authscape 1.0.778 → 1.0.782

package/index.js

@@ -9645,7 +9645,7 @@ function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" ==
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.apiService = void 0;
+exports.invalidateCurrentUser = exports.apiService = void 0;
 var _axios = _interopRequireDefault(require("axios"));
 var _queryString = _interopRequireDefault(require("query-string"));
 var _jsFileDownload = _interopRequireDefault(require("js-file-download"));
@@ -9659,6 +9659,50 @@ function _toPrimitive(t, r) { if ("object" != _typeof(t) || !t) return t; var e
 function _regeneratorRuntime() { "use strict"; /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/facebook/regenerator/blob/main/LICENSE */ _regeneratorRuntime = function _regeneratorRuntime() { return e; }; var t, e = {}, r = Object.prototype, n = r.hasOwnProperty, o = Object.defineProperty || function (t, e, r) { t[e] = r.value; }, i = "function" == typeof Symbol ? Symbol : {}, a = i.iterator || "@@iterator", c = i.asyncIterator || "@@asyncIterator", u = i.toStringTag || "@@toStringTag"; function define(t, e, r) { return Object.defineProperty(t, e, { value: r, enumerable: !0, configurable: !0, writable: !0 }), t[e]; } try { define({}, ""); } catch (t) { define = function define(t, e, r) { return t[e] = r; }; } function wrap(t, e, r, n) { var i = e && e.prototype instanceof Generator ? e : Generator, a = Object.create(i.prototype), c = new Context(n || []); return o(a, "_invoke", { value: makeInvokeMethod(t, r, c) }), a; } function tryCatch(t, e, r) { try { return { type: "normal", arg: t.call(e, r) }; } catch (t) { return { type: "throw", arg: t }; } } e.wrap = wrap; var h = "suspendedStart", l = "suspendedYield", f = "executing", s = "completed", y = {}; function Generator() {} function GeneratorFunction() {} function GeneratorFunctionPrototype() {} var p = {}; define(p, a, function () { return this; }); var d = Object.getPrototypeOf, v = d && d(d(values([]))); v && v !== r && n.call(v, a) && (p = v); var g = GeneratorFunctionPrototype.prototype = Generator.prototype = Object.create(p); function defineIteratorMethods(t) { ["next", "throw", "return"].forEach(function (e) { define(t, e, function (t) { return this._invoke(e, t); }); }); } function AsyncIterator(t, e) { function invoke(r, o, i, a) { var c = tryCatch(t[r], t, o); if ("throw" !== c.type) { var u = c.arg, h = u.value; return h && "object" == _typeof(h) && n.call(h, "__await") ? e.resolve(h.__await).then(function (t) { invoke("next", t, i, a); }, function (t) { invoke("throw", t, i, a); }) : e.resolve(h).then(function (t) { u.value = t, i(u); }, function (t) { return invoke("throw", t, i, a); }); } a(c.arg); } var r; o(this, "_invoke", { value: function value(t, n) { function callInvokeWithMethodAndArg() { return new e(function (e, r) { invoke(t, n, e, r); }); } return r = r ? r.then(callInvokeWithMethodAndArg, callInvokeWithMethodAndArg) : callInvokeWithMethodAndArg(); } }); } function makeInvokeMethod(e, r, n) { var o = h; return function (i, a) { if (o === f) throw Error("Generator is already running"); if (o === s) { if ("throw" === i) throw a; return { value: t, done: !0 }; } for (n.method = i, n.arg = a;;) { var c = n.delegate; if (c) { var u = maybeInvokeDelegate(c, n); if (u) { if (u === y) continue; return u; } } if ("next" === n.method) n.sent = n._sent = n.arg;else if ("throw" === n.method) { if (o === h) throw o = s, n.arg; n.dispatchException(n.arg); } else "return" === n.method && n.abrupt("return", n.arg); o = f; var p = tryCatch(e, r, n); if ("normal" === p.type) { if (o = n.done ? s : l, p.arg === y) continue; return { value: p.arg, done: n.done }; } "throw" === p.type && (o = s, n.method = "throw", n.arg = p.arg); } }; } function maybeInvokeDelegate(e, r) { var n = r.method, o = e.iterator[n]; if (o === t) return r.delegate = null, "throw" === n && e.iterator["return"] && (r.method = "return", r.arg = t, maybeInvokeDelegate(e, r), "throw" === r.method) || "return" !== n && (r.method = "throw", r.arg = new TypeError("The iterator does not provide a '" + n + "' method")), y; var i = tryCatch(o, e.iterator, r.arg); if ("throw" === i.type) return r.method = "throw", r.arg = i.arg, r.delegate = null, y; var a = i.arg; return a ? a.done ? (r[e.resultName] = a.value, r.next = e.nextLoc, "return" !== r.method && (r.method = "next", r.arg = t), r.delegate = null, y) : a : (r.method = "throw", r.arg = new TypeError("iterator result is not an object"), r.delegate = null, y); } function pushTryEntry(t) { var e = { tryLoc: t[0] }; 1 in t && (e.catchLoc = t[1]), 2 in t && (e.finallyLoc = t[2], e.afterLoc = t[3]), this.tryEntries.push(e); } function resetTryEntry(t) { var e = t.completion || {}; e.type = "normal", delete e.arg, t.completion = e; } function Context(t) { this.tryEntries = [{ tryLoc: "root" }], t.forEach(pushTryEntry, this), this.reset(!0); } function values(e) { if (e || "" === e) { var r = e[a]; if (r) return r.call(e); if ("function" == typeof e.next) return e; if (!isNaN(e.length)) { var o = -1, i = function next() { for (; ++o < e.length;) if (n.call(e, o)) return next.value = e[o], next.done = !1, next; return next.value = t, next.done = !0, next; }; return i.next = i; } } throw new TypeError(_typeof(e) + " is not iterable"); } return GeneratorFunction.prototype = GeneratorFunctionPrototype, o(g, "constructor", { value: GeneratorFunctionPrototype, configurable: !0 }), o(GeneratorFunctionPrototype, "constructor", { value: GeneratorFunction, configurable: !0 }), GeneratorFunction.displayName = define(GeneratorFunctionPrototype, u, "GeneratorFunction"), e.isGeneratorFunction = function (t) { var e = "function" == typeof t && t.constructor; return !!e && (e === GeneratorFunction || "GeneratorFunction" === (e.displayName || e.name)); }, e.mark = function (t) { return Object.setPrototypeOf ? Object.setPrototypeOf(t, GeneratorFunctionPrototype) : (t.__proto__ = GeneratorFunctionPrototype, define(t, u, "GeneratorFunction")), t.prototype = Object.create(g), t; }, e.awrap = function (t) { return { __await: t }; }, defineIteratorMethods(AsyncIterator.prototype), define(AsyncIterator.prototype, c, function () { return this; }), e.AsyncIterator = AsyncIterator, e.async = function (t, r, n, o, i) { void 0 === i && (i = Promise); var a = new AsyncIterator(wrap(t, r, n, o), i); return e.isGeneratorFunction(r) ? a : a.next().then(function (t) { return t.done ? t.value : a.next(); }); }, defineIteratorMethods(g), define(g, u, "Generator"), define(g, a, function () { return this; }), define(g, "toString", function () { return "[object Generator]"; }), e.keys = function (t) { var e = Object(t), r = []; for (var n in e) r.push(n); return r.reverse(), function next() { for (; r.length;) { var t = r.pop(); if (t in e) return next.value = t, next.done = !1, next; } return next.done = !0, next; }; }, e.values = values, Context.prototype = { constructor: Context, reset: function reset(e) { if (this.prev = 0, this.next = 0, this.sent = this._sent = t, this.done = !1, this.delegate = null, this.method = "next", this.arg = t, this.tryEntries.forEach(resetTryEntry), !e) for (var r in this) "t" === r.charAt(0) && n.call(this, r) && !isNaN(+r.slice(1)) && (this[r] = t); }, stop: function stop() { this.done = !0; var t = this.tryEntries[0].completion; if ("throw" === t.type) throw t.arg; return this.rval; }, dispatchException: function dispatchException(e) { if (this.done) throw e; var r = this; function handle(n, o) { return a.type = "throw", a.arg = e, r.next = n, o && (r.method = "next", r.arg = t), !!o; } for (var o = this.tryEntries.length - 1; o >= 0; --o) { var i = this.tryEntries[o], a = i.completion; if ("root" === i.tryLoc) return handle("end"); if (i.tryLoc <= this.prev) { var c = n.call(i, "catchLoc"), u = n.call(i, "finallyLoc"); if (c && u) { if (this.prev < i.catchLoc) return handle(i.catchLoc, !0); if (this.prev < i.finallyLoc) return handle(i.finallyLoc); } else if (c) { if (this.prev < i.catchLoc) return handle(i.catchLoc, !0); } else { if (!u) throw Error("try statement without catch or finally"); if (this.prev < i.finallyLoc) return handle(i.finallyLoc); } } } }, abrupt: function abrupt(t, e) { for (var r = this.tryEntries.length - 1; r >= 0; --r) { var o = this.tryEntries[r]; if (o.tryLoc <= this.prev && n.call(o, "finallyLoc") && this.prev < o.finallyLoc) { var i = o; break; } } i && ("break" === t || "continue" === t) && i.tryLoc <= e && e <= i.finallyLoc && (i = null); var a = i ? i.completion : {}; return a.type = t, a.arg = e, i ? (this.method = "next", this.next = i.finallyLoc, y) : this.complete(a); }, complete: function complete(t, e) { if ("throw" === t.type) throw t.arg; return "break" === t.type || "continue" === t.type ? this.next = t.arg : "return" === t.type ? (this.rval = this.arg = t.arg, this.method = "return", this.next = "end") : "normal" === t.type && e && (this.next = e), y; }, finish: function finish(t) { for (var e = this.tryEntries.length - 1; e >= 0; --e) { var r = this.tryEntries[e]; if (r.finallyLoc === t) return this.complete(r.completion, r.afterLoc), resetTryEntry(r), y; } }, "catch": function _catch(t) { for (var e = this.tryEntries.length - 1; e >= 0; --e) { var r = this.tryEntries[e]; if (r.tryLoc === t) { var n = r.completion; if ("throw" === n.type) { var o = n.arg; resetTryEntry(r); } return o; } } throw Error("illegal catch attempt"); }, delegateYield: function delegateYield(e, r, n) { return this.delegate = { iterator: values(e), resultName: r, nextLoc: n }, "next" === this.method && (this.arg = t), y; } }, e; }
 function asyncGeneratorStep(n, t, e, r, o, a, c) { try { var i = n[a](c), u = i.value; } catch (n) { return void e(n); } i.done ? t(u) : Promise.resolve(u).then(r, o); }
 function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; }
+// ---------------------------------------------------------------------------
+// Signed-in user cache (client-side only)
+// ---------------------------------------------------------------------------
+// Caches the result of GetCurrentUser in sessionStorage to avoid re-calling
+// /UserManagement on every hard page reload. The entry is KEYED BY THE ACCESS
+// TOKEN: company/location/impersonation context lives in the token claims, so
+// switching context issues a new token -> new key -> the stale entry is never
+// read. Cleared on logout, and bounded by a short TTL as a backstop. This is
+// purely per-browser; it has no effect on the server handling many users.
+var CURRENT_USER_CACHE_KEY = 'authscape_current_user';
+var CURRENT_USER_TTL_MS = 60 * 1000; // 60s backstop
+
+var readCurrentUserCache = function readCurrentUserCache(token) {
+  if (typeof window === 'undefined' || !token) return null;
+  try {
+    var raw = window.sessionStorage.getItem(CURRENT_USER_CACHE_KEY);
+    if (!raw) return null;
+    var entry = JSON.parse(raw);
+    if (entry.t !== token) return null; // different token => different context
+    if (!entry.exp || entry.exp < Date.now()) return null; // TTL backstop
+    return entry.u;
+  } catch (e) {
+    return null;
+  }
+};
+var writeCurrentUserCache = function writeCurrentUserCache(token, user) {
+  if (typeof window === 'undefined' || !token) return;
+  try {
+    window.sessionStorage.setItem(CURRENT_USER_CACHE_KEY, JSON.stringify({
+      t: token,
+      u: user,
+      exp: Date.now() + CURRENT_USER_TTL_MS
+    }));
+  } catch (e) {/* sessionStorage unavailable (private mode / quota) — skip caching */}
+};
+
+// Clear the cached signed-in user. Call after impersonation / company / location
+// switches, and it is also called automatically on logout and when no token exists.
+var invalidateCurrentUser = exports.invalidateCurrentUser = function invalidateCurrentUser() {
+  if (typeof window === 'undefined') return;
+  try {
+    window.sessionStorage.removeItem(CURRENT_USER_CACHE_KEY);
+  } catch (e) {/* ignore */}
+};
 var setupDefaultOptions = /*#__PURE__*/function () {
   var _ref = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime().mark(function _callee() {
     var ctx,
@@ -9980,42 +10024,63 @@ var apiService = exports.apiService = function apiService() {
     }(),
     GetCurrentUser: function () {
       var _GetCurrentUser = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime().mark(function _callee8() {
-        var accessToken, defaultOptions, response;
+        var forceRefresh,
+          accessToken,
+          cached,
+          defaultOptions,
+          response,
+          _args8 = arguments;
         return _regeneratorRuntime().wrap(function _callee8$(_context8) {
           while (1) switch (_context8.prev = _context8.next) {
             case 0:
-              _context8.prev = 0;
+              forceRefresh = _args8.length > 0 && _args8[0] !== undefined ? _args8[0] : false;
+              _context8.prev = 1;
               accessToken = _jsCookie["default"].get('access_token') || null;
-              if (!accessToken) {
-                _context8.next = 11;
+              if (accessToken) {
+                _context8.next = 6;
                 break;
               }
-              _context8.next = 5;
+              invalidateCurrentUser();
+              return _context8.abrupt("return", null);
+            case 6:
+              if (forceRefresh) {
+                _context8.next = 10;
+                break;
+              }
+              cached = readCurrentUserCache(accessToken);
+              if (!cached) {
+                _context8.next = 10;
+                break;
+              }
+              return _context8.abrupt("return", cached);
+            case 10:
+              _context8.next = 12;
               return setupDefaultOptions(null);
-            case 5:
+            case 12:
               defaultOptions = _context8.sent;
-              _context8.next = 8;
+              _context8.next = 15;
               return instance.get('/UserManagement', defaultOptions);
-            case 8:
+            case 15:
               response = _context8.sent;
               if (!(response != null && response.status == 200)) {
-                _context8.next = 11;
+                _context8.next = 19;
                 break;
               }
+              writeCurrentUserCache(accessToken, response.data);
               return _context8.abrupt("return", response.data);
-            case 11:
-              _context8.next = 15;
+            case 19:
+              _context8.next = 23;
               break;
-            case 13:
-              _context8.prev = 13;
-              _context8.t0 = _context8["catch"](0);
-            case 15:
+            case 21:
+              _context8.prev = 21;
+              _context8.t0 = _context8["catch"](1);
+            case 23:
               return _context8.abrupt("return", null);
-            case 16:
+            case 24:
             case "end":
               return _context8.stop();
           }
-        }, _callee8, null, [[0, 13]]);
+        }, _callee8, null, [[1, 21]]);
       }));
       function GetCurrentUser() {
         return _GetCurrentUser.apply(this, arguments);
@@ -10385,12 +10450,17 @@ var _authService = exports.authService = function authService() {
                 domain: domainHost,
                 secure: typeof window !== "undefined" && window.location.protocol === "https:"
               });
+
+              // Drop the cached signed-in user so the next sign-in never reads a stale identity.
+              try {
+                if (typeof window !== "undefined") window.sessionStorage.removeItem("authscape_current_user");
+              } catch (e) {/* ignore */}
               if (redirectUri == null) {
                 window.location.href = AuthUri + "/connect/logout?redirect=" + window.location.href;
               } else {
                 window.location.href = AuthUri + "/connect/logout?redirect=" + redirectUri;
               }
-            case 7:
+            case 8:
             case "end":
               return _context6.stop();
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authscape",
-  "version": "1.0.778",
+  "version": "1.0.782",
   "description": "",
   "main": "index.js",
   "files": [

package/src/scripts/postinstall.js

@@ -41,6 +41,64 @@ import { createSitemapRoute } from 'authscape/src/lib/sitemap-route';
 export const GET = createSitemapRoute(process.env.apiUri);
 `;
 
+// ---------------------------------------------------------------------------
+// /signin-oidc page templates
+// ---------------------------------------------------------------------------
+// AuthScapeApp reads the PKCE `code` query param from `useSearchParams()`
+// (next/navigation). If the consumer doesn't have a `/signin-oidc` page, the
+// IDP's redirect back lands on Next.js's 404 page — and Webkit/Safari
+// doesn't reliably hydrate `useSearchParams()` on the 404 page. The code is
+// never read, the user is stuck.
+//
+// Making /signin-oidc a real Next.js page (200 status) fixes this in every
+// browser. The page itself is a placeholder; AuthScapeApp's signInValidator
+// does the actual token exchange.
+
+const SIGNIN_OIDC_PAGES_ROUTER_TEMPLATE = `// Auto-generated by AuthScape - Do not edit manually.
+// Exists so /signin-oidc returns HTTP 200 (not the Next.js 404 page).
+// Required for Webkit/Safari: useSearchParams() doesn't hydrate on the 404
+// page in Webkit, so the PKCE 'code' query param is never read and sign-in
+// silently stalls. With this real page in place, AuthScapeApp's
+// signInValidator picks up the code and completes the exchange normally.
+export default function SignInOidc() {
+  return (
+    <div
+      style={{
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "center",
+        minHeight: "60vh",
+        fontFamily: "system-ui, -apple-system, Segoe UI, sans-serif",
+        color: "#666",
+      }}
+    >
+      Signing you in…
+    </div>
+  );
+}
+`;
+
+const SIGNIN_OIDC_APP_ROUTER_TEMPLATE = `// Auto-generated by AuthScape - Do not edit manually.
+// Exists so /signin-oidc returns HTTP 200 (not the Next.js 404 page).
+// Required for Webkit/Safari to pick up the PKCE 'code' query param.
+export default function SignInOidc() {
+  return (
+    <div
+      style={{
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "center",
+        minHeight: "60vh",
+        fontFamily: "system-ui, -apple-system, Segoe UI, sans-serif",
+        color: "#666",
+      }}
+    >
+      Signing you in…
+    </div>
+  );
+}
+`;
+
 function detectProjectStructure() {
   // Get the parent directory where the user ran npm install
   // This goes up from node_modules/authscape to the project root
@@ -118,9 +176,42 @@ function setupSitemap() {
   }
 }
 
+function setupSigninOidc() {
+  const structure = detectProjectStructure();
+  if (!structure) return;
+
+  const targetFile =
+    structure.type === 'app'
+      ? path.join(structure.baseDir, 'signin-oidc', 'page.js')
+      : path.join(structure.baseDir, 'signin-oidc.js');
+
+  if (fs.existsSync(targetFile)) {
+    // File exists, don't overwrite — consumer may have their own handler
+    return;
+  }
+
+  try {
+    fs.mkdirSync(path.dirname(targetFile), { recursive: true });
+    fs.writeFileSync(
+      targetFile,
+      structure.type === 'app' ? SIGNIN_OIDC_APP_ROUTER_TEMPLATE : SIGNIN_OIDC_PAGES_ROUTER_TEMPLATE,
+      'utf8'
+    );
+    console.log(
+      '✅ AuthScape signin-oidc page configured at /signin-oidc (' +
+        (structure.type === 'app' ? 'App Router' : 'Pages Router') +
+        ')'
+    );
+  } catch (error) {
+    console.log('⚠️  Could not auto-configure /signin-oidc:', error.message);
+    console.log('   Without this page, Safari users will fail to sign in.');
+  }
+}
+
 // Run the setup
 try {
   setupSitemap();
+  setupSigninOidc();
 } catch (error) {
   // Completely silent failure to avoid breaking npm install
   // Only log if there's an unexpected error

package/src/services/apiService.js

@@ -3,6 +3,49 @@ import querystring from 'query-string';
 import fileDownload from 'js-file-download';
 import Cookies from 'js-cookie';
 
+// ---------------------------------------------------------------------------
+// Signed-in user cache (client-side only)
+// ---------------------------------------------------------------------------
+// Caches the result of GetCurrentUser in sessionStorage to avoid re-calling
+// /UserManagement on every hard page reload. The entry is KEYED BY THE ACCESS
+// TOKEN: company/location/impersonation context lives in the token claims, so
+// switching context issues a new token -> new key -> the stale entry is never
+// read. Cleared on logout, and bounded by a short TTL as a backstop. This is
+// purely per-browser; it has no effect on the server handling many users.
+const CURRENT_USER_CACHE_KEY = 'authscape_current_user';
+const CURRENT_USER_TTL_MS = 60 * 1000; // 60s backstop
+
+const readCurrentUserCache = (token) => {
+    if (typeof window === 'undefined' || !token) return null;
+    try {
+        const raw = window.sessionStorage.getItem(CURRENT_USER_CACHE_KEY);
+        if (!raw) return null;
+        const entry = JSON.parse(raw);
+        if (entry.t !== token) return null;                 // different token => different context
+        if (!entry.exp || entry.exp < Date.now()) return null; // TTL backstop
+        return entry.u;
+    } catch (e) {
+        return null;
+    }
+};
+
+const writeCurrentUserCache = (token, user) => {
+    if (typeof window === 'undefined' || !token) return;
+    try {
+        window.sessionStorage.setItem(
+            CURRENT_USER_CACHE_KEY,
+            JSON.stringify({ t: token, u: user, exp: Date.now() + CURRENT_USER_TTL_MS })
+        );
+    } catch (e) { /* sessionStorage unavailable (private mode / quota) — skip caching */ }
+};
+
+// Clear the cached signed-in user. Call after impersonation / company / location
+// switches, and it is also called automatically on logout and when no token exists.
+export const invalidateCurrentUser = () => {
+    if (typeof window === 'undefined') return;
+    try { window.sessionStorage.removeItem(CURRENT_USER_CACHE_KEY); } catch (e) { /* ignore */ }
+};
+
 const setupDefaultOptions = async (ctx = null) => {
     let defaultOptions = {};
     if (ctx == null) {
@@ -160,16 +203,25 @@ export const apiService = (ctx = null) => {
                 return error.response;
             }
         },
-        GetCurrentUser: async () => {
+        GetCurrentUser: async (forceRefresh = false) => {
             try {
                 let accessToken = Cookies.get('access_token') || null;
 
-                if (accessToken) {
-                    let defaultOptions = await setupDefaultOptions(null);
-                    const response = await instance.get('/UserManagement', defaultOptions);
-                    if (response != null && response.status == 200) {
-                        return response.data;
-                    }
+                if (!accessToken) {
+                    invalidateCurrentUser();
+                    return null;
+                }
+
+                if (!forceRefresh) {
+                    const cached = readCurrentUserCache(accessToken);
+                    if (cached) return cached;
+                }
+
+                let defaultOptions = await setupDefaultOptions(null);
+                const response = await instance.get('/UserManagement', defaultOptions);
+                if (response != null && response.status == 200) {
+                    writeCurrentUserCache(accessToken, response.data);
+                    return response.data;
                 }
             } catch (exp) {
                 // Token invalid or expired

package/src/services/authService.js

@@ -120,6 +120,9 @@ export const authService = () => {
             Cookies.remove('refresh_token', { path: '/', domain: domainHost, secure: (typeof window !== "undefined" && window.location.protocol === "https:") });
             Cookies.remove('expires_in', { path: '/', domain: domainHost, secure: (typeof window !== "undefined" && window.location.protocol === "https:") });
 
+            // Drop the cached signed-in user so the next sign-in never reads a stale identity.
+            try { if (typeof window !== "undefined") window.sessionStorage.removeItem("authscape_current_user"); } catch (e) { /* ignore */ }
+
             if (redirectUri == null)
             {
                 window.location.href = AuthUri + "/connect/logout?redirect=" + window.location.href;