binoauth 0.0.11 → 0.0.13

package/dist/core/src/oauth/flows/authorization-code.js

@@ -0,0 +1,278 @@
+import { TokenStorage } from "../storage";
+import { generatePKCEPair, generateState, validateState } from "../utils";
+import { AuthError, ErrorCode } from "../error";
+import { BaseFlow } from "./base-flow";
+/**
+ * OAuth 2.0 Authorization Code Flow with PKCE support
+ *
+ * This flow is designed for browser-based applications (SPAs) and mobile apps
+ * where the client cannot securely store a client secret. It uses PKCE
+ * (Proof Key for Code Exchange) for enhanced security.
+ *
+ * @example
+ * ```typescript
+ * const flow = new AuthorizationCodeFlow(config, storage, oauthApi);
+ *
+ * // Step 1: Get authorization URL
+ * const loginUrl = await flow.getLoginUrl();
+ * window.location.href = loginUrl; // Redirect user to BinoAuth
+ *
+ * // Step 2: Handle callback (after user returns from BinoAuth)
+ * const urlParams = new URLSearchParams(window.location.search);
+ * const code = urlParams.get('code');
+ * const state = urlParams.get('state');
+ *
+ * if (code && state) {
+ *   await flow.handleCallback(code, state);
+ *   // User is now authenticated, tokens are stored
+ * }
+ * ```
+ */
+export class AuthorizationCodeFlow extends BaseFlow {
+    loginUrlGenerationInProgress = false;
+    constructor(config, storage, oauthApi) {
+        super(config, storage, oauthApi);
+        if (!config.authorizeEndpoint) {
+            throw new AuthError("Missing authorizeEndpoint in config", ErrorCode.InvalidConfig);
+        }
+        if (!config.tokenEndpoint) {
+            throw new AuthError("Missing tokenEndpoint in config", ErrorCode.InvalidConfig);
+        }
+    }
+    /**
+     * Generates the authorization URL for initiating the OAuth flow
+     *
+     * This method creates a secure authorization URL with PKCE parameters
+     * and stores the necessary state and verifier tokens for later validation.
+     *
+     * @returns Promise resolving to the authorization URL
+     *
+     * @example
+     * ```typescript
+     * const loginUrl = await flow.getLoginUrl();
+     * // Returns: "https://auth.binoauth.com/api/v1/oauth/authorize?response_type=code&client_id=..."
+     *
+     * // Redirect user to the authorization server
+     * window.location.href = loginUrl;
+     * ```
+     *
+     * @throws {AuthError} When authorization endpoint is missing from config
+     */
+    async getLoginUrl() {
+        if (this.loginUrlGenerationInProgress) {
+            console.warn("OAuth login URL generation already in progress - potential race condition");
+        }
+        this.loginUrlGenerationInProgress = true;
+        try {
+            const { verifier, challenge } = await generatePKCEPair();
+            const state = generateState();
+            console.debug("OAuth login URL generation", {
+                generatedState: state,
+                stateLength: state.length,
+                generatedVerifier: verifier.substring(0, 10) + "...",
+                timestamp: new Date().toISOString()
+            });
+            await this.storage.setTokens({
+                state: {
+                    value: state,
+                    expiresAt: Date.now() + 1200000, // 20 minutes
+                },
+                verifier: {
+                    value: verifier,
+                    expiresAt: Date.now() + 1200000, // 20 minutes
+                },
+            });
+            const storedStateToken = await this.storage.getStateToken();
+            console.debug("OAuth state storage verification", {
+                generatedState: state,
+                storedState: storedStateToken?.value,
+                storageWorked: storedStateToken?.value === state,
+                storageExpiry: storedStateToken?.expiresAt
+            });
+            const params = new URLSearchParams({
+                response_type: "code",
+                client_id: this.config.clientId,
+                scope: this.config.scope,
+                state,
+                code_challenge: challenge,
+                code_challenge_method: "S256",
+                redirect_uri: this.config.redirectUri,
+            });
+            const finalUrl = `${this.config.authorizeEndpoint}?${params.toString()}`;
+            console.debug("OAuth login URL complete", {
+                finalUrl,
+                stateInUrl: params.get('state'),
+                stateMatches: params.get('state') === state,
+                urlLength: finalUrl.length
+            });
+            return finalUrl;
+        }
+        finally {
+            this.loginUrlGenerationInProgress = false;
+        }
+    }
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens
+     *
+     * This method validates the state parameter for CSRF protection, then exchanges
+     * the authorization code for access and refresh tokens using PKCE verification.
+     *
+     * @param code - The authorization code returned from the authorization server
+     * @param state - The state parameter returned from the authorization server
+     *
+     * @example
+     * ```typescript
+     * // Extract parameters from callback URL
+     * const urlParams = new URLSearchParams(window.location.search);
+     * const code = urlParams.get('code')!;
+     * const state = urlParams.get('state')!;
+     *
+     * // Exchange code for tokens
+     * await flow.handleCallback(code, state);
+     *
+     * // Tokens are now stored and user is authenticated
+     * const accessToken = await storage.getAccessToken();
+     * ```
+     *
+     * @throws {AuthError} When state validation fails (CSRF protection)
+     * @throws {AuthError} When state or verifier tokens are missing/expired
+     * @throws {AuthError} When token exchange fails
+     */
+    async handleCallback(code, state) {
+        this.checkRateLimit("callback", 10, 5 * 60 * 1000);
+        this.cleanupRateLimiter();
+        console.debug("OAuth callback initiated", {
+            codeLength: code?.length || 0,
+            stateLength: state?.length || 0,
+            timestamp: new Date().toISOString()
+        });
+        const storedStateToken = await this.storage.getStateToken();
+        const verifierToken = await this.storage.getVerifierToken();
+        console.debug("OAuth callback storage state", {
+            hasStoredState: !!storedStateToken,
+            hasVerifier: !!verifierToken,
+            storedStateExpired: storedStateToken ? this.storage.isTokenExpired(storedStateToken) : null,
+            receivedStateLength: state?.length || 0,
+            storedStateLength: storedStateToken?.value?.length || 0
+        });
+        if (!storedStateToken || !verifierToken) {
+            console.warn("OAuth callback failed: missing stored state or verifier", {
+                hasStoredState: !!storedStateToken,
+                hasVerifier: !!verifierToken
+            });
+            this.storage.clearTokens();
+            this.storage.clearStateAndVerifier();
+            throw new AuthError("Authentication session not found - please restart login process", ErrorCode.MissingVerifier);
+        }
+        console.debug("State validation comparison:", {
+            receivedState: state,
+            storedState: storedStateToken.value,
+            lengthsMatch: state.length === storedStateToken.value.length,
+            directEquals: state === storedStateToken.value
+        });
+        if (!validateState(state, storedStateToken.value)) {
+            console.error("State validation failed - detailed comparison:", {
+                receivedState: state,
+                storedState: storedStateToken.value,
+                receivedLength: state.length,
+                storedLength: storedStateToken.value.length,
+                directEquals: state === storedStateToken.value,
+                charDiffs: Array.from({ length: Math.min(state.length, storedStateToken.value.length, 10) }, (_, i) => state.charAt(i) !== storedStateToken.value.charAt(i) ?
+                    `pos${i}: '${state.charAt(i)}' vs '${storedStateToken.value.charAt(i)}'` : null).filter(Boolean)
+            });
+            this.storage.clearTokens();
+            this.storage.clearStateAndVerifier();
+            throw new AuthError("State parameter mismatch - potential CSRF attack", ErrorCode.InvalidState);
+        }
+        if (this.storage.isTokenExpired(storedStateToken)) {
+            this.storage.clearTokens();
+            this.storage.clearStateAndVerifier();
+            throw new AuthError("State parameter expired - possible replay attack", ErrorCode.InvalidState);
+        }
+        if (this.oauthApi) {
+            try {
+                const response = await this.oauthApi.getTokensApiV1OauthTokenPost({
+                    tokenRequest: {
+                        grantType: "authorization_code",
+                        code,
+                        clientId: this.config.clientId,
+                        codeVerifier: verifierToken.value,
+                    }
+                });
+                const tokenSet = this.convertTenantTokenResponse(response);
+                await this.storage.setTokens(tokenSet);
+                this.storage.clearStateAndVerifier();
+                return;
+            }
+            catch (error) {
+                throw new AuthError("Token exchange failed", ErrorCode.TokenExchangeFailed, error.message || "Tenant SDK request failed");
+            }
+        }
+        // Fallback to manual implementation
+        const tokenSet = await this.makeTokenRequest({
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: this.config.redirectUri,
+            client_id: this.config.clientId,
+            code_verifier: verifierToken.value,
+        });
+        await this.storage.setTokens(tokenSet);
+        this.storage.clearStateAndVerifier();
+    }
+    /**
+     * Generates the logout URL for ending the OAuth session
+     *
+     * @returns Promise resolving to the logout URL
+     *
+     * @example
+     * ```typescript
+     * const logoutUrl = await flow.getLogoutUrl();
+     * // Returns: "https://auth.binoauth.com/api/v1/oauth/logout?client_id=..."
+     *
+     * window.location.href = logoutUrl; // Redirect to logout
+     * ```
+     *
+     * @throws {AuthError} When logout endpoint is missing from config
+     */
+    async getLogoutUrl() {
+        if (!this.config.logoutEndpoint) {
+            throw new AuthError("Missing logoutEndpoint in config", ErrorCode.InvalidConfig);
+        }
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+        });
+        return `${this.config.logoutEndpoint}?${params.toString()}`;
+    }
+    /**
+     * Generates the logout page URL with optional return URL
+     *
+     * This URL points to the BinoAuth logout page where the user can
+     * terminate their session and optionally be redirected back.
+     *
+     * @param returnTo - Optional URL to redirect to after logout
+     * @returns Promise resolving to the logout page URL
+     *
+     * @example
+     * ```typescript
+     * // Simple logout
+     * const logoutPageUrl = await flow.getLogoutPageUrl();
+     * // Returns: "https://auth.binoauth.com/auth/logout?client_id=..."
+     *
+     * // Logout with return URL
+     * const logoutPageUrl = await flow.getLogoutPageUrl('https://myapp.com/goodbye');
+     * // Returns: "https://auth.binoauth.com/auth/logout?client_id=...&return_to=..."
+     *
+     * window.location.href = logoutPageUrl;
+     * ```
+     */
+    async getLogoutPageUrl(returnTo) {
+        const url = new URL(this.config.logoutPage);
+        url.searchParams.set("client_id", this.config.clientId);
+        if (returnTo) {
+            url.searchParams.set("return_to", returnTo);
+        }
+        return url.toString();
+    }
+}
+//# sourceMappingURL=authorization-code.js.map

package/dist/core/src/oauth/flows/authorization-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-code.js","sourceRoot":"","sources":["../../../../../src/oauth/flows/authorization-code.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAC1E,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,qBAAsB,SAAQ,QAAQ;IACzC,4BAA4B,GAAG,KAAK,CAAC;IAE7C,YAAY,MAAkB,EAAE,OAAqB,EAAE,QAAoB;QACzE,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEjC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,IAAI,SAAS,CACjB,qCAAqC,EACrC,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,SAAS,CACjB,iCAAiC,EACjC,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,4BAA4B,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAI,CAAC;QAEzC,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACzD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;YAE9B,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE;gBAC1C,cAAc,EAAE,KAAK;gBACrB,WAAW,EAAE,KAAK,CAAC,MAAM;gBACzB,iBAAiB,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACpD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;gBAC3B,KAAK,EAAE;oBACL,KAAK,EAAE,KAAK;oBACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,aAAa;iBAC/C;gBACD,QAAQ,EAAE;oBACR,KAAK,EAAE,QAAQ;oBACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,aAAa;iBAC/C;aACF,CAAC,CAAC;YAEH,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YAC5D,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE;gBAChD,cAAc,EAAE,KAAK;gBACrB,WAAW,EAAE,gBAAgB,EAAE,KAAK;gBACpC,aAAa,EAAE,gBAAgB,EAAE,KAAK,KAAK,KAAK;gBAChD,aAAa,EAAE,gBAAgB,EAAE,SAAS;aAC3C,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,aAAa,EAAE,MAAM;gBACrB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;gBACxB,KAAK;gBACL,cAAc,EAAE,SAAS;gBACzB,qBAAqB,EAAE,MAAM;gBAC7B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACtC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;YAEzE,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE;gBACxC,QAAQ;gBACR,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC;gBAC/B,YAAY,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,KAAK;gBAC3C,SAAS,EAAE,QAAQ,CAAC,MAAM;aAC3B,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,4BAA4B,GAAG,KAAK,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,KAAK,CAAC,cAAc,CAAC,IAAY,EAAE,KAAa;QAC9C,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAE1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE;YACxC,UAAU,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;YAC7B,WAAW,EAAE,KAAK,EAAE,MAAM,IAAI,CAAC;YAC/B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC5D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAE5D,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE;YAC5C,cAAc,EAAE,CAAC,CAAC,gBAAgB;YAClC,WAAW,EAAE,CAAC,CAAC,aAAa;YAC5B,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI;YAC3F,mBAAmB,EAAE,KAAK,EAAE,MAAM,IAAI,CAAC;YACvC,iBAAiB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,IAAI,CAAC;SACxD,CAAC,CAAC;QAEH,IAAI,CAAC,gBAAgB,IAAI,CAAC,aAAa,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,yDAAyD,EAAE;gBACtE,cAAc,EAAE,CAAC,CAAC,gBAAgB;gBAClC,WAAW,EAAE,CAAC,CAAC,aAAa;aAC7B,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;YAErC,MAAM,IAAI,SAAS,CACjB,iEAAiE,EACjE,SAAS,CAAC,eAAe,CAC1B,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE;YAC5C,aAAa,EAAE,KAAK;YACpB,WAAW,EAAE,gBAAgB,CAAC,KAAK;YACnC,YAAY,EAAE,KAAK,CAAC,MAAM,KAAK,gBAAgB,CAAC,KAAK,CAAC,MAAM;YAC5D,YAAY,EAAE,KAAK,KAAK,gBAAgB,CAAC,KAAK;SAC/C,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,gDAAgD,EAAE;gBAC9D,aAAa,EAAE,KAAK;gBACpB,WAAW,EAAE,gBAAgB,CAAC,KAAK;gBACnC,cAAc,EAAE,KAAK,CAAC,MAAM;gBAC5B,YAAY,EAAE,gBAAgB,CAAC,KAAK,CAAC,MAAM;gBAC3C,YAAY,EAAE,KAAK,KAAK,gBAAgB,CAAC,KAAK;gBAC9C,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,gBAAgB,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,EAAC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAClG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;oBACpD,MAAM,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAClF,CAAC,MAAM,CAAC,OAAO,CAAC;aAClB,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;YAErC,MAAM,IAAI,SAAS,CACjB,kDAAkD,EAClD,SAAS,CAAC,YAAY,CACvB,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;YAErC,MAAM,IAAI,SAAS,CACjB,kDAAkD,EAClD,SAAS,CAAC,YAAY,CACvB,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;oBAChE,YAAY,EAAE;wBACZ,SAAS,EAAE,oBAAoB;wBAC/B,IAAI;wBACJ,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;wBAC9B,YAAY,EAAE,aAAa,CAAC,KAAK;qBAClC;iBACF,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;gBACrC,OAAO;YACT,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,uBAAuB,EACvB,SAAS,CAAC,mBAAmB,EAC7B,KAAK,CAAC,OAAO,IAAI,2BAA2B,CAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;YAC3C,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACrC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,aAAa,EAAE,aAAa,CAAC,KAAK;SACnC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACvC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAChC,MAAM,IAAI,SAAS,CACjB,kCAAkC,EAClC,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACtC,CAAC,CAAC;QAEH,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;IAC9D,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,KAAK,CAAC,gBAAgB,CAAC,QAAiB;QACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC5C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;CACF"}

package/dist/core/src/oauth/flows/base-flow.d.ts

@@ -0,0 +1,17 @@
+import type { AuthConfig, TokenSet } from "../types";
+import { TokenStorage } from "../storage";
+import type { OAuth2Api } from "@binoauth/tenant-sdk";
+export declare abstract class BaseFlow {
+    protected config: AuthConfig;
+    protected storage: TokenStorage;
+    protected oauthApi?: OAuth2Api;
+    private rateLimiter;
+    protected constructor(config: AuthConfig, storage: TokenStorage, oauthApi?: OAuth2Api);
+    protected checkRateLimit(operation: string, maxAttempts?: number, windowMs?: number): void;
+    protected cleanupRateLimiter(): void;
+    protected makeTokenRequest(payload: Record<string, string>): Promise<TokenSet>;
+    private convertToTokenSet;
+    protected convertTenantTokenResponse(response: any): TokenSet;
+    protected getIssuerFromEndpoint(): string;
+}
+//# sourceMappingURL=base-flow.d.ts.map

package/dist/core/src/oauth/flows/base-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-flow.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/flows/base-flow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD,8BAAsB,QAAQ;IAC5B,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC;IAC7B,SAAS,CAAC,OAAO,EAAE,YAAY,CAAC;IAChC,SAAS,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC;IAC/B,OAAO,CAAC,WAAW,CAAgE;IAEnF,SAAS,aAAa,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,SAAS;IAMrF,SAAS,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,GAAE,MAAU,EAAE,QAAQ,GAAE,MAAuB,GAAG,IAAI;IAyB7G,SAAS,CAAC,kBAAkB,IAAI,IAAI;cASpB,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;IA8BpF,OAAO,CAAC,iBAAiB;IA4CzB,SAAS,CAAC,0BAA0B,CAAC,QAAQ,EAAE,GAAG,GAAG,QAAQ;IAiB7D,SAAS,CAAC,qBAAqB,IAAI,MAAM;CAG1C"}

package/dist/core/src/oauth/flows/base-flow.js

@@ -0,0 +1,107 @@
+import { TokenStorage } from "../storage";
+import { AuthError, ErrorCode } from "../error";
+export class BaseFlow {
+    config;
+    storage;
+    oauthApi;
+    rateLimiter = new Map();
+    constructor(config, storage, oauthApi) {
+        this.config = config;
+        this.storage = storage;
+        this.oauthApi = oauthApi;
+    }
+    checkRateLimit(operation, maxAttempts = 5, windowMs = 15 * 60 * 1000) {
+        const now = Date.now();
+        const key = `${this.config.clientId}:${operation}`;
+        let limiter = this.rateLimiter.get(key);
+        if (!limiter || now >= limiter.resetTime) {
+            limiter = {
+                count: 0,
+                resetTime: now + windowMs
+            };
+            this.rateLimiter.set(key, limiter);
+        }
+        if (limiter.count >= maxAttempts) {
+            const timeUntilReset = Math.ceil((limiter.resetTime - now) / 1000);
+            throw new AuthError(`Rate limit exceeded for ${operation}. Try again in ${timeUntilReset} seconds.`, ErrorCode.RateLimitExceeded);
+        }
+        limiter.count++;
+    }
+    cleanupRateLimiter() {
+        const now = Date.now();
+        for (const [key, limiter] of this.rateLimiter.entries()) {
+            if (now >= limiter.resetTime) {
+                this.rateLimiter.delete(key);
+            }
+        }
+    }
+    async makeTokenRequest(payload) {
+        const params = new URLSearchParams(payload);
+        const response = await fetch(this.config.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            let errorDetail = "Token request failed";
+            try {
+                const error = await response.json();
+                errorDetail = error.detail || error.error_description || error.error || errorDetail;
+            }
+            catch (e) {
+                errorDetail = await response.text();
+            }
+            throw new AuthError("Token request failed", ErrorCode.TokenExchangeFailed, errorDetail);
+        }
+        const tokens = await response.json();
+        return this.convertToTokenSet(tokens);
+    }
+    convertToTokenSet(tokens) {
+        if (!tokens.access_token || typeof tokens.access_token !== 'string' || tokens.access_token.trim() === '') {
+            throw new AuthError("Invalid token response: missing or invalid access_token", ErrorCode.TokenExchangeFailed);
+        }
+        if (tokens.expires_in === undefined || tokens.expires_in === null || typeof tokens.expires_in !== 'number' || tokens.expires_in <= 0) {
+            throw new AuthError("Invalid token response: missing or invalid expires_in", ErrorCode.TokenExchangeFailed);
+        }
+        if (tokens.refresh_token !== undefined && (typeof tokens.refresh_token !== 'string' || tokens.refresh_token.trim() === '')) {
+            throw new AuthError("Invalid token response: invalid refresh_token", ErrorCode.TokenExchangeFailed);
+        }
+        const tokenSet = {
+            accessToken: {
+                value: tokens.access_token,
+                expiresAt: Date.now() + tokens.expires_in * 1000,
+            },
+        };
+        if (tokens.refresh_token) {
+            tokenSet.refreshToken = {
+                value: tokens.refresh_token,
+            };
+        }
+        if (tokens.id_token) {
+            tokenSet.idToken = {
+                value: tokens.id_token,
+            };
+        }
+        return tokenSet;
+    }
+    convertTenantTokenResponse(response) {
+        const tokenSet = {
+            accessToken: {
+                value: response.accessToken,
+                expiresAt: Date.now() + response.expiresIn * 1000,
+            },
+        };
+        if (response.refreshToken) {
+            tokenSet.refreshToken = {
+                value: response.refreshToken,
+            };
+        }
+        return tokenSet;
+    }
+    getIssuerFromEndpoint() {
+        return this.config.authorizeEndpoint.replace('/api/v1/oauth/authorize', '');
+    }
+}
+//# sourceMappingURL=base-flow.js.map

package/dist/core/src/oauth/flows/base-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-flow.js","sourceRoot":"","sources":["../../../../../src/oauth/flows/base-flow.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAGhD,MAAM,OAAgB,QAAQ;IAClB,MAAM,CAAa;IACnB,OAAO,CAAe;IACtB,QAAQ,CAAa;IACvB,WAAW,GAAsD,IAAI,GAAG,EAAE,CAAC;IAEnF,YAAsB,MAAkB,EAAE,OAAqB,EAAE,QAAoB;QACnF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAES,cAAc,CAAC,SAAiB,EAAE,cAAsB,CAAC,EAAE,WAAmB,EAAE,GAAG,EAAE,GAAG,IAAI;QACpG,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,SAAS,EAAE,CAAC;QAEnD,IAAI,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,CAAC,OAAO,IAAI,GAAG,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACzC,OAAO,GAAG;gBACR,KAAK,EAAE,CAAC;gBACR,SAAS,EAAE,GAAG,GAAG,QAAQ;aAC1B,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,WAAW,EAAE,CAAC;YACjC,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YACnE,MAAM,IAAI,SAAS,CACjB,2BAA2B,SAAS,kBAAkB,cAAc,WAAW,EAC/E,SAAS,CAAC,iBAAiB,CAC5B,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAES,kBAAkB;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,GAAG,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC7B,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IAES,KAAK,CAAC,gBAAgB,CAAC,OAA+B;QAC9D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,WAAW,GAAG,sBAAsB,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,WAAW,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,IAAI,WAAW,CAAC;YACtF,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,WAAW,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,sBAAsB,EACtB,SAAS,CAAC,mBAAmB,EAC7B,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAEO,iBAAiB,CAAC,MAAW;QACnC,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACzG,MAAM,IAAI,SAAS,CACjB,yDAAyD,EACzD,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,IAAI,MAAM,CAAC,UAAU,KAAK,IAAI,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC;YACrI,MAAM,IAAI,SAAS,CACjB,uDAAuD,EACvD,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;YAC3H,MAAM,IAAI,SAAS,CACjB,+CAA+C,EAC/C,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAa;YACzB,WAAW,EAAE;gBACX,KAAK,EAAE,MAAM,CAAC,YAAY;gBAC1B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI;aACjD;SACF,CAAC;QAEF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,QAAQ,CAAC,YAAY,GAAG;gBACtB,KAAK,EAAE,MAAM,CAAC,aAAa;aAC5B,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,QAAQ,CAAC,OAAO,GAAG;gBACjB,KAAK,EAAE,MAAM,CAAC,QAAQ;aACvB,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAES,0BAA0B,CAAC,QAAa;QAChD,MAAM,QAAQ,GAAa;YACzB,WAAW,EAAE;gBACX,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,SAAS,GAAG,IAAI;aAClD;SACF,CAAC;QAEF,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC1B,QAAQ,CAAC,YAAY,GAAG;gBACtB,KAAK,EAAE,QAAQ,CAAC,YAAY;aAC7B,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAES,qBAAqB;QAC7B,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC;CACF"}

package/dist/core/src/oauth/flows/client-credentials.d.ts

@@ -0,0 +1,72 @@
+import type { AuthConfig } from "../types";
+import { TokenStorage } from "../storage";
+import { BaseFlow } from "./base-flow";
+import type { OAuth2Api } from "@binoauth/tenant-sdk";
+/**
+ * OAuth 2.0 Client Credentials Grant
+ *
+ * This flow is used for server-to-server authentication where the client
+ * can securely store a client secret. No user interaction is required.
+ *
+ * @example
+ * ```typescript
+ * const flow = new ClientCredentialsFlow(
+ *   { ...config, clientSecret: 'your_client_secret' },
+ *   storage,
+ *   oauthApi
+ * );
+ *
+ * // Get access token for server-to-server communication
+ * await flow.getTokens();
+ *
+ * // Token is now stored and ready for API calls
+ * const accessToken = await storage.getAccessToken();
+ *
+ * // Use token for API requests
+ * const response = await fetch('/api/protected', {
+ *   headers: {
+ *     'Authorization': `Bearer ${accessToken.value}`
+ *   }
+ * });
+ * ```
+ */
+export declare class ClientCredentialsFlow extends BaseFlow {
+    private clientSecret;
+    constructor(config: AuthConfig & {
+        clientSecret: string;
+    }, storage: TokenStorage, oauthApi?: OAuth2Api);
+    /**
+     * Requests access tokens using client credentials
+     *
+     * This method authenticates the client application itself (not a user)
+     * and obtains an access token for server-to-server communication.
+     *
+     * @example
+     * ```typescript
+     * const flow = new ClientCredentialsFlow(
+     *   {
+     *     ...config,
+     *     clientSecret: 'your_client_secret'
+     *   },
+     *   storage,
+     *   oauthApi
+     * );
+     *
+     * // Request tokens for server-to-server auth
+     * await flow.getTokens();
+     *
+     * // Use the stored token for API calls
+     * const accessToken = await storage.getAccessToken();
+     * const response = await fetch('/api/protected-resource', {
+     *   headers: {
+     *     'Authorization': `Bearer ${accessToken.value}`
+     *   }
+     * });
+     * ```
+     *
+     * @throws {AuthError} When client credentials are invalid
+     * @throws {AuthError} When the token request fails
+     */
+    getTokens(): Promise<void>;
+}
+//# sourceMappingURL=client-credentials.d.ts.map

package/dist/core/src/oauth/flows/client-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/flows/client-credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;IACjD,OAAO,CAAC,YAAY,CAAS;gBAEjB,MAAM,EAAE,UAAU,GAAG;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,SAAS;IAKtG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;CAoCjC"}

package/dist/core/src/oauth/flows/client-credentials.js

@@ -0,0 +1,100 @@
+import { TokenStorage } from "../storage";
+import { AuthError, ErrorCode } from "../error";
+import { BaseFlow } from "./base-flow";
+/**
+ * OAuth 2.0 Client Credentials Grant
+ *
+ * This flow is used for server-to-server authentication where the client
+ * can securely store a client secret. No user interaction is required.
+ *
+ * @example
+ * ```typescript
+ * const flow = new ClientCredentialsFlow(
+ *   { ...config, clientSecret: 'your_client_secret' },
+ *   storage,
+ *   oauthApi
+ * );
+ *
+ * // Get access token for server-to-server communication
+ * await flow.getTokens();
+ *
+ * // Token is now stored and ready for API calls
+ * const accessToken = await storage.getAccessToken();
+ *
+ * // Use token for API requests
+ * const response = await fetch('/api/protected', {
+ *   headers: {
+ *     'Authorization': `Bearer ${accessToken.value}`
+ *   }
+ * });
+ * ```
+ */
+export class ClientCredentialsFlow extends BaseFlow {
+    clientSecret;
+    constructor(config, storage, oauthApi) {
+        super(config, storage, oauthApi);
+        this.clientSecret = config.clientSecret;
+    }
+    /**
+     * Requests access tokens using client credentials
+     *
+     * This method authenticates the client application itself (not a user)
+     * and obtains an access token for server-to-server communication.
+     *
+     * @example
+     * ```typescript
+     * const flow = new ClientCredentialsFlow(
+     *   {
+     *     ...config,
+     *     clientSecret: 'your_client_secret'
+     *   },
+     *   storage,
+     *   oauthApi
+     * );
+     *
+     * // Request tokens for server-to-server auth
+     * await flow.getTokens();
+     *
+     * // Use the stored token for API calls
+     * const accessToken = await storage.getAccessToken();
+     * const response = await fetch('/api/protected-resource', {
+     *   headers: {
+     *     'Authorization': `Bearer ${accessToken.value}`
+     *   }
+     * });
+     * ```
+     *
+     * @throws {AuthError} When client credentials are invalid
+     * @throws {AuthError} When the token request fails
+     */
+    async getTokens() {
+        this.checkRateLimit("client_credentials", 5, 10 * 60 * 1000);
+        if (this.oauthApi) {
+            try {
+                const response = await this.oauthApi.getTokensApiV1OauthTokenPost({
+                    tokenRequest: {
+                        grantType: "client_credentials",
+                        clientId: this.config.clientId,
+                        clientSecret: this.clientSecret,
+                        scope: this.config.scope,
+                    }
+                });
+                const tokenSet = this.convertTenantTokenResponse(response);
+                await this.storage.setTokens(tokenSet);
+                return;
+            }
+            catch (error) {
+                throw new AuthError("Client credentials token request failed", ErrorCode.TokenExchangeFailed, error.message || "Tenant SDK request failed");
+            }
+        }
+        // Fallback to manual implementation
+        const tokenSet = await this.makeTokenRequest({
+            grant_type: "client_credentials",
+            client_id: this.config.clientId,
+            client_secret: this.clientSecret,
+            scope: this.config.scope,
+        });
+        await this.storage.setTokens(tokenSet);
+    }
+}
+//# sourceMappingURL=client-credentials.js.map

package/dist/core/src/oauth/flows/client-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.js","sourceRoot":"","sources":["../../../../../src/oauth/flows/client-credentials.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,OAAO,qBAAsB,SAAQ,QAAQ;IACzC,YAAY,CAAS;IAE7B,YAAY,MAA6C,EAAE,OAAqB,EAAE,QAAoB;QACpG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;IAC1C,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;IACH,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,cAAc,CAAC,oBAAoB,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE7D,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;oBAChE,YAAY,EAAE;wBACZ,SAAS,EAAE,oBAAoB;wBAC/B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;wBAC9B,YAAY,EAAE,IAAI,CAAC,YAAY;wBAC/B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;qBACzB;iBACF,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACvC,OAAO;YACT,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,yCAAyC,EACzC,SAAS,CAAC,mBAAmB,EAC7B,KAAK,CAAC,OAAO,IAAI,2BAA2B,CAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;YAC3C,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;SACzB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;CACF"}