zudoku 0.3.0-dev.70 → 0.3.0-dev.71

@@ -11,7 +11,8 @@ interface TokenState {
11
11
  declare class OpenIdAuthPlugin extends AuthenticationPlugin {
12
12
  private callbackUrlPath;
13
13
  private handleCallback;
14
- constructor(callbackUrlPath: string, handleCallback: () => Promise<string>);
14
+ initialize?: (() => Promise<void>) | undefined;
15
+ constructor(callbackUrlPath: string, handleCallback: () => Promise<string>, initialize?: (() => Promise<void>) | undefined);
15
16
  getRoutes(): {
16
17
  path: string;
17
18
  element: import("react/jsx-runtime").JSX.Element;
@@ -26,10 +27,11 @@ export declare class OpenIDAuthenticationProvider implements AuthenticationProvi
26
27
  protected tokens: TokenState | undefined;
27
28
  protected callbackUrlPath: string;
28
29
  protected logoutRedirectUrlPath: string;
29
- private redirectToAfterSignUp;
30
- private redirectToAfterSignIn;
31
- private redirectToAfterSignOut;
32
- constructor({ issuer, authorizationEndpoint, tokenEndpoint, clientId, redirectToAfterSignUp, redirectToAfterSignIn, redirectToAfterSignOut, }: OpenIDAuthenticationConfig);
30
+ private readonly redirectToAfterSignUp;
31
+ private readonly redirectToAfterSignIn;
32
+ private readonly redirectToAfterSignOut;
33
+ private readonly audience?;
34
+ constructor({ issuer, audience, authorizationEndpoint, tokenEndpoint, clientId, redirectToAfterSignUp, redirectToAfterSignIn, redirectToAfterSignOut, }: OpenIDAuthenticationConfig);
33
35
  protected getAuthServer(): Promise<oauth.AuthorizationServer>;
34
36
  /**
35
37
  * Sets the tokens from various OAuth responses
@@ -9,10 +9,12 @@ const CODE_VERIFIER_KEY = "code-verifier";
9
9
  class OpenIdAuthPlugin extends AuthenticationPlugin {
10
10
  callbackUrlPath;
11
11
  handleCallback;
12
- constructor(callbackUrlPath, handleCallback) {
12
+ initialize;
13
+ constructor(callbackUrlPath, handleCallback, initialize) {
13
14
  super();
14
15
  this.callbackUrlPath = callbackUrlPath;
15
16
  this.handleCallback = handleCallback;
17
+ this.initialize = initialize;
16
18
  }
17
19
  getRoutes() {
18
20
  return [
@@ -36,11 +38,13 @@ export class OpenIDAuthenticationProvider {
36
38
  redirectToAfterSignUp;
37
39
  redirectToAfterSignIn;
38
40
  redirectToAfterSignOut;
39
- constructor({ issuer, authorizationEndpoint, tokenEndpoint, clientId, redirectToAfterSignUp, redirectToAfterSignIn, redirectToAfterSignOut, }) {
41
+ audience;
42
+ constructor({ issuer, audience, authorizationEndpoint, tokenEndpoint, clientId, redirectToAfterSignUp, redirectToAfterSignIn, redirectToAfterSignOut, }) {
40
43
  this.client = {
41
44
  client_id: clientId,
42
45
  token_endpoint_auth_method: "none",
43
46
  };
47
+ this.audience = audience;
44
48
  this.issuer = issuer;
45
49
  this.authorizationEndpoint = authorizationEndpoint;
46
50
  this.tokenEndpoint = tokenEndpoint;
@@ -84,6 +88,7 @@ export class OpenIDAuthenticationProvider {
84
88
  expiresOn: new Date(Date.now() + response.expires_in * 1000),
85
89
  tokenType: response.token_type,
86
90
  };
91
+ localStorage.setItem("openid-token", JSON.stringify(this.tokens));
87
92
  }
88
93
  async signUp() {
89
94
  return this.authorize(true);
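Review bot: The added `localStorage.setItem("openid-token", JSON.stringify(this.tokens));` writes the whole token object to storage that any script running on the origin can read and that outlives the tab. The assignment starts outside the hunk, so the object presumably also carries the access token and a refresh token alongside the visible `expiresOn` and `tokenType`. Consider keeping the refresh token in memory only and persisting at most the short-lived access token, or at least narrowing the lifetime with `sessionStorage.setItem("openid-token", JSON.stringify(this.tokens));`. No hunk in this diff removes the key, so the sign-out path should call `localStorage.removeItem("openid-token");`. `JSON.stringify` also turns the `expiresOn` Date into a string, so whatever reads this entry back (not visible here) has to revive it before comparing against `new Date()`.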
@@ -128,6 +133,9 @@ export class OpenIDAuthenticationProvider {
128
133
  authorizationUrl.searchParams.set("scope", "openid+profile+email");
129
134
  authorizationUrl.searchParams.set("code_challenge", codeChallenge);
130
135
  authorizationUrl.searchParams.set("code_challenge_method", code_challenge_method);
136
+ if (this.audience) {
137
+ authorizationUrl.searchParams.set("audience", this.audience);
138
+ }
131
139
  /**
132
140
  * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is
133
141
  * backwards compatible even if the AS doesn't support it which is why we're using it regardless.
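Review bot: The `audience` value set in the new `if (this.audience)` block is a provider extension rather than a core OAuth 2.0 authorization parameter, so a server that does not recognise it will ignore it and issue a token for its default audience without any error surfacing here. A short comment would make that explicit, e.g. `// "audience" is an authorization-server extension; servers that do not support it ignore it`, and whatever consumes the access token should still verify its audience. Separately, the unchanged `scope` line above passes `"openid+profile+email"` through `searchParams.set`, which percent-encodes `+`, so the server likely receives one literal scope string instead of three; `"openid profile email"` would serialize as intended. The enclosing method starts and ends outside the hunk.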
@@ -1 +1 @@
1
- {"version":3,"file":"openid.js","sourceRoot":"","sources":["../../../../src/lib/authentication/providers/openid.tsx"],"names":[],"mappings":";AAAA,OAAO,MAAM,MAAM,UAAU,CAAC;AAC9B,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AAMtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAe,MAAM,aAAa,CAAC;AAExD,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAS1C,MAAM,gBAAiB,SAAQ,oBAAoB;IAEvC;IACA;IAFV,YACU,eAAuB,EACvB,cAAqC;QAE7C,KAAK,EAAE,CAAC;QAHA,oBAAe,GAAf,eAAe,CAAQ;QACvB,mBAAc,GAAd,cAAc,CAAuB;IAG/C,CAAC;IACD,SAAS;QACP,OAAO;YACL,GAAG,KAAK,CAAC,SAAS,EAAE;YACpB;gBACE,IAAI,EAAE,IAAI,CAAC,eAAe;gBAC1B,OAAO,EAAE,KAAC,QAAQ,IAAC,cAAc,EAAE,IAAI,CAAC,cAAc,GAAI;aAC3D;SACF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,4BAA4B;IAC7B,MAAM,CAAe;IACrB,MAAM,CAAS;IACf,qBAAqB,CAAqB;IAC1C,aAAa,CAAqB;IAElC,mBAAmB,CAAwC;IAC3D,MAAM,CAAyB;IAE/B,eAAe,GAAG,iBAAiB,CAAC;IACpC,qBAAqB,GAAG,GAAG,CAAC;IAC9B,qBAAqB,CAAS;IAC9B,qBAAqB,CAAS;IAC9B,sBAAsB,CAAS;IAEvC,YAAY,EACV,MAAM,EACN,qBAAqB,EACrB,aAAa,EACb,QAAQ,EACR,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,GACK;QAC3B,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,QAAQ;YACnB,0BAA0B,EAAE,MAAM;SACnC,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,CAAC;QACnD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;QACnC,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,IAAI,GAAG,CAAC;QAC1D,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,IAAI,GAAG,CAAC;QAC1D,IAAI,CAAC,sBAAsB,GAAG,sBAAsB,IAAI,GAAG,CAAC;IAC9D,CAAC;IAES,KAAK,CAAC,aAAa;QAC3B,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBACrD,IAAI,CAAC,mBAAmB,GAAG;oBACzB,MAAM,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,qBAAsB,CAAC,CAAC,MAAM;oBACnD,sBAAsB,EAAE,IAAI,CAAC,qBAAqB;oBAClD,cAAc,EAAE,IAAI,CAAC,aAAa;oBAClC,gCAAgC,EAAE,EAAE;iBACrC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;gBACzD,IAAI,CAAC,mBAAmB,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAC7D,SAAS,EACT,QAAQ,CACT,CAAC;YACJ,CAA
C;QACH,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;OAGG;IACO,qBAAqB,CAC7B,QAAyD;QAEzD,IAAI,KAAK,CAAC,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;YAC7C,MAAM,IAAI,uBAAuB,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;YACzB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,MAAM,GAAG;YACZ,WAAW,EAAE,QAAQ,CAAC,YAAY;YAClC,YAAY,EAAE,QAAQ,CAAC,aAAa;YACpC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC;YAC5D,SAAS,EAAE,QAAQ,CAAC,UAAU;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,KAAK;QACpC,MAAM,qBAAqB,GAAG,MAAM,CAAC;QACrC,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QACvD,IAAI,MAAM,EAAE,CAAC;YACX,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,EAAE,CAAC;YAChD,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QAED;;;;WAIG;QACH,MAAM,YAAY,GAAG,KAAK,CAAC,0BAA0B,EAAE,CAAC;QACxD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAE3E,YAAY,CAAC,OAAO,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;QAEtD,6CAA6C;QAC7C,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAC9B,MAAM;YACJ,CAAC,CAAC,mBAAmB,CAAC,qBAAqB;gBACzC,mBAAmB,CAAC,sBAAsB;YAC5C,CAAC,CAAC,mBAAmB,CAAC,sBAAsB,CAC/C,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,CAAC,MAAM;YACL,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,qBAAqB;YACrD,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CACvB,CAAC;QACF,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC;QAC5C,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;QAExB,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC1E,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3D,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAA
O,EAAE,sBAAsB,CAAC,CAAC;QACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,uBAAuB,EACvB,qBAAqB,CACtB,CAAC;QAEF;;;WAGG;QACH,IACE,mBAAmB,CAAC,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC;YACtE,IAAI,EACJ,CAAC;YACD,MAAM,KAAK,GAAG,KAAK,CAAC,mBAAmB,EAAE,CAAC;YAC1C,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACpD,CAAC;QAED,iDAAiD;QACjD,QAAQ,CAAC,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC9B,wBAAwB;gBACxB,MAAM,IAAI,kBAAkB,CAC1B,8CAA8C,CAC/C,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAClD,EAAE,EACF,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,MAAM,CAAC,YAAY,CACzB,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,2BAA2B,CACtD,EAAE,EACF,IAAI,CAAC,MAAM,EACX,OAAO,CACR,CAAC;YAEF,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,OAAO;QACX,YAAY,CAAC,QAAQ,CAAC;YACpB,eAAe,EAAE,KAAK;YACtB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAEtC,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,sBAAsB,CACrD,CAAC;QACF,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC;QAElD,IAAI,SAAc,CAAC;QACnB,uEAAuE;QACvE,sEAAsE;QACtE,IAAI,EAAE,CAAC,oBAAoB,EAAE,CAAC;YAC5B,SAAS,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC;YAC7C,kCAAkC;YAClC,gCAAgC;YAChC,kBAAkB;YAClB,2DAA2D;YAC3D,IAAI;YACJ,SAAS,CAAC,YAAY,CAAC,GAAG,CACxB,0BAA0B,EAC1B,WAAW,CAAC,QAAQ,EAAE,CACvB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,cAAc,GAAG,KAAK,IAAqB,EAAE;QAC3C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE5C,8DAA8D;QAC9D,8CAA8C;QAC9C,MAAM,YAAY,GAAG,YAAY,CAAC,OA
AO,CAAC,iBAAiB,CAAC,CAAC;QAC7D,8CAA8C;QAE9C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,kBAAkB,CAC1B,8CAA8C,CAC/C,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAE9C,MAAM,MAAM,GAAG,KAAK,CAAC,oBAAoB,CACvC,UAAU,EACV,IAAI,CAAC,MAAM,EACX,GAAG,CAAC,YAAY,EAChB,KAAK,IAAI,SAAS,CACnB,CAAC;QACF,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,MAAM,CAAC,CAAC;YACxD,MAAM,IAAI,uBAAuB,CAC/B,iCAAiC,EACjC,MAAM,CACP,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,qBAAqB,IAAI,IAAI,CAAC,eAAe,CAAC;QAC1E,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;QAExB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,CACxD,UAAU,EACV,IAAI,CAAC,MAAM,EACX,MAAM,EACN,WAAW,CAAC,QAAQ,EAAE,EACtB,YAAY,CACb,CAAC;QAEF,+BAA+B;QAC/B,qEAAqE;QACrE,oBAAoB;QACpB,0CAA0C;QAC1C,8DAA8D;QAC9D,MAAM;QACN,uEAAuE;QACvE,IAAI;QACJ,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,sCAAsC,CACpE,UAAU,EACV,IAAI,CAAC,MAAM,EACX,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAExC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAEhD,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,eAAe,CAClD,UAAU,EACV,IAAI,CAAC,MAAM,EACX,WAAW,CACZ,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,CAAC;QAE/C,MAAM,OAAO,GAAgB;YAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,KAAK;YAC/C,UAAU,EAAE,QAAQ,CAAC,OAAO;SAC7B,CAAC;QAEF,YAAY,CAAC,QAAQ,CAAC;YACpB,eAAe,EAAE,IAAI;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO;SACR,CAAC,CAAC;QAEH,IAAI,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,qBAAqB,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,qBAAqB,CAAC;QACpC,CAAC;QAED,mEAAmE;QACnE,+BAA+B;QAC/B,0DAA0D;QAE1D,kDAAkD;QAClD,eAAe;IACjB,CAAC,CAAC;IAEF,uBAAuB;QACrB,OAAO,IAAI,gBAAgB,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CACrD,IAAI,CAAC,cAAc,EAAE,CACtB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,GAEZ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,4BAA4B,CAAC,OAAO,CAAC,CAAC;AAE3D,eAAe,UAAU,CAAC"}
1
+ {"version":3,"file":"openid.js","sourceRoot":"","sources":["../../../../src/lib/authentication/providers/openid.tsx"],"names":[],"mappings":";AAAA,OAAO,MAAM,MAAM,UAAU,CAAC;AAC9B,OAAO,KAAK,KAAK,MAAM,cAAc,CAAC;AAMtC,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAe,MAAM,aAAa,CAAC;AAExD,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAS1C,MAAM,gBAAiB,SAAQ,oBAAoB;IAEvC;IACA;IACD;IAHT,YACU,eAAuB,EACvB,cAAqC,EACtC,UAAgC;QAEvC,KAAK,EAAE,CAAC;QAJA,oBAAe,GAAf,eAAe,CAAQ;QACvB,mBAAc,GAAd,cAAc,CAAuB;QACtC,eAAU,GAAV,UAAU,CAAsB;IAGzC,CAAC;IACD,SAAS;QACP,OAAO;YACL,GAAG,KAAK,CAAC,SAAS,EAAE;YACpB;gBACE,IAAI,EAAE,IAAI,CAAC,eAAe;gBAC1B,OAAO,EAAE,KAAC,QAAQ,IAAC,cAAc,EAAE,IAAI,CAAC,cAAc,GAAI;aAC3D;SACF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,4BAA4B;IAC7B,MAAM,CAAe;IACrB,MAAM,CAAS;IACf,qBAAqB,CAAqB;IAC1C,aAAa,CAAqB;IAElC,mBAAmB,CAAwC;IAC3D,MAAM,CAAyB;IAE/B,eAAe,GAAG,iBAAiB,CAAC;IACpC,qBAAqB,GAAG,GAAG,CAAC;IACrB,qBAAqB,CAAS;IAC9B,qBAAqB,CAAS;IAC9B,sBAAsB,CAAS;IAC/B,QAAQ,CAAU;IAEnC,YAAY,EACV,MAAM,EACN,QAAQ,EACR,qBAAqB,EACrB,aAAa,EACb,QAAQ,EACR,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,GACK;QAC3B,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,QAAQ;YACnB,0BAA0B,EAAE,MAAM;SACnC,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,CAAC;QACnD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;QACnC,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,IAAI,GAAG,CAAC;QAC1D,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,IAAI,GAAG,CAAC;QAC1D,IAAI,CAAC,sBAAsB,GAAG,sBAAsB,IAAI,GAAG,CAAC;IAC9D,CAAC;IAES,KAAK,CAAC,aAAa;QAC3B,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBACrD,IAAI,CAAC,mBAAmB,GAAG;oBACzB,MAAM,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,qBAAsB,CAAC,CAAC,MAAM;oBACnD,sBAAsB,EAAE,IAAI,CAAC,qBAAqB;oBAClD,cAAc,EAAE,IAAI,CAAC,aAAa;oBAClC,gCAAgC,EAAE,EAAE;iBACrC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACvC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC
,SAAS,CAAC,CAAC;gBACzD,IAAI,CAAC,mBAAmB,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAC7D,SAAS,EACT,QAAQ,CACT,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;OAGG;IACO,qBAAqB,CAC7B,QAAyD;QAEzD,IAAI,KAAK,CAAC,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;YAC7C,MAAM,IAAI,uBAAuB,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;YACzB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,MAAM,GAAG;YACZ,WAAW,EAAE,QAAQ,CAAC,YAAY;YAClC,YAAY,EAAE,QAAQ,CAAC,aAAa;YACpC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC;YAC5D,SAAS,EAAE,QAAQ,CAAC,UAAU;SAC/B,CAAC;QACF,YAAY,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,KAAK;QACpC,MAAM,qBAAqB,GAAG,MAAM,CAAC;QACrC,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QACvD,IAAI,MAAM,EAAE,CAAC;YACX,YAAY,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,EAAE,CAAC;YAChD,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QAED;;;;WAIG;QACH,MAAM,YAAY,GAAG,KAAK,CAAC,0BAA0B,EAAE,CAAC;QACxD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAE3E,YAAY,CAAC,OAAO,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC;QAEtD,6CAA6C;QAC7C,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAC9B,MAAM;YACJ,CAAC,CAAC,mBAAmB,CAAC,qBAAqB;gBACzC,mBAAmB,CAAC,sBAAsB;YAC5C,CAAC,CAAC,mBAAmB,CAAC,sBAAsB,CAC/C,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,CAAC,MAAM;YACL,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,qBAAqB;YACrD,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC;YACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CACvB,CAAC;QACF,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC;QAC5C,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;QAExB,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,
CAAC,CAAC;QACtE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC1E,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3D,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;QACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,uBAAuB,EACvB,qBAAqB,CACtB,CAAC;QACF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/D,CAAC;QAED;;;WAGG;QACH,IACE,mBAAmB,CAAC,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC;YACtE,IAAI,EACJ,CAAC;YACD,MAAM,KAAK,GAAG,KAAK,CAAC,mBAAmB,EAAE,CAAC;YAC1C,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACpD,CAAC;QAED,iDAAiD;QACjD,QAAQ,CAAC,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC9B,wBAAwB;gBACxB,MAAM,IAAI,kBAAkB,CAC1B,8CAA8C,CAC/C,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAClD,EAAE,EACF,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,MAAM,CAAC,YAAY,CACzB,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,2BAA2B,CACtD,EAAE,EACF,IAAI,CAAC,MAAM,EACX,OAAO,CACR,CAAC;YAEF,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,OAAO;QACX,YAAY,CAAC,QAAQ,CAAC;YACpB,eAAe,EAAE,KAAK;YACtB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAEtC,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,sBAAsB,CACrD,CAAC;QACF,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC;QAElD,IAAI,SAAc,CAAC;QACnB,uEAAuE;QACvE,sEAAsE;QACtE,IAAI,EAAE,CAAC,oBAAoB,EAAE,CAAC;YAC5B,SAAS,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC;YAC7C,kCAAkC;YAClC,gCAAgC;YAChC,kBAAkB;YAClB,2DAA2D;YAC3D,IAAI;YACJ,SAAS,CAAC,YAAY,CAAC,GAAG,CACxB,0BAA0B,EAC1B,WAAW,CAAC,QAA
Q,EAAE,CACvB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,WAAW,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,cAAc,GAAG,KAAK,IAAqB,EAAE;QAC3C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE5C,8DAA8D;QAC9D,8CAA8C;QAC9C,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAC7D,8CAA8C;QAE9C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,kBAAkB,CAC1B,8CAA8C,CAC/C,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAE9C,MAAM,MAAM,GAAG,KAAK,CAAC,oBAAoB,CACvC,UAAU,EACV,IAAI,CAAC,MAAM,EACX,GAAG,CAAC,YAAY,EAChB,KAAK,IAAI,SAAS,CACnB,CAAC;QACF,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,MAAM,CAAC,CAAC;YACxD,MAAM,IAAI,uBAAuB,CAC/B,iCAAiC,EACjC,MAAM,CACP,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,qBAAqB,IAAI,IAAI,CAAC,eAAe,CAAC;QAC1E,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;QAExB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,CACxD,UAAU,EACV,IAAI,CAAC,MAAM,EACX,MAAM,EACN,WAAW,CAAC,QAAQ,EAAE,EACtB,YAAY,CACb,CAAC;QAEF,+BAA+B;QAC/B,qEAAqE;QACrE,oBAAoB;QACpB,0CAA0C;QAC1C,8DAA8D;QAC9D,MAAM;QACN,uEAAuE;QACvE,IAAI;QACJ,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,sCAAsC,CACpE,UAAU,EACV,IAAI,CAAC,MAAM,EACX,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAExC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAEhD,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,eAAe,CAClD,UAAU,EACV,IAAI,CAAC,MAAM,EACX,WAAW,CACZ,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,CAAC;QAE/C,MAAM,OAAO,GAAgB;YAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,KAAK;YAC/C,UAAU,EAAE,QAAQ,CAAC,OAAO;SAC7B,CAAC;QAEF,YAAY,CAAC,QAAQ,CAAC;YACpB,eAAe,EAAE,IAAI;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO;SACR,CAAC,CAAC;QAEH,IAAI,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC,qBAAqB,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,qBAAqB,CAAC;QACpC,CAAC;QAED,mEAAmE;QACnE,+BAA+B;QAC/B,0DAA0D;QAE1D,kDAAkD;QAClD,eAAe;IACjB,CA
AC,CAAC;IAEF,uBAAuB;QACrB,OAAO,IAAI,gBAAgB,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CACrD,IAAI,CAAC,cAAc,EAAE,CACtB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,GAEZ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,4BAA4B,CAAC,OAAO,CAAC,CAAC;AAE3D,eAAe,UAAU,CAAC"}
@@ -19,8 +19,8 @@ var he = { exports: {} };
19
19
  "warn",
20
20
  "error"
21
21
  ], o = {}, i = null;
22
- function u(l, f) {
23
- var c = l[f];
22
+ function u(l, p) {
23
+ var c = l[p];
24
24
  if (typeof c.bind == "function")
25
25
  return c.bind(l);
26
26
  try {
@@ -31,16 +31,16 @@ var he = { exports: {} };
31
31
  };
32
32
  }
33
33
  }
34
- function g() {
34
+ function f() {
35
35
  console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
36
36
  }
37
37
  function m(l) {
38
- return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && r ? g : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
38
+ return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && r ? f : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
39
39
  }
40
40
  function b() {
41
- for (var l = this.getLevel(), f = 0; f < s.length; f++) {
42
- var c = s[f];
43
- this[c] = f < l ? e : this.methodFactory(c, l, this.name);
41
+ for (var l = this.getLevel(), p = 0; p < s.length; p++) {
42
+ var c = s[p];
43
+ this[c] = p < l ? e : this.methodFactory(c, l, this.name);
44
44
  }
45
45
  if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
46
46
  return "No console available for logging";
@@ -50,22 +50,22 @@ var he = { exports: {} };
50
50
  typeof console !== n && (b.call(this), this[l].apply(this, arguments));
51
51
  };
52
52
  }
53
- function h(l, f, c) {
53
+ function h(l, p, c) {
54
54
  return m(l) || _.apply(this, arguments);
55
55
  }
56
- function U(l, f) {
56
+ function U(l, p) {
57
57
  var c = this, z, $, P, v = "loglevel";
58
58
  typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
59
59
  function Te(d) {
60
- var p = (s[d] || "silent").toUpperCase();
60
+ var w = (s[d] || "silent").toUpperCase();
61
61
  if (!(typeof window === n || !v)) {
62
62
  try {
63
- window.localStorage[v] = p;
63
+ window.localStorage[v] = w;
64
64
  return;
65
65
  } catch {
66
66
  }
67
67
  try {
68
- window.document.cookie = encodeURIComponent(v) + "=" + p + ";";
68
+ window.document.cookie = encodeURIComponent(v) + "=" + w + ";";
69
69
  } catch {
70
70
  }
71
71
  }
@@ -79,9 +79,9 @@ var he = { exports: {} };
79
79
  }
80
80
  if (typeof d === n)
81
81
  try {
82
- var p = window.document.cookie, J = encodeURIComponent(v), ne = p.indexOf(J + "=");
82
+ var w = window.document.cookie, J = encodeURIComponent(v), ne = w.indexOf(J + "=");
83
83
  ne !== -1 && (d = /^([^;]+)/.exec(
84
- p.slice(ne + J.length + 1)
84
+ w.slice(ne + J.length + 1)
85
85
  )[1]);
86
86
  } catch {
87
87
  }
@@ -101,9 +101,9 @@ var he = { exports: {} };
101
101
  }
102
102
  }
103
103
  function L(d) {
104
- var p = d;
105
- if (typeof p == "string" && c.levels[p.toUpperCase()] !== void 0 && (p = c.levels[p.toUpperCase()]), typeof p == "number" && p >= 0 && p <= c.levels.SILENT)
106
- return p;
104
+ var w = d;
105
+ if (typeof w == "string" && c.levels[w.toUpperCase()] !== void 0 && (w = c.levels[w.toUpperCase()]), typeof w == "number" && w >= 0 && w <= c.levels.SILENT)
106
+ return w;
107
107
  throw new TypeError("log.setLevel() called with invalid level: " + d);
108
108
  }
109
109
  c.name = l, c.levels = {
@@ -113,10 +113,10 @@ var he = { exports: {} };
113
113
  WARN: 3,
114
114
  ERROR: 4,
115
115
  SILENT: 5
116
- }, c.methodFactory = f || h, c.getLevel = function() {
116
+ }, c.methodFactory = p || h, c.getLevel = function() {
117
117
  return P ?? $ ?? z;
118
- }, c.setLevel = function(d, p) {
119
- return P = L(d), p !== !1 && Te(P), b.call(c);
118
+ }, c.setLevel = function(d, w) {
119
+ return P = L(d), w !== !1 && Te(P), b.call(c);
120
120
  }, c.setDefaultLevel = function(d) {
121
121
  $ = L(d), ee() || c.setLevel(d, !1);
122
122
  }, c.resetLevel = function() {
@@ -135,12 +135,12 @@ var he = { exports: {} };
135
135
  var te = ee();
136
136
  te != null && (P = L(te)), b.call(c);
137
137
  }
138
- i = new U(), i.getLogger = function(f) {
139
- if (typeof f != "symbol" && typeof f != "string" || f === "")
138
+ i = new U(), i.getLogger = function(p) {
139
+ if (typeof p != "symbol" && typeof p != "string" || p === "")
140
140
  throw new TypeError("You must supply a name when creating a logger.");
141
- var c = o[f];
142
- return c || (c = o[f] = new U(
143
- f,
141
+ var c = o[p];
142
+ return c || (c = o[p] = new U(
143
+ p,
144
144
  i.methodFactory
145
145
  )), c;
146
146
  };
@@ -287,7 +287,7 @@ async function Me(t, e) {
287
287
  signal: e != null && e.signal ? Z(e.signal) : null
288
288
  }).then(Y);
289
289
  }
290
- function w(t) {
290
+ function g(t) {
291
291
  return typeof t == "string" && t.length !== 0;
292
292
  }
293
293
  async function Be(t, e) {
@@ -306,7 +306,7 @@ async function Be(t, e) {
306
306
  }
307
307
  if (!C(n))
308
308
  throw new a('"response" body must be a top level object');
309
- if (!w(n.issuer))
309
+ if (!g(n.issuer))
310
310
  throw new a('"response" body "issuer" property must be a non-empty string');
311
311
  if (new URL(n.issuer).href !== t.href)
312
312
  throw new a('"response" body "issuer" does not match "expectedIssuer"');
@@ -322,7 +322,7 @@ function qe() {
322
322
  return D();
323
323
  }
324
324
  async function Ve(t) {
325
- if (!w(t))
325
+ if (!g(t))
326
326
  throw new TypeError('"codeVerifier" must be a non-empty string');
327
327
  return T(await crypto.subtle.digest("SHA-256", E(t)));
328
328
  }
@@ -331,7 +331,7 @@ function Ye(t) {
331
331
  return { key: t };
332
332
  if (!((t == null ? void 0 : t.key) instanceof CryptoKey))
333
333
  return {};
334
- if (t.kid !== void 0 && !w(t.kid))
334
+ if (t.kid !== void 0 && !g(t.kid))
335
335
  throw new TypeError('"kid" must be a non-empty string');
336
336
  return { key: t.key, kid: t.kid };
337
337
  }
@@ -425,19 +425,19 @@ async function rt(t, e, n, r) {
425
425
  function j(t) {
426
426
  if (typeof t != "object" || t === null)
427
427
  throw new TypeError('"as" must be an object');
428
- if (!w(t.issuer))
428
+ if (!g(t.issuer))
429
429
  throw new TypeError('"as.issuer" property must be a non-empty string');
430
430
  return !0;
431
431
  }
432
432
  function I(t) {
433
433
  if (typeof t != "object" || t === null)
434
434
  throw new TypeError('"client" must be an object');
435
- if (!w(t.client_id))
435
+ if (!g(t.client_id))
436
436
  throw new TypeError('"client.client_id" property must be a non-empty string');
437
437
  return !0;
438
438
  }
439
439
  function ae(t) {
440
- if (!w(t))
440
+ if (!g(t))
441
441
  throw new TypeError('"client.client_secret" property must be a non-empty string');
442
442
  return t;
443
443
  }
@@ -486,12 +486,12 @@ async function me(t, e, n) {
486
486
  return `${r}.${s}`;
487
487
  }
488
488
  async function it(t, e, n, r, s, o) {
489
- const { privateKey: i, publicKey: u, nonce: g = fe.get(n.origin) } = e;
489
+ const { privateKey: i, publicKey: u, nonce: f = fe.get(n.origin) } = e;
490
490
  if (!we(i))
491
491
  throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
492
492
  if (!Fe(u))
493
493
  throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
494
- if (g !== void 0 && !w(g))
494
+ if (f !== void 0 && !g(f))
495
495
  throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
496
496
  if (!u.extractable)
497
497
  throw new TypeError('"DPoP.publicKey.extractable" must be true');
@@ -503,7 +503,7 @@ async function it(t, e, n, r, s, o) {
503
503
  iat: m,
504
504
  jti: D(),
505
505
  htm: r,
506
- nonce: g,
506
+ nonce: f,
507
507
  htu: `${n.origin}${n.pathname}`,
508
508
  ath: o ? T(await crypto.subtle.digest("SHA-256", E(o))) : void 0
509
509
  }, i);
@@ -530,7 +530,7 @@ function B(t) {
530
530
  return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
531
531
  }
532
532
  async function ut(t, e, n, r, s, o) {
533
- if (!w(t))
533
+ if (!g(t))
534
534
  throw new TypeError('"accessToken" must be a non-empty string');
535
535
  if (!(n instanceof URL))
536
536
  throw new TypeError('"url" must be an instance of URL');
@@ -566,7 +566,7 @@ async function _e(t, e, n, r, s) {
566
566
  return i.set("accept", "application/json"), dt(t, e, "POST", o, r, i, s);
567
567
  }
568
568
  async function ht(t, e, n, r) {
569
- if (j(t), I(e), !w(n))
569
+ if (j(t), I(e), !g(n))
570
570
  throw new TypeError('"refreshToken" must be a non-empty string');
571
571
  const s = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
572
572
  return s.set("refresh_token", n), _e(t, e, "refresh_token", s, r);
@@ -590,20 +590,20 @@ async function be(t, e, n, r = !1, s = !1) {
590
590
  }
591
591
  if (!C(o))
592
592
  throw new a('"response" body must be a top level object');
593
- if (!w(o.access_token))
593
+ if (!g(o.access_token))
594
594
  throw new a('"response" body "access_token" property must be a non-empty string');
595
- if (!w(o.token_type))
595
+ if (!g(o.token_type))
596
596
  throw new a('"response" body "token_type" property must be a non-empty string');
597
597
  if (o.token_type = o.token_type.toLowerCase(), o.token_type !== "dpop" && o.token_type !== "bearer")
598
598
  throw new S("unsupported `token_type` value");
599
599
  if (o.expires_in !== void 0 && (typeof o.expires_in != "number" || o.expires_in <= 0))
600
600
  throw new a('"response" body "expires_in" property must be a positive number');
601
- if (!s && o.refresh_token !== void 0 && !w(o.refresh_token))
601
+ if (!s && o.refresh_token !== void 0 && !g(o.refresh_token))
602
602
  throw new a('"response" body "refresh_token" property must be a non-empty string');
603
603
  if (o.scope !== void 0 && typeof o.scope != "string")
604
604
  throw new a('"response" body "scope" property must be a string');
605
605
  if (!r) {
606
- if (o.id_token !== void 0 && !w(o.id_token))
606
+ if (o.id_token !== void 0 && !g(o.id_token))
607
607
  throw new a('"response" body "id_token" property must be a non-empty string');
608
608
  if (o.id_token) {
609
609
  const { claims: i } = await Tt(o.id_token, At.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), ke, H(e), tt(e)).then(bt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(gt.bind(void 0, t.issuer)).then(wt.bind(void 0, e.client_id));
@@ -639,9 +639,9 @@ function mt(t) {
639
639
  async function yt(t, e, n, r, s, o) {
640
640
  if (j(t), I(e), !ve.has(n))
641
641
  throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
642
- if (!w(r))
642
+ if (!g(r))
643
643
  throw new TypeError('"redirectUri" must be a non-empty string');
644
- if (!w(s))
644
+ if (!g(s))
645
645
  throw new TypeError('"codeVerifier" must be a non-empty string');
646
646
  const i = k(n, "code");
647
647
  if (!i)
@@ -742,10 +742,10 @@ function Se(t) {
742
742
  }
743
743
  const ke = Symbol();
744
744
  async function Tt(t, e, n, r, s) {
745
- const { 0: o, 1: i, 2: u, length: g } = t.split(".");
746
- if (g === 5)
745
+ const { 0: o, 1: i, 2: u, length: f } = t.split(".");
746
+ if (f === 5)
747
747
  throw new S("JWE structure JWTs are not supported");
748
- if (g !== 3)
748
+ if (f !== 3)
749
749
  throw new a("Invalid JWT");
750
750
  let m;
751
751
  try {
@@ -834,7 +834,7 @@ function Pt(t, e, n, r) {
834
834
  case Et:
835
835
  break;
836
836
  default:
837
- if (!w(r))
837
+ if (!g(r))
838
838
  throw new a('"expectedState" must be a non-empty string');
839
839
  if (o === void 0)
840
840
  throw new a('response parameter "state" missing');
@@ -848,8 +848,8 @@ function Pt(t, e, n, r) {
848
848
  error_description: k(n, "error_description"),
849
849
  error_uri: k(n, "error_uri")
850
850
  };
851
- const u = k(n, "id_token"), g = k(n, "token");
852
- if (u !== void 0 || g !== void 0)
851
+ const u = k(n, "id_token"), f = k(n, "token");
852
+ if (u !== void 0 || f !== void 0)
853
853
  throw new S("implicit and hybrid flows are not supported");
854
854
  return mt(new URLSearchParams(n));
855
855
  }
@@ -887,8 +887,8 @@ function xt({
887
887
  }
888
888
  const le = "code-verifier";
889
889
  class Ut extends Ce {
890
- constructor(e, n) {
891
- super(), this.callbackUrlPath = e, this.handleCallback = n;
890
+ constructor(e, n, r) {
891
+ super(), this.callbackUrlPath = e, this.handleCallback = n, this.initialize = r;
892
892
  }
893
893
  getRoutes() {
894
894
  return [
@@ -903,12 +903,13 @@ class Ut extends Ce {
903
903
  class Lt {
904
904
  constructor({
905
905
  issuer: e,
906
- authorizationEndpoint: n,
907
- tokenEndpoint: r,
908
- clientId: s,
909
- redirectToAfterSignUp: o,
910
- redirectToAfterSignIn: i,
911
- redirectToAfterSignOut: u
906
+ audience: n,
907
+ authorizationEndpoint: r,
908
+ tokenEndpoint: s,
909
+ clientId: o,
910
+ redirectToAfterSignUp: i,
911
+ redirectToAfterSignIn: u,
912
+ redirectToAfterSignOut: f
912
913
  }) {
913
914
  y(this, "client");
914
915
  y(this, "issuer");
@@ -921,6 +922,7 @@ class Lt {
921
922
  y(this, "redirectToAfterSignUp");
922
923
  y(this, "redirectToAfterSignIn");
923
924
  y(this, "redirectToAfterSignOut");
925
+ y(this, "audience");
924
926
  y(this, "handleCallback", async () => {
925
927
  const e = new URL(window.location.href), n = e.searchParams.get("state"), r = localStorage.getItem(le);
926
928
  if (!r)
@@ -946,12 +948,12 @@ class Lt {
946
948
  o,
947
949
  i.toString(),
948
950
  r
949
- ), g = await vt(
951
+ ), f = await vt(
950
952
  s,
951
953
  this.client,
952
954
  u
953
955
  );
954
- this.setTokensFromResponse(g);
956
+ this.setTokensFromResponse(f);
955
957
  const m = await this.getAccessToken(), _ = await (await lt(
956
958
  s,
957
959
  this.client,
@@ -970,9 +972,9 @@ class Lt {
970
972
  }), localStorage.getItem("sign-up") ? this.redirectToAfterSignUp : this.redirectToAfterSignIn;
971
973
  });
972
974
  this.client = {
973
- client_id: s,
975
+ client_id: o,
974
976
  token_endpoint_auth_method: "none"
975
- }, this.issuer = e, this.authorizationEndpoint = n, this.tokenEndpoint = r, this.redirectToAfterSignUp = o ?? "/", this.redirectToAfterSignIn = i ?? "/", this.redirectToAfterSignOut = u ?? "/";
977
+ }, this.audience = n, this.issuer = e, this.authorizationEndpoint = r, this.tokenEndpoint = s, this.redirectToAfterSignUp = i ?? "/", this.redirectToAfterSignIn = u ?? "/", this.redirectToAfterSignOut = f ?? "/";
976
978
  }
977
979
  async getAuthServer() {
978
980
  if (!this.authorizationServer)
@@ -1006,7 +1008,7 @@ class Lt {
1006
1008
  refreshToken: e.refresh_token,
1007
1009
  expiresOn: new Date(Date.now() + e.expires_in * 1e3),
1008
1010
  tokenType: e.token_type
1009
- };
1011
+ }, localStorage.setItem("openid-token", JSON.stringify(this.tokens));
1010
1012
  }
1011
1013
  async signUp() {
1012
1014
  return this.authorize(!0);
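Review bot: The added `localStorage.setItem("openid-token", JSON.stringify(this.tokens))` writes the whole token object, `refreshToken` included, to storage that every script on the origin can read and that outlives the tab, so a single XSS or compromised dependency yields a long-lived credential. Prefer keeping tokens in memory; if they must survive a reload, leave the refresh token out, e.g. `sessionStorage.setItem("openid-token", JSON.stringify({ ...this.tokens, refreshToken: undefined }))`, and remove the entry on sign-out. `expiresOn` is a `Date` and comes back from `JSON.parse` as a string, so whatever reads this key (not visible here) has to revive it. The enclosing method starts above the hunk, and the change itself belongs in `src/lib/authentication/providers/openid.tsx`, which the source map lists as this bundle's source.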
@@ -1015,7 +1017,7 @@ class Lt {
1015
1017
  return this.authorize();
1016
1018
  }
1017
1019
  async authorize(e = !1) {
1018
- var g;
1020
+ var f;
1019
1021
  const n = "S256", r = await this.getAuthServer();
1020
1022
  if (e ? localStorage.setItem("sign-up", "true") : localStorage.removeItem("sign-up"), !r.authorization_endpoint)
1021
1023
  throw new x("No authorization endpoint");
@@ -1029,7 +1031,7 @@ class Lt {
1029
1031
  if (u.pathname = this.callbackUrlPath, u.search = "", i.searchParams.set("client_id", this.client.client_id), i.searchParams.set("redirect_uri", u.toString()), i.searchParams.set("response_type", "code"), i.searchParams.set("scope", "openid+profile+email"), i.searchParams.set("code_challenge", o), i.searchParams.set(
1030
1032
  "code_challenge_method",
1031
1033
  n
1032
- ), ((g = r.code_challenge_methods_supported) == null ? void 0 : g.includes("S256")) !== !0) {
1034
+ ), this.audience && i.searchParams.set("audience", this.audience), ((f = r.code_challenge_methods_supported) == null ? void 0 : f.includes("S256")) !== !0) {
1033
1035
  const m = qe();
1034
1036
  i.searchParams.set("state", m);
1035
1037
  }
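Review bot: The `scope` value `"openid+profile+email"` on the first line of this hunk goes through `URLSearchParams.set`, which serializes `+` as `%2B`, so the authorization server receives one scope literally named `openid+profile+email` rather than three space-separated scopes. Write `i.searchParams.set("scope", "openid profile email")` and let the serializer emit the separators; otherwise a strict server can reject the request or grant none of the intended scopes. The line is unchanged context, but it sits in the same statement as the new `audience` parameter and this change does not address it. `authorize` starts above the hunk and is not closed within it.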
@@ -1 +1 @@
1
- {"version":3,"file":"zudoku.auth-openid.js","sources":["../../../node_modules/.pnpm/loglevel@1.9.1/node_modules/loglevel/lib/loglevel.js","../../../node_modules/.pnpm/oauth4webapi@2.11.1/node_modules/oauth4webapi/build/index.js","../src/lib/authentication/errors.ts","../src/lib/authentication/Callback.tsx","../src/lib/authentication/providers/openid.tsx"],"sourcesContent":["/*\n* loglevel - https://github.com/pimterry/loglevel\n*\n* Copyright (c) 2013 Tim Perry\n* Licensed under the MIT license.\n*/\n(function (root, definition) {\n \"use strict\";\n if (typeof define === 'function' && define.amd) {\n define(definition);\n } else if (typeof module === 'object' && module.exports) {\n module.exports = definition();\n } else {\n root.log = definition();\n }\n}(this, function () {\n \"use strict\";\n\n // Slightly dubious tricks to cut down minimized file size\n var noop = function() {};\n var undefinedType = \"undefined\";\n var isIE = (typeof window !== undefinedType) && (typeof window.navigator !== undefinedType) && (\n /Trident\\/|MSIE /.test(window.navigator.userAgent)\n );\n\n var logMethods = [\n \"trace\",\n \"debug\",\n \"info\",\n \"warn\",\n \"error\"\n ];\n\n var _loggersByName = {};\n var defaultLogger = null;\n\n // Cross-browser bind equivalent that works at least back to IE6\n function bindMethod(obj, methodName) {\n var method = obj[methodName];\n if (typeof method.bind === 'function') {\n return method.bind(obj);\n } else {\n try {\n return Function.prototype.bind.call(method, obj);\n } catch (e) {\n // Missing bind shim or IE8 + Modernizr, fallback to wrapping\n return function() {\n return Function.prototype.apply.apply(method, [obj, arguments]);\n };\n }\n }\n }\n\n // Trace() doesn't print the message in IE, so for that case we need to wrap it\n function traceForIE() {\n if (console.log) {\n if (console.log.apply) {\n console.log.apply(console, arguments);\n } else {\n // In old IE, native console methods themselves don't have apply().\n 
Function.prototype.apply.apply(console.log, [console, arguments]);\n }\n }\n if (console.trace) console.trace();\n }\n\n // Build the best logging method possible for this env\n // Wherever possible we want to bind, not wrap, to preserve stack traces\n function realMethod(methodName) {\n if (methodName === 'debug') {\n methodName = 'log';\n }\n\n if (typeof console === undefinedType) {\n return false; // No method possible, for now - fixed later by enableLoggingWhenConsoleArrives\n } else if (methodName === 'trace' && isIE) {\n return traceForIE;\n } else if (console[methodName] !== undefined) {\n return bindMethod(console, methodName);\n } else if (console.log !== undefined) {\n return bindMethod(console, 'log');\n } else {\n return noop;\n }\n }\n\n // These private functions always need `this` to be set properly\n\n function replaceLoggingMethods() {\n /*jshint validthis:true */\n var level = this.getLevel();\n\n // Replace the actual methods.\n for (var i = 0; i < logMethods.length; i++) {\n var methodName = logMethods[i];\n this[methodName] = (i < level) ?\n noop :\n this.methodFactory(methodName, level, this.name);\n }\n\n // Define log.log as an alias for log.debug\n this.log = this.debug;\n\n // Return any important warnings.\n if (typeof console === undefinedType && level < this.levels.SILENT) {\n return \"No console available for logging\";\n }\n }\n\n // In old IE versions, the console isn't present until you first open it.\n // We build realMethod() replacements here that regenerate logging methods\n function enableLoggingWhenConsoleArrives(methodName) {\n return function () {\n if (typeof console !== undefinedType) {\n replaceLoggingMethods.call(this);\n this[methodName].apply(this, arguments);\n }\n };\n }\n\n // By default, we use closely bound real methods wherever possible, and\n // otherwise we wait for a console to appear, and then try again.\n function defaultMethodFactory(methodName, _level, _loggerName) {\n /*jshint validthis:true */\n return 
realMethod(methodName) ||\n enableLoggingWhenConsoleArrives.apply(this, arguments);\n }\n\n function Logger(name, factory) {\n // Private instance variables.\n var self = this;\n /**\n * The level inherited from a parent logger (or a global default). We\n * cache this here rather than delegating to the parent so that it stays\n * in sync with the actual logging methods that we have installed (the\n * parent could change levels but we might not have rebuilt the loggers\n * in this child yet).\n * @type {number}\n */\n var inheritedLevel;\n /**\n * The default level for this logger, if any. If set, this overrides\n * `inheritedLevel`.\n * @type {number|null}\n */\n var defaultLevel;\n /**\n * A user-specific level for this logger. If set, this overrides\n * `defaultLevel`.\n * @type {number|null}\n */\n var userLevel;\n\n var storageKey = \"loglevel\";\n if (typeof name === \"string\") {\n storageKey += \":\" + name;\n } else if (typeof name === \"symbol\") {\n storageKey = undefined;\n }\n\n function persistLevelIfPossible(levelNum) {\n var levelName = (logMethods[levelNum] || 'silent').toUpperCase();\n\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage[storageKey] = levelName;\n return;\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=\" + levelName + \";\";\n } catch (ignore) {}\n }\n\n function getPersistedLevel() {\n var storedLevel;\n\n if (typeof window === undefinedType || !storageKey) return;\n\n try {\n storedLevel = window.localStorage[storageKey];\n } catch (ignore) {}\n\n // Fallback to cookies if local storage gives us nothing\n if (typeof storedLevel === undefinedType) {\n try {\n var cookie = window.document.cookie;\n var cookieName = encodeURIComponent(storageKey);\n var location = cookie.indexOf(cookieName + \"=\");\n if (location !== -1) {\n storedLevel = /^([^;]+)/.exec(\n 
cookie.slice(location + cookieName.length + 1)\n )[1];\n }\n } catch (ignore) {}\n }\n\n // If the stored level is not valid, treat it as if nothing was stored.\n if (self.levels[storedLevel] === undefined) {\n storedLevel = undefined;\n }\n\n return storedLevel;\n }\n\n function clearPersistedLevel() {\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage.removeItem(storageKey);\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=; expires=Thu, 01 Jan 1970 00:00:00 UTC\";\n } catch (ignore) {}\n }\n\n function normalizeLevel(input) {\n var level = input;\n if (typeof level === \"string\" && self.levels[level.toUpperCase()] !== undefined) {\n level = self.levels[level.toUpperCase()];\n }\n if (typeof level === \"number\" && level >= 0 && level <= self.levels.SILENT) {\n return level;\n } else {\n throw new TypeError(\"log.setLevel() called with invalid level: \" + input);\n }\n }\n\n /*\n *\n * Public logger API - see https://github.com/pimterry/loglevel for details\n *\n */\n\n self.name = name;\n\n self.levels = { \"TRACE\": 0, \"DEBUG\": 1, \"INFO\": 2, \"WARN\": 3,\n \"ERROR\": 4, \"SILENT\": 5};\n\n self.methodFactory = factory || defaultMethodFactory;\n\n self.getLevel = function () {\n if (userLevel != null) {\n return userLevel;\n } else if (defaultLevel != null) {\n return defaultLevel;\n } else {\n return inheritedLevel;\n }\n };\n\n self.setLevel = function (level, persist) {\n userLevel = normalizeLevel(level);\n if (persist !== false) { // defaults to true\n persistLevelIfPossible(userLevel);\n }\n\n // NOTE: in v2, this should call rebuild(), which updates children.\n return replaceLoggingMethods.call(self);\n };\n\n self.setDefaultLevel = function (level) {\n defaultLevel = normalizeLevel(level);\n if (!getPersistedLevel()) {\n self.setLevel(level, false);\n }\n };\n\n self.resetLevel = function 
() {\n userLevel = null;\n clearPersistedLevel();\n replaceLoggingMethods.call(self);\n };\n\n self.enableAll = function(persist) {\n self.setLevel(self.levels.TRACE, persist);\n };\n\n self.disableAll = function(persist) {\n self.setLevel(self.levels.SILENT, persist);\n };\n\n self.rebuild = function () {\n if (defaultLogger !== self) {\n inheritedLevel = normalizeLevel(defaultLogger.getLevel());\n }\n replaceLoggingMethods.call(self);\n\n if (defaultLogger === self) {\n for (var childName in _loggersByName) {\n _loggersByName[childName].rebuild();\n }\n }\n };\n\n // Initialize all the internal levels.\n inheritedLevel = normalizeLevel(\n defaultLogger ? defaultLogger.getLevel() : \"WARN\"\n );\n var initialLevel = getPersistedLevel();\n if (initialLevel != null) {\n userLevel = normalizeLevel(initialLevel);\n }\n replaceLoggingMethods.call(self);\n }\n\n /*\n *\n * Top-level API\n *\n */\n\n defaultLogger = new Logger();\n\n defaultLogger.getLogger = function getLogger(name) {\n if ((typeof name !== \"symbol\" && typeof name !== \"string\") || name === \"\") {\n throw new TypeError(\"You must supply a name when creating a logger.\");\n }\n\n var logger = _loggersByName[name];\n if (!logger) {\n logger = _loggersByName[name] = new Logger(\n name,\n defaultLogger.methodFactory\n );\n }\n return logger;\n };\n\n // Grab the current global log variable in case of overwrite\n var _log = (typeof window !== undefinedType) ? 
window.log : undefined;\n defaultLogger.noConflict = function() {\n if (typeof window !== undefinedType &&\n window.log === defaultLogger) {\n window.log = _log;\n }\n\n return defaultLogger;\n };\n\n defaultLogger.getLoggers = function getLoggers() {\n return _loggersByName;\n };\n\n // ES6 default export, for compatibility\n defaultLogger['default'] = defaultLogger;\n\n return defaultLogger;\n}));\n","let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v2.11.1';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const experimental_jwksCache = Symbol();\nexport const useMtlsAlias = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nconst CHUNK_SIZE = 0x8000;\nfunction encodeBase64Url(input) {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\nfunction decodeBase64Url(input) {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw new 
OPE('The input to be decoded is not correctly encoded.', { cause });\n }\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nclass LRU {\n constructor(maxSize) {\n this.cache = new Map();\n this._cache = new Map();\n this.maxSize = maxSize;\n }\n get(key) {\n let v = this.cache.get(key);\n if (v) {\n return v;\n }\n if ((v = this._cache.get(key))) {\n this.update(key, v);\n return v;\n }\n return undefined;\n }\n has(key) {\n return this.cache.has(key) || this._cache.has(key);\n }\n set(key, value) {\n if (this.cache.has(key)) {\n this.cache.set(key, value);\n }\n else {\n this.update(key, value);\n }\n return this;\n }\n delete(key) {\n if (this.cache.has(key)) {\n return this.cache.delete(key);\n }\n if (this._cache.has(key)) {\n return this._cache.delete(key);\n }\n return false;\n }\n update(key, value) {\n this.cache.set(key, value);\n if (this.cache.size >= this.maxSize) {\n this._cache = this.cache;\n this.cache = new Map();\n }\n }\n}\nexport class UnsupportedOperationError extends Error {\n constructor(message) {\n super(message ?? 
'operation not supported');\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst OPE = OperationProcessingError;\nconst dpopNonces = new LRU(100);\nfunction isCryptoKey(key) {\n return key instanceof CryptoKey;\n}\nfunction isPrivateKey(key) {\n return isCryptoKey(key) && key.type === 'private';\n}\nfunction isPublicKey(key) {\n return isCryptoKey(key) && key.type === 'public';\n}\nconst SUPPORTED_JWS_ALGS = [\n 'PS256',\n 'ES256',\n 'RS256',\n 'PS384',\n 'ES384',\n 'RS384',\n 'PS512',\n 'ES512',\n 'RS512',\n 'EdDSA',\n];\nfunction processDpopNonce(response) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n dpopNonces.set(new URL(response.url).origin, nonce);\n }\n }\n catch { }\n return response;\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = Object.fromEntries(input.entries());\n }\n const headers = new Headers(input);\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw new TypeError('\"options.headers\" must not include the \"authorization\" header name');\n }\n if (headers.has('dpop')) {\n throw new TypeError('\"options.headers\" must not include the \"dpop\" header name');\n }\n return headers;\n}\nfunction signal(value) {\n if (typeof value === 'function') {\n value = value();\n }\n if (!(value instanceof AbortSignal)) {\n throw new TypeError('\"options.signal\" must return or be an instance of 
AbortSignal');\n }\n return value;\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n if (!(issuerIdentifier instanceof URL)) {\n throw new TypeError('\"issuerIdentifier\" must be an instance of URL');\n }\n if (issuerIdentifier.protocol !== 'https:' && issuerIdentifier.protocol !== 'http:') {\n throw new TypeError('\"issuer.protocol\" must be \"https:\" or \"http:\"');\n }\n const url = new URL(issuerIdentifier.href);\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace('//', '/');\n break;\n case 'oauth2':\n if (url.pathname === '/') {\n url.pathname = '.well-known/oauth-authorization-server';\n }\n else {\n url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/');\n }\n break;\n default:\n throw new TypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"');\n }\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? 
signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nfunction validateString(input) {\n return typeof input === 'string' && input.length !== 0;\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n if (!(expectedIssuerIdentifier instanceof URL)) {\n throw new TypeError('\"expectedIssuer\" must be an instance of URL');\n }\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform Authorization Server Metadata response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.issuer)) {\n throw new OPE('\"response\" body \"issuer\" property must be a non-empty string');\n }\n if (new URL(json.issuer).href !== expectedIssuerIdentifier.href) {\n throw new OPE('\"response\" body \"issuer\" does not match \"expectedIssuer\"');\n }\n return json;\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined && !validateString(input.kid)) {\n throw new 
TypeError('\"kid\" must be a non-empty string');\n }\n return { key: input.key, kid: input.kid };\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/%20/g, '+');\n}\nfunction clientSecretBasic(clientId, clientSecret) {\n const username = formUrlEncode(clientId);\n const password = formUrlEncode(clientSecret);\n const credentials = btoa(`${username}:${password}`);\n return `Basic ${credentials}`;\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve');\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n case 'Ed25519':\n case 'Ed448':\n return 'EdDSA';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name');\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? 
tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction clientAssertion(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: [as.issuer, as.token_endpoint],\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nasync function privateKeyJwt(as, client, key, kid) {\n return jwt({\n alg: keyToJws(key),\n kid,\n }, clientAssertion(as, client), key);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw new TypeError('\"as\" must be an object');\n }\n if (!validateString(as.issuer)) {\n throw new TypeError('\"as.issuer\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw new TypeError('\"client\" must be an object');\n }\n if (!validateString(client.client_id)) {\n throw new TypeError('\"client.client_id\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClientSecret(clientSecret) {\n if (!validateString(clientSecret)) {\n throw new TypeError('\"client.client_secret\" property must be a non-empty string');\n }\n return clientSecret;\n}\nfunction assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {\n if (clientPrivateKey !== undefined) {\n throw new TypeError(`\"options.clientPrivateKey\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nfunction assertNoClientSecret(clientAuthMethod, clientSecret) {\n if (clientSecret !== undefined) {\n throw new TypeError(`\"client.client_secret\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nasync function clientAuthentication(as, client, body, headers, clientPrivateKey) {\n body.delete('client_secret');\n body.delete('client_assertion_type');\n body.delete('client_assertion');\n switch 
(client.token_endpoint_auth_method) {\n case undefined:\n case 'client_secret_basic': {\n assertNoClientPrivateKey('client_secret_basic', clientPrivateKey);\n headers.set('authorization', clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));\n break;\n }\n case 'client_secret_post': {\n assertNoClientPrivateKey('client_secret_post', clientPrivateKey);\n body.set('client_id', client.client_id);\n body.set('client_secret', assertClientSecret(client.client_secret));\n break;\n }\n case 'private_key_jwt': {\n assertNoClientSecret('private_key_jwt', client.client_secret);\n if (clientPrivateKey === undefined) {\n throw new TypeError('\"options.clientPrivateKey\" must be provided when \"client.token_endpoint_auth_method\" is \"private_key_jwt\"');\n }\n const { key, kid } = getKeyAndKid(clientPrivateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"options.clientPrivateKey.key\" must be a private CryptoKey');\n }\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await privateKeyJwt(as, client, key, kid));\n break;\n }\n case 'tls_client_auth':\n case 'self_signed_tls_client_auth':\n case 'none': {\n assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);\n assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);\n body.set('client_id', client.client_id);\n break;\n }\n default:\n throw new UnsupportedOperationError('unsupported client token_endpoint_auth_method');\n }\n}\nasync function jwt(header, claimsSet, key) {\n if (!key.usages.includes('sign')) {\n throw new TypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"');\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return 
`${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid } = getKeyAndKid(privateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"privateKey.key\" must be a private CryptoKey');\n }\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n if (!Number.isFinite(claims.max_age)) {\n throw new OPE('\"max_age\" parameter must be a number');\n }\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"claims\" parameter as JSON', { cause });\n }\n if (!isJsonObject(claims.claims)) {\n throw new OPE('\"claims\" parameter must be a JSON with a top level object');\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"authorization_details\" parameter as JSON', { cause });\n }\n if (!Array.isArray(claims.authorization_details)) {\n throw new OPE('\"authorization_details\" parameter must be a JSON with a top level array');\n }\n }\n }\n return jwt({\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n }, claims, key);\n}\nasync function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken) {\n const { privateKey, publicKey, nonce = 
dpopNonces.get(url.origin) } = options;\n if (!isPrivateKey(privateKey)) {\n throw new TypeError('\"DPoP.privateKey\" must be a private CryptoKey');\n }\n if (!isPublicKey(publicKey)) {\n throw new TypeError('\"DPoP.publicKey\" must be a public CryptoKey');\n }\n if (nonce !== undefined && !validateString(nonce)) {\n throw new TypeError('\"DPoP.nonce\" must be a non-empty string or undefined');\n }\n if (!publicKey.extractable) {\n throw new TypeError('\"DPoP.publicKey.extractable\" must be true');\n }\n const now = epochTime() + clockSkew;\n const proof = await jwt({\n alg: keyToJws(privateKey),\n typ: 'dpop+jwt',\n jwk: await publicJwk(publicKey),\n }, {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,\n }, privateKey);\n headers.set('dpop', proof);\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key) {\n const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv };\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key) {\n jwkCache || (jwkCache = new WeakMap());\n return jwkCache.get(key) || getSetPublicJwkCache(key);\n}\nfunction validateEndpoint(value, endpoint, options) {\n if (typeof value !== 'string') {\n if (options?.[useMtlsAlias]) {\n throw new TypeError(`\"as.mtls_endpoint_aliases.${endpoint}\" must be a string`);\n }\n throw new TypeError(`\"as.${endpoint}\" must be a string`);\n }\n return new URL(value);\n}\nfunction resolveEndpoint(as, endpoint, options) {\n if (options?.[useMtlsAlias] && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, options);\n }\n return validateEndpoint(as[endpoint], endpoint);\n}\nexport async function pushedAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = 
resolveEndpoint(as, 'pushed_authorization_request_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport function isOAuth2Error(input) {\n const value = input;\n if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n return false;\n }\n return value.error !== undefined;\n}\nfunction unquote(value) {\n if (value.length >= 2 && value[0] === '\"' && value[value.length - 1] === '\"') {\n return value.slice(1, -1);\n }\n return value;\n}\nconst SPLIT_REGEXP = /((?:,|, )?[0-9a-zA-Z!#$%&'*+-.^_`|~]+=)/;\nconst SCHEMES_REGEXP = /(?:^|, ?)([0-9a-zA-Z!#$%&'*+\\-.^_`|~]+)(?=$|[ ,])/g;\nfunction wwwAuth(scheme, params) {\n const arr = params.split(SPLIT_REGEXP).slice(1);\n if (!arr.length) {\n return { scheme: scheme.toLowerCase(), parameters: {} };\n }\n arr[arr.length - 1] = arr[arr.length - 1].replace(/,$/, '');\n const parameters = {};\n for (let i = 1; i < arr.length; i += 2) {\n const idx = i;\n if (arr[idx][0] === '\"') {\n while (arr[idx].slice(-1) !== '\"' && ++i < arr.length) {\n arr[idx] += arr[i];\n }\n }\n const key = arr[idx - 1].replace(/^(?:, ?)|=$/g, '').toLowerCase();\n parameters[key] = unquote(arr[idx]);\n }\n return {\n scheme: scheme.toLowerCase(),\n parameters,\n };\n}\nexport function parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const result = [];\n for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) {\n result.push([scheme, 
index]);\n }\n if (!result.length) {\n return undefined;\n }\n const challenges = result.map(([scheme, indexOf], i, others) => {\n const next = others[i + 1];\n let parameters;\n if (next) {\n parameters = header.slice(indexOf, next[1]);\n }\n else {\n parameters = header.slice(indexOf);\n }\n return wwwAuth(scheme, parameters);\n });\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 201) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Pushed Authorization Request Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.request_uri)) {\n throw new OPE('\"response\" body \"request_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n return json;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n if (!validateString(accessToken)) {\n throw new TypeError('\"accessToken\" must be a non-empty string');\n }\n if (!(url instanceof URL)) {\n throw new TypeError('\"url\" must be an instance of URL');\n }\n headers = prepareHeaders(headers);\n if (options?.DPoP === undefined) {\n headers.set('authorization', `Bearer ${accessToken}`);\n }\n else {\n await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);\n 
headers.set('authorization', `DPoP ${accessToken}`);\n }\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', options);\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return protectedResourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap || (jwksMap = new WeakMap());\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(alg);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[experimental_jwksCache])) {\n setJwksCache(as, options?.[experimental_jwksCache].jwks, options?.[experimental_jwksCache].uat);\n }\n let jwks;\n let 
age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[experimental_jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'EdDSA' && !(jwk.crv === 'Ed25519' || jwk.crv === 'Ed448'):\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw new OPE('error when selecting a JWT verification key, no applicable keys found');\n }\n if (length !== 1) {\n throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('jwks_uri must only contain public keys');\n }\n return key;\n}\nexport const skipSubjectCheck = Symbol();\nfunction getContentType(response) {\n return 
response.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform UserInfo Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as.issuer));\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw new OPE('JWT UserInfo Response expected');\n }\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.sub)) {\n throw new OPE('\"response\" body \"sub\" property must be a non-empty string');\n }\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n if (!validateString(expectedSubject)) {\n throw new OPE('\"expectedSubject\" must be a non-empty string');\n }\n if (json.sub !== expectedSubject) {\n throw new OPE('unexpected \"response\" body \"sub\" value');\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, method, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n 
return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function tokenEndpointRequest(as, client, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', options);\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);\n}\nexport async function refreshTokenGrantRequest(as, client, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(refreshToken)) {\n throw new TypeError('\"refreshToken\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw new TypeError('\"ref\" was already garbage collected or did not resolve from the proper sources');\n }\n return claims;\n}\nasync function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Token Endpoint response');\n }\n 
assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.access_token)) {\n throw new OPE('\"response\" body \"access_token\" property must be a non-empty string');\n }\n if (!validateString(json.token_type)) {\n throw new OPE('\"response\" body \"token_type\" property must be a non-empty string');\n }\n json.token_type = json.token_type.toLowerCase();\n if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value');\n }\n if (json.expires_in !== undefined &&\n (typeof json.expires_in !== 'number' || json.expires_in <= 0)) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (!ignoreRefreshToken &&\n json.refresh_token !== undefined &&\n !validateString(json.refresh_token)) {\n throw new OPE('\"response\" body \"refresh_token\" property must be a non-empty string');\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw new OPE('\"response\" body \"scope\" property must be a string');\n }\n if (!ignoreIdToken) {\n if (json.id_token !== undefined && !validateString(json.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n if (json.id_token) {\n const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 
&& claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n idTokenClaims.set(json, claims);\n }\n }\n return json;\n}\nexport async function processRefreshTokenResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n }\n else if (result.claims.aud !== expected) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n return result;\n}\nfunction validateOptionalIssuer(expected, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(expected, result);\n }\n return result;\n}\nfunction validateIssuer(expected, result) {\n if (result.claims.iss !== expected) {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim value');\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw new TypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()');\n }\n if (!validateString(redirectUri)) {\n throw new TypeError('\"redirectUri\" must be a non-empty string');\n }\n if 
(!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw new OPE('no authorization code in \"callbackParameters\"');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code_verifier', codeVerifier);\n parameters.set('code', code);\n return tokenEndpointRequest(as, client, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw new OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`);\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge) {\n const result = await processGenericAccessTokenResponse(as, client, response);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!validateString(result.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n maxAge ?? (maxAge = client.default_max_age ?? 
skipAuthTimeCheck);\n const claims = getValidatedIdTokenClaims(result);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n switch (expectedNonce) {\n case undefined:\n case expectNoNonce:\n if (claims.nonce !== undefined) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n break;\n default:\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce === undefined) {\n throw new OPE('ID Token \"nonce\" claim missing');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n }\n return result;\n}\nexport async function processAuthorizationCodeOAuth2Response(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (result.id_token !== undefined) {\n if (typeof result.id_token === 'string' && result.id_token.length) {\n throw new OPE('Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing');\n }\n delete result.id_token;\n }\n return result;\n}\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw new OPE('unexpected JWT \"typ\" header parameter value');\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, 
client, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function processClientCredentialsResponse(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n return result;\n}\nexport async function revocationRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'revocation_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Revocation Endpoint response');\n }\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw new TypeError('\"response\" body has been used already');\n }\n}\nexport async function introspectionRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'introspection_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? 
client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Introspection Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n json = claims.token_introspection;\n if (!isJsonObject(json)) {\n throw new OPE('JWT \"token_introspection\" claim must be a JSON object');\n }\n }\n else {\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n }\n if (typeof json.active !== 'boolean') {\n throw new OPE('\"response\" body \"active\" property must be a boolean');\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri');\n 
const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform JSON Web Key Set response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!Array.isArray(json.keys)) {\n throw new OPE('\"response\" body \"keys\" property must be an array');\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw new OPE('\"response\" body \"keys\" property members must be JWK formatted objects');\n }\n return json;\n}\nasync function handleOAuthBodyError(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n try {\n const json = await response.json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n if (json.error_description !== undefined && typeof json.error_description !== 'string') {\n delete json.error_description;\n }\n if (json.error_uri !== undefined && typeof json.error_uri !== 'string') {\n delete json.error_uri;\n }\n if (json.algs !== undefined && typeof json.algs !== 'string') {\n delete json.algs;\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n delete json.scope;\n }\n return json;\n }\n }\n catch { }\n }\n return 
undefined;\n}\nfunction checkSupportedJwsAlg(alg) {\n if (!SUPPORTED_JWS_ALGS.includes(alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier');\n }\n return alg;\n}\nfunction checkRsaKeyAlgorithm(algorithm) {\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);\n }\n}\nfunction ecdsaHashName(namedCurve) {\n switch (namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError();\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key.algorithm.namedCurve),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key.algorithm);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError();\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key.algorithm);\n return key.algorithm.name;\n case 'Ed448':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError();\n}\nconst noSignatureCheck = Symbol();\nasync function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {\n const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');\n if (length === 5) {\n throw new UnsupportedOperationError('JWE structure JWTs are not supported');\n }\n if (length !== 3) {\n throw new OPE('Invalid JWT');\n }\n let header;\n try {\n header = JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(header)) {\n throw new OPE('JWT Header must be a top level object');\n }\n 
checkAlg(header);\n if (header.crit !== undefined) {\n throw new OPE('unexpected JWT \"crit\" header parameter');\n }\n const signature = b64u(encodedSignature);\n let key;\n if (getKey !== noSignatureCheck) {\n key = await getKey(header);\n const input = `${protectedHeader}.${payload}`;\n const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));\n if (!verified) {\n throw new OPE('JWT signature verification failed');\n }\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(claims)) {\n throw new OPE('JWT Payload must be a top level object');\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim type');\n }\n if (claims.exp <= now - clockTolerance) {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()');\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim type');\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim type');\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim type');\n }\n if (claims.nbf > now + clockTolerance) {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()');\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim type');\n }\n }\n return { header, claims, signature, key };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n 
assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw new OPE('\"parameters\" does not contain a JARM response');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(alg, data, key) {\n let algorithm;\n switch (alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'ES512':\n algorithm = 'SHA-512';\n break;\n case 'EdDSA':\n if (key.algorithm.name === 'Ed25519') {\n algorithm = 'SHA-512';\n break;\n }\n throw new UnsupportedOperationError();\n default:\n throw new UnsupportedOperationError();\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, alg, key) {\n const expected = await idTokenHash(alg, data, key);\n return actual === 
expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw new TypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters');\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams');\n }\n parameters = new URLSearchParams(parameters);\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new TypeError('\"expectedState\" must be a non-empty string');\n }\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!id_token) {\n throw new OPE('\"parameters\" does not contain an ID Token');\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw new OPE('\"parameters\" does not contain an Authorization Code');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n if (typeof expectedState === 'string') {\n requiredClaims.push('s_hash');\n }\n const { claims, header, key } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, 
requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past');\n }\n if (typeof claims.c_hash !== 'string' ||\n (await idTokenHashMatches(code, claims.c_hash, header.alg, key)) !== true) {\n throw new OPE('invalid ID Token \"c_hash\" (code hash) claim value');\n }\n if (claims.s_hash !== undefined && typeof expectedState !== 'string') {\n throw new OPE('could not verify ID Token \"s_hash\" (state hash) claim value');\n }\n if (typeof expectedState === 'string' &&\n (typeof claims.s_hash !== 'string' ||\n (await idTokenHashMatches(expectedState, claims.s_hash, header.alg, key)) !== true)) {\n throw new OPE('invalid ID Token \"s_hash\" (state hash) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n maxAge ?? (maxAge = client.default_max_age ?? 
skipAuthTimeCheck);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, header) {\n if (client !== undefined) {\n if (header.alg !== client) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (header.alg !== 'RS256') {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw new OPE(`\"${name}\" parameter must be provided only once`);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters 
instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw new OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw new OPE('response parameter \"iss\" (issuer) missing');\n }\n if (iss && iss !== as.issuer) {\n throw new OPE('unexpected \"iss\" (issuer) response parameter value');\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw new OPE('unexpected \"state\" response parameter encountered');\n }\n break;\n case skipStateCheck:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new OPE('\"expectedState\" must be a non-empty string');\n }\n if (state === undefined) {\n throw new OPE('response parameter \"state\" missing');\n }\n if (state !== expectedState) {\n throw new OPE('unexpected \"state\" response parameter value');\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n return {\n error,\n error_description: getURLSearchParameter(parameters, 'error_description'),\n error_uri: getURLSearchParameter(parameters, 'error_uri'),\n };\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg, crv) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 
'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA': {\n switch (crv) {\n case 'Ed25519':\n case 'Ed448':\n return crv;\n default:\n throw new UnsupportedOperationError();\n }\n }\n default:\n throw new UnsupportedOperationError();\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg, jwk.crv), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Device Authorization Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.device_code)) {\n throw new OPE('\"response\" body \"device_code\" property must be a non-empty string');\n }\n if (!validateString(json.user_code)) {\n throw new 
OPE('\"response\" body \"user_code\" property must be a non-empty string');\n }\n if (!validateString(json.verification_uri)) {\n throw new OPE('\"response\" body \"verification_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (json.verification_uri_complete !== undefined &&\n !validateString(json.verification_uri_complete)) {\n throw new OPE('\"response\" body \"verification_uri_complete\" property must be a non-empty string');\n }\n if (json.interval !== undefined && (typeof json.interval !== 'number' || json.interval <= 0)) {\n throw new OPE('\"response\" body \"interval\" property must be a positive number');\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(deviceCode)) {\n throw new TypeError('\"deviceCode\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nexport async function generateKeyPair(alg, options) {\n if (!validateString(alg)) {\n throw new TypeError('\"alg\" must be a non-empty string');\n }\n const algorithm = algToSubtle(alg, alg === 'EdDSA' ? options?.crv ?? 'Ed25519' : undefined);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return (crypto.subtle.generateKey(algorithm, options?.extractable ?? 
false, ['sign', 'verify']));\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(as, request, accessToken, accessTokenClaims, options) {\n const header = request.headers.get('dpop');\n if (header === null) {\n throw new OPE('operation indicated DPoP use but the request has no DPoP HTTP Header');\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw new OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`);\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(header, checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {\n if (!jwk) {\n throw new OPE('DPoP Proof is missing the jwk header parameter');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('DPoP Proof jwk header parameter must contain a public key');\n }\n return key;\n }, clockSkew, getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw new OPE('DPoP Proof iat is not recent enough');\n }\n if (proof.claims.htm !== request.method) {\n throw new OPE('DPoP Proof htm mismatch');\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw new OPE('DPoP Proof htu mismatch');\n }\n {\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(accessToken)));\n if (proof.claims.ath !== expected) {\n throw new OPE('DPoP 
Proof ath mismatch');\n }\n }\n {\n let components;\n switch (proof.header.jwk.kty) {\n case 'EC':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n y: proof.header.jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n };\n break;\n case 'RSA':\n components = {\n e: proof.header.jwk.e,\n kty: proof.header.jwk.kty,\n n: proof.header.jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(JSON.stringify(components))));\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw new OPE('JWT Access Token confirmation mismatch');\n }\n }\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw new TypeError('\"request\" must be an instance of Request');\n }\n if (!validateString(expectedAudience)) {\n throw new OPE('\"expectedAudience\" must be a non-empty string');\n }\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw new OPE('\"request\" is missing an Authorization HTTP Header');\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme');\n }\n if (length !== 2) {\n throw new OPE('invalid Authorization HTTP Header format');\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, undefined, SUPPORTED_JWS_ALGS), 
getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(options), getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, expectedAudience));\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw new OPE(`unexpected JWT \"${claim}\" claim type`);\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw new OPE('unexpected JWT \"cnf\" (confirmation) claim value');\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported');\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method');\n }\n }\n }\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(as, request, accessToken, claims, options);\n }\n return claims;\n}\nexport const experimentalCustomFetch = customFetch;\nexport const experimental_customFetch = customFetch;\nexport const experimentalUseMtlsAlias = useMtlsAlias;\nexport const experimental_useMtlsAlias = useMtlsAlias;\nexport const experimental_validateDetachedSignatureResponse = validateDetachedSignatureResponse;\nexport const experimental_validateJwtAccessToken = validateJwtAccessToken;\n","export class AuthorizationError extends Error {}\n\ninterface OAuthError {\n readonly error: string;\n readonly error_description?: string;\n readonly error_uri?: string;\n readonly algs?: string;\n readonly scope?: string;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n readonly [parameter: string]: any | undefined;\n}\n\nexport class OAuthAuthorizationError extends AuthorizationError {\n constructor(\n message: string,\n public error: 
OAuthError,\n options?: ErrorOptions,\n ) {\n super(message, options);\n }\n}\n","import { useEffect, useRef, useState } from \"react\";\nimport { useNavigate } from \"react-router-dom\";\nimport { OAuthAuthorizationError } from \"./errors.js\";\n\nexport function Callback({\n handleCallback,\n}: {\n handleCallback: () => Promise<string>;\n}) {\n const didInitialize = useRef(false);\n const [error, setError] = useState<Error | undefined>(undefined);\n const navigate = useNavigate();\n\n // This should not use react query, etc. It is important that it\n // only ever runs once. The didInitialize ref keeps it from double\n // initializing in dev mode with ReactStrict enabled.\n useEffect(() => {\n if (didInitialize.current) {\n return;\n }\n didInitialize.current = true;\n handleCallback()\n .then((redirect) => {\n // TODO: Handle return url, state, etc\n navigate(redirect);\n })\n .catch((err) => {\n setError(err);\n });\n }, []);\n\n if (error) {\n if (error instanceof OAuthAuthorizationError) {\n return (\n <div>\n <h2>Error</h2>\n <pre>\n {error.error.error}\n\n {error.error.error_description}\n\n {error.error.error_uri}\n </pre>\n </div>\n );\n }\n return (\n <div>\n <h2>Error</h2>\n <pre>\n {error.message}\n\n {error.stack}\n </pre>\n </div>\n );\n }\n\n return <div>Loading...</div>;\n}\n","import logger from \"loglevel\";\nimport * as oauth from \"oauth4webapi\";\nimport { OpenIDAuthenticationConfig } from \"../../../config/config.js\";\nimport {\n AuthenticationProvider,\n AuthenticationProviderInitializer,\n} from \"../authentication.js\";\nimport { AuthenticationPlugin } from \"../AuthenticationPlugin.js\";\nimport { Callback } from \"../Callback.js\";\nimport { AuthorizationError, OAuthAuthorizationError } from \"../errors.js\";\nimport { useAuthState, UserProfile } from \"../state.js\";\n\nconst CODE_VERIFIER_KEY = \"code-verifier\";\n\ninterface TokenState {\n accessToken: string;\n refreshToken?: string;\n expiresOn: Date;\n tokenType: 
string;\n}\n\nclass OpenIdAuthPlugin extends AuthenticationPlugin {\n constructor(\n private callbackUrlPath: string,\n private handleCallback: () => Promise<string>,\n ) {\n super();\n }\n getRoutes() {\n return [\n ...super.getRoutes(),\n {\n path: this.callbackUrlPath,\n element: <Callback handleCallback={this.handleCallback} />,\n },\n ];\n }\n}\n\nexport class OpenIDAuthenticationProvider implements AuthenticationProvider {\n protected client: oauth.Client;\n protected issuer: string;\n protected authorizationEndpoint: string | undefined;\n protected tokenEndpoint: string | undefined;\n\n protected authorizationServer: oauth.AuthorizationServer | undefined;\n protected tokens: TokenState | undefined;\n\n protected callbackUrlPath = \"/oauth/callback\";\n protected logoutRedirectUrlPath = \"/\";\n private redirectToAfterSignUp: string;\n private redirectToAfterSignIn: string;\n private redirectToAfterSignOut: string;\n\n constructor({\n issuer,\n authorizationEndpoint,\n tokenEndpoint,\n clientId,\n redirectToAfterSignUp,\n redirectToAfterSignIn,\n redirectToAfterSignOut,\n }: OpenIDAuthenticationConfig) {\n this.client = {\n client_id: clientId,\n token_endpoint_auth_method: \"none\",\n };\n this.issuer = issuer;\n this.authorizationEndpoint = authorizationEndpoint;\n this.tokenEndpoint = tokenEndpoint;\n this.redirectToAfterSignUp = redirectToAfterSignUp ?? \"/\";\n this.redirectToAfterSignIn = redirectToAfterSignIn ?? \"/\";\n this.redirectToAfterSignOut = redirectToAfterSignOut ?? 
\"/\";\n }\n\n protected async getAuthServer() {\n if (!this.authorizationServer) {\n if (this.tokenEndpoint && this.authorizationEndpoint) {\n this.authorizationServer = {\n issuer: new URL(this.authorizationEndpoint!).origin,\n authorization_endpoint: this.authorizationEndpoint,\n token_endpoint: this.tokenEndpoint,\n code_challenge_methods_supported: [],\n };\n } else {\n const issuerUrl = new URL(this.issuer);\n const response = await oauth.discoveryRequest(issuerUrl);\n this.authorizationServer = await oauth.processDiscoveryResponse(\n issuerUrl,\n response,\n );\n }\n }\n return this.authorizationServer;\n }\n\n /**\n * Sets the tokens from various OAuth responses\n * @param response\n */\n protected setTokensFromResponse(\n response: oauth.TokenEndpointResponse | oauth.OAuth2Error,\n ) {\n if (oauth.isOAuth2Error(response)) {\n logger.error(\"Bad Token Response\", response);\n throw new OAuthAuthorizationError(\"Bad Token Response\", response);\n }\n\n if (!response.expires_in) {\n throw new AuthorizationError(\"No expires_in in response\");\n }\n\n this.tokens = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n expiresOn: new Date(Date.now() + response.expires_in * 1000),\n tokenType: response.token_type,\n };\n }\n\n async signUp() {\n return this.authorize(true);\n }\n\n async signIn() {\n return this.authorize();\n }\n\n private async authorize(signUp = false): Promise<void> {\n const code_challenge_method = \"S256\";\n const authorizationServer = await this.getAuthServer();\n if (signUp) {\n localStorage.setItem(\"sign-up\", \"true\");\n } else {\n localStorage.removeItem(\"sign-up\");\n }\n\n if (!authorizationServer.authorization_endpoint) {\n throw new AuthorizationError(\"No authorization endpoint\");\n }\n\n /**\n * The following MUST be generated for every redirect to the authorization_endpoint. 
You must store\n * the codeVerifier and nonce in the end-user session such that it can be recovered as the user\n * gets redirected from the authorization server back to your application.\n */\n const codeVerifier = oauth.generateRandomCodeVerifier();\n const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);\n\n localStorage.setItem(CODE_VERIFIER_KEY, codeVerifier);\n\n // redirect user to as.authorization_endpoint\n const authorizationUrl = new URL(\n signUp\n ? authorizationServer.registration_endpoint ??\n authorizationServer.authorization_endpoint\n : authorizationServer.authorization_endpoint,\n );\n\n const redirectUrl = new URL(\n (signUp\n ? window.location.origin + this.redirectToAfterSignUp\n : window.location.origin + this.redirectToAfterSignIn) ??\n window.location.href,\n );\n redirectUrl.pathname = this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n authorizationUrl.searchParams.set(\"client_id\", this.client.client_id);\n authorizationUrl.searchParams.set(\"redirect_uri\", redirectUrl.toString());\n authorizationUrl.searchParams.set(\"response_type\", \"code\");\n authorizationUrl.searchParams.set(\"scope\", \"openid+profile+email\");\n authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n authorizationUrl.searchParams.set(\n \"code_challenge_method\",\n code_challenge_method,\n );\n\n /**\n * We cannot be sure the AS supports PKCE so we're going to use state too. 
Use of PKCE is\n * backwards compatible even if the AS doesn't support it which is why we're using it regardless.\n */\n if (\n authorizationServer.code_challenge_methods_supported?.includes(\"S256\") !==\n true\n ) {\n const state = oauth.generateRandomState();\n authorizationUrl.searchParams.set(\"state\", state);\n }\n\n // now redirect the user to authorizationUrl.href\n location.href = authorizationUrl.href;\n }\n\n async getAccessToken(): Promise<string> {\n const as = await this.getAuthServer();\n if (!this.tokens) {\n throw new AuthorizationError(\"User is not authenticated\");\n }\n if (this.tokens.expiresOn < new Date()) {\n if (!this.tokens.refreshToken) {\n // TODO: Log user bac in\n throw new AuthorizationError(\n \"Token expired and no refresh token available\",\n );\n }\n\n const request = await oauth.refreshTokenGrantRequest(\n as,\n this.client,\n this.tokens.refreshToken,\n );\n const response = await oauth.processRefreshTokenResponse(\n as,\n this.client,\n request,\n );\n\n this.setTokensFromResponse(response);\n }\n\n return this.tokens.accessToken;\n }\n\n async signOut(): Promise<void> {\n useAuthState.setState({\n isAuthenticated: false,\n isPending: false,\n profile: undefined,\n });\n\n const as = await this.getAuthServer();\n\n const redirectUrl = new URL(\n window.location.origin + this.redirectToAfterSignOut,\n );\n redirectUrl.pathname = this.logoutRedirectUrlPath;\n\n let logoutUrl: URL;\n // The endSessionEndpoint is set, the IdP supports some form of logout,\n // so we use the IdP logout. 
Otherwise, just redirect the user to home\n if (as.end_session_endpoint) {\n logoutUrl = new URL(as.end_session_endpoint);\n // TODO: get id_token and set hint\n // const { id_token } = session;\n // if (id_token) {\n // logoutUrl.searchParams.set(\"id_token_hint\", id_token);\n // }\n logoutUrl.searchParams.set(\n \"post_logout_redirect_uri\",\n redirectUrl.toString(),\n );\n } else {\n logoutUrl = redirectUrl;\n }\n }\n\n handleCallback = async (): Promise<string> => {\n const url = new URL(window.location.href);\n const state = url.searchParams.get(\"state\");\n\n // one eternity later, the user lands back on the redirect_uri\n // Authorization Code Grant Request & Response\n const codeVerifier = localStorage.getItem(CODE_VERIFIER_KEY);\n // localStorage.removeItem(CODE_VERIFIER_KEY);\n\n if (!codeVerifier) {\n throw new AuthorizationError(\n \"Code verifier not found. Invalid auth state.\",\n );\n }\n\n const authServer = await this.getAuthServer();\n\n const params = oauth.validateAuthResponse(\n authServer,\n this.client,\n url.searchParams,\n state ?? undefined,\n );\n if (oauth.isOAuth2Error(params)) {\n logger.error(\"Error validating OAuth response\", params);\n throw new OAuthAuthorizationError(\n \"Error validating OAuth response\",\n params,\n );\n }\n\n const redirectUrl = new URL(url);\n redirectUrl.pathname = this.redirectToAfterSignIn ?? 
this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n const response = await oauth.authorizationCodeGrantRequest(\n authServer,\n this.client,\n params,\n redirectUrl.toString(),\n codeVerifier,\n );\n\n // TODO: do we need to do these\n // const challenges = oauth.parseWwwAuthenticateChallenges(response);\n // if (challenges) {\n // for (const challenge of challenges) {\n // console.error(\"WWW-Authenticate Challenge\", challenge);\n // }\n // throw new Error(); // Handle WWW-Authenticate Challenges as needed\n // }\n const oauthResult = await oauth.processAuthorizationCodeOAuth2Response(\n authServer,\n this.client,\n response,\n );\n\n this.setTokensFromResponse(oauthResult);\n\n const accessToken = await this.getAccessToken();\n\n const userInfoResponse = await oauth.userInfoRequest(\n authServer,\n this.client,\n accessToken,\n );\n const userInfo = await userInfoResponse.json();\n\n const profile: UserProfile = {\n sub: userInfo.sub,\n email: userInfo.email,\n name: userInfo.name,\n emailVerified: userInfo.email_verified ?? 
false,\n pictureUrl: userInfo.picture,\n };\n\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n\n if (localStorage.getItem(\"sign-up\")) {\n return this.redirectToAfterSignUp;\n } else {\n return this.redirectToAfterSignIn;\n }\n\n // // Remove the query strings so react query doesn't keep retrying\n // // to make the token request\n // history.replaceState({}, \"\", window.location.pathname);\n\n // Returning true because we are using react query\n // return true;\n };\n\n getAuthenticationPlugin() {\n return new OpenIdAuthPlugin(this.callbackUrlPath, () =>\n this.handleCallback(),\n );\n }\n}\n\nconst openIDAuth: AuthenticationProviderInitializer<\n OpenIDAuthenticationConfig\n> = (options) => new OpenIDAuthenticationProvider(options);\n\nexport default openIDAuth;\n"],"names":["root","definition","module","this","noop","undefinedType","isIE","logMethods","_loggersByName","defaultLogger","bindMethod","obj","methodName","method","traceForIE","realMethod","replaceLoggingMethods","level","i","enableLoggingWhenConsoleArrives","defaultMethodFactory","_level","_loggerName","Logger","name","factory","self","inheritedLevel","defaultLevel","userLevel","storageKey","persistLevelIfPossible","levelNum","levelName","getPersistedLevel","storedLevel","cookie","cookieName","location","clearPersistedLevel","normalizeLevel","input","persist","childName","initialLevel","logger","_log","USER_AGENT","_b","_a","looseInstanceOf","expected","clockSkew","clockTolerance","customFetch","encoder","decoder","buf","CHUNK_SIZE","encodeBase64Url","arr","decodeBase64Url","binary","bytes","cause","OPE","b64u","LRU","maxSize","key","v","value","UnsupportedOperationError","message","OperationProcessingError","options","dpopNonces","isCryptoKey","isPrivateKey","isPublicKey","processDpopNonce","response","nonce","isJsonObject","prepareHeaders","headers","signal","discoveryRequest","issuerIdentifier","url","validateString","processDiscoveryResponse","expectedIssu
erIdentifier","assertReadableResponse","json","randomBytes","generateRandomCodeVerifier","generateRandomState","calculatePKCECodeChallenge","codeVerifier","getKeyAndKid","formUrlEncode","token","clientSecretBasic","clientId","clientSecret","username","password","psAlg","rsAlg","esAlg","keyToJws","getClockSkew","client","skew","getClockTolerance","tolerance","epochTime","clientAssertion","as","now","privateKeyJwt","kid","jwt","assertAs","assertClient","assertClientSecret","assertNoClientPrivateKey","clientAuthMethod","clientPrivateKey","assertNoClientSecret","clientAuthentication","body","header","claimsSet","signature","keyToSubtle","dpopProofJwt","htm","accessToken","privateKey","publicKey","proof","publicJwk","jwkCache","getSetPublicJwkCache","kty","e","n","x","y","crv","jwk","validateEndpoint","endpoint","resolveEndpoint","isOAuth2Error","protectedResourceRequest","userInfoRequest","authenticatedRequest","tokenEndpointRequest","grantType","parameters","refreshTokenGrantRequest","refreshToken","idTokenClaims","processGenericAccessTokenResponse","ignoreIdToken","ignoreRefreshToken","err","handleOAuthBodyError","claims","validateJwt","checkSigningAlgorithm","noSignatureCheck","validatePresence","validateIssuer","validateAudience","processRefreshTokenResponse","result","branded","brand","searchParams","authorizationCodeGrantRequest","callbackParameters","redirectUri","code","getURLSearchParameter","jwtClaimNames","required","claim","processAuthorizationCodeOAuth2Response","checkRsaKeyAlgorithm","algorithm","ecdsaHashName","namedCurve","jws","checkAlg","getKey","protectedHeader","payload","encodedSignature","length","issuer","skipStateCheck","expectNoState","validateAuthResponse","expectedState","iss","state","error","id_token","AuthorizationError","OAuthAuthorizationError","Callback","handleCallback","didInitialize","useRef","setError","useState","navigate","useNavigate","useEffect","redirect","jsx","CODE_VERIFIER_KEY","OpenIdAuthPlugin","AuthenticationPlugin","callb
ackUrlPath","OpenIDAuthenticationProvider","authorizationEndpoint","tokenEndpoint","redirectToAfterSignUp","redirectToAfterSignIn","redirectToAfterSignOut","__publicField","authServer","params","oauth.validateAuthResponse","oauth.isOAuth2Error","redirectUrl","oauth.authorizationCodeGrantRequest","oauthResult","oauth.processAuthorizationCodeOAuth2Response","userInfo","oauth.userInfoRequest","profile","useAuthState","issuerUrl","oauth.discoveryRequest","oauth.processDiscoveryResponse","signUp","code_challenge_method","authorizationServer","oauth.generateRandomCodeVerifier","codeChallenge","oauth.calculatePKCECodeChallenge","authorizationUrl","oauth.generateRandomState","request","oauth.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","logoutUrl","openIDAuth"],"mappings":";;;;;;;;;;AAMA,GAAC,SAAUA,GAAMC,GAAY;AAIlB,IAAkCC,EAAO,UAC5CA,EAAA,UAAiBD,MAEjBD,EAAK,MAAMC;EAElB,GAACE,IAAM,WAAY;AAIhB,QAAIC,IAAO,WAAW;AAAA,OAClBC,IAAgB,aAChBC,IAAQ,OAAO,WAAWD,KAAmB,OAAO,OAAO,cAAcA,KACzE,kBAAkB,KAAK,OAAO,UAAU,SAAS,GAGjDE,IAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACR,GAEQC,IAAiB,CAAA,GACjBC,IAAgB;AAGpB,aAASC,EAAWC,GAAKC,GAAY;AACjC,UAAIC,IAASF,EAAIC,CAAU;AAC3B,UAAI,OAAOC,EAAO,QAAS;AACvB,eAAOA,EAAO,KAAKF,CAAG;AAEtB,UAAI;AACA,eAAO,SAAS,UAAU,KAAK,KAAKE,GAAQF,CAAG;AAAA,MAClD,QAAW;AAER,eAAO,WAAW;AACd,iBAAO,SAAS,UAAU,MAAM,MAAME,GAAQ,CAACF,GAAK,SAAS,CAAC;AAAA,QAClF;AAAA,MACa;AAAA,IAER;AAGD,aAASG,IAAa;AAClB,MAAI,QAAQ,QACJ,QAAQ,IAAI,QACZ,QAAQ,IAAI,MAAM,SAAS,SAAS,IAGpC,SAAS,UAAU,MAAM,MAAM,QAAQ,KAAK,CAAC,SAAS,SAAS,CAAC,IAGpE,QAAQ,SAAO,QAAQ,MAAK;AAAA,IACnC;AAID,aAASC,EAAWH,GAAY;AAK5B,aAJIA,MAAe,YACfA,IAAa,QAGb,OAAO,YAAYP,IACZ,KACAO,MAAe,WAAWN,IAC1BQ,IACA,QAAQF,CAAU,MAAM,SACxBF,EAAW,SAASE,CAAU,IAC9B,QAAQ,QAAQ,SAChBF,EAAW,SAAS,KAAK,IAEzBN;AAAA,IAEd;AAID,aAASY,IAAwB;AAK7B,eAHIC,IAAQ,KAAK,YAGRC,IAAI,GAAGA,IAAIX,EAAW,QAAQW,KAAK;AACxC,YAAIN,IAAaL,EAAWW,CAAC;AAC7B,aAAKN,CAAU,IAAKM,IAAID,IACpBb,IACA,KAAK,cAAcQ,GAAYK,GAAO,KAAK,IAAI;AAAA,MACtD;AAMD,UAHA,KAAK,MAAM,KAAK,OAGZ,OA
AO,YAAYZ,KAAiBY,IAAQ,KAAK,OAAO;AACxD,eAAO;AAAA,IAEd;AAID,aAASE,EAAgCP,GAAY;AACjD,aAAO,WAAY;AACf,QAAI,OAAO,YAAYP,MACnBW,EAAsB,KAAK,IAAI,GAC/B,KAAKJ,CAAU,EAAE,MAAM,MAAM,SAAS;AAAA,MAEtD;AAAA,IACK;AAID,aAASQ,EAAqBR,GAAYS,GAAQC,GAAa;AAE3D,aAAOP,EAAWH,CAAU,KACrBO,EAAgC,MAAM,MAAM,SAAS;AAAA,IAC/D;AAED,aAASI,EAAOC,GAAMC,GAAS;AAE7B,UAAIC,IAAO,MASPC,GAMAC,GAMAC,GAEAC,IAAa;AACjB,MAAI,OAAON,KAAS,WAClBM,KAAc,MAAMN,IACX,OAAOA,KAAS,aACzBM,IAAa;AAGf,eAASC,GAAuBC,GAAU;AACtC,YAAIC,KAAa1B,EAAWyB,CAAQ,KAAK,UAAU;AAEnD,YAAI,SAAO,WAAW3B,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAaA,CAAU,IAAIG;AAClC;AAAA,UACd,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBH,CAAU,IAAI,MAAMG,IAAY;AAAA,UACnE,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASC,KAAoB;AACzB,YAAIC;AAEJ,YAAI,SAAO,WAAW9B,KAAiB,CAACyB,IAExC;AAAA,cAAI;AACA,YAAAK,IAAc,OAAO,aAAaL,CAAU;AAAA,UAC1D,QAA2B;AAAA,UAAE;AAGnB,cAAI,OAAOK,MAAgB9B;AACvB,gBAAI;AACA,kBAAI+B,IAAS,OAAO,SAAS,QACzBC,IAAa,mBAAmBP,CAAU,GAC1CQ,KAAWF,EAAO,QAAQC,IAAa,GAAG;AAC9C,cAAIC,OAAa,OACbH,IAAc,WAAW;AAAA,gBACrBC,EAAO,MAAME,KAAWD,EAAW,SAAS,CAAC;AAAA,cAChD,EAAC,CAAC;AAAA,YAEzB,QAA+B;AAAA,YAAE;AAIvB,iBAAIX,EAAK,OAAOS,CAAW,MAAM,WAC7BA,IAAc,SAGXA;AAAA;AAAA,MACV;AAED,eAASI,KAAsB;AAC3B,YAAI,SAAO,WAAWlC,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAa,WAAWA,CAAU;AAAA,UACvD,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBA,CAAU,IAAI;AAAA,UACjD,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASU,EAAeC,GAAO;AAC3B,YAAIxB,IAAQwB;AAIZ,YAHI,OAAOxB,KAAU,YAAYS,EAAK,OAAOT,EAAM,aAAa,MAAM,WAClEA,IAAQS,EAAK,OAAOT,EAAM,YAAa,CAAA,IAEvC,OAAOA,KAAU,YAAYA,KAAS,KAAKA,KAASS,EAAK,OAAO;AAChE,iBAAOT;AAEP,cAAM,IAAI,UAAU,+CAA+CwB,CAAK;AAAA,MAE/E;AAQD,MAAAf,EAAK,OAAOF,GAEZE,EAAK,SAAS;AAAA,QAAE,OAAS;AAAA,QAAG,OAAS;AAAA,QAAG,MAAQ;AAAA,QAAG,MAAQ;AAAA,QACvD,OAAS;AAAA,QAAG,QAAU;AAAA,MAAC,GAE3BA,EAAK,gBAAgBD,KAAWL,GAEhCM,EAAK,WAAW,WAAY;AACxB,eAAIG,KAEOD,KAGFD;AAAA,MAEnB,GAEMD,EAAK,WAAW,SAAUT,GAAOyB,GAAS;AACtC,eAAAb,IAAYW,EAAevB,CAAK,GAC5ByB,MAAY,MACZX,GAAuBF,CAAS,GAI7Bb,EAAsB,KAAKU,CAAI;AAAA,MAChD,GAEMA,EAAK,kBAAkB,SAA
UT,GAAO;AACpC,QAAAW,IAAeY,EAAevB,CAAK,GAC9BiB,GAAiB,KAClBR,EAAK,SAAST,GAAO,EAAK;AAAA,MAExC,GAEMS,EAAK,aAAa,WAAY;AAC1B,QAAAG,IAAY,MACZU,MACAvB,EAAsB,KAAKU,CAAI;AAAA,MACzC,GAEMA,EAAK,YAAY,SAASgB,GAAS;AAC/B,QAAAhB,EAAK,SAASA,EAAK,OAAO,OAAOgB,CAAO;AAAA,MAClD,GAEMhB,EAAK,aAAa,SAASgB,GAAS;AAChC,QAAAhB,EAAK,SAASA,EAAK,OAAO,QAAQgB,CAAO;AAAA,MACnD,GAEMhB,EAAK,UAAU,WAAY;AAMvB,YALIjB,MAAkBiB,MAClBC,IAAiBa,EAAe/B,EAAc,SAAU,CAAA,IAE5DO,EAAsB,KAAKU,CAAI,GAE3BjB,MAAkBiB;AAClB,mBAASiB,KAAanC;AACpB,YAAAA,EAAemC,CAAS,EAAE;MAG1C,GAGMhB,IAAiBa;AAAA,QACb/B,IAAgBA,EAAc,SAAQ,IAAK;AAAA,MACrD;AACM,UAAImC,KAAeV;AACnB,MAAIU,MAAgB,SAChBf,IAAYW,EAAeI,EAAY,IAE3C5B,EAAsB,KAAKU,CAAI;AAAA,IAChC;AAQD,IAAAjB,IAAgB,IAAIc,KAEpBd,EAAc,YAAY,SAAmBe,GAAM;AAC/C,UAAK,OAAOA,KAAS,YAAY,OAAOA,KAAS,YAAaA,MAAS;AACnE,cAAM,IAAI,UAAU,gDAAgD;AAGxE,UAAIqB,IAASrC,EAAegB,CAAI;AAChC,aAAKqB,MACDA,IAASrC,EAAegB,CAAI,IAAI,IAAID;AAAA,QAChCC;AAAA,QACAf,EAAc;AAAA,MAC9B,IAEeoC;AAAA,IACf;AAGI,QAAIC,IAAQ,OAAO,WAAWzC,IAAiB,OAAO,MAAM;AAC5D,WAAAI,EAAc,aAAa,WAAW;AAClC,aAAI,OAAO,WAAWJ,KACf,OAAO,QAAQI,MAClB,OAAO,MAAMqC,IAGVrC;AAAA,IACf,GAEIA,EAAc,aAAa,WAAsB;AAC7C,aAAOD;AAAA,IACf,GAGIC,EAAc,UAAaA,GAEpBA;AAAA,EACX,CAAC;;;;ACpWD,IAAIsC;;CACA,OAAO,YAAc,OAAe,GAACC,MAAAC,IAAA,UAAU,cAAV,gBAAAA,EAAqB,eAArB,QAAAD,GAAA,KAAAC,GAAkC,sBAGvEF,IAAa;AAEjB,SAASG,EAAgBT,GAAOU,GAAU;AACtC,MAAIV,KAAS;AACT,WAAO;AAEX,MAAI;AACA,WAAQA,aAAiBU,KACrB,OAAO,eAAeV,CAAK,EAAE,OAAO,WAAW,MAAMU,EAAS,UAAU,OAAO,WAAW;AAAA,EACjG,QACK;AACF,WAAO;AAAA,EACV;AACL;AACO,MAAMC,IAAY,OAAM,GAClBC,KAAiB,OAAM,GACvBC,IAAc,OAAM,GAG3BC,KAAU,IAAI,eACdC,KAAU,IAAI;AACpB,SAASC,EAAIhB,GAAO;AAChB,SAAI,OAAOA,KAAU,WACVc,GAAQ,OAAOd,CAAK,IAExBe,GAAQ,OAAOf,CAAK;AAC/B;AACA,MAAMiB,KAAa;AACnB,SAASC,GAAgBlB,GAAO;AAC5B,EAAIA,aAAiB,gBACjBA,IAAQ,IAAI,WAAWA,CAAK;AAEhC,QAAMmB,IAAM,CAAA;AACZ,WAAS1C,IAAI,GAAGA,IAAIuB,EAAM,YAAYvB,KAAKwC;AACvC,IAAAE,EAAI,KAAK,OAAO,aAAa,MAAM,MAAMnB,EAAM,SAASvB,GAAGA,IAAIwC,EAAU,CAAC,CAAC;AAE/E,SAAO,KAAKE,EAAI,KAAK,EAAE,CAAC,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG
;AACtF;AACA,SAASC,GAAgBpB,GAAO;AAC5B,MAAI;AACA,UAAMqB,IAAS,KAAKrB,EAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,EAAE,CAAC,GAC5EsB,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,aAAS5C,IAAI,GAAGA,IAAI4C,EAAO,QAAQ5C;AAC/B,MAAA6C,EAAM7C,CAAC,IAAI4C,EAAO,WAAW5C,CAAC;AAElC,WAAO6C;AAAA,EACV,SACMC,GAAO;AACV,UAAM,IAAIC,EAAI,qDAAqD,EAAE,OAAAD,EAAO,CAAA;AAAA,EAC/E;AACL;AACA,SAASE,EAAKzB,GAAO;AACjB,SAAI,OAAOA,KAAU,WACVoB,GAAgBpB,CAAK,IAEzBkB,GAAgBlB,CAAK;AAChC;AACA,MAAM0B,GAAI;AAAA,EACN,YAAYC,GAAS;AACjB,SAAK,QAAQ,oBAAI,OACjB,KAAK,SAAS,oBAAI,OAClB,KAAK,UAAUA;AAAA,EAClB;AAAA,EACD,IAAIC,GAAK;AACL,QAAIC,IAAI,KAAK,MAAM,IAAID,CAAG;AAC1B,QAAIC;AACA,aAAOA;AAEX,QAAKA,IAAI,KAAK,OAAO,IAAID,CAAG;AACxB,kBAAK,OAAOA,GAAKC,CAAC,GACXA;AAAA,EAGd;AAAA,EACD,IAAID,GAAK;AACL,WAAO,KAAK,MAAM,IAAIA,CAAG,KAAK,KAAK,OAAO,IAAIA,CAAG;AAAA,EACpD;AAAA,EACD,IAAIA,GAAKE,GAAO;AACZ,WAAI,KAAK,MAAM,IAAIF,CAAG,IAClB,KAAK,MAAM,IAAIA,GAAKE,CAAK,IAGzB,KAAK,OAAOF,GAAKE,CAAK,GAEnB;AAAA,EACV;AAAA,EACD,OAAOF,GAAK;AACR,WAAI,KAAK,MAAM,IAAIA,CAAG,IACX,KAAK,MAAM,OAAOA,CAAG,IAE5B,KAAK,OAAO,IAAIA,CAAG,IACZ,KAAK,OAAO,OAAOA,CAAG,IAE1B;AAAA,EACV;AAAA,EACD,OAAOA,GAAKE,GAAO;AACf,SAAK,MAAM,IAAIF,GAAKE,CAAK,GACrB,KAAK,MAAM,QAAQ,KAAK,YACxB,KAAK,SAAS,KAAK,OACnB,KAAK,QAAQ,oBAAI;EAExB;AACL;AACO,MAAMC,UAAkC,MAAM;AAAA,EACjD,YAAYC,GAAS;;AACjB,UAAMA,KAAW,yBAAyB,GAC1C,KAAK,OAAO,KAAK,YAAY,OAC7BxB,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACO,MAAMyB,WAAiC,MAAM;AAAA,EAChD,YAAYD,GAASE,GAAS;;AAC1B,UAAMF,GAASE,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,OAC7B1B,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACA,MAAMgB,IAAMS,IACNE,KAAa,IAAIT,GAAI,GAAG;AAC9B,SAASU,GAAYR,GAAK;AACtB,SAAOA,aAAe;AAC1B;AACA,SAASS,GAAaT,GAAK;AACvB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AACA,SAASU,GAAYV,GAAK;AACtB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AAaA,SAASW,EAAiBC,GAAU;AAChC,MAAI;AACA,UAAMC,IAAQD,EAAS,QAAQ,IAAI,YAAY;AAC/C,IAAIC,KACAN,GAAW,IAAI,IAAI,IAAIK,EAAS,GAAG,EAAE,QAAQC,CAAK;AAAA,EAEzD,QACK;AAAA,EAAG;AACT,SAAOD;AACX;AAIA,SAASE,EAAa1C,GAAO;AACzB,SAAI,EA
AAA,MAAU,QAAQ,OAAOA,KAAU,YAAY,MAAM,QAAQA,CAAK;AAI1E;AACA,SAAS2C,EAAe3C,GAAO;AAC3B,EAAIS,EAAgBT,GAAO,OAAO,MAC9BA,IAAQ,OAAO,YAAYA,EAAM,QAAS,CAAA;AAE9C,QAAM4C,IAAU,IAAI,QAAQ5C,CAAK;AAIjC,MAHIM,KAAc,CAACsC,EAAQ,IAAI,YAAY,KACvCA,EAAQ,IAAI,cAActC,CAAU,GAEpCsC,EAAQ,IAAI,eAAe;AAC3B,UAAM,IAAI,UAAU,oEAAoE;AAE5F,MAAIA,EAAQ,IAAI,MAAM;AAClB,UAAM,IAAI,UAAU,2DAA2D;AAEnF,SAAOA;AACX;AACA,SAASC,EAAOf,GAAO;AAInB,MAHI,OAAOA,KAAU,eACjBA,IAAQA,EAAK,IAEb,EAAEA,aAAiB;AACnB,UAAM,IAAI,UAAU,+DAA+D;AAEvF,SAAOA;AACX;AACO,eAAegB,GAAiBC,GAAkBb,GAAS;AAC9D,MAAI,EAAEa,aAA4B;AAC9B,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAIA,EAAiB,aAAa,YAAYA,EAAiB,aAAa;AACxE,UAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAMC,IAAM,IAAI,IAAID,EAAiB,IAAI;AACzC,UAAQb,KAAA,gBAAAA,EAAS,WAAS;AAAA,IACtB,KAAK;AAAA,IACL,KAAK;AACD,MAAAc,EAAI,WAAW,GAAGA,EAAI,QAAQ,oCAAoC,QAAQ,MAAM,GAAG;AACnF;AAAA,IACJ,KAAK;AACD,MAAIA,EAAI,aAAa,MACjBA,EAAI,WAAW,2CAGfA,EAAI,WAAW,0CAA0CA,EAAI,QAAQ,GAAG,QAAQ,MAAM,GAAG;AAE7F;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,2DAA2D;AAAA,EACtF;AACD,QAAMJ,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,KAChCV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,SAAS,OAAO,YAAYJ,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,QAAQV,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACA,SAASU,EAAejD,GAAO;AAC3B,SAAO,OAAOA,KAAU,YAAYA,EAAM,WAAW;AACzD;AACO,eAAekD,GAAyBC,GAA0BX,GAAU;AAC/E,MAAI,EAAEW,aAAoC;AACtC,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI,CAAC1C,EAAgB+B,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW;AACpB,UAAM,IAAIhB,EAAI,oEAAoE;AAEtF,EAAA4B,EAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,MAAM;AAC3B,UAAM,IAAI7B,EAAI,8DAA8D;AAEhF,MAAI,IAAI,IAAI6B,EAAK,MAAM,EAAE,SAASF,EAAyB;AACvD,UAAM,IAAI3B,EAAI,0DAA0D;AAE5E,SAAO6B;AACX;AACA,SAASC,IAAc;AACnB,SAAO7B,EAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC1D;AACO,SAAS8B,K
AA6B;AACzC,SAAOD,EAAW;AACtB;AACO,SAASE,KAAsB;AAClC,SAAOF,EAAW;AACtB;AAIO,eAAeG,GAA2BC,GAAc;AAC3D,MAAI,CAACT,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,SAAOjC,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAI0C,CAAY,CAAC,CAAC;AACxE;AACA,SAASC,GAAa3D,GAAO;AACzB,MAAIA,aAAiB;AACjB,WAAO,EAAE,KAAKA;AAElB,MAAI,GAAEA,KAAA,gBAAAA,EAAO,gBAAe;AACxB,WAAO;AAEX,MAAIA,EAAM,QAAQ,UAAa,CAACiD,EAAejD,EAAM,GAAG;AACpD,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAO,EAAE,KAAKA,EAAM,KAAK,KAAKA,EAAM;AACxC;AACA,SAAS4D,GAAcC,GAAO;AAC1B,SAAO,mBAAmBA,CAAK,EAAE,QAAQ,QAAQ,GAAG;AACxD;AACA,SAASC,GAAkBC,GAAUC,GAAc;AAC/C,QAAMC,IAAWL,GAAcG,CAAQ,GACjCG,IAAWN,GAAcI,CAAY;AAE3C,SAAO,SADa,KAAK,GAAGC,CAAQ,IAAIC,CAAQ,EAAE,CACvB;AAC/B;AACA,SAASC,GAAMvC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASqC,GAAMxC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASsC,GAAMzC,GAAK;AAChB,UAAQA,EAAI,UAAU,YAAU;AAAA,IAC5B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,uCAAuC;AAAA,EAClF;AACL;AACA,SAASuC,GAAS1C,GAAK;AACnB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAOuC,GAAMvC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOwC,GAAMxC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOyC,GAAMzC,CAAG;AAAA,IACpB,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,sCAAsC;AAAA,EACjF;AACL;AACA,SAASwC,EAAaC,GAAQ;AAC1B,QAAMC,IAAOD,KAAA,gBAAAA,EAAS7D;AACtB,SAAO,OAAO8D,KAAS,YAAY,OAAO,SAASA,CAAI,IAAIA,IAAO;AACtE;AACA,SAASC,GAAkBF,GAAQ;AAC/B,QAAMG,IAAYH,KAAA,gBAAAA,EAAS5D;AAC3B,SAAO,OAAO+D,KAAc,YAAY,OAAO,SAASA,CAAS,KAAK,KAAK,KAAKA,CAAS,MAAM,KACzFA,IACA;AACV;AACA,SAASC,IAAY;AACjB,SAAO,KAAK,MAAM,KAAK,IAAK,IAAG,GAAI;AACvC;AACA,SAASC,GAAgBC,GAAIN,GAAQ;AACjC,QAAMO,IAAMH,EAAS,IAAKL,EAAaC,CAAM;AAC7C,SAAO;AAAA,IACH,KAAKlB,EAAa;AAAA,IAClB,KAAK,CAACwB,EAAG,QAAQA,EAAG,cAAc;AAAA,IAClC,KAAKC,IAAM;AAAA
,IACX,KAAKA;AAAA,IACL,KAAKA;AAAA,IACL,KAAKP,EAAO;AAAA,IACZ,KAAKA,EAAO;AAAA,EACpB;AACA;AACA,eAAeQ,GAAcF,GAAIN,GAAQ5C,GAAKqD,GAAK;AAC/C,SAAOC,GAAI;AAAA,IACP,KAAKZ,GAAS1C,CAAG;AAAA,IACjB,KAAAqD;AAAA,EACH,GAAEJ,GAAgBC,GAAIN,CAAM,GAAG5C,CAAG;AACvC;AACA,SAASuD,EAASL,GAAI;AAClB,MAAI,OAAOA,KAAO,YAAYA,MAAO;AACjC,UAAM,IAAI,UAAU,wBAAwB;AAEhD,MAAI,CAAC7B,EAAe6B,EAAG,MAAM;AACzB,UAAM,IAAI,UAAU,iDAAiD;AAEzE,SAAO;AACX;AACA,SAASM,EAAaZ,GAAQ;AAC1B,MAAI,OAAOA,KAAW,YAAYA,MAAW;AACzC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,MAAI,CAACvB,EAAeuB,EAAO,SAAS;AAChC,UAAM,IAAI,UAAU,wDAAwD;AAEhF,SAAO;AACX;AACA,SAASa,GAAmBrB,GAAc;AACtC,MAAI,CAACf,EAAee,CAAY;AAC5B,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAOA;AACX;AACA,SAASsB,EAAyBC,GAAkBC,GAAkB;AAClE,MAAIA,MAAqB;AACrB,UAAM,IAAI,UAAU,iEAAiED,CAAgB,wCAAwC;AAErJ;AACA,SAASE,GAAqBF,GAAkBvB,GAAc;AAC1D,MAAIA,MAAiB;AACjB,UAAM,IAAI,UAAU,6DAA6DuB,CAAgB,wCAAwC;AAEjJ;AACA,eAAeG,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAAS4C,GAAkB;AAI7E,UAHAG,EAAK,OAAO,eAAe,GAC3BA,EAAK,OAAO,uBAAuB,GACnCA,EAAK,OAAO,kBAAkB,GACtBnB,EAAO,4BAA0B;AAAA,IACrC,KAAK;AAAA,IACL,KAAK,uBAAuB;AACxB,MAAAc,EAAyB,uBAAuBE,CAAgB,GAChE5C,EAAQ,IAAI,iBAAiBkB,GAAkBU,EAAO,WAAWa,GAAmBb,EAAO,aAAa,CAAC,CAAC;AAC1G;AAAA,IACH;AAAA,IACD,KAAK,sBAAsB;AACvB,MAAAc,EAAyB,sBAAsBE,CAAgB,GAC/DG,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,iBAAiBN,GAAmBb,EAAO,aAAa,CAAC;AAClE;AAAA,IACH;AAAA,IACD,KAAK,mBAAmB;AAEpB,UADAiB,GAAqB,mBAAmBjB,EAAO,aAAa,GACxDgB,MAAqB;AACrB,cAAM,IAAI,UAAU,2GAA2G;AAEnI,YAAM,EAAE,KAAA5D,GAAK,KAAAqD,EAAK,IAAGtB,GAAa6B,CAAgB;AAClD,UAAI,CAACnD,GAAaT,CAAG;AACjB,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAA+D,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,yBAAyB,wDAAwD,GAC1FA,EAAK,IAAI,oBAAoB,MAAMX,GAAcF,GAAIN,GAAQ5C,GAAKqD,CAAG,CAAC;AACtE;AAAA,IACH;AAAA,IACD,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,QAAQ;AACT,MAAAQ,GAAqBjB,EAAO,4BAA4BA,EAAO,aAAa,GAC5Ec,EAAyBd,EAAO,4BAA4BgB,CAAgB,GAC5EG,EAAK,IAAI,aAAanB,EAAO,SAAS;AACtC;AAAA,IACH;AAAA,IACD;AACI,YAAM,IAAIzC,EAA0B,+CAA+C;AAAA,EAC1F;AACL;AACA,eAAemD,GAAIU,GAAQC,GAAWjE,GAAK;AACvC,MAAI,CAACA,EAAI,OAAO,SAAS,MAAM;AAC3B
,UAAM,IAAI,UAAU,uFAAuF;AAE/G,QAAM5B,IAAQ,GAAGyB,EAAKT,EAAI,KAAK,UAAU4E,CAAM,CAAC,CAAC,CAAC,IAAInE,EAAKT,EAAI,KAAK,UAAU6E,CAAS,CAAC,CAAC,CAAC,IACpFC,IAAYrE,EAAK,MAAM,OAAO,OAAO,KAAKsE,GAAYnE,CAAG,GAAGA,GAAKZ,EAAIhB,CAAK,CAAC,CAAC;AAClF,SAAO,GAAGA,CAAK,IAAI8F,CAAS;AAChC;AAqEA,eAAeE,GAAapD,GAASV,GAASc,GAAKiD,GAAKtF,GAAWuF,GAAa;AAC5E,QAAM,EAAE,YAAAC,GAAY,WAAAC,GAAW,OAAA3D,IAAQN,GAAW,IAAIa,EAAI,MAAM,EAAG,IAAGd;AACtE,MAAI,CAACG,GAAa8D,CAAU;AACxB,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAI,CAAC7D,GAAY8D,CAAS;AACtB,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI3D,MAAU,UAAa,CAACQ,EAAeR,CAAK;AAC5C,UAAM,IAAI,UAAU,sDAAsD;AAE9E,MAAI,CAAC2D,EAAU;AACX,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMrB,IAAMH,EAAW,IAAGjE,GACpB0F,IAAQ,MAAMnB,GAAI;AAAA,IACpB,KAAKZ,GAAS6B,CAAU;AAAA,IACxB,KAAK;AAAA,IACL,KAAK,MAAMG,GAAUF,CAAS;AAAA,EACtC,GAAO;AAAA,IACC,KAAKrB;AAAA,IACL,KAAKzB,EAAa;AAAA,IAClB,KAAA2C;AAAA,IACA,OAAAxD;AAAA,IACA,KAAK,GAAGO,EAAI,MAAM,GAAGA,EAAI,QAAQ;AAAA,IACjC,KAAKkD,IAAczE,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAIkF,CAAW,CAAC,CAAC,IAAI;AAAA,EACtF,GAAEC,CAAU;AACb,EAAAvD,EAAQ,IAAI,QAAQyD,CAAK;AAC7B;AACA,IAAIE;AACJ,eAAeC,GAAqB5E,GAAK;AACrC,QAAM,EAAE,KAAA6E,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC,MAAQ,MAAM,OAAO,OAAO,UAAU,OAAOlF,CAAG,GACnEmF,IAAM,EAAE,KAAAN,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC;AAC/B,SAAAP,EAAS,IAAI3E,GAAKmF,CAAG,GACdA;AACX;AACA,eAAeT,GAAU1E,GAAK;AAC1B,SAAA2E,MAAaA,IAAW,oBAAI,QAAO,IAC5BA,EAAS,IAAI3E,CAAG,KAAK4E,GAAqB5E,CAAG;AACxD;AACA,SAASoF,GAAiBlF,GAAOmF,GAAU/E,GAAS;AAChD,MAAI,OAAOJ,KAAU;AAIjB,UAAM,IAAI,UAAU,OAAOmF,CAAQ,oBAAoB;AAE3D,SAAO,IAAI,IAAInF,CAAK;AACxB;AACA,SAASoF,GAAgBpC,GAAImC,GAAU/E,GAAS;AAI5C,SAAO8E,GAAiBlC,EAAGmC,CAAQ,GAAGA,CAAQ;AAClD;AAcO,SAASE,EAAcnH,GAAO;AACjC,QAAM8B,IAAQ9B;AACd,SAAI,OAAO8B,KAAU,YAAY,MAAM,QAAQA,CAAK,KAAKA,MAAU,OACxD,KAEJA,EAAM,UAAU;AAC3B;AA2FO,eAAesF,GAAyBlB,GAAa9H,GAAQ4E,GAAKJ,GAAS+C,GAAMzD,GAAS;AAC7F,MAAI,CAACe,EAAeiD,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,EAAElD,aAAe;AACjB,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAAJ,IAAUD,EAAeC,CAAO,IAC5BV,KAAA,gB
AAAA,EAAS,UAAS,SAClBU,EAAQ,IAAI,iBAAiB,UAAUsD,CAAW,EAAE,KAGpD,MAAMF,GAAapD,GAASV,EAAQ,MAAMc,GAAK,OAAOuB,EAAa,EAAE,CAAC5D,CAAS,GAAGuB,KAAA,gBAAAA,EAAUvB,GAAU,CAAE,GAAGuF,CAAW,GACtHtD,EAAQ,IAAI,iBAAiB,QAAQsD,CAAW,EAAE,MAE9ChE,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACO,eAAe8E,GAAgBvC,GAAIN,GAAQ0B,GAAahE,GAAS;AACpE,EAAAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM;AACnB,QAAMxB,IAAMkE,GAAgBpC,GAAI,mBAA4B,GACtDlC,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAIsC,EAAO,+BACP5B,EAAQ,IAAI,UAAU,iBAAiB,KAGvCA,EAAQ,IAAI,UAAU,kBAAkB,GACxCA,EAAQ,OAAO,UAAU,iBAAiB,IAEvCwE,GAAyBlB,GAAa,OAAOlD,GAAKJ,GAAS,MAAM;AAAA,IACpE,GAAGV;AAAA,IACH,CAACvB,CAAS,GAAG4D,EAAaC,CAAM;AAAA,EACxC,CAAK;AACL;AAqKA,eAAe8C,GAAqBxC,GAAIN,GAAQpG,GAAQ4E,GAAK2C,GAAM/C,GAASV,GAAS;AACjF,eAAMwD,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAASV,KAAA,gBAAAA,EAAS,gBAAgB,GAC/EU,EAAQ,IAAI,gBAAgB,iDAAiD,KACrEV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACA,eAAegF,GAAqBzC,GAAIN,GAAQgD,GAAWC,GAAYvF,GAAS;AAC5E,QAAMc,IAAMkE,GAAgBpC,GAAI,gBAAyB;AACzD,EAAA2C,EAAW,IAAI,cAAcD,CAAS;AACtC,QAAM5E,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,GAIjC0E,GAAqBxC,GAAIN,GAAQ,QAAQxB,GAAKyE,GAAY7E,GAASV,CAAO;AACrF;AACO,eAAewF,GAAyB5C,GAAIN,GAAQmD,GAAczF,GAAS;AAG9E,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACvB,EAAe0E,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMF,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,iBAAiBE,CAAY,GACrCJ,GAAqBzC,GAAIN,GAAQ,iBAAiBiD,GAAYvF,CAAO;AAChF;AACA,MAAM0F,KAAgB,oBAAI;AAW1B,eAAeC,GAAkC/C,GAAIN,GAAQhC,GAAUsF,IAAgB,IAAOC,IAAqB,IAAO;AAGtH,MAFA5C,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAAC/D,EAAgB+B,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;
AAEpE,MAAIA,EAAS,WAAW,KAAK;AACzB,QAAIwF;AACJ,QAAKA,IAAM,MAAMC,GAAqBzF,CAAQ;AAC1C,aAAOwF;AAEX,UAAM,IAAIxG,EAAI,qDAAqD;AAAA,EACtE;AACD,EAAA4B,EAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,YAAY;AACjC,UAAM,IAAI7B,EAAI,oEAAoE;AAEtF,MAAI,CAACyB,EAAeI,EAAK,UAAU;AAC/B,UAAM,IAAI7B,EAAI,kEAAkE;AAGpF,MADA6B,EAAK,aAAaA,EAAK,WAAW,YAAW,GACzCA,EAAK,eAAe,UAAUA,EAAK,eAAe;AAClD,UAAM,IAAItB,EAA0B,gCAAgC;AAExE,MAAIsB,EAAK,eAAe,WACnB,OAAOA,EAAK,cAAe,YAAYA,EAAK,cAAc;AAC3D,UAAM,IAAI7B,EAAI,iEAAiE;AAEnF,MAAI,CAACuG,KACD1E,EAAK,kBAAkB,UACvB,CAACJ,EAAeI,EAAK,aAAa;AAClC,UAAM,IAAI7B,EAAI,qEAAqE;AAEvF,MAAI6B,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU;AAClD,UAAM,IAAI7B,EAAI,mDAAmD;AAErE,MAAI,CAACsG,GAAe;AAChB,QAAIzE,EAAK,aAAa,UAAa,CAACJ,EAAeI,EAAK,QAAQ;AAC5D,YAAM,IAAI7B,EAAI,gEAAgE;AAElF,QAAI6B,EAAK,UAAU;AACf,YAAM,EAAE,QAAA6E,EAAQ,IAAG,MAAMC,GAAY9E,EAAK,UAAU+E,GAAsB,KAAK,QAAW5D,EAAO,8BAA8BM,EAAG,qCAAqC,GAAGuD,IAAkB9D,EAAaC,CAAM,GAAGE,GAAkBF,CAAM,CAAC,EACtO,KAAK8D,GAAiB,KAAK,QAAW,CAAC,OAAO,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,EAC1E,KAAKC,GAAe,KAAK,QAAWzD,EAAG,MAAM,CAAC,EAC9C,KAAK0D,GAAiB,KAAK,QAAWhE,EAAO,SAAS,CAAC;AAC5D,UAAI,MAAM,QAAQ0D,EAAO,GAAG,KAAKA,EAAO,IAAI,WAAW,KAAKA,EAAO,QAAQ1D,EAAO;AAC9E,cAAM,IAAIhD,EAAI,0DAA0D;AAE5E,UAAI0G,EAAO,cAAc,WACpB,CAAC,OAAO,SAASA,EAAO,SAAS,KAAK,KAAK,KAAKA,EAAO,SAAS,MAAM;AACvE,cAAM,IAAI1G,EAAI,sEAAsE;AAExF,MAAAoG,GAAc,IAAIvE,GAAM6E,CAAM;AAAA,IACjC;AAAA,EACJ;AACD,SAAO7E;AACX;AACO,eAAeoF,GAA4B3D,GAAIN,GAAQhC,GAAU;AACpE,SAAOqF,GAAkC/C,GAAIN,GAAQhC,CAAQ;AACjE;AAOA,SAASgG,GAAiB9H,GAAUgI,GAAQ;AACxC,MAAI,MAAM,QAAQA,EAAO,OAAO,GAAG;AAC/B,QAAI,CAACA,EAAO,OAAO,IAAI,SAAShI,CAAQ;AACpC,YAAM,IAAIc,EAAI,6CAA6C;AAAA,aAG1DkH,EAAO,OAAO,QAAQhI;AAC3B,UAAM,IAAIc,EAAI,6CAA6C;AAE/D,SAAOkH;AACX;AAOA,SAASH,GAAe7H,GAAUgI,GAAQ;AACtC,MAAIA,EAAO,OAAO,QAAQhI;AACtB,UAAM,IAAIc,EAAI,2CAA2C;AAE7D,SAAOkH;AACX;AACA,MAAMC,KAAU,oBAAI;AACpB,SAAS
C,GAAMC,GAAc;AACzB,SAAAF,GAAQ,IAAIE,CAAY,GACjBA;AACX;AACO,eAAeC,GAA8BhE,GAAIN,GAAQuE,GAAoBC,GAAatF,GAAcxB,GAAS;AAGpH,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACmE,GAAQ,IAAII,CAAkB;AAC/B,UAAM,IAAI,UAAU,mIAAmI;AAE3J,MAAI,CAAC9F,EAAe+F,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,CAAC/F,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMuF,IAAOC,EAAsBH,GAAoB,MAAM;AAC7D,MAAI,CAACE;AACD,UAAM,IAAIzH,EAAI,+CAA+C;AAEjE,QAAMiG,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,gBAAgBuB,CAAW,GAC1CvB,EAAW,IAAI,iBAAiB/D,CAAY,GAC5C+D,EAAW,IAAI,QAAQwB,CAAI,GACpB1B,GAAqBzC,GAAIN,GAAQ,sBAAsBiD,GAAYvF,CAAO;AACrF;AACA,MAAMiH,KAAgB;AAAA,EAClB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AACT;AACA,SAASb,GAAiBc,GAAUV,GAAQ;AACxC,aAAWW,KAASD;AAChB,QAAIV,EAAO,OAAOW,CAAK,MAAM;AACzB,YAAM,IAAI7H,EAAI,QAAQ6H,CAAK,MAAMF,GAAcE,CAAK,CAAC,iBAAiB;AAG9E,SAAOX;AACX;AA+CO,eAAeY,GAAuCxE,GAAIN,GAAQhC,GAAU;AAC/E,QAAMkG,IAAS,MAAMb,GAAkC/C,GAAIN,GAAQhC,GAAU,EAAI;AACjF,MAAI2E,EAAcuB,CAAM;AACpB,WAAOA;AAEX,MAAIA,EAAO,aAAa,QAAW;AAC/B,QAAI,OAAOA,EAAO,YAAa,YAAYA,EAAO,SAAS;AACvD,YAAM,IAAIlH,EAAI,mHAAmH;AAErI,WAAOkH,EAAO;AAAA,EACjB;AACD,SAAOA;AACX;AA6CA,SAAStF,EAAuBZ,GAAU;AACtC,MAAIA,EAAS;AACT,UAAM,IAAI,UAAU,uCAAuC;AAEnE;AAqGA,eAAeyF,GAAqBzF,GAAU;AAC1C,MAAIA,EAAS,SAAS,OAAOA,EAAS,SAAS,KAAK;AAChD,IAAAY,EAAuBZ,CAAQ;AAC/B,QAAI;AACA,YAAMa,IAAO,MAAMb,EAAS;AAC5B,UAAIE,EAAaW,CAAI,KAAK,OAAOA,EAAK,SAAU,YAAYA,EAAK,MAAM;AACnE,eAAIA,EAAK,sBAAsB,UAAa,OAAOA,EAAK,qBAAsB,YAC1E,OAAOA,EAAK,mBAEZA,EAAK,cAAc,UAAa,OAAOA,EAAK,aAAc,YAC1D,OAAOA,EAAK,WAEZA,EAAK,SAAS,UAAa,OAAOA,EAAK,QAAS,YAChD,OAAOA,EAAK,MAEZA,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU,YAClD,OAAOA,EAAK,OAETA;AAAA,IAEd,QACK;AAAA,IAAG;AAAA,EACZ;AAEL;AAOA,SAASkG,GAAqBC,GAAW;AACrC,MAAI,OAAOA,EAAU,iBAAkB,YAAYA,EAAU,gBAAgB;AACzE,UAAM,IAAIhI,EAAI,GAAGgI,EAAU,IAAI,2CAA2C;AAElF;AACA,SAASC,GAAcC,GAAY;AAC/B,UAAQA,GAAU;AAAA,IACd,KAA
K;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAI3H,EAAyB;AAAA,EAC1C;AACL;AACA,SAASgE,GAAYnE,GAAK;AACtB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAO;AAAA,QACH,MAAMA,EAAI,UAAU;AAAA,QACpB,MAAM6H,GAAc7H,EAAI,UAAU,UAAU;AAAA,MAC5D;AAAA,IACQ,KAAK;AAED,cADA2H,GAAqB3H,EAAI,SAAS,GAC1BA,EAAI,UAAU,KAAK,MAAI;AAAA,QAC3B,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,iBAAO;AAAA,YACH,MAAMA,EAAI,UAAU;AAAA,YACpB,YAAY,SAASA,EAAI,UAAU,KAAK,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK;AAAA,UACvF;AAAA,QACgB;AACI,gBAAM,IAAIG,EAAyB;AAAA,MAC1C;AAAA,IAEL,KAAK;AACD,aAAAwH,GAAqB3H,EAAI,SAAS,GAC3BA,EAAI,UAAU;AAAA,IACzB,KAAK;AAAA,IACL,KAAK;AACD,aAAOA,EAAI,UAAU;AAAA,EAC5B;AACD,QAAM,IAAIG,EAAyB;AACvC;AACA,MAAMsG,KAAmB,OAAM;AAC/B,eAAeF,GAAYwB,GAAKC,GAAUC,GAAQlJ,GAAWC,GAAgB;AACzE,QAAM,EAAE,GAAGkJ,GAAiB,GAAGC,GAAS,GAAGC,GAAkB,QAAAC,EAAM,IAAKN,EAAI,MAAM,GAAG;AACrF,MAAIM,MAAW;AACX,UAAM,IAAIlI,EAA0B,sCAAsC;AAE9E,MAAIkI,MAAW;AACX,UAAM,IAAIzI,EAAI,aAAa;AAE/B,MAAIoE;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAM5E,EAAIS,EAAKqI,CAAe,CAAC,CAAC;AAAA,EACjD,SACMvI,GAAO;AACV,UAAM,IAAIC,EAAI,6DAA6D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACvF;AACD,MAAI,CAACmB,EAAakD,CAAM;AACpB,UAAM,IAAIpE,EAAI,uCAAuC;AAGzD,MADAoI,EAAShE,CAAM,GACXA,EAAO,SAAS;AAChB,UAAM,IAAIpE,EAAI,wCAAwC;AAE1D,QAAMsE,IAAYrE,EAAKuI,CAAgB;AACvC,MAAIpI;AACJ,MAAIiI,MAAWxB,IAAkB;AAC7B,IAAAzG,IAAM,MAAMiI,EAAOjE,CAAM;AACzB,UAAM5F,IAAQ,GAAG8J,CAAe,IAAIC,CAAO;AAE3C,QAAI,CADa,MAAM,OAAO,OAAO,OAAOhE,GAAYnE,CAAG,GAAGA,GAAKkE,GAAW9E,EAAIhB,CAAK,CAAC;AAEpF,YAAM,IAAIwB,EAAI,mCAAmC;AAAA,EAExD;AACD,MAAI0G;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAMlH,EAAIS,EAAKsI,CAAO,CAAC,CAAC;AAAA,EACzC,SACMxI,GAAO;AACV,UAAM,IAAIC,EAAI,8DAA8D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACxF;AACD,MAAI,CAACmB,EAAawF,CAAM;AACpB,UAAM,IAAI1G,EAAI,wCAAwC;AAE1D,QAAMuD,IAAMH,EAAW,IAAGjE;AAC1B,MAAIuH,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAI1G,EAAI,mDAAmD;AAErE,QAAI0G,EAAO,OAAOnD,IAAMnE;AACpB,YAAM,IAAIY,EAAI,2EAA2E;AAAA,EAEhG;AACD,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAI1G,EAAI,6CAA6C;AAGnE
,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAI1G,EAAI,0CAA0C;AAGhE,MAAI0G,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAI1G,EAAI,8CAA8C;AAEhE,QAAI0G,EAAO,MAAMnD,IAAMnE;AACnB,YAAM,IAAIY,EAAI,qEAAqE;AAAA,EAE1F;AACD,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ,YAAY,CAAC,MAAM,QAAQA,EAAO,GAAG;AAC3D,UAAM,IAAI1G,EAAI,4CAA4C;AAGlE,SAAO,EAAE,QAAAoE,GAAQ,QAAAsC,GAAQ,WAAApC,GAAW,KAAAlE,EAAG;AAC3C;AAuKA,SAASwG,GAAsB5D,GAAQ0F,GAAQtE,GAAQ;AACnD,MAAIpB,MAAW,QAAW;AACtB,QAAIoB,EAAO,QAAQpB;AACf,YAAM,IAAIhD,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAI,MAAM,QAAQ0I,CAAM,GAAG;AACvB,QAAI,CAACA,EAAO,SAAStE,EAAO,GAAG;AAC3B,YAAM,IAAIpE,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAIoE,EAAO,QAAQ;AACf,UAAM,IAAIpE,EAAI,uCAAuC;AAE7D;AACA,SAAS0H,EAAsBzB,GAAY1I,GAAM;AAC7C,QAAM,EAAE,GAAG+C,GAAO,QAAAmI,EAAQ,IAAGxC,EAAW,OAAO1I,CAAI;AACnD,MAAIkL,IAAS;AACT,UAAM,IAAIzI,EAAI,IAAIzC,CAAI,wCAAwC;AAElE,SAAO+C;AACX;AACO,MAAMqI,KAAiB,OAAM,GACvBC,KAAgB,OAAM;AAC5B,SAASC,GAAqBvF,GAAIN,GAAQiD,GAAY6C,GAAe;AAMxE,MALAnF,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACfiD,aAAsB,QACtBA,IAAaA,EAAW,eAExB,EAAEA,aAAsB;AACxB,UAAM,IAAI,UAAU,6DAA6D;AAErF,MAAIyB,EAAsBzB,GAAY,UAAU;AAC5C,UAAM,IAAIjG,EAAI,wGAAwG;AAE1H,QAAM+I,IAAMrB,EAAsBzB,GAAY,KAAK,GAC7C+C,IAAQtB,EAAsBzB,GAAY,OAAO;AACvD,MAAI,CAAC8C,KAAOzF,EAAG;AACX,UAAM,IAAItD,EAAI,2CAA2C;AAE7D,MAAI+I,KAAOA,MAAQzF,EAAG;AAClB,UAAM,IAAItD,EAAI,oDAAoD;AAEtE,UAAQ8I,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKF;AACD,UAAII,MAAU;AACV,cAAM,IAAIhJ,EAAI,mDAAmD;AAErE;AAAA,IACJ,KAAK2I;AACD;AAAA,IACJ;AACI,UAAI,CAAClH,EAAeqH,CAAa;AAC7B,cAAM,IAAI9I,EAAI,4CAA4C;AAE9D,UAAIgJ,MAAU;AACV,cAAM,IAAIhJ,EAAI,oCAAoC;AAEtD,UAAIgJ,MAAUF;AACV,cAAM,IAAI9I,EAAI,6CAA6C;AAAA,EAEtE;AACD,QAAMiJ,IAAQvB,EAAsBzB,GAAY,OAAO;AACvD,MAAIgD;AACA,WAAO;AAAA,MACH,OAAAA;AAAA,MACA,mBAAmBvB,EAAsBzB,GAAY,mBAAmB;AAAA,MACxE,WAAWyB,EAAsBzB,GAAY,WAAW;AAAA,IACpE;AAEI,QAAMiD,IAAWxB,EAAsBzB,GAAY,UAAU,GACvD5D,IAAQqF,EAAsBzB,GAAY,OAAO;AACvD,MAAIiD,MAAa,UAAa7G,MAAU;AACpC,UAAM,IAAI9B,EAA0B,6CAA6C;AAErF,SAAO6G,GAAM,IAAI,gBAAgBnB,CAAU,CAAC;AAChD;ACjqDO,MAAMkD,UAA2B,MAAM;
AAAC;AAYxC,MAAMC,UAAgCD,EAAmB;AAAA,EAC9D,YACE3I,GACOyI,GACPvI,GACA;AACA,UAAMF,GAASE,CAAO,GAHf,KAAA,QAAAuI;AAAA,EAIT;AACF;AChBO,SAASI,GAAS;AAAA,EACvB,gBAAAC;AACF,GAEG;AACK,QAAAC,IAAgBC,GAAO,EAAK,GAC5B,CAACP,GAAOQ,CAAQ,IAAIC,GAA4B,MAAS,GACzDC,IAAWC;AAoBjB,SAfAC,GAAU,MAAM;AACd,IAAIN,EAAc,YAGlBA,EAAc,UAAU,IACTD,EAAA,EACZ,KAAK,CAACQ,MAAa;AAElB,MAAAH,EAASG,CAAQ;AAAA,IAAA,CAClB,EACA,MAAM,CAACtD,MAAQ;AACd,MAAAiD,EAASjD,CAAG;AAAA,IAAA,CACb;AAAA,EACL,GAAG,CAAE,CAAA,GAEDyC,IACEA,aAAiBG,2BAEhB,OACC,EAAA,UAAA;AAAA,IAAAW,gBAAAA,EAAAA,IAAC,QAAG,UAAK,QAAA,CAAA;AAAA,2BACR,OACE,EAAA,UAAA;AAAA,MAAAd,EAAM,MAAM;AAAA,MAEZA,EAAM,MAAM;AAAA,MAEZA,EAAM,MAAM;AAAA,IAAA,GACf;AAAA,EACF,EAAA,CAAA,2BAID,OACC,EAAA,UAAA;AAAA,IAAAc,gBAAAA,EAAAA,IAAC,QAAG,UAAK,QAAA,CAAA;AAAA,2BACR,OACE,EAAA,UAAA;AAAA,MAAMd,EAAA;AAAA,MAENA,EAAM;AAAA,IAAA,GACT;AAAA,EACF,EAAA,CAAA,IAIGc,gBAAAA,EAAA,IAAC,SAAI,UAAU,aAAA,CAAA;AACxB;AC/CA,MAAMC,KAAoB;AAS1B,MAAMC,WAAyBC,GAAqB;AAAA,EAClD,YACUC,GACAb,GACR;AACM,aAHE,KAAA,kBAAAa,GACA,KAAA,iBAAAb;AAAA,EAGV;AAAA,EACA,YAAY;AACH,WAAA;AAAA,MACL,GAAG,MAAM,UAAU;AAAA,MACnB;AAAA,QACE,MAAM,KAAK;AAAA,QACX,SAASS,gBAAAA,EAAA,IAACV,IAAS,EAAA,gBAAgB,KAAK,gBAAgB;AAAA,MAC1D;AAAA,IAAA;AAAA,EAEJ;AACF;AAEO,MAAMe,GAA+D;AAAA,EAe1E,YAAY;AAAA,IACV,QAAA1B;AAAA,IACA,uBAAA2B;AAAA,IACA,eAAAC;AAAA,IACA,UAAA/H;AAAA,IACA,uBAAAgI;AAAA,IACA,uBAAAC;AAAA,IACA,wBAAAC;AAAA,EAAA,GAC6B;AAtBrB,IAAAC,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA,yBAAkB;AAClB,IAAAA,EAAA,+BAAwB;AAC1B,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AA6MR,IAAAA,EAAA,wBAAiB,YAA6B;AAC5C,YAAMlJ,IAAM,IAAI,IAAI,OAAO,SAAS,IAAI,GAClCwH,IAAQxH,EAAI,aAAa,IAAI,OAAO,GAIpCU,IAAe,aAAa,QAAQ8H,EAAiB;AAG3D,UAAI,CAAC9H;AACH,cAAM,IAAIiH;AAAA,UACR;AAAA,QAAA;AAIE,YAAAwB,IAAa,MAAM,KAAK,iBAExBC,IAASC;AAAAA,QACbF;AAAA,QACA,KAAK;AAAA,QACLnJ,EAAI;AAAA,QACJwH,KAAS;AAAA,MAAA;AAEP,UAAA8B,EAAoBF,CAAM;AACrB,cAAAhM,GAAA,MAAM,mCAAmCgM,CAAM,GAChD,IAAIxB;AAAA,UACR;AAAA,UACAwB;AAAA,QAAA;AAIE,YAAAG,IAAc,IAAI,IAAIvJ,CAAG;AACnB,
MAAAuJ,EAAA,WAAW,KAAK,yBAAyB,KAAK,iBAC1DA,EAAY,SAAS;AAEf,YAAA/J,IAAW,MAAMgK;AAAAA,QACrBL;AAAA,QACA,KAAK;AAAA,QACLC;AAAA,QACAG,EAAY,SAAS;AAAA,QACrB7I;AAAA,MAAA,GAWI+I,IAAc,MAAMC;AAAAA,QACxBP;AAAA,QACA,KAAK;AAAA,QACL3J;AAAA,MAAA;AAGF,WAAK,sBAAsBiK,CAAW;AAEhC,YAAAvG,IAAc,MAAM,KAAK,kBAOzByG,IAAW,OALQ,MAAMC;AAAAA,QAC7BT;AAAA,QACA,KAAK;AAAA,QACLjG;AAAA,MAAA,GAEsC,QAElC2G,IAAuB;AAAA,QAC3B,KAAKF,EAAS;AAAA,QACd,OAAOA,EAAS;AAAA,QAChB,MAAMA,EAAS;AAAA,QACf,eAAeA,EAAS,kBAAkB;AAAA,QAC1C,YAAYA,EAAS;AAAA,MAAA;AASnB,aANJG,GAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAAD;AAAA,MAAA,CACD,GAEG,aAAa,QAAQ,SAAS,IACzB,KAAK,wBAEL,KAAK;AAAA,IACd;AAxRA,SAAK,SAAS;AAAA,MACZ,WAAW9I;AAAA,MACX,4BAA4B;AAAA,IAAA,GAE9B,KAAK,SAASmG,GACd,KAAK,wBAAwB2B,GAC7B,KAAK,gBAAgBC,GACrB,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,yBAAyBC,KAA0B;AAAA,EAC1D;AAAA,EAEA,MAAgB,gBAAgB;AAC1B,QAAA,CAAC,KAAK;AACJ,UAAA,KAAK,iBAAiB,KAAK;AAC7B,aAAK,sBAAsB;AAAA,UACzB,QAAQ,IAAI,IAAI,KAAK,qBAAsB,EAAE;AAAA,UAC7C,wBAAwB,KAAK;AAAA,UAC7B,gBAAgB,KAAK;AAAA,UACrB,kCAAkC,CAAC;AAAA,QAAA;AAAA,WAEhC;AACL,cAAMc,IAAY,IAAI,IAAI,KAAK,MAAM,GAC/BvK,IAAW,MAAMwK,GAAuBD,CAAS;AAClD,aAAA,sBAAsB,MAAME;AAAAA,UAC/BF;AAAA,UACAvK;AAAA,QAAA;AAAA,MAEJ;AAEF,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMU,sBACRA,GACA;AACI,QAAA8J,EAAoB9J,CAAQ;AACvB,YAAApC,GAAA,MAAM,sBAAsBoC,CAAQ,GACrC,IAAIoI,EAAwB,sBAAsBpI,CAAQ;AAG9D,QAAA,CAACA,EAAS;AACN,YAAA,IAAImI,EAAmB,2BAA2B;AAG1D,SAAK,SAAS;AAAA,MACZ,aAAanI,EAAS;AAAA,MACtB,cAAcA,EAAS;AAAA,MACvB,WAAW,IAAI,KAAK,KAAK,QAAQA,EAAS,aAAa,GAAI;AAAA,MAC3D,WAAWA,EAAS;AAAA,IAAA;AAAA,EAExB;AAAA,EAEA,MAAM,SAAS;AACN,WAAA,KAAK,UAAU,EAAI;AAAA,EAC5B;AAAA,EAEA,MAAM,SAAS;AACb,WAAO,KAAK;EACd;AAAA,EAEA,MAAc,UAAU0K,IAAS,IAAsB;;AACrD,UAAMC,IAAwB,QACxBC,IAAsB,MAAM,KAAK;AAOnC,QANAF,IACW,aAAA,QAAQ,WAAW,MAAM,IAEtC,aAAa,WAAW,SAAS,GAG/B,CAACE,EAAoB;AACjB,YAAA,IAAIzC,EAAmB,2BAA2B;AAQpD,UAAAjH,IAAe2J,MACfC,IAAgB,MAAMC,GAAiC7J,CAAY;AAE5D,iBAAA,QAAQ8H,IAAmB9H,CAAY;AAGpD,UAAM8J,IAAmB,IAAI;AAAA,MAC3BN,IACIE,EAAoB,yBACpBA,EAAoB,yBACpBA,E
AAoB;AAAA,IAAA,GAGpBb,IAAc,IAAI;AAAA,OACrBW,IACG,OAAO,SAAS,SAAS,KAAK,wBAC9B,OAAO,SAAS,SAAS,KAAK,0BAChC,OAAO,SAAS;AAAA,IAAA;AAmBpB,QAjBAX,EAAY,WAAW,KAAK,iBAC5BA,EAAY,SAAS,IAErBiB,EAAiB,aAAa,IAAI,aAAa,KAAK,OAAO,SAAS,GACpEA,EAAiB,aAAa,IAAI,gBAAgBjB,EAAY,UAAU,GACvDiB,EAAA,aAAa,IAAI,iBAAiB,MAAM,GACxCA,EAAA,aAAa,IAAI,SAAS,sBAAsB,GAChDA,EAAA,aAAa,IAAI,kBAAkBF,CAAa,GACjEE,EAAiB,aAAa;AAAA,MAC5B;AAAA,MACAL;AAAA,IAAA,KAQA3M,IAAA4M,EAAoB,qCAApB,gBAAA5M,EAAsD,SAAS,aAC/D,IACA;AACM,YAAAgK,IAAQiD;AACG,MAAAD,EAAA,aAAa,IAAI,SAAShD,CAAK;AAAA,IAClD;AAGA,aAAS,OAAOgD,EAAiB;AAAA,EACnC;AAAA,EAEA,MAAM,iBAAkC;AAChC,UAAA1I,IAAK,MAAM,KAAK;AAClB,QAAA,CAAC,KAAK;AACF,YAAA,IAAI6F,EAAmB,2BAA2B;AAE1D,QAAI,KAAK,OAAO,YAAY,oBAAI,QAAQ;AAClC,UAAA,CAAC,KAAK,OAAO;AAEf,cAAM,IAAIA;AAAA,UACR;AAAA,QAAA;AAIE,YAAA+C,IAAU,MAAMC;AAAAA,QACpB7I;AAAA,QACA,KAAK;AAAA,QACL,KAAK,OAAO;AAAA,MAAA,GAERtC,IAAW,MAAMoL;AAAAA,QACrB9I;AAAA,QACA,KAAK;AAAA,QACL4I;AAAA,MAAA;AAGF,WAAK,sBAAsBlL,CAAQ;AAAA,IACrC;AAEA,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA,EAEA,MAAM,UAAyB;AAC7B,IAAAsK,GAAa,SAAS;AAAA,MACpB,iBAAiB;AAAA,MACjB,WAAW;AAAA,MACX,SAAS;AAAA,IAAA,CACV;AAEK,UAAAhI,IAAK,MAAM,KAAK,iBAEhByH,IAAc,IAAI;AAAA,MACtB,OAAO,SAAS,SAAS,KAAK;AAAA,IAAA;AAEhC,IAAAA,EAAY,WAAW,KAAK;AAExB,QAAAsB;AAGJ,IAAI/I,EAAG,wBACO+I,IAAA,IAAI,IAAI/I,EAAG,oBAAoB,GAM3C+I,EAAU,aAAa;AAAA,MACrB;AAAA,MACAtB,EAAY,SAAS;AAAA,IAAA,KAGXsB,IAAAtB;AAAA,EAEhB;AAAA,EAkGA,0BAA0B;AACxB,WAAO,IAAId;AAAA,MAAiB,KAAK;AAAA,MAAiB,MAChD,KAAK,eAAe;AAAA,IAAA;AAAA,EAExB;AACF;AAEA,MAAMqC,KAEF,CAAC5L,MAAY,IAAI0J,GAA6B1J,CAAO;","x_google_ignoreList":[0,1]}
1
+ {"version":3,"file":"zudoku.auth-openid.js","sources":["../../../node_modules/.pnpm/loglevel@1.9.1/node_modules/loglevel/lib/loglevel.js","../../../node_modules/.pnpm/oauth4webapi@2.11.1/node_modules/oauth4webapi/build/index.js","../src/lib/authentication/errors.ts","../src/lib/authentication/Callback.tsx","../src/lib/authentication/providers/openid.tsx"],"sourcesContent":["/*\n* loglevel - https://github.com/pimterry/loglevel\n*\n* Copyright (c) 2013 Tim Perry\n* Licensed under the MIT license.\n*/\n(function (root, definition) {\n \"use strict\";\n if (typeof define === 'function' && define.amd) {\n define(definition);\n } else if (typeof module === 'object' && module.exports) {\n module.exports = definition();\n } else {\n root.log = definition();\n }\n}(this, function () {\n \"use strict\";\n\n // Slightly dubious tricks to cut down minimized file size\n var noop = function() {};\n var undefinedType = \"undefined\";\n var isIE = (typeof window !== undefinedType) && (typeof window.navigator !== undefinedType) && (\n /Trident\\/|MSIE /.test(window.navigator.userAgent)\n );\n\n var logMethods = [\n \"trace\",\n \"debug\",\n \"info\",\n \"warn\",\n \"error\"\n ];\n\n var _loggersByName = {};\n var defaultLogger = null;\n\n // Cross-browser bind equivalent that works at least back to IE6\n function bindMethod(obj, methodName) {\n var method = obj[methodName];\n if (typeof method.bind === 'function') {\n return method.bind(obj);\n } else {\n try {\n return Function.prototype.bind.call(method, obj);\n } catch (e) {\n // Missing bind shim or IE8 + Modernizr, fallback to wrapping\n return function() {\n return Function.prototype.apply.apply(method, [obj, arguments]);\n };\n }\n }\n }\n\n // Trace() doesn't print the message in IE, so for that case we need to wrap it\n function traceForIE() {\n if (console.log) {\n if (console.log.apply) {\n console.log.apply(console, arguments);\n } else {\n // In old IE, native console methods themselves don't have apply().\n 
Function.prototype.apply.apply(console.log, [console, arguments]);\n }\n }\n if (console.trace) console.trace();\n }\n\n // Build the best logging method possible for this env\n // Wherever possible we want to bind, not wrap, to preserve stack traces\n function realMethod(methodName) {\n if (methodName === 'debug') {\n methodName = 'log';\n }\n\n if (typeof console === undefinedType) {\n return false; // No method possible, for now - fixed later by enableLoggingWhenConsoleArrives\n } else if (methodName === 'trace' && isIE) {\n return traceForIE;\n } else if (console[methodName] !== undefined) {\n return bindMethod(console, methodName);\n } else if (console.log !== undefined) {\n return bindMethod(console, 'log');\n } else {\n return noop;\n }\n }\n\n // These private functions always need `this` to be set properly\n\n function replaceLoggingMethods() {\n /*jshint validthis:true */\n var level = this.getLevel();\n\n // Replace the actual methods.\n for (var i = 0; i < logMethods.length; i++) {\n var methodName = logMethods[i];\n this[methodName] = (i < level) ?\n noop :\n this.methodFactory(methodName, level, this.name);\n }\n\n // Define log.log as an alias for log.debug\n this.log = this.debug;\n\n // Return any important warnings.\n if (typeof console === undefinedType && level < this.levels.SILENT) {\n return \"No console available for logging\";\n }\n }\n\n // In old IE versions, the console isn't present until you first open it.\n // We build realMethod() replacements here that regenerate logging methods\n function enableLoggingWhenConsoleArrives(methodName) {\n return function () {\n if (typeof console !== undefinedType) {\n replaceLoggingMethods.call(this);\n this[methodName].apply(this, arguments);\n }\n };\n }\n\n // By default, we use closely bound real methods wherever possible, and\n // otherwise we wait for a console to appear, and then try again.\n function defaultMethodFactory(methodName, _level, _loggerName) {\n /*jshint validthis:true */\n return 
realMethod(methodName) ||\n enableLoggingWhenConsoleArrives.apply(this, arguments);\n }\n\n function Logger(name, factory) {\n // Private instance variables.\n var self = this;\n /**\n * The level inherited from a parent logger (or a global default). We\n * cache this here rather than delegating to the parent so that it stays\n * in sync with the actual logging methods that we have installed (the\n * parent could change levels but we might not have rebuilt the loggers\n * in this child yet).\n * @type {number}\n */\n var inheritedLevel;\n /**\n * The default level for this logger, if any. If set, this overrides\n * `inheritedLevel`.\n * @type {number|null}\n */\n var defaultLevel;\n /**\n * A user-specific level for this logger. If set, this overrides\n * `defaultLevel`.\n * @type {number|null}\n */\n var userLevel;\n\n var storageKey = \"loglevel\";\n if (typeof name === \"string\") {\n storageKey += \":\" + name;\n } else if (typeof name === \"symbol\") {\n storageKey = undefined;\n }\n\n function persistLevelIfPossible(levelNum) {\n var levelName = (logMethods[levelNum] || 'silent').toUpperCase();\n\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage[storageKey] = levelName;\n return;\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=\" + levelName + \";\";\n } catch (ignore) {}\n }\n\n function getPersistedLevel() {\n var storedLevel;\n\n if (typeof window === undefinedType || !storageKey) return;\n\n try {\n storedLevel = window.localStorage[storageKey];\n } catch (ignore) {}\n\n // Fallback to cookies if local storage gives us nothing\n if (typeof storedLevel === undefinedType) {\n try {\n var cookie = window.document.cookie;\n var cookieName = encodeURIComponent(storageKey);\n var location = cookie.indexOf(cookieName + \"=\");\n if (location !== -1) {\n storedLevel = /^([^;]+)/.exec(\n 
cookie.slice(location + cookieName.length + 1)\n )[1];\n }\n } catch (ignore) {}\n }\n\n // If the stored level is not valid, treat it as if nothing was stored.\n if (self.levels[storedLevel] === undefined) {\n storedLevel = undefined;\n }\n\n return storedLevel;\n }\n\n function clearPersistedLevel() {\n if (typeof window === undefinedType || !storageKey) return;\n\n // Use localStorage if available\n try {\n window.localStorage.removeItem(storageKey);\n } catch (ignore) {}\n\n // Use session cookie as fallback\n try {\n window.document.cookie =\n encodeURIComponent(storageKey) + \"=; expires=Thu, 01 Jan 1970 00:00:00 UTC\";\n } catch (ignore) {}\n }\n\n function normalizeLevel(input) {\n var level = input;\n if (typeof level === \"string\" && self.levels[level.toUpperCase()] !== undefined) {\n level = self.levels[level.toUpperCase()];\n }\n if (typeof level === \"number\" && level >= 0 && level <= self.levels.SILENT) {\n return level;\n } else {\n throw new TypeError(\"log.setLevel() called with invalid level: \" + input);\n }\n }\n\n /*\n *\n * Public logger API - see https://github.com/pimterry/loglevel for details\n *\n */\n\n self.name = name;\n\n self.levels = { \"TRACE\": 0, \"DEBUG\": 1, \"INFO\": 2, \"WARN\": 3,\n \"ERROR\": 4, \"SILENT\": 5};\n\n self.methodFactory = factory || defaultMethodFactory;\n\n self.getLevel = function () {\n if (userLevel != null) {\n return userLevel;\n } else if (defaultLevel != null) {\n return defaultLevel;\n } else {\n return inheritedLevel;\n }\n };\n\n self.setLevel = function (level, persist) {\n userLevel = normalizeLevel(level);\n if (persist !== false) { // defaults to true\n persistLevelIfPossible(userLevel);\n }\n\n // NOTE: in v2, this should call rebuild(), which updates children.\n return replaceLoggingMethods.call(self);\n };\n\n self.setDefaultLevel = function (level) {\n defaultLevel = normalizeLevel(level);\n if (!getPersistedLevel()) {\n self.setLevel(level, false);\n }\n };\n\n self.resetLevel = function 
() {\n userLevel = null;\n clearPersistedLevel();\n replaceLoggingMethods.call(self);\n };\n\n self.enableAll = function(persist) {\n self.setLevel(self.levels.TRACE, persist);\n };\n\n self.disableAll = function(persist) {\n self.setLevel(self.levels.SILENT, persist);\n };\n\n self.rebuild = function () {\n if (defaultLogger !== self) {\n inheritedLevel = normalizeLevel(defaultLogger.getLevel());\n }\n replaceLoggingMethods.call(self);\n\n if (defaultLogger === self) {\n for (var childName in _loggersByName) {\n _loggersByName[childName].rebuild();\n }\n }\n };\n\n // Initialize all the internal levels.\n inheritedLevel = normalizeLevel(\n defaultLogger ? defaultLogger.getLevel() : \"WARN\"\n );\n var initialLevel = getPersistedLevel();\n if (initialLevel != null) {\n userLevel = normalizeLevel(initialLevel);\n }\n replaceLoggingMethods.call(self);\n }\n\n /*\n *\n * Top-level API\n *\n */\n\n defaultLogger = new Logger();\n\n defaultLogger.getLogger = function getLogger(name) {\n if ((typeof name !== \"symbol\" && typeof name !== \"string\") || name === \"\") {\n throw new TypeError(\"You must supply a name when creating a logger.\");\n }\n\n var logger = _loggersByName[name];\n if (!logger) {\n logger = _loggersByName[name] = new Logger(\n name,\n defaultLogger.methodFactory\n );\n }\n return logger;\n };\n\n // Grab the current global log variable in case of overwrite\n var _log = (typeof window !== undefinedType) ? 
window.log : undefined;\n defaultLogger.noConflict = function() {\n if (typeof window !== undefinedType &&\n window.log === defaultLogger) {\n window.log = _log;\n }\n\n return defaultLogger;\n };\n\n defaultLogger.getLoggers = function getLoggers() {\n return _loggersByName;\n };\n\n // ES6 default export, for compatibility\n defaultLogger['default'] = defaultLogger;\n\n return defaultLogger;\n}));\n","let USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'oauth4webapi';\n const VERSION = 'v2.11.1';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nfunction looseInstanceOf(input, expected) {\n if (input == null) {\n return false;\n }\n try {\n return (input instanceof expected ||\n Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);\n }\n catch {\n return false;\n }\n}\nexport const clockSkew = Symbol();\nexport const clockTolerance = Symbol();\nexport const customFetch = Symbol();\nexport const experimental_jwksCache = Symbol();\nexport const useMtlsAlias = Symbol();\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\nfunction buf(input) {\n if (typeof input === 'string') {\n return encoder.encode(input);\n }\n return decoder.decode(input);\n}\nconst CHUNK_SIZE = 0x8000;\nfunction encodeBase64Url(input) {\n if (input instanceof ArrayBuffer) {\n input = new Uint8Array(input);\n }\n const arr = [];\n for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join('')).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\nfunction decodeBase64Url(input) {\n try {\n const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, ''));\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n }\n catch (cause) {\n throw new 
OPE('The input to be decoded is not correctly encoded.', { cause });\n }\n}\nfunction b64u(input) {\n if (typeof input === 'string') {\n return decodeBase64Url(input);\n }\n return encodeBase64Url(input);\n}\nclass LRU {\n constructor(maxSize) {\n this.cache = new Map();\n this._cache = new Map();\n this.maxSize = maxSize;\n }\n get(key) {\n let v = this.cache.get(key);\n if (v) {\n return v;\n }\n if ((v = this._cache.get(key))) {\n this.update(key, v);\n return v;\n }\n return undefined;\n }\n has(key) {\n return this.cache.has(key) || this._cache.has(key);\n }\n set(key, value) {\n if (this.cache.has(key)) {\n this.cache.set(key, value);\n }\n else {\n this.update(key, value);\n }\n return this;\n }\n delete(key) {\n if (this.cache.has(key)) {\n return this.cache.delete(key);\n }\n if (this._cache.has(key)) {\n return this._cache.delete(key);\n }\n return false;\n }\n update(key, value) {\n this.cache.set(key, value);\n if (this.cache.size >= this.maxSize) {\n this._cache = this.cache;\n this.cache = new Map();\n }\n }\n}\nexport class UnsupportedOperationError extends Error {\n constructor(message) {\n super(message ?? 
'operation not supported');\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class OperationProcessingError extends Error {\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nconst OPE = OperationProcessingError;\nconst dpopNonces = new LRU(100);\nfunction isCryptoKey(key) {\n return key instanceof CryptoKey;\n}\nfunction isPrivateKey(key) {\n return isCryptoKey(key) && key.type === 'private';\n}\nfunction isPublicKey(key) {\n return isCryptoKey(key) && key.type === 'public';\n}\nconst SUPPORTED_JWS_ALGS = [\n 'PS256',\n 'ES256',\n 'RS256',\n 'PS384',\n 'ES384',\n 'RS384',\n 'PS512',\n 'ES512',\n 'RS512',\n 'EdDSA',\n];\nfunction processDpopNonce(response) {\n try {\n const nonce = response.headers.get('dpop-nonce');\n if (nonce) {\n dpopNonces.set(new URL(response.url).origin, nonce);\n }\n }\n catch { }\n return response;\n}\nfunction normalizeTyp(value) {\n return value.toLowerCase().replace(/^application\\//, '');\n}\nfunction isJsonObject(input) {\n if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n return false;\n }\n return true;\n}\nfunction prepareHeaders(input) {\n if (looseInstanceOf(input, Headers)) {\n input = Object.fromEntries(input.entries());\n }\n const headers = new Headers(input);\n if (USER_AGENT && !headers.has('user-agent')) {\n headers.set('user-agent', USER_AGENT);\n }\n if (headers.has('authorization')) {\n throw new TypeError('\"options.headers\" must not include the \"authorization\" header name');\n }\n if (headers.has('dpop')) {\n throw new TypeError('\"options.headers\" must not include the \"dpop\" header name');\n }\n return headers;\n}\nfunction signal(value) {\n if (typeof value === 'function') {\n value = value();\n }\n if (!(value instanceof AbortSignal)) {\n throw new TypeError('\"options.signal\" must return or be an instance of 
AbortSignal');\n }\n return value;\n}\nexport async function discoveryRequest(issuerIdentifier, options) {\n if (!(issuerIdentifier instanceof URL)) {\n throw new TypeError('\"issuerIdentifier\" must be an instance of URL');\n }\n if (issuerIdentifier.protocol !== 'https:' && issuerIdentifier.protocol !== 'http:') {\n throw new TypeError('\"issuer.protocol\" must be \"https:\" or \"http:\"');\n }\n const url = new URL(issuerIdentifier.href);\n switch (options?.algorithm) {\n case undefined:\n case 'oidc':\n url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace('//', '/');\n break;\n case 'oauth2':\n if (url.pathname === '/') {\n url.pathname = '.well-known/oauth-authorization-server';\n }\n else {\n url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/');\n }\n break;\n default:\n throw new TypeError('\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"');\n }\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? 
signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nfunction validateString(input) {\n return typeof input === 'string' && input.length !== 0;\n}\nexport async function processDiscoveryResponse(expectedIssuerIdentifier, response) {\n if (!(expectedIssuerIdentifier instanceof URL)) {\n throw new TypeError('\"expectedIssuer\" must be an instance of URL');\n }\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform Authorization Server Metadata response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.issuer)) {\n throw new OPE('\"response\" body \"issuer\" property must be a non-empty string');\n }\n if (new URL(json.issuer).href !== expectedIssuerIdentifier.href) {\n throw new OPE('\"response\" body \"issuer\" does not match \"expectedIssuer\"');\n }\n return json;\n}\nfunction randomBytes() {\n return b64u(crypto.getRandomValues(new Uint8Array(32)));\n}\nexport function generateRandomCodeVerifier() {\n return randomBytes();\n}\nexport function generateRandomState() {\n return randomBytes();\n}\nexport function generateRandomNonce() {\n return randomBytes();\n}\nexport async function calculatePKCECodeChallenge(codeVerifier) {\n if (!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));\n}\nfunction getKeyAndKid(input) {\n if (input instanceof CryptoKey) {\n return { key: input };\n }\n if (!(input?.key instanceof CryptoKey)) {\n return {};\n }\n if (input.kid !== undefined && !validateString(input.kid)) {\n throw new 
TypeError('\"kid\" must be a non-empty string');\n }\n return { key: input.key, kid: input.kid };\n}\nfunction formUrlEncode(token) {\n return encodeURIComponent(token).replace(/%20/g, '+');\n}\nfunction clientSecretBasic(clientId, clientSecret) {\n const username = formUrlEncode(clientId);\n const password = formUrlEncode(clientSecret);\n const credentials = btoa(`${username}:${password}`);\n return `Basic ${credentials}`;\n}\nfunction psAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction rsAlg(key) {\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n default:\n throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');\n }\n}\nfunction esAlg(key) {\n switch (key.algorithm.namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n default:\n throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve');\n }\n}\nfunction keyToJws(key) {\n switch (key.algorithm.name) {\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n case 'Ed25519':\n case 'Ed448':\n return 'EdDSA';\n default:\n throw new UnsupportedOperationError('unsupported CryptoKey algorithm name');\n }\n}\nfunction getClockSkew(client) {\n const skew = client?.[clockSkew];\n return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;\n}\nfunction getClockTolerance(client) {\n const tolerance = client?.[clockTolerance];\n return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1\n ? 
tolerance\n : 30;\n}\nfunction epochTime() {\n return Math.floor(Date.now() / 1000);\n}\nfunction clientAssertion(as, client) {\n const now = epochTime() + getClockSkew(client);\n return {\n jti: randomBytes(),\n aud: [as.issuer, as.token_endpoint],\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n sub: client.client_id,\n };\n}\nasync function privateKeyJwt(as, client, key, kid) {\n return jwt({\n alg: keyToJws(key),\n kid,\n }, clientAssertion(as, client), key);\n}\nfunction assertAs(as) {\n if (typeof as !== 'object' || as === null) {\n throw new TypeError('\"as\" must be an object');\n }\n if (!validateString(as.issuer)) {\n throw new TypeError('\"as.issuer\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClient(client) {\n if (typeof client !== 'object' || client === null) {\n throw new TypeError('\"client\" must be an object');\n }\n if (!validateString(client.client_id)) {\n throw new TypeError('\"client.client_id\" property must be a non-empty string');\n }\n return true;\n}\nfunction assertClientSecret(clientSecret) {\n if (!validateString(clientSecret)) {\n throw new TypeError('\"client.client_secret\" property must be a non-empty string');\n }\n return clientSecret;\n}\nfunction assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {\n if (clientPrivateKey !== undefined) {\n throw new TypeError(`\"options.clientPrivateKey\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nfunction assertNoClientSecret(clientAuthMethod, clientSecret) {\n if (clientSecret !== undefined) {\n throw new TypeError(`\"client.client_secret\" property must not be provided when ${clientAuthMethod} client authentication method is used.`);\n }\n}\nasync function clientAuthentication(as, client, body, headers, clientPrivateKey) {\n body.delete('client_secret');\n body.delete('client_assertion_type');\n body.delete('client_assertion');\n switch 
(client.token_endpoint_auth_method) {\n case undefined:\n case 'client_secret_basic': {\n assertNoClientPrivateKey('client_secret_basic', clientPrivateKey);\n headers.set('authorization', clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));\n break;\n }\n case 'client_secret_post': {\n assertNoClientPrivateKey('client_secret_post', clientPrivateKey);\n body.set('client_id', client.client_id);\n body.set('client_secret', assertClientSecret(client.client_secret));\n break;\n }\n case 'private_key_jwt': {\n assertNoClientSecret('private_key_jwt', client.client_secret);\n if (clientPrivateKey === undefined) {\n throw new TypeError('\"options.clientPrivateKey\" must be provided when \"client.token_endpoint_auth_method\" is \"private_key_jwt\"');\n }\n const { key, kid } = getKeyAndKid(clientPrivateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"options.clientPrivateKey.key\" must be a private CryptoKey');\n }\n body.set('client_id', client.client_id);\n body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');\n body.set('client_assertion', await privateKeyJwt(as, client, key, kid));\n break;\n }\n case 'tls_client_auth':\n case 'self_signed_tls_client_auth':\n case 'none': {\n assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);\n assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);\n body.set('client_id', client.client_id);\n break;\n }\n default:\n throw new UnsupportedOperationError('unsupported client token_endpoint_auth_method');\n }\n}\nasync function jwt(header, claimsSet, key) {\n if (!key.usages.includes('sign')) {\n throw new TypeError('CryptoKey instances used for signing assertions must include \"sign\" in their \"usages\"');\n }\n const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;\n const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));\n return 
`${input}.${signature}`;\n}\nexport async function issueRequestObject(as, client, parameters, privateKey) {\n assertAs(as);\n assertClient(client);\n parameters = new URLSearchParams(parameters);\n const { key, kid } = getKeyAndKid(privateKey);\n if (!isPrivateKey(key)) {\n throw new TypeError('\"privateKey.key\" must be a private CryptoKey');\n }\n parameters.set('client_id', client.client_id);\n const now = epochTime() + getClockSkew(client);\n const claims = {\n ...Object.fromEntries(parameters.entries()),\n jti: randomBytes(),\n aud: as.issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: client.client_id,\n };\n let resource;\n if (parameters.has('resource') &&\n (resource = parameters.getAll('resource')) &&\n resource.length > 1) {\n claims.resource = resource;\n }\n {\n let value = parameters.get('max_age');\n if (value !== null) {\n claims.max_age = parseInt(value, 10);\n if (!Number.isFinite(claims.max_age)) {\n throw new OPE('\"max_age\" parameter must be a number');\n }\n }\n }\n {\n let value = parameters.get('claims');\n if (value !== null) {\n try {\n claims.claims = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"claims\" parameter as JSON', { cause });\n }\n if (!isJsonObject(claims.claims)) {\n throw new OPE('\"claims\" parameter must be a JSON with a top level object');\n }\n }\n }\n {\n let value = parameters.get('authorization_details');\n if (value !== null) {\n try {\n claims.authorization_details = JSON.parse(value);\n }\n catch (cause) {\n throw new OPE('failed to parse the \"authorization_details\" parameter as JSON', { cause });\n }\n if (!Array.isArray(claims.authorization_details)) {\n throw new OPE('\"authorization_details\" parameter must be a JSON with a top level array');\n }\n }\n }\n return jwt({\n alg: keyToJws(key),\n typ: 'oauth-authz-req+jwt',\n kid,\n }, claims, key);\n}\nasync function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken) {\n const { privateKey, publicKey, nonce = 
dpopNonces.get(url.origin) } = options;\n if (!isPrivateKey(privateKey)) {\n throw new TypeError('\"DPoP.privateKey\" must be a private CryptoKey');\n }\n if (!isPublicKey(publicKey)) {\n throw new TypeError('\"DPoP.publicKey\" must be a public CryptoKey');\n }\n if (nonce !== undefined && !validateString(nonce)) {\n throw new TypeError('\"DPoP.nonce\" must be a non-empty string or undefined');\n }\n if (!publicKey.extractable) {\n throw new TypeError('\"DPoP.publicKey.extractable\" must be true');\n }\n const now = epochTime() + clockSkew;\n const proof = await jwt({\n alg: keyToJws(privateKey),\n typ: 'dpop+jwt',\n jwk: await publicJwk(publicKey),\n }, {\n iat: now,\n jti: randomBytes(),\n htm,\n nonce,\n htu: `${url.origin}${url.pathname}`,\n ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,\n }, privateKey);\n headers.set('dpop', proof);\n}\nlet jwkCache;\nasync function getSetPublicJwkCache(key) {\n const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);\n const jwk = { kty, e, n, x, y, crv };\n jwkCache.set(key, jwk);\n return jwk;\n}\nasync function publicJwk(key) {\n jwkCache || (jwkCache = new WeakMap());\n return jwkCache.get(key) || getSetPublicJwkCache(key);\n}\nfunction validateEndpoint(value, endpoint, options) {\n if (typeof value !== 'string') {\n if (options?.[useMtlsAlias]) {\n throw new TypeError(`\"as.mtls_endpoint_aliases.${endpoint}\" must be a string`);\n }\n throw new TypeError(`\"as.${endpoint}\" must be a string`);\n }\n return new URL(value);\n}\nfunction resolveEndpoint(as, endpoint, options) {\n if (options?.[useMtlsAlias] && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {\n return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, options);\n }\n return validateEndpoint(as[endpoint], endpoint);\n}\nexport async function pushedAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = 
resolveEndpoint(as, 'pushed_authorization_request_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport function isOAuth2Error(input) {\n const value = input;\n if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n return false;\n }\n return value.error !== undefined;\n}\nfunction unquote(value) {\n if (value.length >= 2 && value[0] === '\"' && value[value.length - 1] === '\"') {\n return value.slice(1, -1);\n }\n return value;\n}\nconst SPLIT_REGEXP = /((?:,|, )?[0-9a-zA-Z!#$%&'*+-.^_`|~]+=)/;\nconst SCHEMES_REGEXP = /(?:^|, ?)([0-9a-zA-Z!#$%&'*+\\-.^_`|~]+)(?=$|[ ,])/g;\nfunction wwwAuth(scheme, params) {\n const arr = params.split(SPLIT_REGEXP).slice(1);\n if (!arr.length) {\n return { scheme: scheme.toLowerCase(), parameters: {} };\n }\n arr[arr.length - 1] = arr[arr.length - 1].replace(/,$/, '');\n const parameters = {};\n for (let i = 1; i < arr.length; i += 2) {\n const idx = i;\n if (arr[idx][0] === '\"') {\n while (arr[idx].slice(-1) !== '\"' && ++i < arr.length) {\n arr[idx] += arr[i];\n }\n }\n const key = arr[idx - 1].replace(/^(?:, ?)|=$/g, '').toLowerCase();\n parameters[key] = unquote(arr[idx]);\n }\n return {\n scheme: scheme.toLowerCase(),\n parameters,\n };\n}\nexport function parseWwwAuthenticateChallenges(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n const header = response.headers.get('www-authenticate');\n if (header === null) {\n return undefined;\n }\n const result = [];\n for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) {\n result.push([scheme, 
index]);\n }\n if (!result.length) {\n return undefined;\n }\n const challenges = result.map(([scheme, indexOf], i, others) => {\n const next = others[i + 1];\n let parameters;\n if (next) {\n parameters = header.slice(indexOf, next[1]);\n }\n else {\n parameters = header.slice(indexOf);\n }\n return wwwAuth(scheme, parameters);\n });\n return challenges;\n}\nexport async function processPushedAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 201) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Pushed Authorization Request Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.request_uri)) {\n throw new OPE('\"response\" body \"request_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n return json;\n}\nexport async function protectedResourceRequest(accessToken, method, url, headers, body, options) {\n if (!validateString(accessToken)) {\n throw new TypeError('\"accessToken\" must be a non-empty string');\n }\n if (!(url instanceof URL)) {\n throw new TypeError('\"url\" must be an instance of URL');\n }\n headers = prepareHeaders(headers);\n if (options?.DPoP === undefined) {\n headers.set('authorization', `Bearer ${accessToken}`);\n }\n else {\n await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);\n 
headers.set('authorization', `DPoP ${accessToken}`);\n }\n return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nexport async function userInfoRequest(as, client, accessToken, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'userinfo_endpoint', options);\n const headers = prepareHeaders(options?.headers);\n if (client.userinfo_signed_response_alg) {\n headers.set('accept', 'application/jwt');\n }\n else {\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwt');\n }\n return protectedResourceRequest(accessToken, 'GET', url, headers, null, {\n ...options,\n [clockSkew]: getClockSkew(client),\n });\n}\nlet jwksMap;\nfunction setJwksCache(as, jwks, uat, cache) {\n jwksMap || (jwksMap = new WeakMap());\n jwksMap.set(as, {\n jwks,\n uat,\n get age() {\n return epochTime() - this.uat;\n },\n });\n if (cache) {\n Object.assign(cache, { jwks: structuredClone(jwks), uat });\n }\n}\nfunction isFreshJwksCache(input) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {\n return false;\n }\n if (!('jwks' in input) ||\n !isJsonObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {\n return false;\n }\n return true;\n}\nfunction clearJwksCache(as, cache) {\n jwksMap?.delete(as);\n delete cache?.jwks;\n delete cache?.uat;\n}\nasync function getPublicSigKeyFromIssuerJwksUri(as, options, header) {\n const { alg, kid } = header;\n checkSupportedJwsAlg(alg);\n if (!jwksMap?.has(as) && isFreshJwksCache(options?.[experimental_jwksCache])) {\n setJwksCache(as, options?.[experimental_jwksCache].jwks, options?.[experimental_jwksCache].uat);\n }\n let jwks;\n let 
age;\n if (jwksMap?.has(as)) {\n ;\n ({ jwks, age } = jwksMap.get(as));\n if (age >= 300) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n }\n else {\n jwks = await jwksRequest(as, options).then(processJwksResponse);\n age = 0;\n setJwksCache(as, jwks, epochTime(), options?.[experimental_jwksCache]);\n }\n let kty;\n switch (alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n kty = 'RSA';\n break;\n case 'ES':\n kty = 'EC';\n break;\n case 'Ed':\n kty = 'OKP';\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const candidates = jwks.keys.filter((jwk) => {\n if (jwk.kty !== kty) {\n return false;\n }\n if (kid !== undefined && kid !== jwk.kid) {\n return false;\n }\n if (jwk.alg !== undefined && alg !== jwk.alg) {\n return false;\n }\n if (jwk.use !== undefined && jwk.use !== 'sig') {\n return false;\n }\n if (jwk.key_ops?.includes('verify') === false) {\n return false;\n }\n switch (true) {\n case alg === 'ES256' && jwk.crv !== 'P-256':\n case alg === 'ES384' && jwk.crv !== 'P-384':\n case alg === 'ES512' && jwk.crv !== 'P-521':\n case alg === 'EdDSA' && !(jwk.crv === 'Ed25519' || jwk.crv === 'Ed448'):\n return false;\n }\n return true;\n });\n const { 0: jwk, length } = candidates;\n if (!length) {\n if (age >= 60) {\n clearJwksCache(as, options?.[experimental_jwksCache]);\n return getPublicSigKeyFromIssuerJwksUri(as, options, header);\n }\n throw new OPE('error when selecting a JWT verification key, no applicable keys found');\n }\n if (length !== 1) {\n throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('jwks_uri must only contain public keys');\n }\n return key;\n}\nexport const skipSubjectCheck = Symbol();\nfunction getContentType(response) {\n return 
response.headers.get('content-type')?.split(';')[0];\n}\nexport async function processUserInfoResponse(as, client, expectedSubject, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform UserInfo Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validateOptionalAudience.bind(undefined, client.client_id))\n .then(validateOptionalIssuer.bind(undefined, as.issuer));\n json = claims;\n }\n else {\n if (client.userinfo_signed_response_alg) {\n throw new OPE('JWT UserInfo Response expected');\n }\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.sub)) {\n throw new OPE('\"response\" body \"sub\" property must be a non-empty string');\n }\n switch (expectedSubject) {\n case skipSubjectCheck:\n break;\n default:\n if (!validateString(expectedSubject)) {\n throw new OPE('\"expectedSubject\" must be a non-empty string');\n }\n if (json.sub !== expectedSubject) {\n throw new OPE('unexpected \"response\" body \"sub\" value');\n }\n }\n return json;\n}\nasync function authenticatedRequest(as, client, method, url, body, headers, options) {\n await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);\n headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');\n 
return (options?.[customFetch] || fetch)(url.href, {\n body,\n headers: Object.fromEntries(headers.entries()),\n method,\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function tokenEndpointRequest(as, client, grantType, parameters, options) {\n const url = resolveEndpoint(as, 'token_endpoint', options);\n parameters.set('grant_type', grantType);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n if (options?.DPoP !== undefined) {\n await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));\n }\n return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);\n}\nexport async function refreshTokenGrantRequest(as, client, refreshToken, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(refreshToken)) {\n throw new TypeError('\"refreshToken\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('refresh_token', refreshToken);\n return tokenEndpointRequest(as, client, 'refresh_token', parameters, options);\n}\nconst idTokenClaims = new WeakMap();\nexport function getValidatedIdTokenClaims(ref) {\n if (!ref.id_token) {\n return undefined;\n }\n const claims = idTokenClaims.get(ref);\n if (!claims) {\n throw new TypeError('\"ref\" was already garbage collected or did not resolve from the proper sources');\n }\n return claims;\n}\nasync function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Token Endpoint response');\n }\n 
assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.access_token)) {\n throw new OPE('\"response\" body \"access_token\" property must be a non-empty string');\n }\n if (!validateString(json.token_type)) {\n throw new OPE('\"response\" body \"token_type\" property must be a non-empty string');\n }\n json.token_type = json.token_type.toLowerCase();\n if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {\n throw new UnsupportedOperationError('unsupported `token_type` value');\n }\n if (json.expires_in !== undefined &&\n (typeof json.expires_in !== 'number' || json.expires_in <= 0)) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (!ignoreRefreshToken &&\n json.refresh_token !== undefined &&\n !validateString(json.refresh_token)) {\n throw new OPE('\"response\" body \"refresh_token\" property must be a non-empty string');\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n throw new OPE('\"response\" body \"scope\" property must be a string');\n }\n if (!ignoreIdToken) {\n if (json.id_token !== undefined && !validateString(json.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n if (json.id_token) {\n const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 
&& claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n idTokenClaims.set(json, claims);\n }\n }\n return json;\n}\nexport async function processRefreshTokenResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nfunction validateOptionalAudience(expected, result) {\n if (result.claims.aud !== undefined) {\n return validateAudience(expected, result);\n }\n return result;\n}\nfunction validateAudience(expected, result) {\n if (Array.isArray(result.claims.aud)) {\n if (!result.claims.aud.includes(expected)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n }\n else if (result.claims.aud !== expected) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim value');\n }\n return result;\n}\nfunction validateOptionalIssuer(expected, result) {\n if (result.claims.iss !== undefined) {\n return validateIssuer(expected, result);\n }\n return result;\n}\nfunction validateIssuer(expected, result) {\n if (result.claims.iss !== expected) {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim value');\n }\n return result;\n}\nconst branded = new WeakSet();\nfunction brand(searchParams) {\n branded.add(searchParams);\n return searchParams;\n}\nexport async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {\n assertAs(as);\n assertClient(client);\n if (!branded.has(callbackParameters)) {\n throw new TypeError('\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()');\n }\n if (!validateString(redirectUri)) {\n throw new TypeError('\"redirectUri\" must be a non-empty string');\n }\n if 
(!validateString(codeVerifier)) {\n throw new TypeError('\"codeVerifier\" must be a non-empty string');\n }\n const code = getURLSearchParameter(callbackParameters, 'code');\n if (!code) {\n throw new OPE('no authorization code in \"callbackParameters\"');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('redirect_uri', redirectUri);\n parameters.set('code_verifier', codeVerifier);\n parameters.set('code', code);\n return tokenEndpointRequest(as, client, 'authorization_code', parameters, options);\n}\nconst jwtClaimNames = {\n aud: 'audience',\n c_hash: 'code hash',\n client_id: 'client id',\n exp: 'expiration time',\n iat: 'issued at',\n iss: 'issuer',\n jti: 'jwt id',\n nonce: 'nonce',\n s_hash: 'state hash',\n sub: 'subject',\n ath: 'access token hash',\n htm: 'http method',\n htu: 'http uri',\n cnf: 'confirmation',\n};\nfunction validatePresence(required, result) {\n for (const claim of required) {\n if (result.claims[claim] === undefined) {\n throw new OPE(`JWT \"${claim}\" (${jwtClaimNames[claim]}) claim missing`);\n }\n }\n return result;\n}\nexport const expectNoNonce = Symbol();\nexport const skipAuthTimeCheck = Symbol();\nexport async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge) {\n const result = await processGenericAccessTokenResponse(as, client, response);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!validateString(result.id_token)) {\n throw new OPE('\"response\" body \"id_token\" property must be a non-empty string');\n }\n maxAge ?? (maxAge = client.default_max_age ?? 
skipAuthTimeCheck);\n const claims = getValidatedIdTokenClaims(result);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n switch (expectedNonce) {\n case undefined:\n case expectNoNonce:\n if (claims.nonce !== undefined) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n break;\n default:\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce === undefined) {\n throw new OPE('ID Token \"nonce\" claim missing');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n }\n return result;\n}\nexport async function processAuthorizationCodeOAuth2Response(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (result.id_token !== undefined) {\n if (typeof result.id_token === 'string' && result.id_token.length) {\n throw new OPE('Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing');\n }\n delete result.id_token;\n }\n return result;\n}\nfunction checkJwtType(expected, result) {\n if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {\n throw new OPE('unexpected JWT \"typ\" header parameter value');\n }\n return result;\n}\nexport async function clientCredentialsGrantRequest(as, 
client, parameters, options) {\n assertAs(as);\n assertClient(client);\n return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);\n}\nexport async function processClientCredentialsResponse(as, client, response) {\n const result = await processGenericAccessTokenResponse(as, client, response, true, true);\n if (isOAuth2Error(result)) {\n return result;\n }\n return result;\n}\nexport async function revocationRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'revocation_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n headers.delete('accept');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processRevocationResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Revocation Endpoint response');\n }\n return undefined;\n}\nfunction assertReadableResponse(response) {\n if (response.bodyUsed) {\n throw new TypeError('\"response\" body has been used already');\n }\n}\nexport async function introspectionRequest(as, client, token, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(token)) {\n throw new TypeError('\"token\" must be a non-empty string');\n }\n const url = resolveEndpoint(as, 'introspection_endpoint', options);\n const body = new URLSearchParams(options?.additionalParameters);\n body.set('token', token);\n const headers = prepareHeaders(options?.headers);\n if (options?.requestJwtResponse ?? 
client.introspection_signed_response_alg) {\n headers.set('accept', 'application/token-introspection+jwt');\n }\n else {\n headers.set('accept', 'application/json');\n }\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processIntrospectionResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Introspection Endpoint response');\n }\n let json;\n if (getContentType(response) === 'application/token-introspection+jwt') {\n assertReadableResponse(response);\n const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))\n .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))\n .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n json = claims.token_introspection;\n if (!isJsonObject(json)) {\n throw new OPE('JWT \"token_introspection\" claim must be a JSON object');\n }\n }\n else {\n assertReadableResponse(response);\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n }\n if (typeof json.active !== 'boolean') {\n throw new OPE('\"response\" body \"active\" property must be a boolean');\n }\n return json;\n}\nasync function jwksRequest(as, options) {\n assertAs(as);\n const url = resolveEndpoint(as, 'jwks_uri');\n 
const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n headers.append('accept', 'application/jwk-set+json');\n return (options?.[customFetch] || fetch)(url.href, {\n headers: Object.fromEntries(headers.entries()),\n method: 'GET',\n redirect: 'manual',\n signal: options?.signal ? signal(options.signal) : null,\n }).then(processDpopNonce);\n}\nasync function processJwksResponse(response) {\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n throw new OPE('\"response\" is not a conform JSON Web Key Set response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!Array.isArray(json.keys)) {\n throw new OPE('\"response\" body \"keys\" property must be an array');\n }\n if (!Array.prototype.every.call(json.keys, isJsonObject)) {\n throw new OPE('\"response\" body \"keys\" property members must be JWK formatted objects');\n }\n return json;\n}\nasync function handleOAuthBodyError(response) {\n if (response.status > 399 && response.status < 500) {\n assertReadableResponse(response);\n try {\n const json = await response.json();\n if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {\n if (json.error_description !== undefined && typeof json.error_description !== 'string') {\n delete json.error_description;\n }\n if (json.error_uri !== undefined && typeof json.error_uri !== 'string') {\n delete json.error_uri;\n }\n if (json.algs !== undefined && typeof json.algs !== 'string') {\n delete json.algs;\n }\n if (json.scope !== undefined && typeof json.scope !== 'string') {\n delete json.scope;\n }\n return json;\n }\n }\n catch { }\n }\n return 
undefined;\n}\nfunction checkSupportedJwsAlg(alg) {\n if (!SUPPORTED_JWS_ALGS.includes(alg)) {\n throw new UnsupportedOperationError('unsupported JWS \"alg\" identifier');\n }\n return alg;\n}\nfunction checkRsaKeyAlgorithm(algorithm) {\n if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {\n throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);\n }\n}\nfunction ecdsaHashName(namedCurve) {\n switch (namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n default:\n throw new UnsupportedOperationError();\n }\n}\nfunction keyToSubtle(key) {\n switch (key.algorithm.name) {\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key.algorithm.namedCurve),\n };\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key.algorithm);\n switch (key.algorithm.hash.name) {\n case 'SHA-256':\n case 'SHA-384':\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,\n };\n default:\n throw new UnsupportedOperationError();\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key.algorithm);\n return key.algorithm.name;\n case 'Ed448':\n case 'Ed25519':\n return key.algorithm.name;\n }\n throw new UnsupportedOperationError();\n}\nconst noSignatureCheck = Symbol();\nasync function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {\n const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');\n if (length === 5) {\n throw new UnsupportedOperationError('JWE structure JWTs are not supported');\n }\n if (length !== 3) {\n throw new OPE('Invalid JWT');\n }\n let header;\n try {\n header = JSON.parse(buf(b64u(protectedHeader)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(header)) {\n throw new OPE('JWT Header must be a top level object');\n }\n 
checkAlg(header);\n if (header.crit !== undefined) {\n throw new OPE('unexpected JWT \"crit\" header parameter');\n }\n const signature = b64u(encodedSignature);\n let key;\n if (getKey !== noSignatureCheck) {\n key = await getKey(header);\n const input = `${protectedHeader}.${payload}`;\n const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));\n if (!verified) {\n throw new OPE('JWT signature verification failed');\n }\n }\n let claims;\n try {\n claims = JSON.parse(buf(b64u(payload)));\n }\n catch (cause) {\n throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });\n }\n if (!isJsonObject(claims)) {\n throw new OPE('JWT Payload must be a top level object');\n }\n const now = epochTime() + clockSkew;\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim type');\n }\n if (claims.exp <= now - clockTolerance) {\n throw new OPE('unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()');\n }\n }\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim type');\n }\n }\n if (claims.iss !== undefined) {\n if (typeof claims.iss !== 'string') {\n throw new OPE('unexpected JWT \"iss\" (issuer) claim type');\n }\n }\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim type');\n }\n if (claims.nbf > now + clockTolerance) {\n throw new OPE('unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()');\n }\n }\n if (claims.aud !== undefined) {\n if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {\n throw new OPE('unexpected JWT \"aud\" (audience) claim type');\n }\n }\n return { header, claims, signature, key };\n}\nexport async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {\n assertAs(as);\n 
assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n const response = getURLSearchParameter(parameters, 'response');\n if (!response) {\n throw new OPE('\"parameters\" does not contain a JARM response');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const result = new URLSearchParams();\n for (const [key, value] of Object.entries(claims)) {\n if (typeof value === 'string' && key !== 'aud') {\n result.set(key, value);\n }\n }\n return validateAuthResponse(as, client, result, expectedState);\n}\nasync function idTokenHash(alg, data, key) {\n let algorithm;\n switch (alg) {\n case 'RS256':\n case 'PS256':\n case 'ES256':\n algorithm = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'ES384':\n algorithm = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'ES512':\n algorithm = 'SHA-512';\n break;\n case 'EdDSA':\n if (key.algorithm.name === 'Ed25519') {\n algorithm = 'SHA-512';\n break;\n }\n throw new UnsupportedOperationError();\n default:\n throw new UnsupportedOperationError();\n }\n const digest = await crypto.subtle.digest(algorithm, buf(data));\n return b64u(digest.slice(0, digest.byteLength / 2));\n}\nasync function idTokenHashMatches(data, actual, alg, key) {\n const expected = await idTokenHash(alg, data, key);\n return actual === 
expected;\n}\nexport async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n if (!parameters.hash.length) {\n throw new TypeError('\"parameters\" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters');\n }\n parameters = new URLSearchParams(parameters.hash.slice(1));\n }\n if (!(parameters instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams');\n }\n parameters = new URLSearchParams(parameters);\n const id_token = getURLSearchParameter(parameters, 'id_token');\n parameters.delete('id_token');\n switch (expectedState) {\n case undefined:\n case expectNoState:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new TypeError('\"expectedState\" must be a non-empty string');\n }\n }\n const result = validateAuthResponse({\n ...as,\n authorization_response_iss_parameter_supported: false,\n }, client, parameters, expectedState);\n if (isOAuth2Error(result)) {\n return result;\n }\n if (!id_token) {\n throw new OPE('\"parameters\" does not contain an ID Token');\n }\n const code = getURLSearchParameter(parameters, 'code');\n if (!code) {\n throw new OPE('\"parameters\" does not contain an Authorization Code');\n }\n if (typeof as.jwks_uri !== 'string') {\n throw new TypeError('\"as.jwks_uri\" must be a string');\n }\n const requiredClaims = [\n 'aud',\n 'exp',\n 'iat',\n 'iss',\n 'sub',\n 'nonce',\n 'c_hash',\n ];\n if (typeof expectedState === 'string') {\n requiredClaims.push('s_hash');\n }\n const { claims, header, key } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))\n .then(validatePresence.bind(undefined, 
requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, client.client_id));\n const clockSkew = getClockSkew(client);\n const now = epochTime() + clockSkew;\n if (claims.iat < now - 3600) {\n throw new OPE('unexpected JWT \"iat\" (issued at) claim value, it is too far in the past');\n }\n if (typeof claims.c_hash !== 'string' ||\n (await idTokenHashMatches(code, claims.c_hash, header.alg, key)) !== true) {\n throw new OPE('invalid ID Token \"c_hash\" (code hash) claim value');\n }\n if (claims.s_hash !== undefined && typeof expectedState !== 'string') {\n throw new OPE('could not verify ID Token \"s_hash\" (state hash) claim value');\n }\n if (typeof expectedState === 'string' &&\n (typeof claims.s_hash !== 'string' ||\n (await idTokenHashMatches(expectedState, claims.s_hash, header.alg, key)) !== true)) {\n throw new OPE('invalid ID Token \"s_hash\" (state hash) claim value');\n }\n if (claims.auth_time !== undefined &&\n (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {\n throw new OPE('ID Token \"auth_time\" (authentication time) must be a positive number');\n }\n maxAge ?? (maxAge = client.default_max_age ?? 
skipAuthTimeCheck);\n if ((client.require_auth_time || maxAge !== skipAuthTimeCheck) &&\n claims.auth_time === undefined) {\n throw new OPE('ID Token \"auth_time\" (authentication time) claim missing');\n }\n if (maxAge !== skipAuthTimeCheck) {\n if (typeof maxAge !== 'number' || maxAge < 0) {\n throw new TypeError('\"maxAge\" must be a non-negative number');\n }\n const now = epochTime() + getClockSkew(client);\n const tolerance = getClockTolerance(client);\n if (claims.auth_time + maxAge < now - tolerance) {\n throw new OPE('too much time has elapsed since the last End-User authentication');\n }\n }\n if (!validateString(expectedNonce)) {\n throw new TypeError('\"expectedNonce\" must be a non-empty string');\n }\n if (claims.nonce !== expectedNonce) {\n throw new OPE('unexpected ID Token \"nonce\" claim value');\n }\n if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {\n throw new OPE('unexpected ID Token \"azp\" (authorized party) claim value');\n }\n return result;\n}\nfunction checkSigningAlgorithm(client, issuer, header) {\n if (client !== undefined) {\n if (header.alg !== client) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (Array.isArray(issuer)) {\n if (!issuer.includes(header.alg)) {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n return;\n }\n if (header.alg !== 'RS256') {\n throw new OPE('unexpected JWT \"alg\" header parameter');\n }\n}\nfunction getURLSearchParameter(parameters, name) {\n const { 0: value, length } = parameters.getAll(name);\n if (length > 1) {\n throw new OPE(`\"${name}\" parameter must be provided only once`);\n }\n return value;\n}\nexport const skipStateCheck = Symbol();\nexport const expectNoState = Symbol();\nexport function validateAuthResponse(as, client, parameters, expectedState) {\n assertAs(as);\n assertClient(client);\n if (parameters instanceof URL) {\n parameters = parameters.searchParams;\n }\n if (!(parameters 
instanceof URLSearchParams)) {\n throw new TypeError('\"parameters\" must be an instance of URLSearchParams, or URL');\n }\n if (getURLSearchParameter(parameters, 'response')) {\n throw new OPE('\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');\n }\n const iss = getURLSearchParameter(parameters, 'iss');\n const state = getURLSearchParameter(parameters, 'state');\n if (!iss && as.authorization_response_iss_parameter_supported) {\n throw new OPE('response parameter \"iss\" (issuer) missing');\n }\n if (iss && iss !== as.issuer) {\n throw new OPE('unexpected \"iss\" (issuer) response parameter value');\n }\n switch (expectedState) {\n case undefined:\n case expectNoState:\n if (state !== undefined) {\n throw new OPE('unexpected \"state\" response parameter encountered');\n }\n break;\n case skipStateCheck:\n break;\n default:\n if (!validateString(expectedState)) {\n throw new OPE('\"expectedState\" must be a non-empty string');\n }\n if (state === undefined) {\n throw new OPE('response parameter \"state\" missing');\n }\n if (state !== expectedState) {\n throw new OPE('unexpected \"state\" response parameter value');\n }\n }\n const error = getURLSearchParameter(parameters, 'error');\n if (error) {\n return {\n error,\n error_description: getURLSearchParameter(parameters, 'error_description'),\n error_uri: getURLSearchParameter(parameters, 'error_uri'),\n };\n }\n const id_token = getURLSearchParameter(parameters, 'id_token');\n const token = getURLSearchParameter(parameters, 'token');\n if (id_token !== undefined || token !== undefined) {\n throw new UnsupportedOperationError('implicit and hybrid flows are not supported');\n }\n return brand(new URLSearchParams(parameters));\n}\nfunction algToSubtle(alg, crv) {\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 
'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n case 'EdDSA': {\n switch (crv) {\n case 'Ed25519':\n case 'Ed448':\n return crv;\n default:\n throw new UnsupportedOperationError();\n }\n }\n default:\n throw new UnsupportedOperationError();\n }\n}\nasync function importJwk(alg, jwk) {\n const { ext, key_ops, use, ...key } = jwk;\n return crypto.subtle.importKey('jwk', key, algToSubtle(alg, jwk.crv), true, ['verify']);\n}\nexport async function deviceAuthorizationRequest(as, client, parameters, options) {\n assertAs(as);\n assertClient(client);\n const url = resolveEndpoint(as, 'device_authorization_endpoint', options);\n const body = new URLSearchParams(parameters);\n body.set('client_id', client.client_id);\n const headers = prepareHeaders(options?.headers);\n headers.set('accept', 'application/json');\n return authenticatedRequest(as, client, 'POST', url, body, headers, options);\n}\nexport async function processDeviceAuthorizationResponse(as, client, response) {\n assertAs(as);\n assertClient(client);\n if (!looseInstanceOf(response, Response)) {\n throw new TypeError('\"response\" must be an instance of Response');\n }\n if (response.status !== 200) {\n let err;\n if ((err = await handleOAuthBodyError(response))) {\n return err;\n }\n throw new OPE('\"response\" is not a conform Device Authorization Endpoint response');\n }\n assertReadableResponse(response);\n let json;\n try {\n json = await response.json();\n }\n catch (cause) {\n throw new OPE('failed to parse \"response\" body as JSON', { cause });\n }\n if (!isJsonObject(json)) {\n throw new OPE('\"response\" body must be a top level object');\n }\n if (!validateString(json.device_code)) {\n throw new OPE('\"response\" body \"device_code\" property must be a non-empty string');\n }\n if (!validateString(json.user_code)) {\n throw new 
OPE('\"response\" body \"user_code\" property must be a non-empty string');\n }\n if (!validateString(json.verification_uri)) {\n throw new OPE('\"response\" body \"verification_uri\" property must be a non-empty string');\n }\n if (typeof json.expires_in !== 'number' || json.expires_in <= 0) {\n throw new OPE('\"response\" body \"expires_in\" property must be a positive number');\n }\n if (json.verification_uri_complete !== undefined &&\n !validateString(json.verification_uri_complete)) {\n throw new OPE('\"response\" body \"verification_uri_complete\" property must be a non-empty string');\n }\n if (json.interval !== undefined && (typeof json.interval !== 'number' || json.interval <= 0)) {\n throw new OPE('\"response\" body \"interval\" property must be a positive number');\n }\n return json;\n}\nexport async function deviceCodeGrantRequest(as, client, deviceCode, options) {\n assertAs(as);\n assertClient(client);\n if (!validateString(deviceCode)) {\n throw new TypeError('\"deviceCode\" must be a non-empty string');\n }\n const parameters = new URLSearchParams(options?.additionalParameters);\n parameters.set('device_code', deviceCode);\n return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);\n}\nexport async function processDeviceCodeResponse(as, client, response) {\n return processGenericAccessTokenResponse(as, client, response);\n}\nexport async function generateKeyPair(alg, options) {\n if (!validateString(alg)) {\n throw new TypeError('\"alg\" must be a non-empty string');\n }\n const algorithm = algToSubtle(alg, alg === 'EdDSA' ? options?.crv ?? 'Ed25519' : undefined);\n if (alg.startsWith('PS') || alg.startsWith('RS')) {\n Object.assign(algorithm, {\n modulusLength: options?.modulusLength ?? 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n });\n }\n return (crypto.subtle.generateKey(algorithm, options?.extractable ?? 
false, ['sign', 'verify']));\n}\nfunction normalizeHtu(htu) {\n const url = new URL(htu);\n url.search = '';\n url.hash = '';\n return url.href;\n}\nasync function validateDPoP(as, request, accessToken, accessTokenClaims, options) {\n const header = request.headers.get('dpop');\n if (header === null) {\n throw new OPE('operation indicated DPoP use but the request has no DPoP HTTP Header');\n }\n if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {\n throw new OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`);\n }\n if (typeof accessTokenClaims.cnf?.jkt !== 'string') {\n throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');\n }\n const clockSkew = getClockSkew(options);\n const proof = await validateJwt(header, checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {\n if (!jwk) {\n throw new OPE('DPoP Proof is missing the jwk header parameter');\n }\n const key = await importJwk(alg, jwk);\n if (key.type !== 'public') {\n throw new OPE('DPoP Proof jwk header parameter must contain a public key');\n }\n return key;\n }, clockSkew, getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'dpop+jwt'))\n .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));\n const now = epochTime() + clockSkew;\n const diff = Math.abs(now - proof.claims.iat);\n if (diff > 300) {\n throw new OPE('DPoP Proof iat is not recent enough');\n }\n if (proof.claims.htm !== request.method) {\n throw new OPE('DPoP Proof htm mismatch');\n }\n if (typeof proof.claims.htu !== 'string' ||\n normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {\n throw new OPE('DPoP Proof htu mismatch');\n }\n {\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(accessToken)));\n if (proof.claims.ath !== expected) {\n throw new OPE('DPoP 
Proof ath mismatch');\n }\n }\n {\n let components;\n switch (proof.header.jwk.kty) {\n case 'EC':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n y: proof.header.jwk.y,\n };\n break;\n case 'OKP':\n components = {\n crv: proof.header.jwk.crv,\n kty: proof.header.jwk.kty,\n x: proof.header.jwk.x,\n };\n break;\n case 'RSA':\n components = {\n e: proof.header.jwk.e,\n kty: proof.header.jwk.kty,\n n: proof.header.jwk.n,\n };\n break;\n default:\n throw new UnsupportedOperationError();\n }\n const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(JSON.stringify(components))));\n if (accessTokenClaims.cnf.jkt !== expected) {\n throw new OPE('JWT Access Token confirmation mismatch');\n }\n }\n}\nexport async function validateJwtAccessToken(as, request, expectedAudience, options) {\n assertAs(as);\n if (!looseInstanceOf(request, Request)) {\n throw new TypeError('\"request\" must be an instance of Request');\n }\n if (!validateString(expectedAudience)) {\n throw new OPE('\"expectedAudience\" must be a non-empty string');\n }\n const authorization = request.headers.get('authorization');\n if (authorization === null) {\n throw new OPE('\"request\" is missing an Authorization HTTP Header');\n }\n let { 0: scheme, 1: accessToken, length } = authorization.split(' ');\n scheme = scheme.toLowerCase();\n switch (scheme) {\n case 'dpop':\n case 'bearer':\n break;\n default:\n throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme');\n }\n if (length !== 2) {\n throw new OPE('invalid Authorization HTTP Header format');\n }\n const requiredClaims = [\n 'iss',\n 'exp',\n 'aud',\n 'sub',\n 'iat',\n 'jti',\n 'client_id',\n ];\n if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {\n requiredClaims.push('cnf');\n }\n const { claims } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, undefined, SUPPORTED_JWS_ALGS), 
getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(options), getClockTolerance(options))\n .then(checkJwtType.bind(undefined, 'at+jwt'))\n .then(validatePresence.bind(undefined, requiredClaims))\n .then(validateIssuer.bind(undefined, as.issuer))\n .then(validateAudience.bind(undefined, expectedAudience));\n for (const claim of ['client_id', 'jti', 'sub']) {\n if (typeof claims[claim] !== 'string') {\n throw new OPE(`unexpected JWT \"${claim}\" claim type`);\n }\n }\n if ('cnf' in claims) {\n if (!isJsonObject(claims.cnf)) {\n throw new OPE('unexpected JWT \"cnf\" (confirmation) claim value');\n }\n const { 0: cnf, length } = Object.keys(claims.cnf);\n if (length) {\n if (length !== 1) {\n throw new UnsupportedOperationError('multiple confirmation claims are not supported');\n }\n if (cnf !== 'jkt') {\n throw new UnsupportedOperationError('unsupported JWT Confirmation method');\n }\n }\n }\n if (options?.requireDPoP ||\n scheme === 'dpop' ||\n claims.cnf?.jkt !== undefined ||\n request.headers.has('dpop')) {\n await validateDPoP(as, request, accessToken, claims, options);\n }\n return claims;\n}\nexport const experimentalCustomFetch = customFetch;\nexport const experimental_customFetch = customFetch;\nexport const experimentalUseMtlsAlias = useMtlsAlias;\nexport const experimental_useMtlsAlias = useMtlsAlias;\nexport const experimental_validateDetachedSignatureResponse = validateDetachedSignatureResponse;\nexport const experimental_validateJwtAccessToken = validateJwtAccessToken;\n","export class AuthorizationError extends Error {}\n\ninterface OAuthError {\n readonly error: string;\n readonly error_description?: string;\n readonly error_uri?: string;\n readonly algs?: string;\n readonly scope?: string;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n readonly [parameter: string]: any | undefined;\n}\n\nexport class OAuthAuthorizationError extends AuthorizationError {\n constructor(\n message: string,\n public error: 
OAuthError,\n options?: ErrorOptions,\n ) {\n super(message, options);\n }\n}\n","import { useEffect, useRef, useState } from \"react\";\nimport { useNavigate } from \"react-router-dom\";\nimport { OAuthAuthorizationError } from \"./errors.js\";\n\nexport function Callback({\n handleCallback,\n}: {\n handleCallback: () => Promise<string>;\n}) {\n const didInitialize = useRef(false);\n const [error, setError] = useState<Error | undefined>(undefined);\n const navigate = useNavigate();\n\n // This should not use react query, etc. It is important that it\n // only ever runs once. The didInitialize ref keeps it from double\n // initializing in dev mode with ReactStrict enabled.\n useEffect(() => {\n if (didInitialize.current) {\n return;\n }\n didInitialize.current = true;\n handleCallback()\n .then((redirect) => {\n // TODO: Handle return url, state, etc\n navigate(redirect);\n })\n .catch((err) => {\n setError(err);\n });\n }, []);\n\n if (error) {\n if (error instanceof OAuthAuthorizationError) {\n return (\n <div>\n <h2>Error</h2>\n <pre>\n {error.error.error}\n\n {error.error.error_description}\n\n {error.error.error_uri}\n </pre>\n </div>\n );\n }\n return (\n <div>\n <h2>Error</h2>\n <pre>\n {error.message}\n\n {error.stack}\n </pre>\n </div>\n );\n }\n\n return <div>Loading...</div>;\n}\n","import logger from \"loglevel\";\nimport * as oauth from \"oauth4webapi\";\nimport { OpenIDAuthenticationConfig } from \"../../../config/config.js\";\nimport {\n AuthenticationProvider,\n AuthenticationProviderInitializer,\n} from \"../authentication.js\";\nimport { AuthenticationPlugin } from \"../AuthenticationPlugin.js\";\nimport { Callback } from \"../Callback.js\";\nimport { AuthorizationError, OAuthAuthorizationError } from \"../errors.js\";\nimport { useAuthState, UserProfile } from \"../state.js\";\n\nconst CODE_VERIFIER_KEY = \"code-verifier\";\n\ninterface TokenState {\n accessToken: string;\n refreshToken?: string;\n expiresOn: Date;\n tokenType: 
string;\n}\n\nclass OpenIdAuthPlugin extends AuthenticationPlugin {\n constructor(\n private callbackUrlPath: string,\n private handleCallback: () => Promise<string>,\n public initialize?: () => Promise<void>,\n ) {\n super();\n }\n getRoutes() {\n return [\n ...super.getRoutes(),\n {\n path: this.callbackUrlPath,\n element: <Callback handleCallback={this.handleCallback} />,\n },\n ];\n }\n}\n\nexport class OpenIDAuthenticationProvider implements AuthenticationProvider {\n protected client: oauth.Client;\n protected issuer: string;\n protected authorizationEndpoint: string | undefined;\n protected tokenEndpoint: string | undefined;\n\n protected authorizationServer: oauth.AuthorizationServer | undefined;\n protected tokens: TokenState | undefined;\n\n protected callbackUrlPath = \"/oauth/callback\";\n protected logoutRedirectUrlPath = \"/\";\n private readonly redirectToAfterSignUp: string;\n private readonly redirectToAfterSignIn: string;\n private readonly redirectToAfterSignOut: string;\n private readonly audience?: string;\n\n constructor({\n issuer,\n audience,\n authorizationEndpoint,\n tokenEndpoint,\n clientId,\n redirectToAfterSignUp,\n redirectToAfterSignIn,\n redirectToAfterSignOut,\n }: OpenIDAuthenticationConfig) {\n this.client = {\n client_id: clientId,\n token_endpoint_auth_method: \"none\",\n };\n this.audience = audience;\n this.issuer = issuer;\n this.authorizationEndpoint = authorizationEndpoint;\n this.tokenEndpoint = tokenEndpoint;\n this.redirectToAfterSignUp = redirectToAfterSignUp ?? \"/\";\n this.redirectToAfterSignIn = redirectToAfterSignIn ?? \"/\";\n this.redirectToAfterSignOut = redirectToAfterSignOut ?? 
\"/\";\n }\n\n protected async getAuthServer() {\n if (!this.authorizationServer) {\n if (this.tokenEndpoint && this.authorizationEndpoint) {\n this.authorizationServer = {\n issuer: new URL(this.authorizationEndpoint!).origin,\n authorization_endpoint: this.authorizationEndpoint,\n token_endpoint: this.tokenEndpoint,\n code_challenge_methods_supported: [],\n };\n } else {\n const issuerUrl = new URL(this.issuer);\n const response = await oauth.discoveryRequest(issuerUrl);\n this.authorizationServer = await oauth.processDiscoveryResponse(\n issuerUrl,\n response,\n );\n }\n }\n return this.authorizationServer;\n }\n\n /**\n * Sets the tokens from various OAuth responses\n * @param response\n */\n protected setTokensFromResponse(\n response: oauth.TokenEndpointResponse | oauth.OAuth2Error,\n ) {\n if (oauth.isOAuth2Error(response)) {\n logger.error(\"Bad Token Response\", response);\n throw new OAuthAuthorizationError(\"Bad Token Response\", response);\n }\n\n if (!response.expires_in) {\n throw new AuthorizationError(\"No expires_in in response\");\n }\n\n this.tokens = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n expiresOn: new Date(Date.now() + response.expires_in * 1000),\n tokenType: response.token_type,\n };\n localStorage.setItem(\"openid-token\", JSON.stringify(this.tokens));\n }\n\n async signUp() {\n return this.authorize(true);\n }\n\n async signIn() {\n return this.authorize();\n }\n\n private async authorize(signUp = false): Promise<void> {\n const code_challenge_method = \"S256\";\n const authorizationServer = await this.getAuthServer();\n if (signUp) {\n localStorage.setItem(\"sign-up\", \"true\");\n } else {\n localStorage.removeItem(\"sign-up\");\n }\n\n if (!authorizationServer.authorization_endpoint) {\n throw new AuthorizationError(\"No authorization endpoint\");\n }\n\n /**\n * The following MUST be generated for every redirect to the authorization_endpoint. 
You must store\n * the codeVerifier and nonce in the end-user session such that it can be recovered as the user\n * gets redirected from the authorization server back to your application.\n */\n const codeVerifier = oauth.generateRandomCodeVerifier();\n const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);\n\n localStorage.setItem(CODE_VERIFIER_KEY, codeVerifier);\n\n // redirect user to as.authorization_endpoint\n const authorizationUrl = new URL(\n signUp\n ? authorizationServer.registration_endpoint ??\n authorizationServer.authorization_endpoint\n : authorizationServer.authorization_endpoint,\n );\n\n const redirectUrl = new URL(\n (signUp\n ? window.location.origin + this.redirectToAfterSignUp\n : window.location.origin + this.redirectToAfterSignIn) ??\n window.location.href,\n );\n redirectUrl.pathname = this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n authorizationUrl.searchParams.set(\"client_id\", this.client.client_id);\n authorizationUrl.searchParams.set(\"redirect_uri\", redirectUrl.toString());\n authorizationUrl.searchParams.set(\"response_type\", \"code\");\n authorizationUrl.searchParams.set(\"scope\", \"openid+profile+email\");\n authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n authorizationUrl.searchParams.set(\n \"code_challenge_method\",\n code_challenge_method,\n );\n if (this.audience) {\n authorizationUrl.searchParams.set(\"audience\", this.audience);\n }\n\n /**\n * We cannot be sure the AS supports PKCE so we're going to use state too. 
Use of PKCE is\n * backwards compatible even if the AS doesn't support it which is why we're using it regardless.\n */\n if (\n authorizationServer.code_challenge_methods_supported?.includes(\"S256\") !==\n true\n ) {\n const state = oauth.generateRandomState();\n authorizationUrl.searchParams.set(\"state\", state);\n }\n\n // now redirect the user to authorizationUrl.href\n location.href = authorizationUrl.href;\n }\n\n async getAccessToken(): Promise<string> {\n const as = await this.getAuthServer();\n if (!this.tokens) {\n throw new AuthorizationError(\"User is not authenticated\");\n }\n if (this.tokens.expiresOn < new Date()) {\n if (!this.tokens.refreshToken) {\n // TODO: Log user bac in\n throw new AuthorizationError(\n \"Token expired and no refresh token available\",\n );\n }\n\n const request = await oauth.refreshTokenGrantRequest(\n as,\n this.client,\n this.tokens.refreshToken,\n );\n const response = await oauth.processRefreshTokenResponse(\n as,\n this.client,\n request,\n );\n\n this.setTokensFromResponse(response);\n }\n\n return this.tokens.accessToken;\n }\n\n async signOut(): Promise<void> {\n useAuthState.setState({\n isAuthenticated: false,\n isPending: false,\n profile: undefined,\n });\n\n const as = await this.getAuthServer();\n\n const redirectUrl = new URL(\n window.location.origin + this.redirectToAfterSignOut,\n );\n redirectUrl.pathname = this.logoutRedirectUrlPath;\n\n let logoutUrl: URL;\n // The endSessionEndpoint is set, the IdP supports some form of logout,\n // so we use the IdP logout. 
Otherwise, just redirect the user to home\n if (as.end_session_endpoint) {\n logoutUrl = new URL(as.end_session_endpoint);\n // TODO: get id_token and set hint\n // const { id_token } = session;\n // if (id_token) {\n // logoutUrl.searchParams.set(\"id_token_hint\", id_token);\n // }\n logoutUrl.searchParams.set(\n \"post_logout_redirect_uri\",\n redirectUrl.toString(),\n );\n } else {\n logoutUrl = redirectUrl;\n }\n }\n\n handleCallback = async (): Promise<string> => {\n const url = new URL(window.location.href);\n const state = url.searchParams.get(\"state\");\n\n // one eternity later, the user lands back on the redirect_uri\n // Authorization Code Grant Request & Response\n const codeVerifier = localStorage.getItem(CODE_VERIFIER_KEY);\n // localStorage.removeItem(CODE_VERIFIER_KEY);\n\n if (!codeVerifier) {\n throw new AuthorizationError(\n \"Code verifier not found. Invalid auth state.\",\n );\n }\n\n const authServer = await this.getAuthServer();\n\n const params = oauth.validateAuthResponse(\n authServer,\n this.client,\n url.searchParams,\n state ?? undefined,\n );\n if (oauth.isOAuth2Error(params)) {\n logger.error(\"Error validating OAuth response\", params);\n throw new OAuthAuthorizationError(\n \"Error validating OAuth response\",\n params,\n );\n }\n\n const redirectUrl = new URL(url);\n redirectUrl.pathname = this.redirectToAfterSignIn ?? 
this.callbackUrlPath;\n redirectUrl.search = \"\";\n\n const response = await oauth.authorizationCodeGrantRequest(\n authServer,\n this.client,\n params,\n redirectUrl.toString(),\n codeVerifier,\n );\n\n // TODO: do we need to do these\n // const challenges = oauth.parseWwwAuthenticateChallenges(response);\n // if (challenges) {\n // for (const challenge of challenges) {\n // console.error(\"WWW-Authenticate Challenge\", challenge);\n // }\n // throw new Error(); // Handle WWW-Authenticate Challenges as needed\n // }\n const oauthResult = await oauth.processAuthorizationCodeOAuth2Response(\n authServer,\n this.client,\n response,\n );\n\n this.setTokensFromResponse(oauthResult);\n\n const accessToken = await this.getAccessToken();\n\n const userInfoResponse = await oauth.userInfoRequest(\n authServer,\n this.client,\n accessToken,\n );\n const userInfo = await userInfoResponse.json();\n\n const profile: UserProfile = {\n sub: userInfo.sub,\n email: userInfo.email,\n name: userInfo.name,\n emailVerified: userInfo.email_verified ?? 
false,\n pictureUrl: userInfo.picture,\n };\n\n useAuthState.setState({\n isAuthenticated: true,\n isPending: false,\n profile,\n });\n\n if (localStorage.getItem(\"sign-up\")) {\n return this.redirectToAfterSignUp;\n } else {\n return this.redirectToAfterSignIn;\n }\n\n // // Remove the query strings so react query doesn't keep retrying\n // // to make the token request\n // history.replaceState({}, \"\", window.location.pathname);\n\n // Returning true because we are using react query\n // return true;\n };\n\n getAuthenticationPlugin() {\n return new OpenIdAuthPlugin(this.callbackUrlPath, () =>\n this.handleCallback(),\n );\n }\n}\n\nconst openIDAuth: AuthenticationProviderInitializer<\n OpenIDAuthenticationConfig\n> = (options) => new OpenIDAuthenticationProvider(options);\n\nexport default openIDAuth;\n"],"names":["root","definition","module","this","noop","undefinedType","isIE","logMethods","_loggersByName","defaultLogger","bindMethod","obj","methodName","method","traceForIE","realMethod","replaceLoggingMethods","level","i","enableLoggingWhenConsoleArrives","defaultMethodFactory","_level","_loggerName","Logger","name","factory","self","inheritedLevel","defaultLevel","userLevel","storageKey","persistLevelIfPossible","levelNum","levelName","getPersistedLevel","storedLevel","cookie","cookieName","location","clearPersistedLevel","normalizeLevel","input","persist","childName","initialLevel","logger","_log","USER_AGENT","_b","_a","looseInstanceOf","expected","clockSkew","clockTolerance","customFetch","encoder","decoder","buf","CHUNK_SIZE","encodeBase64Url","arr","decodeBase64Url","binary","bytes","cause","OPE","b64u","LRU","maxSize","key","v","value","UnsupportedOperationError","message","OperationProcessingError","options","dpopNonces","isCryptoKey","isPrivateKey","isPublicKey","processDpopNonce","response","nonce","isJsonObject","prepareHeaders","headers","signal","discoveryRequest","issuerIdentifier","url","validateString","processDiscoveryResponse","expectedIssu
erIdentifier","assertReadableResponse","json","randomBytes","generateRandomCodeVerifier","generateRandomState","calculatePKCECodeChallenge","codeVerifier","getKeyAndKid","formUrlEncode","token","clientSecretBasic","clientId","clientSecret","username","password","psAlg","rsAlg","esAlg","keyToJws","getClockSkew","client","skew","getClockTolerance","tolerance","epochTime","clientAssertion","as","now","privateKeyJwt","kid","jwt","assertAs","assertClient","assertClientSecret","assertNoClientPrivateKey","clientAuthMethod","clientPrivateKey","assertNoClientSecret","clientAuthentication","body","header","claimsSet","signature","keyToSubtle","dpopProofJwt","htm","accessToken","privateKey","publicKey","proof","publicJwk","jwkCache","getSetPublicJwkCache","kty","e","n","x","y","crv","jwk","validateEndpoint","endpoint","resolveEndpoint","isOAuth2Error","protectedResourceRequest","userInfoRequest","authenticatedRequest","tokenEndpointRequest","grantType","parameters","refreshTokenGrantRequest","refreshToken","idTokenClaims","processGenericAccessTokenResponse","ignoreIdToken","ignoreRefreshToken","err","handleOAuthBodyError","claims","validateJwt","checkSigningAlgorithm","noSignatureCheck","validatePresence","validateIssuer","validateAudience","processRefreshTokenResponse","result","branded","brand","searchParams","authorizationCodeGrantRequest","callbackParameters","redirectUri","code","getURLSearchParameter","jwtClaimNames","required","claim","processAuthorizationCodeOAuth2Response","checkRsaKeyAlgorithm","algorithm","ecdsaHashName","namedCurve","jws","checkAlg","getKey","protectedHeader","payload","encodedSignature","length","issuer","skipStateCheck","expectNoState","validateAuthResponse","expectedState","iss","state","error","id_token","AuthorizationError","OAuthAuthorizationError","Callback","handleCallback","didInitialize","useRef","setError","useState","navigate","useNavigate","useEffect","redirect","jsx","CODE_VERIFIER_KEY","OpenIdAuthPlugin","AuthenticationPlugin","callb
ackUrlPath","initialize","OpenIDAuthenticationProvider","audience","authorizationEndpoint","tokenEndpoint","redirectToAfterSignUp","redirectToAfterSignIn","redirectToAfterSignOut","__publicField","authServer","params","oauth.validateAuthResponse","oauth.isOAuth2Error","redirectUrl","oauth.authorizationCodeGrantRequest","oauthResult","oauth.processAuthorizationCodeOAuth2Response","userInfo","oauth.userInfoRequest","profile","useAuthState","issuerUrl","oauth.discoveryRequest","oauth.processDiscoveryResponse","signUp","code_challenge_method","authorizationServer","oauth.generateRandomCodeVerifier","codeChallenge","oauth.calculatePKCECodeChallenge","authorizationUrl","oauth.generateRandomState","request","oauth.refreshTokenGrantRequest","oauth.processRefreshTokenResponse","logoutUrl","openIDAuth"],"mappings":";;;;;;;;;;AAMA,GAAC,SAAUA,GAAMC,GAAY;AAIlB,IAAkCC,EAAO,UAC5CA,EAAA,UAAiBD,MAEjBD,EAAK,MAAMC;EAElB,GAACE,IAAM,WAAY;AAIhB,QAAIC,IAAO,WAAW;AAAA,OAClBC,IAAgB,aAChBC,IAAQ,OAAO,WAAWD,KAAmB,OAAO,OAAO,cAAcA,KACzE,kBAAkB,KAAK,OAAO,UAAU,SAAS,GAGjDE,IAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACR,GAEQC,IAAiB,CAAA,GACjBC,IAAgB;AAGpB,aAASC,EAAWC,GAAKC,GAAY;AACjC,UAAIC,IAASF,EAAIC,CAAU;AAC3B,UAAI,OAAOC,EAAO,QAAS;AACvB,eAAOA,EAAO,KAAKF,CAAG;AAEtB,UAAI;AACA,eAAO,SAAS,UAAU,KAAK,KAAKE,GAAQF,CAAG;AAAA,MAClD,QAAW;AAER,eAAO,WAAW;AACd,iBAAO,SAAS,UAAU,MAAM,MAAME,GAAQ,CAACF,GAAK,SAAS,CAAC;AAAA,QAClF;AAAA,MACa;AAAA,IAER;AAGD,aAASG,IAAa;AAClB,MAAI,QAAQ,QACJ,QAAQ,IAAI,QACZ,QAAQ,IAAI,MAAM,SAAS,SAAS,IAGpC,SAAS,UAAU,MAAM,MAAM,QAAQ,KAAK,CAAC,SAAS,SAAS,CAAC,IAGpE,QAAQ,SAAO,QAAQ,MAAK;AAAA,IACnC;AAID,aAASC,EAAWH,GAAY;AAK5B,aAJIA,MAAe,YACfA,IAAa,QAGb,OAAO,YAAYP,IACZ,KACAO,MAAe,WAAWN,IAC1BQ,IACA,QAAQF,CAAU,MAAM,SACxBF,EAAW,SAASE,CAAU,IAC9B,QAAQ,QAAQ,SAChBF,EAAW,SAAS,KAAK,IAEzBN;AAAA,IAEd;AAID,aAASY,IAAwB;AAK7B,eAHIC,IAAQ,KAAK,YAGRC,IAAI,GAAGA,IAAIX,EAAW,QAAQW,KAAK;AACxC,YAAIN,IAAaL,EAAWW,CAAC;AAC7B,aAAKN,CAAU,IAAKM,IAAID,IACpBb,IACA,KAAK,cAAcQ,GAAYK,GAAO,KAAK,IAAI;AAAA,MACtD;AAMD,UAH
A,KAAK,MAAM,KAAK,OAGZ,OAAO,YAAYZ,KAAiBY,IAAQ,KAAK,OAAO;AACxD,eAAO;AAAA,IAEd;AAID,aAASE,EAAgCP,GAAY;AACjD,aAAO,WAAY;AACf,QAAI,OAAO,YAAYP,MACnBW,EAAsB,KAAK,IAAI,GAC/B,KAAKJ,CAAU,EAAE,MAAM,MAAM,SAAS;AAAA,MAEtD;AAAA,IACK;AAID,aAASQ,EAAqBR,GAAYS,GAAQC,GAAa;AAE3D,aAAOP,EAAWH,CAAU,KACrBO,EAAgC,MAAM,MAAM,SAAS;AAAA,IAC/D;AAED,aAASI,EAAOC,GAAMC,GAAS;AAE7B,UAAIC,IAAO,MASPC,GAMAC,GAMAC,GAEAC,IAAa;AACjB,MAAI,OAAON,KAAS,WAClBM,KAAc,MAAMN,IACX,OAAOA,KAAS,aACzBM,IAAa;AAGf,eAASC,GAAuBC,GAAU;AACtC,YAAIC,KAAa1B,EAAWyB,CAAQ,KAAK,UAAU;AAEnD,YAAI,SAAO,WAAW3B,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAaA,CAAU,IAAIG;AAClC;AAAA,UACd,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBH,CAAU,IAAI,MAAMG,IAAY;AAAA,UACnE,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASC,KAAoB;AACzB,YAAIC;AAEJ,YAAI,SAAO,WAAW9B,KAAiB,CAACyB,IAExC;AAAA,cAAI;AACA,YAAAK,IAAc,OAAO,aAAaL,CAAU;AAAA,UAC1D,QAA2B;AAAA,UAAE;AAGnB,cAAI,OAAOK,MAAgB9B;AACvB,gBAAI;AACA,kBAAI+B,IAAS,OAAO,SAAS,QACzBC,IAAa,mBAAmBP,CAAU,GAC1CQ,KAAWF,EAAO,QAAQC,IAAa,GAAG;AAC9C,cAAIC,OAAa,OACbH,IAAc,WAAW;AAAA,gBACrBC,EAAO,MAAME,KAAWD,EAAW,SAAS,CAAC;AAAA,cAChD,EAAC,CAAC;AAAA,YAEzB,QAA+B;AAAA,YAAE;AAIvB,iBAAIX,EAAK,OAAOS,CAAW,MAAM,WAC7BA,IAAc,SAGXA;AAAA;AAAA,MACV;AAED,eAASI,KAAsB;AAC3B,YAAI,SAAO,WAAWlC,KAAiB,CAACyB,IAGxC;AAAA,cAAI;AACA,mBAAO,aAAa,WAAWA,CAAU;AAAA,UACvD,QAA2B;AAAA,UAAE;AAGnB,cAAI;AACA,mBAAO,SAAS,SACd,mBAAmBA,CAAU,IAAI;AAAA,UACjD,QAA2B;AAAA,UAAE;AAAA;AAAA,MACtB;AAED,eAASU,EAAeC,GAAO;AAC3B,YAAIxB,IAAQwB;AAIZ,YAHI,OAAOxB,KAAU,YAAYS,EAAK,OAAOT,EAAM,aAAa,MAAM,WAClEA,IAAQS,EAAK,OAAOT,EAAM,YAAa,CAAA,IAEvC,OAAOA,KAAU,YAAYA,KAAS,KAAKA,KAASS,EAAK,OAAO;AAChE,iBAAOT;AAEP,cAAM,IAAI,UAAU,+CAA+CwB,CAAK;AAAA,MAE/E;AAQD,MAAAf,EAAK,OAAOF,GAEZE,EAAK,SAAS;AAAA,QAAE,OAAS;AAAA,QAAG,OAAS;AAAA,QAAG,MAAQ;AAAA,QAAG,MAAQ;AAAA,QACvD,OAAS;AAAA,QAAG,QAAU;AAAA,MAAC,GAE3BA,EAAK,gBAAgBD,KAAWL,GAEhCM,EAAK,WAAW,WAAY;AACxB,eAAIG,KAEOD,KAGFD;AAAA,MAEnB,GAEMD,EAAK,WAAW,SAAUT,GAAOyB,GAAS;AACtC,eAAAb,IAAYW,EAAevB,CAAK,GAC5ByB,MAAY,MACZX,GAAuBF,CAAS,GAI7Bb,EAAsB,KAAKU,CAAI;AAAA,MAC
hD,GAEMA,EAAK,kBAAkB,SAAUT,GAAO;AACpC,QAAAW,IAAeY,EAAevB,CAAK,GAC9BiB,GAAiB,KAClBR,EAAK,SAAST,GAAO,EAAK;AAAA,MAExC,GAEMS,EAAK,aAAa,WAAY;AAC1B,QAAAG,IAAY,MACZU,MACAvB,EAAsB,KAAKU,CAAI;AAAA,MACzC,GAEMA,EAAK,YAAY,SAASgB,GAAS;AAC/B,QAAAhB,EAAK,SAASA,EAAK,OAAO,OAAOgB,CAAO;AAAA,MAClD,GAEMhB,EAAK,aAAa,SAASgB,GAAS;AAChC,QAAAhB,EAAK,SAASA,EAAK,OAAO,QAAQgB,CAAO;AAAA,MACnD,GAEMhB,EAAK,UAAU,WAAY;AAMvB,YALIjB,MAAkBiB,MAClBC,IAAiBa,EAAe/B,EAAc,SAAU,CAAA,IAE5DO,EAAsB,KAAKU,CAAI,GAE3BjB,MAAkBiB;AAClB,mBAASiB,KAAanC;AACpB,YAAAA,EAAemC,CAAS,EAAE;MAG1C,GAGMhB,IAAiBa;AAAA,QACb/B,IAAgBA,EAAc,SAAQ,IAAK;AAAA,MACrD;AACM,UAAImC,KAAeV;AACnB,MAAIU,MAAgB,SAChBf,IAAYW,EAAeI,EAAY,IAE3C5B,EAAsB,KAAKU,CAAI;AAAA,IAChC;AAQD,IAAAjB,IAAgB,IAAIc,KAEpBd,EAAc,YAAY,SAAmBe,GAAM;AAC/C,UAAK,OAAOA,KAAS,YAAY,OAAOA,KAAS,YAAaA,MAAS;AACnE,cAAM,IAAI,UAAU,gDAAgD;AAGxE,UAAIqB,IAASrC,EAAegB,CAAI;AAChC,aAAKqB,MACDA,IAASrC,EAAegB,CAAI,IAAI,IAAID;AAAA,QAChCC;AAAA,QACAf,EAAc;AAAA,MAC9B,IAEeoC;AAAA,IACf;AAGI,QAAIC,IAAQ,OAAO,WAAWzC,IAAiB,OAAO,MAAM;AAC5D,WAAAI,EAAc,aAAa,WAAW;AAClC,aAAI,OAAO,WAAWJ,KACf,OAAO,QAAQI,MAClB,OAAO,MAAMqC,IAGVrC;AAAA,IACf,GAEIA,EAAc,aAAa,WAAsB;AAC7C,aAAOD;AAAA,IACf,GAGIC,EAAc,UAAaA,GAEpBA;AAAA,EACX,CAAC;;;;ACpWD,IAAIsC;;CACA,OAAO,YAAc,OAAe,GAACC,MAAAC,IAAA,UAAU,cAAV,gBAAAA,EAAqB,eAArB,QAAAD,GAAA,KAAAC,GAAkC,sBAGvEF,IAAa;AAEjB,SAASG,EAAgBT,GAAOU,GAAU;AACtC,MAAIV,KAAS;AACT,WAAO;AAEX,MAAI;AACA,WAAQA,aAAiBU,KACrB,OAAO,eAAeV,CAAK,EAAE,OAAO,WAAW,MAAMU,EAAS,UAAU,OAAO,WAAW;AAAA,EACjG,QACK;AACF,WAAO;AAAA,EACV;AACL;AACO,MAAMC,IAAY,OAAM,GAClBC,KAAiB,OAAM,GACvBC,IAAc,OAAM,GAG3BC,KAAU,IAAI,eACdC,KAAU,IAAI;AACpB,SAASC,EAAIhB,GAAO;AAChB,SAAI,OAAOA,KAAU,WACVc,GAAQ,OAAOd,CAAK,IAExBe,GAAQ,OAAOf,CAAK;AAC/B;AACA,MAAMiB,KAAa;AACnB,SAASC,GAAgBlB,GAAO;AAC5B,EAAIA,aAAiB,gBACjBA,IAAQ,IAAI,WAAWA,CAAK;AAEhC,QAAMmB,IAAM,CAAA;AACZ,WAAS1C,IAAI,GAAGA,IAAIuB,EAAM,YAAYvB,KAAKwC;AACvC,IAAAE,EAAI,KAAK,OAAO,aAAa,MAAM,MAAMnB,EAAM,SAASvB,GAAGA,IAAIwC,EAAU,CAAC,CAAC;AAE/E,SAAO,KAAKE,EAAI,KAAK,EAAE,CAAC,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,
GAAG,EAAE,QAAQ,OAAO,GAAG;AACtF;AACA,SAASC,GAAgBpB,GAAO;AAC5B,MAAI;AACA,UAAMqB,IAAS,KAAKrB,EAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,EAAE,CAAC,GAC5EsB,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,aAAS5C,IAAI,GAAGA,IAAI4C,EAAO,QAAQ5C;AAC/B,MAAA6C,EAAM7C,CAAC,IAAI4C,EAAO,WAAW5C,CAAC;AAElC,WAAO6C;AAAA,EACV,SACMC,GAAO;AACV,UAAM,IAAIC,EAAI,qDAAqD,EAAE,OAAAD,EAAO,CAAA;AAAA,EAC/E;AACL;AACA,SAASE,EAAKzB,GAAO;AACjB,SAAI,OAAOA,KAAU,WACVoB,GAAgBpB,CAAK,IAEzBkB,GAAgBlB,CAAK;AAChC;AACA,MAAM0B,GAAI;AAAA,EACN,YAAYC,GAAS;AACjB,SAAK,QAAQ,oBAAI,OACjB,KAAK,SAAS,oBAAI,OAClB,KAAK,UAAUA;AAAA,EAClB;AAAA,EACD,IAAIC,GAAK;AACL,QAAIC,IAAI,KAAK,MAAM,IAAID,CAAG;AAC1B,QAAIC;AACA,aAAOA;AAEX,QAAKA,IAAI,KAAK,OAAO,IAAID,CAAG;AACxB,kBAAK,OAAOA,GAAKC,CAAC,GACXA;AAAA,EAGd;AAAA,EACD,IAAID,GAAK;AACL,WAAO,KAAK,MAAM,IAAIA,CAAG,KAAK,KAAK,OAAO,IAAIA,CAAG;AAAA,EACpD;AAAA,EACD,IAAIA,GAAKE,GAAO;AACZ,WAAI,KAAK,MAAM,IAAIF,CAAG,IAClB,KAAK,MAAM,IAAIA,GAAKE,CAAK,IAGzB,KAAK,OAAOF,GAAKE,CAAK,GAEnB;AAAA,EACV;AAAA,EACD,OAAOF,GAAK;AACR,WAAI,KAAK,MAAM,IAAIA,CAAG,IACX,KAAK,MAAM,OAAOA,CAAG,IAE5B,KAAK,OAAO,IAAIA,CAAG,IACZ,KAAK,OAAO,OAAOA,CAAG,IAE1B;AAAA,EACV;AAAA,EACD,OAAOA,GAAKE,GAAO;AACf,SAAK,MAAM,IAAIF,GAAKE,CAAK,GACrB,KAAK,MAAM,QAAQ,KAAK,YACxB,KAAK,SAAS,KAAK,OACnB,KAAK,QAAQ,oBAAI;EAExB;AACL;AACO,MAAMC,UAAkC,MAAM;AAAA,EACjD,YAAYC,GAAS;;AACjB,UAAMA,KAAW,yBAAyB,GAC1C,KAAK,OAAO,KAAK,YAAY,OAC7BxB,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACO,MAAMyB,WAAiC,MAAM;AAAA,EAChD,YAAYD,GAASE,GAAS;;AAC1B,UAAMF,GAASE,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,OAC7B1B,IAAA,MAAM,sBAAN,QAAAA,EAAA,YAA0B,MAAM,KAAK;AAAA,EACxC;AACL;AACA,MAAMgB,IAAMS,IACNE,KAAa,IAAIT,GAAI,GAAG;AAC9B,SAASU,GAAYR,GAAK;AACtB,SAAOA,aAAe;AAC1B;AACA,SAASS,GAAaT,GAAK;AACvB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AACA,SAASU,GAAYV,GAAK;AACtB,SAAOQ,GAAYR,CAAG,KAAKA,EAAI,SAAS;AAC5C;AAaA,SAASW,EAAiBC,GAAU;AAChC,MAAI;AACA,UAAMC,IAAQD,EAAS,QAAQ,IAAI,YAAY;AAC/C,IAAIC,KACAN,GAAW,IAAI,IAAI,IAAIK,EAAS,GAAG,EAAE,QAAQC,CAAK;AAAA,EAEzD,QACK;AAAA,EAAG;AACT,SAAOD;AACX;AAIA,SAASE,E
AAa1C,GAAO;AACzB,SAAI,EAAAA,MAAU,QAAQ,OAAOA,KAAU,YAAY,MAAM,QAAQA,CAAK;AAI1E;AACA,SAAS2C,EAAe3C,GAAO;AAC3B,EAAIS,EAAgBT,GAAO,OAAO,MAC9BA,IAAQ,OAAO,YAAYA,EAAM,QAAS,CAAA;AAE9C,QAAM4C,IAAU,IAAI,QAAQ5C,CAAK;AAIjC,MAHIM,KAAc,CAACsC,EAAQ,IAAI,YAAY,KACvCA,EAAQ,IAAI,cAActC,CAAU,GAEpCsC,EAAQ,IAAI,eAAe;AAC3B,UAAM,IAAI,UAAU,oEAAoE;AAE5F,MAAIA,EAAQ,IAAI,MAAM;AAClB,UAAM,IAAI,UAAU,2DAA2D;AAEnF,SAAOA;AACX;AACA,SAASC,EAAOf,GAAO;AAInB,MAHI,OAAOA,KAAU,eACjBA,IAAQA,EAAK,IAEb,EAAEA,aAAiB;AACnB,UAAM,IAAI,UAAU,+DAA+D;AAEvF,SAAOA;AACX;AACO,eAAegB,GAAiBC,GAAkBb,GAAS;AAC9D,MAAI,EAAEa,aAA4B;AAC9B,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAIA,EAAiB,aAAa,YAAYA,EAAiB,aAAa;AACxE,UAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAMC,IAAM,IAAI,IAAID,EAAiB,IAAI;AACzC,UAAQb,KAAA,gBAAAA,EAAS,WAAS;AAAA,IACtB,KAAK;AAAA,IACL,KAAK;AACD,MAAAc,EAAI,WAAW,GAAGA,EAAI,QAAQ,oCAAoC,QAAQ,MAAM,GAAG;AACnF;AAAA,IACJ,KAAK;AACD,MAAIA,EAAI,aAAa,MACjBA,EAAI,WAAW,2CAGfA,EAAI,WAAW,0CAA0CA,EAAI,QAAQ,GAAG,QAAQ,MAAM,GAAG;AAE7F;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,2DAA2D;AAAA,EACtF;AACD,QAAMJ,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,KAChCV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,SAAS,OAAO,YAAYJ,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,QAAQV,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACA,SAASU,EAAejD,GAAO;AAC3B,SAAO,OAAOA,KAAU,YAAYA,EAAM,WAAW;AACzD;AACO,eAAekD,GAAyBC,GAA0BX,GAAU;AAC/E,MAAI,EAAEW,aAAoC;AACtC,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI,CAAC1C,EAAgB+B,GAAU,QAAQ;AACnC,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW;AACpB,UAAM,IAAIhB,EAAI,oEAAoE;AAEtF,EAAA4B,EAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,MAAM;AAC3B,UAAM,IAAI7B,EAAI,8DAA8D;AAEhF,MAAI,IAAI,IAAI6B,EAAK,MAAM,EAAE,SAASF,EAAyB;AACvD,UAAM,IAAI3B,EAAI,0DAA0D;AAE5E,SAAO6B;AACX;AACA,SAASC,IAAc;AACnB,SAAO7B,EAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,
CAAC;AAC1D;AACO,SAAS8B,KAA6B;AACzC,SAAOD,EAAW;AACtB;AACO,SAASE,KAAsB;AAClC,SAAOF,EAAW;AACtB;AAIO,eAAeG,GAA2BC,GAAc;AAC3D,MAAI,CAACT,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,SAAOjC,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAI0C,CAAY,CAAC,CAAC;AACxE;AACA,SAASC,GAAa3D,GAAO;AACzB,MAAIA,aAAiB;AACjB,WAAO,EAAE,KAAKA;AAElB,MAAI,GAAEA,KAAA,gBAAAA,EAAO,gBAAe;AACxB,WAAO;AAEX,MAAIA,EAAM,QAAQ,UAAa,CAACiD,EAAejD,EAAM,GAAG;AACpD,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAO,EAAE,KAAKA,EAAM,KAAK,KAAKA,EAAM;AACxC;AACA,SAAS4D,GAAcC,GAAO;AAC1B,SAAO,mBAAmBA,CAAK,EAAE,QAAQ,QAAQ,GAAG;AACxD;AACA,SAASC,GAAkBC,GAAUC,GAAc;AAC/C,QAAMC,IAAWL,GAAcG,CAAQ,GACjCG,IAAWN,GAAcI,CAAY;AAE3C,SAAO,SADa,KAAK,GAAGC,CAAQ,IAAIC,CAAQ,EAAE,CACvB;AAC/B;AACA,SAASC,GAAMvC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASqC,GAAMxC,GAAK;AAChB,UAAQA,EAAI,UAAU,KAAK,MAAI;AAAA,IAC3B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,6CAA6C;AAAA,EACxF;AACL;AACA,SAASsC,GAAMzC,GAAK;AAChB,UAAQA,EAAI,UAAU,YAAU;AAAA,IAC5B,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,uCAAuC;AAAA,EAClF;AACL;AACA,SAASuC,GAAS1C,GAAK;AACnB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAOuC,GAAMvC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOwC,GAAMxC,CAAG;AAAA,IACpB,KAAK;AACD,aAAOyC,GAAMzC,CAAG;AAAA,IACpB,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIG,EAA0B,sCAAsC;AAAA,EACjF;AACL;AACA,SAASwC,EAAaC,GAAQ;AAC1B,QAAMC,IAAOD,KAAA,gBAAAA,EAAS7D;AACtB,SAAO,OAAO8D,KAAS,YAAY,OAAO,SAASA,CAAI,IAAIA,IAAO;AACtE;AACA,SAASC,GAAkBF,GAAQ;AAC/B,QAAMG,IAAYH,KAAA,gBAAAA,EAAS5D;AAC3B,SAAO,OAAO+D,KAAc,YAAY,OAAO,SAASA,CAAS,KAAK,KAAK,KAAKA,CAAS,MAAM,KACzFA,IACA;AACV;AACA,SAASC,IAAY;AACjB,SAAO,KAAK,MAAM,KAAK,IAAK,IAAG,GAAI;AACvC;AACA,SAASC,GAAgBC,GAAIN,GAAQ;AACjC,QAAMO,IAAMH,EAAS,IAAKL,EAAaC,CAAM;AAC7C,SAAO;AAAA,IACH,KAAKlB,EAAa;AAAA,IAClB,KAAK,CAACwB,EAAG,QAAQA,EAAG,cAAc;AA
AA,IAClC,KAAKC,IAAM;AAAA,IACX,KAAKA;AAAA,IACL,KAAKA;AAAA,IACL,KAAKP,EAAO;AAAA,IACZ,KAAKA,EAAO;AAAA,EACpB;AACA;AACA,eAAeQ,GAAcF,GAAIN,GAAQ5C,GAAKqD,GAAK;AAC/C,SAAOC,GAAI;AAAA,IACP,KAAKZ,GAAS1C,CAAG;AAAA,IACjB,KAAAqD;AAAA,EACH,GAAEJ,GAAgBC,GAAIN,CAAM,GAAG5C,CAAG;AACvC;AACA,SAASuD,EAASL,GAAI;AAClB,MAAI,OAAOA,KAAO,YAAYA,MAAO;AACjC,UAAM,IAAI,UAAU,wBAAwB;AAEhD,MAAI,CAAC7B,EAAe6B,EAAG,MAAM;AACzB,UAAM,IAAI,UAAU,iDAAiD;AAEzE,SAAO;AACX;AACA,SAASM,EAAaZ,GAAQ;AAC1B,MAAI,OAAOA,KAAW,YAAYA,MAAW;AACzC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,MAAI,CAACvB,EAAeuB,EAAO,SAAS;AAChC,UAAM,IAAI,UAAU,wDAAwD;AAEhF,SAAO;AACX;AACA,SAASa,GAAmBrB,GAAc;AACtC,MAAI,CAACf,EAAee,CAAY;AAC5B,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAOA;AACX;AACA,SAASsB,EAAyBC,GAAkBC,GAAkB;AAClE,MAAIA,MAAqB;AACrB,UAAM,IAAI,UAAU,iEAAiED,CAAgB,wCAAwC;AAErJ;AACA,SAASE,GAAqBF,GAAkBvB,GAAc;AAC1D,MAAIA,MAAiB;AACjB,UAAM,IAAI,UAAU,6DAA6DuB,CAAgB,wCAAwC;AAEjJ;AACA,eAAeG,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAAS4C,GAAkB;AAI7E,UAHAG,EAAK,OAAO,eAAe,GAC3BA,EAAK,OAAO,uBAAuB,GACnCA,EAAK,OAAO,kBAAkB,GACtBnB,EAAO,4BAA0B;AAAA,IACrC,KAAK;AAAA,IACL,KAAK,uBAAuB;AACxB,MAAAc,EAAyB,uBAAuBE,CAAgB,GAChE5C,EAAQ,IAAI,iBAAiBkB,GAAkBU,EAAO,WAAWa,GAAmBb,EAAO,aAAa,CAAC,CAAC;AAC1G;AAAA,IACH;AAAA,IACD,KAAK,sBAAsB;AACvB,MAAAc,EAAyB,sBAAsBE,CAAgB,GAC/DG,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,iBAAiBN,GAAmBb,EAAO,aAAa,CAAC;AAClE;AAAA,IACH;AAAA,IACD,KAAK,mBAAmB;AAEpB,UADAiB,GAAqB,mBAAmBjB,EAAO,aAAa,GACxDgB,MAAqB;AACrB,cAAM,IAAI,UAAU,2GAA2G;AAEnI,YAAM,EAAE,KAAA5D,GAAK,KAAAqD,EAAK,IAAGtB,GAAa6B,CAAgB;AAClD,UAAI,CAACnD,GAAaT,CAAG;AACjB,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAA+D,EAAK,IAAI,aAAanB,EAAO,SAAS,GACtCmB,EAAK,IAAI,yBAAyB,wDAAwD,GAC1FA,EAAK,IAAI,oBAAoB,MAAMX,GAAcF,GAAIN,GAAQ5C,GAAKqD,CAAG,CAAC;AACtE;AAAA,IACH;AAAA,IACD,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,QAAQ;AACT,MAAAQ,GAAqBjB,EAAO,4BAA4BA,EAAO,aAAa,GAC5Ec,EAAyBd,EAAO,4BAA4BgB,CAAgB,GAC5EG,EAAK,IAAI,aAAanB,EAAO,SAAS;AACtC;AAAA,IACH;AAAA,IACD;AACI,YAAM,IAAIzC,EAA0B,+CAA+C;AAAA,EAC1F;AACL;AACA,eAAemD,GAAIU,GAAQC,GAAWjE,GAAK;AACvC,MAAI,CAACA,E
AAI,OAAO,SAAS,MAAM;AAC3B,UAAM,IAAI,UAAU,uFAAuF;AAE/G,QAAM5B,IAAQ,GAAGyB,EAAKT,EAAI,KAAK,UAAU4E,CAAM,CAAC,CAAC,CAAC,IAAInE,EAAKT,EAAI,KAAK,UAAU6E,CAAS,CAAC,CAAC,CAAC,IACpFC,IAAYrE,EAAK,MAAM,OAAO,OAAO,KAAKsE,GAAYnE,CAAG,GAAGA,GAAKZ,EAAIhB,CAAK,CAAC,CAAC;AAClF,SAAO,GAAGA,CAAK,IAAI8F,CAAS;AAChC;AAqEA,eAAeE,GAAapD,GAASV,GAASc,GAAKiD,GAAKtF,GAAWuF,GAAa;AAC5E,QAAM,EAAE,YAAAC,GAAY,WAAAC,GAAW,OAAA3D,IAAQN,GAAW,IAAIa,EAAI,MAAM,EAAG,IAAGd;AACtE,MAAI,CAACG,GAAa8D,CAAU;AACxB,UAAM,IAAI,UAAU,+CAA+C;AAEvE,MAAI,CAAC7D,GAAY8D,CAAS;AACtB,UAAM,IAAI,UAAU,6CAA6C;AAErE,MAAI3D,MAAU,UAAa,CAACQ,EAAeR,CAAK;AAC5C,UAAM,IAAI,UAAU,sDAAsD;AAE9E,MAAI,CAAC2D,EAAU;AACX,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMrB,IAAMH,EAAW,IAAGjE,GACpB0F,IAAQ,MAAMnB,GAAI;AAAA,IACpB,KAAKZ,GAAS6B,CAAU;AAAA,IACxB,KAAK;AAAA,IACL,KAAK,MAAMG,GAAUF,CAAS;AAAA,EACtC,GAAO;AAAA,IACC,KAAKrB;AAAA,IACL,KAAKzB,EAAa;AAAA,IAClB,KAAA2C;AAAA,IACA,OAAAxD;AAAA,IACA,KAAK,GAAGO,EAAI,MAAM,GAAGA,EAAI,QAAQ;AAAA,IACjC,KAAKkD,IAAczE,EAAK,MAAM,OAAO,OAAO,OAAO,WAAWT,EAAIkF,CAAW,CAAC,CAAC,IAAI;AAAA,EACtF,GAAEC,CAAU;AACb,EAAAvD,EAAQ,IAAI,QAAQyD,CAAK;AAC7B;AACA,IAAIE;AACJ,eAAeC,GAAqB5E,GAAK;AACrC,QAAM,EAAE,KAAA6E,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC,MAAQ,MAAM,OAAO,OAAO,UAAU,OAAOlF,CAAG,GACnEmF,IAAM,EAAE,KAAAN,GAAK,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,GAAAC,GAAG,KAAAC;AAC/B,SAAAP,EAAS,IAAI3E,GAAKmF,CAAG,GACdA;AACX;AACA,eAAeT,GAAU1E,GAAK;AAC1B,SAAA2E,MAAaA,IAAW,oBAAI,QAAO,IAC5BA,EAAS,IAAI3E,CAAG,KAAK4E,GAAqB5E,CAAG;AACxD;AACA,SAASoF,GAAiBlF,GAAOmF,GAAU/E,GAAS;AAChD,MAAI,OAAOJ,KAAU;AAIjB,UAAM,IAAI,UAAU,OAAOmF,CAAQ,oBAAoB;AAE3D,SAAO,IAAI,IAAInF,CAAK;AACxB;AACA,SAASoF,GAAgBpC,GAAImC,GAAU/E,GAAS;AAI5C,SAAO8E,GAAiBlC,EAAGmC,CAAQ,GAAGA,CAAQ;AAClD;AAcO,SAASE,EAAcnH,GAAO;AACjC,QAAM8B,IAAQ9B;AACd,SAAI,OAAO8B,KAAU,YAAY,MAAM,QAAQA,CAAK,KAAKA,MAAU,OACxD,KAEJA,EAAM,UAAU;AAC3B;AA2FO,eAAesF,GAAyBlB,GAAa9H,GAAQ4E,GAAKJ,GAAS+C,GAAMzD,GAAS;AAC7F,MAAI,CAACe,EAAeiD,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,EAAElD,aAAe;AACjB,UAAM,IAAI,UAAU,kCAAkC;AAE1D,SAAAJ,IAAUD,E
AAeC,CAAO,IAC5BV,KAAA,gBAAAA,EAAS,UAAS,SAClBU,EAAQ,IAAI,iBAAiB,UAAUsD,CAAW,EAAE,KAGpD,MAAMF,GAAapD,GAASV,EAAQ,MAAMc,GAAK,OAAOuB,EAAa,EAAE,CAAC5D,CAAS,GAAGuB,KAAA,gBAAAA,EAAUvB,GAAU,CAAE,GAAGuF,CAAW,GACtHtD,EAAQ,IAAI,iBAAiB,QAAQsD,CAAW,EAAE,MAE9ChE,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACO,eAAe8E,GAAgBvC,GAAIN,GAAQ0B,GAAahE,GAAS;AACpE,EAAAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM;AACnB,QAAMxB,IAAMkE,GAAgBpC,GAAI,mBAA4B,GACtDlC,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAIsC,EAAO,+BACP5B,EAAQ,IAAI,UAAU,iBAAiB,KAGvCA,EAAQ,IAAI,UAAU,kBAAkB,GACxCA,EAAQ,OAAO,UAAU,iBAAiB,IAEvCwE,GAAyBlB,GAAa,OAAOlD,GAAKJ,GAAS,MAAM;AAAA,IACpE,GAAGV;AAAA,IACH,CAACvB,CAAS,GAAG4D,EAAaC,CAAM;AAAA,EACxC,CAAK;AACL;AAqKA,eAAe8C,GAAqBxC,GAAIN,GAAQpG,GAAQ4E,GAAK2C,GAAM/C,GAASV,GAAS;AACjF,eAAMwD,GAAqBZ,GAAIN,GAAQmB,GAAM/C,GAASV,KAAA,gBAAAA,EAAS,gBAAgB,GAC/EU,EAAQ,IAAI,gBAAgB,iDAAiD,KACrEV,KAAA,gBAAAA,EAAUrB,OAAgB,OAAOmC,EAAI,MAAM;AAAA,IAC/C,MAAA2C;AAAA,IACA,SAAS,OAAO,YAAY/C,EAAQ,QAAO,CAAE;AAAA,IAC7C,QAAAxE;AAAA,IACA,UAAU;AAAA,IACV,QAAQ8D,KAAA,QAAAA,EAAS,SAASW,EAAOX,EAAQ,MAAM,IAAI;AAAA,EAC3D,CAAK,EAAE,KAAKK,CAAgB;AAC5B;AACA,eAAegF,GAAqBzC,GAAIN,GAAQgD,GAAWC,GAAYvF,GAAS;AAC5E,QAAMc,IAAMkE,GAAgBpC,GAAI,gBAAyB;AACzD,EAAA2C,EAAW,IAAI,cAAcD,CAAS;AACtC,QAAM5E,IAAUD,EAAeT,KAAA,gBAAAA,EAAS,OAAO;AAC/C,SAAAU,EAAQ,IAAI,UAAU,kBAAkB,GAIjC0E,GAAqBxC,GAAIN,GAAQ,QAAQxB,GAAKyE,GAAY7E,GAASV,CAAO;AACrF;AACO,eAAewF,GAAyB5C,GAAIN,GAAQmD,GAAczF,GAAS;AAG9E,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACvB,EAAe0E,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMF,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,iBAAiBE,CAAY,GACrCJ,GAAqBzC,GAAIN,GAAQ,iBAAiBiD,GAAYvF,CAAO;AAChF;AACA,MAAM0F,KAAgB,oBAAI;AAW1B,eAAeC,GAAkC/C,GAAIN,GAAQhC,GAAUsF,IAAgB,IAAOC,IAAqB,IAAO;AAGtH,MAFA5C,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAAC/D,EAAgB+B,GAAU,QAAQ;AACn
C,UAAM,IAAI,UAAU,4CAA4C;AAEpE,MAAIA,EAAS,WAAW,KAAK;AACzB,QAAIwF;AACJ,QAAKA,IAAM,MAAMC,GAAqBzF,CAAQ;AAC1C,aAAOwF;AAEX,UAAM,IAAIxG,EAAI,qDAAqD;AAAA,EACtE;AACD,EAAA4B,EAAuBZ,CAAQ;AAC/B,MAAIa;AACJ,MAAI;AACA,IAAAA,IAAO,MAAMb,EAAS;EACzB,SACMjB,GAAO;AACV,UAAM,IAAIC,EAAI,2CAA2C,EAAE,OAAAD,EAAO,CAAA;AAAA,EACrE;AACD,MAAI,CAACmB,EAAaW,CAAI;AAClB,UAAM,IAAI7B,EAAI,4CAA4C;AAE9D,MAAI,CAACyB,EAAeI,EAAK,YAAY;AACjC,UAAM,IAAI7B,EAAI,oEAAoE;AAEtF,MAAI,CAACyB,EAAeI,EAAK,UAAU;AAC/B,UAAM,IAAI7B,EAAI,kEAAkE;AAGpF,MADA6B,EAAK,aAAaA,EAAK,WAAW,YAAW,GACzCA,EAAK,eAAe,UAAUA,EAAK,eAAe;AAClD,UAAM,IAAItB,EAA0B,gCAAgC;AAExE,MAAIsB,EAAK,eAAe,WACnB,OAAOA,EAAK,cAAe,YAAYA,EAAK,cAAc;AAC3D,UAAM,IAAI7B,EAAI,iEAAiE;AAEnF,MAAI,CAACuG,KACD1E,EAAK,kBAAkB,UACvB,CAACJ,EAAeI,EAAK,aAAa;AAClC,UAAM,IAAI7B,EAAI,qEAAqE;AAEvF,MAAI6B,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU;AAClD,UAAM,IAAI7B,EAAI,mDAAmD;AAErE,MAAI,CAACsG,GAAe;AAChB,QAAIzE,EAAK,aAAa,UAAa,CAACJ,EAAeI,EAAK,QAAQ;AAC5D,YAAM,IAAI7B,EAAI,gEAAgE;AAElF,QAAI6B,EAAK,UAAU;AACf,YAAM,EAAE,QAAA6E,EAAQ,IAAG,MAAMC,GAAY9E,EAAK,UAAU+E,GAAsB,KAAK,QAAW5D,EAAO,8BAA8BM,EAAG,qCAAqC,GAAGuD,IAAkB9D,EAAaC,CAAM,GAAGE,GAAkBF,CAAM,CAAC,EACtO,KAAK8D,GAAiB,KAAK,QAAW,CAAC,OAAO,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,EAC1E,KAAKC,GAAe,KAAK,QAAWzD,EAAG,MAAM,CAAC,EAC9C,KAAK0D,GAAiB,KAAK,QAAWhE,EAAO,SAAS,CAAC;AAC5D,UAAI,MAAM,QAAQ0D,EAAO,GAAG,KAAKA,EAAO,IAAI,WAAW,KAAKA,EAAO,QAAQ1D,EAAO;AAC9E,cAAM,IAAIhD,EAAI,0DAA0D;AAE5E,UAAI0G,EAAO,cAAc,WACpB,CAAC,OAAO,SAASA,EAAO,SAAS,KAAK,KAAK,KAAKA,EAAO,SAAS,MAAM;AACvE,cAAM,IAAI1G,EAAI,sEAAsE;AAExF,MAAAoG,GAAc,IAAIvE,GAAM6E,CAAM;AAAA,IACjC;AAAA,EACJ;AACD,SAAO7E;AACX;AACO,eAAeoF,GAA4B3D,GAAIN,GAAQhC,GAAU;AACpE,SAAOqF,GAAkC/C,GAAIN,GAAQhC,CAAQ;AACjE;AAOA,SAASgG,GAAiB9H,GAAUgI,GAAQ;AACxC,MAAI,MAAM,QAAQA,EAAO,OAAO,GAAG;AAC/B,QAAI,CAACA,EAAO,OAAO,IAAI,SAAShI,CAAQ;AACpC,YAAM,IAAIc,EAAI,6CAA6C;AAAA,aAG1DkH,EAAO,OAAO,QAAQhI;AAC3B,UAAM,IAAIc,EAAI,6CAA6C;AAE/D,SAAOkH;AACX;AAOA,SAASH,GAAe7H,GAAUgI,GAAQ;AACtC,MAAIA,EAAO,OAAO,QAAQhI;AACtB,UAAM,IAAIc,EAAI,2CAA2C;AAE7D,SAAOkH;AACX;AACA,MAA
MC,KAAU,oBAAI;AACpB,SAASC,GAAMC,GAAc;AACzB,SAAAF,GAAQ,IAAIE,CAAY,GACjBA;AACX;AACO,eAAeC,GAA8BhE,GAAIN,GAAQuE,GAAoBC,GAAatF,GAAcxB,GAAS;AAGpH,MAFAiD,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACf,CAACmE,GAAQ,IAAII,CAAkB;AAC/B,UAAM,IAAI,UAAU,mIAAmI;AAE3J,MAAI,CAAC9F,EAAe+F,CAAW;AAC3B,UAAM,IAAI,UAAU,0CAA0C;AAElE,MAAI,CAAC/F,EAAeS,CAAY;AAC5B,UAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAMuF,IAAOC,EAAsBH,GAAoB,MAAM;AAC7D,MAAI,CAACE;AACD,UAAM,IAAIzH,EAAI,+CAA+C;AAEjE,QAAMiG,IAAa,IAAI,gBAAgBvF,KAAA,gBAAAA,EAAS,oBAAoB;AACpE,SAAAuF,EAAW,IAAI,gBAAgBuB,CAAW,GAC1CvB,EAAW,IAAI,iBAAiB/D,CAAY,GAC5C+D,EAAW,IAAI,QAAQwB,CAAI,GACpB1B,GAAqBzC,GAAIN,GAAQ,sBAAsBiD,GAAYvF,CAAO;AACrF;AACA,MAAMiH,KAAgB;AAAA,EAClB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AACT;AACA,SAASb,GAAiBc,GAAUV,GAAQ;AACxC,aAAWW,KAASD;AAChB,QAAIV,EAAO,OAAOW,CAAK,MAAM;AACzB,YAAM,IAAI7H,EAAI,QAAQ6H,CAAK,MAAMF,GAAcE,CAAK,CAAC,iBAAiB;AAG9E,SAAOX;AACX;AA+CO,eAAeY,GAAuCxE,GAAIN,GAAQhC,GAAU;AAC/E,QAAMkG,IAAS,MAAMb,GAAkC/C,GAAIN,GAAQhC,GAAU,EAAI;AACjF,MAAI2E,EAAcuB,CAAM;AACpB,WAAOA;AAEX,MAAIA,EAAO,aAAa,QAAW;AAC/B,QAAI,OAAOA,EAAO,YAAa,YAAYA,EAAO,SAAS;AACvD,YAAM,IAAIlH,EAAI,mHAAmH;AAErI,WAAOkH,EAAO;AAAA,EACjB;AACD,SAAOA;AACX;AA6CA,SAAStF,EAAuBZ,GAAU;AACtC,MAAIA,EAAS;AACT,UAAM,IAAI,UAAU,uCAAuC;AAEnE;AAqGA,eAAeyF,GAAqBzF,GAAU;AAC1C,MAAIA,EAAS,SAAS,OAAOA,EAAS,SAAS,KAAK;AAChD,IAAAY,EAAuBZ,CAAQ;AAC/B,QAAI;AACA,YAAMa,IAAO,MAAMb,EAAS;AAC5B,UAAIE,EAAaW,CAAI,KAAK,OAAOA,EAAK,SAAU,YAAYA,EAAK,MAAM;AACnE,eAAIA,EAAK,sBAAsB,UAAa,OAAOA,EAAK,qBAAsB,YAC1E,OAAOA,EAAK,mBAEZA,EAAK,cAAc,UAAa,OAAOA,EAAK,aAAc,YAC1D,OAAOA,EAAK,WAEZA,EAAK,SAAS,UAAa,OAAOA,EAAK,QAAS,YAChD,OAAOA,EAAK,MAEZA,EAAK,UAAU,UAAa,OAAOA,EAAK,SAAU,YAClD,OAAOA,EAAK,OAETA;AAAA,IAEd,QACK;AAAA,IAAG;AAAA,EACZ;AAEL;AAOA,SAASkG,GAAqBC,GAAW;AACrC,MAAI,OAAOA,EAAU,iBAAkB,YAAYA,EAAU,gBAAgB;AACzE,UAAM,IAAIhI,EAAI,GAAGgI,EAAU,IAAI,2CAA2C;AAElF;AACA,SAASC,GAAcC,GAAY;AAC/B,
UAAQA,GAAU;AAAA,IACd,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAI3H,EAAyB;AAAA,EAC1C;AACL;AACA,SAASgE,GAAYnE,GAAK;AACtB,UAAQA,EAAI,UAAU,MAAI;AAAA,IACtB,KAAK;AACD,aAAO;AAAA,QACH,MAAMA,EAAI,UAAU;AAAA,QACpB,MAAM6H,GAAc7H,EAAI,UAAU,UAAU;AAAA,MAC5D;AAAA,IACQ,KAAK;AAED,cADA2H,GAAqB3H,EAAI,SAAS,GAC1BA,EAAI,UAAU,KAAK,MAAI;AAAA,QAC3B,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,iBAAO;AAAA,YACH,MAAMA,EAAI,UAAU;AAAA,YACpB,YAAY,SAASA,EAAI,UAAU,KAAK,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK;AAAA,UACvF;AAAA,QACgB;AACI,gBAAM,IAAIG,EAAyB;AAAA,MAC1C;AAAA,IAEL,KAAK;AACD,aAAAwH,GAAqB3H,EAAI,SAAS,GAC3BA,EAAI,UAAU;AAAA,IACzB,KAAK;AAAA,IACL,KAAK;AACD,aAAOA,EAAI,UAAU;AAAA,EAC5B;AACD,QAAM,IAAIG,EAAyB;AACvC;AACA,MAAMsG,KAAmB,OAAM;AAC/B,eAAeF,GAAYwB,GAAKC,GAAUC,GAAQlJ,GAAWC,GAAgB;AACzE,QAAM,EAAE,GAAGkJ,GAAiB,GAAGC,GAAS,GAAGC,GAAkB,QAAAC,EAAM,IAAKN,EAAI,MAAM,GAAG;AACrF,MAAIM,MAAW;AACX,UAAM,IAAIlI,EAA0B,sCAAsC;AAE9E,MAAIkI,MAAW;AACX,UAAM,IAAIzI,EAAI,aAAa;AAE/B,MAAIoE;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAM5E,EAAIS,EAAKqI,CAAe,CAAC,CAAC;AAAA,EACjD,SACMvI,GAAO;AACV,UAAM,IAAIC,EAAI,6DAA6D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACvF;AACD,MAAI,CAACmB,EAAakD,CAAM;AACpB,UAAM,IAAIpE,EAAI,uCAAuC;AAGzD,MADAoI,EAAShE,CAAM,GACXA,EAAO,SAAS;AAChB,UAAM,IAAIpE,EAAI,wCAAwC;AAE1D,QAAMsE,IAAYrE,EAAKuI,CAAgB;AACvC,MAAIpI;AACJ,MAAIiI,MAAWxB,IAAkB;AAC7B,IAAAzG,IAAM,MAAMiI,EAAOjE,CAAM;AACzB,UAAM5F,IAAQ,GAAG8J,CAAe,IAAIC,CAAO;AAE3C,QAAI,CADa,MAAM,OAAO,OAAO,OAAOhE,GAAYnE,CAAG,GAAGA,GAAKkE,GAAW9E,EAAIhB,CAAK,CAAC;AAEpF,YAAM,IAAIwB,EAAI,mCAAmC;AAAA,EAExD;AACD,MAAI0G;AACJ,MAAI;AACA,IAAAA,IAAS,KAAK,MAAMlH,EAAIS,EAAKsI,CAAO,CAAC,CAAC;AAAA,EACzC,SACMxI,GAAO;AACV,UAAM,IAAIC,EAAI,8DAA8D,EAAE,OAAAD,EAAO,CAAA;AAAA,EACxF;AACD,MAAI,CAACmB,EAAawF,CAAM;AACpB,UAAM,IAAI1G,EAAI,wCAAwC;AAE1D,QAAMuD,IAAMH,EAAW,IAAGjE;AAC1B,MAAIuH,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAI1G,EAAI,mDAAmD;AAErE,QAAI0G,EAAO,OAAOnD,IAAMnE;AACpB,YAAM,IAAIY,EAAI,2EAA2E;AAAA,EAEhG;AACD,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,
IAAI1G,EAAI,6CAA6C;AAGnE,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ;AACtB,UAAM,IAAI1G,EAAI,0CAA0C;AAGhE,MAAI0G,EAAO,QAAQ,QAAW;AAC1B,QAAI,OAAOA,EAAO,OAAQ;AACtB,YAAM,IAAI1G,EAAI,8CAA8C;AAEhE,QAAI0G,EAAO,MAAMnD,IAAMnE;AACnB,YAAM,IAAIY,EAAI,qEAAqE;AAAA,EAE1F;AACD,MAAI0G,EAAO,QAAQ,UACX,OAAOA,EAAO,OAAQ,YAAY,CAAC,MAAM,QAAQA,EAAO,GAAG;AAC3D,UAAM,IAAI1G,EAAI,4CAA4C;AAGlE,SAAO,EAAE,QAAAoE,GAAQ,QAAAsC,GAAQ,WAAApC,GAAW,KAAAlE,EAAG;AAC3C;AAuKA,SAASwG,GAAsB5D,GAAQ0F,GAAQtE,GAAQ;AACnD,MAAIpB,MAAW,QAAW;AACtB,QAAIoB,EAAO,QAAQpB;AACf,YAAM,IAAIhD,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAI,MAAM,QAAQ0I,CAAM,GAAG;AACvB,QAAI,CAACA,EAAO,SAAStE,EAAO,GAAG;AAC3B,YAAM,IAAIpE,EAAI,uCAAuC;AAEzD;AAAA,EACH;AACD,MAAIoE,EAAO,QAAQ;AACf,UAAM,IAAIpE,EAAI,uCAAuC;AAE7D;AACA,SAAS0H,EAAsBzB,GAAY1I,GAAM;AAC7C,QAAM,EAAE,GAAG+C,GAAO,QAAAmI,EAAQ,IAAGxC,EAAW,OAAO1I,CAAI;AACnD,MAAIkL,IAAS;AACT,UAAM,IAAIzI,EAAI,IAAIzC,CAAI,wCAAwC;AAElE,SAAO+C;AACX;AACO,MAAMqI,KAAiB,OAAM,GACvBC,KAAgB,OAAM;AAC5B,SAASC,GAAqBvF,GAAIN,GAAQiD,GAAY6C,GAAe;AAMxE,MALAnF,EAASL,CAAE,GACXM,EAAaZ,CAAM,GACfiD,aAAsB,QACtBA,IAAaA,EAAW,eAExB,EAAEA,aAAsB;AACxB,UAAM,IAAI,UAAU,6DAA6D;AAErF,MAAIyB,EAAsBzB,GAAY,UAAU;AAC5C,UAAM,IAAIjG,EAAI,wGAAwG;AAE1H,QAAM+I,IAAMrB,EAAsBzB,GAAY,KAAK,GAC7C+C,IAAQtB,EAAsBzB,GAAY,OAAO;AACvD,MAAI,CAAC8C,KAAOzF,EAAG;AACX,UAAM,IAAItD,EAAI,2CAA2C;AAE7D,MAAI+I,KAAOA,MAAQzF,EAAG;AAClB,UAAM,IAAItD,EAAI,oDAAoD;AAEtE,UAAQ8I,GAAa;AAAA,IACjB,KAAK;AAAA,IACL,KAAKF;AACD,UAAII,MAAU;AACV,cAAM,IAAIhJ,EAAI,mDAAmD;AAErE;AAAA,IACJ,KAAK2I;AACD;AAAA,IACJ;AACI,UAAI,CAAClH,EAAeqH,CAAa;AAC7B,cAAM,IAAI9I,EAAI,4CAA4C;AAE9D,UAAIgJ,MAAU;AACV,cAAM,IAAIhJ,EAAI,oCAAoC;AAEtD,UAAIgJ,MAAUF;AACV,cAAM,IAAI9I,EAAI,6CAA6C;AAAA,EAEtE;AACD,QAAMiJ,IAAQvB,EAAsBzB,GAAY,OAAO;AACvD,MAAIgD;AACA,WAAO;AAAA,MACH,OAAAA;AAAA,MACA,mBAAmBvB,EAAsBzB,GAAY,mBAAmB;AAAA,MACxE,WAAWyB,EAAsBzB,GAAY,WAAW;AAAA,IACpE;AAEI,QAAMiD,IAAWxB,EAAsBzB,GAAY,UAAU,GACvD5D,IAAQqF,EAAsBzB,GAAY,OAAO;AACvD,MAAIiD,MAAa,UAAa7G,MAAU;AACpC,UAAM,IAAI9B,EAA0B,6CAA6C;AAErF,SAAO6G,GAAM,IAAI,gBAAgBnB,CAAU,CAAC;AAChD;A
CjqDO,MAAMkD,UAA2B,MAAM;AAAC;AAYxC,MAAMC,UAAgCD,EAAmB;AAAA,EAC9D,YACE3I,GACOyI,GACPvI,GACA;AACA,UAAMF,GAASE,CAAO,GAHf,KAAA,QAAAuI;AAAA,EAIT;AACF;AChBO,SAASI,GAAS;AAAA,EACvB,gBAAAC;AACF,GAEG;AACK,QAAAC,IAAgBC,GAAO,EAAK,GAC5B,CAACP,GAAOQ,CAAQ,IAAIC,GAA4B,MAAS,GACzDC,IAAWC;AAoBjB,SAfAC,GAAU,MAAM;AACd,IAAIN,EAAc,YAGlBA,EAAc,UAAU,IACTD,EAAA,EACZ,KAAK,CAACQ,MAAa;AAElB,MAAAH,EAASG,CAAQ;AAAA,IAAA,CAClB,EACA,MAAM,CAACtD,MAAQ;AACd,MAAAiD,EAASjD,CAAG;AAAA,IAAA,CACb;AAAA,EACL,GAAG,CAAE,CAAA,GAEDyC,IACEA,aAAiBG,2BAEhB,OACC,EAAA,UAAA;AAAA,IAAAW,gBAAAA,EAAAA,IAAC,QAAG,UAAK,QAAA,CAAA;AAAA,2BACR,OACE,EAAA,UAAA;AAAA,MAAAd,EAAM,MAAM;AAAA,MAEZA,EAAM,MAAM;AAAA,MAEZA,EAAM,MAAM;AAAA,IAAA,GACf;AAAA,EACF,EAAA,CAAA,2BAID,OACC,EAAA,UAAA;AAAA,IAAAc,gBAAAA,EAAAA,IAAC,QAAG,UAAK,QAAA,CAAA;AAAA,2BACR,OACE,EAAA,UAAA;AAAA,MAAMd,EAAA;AAAA,MAENA,EAAM;AAAA,IAAA,GACT;AAAA,EACF,EAAA,CAAA,IAIGc,gBAAAA,EAAA,IAAC,SAAI,UAAU,aAAA,CAAA;AACxB;AC/CA,MAAMC,KAAoB;AAS1B,MAAMC,WAAyBC,GAAqB;AAAA,EAClD,YACUC,GACAb,GACDc,GACP;AACM,aAJE,KAAA,kBAAAD,GACA,KAAA,iBAAAb,GACD,KAAA,aAAAc;AAAA,EAGT;AAAA,EACA,YAAY;AACH,WAAA;AAAA,MACL,GAAG,MAAM,UAAU;AAAA,MACnB;AAAA,QACE,MAAM,KAAK;AAAA,QACX,SAASL,gBAAAA,EAAA,IAACV,IAAS,EAAA,gBAAgB,KAAK,gBAAgB;AAAA,MAC1D;AAAA,IAAA;AAAA,EAEJ;AACF;AAEO,MAAMgB,GAA+D;AAAA,EAgB1E,YAAY;AAAA,IACV,QAAA3B;AAAA,IACA,UAAA4B;AAAA,IACA,uBAAAC;AAAA,IACA,eAAAC;AAAA,IACA,UAAAjI;AAAA,IACA,uBAAAkI;AAAA,IACA,uBAAAC;AAAA,IACA,wBAAAC;AAAA,EAAA,GAC6B;AAxBrB,IAAAC,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAEA,IAAAA,EAAA,yBAAkB;AAClB,IAAAA,EAAA,+BAAwB;AACjB,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAmNjB,IAAAA,EAAA,wBAAiB,YAA6B;AAC5C,YAAMpJ,IAAM,IAAI,IAAI,OAAO,SAAS,IAAI,GAClCwH,IAAQxH,EAAI,aAAa,IAAI,OAAO,GAIpCU,IAAe,aAAa,QAAQ8H,EAAiB;AAG3D,UAAI,CAAC9H;AACH,cAAM,IAAIiH;AAAA,UACR;AAAA,QAAA;AAIE,YAAA0B,IAAa,MAAM,KAAK,iBAExBC,IAASC;AAAAA,QACbF;AAAA,QACA,KAAK;AAAA,QACLrJ,EAAI;AAAA,QACJwH,KAAS;AAAA,MAAA;AAEP,UAAAgC,EAAoBF,CAAM;AACrB,cAAAlM,GAAA,MAAM,mCAAmCkM,CAAM,GAC
hD,IAAI1B;AAAA,UACR;AAAA,UACA0B;AAAA,QAAA;AAIE,YAAAG,IAAc,IAAI,IAAIzJ,CAAG;AACnB,MAAAyJ,EAAA,WAAW,KAAK,yBAAyB,KAAK,iBAC1DA,EAAY,SAAS;AAEf,YAAAjK,IAAW,MAAMkK;AAAAA,QACrBL;AAAA,QACA,KAAK;AAAA,QACLC;AAAA,QACAG,EAAY,SAAS;AAAA,QACrB/I;AAAA,MAAA,GAWIiJ,IAAc,MAAMC;AAAAA,QACxBP;AAAA,QACA,KAAK;AAAA,QACL7J;AAAA,MAAA;AAGF,WAAK,sBAAsBmK,CAAW;AAEhC,YAAAzG,IAAc,MAAM,KAAK,kBAOzB2G,IAAW,OALQ,MAAMC;AAAAA,QAC7BT;AAAA,QACA,KAAK;AAAA,QACLnG;AAAA,MAAA,GAEsC,QAElC6G,IAAuB;AAAA,QAC3B,KAAKF,EAAS;AAAA,QACd,OAAOA,EAAS;AAAA,QAChB,MAAMA,EAAS;AAAA,QACf,eAAeA,EAAS,kBAAkB;AAAA,QAC1C,YAAYA,EAAS;AAAA,MAAA;AASnB,aANJG,GAAa,SAAS;AAAA,QACpB,iBAAiB;AAAA,QACjB,WAAW;AAAA,QACX,SAAAD;AAAA,MAAA,CACD,GAEG,aAAa,QAAQ,SAAS,IACzB,KAAK,wBAEL,KAAK;AAAA,IACd;AA7RA,SAAK,SAAS;AAAA,MACZ,WAAWhJ;AAAA,MACX,4BAA4B;AAAA,IAAA,GAE9B,KAAK,WAAW+H,GAChB,KAAK,SAAS5B,GACd,KAAK,wBAAwB6B,GAC7B,KAAK,gBAAgBC,GACrB,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,wBAAwBC,KAAyB,KACtD,KAAK,yBAAyBC,KAA0B;AAAA,EAC1D;AAAA,EAEA,MAAgB,gBAAgB;AAC1B,QAAA,CAAC,KAAK;AACJ,UAAA,KAAK,iBAAiB,KAAK;AAC7B,aAAK,sBAAsB;AAAA,UACzB,QAAQ,IAAI,IAAI,KAAK,qBAAsB,EAAE;AAAA,UAC7C,wBAAwB,KAAK;AAAA,UAC7B,gBAAgB,KAAK;AAAA,UACrB,kCAAkC,CAAC;AAAA,QAAA;AAAA,WAEhC;AACL,cAAMc,IAAY,IAAI,IAAI,KAAK,MAAM,GAC/BzK,IAAW,MAAM0K,GAAuBD,CAAS;AAClD,aAAA,sBAAsB,MAAME;AAAAA,UAC/BF;AAAA,UACAzK;AAAA,QAAA;AAAA,MAEJ;AAEF,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMU,sBACRA,GACA;AACI,QAAAgK,EAAoBhK,CAAQ;AACvB,YAAApC,GAAA,MAAM,sBAAsBoC,CAAQ,GACrC,IAAIoI,EAAwB,sBAAsBpI,CAAQ;AAG9D,QAAA,CAACA,EAAS;AACN,YAAA,IAAImI,EAAmB,2BAA2B;AAG1D,SAAK,SAAS;AAAA,MACZ,aAAanI,EAAS;AAAA,MACtB,cAAcA,EAAS;AAAA,MACvB,WAAW,IAAI,KAAK,KAAK,QAAQA,EAAS,aAAa,GAAI;AAAA,MAC3D,WAAWA,EAAS;AAAA,IAAA,GAEtB,aAAa,QAAQ,gBAAgB,KAAK,UAAU,KAAK,MAAM,CAAC;AAAA,EAClE;AAAA,EAEA,MAAM,SAAS;AACN,WAAA,KAAK,UAAU,EAAI;AAAA,EAC5B;AAAA,EAEA,MAAM,SAAS;AACb,WAAO,KAAK;EACd;AAAA,EAEA,MAAc,UAAU4K,IAAS,IAAsB;;AACrD,UAAMC,IAAwB,QACxBC,IAAsB,MAAM,KAAK;AAOnC,QANAF,IACW,aAAA,QAAQ,WAAW,MAAM,IAEtC,aAAa,WAAW,SAAS,GAG/B,CAACE,EAAoB;AACjB,YAAA,IAAI3C,EAAmB,2BAA2B;AAQpD,U
AAAjH,IAAe6J,MACfC,IAAgB,MAAMC,GAAiC/J,CAAY;AAE5D,iBAAA,QAAQ8H,IAAmB9H,CAAY;AAGpD,UAAMgK,IAAmB,IAAI;AAAA,MAC3BN,IACIE,EAAoB,yBACpBA,EAAoB,yBACpBA,EAAoB;AAAA,IAAA,GAGpBb,IAAc,IAAI;AAAA,OACrBW,IACG,OAAO,SAAS,SAAS,KAAK,wBAC9B,OAAO,SAAS,SAAS,KAAK,0BAChC,OAAO,SAAS;AAAA,IAAA;AAsBpB,QApBAX,EAAY,WAAW,KAAK,iBAC5BA,EAAY,SAAS,IAErBiB,EAAiB,aAAa,IAAI,aAAa,KAAK,OAAO,SAAS,GACpEA,EAAiB,aAAa,IAAI,gBAAgBjB,EAAY,UAAU,GACvDiB,EAAA,aAAa,IAAI,iBAAiB,MAAM,GACxCA,EAAA,aAAa,IAAI,SAAS,sBAAsB,GAChDA,EAAA,aAAa,IAAI,kBAAkBF,CAAa,GACjEE,EAAiB,aAAa;AAAA,MAC5B;AAAA,MACAL;AAAA,IAAA,GAEE,KAAK,YACPK,EAAiB,aAAa,IAAI,YAAY,KAAK,QAAQ,KAQ3DlN,IAAA8M,EAAoB,qCAApB,gBAAA9M,EAAsD,SAAS,aAC/D,IACA;AACM,YAAAgK,IAAQmD;AACG,MAAAD,EAAA,aAAa,IAAI,SAASlD,CAAK;AAAA,IAClD;AAGA,aAAS,OAAOkD,EAAiB;AAAA,EACnC;AAAA,EAEA,MAAM,iBAAkC;AAChC,UAAA5I,IAAK,MAAM,KAAK;AAClB,QAAA,CAAC,KAAK;AACF,YAAA,IAAI6F,EAAmB,2BAA2B;AAE1D,QAAI,KAAK,OAAO,YAAY,oBAAI,QAAQ;AAClC,UAAA,CAAC,KAAK,OAAO;AAEf,cAAM,IAAIA;AAAA,UACR;AAAA,QAAA;AAIE,YAAAiD,IAAU,MAAMC;AAAAA,QACpB/I;AAAA,QACA,KAAK;AAAA,QACL,KAAK,OAAO;AAAA,MAAA,GAERtC,IAAW,MAAMsL;AAAAA,QACrBhJ;AAAA,QACA,KAAK;AAAA,QACL8I;AAAA,MAAA;AAGF,WAAK,sBAAsBpL,CAAQ;AAAA,IACrC;AAEA,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA,EAEA,MAAM,UAAyB;AAC7B,IAAAwK,GAAa,SAAS;AAAA,MACpB,iBAAiB;AAAA,MACjB,WAAW;AAAA,MACX,SAAS;AAAA,IAAA,CACV;AAEK,UAAAlI,IAAK,MAAM,KAAK,iBAEhB2H,IAAc,IAAI;AAAA,MACtB,OAAO,SAAS,SAAS,KAAK;AAAA,IAAA;AAEhC,IAAAA,EAAY,WAAW,KAAK;AAExB,QAAAsB;AAGJ,IAAIjJ,EAAG,wBACOiJ,IAAA,IAAI,IAAIjJ,EAAG,oBAAoB,GAM3CiJ,EAAU,aAAa;AAAA,MACrB;AAAA,MACAtB,EAAY,SAAS;AAAA,IAAA,KAGXsB,IAAAtB;AAAA,EAEhB;AAAA,EAkGA,0BAA0B;AACxB,WAAO,IAAIhB;AAAA,MAAiB,KAAK;AAAA,MAAiB,MAChD,KAAK,eAAe;AAAA,IAAA;AAAA,EAExB;AACF;AAEA,MAAMuC,KAEF,CAAC9L,MAAY,IAAI2J,GAA6B3J,CAAO;","x_google_ignoreList":[0,1]}
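--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "zudoku",
- "version": "0.3.0-dev.70",
+ "version": "0.3.0-dev.71",
  "type": "module",
  "files": [
  "dist",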
@@ -23,6 +23,7 @@ class OpenIdAuthPlugin extends AuthenticationPlugin {
23
23
  constructor(
24
24
  private callbackUrlPath: string,
25
25
  private handleCallback: () => Promise<string>,
26
+ public initialize?: () => Promise<void>,
26
27
  ) {
27
28
  super();
28
29
  }
@@ -48,12 +49,14 @@ export class OpenIDAuthenticationProvider implements AuthenticationProvider {
48
49
 
49
50
  protected callbackUrlPath = "/oauth/callback";
50
51
  protected logoutRedirectUrlPath = "/";
51
- private redirectToAfterSignUp: string;
52
- private redirectToAfterSignIn: string;
53
- private redirectToAfterSignOut: string;
52
+ private readonly redirectToAfterSignUp: string;
53
+ private readonly redirectToAfterSignIn: string;
54
+ private readonly redirectToAfterSignOut: string;
55
+ private readonly audience?: string;
54
56
 
55
57
  constructor({
56
58
  issuer,
59
+ audience,
57
60
  authorizationEndpoint,
58
61
  tokenEndpoint,
59
62
  clientId,
@@ -65,6 +68,7 @@ export class OpenIDAuthenticationProvider implements AuthenticationProvider {
65
68
  client_id: clientId,
66
69
  token_endpoint_auth_method: "none",
67
70
  };
71
+ this.audience = audience;
68
72
  this.issuer = issuer;
69
73
  this.authorizationEndpoint = authorizationEndpoint;
70
74
  this.tokenEndpoint = tokenEndpoint;
@@ -116,6 +120,7 @@ export class OpenIDAuthenticationProvider implements AuthenticationProvider {
116
120
  expiresOn: new Date(Date.now() + response.expires_in * 1000),
117
121
  tokenType: response.token_type,
118
122
  };
123
+ localStorage.setItem("openid-token", JSON.stringify(this.tokens));
119
124
  }
120
125
 
121
126
  async signUp() {
@@ -175,6 +180,9 @@ export class OpenIDAuthenticationProvider implements AuthenticationProvider {
175
180
  "code_challenge_method",
176
181
  code_challenge_method,
177
182
  );
183
+ if (this.audience) {
184
+ authorizationUrl.searchParams.set("audience", this.audience);
185
+ }
178
186
 
179
187
  /**
180
188
  * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is
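Review bot: The added `localStorage.setItem("openid-token", JSON.stringify(this.tokens));` (new line 123) writes the token state to storage that any script running in the page's origin can read and that outlives the tab, so an XSS bug or a compromised dependency yields a usable token rather than one held only in memory. The object literal starts above the hunk, so which fields it carries is inferred; if it includes a refresh token, that should not be persisted at all. Prefer keeping the tokens in memory, or at least narrow the lifetime with `sessionStorage.setItem("openid-token", JSON.stringify(this.tokens));` and remove the key on sign-out; no removal is visible in these hunks. Also, `expiresOn` is a `Date` and comes back from JSON as a string, so whatever restores this entry must rebuild it with `new Date(...)` before comparing it.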