zudoku 0.12.2 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (197) hide show
  1. package/dist/app/main.js +3 -3
  2. package/dist/app/main.js.map +1 -1
  3. package/dist/cli/dev/handler.js +2 -2
  4. package/dist/cli/dev/handler.js.map +1 -1
  5. package/dist/config/validators/validate.d.ts +42 -23
  6. package/dist/config/validators/validate.js +6 -2
  7. package/dist/config/validators/validate.js.map +1 -1
  8. package/dist/index.d.ts +1 -0
  9. package/dist/lib/components/Banner.js +7 -1
  10. package/dist/lib/components/Banner.js.map +1 -1
  11. package/dist/lib/components/Header.js +1 -1
  12. package/dist/lib/components/Header.js.map +1 -1
  13. package/dist/lib/components/Layout.js +1 -1
  14. package/dist/lib/components/Layout.js.map +1 -1
  15. package/dist/lib/components/MobileTopNavigation.js +2 -1
  16. package/dist/lib/components/MobileTopNavigation.js.map +1 -1
  17. package/dist/lib/components/Search.js +1 -1
  18. package/dist/lib/components/Search.js.map +1 -1
  19. package/dist/lib/components/SlotletProvider.d.ts +9 -2
  20. package/dist/lib/components/SlotletProvider.js +4 -2
  21. package/dist/lib/components/SlotletProvider.js.map +1 -1
  22. package/dist/lib/components/index.d.ts +2 -1
  23. package/dist/lib/components/index.js.map +1 -1
  24. package/dist/lib/core/DevPortalContext.d.ts +1 -1
  25. package/dist/lib/oas/graphql/index.js +2 -6
  26. package/dist/lib/oas/graphql/index.js.map +1 -1
  27. package/dist/lib/plugins/custom-pages/CustomPage.d.ts +2 -0
  28. package/dist/lib/plugins/custom-pages/CustomPage.js +10 -0
  29. package/dist/lib/plugins/custom-pages/CustomPage.js.map +1 -0
  30. package/dist/lib/plugins/custom-pages/index.d.ts +10 -0
  31. package/dist/lib/plugins/custom-pages/index.js +11 -0
  32. package/dist/lib/plugins/custom-pages/index.js.map +1 -0
  33. package/dist/lib/plugins/openapi/Endpoint.js +1 -1
  34. package/dist/lib/plugins/openapi/Endpoint.js.map +1 -1
  35. package/dist/lib/plugins/openapi/OperationList.js +1 -1
  36. package/dist/lib/plugins/openapi/OperationList.js.map +1 -1
  37. package/dist/lib/plugins/openapi/Route.d.ts +1 -1
  38. package/dist/lib/plugins/openapi/Route.js +1 -1
  39. package/dist/lib/plugins/openapi/Route.js.map +1 -1
  40. package/dist/lib/plugins/openapi/Sidecar.js +1 -1
  41. package/dist/lib/plugins/openapi/Sidecar.js.map +1 -1
  42. package/dist/lib/plugins/openapi/client/createMemoryClient.js +1 -1
  43. package/dist/lib/plugins/openapi/client/createMemoryClient.js.map +1 -1
  44. package/dist/lib/plugins/openapi/client/createWorkerClient.js +1 -1
  45. package/dist/lib/plugins/openapi/client/createWorkerClient.js.map +1 -1
  46. package/dist/lib/plugins/openapi/index.js +1 -1
  47. package/dist/lib/plugins/openapi/index.js.map +1 -1
  48. package/dist/lib/ui/Callout.d.ts +36 -35
  49. package/dist/lib/ui/Callout.js.map +1 -1
  50. package/dist/lib/ui/Drawer.d.ts +8 -10
  51. package/dist/lib/ui/Drawer.js.map +1 -1
  52. package/dist/lib/util/useExposedProps.d.ts +2 -0
  53. package/dist/lib/util/useExposedProps.js +8 -0
  54. package/dist/lib/util/useExposedProps.js.map +1 -0
  55. package/dist/vite/config.js +2 -0
  56. package/dist/vite/config.js.map +1 -1
  57. package/dist/vite/dev-server.d.ts +6 -1
  58. package/dist/vite/dev-server.js +13 -3
  59. package/dist/vite/dev-server.js.map +1 -1
  60. package/dist/vite/plugin-component.js +0 -1
  61. package/dist/vite/plugin-component.js.map +1 -1
  62. package/dist/vite/plugin-custom-pages.d.ts +4 -0
  63. package/dist/vite/plugin-custom-pages.js +30 -0
  64. package/dist/vite/plugin-custom-pages.js.map +1 -0
  65. package/dist/vite/plugin.js +2 -0
  66. package/dist/vite/plugin.js.map +1 -1
  67. package/lib/{AuthenticationPlugin-Bx9FK124.js → AuthenticationPlugin-CbgJ5SAh.js} +3 -3
  68. package/lib/{AuthenticationPlugin-Bx9FK124.js.map → AuthenticationPlugin-CbgJ5SAh.js.map} +1 -1
  69. package/lib/{DeveloperHint-YeWHKvyr.js → DeveloperHint-CiXPc9Xm.js} +2 -2
  70. package/lib/{DeveloperHint-YeWHKvyr.js.map → DeveloperHint-CiXPc9Xm.js.map} +1 -1
  71. package/lib/ErrorPage-B-zoPPVx.js +15 -0
  72. package/lib/{ErrorPage-CsZAN_za.js.map → ErrorPage-B-zoPPVx.js.map} +1 -1
  73. package/lib/Input-QMLhK7Rb.js +2229 -0
  74. package/lib/Input-QMLhK7Rb.js.map +1 -0
  75. package/lib/{Markdown-DapSf3wG.js → Markdown-D6Nze6qq.js} +3281 -5392
  76. package/lib/Markdown-D6Nze6qq.js.map +1 -0
  77. package/lib/{MdxPage-BqBWsXZ1.js → MdxPage-DBhq6-5F.js} +15 -15
  78. package/lib/{MdxPage-BqBWsXZ1.js.map → MdxPage-DBhq6-5F.js.map} +1 -1
  79. package/lib/{OperationList-CYrmxPa8.js → OperationList-Ba24gUd2.js} +50 -51
  80. package/lib/OperationList-Ba24gUd2.js.map +1 -0
  81. package/lib/{Route-Q5mqNQrv.js → Route-DI38nxYt.js} +3 -4
  82. package/lib/Route-DI38nxYt.js.map +1 -0
  83. package/lib/SidebarBadge-B9-VJSQr.js +503 -0
  84. package/lib/SidebarBadge-B9-VJSQr.js.map +1 -0
  85. package/lib/{SlotletProvider-D3UD5Go3.js → SlotletProvider-Cb8mGpBO.js} +46 -46
  86. package/lib/{SlotletProvider-D3UD5Go3.js.map → SlotletProvider-Cb8mGpBO.js.map} +1 -1
  87. package/lib/ZudokuContext-BEmsYQoq.js +1173 -0
  88. package/lib/ZudokuContext-BEmsYQoq.js.map +1 -0
  89. package/lib/assets/{index-B9EWVYfo.js → index-B_Jk_Yzp.js} +968 -938
  90. package/lib/assets/index-B_Jk_Yzp.js.map +1 -0
  91. package/lib/assets/{worker-Bcj4NA2p.js → worker-Bf8vjASY.js} +4582 -4303
  92. package/lib/assets/worker-Bf8vjASY.js.map +1 -0
  93. package/lib/cn-BmFQLtkS.js +2279 -0
  94. package/lib/cn-BmFQLtkS.js.map +1 -0
  95. package/lib/{index-BG0g4WW0.js → index-BRCiYFaL.js} +747 -737
  96. package/lib/index-BRCiYFaL.js.map +1 -0
  97. package/lib/{index-CLd8ycZz.js → index-CkwDvuPt.js} +947 -917
  98. package/lib/index-CkwDvuPt.js.map +1 -0
  99. package/lib/{index-LNp6rxyU.js → index-D06ATMgg.js} +2 -2
  100. package/lib/{index-LNp6rxyU.js.map → index-D06ATMgg.js.map} +1 -1
  101. package/lib/{index-BlJ2rj99.js → index-DA74gNq3.js} +1124 -974
  102. package/lib/index-DA74gNq3.js.map +1 -0
  103. package/lib/index-DJqnphbT.js +35 -0
  104. package/lib/{index-Bn6Lc9tq.js.map → index-DJqnphbT.js.map} +1 -1
  105. package/lib/{index-BngPzhKn.js → index-dgcPryXi.js} +3 -3
  106. package/lib/{index-BngPzhKn.js.map → index-dgcPryXi.js.map} +1 -1
  107. package/lib/{index-Dolisrci.js → index-g_JJcuFg.js} +603 -549
  108. package/lib/index-g_JJcuFg.js.map +1 -0
  109. package/lib/router-Oe6YmY6B.js +3024 -0
  110. package/lib/router-Oe6YmY6B.js.map +1 -0
  111. package/lib/state-CsuHT8ZO.js +183 -0
  112. package/lib/state-CsuHT8ZO.js.map +1 -0
  113. package/lib/urql-core-KJnLL26g.js +1455 -0
  114. package/lib/urql-core-KJnLL26g.js.map +1 -0
  115. package/lib/useExposedProps-Csw8oAlt.js +9 -0
  116. package/lib/useExposedProps-Csw8oAlt.js.map +1 -0
  117. package/lib/{utils-ByIc_KIM.js → utils-Chi3p5nE.js} +4 -4
  118. package/lib/utils-Chi3p5nE.js.map +1 -0
  119. package/lib/zudoku.auth-auth0.js +1 -1
  120. package/lib/zudoku.auth-clerk.js +2 -2
  121. package/lib/zudoku.auth-openid.js +363 -350
  122. package/lib/zudoku.auth-openid.js.map +1 -1
  123. package/lib/zudoku.components.js +1697 -1623
  124. package/lib/zudoku.components.js.map +1 -1
  125. package/lib/zudoku.openapi-worker.js +4599 -4319
  126. package/lib/zudoku.openapi-worker.js.map +1 -1
  127. package/lib/zudoku.plugin-api-keys.js +7 -7
  128. package/lib/zudoku.plugin-custom-pages.js +21 -0
  129. package/lib/zudoku.plugin-custom-pages.js.map +1 -0
  130. package/lib/zudoku.plugin-markdown.js +1 -1
  131. package/lib/zudoku.plugin-openapi.js +8 -8
  132. package/lib/zudoku.plugin-redirect.js +1 -1
  133. package/package.json +61 -68
  134. package/src/app/main.tsx +3 -3
  135. package/src/lib/components/Banner.tsx +12 -2
  136. package/src/lib/components/Header.tsx +4 -2
  137. package/src/lib/components/Layout.tsx +1 -0
  138. package/src/lib/components/MobileTopNavigation.tsx +4 -0
  139. package/src/lib/components/Search.tsx +1 -1
  140. package/src/lib/components/SlotletProvider.tsx +27 -4
  141. package/src/lib/components/index.ts +1 -1
  142. package/src/lib/core/DevPortalContext.ts +1 -1
  143. package/src/lib/oas/graphql/index.ts +3 -11
  144. package/src/lib/plugins/custom-pages/CustomPage.tsx +15 -0
  145. package/src/lib/plugins/custom-pages/index.tsx +24 -0
  146. package/src/lib/plugins/openapi/Endpoint.tsx +1 -1
  147. package/src/lib/plugins/openapi/OperationList.tsx +1 -1
  148. package/src/lib/plugins/openapi/Route.tsx +1 -2
  149. package/src/lib/plugins/openapi/Sidecar.tsx +1 -1
  150. package/src/lib/plugins/openapi/client/createMemoryClient.ts +1 -6
  151. package/src/lib/plugins/openapi/client/createWorkerClient.ts +1 -6
  152. package/src/lib/plugins/openapi/index.tsx +1 -5
  153. package/src/lib/ui/Callout.tsx +7 -6
  154. package/src/lib/ui/Drawer.tsx +38 -36
  155. package/src/lib/util/useExposedProps.tsx +10 -0
  156. package/dist/lib/plugins/custom-page/index.d.ts +0 -8
  157. package/dist/lib/plugins/custom-page/index.js +0 -12
  158. package/dist/lib/plugins/custom-page/index.js.map +0 -1
  159. package/dist/lib/plugins/openapi/playground/Editor.d.ts +0 -1
  160. package/dist/lib/plugins/openapi/playground/Editor.js +0 -5
  161. package/dist/lib/plugins/openapi/playground/Editor.js.map +0 -1
  162. package/dist/lib/plugins/openapi/util/urql.d.ts +0 -7
  163. package/dist/lib/plugins/openapi/util/urql.js +0 -8
  164. package/dist/lib/plugins/openapi/util/urql.js.map +0 -1
  165. package/lib/CategoryHeading-ovR-zHRq.js +0 -10
  166. package/lib/CategoryHeading-ovR-zHRq.js.map +0 -1
  167. package/lib/ErrorPage-CsZAN_za.js +0 -16
  168. package/lib/Input-CtVUl3eT.js +0 -2198
  169. package/lib/Input-CtVUl3eT.js.map +0 -1
  170. package/lib/Markdown-DapSf3wG.js.map +0 -1
  171. package/lib/OperationList-CYrmxPa8.js.map +0 -1
  172. package/lib/Route-Q5mqNQrv.js.map +0 -1
  173. package/lib/SidebarBadge-Dx7jtnoA.js +0 -498
  174. package/lib/SidebarBadge-Dx7jtnoA.js.map +0 -1
  175. package/lib/ZudokuContext-cr-pTRY1.js +0 -1084
  176. package/lib/ZudokuContext-cr-pTRY1.js.map +0 -1
  177. package/lib/_commonjsHelpers-BkfeUUK-.js +0 -29
  178. package/lib/_commonjsHelpers-BkfeUUK-.js.map +0 -1
  179. package/lib/assets/index-B9EWVYfo.js.map +0 -1
  180. package/lib/assets/worker-Bcj4NA2p.js.map +0 -1
  181. package/lib/index-BG0g4WW0.js.map +0 -1
  182. package/lib/index-BlJ2rj99.js.map +0 -1
  183. package/lib/index-Bn6Lc9tq.js +0 -9
  184. package/lib/index-CLd8ycZz.js.map +0 -1
  185. package/lib/index-Dolisrci.js.map +0 -1
  186. package/lib/router-D2p7Olpn.js +0 -2971
  187. package/lib/router-D2p7Olpn.js.map +0 -1
  188. package/lib/state-hNe1dw4B.js +0 -548
  189. package/lib/state-hNe1dw4B.js.map +0 -1
  190. package/lib/urql-YhcsXYy8.js +0 -1591
  191. package/lib/urql-YhcsXYy8.js.map +0 -1
  192. package/lib/utils-ByIc_KIM.js.map +0 -1
  193. package/lib/zudoku.plugin-custom-page.js +0 -13
  194. package/lib/zudoku.plugin-custom-page.js.map +0 -1
  195. package/src/lib/plugins/custom-page/index.tsx +0 -22
  196. package/src/lib/plugins/openapi/playground/Editor.tsx +0 -4
  197. package/src/lib/plugins/openapi/util/urql.ts +0 -8
package/lib/zudoku.auth-openid.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"zudoku.auth-openid.js","sources":["../../../node_modules/.pnpm/loglevel@1.9.1/node_modules/loglevel/lib/loglevel.js","../../../node_modules/.pnpm/oauth4webapi@2.11.1/node_modules/oauth4webapi/build/index.js","../src/lib/authentication/components/CallbackHandler.tsx","../src/lib/authentication/errors.ts","../src/lib/authentication/providers/openid.tsx"],"sourcesContent":["/*\n* loglevel - https://github.com/pimterry/loglevel\n*\n* Copyright (c) 2013 Tim Perry\n* Licensed under the MIT license.\n*/\n(function (root, definition) {\n \"use strict\";\n if (typeof define === 'function' && define.amd) {\n define(definition);\n } else if (typeof module === 'object' && module.exports) {\n module.exports = definition();\n } else {\n root.log = definition();\n }\n}(this, function () {\n \"use strict\";\n\n // Slightly dubious tricks to cut down minimized file size\n var noop = function() {};\n var undefinedType = \"undefined\";\n var isIE = (typeof window !== undefinedType) && (typeof window.navigator !== undefinedType) && (\n /Trident\\/|MSIE /.test(window.navigator.userAgent)\n );\n\n var logMethods = [\n \"trace\",\n \"debug\",\n \"info\",\n \"warn\",\n \"error\"\n ];\n\n var _loggersByName = {};\n var defaultLogger = null;\n\n // Cross-browser bind equivalent that works at least back to IE6\n function bindMethod(obj, methodName) {\n var method = obj[methodName];\n if (typeof method.bind === 'function') {\n return method.bind(obj);\n } else {\n try {\n return Function.prototype.bind.call(method, obj);\n } catch (e) {\n // Missing bind shim or IE8 + Modernizr, fallback to wrapping\n return function() {\n return Function.prototype.apply.apply(method, [obj, arguments]);\n };\n }\n }\n }\n\n // Trace() doesn't print the message in IE, so for that case we need to wrap it\n function traceForIE() {\n if (console.log) {\n if (console.log.apply) {\n console.log.apply(console, arguments);\n } else {\n // In old IE, native console methods themselves don't have apply().\n Function.prototype.apply.apply(console.log, [console, arguments]);\n }\n }\n if (console.trace) console.trace();\n }\n\n // Build the best logging method possible for this env\n // Wherever possible we want to bind, not wrap, to preserve stack traces\n function realMethod(methodName) {\n if (methodName === 'debug') {\n methodName = 'log';\n }\n\n if (typeof console === undefinedType) {\n return false; // No method possible, for now - fixed later by enableLoggingWhenConsoleArrives\n } else if (methodName === 'trace' && isIE) {\n return traceForIE;\n } else if (console[methodName] !== undefined) {\n return bindMethod(console, methodName);\n } else if (console.log !== undefined) {\n return bindMethod(console, 'log');\n } else {\n return noop;\n }\n }\n\n // These private functions always need `this` to be set properly\n\n function replaceLoggingMethods() {\n /*jshint validthis:true */\n var level = this.getLevel();\n\n // Replace the actual methods.\n for (var i = 0; i < logMethods.length; i++) {\n var methodName = logMethods[i];\n this[methodName] = (i < level) ?\n noop :\n this.methodFactory(methodName, level, this.name);\n }\n\n // Define log.log as an alias for log.debug\n this.log = this.debug;\n\n // Return any important warnings.\n if (typeof console === undefinedType && level < this.levels.SILENT) {\n return \"No console available for logging\";\n }\n }\n\n // In old IE versions, the console isn't present until you first open it.\n // We build realMethod() replacements here that regenerate logging methods\n function enableLoggingWhenConsoleArrives(methodName) {\n return function () {\n if (typeof console !== undefinedType) {\n replaceLoggingMethods.call(this);\n this[methodName].apply(this, arguments);\n }\n };\n }\n\n // By default, we use closely bound real methods wherever possible, and\n // otherwise we wait for a console to appear, and then try again.\n function defaultMethodFactory(methodName, _level, _loggerName) {\n /*jshint validthis:true */\n return realMethod(methodName) ||\n enableLoggingWhenConsoleArrives.apply(this, arguments);\n }\n\n function Logger(name, factory) {\n // Private instance variables.\n var self = this;\n /**\n * The level inherited from a parent logger (or a global default). We\n * cache this here rather than delegating to the parent so that it stays\n * in sync with the actual logging methods that we have installed (the\n * parent could change levels but we might not have rebuilt the loggers\n * in this child yet).\n * @type {number}\n */\n var inheritedLevel;\n /**\n * The default level for this logger, if any. If set, this overrides\n * `inheritedLevel`.\n * @type {number|null}\n */\n var defaultLevel;\n /**\n * A user-specific level for this logger. If set, this overrides\n * `defaultLevel`.\n * @type {number|null}\n */\n var userLevel;\n\n var storageKey = \"loglevel\";\n if (typeof name === \"string\") {\n storageKey += \":\" + name;\n } else if (typeof name === \"symbol\") {\n storageKey = undefined;\n }\n\n function persistLevelIfPossible(levelNum) {\n var levelName = (logMethods[levelNum] || 'silent').toUpperCase();\n\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage[storageKey] = levelName;\n return;\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=\" + levelName + \";\";\n } catch (ignore) {}\n }\n\n function getPersistedLevel() {\n var storedLevel;\n\n if (typeof window === undefinedType || !storageKey) return;\n\n try {\n storedLevel = window.localStorage[storageKey];\n } catch (ignore) {}\n\n // Fallback to cookies if local storage gives us nothing\n if (typeof storedLevel === undefinedType) {\n try {\n var cookie = window.document.cookie;\n var cookieName = encodeURIComponent(storageKey);\n var location = cookie.indexOf(cookieName + \"=\");\n if (location !== -1) {\n storedLevel = /^([^;]+)/.exec(\n cookie.slice(location + cookieName.length + 1)\n )[1];\n }\n } catch (ignore) {}\n }\n\n // If the stored level is not valid, treat it as if nothing was stored.\n if (self.levels[storedLevel] === undefined) {\n storedLevel = undefined;\n }\n\n return storedLevel;\n }\n\n function clearPersistedLevel() {\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage.removeItem(storageKey);\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=; expires=Thu, 01 Jan 1970 00:00:00 UTC\";\n } catch (ignore) {}\n }\n\n function normalizeLevel(input) {\n var level = input;\n if (typeof level === \"string\" && self.levels[level.toUpperCase()] !== undefined) {\n level = self.levels[level.toUpperCase()];\n }\n if (typeof level === \"number\" && level >= 0 && level <= self.levels.SILENT) {\n return level;\n } else {\n throw new TypeError(\"log.setLevel() called with invalid level: \" + input);\n }\n }\n\n /*\n *\n * Public logger API - see https://github.com/pimterry/loglevel for details\n *\n */\n\n self.name = name;\n\n self.levels = { \"TRACE\": 0, \"DEBUG\": 1, \"INFO\": 2, \"WARN\": 3,\n \"ERROR\": 4, \"SILENT\": 5};\n\n self.methodFactory = factory || defaultMethodFactory;\n\n self.getLevel = function () {\n if (userLevel != null) {\n return userLevel;\n } else if (defaultLevel != null) {\n return defaultLevel;\n } else {\n return inheritedLevel;\n }\n };\n\n self.setLevel = function (level, persist) {\n userLevel = normalizeLevel(level);\n if (persist !== false) { // defaults to true\n persistLevelIfPossible(userLevel);\n }\n\n // NOTE: in v2, this should call rebuild(), which updates children.\n return replaceLoggingMethods.call(self);\n };\n\n self.setDefaultLevel = function (level) {\n defaultLevel = normalizeLevel(level);\n if (!getPersistedLevel()) {\n self.setLevel(level, false);\n }\n };\n\n self.resetLevel = function () {\n userLevel = null;\n clearPersistedLevel();\n replaceLoggingMethods.call(self);\n };\n\n self.enableAll = function(persist) {\n self.setLevel(self.levels.TRACE, persist);\n };\n\n self.disableAll = function(persist) {\n self.setLevel(self.levels.SILENT, persist);\n };\n\n self.rebuild = function () {\n if (defaultLogger !== self) {\n inheritedLevel = normalizeLevel(defaultLogger.getLevel());\n }\n replaceLoggingMethods.call(self);\n\n if (defaultLogger === self) {\n for (var childName in _loggersByName) {\n _loggersByName[childName].rebuild();\n }\n }\n };\n\n // Initialize all the internal levels.\n inheritedLevel = normalizeLevel(\n defaultLogger ? defaultLogger.getLevel() : \"WARN\"\n );\n var initialLevel = getPersistedLevel();\n if (initialLevel != null) {\n userLevel = normalizeLevel(initialLevel);\n }\n replaceLoggingMethods.call(self);\n }\n\n /*\n *\n * Top-level API\n *\n */\n\n defaultLogger = new Logger();\n\n defaultLogger.getLogger = function getLogger(name) {\n if ((typeof name !== \"symbol\" && typeof name !== \"string\") || name === \"\") {\n throw new TypeError(\"You must supply a name when creating a logger.\");\n }\n\n var logger = _loggersByName[name];\n if (!logger) {\n logger = _loggersByName[name] = new Logger(\n name,\n defaultLogger.methodFactory\n );\n }\n return logger;\n };\n\n // Grab the current global log variable in case of overwrite\n var _log = (typeof window !== undefinedType) ? window.log : undefined;\n defaultLogger.noConflict = function() {\n if (typeof window !== undefinedType &&\n window.log === defaultLogger) {\n window.log = _log;\n }\n\n return defaultLogger;\n };\n\n defaultLogger.getLoggers = function getLoggers() {\n return _loggersByName;\n };\n\n // ES6 default export, for compatibility\n defaultLogger['default'] = defaultLogger;\n\n return defaultLogger;\n}));\n","let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v2.11.1';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const experimental_jwksCache = Symbol();\nexport const useMtlsAlias = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nconst CHUNK_SIZE = 0x8000;\nfunction encodeBase64Url(input) {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\nfunction decodeBase64Url(input) {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw new OPE('The input to be decoded is not correctly encoded.', { cause });\n }\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nclass LRU {\n constructor(maxSize) {\n this.cache = new Map();\n this._cache = new Map();\n this.maxSize = maxSize;\n }\n get(key) {\n let v = this.cache.get(key);\n if (v) {\n return v;\n }\n if ((v = this._cache.get(key))) {\n this.update(key, v);\n return v;\n }\n return undefined;\n }\n has(key) {\n return this.cache.has(key) || this._cache.has(key);\n }\n set(key, value) {\n if (this.cache.has(key)) {\n this.cache.set(key, value);\n }\n else {\n this.update(key, value);\n }\n return this;\n }\n delete(key) {\n if (this.cache.has(key)) {\n return this.cache.delete(key);\n }\n if (this._cache.has(key)) {\n return this._cache.delete(key);\n }\n return false;\n }\n update(key, value) {\n this.cache.set(key, value);\n if (this.cache.size >= this.maxSize) {\n this._cache = this.cache;\n this.cache = new Map();\n }\n }\n}\nexport class UnsupportedOperationError extends Error {\n constructor(message) {\n super(message ?? 'operation not supported');\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst OPE = OperationProcessingError;\nconst dpopNonces = new LRU(100);\nfunction isCryptoKey(key) {\n return key instanceof CryptoKey;\n}\nfunction isPrivateKey(key) {\n return isCryptoKey(key) && key.type === 'private';\n}\nfunction isPublicKey(key) {\n return isCryptoKey(key) && key.type === 'public';\n}\nconst SUPPORTED_JWS_ALGS = [\n 'PS256',\n 'ES256',\n 'RS256',\n 'PS384',\n 'ES384',\n 'RS384',\n 'PS512',\n 'ES512',\n 'RS512',\n 'EdDSA',\n];\nfunction processDpopNonce(response) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n dpopNonces.set(new URL(response.url).origin, nonce);\n }\n }\n catch { }\n return response;\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = Object.fromEntries(input.entries());\n }\n const headers = new Headers(input);\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw new TypeError('\"options.headers\" must not include the \"authorization\" header name');\n }\n if (headers.has('dpop')) {\n throw new TypeError('\"options.headers\" must not include the \"dpop\" header name');\n }\n return headers;\n}\nfunction signal(value) {\n if (typeof value === 'function') {\n value = value();\n }\n if (!(value instanceof AbortSignal)) {\n throw new TypeError('\"options.signal\" must return or be an instance of AbortSignal');\n }\n return value;\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n if (!(issuerIdentifier instanceof URL)) {\n throw new TypeError('\"issuerIdentifier\" must be an instance of URL');\n }\n if (issuerIdentifier.protocol !== 'https:' && issuerIdentifier.protocol !== 'http:') {\n throw new TypeError('\"issuer.protocol\" must be \"https:\" or \"http:\"');\n }\n const url = new URL(issuerIdentifier.href);\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace('//', '/');\n break;\n case 'oauth2':\n if (url.pathname === '/') {\n url.pathname = '.well-known/oauth-authorization-server';\n }\n else {\n url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/');\n }\n break;\n default:\n throw new TypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"');\n }\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nfunction validateString(input) {\n return typeof input === 'string' && input.length !== 0;\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n if (!(expectedIssuerIdentifier instanceof URL)) {\n throw new TypeError('\"expectedIssuer\" must be an instance of URL');\n }\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform Authorization Server Metadata response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.issuer)) {\n throw new OPE('\"response\" body \"issuer\" property must be a non-empty string');\n }\n if (new URL(json.issuer).href !== expectedIssuerIdentifier.href) {\n throw new OPE('\"response\" body \"issuer\" does not match \"expectedIssuer\"');\n }\n return json;\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined && !validateString(input.kid)) {\n throw new TypeError('\"kid\" must be a non-empty string');\n }\n return { key: input.key, kid: input.kid };\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/%20/g, '+');\n}\nfunction clientSecretBasic(clientId, clientSecret) {\n const username = formUrlEncode(clientId);\n const password = formUrlEncode(clientSecret);\n const credentials = btoa(`${username}:${password}`);\n return `Basic ${credentials}`;\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve');\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n case 'Ed25519':\n case 'Ed448':\n return 'EdDSA';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name');\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction clientAssertion(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: [as.issuer, as.token_endpoint],\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nasync function privateKeyJwt(as, client, key, kid) {\n return jwt({\n alg: keyToJws(key),\n kid,\n }, clientAssertion(as, client), key);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw new TypeError('\"as\" must be an object');\n }\n if (!validateString(as.issuer)) {\n throw new TypeError('\"as.issuer\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw new TypeError('\"client\" must be an object');\n }\n if (!validateString(client.client_id)) {\n throw new TypeError('\"client.client_id\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClientSecret(clientSecret) {\n if (!validateString(clientSecret)) {\n throw new TypeError('\"client.client_secret\" property must be a non-empty string');\n }\n return clientSecret;\n}\nfunction assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {\n if (clientPrivateKey !== undefined) {\n throw new TypeError(`\"options.clientPrivateKey\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nfunction assertNoClientSecret(clientAuthMethod, clientSecret) {\n if (clientSecret !== undefined) {\n throw new TypeError(`\"client.client_secret\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nasync function clientAuthentication(as, client, body, headers, clientPrivateKey) {\n body.delete('client_secret');\n body.delete('client_assertion_type');\n body.delete('client_assertion');\n switch (client.token_endpoint_auth_method) {\n case undefined:\n case 'client_secret_basic': {\n assertNoClientPrivateKey('client_secret_basic', clientPrivateKey);\n headers.set('authorization', clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));\n break;\n }\n case 'client_secret_post': {\n assertNoClientPrivateKey('client_secret_post', clientPrivateKey);\n body.set('client_id', client.client_id);\n body.set('client_secret', assertClientSecret(client.client_secret));\n break;\n }\n case 'private_key_jwt': {\n assertNoClientSecret('private_key_jwt', client.client_secret);\n if (clientPrivateKey === undefined) {\n throw new TypeError('\"options.clientPrivateKey\" must be provided when \"client.token_endpoint_auth_method\" is \"private_key_jwt\"');\n }\n const { key, kid } = getKeyAndKid(clientPrivateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"options.clientPrivateKey.key\" must be a private CryptoKey');\n }\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await privateKeyJwt(as, client, key, kid));\n break;\n }\n case 'tls_client_auth':\n case 'self_signed_tls_client_auth':\n case 'none': {\n assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);\n assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);\n body.set('client_id', client.client_id);\n break;\n }\n default:\n throw new UnsupportedOperationError('unsupported client token_endpoint_auth_method');\n }\n}\nasync function jwt(header, claimsSet, key) {\n if (!key.usages.includes('sign')) {\n throw new TypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"');\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return `${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid } = getKeyAndKid(privateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"privateKey.key\" must be a private CryptoKey');\n }\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n if (!Number.isFinite(claims.max_age)) {\n throw new OPE('\"max_age\" parameter must be a number');\n }\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"claims\" parameter as JSON', { cause });\n }\n if (!isJsonObject(claims.claims)) {\n throw new OPE('\"claims\" parameter must be a JSON with a top level object');\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"authorization_details\" parameter as JSON', { cause });\n }\n if (!Array.isArray(claims.authorization_details)) {\n throw new OPE('\"authorization_details\" parameter must be a JSON with a top level array');\n }\n }\n }\n return jwt({\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n }, claims, key);\n}\nasync function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken) {\n const { privateKey, publicKey, nonce = dpopNonces.get(url.origin) } = options;\n if (!isPrivateKey(privateKey)) {\n throw new TypeError('\"DPoP.privateKey\" must be a private CryptoKey');\n }\n if (!isPublicKey(publicKey)) {\n throw new TypeError('\"DPoP.publicKey\" must be a public CryptoKey');\n }\n if (nonce !== undefined && !validateString(nonce)) {\n throw new TypeError('\"DPoP.nonce\" must be a non-empty string or undefined');\n }\n if (!publicKey.extractable) {\n throw new TypeError('\"DPoP.publicKey.extractable\" must be true');\n }\n const now = epochTime() + clockSkew;\n const proof = await jwt({\n alg: keyToJws(privateKey),\n typ: 'dpop+jwt',\n jwk: await publicJwk(publicKey),\n }, {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,\n }, privateKey);\n headers.set('dpop', proof);\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key) {\n const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv };\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key) {\n jwkCache || (jwkCache = new WeakMap());\n return jwkCache.get(key) || getSetPublicJwkCache(key);\n}\nfunction validateEndpoint(value, endpoint, options) {\n if (typeof value !== 'string') {\n if (options?.[useMtlsAlias]) {\n throw new TypeError(`\"as.mtls_endpoint_aliases.${endpoint}\" must be a string`);\n }\n throw new TypeError(`\"as.${endpoint}\" must be a string`);\n }\n return new URL(value);\n}\nfunction resolveEndpoint(as, endpoint, options) {\n if (options?.[useMtlsAlias] && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, options);\n }\n return validateEndpoint(as[endpoint], endpoint);\n}\nexport async function pushedAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport function isOAuth2Error(input) {\n const value = input;\n if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n return false;\n }\n return value.error !== undefined;\n}\nfunction unquote(value) {\n if (value.length >= 2 && value[0] === '\"' && value[value.length - 1] === '\"') {\n return value.slice(1, -1);\n }\n return value;\n}\nconst SPLIT_REGEXP = /((?:,|, )?[0-9a-zA-Z!#$%&'*+-.^_`|~]+=)/;\nconst SCHEMES_REGEXP = /(?:^|, ?)([0-9a-zA-Z!#$%&'*+\\-.^_`|~]+)(?=$|[ ,])/g;\nfunction wwwAuth(scheme, params) {\n const arr = params.split(SPLIT_REGEXP).slice(1);\n if (!arr.length) {\n return { scheme: scheme.toLowerCase(), parameters: {} };\n }\n arr[arr.length - 1] = arr[arr.length - 1].replace(/,$/, '');\n const parameters = {};\n for (let i = 1; i < arr.length; i += 2) {\n const idx = i;\n if (arr[idx][0] === '\"') {\n while (arr[idx].slice(-1) !== '\"' && ++i < arr.length) {\n arr[idx] += arr[i];\n }\n }\n const key = arr[idx - 1].replace(/^(?:, ?)|=$/g, '').toLowerCase();\n parameters[key] = unquote(arr[idx]);\n }\n return {\n scheme: scheme.toLowerCase(),\n parameters,\n };\n}\nexport function parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const result = [];\n for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) {\n result.push([scheme, index]);\n }\n if (!result.length) {\n return undefined;\n }\n const challenges = result.map(([scheme, indexOf], i, others) => {\n const next = others[i + 1];\n let parameters;\n if (next) {\n parameters = header.slice(indexOf, next[1]);\n }\n else {\n parameters = header.slice(indexOf);\n }\n return wwwAuth(scheme, parameters);\n });\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 201) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Pushed Authorization Request Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.request_uri)) {\n throw new OPE('\"response\" body \"request_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n return json;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n if (!validateString(accessToken)) {\n throw new TypeError('\"accessToken\" must be a non-empty string');\n }\n if (!(url instanceof URL)) {\n throw new TypeError('\"url\" must be an instance of URL');\n }\n headers = prepareHeaders(headers);\n if (options?.DPoP === undefined) {\n headers.set('authorization', `Bearer ${accessToken}`);\n }\n else {\n await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);\n headers.set('authorization', `DPoP ${accessToken}`);\n }\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', options);\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return protectedResourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap || (jwksMap = new WeakMap());\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(alg);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[experimental_jwksCache])) {\n setJwksCache(as, options?.[experimental_jwksCache].jwks, options?.[experimental_jwksCache].uat);\n }\n let jwks;\n let age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[experimental_jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'EdDSA' && !(jwk.crv === 'Ed25519' || jwk.crv === 'Ed448'):\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw new OPE('error when selecting a JWT verification key, no applicable keys found');\n }\n if (length !== 1) {\n throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('jwks_uri must only contain public keys');\n }\n return key;\n}\nexport const skipSubjectCheck = Symbol();\nfunction getContentType(response) {\n return response.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform UserInfo Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as.issuer));\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw new OPE('JWT UserInfo Response expected');\n }\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.sub)) {\n throw new OPE('\"response\" body \"sub\" property must be a non-empty string');\n }\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n if (!validateString(expectedSubject)) {\n throw new OPE('\"expectedSubject\" must be a non-empty string');\n }\n if (json.sub !== expectedSubject) {\n throw new OPE('unexpected \"response\" body \"sub\" value');\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, method, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function tokenEndpointRequest(as, client, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', options);\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);\n}\nexport async function refreshTokenGrantRequest(as, client, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(refreshToken)) {\n throw new TypeError('\"refreshToken\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw new TypeError('\"ref\" was already garbage collected or did not resolve from the proper sources');\n }\n return claims;\n}\nasync function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Token Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.access_token)) {\n throw new OPE('\"response\" body \"access_token\" property must be a non-empty string');\n }\n if (!validateString(json.token_type)) {\n throw new OPE('\"response\" body \"token_type\" property must be a non-empty string');\n }\n json.token_type = json.token_type.toLowerCase();\n if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value');\n }\n if (json.expires_in !== undefined &&\n (typeof json.expires_in !== 'number' || json.expires_in <= 0)) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (!ignoreRefreshToken &&\n json.refresh_token !== undefined &&\n !validateString(json.refresh_token)) {\n throw new OPE('\"response\" body \"refresh_token\" property must be a non-empty string');\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw new OPE('\"response\" body \"scope\" property must be a string');\n }\n if (!ignoreIdToken) {\n if (json.id_token !== undefined && !validateString(json.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n if (json.id_token) {\n const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n idTokenClaims.set(json, claims);\n }\n }\n return json;\n}\nexport async function processRefreshTokenResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n }\n else if (result.claims.aud !== expected) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n return result;\n}\nfunction validateOptionalIssuer(expected, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(expected, result);\n }\n return result;\n}\nfunction validateIssuer(expected, result) {\n if (result.claims.iss !== expected) {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim value');\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw new TypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()');\n }\n if (!validateString(redirectUri)) {\n throw new TypeError('\"redirectUri\" must be a non-empty string');\n }\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw new OPE('no authorization code in \"callbackParameters\"');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code_verifier', codeVerifier);\n parameters.set('code', code);\n return tokenEndpointRequest(as, client, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw new OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`);\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge) {\n const result = await processGenericAccessTokenResponse(as, client, response);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!validateString(result.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n maxAge ?? (maxAge = client.default_max_age ?? skipAuthTimeCheck);\n const claims = getValidatedIdTokenClaims(result);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n switch (expectedNonce) {\n case undefined:\n case expectNoNonce:\n if (claims.nonce !== undefined) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n break;\n default:\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce === undefined) {\n throw new OPE('ID Token \"nonce\" claim missing');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n }\n return result;\n}\nexport async function processAuthorizationCodeOAuth2Response(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (result.id_token !== undefined) {\n if (typeof result.id_token === 'string' && result.id_token.length) {\n throw new OPE('Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing');\n }\n delete result.id_token;\n }\n return result;\n}\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw new OPE('unexpected JWT \"typ\" header parameter value');\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function processClientCredentialsResponse(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n return result;\n}\nexport async function revocationRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'revocation_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Revocation Endpoint response');\n }\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw new TypeError('\"response\" body has been used already');\n }\n}\nexport async function introspectionRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'introspection_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Introspection Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n json = claims.token_introspection;\n if (!isJsonObject(json)) {\n throw new OPE('JWT \"token_introspection\" claim must be a JSON object');\n }\n }\n else {\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n }\n if (typeof json.active !== 'boolean') {\n throw new OPE('\"response\" body \"active\" property must be a boolean');\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri');\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform JSON Web Key Set response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!Array.isArray(json.keys)) {\n throw new OPE('\"response\" body \"keys\" property must be an array');\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw new OPE('\"response\" body \"keys\" property members must be JWK formatted objects');\n }\n return json;\n}\nasync function handleOAuthBodyError(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n try {\n const json = await response.json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n if (json.error_description !== undefined && typeof json.error_description !== 'string') {\n delete json.error_description;\n }\n if (json.error_uri !== undefined && typeof json.error_uri !== 'string') {\n delete json.error_uri;\n }\n if (json.algs !== undefined && typeof json.algs !== 'string') {\n delete json.algs;\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n delete json.scope;\n }\n return json;\n }\n }\n catch { }\n }\n return undefined;\n}\nfunction checkSupportedJwsAlg(alg) {\n if (!SUPPORTED_JWS_ALGS.includes(alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier');\n }\n return alg;\n}\nfunction checkRsaKeyAlgorithm(algorithm) {\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);\n }\n}\nfunction ecdsaHashName(namedCurve) {\n switch (namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError();\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key.algorithm.namedCurve),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key.algorithm);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError();\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key.algorithm);\n return key.algorithm.name;\n case 'Ed448':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError();\n}\nconst noSignatureCheck = Symbol();\nasync function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {\n const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');\n if (length === 5) {\n throw new UnsupportedOperationError('JWE structure JWTs are not supported');\n }\n if (length !== 3) {\n throw new OPE('Invalid JWT');\n }\n let header;\n try {\n header = JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(header)) {\n throw new OPE('JWT Header must be a top level object');\n }\n checkAlg(header);\n if (header.crit !== undefined) {\n throw new OPE('unexpected JWT \"crit\" header parameter');\n }\n const signature = b64u(encodedSignature);\n let key;\n if (getKey !== noSignatureCheck) {\n key = await getKey(header);\n const input = `${protectedHeader}.${payload}`;\n const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));\n if (!verified) {\n throw new OPE('JWT signature verification failed');\n }\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(claims)) {\n throw new OPE('JWT Payload must be a top level object');\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim type');\n }\n if (claims.exp <= now - clockTolerance) {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()');\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim type');\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim type');\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim type');\n }\n if (claims.nbf > now + clockTolerance) {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()');\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim type');\n }\n }\n return { header, claims, signature, key };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw new OPE('\"parameters\" does not contain a JARM response');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(alg, data, key) {\n let algorithm;\n switch (alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'ES512':\n algorithm = 'SHA-512';\n break;\n case 'EdDSA':\n if (key.algorithm.name === 'Ed25519') {\n algorithm = 'SHA-512';\n break;\n }\n throw new UnsupportedOperationError();\n default:\n throw new UnsupportedOperationError();\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, alg, key) {\n const expected = await idTokenHash(alg, data, key);\n return actual === expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw new TypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters');\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams');\n }\n parameters = new URLSearchParams(parameters);\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new TypeError('\"expectedState\" must be a non-empty string');\n }\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!id_token) {\n throw new OPE('\"parameters\" does not contain an ID Token');\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw new OPE('\"parameters\" does not contain an Authorization Code');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n if (typeof expectedState === 'string') {\n requiredClaims.push('s_hash');\n }\n const { claims, header, key } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past');\n }\n if (typeof claims.c_hash !== 'string' ||\n (await idTokenHashMatches(code, claims.c_hash, header.alg, key)) !== true) {\n throw new OPE('invalid ID Token \"c_hash\" (code hash) claim value');\n }\n if (claims.s_hash !== undefined && typeof expectedState !== 'string') {\n throw new OPE('could not verify ID Token \"s_hash\" (state hash) claim value');\n }\n if (typeof expectedState === 'string' &&\n (typeof claims.s_hash !== 'string' ||\n (await idTokenHashMatches(expectedState, claims.s_hash, header.alg, key)) !== true)) {\n throw new OPE('invalid ID Token \"s_hash\" (state hash) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n maxAge ?? (maxAge = client.default_max_age ?? skipAuthTimeCheck);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, header) {\n if (client !== undefined) {\n if (header.alg !== client) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (header.alg !== 'RS256') {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw new OPE(`\"${name}\" parameter must be provided only once`);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw new OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw new OPE('response parameter \"iss\" (issuer) missing');\n }\n if (iss && iss !== as.issuer) {\n throw new OPE('unexpected \"iss\" (issuer) response parameter value');\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw new OPE('unexpected \"state\" response parameter encountered');\n }\n break;\n case skipStateCheck:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new OPE('\"expectedState\" must be a non-empty string');\n }\n if (state === undefined) {\n throw new OPE('response parameter \"state\" missing');\n }\n if (state !== expectedState) {\n throw new OPE('unexpected \"state\" response parameter value');\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n return {\n error,\n error_description: getURLSearchParameter(parameters, 'error_description'),\n error_uri: getURLSearchParameter(parameters, 'error_uri'),\n };\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg, crv) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA': {\n switch (crv) {\n case 'Ed25519':\n case 'Ed448':\n return crv;\n default:\n throw new UnsupportedOperationError();\n }\n }\n default:\n throw new UnsupportedOperationError();\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg, jwk.crv), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Device Authorization Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.device_code)) {\n throw new OPE('\"response\" body \"device_code\" property must be a non-empty string');\n }\n if (!validateString(json.user_code)) {\n throw new OPE('\"response\" body \"user_code\" property must be a non-empty string');\n }\n if (!validateString(json.verification_uri)) {\n throw new OPE('\"response\" body \"verification_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (json.verification_uri_complete !== undefined &&\n !validateString(json.verification_uri_complete)) {\n throw new OPE('\"response\" body \"verification_uri_complete\" property must be a non-empty string');\n }\n if (json.interval !== undefined && (typeof json.interval !== 'number' || json.interval <= 0)) {\n throw new OPE('\"response\" body \"interval\" property must be a positive number');\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(deviceCode)) {\n throw new TypeError('\"deviceCode\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nexport async function generateKeyPair(alg, options) {\n if (!validateString(alg)) {\n throw new TypeError('\"alg\" must be a non-empty string');\n }\n const algorithm = algToSubtle(alg, alg === 'EdDSA' ? options?.crv ?? 'Ed25519' : undefined);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return (crypto.subtle.generateKey(algorithm, options?.extractable ?? false, ['sign', 'verify']));\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(as, request, accessToken, accessTokenClaims, options) {\n const header = request.headers.get('dpop');\n if (header === null) {\n throw new OPE('operation indicated DPoP use but the request has no DPoP HTTP Header');\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw new OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`);\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(header, checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {\n if (!jwk) {\n throw new OPE('DPoP Proof is missing the jwk header parameter');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('DPoP Proof jwk header parameter must contain a public key');\n }\n return key;\n }, clockSkew, getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw new OPE('DPoP Proof iat is not recent enough');\n }\n if (proof.claims.htm !== request.method) {\n throw new OPE('DPoP Proof htm mismatch');\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw new OPE('DPoP Proof htu mismatch');\n }\n {\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(accessToken)));\n if (proof.claims.ath !== expected) {\n throw new OPE('DPoP Proof ath mismatch');\n }\n }\n {\n let components;\n switch (proof.header.jwk.kty) {\n case 'EC':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n y: proof.header.jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n };\n break;\n case 'RSA':\n components = {\n e: proof.header.jwk.e,\n kty: proof.header.jwk.kty,\n n: proof.header.jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(JSON.stringify(components))));\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw new OPE('JWT Access Token confirmation mismatch');\n }\n }\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw new TypeError('\"request\" must be an instance of Request');\n }\n if (!validateString(expectedAudience)) {\n throw new OPE('\"expectedAudience\" must be a non-empty string');\n }\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw new OPE('\"request\" is missing an Authorization HTTP Header');\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme');\n }\n if (length !== 2) {\n throw new OPE('invalid Authorization HTTP Header format');\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, undefined, SUPPORTED_JWS_ALGS), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(options), getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, expectedAudience));\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw new OPE(`unexpected JWT \"${claim}\" claim type`);\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw new OPE('unexpected JWT \"cnf\" (confirmation) claim value');\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported');\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method');\n }\n }\n }\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(as, request, accessToken, claims, options);\n }\n return claims;\n}\nexport const experimentalCustomFetch = customFetch;\nexport const experimental_customFetch = customFetch;\nexport const experimentalUseMtlsAlias = useMtlsAlias;\nexport const experimental_useMtlsAlias = useMtlsAlias;\nexport const experimental_validateDetachedSignatureResponse = validateDetachedSignatureResponse;\nexport const experimental_validateJwtAccessToken = validateJwtAccessToken;\n","import logger from \"loglevel\";\nimport { useEffect, useRef, useState } from \"react\";\nimport { useNavigate } from \"react-router-dom\";\nimport { DeveloperHint } from \"../../components/DeveloperHint.js\";\nimport { ErrorPage } from \"../../components/ErrorPage.js\";\nimport { Spinner } from \"../../components/Spinner.js\";\nimport { SyntaxHighlight } from \"../../components/SyntaxHighlight.js\";\n\nexport function CallbackHandler({\n handleCallback,\n}: {\n handleCallback: () => Promise<string>;\n}) {\n const [error, setError] = useState<Error | null>(null);\n const navigate = useNavigate();\n // Deal with double mount in dev mode which will break\n // the OAuth flow because you can only use the code once\n const didInitialize = useRef(false);\n\n useEffect(() => {\n if (didInitialize.current) {\n return;\n }\n didInitialize.current = true;\n handleCallback()\n .then((redirect) => {\n navigate(redirect);\n })\n .catch((err) => {\n logger.error(err);\n setError(err);\n });\n }, [navigate, handleCallback]);\n\n if (error) {\n return (\n <ErrorPage\n category=\"Error\"\n title=\"Authentication Error\"\n message={\n <>\n <DeveloperHint className=\"mb-4\">\n Check the configuration of your authorization provider and ensure\n all settings such as the callback URL are configured correctly.\n </DeveloperHint>\n An error occurred while authorizing the user.\n <SyntaxHighlight code={error.toString()} language=\"plain\" />\n </>\n }\n />\n );\n }\n\n return (\n <div className=\"grid h-full place-items-center\">\n <Spinner />\n </div>\n );\n}\n","export class AuthorizationError extends Error {}\n\ninterface OAuthError {\n readonly error: string;\n readonly error_description?: string;\n readonly error_uri?: string;\n readonly algs?: string;\n readonly scope?: string;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n readonly [parameter: string]: any | undefined;\n}\n\nexport class OAuthAuthorizationError extends AuthorizationError {\n constructor(\n message: string,\n public error: OAuthError,\n options?: ErrorOptions,\n ) {\n super(message, options);\n }\n}\n","import logger from \"loglevel\";\nimport * as oauth from \"oauth4webapi\";\nimport { OpenIDAuthenticationConfig } from \"../../../config/config.js\";\nimport {\n AuthenticationProvider,\n AuthenticationProviderInitializer,\n} from \"../authentication.js\";\nimport { AuthenticationPlugin } from \"../AuthenticationPlugin.js\";\nimport { CallbackHandler } from \"../components/CallbackHandler.js\";\nimport { AuthorizationError, OAuthAuthorizationError } from \"../errors.js\";\nimport { useAuthState, UserProfile } from \"../state.js\";\n\nconst CODE_VERIFIER_KEY = \"code-verifier\";\n\ninterface TokenState {\n accessToken: string;\n refreshToken?: string;\n expiresOn: Date;\n tokenType: string;\n}\n\nclass OpenIdAuthPlugin extends AuthenticationPlugin {\n constructor(\n private callbackUrlPath: string,\n private handleCallback: () => Promise<string>,\n ) {\n super();\n }\n getRoutes() {\n return [\n ...super.getRoutes(),\n {\n path: this.callbackUrlPath,\n element: <CallbackHandler handleCallback={this.handleCallback} />,\n },\n ];\n }\n}\n\nexport class OpenIDAuthenticationProvider implements AuthenticationProvider {\n protected client: oauth.Client;\n protected issuer: string;\n\n protected authorizationServer: oauth.AuthorizationServer | undefined;\n\n protected callbackUrlPath = \"/oauth/callback\";\n protected logoutRedirectUrlPath = \"/\";\n protected onAuthorizationUrl?: (\n authorizationUrl: URL,\n options: { isSignIn: boolean; isSignUp: boolean },\n ) => void;\n private readonly redirectToAfterSignUp: string;\n private readonly redirectToAfterSignIn: string;\n private readonly redirectToAfterSignOut: string;\n private readonly audience?: string;\n\n constructor({\n issuer,\n audience,\n clientId,\n redirectToAfterSignUp,\n redirectToAfterSignIn,\n redirectToAfterSignOut,\n }: OpenIDAuthenticationConfig) {\n this.client = {\n client_id: clientId,\n token_endpoint_auth_method: \"none\",\n };\n this.audience = audience;\n this.issuer = issuer;\n this.redirectToAfterSignUp = redirectToAfterSignUp ?? \"/\";\n this.redirectToAfterSignIn = redirectToAfterSignIn ?? \"/\";\n this.redirectToAfterSignOut = redirectToAfterSignOut ?? \"/\";\n }\n\n protected async getAuthServer() {\n if (!this.authorizationServer) {\n const issuerUrl = new URL(this.issuer);\n const response = await oauth.discoveryRequest(issuerUrl);\n this.authorizationServer = await oauth.processDiscoveryResponse(\n issuerUrl,\n response,\n );\n }\n return this.authorizationServer;\n }\n\n /**\n * Sets the tokens from various OAuth responses\n * @param response\n */\n protected setTokensFromResponse(\n response: oauth.TokenEndpointResponse | oauth.OAuth2Error,\n ) {\n if (oauth.isOAuth2Error(response)) {\n logger.error(\"Bad Token Response\", response);\n throw new OAuthAuthorizationError(\"Bad Token Response\", response);\n }\n\n if (!response.expires_in) {\n throw new AuthorizationError(\"No expires_in in response\");\n }\n\n const tokens: TokenState = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n expiresOn: new Date(Date.now() + response.expires_in * 1000),\n tokenType: response.token_type,\n };\n sessionStorage.setItem(\"token-state\", JSON.stringify(tokens));\n }\n\n async signUp({ redirectTo }: { redirectTo?: string } = {}) {\n return this.authorize({\n redirectTo: redirectTo ?? this.redirectToAfterSignUp,\n isSignUp: true,\n });\n }\n\n async signIn({ redirectTo }: { redirectTo?: string } = {}) {\n return this.authorize({\n redirectTo: redirectTo ?? this.redirectToAfterSignIn,\n });\n }\n\n private async authorize({\n redirectTo,\n isSignUp = false,\n }: {\n redirectTo: string;\n isSignUp?: boolean;\n }): Promise<void> {\n const code_challenge_method = \"S256\";\n const authorizationServer = await this.getAuthServer();\n\n if (!authorizationServer.authorization_endpoint) {\n throw new AuthorizationError(\"No authorization endpoint\");\n }\n\n /**\n * The following MUST be generated for every redirect to the authorization_endpoint. You must store\n * the codeVerifier and nonce in the end-user session such that it can be recovered as the user\n * gets redirected from the authorization server back to your application.\n */\n const codeVerifier = oauth.generateRandomCodeVerifier();\n const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);\n\n sessionStorage.setItem(CODE_VERIFIER_KEY, codeVerifier);\n\n // redirect user to as.authorization_endpoint\n const authorizationUrl = new URL(\n authorizationServer.authorization_endpoint,\n );\n\n sessionStorage.setItem(\"redirect-to\", redirectTo);\n\n const redirectUrl = new URL(window.location.origin);\n redirectUrl.pathname = this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n authorizationUrl.searchParams.set(\"client_id\", this.client.client_id);\n authorizationUrl.searchParams.set(\"redirect_uri\", redirectUrl.toString());\n authorizationUrl.searchParams.set(\"response_type\", \"code\");\n authorizationUrl.searchParams.set(\"scope\", \"openid profile email\");\n authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n authorizationUrl.searchParams.set(\n \"code_challenge_method\",\n code_challenge_method,\n );\n if (this.audience) {\n authorizationUrl.searchParams.set(\"audience\", this.audience);\n }\n\n this.onAuthorizationUrl?.(authorizationUrl, {\n isSignIn: !isSignUp,\n isSignUp,\n });\n\n /**\n * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is\n * backwards compatible even if the AS doesn't support it which is why we're using it regardless.\n */\n if (\n authorizationServer.code_challenge_methods_supported?.includes(\"S256\") !==\n true\n ) {\n const state = oauth.generateRandomState();\n authorizationUrl.searchParams.set(\"state\", state);\n }\n\n // now redirect the user to authorizationUrl.href\n location.href = authorizationUrl.href;\n }\n\n async getAccessToken(): Promise<string> {\n const as = await this.getAuthServer();\n const tokenState = sessionStorage.getItem(\"token-state\");\n if (!tokenState) {\n throw new AuthorizationError(\"User is not authenticated\");\n }\n\n const state = JSON.parse(tokenState) as TokenState;\n if (state.expiresOn < new Date()) {\n if (!state.refreshToken) {\n await this.signIn();\n return \"\";\n }\n\n const request = await oauth.refreshTokenGrantRequest(\n as,\n this.client,\n state.refreshToken,\n );\n const response = await oauth.processRefreshTokenResponse(\n as,\n this.client,\n request,\n );\n\n if (!response.access_token) {\n throw new AuthorizationError(\"No access token in response\");\n }\n\n this.setTokensFromResponse(response);\n\n return response.access_token.toString();\n } else {\n return state.accessToken;\n }\n }\n\n signOut = async () => {\n useAuthState.setState({\n isAuthenticated: false,\n isPending: false,\n profile: undefined,\n });\n sessionStorage.clear();\n\n const as = await this.getAuthServer();\n\n const redirectUrl = new URL(\n window.location.origin + this.redirectToAfterSignOut,\n );\n redirectUrl.pathname = this.logoutRedirectUrlPath;\n\n let logoutUrl: URL;\n // The endSessionEndpoint is set, the IdP supports some form of logout,\n // so we use the IdP logout. Otherwise, just redirect the user to home\n if (as.end_session_endpoint) {\n logoutUrl = new URL(as.end_session_endpoint);\n // TODO: get id_token and set hint\n // const { id_token } = session;\n // if (id_token) {\n // logoutUrl.searchParams.set(\"id_token_hint\", id_token);\n // }\n logoutUrl.searchParams.set(\n \"post_logout_redirect_uri\",\n redirectUrl.toString(),\n );\n } else {\n logoutUrl = redirectUrl;\n }\n };\n\n handleCallback = async () => {\n const url = new URL(window.location.href);\n const state = url.searchParams.get(\"state\");\n\n // one eternity later, the user lands back on the redirect_uri\n // Authorization Code Grant Request & Response\n const codeVerifier = sessionStorage.getItem(CODE_VERIFIER_KEY);\n sessionStorage.removeItem(CODE_VERIFIER_KEY);\n if (!codeVerifier) {\n throw new AuthorizationError(\"No code verifier found in state.\");\n }\n\n const authServer = await this.getAuthServer();\n\n const params = oauth.validateAuthResponse(\n authServer,\n this.client,\n url.searchParams,\n state ?? undefined,\n );\n if (oauth.isOAuth2Error(params)) {\n logger.error(\"Error validating OAuth response\", params);\n throw new OAuthAuthorizationError(\n \"Error validating OAuth response\",\n params,\n );\n }\n\n const redirectUrl = new URL(url);\n redirectUrl.pathname = this.redirectToAfterSignIn;\n redirectUrl.search = \"\";\n\n const response = await oauth.authorizationCodeGrantRequest(\n authServer,\n this.client,\n params,\n redirectUrl.toString(),\n codeVerifier,\n );\n\n // TODO: do we need to do these\n // const challenges = oauth.parseWwwAuthenticateChallenges(response);\n // if (challenges) {\n // for (const challenge of challenges) {\n // console.error(\"WWW-Authenticate Challenge\", challenge);\n // }\n // throw new Error(); // Handle WWW-Authenticate Challenges as needed\n // }\n const oauthResult = await oauth.processAuthorizationCodeOpenIDResponse(\n authServer,\n this.client,\n response,\n );\n\n this.setTokensFromResponse(oauthResult);\n\n const accessToken = await this.getAccessToken();\n\n const userInfoResponse = await oauth.userInfoRequest(\n authServer,\n this.client,\n accessToken,\n );\n const userInfo = await userInfoResponse.json();\n\n const profile: UserProfile = {\n sub: userInfo.sub,\n email: userInfo.email,\n name: userInfo.name,\n emailVerified: userInfo.email_verified ?? false,\n pictureUrl: userInfo.picture,\n };\n\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n\n sessionStorage.setItem(\n \"profile-state\",\n JSON.stringify(useAuthState.getState().profile),\n );\n\n const redirectTo = sessionStorage.getItem(\"redirect-to\") ?? \"/\";\n sessionStorage.removeItem(\"redirect-to\");\n return redirectTo;\n };\n\n pageLoad(): void {\n const profileState = sessionStorage.getItem(\"profile-state\");\n if (profileState) {\n try {\n const profile = JSON.parse(profileState);\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n } catch (err) {\n logger.error(\"Error parsing auth state\", err);\n }\n }\n }\n\n getAuthenticationPlugin() {\n // TODO: This API is a bit messy, we need to refactor auth plugins/providers\n // to remove the extra layers of abstraction.\n return new OpenIdAuthPlugin(this.callbackUrlPath, this.handleCallback);\n }\n}\n\nconst openIDAuth: AuthenticationProviderInitializer<\n OpenIDAuthenticationConfig\n> = (options) => new OpenIDAuthenticationProvider(options);\n\nexport default openIDAuth;\n"],"names":["root","definition","module","this","noop","undefinedType","isIE","logMethods","_loggersByName","defaultLogger","bindMethod","obj","methodName","method","traceForIE","realMethod","replaceLoggingMethods","level","i","enableLoggingWhenConsoleArrives","defaultMethodFactory","_level","_loggerName","Logger","name","factory","self","inheritedLevel","defaultLevel","userLevel","storageKey","persistLevelIfPossible","levelNum","levelName","getPersistedLevel","storedLevel","cookie","cookieName","location","clearPersistedLevel","normalizeLevel","input","persist","childName","initialLevel","logger","_log","USER_AGENT","_b","_a","looseInstanceOf","expected","clockSkew","clockTolerance","customFetch","encoder","decoder","buf","CHUNK_SIZE","encodeBase64Url","arr","decodeBase64Url","binary","bytes","cause","OPE","b64u","LRU","maxSize","key","v","value","UnsupportedOperationError","message","OperationProcessingError","options","dpopNonces","isCryptoKey","isPrivateKey","isPublicKey","processDpopNonce","response","nonce","isJsonObject","prepareHeaders","headers","signal","discoveryRequest","issuerIdentifier","url","validateString","processDiscoveryResponse","expectedIssuerIdentifier","assertReadableResponse","json","randomBytes","generateRandomCodeVerifier","generateRandomState","calculatePKCECodeChallenge","codeVerifier","getKeyAndKid","formUrlEncode","token","clientSecretBasic","clientId","clientSecret","username","password","psAlg","rsAlg","esAlg","keyToJws","getClockSkew","client","skew","getClockTolerance","tolerance","epochTime","clientAssertion","as","now","privateKeyJwt","kid","jwt","assertAs","assertClient","assertClientSecret","assertNoClientPrivateKey","clientAuthMethod","clientPrivateKey","assertNoClientSecret","clientAuthentication","body","header","claimsSet","signature","keyToSubtle","dpopProofJwt","htm","accessToken","privateKey","publicKey","proof","publicJwk","jwkCache","getSetPublicJwkCache","kty","e","n","x","y","crv","jwk","validateEndpoint","endpoint","resolveEndpoint","isOAuth2Error","protectedResourceRequest","userInfoRequest","authenticatedRequest","tokenEndpointRequest","grantType","parameters","refreshTokenGrantRequest","refreshToken","idTokenClaims","getValidatedIdTokenClaims","ref","claims","processGenericAccessTokenResponse","ignoreIdToken","ignoreRefreshToken","err","handleOAuthBodyError","validateJwt","checkSigningAlgorithm","noSignatureCheck","validatePresence","validateIssuer","validateAudience","processRefreshTokenResponse","result","branded","brand","searchParams","authorizationCodeGrantRequest","callbackParameters","redirectUri","code","getURLSearchParameter","jwtClaimNames","required","claim","expectNoNonce","skipAuthTimeCheck","processAuthorizationCodeOpenIDResponse","expectedNonce","maxAge","checkRsaKeyAlgorithm","algorithm","ecdsaHashName","namedCurve","jws","checkAlg","getKey","protectedHeader","payload","encodedSignature","length","issuer","skipStateCheck","expectNoState","validateAuthResponse","expectedState","iss","state","error","id_token","CallbackHandler","handleCallback","setError","useState","navigate","useNavigate","didInitialize","useRef","useEffect","redirect","jsx","ErrorPage","jsxs","Fragment","DeveloperHint","SyntaxHighlight","Spinner","AuthorizationError","OAuthAuthorizationError","CODE_VERIFIER_KEY","OpenIdAuthPlugin","AuthenticationPlugin","callbackUrlPath","OpenIDAuthenticationProvider","audience","redirectToAfterSignUp","redirectToAfterSignIn","redirectToAfterSignOut","__publicField","useAuthState","redirectUrl","logoutUrl","authServer","params","oauth.validateAuthResponse","oauth.isOAuth2Error","oauth.authorizationCodeGrantRequest","oauthResult","oauth.processAuthorizationCodeOpenIDResponse","userInfo","oauth.userInfoRequest","profile","redirectTo","issuerUrl","oauth.discoveryRequest","oauth.processDiscoveryResponse","tokens","isSignUp","code_challenge_method","authorizationServer","oauth.generateRandomCodeVerifier","codeChallenge","oauth.calculatePKCECodeChallenge","authorizationUrl","oauth.generateRandomState","tokenState","request","oauth.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","profileState","openIDAuth"],"mappings":";;;;;;;;;;;;;;;AAMA,GAAC,SAAUA,GAAMC,GAAY;AAIlB,IAAkCC,EAAO,UAC5CA,EAAA,UAAiBD,MAEjBD,EAAK,MAAMC;EAElB,GAACE,IAAM,WAAY;AAIhB,QAAIC,IAAO,WAAW;AAAA,OAClBC,IAAgB,aAChBC,IAAQ,OAAO,WAAWD,KAAmB,OAAO,OAAO,cAAcA,KACzE,kBAAkB,KAAK,OAAO,UAAU,SAAS,GAGjDE,IAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACR,GAEQC,IAAiB,CAAA,GACjBC,IAAgB;AAGpB,aAASC,EAAWC,GAAKC,GAAY;AACjC,UAAIC,IAASF,EAAIC,CAAU;AAC3B,UAAI,OAAOC,EAAO,QAAS;AACvB,eAAOA,EAAO,KAAKF,CAAG;AAEtB,UAAI;AACA,eAAO,SAAS,UAAU,KAAK,KAAKE,GAAQF,CAAG;AAAA,MAClD,QAAW;AAER,eAAO,WAAW;AACd,iBAAO,SAAS,UAAU,MAAM,MAAME,GAAQ,CAACF,GAAK,SAAS,CAAC;AAAA,QAClF;AAAA,MACa;AAAA,IAER;AAGD,aAASG,IAAa;AAClB,MAAI,QAAQ,QACJ,QAAQ,IAAI,QACZ,QAAQ,IAAI,MAAM,SAAS,SAAS,IAGpC,SAAS,UAAU,MAAM,MAAM,QAAQ,KAAK,CAAC,SAAS,SAAS,CAAC,IAGpE,QAAQ,SAAO,QAAQ,MAAK;AAAA,IACnC;AAID,aAASC,EAAWH,GAAY;AAK5B,aAJIA,MAAe,YACfA,IAAa,QAGb,OAAO,YAAYP,IACZ,KACAO,MAAe,WAAWN,IAC1BQ,IACA,QAAQF,CAAU,MAAM,SACxBF,EAAW,SAASE,CAAU,IAC9B,QAAQ,QAAQ,SAChBF,EAAW,SAAS,KAAK,IAEzBN;AAAA,IAEd;AAID,aAASY,IAAwB;AAK7B,eAHIC,IAAQ,KAAK,YAGRC,IAAI,GAAGA,IAAIX,EAAW,QAAQW,KAAK;AACxC,YAAIN,IAAaL,EAAWW,CAAC;AAC7B,aAAKN,CAAU,IAAKM,IAAID,IACpBb,IACA,KAAK,cAAcQ,GAAYK,GAAO,KAAK,IAAI;AAAA,MACtD;AAMD,UAHA,KAAK,MAAM,KAAK,OAGZ,OAAO,YAAYZ,KAAiBY,IAAQ,KAAK,OAAO;AACxD,eAAO;AAAA,IAEd;AAID,aAASE,EAAgCP,GAAY;AACjD,aAAO,WAAY;AACf,QAAI,OAAO,YAAYP,MACnBW,EAAsB,KAAK,IAAI,GAC/B,KAAKJ,CAAU,EAAE,MAAM,MAAM,SAAS;AAAA,MAEtD;AAAA,IACK;AAID,aAASQ,EAAqBR,GAAYS,GAAQC,GAAa;AAE3D,aAAOP,EAAWH,CAAU,KACrBO,EAAgC,MAAM,MAAM,SAAS;AAAA,IAC/D;AAED,aAASI,EAAOC,GAAMC,GAAS;AAE7B,UAAIC,IAAO,MASPC,GAMAC,GAMAC,GAEAC,IAAa;AACjB,MAAI,OAAON,KAAS,WAClBM,KAAc,MAAMN,IACX,OAAOA,KAAS,aACzBM,IAAa;AAGf,eAASC,GAAuBC,GAAU;AACtC,YAAIC,KAAa1B,EAAWyB,CAAQ,KAAK,UAAU;AAEnD,YAAI,SAAO,WAAW3B,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAaA,CAAU,IAAIG;AAClC;AAAA,UACd,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBH,CAAU,IAAI,MAAMG,IAAY;AAAA,UACnE,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASC,KAAoB;AACzB,YAAIC;AAEJ,YAAI,SAAO,WAAW9B,KAAiB,CAACyB,IAExC;AAAA,cAAI;AACA,YAAAK,IAAc,OAAO,aAAaL,CAAU;AAAA,UAC1D,QAA2B;AAAA,UAAE;AAGnB,cAAI,OAAOK,MAAgB9B;AACvB,gBAAI;AACA,kBAAI+B,IAAS,OAAO,SAAS,QACzBC,IAAa,mBAAmBP,CAAU,GAC1CQ,KAAWF,EAAO,QAAQC,IAAa,GAAG;AAC9C,cAAIC,OAAa,OACbH,IAAc,WAAW;AAAA,gBACrBC,EAAO,MAAME,KAAWD,EAAW,SAAS,CAAC;AAAA,cAChD,EAAC,CAAC;AAAA,YAEzB,QAA+B;AAAA,YAAE;AAIvB,iBAAIX,EAAK,OAAOS,CAAW,MAAM,WAC7BA,IAAc,SAGXA;AAAA;AAAA,MACV;AAED,eAASI,KAAsB;AAC3B,YAAI,SAAO,WAAWlC,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAa,WAAWA,CAAU;AAAA,UACvD,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBA,CAAU,IAAI;AAAA,UACjD,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASU,EAAeC,GAAO;AAC3B,YAAIxB,IAAQwB;AAIZ,YAHI,OAAOxB,KAAU,YAAYS,EAAK,OAAOT,EAAM,aAAa,MAAM,WAClEA,IAAQS,EAAK,OAAOT,EAAM,YAAa,CAAA,IAEvC,OAAOA,KAAU,YAAYA,KAAS,KAAKA,KAASS,EAAK,OAAO;AAChE,iBAAOT;AAEP,cAAM,IAAI,UAAU,+CAA+CwB,CAAK;AAAA,MAE/E;AAQD,MAAAf,EAAK,OAAOF,GAEZE,EAAK,SAAS;AAAA,QAAE,OAAS;AAAA,QAAG,OAAS;AAAA,QAAG,MAAQ;AAAA,QAAG,MAAQ;AAAA,QACvD,OAAS;AAAA,QAAG,QAAU;AAAA,MAAC,GAE3BA,EAAK,gBAAgBD,KAAWL,GAEhCM,EAAK,WAAW,WAAY;AACxB,eAAIG,KAEOD,KAGFD;AAAA,MAEnB,GAEMD,EAAK,WAAW,SAAUT,GAAOyB,GAAS;AACtC,eAAAb,IAAYW,EAAevB,CAAK,GAC5ByB,MAAY,MACZX,GAAuBF,CAAS,GAI7Bb,EAAsB,KAAKU,CAAI;AAAA,MAChD,GAEMA,EAAK,kBAAkB,SAAUT,GAAO;AACpC,QAAAW,IAAeY,EAAevB,CAAK,GAC9BiB,GAAiB,KAClBR,EAAK,SAAST,GAAO,EAAK;AAAA,MAExC,GAEMS,EAAK,aAAa,WAAY;AAC1B,QAAAG,IAAY,MACZU,MACAvB,EAAsB,KAAKU,CAAI;AAAA,MACzC,GAEMA,EAAK,YAAY,SAASgB,GAAS;AAC/B,QAAAhB,EAAK,SAASA,EAAK,OAAO,OAAOgB,CAAO;AAAA,MAClD,GAEMhB,EAAK,aAAa,SAASgB,GAAS;AAChC,QAAAhB,EAAK,SAASA,EAAK,OAAO,QAAQgB,CAAO;AAAA,MACnD,GAEMhB,EAAK,UAAU,WAAY;AAMvB,YALIjB,MAAkBiB,MAClBC,IAAiBa,EAAe/B,EAAc,SAAU,CAAA,IAE5DO,EAAsB,KAAKU,CAAI,GAE3BjB,MAAkBiB;AAClB,mBAASiB,KAAanC;AACpB,YAAAA,EAAemC,CAAS,EAAE;MAG1C,GAGMhB,IAAiBa;AAAA,QACb/B,IAAgBA,EAAc,SAAQ,IAAK;AAAA,MACrD;AACM,UAAImC,KAAeV;AACnB,MAAIU,MAAgB,SAChBf,IAAYW,EAAeI,EAAY,IAE3C5B,EAAsB,KAAKU,CAAI;AAAA,IAChC;AAQD,IAAAjB,IAAgB,IAAIc,KAEpBd,EAAc,YAAY,SAAmBe,GAAM;AAC/C,UAAK,OAAOA,KAAS,YAAY,OAAOA,KAAS,YAAaA,MAAS;AACnE,cAAM,IAAI,UAAU,gDAAgD;AAGxE,UAAIqB,IAASrC,EAAegB,CAAI;AAChC,aAAKqB,MACDA,IAASrC,EAAegB,CAAI,IAAI,IAAID;AAAA,QAChCC;AAAA,QACAf,EAAc;AAAA,MAC9B,IAEeoC;AAAA,IACf;AAGI,QAAIC,IAAQ,OAAO,WAAWzC,IAAiB,OAAO,MAAM;AAC5D,WAAAI,EAAc,aAAa,WAAW;AAClC,aAAI,OAAO,WAAWJ,KACf,OAAO,QAAQI,MAClB,OAAO,MAAMqC,IAGVrC;AAAA,IACf,GAEIA,EAAc,aAAa,WAAsB;AAC7C,aAAOD;AAAA,IACf,GAGIC,EAAc,UAAaA,GAEpBA;AAAA,EACX,CAAC;;;;ACpWD,IAAIsC;;CACA,OAAO,YAAc,OAAe,GAACC,MAAAC,IAAA,UAAU,cAAV,gBAAAA,EAAqB,eAArB,QAAAD,GAAA,KAAAC,GAAkC,sBAGvEF,IAAa;AAEjB,SAASG,EAAgBT,GAAOU,GAAU;AACtC,MAAIV,KAAS;AACT,WAAO;AAEX,MAAI;AACA,WAAQA,aAAiBU,KACrB,OAAO,eAAeV,CAAK,EAAE,OAAO,WAAW,MAAMU,EAAS,UAAU,OAAO,WAAW;AAAA,EACjG,QACK;AACF,WAAO;AAAA,EACV;AACL;AACO,MAAMC,IAAY,OAAM,GAClBC,KAAiB,OAAM,GACvBC,IAAc,OAAM,GAG3BC,KAAU,IAAI,eACdC,KAAU,IAAI;AACpB,SAASC,EAAIhB,GAAO;AAChB,SAAI,OAAOA,KAAU,WACVc,GAAQ,OAAOd,CAAK,IAExBe,GAAQ,OAAOf,CAAK;AAC/B;AACA,MAAMiB,KAAa;AACnB,SAASC,GAAgBlB,GAAO;AAC5B,EAAIA,aAAiB,gBACjBA,IAAQ,IAAI,WAAWA,CAAK;AAEhC,QAAMmB,IAAM,CAAA;AACZ,WAAS1C,IAAI,GAAGA,IAAIuB,EAAM,YAAYvB,KAAKwC;AACvC,IAAAE,EAAI,KAAK,OAAO,aAAa,MAAM,MAAMnB,EAAM,SAASvB,GAAGA,IAAIwC,EAAU,CAAC,CAAC;AAE/E,SAAO,KAAKE,EAAI,KAAK,EAAE,CAAC,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AACtF;AACA,SAASC,GAAgBpB,GAAO;AAC5B,MAAI;AACA,UAAMqB,IAAS,KAAKrB,EAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,EAAE,CAAC,GAC5EsB,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,aAAS5C,IAAI,GAAGA,IAAI4C,EAAO,QAAQ5C;AAC/B,MAAA6C,EAAM7C,CAAC,IAAI4C,EAAO,WAAW5C,CAAC;AAElC,WAAO6C;AAAA,EACV,SACMC,GAAO;AACV,UAAM,IAAIC,EAAI,qDAAqD,EAAE,OAAAD,EAAO,CAAA;AAAA,EAC/E;AACL;AACA,SAASE,EAAKzB,GAAO;AACjB,SAAI,OAAOA,KAAU,WACVoB,GAAgBpB,CAAK,IAEzBkB,GAAgBlB,CAAK;AAChC;AACA,MAAM0B,GAAI;AAAA,EACN,YAAYC,GAAS;AACjB,SAAK,QAAQ,oBAAI,OACjB,KAAK,SAAS,oBAAI,OAClB,KAAK,UAAUA;AAAA,EAClB;AAAA,EACD,IAAIC,GAAK;AACL,QAAIC,IAAI,KAAK,MAAM,IAAID,CAAG;AAC1B,QAAIC;AACA,aAAOA;AAEX,QAAKA,IAAI,KAAK,OAAO,IAAID,CAAG;AACxB,kBAAK,OAAOA,GAAKC,CAAC,GACXA;AAAA,EAGd;AAAA,EACD,IAAID,GAAK;AACL,WAAO,KAAK,MAAM,IAAIA,CAAG,KAAK,KAAK,OAAO,IAAIA,CAAG;AAAA,EACpD;AAAA,EACD,IAAIA,GAAKE,GAAO;AACZ,WAAI,KAAK,MAAM,IAAIF,CAAG,IAClB,KAAK,MAAM,IAAIA,GAAKE,CAAK,IAGzB,KAAK,OAAOF,GAAKE,CAAK,GAEnB;AAAA,EACV;AAAA,EACD,OAAOF,GAAK;AACR,WAAI,KAAK,MAAM,IAAIA,CAAG,IACX,KAAK,MAAM,OAAOA,CAAG,IAE5B,KAAK,OAAO,IAAIA,CAAG,IACZ,KAAK,OAAO,OAAOA,CAAG,IAE1B;AAAA,EACV;AAAA,EACD,OAAOA,GAAKE,GAAO;AACf,SAAK,MAAM,IAAIF,GAAKE,CAAK,GACrB,KAAK,MAAM,QAAQ,KAAK,YACxB,KAAK,SAAS,KAAK,OACnB,KAAK,QAAQ,oBAAI;EAExB;AACL;AACO,MAAMC,UAAkC,MAAM;AAAA,EACjD,YAAYC,GAAS;;AACjB,UAAMA,KAAW,yBAAyB,GAC1C,KAAK,OAAO,KAAK,YAAY,OAC7BxB,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACO,MAAMyB,WAAiC,MAAM;AAAA,EAChD,YAAYD,GAASE,GAAS;;AAC1B,UAAMF,GAASE,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,OAC7B1B,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACA,MAAMgB,IAAMS,IACNE,KAAa,IAAIT,GAAI,GAAG;AAC9B,SAASU,GAAYR,GAAK;AACtB,SAAOA,aAAe;AAC1B;AACA,SAASS,GAAaT,GAAK;AACvB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AACA,SAASU,GAAYV,GAAK;AACtB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AAaA,SAASW,GAAiBC,GAAU;AAChC,MAAI;AACA,UAAMC,IAAQD,EAAS,QAAQ,IAAI,YAAY;AAC/C,IAAIC,KACAN,GAAW,IAAI,IAAI,IAAIK,EAAS,GAAG,EAAE,QAAQC,CAAK;AAAA,EAEzD,QACK;AAAA,EAAG;AACT,SAAOD;AACX;AAIA,SAASE,EAAa1C,GAAO;AACzB,SAAI,EAAAA,MAAU,QAAQ,OAAOA,KAAU,YAAY,MAAM,QAAQA,CAAK;AAI1E;AACA,SAAS2C,EAAe3C,GAAO;AAC3B,EAAIS,EAAgBT,GAAO,OAAO,MAC9BA,IAAQ,OAAO,YAAYA,EAAM,QAAS,CAAA;AAE9C,QAAM4C,IAAU,IAAI,QAAQ5C,CAAK;AAIjC,MAHIM,KAAc,CAACsC,EAAQ,IAAI,YAAY,KACvCA,EAAQ,IAAI,cAActC,CAAU,GAEpCsC,EAAQ,IAAI,eAAe;AAC3B,UAAM,IAAI,UAAU,oEAAoE;AAE5F,MAAIA,EAAQ,IAAI,MAAM;AAClB,UAAM,IAAI,UAAU,2DAA2D;AAEnF,SAAOA;AACX;AACA,SAASC,GAAOf,GAAO;AAInB,MAHI,OAAOA,KAAU,eACjBA,IAAQA,EAAK,IAEb,EAAEA,aAAiB;AACnB,UAAM,IAAI,UAAU,+DAA+D;AAEvF,SAAOA;AACX;AACO,eAAegB,GAAiBC,GAAkBb,GAAS;AAC9D,MAAI,EAAEa,aAA4B;AAC9B,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAIA,EAAiB,aAAa,YAAYA,EAAiB,aAAa;AACxE,UAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAMC,IAAM,IAAI,IAAID,EAAiB,IAAI;AACzC,UAAQb,KAAA,gBAAAA,EAAS,WAAS;AAAA,IACtB,KAAK;AAAA,IACL,KAAK;AACD,MAAAc,EAAI,WAAW,GAAGA,EAAI,QAAQ,oCAAoC,QAAQ,MAAM,GAAG;AACnF;AAAA,IACJ,KAAK;AACD,MAAIA,EAAI,aAAa,MACjBA,EAAI,WAAW,2CAGfA,EAAI,WAAW,0CAA0CA,EAAI,QAAQ,GAAG,QAAQ,MAAM,GAAG;AAE7F;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,2DAA2D;AAAA,EACtF;AACD,QAAMJ,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,KAChCV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,SAAS,OAAO,YAAYJ,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,QAAQV,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACA,SAASU,EAAejD,GAAO;AAC3B,SAAO,OAAOA,KAAU,YAAYA,EAAM,WAAW;AACzD;AACO,eAAekD,GAAyBC,GAA0BX,GAAU;AAC/E,MAAI,EAAEW,aAAoC;AACtC,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI,CAAC1C,EAAgB+B,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW;AACpB,UAAM,IAAIhB,EAAI,oEAAoE;AAEtF,EAAA4B,GAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,MAAM;AAC3B,UAAM,IAAI7B,EAAI,8DAA8D;AAEhF,MAAI,IAAI,IAAI6B,EAAK,MAAM,EAAE,SAASF,EAAyB;AACvD,UAAM,IAAI3B,EAAI,0DAA0D;AAE5E,SAAO6B;AACX;AACA,SAASC,IAAc;AACnB,SAAO7B,EAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC1D;AACO,SAAS8B,KAA6B;AACzC,SAAOD,EAAW;AACtB;AACO,SAASE,KAAsB;AAClC,SAAOF,EAAW;AACtB;AAIO,eAAeG,GAA2BC,GAAc;AAC3D,MAAI,CAACT,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,SAAOjC,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAI0C,CAAY,CAAC,CAAC;AACxE;AACA,SAASC,GAAa3D,GAAO;AACzB,MAAIA,aAAiB;AACjB,WAAO,EAAE,KAAKA;AAElB,MAAI,GAAEA,KAAA,gBAAAA,EAAO,gBAAe;AACxB,WAAO;AAEX,MAAIA,EAAM,QAAQ,UAAa,CAACiD,EAAejD,EAAM,GAAG;AACpD,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAO,EAAE,KAAKA,EAAM,KAAK,KAAKA,EAAM;AACxC;AACA,SAAS4D,GAAcC,GAAO;AAC1B,SAAO,mBAAmBA,CAAK,EAAE,QAAQ,QAAQ,GAAG;AACxD;AACA,SAASC,GAAkBC,GAAUC,GAAc;AAC/C,QAAMC,IAAWL,GAAcG,CAAQ,GACjCG,IAAWN,GAAcI,CAAY;AAE3C,SAAO,SADa,KAAK,GAAGC,CAAQ,IAAIC,CAAQ,EAAE,CACvB;AAC/B;AACA,SAASC,GAAMvC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASqC,GAAMxC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASsC,GAAMzC,GAAK;AAChB,UAAQA,EAAI,UAAU,YAAU;AAAA,IAC5B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,uCAAuC;AAAA,EAClF;AACL;AACA,SAASuC,GAAS1C,GAAK;AACnB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAOuC,GAAMvC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOwC,GAAMxC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOyC,GAAMzC,CAAG;AAAA,IACpB,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,sCAAsC;AAAA,EACjF;AACL;AACA,SAASwC,EAAaC,GAAQ;AAC1B,QAAMC,IAAOD,KAAA,gBAAAA,EAAS7D;AACtB,SAAO,OAAO8D,KAAS,YAAY,OAAO,SAASA,CAAI,IAAIA,IAAO;AACtE;AACA,SAASC,GAAkBF,GAAQ;AAC/B,QAAMG,IAAYH,KAAA,gBAAAA,EAAS5D;AAC3B,SAAO,OAAO+D,KAAc,YAAY,OAAO,SAASA,CAAS,KAAK,KAAK,KAAKA,CAAS,MAAM,KACzFA,IACA;AACV;AACA,SAASC,IAAY;AACjB,SAAO,KAAK,MAAM,KAAK,IAAK,IAAG,GAAI;AACvC;AACA,SAASC,GAAgBC,GAAIN,GAAQ;AACjC,QAAMO,IAAMH,EAAS,IAAKL,EAAaC,CAAM;AAC7C,SAAO;AAAA,IACH,KAAKlB,EAAa;AAAA,IAClB,KAAK,CAACwB,EAAG,QAAQA,EAAG,cAAc;AAAA,IAClC,KAAKC,IAAM;AAAA,IACX,KAAKA;AAAA,IACL,KAAKA;AAAA,IACL,KAAKP,EAAO;AAAA,IACZ,KAAKA,EAAO;AAAA,EACpB;AACA;AACA,eAAeQ,GAAcF,GAAIN,GAAQ5C,GAAKqD,GAAK;AAC/C,SAAOC,GAAI;AAAA,IACP,KAAKZ,GAAS1C,CAAG;AAAA,IACjB,KAAAqD;AAAA,EACH,GAAEJ,GAAgBC,GAAIN,CAAM,GAAG5C,CAAG;AACvC;AACA,SAASuD,EAASL,GAAI;AAClB,MAAI,OAAOA,KAAO,YAAYA,MAAO;AACjC,UAAM,IAAI,UAAU,wBAAwB;AAEhD,MAAI,CAAC7B,EAAe6B,EAAG,MAAM;AACzB,UAAM,IAAI,UAAU,iDAAiD;AAEzE,SAAO;AACX;AACA,SAASM,EAAaZ,GAAQ;AAC1B,MAAI,OAAOA,KAAW,YAAYA,MAAW;AACzC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,MAAI,CAACvB,EAAeuB,EAAO,SAAS;AAChC,UAAM,IAAI,UAAU,wDAAwD;AAEhF,SAAO;AACX;AACA,SAASa,GAAmBrB,GAAc;AACtC,MAAI,CAACf,EAAee,CAAY;AAC5B,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAOA;AACX;AACA,SAASsB,EAAyBC,GAAkBC,GAAkB;AAClE,MAAIA,MAAqB;AACrB,UAAM,IAAI,UAAU,iEAAiED,CAAgB,wCAAwC;AAErJ;AACA,SAASE,GAAqBF,GAAkBvB,GAAc;AAC1D,MAAIA,MAAiB;AACjB,UAAM,IAAI,UAAU,6DAA6DuB,CAAgB,wCAAwC;AAEjJ;AACA,eAAeG,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAAS4C,GAAkB;AAI7E,UAHAG,EAAK,OAAO,eAAe,GAC3BA,EAAK,OAAO,uBAAuB,GACnCA,EAAK,OAAO,kBAAkB,GACtBnB,EAAO,4BAA0B;AAAA,IACrC,KAAK;AAAA,IACL,KAAK,uBAAuB;AACxB,MAAAc,EAAyB,uBAAuBE,CAAgB,GAChE5C,EAAQ,IAAI,iBAAiBkB,GAAkBU,EAAO,WAAWa,GAAmBb,EAAO,aAAa,CAAC,CAAC;AAC1G;AAAA,IACH;AAAA,IACD,KAAK,sBAAsB;AACvB,MAAAc,EAAyB,sBAAsBE,CAAgB,GAC/DG,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,iBAAiBN,GAAmBb,EAAO,aAAa,CAAC;AAClE;AAAA,IACH;AAAA,IACD,KAAK,mBAAmB;AAEpB,UADAiB,GAAqB,mBAAmBjB,EAAO,aAAa,GACxDgB,MAAqB;AACrB,cAAM,IAAI,UAAU,2GAA2G;AAEnI,YAAM,EAAE,KAAA5D,GAAK,KAAAqD,EAAK,IAAGtB,GAAa6B,CAAgB;AAClD,UAAI,CAACnD,GAAaT,CAAG;AACjB,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAA+D,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,yBAAyB,wDAAwD,GAC1FA,EAAK,IAAI,oBAAoB,MAAMX,GAAcF,GAAIN,GAAQ5C,GAAKqD,CAAG,CAAC;AACtE;AAAA,IACH;AAAA,IACD,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,QAAQ;AACT,MAAAQ,GAAqBjB,EAAO,4BAA4BA,EAAO,aAAa,GAC5Ec,EAAyBd,EAAO,4BAA4BgB,CAAgB,GAC5EG,EAAK,IAAI,aAAanB,EAAO,SAAS;AACtC;AAAA,IACH;AAAA,IACD;AACI,YAAM,IAAIzC,EAA0B,+CAA+C;AAAA,EAC1F;AACL;AACA,eAAemD,GAAIU,GAAQC,GAAWjE,GAAK;AACvC,MAAI,CAACA,EAAI,OAAO,SAAS,MAAM;AAC3B,UAAM,IAAI,UAAU,uFAAuF;AAE/G,QAAM5B,IAAQ,GAAGyB,EAAKT,EAAI,KAAK,UAAU4E,CAAM,CAAC,CAAC,CAAC,IAAInE,EAAKT,EAAI,KAAK,UAAU6E,CAAS,CAAC,CAAC,CAAC,IACpFC,IAAYrE,EAAK,MAAM,OAAO,OAAO,KAAKsE,GAAYnE,CAAG,GAAGA,GAAKZ,EAAIhB,CAAK,CAAC,CAAC;AAClF,SAAO,GAAGA,CAAK,IAAI8F,CAAS;AAChC;AAqEA,eAAeE,GAAapD,GAASV,GAASc,GAAKiD,GAAKtF,GAAWuF,GAAa;AAC5E,QAAM,EAAE,YAAAC,GAAY,WAAAC,GAAW,OAAA3D,IAAQN,GAAW,IAAIa,EAAI,MAAM,EAAG,IAAGd;AACtE,MAAI,CAACG,GAAa8D,CAAU;AACxB,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAI,CAAC7D,GAAY8D,CAAS;AACtB,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI3D,MAAU,UAAa,CAACQ,EAAeR,CAAK;AAC5C,UAAM,IAAI,UAAU,sDAAsD;AAE9E,MAAI,CAAC2D,EAAU;AACX,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMrB,IAAMH,EAAW,IAAGjE,GACpB0F,IAAQ,MAAMnB,GAAI;AAAA,IACpB,KAAKZ,GAAS6B,CAAU;AAAA,IACxB,KAAK;AAAA,IACL,KAAK,MAAMG,GAAUF,CAAS;AAAA,EACtC,GAAO;AAAA,IACC,KAAKrB;AAAA,IACL,KAAKzB,EAAa;AAAA,IAClB,KAAA2C;AAAA,IACA,OAAAxD;AAAA,IACA,KAAK,GAAGO,EAAI,MAAM,GAAGA,EAAI,QAAQ;AAAA,IACjC,KAAKkD,IAAczE,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAIkF,CAAW,CAAC,CAAC,IAAI;AAAA,EACtF,GAAEC,CAAU;AACb,EAAAvD,EAAQ,IAAI,QAAQyD,CAAK;AAC7B;AACA,IAAIE;AACJ,eAAeC,GAAqB5E,GAAK;AACrC,QAAM,EAAE,KAAA6E,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC,MAAQ,MAAM,OAAO,OAAO,UAAU,OAAOlF,CAAG,GACnEmF,IAAM,EAAE,KAAAN,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC;AAC/B,SAAAP,EAAS,IAAI3E,GAAKmF,CAAG,GACdA;AACX;AACA,eAAeT,GAAU1E,GAAK;AAC1B,SAAA2E,MAAaA,IAAW,oBAAI,QAAO,IAC5BA,EAAS,IAAI3E,CAAG,KAAK4E,GAAqB5E,CAAG;AACxD;AACA,SAASoF,GAAiBlF,GAAOmF,GAAU/E,GAAS;AAChD,MAAI,OAAOJ,KAAU;AAIjB,UAAM,IAAI,UAAU,OAAOmF,CAAQ,oBAAoB;AAE3D,SAAO,IAAI,IAAInF,CAAK;AACxB;AACA,SAASoF,GAAgBpC,GAAImC,GAAU/E,GAAS;AAI5C,SAAO8E,GAAiBlC,EAAGmC,CAAQ,GAAGA,CAAQ;AAClD;AAcO,SAASE,EAAcnH,GAAO;AACjC,QAAM8B,IAAQ9B;AACd,SAAI,OAAO8B,KAAU,YAAY,MAAM,QAAQA,CAAK,KAAKA,MAAU,OACxD,KAEJA,EAAM,UAAU;AAC3B;AA2FO,eAAesF,GAAyBlB,GAAa9H,GAAQ4E,GAAKJ,GAAS+C,GAAMzD,GAAS;AAC7F,MAAI,CAACe,EAAeiD,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,EAAElD,aAAe;AACjB,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAAJ,IAAUD,EAAeC,CAAO,IAC5BV,KAAA,gBAAAA,EAAS,UAAS,SAClBU,EAAQ,IAAI,iBAAiB,UAAUsD,CAAW,EAAE,KAGpD,MAAMF,GAAapD,GAASV,EAAQ,MAAMc,GAAK,OAAOuB,EAAa,EAAE,CAAC5D,CAAS,GAAGuB,KAAA,gBAAAA,EAAUvB,GAAU,CAAE,GAAGuF,CAAW,GACtHtD,EAAQ,IAAI,iBAAiB,QAAQsD,CAAW,EAAE,MAE9ChE,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACO,eAAe8E,GAAgBvC,GAAIN,GAAQ0B,GAAahE,GAAS;AACpE,EAAAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM;AACnB,QAAMxB,IAAMkE,GAAgBpC,GAAI,mBAA4B,GACtDlC,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAIsC,EAAO,+BACP5B,EAAQ,IAAI,UAAU,iBAAiB,KAGvCA,EAAQ,IAAI,UAAU,kBAAkB,GACxCA,EAAQ,OAAO,UAAU,iBAAiB,IAEvCwE,GAAyBlB,GAAa,OAAOlD,GAAKJ,GAAS,MAAM;AAAA,IACpE,GAAGV;AAAA,IACH,CAACvB,CAAS,GAAG4D,EAAaC,CAAM;AAAA,EACxC,CAAK;AACL;AAqKA,eAAe8C,GAAqBxC,GAAIN,GAAQpG,GAAQ4E,GAAK2C,GAAM/C,GAASV,GAAS;AACjF,eAAMwD,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAASV,KAAA,gBAAAA,EAAS,gBAAgB,GAC/EU,EAAQ,IAAI,gBAAgB,iDAAiD,KACrEV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACA,eAAegF,GAAqBzC,GAAIN,GAAQgD,GAAWC,GAAYvF,GAAS;AAC5E,QAAMc,IAAMkE,GAAgBpC,GAAI,gBAAyB;AACzD,EAAA2C,EAAW,IAAI,cAAcD,CAAS;AACtC,QAAM5E,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,GAIjC0E,GAAqBxC,GAAIN,GAAQ,QAAQxB,GAAKyE,GAAY7E,GAASV,CAAO;AACrF;AACO,eAAewF,GAAyB5C,GAAIN,GAAQmD,GAAczF,GAAS;AAG9E,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACvB,EAAe0E,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMF,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,iBAAiBE,CAAY,GACrCJ,GAAqBzC,GAAIN,GAAQ,iBAAiBiD,GAAYvF,CAAO;AAChF;AACA,MAAM0F,KAAgB,oBAAI;AACnB,SAASC,GAA0BC,GAAK;AAC3C,MAAI,CAACA,EAAI;AACL;AAEJ,QAAMC,IAASH,GAAc,IAAIE,CAAG;AACpC,MAAI,CAACC;AACD,UAAM,IAAI,UAAU,gFAAgF;AAExG,SAAOA;AACX;AACA,eAAeC,GAAkClD,GAAIN,GAAQhC,GAAUyF,IAAgB,IAAOC,IAAqB,IAAO;AAGtH,MAFA/C,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAAC/D,EAAgB+B,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW,KAAK;AACzB,QAAI2F;AACJ,QAAKA,IAAM,MAAMC,GAAqB5F,CAAQ;AAC1C,aAAO2F;AAEX,UAAM,IAAI3G,EAAI,qDAAqD;AAAA,EACtE;AACD,EAAA4B,GAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,YAAY;AACjC,UAAM,IAAI7B,EAAI,oEAAoE;AAEtF,MAAI,CAACyB,EAAeI,EAAK,UAAU;AAC/B,UAAM,IAAI7B,EAAI,kEAAkE;AAGpF,MADA6B,EAAK,aAAaA,EAAK,WAAW,YAAW,GACzCA,EAAK,eAAe,UAAUA,EAAK,eAAe;AAClD,UAAM,IAAItB,EAA0B,gCAAgC;AAExE,MAAIsB,EAAK,eAAe,WACnB,OAAOA,EAAK,cAAe,YAAYA,EAAK,cAAc;AAC3D,UAAM,IAAI7B,EAAI,iEAAiE;AAEnF,MAAI,CAAC0G,KACD7E,EAAK,kBAAkB,UACvB,CAACJ,EAAeI,EAAK,aAAa;AAClC,UAAM,IAAI7B,EAAI,qEAAqE;AAEvF,MAAI6B,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU;AAClD,UAAM,IAAI7B,EAAI,mDAAmD;AAErE,MAAI,CAACyG,GAAe;AAChB,QAAI5E,EAAK,aAAa,UAAa,CAACJ,EAAeI,EAAK,QAAQ;AAC5D,YAAM,IAAI7B,EAAI,gEAAgE;AAElF,QAAI6B,EAAK,UAAU;AACf,YAAM,EAAE,QAAA0E,EAAQ,IAAG,MAAMM,GAAYhF,EAAK,UAAUiF,GAAsB,KAAK,QAAW9D,EAAO,8BAA8BM,EAAG,qCAAqC,GAAGyD,IAAkBhE,EAAaC,CAAM,GAAGE,GAAkBF,CAAM,CAAC,EACtO,KAAKgE,GAAiB,KAAK,QAAW,CAAC,OAAO,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,EAC1E,KAAKC,GAAe,KAAK,QAAW3D,EAAG,MAAM,CAAC,EAC9C,KAAK4D,GAAiB,KAAK,QAAWlE,EAAO,SAAS,CAAC;AAC5D,UAAI,MAAM,QAAQuD,EAAO,GAAG,KAAKA,EAAO,IAAI,WAAW,KAAKA,EAAO,QAAQvD,EAAO;AAC9E,cAAM,IAAIhD,EAAI,0DAA0D;AAE5E,UAAIuG,EAAO,cAAc,WACpB,CAAC,OAAO,SAASA,EAAO,SAAS,KAAK,KAAK,KAAKA,EAAO,SAAS,MAAM;AACvE,cAAM,IAAIvG,EAAI,sEAAsE;AAExF,MAAAoG,GAAc,IAAIvE,GAAM0E,CAAM;AAAA,IACjC;AAAA,EACJ;AACD,SAAO1E;AACX;AACO,eAAesF,GAA4B7D,GAAIN,GAAQhC,GAAU;AACpE,SAAOwF,GAAkClD,GAAIN,GAAQhC,CAAQ;AACjE;AAOA,SAASkG,GAAiBhI,GAAUkI,GAAQ;AACxC,MAAI,MAAM,QAAQA,EAAO,OAAO,GAAG;AAC/B,QAAI,CAACA,EAAO,OAAO,IAAI,SAASlI,CAAQ;AACpC,YAAM,IAAIc,EAAI,6CAA6C;AAAA,aAG1DoH,EAAO,OAAO,QAAQlI;AAC3B,UAAM,IAAIc,EAAI,6CAA6C;AAE/D,SAAOoH;AACX;AAOA,SAASH,GAAe/H,GAAUkI,GAAQ;AACtC,MAAIA,EAAO,OAAO,QAAQlI;AACtB,UAAM,IAAIc,EAAI,2CAA2C;AAE7D,SAAOoH;AACX;AACA,MAAMC,KAAU,oBAAI;AACpB,SAASC,GAAMC,GAAc;AACzB,SAAAF,GAAQ,IAAIE,CAAY,GACjBA;AACX;AACO,eAAeC,GAA8BlE,GAAIN,GAAQyE,GAAoBC,GAAaxF,GAAcxB,GAAS;AAGpH,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACqE,GAAQ,IAAII,CAAkB;AAC/B,UAAM,IAAI,UAAU,mIAAmI;AAE3J,MAAI,CAAChG,EAAeiG,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,CAACjG,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMyF,IAAOC,EAAsBH,GAAoB,MAAM;AAC7D,MAAI,CAACE;AACD,UAAM,IAAI3H,EAAI,+CAA+C;AAEjE,QAAMiG,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,gBAAgByB,CAAW,GAC1CzB,EAAW,IAAI,iBAAiB/D,CAAY,GAC5C+D,EAAW,IAAI,QAAQ0B,CAAI,GACpB5B,GAAqBzC,GAAIN,GAAQ,sBAAsBiD,GAAYvF,CAAO;AACrF;AACA,MAAMmH,KAAgB;AAAA,EAClB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AACT;AACA,SAASb,GAAiBc,GAAUV,GAAQ;AACxC,aAAWW,KAASD;AAChB,QAAIV,EAAO,OAAOW,CAAK,MAAM;AACzB,YAAM,IAAI/H,EAAI,QAAQ+H,CAAK,MAAMF,GAAcE,CAAK,CAAC,iBAAiB;AAG9E,SAAOX;AACX;AACO,MAAMY,KAAgB,OAAM,GACtBC,IAAoB,OAAM;AAChC,eAAeC,GAAuC5E,GAAIN,GAAQhC,GAAUmH,GAAeC,GAAQ;AACtG,QAAMhB,IAAS,MAAMZ,GAAkClD,GAAIN,GAAQhC,CAAQ;AAC3E,MAAI2E,EAAcyB,CAAM;AACpB,WAAOA;AAEX,MAAI,CAAC3F,EAAe2F,EAAO,QAAQ;AAC/B,UAAM,IAAIpH,EAAI,gEAAgE;AAElF,EAAAoI,MAAWA,IAASpF,EAAO,mBAAmBiF;AAC9C,QAAM1B,IAASF,GAA0Be,CAAM;AAC/C,OAAKpE,EAAO,qBAAqBoF,MAAWH,MACxC1B,EAAO,cAAc;AACrB,UAAM,IAAIvG,EAAI,0DAA0D;AAE5E,MAAIoI,MAAWH,GAAmB;AAC9B,QAAI,OAAOG,KAAW,YAAYA,IAAS;AACvC,YAAM,IAAI,UAAU,wCAAwC;AAEhE,UAAM7E,IAAMH,EAAS,IAAKL,EAAaC,CAAM,GACvCG,IAAYD,GAAkBF,CAAM;AAC1C,QAAIuD,EAAO,YAAY6B,IAAS7E,IAAMJ;AAClC,YAAM,IAAInD,EAAI,kEAAkE;AAAA,EAEvF;AACD,UAAQmI,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKH;AACD,UAAIzB,EAAO,UAAU;AACjB,cAAM,IAAIvG,EAAI,yCAAyC;AAE3D;AAAA,IACJ;AACI,UAAI,CAACyB,EAAe0G,CAAa;AAC7B,cAAM,IAAI,UAAU,4CAA4C;AAEpE,UAAI5B,EAAO,UAAU;AACjB,cAAM,IAAIvG,EAAI,gCAAgC;AAElD,UAAIuG,EAAO,UAAU4B;AACjB,cAAM,IAAInI,EAAI,yCAAyC;AAAA,EAElE;AACD,SAAOoH;AACX;AA0DA,SAASxF,GAAuBZ,GAAU;AACtC,MAAIA,EAAS;AACT,UAAM,IAAI,UAAU,uCAAuC;AAEnE;AAqGA,eAAe4F,GAAqB5F,GAAU;AAC1C,MAAIA,EAAS,SAAS,OAAOA,EAAS,SAAS,KAAK;AAChD,IAAAY,GAAuBZ,CAAQ;AAC/B,QAAI;AACA,YAAMa,IAAO,MAAMb,EAAS;AAC5B,UAAIE,EAAaW,CAAI,KAAK,OAAOA,EAAK,SAAU,YAAYA,EAAK,MAAM;AACnE,eAAIA,EAAK,sBAAsB,UAAa,OAAOA,EAAK,qBAAsB,YAC1E,OAAOA,EAAK,mBAEZA,EAAK,cAAc,UAAa,OAAOA,EAAK,aAAc,YAC1D,OAAOA,EAAK,WAEZA,EAAK,SAAS,UAAa,OAAOA,EAAK,QAAS,YAChD,OAAOA,EAAK,MAEZA,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU,YAClD,OAAOA,EAAK,OAETA;AAAA,IAEd,QACK;AAAA,IAAG;AAAA,EACZ;AAEL;AAOA,SAASwG,GAAqBC,GAAW;AACrC,MAAI,OAAOA,EAAU,iBAAkB,YAAYA,EAAU,gBAAgB;AACzE,UAAM,IAAItI,EAAI,GAAGsI,EAAU,IAAI,2CAA2C;AAElF;AACA,SAASC,GAAcC,GAAY;AAC/B,UAAQA,GAAU;AAAA,IACd,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIjI,EAAyB;AAAA,EAC1C;AACL;AACA,SAASgE,GAAYnE,GAAK;AACtB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAO;AAAA,QACH,MAAMA,EAAI,UAAU;AAAA,QACpB,MAAMmI,GAAcnI,EAAI,UAAU,UAAU;AAAA,MAC5D;AAAA,IACQ,KAAK;AAED,cADAiI,GAAqBjI,EAAI,SAAS,GAC1BA,EAAI,UAAU,KAAK,MAAI;AAAA,QAC3B,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,iBAAO;AAAA,YACH,MAAMA,EAAI,UAAU;AAAA,YACpB,YAAY,SAASA,EAAI,UAAU,KAAK,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK;AAAA,UACvF;AAAA,QACgB;AACI,gBAAM,IAAIG,EAAyB;AAAA,MAC1C;AAAA,IAEL,KAAK;AACD,aAAA8H,GAAqBjI,EAAI,SAAS,GAC3BA,EAAI,UAAU;AAAA,IACzB,KAAK;AAAA,IACL,KAAK;AACD,aAAOA,EAAI,UAAU;AAAA,EAC5B;AACD,QAAM,IAAIG,EAAyB;AACvC;AACA,MAAMwG,KAAmB,OAAM;AAC/B,eAAeF,GAAY4B,GAAKC,GAAUC,GAAQxJ,GAAWC,GAAgB;AACzE,QAAM,EAAE,GAAGwJ,GAAiB,GAAGC,GAAS,GAAGC,GAAkB,QAAAC,EAAM,IAAKN,EAAI,MAAM,GAAG;AACrF,MAAIM,MAAW;AACX,UAAM,IAAIxI,EAA0B,sCAAsC;AAE9E,MAAIwI,MAAW;AACX,UAAM,IAAI/I,EAAI,aAAa;AAE/B,MAAIoE;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAM5E,EAAIS,EAAK2I,CAAe,CAAC,CAAC;AAAA,EACjD,SACM7I,GAAO;AACV,UAAM,IAAIC,EAAI,6DAA6D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACvF;AACD,MAAI,CAACmB,EAAakD,CAAM;AACpB,UAAM,IAAIpE,EAAI,uCAAuC;AAGzD,MADA0I,EAAStE,CAAM,GACXA,EAAO,SAAS;AAChB,UAAM,IAAIpE,EAAI,wCAAwC;AAE1D,QAAMsE,IAAYrE,EAAK6I,CAAgB;AACvC,MAAI1I;AACJ,MAAIuI,MAAW5B,IAAkB;AAC7B,IAAA3G,IAAM,MAAMuI,EAAOvE,CAAM;AACzB,UAAM5F,IAAQ,GAAGoK,CAAe,IAAIC,CAAO;AAE3C,QAAI,CADa,MAAM,OAAO,OAAO,OAAOtE,GAAYnE,CAAG,GAAGA,GAAKkE,GAAW9E,EAAIhB,CAAK,CAAC;AAEpF,YAAM,IAAIwB,EAAI,mCAAmC;AAAA,EAExD;AACD,MAAIuG;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAM/G,EAAIS,EAAK4I,CAAO,CAAC,CAAC;AAAA,EACzC,SACM9I,GAAO;AACV,UAAM,IAAIC,EAAI,8DAA8D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACxF;AACD,MAAI,CAACmB,EAAaqF,CAAM;AACpB,UAAM,IAAIvG,EAAI,wCAAwC;AAE1D,QAAMuD,IAAMH,EAAW,IAAGjE;AAC1B,MAAIoH,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAIvG,EAAI,mDAAmD;AAErE,QAAIuG,EAAO,OAAOhD,IAAMnE;AACpB,YAAM,IAAIY,EAAI,2EAA2E;AAAA,EAEhG;AACD,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAIvG,EAAI,6CAA6C;AAGnE,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAIvG,EAAI,0CAA0C;AAGhE,MAAIuG,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAIvG,EAAI,8CAA8C;AAEhE,QAAIuG,EAAO,MAAMhD,IAAMnE;AACnB,YAAM,IAAIY,EAAI,qEAAqE;AAAA,EAE1F;AACD,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ,YAAY,CAAC,MAAM,QAAQA,EAAO,GAAG;AAC3D,UAAM,IAAIvG,EAAI,4CAA4C;AAGlE,SAAO,EAAE,QAAAoE,GAAQ,QAAAmC,GAAQ,WAAAjC,GAAW,KAAAlE,EAAG;AAC3C;AAuKA,SAAS0G,GAAsB9D,GAAQgG,GAAQ5E,GAAQ;AACnD,MAAIpB,MAAW,QAAW;AACtB,QAAIoB,EAAO,QAAQpB;AACf,YAAM,IAAIhD,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAI,MAAM,QAAQgJ,CAAM,GAAG;AACvB,QAAI,CAACA,EAAO,SAAS5E,EAAO,GAAG;AAC3B,YAAM,IAAIpE,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAIoE,EAAO,QAAQ;AACf,UAAM,IAAIpE,EAAI,uCAAuC;AAE7D;AACA,SAAS4H,EAAsB3B,GAAY1I,GAAM;AAC7C,QAAM,EAAE,GAAG+C,GAAO,QAAAyI,EAAQ,IAAG9C,EAAW,OAAO1I,CAAI;AACnD,MAAIwL,IAAS;AACT,UAAM,IAAI/I,EAAI,IAAIzC,CAAI,wCAAwC;AAElE,SAAO+C;AACX;AACO,MAAM2I,KAAiB,OAAM,GACvBC,KAAgB,OAAM;AAC5B,SAASC,GAAqB7F,GAAIN,GAAQiD,GAAYmD,GAAe;AAMxE,MALAzF,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACfiD,aAAsB,QACtBA,IAAaA,EAAW,eAExB,EAAEA,aAAsB;AACxB,UAAM,IAAI,UAAU,6DAA6D;AAErF,MAAI2B,EAAsB3B,GAAY,UAAU;AAC5C,UAAM,IAAIjG,EAAI,wGAAwG;AAE1H,QAAMqJ,IAAMzB,EAAsB3B,GAAY,KAAK,GAC7CqD,IAAQ1B,EAAsB3B,GAAY,OAAO;AACvD,MAAI,CAACoD,KAAO/F,EAAG;AACX,UAAM,IAAItD,EAAI,2CAA2C;AAE7D,MAAIqJ,KAAOA,MAAQ/F,EAAG;AAClB,UAAM,IAAItD,EAAI,oDAAoD;AAEtE,UAAQoJ,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKF;AACD,UAAII,MAAU;AACV,cAAM,IAAItJ,EAAI,mDAAmD;AAErE;AAAA,IACJ,KAAKiJ;AACD;AAAA,IACJ;AACI,UAAI,CAACxH,EAAe2H,CAAa;AAC7B,cAAM,IAAIpJ,EAAI,4CAA4C;AAE9D,UAAIsJ,MAAU;AACV,cAAM,IAAItJ,EAAI,oCAAoC;AAEtD,UAAIsJ,MAAUF;AACV,cAAM,IAAIpJ,EAAI,6CAA6C;AAAA,EAEtE;AACD,QAAMuJ,IAAQ3B,EAAsB3B,GAAY,OAAO;AACvD,MAAIsD;AACA,WAAO;AAAA,MACH,OAAAA;AAAA,MACA,mBAAmB3B,EAAsB3B,GAAY,mBAAmB;AAAA,MACxE,WAAW2B,EAAsB3B,GAAY,WAAW;AAAA,IACpE;AAEI,QAAMuD,IAAW5B,EAAsB3B,GAAY,UAAU,GACvD5D,IAAQuF,EAAsB3B,GAAY,OAAO;AACvD,MAAIuD,MAAa,UAAanH,MAAU;AACpC,UAAM,IAAI9B,EAA0B,6CAA6C;AAErF,SAAO+G,GAAM,IAAI,gBAAgBrB,CAAU,CAAC;AAChD;ACzpDO,SAASwD,GAAgB;AAAA,EAC9B,gBAAAC;AACF,GAEG;AACD,QAAM,CAACH,GAAOI,CAAQ,IAAIC,GAAuB,IAAI,GAC/CC,IAAWC,MAGXC,IAAgBC,GAAO,EAAK;AAiBlC,SAfAC,GAAU,MAAM;AACd,IAAIF,EAAc,YAGlBA,EAAc,UAAU,IACTL,EAAA,EACZ,KAAK,CAACQ,MAAa;AAClB,MAAAL,EAASK,CAAQ;AAAA,IAAA,CAClB,EACA,MAAM,CAACvD,MAAQ;AACd,MAAA/H,EAAO,MAAM+H,CAAG,GAChBgD,EAAShD,CAAG;AAAA,IAAA,CACb;AAAA,EAAA,GACF,CAACkD,GAAUH,CAAc,CAAC,GAEzBH,IAEAY,gBAAAA,EAAA;AAAA,IAACC;AAAA,IAAA;AAAA,MACC,UAAS;AAAA,MACT,OAAM;AAAA,MACN,SAEIC,gBAAAA,EAAA,KAAAC,YAAA,EAAA,UAAA;AAAA,QAACH,gBAAAA,EAAA,IAAAI,IAAA,EAAc,WAAU,QAAO,UAGhC,qIAAA;AAAA,QAAgB;AAAA,8BAEfC,IAAgB,EAAA,MAAMjB,EAAM,YAAY,UAAS,SAAQ;AAAA,MAAA,GAC5D;AAAA,IAAA;AAAA,EAAA,0BAOL,OAAI,EAAA,WAAU,kCACb,UAAAY,gBAAAA,EAAAA,IAACM,MAAQ,EACX,CAAA;AAEJ;AC1DO,MAAMC,UAA2B,MAAM;AAAC;AAYxC,MAAMC,WAAgCD,EAAmB;AAAA,EAC9D,YACElK,GACO+I,GACP7I,GACA;AACA,UAAMF,GAASE,CAAO,GAHf,KAAA,QAAA6I;AAAA,EAIT;AACF;ACRA,MAAMqB,IAAoB;AAS1B,MAAMC,WAAyBC,GAAqB;AAAA,EAClD,YACUC,GACArB,GACR;AACM,aAHE,KAAA,kBAAAqB,GACA,KAAA,iBAAArB;AAAA,EAGV;AAAA,EACA,YAAY;AACH,WAAA;AAAA,MACL,GAAG,MAAM,UAAU;AAAA,MACnB;AAAA,QACE,MAAM,KAAK;AAAA,QACX,SAASS,gBAAAA,EAAA,IAACV,IAAgB,EAAA,gBAAgB,KAAK,gBAAgB;AAAA,MACjE;AAAA,IAAA;AAAA,EAEJ;AACF;AAEO,MAAMuB,GAA+D;AAAA,EAiB1E,YAAY;AAAA,IACV,QAAAhC;AAAA,IACA,UAAAiC;AAAA,IACA,UAAA1I;AAAA,IACA,uBAAA2I;AAAA,IACA,uBAAAC;AAAA,IACA,wBAAAC;AAAA,EAAA,GAC6B;AAvBrB,IAAAC,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA;AAEA,IAAAA,EAAA,yBAAkB;AAClB,IAAAA,EAAA,+BAAwB;AACxB,IAAAA,EAAA;AAIO,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAiLjB,IAAAA,EAAA,iBAAU,YAAY;AACpB,MAAAC,EAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAS;AAAA,MAAA,CACV,GACD,eAAe,MAAM;AAEf,YAAAhI,IAAK,MAAM,KAAK,iBAEhBiI,IAAc,IAAI;AAAA,QACtB,OAAO,SAAS,SAAS,KAAK;AAAA,MAAA;AAEhC,MAAAA,EAAY,WAAW,KAAK;AAExB,UAAAC;AAGJ,MAAIlI,EAAG,wBACOkI,IAAA,IAAI,IAAIlI,EAAG,oBAAoB,GAM3CkI,EAAU,aAAa;AAAA,QACrB;AAAA,QACAD,EAAY,SAAS;AAAA,MAAA,KAGXC,IAAAD;AAAA,IACd;AAGF,IAAAF,EAAA,wBAAiB,YAAY;AAC3B,YAAM7J,IAAM,IAAI,IAAI,OAAO,SAAS,IAAI,GAClC8H,IAAQ9H,EAAI,aAAa,IAAI,OAAO,GAIpCU,IAAe,eAAe,QAAQ0I,CAAiB;AAE7D,UADA,eAAe,WAAWA,CAAiB,GACvC,CAAC1I;AACG,cAAA,IAAIwI,EAAmB,kCAAkC;AAG3D,YAAAe,IAAa,MAAM,KAAK,iBAExBC,IAASC;AAAAA,QACbF;AAAA,QACA,KAAK;AAAA,QACLjK,EAAI;AAAA,QACJ8H,KAAS;AAAA,MAAA;AAEP,UAAAsC,EAAoBF,CAAM;AACrB,cAAA9M,EAAA,MAAM,mCAAmC8M,CAAM,GAChD,IAAIf;AAAA,UACR;AAAA,UACAe;AAAA,QAAA;AAIE,YAAAH,IAAc,IAAI,IAAI/J,CAAG;AAC/B,MAAA+J,EAAY,WAAW,KAAK,uBAC5BA,EAAY,SAAS;AAEf,YAAAvK,IAAW,MAAM6K;AAAAA,QACrBJ;AAAA,QACA,KAAK;AAAA,QACLC;AAAA,QACAH,EAAY,SAAS;AAAA,QACrBrJ;AAAA,MAAA,GAWI4J,IAAc,MAAMC;AAAAA,QACxBN;AAAA,QACA,KAAK;AAAA,QACLzK;AAAA,MAAA;AAGF,WAAK,sBAAsB8K,CAAW;AAEhC,YAAApH,IAAc,MAAM,KAAK,kBAOzBsH,IAAW,OALQ,MAAMC;AAAAA,QAC7BR;AAAA,QACA,KAAK;AAAA,QACL/G;AAAA,MAAA,GAEsC,QAElCwH,IAAuB;AAAA,QAC3B,KAAKF,EAAS;AAAA,QACd,OAAOA,EAAS;AAAA,QAChB,MAAMA,EAAS;AAAA,QACf,eAAeA,EAAS,kBAAkB;AAAA,QAC1C,YAAYA,EAAS;AAAA,MAAA;AAGvB,MAAAV,EAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAAY;AAAA,MAAA,CACD,GAEc,eAAA;AAAA,QACb;AAAA,QACA,KAAK,UAAUZ,EAAa,SAAA,EAAW,OAAO;AAAA,MAAA;AAGhD,YAAMa,IAAa,eAAe,QAAQ,aAAa,KAAK;AAC5D,4BAAe,WAAW,aAAa,GAChCA;AAAA,IAAA;AA/RP,SAAK,SAAS;AAAA,MACZ,WAAW5J;AAAA,MACX,4BAA4B;AAAA,IAAA,GAE9B,KAAK,WAAW0I,GAChB,KAAK,SAASjC,GACd,KAAK,wBAAwBkC,KAAyB,KACtD,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,yBAAyBC,KAA0B;AAAA,EAC1D;AAAA,EAEA,MAAgB,gBAAgB;AAC1B,QAAA,CAAC,KAAK,qBAAqB;AAC7B,YAAMgB,IAAY,IAAI,IAAI,KAAK,MAAM,GAC/BpL,IAAW,MAAMqL,GAAuBD,CAAS;AAClD,WAAA,sBAAsB,MAAME;AAAAA,QAC/BF;AAAA,QACApL;AAAA,MAAA;AAAA,IAEJ;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMU,sBACRA,GACA;AACI,QAAA4K,EAAoB5K,CAAQ;AACvB,YAAApC,EAAA,MAAM,sBAAsBoC,CAAQ,GACrC,IAAI2J,GAAwB,sBAAsB3J,CAAQ;AAG9D,QAAA,CAACA,EAAS;AACN,YAAA,IAAI0J,EAAmB,2BAA2B;AAG1D,UAAM6B,IAAqB;AAAA,MACzB,aAAavL,EAAS;AAAA,MACtB,cAAcA,EAAS;AAAA,MACvB,WAAW,IAAI,KAAK,KAAK,QAAQA,EAAS,aAAa,GAAI;AAAA,MAC3D,WAAWA,EAAS;AAAA,IAAA;AAEtB,mBAAe,QAAQ,eAAe,KAAK,UAAUuL,CAAM,CAAC;AAAA,EAC9D;AAAA,EAEA,MAAM,OAAO,EAAE,YAAAJ,EAAW,IAA6B,IAAI;AACzD,WAAO,KAAK,UAAU;AAAA,MACpB,YAAYA,KAAc,KAAK;AAAA,MAC/B,UAAU;AAAA,IAAA,CACX;AAAA,EACH;AAAA,EAEA,MAAM,OAAO,EAAE,YAAAA,EAAW,IAA6B,IAAI;AACzD,WAAO,KAAK,UAAU;AAAA,MACpB,YAAYA,KAAc,KAAK;AAAA,IAAA,CAChC;AAAA,EACH;AAAA,EAEA,MAAc,UAAU;AAAA,IACtB,YAAAA;AAAA,IACA,UAAAK,IAAW;AAAA,EAAA,GAIK;;AAChB,UAAMC,IAAwB,QACxBC,IAAsB,MAAM,KAAK;AAEnC,QAAA,CAACA,EAAoB;AACjB,YAAA,IAAIhC,EAAmB,2BAA2B;AAQpD,UAAAxI,IAAeyK,MACfC,IAAgB,MAAMC,GAAiC3K,CAAY;AAE1D,mBAAA,QAAQ0I,GAAmB1I,CAAY;AAGtD,UAAM4K,IAAmB,IAAI;AAAA,MAC3BJ,EAAoB;AAAA,IAAA;AAGP,mBAAA,QAAQ,eAAeP,CAAU;AAEhD,UAAMZ,IAAc,IAAI,IAAI,OAAO,SAAS,MAAM;AA0BlD,QAzBAA,EAAY,WAAW,KAAK,iBAC5BA,EAAY,SAAS,IAErBuB,EAAiB,aAAa,IAAI,aAAa,KAAK,OAAO,SAAS,GACpEA,EAAiB,aAAa,IAAI,gBAAgBvB,EAAY,UAAU,GACvDuB,EAAA,aAAa,IAAI,iBAAiB,MAAM,GACxCA,EAAA,aAAa,IAAI,SAAS,sBAAsB,GAChDA,EAAA,aAAa,IAAI,kBAAkBF,CAAa,GACjEE,EAAiB,aAAa;AAAA,MAC5B;AAAA,MACAL;AAAA,IAAA,GAEE,KAAK,YACPK,EAAiB,aAAa,IAAI,YAAY,KAAK,QAAQ,IAG7D9N,IAAA,KAAK,uBAAL,QAAAA,EAAA,WAA0B8N,GAAkB;AAAA,MAC1C,UAAU,CAACN;AAAA,MACX,UAAAA;AAAA,IAAA,MAQAzN,IAAA2N,EAAoB,qCAApB,gBAAA3N,EAAsD,SAAS,aAC/D,IACA;AACM,YAAAuK,IAAQyD;AACG,MAAAD,EAAA,aAAa,IAAI,SAASxD,CAAK;AAAA,IAClD;AAGA,aAAS,OAAOwD,EAAiB;AAAA,EACnC;AAAA,EAEA,MAAM,iBAAkC;AAChC,UAAAxJ,IAAK,MAAM,KAAK,iBAChB0J,IAAa,eAAe,QAAQ,aAAa;AACvD,QAAI,CAACA;AACG,YAAA,IAAItC,EAAmB,2BAA2B;AAGpD,UAAApB,IAAQ,KAAK,MAAM0D,CAAU;AACnC,QAAI1D,EAAM,YAAgB,oBAAA,QAAQ;AAC5B,UAAA,CAACA,EAAM;AACT,qBAAM,KAAK,UACJ;AAGH,YAAA2D,IAAU,MAAMC;AAAAA,QACpB5J;AAAA,QACA,KAAK;AAAA,QACLgG,EAAM;AAAA,MAAA,GAEFtI,IAAW,MAAMmM;AAAAA,QACrB7J;AAAA,QACA,KAAK;AAAA,QACL2J;AAAA,MAAA;AAGE,UAAA,CAACjM,EAAS;AACN,cAAA,IAAI0J,EAAmB,6BAA6B;AAG5D,kBAAK,sBAAsB1J,CAAQ,GAE5BA,EAAS,aAAa;IAAS;AAEtC,aAAOsI,EAAM;AAAA,EAEjB;AAAA,EA6HA,WAAiB;AACT,UAAA8D,IAAe,eAAe,QAAQ,eAAe;AAC3D,QAAIA;AACE,UAAA;AACI,cAAAlB,IAAU,KAAK,MAAMkB,CAAY;AACvC,QAAA9B,EAAa,SAAS;AAAA,UACpB,iBAAiB;AAAA,UACjB,WAAW;AAAA,UACX,SAAAY;AAAA,QAAA,CACD;AAAA,eACMvF,GAAK;AACL,QAAA/H,EAAA,MAAM,4BAA4B+H,CAAG;AAAA,MAC9C;AAAA,EAEJ;AAAA,EAEA,0BAA0B;AAGxB,WAAO,IAAIkE,GAAiB,KAAK,iBAAiB,KAAK,cAAc;AAAA,EACvE;AACF;AAEA,MAAMwC,KAEF,CAAC3M,MAAY,IAAIsK,GAA6BtK,CAAO;","x_google_ignoreList":[0,1]}
1
+ {"version":3,"file":"zudoku.auth-openid.js","sources":["../../../node_modules/.pnpm/loglevel@1.9.2/node_modules/loglevel/lib/loglevel.js","../../../node_modules/.pnpm/oauth4webapi@2.17.0/node_modules/oauth4webapi/build/index.js","../src/lib/authentication/components/CallbackHandler.tsx","../src/lib/authentication/errors.ts","../src/lib/authentication/providers/openid.tsx"],"sourcesContent":["/*\n* loglevel - https://github.com/pimterry/loglevel\n*\n* Copyright (c) 2013 Tim Perry\n* Licensed under the MIT license.\n*/\n(function (root, definition) {\n \"use strict\";\n if (typeof define === 'function' && define.amd) {\n define(definition);\n } else if (typeof module === 'object' && module.exports) {\n module.exports = definition();\n } else {\n root.log = definition();\n }\n}(this, function () {\n \"use strict\";\n\n // Slightly dubious tricks to cut down minimized file size\n var noop = function() {};\n var undefinedType = \"undefined\";\n var isIE = (typeof window !== undefinedType) && (typeof window.navigator !== undefinedType) && (\n /Trident\\/|MSIE /.test(window.navigator.userAgent)\n );\n\n var logMethods = [\n \"trace\",\n \"debug\",\n \"info\",\n \"warn\",\n \"error\"\n ];\n\n var _loggersByName = {};\n var defaultLogger = null;\n\n // Cross-browser bind equivalent that works at least back to IE6\n function bindMethod(obj, methodName) {\n var method = obj[methodName];\n if (typeof method.bind === 'function') {\n return method.bind(obj);\n } else {\n try {\n return Function.prototype.bind.call(method, obj);\n } catch (e) {\n // Missing bind shim or IE8 + Modernizr, fallback to wrapping\n return function() {\n return Function.prototype.apply.apply(method, [obj, arguments]);\n };\n }\n }\n }\n\n // Trace() doesn't print the message in IE, so for that case we need to wrap it\n function traceForIE() {\n if (console.log) {\n if (console.log.apply) {\n console.log.apply(console, arguments);\n } else {\n // In old IE, native console methods themselves don't have apply().\n Function.prototype.apply.apply(console.log, [console, arguments]);\n }\n }\n if (console.trace) console.trace();\n }\n\n // Build the best logging method possible for this env\n // Wherever possible we want to bind, not wrap, to preserve stack traces\n function realMethod(methodName) {\n if (methodName === 'debug') {\n methodName = 'log';\n }\n\n if (typeof console === undefinedType) {\n return false; // No method possible, for now - fixed later by enableLoggingWhenConsoleArrives\n } else if (methodName === 'trace' && isIE) {\n return traceForIE;\n } else if (console[methodName] !== undefined) {\n return bindMethod(console, methodName);\n } else if (console.log !== undefined) {\n return bindMethod(console, 'log');\n } else {\n return noop;\n }\n }\n\n // These private functions always need `this` to be set properly\n\n function replaceLoggingMethods() {\n /*jshint validthis:true */\n var level = this.getLevel();\n\n // Replace the actual methods.\n for (var i = 0; i < logMethods.length; i++) {\n var methodName = logMethods[i];\n this[methodName] = (i < level) ?\n noop :\n this.methodFactory(methodName, level, this.name);\n }\n\n // Define log.log as an alias for log.debug\n this.log = this.debug;\n\n // Return any important warnings.\n if (typeof console === undefinedType && level < this.levels.SILENT) {\n return \"No console available for logging\";\n }\n }\n\n // In old IE versions, the console isn't present until you first open it.\n // We build realMethod() replacements here that regenerate logging methods\n function enableLoggingWhenConsoleArrives(methodName) {\n return function () {\n if (typeof console !== undefinedType) {\n replaceLoggingMethods.call(this);\n this[methodName].apply(this, arguments);\n }\n };\n }\n\n // By default, we use closely bound real methods wherever possible, and\n // otherwise we wait for a console to appear, and then try again.\n function defaultMethodFactory(methodName, _level, _loggerName) {\n /*jshint validthis:true */\n return realMethod(methodName) ||\n enableLoggingWhenConsoleArrives.apply(this, arguments);\n }\n\n function Logger(name, factory) {\n // Private instance variables.\n var self = this;\n /**\n * The level inherited from a parent logger (or a global default). We\n * cache this here rather than delegating to the parent so that it stays\n * in sync with the actual logging methods that we have installed (the\n * parent could change levels but we might not have rebuilt the loggers\n * in this child yet).\n * @type {number}\n */\n var inheritedLevel;\n /**\n * The default level for this logger, if any. If set, this overrides\n * `inheritedLevel`.\n * @type {number|null}\n */\n var defaultLevel;\n /**\n * A user-specific level for this logger. If set, this overrides\n * `defaultLevel`.\n * @type {number|null}\n */\n var userLevel;\n\n var storageKey = \"loglevel\";\n if (typeof name === \"string\") {\n storageKey += \":\" + name;\n } else if (typeof name === \"symbol\") {\n storageKey = undefined;\n }\n\n function persistLevelIfPossible(levelNum) {\n var levelName = (logMethods[levelNum] || 'silent').toUpperCase();\n\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage[storageKey] = levelName;\n return;\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=\" + levelName + \";\";\n } catch (ignore) {}\n }\n\n function getPersistedLevel() {\n var storedLevel;\n\n if (typeof window === undefinedType || !storageKey) return;\n\n try {\n storedLevel = window.localStorage[storageKey];\n } catch (ignore) {}\n\n // Fallback to cookies if local storage gives us nothing\n if (typeof storedLevel === undefinedType) {\n try {\n var cookie = window.document.cookie;\n var cookieName = encodeURIComponent(storageKey);\n var location = cookie.indexOf(cookieName + \"=\");\n if (location !== -1) {\n storedLevel = /^([^;]+)/.exec(\n cookie.slice(location + cookieName.length + 1)\n )[1];\n }\n } catch (ignore) {}\n }\n\n // If the stored level is not valid, treat it as if nothing was stored.\n if (self.levels[storedLevel] === undefined) {\n storedLevel = undefined;\n }\n\n return storedLevel;\n }\n\n function clearPersistedLevel() {\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage.removeItem(storageKey);\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=; expires=Thu, 01 Jan 1970 00:00:00 UTC\";\n } catch (ignore) {}\n }\n\n function normalizeLevel(input) {\n var level = input;\n if (typeof level === \"string\" && self.levels[level.toUpperCase()] !== undefined) {\n level = self.levels[level.toUpperCase()];\n }\n if (typeof level === \"number\" && level >= 0 && level <= self.levels.SILENT) {\n return level;\n } else {\n throw new TypeError(\"log.setLevel() called with invalid level: \" + input);\n }\n }\n\n /*\n *\n * Public logger API - see https://github.com/pimterry/loglevel for details\n *\n */\n\n self.name = name;\n\n self.levels = { \"TRACE\": 0, \"DEBUG\": 1, \"INFO\": 2, \"WARN\": 3,\n \"ERROR\": 4, \"SILENT\": 5};\n\n self.methodFactory = factory || defaultMethodFactory;\n\n self.getLevel = function () {\n if (userLevel != null) {\n return userLevel;\n } else if (defaultLevel != null) {\n return defaultLevel;\n } else {\n return inheritedLevel;\n }\n };\n\n self.setLevel = function (level, persist) {\n userLevel = normalizeLevel(level);\n if (persist !== false) { // defaults to true\n persistLevelIfPossible(userLevel);\n }\n\n // NOTE: in v2, this should call rebuild(), which updates children.\n return replaceLoggingMethods.call(self);\n };\n\n self.setDefaultLevel = function (level) {\n defaultLevel = normalizeLevel(level);\n if (!getPersistedLevel()) {\n self.setLevel(level, false);\n }\n };\n\n self.resetLevel = function () {\n userLevel = null;\n clearPersistedLevel();\n replaceLoggingMethods.call(self);\n };\n\n self.enableAll = function(persist) {\n self.setLevel(self.levels.TRACE, persist);\n };\n\n self.disableAll = function(persist) {\n self.setLevel(self.levels.SILENT, persist);\n };\n\n self.rebuild = function () {\n if (defaultLogger !== self) {\n inheritedLevel = normalizeLevel(defaultLogger.getLevel());\n }\n replaceLoggingMethods.call(self);\n\n if (defaultLogger === self) {\n for (var childName in _loggersByName) {\n _loggersByName[childName].rebuild();\n }\n }\n };\n\n // Initialize all the internal levels.\n inheritedLevel = normalizeLevel(\n defaultLogger ? defaultLogger.getLevel() : \"WARN\"\n );\n var initialLevel = getPersistedLevel();\n if (initialLevel != null) {\n userLevel = normalizeLevel(initialLevel);\n }\n replaceLoggingMethods.call(self);\n }\n\n /*\n *\n * Top-level API\n *\n */\n\n defaultLogger = new Logger();\n\n defaultLogger.getLogger = function getLogger(name) {\n if ((typeof name !== \"symbol\" && typeof name !== \"string\") || name === \"\") {\n throw new TypeError(\"You must supply a name when creating a logger.\");\n }\n\n var logger = _loggersByName[name];\n if (!logger) {\n logger = _loggersByName[name] = new Logger(\n name,\n defaultLogger.methodFactory\n );\n }\n return logger;\n };\n\n // Grab the current global log variable in case of overwrite\n var _log = (typeof window !== undefinedType) ? window.log : undefined;\n defaultLogger.noConflict = function() {\n if (typeof window !== undefinedType &&\n window.log === defaultLogger) {\n window.log = _log;\n }\n\n return defaultLogger;\n };\n\n defaultLogger.getLoggers = function getLoggers() {\n return _loggersByName;\n };\n\n // ES6 default export, for compatibility\n defaultLogger['default'] = defaultLogger;\n\n return defaultLogger;\n}));\n","let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v2.17.0';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const modifyAssertion = Symbol();\nexport const jweDecrypt = Symbol();\nexport const jwksCache = Symbol();\nexport const useMtlsAlias = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nconst CHUNK_SIZE = 0x8000;\nfunction encodeBase64Url(input) {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\nfunction decodeBase64Url(input) {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw new OPE('The input to be decoded is not correctly encoded.', { cause });\n }\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nclass LRU {\n constructor(maxSize) {\n this.cache = new Map();\n this._cache = new Map();\n this.maxSize = maxSize;\n }\n get(key) {\n let v = this.cache.get(key);\n if (v) {\n return v;\n }\n if ((v = this._cache.get(key))) {\n this.update(key, v);\n return v;\n }\n return undefined;\n }\n has(key) {\n return this.cache.has(key) || this._cache.has(key);\n }\n set(key, value) {\n if (this.cache.has(key)) {\n this.cache.set(key, value);\n }\n else {\n this.update(key, value);\n }\n return this;\n }\n delete(key) {\n if (this.cache.has(key)) {\n return this.cache.delete(key);\n }\n if (this._cache.has(key)) {\n return this._cache.delete(key);\n }\n return false;\n }\n update(key, value) {\n this.cache.set(key, value);\n if (this.cache.size >= this.maxSize) {\n this._cache = this.cache;\n this.cache = new Map();\n }\n }\n}\nexport class UnsupportedOperationError extends Error {\n constructor(message) {\n super(message ?? 'operation not supported');\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst OPE = OperationProcessingError;\nconst dpopNonces = new LRU(100);\nfunction isCryptoKey(key) {\n return key instanceof CryptoKey;\n}\nfunction isPrivateKey(key) {\n return isCryptoKey(key) && key.type === 'private';\n}\nfunction isPublicKey(key) {\n return isCryptoKey(key) && key.type === 'public';\n}\nconst SUPPORTED_JWS_ALGS = [\n 'PS256',\n 'ES256',\n 'RS256',\n 'PS384',\n 'ES384',\n 'RS384',\n 'PS512',\n 'ES512',\n 'RS512',\n 'EdDSA',\n];\nfunction processDpopNonce(response) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n dpopNonces.set(new URL(response.url).origin, nonce);\n }\n }\n catch { }\n return response;\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = Object.fromEntries(input.entries());\n }\n const headers = new Headers(input);\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw new TypeError('\"options.headers\" must not include the \"authorization\" header name');\n }\n if (headers.has('dpop')) {\n throw new TypeError('\"options.headers\" must not include the \"dpop\" header name');\n }\n return headers;\n}\nfunction signal(value) {\n if (typeof value === 'function') {\n value = value();\n }\n if (!(value instanceof AbortSignal)) {\n throw new TypeError('\"options.signal\" must return or be an instance of AbortSignal');\n }\n return value;\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n if (!(issuerIdentifier instanceof URL)) {\n throw new TypeError('\"issuerIdentifier\" must be an instance of URL');\n }\n if (issuerIdentifier.protocol !== 'https:' && issuerIdentifier.protocol !== 'http:') {\n throw new TypeError('\"issuer.protocol\" must be \"https:\" or \"http:\"');\n }\n const url = new URL(issuerIdentifier.href);\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace('//', '/');\n break;\n case 'oauth2':\n if (url.pathname === '/') {\n url.pathname = '.well-known/oauth-authorization-server';\n }\n else {\n url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/');\n }\n break;\n default:\n throw new TypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"');\n }\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nfunction validateString(input) {\n return typeof input === 'string' && input.length !== 0;\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n if (!(expectedIssuerIdentifier instanceof URL)) {\n throw new TypeError('\"expectedIssuer\" must be an instance of URL');\n }\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform Authorization Server Metadata response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.issuer)) {\n throw new OPE('\"response\" body \"issuer\" property must be a non-empty string');\n }\n if (new URL(json.issuer).href !== expectedIssuerIdentifier.href) {\n throw new OPE('\"response\" body \"issuer\" does not match \"expectedIssuer\"');\n }\n return json;\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined && !validateString(input.kid)) {\n throw new TypeError('\"kid\" must be a non-empty string');\n }\n return {\n key: input.key,\n kid: input.kid,\n modifyAssertion: input[modifyAssertion],\n };\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/%20/g, '+');\n}\nfunction clientSecretBasic(clientId, clientSecret) {\n const username = formUrlEncode(clientId);\n const password = formUrlEncode(clientSecret);\n const credentials = btoa(`${username}:${password}`);\n return `Basic ${credentials}`;\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve');\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n case 'Ed25519':\n case 'Ed448':\n return 'EdDSA';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name');\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction clientAssertion(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: [as.issuer, as.token_endpoint],\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nasync function privateKeyJwt(as, client, key, kid, modifyAssertion) {\n const header = { alg: keyToJws(key), kid };\n const payload = clientAssertion(as, client);\n modifyAssertion?.(header, payload);\n return jwt(header, payload, key);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw new TypeError('\"as\" must be an object');\n }\n if (!validateString(as.issuer)) {\n throw new TypeError('\"as.issuer\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw new TypeError('\"client\" must be an object');\n }\n if (!validateString(client.client_id)) {\n throw new TypeError('\"client.client_id\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClientSecret(clientSecret) {\n if (!validateString(clientSecret)) {\n throw new TypeError('\"client.client_secret\" property must be a non-empty string');\n }\n return clientSecret;\n}\nfunction assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {\n if (clientPrivateKey !== undefined) {\n throw new TypeError(`\"options.clientPrivateKey\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nfunction assertNoClientSecret(clientAuthMethod, clientSecret) {\n if (clientSecret !== undefined) {\n throw new TypeError(`\"client.client_secret\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nasync function clientAuthentication(as, client, body, headers, clientPrivateKey) {\n body.delete('client_secret');\n body.delete('client_assertion_type');\n body.delete('client_assertion');\n switch (client.token_endpoint_auth_method) {\n case undefined:\n case 'client_secret_basic': {\n assertNoClientPrivateKey('client_secret_basic', clientPrivateKey);\n headers.set('authorization', clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));\n break;\n }\n case 'client_secret_post': {\n assertNoClientPrivateKey('client_secret_post', clientPrivateKey);\n body.set('client_id', client.client_id);\n body.set('client_secret', assertClientSecret(client.client_secret));\n break;\n }\n case 'private_key_jwt': {\n assertNoClientSecret('private_key_jwt', client.client_secret);\n if (clientPrivateKey === undefined) {\n throw new TypeError('\"options.clientPrivateKey\" must be provided when \"client.token_endpoint_auth_method\" is \"private_key_jwt\"');\n }\n const { key, kid, modifyAssertion } = getKeyAndKid(clientPrivateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"options.clientPrivateKey.key\" must be a private CryptoKey');\n }\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await privateKeyJwt(as, client, key, kid, modifyAssertion));\n break;\n }\n case 'tls_client_auth':\n case 'self_signed_tls_client_auth':\n case 'none': {\n assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);\n assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);\n body.set('client_id', client.client_id);\n break;\n }\n default:\n throw new UnsupportedOperationError('unsupported client token_endpoint_auth_method');\n }\n}\nasync function jwt(header, payload, key) {\n if (!key.usages.includes('sign')) {\n throw new TypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"');\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return `${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid, modifyAssertion } = getKeyAndKid(privateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"privateKey.key\" must be a private CryptoKey');\n }\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n if (!Number.isFinite(claims.max_age)) {\n throw new OPE('\"max_age\" parameter must be a number');\n }\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"claims\" parameter as JSON', { cause });\n }\n if (!isJsonObject(claims.claims)) {\n throw new OPE('\"claims\" parameter must be a JSON with a top level object');\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"authorization_details\" parameter as JSON', { cause });\n }\n if (!Array.isArray(claims.authorization_details)) {\n throw new OPE('\"authorization_details\" parameter must be a JSON with a top level array');\n }\n }\n }\n const header = {\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n };\n modifyAssertion?.(header, claims);\n return jwt(header, claims, key);\n}\nasync function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken) {\n const { privateKey, publicKey, nonce = dpopNonces.get(url.origin) } = options;\n if (!isPrivateKey(privateKey)) {\n throw new TypeError('\"DPoP.privateKey\" must be a private CryptoKey');\n }\n if (!isPublicKey(publicKey)) {\n throw new TypeError('\"DPoP.publicKey\" must be a public CryptoKey');\n }\n if (nonce !== undefined && !validateString(nonce)) {\n throw new TypeError('\"DPoP.nonce\" must be a non-empty string or undefined');\n }\n if (!publicKey.extractable) {\n throw new TypeError('\"DPoP.publicKey.extractable\" must be true');\n }\n const now = epochTime() + clockSkew;\n const header = {\n alg: keyToJws(privateKey),\n typ: 'dpop+jwt',\n jwk: await publicJwk(publicKey),\n };\n const payload = {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,\n };\n options[modifyAssertion]?.(header, payload);\n headers.set('dpop', await jwt(header, payload, privateKey));\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key) {\n const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv };\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key) {\n jwkCache || (jwkCache = new WeakMap());\n return jwkCache.get(key) || getSetPublicJwkCache(key);\n}\nfunction validateEndpoint(value, endpoint, useMtlsAlias) {\n if (typeof value !== 'string') {\n if (useMtlsAlias) {\n throw new TypeError(`\"as.mtls_endpoint_aliases.${endpoint}\" must be a string`);\n }\n throw new TypeError(`\"as.${endpoint}\" must be a string`);\n }\n return new URL(value);\n}\nfunction resolveEndpoint(as, endpoint, useMtlsAlias = false) {\n if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias);\n }\n return validateEndpoint(as[endpoint], endpoint, useMtlsAlias);\n}\nfunction alias(client, options) {\n if (client.use_mtls_endpoint_aliases || options?.[useMtlsAlias]) {\n return true;\n }\n return false;\n}\nexport async function pushedAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', alias(client, options));\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport function isOAuth2Error(input) {\n const value = input;\n if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n return false;\n }\n return value.error !== undefined;\n}\nfunction unquote(value) {\n if (value.length >= 2 && value[0] === '\"' && value[value.length - 1] === '\"') {\n return value.slice(1, -1);\n }\n return value;\n}\nconst SPLIT_REGEXP = /((?:,|, )?[0-9a-zA-Z!#$%&'*+-.^_`|~]+=)/;\nconst SCHEMES_REGEXP = /(?:^|, ?)([0-9a-zA-Z!#$%&'*+\\-.^_`|~]+)(?=$|[ ,])/g;\nfunction wwwAuth(scheme, params) {\n const arr = params.split(SPLIT_REGEXP).slice(1);\n if (!arr.length) {\n return { scheme: scheme.toLowerCase(), parameters: {} };\n }\n arr[arr.length - 1] = arr[arr.length - 1].replace(/,$/, '');\n const parameters = {};\n for (let i = 1; i < arr.length; i += 2) {\n const idx = i;\n if (arr[idx][0] === '\"') {\n while (arr[idx].slice(-1) !== '\"' && ++i < arr.length) {\n arr[idx] += arr[i];\n }\n }\n const key = arr[idx - 1].replace(/^(?:, ?)|=$/g, '').toLowerCase();\n parameters[key] = unquote(arr[idx]);\n }\n return {\n scheme: scheme.toLowerCase(),\n parameters,\n };\n}\nexport function parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const result = [];\n for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) {\n result.push([scheme, index]);\n }\n if (!result.length) {\n return undefined;\n }\n const challenges = result.map(([scheme, indexOf], i, others) => {\n const next = others[i + 1];\n let parameters;\n if (next) {\n parameters = header.slice(indexOf, next[1]);\n }\n else {\n parameters = header.slice(indexOf);\n }\n return wwwAuth(scheme, parameters);\n });\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 201) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Pushed Authorization Request Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.request_uri)) {\n throw new OPE('\"response\" body \"request_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n return json;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n if (!validateString(accessToken)) {\n throw new TypeError('\"accessToken\" must be a non-empty string');\n }\n if (!(url instanceof URL)) {\n throw new TypeError('\"url\" must be an instance of URL');\n }\n headers = prepareHeaders(headers);\n if (options?.DPoP === undefined) {\n headers.set('authorization', `Bearer ${accessToken}`);\n }\n else {\n await dpopProofJwt(headers, options.DPoP, url, method.toUpperCase(), getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);\n headers.set('authorization', `DPoP ${accessToken}`);\n }\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', alias(client, options));\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return protectedResourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap || (jwksMap = new WeakMap());\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(alg);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {\n setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);\n }\n let jwks;\n let age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'EdDSA' && !(jwk.crv === 'Ed25519' || jwk.crv === 'Ed448'):\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw new OPE('error when selecting a JWT verification key, no applicable keys found');\n }\n if (length !== 1) {\n throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('jwks_uri must only contain public keys');\n }\n return key;\n}\nexport const skipSubjectCheck = Symbol();\nfunction getContentType(response) {\n return response.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform UserInfo Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/jwt') {\n assertReadableResponse(response);\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client), client[jweDecrypt])\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as.issuer));\n jwtResponseBodies.set(response, jwt);\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw new OPE('JWT UserInfo Response expected');\n }\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.sub)) {\n throw new OPE('\"response\" body \"sub\" property must be a non-empty string');\n }\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n if (!validateString(expectedSubject)) {\n throw new OPE('\"expectedSubject\" must be a non-empty string');\n }\n if (json.sub !== expectedSubject) {\n throw new OPE('unexpected \"response\" body \"sub\" value');\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, method, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function tokenEndpointRequest(as, client, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', alias(client, options));\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);\n}\nexport async function refreshTokenGrantRequest(as, client, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(refreshToken)) {\n throw new TypeError('\"refreshToken\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nconst jwtResponseBodies = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw new TypeError('\"ref\" was already garbage collected or did not resolve from the proper sources');\n }\n return claims[0];\n}\nexport async function validateIdTokenSignature(as, ref, options) {\n assertAs(as);\n if (!idTokenClaims.has(ref)) {\n throw new OPE('\"ref\" does not contain an ID Token to verify the signature of');\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature, } = idTokenClaims.get(ref)[1].split('.');\n const header = JSON.parse(buf(b64u(protectedHeader)));\n if (header.alg.startsWith('HS')) {\n throw new UnsupportedOperationError();\n }\n let key;\n key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));\n}\nasync function validateJwtResponseSignature(as, ref, options) {\n assertAs(as);\n if (!jwtResponseBodies.has(ref)) {\n throw new OPE('\"ref\" does not contain a processed JWT Response to verify the signature of');\n }\n const { 0: protectedHeader, 1: payload, 2: encodedSignature, } = jwtResponseBodies.get(ref).split('.');\n const header = JSON.parse(buf(b64u(protectedHeader)));\n if (header.alg.startsWith('HS')) {\n throw new UnsupportedOperationError();\n }\n let key;\n key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);\n await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));\n}\nexport function validateJwtUserInfoSignature(as, ref, options) {\n return validateJwtResponseSignature(as, ref, options);\n}\nexport function validateJwtIntrospectionSignature(as, ref, options) {\n return validateJwtResponseSignature(as, ref, options);\n}\nasync function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Token Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.access_token)) {\n throw new OPE('\"response\" body \"access_token\" property must be a non-empty string');\n }\n if (!validateString(json.token_type)) {\n throw new OPE('\"response\" body \"token_type\" property must be a non-empty string');\n }\n json.token_type = json.token_type.toLowerCase();\n if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value');\n }\n if (json.expires_in !== undefined &&\n (typeof json.expires_in !== 'number' || json.expires_in <= 0)) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (!ignoreRefreshToken &&\n json.refresh_token !== undefined &&\n !validateString(json.refresh_token)) {\n throw new OPE('\"response\" body \"refresh_token\" property must be a non-empty string');\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw new OPE('\"response\" body \"scope\" property must be a string');\n }\n if (!ignoreIdToken) {\n if (json.id_token !== undefined && !validateString(json.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n if (json.id_token) {\n const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client), client[jweDecrypt])\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw new OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences');\n }\n if (claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n idTokenClaims.set(json, [claims, jwt]);\n }\n }\n return json;\n}\nexport async function processRefreshTokenResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n }\n else if (result.claims.aud !== expected) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n return result;\n}\nfunction validateOptionalIssuer(expected, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(expected, result);\n }\n return result;\n}\nfunction validateIssuer(expected, result) {\n if (result.claims.iss !== expected) {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim value');\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw new TypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()');\n }\n if (!validateString(redirectUri)) {\n throw new TypeError('\"redirectUri\" must be a non-empty string');\n }\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw new OPE('no authorization code in \"callbackParameters\"');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code_verifier', codeVerifier);\n parameters.set('code', code);\n return tokenEndpointRequest(as, client, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw new OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`);\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge) {\n const result = await processGenericAccessTokenResponse(as, client, response);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!validateString(result.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n maxAge ?? (maxAge = client.default_max_age ?? skipAuthTimeCheck);\n const claims = getValidatedIdTokenClaims(result);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n switch (expectedNonce) {\n case undefined:\n case expectNoNonce:\n if (claims.nonce !== undefined) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n break;\n default:\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce === undefined) {\n throw new OPE('ID Token \"nonce\" claim missing');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n }\n return result;\n}\nexport async function processAuthorizationCodeOAuth2Response(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (result.id_token !== undefined) {\n if (typeof result.id_token === 'string' && result.id_token.length) {\n throw new OPE('Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing');\n }\n delete result.id_token;\n }\n return result;\n}\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw new OPE('unexpected JWT \"typ\" header parameter value');\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function genericTokenEndpointRequest(as, client, grantType, parameters, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(grantType)) {\n throw new TypeError('\"grantType\" must be a non-empty string');\n }\n return tokenEndpointRequest(as, client, grantType, new URLSearchParams(parameters), options);\n}\nexport async function processClientCredentialsResponse(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n return result;\n}\nexport async function revocationRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'revocation_endpoint', alias(client, options));\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Revocation Endpoint response');\n }\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw new TypeError('\"response\" body has been used already');\n }\n}\nexport async function introspectionRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'introspection_endpoint', alias(client, options));\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Introspection Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client), client[jweDecrypt])\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n jwtResponseBodies.set(response, jwt);\n json = claims.token_introspection;\n if (!isJsonObject(json)) {\n throw new OPE('JWT \"token_introspection\" claim must be a JSON object');\n }\n }\n else {\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n }\n if (typeof json.active !== 'boolean') {\n throw new OPE('\"response\" body \"active\" property must be a boolean');\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri');\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform JSON Web Key Set response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!Array.isArray(json.keys)) {\n throw new OPE('\"response\" body \"keys\" property must be an array');\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw new OPE('\"response\" body \"keys\" property members must be JWK formatted objects');\n }\n return json;\n}\nasync function handleOAuthBodyError(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n try {\n const json = await response.json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n if (json.error_description !== undefined && typeof json.error_description !== 'string') {\n delete json.error_description;\n }\n if (json.error_uri !== undefined && typeof json.error_uri !== 'string') {\n delete json.error_uri;\n }\n if (json.algs !== undefined && typeof json.algs !== 'string') {\n delete json.algs;\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n delete json.scope;\n }\n return json;\n }\n }\n catch { }\n }\n return undefined;\n}\nfunction checkSupportedJwsAlg(alg) {\n if (!SUPPORTED_JWS_ALGS.includes(alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier');\n }\n return alg;\n}\nfunction checkRsaKeyAlgorithm(algorithm) {\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);\n }\n}\nfunction ecdsaHashName(namedCurve) {\n switch (namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError();\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key.algorithm.namedCurve),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key.algorithm);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError();\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key.algorithm);\n return key.algorithm.name;\n case 'Ed448':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError();\n}\nconst noSignatureCheck = Symbol();\nasync function validateJwsSignature(protectedHeader, payload, key, signature) {\n const input = `${protectedHeader}.${payload}`;\n const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));\n if (!verified) {\n throw new OPE('JWT signature verification failed');\n }\n}\nasync function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance, decryptJwt) {\n let { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');\n if (length === 5) {\n if (decryptJwt !== undefined) {\n jws = await decryptJwt(jws);\n ({ 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.'));\n }\n else {\n throw new UnsupportedOperationError('JWE structure JWTs are not supported');\n }\n }\n if (length !== 3) {\n throw new OPE('Invalid JWT');\n }\n let header;\n try {\n header = JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(header)) {\n throw new OPE('JWT Header must be a top level object');\n }\n checkAlg(header);\n if (header.crit !== undefined) {\n throw new OPE('unexpected JWT \"crit\" header parameter');\n }\n const signature = b64u(encodedSignature);\n let key;\n if (getKey !== noSignatureCheck) {\n key = await getKey(header);\n await validateJwsSignature(protectedHeader, payload, key, signature);\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(claims)) {\n throw new OPE('JWT Payload must be a top level object');\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim type');\n }\n if (claims.exp <= now - clockTolerance) {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()');\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim type');\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim type');\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim type');\n }\n if (claims.nbf > now + clockTolerance) {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()');\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim type');\n }\n }\n return { header, claims, signature, key, jwt: jws };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw new OPE('\"parameters\" does not contain a JARM response');\n }\n const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client), client[jweDecrypt])\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(alg, data, key) {\n let algorithm;\n switch (alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'ES512':\n algorithm = 'SHA-512';\n break;\n case 'EdDSA':\n if (key.algorithm.name === 'Ed25519') {\n algorithm = 'SHA-512';\n break;\n }\n throw new UnsupportedOperationError();\n default:\n throw new UnsupportedOperationError();\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, alg, key) {\n const expected = await idTokenHash(alg, data, key);\n return actual === expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw new TypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters');\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams');\n }\n parameters = new URLSearchParams(parameters);\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new TypeError('\"expectedState\" must be a non-empty string');\n }\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!id_token) {\n throw new OPE('\"parameters\" does not contain an ID Token');\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw new OPE('\"parameters\" does not contain an Authorization Code');\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n if (typeof expectedState === 'string') {\n requiredClaims.push('s_hash');\n }\n const { claims, header, key } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client), client[jweDecrypt])\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past');\n }\n if (typeof claims.c_hash !== 'string' ||\n (await idTokenHashMatches(code, claims.c_hash, header.alg, key)) !== true) {\n throw new OPE('invalid ID Token \"c_hash\" (code hash) claim value');\n }\n if (claims.s_hash !== undefined && typeof expectedState !== 'string') {\n throw new OPE('could not verify ID Token \"s_hash\" (state hash) claim value');\n }\n if (typeof expectedState === 'string' &&\n (typeof claims.s_hash !== 'string' ||\n (await idTokenHashMatches(expectedState, claims.s_hash, header.alg, key)) !== true)) {\n throw new OPE('invalid ID Token \"s_hash\" (state hash) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n maxAge ?? (maxAge = client.default_max_age ?? skipAuthTimeCheck);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1) {\n if (claims.azp === undefined) {\n throw new OPE('ID Token \"aud\" (audience) claim includes additional untrusted audiences');\n }\n if (claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, header) {\n if (client !== undefined) {\n if (header.alg !== client) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (header.alg !== 'RS256') {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw new OPE(`\"${name}\" parameter must be provided only once`);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw new OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw new OPE('response parameter \"iss\" (issuer) missing');\n }\n if (iss && iss !== as.issuer) {\n throw new OPE('unexpected \"iss\" (issuer) response parameter value');\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw new OPE('unexpected \"state\" response parameter encountered');\n }\n break;\n case skipStateCheck:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new OPE('\"expectedState\" must be a non-empty string');\n }\n if (state === undefined) {\n throw new OPE('response parameter \"state\" missing');\n }\n if (state !== expectedState) {\n throw new OPE('unexpected \"state\" response parameter value');\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n return {\n error,\n error_description: getURLSearchParameter(parameters, 'error_description'),\n error_uri: getURLSearchParameter(parameters, 'error_uri'),\n };\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg, crv) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA': {\n switch (crv) {\n case 'Ed25519':\n case 'Ed448':\n return crv;\n default:\n throw new UnsupportedOperationError();\n }\n }\n default:\n throw new UnsupportedOperationError();\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg, jwk.crv), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', alias(client, options));\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Device Authorization Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.device_code)) {\n throw new OPE('\"response\" body \"device_code\" property must be a non-empty string');\n }\n if (!validateString(json.user_code)) {\n throw new OPE('\"response\" body \"user_code\" property must be a non-empty string');\n }\n if (!validateString(json.verification_uri)) {\n throw new OPE('\"response\" body \"verification_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (json.verification_uri_complete !== undefined &&\n !validateString(json.verification_uri_complete)) {\n throw new OPE('\"response\" body \"verification_uri_complete\" property must be a non-empty string');\n }\n if (json.interval !== undefined && (typeof json.interval !== 'number' || json.interval <= 0)) {\n throw new OPE('\"response\" body \"interval\" property must be a positive number');\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(deviceCode)) {\n throw new TypeError('\"deviceCode\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nexport async function generateKeyPair(alg, options) {\n if (!validateString(alg)) {\n throw new TypeError('\"alg\" must be a non-empty string');\n }\n const algorithm = algToSubtle(alg, alg === 'EdDSA' ? (options?.crv ?? 'Ed25519') : undefined);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, [\n 'sign',\n 'verify',\n ]);\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(as, request, accessToken, accessTokenClaims, options) {\n const header = request.headers.get('dpop');\n if (header === null) {\n throw new OPE('operation indicated DPoP use but the request has no DPoP HTTP Header');\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw new OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`);\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(header, checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {\n if (!jwk) {\n throw new OPE('DPoP Proof is missing the jwk header parameter');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('DPoP Proof jwk header parameter must contain a public key');\n }\n return key;\n }, clockSkew, getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw new OPE('DPoP Proof iat is not recent enough');\n }\n if (proof.claims.htm !== request.method) {\n throw new OPE('DPoP Proof htm mismatch');\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw new OPE('DPoP Proof htu mismatch');\n }\n {\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(accessToken)));\n if (proof.claims.ath !== expected) {\n throw new OPE('DPoP Proof ath mismatch');\n }\n }\n {\n let components;\n switch (proof.header.jwk.kty) {\n case 'EC':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n y: proof.header.jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n };\n break;\n case 'RSA':\n components = {\n e: proof.header.jwk.e,\n kty: proof.header.jwk.kty,\n n: proof.header.jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(JSON.stringify(components))));\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw new OPE('JWT Access Token confirmation mismatch');\n }\n }\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw new TypeError('\"request\" must be an instance of Request');\n }\n if (!validateString(expectedAudience)) {\n throw new OPE('\"expectedAudience\" must be a non-empty string');\n }\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw new OPE('\"request\" is missing an Authorization HTTP Header');\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme');\n }\n if (length !== 2) {\n throw new OPE('invalid Authorization HTTP Header format');\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, undefined, SUPPORTED_JWS_ALGS), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(options), getClockTolerance(options), undefined)\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, expectedAudience));\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw new OPE(`unexpected JWT \"${claim}\" claim type`);\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw new OPE('unexpected JWT \"cnf\" (confirmation) claim value');\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported');\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method');\n }\n }\n }\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(as, request, accessToken, claims, options);\n }\n return claims;\n}\nexport const experimentalCustomFetch = customFetch;\nexport const experimental_customFetch = customFetch;\nexport const experimentalUseMtlsAlias = useMtlsAlias;\nexport const experimental_useMtlsAlias = useMtlsAlias;\nexport const experimental_validateDetachedSignatureResponse = (...args) => validateDetachedSignatureResponse(...args);\nexport const experimental_validateJwtAccessToken = (...args) => validateJwtAccessToken(...args);\nexport const validateJwtUserinfoSignature = (...args) => validateJwtUserInfoSignature(...args);\nexport const experimental_jwksCache = jwksCache;\n","import logger from \"loglevel\";\nimport { useEffect, useRef, useState } from \"react\";\nimport { useNavigate } from \"react-router-dom\";\nimport { DeveloperHint } from \"../../components/DeveloperHint.js\";\nimport { ErrorPage } from \"../../components/ErrorPage.js\";\nimport { Spinner } from \"../../components/Spinner.js\";\nimport { SyntaxHighlight } from \"../../components/SyntaxHighlight.js\";\n\nexport function CallbackHandler({\n handleCallback,\n}: {\n handleCallback: () => Promise<string>;\n}) {\n const [error, setError] = useState<Error | null>(null);\n const navigate = useNavigate();\n // Deal with double mount in dev mode which will break\n // the OAuth flow because you can only use the code once\n const didInitialize = useRef(false);\n\n useEffect(() => {\n if (didInitialize.current) {\n return;\n }\n didInitialize.current = true;\n handleCallback()\n .then((redirect) => {\n navigate(redirect);\n })\n .catch((err) => {\n logger.error(err);\n setError(err);\n });\n }, [navigate, handleCallback]);\n\n if (error) {\n return (\n <ErrorPage\n category=\"Error\"\n title=\"Authentication Error\"\n message={\n <>\n <DeveloperHint className=\"mb-4\">\n Check the configuration of your authorization provider and ensure\n all settings such as the callback URL are configured correctly.\n </DeveloperHint>\n An error occurred while authorizing the user.\n <SyntaxHighlight code={error.toString()} language=\"plain\" />\n </>\n }\n />\n );\n }\n\n return (\n <div className=\"grid h-full place-items-center\">\n <Spinner />\n </div>\n );\n}\n","export class AuthorizationError extends Error {}\n\ninterface OAuthError {\n readonly error: string;\n readonly error_description?: string;\n readonly error_uri?: string;\n readonly algs?: string;\n readonly scope?: string;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n readonly [parameter: string]: any | undefined;\n}\n\nexport class OAuthAuthorizationError extends AuthorizationError {\n constructor(\n message: string,\n public error: OAuthError,\n options?: ErrorOptions,\n ) {\n super(message, options);\n }\n}\n","import logger from \"loglevel\";\nimport * as oauth from \"oauth4webapi\";\nimport { OpenIDAuthenticationConfig } from \"../../../config/config.js\";\nimport {\n AuthenticationProvider,\n AuthenticationProviderInitializer,\n} from \"../authentication.js\";\nimport { AuthenticationPlugin } from \"../AuthenticationPlugin.js\";\nimport { CallbackHandler } from \"../components/CallbackHandler.js\";\nimport { AuthorizationError, OAuthAuthorizationError } from \"../errors.js\";\nimport { useAuthState, UserProfile } from \"../state.js\";\n\nconst CODE_VERIFIER_KEY = \"code-verifier\";\n\ninterface TokenState {\n accessToken: string;\n refreshToken?: string;\n expiresOn: Date;\n tokenType: string;\n}\n\nclass OpenIdAuthPlugin extends AuthenticationPlugin {\n constructor(\n private callbackUrlPath: string,\n private handleCallback: () => Promise<string>,\n ) {\n super();\n }\n getRoutes() {\n return [\n ...super.getRoutes(),\n {\n path: this.callbackUrlPath,\n element: <CallbackHandler handleCallback={this.handleCallback} />,\n },\n ];\n }\n}\n\nexport class OpenIDAuthenticationProvider implements AuthenticationProvider {\n protected client: oauth.Client;\n protected issuer: string;\n\n protected authorizationServer: oauth.AuthorizationServer | undefined;\n\n protected callbackUrlPath = \"/oauth/callback\";\n protected logoutRedirectUrlPath = \"/\";\n protected onAuthorizationUrl?: (\n authorizationUrl: URL,\n options: { isSignIn: boolean; isSignUp: boolean },\n ) => void;\n private readonly redirectToAfterSignUp: string;\n private readonly redirectToAfterSignIn: string;\n private readonly redirectToAfterSignOut: string;\n private readonly audience?: string;\n\n constructor({\n issuer,\n audience,\n clientId,\n redirectToAfterSignUp,\n redirectToAfterSignIn,\n redirectToAfterSignOut,\n }: OpenIDAuthenticationConfig) {\n this.client = {\n client_id: clientId,\n token_endpoint_auth_method: \"none\",\n };\n this.audience = audience;\n this.issuer = issuer;\n this.redirectToAfterSignUp = redirectToAfterSignUp ?? \"/\";\n this.redirectToAfterSignIn = redirectToAfterSignIn ?? \"/\";\n this.redirectToAfterSignOut = redirectToAfterSignOut ?? \"/\";\n }\n\n protected async getAuthServer() {\n if (!this.authorizationServer) {\n const issuerUrl = new URL(this.issuer);\n const response = await oauth.discoveryRequest(issuerUrl);\n this.authorizationServer = await oauth.processDiscoveryResponse(\n issuerUrl,\n response,\n );\n }\n return this.authorizationServer;\n }\n\n /**\n * Sets the tokens from various OAuth responses\n * @param response\n */\n protected setTokensFromResponse(\n response: oauth.TokenEndpointResponse | oauth.OAuth2Error,\n ) {\n if (oauth.isOAuth2Error(response)) {\n logger.error(\"Bad Token Response\", response);\n throw new OAuthAuthorizationError(\"Bad Token Response\", response);\n }\n\n if (!response.expires_in) {\n throw new AuthorizationError(\"No expires_in in response\");\n }\n\n const tokens: TokenState = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n expiresOn: new Date(Date.now() + response.expires_in * 1000),\n tokenType: response.token_type,\n };\n sessionStorage.setItem(\"token-state\", JSON.stringify(tokens));\n }\n\n async signUp({ redirectTo }: { redirectTo?: string } = {}) {\n return this.authorize({\n redirectTo: redirectTo ?? this.redirectToAfterSignUp,\n isSignUp: true,\n });\n }\n\n async signIn({ redirectTo }: { redirectTo?: string } = {}) {\n return this.authorize({\n redirectTo: redirectTo ?? this.redirectToAfterSignIn,\n });\n }\n\n private async authorize({\n redirectTo,\n isSignUp = false,\n }: {\n redirectTo: string;\n isSignUp?: boolean;\n }): Promise<void> {\n const code_challenge_method = \"S256\";\n const authorizationServer = await this.getAuthServer();\n\n if (!authorizationServer.authorization_endpoint) {\n throw new AuthorizationError(\"No authorization endpoint\");\n }\n\n /**\n * The following MUST be generated for every redirect to the authorization_endpoint. You must store\n * the codeVerifier and nonce in the end-user session such that it can be recovered as the user\n * gets redirected from the authorization server back to your application.\n */\n const codeVerifier = oauth.generateRandomCodeVerifier();\n const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);\n\n sessionStorage.setItem(CODE_VERIFIER_KEY, codeVerifier);\n\n // redirect user to as.authorization_endpoint\n const authorizationUrl = new URL(\n authorizationServer.authorization_endpoint,\n );\n\n sessionStorage.setItem(\"redirect-to\", redirectTo);\n\n const redirectUrl = new URL(window.location.origin);\n redirectUrl.pathname = this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n authorizationUrl.searchParams.set(\"client_id\", this.client.client_id);\n authorizationUrl.searchParams.set(\"redirect_uri\", redirectUrl.toString());\n authorizationUrl.searchParams.set(\"response_type\", \"code\");\n authorizationUrl.searchParams.set(\"scope\", \"openid profile email\");\n authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n authorizationUrl.searchParams.set(\n \"code_challenge_method\",\n code_challenge_method,\n );\n if (this.audience) {\n authorizationUrl.searchParams.set(\"audience\", this.audience);\n }\n\n this.onAuthorizationUrl?.(authorizationUrl, {\n isSignIn: !isSignUp,\n isSignUp,\n });\n\n /**\n * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is\n * backwards compatible even if the AS doesn't support it which is why we're using it regardless.\n */\n if (\n authorizationServer.code_challenge_methods_supported?.includes(\"S256\") !==\n true\n ) {\n const state = oauth.generateRandomState();\n authorizationUrl.searchParams.set(\"state\", state);\n }\n\n // now redirect the user to authorizationUrl.href\n location.href = authorizationUrl.href;\n }\n\n async getAccessToken(): Promise<string> {\n const as = await this.getAuthServer();\n const tokenState = sessionStorage.getItem(\"token-state\");\n if (!tokenState) {\n throw new AuthorizationError(\"User is not authenticated\");\n }\n\n const state = JSON.parse(tokenState) as TokenState;\n if (state.expiresOn < new Date()) {\n if (!state.refreshToken) {\n await this.signIn();\n return \"\";\n }\n\n const request = await oauth.refreshTokenGrantRequest(\n as,\n this.client,\n state.refreshToken,\n );\n const response = await oauth.processRefreshTokenResponse(\n as,\n this.client,\n request,\n );\n\n if (!response.access_token) {\n throw new AuthorizationError(\"No access token in response\");\n }\n\n this.setTokensFromResponse(response);\n\n return response.access_token.toString();\n } else {\n return state.accessToken;\n }\n }\n\n signOut = async () => {\n useAuthState.setState({\n isAuthenticated: false,\n isPending: false,\n profile: undefined,\n });\n sessionStorage.clear();\n\n const as = await this.getAuthServer();\n\n const redirectUrl = new URL(\n window.location.origin + this.redirectToAfterSignOut,\n );\n redirectUrl.pathname = this.logoutRedirectUrlPath;\n\n let logoutUrl: URL;\n // The endSessionEndpoint is set, the IdP supports some form of logout,\n // so we use the IdP logout. Otherwise, just redirect the user to home\n if (as.end_session_endpoint) {\n logoutUrl = new URL(as.end_session_endpoint);\n // TODO: get id_token and set hint\n // const { id_token } = session;\n // if (id_token) {\n // logoutUrl.searchParams.set(\"id_token_hint\", id_token);\n // }\n logoutUrl.searchParams.set(\n \"post_logout_redirect_uri\",\n redirectUrl.toString(),\n );\n } else {\n logoutUrl = redirectUrl;\n }\n };\n\n handleCallback = async () => {\n const url = new URL(window.location.href);\n const state = url.searchParams.get(\"state\");\n\n // one eternity later, the user lands back on the redirect_uri\n // Authorization Code Grant Request & Response\n const codeVerifier = sessionStorage.getItem(CODE_VERIFIER_KEY);\n sessionStorage.removeItem(CODE_VERIFIER_KEY);\n if (!codeVerifier) {\n throw new AuthorizationError(\"No code verifier found in state.\");\n }\n\n const authServer = await this.getAuthServer();\n\n const params = oauth.validateAuthResponse(\n authServer,\n this.client,\n url.searchParams,\n state ?? undefined,\n );\n if (oauth.isOAuth2Error(params)) {\n logger.error(\"Error validating OAuth response\", params);\n throw new OAuthAuthorizationError(\n \"Error validating OAuth response\",\n params,\n );\n }\n\n const redirectUrl = new URL(url);\n redirectUrl.pathname = this.redirectToAfterSignIn;\n redirectUrl.search = \"\";\n\n const response = await oauth.authorizationCodeGrantRequest(\n authServer,\n this.client,\n params,\n redirectUrl.toString(),\n codeVerifier,\n );\n\n // TODO: do we need to do these\n // const challenges = oauth.parseWwwAuthenticateChallenges(response);\n // if (challenges) {\n // for (const challenge of challenges) {\n // console.error(\"WWW-Authenticate Challenge\", challenge);\n // }\n // throw new Error(); // Handle WWW-Authenticate Challenges as needed\n // }\n const oauthResult = await oauth.processAuthorizationCodeOpenIDResponse(\n authServer,\n this.client,\n response,\n );\n\n this.setTokensFromResponse(oauthResult);\n\n const accessToken = await this.getAccessToken();\n\n const userInfoResponse = await oauth.userInfoRequest(\n authServer,\n this.client,\n accessToken,\n );\n const userInfo = await userInfoResponse.json();\n\n const profile: UserProfile = {\n sub: userInfo.sub,\n email: userInfo.email,\n name: userInfo.name,\n emailVerified: userInfo.email_verified ?? false,\n pictureUrl: userInfo.picture,\n };\n\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n\n sessionStorage.setItem(\n \"profile-state\",\n JSON.stringify(useAuthState.getState().profile),\n );\n\n const redirectTo = sessionStorage.getItem(\"redirect-to\") ?? \"/\";\n sessionStorage.removeItem(\"redirect-to\");\n return redirectTo;\n };\n\n pageLoad(): void {\n const profileState = sessionStorage.getItem(\"profile-state\");\n if (profileState) {\n try {\n const profile = JSON.parse(profileState);\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n } catch (err) {\n logger.error(\"Error parsing auth state\", err);\n }\n }\n }\n\n getAuthenticationPlugin() {\n // TODO: This API is a bit messy, we need to refactor auth plugins/providers\n // to remove the extra layers of abstraction.\n return new OpenIdAuthPlugin(this.callbackUrlPath, this.handleCallback);\n }\n}\n\nconst openIDAuth: AuthenticationProviderInitializer<\n OpenIDAuthenticationConfig\n> = (options) => new OpenIDAuthenticationProvider(options);\n\nexport default openIDAuth;\n"],"names":["root","definition","module","this","noop","undefinedType","isIE","logMethods","_loggersByName","defaultLogger","bindMethod","obj","methodName","method","traceForIE","realMethod","replaceLoggingMethods","level","i","enableLoggingWhenConsoleArrives","defaultMethodFactory","_level","_loggerName","Logger","name","factory","self","inheritedLevel","defaultLevel","userLevel","storageKey","persistLevelIfPossible","levelNum","levelName","getPersistedLevel","storedLevel","cookie","cookieName","location","clearPersistedLevel","normalizeLevel","input","persist","childName","initialLevel","logger","_log","USER_AGENT","_b","_a","looseInstanceOf","expected","clockSkew","clockTolerance","customFetch","modifyAssertion","jweDecrypt","useMtlsAlias","encoder","decoder","buf","CHUNK_SIZE","encodeBase64Url","arr","decodeBase64Url","binary","bytes","cause","OPE","b64u","LRU","maxSize","key","v","value","UnsupportedOperationError","message","OperationProcessingError","options","dpopNonces","isCryptoKey","isPrivateKey","isPublicKey","processDpopNonce","response","nonce","isJsonObject","prepareHeaders","headers","signal","discoveryRequest","issuerIdentifier","url","validateString","processDiscoveryResponse","expectedIssuerIdentifier","assertReadableResponse","json","randomBytes","generateRandomCodeVerifier","generateRandomState","calculatePKCECodeChallenge","codeVerifier","getKeyAndKid","formUrlEncode","token","clientSecretBasic","clientId","clientSecret","username","password","psAlg","rsAlg","esAlg","keyToJws","getClockSkew","client","skew","getClockTolerance","tolerance","epochTime","clientAssertion","as","now","privateKeyJwt","kid","header","payload","jwt","assertAs","assertClient","assertClientSecret","assertNoClientPrivateKey","clientAuthMethod","clientPrivateKey","assertNoClientSecret","clientAuthentication","body","signature","keyToSubtle","dpopProofJwt","htm","accessToken","privateKey","publicKey","publicJwk","jwkCache","getSetPublicJwkCache","kty","e","n","x","y","crv","jwk","validateEndpoint","endpoint","resolveEndpoint","alias","isOAuth2Error","protectedResourceRequest","userInfoRequest","authenticatedRequest","tokenEndpointRequest","grantType","parameters","refreshTokenGrantRequest","refreshToken","idTokenClaims","getValidatedIdTokenClaims","ref","claims","processGenericAccessTokenResponse","ignoreIdToken","ignoreRefreshToken","err","handleOAuthBodyError","validateJwt","checkSigningAlgorithm","noSignatureCheck","validatePresence","validateIssuer","validateAudience","processRefreshTokenResponse","result","branded","brand","searchParams","authorizationCodeGrantRequest","callbackParameters","redirectUri","code","getURLSearchParameter","jwtClaimNames","required","claim","expectNoNonce","skipAuthTimeCheck","processAuthorizationCodeOpenIDResponse","expectedNonce","maxAge","checkRsaKeyAlgorithm","algorithm","ecdsaHashName","namedCurve","validateJwsSignature","protectedHeader","jws","checkAlg","getKey","decryptJwt","encodedSignature","length","issuer","skipStateCheck","expectNoState","validateAuthResponse","expectedState","iss","state","error","id_token","CallbackHandler","handleCallback","setError","useState","navigate","useNavigate","didInitialize","useRef","useEffect","redirect","jsx","ErrorPage","jsxs","Fragment","DeveloperHint","SyntaxHighlight","Spinner","AuthorizationError","OAuthAuthorizationError","CODE_VERIFIER_KEY","OpenIdAuthPlugin","AuthenticationPlugin","callbackUrlPath","OpenIDAuthenticationProvider","audience","redirectToAfterSignUp","redirectToAfterSignIn","redirectToAfterSignOut","__publicField","useAuthState","redirectUrl","logoutUrl","authServer","params","oauth.validateAuthResponse","oauth.isOAuth2Error","oauth.authorizationCodeGrantRequest","oauthResult","oauth.processAuthorizationCodeOpenIDResponse","userInfo","oauth.userInfoRequest","profile","redirectTo","issuerUrl","oauth.discoveryRequest","oauth.processDiscoveryResponse","tokens","isSignUp","code_challenge_method","authorizationServer","oauth.generateRandomCodeVerifier","codeChallenge","oauth.calculatePKCECodeChallenge","authorizationUrl","oauth.generateRandomState","tokenState","request","oauth.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","profileState","openIDAuth"],"mappings":";;;;;;;;;;;;;;;AAMA,GAAC,SAAUA,GAAMC,GAAY;AAIlB,IAAkCC,EAAO,UAC5CA,EAAA,UAAiBD,MAEjBD,EAAK,MAAMC;EAElB,GAACE,IAAM,WAAY;AAIhB,QAAIC,IAAO,WAAW;AAAA,OAClBC,IAAgB,aAChBC,IAAQ,OAAO,WAAWD,KAAmB,OAAO,OAAO,cAAcA,KACzE,kBAAkB,KAAK,OAAO,UAAU,SAAS,GAGjDE,IAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACR,GAEQC,IAAiB,CAAA,GACjBC,IAAgB;AAGpB,aAASC,EAAWC,GAAKC,GAAY;AACjC,UAAIC,IAASF,EAAIC,CAAU;AAC3B,UAAI,OAAOC,EAAO,QAAS;AACvB,eAAOA,EAAO,KAAKF,CAAG;AAEtB,UAAI;AACA,eAAO,SAAS,UAAU,KAAK,KAAKE,GAAQF,CAAG;AAAA,MAClD,QAAW;AAER,eAAO,WAAW;AACd,iBAAO,SAAS,UAAU,MAAM,MAAME,GAAQ,CAACF,GAAK,SAAS,CAAC;AAAA,QAClF;AAAA,MACa;AAAA,IAER;AAGD,aAASG,IAAa;AAClB,MAAI,QAAQ,QACJ,QAAQ,IAAI,QACZ,QAAQ,IAAI,MAAM,SAAS,SAAS,IAGpC,SAAS,UAAU,MAAM,MAAM,QAAQ,KAAK,CAAC,SAAS,SAAS,CAAC,IAGpE,QAAQ,SAAO,QAAQ,MAAK;AAAA,IACnC;AAID,aAASC,EAAWH,GAAY;AAK5B,aAJIA,MAAe,YACfA,IAAa,QAGb,OAAO,YAAYP,IACZ,KACAO,MAAe,WAAWN,IAC1BQ,IACA,QAAQF,CAAU,MAAM,SACxBF,EAAW,SAASE,CAAU,IAC9B,QAAQ,QAAQ,SAChBF,EAAW,SAAS,KAAK,IAEzBN;AAAA,IAEd;AAID,aAASY,IAAwB;AAK7B,eAHIC,IAAQ,KAAK,YAGRC,IAAI,GAAGA,IAAIX,EAAW,QAAQW,KAAK;AACxC,YAAIN,IAAaL,EAAWW,CAAC;AAC7B,aAAKN,CAAU,IAAKM,IAAID,IACpBb,IACA,KAAK,cAAcQ,GAAYK,GAAO,KAAK,IAAI;AAAA,MACtD;AAMD,UAHA,KAAK,MAAM,KAAK,OAGZ,OAAO,YAAYZ,KAAiBY,IAAQ,KAAK,OAAO;AACxD,eAAO;AAAA,IAEd;AAID,aAASE,EAAgCP,GAAY;AACjD,aAAO,WAAY;AACf,QAAI,OAAO,YAAYP,MACnBW,EAAsB,KAAK,IAAI,GAC/B,KAAKJ,CAAU,EAAE,MAAM,MAAM,SAAS;AAAA,MAEtD;AAAA,IACK;AAID,aAASQ,EAAqBR,GAAYS,GAAQC,GAAa;AAE3D,aAAOP,EAAWH,CAAU,KACrBO,EAAgC,MAAM,MAAM,SAAS;AAAA,IAC/D;AAED,aAASI,EAAOC,GAAMC,GAAS;AAE7B,UAAIC,IAAO,MASPC,GAMAC,GAMAC,GAEAC,IAAa;AACjB,MAAI,OAAON,KAAS,WAClBM,KAAc,MAAMN,IACX,OAAOA,KAAS,aACzBM,IAAa;AAGf,eAASC,GAAuBC,GAAU;AACtC,YAAIC,KAAa1B,EAAWyB,CAAQ,KAAK,UAAU;AAEnD,YAAI,SAAO,WAAW3B,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAaA,CAAU,IAAIG;AAClC;AAAA,UACd,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBH,CAAU,IAAI,MAAMG,IAAY;AAAA,UACnE,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASC,KAAoB;AACzB,YAAIC;AAEJ,YAAI,SAAO,WAAW9B,KAAiB,CAACyB,IAExC;AAAA,cAAI;AACA,YAAAK,IAAc,OAAO,aAAaL,CAAU;AAAA,UAC1D,QAA2B;AAAA,UAAE;AAGnB,cAAI,OAAOK,MAAgB9B;AACvB,gBAAI;AACA,kBAAI+B,IAAS,OAAO,SAAS,QACzBC,IAAa,mBAAmBP,CAAU,GAC1CQ,KAAWF,EAAO,QAAQC,IAAa,GAAG;AAC9C,cAAIC,OAAa,OACbH,IAAc,WAAW;AAAA,gBACrBC,EAAO,MAAME,KAAWD,EAAW,SAAS,CAAC;AAAA,cAChD,EAAC,CAAC;AAAA,YAEzB,QAA+B;AAAA,YAAE;AAIvB,iBAAIX,EAAK,OAAOS,CAAW,MAAM,WAC7BA,IAAc,SAGXA;AAAA;AAAA,MACV;AAED,eAASI,KAAsB;AAC3B,YAAI,SAAO,WAAWlC,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAa,WAAWA,CAAU;AAAA,UACvD,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBA,CAAU,IAAI;AAAA,UACjD,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASU,EAAeC,GAAO;AAC3B,YAAIxB,IAAQwB;AAIZ,YAHI,OAAOxB,KAAU,YAAYS,EAAK,OAAOT,EAAM,aAAa,MAAM,WAClEA,IAAQS,EAAK,OAAOT,EAAM,YAAa,CAAA,IAEvC,OAAOA,KAAU,YAAYA,KAAS,KAAKA,KAASS,EAAK,OAAO;AAChE,iBAAOT;AAEP,cAAM,IAAI,UAAU,+CAA+CwB,CAAK;AAAA,MAE/E;AAQD,MAAAf,EAAK,OAAOF,GAEZE,EAAK,SAAS;AAAA,QAAE,OAAS;AAAA,QAAG,OAAS;AAAA,QAAG,MAAQ;AAAA,QAAG,MAAQ;AAAA,QACvD,OAAS;AAAA,QAAG,QAAU;AAAA,MAAC,GAE3BA,EAAK,gBAAgBD,KAAWL,GAEhCM,EAAK,WAAW,WAAY;AACxB,eAAIG,KAEOD,KAGFD;AAAA,MAEnB,GAEMD,EAAK,WAAW,SAAUT,GAAOyB,GAAS;AACtC,eAAAb,IAAYW,EAAevB,CAAK,GAC5ByB,MAAY,MACZX,GAAuBF,CAAS,GAI7Bb,EAAsB,KAAKU,CAAI;AAAA,MAChD,GAEMA,EAAK,kBAAkB,SAAUT,GAAO;AACpC,QAAAW,IAAeY,EAAevB,CAAK,GAC9BiB,GAAiB,KAClBR,EAAK,SAAST,GAAO,EAAK;AAAA,MAExC,GAEMS,EAAK,aAAa,WAAY;AAC1B,QAAAG,IAAY,MACZU,MACAvB,EAAsB,KAAKU,CAAI;AAAA,MACzC,GAEMA,EAAK,YAAY,SAASgB,GAAS;AAC/B,QAAAhB,EAAK,SAASA,EAAK,OAAO,OAAOgB,CAAO;AAAA,MAClD,GAEMhB,EAAK,aAAa,SAASgB,GAAS;AAChC,QAAAhB,EAAK,SAASA,EAAK,OAAO,QAAQgB,CAAO;AAAA,MACnD,GAEMhB,EAAK,UAAU,WAAY;AAMvB,YALIjB,MAAkBiB,MAClBC,IAAiBa,EAAe/B,EAAc,SAAU,CAAA,IAE5DO,EAAsB,KAAKU,CAAI,GAE3BjB,MAAkBiB;AAClB,mBAASiB,KAAanC;AACpB,YAAAA,EAAemC,CAAS,EAAE;MAG1C,GAGMhB,IAAiBa;AAAA,QACb/B,IAAgBA,EAAc,SAAQ,IAAK;AAAA,MACrD;AACM,UAAImC,KAAeV;AACnB,MAAIU,MAAgB,SAChBf,IAAYW,EAAeI,EAAY,IAE3C5B,EAAsB,KAAKU,CAAI;AAAA,IAChC;AAQD,IAAAjB,IAAgB,IAAIc,KAEpBd,EAAc,YAAY,SAAmBe,GAAM;AAC/C,UAAK,OAAOA,KAAS,YAAY,OAAOA,KAAS,YAAaA,MAAS;AACnE,cAAM,IAAI,UAAU,gDAAgD;AAGxE,UAAIqB,IAASrC,EAAegB,CAAI;AAChC,aAAKqB,MACDA,IAASrC,EAAegB,CAAI,IAAI,IAAID;AAAA,QAChCC;AAAA,QACAf,EAAc;AAAA,MAC9B,IAEeoC;AAAA,IACf;AAGI,QAAIC,IAAQ,OAAO,WAAWzC,IAAiB,OAAO,MAAM;AAC5D,WAAAI,EAAc,aAAa,WAAW;AAClC,aAAI,OAAO,WAAWJ,KACf,OAAO,QAAQI,MAClB,OAAO,MAAMqC,IAGVrC;AAAA,IACf,GAEIA,EAAc,aAAa,WAAsB;AAC7C,aAAOD;AAAA,IACf,GAGIC,EAAc,UAAaA,GAEpBA;AAAA,EACX,CAAC;;;;ACpWD,IAAIsC;;CACA,OAAO,YAAc,OAAe,GAACC,MAAAC,IAAA,UAAU,cAAV,gBAAAA,EAAqB,eAArB,QAAAD,GAAA,KAAAC,GAAkC,sBAGvEF,IAAa;AAEjB,SAASG,EAAgBT,GAAOU,GAAU;AACtC,MAAIV,KAAS;AACT,WAAO;AAEX,MAAI;AACA,WAAQA,aAAiBU,KACrB,OAAO,eAAeV,CAAK,EAAE,OAAO,WAAW,MAAMU,EAAS,UAAU,OAAO,WAAW;AAAA,EACjG,QACK;AACF,WAAO;AAAA,EACV;AACL;AACO,MAAMC,IAAY,OAAM,GAClBC,KAAiB,OAAM,GACvBC,IAAc,OAAM,GACpBC,KAAkB,OAAM,GACxBC,KAAa,OAAM,GAEnBC,KAAe,OAAM,GAC5BC,KAAU,IAAI,eACdC,KAAU,IAAI;AACpB,SAASC,EAAInB,GAAO;AAChB,SAAI,OAAOA,KAAU,WACViB,GAAQ,OAAOjB,CAAK,IAExBkB,GAAQ,OAAOlB,CAAK;AAC/B;AACA,MAAMoB,KAAa;AACnB,SAASC,GAAgBrB,GAAO;AAC5B,EAAIA,aAAiB,gBACjBA,IAAQ,IAAI,WAAWA,CAAK;AAEhC,QAAMsB,IAAM,CAAA;AACZ,WAAS7C,IAAI,GAAGA,IAAIuB,EAAM,YAAYvB,KAAK2C;AACvC,IAAAE,EAAI,KAAK,OAAO,aAAa,MAAM,MAAMtB,EAAM,SAASvB,GAAGA,IAAI2C,EAAU,CAAC,CAAC;AAE/E,SAAO,KAAKE,EAAI,KAAK,EAAE,CAAC,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AACtF;AACA,SAASC,GAAgBvB,GAAO;AAC5B,MAAI;AACA,UAAMwB,IAAS,KAAKxB,EAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,EAAE,CAAC,GAC5EyB,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,aAAS/C,IAAI,GAAGA,IAAI+C,EAAO,QAAQ/C;AAC/B,MAAAgD,EAAMhD,CAAC,IAAI+C,EAAO,WAAW/C,CAAC;AAElC,WAAOgD;AAAA,EACV,SACMC,GAAO;AACV,UAAM,IAAIC,EAAI,qDAAqD,EAAE,OAAAD,EAAO,CAAA;AAAA,EAC/E;AACL;AACA,SAASE,EAAK5B,GAAO;AACjB,SAAI,OAAOA,KAAU,WACVuB,GAAgBvB,CAAK,IAEzBqB,GAAgBrB,CAAK;AAChC;AACA,MAAM6B,GAAI;AAAA,EACN,YAAYC,GAAS;AACjB,SAAK,QAAQ,oBAAI,OACjB,KAAK,SAAS,oBAAI,OAClB,KAAK,UAAUA;AAAA,EAClB;AAAA,EACD,IAAIC,GAAK;AACL,QAAIC,IAAI,KAAK,MAAM,IAAID,CAAG;AAC1B,QAAIC;AACA,aAAOA;AAEX,QAAKA,IAAI,KAAK,OAAO,IAAID,CAAG;AACxB,kBAAK,OAAOA,GAAKC,CAAC,GACXA;AAAA,EAGd;AAAA,EACD,IAAID,GAAK;AACL,WAAO,KAAK,MAAM,IAAIA,CAAG,KAAK,KAAK,OAAO,IAAIA,CAAG;AAAA,EACpD;AAAA,EACD,IAAIA,GAAKE,GAAO;AACZ,WAAI,KAAK,MAAM,IAAIF,CAAG,IAClB,KAAK,MAAM,IAAIA,GAAKE,CAAK,IAGzB,KAAK,OAAOF,GAAKE,CAAK,GAEnB;AAAA,EACV;AAAA,EACD,OAAOF,GAAK;AACR,WAAI,KAAK,MAAM,IAAIA,CAAG,IACX,KAAK,MAAM,OAAOA,CAAG,IAE5B,KAAK,OAAO,IAAIA,CAAG,IACZ,KAAK,OAAO,OAAOA,CAAG,IAE1B;AAAA,EACV;AAAA,EACD,OAAOA,GAAKE,GAAO;AACf,SAAK,MAAM,IAAIF,GAAKE,CAAK,GACrB,KAAK,MAAM,QAAQ,KAAK,YACxB,KAAK,SAAS,KAAK,OACnB,KAAK,QAAQ,oBAAI;EAExB;AACL;AACO,MAAMC,UAAkC,MAAM;AAAA,EACjD,YAAYC,GAAS;;AACjB,UAAMA,KAAW,yBAAyB,GAC1C,KAAK,OAAO,KAAK,YAAY,OAC7B3B,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACO,MAAM4B,WAAiC,MAAM;AAAA,EAChD,YAAYD,GAASE,GAAS;;AAC1B,UAAMF,GAASE,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,OAC7B7B,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACA,MAAMmB,IAAMS,IACNE,KAAa,IAAIT,GAAI,GAAG;AAC9B,SAASU,GAAYR,GAAK;AACtB,SAAOA,aAAe;AAC1B;AACA,SAASS,GAAaT,GAAK;AACvB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AACA,SAASU,GAAYV,GAAK;AACtB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AAaA,SAASW,GAAiBC,GAAU;AAChC,MAAI;AACA,UAAMC,IAAQD,EAAS,QAAQ,IAAI,YAAY;AAC/C,IAAIC,KACAN,GAAW,IAAI,IAAI,IAAIK,EAAS,GAAG,EAAE,QAAQC,CAAK;AAAA,EAEzD,QACK;AAAA,EAAG;AACT,SAAOD;AACX;AAIA,SAASE,EAAa7C,GAAO;AACzB,SAAI,EAAAA,MAAU,QAAQ,OAAOA,KAAU,YAAY,MAAM,QAAQA,CAAK;AAI1E;AACA,SAAS8C,EAAe9C,GAAO;AAC3B,EAAIS,EAAgBT,GAAO,OAAO,MAC9BA,IAAQ,OAAO,YAAYA,EAAM,QAAS,CAAA;AAE9C,QAAM+C,IAAU,IAAI,QAAQ/C,CAAK;AAIjC,MAHIM,KAAc,CAACyC,EAAQ,IAAI,YAAY,KACvCA,EAAQ,IAAI,cAAczC,CAAU,GAEpCyC,EAAQ,IAAI,eAAe;AAC3B,UAAM,IAAI,UAAU,oEAAoE;AAE5F,MAAIA,EAAQ,IAAI,MAAM;AAClB,UAAM,IAAI,UAAU,2DAA2D;AAEnF,SAAOA;AACX;AACA,SAASC,GAAOf,GAAO;AAInB,MAHI,OAAOA,KAAU,eACjBA,IAAQA,EAAK,IAEb,EAAEA,aAAiB;AACnB,UAAM,IAAI,UAAU,+DAA+D;AAEvF,SAAOA;AACX;AACO,eAAegB,GAAiBC,GAAkBb,GAAS;AAC9D,MAAI,EAAEa,aAA4B;AAC9B,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAIA,EAAiB,aAAa,YAAYA,EAAiB,aAAa;AACxE,UAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAMC,IAAM,IAAI,IAAID,EAAiB,IAAI;AACzC,UAAQb,KAAA,gBAAAA,EAAS,WAAS;AAAA,IACtB,KAAK;AAAA,IACL,KAAK;AACD,MAAAc,EAAI,WAAW,GAAGA,EAAI,QAAQ,oCAAoC,QAAQ,MAAM,GAAG;AACnF;AAAA,IACJ,KAAK;AACD,MAAIA,EAAI,aAAa,MACjBA,EAAI,WAAW,2CAGfA,EAAI,WAAW,0CAA0CA,EAAI,QAAQ,GAAG,QAAQ,MAAM,GAAG;AAE7F;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,2DAA2D;AAAA,EACtF;AACD,QAAMJ,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,KAChCV,KAAA,gBAAAA,EAAUxB,OAAgB,OAAOsC,EAAI,MAAM;AAAA,IAC/C,SAAS,OAAO,YAAYJ,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,QAAQV,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACA,SAASU,EAAepD,GAAO;AAC3B,SAAO,OAAOA,KAAU,YAAYA,EAAM,WAAW;AACzD;AACO,eAAeqD,GAAyBC,GAA0BX,GAAU;AAC/E,MAAI,EAAEW,aAAoC;AACtC,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI,CAAC7C,EAAgBkC,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW;AACpB,UAAM,IAAIhB,EAAI,oEAAoE;AAEtF,EAAA4B,GAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,MAAM;AAC3B,UAAM,IAAI7B,EAAI,8DAA8D;AAEhF,MAAI,IAAI,IAAI6B,EAAK,MAAM,EAAE,SAASF,EAAyB;AACvD,UAAM,IAAI3B,EAAI,0DAA0D;AAE5E,SAAO6B;AACX;AACA,SAASC,IAAc;AACnB,SAAO7B,EAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC1D;AACO,SAAS8B,KAA6B;AACzC,SAAOD,EAAW;AACtB;AACO,SAASE,KAAsB;AAClC,SAAOF,EAAW;AACtB;AAIO,eAAeG,GAA2BC,GAAc;AAC3D,MAAI,CAACT,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,SAAOjC,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAI0C,CAAY,CAAC,CAAC;AACxE;AACA,SAASC,GAAa9D,GAAO;AACzB,MAAIA,aAAiB;AACjB,WAAO,EAAE,KAAKA;AAElB,MAAI,GAAEA,KAAA,gBAAAA,EAAO,gBAAe;AACxB,WAAO;AAEX,MAAIA,EAAM,QAAQ,UAAa,CAACoD,EAAepD,EAAM,GAAG;AACpD,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAO;AAAA,IACH,KAAKA,EAAM;AAAA,IACX,KAAKA,EAAM;AAAA,IACX,iBAAiBA,EAAMc,EAAe;AAAA,EAC9C;AACA;AACA,SAASiD,GAAcC,GAAO;AAC1B,SAAO,mBAAmBA,CAAK,EAAE,QAAQ,QAAQ,GAAG;AACxD;AACA,SAASC,GAAkBC,GAAUC,GAAc;AAC/C,QAAMC,IAAWL,GAAcG,CAAQ,GACjCG,IAAWN,GAAcI,CAAY;AAE3C,SAAO,SADa,KAAK,GAAGC,CAAQ,IAAIC,CAAQ,EAAE,CACvB;AAC/B;AACA,SAASC,GAAMvC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASqC,GAAMxC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASsC,GAAMzC,GAAK;AAChB,UAAQA,EAAI,UAAU,YAAU;AAAA,IAC5B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,uCAAuC;AAAA,EAClF;AACL;AACA,SAASuC,GAAS1C,GAAK;AACnB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAOuC,GAAMvC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOwC,GAAMxC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOyC,GAAMzC,CAAG;AAAA,IACpB,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,sCAAsC;AAAA,EACjF;AACL;AACA,SAASwC,EAAaC,GAAQ;AAC1B,QAAMC,IAAOD,KAAA,gBAAAA,EAAShE;AACtB,SAAO,OAAOiE,KAAS,YAAY,OAAO,SAASA,CAAI,IAAIA,IAAO;AACtE;AACA,SAASC,GAAkBF,GAAQ;AAC/B,QAAMG,IAAYH,KAAA,gBAAAA,EAAS/D;AAC3B,SAAO,OAAOkE,KAAc,YAAY,OAAO,SAASA,CAAS,KAAK,KAAK,KAAKA,CAAS,MAAM,KACzFA,IACA;AACV;AACA,SAASC,IAAY;AACjB,SAAO,KAAK,MAAM,KAAK,IAAK,IAAG,GAAI;AACvC;AACA,SAASC,GAAgBC,GAAIN,GAAQ;AACjC,QAAMO,IAAMH,EAAS,IAAKL,EAAaC,CAAM;AAC7C,SAAO;AAAA,IACH,KAAKlB,EAAa;AAAA,IAClB,KAAK,CAACwB,EAAG,QAAQA,EAAG,cAAc;AAAA,IAClC,KAAKC,IAAM;AAAA,IACX,KAAKA;AAAA,IACL,KAAKA;AAAA,IACL,KAAKP,EAAO;AAAA,IACZ,KAAKA,EAAO;AAAA,EACpB;AACA;AACA,eAAeQ,GAAcF,GAAIN,GAAQ5C,GAAKqD,GAAKtE,GAAiB;AAChE,QAAMuE,IAAS,EAAE,KAAKZ,GAAS1C,CAAG,GAAG,KAAAqD,KAC/BE,IAAUN,GAAgBC,GAAIN,CAAM;AAC1C,SAAA7D,KAAA,QAAAA,EAAkBuE,GAAQC,IACnBC,GAAIF,GAAQC,GAASvD,CAAG;AACnC;AACA,SAASyD,EAASP,GAAI;AAClB,MAAI,OAAOA,KAAO,YAAYA,MAAO;AACjC,UAAM,IAAI,UAAU,wBAAwB;AAEhD,MAAI,CAAC7B,EAAe6B,EAAG,MAAM;AACzB,UAAM,IAAI,UAAU,iDAAiD;AAEzE,SAAO;AACX;AACA,SAASQ,EAAad,GAAQ;AAC1B,MAAI,OAAOA,KAAW,YAAYA,MAAW;AACzC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,MAAI,CAACvB,EAAeuB,EAAO,SAAS;AAChC,UAAM,IAAI,UAAU,wDAAwD;AAEhF,SAAO;AACX;AACA,SAASe,GAAmBvB,GAAc;AACtC,MAAI,CAACf,EAAee,CAAY;AAC5B,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAOA;AACX;AACA,SAASwB,EAAyBC,GAAkBC,GAAkB;AAClE,MAAIA,MAAqB;AACrB,UAAM,IAAI,UAAU,iEAAiED,CAAgB,wCAAwC;AAErJ;AACA,SAASE,GAAqBF,GAAkBzB,GAAc;AAC1D,MAAIA,MAAiB;AACjB,UAAM,IAAI,UAAU,6DAA6DyB,CAAgB,wCAAwC;AAEjJ;AACA,eAAeG,GAAqBd,GAAIN,GAAQqB,GAAMjD,GAAS8C,GAAkB;AAI7E,UAHAG,EAAK,OAAO,eAAe,GAC3BA,EAAK,OAAO,uBAAuB,GACnCA,EAAK,OAAO,kBAAkB,GACtBrB,EAAO,4BAA0B;AAAA,IACrC,KAAK;AAAA,IACL,KAAK,uBAAuB;AACxB,MAAAgB,EAAyB,uBAAuBE,CAAgB,GAChE9C,EAAQ,IAAI,iBAAiBkB,GAAkBU,EAAO,WAAWe,GAAmBf,EAAO,aAAa,CAAC,CAAC;AAC1G;AAAA,IACH;AAAA,IACD,KAAK,sBAAsB;AACvB,MAAAgB,EAAyB,sBAAsBE,CAAgB,GAC/DG,EAAK,IAAI,aAAarB,EAAO,SAAS,GACtCqB,EAAK,IAAI,iBAAiBN,GAAmBf,EAAO,aAAa,CAAC;AAClE;AAAA,IACH;AAAA,IACD,KAAK,mBAAmB;AAEpB,UADAmB,GAAqB,mBAAmBnB,EAAO,aAAa,GACxDkB,MAAqB;AACrB,cAAM,IAAI,UAAU,2GAA2G;AAEnI,YAAM,EAAE,KAAA9D,GAAK,KAAAqD,GAAK,iBAAAtE,EAAe,IAAKgD,GAAa+B,CAAgB;AACnE,UAAI,CAACrD,GAAaT,CAAG;AACjB,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAAiE,EAAK,IAAI,aAAarB,EAAO,SAAS,GACtCqB,EAAK,IAAI,yBAAyB,wDAAwD,GAC1FA,EAAK,IAAI,oBAAoB,MAAMb,GAAcF,GAAIN,GAAQ5C,GAAKqD,GAAKtE,CAAe,CAAC;AACvF;AAAA,IACH;AAAA,IACD,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,QAAQ;AACT,MAAAgF,GAAqBnB,EAAO,4BAA4BA,EAAO,aAAa,GAC5EgB,EAAyBhB,EAAO,4BAA4BkB,CAAgB,GAC5EG,EAAK,IAAI,aAAarB,EAAO,SAAS;AACtC;AAAA,IACH;AAAA,IACD;AACI,YAAM,IAAIzC,EAA0B,+CAA+C;AAAA,EAC1F;AACL;AACA,eAAeqD,GAAIF,GAAQC,GAASvD,GAAK;AACrC,MAAI,CAACA,EAAI,OAAO,SAAS,MAAM;AAC3B,UAAM,IAAI,UAAU,uFAAuF;AAE/G,QAAM/B,IAAQ,GAAG4B,EAAKT,EAAI,KAAK,UAAUkE,CAAM,CAAC,CAAC,CAAC,IAAIzD,EAAKT,EAAI,KAAK,UAAUmE,CAAO,CAAC,CAAC,CAAC,IAClFW,IAAYrE,EAAK,MAAM,OAAO,OAAO,KAAKsE,GAAYnE,CAAG,GAAGA,GAAKZ,EAAInB,CAAK,CAAC,CAAC;AAClF,SAAO,GAAGA,CAAK,IAAIiG,CAAS;AAChC;AAuEA,eAAeE,GAAapD,GAASV,GAASc,GAAKiD,GAAKzF,GAAW0F,GAAa;;AAC5E,QAAM,EAAE,YAAAC,GAAY,WAAAC,GAAW,OAAA3D,IAAQN,GAAW,IAAIa,EAAI,MAAM,EAAG,IAAGd;AACtE,MAAI,CAACG,GAAa8D,CAAU;AACxB,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAI,CAAC7D,GAAY8D,CAAS;AACtB,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI3D,MAAU,UAAa,CAACQ,EAAeR,CAAK;AAC5C,UAAM,IAAI,UAAU,sDAAsD;AAE9E,MAAI,CAAC2D,EAAU;AACX,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMrB,IAAMH,EAAW,IAAGpE,GACpB0E,IAAS;AAAA,IACX,KAAKZ,GAAS6B,CAAU;AAAA,IACxB,KAAK;AAAA,IACL,KAAK,MAAME,GAAUD,CAAS;AAAA,EACtC,GACUjB,IAAU;AAAA,IACZ,KAAKJ;AAAA,IACL,KAAKzB,EAAa;AAAA,IAClB,KAAA2C;AAAA,IACA,OAAAxD;AAAA,IACA,KAAK,GAAGO,EAAI,MAAM,GAAGA,EAAI,QAAQ;AAAA,IACjC,KAAKkD,IAAczE,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAIkF,CAAW,CAAC,CAAC,IAAI;AAAA,EAC3F;AACI,GAAA7F,IAAA6B,EAAQvB,QAAR,QAAAN,EAAA,KAAA6B,GAA2BgD,GAAQC,IACnCvC,EAAQ,IAAI,QAAQ,MAAMwC,GAAIF,GAAQC,GAASgB,CAAU,CAAC;AAC9D;AACA,IAAIG;AACJ,eAAeC,GAAqB3E,GAAK;AACrC,QAAM,EAAE,KAAA4E,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC,MAAQ,MAAM,OAAO,OAAO,UAAU,OAAOjF,CAAG,GACnEkF,IAAM,EAAE,KAAAN,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC;AAC/B,SAAAP,EAAS,IAAI1E,GAAKkF,CAAG,GACdA;AACX;AACA,eAAeT,GAAUzE,GAAK;AAC1B,SAAA0E,MAAaA,IAAW,oBAAI,QAAO,IAC5BA,EAAS,IAAI1E,CAAG,KAAK2E,GAAqB3E,CAAG;AACxD;AACA,SAASmF,GAAiBjF,GAAOkF,GAAUnG,GAAc;AACrD,MAAI,OAAOiB,KAAU;AACjB,UAAIjB,IACM,IAAI,UAAU,6BAA6BmG,CAAQ,oBAAoB,IAE3E,IAAI,UAAU,OAAOA,CAAQ,oBAAoB;AAE3D,SAAO,IAAI,IAAIlF,CAAK;AACxB;AACA,SAASmF,GAAgBnC,GAAIkC,GAAUnG,IAAe,IAAO;AACzD,SAAIA,KAAgBiE,EAAG,yBAAyBkC,KAAYlC,EAAG,wBACpDiC,GAAiBjC,EAAG,sBAAsBkC,CAAQ,GAAGA,GAAUnG,CAAY,IAE/EkG,GAAiBjC,EAAGkC,CAAQ,GAAGA,GAAUnG,CAAY;AAChE;AACA,SAASqG,GAAM1C,GAAQtC,GAAS;AAC5B,SAAI,GAAAsC,EAAO,6BAA6BtC,KAAA,QAAAA,EAAUrB;AAItD;AAcO,SAASsG,EAActH,GAAO;AACjC,QAAMiC,IAAQjC;AACd,SAAI,OAAOiC,KAAU,YAAY,MAAM,QAAQA,CAAK,KAAKA,MAAU,OACxD,KAEJA,EAAM,UAAU;AAC3B;AA2FO,eAAesF,GAAyBlB,GAAajI,GAAQ+E,GAAKJ,GAASiD,GAAM3D,GAAS;AAC7F,MAAI,CAACe,EAAeiD,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,EAAElD,aAAe;AACjB,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAAJ,IAAUD,EAAeC,CAAO,IAC5BV,KAAA,gBAAAA,EAAS,UAAS,SAClBU,EAAQ,IAAI,iBAAiB,UAAUsD,CAAW,EAAE,KAGpD,MAAMF,GAAapD,GAASV,EAAQ,MAAMc,GAAK/E,EAAO,YAAW,GAAIsG,EAAa,EAAE,CAAC/D,CAAS,GAAG0B,KAAA,gBAAAA,EAAU1B,GAAY,CAAA,GAAG0F,CAAW,GACrItD,EAAQ,IAAI,iBAAiB,QAAQsD,CAAW,EAAE,MAE9ChE,KAAA,gBAAAA,EAAUxB,OAAgB,OAAOsC,EAAI,MAAM;AAAA,IAC/C,MAAA6C;AAAA,IACA,SAAS,OAAO,YAAYjD,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAA3E;AAAA,IACA,UAAU;AAAA,IACV,QAAQiE,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACO,eAAe8E,GAAgBvC,GAAIN,GAAQ0B,GAAahE,GAAS;AACpE,EAAAmD,EAASP,CAAE,GACXQ,EAAad,CAAM;AACnB,QAAMxB,IAAMiE,GAAgBnC,GAAI,qBAAqBoC,GAAM1C,GAAQtC,CAAO,CAAC,GACrEU,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAIsC,EAAO,+BACP5B,EAAQ,IAAI,UAAU,iBAAiB,KAGvCA,EAAQ,IAAI,UAAU,kBAAkB,GACxCA,EAAQ,OAAO,UAAU,iBAAiB,IAEvCwE,GAAyBlB,GAAa,OAAOlD,GAAKJ,GAAS,MAAM;AAAA,IACpE,GAAGV;AAAA,IACH,CAAC1B,CAAS,GAAG+D,EAAaC,CAAM;AAAA,EACxC,CAAK;AACL;AAsKA,eAAe8C,GAAqBxC,GAAIN,GAAQvG,GAAQ+E,GAAK6C,GAAMjD,GAASV,GAAS;AACjF,eAAM0D,GAAqBd,GAAIN,GAAQqB,GAAMjD,GAASV,KAAA,gBAAAA,EAAS,gBAAgB,GAC/EU,EAAQ,IAAI,gBAAgB,iDAAiD,KACrEV,KAAA,gBAAAA,EAAUxB,OAAgB,OAAOsC,EAAI,MAAM;AAAA,IAC/C,MAAA6C;AAAA,IACA,SAAS,OAAO,YAAYjD,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAA3E;AAAA,IACA,UAAU;AAAA,IACV,QAAQiE,KAAA,QAAAA,EAAS,SAASW,GAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,EAAgB;AAC5B;AACA,eAAegF,GAAqBzC,GAAIN,GAAQgD,GAAWC,GAAYvF,GAAS;AAC5E,QAAMc,IAAMiE,GAAgBnC,GAAI,kBAAkBoC,GAAM1C,GAAQtC,CAAO,CAAC;AACxE,EAAAuF,EAAW,IAAI,cAAcD,CAAS;AACtC,QAAM5E,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,GAIjC0E,GAAqBxC,GAAIN,GAAQ,QAAQxB,GAAKyE,GAAY7E,GAASV,CAAO;AACrF;AACO,eAAewF,GAAyB5C,GAAIN,GAAQmD,GAAczF,GAAS;AAG9E,MAFAmD,EAASP,CAAE,GACXQ,EAAad,CAAM,GACf,CAACvB,EAAe0E,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMF,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,iBAAiBE,CAAY,GACrCJ,GAAqBzC,GAAIN,GAAQ,iBAAiBiD,GAAYvF,CAAO;AAChF;AACA,MAAM0F,KAAgB,oBAAI;AAEnB,SAASC,GAA0BC,GAAK;AAC3C,MAAI,CAACA,EAAI;AACL;AAEJ,QAAMC,IAASH,GAAc,IAAIE,CAAG;AACpC,MAAI,CAACC;AACD,UAAM,IAAI,UAAU,gFAAgF;AAExG,SAAOA,EAAO,CAAC;AACnB;AAmCA,eAAeC,GAAkClD,GAAIN,GAAQhC,GAAUyF,IAAgB,IAAOC,IAAqB,IAAO;AAGtH,MAFA7C,EAASP,CAAE,GACXQ,EAAad,CAAM,GACf,CAAClE,EAAgBkC,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW,KAAK;AACzB,QAAI2F;AACJ,QAAKA,IAAM,MAAMC,GAAqB5F,CAAQ;AAC1C,aAAO2F;AAEX,UAAM,IAAI3G,EAAI,qDAAqD;AAAA,EACtE;AACD,EAAA4B,GAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,YAAY;AACjC,UAAM,IAAI7B,EAAI,oEAAoE;AAEtF,MAAI,CAACyB,EAAeI,EAAK,UAAU;AAC/B,UAAM,IAAI7B,EAAI,kEAAkE;AAGpF,MADA6B,EAAK,aAAaA,EAAK,WAAW,YAAW,GACzCA,EAAK,eAAe,UAAUA,EAAK,eAAe;AAClD,UAAM,IAAItB,EAA0B,gCAAgC;AAExE,MAAIsB,EAAK,eAAe,WACnB,OAAOA,EAAK,cAAe,YAAYA,EAAK,cAAc;AAC3D,UAAM,IAAI7B,EAAI,iEAAiE;AAEnF,MAAI,CAAC0G,KACD7E,EAAK,kBAAkB,UACvB,CAACJ,EAAeI,EAAK,aAAa;AAClC,UAAM,IAAI7B,EAAI,qEAAqE;AAEvF,MAAI6B,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU;AAClD,UAAM,IAAI7B,EAAI,mDAAmD;AAErE,MAAI,CAACyG,GAAe;AAChB,QAAI5E,EAAK,aAAa,UAAa,CAACJ,EAAeI,EAAK,QAAQ;AAC5D,YAAM,IAAI7B,EAAI,gEAAgE;AAElF,QAAI6B,EAAK,UAAU;AACf,YAAM,EAAE,QAAA0E,GAAQ,KAAA3C,EAAK,IAAG,MAAMiD,GAAYhF,EAAK,UAAUiF,GAAsB,KAAK,QAAW9D,EAAO,8BAA8BM,EAAG,qCAAqC,GAAGyD,IAAkBhE,EAAaC,CAAM,GAAGE,GAAkBF,CAAM,GAAGA,EAAO5D,EAAU,CAAC,EAC/P,KAAK4H,GAAiB,KAAK,QAAW,CAAC,OAAO,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,EAC1E,KAAKC,GAAe,KAAK,QAAW3D,EAAG,MAAM,CAAC,EAC9C,KAAK4D,GAAiB,KAAK,QAAWlE,EAAO,SAAS,CAAC;AAC5D,UAAI,MAAM,QAAQuD,EAAO,GAAG,KAAKA,EAAO,IAAI,WAAW,GAAG;AACtD,YAAIA,EAAO,QAAQ;AACf,gBAAM,IAAIvG,EAAI,yEAAyE;AAE3F,YAAIuG,EAAO,QAAQvD,EAAO;AACtB,gBAAM,IAAIhD,EAAI,0DAA0D;AAAA,MAE/E;AACD,UAAIuG,EAAO,cAAc,WACpB,CAAC,OAAO,SAASA,EAAO,SAAS,KAAK,KAAK,KAAKA,EAAO,SAAS,MAAM;AACvE,cAAM,IAAIvG,EAAI,sEAAsE;AAExF,MAAAoG,GAAc,IAAIvE,GAAM,CAAC0E,GAAQ3C,CAAG,CAAC;AAAA,IACxC;AAAA,EACJ;AACD,SAAO/B;AACX;AACO,eAAesF,GAA4B7D,GAAIN,GAAQhC,GAAU;AACpE,SAAOwF,GAAkClD,GAAIN,GAAQhC,CAAQ;AACjE;AAOA,SAASkG,GAAiBnI,GAAUqI,GAAQ;AACxC,MAAI,MAAM,QAAQA,EAAO,OAAO,GAAG;AAC/B,QAAI,CAACA,EAAO,OAAO,IAAI,SAASrI,CAAQ;AACpC,YAAM,IAAIiB,EAAI,6CAA6C;AAAA,aAG1DoH,EAAO,OAAO,QAAQrI;AAC3B,UAAM,IAAIiB,EAAI,6CAA6C;AAE/D,SAAOoH;AACX;AAOA,SAASH,GAAelI,GAAUqI,GAAQ;AACtC,MAAIA,EAAO,OAAO,QAAQrI;AACtB,UAAM,IAAIiB,EAAI,2CAA2C;AAE7D,SAAOoH;AACX;AACA,MAAMC,KAAU,oBAAI;AACpB,SAASC,GAAMC,GAAc;AACzB,SAAAF,GAAQ,IAAIE,CAAY,GACjBA;AACX;AACO,eAAeC,GAA8BlE,GAAIN,GAAQyE,GAAoBC,GAAaxF,GAAcxB,GAAS;AAGpH,MAFAmD,EAASP,CAAE,GACXQ,EAAad,CAAM,GACf,CAACqE,GAAQ,IAAII,CAAkB;AAC/B,UAAM,IAAI,UAAU,mIAAmI;AAE3J,MAAI,CAAChG,EAAeiG,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,CAACjG,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMyF,IAAOC,EAAsBH,GAAoB,MAAM;AAC7D,MAAI,CAACE;AACD,UAAM,IAAI3H,EAAI,+CAA+C;AAEjE,QAAMiG,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,gBAAgByB,CAAW,GAC1CzB,EAAW,IAAI,iBAAiB/D,CAAY,GAC5C+D,EAAW,IAAI,QAAQ0B,CAAI,GACpB5B,GAAqBzC,GAAIN,GAAQ,sBAAsBiD,GAAYvF,CAAO;AACrF;AACA,MAAMmH,KAAgB;AAAA,EAClB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AACT;AACA,SAASb,GAAiBc,GAAUV,GAAQ;AACxC,aAAWW,KAASD;AAChB,QAAIV,EAAO,OAAOW,CAAK,MAAM;AACzB,YAAM,IAAI/H,EAAI,QAAQ+H,CAAK,MAAMF,GAAcE,CAAK,CAAC,iBAAiB;AAG9E,SAAOX;AACX;AACO,MAAMY,KAAgB,OAAM,GACtBC,IAAoB,OAAM;AAChC,eAAeC,GAAuC5E,GAAIN,GAAQhC,GAAUmH,GAAeC,GAAQ;AACtG,QAAMhB,IAAS,MAAMZ,GAAkClD,GAAIN,GAAQhC,CAAQ;AAC3E,MAAI2E,EAAcyB,CAAM;AACpB,WAAOA;AAEX,MAAI,CAAC3F,EAAe2F,EAAO,QAAQ;AAC/B,UAAM,IAAIpH,EAAI,gEAAgE;AAElF,EAAAoI,MAAWA,IAASpF,EAAO,mBAAmBiF;AAC9C,QAAM1B,IAASF,GAA0Be,CAAM;AAC/C,OAAKpE,EAAO,qBAAqBoF,MAAWH,MACxC1B,EAAO,cAAc;AACrB,UAAM,IAAIvG,EAAI,0DAA0D;AAE5E,MAAIoI,MAAWH,GAAmB;AAC9B,QAAI,OAAOG,KAAW,YAAYA,IAAS;AACvC,YAAM,IAAI,UAAU,wCAAwC;AAEhE,UAAM7E,IAAMH,EAAS,IAAKL,EAAaC,CAAM,GACvCG,IAAYD,GAAkBF,CAAM;AAC1C,QAAIuD,EAAO,YAAY6B,IAAS7E,IAAMJ;AAClC,YAAM,IAAInD,EAAI,kEAAkE;AAAA,EAEvF;AACD,UAAQmI,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKH;AACD,UAAIzB,EAAO,UAAU;AACjB,cAAM,IAAIvG,EAAI,yCAAyC;AAE3D;AAAA,IACJ;AACI,UAAI,CAACyB,EAAe0G,CAAa;AAC7B,cAAM,IAAI,UAAU,4CAA4C;AAEpE,UAAI5B,EAAO,UAAU;AACjB,cAAM,IAAIvG,EAAI,gCAAgC;AAElD,UAAIuG,EAAO,UAAU4B;AACjB,cAAM,IAAInI,EAAI,yCAAyC;AAAA,EAElE;AACD,SAAOoH;AACX;AAkEA,SAASxF,GAAuBZ,GAAU;AACtC,MAAIA,EAAS;AACT,UAAM,IAAI,UAAU,uCAAuC;AAEnE;AAsGA,eAAe4F,GAAqB5F,GAAU;AAC1C,MAAIA,EAAS,SAAS,OAAOA,EAAS,SAAS,KAAK;AAChD,IAAAY,GAAuBZ,CAAQ;AAC/B,QAAI;AACA,YAAMa,IAAO,MAAMb,EAAS;AAC5B,UAAIE,EAAaW,CAAI,KAAK,OAAOA,EAAK,SAAU,YAAYA,EAAK,MAAM;AACnE,eAAIA,EAAK,sBAAsB,UAAa,OAAOA,EAAK,qBAAsB,YAC1E,OAAOA,EAAK,mBAEZA,EAAK,cAAc,UAAa,OAAOA,EAAK,aAAc,YAC1D,OAAOA,EAAK,WAEZA,EAAK,SAAS,UAAa,OAAOA,EAAK,QAAS,YAChD,OAAOA,EAAK,MAEZA,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU,YAClD,OAAOA,EAAK,OAETA;AAAA,IAEd,QACK;AAAA,IAAG;AAAA,EACZ;AAEL;AAOA,SAASwG,GAAqBC,GAAW;AACrC,MAAI,OAAOA,EAAU,iBAAkB,YAAYA,EAAU,gBAAgB;AACzE,UAAM,IAAItI,EAAI,GAAGsI,EAAU,IAAI,2CAA2C;AAElF;AACA,SAASC,GAAcC,GAAY;AAC/B,UAAQA,GAAU;AAAA,IACd,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIjI,EAAyB;AAAA,EAC1C;AACL;AACA,SAASgE,GAAYnE,GAAK;AACtB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAO;AAAA,QACH,MAAMA,EAAI,UAAU;AAAA,QACpB,MAAMmI,GAAcnI,EAAI,UAAU,UAAU;AAAA,MAC5D;AAAA,IACQ,KAAK;AAED,cADAiI,GAAqBjI,EAAI,SAAS,GAC1BA,EAAI,UAAU,KAAK,MAAI;AAAA,QAC3B,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,iBAAO;AAAA,YACH,MAAMA,EAAI,UAAU;AAAA,YACpB,YAAY,SAASA,EAAI,UAAU,KAAK,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK;AAAA,UACvF;AAAA,QACgB;AACI,gBAAM,IAAIG,EAAyB;AAAA,MAC1C;AAAA,IAEL,KAAK;AACD,aAAA8H,GAAqBjI,EAAI,SAAS,GAC3BA,EAAI,UAAU;AAAA,IACzB,KAAK;AAAA,IACL,KAAK;AACD,aAAOA,EAAI,UAAU;AAAA,EAC5B;AACD,QAAM,IAAIG,EAAyB;AACvC;AACA,MAAMwG,KAAmB,OAAM;AAC/B,eAAe0B,GAAqBC,GAAiB/E,GAASvD,GAAKkE,GAAW;AAC1E,QAAMjG,IAAQ,GAAGqK,CAAe,IAAI/E,CAAO;AAE3C,MAAI,CADa,MAAM,OAAO,OAAO,OAAOY,GAAYnE,CAAG,GAAGA,GAAKkE,GAAW9E,EAAInB,CAAK,CAAC;AAEpF,UAAM,IAAI2B,EAAI,mCAAmC;AAEzD;AACA,eAAe6G,GAAY8B,GAAKC,GAAUC,GAAQ7J,GAAWC,GAAgB6J,GAAY;AACrF,MAAI,EAAE,GAAGJ,GAAiB,GAAG/E,GAAS,GAAGoF,GAAkB,QAAAC,EAAM,IAAKL,EAAI,MAAM,GAAG;AACnF,MAAIK,MAAW;AACX,QAAIF,MAAe;AACf,MAAAH,IAAM,MAAMG,EAAWH,CAAG,GACzB,EAAE,GAAGD,GAAiB,GAAG/E,GAAS,GAAGoF,GAAkB,QAAAC,EAAM,IAAKL,EAAI,MAAM,GAAG;AAAA;AAGhF,YAAM,IAAIpI,EAA0B,sCAAsC;AAGlF,MAAIyI,MAAW;AACX,UAAM,IAAIhJ,EAAI,aAAa;AAE/B,MAAI0D;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAMlE,EAAIS,EAAKyI,CAAe,CAAC,CAAC;AAAA,EACjD,SACM3I,GAAO;AACV,UAAM,IAAIC,EAAI,6DAA6D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACvF;AACD,MAAI,CAACmB,EAAawC,CAAM;AACpB,UAAM,IAAI1D,EAAI,uCAAuC;AAGzD,MADA4I,EAASlF,CAAM,GACXA,EAAO,SAAS;AAChB,UAAM,IAAI1D,EAAI,wCAAwC;AAE1D,QAAMsE,IAAYrE,EAAK8I,CAAgB;AACvC,MAAI3I;AACJ,EAAIyI,MAAW9B,OACX3G,IAAM,MAAMyI,EAAOnF,CAAM,GACzB,MAAM+E,GAAqBC,GAAiB/E,GAASvD,GAAKkE,CAAS;AAEvE,MAAIiC;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAM/G,EAAIS,EAAK0D,CAAO,CAAC,CAAC;AAAA,EACzC,SACM5D,GAAO;AACV,UAAM,IAAIC,EAAI,8DAA8D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACxF;AACD,MAAI,CAACmB,EAAaqF,CAAM;AACpB,UAAM,IAAIvG,EAAI,wCAAwC;AAE1D,QAAMuD,IAAMH,EAAW,IAAGpE;AAC1B,MAAIuH,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAIvG,EAAI,mDAAmD;AAErE,QAAIuG,EAAO,OAAOhD,IAAMtE;AACpB,YAAM,IAAIe,EAAI,2EAA2E;AAAA,EAEhG;AACD,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAIvG,EAAI,6CAA6C;AAGnE,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAIvG,EAAI,0CAA0C;AAGhE,MAAIuG,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAIvG,EAAI,8CAA8C;AAEhE,QAAIuG,EAAO,MAAMhD,IAAMtE;AACnB,YAAM,IAAIe,EAAI,qEAAqE;AAAA,EAE1F;AACD,MAAIuG,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ,YAAY,CAAC,MAAM,QAAQA,EAAO,GAAG;AAC3D,UAAM,IAAIvG,EAAI,4CAA4C;AAGlE,SAAO,EAAE,QAAA0D,GAAQ,QAAA6C,GAAQ,WAAAjC,GAAW,KAAAlE,GAAK,KAAKuI;AAClD;AAsKA,SAAS7B,GAAsB9D,GAAQiG,GAAQvF,GAAQ;AACnD,MAAIV,MAAW,QAAW;AACtB,QAAIU,EAAO,QAAQV;AACf,YAAM,IAAIhD,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAI,MAAM,QAAQiJ,CAAM,GAAG;AACvB,QAAI,CAACA,EAAO,SAASvF,EAAO,GAAG;AAC3B,YAAM,IAAI1D,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAI0D,EAAO,QAAQ;AACf,UAAM,IAAI1D,EAAI,uCAAuC;AAE7D;AACA,SAAS4H,EAAsB3B,GAAY7I,GAAM;AAC7C,QAAM,EAAE,GAAGkD,GAAO,QAAA0I,EAAQ,IAAG/C,EAAW,OAAO7I,CAAI;AACnD,MAAI4L,IAAS;AACT,UAAM,IAAIhJ,EAAI,IAAI5C,CAAI,wCAAwC;AAElE,SAAOkD;AACX;AACO,MAAM4I,KAAiB,OAAM,GACvBC,KAAgB,OAAM;AAC5B,SAASC,GAAqB9F,GAAIN,GAAQiD,GAAYoD,GAAe;AAMxE,MALAxF,EAASP,CAAE,GACXQ,EAAad,CAAM,GACfiD,aAAsB,QACtBA,IAAaA,EAAW,eAExB,EAAEA,aAAsB;AACxB,UAAM,IAAI,UAAU,6DAA6D;AAErF,MAAI2B,EAAsB3B,GAAY,UAAU;AAC5C,UAAM,IAAIjG,EAAI,wGAAwG;AAE1H,QAAMsJ,IAAM1B,EAAsB3B,GAAY,KAAK,GAC7CsD,IAAQ3B,EAAsB3B,GAAY,OAAO;AACvD,MAAI,CAACqD,KAAOhG,EAAG;AACX,UAAM,IAAItD,EAAI,2CAA2C;AAE7D,MAAIsJ,KAAOA,MAAQhG,EAAG;AAClB,UAAM,IAAItD,EAAI,oDAAoD;AAEtE,UAAQqJ,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKF;AACD,UAAII,MAAU;AACV,cAAM,IAAIvJ,EAAI,mDAAmD;AAErE;AAAA,IACJ,KAAKkJ;AACD;AAAA,IACJ;AACI,UAAI,CAACzH,EAAe4H,CAAa;AAC7B,cAAM,IAAIrJ,EAAI,4CAA4C;AAE9D,UAAIuJ,MAAU;AACV,cAAM,IAAIvJ,EAAI,oCAAoC;AAEtD,UAAIuJ,MAAUF;AACV,cAAM,IAAIrJ,EAAI,6CAA6C;AAAA,EAEtE;AACD,QAAMwJ,IAAQ5B,EAAsB3B,GAAY,OAAO;AACvD,MAAIuD;AACA,WAAO;AAAA,MACH,OAAAA;AAAA,MACA,mBAAmB5B,EAAsB3B,GAAY,mBAAmB;AAAA,MACxE,WAAW2B,EAAsB3B,GAAY,WAAW;AAAA,IACpE;AAEI,QAAMwD,IAAW7B,EAAsB3B,GAAY,UAAU,GACvD5D,IAAQuF,EAAsB3B,GAAY,OAAO;AACvD,MAAIwD,MAAa,UAAapH,MAAU;AACpC,UAAM,IAAI9B,EAA0B,6CAA6C;AAErF,SAAO+G,GAAM,IAAI,gBAAgBrB,CAAU,CAAC;AAChD;ACnuDO,SAASyD,GAAgB;AAAA,EAC9B,gBAAAC;AACF,GAEG;AACD,QAAM,CAACH,GAAOI,CAAQ,IAAIC,GAAuB,IAAI,GAC/CC,IAAWC,MAGXC,IAAgBC,GAAO,EAAK;AAiBlC,SAfAC,GAAU,MAAM;AACd,IAAIF,EAAc,YAGlBA,EAAc,UAAU,IACTL,EAAA,EACZ,KAAK,CAACQ,MAAa;AAClB,MAAAL,EAASK,CAAQ;AAAA,IAAA,CAClB,EACA,MAAM,CAACxD,MAAQ;AACd,MAAAlI,EAAO,MAAMkI,CAAG,GAChBiD,EAASjD,CAAG;AAAA,IAAA,CACb;AAAA,EAAA,GACF,CAACmD,GAAUH,CAAc,CAAC,GAEzBH,IAEAY,gBAAAA,EAAA;AAAA,IAACC;AAAA,IAAA;AAAA,MACC,UAAS;AAAA,MACT,OAAM;AAAA,MACN,SAEIC,gBAAAA,EAAA,KAAAC,YAAA,EAAA,UAAA;AAAA,QAACH,gBAAAA,EAAA,IAAAI,IAAA,EAAc,WAAU,QAAO,UAGhC,qIAAA;AAAA,QAAgB;AAAA,8BAEfC,IAAgB,EAAA,MAAMjB,EAAM,YAAY,UAAS,SAAQ;AAAA,MAAA,GAC5D;AAAA,IAAA;AAAA,EAAA,0BAOL,OAAI,EAAA,WAAU,kCACb,UAAAY,gBAAAA,EAAAA,IAACM,MAAQ,EACX,CAAA;AAEJ;AC1DO,MAAMC,UAA2B,MAAM;AAAC;AAYxC,MAAMC,WAAgCD,EAAmB;AAAA,EAC9D,YACEnK,GACOgJ,GACP9I,GACA;AACA,UAAMF,GAASE,CAAO,GAHf,KAAA,QAAA8I;AAAA,EAIT;AACF;ACRA,MAAMqB,IAAoB;AAS1B,MAAMC,WAAyBC,GAAqB;AAAA,EAClD,YACUC,GACArB,GACR;AACM,aAHE,KAAA,kBAAAqB,GACA,KAAA,iBAAArB;AAAA,EAGV;AAAA,EACA,YAAY;AACH,WAAA;AAAA,MACL,GAAG,MAAM,UAAU;AAAA,MACnB;AAAA,QACE,MAAM,KAAK;AAAA,QACX,SAASS,gBAAAA,EAAA,IAACV,IAAgB,EAAA,gBAAgB,KAAK,gBAAgB;AAAA,MACjE;AAAA,IAAA;AAAA,EAEJ;AACF;AAEO,MAAMuB,GAA+D;AAAA,EAiB1E,YAAY;AAAA,IACV,QAAAhC;AAAA,IACA,UAAAiC;AAAA,IACA,UAAA3I;AAAA,IACA,uBAAA4I;AAAA,IACA,uBAAAC;AAAA,IACA,wBAAAC;AAAA,EAAA,GAC6B;AAvBrB,IAAAC,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA;AAEA,IAAAA,EAAA,yBAAkB;AAClB,IAAAA,EAAA,+BAAwB;AACxB,IAAAA,EAAA;AAIO,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAiLjB,IAAAA,EAAA,iBAAU,YAAY;AACpB,MAAAC,EAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAS;AAAA,MAAA,CACV,GACD,eAAe,MAAM;AAEf,YAAAjI,IAAK,MAAM,KAAK,iBAEhBkI,IAAc,IAAI;AAAA,QACtB,OAAO,SAAS,SAAS,KAAK;AAAA,MAAA;AAEhC,MAAAA,EAAY,WAAW,KAAK;AAExB,UAAAC;AAGJ,MAAInI,EAAG,wBACOmI,IAAA,IAAI,IAAInI,EAAG,oBAAoB,GAM3CmI,EAAU,aAAa;AAAA,QACrB;AAAA,QACAD,EAAY,SAAS;AAAA,MAAA,KAGXC,IAAAD;AAAA,IACd;AAGF,IAAAF,EAAA,wBAAiB,YAAY;AAC3B,YAAM9J,IAAM,IAAI,IAAI,OAAO,SAAS,IAAI,GAClC+H,IAAQ/H,EAAI,aAAa,IAAI,OAAO,GAIpCU,IAAe,eAAe,QAAQ2I,CAAiB;AAE7D,UADA,eAAe,WAAWA,CAAiB,GACvC,CAAC3I;AACG,cAAA,IAAIyI,EAAmB,kCAAkC;AAG3D,YAAAe,IAAa,MAAM,KAAK,iBAExBC,IAASC;AAAAA,QACbF;AAAA,QACA,KAAK;AAAA,QACLlK,EAAI;AAAA,QACJ+H,KAAS;AAAA,MAAA;AAEP,UAAAsC,EAAoBF,CAAM;AACrB,cAAAlN,EAAA,MAAM,mCAAmCkN,CAAM,GAChD,IAAIf;AAAA,UACR;AAAA,UACAe;AAAA,QAAA;AAIE,YAAAH,IAAc,IAAI,IAAIhK,CAAG;AAC/B,MAAAgK,EAAY,WAAW,KAAK,uBAC5BA,EAAY,SAAS;AAEf,YAAAxK,IAAW,MAAM8K;AAAAA,QACrBJ;AAAA,QACA,KAAK;AAAA,QACLC;AAAA,QACAH,EAAY,SAAS;AAAA,QACrBtJ;AAAA,MAAA,GAWI6J,IAAc,MAAMC;AAAAA,QACxBN;AAAA,QACA,KAAK;AAAA,QACL1K;AAAA,MAAA;AAGF,WAAK,sBAAsB+K,CAAW;AAEhC,YAAArH,IAAc,MAAM,KAAK,kBAOzBuH,IAAW,OALQ,MAAMC;AAAAA,QAC7BR;AAAA,QACA,KAAK;AAAA,QACLhH;AAAA,MAAA,GAEsC,QAElCyH,IAAuB;AAAA,QAC3B,KAAKF,EAAS;AAAA,QACd,OAAOA,EAAS;AAAA,QAChB,MAAMA,EAAS;AAAA,QACf,eAAeA,EAAS,kBAAkB;AAAA,QAC1C,YAAYA,EAAS;AAAA,MAAA;AAGvB,MAAAV,EAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAAY;AAAA,MAAA,CACD,GAEc,eAAA;AAAA,QACb;AAAA,QACA,KAAK,UAAUZ,EAAa,SAAA,EAAW,OAAO;AAAA,MAAA;AAGhD,YAAMa,IAAa,eAAe,QAAQ,aAAa,KAAK;AAC5D,4BAAe,WAAW,aAAa,GAChCA;AAAA,IAAA;AA/RP,SAAK,SAAS;AAAA,MACZ,WAAW7J;AAAA,MACX,4BAA4B;AAAA,IAAA,GAE9B,KAAK,WAAW2I,GAChB,KAAK,SAASjC,GACd,KAAK,wBAAwBkC,KAAyB,KACtD,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,yBAAyBC,KAA0B;AAAA,EAC1D;AAAA,EAEA,MAAgB,gBAAgB;AAC1B,QAAA,CAAC,KAAK,qBAAqB;AAC7B,YAAMgB,IAAY,IAAI,IAAI,KAAK,MAAM,GAC/BrL,IAAW,MAAMsL,GAAuBD,CAAS;AAClD,WAAA,sBAAsB,MAAME;AAAAA,QAC/BF;AAAA,QACArL;AAAA,MAAA;AAAA,IAEJ;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMU,sBACRA,GACA;AACI,QAAA6K,EAAoB7K,CAAQ;AACvB,YAAAvC,EAAA,MAAM,sBAAsBuC,CAAQ,GACrC,IAAI4J,GAAwB,sBAAsB5J,CAAQ;AAG9D,QAAA,CAACA,EAAS;AACN,YAAA,IAAI2J,EAAmB,2BAA2B;AAG1D,UAAM6B,IAAqB;AAAA,MACzB,aAAaxL,EAAS;AAAA,MACtB,cAAcA,EAAS;AAAA,MACvB,WAAW,IAAI,KAAK,KAAK,QAAQA,EAAS,aAAa,GAAI;AAAA,MAC3D,WAAWA,EAAS;AAAA,IAAA;AAEtB,mBAAe,QAAQ,eAAe,KAAK,UAAUwL,CAAM,CAAC;AAAA,EAC9D;AAAA,EAEA,MAAM,OAAO,EAAE,YAAAJ,EAAW,IAA6B,IAAI;AACzD,WAAO,KAAK,UAAU;AAAA,MACpB,YAAYA,KAAc,KAAK;AAAA,MAC/B,UAAU;AAAA,IAAA,CACX;AAAA,EACH;AAAA,EAEA,MAAM,OAAO,EAAE,YAAAA,EAAW,IAA6B,IAAI;AACzD,WAAO,KAAK,UAAU;AAAA,MACpB,YAAYA,KAAc,KAAK;AAAA,IAAA,CAChC;AAAA,EACH;AAAA,EAEA,MAAc,UAAU;AAAA,IACtB,YAAAA;AAAA,IACA,UAAAK,IAAW;AAAA,EAAA,GAIK;;AAChB,UAAMC,IAAwB,QACxBC,IAAsB,MAAM,KAAK;AAEnC,QAAA,CAACA,EAAoB;AACjB,YAAA,IAAIhC,EAAmB,2BAA2B;AAQpD,UAAAzI,IAAe0K,MACfC,IAAgB,MAAMC,GAAiC5K,CAAY;AAE1D,mBAAA,QAAQ2I,GAAmB3I,CAAY;AAGtD,UAAM6K,IAAmB,IAAI;AAAA,MAC3BJ,EAAoB;AAAA,IAAA;AAGP,mBAAA,QAAQ,eAAeP,CAAU;AAEhD,UAAMZ,IAAc,IAAI,IAAI,OAAO,SAAS,MAAM;AA0BlD,QAzBAA,EAAY,WAAW,KAAK,iBAC5BA,EAAY,SAAS,IAErBuB,EAAiB,aAAa,IAAI,aAAa,KAAK,OAAO,SAAS,GACpEA,EAAiB,aAAa,IAAI,gBAAgBvB,EAAY,UAAU,GACvDuB,EAAA,aAAa,IAAI,iBAAiB,MAAM,GACxCA,EAAA,aAAa,IAAI,SAAS,sBAAsB,GAChDA,EAAA,aAAa,IAAI,kBAAkBF,CAAa,GACjEE,EAAiB,aAAa;AAAA,MAC5B;AAAA,MACAL;AAAA,IAAA,GAEE,KAAK,YACPK,EAAiB,aAAa,IAAI,YAAY,KAAK,QAAQ,IAG7DlO,IAAA,KAAK,uBAAL,QAAAA,EAAA,WAA0BkO,GAAkB;AAAA,MAC1C,UAAU,CAACN;AAAA,MACX,UAAAA;AAAA,IAAA,MAQA7N,IAAA+N,EAAoB,qCAApB,gBAAA/N,EAAsD,SAAS,aAC/D,IACA;AACM,YAAA2K,IAAQyD;AACG,MAAAD,EAAA,aAAa,IAAI,SAASxD,CAAK;AAAA,IAClD;AAGA,aAAS,OAAOwD,EAAiB;AAAA,EACnC;AAAA,EAEA,MAAM,iBAAkC;AAChC,UAAAzJ,IAAK,MAAM,KAAK,iBAChB2J,IAAa,eAAe,QAAQ,aAAa;AACvD,QAAI,CAACA;AACG,YAAA,IAAItC,EAAmB,2BAA2B;AAGpD,UAAApB,IAAQ,KAAK,MAAM0D,CAAU;AACnC,QAAI1D,EAAM,YAAgB,oBAAA,QAAQ;AAC5B,UAAA,CAACA,EAAM;AACT,qBAAM,KAAK,UACJ;AAGH,YAAA2D,IAAU,MAAMC;AAAAA,QACpB7J;AAAA,QACA,KAAK;AAAA,QACLiG,EAAM;AAAA,MAAA,GAEFvI,IAAW,MAAMoM;AAAAA,QACrB9J;AAAA,QACA,KAAK;AAAA,QACL4J;AAAA,MAAA;AAGE,UAAA,CAAClM,EAAS;AACN,cAAA,IAAI2J,EAAmB,6BAA6B;AAG5D,kBAAK,sBAAsB3J,CAAQ,GAE5BA,EAAS,aAAa;IAAS;AAEtC,aAAOuI,EAAM;AAAA,EAEjB;AAAA,EA6HA,WAAiB;AACT,UAAA8D,IAAe,eAAe,QAAQ,eAAe;AAC3D,QAAIA;AACE,UAAA;AACI,cAAAlB,IAAU,KAAK,MAAMkB,CAAY;AACvC,QAAA9B,EAAa,SAAS;AAAA,UACpB,iBAAiB;AAAA,UACjB,WAAW;AAAA,UACX,SAAAY;AAAA,QAAA,CACD;AAAA,eACMxF,GAAK;AACL,QAAAlI,EAAA,MAAM,4BAA4BkI,CAAG;AAAA,MAC9C;AAAA,EAEJ;AAAA,EAEA,0BAA0B;AAGxB,WAAO,IAAImE,GAAiB,KAAK,iBAAiB,KAAK,cAAc;AAAA,EACvE;AACF;AAEA,MAAMwC,KAEF,CAAC5M,MAAY,IAAIuK,GAA6BvK,CAAO;","x_google_ignoreList":[0,1]}