npm - dauth-md-node - Versions diffs - 3.0.2 → 4.0.0 - Mend

dauth-md-node 3.0.2 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/chunk-4A7BR4EM.mjs +82 -0
package/dist/chunk-4A7BR4EM.mjs.map +1 -0
package/dist/index.d.mts +9 -2
package/dist/index.d.ts +9 -2
package/dist/index.js +108 -4
package/dist/index.js.map +1 -1
package/dist/index.mjs +65 -19
package/dist/index.mjs.map +1 -1
package/dist/router.d.mts +16 -0
package/dist/router.d.ts +16 -0
package/dist/router.js +436 -0
package/dist/router.js.map +1 -0
package/dist/router.mjs +333 -0
package/dist/router.mjs.map +1 -0
package/package.json +22 -2
package/src/csrf.ts +18 -0
package/src/index.ts +100 -15
package/src/router.ts +444 -0
package/src/session.ts +81 -0

package/dist/router.js ADDED Viewed

@@ -0,0 +1,436 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/router.ts
+var router_exports = {};
+__export(router_exports, {
+  dauthRouter: () => dauthRouter
+});
+module.exports = __toCommonJS(router_exports);
+var import_express = require("express");
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+// src/api/utils/config.ts
+var apiVersion = "v1";
+var serverDomain = "dauth.ovh";
+function getServerBasePath() {
+  if (process.env.DAUTH_URL) {
+    const base = process.env.DAUTH_URL.replace(/\/+$/, "");
+    return `${base}/api/${apiVersion}`;
+  }
+  const isLocalhost = process.env.NODE_ENV === "development";
+  const serverPort = 4012;
+  const serverLocalUrl = `http://localhost:${serverPort}/api/${apiVersion}`;
+  const serverProdUrl = `https://${serverDomain}/api/${apiVersion}`;
+  return isLocalhost ? serverLocalUrl : serverProdUrl;
+}
+// src/session.ts
+var import_crypto = __toESM(require("crypto"));
+var INFO = "dauth-cookie-enc-v1";
+var DEFAULT_SALT = Buffer.from(
+  "a3f8c1d7e9b24f6081c5d3a7e2f49b0653d81f7a2e94c0b6d8f3a5e1c7b09d42",
+  "hex"
+);
+async function deriveEncryptionKey(tsk, salt) {
+  const saltBuf = salt ? Buffer.from(salt, "hex") : DEFAULT_SALT;
+  return new Promise((resolve, reject) => {
+    import_crypto.default.hkdf(
+      "sha256",
+      Buffer.from(tsk),
+      saltBuf,
+      INFO,
+      32,
+      (err, derivedKey) => {
+        if (err) return reject(err);
+        resolve(Buffer.from(derivedKey));
+      }
+    );
+  });
+}
+function encryptSession(payload, key) {
+  const nonce = import_crypto.default.randomBytes(12);
+  const cipher = import_crypto.default.createCipheriv("aes-256-gcm", key, nonce);
+  const plaintext = JSON.stringify(payload);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return Buffer.concat([nonce, encrypted, authTag]).toString("base64");
+}
+function decryptSession(ciphertext, key) {
+  try {
+    const buf = Buffer.from(ciphertext, "base64");
+    if (buf.length < 12 + 16) return null;
+    const nonce = buf.subarray(0, 12);
+    const authTag = buf.subarray(buf.length - 16);
+    const encrypted = buf.subarray(12, buf.length - 16);
+    const decipher = import_crypto.default.createDecipheriv("aes-256-gcm", key, nonce);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final()
+    ]);
+    return JSON.parse(decrypted.toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+function decryptSessionWithKeys(ciphertext, keys) {
+  for (const key of keys) {
+    const result = decryptSession(ciphertext, key);
+    if (result) return result;
+  }
+  return null;
+}
+// src/csrf.ts
+var import_crypto2 = __toESM(require("crypto"));
+function generateCsrfToken() {
+  return import_crypto2.default.randomBytes(32).toString("hex");
+}
+function verifyCsrf(req, csrfCookieName) {
+  const headerToken = req.headers["x-csrf-token"];
+  const cookieToken = req.cookies?.[csrfCookieName];
+  if (!headerToken || !cookieToken) return false;
+  return headerToken === cookieToken;
+}
+// src/router.ts
+var refreshLocks = /* @__PURE__ */ new Map();
+function lockKey(refreshToken) {
+  return refreshToken.substring(0, 16);
+}
+function clearStaleLocks() {
+  if (refreshLocks.size > 100) refreshLocks.clear();
+}
+async function resolveConfig(opts) {
+  const secure = opts.secure ?? process.env.NODE_ENV !== "development";
+  const cookieName = opts.cookieName ?? (secure ? "__Host-dauth-session" : "dauth-session");
+  const csrfCookieName = opts.csrfCookieName ?? (secure ? "__Host-csrf" : "csrf-token");
+  const maxAgeMs = (opts.maxAge ?? 30 * 24 * 3600) * 1e3;
+  const keys = [];
+  keys.push(await deriveEncryptionKey(opts.tsk, opts.sessionSalt));
+  if (opts.previousTsk) {
+    keys.push(
+      await deriveEncryptionKey(opts.previousTsk, opts.sessionSalt)
+    );
+  }
+  let dauthBasePath;
+  if (opts.dauthUrl) {
+    dauthBasePath = `${opts.dauthUrl.replace(/\/+$/, "")}/api/v1`;
+  } else {
+    dauthBasePath = getServerBasePath();
+  }
+  return {
+    domainName: opts.domainName,
+    dauthBasePath,
+    cookieName,
+    csrfCookieName,
+    maxAgeMs,
+    secure,
+    encKeys: keys
+  };
+}
+function setSessionCookie(res, payload, config) {
+  const encrypted = encryptSession(payload, config.encKeys[0]);
+  const cookieOpts = {
+    httpOnly: true,
+    secure: config.secure,
+    sameSite: "lax",
+    maxAge: config.maxAgeMs,
+    path: "/"
+  };
+  if (!config.secure) {
+  }
+  res.cookie(config.cookieName, encrypted, cookieOpts);
+}
+function setCsrfCookie(res, config) {
+  const csrfToken = generateCsrfToken();
+  res.cookie(config.csrfCookieName, csrfToken, {
+    httpOnly: false,
+    secure: config.secure,
+    sameSite: "lax",
+    maxAge: config.maxAgeMs,
+    path: "/"
+  });
+}
+function clearCookies(res, config) {
+  const baseOpts = { path: "/", secure: config.secure };
+  res.clearCookie(config.cookieName, baseOpts);
+  res.clearCookie(config.csrfCookieName, baseOpts);
+}
+function readSession(req, config) {
+  const cookie = req.cookies?.[config.cookieName];
+  if (!cookie) return null;
+  return decryptSessionWithKeys(cookie, config.encKeys);
+}
+function isTokenExpiringSoon(token, thresholdMs = 3e5) {
+  try {
+    const decoded = import_jsonwebtoken.default.decode(token);
+    if (!decoded?.exp) return true;
+    return decoded.exp * 1e3 - Date.now() < thresholdMs;
+  } catch {
+    return true;
+  }
+}
+async function maybeRefreshTokens(session, config, res) {
+  if (!isTokenExpiringSoon(session.accessToken)) return session;
+  const key = lockKey(session.refreshToken);
+  clearStaleLocks();
+  const existingLock = refreshLocks.get(key);
+  if (existingLock) {
+    const result2 = await existingLock;
+    return result2 ?? session;
+  }
+  const refreshPromise = (async () => {
+    try {
+      const response = await fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/refresh-token`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            refreshToken: session.refreshToken
+          })
+        }
+      );
+      if (!response.ok) return null;
+      const data = await response.json();
+      if (!data.accessToken || !data.refreshToken) return null;
+      const newSession = {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken
+      };
+      setSessionCookie(res, newSession, config);
+      return newSession;
+    } catch {
+      return null;
+    }
+  })();
+  refreshLocks.set(key, refreshPromise);
+  const timeout = setTimeout(() => refreshLocks.delete(key), 1e4);
+  refreshPromise.finally(() => {
+    clearTimeout(timeout);
+    refreshLocks.delete(key);
+  });
+  const result = await refreshPromise;
+  return result ?? session;
+}
+function dauthRouter(opts) {
+  const router = (0, import_express.Router)();
+  let configPromise = null;
+  async function getConfig() {
+    if (!configPromise) configPromise = resolveConfig(opts);
+    return configPromise;
+  }
+  router.post("/exchange-code", async (req, res) => {
+    const config = await getConfig();
+    const { code } = req.body;
+    if (!code) {
+      return res.status(400).send({ status: "code-required", message: "Code required" });
+    }
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/exchange-code`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code })
+      }
+    );
+    if (!response.ok) {
+      return res.status(response.status).send({ status: "code-invalid", message: "Code invalid" });
+    }
+    const data = await response.json();
+    setSessionCookie(
+      res,
+      {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken
+      },
+      config
+    );
+    setCsrfCookie(res, config);
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "GET",
+        headers: { Authorization: data.accessToken }
+      }
+    );
+    const userData = await userResponse.json();
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain,
+      isNewUser: data.isNewUser
+    });
+  });
+  router.get("/session", async (req, res) => {
+    const config = await getConfig();
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+    const userResponse = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "GET",
+        headers: { Authorization: refreshed.accessToken }
+      }
+    );
+    if (!userResponse.ok) {
+      clearCookies(res, config);
+      return res.status(401).send({ status: "session-invalid", message: "Session expired" });
+    }
+    const userData = await userResponse.json();
+    return res.status(200).send({
+      user: userData.user,
+      domain: userData.domain
+    });
+  });
+  router.post("/logout", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (session) {
+      fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/logout`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            refreshToken: session.refreshToken
+          })
+        }
+      ).catch(() => {
+      });
+    }
+    clearCookies(res, config);
+    return res.status(200).send({ status: "success", message: "Logged out" });
+  });
+  router.patch("/user", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const refreshed = await maybeRefreshTokens(session, config, res);
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "PATCH",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: refreshed.accessToken
+        },
+        body: JSON.stringify(req.body)
+      }
+    );
+    const data = await response.json();
+    return res.status(response.status).send(data);
+  });
+  router.delete("/user", async (req, res) => {
+    const config = await getConfig();
+    if (!verifyCsrf(req, config.csrfCookieName)) {
+      return res.status(403).send({ status: "csrf-invalid", message: "CSRF token invalid" });
+    }
+    const session = readSession(req, config);
+    if (!session) {
+      return res.status(401).send({ status: "no-session", message: "Not authenticated" });
+    }
+    const response = await fetch(
+      `${config.dauthBasePath}/app/${config.domainName}/user`,
+      {
+        method: "DELETE",
+        headers: { Authorization: session.accessToken }
+      }
+    );
+    const data = await response.json();
+    clearCookies(res, config);
+    return res.status(response.status).send(data);
+  });
+  router.get(
+    "/profile-redirect",
+    async (req, res) => {
+      const config = await getConfig();
+      if (!verifyCsrf(req, config.csrfCookieName)) {
+        return res.status(403).send({
+          status: "csrf-invalid",
+          message: "CSRF token invalid"
+        });
+      }
+      const session = readSession(req, config);
+      if (!session) {
+        return res.status(401).send({
+          status: "no-session",
+          message: "Not authenticated"
+        });
+      }
+      const refreshed = await maybeRefreshTokens(
+        session,
+        config,
+        res
+      );
+      const response = await fetch(
+        `${config.dauthBasePath}/app/${config.domainName}/profile-code`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: refreshed.accessToken
+          }
+        }
+      );
+      if (!response.ok) {
+        return res.status(response.status).send({
+          status: "profile-code-error",
+          message: "Could not generate profile code"
+        });
+      }
+      const data = await response.json();
+      const dauthFrontendUrl = opts.dauthUrl ? opts.dauthUrl.replace(/\/+$/, "") : process.env.DAUTH_URL ? process.env.DAUTH_URL.replace(/\/+$/, "") : process.env.NODE_ENV === "development" ? "http://localhost:5185" : "https://dauth.ovh";
+      return res.status(200).send({
+        redirectUrl: `${dauthFrontendUrl}/${config.domainName}/update-user?code=${data.code}`
+      });
+    }
+  );
+  return router;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  dauthRouter
+});
+//# sourceMappingURL=router.js.map

package/dist/router.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/router.ts","../src/api/utils/config.ts","../src/session.ts","../src/csrf.ts"],"sourcesContent":["import { Router, Request, Response } from 'express';\nimport jwt from 'jsonwebtoken';\nimport { getServerBasePath } from './api/utils/config';\nimport {\n deriveEncryptionKey,\n encryptSession,\n decryptSessionWithKeys,\n SessionPayload,\n} from './session';\nimport { generateCsrfToken, verifyCsrf } from './csrf';\n\nexport interface DauthRouterOptions {\n domainName: string;\n tsk: string;\n dauthUrl?: string;\n cookieName?: string;\n csrfCookieName?: string;\n maxAge?: number;\n secure?: boolean;\n previousTsk?: string;\n sessionSalt?: string;\n}\n\ninterface ResolvedConfig {\n domainName: string;\n dauthBasePath: string;\n cookieName: string;\n csrfCookieName: string;\n maxAgeMs: number;\n secure: boolean;\n encKeys: Buffer[];\n}\n\n// Refresh lock to prevent race conditions on concurrent token rotation\nconst refreshLocks = new Map<string, Promise<SessionPayload | null>>();\n\nfunction lockKey(refreshToken: string): string {\n return refreshToken.substring(0, 16);\n}\n\nfunction clearStaleLocks(): void {\n if (refreshLocks.size > 100) refreshLocks.clear();\n}\n\nasync function resolveConfig(\n opts: DauthRouterOptions\n): Promise<ResolvedConfig> {\n const secure =\n opts.secure ?? process.env.NODE_ENV !== 'development';\n const cookieName =\n opts.cookieName ??\n (secure ? '__Host-dauth-session' : 'dauth-session');\n const csrfCookieName =\n opts.csrfCookieName ?? (secure ? '__Host-csrf' : 'csrf-token');\n const maxAgeMs = (opts.maxAge ?? 30 * 24 * 3600) * 1000;\n\n const keys: Buffer[] = [];\n keys.push(await deriveEncryptionKey(opts.tsk, opts.sessionSalt));\n if (opts.previousTsk) {\n keys.push(\n await deriveEncryptionKey(opts.previousTsk, opts.sessionSalt)\n );\n }\n\n let dauthBasePath: string;\n if (opts.dauthUrl) {\n dauthBasePath = `${opts.dauthUrl.replace(/\\/+$/, '')}/api/v1`;\n } else {\n dauthBasePath = getServerBasePath();\n }\n\n return {\n domainName: opts.domainName,\n dauthBasePath,\n cookieName,\n csrfCookieName,\n maxAgeMs,\n secure,\n encKeys: keys,\n };\n}\n\nfunction setSessionCookie(\n res: Response,\n payload: SessionPayload,\n config: ResolvedConfig\n): void {\n const encrypted = encryptSession(payload, config.encKeys[0]);\n const cookieOpts: Record<string, unknown> = {\n httpOnly: true,\n secure: config.secure,\n sameSite: 'lax',\n maxAge: config.maxAgeMs,\n path: '/',\n };\n // __Host- prefix requires no domain attribute\n if (!config.secure) {\n // Dev mode: no __Host- prefix, no domain restriction needed\n }\n res.cookie(config.cookieName, encrypted, cookieOpts);\n}\n\nfunction setCsrfCookie(res: Response, config: ResolvedConfig): void {\n const csrfToken = generateCsrfToken();\n res.cookie(config.csrfCookieName, csrfToken, {\n httpOnly: false,\n secure: config.secure,\n sameSite: 'lax',\n maxAge: config.maxAgeMs,\n path: '/',\n });\n}\n\nfunction clearCookies(res: Response, config: ResolvedConfig): void {\n const baseOpts = { path: '/', secure: config.secure };\n res.clearCookie(config.cookieName, baseOpts);\n res.clearCookie(config.csrfCookieName, baseOpts);\n}\n\nfunction readSession(\n req: Request,\n config: ResolvedConfig\n): SessionPayload | null {\n const cookie = req.cookies?.[config.cookieName];\n if (!cookie) return null;\n return decryptSessionWithKeys(cookie, config.encKeys);\n}\n\nfunction isTokenExpiringSoon(token: string, thresholdMs = 300_000): boolean {\n try {\n const decoded = jwt.decode(token) as { exp?: number } | null;\n if (!decoded?.exp) return true;\n return decoded.exp * 1000 - Date.now() < thresholdMs;\n } catch {\n return true;\n }\n}\n\nasync function maybeRefreshTokens(\n session: SessionPayload,\n config: ResolvedConfig,\n res: Response\n): Promise<SessionPayload> {\n if (!isTokenExpiringSoon(session.accessToken)) return session;\n\n const key = lockKey(session.refreshToken);\n clearStaleLocks();\n\n const existingLock = refreshLocks.get(key);\n if (existingLock) {\n const result = await existingLock;\n return result ?? session;\n }\n\n const refreshPromise = (async (): Promise<SessionPayload | null> => {\n try {\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/refresh-token`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n refreshToken: session.refreshToken,\n }),\n }\n );\n if (!response.ok) return null;\n const data = (await response.json()) as {\n accessToken?: string;\n refreshToken?: string;\n };\n if (!data.accessToken || !data.refreshToken) return null;\n const newSession: SessionPayload = {\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n };\n setSessionCookie(res, newSession, config);\n return newSession;\n } catch {\n return null;\n }\n })();\n\n refreshLocks.set(key, refreshPromise);\n\n // Timeout safety net: clean lock after 10s\n const timeout = setTimeout(() => refreshLocks.delete(key), 10_000);\n refreshPromise.finally(() => {\n clearTimeout(timeout);\n refreshLocks.delete(key);\n });\n\n const result = await refreshPromise;\n return result ?? session;\n}\n\nexport function dauthRouter(opts: DauthRouterOptions): Router {\n const router = Router();\n let configPromise: Promise<ResolvedConfig> | null = null;\n\n async function getConfig(): Promise<ResolvedConfig> {\n if (!configPromise) configPromise = resolveConfig(opts);\n return configPromise;\n }\n\n // POST /exchange-code — no CSRF (no prior session)\n router.post('/exchange-code', async (req: Request, res: Response) => {\n const config = await getConfig();\n const { code } = req.body;\n if (!code) {\n return res\n .status(400)\n .send({ status: 'code-required', message: 'Code required' });\n }\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/exchange-code`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ code }),\n }\n );\n if (!response.ok) {\n return res\n .status(response.status)\n .send({ status: 'code-invalid', message: 'Code invalid' });\n }\n const data = (await response.json()) as {\n accessToken: string;\n refreshToken: string;\n isNewUser: boolean;\n };\n\n setSessionCookie(\n res,\n {\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n },\n config\n );\n setCsrfCookie(res, config);\n\n // Fetch user data to return\n const userResponse = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'GET',\n headers: { Authorization: data.accessToken },\n }\n );\n const userData = (await userResponse.json()) as {\n user?: unknown;\n domain?: unknown;\n };\n\n return res.status(200).send({\n user: userData.user,\n domain: userData.domain,\n isNewUser: data.isNewUser,\n });\n });\n\n // GET /session — no CSRF (read-only)\n router.get('/session', async (req: Request, res: Response) => {\n const config = await getConfig();\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n\n const refreshed = await maybeRefreshTokens(session, config, res);\n\n const userResponse = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'GET',\n headers: { Authorization: refreshed.accessToken },\n }\n );\n if (!userResponse.ok) {\n clearCookies(res, config);\n return res\n .status(401)\n .send({ status: 'session-invalid', message: 'Session expired' });\n }\n const userData = (await userResponse.json()) as {\n user?: unknown;\n domain?: unknown;\n };\n return res.status(200).send({\n user: userData.user,\n domain: userData.domain,\n });\n });\n\n // POST /logout — CSRF required\n router.post('/logout', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (session) {\n // Revoke refresh token server-to-server (fire-and-forget)\n fetch(\n `${config.dauthBasePath}/app/${config.domainName}/logout`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n refreshToken: session.refreshToken,\n }),\n }\n ).catch(() => {});\n }\n clearCookies(res, config);\n return res\n .status(200)\n .send({ status: 'success', message: 'Logged out' });\n });\n\n // PATCH /user — CSRF required\n router.patch('/user', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n const refreshed = await maybeRefreshTokens(session, config, res);\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'PATCH',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: refreshed.accessToken,\n },\n body: JSON.stringify(req.body),\n }\n );\n const data = await response.json();\n return res.status(response.status).send(data);\n });\n\n // DELETE /user — CSRF required\n router.delete('/user', async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res\n .status(403)\n .send({ status: 'csrf-invalid', message: 'CSRF token invalid' });\n }\n const session = readSession(req, config);\n if (!session) {\n return res\n .status(401)\n .send({ status: 'no-session', message: 'Not authenticated' });\n }\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/user`,\n {\n method: 'DELETE',\n headers: { Authorization: session.accessToken },\n }\n );\n const data = await response.json();\n clearCookies(res, config);\n return res.status(response.status).send(data);\n });\n\n // GET /profile-redirect — CSRF required (generates profile code)\n router.get(\n '/profile-redirect',\n async (req: Request, res: Response) => {\n const config = await getConfig();\n if (!verifyCsrf(req, config.csrfCookieName)) {\n return res.status(403).send({\n status: 'csrf-invalid',\n message: 'CSRF token invalid',\n });\n }\n const session = readSession(req, config);\n if (!session) {\n return res.status(401).send({\n status: 'no-session',\n message: 'Not authenticated',\n });\n }\n const refreshed = await maybeRefreshTokens(\n session,\n config,\n res\n );\n\n const response = await fetch(\n `${config.dauthBasePath}/app/${config.domainName}/profile-code`,\n {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: refreshed.accessToken,\n },\n }\n );\n if (!response.ok) {\n return res.status(response.status).send({\n status: 'profile-code-error',\n message: 'Could not generate profile code',\n });\n }\n const data = (await response.json()) as { code: string };\n\n // Build redirect URL to dauth frontend\n const dauthFrontendUrl = opts.dauthUrl\n ? opts.dauthUrl.replace(/\\/+$/, '')\n : process.env.DAUTH_URL\n ? process.env.DAUTH_URL.replace(/\\/+$/, '')\n : process.env.NODE_ENV === 'development'\n ? 'http://localhost:5185'\n : 'https://dauth.ovh';\n\n return res.status(200).send({\n redirectUrl: `${dauthFrontendUrl}/${config.domainName}/update-user?code=${data.code}`,\n });\n }\n );\n\n return router;\n}\n","export const apiVersion = 'v1';\nexport const serverDomain = 'dauth.ovh';\n\nexport function getServerBasePath(): string {\n if (process.env.DAUTH_URL) {\n const base = process.env.DAUTH_URL.replace(/\\/+$/, '');\n return `${base}/api/${apiVersion}`;\n }\n\n const isLocalhost = process.env.NODE_ENV === 'development';\n const serverPort = 4012;\n const serverLocalUrl = `http://localhost:${serverPort}/api/${apiVersion}`;\n const serverProdUrl = `https://${serverDomain}/api/${apiVersion}`;\n return isLocalhost ? serverLocalUrl : serverProdUrl;\n}\n","import crypto from 'crypto';\n\nexport interface SessionPayload {\n accessToken: string;\n refreshToken: string;\n}\n\nconst INFO = 'dauth-cookie-enc-v1';\nconst DEFAULT_SALT = Buffer.from(\n 'a3f8c1d7e9b24f6081c5d3a7e2f49b0653d81f7a2e94c0b6d8f3a5e1c7b09d42',\n 'hex'\n);\n\nexport async function deriveEncryptionKey(\n tsk: string,\n salt?: string\n): Promise<Buffer> {\n const saltBuf = salt ? Buffer.from(salt, 'hex') : DEFAULT_SALT;\n return new Promise((resolve, reject) => {\n crypto.hkdf(\n 'sha256',\n Buffer.from(tsk),\n saltBuf,\n INFO,\n 32,\n (err, derivedKey) => {\n if (err) return reject(err);\n resolve(Buffer.from(derivedKey));\n }\n );\n });\n}\n\nexport function encryptSession(\n payload: SessionPayload,\n key: Buffer\n): string {\n const nonce = crypto.randomBytes(12);\n const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);\n const plaintext = JSON.stringify(payload);\n const encrypted = Buffer.concat([\n cipher.update(plaintext, 'utf8'),\n cipher.final(),\n ]);\n const authTag = cipher.getAuthTag();\n // Format: base64(nonce + ciphertext + authTag)\n return Buffer.concat([nonce, encrypted, authTag]).toString('base64');\n}\n\nexport function decryptSession(\n ciphertext: string,\n key: Buffer\n): SessionPayload | null {\n try {\n const buf = Buffer.from(ciphertext, 'base64');\n if (buf.length < 12 + 16) return null; // nonce(12) + authTag(16) minimum\n const nonce = buf.subarray(0, 12);\n const authTag = buf.subarray(buf.length - 16);\n const encrypted = buf.subarray(12, buf.length - 16);\n const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);\n decipher.setAuthTag(authTag);\n const decrypted = Buffer.concat([\n decipher.update(encrypted),\n decipher.final(),\n ]);\n return JSON.parse(decrypted.toString('utf8')) as SessionPayload;\n } catch {\n return null;\n }\n}\n\nexport function decryptSessionWithKeys(\n ciphertext: string,\n keys: Buffer[]\n): SessionPayload | null {\n for (const key of keys) {\n const result = decryptSession(ciphertext, key);\n if (result) return result;\n }\n return null;\n}\n","import crypto from 'crypto';\nimport type { Request } from 'express';\n\nexport function generateCsrfToken(): string {\n return crypto.randomBytes(32).toString('hex');\n}\n\nexport function verifyCsrf(\n req: Request,\n csrfCookieName: string\n): boolean {\n const headerToken = req.headers['x-csrf-token'] as string | undefined;\n const cookieToken = req.cookies?.[csrfCookieName] as\n | string\n | undefined;\n if (!headerToken || !cookieToken) return false;\n return headerToken === cookieToken;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAA0C;AAC1C,0BAAgB;;;ACDT,IAAM,aAAa;AACnB,IAAM,eAAe;AAErB,SAAS,oBAA4B;AAC1C,MAAI,QAAQ,IAAI,WAAW;AACzB,UAAM,OAAO,QAAQ,IAAI,UAAU,QAAQ,QAAQ,EAAE;AACrD,WAAO,GAAG,IAAI,QAAQ,UAAU;AAAA,EAClC;AAEA,QAAM,cAAc,QAAQ,IAAI,aAAa;AAC7C,QAAM,aAAa;AACnB,QAAM,iBAAiB,oBAAoB,UAAU,QAAQ,UAAU;AACvE,QAAM,gBAAgB,WAAW,YAAY,QAAQ,UAAU;AAC/D,SAAO,cAAc,iBAAiB;AACxC;;;ACdA,oBAAmB;AAOnB,IAAM,OAAO;AACb,IAAM,eAAe,OAAO;AAAA,EAC1B;AAAA,EACA;AACF;AAEA,eAAsB,oBACpB,KACA,MACiB;AACjB,QAAM,UAAU,OAAO,OAAO,KAAK,MAAM,KAAK,IAAI;AAClD,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,kBAAAA,QAAO;AAAA,MACL;AAAA,MACA,OAAO,KAAK,GAAG;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA,CAAC,KAAK,eAAe;AACnB,YAAI,IAAK,QAAO,OAAO,GAAG;AAC1B,gBAAQ,OAAO,KAAK,UAAU,CAAC;AAAA,MACjC;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAEO,SAAS,eACd,SACA,KACQ;AACR,QAAM,QAAQ,cAAAA,QAAO,YAAY,EAAE;AACnC,QAAM,SAAS,cAAAA,QAAO,eAAe,eAAe,KAAK,KAAK;AAC9D,QAAM,YAAY,KAAK,UAAU,OAAO;AACxC,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACf,CAAC;AACD,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO,OAAO,OAAO,CAAC,OAAO,WAAW,OAAO,CAAC,EAAE,SAAS,QAAQ;AACrE;AAEO,SAAS,eACd,YACA,KACuB;AACvB,MAAI;AACF,UAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAC5C,QAAI,IAAI,SAAS,KAAK,GAAI,QAAO;AACjC,UAAM,QAAQ,IAAI,SAAS,GAAG,EAAE;AAChC,UAAM,UAAU,IAAI,SAAS,IAAI,SAAS,EAAE;AAC5C,UAAM,YAAY,IAAI,SAAS,IAAI,IAAI,SAAS,EAAE;AAClD,UAAM,WAAW,cAAAA,QAAO,iBAAiB,eAAe,KAAK,KAAK;AAClE,aAAS,WAAW,OAAO;AAC3B,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,SAAS,OAAO,SAAS;AAAA,MACzB,SAAS,MAAM;AAAA,IACjB,CAAC;AACD,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,uBACd,YACA,MACuB;AACvB,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,eAAe,YAAY,GAAG;AAC7C,QAAI,OAAQ,QAAO;AAAA,EACrB;AACA,SAAO;AACT;;;AChFA,IAAAC,iBAAmB;AAGZ,SAAS,oBAA4B;AAC1C,SAAO,eAAAC,QAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC9C;AAEO,SAAS,WACd,KACA,gBACS;AACT,QAAM,cAAc,IAAI,QAAQ,cAAc;AAC9C,QAAM,cAAc,IAAI,UAAU,cAAc;AAGhD,MAAI,CAAC,eAAe,CAAC,YAAa,QAAO;AACzC,SAAO,gBAAgB;AACzB;;;AHiBA,IAAM,eAAe,oBAAI,IAA4C;AAErE,SAAS,QAAQ,cAA8B;AAC7C,SAAO,aAAa,UAAU,GAAG,EAAE;AACrC;AAEA,SAAS,kBAAwB;AAC/B,MAAI,aAAa,OAAO,IAAK,cAAa,MAAM;AAClD;AAEA,eAAe,cACb,MACyB;AACzB,QAAM,SACJ,KAAK,UAAU,QAAQ,IAAI,aAAa;AAC1C,QAAM,aACJ,KAAK,eACJ,SAAS,yBAAyB;AACrC,QAAM,iBACJ,KAAK,mBAAmB,SAAS,gBAAgB;AACnD,QAAM,YAAY,KAAK,UAAU,KAAK,KAAK,QAAQ;AAEnD,QAAM,OAAiB,CAAC;AACxB,OAAK,KAAK,MAAM,oBAAoB,KAAK,KAAK,KAAK,WAAW,CAAC;AAC/D,MAAI,KAAK,aAAa;AACpB,SAAK;AAAA,MACH,MAAM,oBAAoB,KAAK,aAAa,KAAK,WAAW;AAAA,IAC9D;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,KAAK,UAAU;AACjB,oBAAgB,GAAG,KAAK,SAAS,QAAQ,QAAQ,EAAE,CAAC;AAAA,EACtD,OAAO;AACL,oBAAgB,kBAAkB;AAAA,EACpC;AAEA,SAAO;AAAA,IACL,YAAY,KAAK;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AACF;AAEA,SAAS,iBACP,KACA,SACA,QACM;AACN,QAAM,YAAY,eAAe,SAAS,OAAO,QAAQ,CAAC,CAAC;AAC3D,QAAM,aAAsC;AAAA,IAC1C,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,MAAM;AAAA,EACR;AAEA,MAAI,CAAC,OAAO,QAAQ;AAAA,EAEpB;AACA,MAAI,OAAO,OAAO,YAAY,WAAW,UAAU;AACrD;AAEA,SAAS,cAAc,KAAe,QAA8B;AAClE,QAAM,YAAY,kBAAkB;AACpC,MAAI,OAAO,OAAO,gBAAgB,WAAW;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,UAAU;AAAA,IACV,QAAQ,OAAO;AAAA,IACf,MAAM;AAAA,EACR,CAAC;AACH;AAEA,SAAS,aAAa,KAAe,QAA8B;AACjE,QAAM,WAAW,EAAE,MAAM,KAAK,QAAQ,OAAO,OAAO;AACpD,MAAI,YAAY,OAAO,YAAY,QAAQ;AAC3C,MAAI,YAAY,OAAO,gBAAgB,QAAQ;AACjD;AAEA,SAAS,YACP,KACA,QACuB;AACvB,QAAM,SAAS,IAAI,UAAU,OAAO,UAAU;AAC9C,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,uBAAuB,QAAQ,OAAO,OAAO;AACtD;AAEA,SAAS,oBAAoB,OAAe,cAAc,KAAkB;AAC1E,MAAI;AACF,UAAM,UAAU,oBAAAC,QAAI,OAAO,KAAK;AAChC,QAAI,CAAC,SAAS,IAAK,QAAO;AAC1B,WAAO,QAAQ,MAAM,MAAO,KAAK,IAAI,IAAI;AAAA,EAC3C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,mBACb,SACA,QACA,KACyB;AACzB,MAAI,CAAC,oBAAoB,QAAQ,WAAW,EAAG,QAAO;AAEtD,QAAM,MAAM,QAAQ,QAAQ,YAAY;AACxC,kBAAgB;AAEhB,QAAM,eAAe,aAAa,IAAI,GAAG;AACzC,MAAI,cAAc;AAChB,UAAMC,UAAS,MAAM;AACrB,WAAOA,WAAU;AAAA,EACnB;AAEA,QAAM,kBAAkB,YAA4C;AAClE,QAAI;AACF,YAAM,WAAW,MAAM;AAAA,QACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,QAChD;AAAA,UACE,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAC9C,MAAM,KAAK,UAAU;AAAA,YACnB,cAAc,QAAQ;AAAA,UACxB,CAAC;AAAA,QACH;AAAA,MACF;AACA,UAAI,CAAC,SAAS,GAAI,QAAO;AACzB,YAAM,OAAQ,MAAM,SAAS,KAAK;AAIlC,UAAI,CAAC,KAAK,eAAe,CAAC,KAAK,aAAc,QAAO;AACpD,YAAM,aAA6B;AAAA,QACjC,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,MACrB;AACA,uBAAiB,KAAK,YAAY,MAAM;AACxC,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG;AAEH,eAAa,IAAI,KAAK,cAAc;AAGpC,QAAM,UAAU,WAAW,MAAM,aAAa,OAAO,GAAG,GAAG,GAAM;AACjE,iBAAe,QAAQ,MAAM;AAC3B,iBAAa,OAAO;AACpB,iBAAa,OAAO,GAAG;AAAA,EACzB,CAAC;AAED,QAAM,SAAS,MAAM;AACrB,SAAO,UAAU;AACnB;AAEO,SAAS,YAAY,MAAkC;AAC5D,QAAM,aAAS,uBAAO;AACtB,MAAI,gBAAgD;AAEpD,iBAAe,YAAqC;AAClD,QAAI,CAAC,cAAe,iBAAgB,cAAc,IAAI;AACtD,WAAO;AAAA,EACT;AAGA,SAAO,KAAK,kBAAkB,OAAO,KAAc,QAAkB;AACnE,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,EAAE,KAAK,IAAI,IAAI;AACrB,QAAI,CAAC,MAAM;AACT,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,iBAAiB,SAAS,gBAAgB,CAAC;AAAA,IAC/D;AAEA,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,QAC9C,MAAM,KAAK,UAAU,EAAE,KAAK,CAAC;AAAA,MAC/B;AAAA,IACF;AACA,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO,IACJ,OAAO,SAAS,MAAM,EACtB,KAAK,EAAE,QAAQ,gBAAgB,SAAS,eAAe,CAAC;AAAA,IAC7D;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAMlC;AAAA,MACE;AAAA,MACA;AAAA,QACE,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AACA,kBAAc,KAAK,MAAM;AAGzB,UAAM,eAAe,MAAM;AAAA,MACzB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,KAAK,YAAY;AAAA,MAC7C;AAAA,IACF;AACA,UAAM,WAAY,MAAM,aAAa,KAAK;AAK1C,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,MAC1B,MAAM,SAAS;AAAA,MACf,QAAQ,SAAS;AAAA,MACjB,WAAW,KAAK;AAAA,IAClB,CAAC;AAAA,EACH,CAAC;AAGD,SAAO,IAAI,YAAY,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AAEA,UAAM,YAAY,MAAM,mBAAmB,SAAS,QAAQ,GAAG;AAE/D,UAAM,eAAe,MAAM;AAAA,MACzB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,UAAU,YAAY;AAAA,MAClD;AAAA,IACF;AACA,QAAI,CAAC,aAAa,IAAI;AACpB,mBAAa,KAAK,MAAM;AACxB,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,mBAAmB,SAAS,kBAAkB,CAAC;AAAA,IACnE;AACA,UAAM,WAAY,MAAM,aAAa,KAAK;AAI1C,WAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,MAC1B,MAAM,SAAS;AAAA,MACf,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH,CAAC;AAGD,SAAO,KAAK,WAAW,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,SAAS;AAEX;AAAA,QACE,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,QAChD;AAAA,UACE,QAAQ;AAAA,UACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAC9C,MAAM,KAAK,UAAU;AAAA,YACnB,cAAc,QAAQ;AAAA,UACxB,CAAC;AAAA,QACH;AAAA,MACF,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IAClB;AACA,iBAAa,KAAK,MAAM;AACxB,WAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,WAAW,SAAS,aAAa,CAAC;AAAA,EACtD,CAAC;AAGD,SAAO,MAAM,SAAS,OAAO,KAAc,QAAkB;AAC3D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AACA,UAAM,YAAY,MAAM,mBAAmB,SAAS,QAAQ,GAAG;AAE/D,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU;AAAA,QAC3B;AAAA,QACA,MAAM,KAAK,UAAU,IAAI,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,WAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK,IAAI;AAAA,EAC9C,CAAC;AAGD,SAAO,OAAO,SAAS,OAAO,KAAc,QAAkB;AAC5D,UAAM,SAAS,MAAM,UAAU;AAC/B,QAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,gBAAgB,SAAS,qBAAqB,CAAC;AAAA,IACnE;AACA,UAAM,UAAU,YAAY,KAAK,MAAM;AACvC,QAAI,CAAC,SAAS;AACZ,aAAO,IACJ,OAAO,GAAG,EACV,KAAK,EAAE,QAAQ,cAAc,SAAS,oBAAoB,CAAC;AAAA,IAChE;AAEA,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,MAChD;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,eAAe,QAAQ,YAAY;AAAA,MAChD;AAAA,IACF;AACA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,iBAAa,KAAK,MAAM;AACxB,WAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK,IAAI;AAAA,EAC9C,CAAC;AAGD,SAAO;AAAA,IACL;AAAA,IACA,OAAO,KAAc,QAAkB;AACrC,YAAM,SAAS,MAAM,UAAU;AAC/B,UAAI,CAAC,WAAW,KAAK,OAAO,cAAc,GAAG;AAC3C,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,QAAQ;AAAA,UACR,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,UAAU,YAAY,KAAK,MAAM;AACvC,UAAI,CAAC,SAAS;AACZ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,QAAQ;AAAA,UACR,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,WAAW,MAAM;AAAA,QACrB,GAAG,OAAO,aAAa,QAAQ,OAAO,UAAU;AAAA,QAChD;AAAA,UACE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,eAAe,UAAU;AAAA,UAC3B;AAAA,QACF;AAAA,MACF;AACA,UAAI,CAAC,SAAS,IAAI;AAChB,eAAO,IAAI,OAAO,SAAS,MAAM,EAAE,KAAK;AAAA,UACtC,QAAQ;AAAA,UACR,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAGlC,YAAM,mBAAmB,KAAK,WAC1B,KAAK,SAAS,QAAQ,QAAQ,EAAE,IAChC,QAAQ,IAAI,YACV,QAAQ,IAAI,UAAU,QAAQ,QAAQ,EAAE,IACxC,QAAQ,IAAI,aAAa,gBACvB,0BACA;AAER,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,aAAa,GAAG,gBAAgB,IAAI,OAAO,UAAU,qBAAqB,KAAK,IAAI;AAAA,MACrF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;","names":["crypto","import_crypto","crypto","jwt","result"]}