oidc-spa 8.4.8 → 8.5.1

package/src/core/tokenExfiltrationDefense_legacy.ts

@@ -0,0 +1,165 @@
+import { assert } from "../tools/tsafe/assert";
+
+export type Params = {
+    freezeFetch?: boolean;
+    freezeXMLHttpRequest?: boolean;
+    freezeWebSocket?: boolean;
+    freezePromise?: boolean;
+    safeMode?: boolean;
+};
+
+export function handleTokenExfiltrationDefense_legacy(params: Params) {
+    const {
+        freezeFetch,
+        freezeXMLHttpRequest,
+        freezeWebSocket,
+        freezePromise,
+        safeMode = false
+    } = params;
+
+    const createWriteError = (target: string) =>
+        new Error(
+            [
+                `oidc-spa: Monkey patching of ${target} has been blocked for security reasons.`,
+                "You can disable this restriction by setting `safeMode: false` in `oidcEarlyInit()`",
+                "or in your Vite plugin configuration,",
+                "but please note this will reduce security.",
+                "If you believe this restriction is too strict, please open an issue at:",
+                "https://github.com/keycloakify/oidc-spa",
+                "We're still identifying real-world blockers and can safely add exceptions where needed.",
+                "For now, we prefer to err on the side of hardening rather than exposure."
+            ].join(" ")
+        );
+
+    for (const name of [
+        "fetch",
+        "XMLHttpRequest",
+        "WebSocket",
+        "Headers",
+        "URLSearchParams",
+        "String",
+        "Object",
+        "Promise",
+        "Array",
+        "RegExp",
+        "TextEncoder",
+        "Uint8Array",
+        "Uint32Array",
+        "Response",
+        "Reflect",
+        "JSON",
+        "encodeURIComponent",
+        "decodeURIComponent",
+        "atob",
+        "btoa"
+    ] as const) {
+        const doSkip = (() => {
+            switch (name) {
+                case "XMLHttpRequest":
+                    if (freezeXMLHttpRequest !== undefined) {
+                        return !freezeXMLHttpRequest;
+                    }
+                    break;
+                case "fetch":
+                    if (freezeFetch !== undefined) {
+                        return !freezeFetch;
+                    }
+                    break;
+                case "WebSocket":
+                    if (freezeWebSocket !== undefined) {
+                        return !freezeWebSocket;
+                    }
+                    break;
+                case "Promise":
+                    if (freezePromise !== undefined) {
+                        return !freezePromise;
+                    }
+                    break;
+            }
+
+            return !safeMode;
+        })();
+
+        if (doSkip) {
+            continue;
+        }
+
+        const original = window[name];
+
+        if (!original) {
+            continue;
+        }
+
+        if ("prototype" in original) {
+            for (const propertyName of Object.getOwnPropertyNames(original.prototype)) {
+                if (name === "Object") {
+                    if (
+                        propertyName === "toString" ||
+                        propertyName === "constructor" ||
+                        propertyName === "valueOf"
+                    ) {
+                        continue;
+                    }
+                }
+
+                if (name === "Array") {
+                    if (propertyName === "constructor" || propertyName === "concat") {
+                        continue;
+                    }
+                }
+
+                const pd = Object.getOwnPropertyDescriptor(original.prototype, propertyName);
+
+                assert(pd !== undefined);
+
+                if (!pd.configurable) {
+                    continue;
+                }
+
+                Object.defineProperty(original.prototype, propertyName, {
+                    enumerable: pd.enumerable,
+                    configurable: false,
+                    ...("value" in pd
+                        ? {
+                              get: () => pd.value,
+                              set: () => {
+                                  throw createWriteError(`window.${name}.prototype.${propertyName}`);
+                              }
+                          }
+                        : {
+                              get: pd.get,
+                              set:
+                                  pd.set ??
+                                  (() => {
+                                      throw createWriteError(`window.${name}.prototype.${propertyName}`);
+                                  })
+                          })
+                });
+            }
+        }
+
+        Object.defineProperty(window, name, {
+            configurable: false,
+            enumerable: true,
+            get: () => original,
+            set: () => {
+                throw createWriteError(`window.${name}`);
+            }
+        });
+    }
+
+    if (safeMode) {
+        for (const name of ["call", "apply", "bind"] as const) {
+            const original = Function.prototype[name];
+
+            Object.defineProperty(Function.prototype, name, {
+                configurable: false,
+                enumerable: true,
+                get: () => original,
+                set: () => {
+                    throw createWriteError(`window.Function.prototype.${name})`);
+                }
+            });
+        }
+    }
+}

package/src/core/tokenPlaceholderSubstitution.ts

@@ -0,0 +1,105 @@
+import { assert } from "../tools/tsafe/assert";
+
+let isTokenSubstitutionEnabled = false;
+
+export function markTokenSubstitutionAdEnabled() {
+    isTokenSubstitutionEnabled = true;
+}
+
+export function getIsTokenSubstitutionEnabled() {
+    return isTokenSubstitutionEnabled;
+}
+
+type Tokens = {
+    accessToken: string;
+    idToken: string;
+    refreshToken?: string;
+};
+
+const entries: {
+    configId: string;
+    tokens: Tokens;
+    id: number;
+}[] = [];
+
+let counter = Math.floor(Math.random() * 1_000_000) + 1_000_000;
+
+export function getTokensPlaceholders(params: { configId: string; tokens: Tokens }): Tokens {
+    const { configId, tokens } = params;
+
+    assert(isTokenSubstitutionEnabled, "2934482");
+
+    for (const entry of entries) {
+        if (entry.configId !== configId) {
+            continue;
+        }
+
+        setTimeout(() => {
+            const index = entries.indexOf(entry);
+
+            if (index === -1) {
+                return;
+            }
+
+            entries.splice(index, 1);
+        }, 30_000);
+    }
+
+    const id = counter++;
+
+    const entry_new: (typeof entries)[number] = {
+        id,
+        configId,
+        tokens: {
+            accessToken: tokens.accessToken,
+            idToken: tokens.idToken,
+            refreshToken: tokens.refreshToken
+        }
+    };
+
+    entries.push(entry_new);
+
+    return {
+        accessToken: `access_token_placeholder_${id}`,
+        idToken: `id_token_placeholder_${id}`,
+        refreshToken: tokens.refreshToken === undefined ? undefined : `refresh_token_placeholder_${id}`
+    };
+}
+
+export function substitutePlaceholderByRealToken(text: string): string {
+    let text_modified = text;
+
+    for (const [tokenType, regExp] of [
+        ["access_token", /access_token_placeholder_(\d+)/g],
+        ["id_token", /id_token_placeholder_(\d+)/g],
+        ["refresh_token", /refresh_token_placeholder_(\d+)/g]
+    ] as const) {
+        text_modified = text_modified.replace(regExp, (...[, p1]) => {
+            const id = parseInt(p1);
+
+            const entry = entries.find(e => e.id === id);
+
+            if (!entry) {
+                throw new Error(
+                    [
+                        "oidc-spa: Outdated token used to make a request.",
+                        "Token should not be stored at the application level, when a token",
+                        "is needed, it should be requested and used immediately."
+                    ].join(" ")
+                );
+            }
+
+            switch (tokenType) {
+                case "access_token":
+                    return entry.tokens.accessToken;
+                case "id_token":
+                    return entry.tokens.idToken;
+                case "refresh_token":
+                    assert(entry.tokens.refreshToken !== undefined, "204392284");
+                    return entry.tokens.refreshToken;
+            }
+        });
+    }
+
+    return text_modified;
+}

package/src/tools/isDomain.ts

@@ -0,0 +1,18 @@
+export function getIsDomain(hostname: string): boolean {
+    // Reject IPv4
+    if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+        return false;
+    }
+
+    // Reject IPv6
+    if (hostname.includes(":")) {
+        return false;
+    }
+
+    // Must contain at least one dot (e.g., "example.com")
+    if (!hostname.includes(".")) {
+        return false;
+    }
+
+    return true;
+}

package/src/tools/isHostnameAuthorized.ts

@@ -0,0 +1,91 @@
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
+import { getIsDomain } from "../tools/isDomain";
+
+const MULTI_TENANT_DOMAINS = [
+    "vercel.app",
+    "netlify.app",
+    "github.io",
+    "pages.dev",
+    "web.app",
+    "firebaseapp.com",
+    "onrender.com",
+    "railway.app",
+    "fly.dev",
+    "herokuapp.com",
+    "amplifyapp.com",
+    "surge.sh",
+    "stackblitz.io",
+    "glitch.me",
+    "csb.app",
+    "codesandbox.io",
+    "repl.co",
+    "replit.dev",
+    "ondigitalocean.app",
+    "bubbleapps.io",
+    "wixsite.com",
+    "webflow.io",
+    "framer.app",
+    "deno.dev",
+    "azurestaticapps.net",
+    "run.app",
+    "cloudfront.net",
+    "qovery.io",
+    "northflank.app",
+    "cyclic.app",
+    "turso.io",
+    "koyeb.app",
+    "on.fleek.co",
+    "back4app.io"
+];
+
+export function getIsHostnameAuthorized(params: {
+    allowedHostnames: string[];
+    hostname: string;
+    extendAuthorizationToParentDomain: boolean;
+}) {
+    if (getIsLikelyDevServer()) {
+        return true;
+    }
+
+    const { hostname, allowedHostnames, extendAuthorizationToParentDomain } = params;
+
+    if (hostname === location.host) {
+        return true;
+    }
+
+    for (let allowedHost of allowedHostnames) {
+        allowedHost = allowedHost.toLocaleLowerCase();
+
+        if (allowedHost === hostname) {
+            return true;
+        }
+
+        if (allowedHost.startsWith("*") && hostname.endsWith(allowedHost.slice(1))) {
+            return true;
+        }
+    }
+
+    if (!extendAuthorizationToParentDomain) {
+        return false;
+    }
+
+    if (!getIsDomain(location.host) || !getIsDomain(hostname)) {
+        return false;
+    }
+
+    if (MULTI_TENANT_DOMAINS.find(suffix => location.host.endsWith(`.${suffix}`)) !== undefined) {
+        return false;
+    }
+
+    const trustedParentDomain = (() => {
+        const [s1, s2] = location.host.split(".").reverse();
+
+        return `${s2}.${s1}`;
+    })();
+
+    if (hostname.endsWith(`.${trustedParentDomain}`)) {
+        return true;
+    }
+
+    return false;
+}

package/src/tools/isLikelyDevServer.ts

@@ -1,17 +1,29 @@
-export function getIsLikelyDevServer(): boolean {
-    const origin = window.location.origin;
+let isLikelyDevServer_cache: boolean | undefined = undefined;
 
-    if (/^https?:\/\/localhost/.test(origin)) {
-        return true;
+export function getIsLikelyDevServer(): boolean {
+    if (isLikelyDevServer_cache !== undefined) {
+        return isLikelyDevServer_cache;
     }
 
-    if (/^https?:\/\/\[::\]/.test(origin)) {
-        return true;
-    }
+    const isLikelyDevServer = (() => {
+        const origin = window.location.origin;
 
-    if (/^https?:\/\/127.0.0.1/.test(origin)) {
-        return true;
-    }
+        if (/^https?:\/\/localhost/.test(origin)) {
+            return true;
+        }
+
+        if (/^https?:\/\/\[::\]/.test(origin)) {
+            return true;
+        }
+
+        if (/^https?:\/\/127.0.0.1/.test(origin)) {
+            return true;
+        }
+
+        return false;
+    })();
+
+    isLikelyDevServer_cache = isLikelyDevServer;
 
-    return false;
+    return isLikelyDevServer;
 }

package/src/vite-plugin/handleClientEntrypoint.ts

@@ -68,29 +68,66 @@ export function createHandleClientEntrypoint(params: {
 
         entryResolution.watchFiles.forEach(file => pluginContext.addWatchFile(file));
 
-        const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket, freezePromise, safeMode, ...rest } =
-            oidcSpaVitePluginParams ?? {};
-
-        assert<Equals<typeof rest, {}>>;
-
         return [
             `import { oidcEarlyInit } from "oidc-spa/entrypoint";`,
             `const { shouldLoadApp } = oidcEarlyInit({`,
-            ...[
-                `   freezeFetch: ${freezeFetch},`,
-                `   freezeXMLHttpRequest: ${freezeXMLHttpRequest},`,
-                `   freezeWebSocket: ${freezeWebSocket},`,
-                `   freezePromise: ${freezePromise},`,
-                `   safeMode: ${safeMode},`,
-                `   BASE_URL: ${(() => {
-                    switch (projectType) {
-                        case "nuxt":
-                            return "__NUXT__.config.app.baseURL";
-                        default:
-                            return `"${resolvedConfig.base}"`;
-                    }
-                })()}`
-            ],
+            ...(() => {
+                if ("enableTokenExfiltrationDefense" in oidcSpaVitePluginParams) {
+                    const {
+                        enableTokenExfiltrationDefense,
+                        serviceWorkersAllowedHostnames,
+                        resourceServersAllowedHostnames,
+                        ...rest
+                    } = oidcSpaVitePluginParams ?? {};
+
+                    assert<Equals<typeof rest, {}>>;
+
+                    return [
+                        `   enableTokenExfiltrationDefense: ${enableTokenExfiltrationDefense},`,
+                        `   resourceServersAllowedHostnames: ${JSON.stringify(
+                            resourceServersAllowedHostnames
+                        )},`,
+                        `   serviceWorkersAllowedHostnames: ${JSON.stringify(
+                            serviceWorkersAllowedHostnames
+                        )},`,
+                        `   BASE_URL: ${(() => {
+                            switch (projectType) {
+                                case "nuxt":
+                                    return "__NUXT__.config.app.baseURL";
+                                default:
+                                    return `"${resolvedConfig.base}"`;
+                            }
+                        })()}`
+                    ];
+                }
+
+                const {
+                    freezeFetch,
+                    freezeXMLHttpRequest,
+                    freezeWebSocket,
+                    freezePromise,
+                    safeMode,
+                    ...rest
+                } = oidcSpaVitePluginParams ?? {};
+
+                assert<Equals<typeof rest, {}>>;
+
+                return [
+                    `   freezeFetch: ${freezeFetch},`,
+                    `   freezeXMLHttpRequest: ${freezeXMLHttpRequest},`,
+                    `   freezeWebSocket: ${freezeWebSocket},`,
+                    `   freezePromise: ${freezePromise},`,
+                    `   safeMode: ${safeMode},`,
+                    `   BASE_URL: ${(() => {
+                        switch (projectType) {
+                            case "nuxt":
+                                return "__NUXT__.config.app.baseURL";
+                            default:
+                                return `"${resolvedConfig.base}"`;
+                        }
+                    })()}`
+                ];
+            })(),
             `});`,
             ``,
             `if (shouldLoadApp) {`,

package/src/vite-plugin/vite-plugin.ts

@@ -1,22 +1,17 @@
 import type { Plugin, TransformResult } from "vite";
 import { assert } from "../tools/tsafe/assert";
-import type { Param0 } from "../tools/tsafe/Param0";
-import type { oidcEarlyInit } from "../entrypoint";
+import type { ParamsOfEarlyInit, ParamsOfEarlyInit_legacy } from "../core/earlyInit";
 import { createHandleClientEntrypoint } from "./handleClientEntrypoint";
 import { createHandleServerEntrypoint } from "./handleServerEntrypoint";
 import { manageOptimizedDeps } from "./manageOptimizedDeps";
 import { transformCreateFileRoute } from "./transformTanstackRouterCreateFileRoute";
 import { getProjectType, type ProjectType } from "./projectType";
 
-export type OidcSpaVitePluginParams = Omit<Param0<typeof oidcEarlyInit>, "BASE_URL">;
+export type OidcSpaVitePluginParams =
+    | Omit<ParamsOfEarlyInit, "BASE_URL">
+    | Omit<ParamsOfEarlyInit_legacy, "BASE_URL">;
 
-export function oidcSpa(
-    params: OidcSpaVitePluginParams = {
-        freezeFetch: true,
-        freezeXMLHttpRequest: true,
-        freezeWebSocket: true
-    }
-) {
+export function oidcSpa(params: OidcSpaVitePluginParams) {
     let load_handleClientEntrypoint:
         | ReturnType<typeof createHandleClientEntrypoint>["load_handleClientEntrypoint"]
         | undefined = undefined;

package/tools/isDomain.d.ts

@@ -0,0 +1 @@
+export declare function getIsDomain(hostname: string): boolean;

package/tools/isDomain.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIsDomain = getIsDomain;
+function getIsDomain(hostname) {
+    // Reject IPv4
+    if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+        return false;
+    }
+    // Reject IPv6
+    if (hostname.includes(":")) {
+        return false;
+    }
+    // Must contain at least one dot (e.g., "example.com")
+    if (!hostname.includes(".")) {
+        return false;
+    }
+    return true;
+}
+//# sourceMappingURL=isDomain.js.map

package/tools/isDomain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isDomain.js","sourceRoot":"","sources":["../src/tools/isDomain.ts"],"names":[],"mappings":";;AAAA,kCAiBC;AAjBD,SAAgB,WAAW,CAAC,QAAgB;IACxC,cAAc;IACd,IAAI,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,cAAc;IACd,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,sDAAsD;IACtD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC"}

package/tools/isHostnameAuthorized.d.ts

@@ -0,0 +1,5 @@
+export declare function getIsHostnameAuthorized(params: {
+    allowedHostnames: string[];
+    hostname: string;
+    extendAuthorizationToParentDomain: boolean;
+}): boolean;

package/tools/isHostnameAuthorized.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIsHostnameAuthorized = getIsHostnameAuthorized;
+const isLikelyDevServer_1 = require("../tools/isLikelyDevServer");
+const isDomain_1 = require("../tools/isDomain");
+const MULTI_TENANT_DOMAINS = [
+    "vercel.app",
+    "netlify.app",
+    "github.io",
+    "pages.dev",
+    "web.app",
+    "firebaseapp.com",
+    "onrender.com",
+    "railway.app",
+    "fly.dev",
+    "herokuapp.com",
+    "amplifyapp.com",
+    "surge.sh",
+    "stackblitz.io",
+    "glitch.me",
+    "csb.app",
+    "codesandbox.io",
+    "repl.co",
+    "replit.dev",
+    "ondigitalocean.app",
+    "bubbleapps.io",
+    "wixsite.com",
+    "webflow.io",
+    "framer.app",
+    "deno.dev",
+    "azurestaticapps.net",
+    "run.app",
+    "cloudfront.net",
+    "qovery.io",
+    "northflank.app",
+    "cyclic.app",
+    "turso.io",
+    "koyeb.app",
+    "on.fleek.co",
+    "back4app.io"
+];
+function getIsHostnameAuthorized(params) {
+    if ((0, isLikelyDevServer_1.getIsLikelyDevServer)()) {
+        return true;
+    }
+    const { hostname, allowedHostnames, extendAuthorizationToParentDomain } = params;
+    if (hostname === location.host) {
+        return true;
+    }
+    for (let allowedHost of allowedHostnames) {
+        allowedHost = allowedHost.toLocaleLowerCase();
+        if (allowedHost === hostname) {
+            return true;
+        }
+        if (allowedHost.startsWith("*") && hostname.endsWith(allowedHost.slice(1))) {
+            return true;
+        }
+    }
+    if (!extendAuthorizationToParentDomain) {
+        return false;
+    }
+    if (!(0, isDomain_1.getIsDomain)(location.host) || !(0, isDomain_1.getIsDomain)(hostname)) {
+        return false;
+    }
+    if (MULTI_TENANT_DOMAINS.find(suffix => location.host.endsWith(`.${suffix}`)) !== undefined) {
+        return false;
+    }
+    const trustedParentDomain = (() => {
+        const [s1, s2] = location.host.split(".").reverse();
+        return `${s2}.${s1}`;
+    })();
+    if (hostname.endsWith(`.${trustedParentDomain}`)) {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=isHostnameAuthorized.js.map

package/tools/isHostnameAuthorized.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isHostnameAuthorized.js","sourceRoot":"","sources":["../src/tools/isHostnameAuthorized.ts"],"names":[],"mappings":";;AAwCA,0DAkDC;AA1FD,kEAAkE;AAClE,gDAAgD;AAEhD,MAAM,oBAAoB,GAAG;IACzB,YAAY;IACZ,aAAa;IACb,WAAW;IACX,WAAW;IACX,SAAS;IACT,iBAAiB;IACjB,cAAc;IACd,aAAa;IACb,SAAS;IACT,eAAe;IACf,gBAAgB;IAChB,UAAU;IACV,eAAe;IACf,WAAW;IACX,SAAS;IACT,gBAAgB;IAChB,SAAS;IACT,YAAY;IACZ,oBAAoB;IACpB,eAAe;IACf,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,UAAU;IACV,qBAAqB;IACrB,SAAS;IACT,gBAAgB;IAChB,WAAW;IACX,gBAAgB;IAChB,YAAY;IACZ,UAAU;IACV,WAAW;IACX,aAAa;IACb,aAAa;CAChB,CAAC;AAEF,SAAgB,uBAAuB,CAAC,MAIvC;IACG,IAAI,IAAA,wCAAoB,GAAE,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,iCAAiC,EAAE,GAAG,MAAM,CAAC;IAEjF,IAAI,QAAQ,KAAK,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,KAAK,IAAI,WAAW,IAAI,gBAAgB,EAAE,CAAC;QACvC,WAAW,GAAG,WAAW,CAAC,iBAAiB,EAAE,CAAC;QAE9C,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACzE,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED,IAAI,CAAC,iCAAiC,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,CAAC,IAAA,sBAAW,EAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,sBAAW,EAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QAC1F,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE;QAC9B,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QAEpD,OAAO,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC;IACzB,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,mBAAmB,EAAE,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC"}