xypriss 2.3.7 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -19
- package/dist/cjs/mods/security/src/index.js +1 -1
- package/dist/cjs/src/cluster/modules/CrossPlatformMemory.js +2 -2
- package/dist/cjs/src/cluster/modules/CrossPlatformMemory.js.map +1 -1
- package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js +123 -14
- package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
- package/dist/cjs/src/middleware/built-in/security/BrowserOnlyProtector.js +552 -0
- package/dist/cjs/src/middleware/built-in/security/BrowserOnlyProtector.js.map +1 -0
- package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js +465 -0
- package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js.map +1 -0
- package/dist/cjs/src/middleware/built-in/security/TerminalOnlyProtector.js +477 -0
- package/dist/cjs/src/middleware/built-in/security/TerminalOnlyProtector.js.map +1 -0
- package/dist/cjs/src/middleware/security-middleware.js +257 -91
- package/dist/cjs/src/middleware/security-middleware.js.map +1 -1
- package/dist/cjs/src/server/components/fastapi/templates/redirectTemp.js +1 -1
- package/dist/cjs/src/server/const/default.js +1 -1
- package/dist/cjs/src/server/const/default.js.map +1 -1
- package/dist/esm/mods/security/src/index.js +1 -1
- package/dist/esm/src/cluster/modules/CrossPlatformMemory.js +2 -2
- package/dist/esm/src/cluster/modules/CrossPlatformMemory.js.map +1 -1
- package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js +123 -14
- package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
- package/dist/esm/src/middleware/built-in/security/BrowserOnlyProtector.js +550 -0
- package/dist/esm/src/middleware/built-in/security/BrowserOnlyProtector.js.map +1 -0
- package/dist/esm/src/middleware/built-in/security/RequestSignatureProtector.js +444 -0
- package/dist/esm/src/middleware/built-in/security/RequestSignatureProtector.js.map +1 -0
- package/dist/esm/src/middleware/built-in/security/TerminalOnlyProtector.js +475 -0
- package/dist/esm/src/middleware/built-in/security/TerminalOnlyProtector.js.map +1 -0
- package/dist/esm/src/middleware/security-middleware.js +257 -91
- package/dist/esm/src/middleware/security-middleware.js.map +1 -1
- package/dist/esm/src/server/components/fastapi/templates/redirectTemp.js +1 -1
- package/dist/esm/src/server/const/default.js +1 -1
- package/dist/esm/src/server/const/default.js.map +1 -1
- package/dist/index.d.ts +268 -10
- package/package.json +6 -5
- package/scripts/install-memory-cli.js +1 -1
|
@@ -0,0 +1,552 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var Logger = require('../../../../shared/logger/Logger.js');
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Browser-Only Protector - Enhanced Edition
|
|
7
|
+
* Aggressively blocks non-browser requests while avoiding false positives
|
|
8
|
+
* Uses multi-layered validation with scoring system
|
|
9
|
+
*/
|
|
10
|
+
class BrowserOnlyProtector {
|
|
11
|
+
constructor(options = {}, logger) {
|
|
12
|
+
this.BROWSER_SCORE_THRESHOLD = 3; // Minimum score to pass as browser
|
|
13
|
+
this.config = {
|
|
14
|
+
requireSecFetch: true,
|
|
15
|
+
blockAutomationTools: true,
|
|
16
|
+
requireComplexAccept: false,
|
|
17
|
+
allowOriginRequests: true,
|
|
18
|
+
errorMessage: "Browser access required. Direct API access blocked.",
|
|
19
|
+
statusCode: 403,
|
|
20
|
+
debug: false,
|
|
21
|
+
...options,
|
|
22
|
+
};
|
|
23
|
+
// Only set customValidator if explicitly provided
|
|
24
|
+
if (options.customValidator !== undefined) {
|
|
25
|
+
this.config.customValidator = options.customValidator;
|
|
26
|
+
}
|
|
27
|
+
// Initialize logger
|
|
28
|
+
this.logger =
|
|
29
|
+
logger ||
|
|
30
|
+
new Logger.Logger({
|
|
31
|
+
enabled: true,
|
|
32
|
+
level: "debug",
|
|
33
|
+
components: { security: true },
|
|
34
|
+
types: { debug: true },
|
|
35
|
+
});
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* Get the browser-only middleware function
|
|
39
|
+
*/
|
|
40
|
+
getMiddleware() {
|
|
41
|
+
return (req, res, next) => {
|
|
42
|
+
this.handleRequest(req, res, next);
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Handle incoming request and determine if it's from a browser
|
|
47
|
+
*/
|
|
48
|
+
handleRequest(req, res, next) {
|
|
49
|
+
if (this.config.debug) {
|
|
50
|
+
this.logger.debug("security", "BrowOn called for request");
|
|
51
|
+
}
|
|
52
|
+
if (this.config.debug) {
|
|
53
|
+
this.logger.debug("security", "BrowOn analyzing request", {
|
|
54
|
+
secFetchDest: req.headers["sec-fetch-dest"],
|
|
55
|
+
secFetchMode: req.headers["sec-fetch-mode"],
|
|
56
|
+
secFetchSite: req.headers["sec-fetch-site"],
|
|
57
|
+
});
|
|
58
|
+
}
|
|
59
|
+
// Custom validator takes precedence (if provided)
|
|
60
|
+
if (this.config.customValidator &&
|
|
61
|
+
typeof this.config.customValidator === "function") {
|
|
62
|
+
if (!this.config.customValidator(req)) {
|
|
63
|
+
return this.blockRequest(res, "BROWSER_ONLY", "Custom validator failed");
|
|
64
|
+
}
|
|
65
|
+
return next();
|
|
66
|
+
}
|
|
67
|
+
// CRITICAL: Block if automation tool is detected (highest priority)
|
|
68
|
+
if (this.config.blockAutomationTools &&
|
|
69
|
+
this.isDefinitelyAutomationTool(req)) {
|
|
70
|
+
return this.blockRequest(res, "AUTOMATION_TOOL_DETECTED", "Request from known automation tool");
|
|
71
|
+
}
|
|
72
|
+
// Check for Sec-Fetch headers (modern browsers only)
|
|
73
|
+
if (this.config.requireSecFetch) {
|
|
74
|
+
const hasSecFetch = this.hasSecFetchHeaders(req);
|
|
75
|
+
if (hasSecFetch) {
|
|
76
|
+
// Validate Sec-Fetch headers are legitimate (not spoofed)
|
|
77
|
+
if (this.validateSecFetchHeaders(req)) {
|
|
78
|
+
if (this.config.debug) {
|
|
79
|
+
this.logger.debug("security", "BrowOn valid Sec-Fetch headers - allowing request");
|
|
80
|
+
}
|
|
81
|
+
return next();
|
|
82
|
+
}
|
|
83
|
+
else {
|
|
84
|
+
// Sec-Fetch headers present but invalid - suspicious
|
|
85
|
+
if (this.config.debug) {
|
|
86
|
+
this.logger.debug("security", "BrowOn invalid Sec-Fetch headers detected - potential spoofing");
|
|
87
|
+
}
|
|
88
|
+
return this.blockRequest(res, "INVALID_SEC_FETCH", "Sec-Fetch headers present but invalid");
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
// No Sec-Fetch headers - use scoring system to determine if browser
|
|
92
|
+
const browserScore = this.calculateBrowserScore(req);
|
|
93
|
+
if (this.config.debug) {
|
|
94
|
+
this.logger.debug("security", `BrowOn browser score: ${browserScore.total}/${this.BROWSER_SCORE_THRESHOLD} (need ${this.BROWSER_SCORE_THRESHOLD} to pass)`);
|
|
95
|
+
this.logger.debug("security", "BrowOn score breakdown", browserScore.breakdown);
|
|
96
|
+
}
|
|
97
|
+
if (browserScore.total >= this.BROWSER_SCORE_THRESHOLD) {
|
|
98
|
+
if (this.config.debug) {
|
|
99
|
+
this.logger.debug("security", "BrowOn browser score passed - allowing request");
|
|
100
|
+
}
|
|
101
|
+
return next();
|
|
102
|
+
}
|
|
103
|
+
// Failed browser score check
|
|
104
|
+
return this.blockRequest(res, "INSUFFICIENT_BROWSER_INDICATORS", `Browser score ${browserScore.total}/${this.BROWSER_SCORE_THRESHOLD} - not enough browser characteristics`);
|
|
105
|
+
}
|
|
106
|
+
// Sec-Fetch check disabled, allow all requests
|
|
107
|
+
next();
|
|
108
|
+
}
|
|
109
|
+
/**
|
|
110
|
+
* Check if request has Sec-Fetch headers
|
|
111
|
+
*/
|
|
112
|
+
hasSecFetchHeaders(req) {
|
|
113
|
+
return !!(req.headers["sec-fetch-dest"] ||
|
|
114
|
+
req.headers["sec-fetch-mode"] ||
|
|
115
|
+
req.headers["sec-fetch-site"] ||
|
|
116
|
+
req.headers["sec-fetch-user"]);
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Validate Sec-Fetch headers are consistent and legitimate
|
|
120
|
+
*/
|
|
121
|
+
validateSecFetchHeaders(req) {
|
|
122
|
+
const dest = req.headers["sec-fetch-dest"];
|
|
123
|
+
const mode = req.headers["sec-fetch-mode"];
|
|
124
|
+
const site = req.headers["sec-fetch-site"];
|
|
125
|
+
const user = req.headers["sec-fetch-user"];
|
|
126
|
+
// Must have at least dest and mode
|
|
127
|
+
if (!dest || !mode) {
|
|
128
|
+
return false;
|
|
129
|
+
}
|
|
130
|
+
// Validate dest values (common legitimate values)
|
|
131
|
+
const validDest = [
|
|
132
|
+
"document",
|
|
133
|
+
"empty",
|
|
134
|
+
"iframe",
|
|
135
|
+
"image",
|
|
136
|
+
"script",
|
|
137
|
+
"style",
|
|
138
|
+
"font",
|
|
139
|
+
"audio",
|
|
140
|
+
"video",
|
|
141
|
+
"manifest",
|
|
142
|
+
"object",
|
|
143
|
+
"embed",
|
|
144
|
+
"worker",
|
|
145
|
+
"sharedworker",
|
|
146
|
+
"serviceworker",
|
|
147
|
+
];
|
|
148
|
+
if (!validDest.includes(dest)) {
|
|
149
|
+
return false;
|
|
150
|
+
}
|
|
151
|
+
// Validate mode values
|
|
152
|
+
const validMode = [
|
|
153
|
+
"navigate",
|
|
154
|
+
"cors",
|
|
155
|
+
"no-cors",
|
|
156
|
+
"same-origin",
|
|
157
|
+
"websocket",
|
|
158
|
+
];
|
|
159
|
+
if (!validMode.includes(mode)) {
|
|
160
|
+
return false;
|
|
161
|
+
}
|
|
162
|
+
// Validate site values
|
|
163
|
+
if (site &&
|
|
164
|
+
!["same-origin", "same-site", "cross-site", "none"].includes(site)) {
|
|
165
|
+
return false;
|
|
166
|
+
}
|
|
167
|
+
// Validate user values (should be ?1 if present)
|
|
168
|
+
if (user !== undefined && user !== "?1") {
|
|
169
|
+
return false;
|
|
170
|
+
}
|
|
171
|
+
// Cross-validate consistency
|
|
172
|
+
if (mode === "navigate" && dest !== "document" && dest !== "iframe") {
|
|
173
|
+
return false; // Navigate mode should only be for documents/iframes
|
|
174
|
+
}
|
|
175
|
+
if (user === "?1" && mode !== "navigate") {
|
|
176
|
+
return false; // User activation only makes sense for navigation
|
|
177
|
+
}
|
|
178
|
+
return true;
|
|
179
|
+
}
|
|
180
|
+
/**
|
|
181
|
+
* Definitively identify automation tools (aggressive blocking)
|
|
182
|
+
*/
|
|
183
|
+
isDefinitelyAutomationTool(req) {
|
|
184
|
+
const userAgent = (req.headers["user-agent"] || "").toLowerCase();
|
|
185
|
+
const accept = req.headers["accept"] || "";
|
|
186
|
+
if (this.config.debug) {
|
|
187
|
+
this.logger.debug("security", "BrowOn checking automation tool detection", {
|
|
188
|
+
userAgent,
|
|
189
|
+
accept,
|
|
190
|
+
});
|
|
191
|
+
}
|
|
192
|
+
// Known automation tool patterns (comprehensive list)
|
|
193
|
+
const automationPatterns = [
|
|
194
|
+
/\bcurl\/\d+/i,
|
|
195
|
+
/\bwget\/\d+/i,
|
|
196
|
+
/\bpostman/i,
|
|
197
|
+
/\binsomnia/i,
|
|
198
|
+
/\bhttpie/i,
|
|
199
|
+
/\bpython-requests/i,
|
|
200
|
+
/\baxios/i,
|
|
201
|
+
/\bnode-fetch/i,
|
|
202
|
+
/\bundici/i,
|
|
203
|
+
/\bsuperagent/i,
|
|
204
|
+
/\bneedle/i,
|
|
205
|
+
/\bhyperquest/i,
|
|
206
|
+
/\bwreck/i,
|
|
207
|
+
/\brestify/i,
|
|
208
|
+
/\bgot\//i,
|
|
209
|
+
/^python[\/-]/i,
|
|
210
|
+
/^java[\/-]/i,
|
|
211
|
+
/^go-http-client/i,
|
|
212
|
+
/^ruby/i,
|
|
213
|
+
/^php/i,
|
|
214
|
+
/\bpycurl/i,
|
|
215
|
+
/\blibwww-perl/i,
|
|
216
|
+
/\blibcurl/i,
|
|
217
|
+
/\bhttp\.rb/i,
|
|
218
|
+
/\bhttpclient/i,
|
|
219
|
+
/\bapache-httpclient/i,
|
|
220
|
+
/\bokhttp/i,
|
|
221
|
+
/\bretrofit/i,
|
|
222
|
+
/\bunirest/i,
|
|
223
|
+
/\brest-client/i,
|
|
224
|
+
/\bhttparty/i,
|
|
225
|
+
/\bfetch\//i,
|
|
226
|
+
/\bscraper/i,
|
|
227
|
+
/\bbot\b/i,
|
|
228
|
+
/\bcrawler/i,
|
|
229
|
+
/\bspider/i,
|
|
230
|
+
/\bpuppeteer/i,
|
|
231
|
+
/\bplaywright/i,
|
|
232
|
+
/\bselenium/i,
|
|
233
|
+
/\bphantomjs/i,
|
|
234
|
+
/\bheadless/i,
|
|
235
|
+
];
|
|
236
|
+
// Check user agent
|
|
237
|
+
for (const pattern of automationPatterns) {
|
|
238
|
+
if (pattern.test(userAgent)) {
|
|
239
|
+
if (this.config.debug) {
|
|
240
|
+
this.logger.debug("security", "BrowOn automation tool detected", {
|
|
241
|
+
pattern: pattern.toString(),
|
|
242
|
+
userAgent,
|
|
243
|
+
});
|
|
244
|
+
}
|
|
245
|
+
return true;
|
|
246
|
+
}
|
|
247
|
+
}
|
|
248
|
+
// Suspicious: Empty user agent
|
|
249
|
+
if (!userAgent || userAgent.trim() === "") {
|
|
250
|
+
return true;
|
|
251
|
+
}
|
|
252
|
+
// Suspicious: Too short user agent (< 20 chars usually means custom/scripted)
|
|
253
|
+
if (userAgent.length < 20 && !this.isKnownShortBrowserUA(userAgent)) {
|
|
254
|
+
return true;
|
|
255
|
+
}
|
|
256
|
+
// Suspicious: Accept */* with empty or simple user agent
|
|
257
|
+
if (accept === "*/*" && userAgent.length < 50) {
|
|
258
|
+
return true;
|
|
259
|
+
}
|
|
260
|
+
// Suspicious: User agent contains only version numbers and basic text
|
|
261
|
+
if (/^[a-z0-9\.\-\/\s]+$/i.test(userAgent) && userAgent.length < 30) {
|
|
262
|
+
return true;
|
|
263
|
+
}
|
|
264
|
+
return false;
|
|
265
|
+
}
|
|
266
|
+
/**
|
|
267
|
+
* Check if user agent is a known short legitimate browser UA
|
|
268
|
+
*/
|
|
269
|
+
isKnownShortBrowserUA(userAgent) {
|
|
270
|
+
// Some mobile browsers or minimal browsers have shorter UAs
|
|
271
|
+
const knownShort = [/^opera/i, /^lynx/i];
|
|
272
|
+
return knownShort.some((pattern) => pattern.test(userAgent));
|
|
273
|
+
}
|
|
274
|
+
/**
|
|
275
|
+
* Calculate browser legitimacy score using multiple indicators
|
|
276
|
+
*/
|
|
277
|
+
calculateBrowserScore(req) {
|
|
278
|
+
const breakdown = {};
|
|
279
|
+
let total = 0;
|
|
280
|
+
// 1. User Agent Analysis (0-2 points)
|
|
281
|
+
const uaScore = this.scoreUserAgent(req);
|
|
282
|
+
breakdown["userAgent"] = uaScore;
|
|
283
|
+
total += uaScore;
|
|
284
|
+
// 2. Accept Header Analysis (0-1 points)
|
|
285
|
+
const acceptScore = this.scoreAcceptHeader(req);
|
|
286
|
+
breakdown["accept"] = acceptScore;
|
|
287
|
+
total += acceptScore;
|
|
288
|
+
// 3. Accept-Language (0-1 points)
|
|
289
|
+
const langScore = this.scoreAcceptLanguage(req);
|
|
290
|
+
breakdown["acceptLanguage"] = langScore;
|
|
291
|
+
total += langScore;
|
|
292
|
+
// 4. Accept-Encoding (0-1 points)
|
|
293
|
+
const encodingScore = this.scoreAcceptEncoding(req);
|
|
294
|
+
breakdown["acceptEncoding"] = encodingScore;
|
|
295
|
+
total += encodingScore;
|
|
296
|
+
// 5. Origin/Referer (0-1 points)
|
|
297
|
+
const originScore = this.scoreOriginReferer(req);
|
|
298
|
+
breakdown["originReferer"] = originScore;
|
|
299
|
+
total += originScore;
|
|
300
|
+
// 6. Connection headers (0-1 points)
|
|
301
|
+
const connectionScore = this.scoreConnectionHeaders(req);
|
|
302
|
+
breakdown["connection"] = connectionScore;
|
|
303
|
+
total += connectionScore;
|
|
304
|
+
// 7. Cache-Control (0-1 points)
|
|
305
|
+
const cacheScore = this.scoreCacheControl(req);
|
|
306
|
+
breakdown["cache"] = cacheScore;
|
|
307
|
+
total += cacheScore;
|
|
308
|
+
// 8. DNT/Upgrade-Insecure-Requests (0-1 points)
|
|
309
|
+
const privacyScore = this.scorePrivacyHeaders(req);
|
|
310
|
+
breakdown["privacy"] = privacyScore;
|
|
311
|
+
total += privacyScore;
|
|
312
|
+
return { total, breakdown };
|
|
313
|
+
}
|
|
314
|
+
/**
|
|
315
|
+
* Score User-Agent header (0-2 points)
|
|
316
|
+
*/
|
|
317
|
+
scoreUserAgent(req) {
|
|
318
|
+
const ua = req.headers["user-agent"] || "";
|
|
319
|
+
let score = 0;
|
|
320
|
+
// Must contain browser indicators
|
|
321
|
+
if (/\b(Mozilla|Chrome|Safari|Firefox|Edge|Opera|Trident)\b/i.test(ua)) {
|
|
322
|
+
score += 1;
|
|
323
|
+
}
|
|
324
|
+
// Must be long and complex (typical browser UAs are 100+ chars)
|
|
325
|
+
if (ua.length > 80) {
|
|
326
|
+
score += 1;
|
|
327
|
+
}
|
|
328
|
+
// Contains platform info (Windows, Macintosh, Linux, Android, iOS)
|
|
329
|
+
if (/\b(Windows|Macintosh|Linux|Android|iPhone|iPad)\b/i.test(ua)) {
|
|
330
|
+
score += 0.5;
|
|
331
|
+
}
|
|
332
|
+
// Contains rendering engine (AppleWebKit, Gecko, Blink)
|
|
333
|
+
if (/\b(AppleWebKit|Gecko|Blink|rv:)\b/i.test(ua)) {
|
|
334
|
+
score += 0.5;
|
|
335
|
+
}
|
|
336
|
+
return Math.min(score, 2);
|
|
337
|
+
}
|
|
338
|
+
/**
|
|
339
|
+
* Score Accept header (0-1 points)
|
|
340
|
+
*/
|
|
341
|
+
scoreAcceptHeader(req) {
|
|
342
|
+
const accept = req.headers["accept"] || "";
|
|
343
|
+
// Browsers send complex Accept headers
|
|
344
|
+
if (accept.includes("text/html") &&
|
|
345
|
+
accept.includes("application/xhtml+xml")) {
|
|
346
|
+
return 1;
|
|
347
|
+
}
|
|
348
|
+
// At least multiple MIME types
|
|
349
|
+
if (accept.split(",").length >= 3) {
|
|
350
|
+
return 0.5;
|
|
351
|
+
}
|
|
352
|
+
return 0;
|
|
353
|
+
}
|
|
354
|
+
/**
|
|
355
|
+
* Score Accept-Language header (0-1 points)
|
|
356
|
+
*/
|
|
357
|
+
scoreAcceptLanguage(req) {
|
|
358
|
+
const lang = req.headers["accept-language"];
|
|
359
|
+
if (!lang) {
|
|
360
|
+
return 0;
|
|
361
|
+
}
|
|
362
|
+
// Browsers send detailed language preferences with quality values
|
|
363
|
+
if (lang.includes("q=") || lang.split(",").length >= 2) {
|
|
364
|
+
return 1;
|
|
365
|
+
}
|
|
366
|
+
// At least has a language code
|
|
367
|
+
if (lang.length >= 2) {
|
|
368
|
+
return 0.5;
|
|
369
|
+
}
|
|
370
|
+
return 0;
|
|
371
|
+
}
|
|
372
|
+
/**
|
|
373
|
+
* Score Accept-Encoding header (0-1 points)
|
|
374
|
+
*/
|
|
375
|
+
scoreAcceptEncoding(req) {
|
|
376
|
+
const encoding = req.headers["accept-encoding"];
|
|
377
|
+
if (!encoding) {
|
|
378
|
+
return 0;
|
|
379
|
+
}
|
|
380
|
+
// Browsers support multiple compression formats
|
|
381
|
+
const hasGzip = encoding.includes("gzip");
|
|
382
|
+
const hasDeflate = encoding.includes("deflate");
|
|
383
|
+
const hasBr = encoding.includes("br");
|
|
384
|
+
if ((hasGzip && hasDeflate) || hasBr) {
|
|
385
|
+
return 1;
|
|
386
|
+
}
|
|
387
|
+
if (hasGzip || hasDeflate) {
|
|
388
|
+
return 0.5;
|
|
389
|
+
}
|
|
390
|
+
return 0;
|
|
391
|
+
}
|
|
392
|
+
/**
|
|
393
|
+
* Score Origin/Referer headers (0-1 points)
|
|
394
|
+
*/
|
|
395
|
+
scoreOriginReferer(req) {
|
|
396
|
+
const origin = req.headers["origin"];
|
|
397
|
+
const referer = req.headers["referer"];
|
|
398
|
+
// Origin header (CORS request from browser)
|
|
399
|
+
if (origin && this.config.allowOriginRequests) {
|
|
400
|
+
// Validate it's a proper URL
|
|
401
|
+
if (this.isValidUrl(origin)) {
|
|
402
|
+
return 1;
|
|
403
|
+
}
|
|
404
|
+
}
|
|
405
|
+
// Referer header (navigation from another page)
|
|
406
|
+
if (referer && this.isValidUrl(referer)) {
|
|
407
|
+
return 1;
|
|
408
|
+
}
|
|
409
|
+
return 0;
|
|
410
|
+
}
|
|
411
|
+
/**
|
|
412
|
+
* Score Connection headers (0-1 points)
|
|
413
|
+
*/
|
|
414
|
+
scoreConnectionHeaders(req) {
|
|
415
|
+
const connection = req.headers["connection"];
|
|
416
|
+
const upgrade = req.headers["upgrade-insecure-requests"];
|
|
417
|
+
// Browsers typically send keep-alive
|
|
418
|
+
if (connection && connection.toLowerCase().includes("keep-alive")) {
|
|
419
|
+
return 0.5;
|
|
420
|
+
}
|
|
421
|
+
// Upgrade-Insecure-Requests is browser-specific
|
|
422
|
+
if (upgrade === "1") {
|
|
423
|
+
return 1;
|
|
424
|
+
}
|
|
425
|
+
return 0;
|
|
426
|
+
}
|
|
427
|
+
/**
|
|
428
|
+
* Score Cache-Control header (0-1 points)
|
|
429
|
+
*/
|
|
430
|
+
scoreCacheControl(req) {
|
|
431
|
+
const cache = req.headers["cache-control"];
|
|
432
|
+
if (!cache) {
|
|
433
|
+
return 0;
|
|
434
|
+
}
|
|
435
|
+
// Browsers send various cache directives
|
|
436
|
+
if (cache.includes("max-age") ||
|
|
437
|
+
cache.includes("no-cache") ||
|
|
438
|
+
cache.includes("no-store")) {
|
|
439
|
+
return 1;
|
|
440
|
+
}
|
|
441
|
+
return 0;
|
|
442
|
+
}
|
|
443
|
+
/**
|
|
444
|
+
* Score privacy-related headers (0-1 points)
|
|
445
|
+
*/
|
|
446
|
+
scorePrivacyHeaders(req) {
|
|
447
|
+
const dnt = req.headers["dnt"];
|
|
448
|
+
const gpc = req.headers["sec-gpc"];
|
|
449
|
+
const upgradeInsecure = req.headers["upgrade-insecure-requests"];
|
|
450
|
+
// DNT (Do Not Track)
|
|
451
|
+
if (dnt === "1") {
|
|
452
|
+
return 1;
|
|
453
|
+
}
|
|
454
|
+
// GPC (Global Privacy Control)
|
|
455
|
+
if (gpc === "1") {
|
|
456
|
+
return 1;
|
|
457
|
+
}
|
|
458
|
+
// Upgrade-Insecure-Requests
|
|
459
|
+
if (upgradeInsecure === "1") {
|
|
460
|
+
return 1;
|
|
461
|
+
}
|
|
462
|
+
return 0;
|
|
463
|
+
}
|
|
464
|
+
/**
|
|
465
|
+
* Validate if string is a proper URL
|
|
466
|
+
*/
|
|
467
|
+
isValidUrl(url) {
|
|
468
|
+
try {
|
|
469
|
+
const parsed = new URL(url);
|
|
470
|
+
return parsed.protocol === "http:" || parsed.protocol === "https:";
|
|
471
|
+
}
|
|
472
|
+
catch {
|
|
473
|
+
return false;
|
|
474
|
+
}
|
|
475
|
+
}
|
|
476
|
+
/**
|
|
477
|
+
* Check if request shows browser-like characteristics (legacy method - kept for compatibility)
|
|
478
|
+
*/
|
|
479
|
+
isLikelyBrowserRequest(req) {
|
|
480
|
+
const score = this.calculateBrowserScore(req);
|
|
481
|
+
return score.total >= this.BROWSER_SCORE_THRESHOLD;
|
|
482
|
+
}
|
|
483
|
+
/**
|
|
484
|
+
* Check if User-Agent indicates an automation tool (legacy method - kept for compatibility)
|
|
485
|
+
*/
|
|
486
|
+
isAutomationTool(userAgent) {
|
|
487
|
+
return this.isDefinitelyAutomationTool({
|
|
488
|
+
headers: { "user-agent": userAgent },
|
|
489
|
+
});
|
|
490
|
+
}
|
|
491
|
+
/**
|
|
492
|
+
* Check if Accept header is complex enough for a browser (legacy method)
|
|
493
|
+
*/
|
|
494
|
+
hasComplexAcceptHeader(accept) {
|
|
495
|
+
if (!accept || accept === "*/*") {
|
|
496
|
+
return false;
|
|
497
|
+
}
|
|
498
|
+
const acceptParts = accept.split(",").map((s) => s.trim());
|
|
499
|
+
return acceptParts.length >= 3 && accept.includes("text/html");
|
|
500
|
+
}
|
|
501
|
+
/**
|
|
502
|
+
* Check for other browser indicators (legacy method)
|
|
503
|
+
*/
|
|
504
|
+
hasBrowserIndicators(req) {
|
|
505
|
+
const score = this.calculateBrowserScore(req);
|
|
506
|
+
return score.total >= this.BROWSER_SCORE_THRESHOLD;
|
|
507
|
+
}
|
|
508
|
+
/**
|
|
509
|
+
* Block the request with appropriate error response
|
|
510
|
+
*/
|
|
511
|
+
blockRequest(res, code, details) {
|
|
512
|
+
// Generic error message for security (don't reveal implementation details)
|
|
513
|
+
const isDevelopment = this.config.debug;
|
|
514
|
+
const response = {
|
|
515
|
+
error: isDevelopment ? this.config.errorMessage : "Access denied",
|
|
516
|
+
timestamp: new Date().toISOString(),
|
|
517
|
+
code: "NEHONIXYPBROw01",
|
|
518
|
+
};
|
|
519
|
+
// Add XyPriss-specific info for developers in development/debug mode
|
|
520
|
+
if (isDevelopment) {
|
|
521
|
+
response.xypriss = {
|
|
522
|
+
module: "BrowserOnly",
|
|
523
|
+
code,
|
|
524
|
+
details,
|
|
525
|
+
userAgent: res.req?.headers["user-agent"]?.substring(0, 100),
|
|
526
|
+
};
|
|
527
|
+
}
|
|
528
|
+
if (this.config.debug) {
|
|
529
|
+
this.logger.debug("security", "BrowOn blocking request", {
|
|
530
|
+
code,
|
|
531
|
+
details,
|
|
532
|
+
userAgent: res.req?.headers["user-agent"]?.substring(0, 100),
|
|
533
|
+
});
|
|
534
|
+
}
|
|
535
|
+
res.status(this.config.statusCode).json(response);
|
|
536
|
+
}
|
|
537
|
+
/**
|
|
538
|
+
* Update configuration
|
|
539
|
+
*/
|
|
540
|
+
updateConfig(newConfig) {
|
|
541
|
+
this.config = { ...this.config, ...newConfig };
|
|
542
|
+
}
|
|
543
|
+
/**
|
|
544
|
+
* Get current configuration
|
|
545
|
+
*/
|
|
546
|
+
getConfig() {
|
|
547
|
+
return { ...this.config };
|
|
548
|
+
}
|
|
549
|
+
}
|
|
550
|
+
|
|
551
|
+
exports.BrowserOnlyProtector = BrowserOnlyProtector;
|
|
552
|
+
//# sourceMappingURL=BrowserOnlyProtector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"BrowserOnlyProtector.js","sources":["../../../../../../src/middleware/built-in/security/BrowserOnlyProtector.ts"],"sourcesContent":[null],"names":["Logger"],"mappings":";;;;AAAA;;;;AAIG;MAMU,oBAAoB,CAAA;IAK7B,WAAY,CAAA,OAAA,GAA6B,EAAE,EAAE,MAAe,EAAA;AAH3C,QAAA,IAAA,CAAA,uBAAuB,GAAG,CAAC,CAAC;QAIzC,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,eAAe,EAAE,IAAI;AACrB,YAAA,oBAAoB,EAAE,IAAI;AAC1B,YAAA,oBAAoB,EAAE,KAAK;AAC3B,YAAA,mBAAmB,EAAE,IAAI;AACzB,YAAA,YAAY,EAAE,qDAAqD;AACnE,YAAA,UAAU,EAAE,GAAG;AACf,YAAA,KAAK,EAAE,KAAK;AACZ,YAAA,GAAG,OAAO;SACb,CAAC;;AAGF,QAAA,IAAI,OAAO,CAAC,eAAe,KAAK,SAAS,EAAE;YACvC,IAAI,CAAC,MAAM,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;SACzD;;AAGD,QAAA,IAAI,CAAC,MAAM;YACP,MAAM;AACN,gBAAA,IAAIA,aAAM,CAAC;AACP,oBAAA,OAAO,EAAE,IAAI;AACb,oBAAA,KAAK,EAAE,OAAO;AACd,oBAAA,UAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;AAC9B,oBAAA,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;AACzB,iBAAA,CAAC,CAAC;KACV;AAED;;AAEG;IACI,aAAa,GAAA;AAChB,QAAA,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,KAAI;YACrC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AACvC,SAAC,CAAC;KACL;AAED;;AAEG;AACK,IAAA,aAAa,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAA;AAC/C,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC;SAC9D;AACD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,0BAA0B,EAAE;AACtD,gBAAA,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC3C,gBAAA,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC3C,gBAAA,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC9C,aAAA,CAAC,CAAC;SACN;;AAGD,QAAA,IACI,IAAI,CAAC,MAAM,CAAC,eAAe;YAC3B,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,KAAK,UAAU,EACnD;YACE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE;gBACnC,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,cAAc,EACd,yBAAyB,CAC5B,CAAC;aACL;YACD,OAAO,IAAI,EAAE,CAAC;SACjB;;AAGD,QAAA,IACI,IAAI,CAAC,MAAM,CAAC,oBAAoB;AAChC,YAAA,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,EACtC;YACE,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,0BAA0B,EAC1B,oCAAoC,CACvC,CAAC;SACL;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE;YAC7B,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAEjD,IAAI,WAAW,EAAE;;AAEb,gBAAA,IAAI,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,EAAE;AACnC,oBAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;wBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,mDAAmD,CACtD,CAAC;qBACL;oBACD,OAAO,IAAI,EAAE,CAAC;iBACjB;qBAAM;;AAEH,oBAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;wBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,gEAAgE,CACnE,CAAC;qBACL;oBACD,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,mBAAmB,EACnB,uCAAuC,CAC1C,CAAC;iBACL;aACJ;;YAGD,MAAM,YAAY,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;AAErD,YAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;gBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,yBAAyB,YAAY,CAAC,KAAK,CAAI,CAAA,EAAA,IAAI,CAAC,uBAAuB,CAAA,OAAA,EAAU,IAAI,CAAC,uBAAuB,CAAW,SAAA,CAAA,CAC/H,CAAC;AACF,gBAAA,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,wBAAwB,EACxB,YAAY,CAAC,SAAS,CACzB,CAAC;aACL;YAED,IAAI,YAAY,CAAC,KAAK,IAAI,IAAI,CAAC,uBAAuB,EAAE;AACpD,gBAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;oBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,gDAAgD,CACnD,CAAC;iBACL;gBACD,OAAO,IAAI,EAAE,CAAC;aACjB;;AAGD,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,iCAAiC,EACjC,CAAA,cAAA,EAAiB,YAAY,CAAC,KAAK,CAAI,CAAA,EAAA,IAAI,CAAC,uBAAuB,CAAA,qCAAA,CAAuC,CAC7G,CAAC;SACL;;AAGD,QAAA,IAAI,EAAE,CAAC;KACV;AAED;;AAEG;AACK,IAAA,kBAAkB,CAAC,GAAQ,EAAA;QAC/B,OAAO,CAAC,EACJ,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC7B,YAAA,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC7B,YAAA,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC;AAC7B,YAAA,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAChC,CAAC;KACL;AAED;;AAEG;AACK,IAAA,uBAAuB,CAAC,GAAQ,EAAA;QACpC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;;AAG3C,QAAA,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE;AAChB,YAAA,OAAO,KAAK,CAAC;SAChB;;AAGD,QAAA,MAAM,SAAS,GAAG;YACd,UAAU;YACV,OAAO;YACP,QAAQ;YACR,OAAO;YACP,QAAQ;YACR,OAAO;YACP,MAAM;YACN,OAAO;YACP,OAAO;YACP,UAAU;YACV,QAAQ;YACR,OAAO;YACP,QAAQ;YACR,cAAc;YACd,eAAe;SAClB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;AAC3B,YAAA,OAAO,KAAK,CAAC;SAChB;;AAGD,QAAA,MAAM,SAAS,GAAG;YACd,UAAU;YACV,MAAM;YACN,SAAS;YACT,aAAa;YACb,WAAW;SACd,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;AAC3B,YAAA,OAAO,KAAK,CAAC;SAChB;;AAGD,QAAA,IACI,IAAI;AACJ,YAAA,CAAC,CAAC,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EACpE;AACE,YAAA,OAAO,KAAK,CAAC;SAChB;;QAGD,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI,EAAE;AACrC,YAAA,OAAO,KAAK,CAAC;SAChB;;AAGD,QAAA,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,QAAQ,EAAE;YACjE,OAAO,KAAK,CAAC;SAChB;QAED,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,UAAU,EAAE;YACtC,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,OAAO,IAAI,CAAC;KACf;AAED;;AAEG;AACK,IAAA,0BAA0B,CAAC,GAAQ,EAAA;AACvC,QAAA,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC;QAClE,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;AAE3C,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,2CAA2C,EAC3C;gBACI,SAAS;gBACT,MAAM;AACT,aAAA,CACJ,CAAC;SACL;;AAGD,QAAA,MAAM,kBAAkB,GAAG;YACvB,cAAc;YACd,cAAc;YACd,YAAY;YACZ,aAAa;YACb,WAAW;YACX,oBAAoB;YACpB,UAAU;YACV,eAAe;YACf,WAAW;YACX,eAAe;YACf,WAAW;YACX,eAAe;YACf,UAAU;YACV,YAAY;YACZ,UAAU;YACV,eAAe;YACf,aAAa;YACb,kBAAkB;YAClB,QAAQ;YACR,OAAO;YACP,WAAW;YACX,gBAAgB;YAChB,YAAY;YACZ,aAAa;YACb,eAAe;YACf,sBAAsB;YACtB,WAAW;YACX,aAAa;YACb,YAAY;YACZ,gBAAgB;YAChB,aAAa;YACb,YAAY;YACZ,YAAY;YACZ,UAAU;YACV,YAAY;YACZ,WAAW;YACX,cAAc;YACd,eAAe;YACf,aAAa;YACb,cAAc;YACd,aAAa;SAChB,CAAC;;AAGF,QAAA,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE;AACtC,YAAA,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;AACzB,gBAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;oBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,UAAU,EACV,iCAAiC,EACjC;AACI,wBAAA,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE;wBAC3B,SAAS;AACZ,qBAAA,CACJ,CAAC;iBACL;AACD,gBAAA,OAAO,IAAI,CAAC;aACf;SACJ;;QAGD,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;AACvC,YAAA,OAAO,IAAI,CAAC;SACf;;AAGD,QAAA,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE;AACjE,YAAA,OAAO,IAAI,CAAC;SACf;;QAGD,IAAI,MAAM,KAAK,KAAK,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE;AAC3C,YAAA,OAAO,IAAI,CAAC;SACf;;AAGD,QAAA,IAAI,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE;AACjE,YAAA,OAAO,IAAI,CAAC;SACf;AAED,QAAA,OAAO,KAAK,CAAC;KAChB;AAED;;AAEG;AACK,IAAA,qBAAqB,CAAC,SAAiB,EAAA;;AAE3C,QAAA,MAAM,UAAU,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AACzC,QAAA,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;KAChE;AAED;;AAEG;AACK,IAAA,qBAAqB,CAAC,GAAQ,EAAA;QAIlC,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,IAAI,KAAK,GAAG,CAAC,CAAC;;QAGd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;AACzC,QAAA,SAAS,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC;QACjC,KAAK,IAAI,OAAO,CAAC;;QAGjB,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAChD,QAAA,SAAS,CAAC,QAAQ,CAAC,GAAG,WAAW,CAAC;QAClC,KAAK,IAAI,WAAW,CAAC;;QAGrB,MAAM,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;AAChD,QAAA,SAAS,CAAC,gBAAgB,CAAC,GAAG,SAAS,CAAC;QACxC,KAAK,IAAI,SAAS,CAAC;;QAGnB,MAAM,aAAa,GAAG,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;AACpD,QAAA,SAAS,CAAC,gBAAgB,CAAC,GAAG,aAAa,CAAC;QAC5C,KAAK,IAAI,aAAa,CAAC;;QAGvB,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;AACjD,QAAA,SAAS,CAAC,eAAe,CAAC,GAAG,WAAW,CAAC;QACzC,KAAK,IAAI,WAAW,CAAC;;QAGrB,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;AACzD,QAAA,SAAS,CAAC,YAAY,CAAC,GAAG,eAAe,CAAC;QAC1C,KAAK,IAAI,eAAe,CAAC;;QAGzB,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAC/C,QAAA,SAAS,CAAC,OAAO,CAAC,GAAG,UAAU,CAAC;QAChC,KAAK,IAAI,UAAU,CAAC;;QAGpB,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;AACnD,QAAA,SAAS,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC;QACpC,KAAK,IAAI,YAAY,CAAC;AAEtB,QAAA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;KAC/B;AAED;;AAEG;AACK,IAAA,cAAc,CAAC,GAAQ,EAAA;QAC3B,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,CAAC,CAAC;;AAGd,QAAA,IACI,yDAAyD,CAAC,IAAI,CAAC,EAAE,CAAC,EACpE;YACE,KAAK,IAAI,CAAC,CAAC;SACd;;AAGD,QAAA,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE;YAChB,KAAK,IAAI,CAAC,CAAC;SACd;;AAGD,QAAA,IAAI,oDAAoD,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC/D,KAAK,IAAI,GAAG,CAAC;SAChB;;AAGD,QAAA,IAAI,oCAAoC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAC/C,KAAK,IAAI,GAAG,CAAC;SAChB;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;KAC7B;AAED;;AAEG;AACK,IAAA,iBAAiB,CAAC,GAAQ,EAAA;QAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;;AAG3C,QAAA,IACI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;AAC5B,YAAA,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAC1C;AACE,YAAA,OAAO,CAAC,CAAC;SACZ;;QAGD,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;AAC/B,YAAA,OAAO,GAAG,CAAC;SACd;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,mBAAmB,CAAC,GAAQ,EAAA;QAChC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAE5C,IAAI,CAAC,IAAI,EAAE;AACP,YAAA,OAAO,CAAC,CAAC;SACZ;;AAGD,QAAA,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;AACpD,YAAA,OAAO,CAAC,CAAC;SACZ;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE;AAClB,YAAA,OAAO,GAAG,CAAC;SACd;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,mBAAmB,CAAC,GAAQ,EAAA;QAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAEhD,IAAI,CAAC,QAAQ,EAAE;AACX,YAAA,OAAO,CAAC,CAAC;SACZ;;QAGD,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEtC,IAAI,CAAC,OAAO,IAAI,UAAU,KAAK,KAAK,EAAE;AAClC,YAAA,OAAO,CAAC,CAAC;SACZ;AAED,QAAA,IAAI,OAAO,IAAI,UAAU,EAAE;AACvB,YAAA,OAAO,GAAG,CAAC;SACd;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,kBAAkB,CAAC,GAAQ,EAAA;QAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;;QAGvC,IAAI,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE;;AAE3C,YAAA,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;AACzB,gBAAA,OAAO,CAAC,CAAC;aACZ;SACJ;;QAGD,IAAI,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE;AACrC,YAAA,OAAO,CAAC,CAAC;SACZ;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,sBAAsB,CAAC,GAAQ,EAAA;QACnC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;;AAGzD,QAAA,IAAI,UAAU,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;AAC/D,YAAA,OAAO,GAAG,CAAC;SACd;;AAGD,QAAA,IAAI,OAAO,KAAK,GAAG,EAAE;AACjB,YAAA,OAAO,CAAC,CAAC;SACZ;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,iBAAiB,CAAC,GAAQ,EAAA;QAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE3C,IAAI,CAAC,KAAK,EAAE;AACR,YAAA,OAAO,CAAC,CAAC;SACZ;;AAGD,QAAA,IACI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;AACzB,YAAA,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC1B,YAAA,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,EAC5B;AACE,YAAA,OAAO,CAAC,CAAC;SACZ;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,mBAAmB,CAAC,GAAQ,EAAA;QAChC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;;AAGjE,QAAA,IAAI,GAAG,KAAK,GAAG,EAAE;AACb,YAAA,OAAO,CAAC,CAAC;SACZ;;AAGD,QAAA,IAAI,GAAG,KAAK,GAAG,EAAE;AACb,YAAA,OAAO,CAAC,CAAC;SACZ;;AAGD,QAAA,IAAI,eAAe,KAAK,GAAG,EAAE;AACzB,YAAA,OAAO,CAAC,CAAC;SACZ;AAED,QAAA,OAAO,CAAC,CAAC;KACZ;AAED;;AAEG;AACK,IAAA,UAAU,CAAC,GAAW,EAAA;AAC1B,QAAA,IAAI;AACA,YAAA,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,OAAO,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;SACtE;AAAC,QAAA,MAAM;AACJ,YAAA,OAAO,KAAK,CAAC;SAChB;KACJ;AAED;;AAEG;AACK,IAAA,sBAAsB,CAAC,GAAQ,EAAA;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;AAC9C,QAAA,OAAO,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,uBAAuB,CAAC;KACtD;AAED;;AAEG;AACK,IAAA,gBAAgB,CAAC,SAAiB,EAAA;QACtC,OAAO,IAAI,CAAC,0BAA0B,CAAC;AACnC,YAAA,OAAO,EAAE,EAAE,YAAY,EAAE,SAAS,EAAE;AACvC,SAAA,CAAC,CAAC;KACN;AAED;;AAEG;AACK,IAAA,sBAAsB,CAAC,MAAc,EAAA;AACzC,QAAA,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE;AAC7B,YAAA,OAAO,KAAK,CAAC;SAChB;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC3D,QAAA,OAAO,WAAW,CAAC,MAAM,IAAI,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;KAClE;AAED;;AAEG;AACK,IAAA,oBAAoB,CAAC,GAAQ,EAAA;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;AAC9C,QAAA,OAAO,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,uBAAuB,CAAC;KACtD;AAED;;AAEG;AACK,IAAA,YAAY,CAAC,GAAQ,EAAE,IAAY,EAAE,OAAgB,EAAA;;AAEzD,QAAA,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;AAExC,QAAA,MAAM,QAAQ,GAAQ;AAClB,YAAA,KAAK,EAAE,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,eAAe;AACjE,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACnC,YAAA,IAAI,EAAE,iBAAiB;SAC1B,CAAC;;QAGF,IAAI,aAAa,EAAE;YACf,QAAQ,CAAC,OAAO,GAAG;AACf,gBAAA,MAAM,EAAE,aAAa;gBACrB,IAAI;gBACJ,OAAO;AACP,gBAAA,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;aAC/D,CAAC;SACL;AAED,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,yBAAyB,EAAE;gBACrD,IAAI;gBACJ,OAAO;AACP,gBAAA,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;AAC/D,aAAA,CAAC,CAAC;SACN;AAED,QAAA,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;KACrD;AAED;;AAEG;AACI,IAAA,YAAY,CAAC,SAAqC,EAAA;AACrD,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;AAED;;AAEG;IACI,SAAS,GAAA;AACZ,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}
|