sentri 1.0.0

package/dist/middleware/permit.js

@@ -0,0 +1,61 @@
+import { AuthError } from '../errors/AuthError.js';
+/**
+ * Express middleware factory for resource-level permission checks.
+ *
+ * Must be used **after** `protect()`. Evaluates a check function against the
+ * current request; calls `next(AuthError)` with code `FORBIDDEN` if it returns `false`.
+ *
+ * Accepts either a bare check function or an options object with an optional
+ * `roles` list whose members bypass the check entirely.
+ *
+ * @example
+ * // Simple ownership check
+ * router.put('/users/:id',
+ *   auth.protect(),
+ *   auth.permit((req) => req.user!.id === req.params['id']),
+ *   updateUserHandler,
+ * );
+ *
+ * @example
+ * // Admins bypass the check; others must own the post
+ * router.delete('/posts/:id',
+ *   auth.protect(),
+ *   auth.permit({
+ *     roles: ['admin'],
+ *     check: async (req) => {
+ *       const post = await db.post.findUnique({ where: { id: req.params['id'] } });
+ *       return post?.authorId === req.user!.id;
+ *     },
+ *   }),
+ *   deletePostHandler,
+ * );
+ */
+export function permit(optionsOrCheck) {
+    const options = typeof optionsOrCheck === 'function'
+        ? { check: optionsOrCheck }
+        : optionsOrCheck;
+    return async (req, _res, next) => {
+        if (!req.user) {
+            return next(new AuthError('UNAUTHORIZED', 'Not authenticated'));
+        }
+        if (options.roles && options.roles.length > 0) {
+            const userRoles = req.user.roles;
+            const hasBypassRole = options.roles.some((role) => userRoles.includes(role));
+            if (hasBypassRole)
+                return next();
+        }
+        try {
+            const allowed = await options.check(req);
+            if (allowed) {
+                next();
+            }
+            else {
+                next(new AuthError('FORBIDDEN', 'You do not have permission to perform this action'));
+            }
+        }
+        catch (err) {
+            next(err);
+        }
+    };
+}
+//# sourceMappingURL=permit.js.map

package/dist/middleware/permit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permit.js","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAgCnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,MAAM,CACpB,cAAkD;IAElD,MAAM,OAAO,GACX,OAAO,cAAc,KAAK,UAAU;QAClC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3B,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC/B,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAsB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;YACpD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7E,IAAI,aAAa;gBAAE,OAAO,IAAI,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,mDAAmD,CAAC,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/protect.d.ts

@@ -0,0 +1,4 @@
+import type { RequestHandler } from 'express';
+import type { AuthConfig } from '../types/auth.js';
+export declare function protect(config: AuthConfig): RequestHandler;
+//# sourceMappingURL=protect.d.ts.map

package/dist/middleware/protect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAc1D"}

package/dist/middleware/protect.js

@@ -0,0 +1,19 @@
+import { AuthError } from '../errors/AuthError.js';
+import { verifyAccessToken } from '../libs/token.js';
+export function protect(config) {
+    return (req, _res, next) => {
+        const authHeader = req.headers['authorization'];
+        if (!authHeader?.startsWith('Bearer ')) {
+            return next(new AuthError('UNAUTHORIZED', 'Missing or malformed Authorization header'));
+        }
+        const token = authHeader.slice(7);
+        try {
+            req.user = verifyAccessToken(token, config);
+            next();
+        }
+        catch (err) {
+            next(err);
+        }
+    };
+}
+//# sourceMappingURL=protect.js.map

package/dist/middleware/protect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC5C,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/router.d.ts

@@ -0,0 +1,27 @@
+import { Router } from 'express';
+import type { AuthConfig } from '../types/auth.js';
+/**
+ * Creates a pre-built Express Router with all standard auth endpoints.
+ *
+ * Mount it once and all routes are ready:
+ *
+ * ```
+ * POST /signup       — register a new user
+ * POST /login        — authenticate and get tokens
+ * POST /refresh      — rotate refresh token
+ * POST /logout       — invalidate current session
+ * POST /logout-all   — invalidate all sessions for the authenticated user
+ * GET  /me           — return the currently authenticated user
+ * ```
+ *
+ * Requires `express.json()` to be applied before the router.
+ *
+ * When `cookie` is set in config, the refresh token is stored in an httpOnly
+ * cookie automatically — no `cookie-parser` needed.
+ *
+ * @example
+ * app.use(express.json());
+ * app.use('/auth', auth.router());
+ */
+export declare function createAuthRouter<TRole extends string>(config: AuthConfig<TRole>): Router;
+//# sourceMappingURL=router.d.ts.map

package/dist/middleware/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,SAAS,CAAC;AAEhD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAmDnD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CA2LxF"}

package/dist/middleware/router.js

@@ -0,0 +1,244 @@
+import { Router } from 'express';
+import { AuthError } from '../errors/AuthError.js';
+import { signup, login, refresh, logout, logoutAll } from '../services/auth.js';
+import { resolveConfig, parseExpiry } from '../libs/config.js';
+import { protect } from './protect.js';
+const MIN_PASSWORD_LENGTH = 8;
+// bcrypt silently truncates input beyond 72 bytes. Enforcing a cap makes the
+// truncation boundary explicit so two passwords that share the same first 72
+// bytes cannot be treated as identical.
+const MAX_PASSWORD_LENGTH = 72;
+const MAX_IDENTIFIER_LENGTH = 255;
+function badRequest(message) {
+    return new AuthError('VALIDATION_ERROR', message);
+}
+function parseBody(body) {
+    if (body === null || body === undefined || typeof body !== 'object' || Array.isArray(body)) {
+        throw new AuthError('VALIDATION_ERROR', 'Request body is missing or not a JSON object. Did you apply express.json()?');
+    }
+    return body;
+}
+// Read a single cookie from the raw Cookie header — no cookie-parser needed.
+function readCookie(cookieHeader, name) {
+    if (!cookieHeader)
+        return undefined;
+    const pair = cookieHeader
+        .split(';')
+        .map((s) => s.trim())
+        .find((s) => s.startsWith(`${name}=`));
+    return pair !== undefined ? pair.slice(name.length + 1) : undefined;
+}
+function setCookie(res, token, config) {
+    const cfg = config.cookie;
+    const resolved = resolveConfig(config);
+    const maxAge = parseExpiry(resolved.refreshExpiresIn);
+    res.cookie(cfg.name ?? 'refresh_token', token, {
+        httpOnly: cfg.httpOnly ?? true,
+        secure: cfg.secure ?? false,
+        sameSite: cfg.sameSite ?? 'strict',
+        path: cfg.path ?? '/',
+        maxAge,
+    });
+}
+function clearCookie(res, config) {
+    const cfg = config.cookie;
+    res.clearCookie(cfg.name ?? 'refresh_token', { path: cfg.path ?? '/' });
+}
+/**
+ * Creates a pre-built Express Router with all standard auth endpoints.
+ *
+ * Mount it once and all routes are ready:
+ *
+ * ```
+ * POST /signup       — register a new user
+ * POST /login        — authenticate and get tokens
+ * POST /refresh      — rotate refresh token
+ * POST /logout       — invalidate current session
+ * POST /logout-all   — invalidate all sessions for the authenticated user
+ * GET  /me           — return the currently authenticated user
+ * ```
+ *
+ * Requires `express.json()` to be applied before the router.
+ *
+ * When `cookie` is set in config, the refresh token is stored in an httpOnly
+ * cookie automatically — no `cookie-parser` needed.
+ *
+ * @example
+ * app.use(express.json());
+ * app.use('/auth', auth.router());
+ */
+export function createAuthRouter(config) {
+    const router = Router();
+    const cookieMode = config.cookie !== undefined;
+    router.post('/signup', async (req, res, next) => {
+        try {
+            const body = parseBody(req.body);
+            const { identifier, password, roles } = body;
+            if (typeof identifier !== 'string' || identifier.trim().length === 0) {
+                throw badRequest('identifier is required and must be a non-empty string');
+            }
+            if (identifier.length > MAX_IDENTIFIER_LENGTH) {
+                throw badRequest(`identifier must not exceed ${MAX_IDENTIFIER_LENGTH} characters`);
+            }
+            if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
+                throw badRequest(`password is required and must be at least ${MIN_PASSWORD_LENGTH} characters`);
+            }
+            if (password.length > MAX_PASSWORD_LENGTH) {
+                throw badRequest(`password must not exceed ${MAX_PASSWORD_LENGTH} characters`);
+            }
+            if (roles !== undefined && !Array.isArray(roles)) {
+                throw badRequest('roles must be an array of strings when provided');
+            }
+            if (Array.isArray(roles) && !roles.every((r) => typeof r === 'string')) {
+                throw badRequest('each role must be a string');
+            }
+            const rolesInput = Array.isArray(roles) ? roles : undefined;
+            const input = rolesInput !== undefined
+                ? { identifier: identifier.trim(), password, roles: rolesInput }
+                : { identifier: identifier.trim(), password };
+            const result = await signup(input, config);
+            if (!result.success) {
+                const status = result.error.code === 'USER_ALREADY_EXISTS' ? 409 : 400;
+                res.status(status).json({ code: result.error.code, message: result.error.message });
+                return;
+            }
+            if (cookieMode) {
+                setCookie(res, result.refreshToken, config);
+                res.status(201).json({ accessToken: result.accessToken, user: result.user });
+            }
+            else {
+                res.status(201).json({
+                    accessToken: result.accessToken,
+                    refreshToken: result.refreshToken,
+                    user: result.user,
+                });
+            }
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    router.post('/login', async (req, res, next) => {
+        try {
+            const body = parseBody(req.body);
+            const { identifier, password } = body;
+            if (typeof identifier !== 'string' || identifier.trim().length === 0) {
+                throw badRequest('identifier is required and must be a non-empty string');
+            }
+            if (identifier.length > MAX_IDENTIFIER_LENGTH) {
+                throw badRequest(`identifier must not exceed ${MAX_IDENTIFIER_LENGTH} characters`);
+            }
+            if (typeof password !== 'string' || password.length === 0) {
+                throw badRequest('password is required');
+            }
+            if (password.length > MAX_PASSWORD_LENGTH) {
+                throw badRequest(`password must not exceed ${MAX_PASSWORD_LENGTH} characters`);
+            }
+            const result = await login({ identifier: identifier.trim(), password }, config);
+            if (!result.success) {
+                res.status(401).json({ code: result.error.code, message: result.error.message });
+                return;
+            }
+            if (cookieMode) {
+                setCookie(res, result.refreshToken, config);
+                res.json({ accessToken: result.accessToken, user: result.user });
+            }
+            else {
+                res.json({
+                    accessToken: result.accessToken,
+                    refreshToken: result.refreshToken,
+                    user: result.user,
+                });
+            }
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    router.post('/refresh', async (req, res, next) => {
+        try {
+            let refreshToken;
+            if (cookieMode) {
+                const fromCookie = readCookie(req.headers['cookie'], config.cookie?.name ?? 'refresh_token');
+                if (!fromCookie) {
+                    throw new AuthError('UNAUTHORIZED', 'Refresh token cookie is missing');
+                }
+                refreshToken = fromCookie;
+            }
+            else {
+                const body = parseBody(req.body);
+                const { refreshToken: fromBody } = body;
+                if (typeof fromBody !== 'string' || fromBody.trim().length === 0) {
+                    throw badRequest('refreshToken is required');
+                }
+                refreshToken = fromBody;
+            }
+            const result = await refresh(refreshToken, config);
+            if (!result.success) {
+                if (cookieMode)
+                    clearCookie(res, config);
+                res.status(401).json({ code: result.error.code, message: result.error.message });
+                return;
+            }
+            if (cookieMode) {
+                setCookie(res, result.refreshToken, config);
+                res.json({ accessToken: result.accessToken });
+            }
+            else {
+                res.json({
+                    accessToken: result.accessToken,
+                    refreshToken: result.refreshToken,
+                });
+            }
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    router.post('/logout', async (req, res, next) => {
+        try {
+            let refreshToken;
+            if (cookieMode) {
+                const fromCookie = readCookie(req.headers['cookie'], config.cookie?.name ?? 'refresh_token');
+                if (!fromCookie) {
+                    // Nothing to revoke, just clear the cookie and return success
+                    clearCookie(res, config);
+                    res.json({ message: 'logged out' });
+                    return;
+                }
+                refreshToken = fromCookie;
+            }
+            else {
+                const body = parseBody(req.body);
+                const { refreshToken: fromBody } = body;
+                if (typeof fromBody !== 'string' || fromBody.trim().length === 0) {
+                    throw badRequest('refreshToken is required');
+                }
+                refreshToken = fromBody;
+            }
+            await logout(refreshToken, config);
+            if (cookieMode)
+                clearCookie(res, config);
+            res.json({ message: 'logged out' });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    router.post('/logout-all', protect(config), async (req, res, next) => {
+        try {
+            await logoutAll(req.user.id, config);
+            if (cookieMode)
+                clearCookie(res, config);
+            res.json({ message: 'all sessions revoked' });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    router.get('/me', protect(config), (req, res) => {
+        res.json(req.user);
+    });
+    return router;
+}
+//# sourceMappingURL=router.js.map

package/dist/middleware/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,6EAA6E;AAC7E,6EAA6E;AAC7E,wCAAwC;AACxC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAElC,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,IAAI,SAAS,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,SAAS,CAAC,IAAa;IAC9B,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3F,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,6EAA6E,CAAC,CAAC;IACzH,CAAC;IACD,OAAO,IAA+B,CAAC;AACzC,CAAC;AAED,6EAA6E;AAC7E,SAAS,UAAU,CAAC,YAAgC,EAAE,IAAY;IAChE,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,IAAI,GAAG,YAAY;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;IACzC,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACtE,CAAC;AAED,SAAS,SAAS,CAAC,GAAa,EAAE,KAAa,EAAE,MAAkB;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,MAAO,CAAC;IAC3B,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,eAAe,EAAE,KAAK,EAAE;QAC7C,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;QAC9B,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,KAAK;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,QAAQ;QAClC,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,GAAG;QACrB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,GAAa,EAAE,MAAkB;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAO,CAAC;IAC3B,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,IAAI,eAAe,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,gBAAgB,CAAuB,MAAyB;IAC9E,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC;IAE/C,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YAE7C,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1E,MAAM,UAAU,CAAC,6CAA6C,mBAAmB,aAAa,CAAC,CAAC;YAClG,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YACD,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,MAAM,UAAU,CAAC,iDAAiD,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;gBACvE,MAAM,UAAU,CAAC,4BAA4B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,KAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YACzE,MAAM,KAAK,GAAG,UAAU,KAAK,SAAS;gBACpC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE;gBAChE,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACvE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACpF,OAAO;YACT,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;gBAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/E,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;oBACjC,IAAI,EAAE,MAAM,CAAC,IAAI;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1D,MAAM,UAAU,CAAC,sBAAsB,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;YAEhF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACjF,OAAO;YACT,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;gBAC5C,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,IAAI,CAAC;oBACP,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;oBACjC,IAAI,EAAE,MAAM,CAAC,IAAI;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC/C,IAAI,CAAC;YACH,IAAI,YAAoB,CAAC;YAEzB,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,EACrB,MAAM,CAAC,MAAM,EAAE,IAAI,IAAI,eAAe,CACvC,CAAC;gBACF,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,iCAAiC,CAAC,CAAC;gBACzE,CAAC;gBACD,YAAY,GAAG,UAAU,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;gBACxC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACjE,MAAM,UAAU,CAAC,0BAA0B,CAAC,CAAC;gBAC/C,CAAC;gBACD,YAAY,GAAG,QAAQ,CAAC;YAC1B,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YAEnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,UAAU;oBAAE,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACjF,OAAO;YACT,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;gBAC5C,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,IAAI,CAAC;oBACP,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;iBAClC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9C,IAAI,CAAC;YACH,IAAI,YAAoB,CAAC;YAEzB,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,EACrB,MAAM,CAAC,MAAM,EAAE,IAAI,IAAI,eAAe,CACvC,CAAC;gBACF,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,8DAA8D;oBAC9D,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;oBACzB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;oBACpC,OAAO;gBACT,CAAC;gBACD,YAAY,GAAG,UAAU,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;gBACxC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACjE,MAAM,UAAU,CAAC,0BAA0B,CAAC,CAAC;gBAC/C,CAAC;gBACD,YAAY,GAAG,QAAQ,CAAC;YAC1B,CAAC;YAED,MAAM,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACnC,IAAI,UAAU;gBAAE,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACnE,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,GAAG,CAAC,IAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtC,IAAI,UAAU;gBAAE,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC9C,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/services/auth.d.ts

@@ -0,0 +1,7 @@
+import type { AuthConfig, AuthResult, LoginInput, RefreshResult, SignupInput } from '../types/auth.js';
+export declare function signup(input: SignupInput, config: AuthConfig): Promise<AuthResult>;
+export declare function login(input: LoginInput, config: AuthConfig): Promise<AuthResult>;
+export declare function refresh(refreshToken: string, config: AuthConfig): Promise<RefreshResult>;
+export declare function logout(refreshToken: string, config: AuthConfig): Promise<void>;
+export declare function logoutAll(userId: string, config: AuthConfig): Promise<void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/services/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEvG,wBAAsB,MAAM,CAC1B,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAyBrB;AAED,wBAAsB,KAAK,CACzB,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED,wBAAsB,OAAO,CAC3B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED,wBAAsB,MAAM,CAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/services/auth.js

@@ -0,0 +1,84 @@
+import { AuthError } from '../errors/AuthError.js';
+import { hashPassword, verifyPassword } from '../libs/hash.js';
+import { signAccessToken, signRefreshToken, verifyRefreshToken } from '../libs/token.js';
+import { resolveConfig, parseExpiry } from '../libs/config.js';
+export async function signup(input, config) {
+    const resolved = resolveConfig(config);
+    const requestedRoles = input.roles ?? [];
+    const invalidRoles = requestedRoles.filter((r) => !resolved.validRoles.includes(r));
+    if (invalidRoles.length > 0) {
+        return { success: false, error: new AuthError('INVALID_ROLE', `Invalid roles: ${invalidRoles.join(', ')}`) };
+    }
+    const identifier = input.identifier.trim();
+    const existing = await resolved.adapter.user.findByIdentifier(identifier);
+    if (existing) {
+        return { success: false, error: new AuthError('USER_ALREADY_EXISTS', 'User already exists') };
+    }
+    const passwordHash = await hashPassword(input.password, resolved.saltRounds);
+    const created = await resolved.adapter.user.create({ identifier, passwordHash, roles: requestedRoles });
+    const expiresAt = new Date(Date.now() + parseExpiry(resolved.refreshExpiresIn));
+    const session = await resolved.adapter.session.create({ userId: created.id, expiresAt });
+    const user = { id: created.id, identifier, roles: requestedRoles };
+    const accessToken = signAccessToken(user, config);
+    const refreshToken = signRefreshToken(session.id, config);
+    return { success: true, accessToken, refreshToken, user };
+}
+export async function login(input, config) {
+    const resolved = resolveConfig(config);
+    const found = await resolved.adapter.user.findByIdentifier(input.identifier.trim());
+    if (!found) {
+        return { success: false, error: new AuthError('INVALID_CREDENTIALS', 'Invalid credentials') };
+    }
+    const valid = await verifyPassword(input.password, found.passwordHash);
+    if (!valid) {
+        return { success: false, error: new AuthError('INVALID_CREDENTIALS', 'Invalid credentials') };
+    }
+    const expiresAt = new Date(Date.now() + parseExpiry(resolved.refreshExpiresIn));
+    const session = await resolved.adapter.session.create({ userId: found.id, expiresAt });
+    const user = { id: found.id, identifier: found.identifier, roles: found.roles };
+    const accessToken = signAccessToken(user, config);
+    const refreshToken = signRefreshToken(session.id, config);
+    return { success: true, accessToken, refreshToken, user };
+}
+export async function refresh(refreshToken, config) {
+    const resolved = resolveConfig(config);
+    let sessionId;
+    try {
+        ({ sessionId } = verifyRefreshToken(refreshToken, config));
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            return { success: false, error: err };
+        return { success: false, error: new AuthError('TOKEN_INVALID', 'Invalid refresh token') };
+    }
+    const session = await resolved.adapter.session.findById(sessionId);
+    if (!session) {
+        return { success: false, error: new AuthError('UNAUTHORIZED', 'Session not found or revoked') };
+    }
+    if (session.expiresAt < new Date()) {
+        await resolved.adapter.session.delete(sessionId);
+        return { success: false, error: new AuthError('TOKEN_EXPIRED', 'Session has expired') };
+    }
+    // rotate: delete old session, create new one
+    await resolved.adapter.session.delete(sessionId);
+    const expiresAt = new Date(Date.now() + parseExpiry(resolved.refreshExpiresIn));
+    const newSession = await resolved.adapter.session.create({ userId: session.userId, expiresAt });
+    const user = { id: session.user.id, identifier: session.user.identifier, roles: session.user.roles };
+    const newAccessToken = signAccessToken(user, config);
+    const newRefreshToken = signRefreshToken(newSession.id, config);
+    return { success: true, accessToken: newAccessToken, refreshToken: newRefreshToken, user };
+}
+export async function logout(refreshToken, config) {
+    let sessionId;
+    try {
+        ({ sessionId } = verifyRefreshToken(refreshToken, config));
+    }
+    catch {
+        return; // already invalid, nothing to revoke
+    }
+    await resolveConfig(config).adapter.session.delete(sessionId);
+}
+export async function logoutAll(userId, config) {
+    await resolveConfig(config).adapter.session.deleteAllForUser(userId);
+}
+//# sourceMappingURL=auth.js.map

package/dist/services/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAG/D,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,KAAkB,EAClB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;IACzC,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IAC/G,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC1E,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAExG,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEzF,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACnE,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,KAAK,CACzB,KAAiB,EACjB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACpF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IACvE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAChG,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvF,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAChF,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,YAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,uBAAuB,CAAC,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,cAAc,EAAE,8BAA8B,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,eAAe,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAC1F,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEhG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACrG,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,gBAAgB,CAAC,UAAU,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;AAC7F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,YAAoB,EACpB,MAAkB;IAElB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,qCAAqC;IAC/C,CAAC;IACD,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC"}