IAAI,WAAW,KAAA,GACX,cAAc,KAAK,KAAK;CAC5B,KAAK,MAAM,SAAS,IAAI,IAAI,cAAc,QAAQ,CAAC,GAC/C,IAAI,EAAE,SAAS,UACX,MAAM,IAAI,yBAAyB,qBAAqB,MAAM,UAAU,SAAS,OAAO,SAAS;CAGzG,IAAI,UACA,EAAE,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC,MAAM,GAAG,SAAS,QAAQ,GAAG,GACjE,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,cAAc;CAErG,IAAI,WAAW,QAAQ,QAAQ,SAC3B,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,cAAc;CAErG,IAAI,YACA,CAAC,sBAAsB,QAAQ,KAAK,OAAO,aAAa,WAAW,CAAC,QAAQ,IAAI,QAAQ,GACxF,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,cAAc;CAErG,IAAI;CACJ,QAAQ,OAAO,QAAQ,gBAAvB;EACI,KAAK;GACD,YAAY,KAAK,QAAQ,cAAc;GACvC;EACJ,KAAK;GACD,YAAY,QAAQ;GACpB;EACJ,KAAK;GACD,YAAY;GACZ;EACJ,SACI,MAAM,IAAI,UAAU,oCAAoC;CAChE;CACA,MAAM,EAAE,gBAAgB;CACxB,MAAM,MAAM,MAAM,+BAAe,IAAI,KAAK,CAAC;CAC3C,KAAK,QAAQ,QAAQ,KAAA,KAAa,gBAAgB,OAAO,QAAQ,QAAQ,UACrE,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,SAAS;CAEhG,IAAI,QAAQ,QAAQ,KAAA,GAAW;EAC3B,IAAI,OAAO,QAAQ,QAAQ,UACvB,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,SAAS;EAEhG,IAAI,QAAQ,MAAM,MAAM,WACpB,MAAM,IAAI,yBAAyB,wCAAsC,SAAS,OAAO,cAAc;CAE/G;CACA,IAAI,QAAQ,QAAQ,KAAA,GAAW;EAC3B,IAAI,OAAO,QAAQ,QAAQ,UACvB,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,SAAS;EAEhG,IAAI,QAAQ,OAAO,MAAM,WACrB,MAAM,IAAI,WAAW,wCAAsC,SAAS,OAAO,cAAc;CAEjG;CACA,IAAI,aAAa;EACb,MAAM,MAAM,MAAM,QAAQ;EAC1B,MAAM,MAAM,OAAO,gBAAgB,WAAW,cAAc,KAAK,WAAW;EAC5E,IAAI,MAAM,YAAY,KAClB,MAAM,IAAI,WAAW,8DAA4D,SAAS,OAAO,cAAc;EAEnH,IAAI,MAAM,IAAI,WACV,MAAM,IAAI,yBAAyB,mEAAiE,SAAS,OAAO,cAAc;CAE1I;CACA,OAAO;AACX;AACA,IAAa,mBAAb,MAA8B;CAC1B;CACA,YAAY,SAAS;EACjB,IAAI,CAAC,SAAS,OAAO,GACjB,MAAM,IAAI,UAAU,kCAAkC;EAE1D,KAAKC,WAAW,gBAAgB,OAAO;CAC3C;CACA,OAAO;EACH,OAAO,QAAQ,OAAO,KAAK,UAAU,KAAKA,QAAQ,CAAC;CACvD;CACA,IAAI,MAAM;EACN,OAAO,KAAKA,SAAS;CACzB;CACA,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;CACxB;CACA,IAAI,MAAM;EACN,OAAO,KAAKA,SAAS;CACzB;CACA,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;CACxB;CACA,IAAI,MAAM;EACN,OAAO,KAAKA,SA
AS;CACzB;CACA,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;CACxB;CACA,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;CACxB;CACA,IAAI,IAAI,OAAO;EACX,IAAI,OAAO,UAAU,UACjB,KAAKA,SAAS,MAAM,cAAc,gBAAgB,KAAK;OAEtD,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,gBAAgB,MAAM,KAAK,CAAC;OAG9D,KAAKA,SAAS,MAAM,sBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;CAE1D;CACA,IAAI,IAAI,OAAO;EACX,IAAI,OAAO,UAAU,UACjB,KAAKA,SAAS,MAAM,cAAc,qBAAqB,KAAK;OAE3D,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,qBAAqB,MAAM,KAAK,CAAC;OAGnE,KAAKA,SAAS,MAAM,sBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;CAE1D;CACA,IAAI,IAAI,OAAO;EACX,IAAI,UAAU,KAAA,GACV,KAAKA,SAAS,MAAM,sBAAM,IAAI,KAAK,CAAC;OAEnC,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,eAAe,MAAM,KAAK,CAAC;OAE5D,IAAI,OAAO,UAAU,UACtB,KAAKA,SAAS,MAAM,cAAc,eAAe,sBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC;OAGhF,KAAKA,SAAS,MAAM,cAAc,eAAe,KAAK;CAE9D;AACJ;;;AC1OA,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,MAAM,WAAW,MAAM,cAAc,KAAK,KAAK,OAAO;CACtD,IAAI,SAAS,gBAAgB,MAAM,SAAS,KAAK,KAAK,SAAS,gBAAgB,QAAQ,OACnF,MAAM,IAAI,WAAW,qCAAqC;CAG9D,MAAM,SAAS;EAAE,SADD,kBAAkB,SAAS,iBAAiB,SAAS,SAAS,OACvD;EAAG,iBAAiB,SAAS;CAAgB;CACpE,IAAI,OAAO,QAAQ,YACf,OAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;CAAI;CAE1C,OAAO;AACX;;;ACLA,IAAa,gBAAb,MAA2B;CACvB;CACA;CACA;CACA,YAAY,SAAS;EACjB,IAAI,EAAE,mBAAmB,aACrB,MAAM,IAAI,UAAU,2CAA2C;EAEnE,KAAKC,WAAW;CACpB;CACA,mBAAmB,iBAAiB;EAChC,aAAa,KAAKC,kBAAkB,oBAAoB;EACxD,KAAKA,mBAAmB;EACxB,OAAO;CACX;CACA,qBAAqB,mBAAmB;EACpC,aAAa,KAAKC,oBAAoB,sBAAsB;EAC5D,KAAKA,qBAAqB;EAC1B,OAAO;CACX;CACA,MAAM,KAAK,KAAK,SAAS;EACrB,IAAI,CAAC,KAAKD,oBAAoB,CAAC,KAAKC,oBAChC,MAAM,IAAI,WAAW,iFAAiF;EAE1G,IAAI,CAAC,WAAW,KAAKD,kBAAkB,KAAKC,kBAAkB,GAC1D,MAAM,IAAI,WAAW,2EAA2E;EAEpG,MAAM,aAAa;GACf,GAAG,KAAKD;GACR,GAAG,KAAKC;EACZ;EACA,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,KAAKD,kBAAkB,UAAU;EACtH,IAAI,MAAM;EACV,IAAI,WAAW,IAAI,KAAK,GAAG;GACvB,MAAM,KAAKA,iBAAiB;GAC5B,IAAI,OAAO,QAAQ,WACf,MAAM,IAAI,WAAW,2EAAyE;EAEtG;EACA,MAAM,EAAE,QAAQ;EAChB,IAAI,OAAO,QAAQ,YAAY,CAAC,KAC5B,MAAM,IAAI,WAAW,6DAA2D;EAEpF,aAAa,KAAK,KAAK,MAAM;EAC7B,IAAI;EACJ,
IAAI;EACJ,IAAI,KAAK;GACL,WAAWE,OAAK,KAAKH,QAAQ;GAC7B,WAAWI,SAAO,QAAQ;EAC9B,OACK;GACD,WAAW,KAAKJ;GAChB,WAAW;EACf;EACA,IAAI;EACJ,IAAI;EACJ,IAAI,KAAKC,kBAAkB;GACvB,wBAAwBE,OAAK,KAAK,UAAU,KAAKF,gBAAgB,CAAC;GAClE,uBAAuBG,SAAO,qBAAqB;EACvD,OACK;GACD,wBAAwB;GACxB,uBAAuB,IAAI,WAAW;EAC1C;EACA,MAAM,OAAO,OAAO,sBAAsBA,SAAO,GAAG,GAAG,QAAQ;EAG/D,MAAM,MAAM;GACR,WAAWD,OAAK,MAFI,KAAK,KAAK,MADlB,aAAa,KAAK,GAAG,GACA,IAAI,CAEZ;GACzB,SAAS;EACb;EACA,IAAI,KAAKD,oBACL,IAAI,SAAS,KAAKA;EAEtB,IAAI,KAAKD,kBACL,IAAI,YAAY;EAEpB,OAAO;CACX;AACJ;;;ACvFA,IAAa,cAAb,MAAyB;CACrB;CACA,YAAY,SAAS;EACjB,KAAKI,aAAa,IAAI,cAAc,OAAO;CAC/C;CACA,mBAAmB,iBAAiB;EAChC,KAAKA,WAAW,mBAAmB,eAAe;EAClD,OAAO;CACX;CACA,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,MAAM,KAAKA,WAAW,KAAK,KAAK,OAAO;EACnD,IAAI,IAAI,YAAY,KAAA,GAChB,MAAM,IAAI,UAAU,2DAA2D;EAEnF,OAAO,GAAG,IAAI,UAAU,GAAG,IAAI,QAAQ,GAAG,IAAI;CAClD;AACJ;;;ACdA,IAAa,UAAb,MAAqB;CACjB;CACA;CACA,YAAY,UAAU,CAAC,GAAG;EACtB,KAAKC,OAAO,IAAI,iBAAiB,OAAO;CAC5C;CACA,UAAU,QAAQ;EACd,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,WAAW,SAAS;EAChB,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,YAAY,UAAU;EAClB,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,OAAO,OAAO;EACV,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,aAAa,OAAO;EAChB,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,kBAAkB,OAAO;EACrB,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,YAAY,OAAO;EACf,KAAKA,KAAK,MAAM;EAChB,OAAO;CACX;CACA,mBAAmB,iBAAiB;EAChC,KAAKC,mBAAmB;EACxB,OAAO;CACX;CACA,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,IAAI,YAAY,KAAKD,KAAK,KAAK,CAAC;EAC5C,IAAI,mBAAmB,KAAKC,gBAAgB;EAC5C,IAAI,MAAM,QAAQ,KAAKA,kBAAkB,IAAI,KACzC,KAAKA,iBAAiB,KAAK,SAAS,KAAK,KACzC,KAAKA,iBAAiB,QAAQ,OAC9B,MAAM,IAAI,WAAW,qCAAqC;EAE9D,OAAO,IAAI,KAAK,KAAK,OAAO;CAChC;AACJ;;;;ACxCA,eAAsB,sBACpB,MACiB;CACjB,MAAM,MAAM,MAAM,YAAY,KAAK,eAAe,OAAO;CACzD,OAAO,IAAI,QAAQ,CAAC,CAAC,EAClB,mBAAmB;EAAE,KAAK;EAAS,KAAK,KAAK;EAAO,KAAK;CAAM,CAAC,EAChE,UAAU,KAAK,MAAM,EACrB,WAAW,KAAK,SAAS,EACzB,YAAY,2BAA2B,EACvC,YAAY,EACZ,kBAAkB,GAAG,KAAK,cAAc,IAAI,EAAE,EAC9C,KAAK,GAAG;AACb;;;ACrBA,MAAM,MAAM;AAiCZ,eAAsB,wBACpB,SACA,MACiB;CACjB,MAAM,MAAM,MA
AM,YAAY,KAAK,eAAe,GAAG;CACrD,MAAM,MAAM,KAAK,OAAO,OAAO,WAAW;CAC1C,MAAM,MAAM,KAAK,cAAc;CAC/B,OAAO,IAAI,QAAQ,EAAE,QAAQ,CAAC,EAC3B,mBAAmB;EAAE,KAAK;EAAK,KAAK;CAAM,CAAC,EAC3C,UAAU,KAAK,MAAM,EACrB,YAAY,KAAK,QAAQ,EACzB,OAAO,GAAG,EACV,YAAY,EACZ,kBAAkB,GAAG,IAAI,EAAE,EAC3B,KAAK,GAAG;AACb;AAEA,eAAsB,0BACpB,OACA,MAC4B;CAE5B,MAAM,EAAE,YAAY,MAAM,UAAU,OAAO,MADzB,WAAW,KAAK,cAAc,GAAG,GACH;EAC9C,QAAQ,KAAK;EACb,UAAU,KAAK;EACf,YAAY,CAAC,GAAG;EAGhB,gBAAgB;GAAC;GAAO;GAAO;EAAK;CACtC,CAAC;CACD,MAAM,UAAU,QAAQ;CACxB,IAAI,CAAC,SAAS,OAAO,CAAC,QAAQ,UAC5B,MAAM,IAAI,MAAM,mDAAmD;CAErE,IAAI,CAAC,QAAQ,KACX,MAAM,IAAI,MAAM,kCAAkC;CAEpD,OAAO;EAAE;EAAS,KAAK,OAAO,QAAQ,GAAG;CAAE;AAC7C;;;ACvEA,MAAa,+BAA+B,EAAE,OAC5C;CACE,MAAM,EAAE,KAAK,EACX,aAAa,uCACf,CAAC;CACD,MAAM,EAAE,KAAK;EAAC;EAAU;EAAQ;CAAa,GAAG,EAC9C,aAAa,uCACf,CAAC;AACH,GACA,EACE,OAAO,yBACT,CACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC0BA,MAAa,cACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,iBAAiB,EAAE,SACjB,EAAE,KAAK,EACL,aACE,4DACJ,CAAC,CACH;EACA,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,4EACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WAAW,CAAC,IAAI,mBAAmB,CAAC,IAAI;CAE9C,MAAM,OAAO;CAEb,MAAM,cACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,aACH,MAAM,IAAI,YACR,iEACF;CAGF,MAAM,UAAyB,OAAO,SAAS;EAC7C,OAAO,YAAY,sBAAsB,IAAI,CAAC;CAChD;CAEA,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,OAAO;GACP,cAAc;GACd,GAAG;GACH;EACF;EACA;CACF,CAAC;AACH;;;;;;;;;AAUA,MAAM,yBACJ,SACuB;CACvB,MAAM,OAAsB,EAAE,GAAG,KAAK,KAAK;CAE3C,KAAK,MAAM,OAAO,CAAC,kBAAkB,kBAAkB,GAAY;EACjE,MAAM,MAAM,KAAK;EACjB,IAAI,OAAO,QAAQ,UACjB,KAAK,OAAO,QAAQ;CAExB;CAEA,OAAO;EAAE,GAAG;EAAM;CAAK;AACzB;;;;;;;;ACvGA,MAAa,oBACX,OACA,UAAuC,CAAC,MACrC;CACH,MAAM,OAAO;CAEb,MAAM,UAAqC,MAAM,QAC7C,MAAM,MAAM,IAAI,IAChB,QAAQ;CAEZ,IAAI,CAAC,SACH,MAAM,IAAI,YACR,8EACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,aAAa,EACX,QACF;CACF,CAAC;AACH;;;;;;;;;;;;;ACjBA,MAAa,iBACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,
OAAO;EACP,oBAAoB,EAAE,SACpB,EAAE,KAAK,EACL,aAAa,uDACf,CAAC,CACH;EACA,wBAAwB,EAAE,SACxB,EAAE,KAAK,EACL,aACE,2DACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WAAW,CAAC,IAAI,sBAAsB,CAAC,IAAI;CAEjD,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,iEACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,OAAO;GACL,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,eAAe;GACf,OAAO;GACP,OAAO;GACP,UAAU,OAAO,WAAW;IAC1B,MAAM,MAAM,MAAM,MAChB,2FACA,EACE,SAAS,EACP,eAAe,UAAU,OAAO,eAClC,EACF,CACF,EAAE,MAAM,QAAQ,IAAI,KAAK,CAAC;IAE1B,MAAM,OAAsB,EAC1B,KAAK,IAAI,GACX;IAEA,IAAI,IAAI,OACN,KAAK,QAAQ,IAAI;IAGnB,IAAI,IAAI,MACN,KAAK,OAAO,IAAI,KAAK,KAAK;IAG5B,IAAI,IAAI,SAAS,MAAM,KACrB,KAAK,UAAU,IAAI,QAAQ,KAAK;IAGlC,OAAO;GACT;GACA,GAAG;GACH;EACF;EACA;CACF,CAAC;AACH;;;;;;;;AC5FA,SAAgB,iBACd,UACA,WAAW,KACH;CACR,IACE,OAAO,aAAa,YACpB,SAAS,WAAW,GAAG,KACvB,CAAC,SAAS,WAAW,IAAI,KACzB,CAAC,SAAS,SAAS,IAAI,GAEvB,OAAO;CAET,OAAO;AACT;;;ACuBA,MAAM,UAAU;CACd,QAAQ;CACR,OAAO;AACT;AAEA,MAAa,yBAAyB,YAAqC;CACzE,MAAM,eAAe;CAErB,IAAI,CAAC,QAAQ,eACX,MAAM,IAAI,YAAY,8CAA8C;CAItE,MAAM,OAAO,QAAQ;EACnB,MAAM;EACN,KAAK,CAAC,IAAI,SAAS;EACnB,UAAU;EACV,SAAS;EACT,QAAQ,EAAE,OAAO;GACf,UAAU,EAAE,KAAK;GACjB,cAAc,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;GACrC,cAAc,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;GACrC,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;GACjD,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC;GAC1B,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC;CACH,CAAC;CAED,MAAM,cAAc,GAAG,QAAQ,SAAS;CAIxC,MAAM,YAAY,OAChB,aAC2B;EAC3B,IAAI,aAAa,UAAU;GACzB,MAAM,IAAI,QAAQ,UAAU;GAC5B,IAAI,CAAC,GACH,MAAM,IAAI,cAAc,kCAAkC;GAE5D,OAAO,UAAU,IAAI,IAAI,QAAQ,MAAM,GAAG,EAAE,UAAU,EAAE,YAAY;EACtE;EACA,MAAM,IAAI,QAAQ,UAAU;EAC5B,IAAI,CAAC,GACH,MAAM,IAAI,cAAc,iCAAiC;EAE3D,MAAM,eAAe,MAAM,sBAAsB;GAC/C,eAAe,EAAE;GACjB,QAAQ,EAAE;GACV,WAAW,EAAE;GACb,OAAO,EAAE;EACX,CAAC;EACD,OAAO,UAAU,IAAI,IAAI,QAAQ,KAAK,GAAG,EAAE,WAAW,YAAY;CACpE;CAEA,MAAM,YAAY,aAChB,aAAa,UAAU,eAAe;CAExC,MAAM,QAAQ,OAAO;EACnB,MAAM;EACN,QAAQ,EACN,OAAO,EAAE,OAAO;GACd,UAAU,EAAE,KAAK;GACjB,QAAQ,EAAE,KAAK;GACf,UAAU,EAAE,SAAS
,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;EAC/C,CAAC,EACH;EACA,SAAS,OAAO,EAAE,OAAO,OAAO,cAAc;GAC5C,IAAI,MAAM,aAAa,YAAY,MAAM,aAAa,SACpD,MAAM,IAAI,gBAAgB,yBAAyB,MAAM,SAAS,EAAE;GAEtE,MAAM,eAAe,MAAM,QAAQ,cAAc,MAAM,MAAM;GAC7D,IAAI,CAAC,cACH,MAAM,IAAI,gBAAgB,4BAA4B;GAGxD,MAAM,SAAS,MAAM,UAAU,MAAM,QAAQ;GAC7C,MAAM,eAAe,uBAAuB;GAC5C,MAAM,gBAAgB,MAAM,2BAA2B,YAAY;GACnE,MAAM,aAAqC;IACzC,cAAc;IACd,OAAO,SAAS,MAAM,QAAQ;IAC9B,gBAAgB;IAChB,uBAAuB;GACzB;GAEA,IAAI,MAAM,aAAa,SACrB,WAAW,gBAAgB;GAG7B,MAAM,UAAU,OAAO,eAAe,EAAE,aAAa;GACrD,IAAI;GACJ,IAAI;GACJ,IAAI,CAAC,SAAS;IACZ,QAAQ,YAAY;IACpB,QAAQ,YAAY;IACpB,WAAW,QAAQ;IACnB,WAAW,QAAQ;IACnB,OAAO,WAAW;IAClB,OAAO,WAAW;GACpB;GAEA,KAAK,IACH;IACE,UAAU,MAAM;IAChB;IACA,cAAc,iBAAiB,MAAM,QAAQ;IAC7C,cAAc,UAAU,eAAe,KAAA;IACvC;IACA;GACF,GACA,EAAE,QAAQ,CACZ;GACA,MAAM,SAAS,sBAAsB,QAAQ,UAAU,EAAE,SAAS,GAAG,GAAG;EAC1E;CACF,CAAC;CAED,MAAM,SAAS,OACb,UACA,SACA,OACA,eACG;EACH,MAAM,MAAM,KAAK,IAAI,EAAE,QAAQ,CAAC;EAChC,IAAI,CAAC,KACH,MAAM,IAAI,gBAAgB,yBAAyB;EAErD,KAAK,IAAI,EAAE,QAAQ,CAAC;EAEpB,MAAM,WAAW,IAAI;EAErB,IAAI;EACJ,IAAI;GASF,MAAM,UAAU,MAPK,uBAAuB,MADvB,UAAU,QAAQ,GACa,UAAU;IAC5D,kBAAkB,IAAI;IACtB,eAAe,IAAI;IACnB,eAAe,IAAI;GACrB,CAAC,GAGsB,SAAS,KAAK,CAAC;GACtC,MAAM,SAAS;IAAE,GAAG;IAAY,GAAG;GAAO;GAC1C,UAAU;IACR;IACA,KAAK,OAAO,OAAO,GAAG;IACtB,OAAO,OAAO;IACd,gBACE,OAAO,OAAO,mBAAmB,WAC7B,OAAO,mBAAmB,SACzB,OAAO;IACd,MAAM,OAAO;IACb,YAAY,OAAO;IACnB,aAAa,OAAO;IACpB,SAAS,OAAO;IAChB,kBACE,OAAO,OAAO,qBAAqB,WAC/B,OAAO,qBAAqB,SAC3B,OAAO;GAChB;EACF,QAAQ;GAGN,MAAM,OAAO,IAAI,IAAI,GAAG,IAAI,eAAe,IAAI,cAAc;GAC7D,KAAK,aAAa,IAAI,SAAS,mBAAmB;GAClD,MAAM,SAAS,KAAK,SAAS,GAAG,GAAG;GACnC;EACF;EAEA,MAAM,YAAY,MAAM,wBAAwB,SAAS;GACvD,eAAe,QAAQ;GACvB,QAAQ,QAAQ;GAChB,UAAU,IAAI;GACd,YAAY,QAAQ;EACtB,CAAC;EAED,MAAM,OAAO,IAAI,IAAI,GAAG,IAAI,aAAa,yBAAyB;EAClE,KAAK,aAAa,IAAI,SAAS,SAAS;EACxC,KAAK,aAAa,IAAI,YAAY,IAAI,YAAY;EAClD,MAAM,SAAS,KAAK,SAAS,GAAG,GAAG;CACrC;CAkDA,OAAO;EAAE;EAAO,UAhDC,OAAO;GACtB,MAAM;GACN,SAAS,OAAO,EAAE,KAAK,OAAO,cAAc,OAAO,KAAK,SAAS,KAAK;EACxE,CA6CuB;EAAG,cAzCL,OAAO;GAC1B,MAAM;GACN
,QAAQ;GACR,SAAS,OAAO,EAAE,OAAO,SAAS,UAAU;IAC1C,IAAI;IACJ,IAAI,MAAqB,KAAK,KAAK;IACnC,IAAI,KAAK,KAAK,KAAK;KACjB,MAAM,SAAS,IAAI,IAAI,IAAI,MAAM;KACjC,MAAM,IAAI,IAAI;KACd,IAAI;MAEF,MAAM,aAAY,MADC,OAAO,SAAS,GACZ,IAAI,MAAM;MACjC,IAAI,OAAO,cAAc,UAAU;OACjC,MAAM,SAAS,KAAK,MAAM,SAAS;OAInC,aAAa,CAAC;OACd,IAAI,OAAO,MAAM,WACf,WAAW,aAAa,OAAO,KAAK;OAEtC,IAAI,OAAO,MAAM,UACf,WAAW,cAAc,OAAO,KAAK;OAEvC,IAAI,OAAO,MAAM,aAAa,OAAO,MAAM,UACzC,WAAW,OAAO,CAAC,OAAO,MAAM,WAAW,OAAO,MAAM,QAAQ,EAC7D,OAAO,OAAO,EACd,KAAK,GAAG;OAEb,IAAI,OAAO,OACT,WAAW,QAAQ,OAAO;MAE9B;KACF,QAAQ,CAER;IACF;IACA,MAAM,OAAO,KAAK,SAAS,OAAO,UAAU;GAC9C;EACF,CAEqC;CAAE;AACzC;;;;;;;;;AC1QA,IAAa,iBAAb,MAA4B;CAIL;CACA;CAJrB,uBAA0B,IAAI,IAAoB;CAElD,YACE,QAA2B,MAC3B,aAAgC,KAChC;EAFmB,KAAA,QAAA;EACA,KAAA,aAAA;CAClB;;CAGH,MAAM,KAAa,MAAc,KAAK,IAAI,GAAY;EACpD,KAAK,MAAM,GAAG;EACd,IAAI,KAAK,KAAK,IAAI,GAAG,GACnB,OAAO;EAET,KAAK,KAAK,IAAI,KAAK,MAAM,KAAK,KAAK;EACnC,OAAO;CACT;CAEA,MAAgB,KAAmB;EACjC,KAAK,MAAM,CAAC,GAAG,QAAQ,KAAK,MAC1B,IAAI,OAAO,KACT,KAAK,KAAK,OAAO,CAAC;EAKtB,OAAO,KAAK,KAAK,QAAQ,KAAK,YAAY;GACxC,MAAM,SAAS,KAAK,KAAK,KAAK,EAAE,KAAK,EAAE;GACvC,IAAI,WAAW,KAAA,GACb;GAEF,KAAK,KAAK,OAAO,MAAM;EACzB;CACF;AACF;;;AC5BA,eAAsB,mBACpB,OACA,MACsE;CACtE,MAAM,EAAE,SAAS,QAAQ,MAAM,0BAA0B,OAAO,IAAI;CACpE,OAAO;EACL,UAAU,QAAQ;EAClB;EACA,MAAM;GACJ,cAAc;GACd,MAAM;IACJ,KAAK,QAAQ;IACb,OAAO,QAAQ;IACf,gBAAgB,QAAQ;IACxB,MAAM,QAAQ;IACd,YAAY,QAAQ;IACpB,aAAa,QAAQ;IACrB,SAAS,QAAQ;GACnB;EACF;CACF;AACF;AASA,MAAa,yBAAyB,YAAqC;CACzE,MAAM,EAAE,WAAW,SAAS;CAC5B,MAAM,SAAS,IAAI,eAAe;CA2ClC,OAAO,EAAE,UAzCQ,OAAO;EACtB,MAAM;EACN,QAAQ,EACN,OAAO,EAAE,OAAO;GACd,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;GAC9B,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,CAAC;EAC/C,CAAC,EACH;EACA,SAAS,OAAO,EAAE,OAAO,KAAK,OAAO,cAAc;GACjD,MAAM,aAAa,OAAO,OAAO,kBAAkB;GACnD,MAAM,WAAW,QAAQ,cAAc,GAAG,IAAI,SAAS,IAAI,IAAI;GAC/D,IAAI;IACF,MAAM,EAAE,UAAU,KAAK,SAAS,MAAM,mBAAmB,MAAM,OAAO;KACpE,cAAc,QAAQ;KACtB,QAAQ,QAAQ;KAChB;IACF,CAAC;IACD,IAAI,CAAC,OAAO,MAAM,GAAG,GACnB,MAAM,IAAI,gBAAgB,wBAAwB;IAEpD,IAAI,CAAC,QAAQ
,MAAM,MACjB,MAAM,IAAI,gBAAgB,4BAA4B;IAExD,MAAM,OAAO,MAAM,QAAQ,MAAM,KAAK,QAAQ,EAAE,IAAI;IACpD,MAAM,WAAW,iBACf,MACA,QAAQ,OACR,UACA,OACF;GACF,QAAQ;IAIN,MAAM,SAAS,uCAAuC,GAAG;IACzD;GACF;GACA,MAAM,SAAS,iBAAiB,MAAM,QAAQ,GAAG,GAAG;EACtD;CACF,CAEgB,EAAE;AACpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACpDA,MAAa,sBACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,yBAAyB,EAAE,SACzB,EAAE,KAAK,EACL,aACE,qHACJ,CAAC,CACH;EACA,6BAA6B,EAAE,SAC7B,EAAE,KAAK,EACL,aACE,yHACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WACJ,CAAC,IAAI,2BAA2B,CAAC,IAAI;CAEvC,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,iEACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;;;;;;;;GAQJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;;;;;GAKlB,OAAO;;;;GAIP,GAAG;GACH,yBAAyB;IACvB,YAAY;IACZ,GAAG,QAAQ;GACb;GACA;EACF;EACA;CACF,CAAC;AACH;;;;;;;;;;;;;ACpFA,MAAa,eACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aACE,mEACJ,CAAC,CACH;EACA,sBAAsB,EAAE,SACtB,EAAE,KAAK,EACL,aACE,uEACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WAAW,CAAC,IAAI,oBAAoB,CAAC,IAAI;CAE/C,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,iEACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,OAAO;GACL,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,eAAe;GACf,OAAO;GACP,OAAO;GACP,UAAU,OAAO,WAAW;IAC1B,MAAM,WAAW;IACjB,MAAM,UAAU;KACd,eAAe,UAAU,OAAO;KAChC,cAAc;IAChB;IACA,MAAM,MAAM,MAAM,MAAM,GAAG,SAAS,QAAQ,EAAE,QAAQ,CAAC,EAAE,MAAM,QAC7D,IAAI,KAAK,CACX;IAEA,MAAM,OAAsB,EAC1B,KAAK,IAAI,GAAG,SAAS,EACvB;IAEA,IAAI,IAAI,OACN,KAAK,QAAQ,IAAI;IAGnB,IAAI,IAAI,MACN,KAAK,OAAO,IAAI,KAAK,KAAK;IAG5B,IAAI,IAAI,YACN,KAAK,UAAU,IAAI;IAKrB,MAAM,YAAY,MAAM,MAAM,GAAG,SAAS,eAAe,EAAE,QAAQ,CAAC;IACpE,IAAI,UAAU,IAAI;KAChB,MAAM,SAID,MAAM,UAAU,KAAK;KAC1B,IAAI,CAAC,KAAK,OACR,KAAK,SAAS,OAAO,MAAM,MAAM,EAAE,OAAO,KAAK,OAAO,KAAK;KAE7D,IAAI,KAAK,OACP,KAAK,iBACH,OAAO,MAAM,MAAM,EAAE,UAAU,KAAK,KAAK,GAAG,YAAY;IAE9D;IAEA,OAAO;GACT;GACA,GAAG
;GACH;EACF;EACA;CACF,CAAC;AACH;;;;;;;;;;;;;ACjGA,MAAa,eACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,kBAAkB,EAAE,SAClB,EAAE,KAAK,EACL,aACE,sEACJ,CAAC,CACH;EACA,sBAAsB,EAAE,SACtB,EAAE,KAAK,EACL,aACE,0EACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WAAW,CAAC,IAAI,oBAAoB,CAAC,IAAI;CAE/C,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,iEACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ;GACR,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,GAAG;GACH;EACF;EACA;CACF,CAAC;AACH;;;;;;;;;;;;;;;;;;;;;;;;;ACpCA,MAAa,kBACX,OACA,UAAgC,CAAC,MAC9B;CACH,MAAM,EAAE,WAAW,SAAS;CAE5B,MAAM,MAAM,OAAO,SACjB,EAAE,OAAO;EACP,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,8DACJ,CAAC,CACH;EACA,yBAAyB,EAAE,SACzB,EAAE,KAAK,EACL,aACE,0DACJ,CAAC,CACH;EACA,qBAAqB,EAAE,SACrB,EAAE,KAAK,EACL,aACE,6EACJ,CAAC,CACH;CACF,CAAC,CACH;CAEA,MAAM,WAAW,CAAC,IAAI,uBAAuB,CAAC,IAAI;CAElD,MAAM,WAAW,IAAI,uBAAuB;CAE5C,MAAM,OAAO;CAEb,MAAM,UACJ,QAAQ,YAAY,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI,KAAA;CAEtD,IAAI,CAAC,SACH,MAAM,IAAI,YACR,iEACF;CAGF,OAAO,MAAM;EACX,QAAQ;EACR;EACA,MAAM;GACJ,QAAQ,qCAAqC,SAAS;GACtD,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,GAAG;GACH;EACF;EACA;CACF,CAAC;AACH;;;;;;;;;;;;;;;;;;;;AC9CA,MAAa,mBAAmB,QAAQ;CACtC,MAAM;CACN,YAAY,CAAC,KAAK;CAClB,UAAU,CAAC,qBAAqB,kBAAkB;AACpD,CAAC"}
|