oidc-spa 8.6.19 → 8.7.0
- package/backend.d.ts +3 -20
- package/backend.js +50 -242
- package/backend.js.map +1 -1
- package/core/OidcMetadata.d.ts +2 -2
- package/core/OidcMetadata.js.map +1 -1
- package/core/createOidc.d.ts +2 -4
- package/core/createOidc.js +41 -3
- package/core/createOidc.js.map +1 -1
- package/core/dpop.d.ts +20 -0
- package/core/dpop.js +389 -0
- package/core/dpop.js.map +1 -0
- package/core/earlyInit.js +2 -0
- package/core/earlyInit.js.map +1 -1
- package/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/core/oidcClientTsUserToTokens.js +15 -5
- package/core/oidcClientTsUserToTokens.js.map +1 -1
- package/core/tokenExfiltrationDefense.js +49 -6
- package/core/tokenExfiltrationDefense.js.map +1 -1
- package/esm/angular.d.ts +2 -0
- package/esm/angular.mjs.map +1 -1
- package/esm/backend.d.ts +3 -20
- package/esm/backend.mjs +50 -242
- package/esm/backend.mjs.map +1 -1
- package/esm/core/OidcMetadata.d.ts +2 -2
- package/esm/core/OidcMetadata.mjs.map +1 -1
- package/esm/core/createOidc.d.ts +2 -4
- package/esm/core/createOidc.mjs +41 -3
- package/esm/core/createOidc.mjs.map +1 -1
- package/esm/core/dpop.d.ts +20 -0
- package/esm/core/dpop.mjs +384 -0
- package/esm/core/dpop.mjs.map +1 -0
- package/esm/core/earlyInit.mjs +2 -0
- package/esm/core/earlyInit.mjs.map +1 -1
- package/esm/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/esm/core/oidcClientTsUserToTokens.mjs +15 -5
- package/esm/core/oidcClientTsUserToTokens.mjs.map +1 -1
- package/esm/core/tokenExfiltrationDefense.mjs +49 -6
- package/esm/core/tokenExfiltrationDefense.mjs.map +1 -1
- package/esm/react-spa/createOidcSpaApi.mjs +2 -1
- package/esm/react-spa/createOidcSpaApi.mjs.map +1 -1
- package/esm/react-spa/types.d.ts +2 -0
- package/esm/server/createOidcSpaUtils.d.ts +5 -0
- package/esm/server/createOidcSpaUtils.mjs +639 -0
- package/esm/server/createOidcSpaUtils.mjs.map +1 -0
- package/esm/server/index.d.ts +2 -0
- package/esm/server/index.mjs +3 -0
- package/esm/server/index.mjs.map +1 -0
- package/esm/server/types.d.ts +79 -0
- package/esm/server/types.mjs +2 -0
- package/esm/server/types.mjs.map +1 -0
- package/esm/server/utilsBuilder.d.ts +10 -0
- package/esm/server/utilsBuilder.mjs +13 -0
- package/esm/server/utilsBuilder.mjs.map +1 -0
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +1 -1
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs +102 -94
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map +1 -1
- package/esm/tanstack-start/react/createOidcSpaApi.d.ts +2 -2
- package/esm/tanstack-start/react/createOidcSpaApi.mjs +60 -51
- package/esm/tanstack-start/react/createOidcSpaApi.mjs.map +1 -1
- package/esm/tanstack-start/react/index.d.ts +1 -1
- package/esm/tanstack-start/react/index.mjs +2 -2
- package/esm/tanstack-start/react/index.mjs.map +1 -1
- package/esm/tanstack-start/react/types.d.ts +36 -11
- package/esm/tanstack-start/react/{apiBuilder.d.ts → utilsBuilder.d.ts} +9 -9
- package/esm/tanstack-start/react/{apiBuilder.mjs → utilsBuilder.mjs} +6 -6
- package/esm/tanstack-start/react/utilsBuilder.mjs.map +1 -0
- package/esm/tools/generateES256DPoPProof.d.ts +8 -0
- package/esm/tools/generateES256DPoPProof.mjs +48 -0
- package/esm/tools/generateES256DPoPProof.mjs.map +1 -0
- package/esm/tools/getServerDateNow.d.ts +5 -0
- package/esm/tools/getServerDateNow.mjs +7 -0
- package/esm/tools/getServerDateNow.mjs.map +1 -0
- package/esm/vendor/{backend → server}/evt.mjs +84 -140
- package/esm/vendor/{backend → server}/jose.mjs +5 -27
- package/esm/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/esm/vendor/{backend → server}/tsafe.mjs +6 -0
- package/esm/vendor/{backend → server}/zod.mjs +196 -50
- package/package.json +6 -1
- package/react-spa/createOidcSpaApi.js +2 -1
- package/react-spa/createOidcSpaApi.js.map +1 -1
- package/react-spa/types.d.ts +2 -0
- package/server/createOidcSpaUtils.d.ts +5 -0
- package/server/createOidcSpaUtils.js +642 -0
- package/server/createOidcSpaUtils.js.map +1 -0
- package/server/index.d.ts +2 -0
- package/server/index.js +6 -0
- package/server/index.js.map +1 -0
- package/server/types.d.ts +79 -0
- package/server/types.js +3 -0
- package/server/types.js.map +1 -0
- package/server/utilsBuilder.d.ts +10 -0
- package/server/utilsBuilder.js +16 -0
- package/server/utilsBuilder.js.map +1 -0
- package/src/angular.ts +3 -0
- package/src/backend.ts +63 -364
- package/src/core/OidcMetadata.ts +4 -2
- package/src/core/createOidc.ts +54 -6
- package/src/core/dpop.ts +583 -0
- package/src/core/earlyInit.ts +3 -0
- package/src/core/oidcClientTsUserToTokens.ts +18 -4
- package/src/core/tokenExfiltrationDefense.ts +60 -5
- package/src/react-spa/createOidcSpaApi.ts +2 -1
- package/src/react-spa/types.tsx +3 -0
- package/src/server/createOidcSpaUtils.ts +848 -0
- package/src/server/index.ts +4 -0
- package/src/server/types.tsx +99 -0
- package/src/server/utilsBuilder.ts +41 -0
- package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +134 -124
- package/src/tanstack-start/react/createOidcSpaApi.ts +73 -69
- package/src/tanstack-start/react/index.ts +2 -2
- package/src/tanstack-start/react/types.tsx +44 -12
- package/src/tanstack-start/react/{apiBuilder.ts → utilsBuilder.ts} +14 -14
- package/src/tools/generateES256DPoPProof.ts +74 -0
- package/src/tools/getServerDateNow.ts +11 -0
- package/src/vendor/{backend → server}/tsafe.ts +1 -0
- package/tools/generateES256DPoPProof.d.ts +8 -0
- package/tools/generateES256DPoPProof.js +51 -0
- package/tools/generateES256DPoPProof.js.map +1 -0
- package/tools/getServerDateNow.d.ts +5 -0
- package/tools/getServerDateNow.js +10 -0
- package/tools/getServerDateNow.js.map +1 -0
- package/vendor/server/evt.js +3 -0
- package/vendor/server/jose.js +3 -0
- package/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/vendor/server/tsafe.js +2 -0
- package/vendor/server/zod.js +3 -0
- package/esm/tanstack-start/react/apiBuilder.mjs.map +0 -1
- package/vendor/backend/evt.js +0 -3
- package/vendor/backend/jose.js +0 -3
- package/vendor/backend/tsafe.js +0 -2
- package/vendor/backend/zod.js +0 -3
- /package/esm/vendor/{backend → server}/evt.d.ts +0 -0
- /package/esm/vendor/{backend → server}/jose.d.ts +0 -0
- /package/esm/vendor/{backend → server}/zod.d.ts +0 -0
- /package/src/vendor/{backend → server}/evt.ts +0 -0
- /package/src/vendor/{backend → server}/jose.ts +0 -0
- /package/src/vendor/{backend → server}/zod.ts +0 -0
- /package/vendor/{backend → server}/evt.d.ts +0 -0
- /package/vendor/{backend → server}/jose.d.ts +0 -0
- /package/vendor/{backend → server}/zod.d.ts +0 -0
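--- a/package/server/createOidcSpaUtils.js
+++ b/package/server/createOidcSpaUtils.js
@@ -0,0 +1,642 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOidcSpaUtils = createOidcSpaUtils;
+const Deferred_1 = require("../tools/Deferred");
+const jose_1 = require("../vendor/server/jose");
+const tsafe_1 = require("../vendor/server/tsafe");
+const zod_1 = require("../vendor/server/zod");
+const evt_1 = require("../vendor/server/evt");
+const decodeJwt_1 = require("../tools/decodeJwt");
+const crypto_1 = require("crypto");
+function createOidcSpaUtils(params) {
+const { decodedAccessTokenSchema } = params;
+const dParamsOfBootstrap = new Deferred_1.Deferred();
+const evtPublicSigningKeys = evt_1.Evt.create(undefined);
+const evtInvalidSignature = evt_1.Evt.create();
+evtInvalidSignature.pipe((0, evt_1.throttleTime)(3600000)).attach(async () => {
+const publicSigningKeys_new = await (async function callee(count) {
+const paramsOfBootstrap = await dParamsOfBootstrap.pr;
+(0, tsafe_1.assert)(paramsOfBootstrap.implementation === "real");
+const { issuerUri } = paramsOfBootstrap;
+let wrap;
+try {
+wrap = await fetchPublicSigningKeys({ issuerUri });
+}
+catch (error) {
+if (count === 9) {
+console.warn(`Failed to refresh public key and signing algorithm after ${count + 1} attempts`);
+return undefined;
+}
+const delayMs = 1000 * Math.pow(2, count);
+console.warn(`Failed to refresh public key and signing algorithm: ${String(error)}, retrying in ${delayMs}ms`);
+await new Promise(resolve => setTimeout(resolve, delayMs));
+return callee(count + 1);
+}
+return wrap;
+})(0);
+if (publicSigningKeys_new === undefined) {
+return;
+}
+evtPublicSigningKeys.state = publicSigningKeys_new;
+});
+let bootstrapAuth_prResolved = undefined;
+const bootstrapAuth = paramsOfBootstrap => {
+if (bootstrapAuth_prResolved !== undefined) {
+return bootstrapAuth_prResolved;
+}
+return (bootstrapAuth_prResolved = (async () => {
+dParamsOfBootstrap.resolve(paramsOfBootstrap);
+if (paramsOfBootstrap.implementation === "real") {
+evtPublicSigningKeys.state = await fetchPublicSigningKeys({
+issuerUri: paramsOfBootstrap.issuerUri
+});
+}
+})());
+};
+const { getIsDpopPoofSeenRecordIfNotSeen } = (() => {
+const timeSeenByDpopProofId = new Map();
+const evtDpopProofAdded = evt_1.Evt.create();
+evtDpopProofAdded.pipe((0, evt_1.throttleTime)(40000)).attach(async () => {
+await Promise.resolve();
+const now = Date.now();
+for (const [dpopProofId, timeSeen] of timeSeenByDpopProofId) {
+if (now - timeSeen > 40000) {
+timeSeenByDpopProofId.delete(dpopProofId);
+}
+else {
+// NOTE: All entries added after are more recent.
+break;
+}
+}
+});
+function getIsDpopPoofSeenRecordIfNotSeen(params) {
+const { jkt, jti } = params;
+const dpopProofId = `${jkt}:${jti}`;
+if (timeSeenByDpopProofId.has(dpopProofId)) {
+return true;
+}
+{
+timeSeenByDpopProofId.set(dpopProofId, Date.now());
+if (timeSeenByDpopProofId.size > 50000) {
+const firstEntry = timeSeenByDpopProofId[Symbol.iterator]().next().value;
+(0, tsafe_1.assert)(firstEntry !== undefined);
+const [key] = firstEntry;
+timeSeenByDpopProofId.delete(key);
+}
+evtDpopProofAdded.post();
+}
+return false;
+}
+return { getIsDpopPoofSeenRecordIfNotSeen };
+})();
+const validateAndDecodeAccessToken = async ({ request }) => {
+const paramsOfBootstrap = await dParamsOfBootstrap.pr;
+if (paramsOfBootstrap.implementation === "mock" &&
+paramsOfBootstrap.behavior === "use static identity") {
+return (0, tsafe_1.id)({
+isSuccess: true,
+decodedAccessToken: paramsOfBootstrap.decodedAccessToken_mock,
+get accessToken() {
+if (paramsOfBootstrap.accessToken_mock === undefined) {
+throw new Error([
+"oidc-spa: No mock provided for accessToken.",
+"Provide accessToken_mock to bootstrapAuth"
+].join(" "));
+}
+return paramsOfBootstrap.accessToken_mock;
+},
+get decodedAccessToken_original() {
+if (paramsOfBootstrap.decodedAccessToken_original_mock === undefined) {
+throw new Error([
+"oidc-spa: No mock provided for decodedAccessToken_original.",
+"Provide decodedAccessToken_original_mock to bootstrapAuth"
+].join(" "));
+}
+return paramsOfBootstrap.decodedAccessToken_original_mock;
+}
+});
+}
+if (!request.headers.Authorization) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "missing Authorization header",
+debugErrorMessage: "The request is anonymous, no Authorization header"
+});
+}
+const match = request.headers.Authorization.trim().match(/^((?:Bearer)|(?:DPoP))\s+(.+)$/i);
+if (match === null) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "Malformed Authorization header"
+});
+}
+const [, scheme, accessToken] = match;
+if (!(0, tsafe_1.isAmong)(["Bearer", "DPoP"], scheme)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `Unsupported scheme ${scheme}, expected Bearer or DPoP`
+});
+}
+let decodedAccessToken_original;
+validation: {
+if (paramsOfBootstrap.implementation === "mock") {
+tsafe_1.assert;
+decodedAccessToken_original = (0, decodeJwt_1.decodeJwt)(accessToken);
+try {
+zDecodedAccessToken_RFC9068.parse(decodedAccessToken_original);
+}
+catch (error) {
+(0, tsafe_1.assert)(error instanceof Error, "38292332");
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+`The decoded access token does not satisfies`,
+`the shape mandated by RFC9068: ${error.message}`
+].join(" ")
+});
+}
+(0, tsafe_1.assert)((0, tsafe_1.is)(decodedAccessToken_original));
+break validation;
+}
+let kid;
+let alg;
+{
+let header;
+try {
+header = (0, jose_1.decodeProtectedHeader)(accessToken);
+}
+catch {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "Failed to decode the JWT header"
+});
+}
+const { kid: kidFromHeader, alg: algFromHeader } = header;
+if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "The decoded JWT header does not have a kid property"
+});
+}
+if (typeof algFromHeader !== "string") {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "The decoded JWT header does not specify an algorithm"
+});
+}
+if (!(0, tsafe_1.isAmong)([
+"RS256",
+"RS384",
+"RS512",
+"ES256",
+"ES384",
+"ES512",
+"PS256",
+"PS384",
+"PS512"
+], algFromHeader)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
+});
+}
+kid = kidFromHeader;
+alg = algFromHeader;
+}
+const publicSigningKeys = evtPublicSigningKeys.state;
+(0, tsafe_1.assert)(publicSigningKeys !== undefined);
+if (!publicSigningKeys.kidSet.has(kid)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `No public signing key found with kid ${kid}`
+});
+}
+try {
+const verification = await (0, jose_1.jwtVerify)(accessToken, publicSigningKeys.keyResolver, {
+algorithms: [alg]
+});
+decodedAccessToken_original = verification.payload;
+}
+catch (error) {
+(0, tsafe_1.assert)(error instanceof Error, "3922843");
+if (error instanceof jose_1.errors.JWTExpired) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error - access token expired",
+debugErrorMessage: error.message
+});
+}
+evtInvalidSignature.post();
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error - invalid signature",
+debugErrorMessage: error.message
+});
+}
+try {
+zDecodedAccessToken_RFC9068.parse(decodedAccessToken_original);
+}
+catch (error) {
+(0, tsafe_1.assert)(error instanceof Error, "382923");
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+`The decoded access token does not satisfies`,
+`the shape mandated by RFC9068: ${error.message}`
+].join(" ")
+});
+}
+(0, tsafe_1.assert)((0, tsafe_1.is)(decodedAccessToken_original));
+// Validate issuer
+{
+const { issuerUri } = paramsOfBootstrap;
+const normalize = (url) => url.replace(/\/$/, "");
+if (normalize(decodedAccessToken_original.iss) !== normalize(issuerUri)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+`iss claim in access token payload "${decodedAccessToken_original.iss}"`,
+`does not match the issuerUri "${issuerUri}".`
+].join(" ")
+});
+}
+}
+validate_audience: {
+const { expectedAudience } = paramsOfBootstrap;
+if (expectedAudience === undefined) {
+break validate_audience;
+}
+const audiences = decodedAccessToken_original.aud instanceof Array
+? decodedAccessToken_original.aud
+: [decodedAccessToken_original.aud];
+if (!audiences.includes(expectedAudience)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+`Not expected audience, got aud claim ${JSON.stringify(decodedAccessToken_original.aud)}`,
+`but expected "${expectedAudience}".`
+].join(" ")
+});
+}
+}
+validate_DPoP: {
+const cnf_jkt = decodedAccessToken_original.cnf === undefined
+? undefined
+: decodedAccessToken_original.cnf.jkt;
+if (cnf_jkt !== undefined && typeof cnf_jkt !== "string") {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "cnf.jkt claim is expected to be a string"
+});
+}
+if (scheme === "Bearer") {
+if (cnf_jkt !== undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+"access token is DPoP bound (cnf.jkt claim present)",
+"but used with bearer scheme"
+].join(" ")
+});
+}
+break validate_DPoP;
+}
+tsafe_1.assert;
+if (cnf_jkt === undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+"DPoP validation error, missing cnf.jtk claim",
+"in the access token payload"
+].join(" ")
+});
+}
+if (!request.headers.DPoP) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "Scheme DPoP was specified but the DPoP header is missing"
+});
+}
+const dpopHeaderValue = request.headers.DPoP.trim();
+let dpopHeader;
+try {
+dpopHeader = (0, jose_1.decodeProtectedHeader)(dpopHeaderValue);
+}
+catch {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "Failed to decode DPoP proof header"
+});
+}
+const { jwk, alg: dpopAlg, typ: dpopTyp } = dpopHeader;
+if (dpopAlg === undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof header missing alg"
+});
+}
+if (!(0, tsafe_1.isAmong)([
+"RS256",
+"RS384",
+"RS512",
+"ES256",
+"ES384",
+"ES512",
+"PS256",
+"PS384",
+"PS512"
+], dpopAlg)) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `Unsupported or too weak DPoP algorithm ${dpopAlg}`
+});
+}
+if (dpopTyp === undefined || dpopTyp.toLowerCase() !== "dpop+jwt") {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof header typ must be dpop+jwt"
+});
+}
+if (jwk === undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof header missing jwk"
+});
+}
+let jkt_calculated;
+try {
+jkt_calculated = await (0, jose_1.calculateJwkThumbprint)(jwk);
+}
+catch (error) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `Failed to calculate DPoP jwk thumbprint: ${String(error)}`
+});
+}
+if (jkt_calculated !== cnf_jkt) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP jwk thumbprint does not match cnf.jkt claim"
+});
+}
+let dpopPayload;
+try {
+const key = await (0, jose_1.importJWK)(jwk, dpopAlg);
+const verification = await (0, jose_1.jwtVerify)(dpopHeaderValue, key, {
+algorithms: [dpopAlg],
+typ: "dpop+jwt"
+});
+dpopPayload = verification.payload;
+}
+catch (error) {
+(0, tsafe_1.assert)(error instanceof Error);
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: `DPoP proof signature/structure invalid: ${error.message}`
+});
+}
+const { htm, htu, ath, iat, jti } = dpopPayload;
+{
+if (iat === undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof missing or invalid iat claim"
+});
+}
+const now = Math.floor(Date.now() / 1000);
+const maxAgeSeconds = 40;
+const maxFutureSkewSeconds = 3;
+if (iat - now > maxFutureSkewSeconds) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof iat is in the future"
+});
+}
+if (now - iat > maxAgeSeconds) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof iat too old"
+});
+}
+}
+if (typeof htm !== "string" || htm.toUpperCase() !== request.method.toUpperCase()) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof htm claim does not match request method"
+});
+}
+const expectedHtu = (() => {
+try {
+const url = new URL(request.url);
+return `${url.origin}${url.pathname}`;
+}
+catch {
+return undefined;
+}
+})();
+if (expectedHtu === undefined || typeof htu !== "string" || htu !== expectedHtu) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof htu claim does not match request url"
+});
+}
+if (typeof ath !== "string") {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof missing ath claim"
+});
+}
+const expectedAth = (0, crypto_1.createHash)("sha256").update(accessToken).digest("base64url");
+if (ath !== expectedAth) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof ath claim does not match access token"
+});
+}
+if (jti === undefined) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof missing jti claim"
+});
+}
+if (getIsDpopPoofSeenRecordIfNotSeen({ jkt: cnf_jkt, jti })) {
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: "DPoP proof replayed"
+});
+}
+}
+}
+let decodedAccessToken;
+if (decodedAccessTokenSchema === undefined) {
+// @ts-expect-error: We know it will match because DecodedAccessToken will default to DecodedAccessToken_RFC9068
+decodedAccessToken = decodedAccessToken_original;
+}
+else {
+try {
+decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
+}
+catch (error) {
+(0, tsafe_1.assert)(error instanceof Error);
+return (0, tsafe_1.id)({
+isSuccess: false,
+errorCause: "validation error",
+debugErrorMessage: [
+`The decoded access token does not satisfies`,
+`the shape that the application expects: ${error.message}`
+].join(" ")
+});
+}
+}
+return (0, tsafe_1.id)({
+isSuccess: true,
+decodedAccessToken,
+decodedAccessToken_original,
+accessToken
+});
+};
+return {
+bootstrapAuth,
+validateAndDecodeAccessToken,
+ofTypeDecodedAccessToken: (0, tsafe_1.Reflect)()
+};
+}
+async function fetchPublicSigningKeys(params) {
+const { issuerUri } = params;
+const { jwks_uri } = await (async () => {
+const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
+const response = await fetch(url);
+if (!response.ok) {
+throw new Error(`Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`);
+}
+let data;
+try {
+data = await response.json();
+}
+catch (error) {
+throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
+}
+{
+const zWellKnownConfiguration = zod_1.z.object({
+jwks_uri: zod_1.z.string()
+});
+(0, tsafe_1.assert)();
+try {
+zWellKnownConfiguration.parse(data);
+}
+catch {
+throw new Error(`${url} does not have a jwks_uri property`);
+}
+(0, tsafe_1.assert)((0, tsafe_1.is)(data));
+}
+const { jwks_uri } = data;
+return { jwks_uri };
+})();
+const { jwks } = await (async () => {
+const response = await fetch(jwks_uri);
+if (!response.ok) {
+throw new Error(`Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`);
+}
+let jwks;
+try {
+jwks = await response.json();
+}
+catch (error) {
+throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
+}
+{
+const zJwks = zod_1.z.object({
+keys: zod_1.z.array(zod_1.z.object({
+kid: zod_1.z.string(),
+kty: zod_1.z.string(),
+use: zod_1.z.string().optional(),
+alg: zod_1.z.string().optional()
+}))
+});
+(0, tsafe_1.assert)();
+try {
+zJwks.parse(jwks);
+}
+catch {
+throw new Error(`${jwks_uri} does not have the expected shape`);
+}
+(0, tsafe_1.assert)((0, tsafe_1.is)(jwks));
+}
+return { jwks };
+})();
+//const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
+const signatureKeys = jwks.keys.filter(key => {
+if (typeof key.kid !== "string" || key.kid.length === 0) {
+return false;
+}
+if (key.use !== undefined && key.use !== "sig") {
+return false;
+}
+const supportedKty = ["RSA", "EC"];
+if (!supportedKty.includes(key.kty)) {
+return false;
+}
+return true;
+});
+(0, tsafe_1.assert)(signatureKeys.length !== 0, `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`);
+const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
+const keyResolver = (0, jose_1.createLocalJWKSet)({
+keys: signatureKeys
+});
+return {
+keyResolver,
+kidSet
+};
+}
+const zDecodedAccessToken_RFC9068 = (() => {
+const zTargetType = zod_1.z
+.object({
+iss: zod_1.z.string(),
+sub: zod_1.z.string(),
+aud: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]),
+exp: zod_1.z.number(),
+iat: zod_1.z.number(),
+client_id: zod_1.z.string().optional(),
+scope: zod_1.z.string().optional(),
+jti: zod_1.z.string().optional(),
+nbf: zod_1.z.number().optional(),
+auth_time: zod_1.z.number().optional(),
+cnf: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional()
+})
+.catchall(zod_1.z.unknown());
+tsafe_1.assert;
+return (0, tsafe_1.id)(zTargetType);
+})();
+//# sourceMappingURL=createOidcSpaUtils.js.map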
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"createOidcSpaUtils.js","sourceRoot":"","sources":["../src/server/createOidcSpaUtils.ts"],"names":[],"mappings":";;AAsBA,gDAmpBC;AAlqBD,gDAA6C;AAC7C,gDAO+B;AAC/B,kDAAuF;AACvF,8CAAyC;AACzC,8CAAyD;AACzD,kDAA+C;AAC/C,mCAAoC;AAEpC,SAAgB,kBAAkB,CAAqD,MAEtF;IACG,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAE5C,MAAM,kBAAkB,GAAG,IAAI,mBAAQ,EAAyC,CAAC;IAEjF,MAAM,oBAAoB,GAAG,SAAG,CAAC,MAAM,CAAgC,SAAS,CAAC,CAAC;IAElF,MAAM,mBAAmB,GAAG,SAAG,CAAC,MAAM,EAAQ,CAAC;IAE/C,mBAAmB,CAAC,IAAI,CAAC,IAAA,kBAAY,EAAC,OAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/D,MAAM,qBAAqB,GAAG,MAAM,CAAC,KAAK,UAAU,MAAM,CACtD,KAAa;YAEb,MAAM,iBAAiB,GAAG,MAAM,kBAAkB,CAAC,EAAE,CAAC;YAEtD,IAAA,cAAM,EAAC,iBAAiB,CAAC,cAAc,KAAK,MAAM,CAAC,CAAC;YAEpD,MAAM,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC;YAExC,IAAI,IAAmC,CAAC;YAExC,IAAI,CAAC;gBACD,IAAI,GAAG,MAAM,sBAAsB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;oBACd,OAAO,CAAC,IAAI,CACR,4DAA4D,KAAK,GAAG,CAAC,WAAW,CACnF,CAAC;oBAEF,OAAO,SAAS,CAAC;gBACrB,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;gBAE1C,OAAO,CAAC,IAAI,CACR,uDAAuD,MAAM,CACzD,KAAK,CACR,iBAAiB,OAAO,IAAI,CAChC,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;gBAE3D,OAAO,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC7B,CAAC;YAED,OAAO,IAAI,CAAC;QAChB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEN,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO;QACX,CAAC;QAED,oBAAoB,CAAC,KAAK,GAAG,qBAAqB,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,IAAI,wBAAwB,GAA8B,SAAS,CAAC;IAIpE,MAAM,aAAa,GAAyB,iBAAiB,CAAC,EAAE;QAC5D,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;YACzC,OAAO,wBAAwB,CAAC;QACpC,CAAC;QAED,OAAO,CAAC,wBAAwB,GAAG,CAAC,KAAK,IAAI,EAAE;YAC3C,kBAAkB,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAE9C,IAAI,iBAAiB,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;gBAC9C,oBAAoB,CAAC,KAAK,GAAG,MAAM,sBAAsB,CAAC;oBACtD,SAAS,EAAE,iBAAiB,CAAC,SAAS;iBACzC,CAAC,CAAC;YACP,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,CAAC;IACV,CAAC,CAAC;IAEF,MAAM,EAAE,gCAAgC,EAAE,GAAG,CAAC,GAAG,EAAE;QAC/C,MAAM,
qBAAqB,GAAG,IAAI,GAAG,EAAkB,CAAC;QAExD,MAAM,iBAAiB,GAAG,SAAG,CAAC,MAAM,EAAQ,CAAC;QAE7C,iBAAiB,CAAC,IAAI,CAAC,IAAA,kBAAY,EAAC,KAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;YAC3D,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;YAExB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAEvB,KAAK,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,qBAAqB,EAAE,CAAC;gBAC1D,IAAI,GAAG,GAAG,QAAQ,GAAG,KAAM,EAAE,CAAC;oBAC1B,qBAAqB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBAC9C,CAAC;qBAAM,CAAC;oBACJ,iDAAiD;oBACjD,MAAM;gBACV,CAAC;YACL,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,SAAS,gCAAgC,CAAC,MAAoC;YAC1E,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC;YAC5B,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC;YAEpC,IAAI,qBAAqB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzC,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,CAAC;gBACG,qBAAqB,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAEnD,IAAI,qBAAqB,CAAC,IAAI,GAAG,KAAM,EAAE,CAAC;oBACtC,MAAM,UAAU,GAAG,qBAAqB,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;oBAEzE,IAAA,cAAM,EAAC,UAAU,KAAK,SAAS,CAAC,CAAC;oBAEjC,MAAM,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;oBAEzB,qBAAqB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACtC,CAAC;gBAED,iBAAiB,CAAC,IAAI,EAAE,CAAC;YAC7B,CAAC;YAED,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,OAAO,EAAE,gCAAgC,EAAE,CAAC;IAChD,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,4BAA4B,GAAwC,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;QAC5F,MAAM,iBAAiB,GAAG,MAAM,kBAAkB,CAAC,EAAE,CAAC;QAEtD,IACI,iBAAiB,CAAC,cAAc,KAAK,MAAM;YAC3C,iBAAiB,CAAC,QAAQ,KAAK,qBAAqB,EACtD,CAAC;YACC,OAAO,IAAA,UAAE,EAAsE;gBAC3E,SAAS,EAAE,IAAI;gBACf,kBAAkB,EAAE,iBAAiB,CAAC,uBAAuB;gBAC7D,IAAI,WAAW;oBACX,IAAI,iBAAiB,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;wBACnD,MAAM,IAAI,KAAK,CACX;4BACI,6CAA6C;4BAC7C,2CAA2C;yBAC9C,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;oBACN,CAAC;oBAED,OAAO,iBAAiB,CAAC,gBAAgB,CAAC;gBAC9C,CAAC;gBACD,IAAI,2BAA2B;oBAC3B,IAAI,iBAAiB,CAAC,gCAAgC,KAAK,SAAS,EAAE,CAAC;wBACnE,MAAM,IAAI,KAAK,CACX;4BACI,6DAA6D;4BAC7D,2DAA2D;yBAC9D,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;oBACN,CAAC;oBAED,OAAO,iBAAiB,CAAC,gCAAgC,CAAC;gBAC9D,CAAC;aACJ,CAAC,CAAC;QACP,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC
;YACjC,OAAO,IAAA,UAAE,EAAkD;gBACvD,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,8BAA8B;gBAC1C,iBAAiB,EAAE,mDAAmD;aACzE,CAAC,CAAC;QACP,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QAE5F,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACjB,OAAO,IAAA,UAAE,EAAkD;gBACvD,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,kBAAkB;gBAC9B,iBAAiB,EAAE,gCAAgC;aACtD,CAAC,CAAC;QACP,CAAC;QAED,MAAM,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,GAAG,KAAK,CAAC;QAEtC,IAAI,CAAC,IAAA,eAAO,EAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,EAAE,CAAC;YACvC,OAAO,IAAA,UAAE,EAAkD;gBACvD,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,kBAAkB;gBAC9B,iBAAiB,EAAE,sBAAsB,MAAM,2BAA2B;aAC7E,CAAC,CAAC;QACP,CAAC;QAED,IAAI,2BAAoC,CAAC;QAEzC,UAAU,EAAE,CAAC;YACT,IAAI,iBAAiB,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;gBAC9C,cAAgE,CAAC;gBAEjE,2BAA2B,GAAG,IAAA,qBAAS,EAAC,WAAW,CAAC,CAAC;gBAErD,IAAI,CAAC;oBACD,2BAA2B,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBACnE,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,IAAA,cAAM,EAAC,KAAK,YAAY,KAAK,EAAE,UAAU,CAAC,CAAC;oBAE3C,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE;4BACf,6CAA6C;4BAC7C,kCAAkC,KAAK,CAAC,OAAO,EAAE;yBACpD,CAAC,IAAI,CAAC,GAAG,CAAC;qBACd,CAAC,CAAC;gBACP,CAAC;gBAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAA6B,2BAA2B,CAAC,CAAC,CAAC;gBAEpE,MAAM,UAAU,CAAC;YACrB,CAAC;YAED,IAAI,GAAW,CAAC;YAChB,IAAI,GAAW,CAAC;YAEhB,CAAC;gBACG,IAAI,MAAgD,CAAC;gBAErD,IAAI,CAAC;oBACD,MAAM,GAAG,IAAA,4BAAqB,EAAC,WAAW,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACL,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,iCAAiC;qBACvD,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;gBAE1D,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAClE,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,qDAAqD;qBAC3E,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;oBACpC,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,sDAAsD;qBAC5E,CAAC,CAAC;gBACP,CAAC;gBAED,IAC
I,CAAC,IAAA,eAAO,EACJ;oBACI,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;iBACV,EACD,aAAa,CAChB,EACH,CAAC;oBACC,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,qCAAqC,aAAa,EAAE;qBAC1E,CAAC,CAAC;gBACP,CAAC;gBAED,GAAG,GAAG,aAAa,CAAC;gBACpB,GAAG,GAAG,aAAa,CAAC;YACxB,CAAC;YAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,KAAK,CAAC;YAErD,IAAA,cAAM,EAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC;YAExC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,OAAO,IAAA,UAAE,EAAkD;oBACvD,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,kBAAkB;oBAC9B,iBAAiB,EAAE,wCAAwC,GAAG,EAAE;iBACnE,CAAC,CAAC;YACP,CAAC;YAED,IAAI,CAAC;gBACD,MAAM,YAAY,GAAG,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,iBAAiB,CAAC,WAAW,EAAE;oBAC7E,UAAU,EAAE,CAAC,GAAG,CAAC;iBACpB,CAAC,CAAC;gBAEH,2BAA2B,GAAG,YAAY,CAAC,OAAO,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAA,cAAM,EAAC,KAAK,YAAY,KAAK,EAAE,SAAS,CAAC,CAAC;gBAE1C,IAAI,KAAK,YAAY,aAAM,CAAC,UAAU,EAAE,CAAC;oBACrC,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,yCAAyC;wBACrD,iBAAiB,EAAE,KAAK,CAAC,OAAO;qBACnC,CAAC,CAAC;gBACP,CAAC;gBAED,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBAE3B,OAAO,IAAA,UAAE,EAAkD;oBACvD,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,sCAAsC;oBAClD,iBAAiB,EAAE,KAAK,CAAC,OAAO;iBACnC,CAAC,CAAC;YACP,CAAC;YAED,IAAI,CAAC;gBACD,2BAA2B,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;YACnE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAA,cAAM,EAAC,KAAK,YAAY,KAAK,EAAE,QAAQ,CAAC,CAAC;gBAEzC,OAAO,IAAA,UAAE,EAAkD;oBACvD,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,kBAAkB;oBAC9B,iBAAiB,EAAE;wBACf,6CAA6C;wBAC7C,kCAAkC,KAAK,CAAC,OAAO,EAAE;qBACpD,CAAC,IAAI,CAAC,GAAG,CAAC;iBACd,CAAC,CAAC;YACP,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAA6B,2BAA2B,CAAC,CAAC,CAAC;YAEpE,kBAAkB;YAClB,CAAC;gBACG,MAAM,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC;gBAExC,MAAM,SAAS,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAE1D,IAAI,SAAS,CAAC,2BAA2B,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;oBACtE,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBA
AiB,EAAE;4BACf,sCAAsC,2BAA2B,CAAC,GAAG,GAAG;4BACxE,iCAAiC,SAAS,IAAI;yBACjD,CAAC,IAAI,CAAC,GAAG,CAAC;qBACd,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAED,iBAAiB,EAAE,CAAC;gBAChB,MAAM,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC;gBAE/C,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;oBACjC,MAAM,iBAAiB,CAAC;gBAC5B,CAAC;gBAED,MAAM,SAAS,GACX,2BAA2B,CAAC,GAAG,YAAY,KAAK;oBAC5C,CAAC,CAAC,2BAA2B,CAAC,GAAG;oBACjC,CAAC,CAAC,CAAC,2BAA2B,CAAC,GAAG,CAAC,CAAC;gBAE5C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACxC,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE;4BACf,wCAAwC,IAAI,CAAC,SAAS,CAClD,2BAA2B,CAAC,GAAG,CAClC,EAAE;4BACH,iBAAiB,gBAAgB,IAAI;yBACxC,CAAC,IAAI,CAAC,GAAG,CAAC;qBACd,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAED,aAAa,EAAE,CAAC;gBACZ,MAAM,OAAO,GACT,2BAA2B,CAAC,GAAG,KAAK,SAAS;oBACzC,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,2BAA2B,CAAC,GAAG,CAAC,GAAG,CAAC;gBAE9C,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;oBACvD,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,0CAA0C;qBAChE,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACtB,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;wBACxB,OAAO,IAAA,UAAE,EAAkD;4BACvD,SAAS,EAAE,KAAK;4BAChB,UAAU,EAAE,kBAAkB;4BAC9B,iBAAiB,EAAE;gCACf,oDAAoD;gCACpD,6BAA6B;6BAChC,CAAC,IAAI,CAAC,GAAG,CAAC;yBACd,CAAC,CAAC;oBACP,CAAC;oBAED,MAAM,aAAa,CAAC;gBACxB,CAAC;gBACD,cAAqC,CAAC;gBAEtC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE;4BACf,8CAA8C;4BAC9C,6BAA6B;yBAChC,CAAC,IAAI,CAAC,GAAG,CAAC;qBACd,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;oBACxB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,0DAA0D;qBAChF,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAEpD,IAAI,UAAoD,CAAC;gBAEzD,IAAI,CAAC;oBACD,UAAU,GAAG,IAAA,4BAAqB,EAAC,eAAe,CAAC,CAAC;gBACxD,CAAC;gBAAC,MAAM,CAAC;oBACL,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;w
BAC9B,iBAAiB,EAAE,oCAAoC;qBAC1D,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,UAAU,CAAC;gBAEvD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,+BAA+B;qBACrD,CAAC,CAAC;gBACP,CAAC;gBAED,IACI,CAAC,IAAA,eAAO,EACJ;oBACI,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;iBACV,EACD,OAAO,CACV,EACH,CAAC;oBACC,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,0CAA0C,OAAO,EAAE;qBACzE,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,CAAC,WAAW,EAAE,KAAK,UAAU,EAAE,CAAC;oBAChE,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,wCAAwC;qBAC9D,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;oBACpB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,+BAA+B;qBACrD,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,cAAsB,CAAC;gBAE3B,IAAI,CAAC;oBACD,cAAc,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,CAAC,CAAC;gBACvD,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,4CAA4C,MAAM,CAAC,KAAK,CAAC,EAAE;qBACjF,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,cAAc,KAAK,OAAO,EAAE,CAAC;oBAC7B,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,kDAAkD;qBACxE,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,WAA6D,CAAC;gBAElE,IAAI,CAAC;oBACD,MAAM,GAAG,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC;oBAC1C,MAAM,YAAY,GAAG,MAAM,IAAA,gBAAS,EAAC,eAAe,EAAE,GAAG,EAAE;wBACvD,UAAU,EAAE,CAAC,OAAO,CAAC;wBACrB,GAAG,EAAE,UAAU;qBAClB,CAAC,CAAC;oBACH,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC;gBACvC,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,IAAA,cAAM,EAAC,KAAK,YAAY,KAAK,CAAC,CAAC;oBAE/B,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,2CAA2C,KAAK,CAAC,OAAO,EAAE;qBAChF,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,WAAW,CAAC;gBAEh
D,CAAC;oBACG,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;wBACpB,OAAO,IAAA,UAAE,EAAkD;4BACvD,SAAS,EAAE,KAAK;4BAChB,UAAU,EAAE,kBAAkB;4BAC9B,iBAAiB,EAAE,yCAAyC;yBAC/D,CAAC,CAAC;oBACP,CAAC;oBAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC1C,MAAM,aAAa,GAAG,EAAE,CAAC;oBACzB,MAAM,oBAAoB,GAAG,CAAC,CAAC;oBAE/B,IAAI,GAAG,GAAG,GAAG,GAAG,oBAAoB,EAAE,CAAC;wBACnC,OAAO,IAAA,UAAE,EAAkD;4BACvD,SAAS,EAAE,KAAK;4BAChB,UAAU,EAAE,kBAAkB;4BAC9B,iBAAiB,EAAE,iCAAiC;yBACvD,CAAC,CAAC;oBACP,CAAC;oBAED,IAAI,GAAG,GAAG,GAAG,GAAG,aAAa,EAAE,CAAC;wBAC5B,OAAO,IAAA,UAAE,EAAkD;4BACvD,SAAS,EAAE,KAAK;4BAChB,UAAU,EAAE,kBAAkB;4BAC9B,iBAAiB,EAAE,wBAAwB;yBAC9C,CAAC,CAAC;oBACP,CAAC;gBACL,CAAC;gBAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;oBAChF,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,oDAAoD;qBAC1E,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE;oBACtB,IAAI,CAAC;wBACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;wBACjC,OAAO,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;oBAC1C,CAAC;oBAAC,MAAM,CAAC;wBACL,OAAO,SAAS,CAAC;oBACrB,CAAC;gBACL,CAAC,CAAC,EAAE,CAAC;gBAEL,IAAI,WAAW,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;oBAC9E,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,iDAAiD;qBACvE,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;oBAC1B,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,8BAA8B;qBACpD,CAAC,CAAC;gBACP,CAAC;gBAED,MAAM,WAAW,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBAEjF,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;oBACtB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,kDAAkD;qBACxE,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;oBACpB,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,8BAA8B;qBACpD,CAAC,CAAC;gBACP,CAAC;gBAED,IAAI,gCAAgC,C
AAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;oBAC1D,OAAO,IAAA,UAAE,EAAkD;wBACvD,SAAS,EAAE,KAAK;wBAChB,UAAU,EAAE,kBAAkB;wBAC9B,iBAAiB,EAAE,qBAAqB;qBAC3C,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;QACL,CAAC;QAED,IAAI,kBAAsC,CAAC;QAE3C,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;YACzC,gHAAgH;YAChH,kBAAkB,GAAG,2BAA2B,CAAC;QACrD,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC;gBACD,kBAAkB,GAAG,wBAAwB,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;YACrF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAA,cAAM,EAAC,KAAK,YAAY,KAAK,CAAC,CAAC;gBAE/B,OAAO,IAAA,UAAE,EAAkD;oBACvD,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,kBAAkB;oBAC9B,iBAAiB,EAAE;wBACf,6CAA6C;wBAC7C,2CAA2C,KAAK,CAAC,OAAO,EAAE;qBAC7D,CAAC,IAAI,CAAC,GAAG,CAAC;iBACd,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,OAAO,IAAA,UAAE,EAAsE;YAC3E,SAAS,EAAE,IAAI;YACf,kBAAkB;YAClB,2BAA2B;YAC3B,WAAW;SACd,CAAC,CAAC;IACP,CAAC,CAAC;IAEF,OAAO;QACH,aAAa;QACb,4BAA4B;QAC5B,wBAAwB,EAAE,IAAA,eAAO,GAAsB;KAC1D,CAAC;AACN,CAAC;AAOD,KAAK,UAAU,sBAAsB,CAAC,MAA6B;IAC/D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QACnC,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mCAAmC,CAAC;QAE/E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,0DAA0D,SAAS,KAAK,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CACzG,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,CAAC;YAKG,MAAM,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;gBACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;aACvB,CAAC,CAAC;YAEH,IAAA,cAAM,GAA2E,CAAC;YAElF,IAAI,CAAC;gBACD,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,oCAAoC,CAAC,CAAC;YAChE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAyB,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;QAE1B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACxB,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/B,MAAM,QAAQ
,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,iDAAiD,QAAQ,KAAK,QAAQ,CAAC,UAAU,EAAE,CACtF,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,CAAC;YAUG,MAAM,KAAK,GAAG,OAAC,CAAC,MAAM,CAAC;gBACnB,IAAI,EAAE,OAAC,CAAC,KAAK,CACT,OAAC,CAAC,MAAM,CAAC;oBACL,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;oBAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;iBAC7B,CAAC,CACL;aACJ,CAAC,CAAC;YAEH,IAAA,cAAM,GAAuC,CAAC;YAE9C,IAAI,CAAC;gBACD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,mCAAmC,CAAC,CAAC;YACpE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAO,IAAI,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,CAAC;IACpB,CAAC,CAAC,EAAE,CAAC;IAEL,kGAAkG;IAClG,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;QACzC,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,IAAI,CAAU,CAAC;QAE5C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAoC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,IAAA,cAAM,EACF,aAAa,CAAC,MAAM,KAAK,CAAC,EAC1B,kCAAkC,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CACjF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5D,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC;QAClC,IAAI,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,OAAO;QACH,WAAW;QACX,MAAM;KACT,CAAC;AACN,CAAC;AAED,MAAM,2BAA2B,GAAG,CAAC,GAAG,EAAE;IAGtC,MAAM,WAAW,GAAG,OAAC;SAChB,MAAM,CAAC;QACJ,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,
EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC/C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC5B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;KACpD,CAAC;SACD,QAAQ,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAI3B,cAAwC,CAAC;IAEzC,OAAO,IAAA,UAAE,EAAwB,WAAW,CAAC,CAAC;AAClD,CAAC,CAAC,EAAE,CAAC"}
|