sentri 1.1.2 → 2.0.0

package/dist/middleware/errorHandler.js

@@ -1,74 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Creates an Express error-handling middleware that formats every `SentriError`
- * (including subclasses) into the standard sentri response envelope:
- *
- * ```json
- * { "error": true, "statusCode": 401, "code": "UNAUTHORIZED", "message": "...", "data": null }
- * ```
- *
- * Prefer using `auth.errorHandler()` instead of calling this directly:
- *
- * ```typescript
- * app.use('/auth', auth.router());
- * app.use('/api', apiRouter);
- *
- * // Must come after all route/middleware registrations
- * app.use(auth.errorHandler());
- * ```
- *
- * ---
- *
- * **Works with built-in sentri errors and your own subclasses**
- *
- * Because `instanceof SentriError` matches any subclass, you can define
- * application-specific error types and have them automatically formatted
- * by this handler:
- *
- * ```typescript
- * import { SentriError } from 'sentri';
- *
- * // Extend SentriError for domain-specific failures
- * export class NotFoundError extends SentriError {
- *   constructor(resource: string) {
- *     super('NOT_FOUND', `${resource} not found`, 404);
- *   }
- * }
- *
- * export class PaymentError extends SentriError {
- *   constructor(message: string) {
- *     super('PAYMENT_FAILED', message, 402);
- *   }
- * }
- *
- * // All of the above are caught and formatted by one handler
- * app.use(auth.errorHandler({
- *   onUnhandled: (err) => console.error('Unexpected error:', err),
- * }));
- * ```
- *
- * @param options - Optional configuration (see {@link ErrorHandlerOptions}).
- * @returns An Express `ErrorRequestHandler` (4-argument middleware).
- */
-export function createErrorHandler(options) {
-    return (err, _req, res, _next) => {
-        if (err instanceof SentriError) {
-            res.status(err.statusCode).json({
-                error: true,
-                statusCode: err.statusCode,
-                code: err.code,
-                message: err.message,
-                data: null,
-            });
-            return;
-        }
-        options?.onUnhandled?.(err);
-        res.status(500).json({
-            error: true,
-            statusCode: 500,
-            message: 'Internal server error',
-            data: null,
-        });
-    };
-}
-//# sourceMappingURL=errorHandler.js.map

package/dist/middleware/errorHandler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"errorHandler.js","sourceRoot":"","sources":["../../src/middleware/errorHandler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAoBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAA6B;IAC9D,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAC/B,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;gBAC9B,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;QAE5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,IAAI;YACX,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,uBAAuB;YAChC,IAAI,EAAE,IAAI;SACX,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/permit.d.ts

@@ -1,62 +0,0 @@
-import type { Request, RequestHandler } from 'express';
-/** A function that determines whether the current request is permitted. */
-export type PermitCheck = (request: Request) => boolean | Promise<boolean>;
-/**
- * Options for {@link permit} when you need role-bypass alongside a resource check.
- *
- * @example
- * // Admins can edit any post; others only their own
- * auth.permit({
- *   roles: ['admin'],
- *   check: async (request) => {
- *     const post = await db.findPost(request.params['id']);
- *     return post?.authorId === request.user!.id;
- *   },
- * })
- */
-export interface PermitOptions<TRole extends string> {
-    /**
-     * Roles whose members are granted access without running `check`.
-     * Use for privileged roles like `'admin'` that should bypass ownership checks.
-     */
-    roles?: TRole[];
-    /**
-     * Permission check executed when the user has none of the bypass `roles`.
-     * Return `true` to allow, `false` to deny with `FORBIDDEN`.
-     * May be async — useful for database-backed ownership checks.
-     */
-    check: PermitCheck;
-}
-/**
- * Express middleware factory for resource-level permission checks.
- *
- * Must be used **after** `protect()`. Evaluates a check function against the
- * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
- *
- * Accepts either a bare check function or an options object with an optional
- * `roles` list whose members bypass the check entirely.
- *
- * @example
- * // Simple ownership check
- * router.put('/users/:id',
- *   auth.protect(),
- *   auth.permit((request) => request.user!.id === request.params['id']),
- *   updateUserHandler,
- * );
- *
- * @example
- * // Admins bypass the check; others must own the post
- * router.delete('/posts/:id',
- *   auth.protect(),
- *   auth.permit({
- *     roles: ['admin'],
- *     check: async (request) => {
- *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
- *       return post?.authorId === request.user!.id;
- *     },
- *   }),
- *   deletePostHandler,
- * );
- */
-export declare function permit<TRole extends string>(optionsOrCheck: PermitOptions<TRole> | PermitCheck): RequestHandler;
-//# sourceMappingURL=permit.d.ts.map

package/dist/middleware/permit.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit.d.ts","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGvD,2EAA2E;AAC3E,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE3E;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa,CAAC,KAAK,SAAS,MAAM;IACjD;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;IAChB;;;;OAIG;IACH,KAAK,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,MAAM,CAAC,KAAK,SAAS,MAAM,EACzC,cAAc,EAAE,aAAa,CAAC,KAAK,CAAC,GAAG,WAAW,GACjD,cAAc,CA4BhB"}

package/dist/middleware/permit.js

@@ -1,61 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-/**
- * Express middleware factory for resource-level permission checks.
- *
- * Must be used **after** `protect()`. Evaluates a check function against the
- * current request; calls `next(SentriError)` with code `FORBIDDEN` if it returns `false`.
- *
- * Accepts either a bare check function or an options object with an optional
- * `roles` list whose members bypass the check entirely.
- *
- * @example
- * // Simple ownership check
- * router.put('/users/:id',
- *   auth.protect(),
- *   auth.permit((request) => request.user!.id === request.params['id']),
- *   updateUserHandler,
- * );
- *
- * @example
- * // Admins bypass the check; others must own the post
- * router.delete('/posts/:id',
- *   auth.protect(),
- *   auth.permit({
- *     roles: ['admin'],
- *     check: async (request) => {
- *       const post = await db.post.findUnique({ where: { id: request.params['id'] } });
- *       return post?.authorId === request.user!.id;
- *     },
- *   }),
- *   deletePostHandler,
- * );
- */
-export function permit(optionsOrCheck) {
-    const options = typeof optionsOrCheck === 'function'
-        ? { check: optionsOrCheck }
-        : optionsOrCheck;
-    return async (request, _response, next) => {
-        if (!request.user) {
-            return next(new SentriError('UNAUTHORIZED', 'Not authenticated'));
-        }
-        if (options.roles && options.roles.length > 0) {
-            const userRoles = request.user.roles;
-            const hasBypassRole = options.roles.some((role) => userRoles.includes(role));
-            if (hasBypassRole)
-                return next();
-        }
-        try {
-            const allowed = await options.check(request);
-            if (allowed) {
-                next();
-            }
-            else {
-                next(new SentriError('FORBIDDEN', 'You do not have permission to perform this action'));
-            }
-        }
-        catch (error) {
-            next(error);
-        }
-    };
-}
-//# sourceMappingURL=permit.js.map

package/dist/middleware/permit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit.js","sourceRoot":"","sources":["../../src/middleware/permit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAgCrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,MAAM,CACpB,cAAkD;IAElD,MAAM,OAAO,GACX,OAAO,cAAc,KAAK,UAAU;QAClC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3B,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QACxC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAsB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;YACxD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7E,IAAI,aAAa;gBAAE,OAAO,IAAI,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,WAAW,CAAC,WAAW,EAAE,mDAAmD,CAAC,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/protect.d.ts

@@ -1,31 +0,0 @@
-import type { RequestHandler } from 'express';
-import type { AuthConfig } from '../types/auth.js';
-/**
- * Express middleware factory that enforces JWT authentication and session validity.
- *
- * Reads the `Authorization: Bearer <token>` header, verifies the access token,
- * and attaches the decoded payload to `req.user`. Calls `next(SentriError)` on
- * any failure so your error handler can convert it to an HTTP response.
- *
- * Since sentri 1.1.0 access tokens embed a `sessionId` claim. When this claim
- * is present, `protect()` performs a lightweight database lookup
- * (`adapter.session.findById`) to confirm the session is still active. This
- * means a user who has logged out (or been logged out from all devices) cannot
- * use an access token that was issued before the logout — even if the token has
- * not yet expired.
- *
- * Tokens issued before 1.1.0 (without the `sessionId` claim) are still accepted
- * but bypass the session check.
- *
- * Must be used **before** `authorize()` or `permit()`.
- *
- * @param config - Auth configuration (secret, algorithm, adapter).
- * @returns An Express `RequestHandler` that populates `req.user` on success.
- *
- * @example
- * router.get('/profile', protect(config), (request, response) => {
- *   response.json(request.user);
- * });
- */
-export declare function protect(config: AuthConfig): RequestHandler;
-//# sourceMappingURL=protect.d.ts.map

package/dist/middleware/protect.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,OAAO,KAAK,EAAsB,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEvE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAwB1D"}

package/dist/middleware/protect.js

@@ -1,54 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-import { verifyAccessToken } from '../libs/token.js';
-/**
- * Express middleware factory that enforces JWT authentication and session validity.
- *
- * Reads the `Authorization: Bearer <token>` header, verifies the access token,
- * and attaches the decoded payload to `req.user`. Calls `next(SentriError)` on
- * any failure so your error handler can convert it to an HTTP response.
- *
- * Since sentri 1.1.0 access tokens embed a `sessionId` claim. When this claim
- * is present, `protect()` performs a lightweight database lookup
- * (`adapter.session.findById`) to confirm the session is still active. This
- * means a user who has logged out (or been logged out from all devices) cannot
- * use an access token that was issued before the logout — even if the token has
- * not yet expired.
- *
- * Tokens issued before 1.1.0 (without the `sessionId` claim) are still accepted
- * but bypass the session check.
- *
- * Must be used **before** `authorize()` or `permit()`.
- *
- * @param config - Auth configuration (secret, algorithm, adapter).
- * @returns An Express `RequestHandler` that populates `req.user` on success.
- *
- * @example
- * router.get('/profile', protect(config), (request, response) => {
- *   response.json(request.user);
- * });
- */
-export function protect(config) {
-    return async (request, _response, next) => {
-        const authHeader = request.headers['authorization'];
-        if (!authHeader?.startsWith('Bearer ')) {
-            return next(new SentriError('UNAUTHORIZED', 'Missing or malformed Authorization header'));
-        }
-        const token = authHeader.slice(7);
-        try {
-            const payload = verifyAccessToken(token, config);
-            request.user = { id: payload.id, identifier: payload.identifier, roles: payload.roles };
-            // Session-bound validation: reject the request if the session was revoked (logout).
-            if (payload.sessionId) {
-                const session = await config.adapter.session.findById(payload.sessionId);
-                if (!session) {
-                    return next(new SentriError('UNAUTHORIZED', 'Session has been revoked'));
-                }
-            }
-            next();
-        }
-        catch (error) {
-            next(error);
-        }
-    };
-}
-//# sourceMappingURL=protect.js.map

package/dist/middleware/protect.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,OAAO,CAAC,MAAkB;IACxC,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC5F,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAuB,CAAC;YACvE,OAAO,CAAC,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;YAExF,oFAAoF;YACpF,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBACzE,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC,IAAI,WAAW,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC,CAAC;gBAC3E,CAAC;YACH,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/router.d.ts

@@ -1,34 +0,0 @@
-import { Router } from 'express';
-import type { AuthConfig } from '../types/auth.js';
-/**
- * Creates a pre-built Express Router with all standard auth endpoints.
- *
- * Mount it once and all routes are ready:
- *
- * ```
- * POST /register            — register a new user (protected by X-Api-Key when config.apiKey is set)
- * POST /login               — authenticate and get tokens
- * POST /refresh             — rotate refresh token
- * POST /logout              — invalidate current session; access tokens issued before logout become invalid
- * POST /logout-all          — invalidate all sessions for the authenticated user
- * GET  /me                  — return the currently authenticated user
- * POST /users/:userId/roles — assign roles (admin only)
- * ```
- *
- * Requires `express.json()` to be applied before the router.
- *
- * When `cookie` is set in config, the refresh token is stored in an httpOnly
- * cookie automatically — no `cookie-parser` needed.
- *
- * When `apiKey` is set in config, `POST /register` requires the caller to send
- * an `X-Api-Key: <key>` header matching the configured value.
- *
- * When `router` is set in config, individual service functions can be replaced
- * while the router still handles validation and response formatting.
- *
- * @example
- * app.use(express.json());
- * app.use('/auth', auth.router());
- */
-export declare function createAuthRouter<TRole extends string>(config: AuthConfig<TRole>): Router;
-//# sourceMappingURL=router.d.ts.map

package/dist/middleware/router.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AAEjF,OAAO,KAAK,EAAE,UAAU,EAA6B,MAAM,kBAAkB,CAAC;AA4E9E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,GAAG,MAAM,CAwLxF"}

package/dist/middleware/router.js

@@ -1,264 +0,0 @@
-import { Router } from 'express';
-import { SentriError } from '../errors/AuthError.js';
-import { register, login, refresh, logout, logoutAll, assignRoles } from '../services/auth.js';
-import { resolveConfig, parseExpiry } from '../libs/config.js';
-import { protect } from './protect.js';
-import { authorize } from './authorize.js';
-const MIN_PASSWORD_LENGTH = 8;
-// bcrypt silently truncates input beyond 72 bytes. Enforcing a cap makes the
-// truncation boundary explicit so two passwords that share the same first 72
-// bytes cannot be treated as identical.
-const MAX_PASSWORD_LENGTH = 72;
-const MAX_IDENTIFIER_LENGTH = 255;
-function badRequest(message) {
-    return new SentriError('VALIDATION_ERROR', message);
-}
-function ok(response, statusCode, message, data) {
-    response.status(statusCode).json({ error: false, statusCode, message, data });
-}
-function fail(response, error) {
-    response.status(error.statusCode).json({ error: true, statusCode: error.statusCode, message: error.message, data: null });
-}
-function parseBody(body) {
-    if (body === null || body === undefined || typeof body !== 'object' || Array.isArray(body)) {
-        throw new SentriError('VALIDATION_ERROR', 'Request body is missing or not a JSON object. Did you apply express.json()?');
-    }
-    return body;
-}
-// Read a single cookie from the raw Cookie header — no cookie-parser needed.
-function readCookie(cookieHeader, name) {
-    if (!cookieHeader)
-        return undefined;
-    const pair = cookieHeader
-        .split(';')
-        .map((segment) => segment.trim())
-        .find((segment) => segment.startsWith(`${name}=`));
-    return pair !== undefined ? pair.slice(name.length + 1) : undefined;
-}
-function getCookieName(config) {
-    return config.cookie?.name ?? 'refresh_token';
-}
-function setCookie(response, token, config) {
-    const cookieConfig = config.cookie ?? {};
-    const resolved = resolveConfig(config);
-    const maxAge = parseExpiry(resolved.refreshExpiresIn);
-    response.cookie(getCookieName(config), token, {
-        httpOnly: cookieConfig.httpOnly ?? true,
-        secure: cookieConfig.secure ?? false,
-        sameSite: cookieConfig.sameSite ?? 'strict',
-        path: cookieConfig.path ?? '/',
-        maxAge,
-    });
-}
-function clearCookie(response, config) {
-    const cookieConfig = config.cookie ?? {};
-    response.clearCookie(getCookieName(config), { path: cookieConfig.path ?? '/' });
-}
-/**
- * Validate the `X-Api-Key` header when `config.apiKey` is set.
- * Throws `SentriError` with code `UNAUTHORIZED` on mismatch.
- */
-function validateApiKey(request, config) {
-    if (!config.apiKey)
-        return;
-    const provided = request.headers['x-api-key'];
-    if (typeof provided !== 'string' || provided !== config.apiKey) {
-        throw new SentriError('UNAUTHORIZED', 'Invalid or missing API key');
-    }
-}
-/**
- * Creates a pre-built Express Router with all standard auth endpoints.
- *
- * Mount it once and all routes are ready:
- *
- * ```
- * POST /register            — register a new user (protected by X-Api-Key when config.apiKey is set)
- * POST /login               — authenticate and get tokens
- * POST /refresh             — rotate refresh token
- * POST /logout              — invalidate current session; access tokens issued before logout become invalid
- * POST /logout-all          — invalidate all sessions for the authenticated user
- * GET  /me                  — return the currently authenticated user
- * POST /users/:userId/roles — assign roles (admin only)
- * ```
- *
- * Requires `express.json()` to be applied before the router.
- *
- * When `cookie` is set in config, the refresh token is stored in an httpOnly
- * cookie automatically — no `cookie-parser` needed.
- *
- * When `apiKey` is set in config, `POST /register` requires the caller to send
- * an `X-Api-Key: <key>` header matching the configured value.
- *
- * When `router` is set in config, individual service functions can be replaced
- * while the router still handles validation and response formatting.
- *
- * @example
- * app.use(express.json());
- * app.use('/auth', auth.router());
- */
-export function createAuthRouter(config) {
-    const router = Router();
-    // Resolve service functions — use custom override from config.router when provided, else fall back to the built-in service.
-    const baseConfig = config;
-    const registerFn = config.router?.register ?? ((input) => register(input, baseConfig));
-    const loginFn = config.router?.login ?? ((input) => login(input, baseConfig));
-    const refreshFn = config.router?.refresh ?? ((token) => refresh(token, baseConfig));
-    const logoutFn = config.router?.logout ?? ((token) => token !== undefined ? logout(token, baseConfig) : Promise.resolve());
-    const logoutAllFn = config.router?.logoutAll ?? ((userId) => logoutAll(userId, baseConfig));
-    const assignRolesFn = config.router?.assignRoles ?? ((userId, roles) => assignRoles(userId, roles, baseConfig));
-    /**
-     * POST /register
-     *
-     * Register a new user. Does **not** issue tokens — call `/login` after registration.
-     *
-     * When `config.apiKey` is set the caller must supply the matching value in the
-     * `X-Api-Key` header, preventing arbitrary users from self-registering as admins.
-     */
-    router.post('/register', async (request, response, next) => {
-        try {
-            validateApiKey(request, config);
-            const body = parseBody(request.body);
-            const { identifier, password, roles } = body;
-            if (typeof identifier !== 'string' || identifier.trim().length === 0) {
-                throw badRequest('identifier is required and must be a non-empty string');
-            }
-            if (identifier.length > MAX_IDENTIFIER_LENGTH) {
-                throw badRequest(`identifier must not exceed ${MAX_IDENTIFIER_LENGTH} characters`);
-            }
-            if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
-                throw badRequest(`password is required and must be at least ${MIN_PASSWORD_LENGTH} characters`);
-            }
-            if (password.length > MAX_PASSWORD_LENGTH) {
-                throw badRequest(`password must not exceed ${MAX_PASSWORD_LENGTH} characters`);
-            }
-            if (roles !== undefined && !Array.isArray(roles)) {
-                throw badRequest('roles must be an array of strings when provided');
-            }
-            if (Array.isArray(roles) && !roles.every((role) => typeof role === 'string')) {
-                throw badRequest('each role must be a string');
-            }
-            const rolesInput = Array.isArray(roles) ? roles : undefined;
-            const input = rolesInput !== undefined
-                ? { identifier: identifier.trim(), password, roles: rolesInput }
-                : { identifier: identifier.trim(), password };
-            const result = await registerFn(input);
-            if (!result.success) {
-                fail(response, result.error);
-                return;
-            }
-            ok(response, 201, 'User registered successfully', { user: result.user });
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    router.post('/login', async (request, response, next) => {
-        try {
-            const body = parseBody(request.body);
-            const { identifier, password } = body;
-            if (typeof identifier !== 'string' || identifier.trim().length === 0) {
-                throw badRequest('identifier is required and must be a non-empty string');
-            }
-            if (identifier.length > MAX_IDENTIFIER_LENGTH) {
-                throw badRequest(`identifier must not exceed ${MAX_IDENTIFIER_LENGTH} characters`);
-            }
-            if (typeof password !== 'string' || password.length === 0) {
-                throw badRequest('password is required');
-            }
-            if (password.length > MAX_PASSWORD_LENGTH) {
-                throw badRequest(`password must not exceed ${MAX_PASSWORD_LENGTH} characters`);
-            }
-            const result = await loginFn({ identifier: identifier.trim(), password });
-            if (!result.success) {
-                fail(response, result.error);
-                return;
-            }
-            setCookie(response, result.refreshToken, config);
-            ok(response, 200, 'Login successful', { accessToken: result.accessToken, user: result.user });
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    router.post('/refresh', async (request, response, next) => {
-        try {
-            const fromCookie = readCookie(request.headers['cookie'], getCookieName(config));
-            if (!fromCookie) {
-                throw new SentriError('UNAUTHORIZED', 'Refresh token cookie is missing');
-            }
-            const result = await refreshFn(fromCookie);
-            if (!result.success) {
-                clearCookie(response, config);
-                fail(response, result.error);
-                return;
-            }
-            setCookie(response, result.refreshToken, config);
-            ok(response, 200, 'Token refreshed', { accessToken: result.accessToken });
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    router.post('/logout', async (request, response, next) => {
-        try {
-            const fromCookie = readCookie(request.headers['cookie'], getCookieName(config));
-            await logoutFn(fromCookie);
-            clearCookie(response, config);
-            ok(response, 200, 'Logged out', null);
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    router.post('/logout-all', protect(config), async (request, response, next) => {
-        try {
-            await logoutAllFn(request.user.id);
-            clearCookie(response, config);
-            ok(response, 200, 'All sessions revoked', null);
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    router.get('/me', protect(config), (request, response) => {
-        ok(response, 200, 'OK', request.user);
-    });
-    router.post('/users/:userId/roles', protect(config), authorize('admin'), async (request, response, next) => {
-        try {
-            const body = parseBody(request.body);
-            const { roles } = body;
-            const rawUserId = request.params['userId'];
-            const userId = typeof rawUserId === 'string' ? rawUserId : undefined;
-            if (!userId) {
-                throw badRequest('userId is required');
-            }
-            if (!Array.isArray(roles) || roles.length === 0) {
-                throw badRequest('roles must be a non-empty array of strings');
-            }
-            if (!roles.every((role) => typeof role === 'string')) {
-                throw badRequest('each role must be a string');
-            }
-            const result = await assignRolesFn(userId, roles);
-            if (!result.success) {
-                fail(response, result.error);
-                return;
-            }
-            ok(response, 200, 'Roles assigned successfully', { user: result.user });
-        }
-        catch (error) {
-            next(error);
-        }
-    });
-    // Centralized error handler — converts SentriError (and unexpected errors) to the
-    // standard envelope so every endpoint produces a consistent shape on failure.
-    router.use((error, _request, response, _next) => {
-        if (error instanceof SentriError) {
-            fail(response, error);
-        }
-        else {
-            response.status(500).json({ error: true, statusCode: 500, message: 'Internal server error', data: null });
-        }
-    });
-    return router;
-}
-//# sourceMappingURL=router.js.map

package/dist/middleware/router.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/middleware/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AACjF,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAC/F,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,6EAA6E;AAC7E,6EAA6E;AAC7E,wCAAwC;AACxC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAElC,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,IAAI,WAAW,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,EAAE,CAAI,QAAkB,EAAE,UAAkB,EAAE,OAAe,EAAE,IAAO;IAC7E,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,IAAI,CAAC,QAAkB,EAAE,KAAkB;IAClD,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;AAC5H,CAAC;AAED,SAAS,SAAS,CAAC,IAAa;IAC9B,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3F,MAAM,IAAI,WAAW,CAAC,kBAAkB,EAAE,6EAA6E,CAAC,CAAC;IAC3H,CAAC;IACD,OAAO,IAA+B,CAAC;AACzC,CAAC;AAED,6EAA6E;AAC7E,SAAS,UAAU,CAAC,YAAgC,EAAE,IAAY;IAChE,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IACpC,MAAM,IAAI,GAAG,YAAY;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;SAChC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,MAAkB;IACvC,OAAO,MAAM,CAAC,MAAM,EAAE,IAAI,IAAI,eAAe,CAAC;AAChD,CAAC;AAED,SAAS,SAAS,CAAC,QAAkB,EAAE,KAAa,EAAE,MAAkB;IACtE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACtD,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE;QAC5C,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,IAAI;QACvC,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,KAAK;QACpC,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,QAAQ;QAC3C,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,GAAG;QAC9B,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,QAAkB,EAAE,MAAkB;IACzD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IACzC,QAAQ,CAAC,WAAW,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;AAClF,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,OAAgB,EAAE,MAAkB;IAC1D,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO;IAC3B,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,IAAI,WAAW,CAAC,cAAc,EAAE,4BAA4B,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,gBAAgB,CAAuB,MAAyB;IAC9E,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,4HAA4H;IAC5H,MAAM,UAAU,GAAG,MAAoB,CAAC;IACxC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,IAAI,CAAC,CAAC,KAAoB,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACtG,MAAM,OAAO,GAAM,MAAM,CAAC,MAAM,EAAE,KAAK,IAAO,CAAC,CAAC,KAAiB,EAAG,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACjG,MAAM,SAAS,GAAI,MAAM,CAAC,MAAM,EAAE,OAAO,IAAK,CAAC,CAAC,KAAa,EAAO,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IACnG,MAAM,QAAQ,GAAK,MAAM,CAAC,MAAM,EAAE,MAAM,IAAM,CAAC,CAAC,KAAyB,EAAE,EAAE,CAC3E,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACvE,MAAM,WAAW,GAAK,MAAM,CAAC,MAAM,EAAE,SAAS,IAAM,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;IACxG,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,CAAC,MAAc,EAAE,KAAe,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IAElI;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACzD,IAAI,CAAC;YACH,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAEhC,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YAE7C,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1E,MAAM,UAAU,CAAC,6CAA6C,mBAAmB,aAAa,CAAC,CAAC;YAClG,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YACD,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,MAAM,UAAU,CAAC,iDAAiD,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBAC7E,MAAM,UAAU,CAAC,4BAA4B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,KAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YACzE,MAAM,KAAK,GAAG,UAAU,KAAK,SAAS;gBACpC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE;gBAChE,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YAEvC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,8BAA8B,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACtD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrE,MAAM,UAAU,CAAC,uDAAuD,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBAC9C,MAAM,UAAU,CAAC,8BAA8B,qBAAqB,aAAa,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1D,MAAM,UAAU,CAAC,sBAAsB,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,UAAU,CAAC,4BAA4B,mBAAmB,aAAa,CAAC,CAAC;YACjF,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACjD,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAChG,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACxD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAChF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,WAAW,CAAC,cAAc,EAAE,iCAAiC,CAAC,CAAC;YAC3E,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;YAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC9B,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACjD,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,iBAAiB,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAChF,MAAM,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3B,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QAC5E,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,OAAO,CAAC,IAAK,CAAC,EAAE,CAAC,CAAC;YACpC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;QACvD,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,IAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;QACzG,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;YACvB,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAErE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,UAAU,CAAC,oBAAoB,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,MAAM,UAAU,CAAC,4CAA4C,CAAC,CAAC;YACjE,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBACrD,MAAM,UAAU,CAAC,4BAA4B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAiB,CAAC,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,6BAA6B,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,kFAAkF;IAClF,8EAA8E;IAC9E,MAAM,CAAC,GAAG,CAAC,CAAC,KAAc,EAAE,QAAiB,EAAE,QAAkB,EAAE,KAAmB,EAAE,EAAE;QACxF,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}