homebridge-meural-cognito 1.0.0

package/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2012-2018 Scott Chacon and others
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,134 @@
+# Homebridge Meural Cognito
+
+Maintained edition of Mike Knoop's `homebridge-meural` plugin. It preserves the original HomeKit accessories and local canvas controls while replacing Meural's retired legacy login with the current Netgear Accounts and AWS Cognito flow.
+
+The original MIT license and Git history are retained. Upstream: <https://github.com/mikeknoop/homebridge-meural>.
+
+## Features
+
+- Canvas discovery through `https://api.meural.com/v1`
+- Netgear Accounts / AWS Cognito `CUSTOM_AUTH`
+- `USER_PASSWORD_AUTH` fallback used by account migration
+- Email, SMS, software-token, and custom challenge responses
+- Automatic access-token refresh
+- Refresh-token persistence with file mode `0600`
+- Existing HomeKit power, brightness, remote, and Show Random controls
+- Docker image for amd64 and arm64-capable Node base images
+
+## Architecture
+
+```text
+HomeKit -> Homebridge plugin -> Meural v1 cloud API
+                         |
+                         +-> Netgear Accounts -> AWS Cognito
+                         |
+                         +-> Canvas LAN HTTP controls
+```
+
+Cloud authentication and discovery use HTTPS. Power, brightness, remote keys, and artwork selection continue to call each canvas on the local network, matching the upstream plugin.
+
+## Authentication
+
+The production web client currently:
+
+1. Starts Cognito `CUSTOM_AUTH` in `eu-west-1`.
+2. Answers password and, when required, OTP/MFA custom challenges.
+3. Falls back to `USER_PASSWORD_AUTH` for the observed account-migration error.
+4. Exchanges the Cognito access token for a Netgear authorization code.
+5. Exchanges that code for Meural access, ID, and refresh tokens.
+6. Sends `Authorization: Token <access token>` to the Meural API.
+7. Refreshes through Netgear Accounts with the Meural refresh token and public app key.
+
+No PKCE, browser cookie, CSRF token, hosted UI, or SRP exchange was observed in the Meural web flow. See [docs/auth-flow.md](docs/auth-flow.md).
+
+Credentials are needed only when no usable token file exists. After the first successful login, remove `MEURAL_PASSWORD` and `MEURAL_CHALLENGE_RESPONSE` from the environment.
+
+## Homebridge Configuration
+
+Install `homebridge-meural-cognito` from the Homebridge UI plugin search, then configure:
+
+```json
+{
+  "platform": "MeuralCanvas",
+  "account_email": "",
+  "account_password": "",
+  "token_path": "/homebridge/meural/tokens.json",
+  "control_center_remote": true,
+  "exclude_devices": []
+}
+```
+
+For backward compatibility, `account_email` and `account_password` still work. Environment variables take precedence and are preferred:
+
+| Variable | Default |
+| --- | --- |
+| `MEURAL_USERNAME` | Homebridge `account_email` |
+| `MEURAL_PASSWORD` | Homebridge `account_password` |
+| `MEURAL_CHALLENGE_RESPONSE` | unset |
+| `MEURAL_TOKEN_PATH` | Homebridge storage directory |
+| `MEURAL_API_BASE_URL` | `https://api.meural.com` |
+| `MEURAL_AWS_REGION` | discovered public value |
+| `MEURAL_COGNITO_CLIENT_ID` | discovered public value |
+| `MEURAL_COGNITO_USER_POOL_ID` | discovered public value |
+
+The public AWS and application identifiers are built in, so normal deployments do not need to set them.
+
+## Docker Compose
+
+```bash
+cp .env.example .env
+mkdir -p homebridge
+cp examples/config.json homebridge/config.json
+docker compose build
+docker compose up -d
+```
+
+Put the username and password in `.env` for the first start. If Netgear requests an OTP, set `MEURAL_CHALLENGE_RESPONSE`, restart once, then clear it. After `homebridge/meural/tokens.json` exists, clear the password as well.
+
+The container:
+
+- runs as the unprivileged `node` user
+- mounts `/homebridge` for configuration, Homebridge state, and tokens
+- uses host networking for HomeKit/mDNS discovery
+- includes a Homebridge TCP health check
+- adds `no-new-privileges`
+
+## Synology
+
+In Container Manager, create a project from `docker-compose.yml`, bind a persistent folder to `/homebridge`, and use host networking. Ensure the mounted folder is writable by UID/GID `1000`. Use project environment variables or a protected `.env` file for the one-time login.
+
+## Token Security
+
+- Token directories are mode `0700`; token files are mode `0600`.
+- Writes use a temporary file followed by an atomic rename.
+- Passwords are never written to the token file.
+- Tokens and authorization values are redacted by logging helpers.
+- `.env`, tokens, cookies, browser profiles, and HAR files are ignored by Git and Docker.
+
+Filesystem permissions protect the token file; it is not application-encrypted. Use an encrypted host volume when storage-at-rest encryption is required.
+
+## Development
+
+```bash
+npm ci
+npm run check
+docker build -t homebridge-meural-cognito:local .
+```
+
+Tests use mocked Cognito, Netgear, Meural, and token-store responses. They do not modify a Meural account or canvas.
+
+## Troubleshooting
+
+- `Meural login is required`: provide credentials for one start or restore the token volume.
+- `Cognito challenge ... requires an interactive response`: set the one-time `MEURAL_CHALLENGE_RESPONSE`.
+- Refresh failure: the token file is cleared and a new login is required.
+- Canvas cloud discovery works but controls fail: verify Homebridge can reach the canvas local IP.
+- HomeKit cannot discover the bridge: use host networking and confirm TCP port `51826` plus mDNS are not blocked.
+
+## Compatibility
+
+See [docs/compatibility-matrix.md](docs/compatibility-matrix.md). The plugin interface remains `MeuralCanvas`; no separate proxy API or second plugin fork is required.
+
+## License
+
+MIT. See [LICENSE](LICENSE).

package/config.schema.json

@@ -0,0 +1,61 @@
+{
+  "pluginAlias": "MeuralCanvas",
+  "pluginType": "platform",
+  "singular": true,
+  "schema": {
+    "type": "object",
+    "properties": {
+      "platform": {
+        "title": "Platform",
+        "type": "string",
+        "required": true,
+        "default": "MeuralCanvas"
+      },
+      "account_email": {
+        "title": "Account Email",
+        "type": "string",
+        "required": true,
+        "default": ""
+      },
+      "account_password": {
+        "title": "Account Password",
+        "type": "string",
+        "required": false,
+        "format": "password",
+        "default": ""
+      },
+      "token_path": {
+        "title": "Token File Path",
+        "type": "string",
+        "required": false,
+        "default": ""
+      },
+      "api_base_url": {
+        "title": "Meural API Base URL",
+        "type": "string",
+        "required": false,
+        "default": "https://api.meural.com"
+      },
+      "accounts_base_url": {
+        "title": "Netgear Accounts Base URL",
+        "type": "string",
+        "required": false,
+        "default": "https://accounts2.netgear.com"
+      },
+      "exclude_devices": {
+        "title": "Exclude Devices",
+        "type": "array",
+        "items": {
+          "type": "string"
+        },
+        "required": false
+      },
+      "control_center_remote": {
+        "title": "Enable Control Center Remote",
+        "type": "boolean",
+        "required": false,
+        "default": true
+      }
+    }
+  }
+}

package/dist/auth/cognito.d.ts

@@ -0,0 +1,33 @@
+import { HttpTransport } from '../http';
+export interface CognitoTokens {
+    accessToken: string;
+    idToken?: string;
+    refreshToken?: string;
+    expiresIn?: number;
+}
+export interface CognitoChallenge {
+    name: string;
+    parameters: Record<string, string>;
+    attempt: number;
+}
+export type ChallengeHandler = (challenge: CognitoChallenge) => Promise<string>;
+export interface CognitoClientConfig {
+    region: string;
+    clientId: string;
+    metadata?: Record<string, string>;
+}
+export declare class CognitoClient {
+    private readonly config;
+    private readonly transport;
+    constructor(config: CognitoClientConfig, transport: HttpTransport);
+    authenticate(username: string, password: string, challengeHandler?: ChallengeHandler): Promise<CognitoTokens>;
+    refresh(refreshToken: string): Promise<CognitoTokens>;
+    private initiate;
+    private respond;
+    private call;
+    private passwordAnswersChallenge;
+    private resolveChallenge;
+    private responseKey;
+    private isUserMigrationError;
+}
+//# sourceMappingURL=cognito.d.ts.map

package/dist/auth/cognito.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito.d.ts","sourceRoot":"","sources":["../../src/auth/cognito.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoB,aAAa,EAAE,MAAM,SAAS,CAAC;AAE1D,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,SAAS,EAAE,gBAAgB,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;AAchF,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED,qBAAa,aAAa;IAEtB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,SAAS;gBADT,MAAM,EAAE,mBAAmB,EAC3B,SAAS,EAAE,aAAa;IAGrC,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC;IAwC7G,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;YAe7C,QAAQ;YASR,OAAO;YAmBP,IAAI;IAalB,OAAO,CAAC,wBAAwB;YAQlB,gBAAgB;IAgB9B,OAAO,CAAC,WAAW;IAanB,OAAO,CAAC,oBAAoB;CAM7B"}

package/dist/auth/cognito.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoClient = void 0;
+const http_1 = require("../http");
+class CognitoClient {
+    constructor(config, transport) {
+        this.config = config;
+        this.transport = transport;
+    }
+    async authenticate(username, password, challengeHandler) {
+        let response;
+        try {
+            response = await this.initiate('CUSTOM_AUTH', {
+                USERNAME: username,
+            });
+        }
+        catch (error) {
+            if (!this.isUserMigrationError(error)) {
+                throw error;
+            }
+            response = await this.initiate('USER_PASSWORD_AUTH', {
+                USERNAME: username,
+                PASSWORD: password,
+            });
+        }
+        let attempt = 0;
+        while (!response.AuthenticationResult) {
+            attempt += 1;
+            const challengeName = response.ChallengeName;
+            if (!challengeName || !response.Session) {
+                throw new Error('Cognito returned neither tokens nor a supported challenge');
+            }
+            const parameters = response.ChallengeParameters ?? {};
+            const answer = this.passwordAnswersChallenge(challengeName, parameters, attempt)
+                ? password
+                : await this.resolveChallenge(challengeName, parameters, attempt, challengeHandler);
+            response = await this.respond(username, challengeName, answer, response.Session);
+        }
+        return {
+            accessToken: response.AuthenticationResult.AccessToken,
+            idToken: response.AuthenticationResult.IdToken,
+            refreshToken: response.AuthenticationResult.RefreshToken,
+            expiresIn: response.AuthenticationResult.ExpiresIn,
+        };
+    }
+    async refresh(refreshToken) {
+        const response = await this.initiate('REFRESH_TOKEN_AUTH', {
+            REFRESH_TOKEN: refreshToken,
+        });
+        if (!response.AuthenticationResult) {
+            throw new Error('Cognito refresh did not return tokens');
+        }
+        return {
+            accessToken: response.AuthenticationResult.AccessToken,
+            idToken: response.AuthenticationResult.IdToken,
+            refreshToken,
+            expiresIn: response.AuthenticationResult.ExpiresIn,
+        };
+    }
+    async initiate(authFlow, authParameters) {
+        return this.call('AWSCognitoIdentityProviderService.InitiateAuth', {
+            AuthFlow: authFlow,
+            ClientId: this.config.clientId,
+            AuthParameters: authParameters,
+            ClientMetadata: this.config.metadata,
+        });
+    }
+    async respond(username, challengeName, answer, session) {
+        const responseKey = this.responseKey(challengeName);
+        return this.call('AWSCognitoIdentityProviderService.RespondToAuthChallenge', {
+            ChallengeName: challengeName,
+            ClientId: this.config.clientId,
+            Session: session,
+            ChallengeResponses: {
+                USERNAME: username,
+                [responseKey]: answer,
+            },
+            ClientMetadata: this.config.metadata,
+        });
+    }
+    async call(target, data) {
+        const response = await this.transport.request({
+            method: 'POST',
+            url: `https://cognito-idp.${this.config.region}.amazonaws.com/`,
+            headers: {
+                'Content-Type': 'application/x-amz-json-1.1',
+                'X-Amz-Target': target,
+            },
+            data,
+        });
+        return response.data;
+    }
+    passwordAnswersChallenge(name, parameters, attempt) {
+        if (name !== 'CUSTOM_CHALLENGE' || attempt !== 1) {
+            return false;
+        }
+        const description = JSON.stringify(parameters).toLowerCase();
+        return !/(otp|verification|email|phone|code)/.test(description);
+    }
+    async resolveChallenge(name, parameters, attempt, challengeHandler) {
+        if (!challengeHandler) {
+            throw new Error(`Cognito challenge ${name} requires an interactive response`);
+        }
+        const answer = await challengeHandler({ name, parameters, attempt });
+        if (!answer) {
+            throw new Error(`Cognito challenge ${name} was not answered`);
+        }
+        return answer;
+    }
+    responseKey(challengeName) {
+        switch (challengeName) {
+            case 'SMS_MFA':
+                return 'SMS_MFA_CODE';
+            case 'SOFTWARE_TOKEN_MFA':
+                return 'SOFTWARE_TOKEN_MFA_CODE';
+            case 'NEW_PASSWORD_REQUIRED':
+                return 'NEW_PASSWORD';
+            default:
+                return 'ANSWER';
+        }
+    }
+    isUserMigrationError(error) {
+        if (!(error instanceof http_1.HttpRequestError)) {
+            return false;
+        }
+        return JSON.stringify(error.responseData).includes('User_Not_Found');
+    }
+}
+exports.CognitoClient = CognitoClient;
+//# sourceMappingURL=cognito.js.map

package/dist/auth/cognito.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito.js","sourceRoot":"","sources":["../../src/auth/cognito.ts"],"names":[],"mappings":";;;AAAA,kCAA0D;AAmC1D,MAAa,aAAa;IACxB,YACmB,MAA2B,EAC3B,SAAwB;QADxB,WAAM,GAAN,MAAM,CAAqB;QAC3B,cAAS,GAAT,SAAS,CAAe;IACxC,CAAC;IAEJ,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,QAAgB,EAAE,gBAAmC;QACxF,IAAI,QAAyB,CAAC;QAC9B,IAAI;YACF,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE;gBAC5C,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;SACJ;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE;gBACrC,MAAM,KAAK,CAAC;aACb;YACD,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE;gBACnD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;SACJ;QAED,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,OAAO,CAAC,QAAQ,CAAC,oBAAoB,EAAE;YACrC,OAAO,IAAI,CAAC,CAAC;YACb,MAAM,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;YAC7C,IAAI,CAAC,aAAa,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE;gBACvC,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;aAC9E;YAED,MAAM,UAAU,GAAG,QAAQ,CAAC,mBAAmB,IAAI,EAAE,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,wBAAwB,CAAC,aAAa,EAAE,UAAU,EAAE,OAAO,CAAC;gBAC9E,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,UAAU,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;YAEtF,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;SAClF;QAED,OAAO;YACL,WAAW,EAAE,QAAQ,CAAC,oBAAoB,CAAC,WAAW;YACtD,OAAO,EAAE,QAAQ,CAAC,oBAAoB,CAAC,OAAO;YAC9C,YAAY,EAAE,QAAQ,CAAC,oBAAoB,CAAC,YAAY;YACxD,SAAS,EAAE,QAAQ,CAAC,oBAAoB,CAAC,SAAS;SACnD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,YAAoB;QAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE;YACzD,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE;YAClC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QACD,OAAO;YACL,WAAW,EAAE,QAAQ,CAAC,oBAAoB,CAAC,WAAW;YACtD,OAAO,EAAE,QAAQ,CAAC,oBAAoB,CAAC,OAAO;YAC9C,YAAY;YACZ,SAAS,EAAE,QAAQ,CAAC,oBAAoB,CAAC,SAAS;SACnD,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,QAAgB,EAAE,cAAsC;QAC7E,OAAO,IAAI,CAAC,IAAI,CAAC,gDAAgD,EAAE;YACjE,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,cAAc,EAAE,cAAc;YAC9B,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SACrC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,QAAgB,EAChB,aAAqB,EACrB,MAAc,EACd,OAAe;QAEf,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC,IAAI,CAAC,0DAA0D,EAAE;YAC3E,aAAa,EAAE,aAAa;YAC5B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,OAAO,EAAE,OAAO;YAChB,kBAAkB,EAAE;gBAClB,QAAQ,EAAE,QAAQ;gBAClB,CAAC,WAAW,CAAC,EAAE,MAAM;aACtB;YACD,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SACrC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,IAAI,CAAC,MAAc,EAAE,IAAa;QAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAkB;YAC7D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,uBAAuB,IAAI,CAAC,MAAM,CAAC,MAAM,iBAAiB;YAC/D,OAAO,EAAE;gBACP,cAAc,EAAE,4BAA4B;gBAC5C,cAAc,EAAE,MAAM;aACvB;YACD,IAAI;SACL,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAEO,wBAAwB,CAAC,IAAY,EAAE,UAAkC,EAAE,OAAe;QAChG,IAAI,IAAI,KAAK,kBAAkB,IAAI,OAAO,KAAK,CAAC,EAAE;YAChD,OAAO,KAAK,CAAC;SACd;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7D,OAAO,CAAC,qCAAqC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClE,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,IAAY,EACZ,UAAkC,EAClC,OAAe,EACf,gBAAmC;QAEnC,IAAI,CAAC,gBAAgB,EAAE;YACrB,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,mCAAmC,CAAC,CAAC;SAC/E;QACD,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,mBAAmB,CAAC,CAAC;SAC/D;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,aAAqB;QACvC,QAAQ,aAAa,EAAE;YACrB,KAAK,SAAS;gBACZ,OAAO,cAAc,CAAC;YACxB,KAAK,oBAAoB;gBACvB,OAAO,yBAAyB,CAAC;YACnC,KAAK,uBAAuB;gBAC1B,OAAO,cAAc,CAAC;YACxB;gBACE,OAAO,QAAQ,CAAC;SACnB;IACH,CAAC;IAEO,oBAAoB,CAAC,KAAc;QACzC,IAAI,CAAC,CAAC,KAAK,YAAY,uBAAgB,CAAC,EAAE;YACxC,OAAO,KAAK,CAAC;SACd;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACvE,CAAC;CACF;AAjJD,sCAiJC"}

package/dist/auth/netgearAuth.d.ts

@@ -0,0 +1,44 @@
+import { ChallengeHandler } from './cognito';
+import { TokenStore } from './tokenStore';
+import { HttpTransport } from '../http';
+export declare const DEFAULT_AUTH_CONFIG: {
+    awsRegion: string;
+    cognitoUserPoolId: string;
+    cognitoClientId: string;
+    meuralClientId: string;
+    accountsBaseUrl: string;
+};
+export interface NetgearAuthConfig {
+    username?: string;
+    password?: string;
+    awsRegion?: string;
+    cognitoUserPoolId?: string;
+    cognitoClientId?: string;
+    meuralClientId?: string;
+    accountsBaseUrl?: string;
+    challengeResponse?: string;
+}
+export declare class ReauthenticationRequiredError extends Error {
+    constructor(message?: string);
+}
+export declare class NetgearAuthProvider {
+    private readonly tokenStore;
+    private readonly transport;
+    private tokens?;
+    private refreshPromise?;
+    private readonly resolvedConfig;
+    private readonly cognito;
+    constructor(config: NetgearAuthConfig, tokenStore: TokenStore, transport: HttpTransport);
+    getAccessToken(forceRefresh?: boolean): Promise<string>;
+    login(challengeHandler?: ChallengeHandler): Promise<void>;
+    clear(): Promise<void>;
+    private refresh;
+    private performRefresh;
+    private loadTokens;
+    private isExpired;
+    private toStoredTokens;
+    private pick;
+    private jwtExpiration;
+    private environmentChallengeHandler;
+}
+//# sourceMappingURL=netgearAuth.d.ts.map

package/dist/auth/netgearAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"netgearAuth.d.ts","sourceRoot":"","sources":["../../src/auth/netgearAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EAAgB,UAAU,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGxC,eAAO,MAAM,mBAAmB;;;;;;CAM/B,CAAC;AAEF,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAiBD,qBAAa,6BAA8B,SAAQ,KAAK;gBAC1C,OAAO,SAA6B;CAIjD;AAED,qBAAa,mBAAmB;IAW5B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAX5B,OAAO,CAAC,MAAM,CAAC,CAAe;IAC9B,OAAO,CAAC,cAAc,CAAC,CAAwB;IAE/C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAC4C;IAE3E,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgB;gBAGtC,MAAM,EAAE,iBAAiB,EACR,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,aAAa;IAwBrC,cAAc,CAAC,YAAY,UAAQ,GAAG,OAAO,CAAC,MAAM,CAAC;IAarD,KAAK,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCzD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAKd,OAAO;YAYP,cAAc;YAoBd,UAAU;IAMxB,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,cAAc;IAiBtB,OAAO,CAAC,IAAI;IAcZ,OAAO,CAAC,aAAa;IAarB,OAAO,CAAC,2BAA2B;CAOpC"}

package/dist/auth/netgearAuth.js

@@ -0,0 +1,187 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetgearAuthProvider = exports.ReauthenticationRequiredError = exports.DEFAULT_AUTH_CONFIG = void 0;
+const cognito_1 = require("./cognito");
+const crypto_1 = require("crypto");
+exports.DEFAULT_AUTH_CONFIG = {
+    awsRegion: 'eu-west-1',
+    cognitoUserPoolId: 'eu-west-1_eHc7fzKFg',
+    cognitoClientId: '487bd4kvb1fnop6mbgk8gu5ibf',
+    meuralClientId: '3ui6nklcaqoij8inrkm06gfk4s',
+    accountsBaseUrl: 'https://accounts2.netgear.com',
+};
+class ReauthenticationRequiredError extends Error {
+    constructor(message = 'Meural login is required') {
+        super(message);
+        this.name = 'ReauthenticationRequiredError';
+    }
+}
+exports.ReauthenticationRequiredError = ReauthenticationRequiredError;
+class NetgearAuthProvider {
+    constructor(config, tokenStore, transport) {
+        this.tokenStore = tokenStore;
+        this.transport = transport;
+        this.resolvedConfig = {
+            username: config.username,
+            password: config.password,
+            challengeResponse: config.challengeResponse,
+            awsRegion: config.awsRegion || exports.DEFAULT_AUTH_CONFIG.awsRegion,
+            cognitoUserPoolId: config.cognitoUserPoolId || exports.DEFAULT_AUTH_CONFIG.cognitoUserPoolId,
+            cognitoClientId: config.cognitoClientId || exports.DEFAULT_AUTH_CONFIG.cognitoClientId,
+            meuralClientId: config.meuralClientId || exports.DEFAULT_AUTH_CONFIG.meuralClientId,
+            accountsBaseUrl: config.accountsBaseUrl || exports.DEFAULT_AUTH_CONFIG.accountsBaseUrl,
+        };
+        this.cognito = new cognito_1.CognitoClient({
+            region: this.resolvedConfig.awsRegion,
+            clientId: this.resolvedConfig.cognitoClientId,
+            metadata: {
+                trustID: (0, crypto_1.randomUUID)(),
+                sourceEvent: 'login',
+                language: 'en-US',
+                appType: 'meural',
+            },
+        }, transport);
+    }
+    async getAccessToken(forceRefresh = false) {
+        await this.loadTokens();
+        if (!this.tokens) {
+            await this.login();
+        }
+        else if (forceRefresh || this.isExpired(this.tokens)) {
+            await this.refresh();
+        }
+        if (!this.tokens) {
+            throw new ReauthenticationRequiredError();
+        }
+        return this.tokens.accessToken;
+    }
+    async login(challengeHandler) {
+        const username = this.resolvedConfig.username;
+        const password = this.resolvedConfig.password;
+        if (!username || !password) {
+            throw new ReauthenticationRequiredError('No persisted Meural session was found. Supply account credentials once to create one.');
+        }
+        const handler = challengeHandler ?? this.environmentChallengeHandler();
+        const cognitoTokens = await this.cognito.authenticate(username, password, handler);
+        const authorizeUrl = new URL('/api/oauth/authorize', this.resolvedConfig.accountsBaseUrl);
+        authorizeUrl.searchParams.set('client_id', this.resolvedConfig.meuralClientId);
+        const authorizeResponse = await this.transport.request({
+            method: 'GET',
+            url: authorizeUrl.toString(),
+            headers: {
+                'Authorization': `Bearer ${cognitoTokens.accessToken}`,
+                'Accept': 'application/json',
+            },
+        });
+        const code = this.pick(authorizeResponse.data, ['code', 'authorizationCode']);
+        if (!code) {
+            throw new Error('Netgear authorization did not return an authorization code');
+        }
+        const tokenUrl = new URL('/api/oauth/token', this.resolvedConfig.accountsBaseUrl);
+        tokenUrl.searchParams.set('code', code);
+        const tokenResponse = await this.transport.request({
+            method: 'GET',
+            url: tokenUrl.toString(),
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json',
+            },
+        });
+        this.tokens = this.toStoredTokens(tokenResponse.data);
+        await this.tokenStore.save(this.tokens);
+    }
+    async clear() {
+        this.tokens = undefined;
+        await this.tokenStore.clear();
+    }
+    async refresh() {
+        if (!this.tokens?.refreshToken) {
+            throw new ReauthenticationRequiredError('The Meural refresh token is missing');
+        }
+        if (!this.refreshPromise) {
+            this.refreshPromise = this.performRefresh().finally(() => {
+                this.refreshPromise = undefined;
+            });
+        }
+        this.tokens = await this.refreshPromise;
+    }
+    async performRefresh() {
+        try {
+            const response = await this.transport.request({
+                method: 'GET',
+                url: new URL('/api/getAccessToken', this.resolvedConfig.accountsBaseUrl).toString(),
+                headers: {
+                    'Authorization': `Bearer ${this.tokens.refreshToken}`,
+                    'appkey': this.resolvedConfig.meuralClientId,
+                    'Accept': 'application/json',
+                },
+            });
+            const refreshed = this.toStoredTokens(response.data, this.tokens.refreshToken);
+            await this.tokenStore.save(refreshed);
+            return refreshed;
+        }
+        catch {
+            await this.clear();
+            throw new ReauthenticationRequiredError('The Meural session expired and a new login is required');
+        }
+    }
+    async loadTokens() {
+        if (this.tokens === undefined) {
+            this.tokens = await this.tokenStore.load();
+        }
+    }
+    isExpired(tokens) {
+        return tokens.expiresAt <= Date.now() + 60000;
+    }
+    toStoredTokens(response, existingRefreshToken) {
+        const body = response.data ?? response;
+        const accessToken = this.pick(body, ['access_token', 'accessToken', 'token']);
+        const refreshToken = this.pick(body, ['refresh_token', 'refreshToken']) ?? existingRefreshToken;
+        if (!accessToken || !refreshToken) {
+            throw new Error('Netgear token response was missing required tokens');
+        }
+        const expiresIn = Number(this.pick(body, ['expires_in', 'expiresIn']) ?? 3600);
+        return {
+            version: 1,
+            accessToken,
+            idToken: this.pick(body, ['id_token', 'idToken']),
+            refreshToken,
+            expiresAt: this.jwtExpiration(accessToken) ?? Date.now() + expiresIn * 1000,
+        };
+    }
+    pick(response, keys) {
+        const body = response.data ?? response;
+        for (const key of keys) {
+            const value = body[key];
+            if (typeof value === 'string') {
+                return value;
+            }
+            if (typeof value === 'number') {
+                return String(value);
+            }
+        }
+        return undefined;
+    }
+    jwtExpiration(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            return undefined;
+        }
+        try {
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+            return payload.exp ? payload.exp * 1000 : undefined;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    environmentChallengeHandler() {
+        const answer = this.resolvedConfig.challengeResponse;
+        if (!answer) {
+            return undefined;
+        }
+        return async () => answer;
+    }
+}
+exports.NetgearAuthProvider = NetgearAuthProvider;
+//# sourceMappingURL=netgearAuth.js.map

package/dist/auth/netgearAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"netgearAuth.js","sourceRoot":"","sources":["../../src/auth/netgearAuth.ts"],"names":[],"mappings":";;;AAAA,uCAA4D;AAG5D,mCAAoC;AAEvB,QAAA,mBAAmB,GAAG;IACjC,SAAS,EAAE,WAAW;IACtB,iBAAiB,EAAE,qBAAqB;IACxC,eAAe,EAAE,4BAA4B;IAC7C,cAAc,EAAE,4BAA4B;IAC5C,eAAe,EAAE,+BAA+B;CACjD,CAAC;AA4BF,MAAa,6BAA8B,SAAQ,KAAK;IACtD,YAAY,OAAO,GAAG,0BAA0B;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,+BAA+B,CAAC;IAC9C,CAAC;CACF;AALD,sEAKC;AAED,MAAa,mBAAmB;IAS9B,YACE,MAAyB,EACR,UAAsB,EACtB,SAAwB;QADxB,eAAU,GAAV,UAAU,CAAY;QACtB,cAAS,GAAT,SAAS,CAAe;QAEzC,IAAI,CAAC,cAAc,GAAG;YACpB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,2BAAmB,CAAC,SAAS;YAC5D,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,2BAAmB,CAAC,iBAAiB;YACpF,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,2BAAmB,CAAC,eAAe;YAC9E,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,2BAAmB,CAAC,cAAc;YAC3E,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,2BAAmB,CAAC,eAAe;SAC/E,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,IAAI,uBAAa,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACrC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe;YAC7C,QAAQ,EAAE;gBACR,OAAO,EAAE,IAAA,mBAAU,GAAE;gBACrB,WAAW,EAAE,OAAO;gBACpB,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,QAAQ;aAClB;SACF,EAAE,SAAS,CAAC,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,YAAY,GAAG,KAAK;QACvC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAChB,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;SACpB;aAAM,IAAI,YAAY,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;YACtD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;SACtB;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAChB,MAAM,IAAI,6BAA6B,EAAE,CAAC;SAC3C;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,gBAAmC;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC;QAC9C,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE;YAC1B,MAAM,IAAI,6BAA6B,CACrC,uFAAuF,CACxF,CAAC;SACH;QAED,MAAM,OAAO,GAAG,gBAAgB,IAAI,IAAI,CAAC,2BAA2B,EAAE,CAAC;QACvE,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnF,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAC1F,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;QAC/E,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAgB;YACpE,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,YAAY,CAAC,QAAQ,EAAE;YAC5B,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,aAAa,CAAC,WAAW,EAAE;gBACtD,QAAQ,EAAE,kBAAkB;aAC7B;SACF,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC,IAAI,EAAE;YACT,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;SAC/E;QAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAClF,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAgB;YAChE,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,QAAQ,CAAC,QAAQ,EAAE;YACxB,OAAO,EAAE;gBACP,QAAQ,EAAE,kBAAkB;gBAC5B,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE;YAC9B,MAAM,IAAI,6BAA6B,CAAC,qCAAqC,CAAC,CAAC;SAChF;QACD,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE;YACxB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBACvD,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;YAClC,CAAC,CAAC,CAAC;SACJ;QACD,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC;IAC1C,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAgB;gBAC3D,MAAM,EAAE,KAAK;gBACb,GAAG,EAAE,IAAI,GAAG,CAAC,qBAAqB,EAAE,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,QAAQ,EAAE;gBACnF,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,IAAI,CAAC,MAAO,CAAC,YAAY,EAAE;oBACtD,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,cAAc;oBAC5C,QAAQ,EAAE,kBAAkB;iBAC7B;aACF,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,MAAO,CAAC,YAAY,CAAC,CAAC;YAChF,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtC,OAAO,SAAS,CAAC;SAClB;QAAC,MAAM;YACN,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;YACnB,MAAM,IAAI,6BAA6B,CAAC,wDAAwD,CAAC,CAAC;SACnG;IACH,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE;YAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;SAC5C;IACH,CAAC;IAEO,SAAS,CAAC,MAAoB;QACpC,OAAO,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IAChD,CAAC;IAEO,cAAc,CAAC,QAAuB,EAAE,oBAA6B;QAC3E,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC;QACvC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,cAAc,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9E,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC,IAAI,oBAAoB,CAAC;QAChG,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,EAAE;YACjC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;SACvE;QACD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QAC/E,OAAO;YACL,OAAO,EAAE,CAAC;YACV,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YACjD,YAAY;YACZ,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI;SAC5E,CAAC;IACJ,CAAC;IAEO,IAAI,CAAC,QAAuB,EAAE,IAAgC;QACpE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;YACtB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;gBAC7B,OAAO,KAAK,CAAC;aACd;YACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;gBAC7B,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;aACtB;SACF;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,aAAa,CAAC,KAAa;QACjC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;YACtB,OAAO,SAAS,CAAC;SAClB;QACD,IAAI;YACF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAqB,CAAC;YACpG,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;SACrD;QAAC,MAAM;YACN,OAAO,SAAS,CAAC;SAClB;IACH,CAAC;IAEO,2BAA2B;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC;QACrD,IAAI,CAAC,MAAM,EAAE;YACX,OAAO,SAAS,CAAC;SAClB;QACD,OAAO,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC;IAC5B,CAAC;CACF;AA3LD,kDA2LC"}

package/dist/auth/redact.d.ts

@@ -0,0 +1,3 @@
+export declare function redact(value: unknown): unknown;
+export declare function safeErrorMessage(error: unknown): string;
+//# sourceMappingURL=redact.d.ts.map

package/dist/auth/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../../src/auth/redact.ts"],"names":[],"mappings":"AAGA,wBAAgB,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAiB9C;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKvD"}