From c4ce2758914163ed427c0487fe56b3409990d4b2 Mon Sep 17 00:00:00 2001 From: MaicolBen Date: Wed, 21 Mar 2018 22:52:18 -0300 Subject: [PATCH 1/4] Change Readme organization --- README.md | 939 +----------------------------- docs/README.md | 27 + docs/conceptual.md | 50 ++ docs/config/README.md | 45 ++ docs/config/cors.md | 30 + docs/config/device.md | 13 + docs/config/email_auth.md | 16 + docs/config/initialization.md | 33 ++ docs/config/omniauth.md | 94 +++ docs/faq.md | 130 +++++ docs/security.md | 16 + docs/usage/README.md | 19 + docs/usage/controller_concerns.md | 77 +++ docs/usage/excluding_models.md | 61 ++ docs/usage/model_concerns.md | 53 ++ docs/usage/multiple_models.md | 77 +++ docs/usage/overrides.md | 126 ++++ docs/usage/routes.md | 20 + docs/usage/testing.md | 164 ++++++ 19 files changed, 1082 insertions(+), 908 deletions(-) create mode 100644 docs/README.md create mode 100644 docs/conceptual.md create mode 100644 docs/config/README.md create mode 100644 docs/config/cors.md create mode 100644 docs/config/device.md create mode 100644 docs/config/email_auth.md create mode 100644 docs/config/initialization.md create mode 100644 docs/config/omniauth.md create mode 100644 docs/faq.md create mode 100644 docs/security.md create mode 100644 docs/usage/README.md create mode 100644 docs/usage/controller_concerns.md create mode 100644 docs/usage/excluding_models.md create mode 100644 docs/usage/model_concerns.md create mode 100644 docs/usage/multiple_models.md create mode 100644 docs/usage/overrides.md create mode 100644 docs/usage/routes.md create mode 100644 docs/usage/testing.md diff --git a/README.md b/README.md index 520d0bc7c..00a42e6b6 100644 --- a/README.md +++ b/README.md @@ -1,25 +1,16 @@ -# Contributors wanted! - -See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). We're making an effort to bring back this gem and fix everything open! Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969). - -
- -![Serious Trust](https://github.com/lynndylanhurley/devise_token_auth/raw/master/test/dummy/app/assets/images/logo.jpg "Serious Trust") +# Devise Token Auth [![Gem Version](https://badge.fury.io/rb/devise_token_auth.svg)](http://badge.fury.io/rb/devise_token_auth) [![Build Status](https://travis-ci.org/lynndylanhurley/devise_token_auth.svg?branch=master)](https://travis-ci.org/lynndylanhurley/devise_token_auth) -[![Code Climate](http://img.shields.io/codeclimate/github/lynndylanhurley/devise_token_auth.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth) -[![Test Coverage](http://img.shields.io/codeclimate/coverage/github/lynndylanhurley/devise_token_auth.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth) +[![Code Climate](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/gpa.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth) +[![Test Coverage](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/coverage.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/coverage) [![Dependency Status](https://gemnasium.com/lynndylanhurley/devise_token_auth.svg)](https://gemnasium.com/lynndylanhurley/devise_token_auth) -[![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth) -[![Backers on Open Collective](https://opencollective.com/devise_token_auth/backers/badge.svg)](#backers) -[![Sponsors on Open Collective](https://opencollective.com/devise_token_auth/sponsors/badge.svg)](#sponsors) - -## Simple, secure token based authentication for Rails. - +[![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth) +[![Backers on Open Collective](https://opencollective.com/devise_token_auth/backers/badge.svg)](#backers) +[![Sponsors on Open Collective](https://opencollective.com/devise_token_auth/sponsors/badge.svg)](#sponsors) [![Join the chat at https://gitter.im/lynndylanhurley/devise_token_auth](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/lynndylanhurley/devise_token_auth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) -This gem provides the following features: +Simple, secure token-based authentication for Rails. This gem provides the following features: * Seamless integration with: * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js) @@ -28,66 +19,19 @@ This gem provides the following features: * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/) * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth). * Email authentication using [Devise](https://github.com/plataformatec/devise), including: - * User registration - * Password reset - * Account updates - * Account deletion -* Support for [multiple user models](https://github.com/lynndylanhurley/devise_token_auth#using-multiple-models). -* It is [secure](#security). - -# Live Demos - -[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js). - -[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular). - -[Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/). - -The fully configured api used in these demos can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). + * User registration, update and deletion + * Login and logout + * Password reset, account confirmation +* Support for [multiple user models](./docs/usage/multiple_models.md). +* It is [secure](./docs/security.md). -# Troubleshooting - -Please read the [issue reporting guidelines](#issue-reporting) before posting issues. - -# Table of Contents - -* [Dependencies](#dependencies) -* [Configuration TL;DR](#configuration-tldr) -* [Usage TL;DR](#usage-tldr) -* [Configuration Continued](#configuration-cont) - * [Initializer Settings](#initializer-settings) - * [OmniAuth Authentication](#omniauth-authentication) - * [OmniAuth Provider Settings](#omniauth-provider-settings) - * [Email Authentication](#email-authentication) - * [Customizing Devise Verbiage](#customizing-devise-verbiage) - * [Cross Origin Requests (CORS)](#cors) -* [Usage Continued](#usage-cont) - * [Mounting Routes](#mounting-routes) - * [Controller Integration](#controller-methods) - * [Model Integration](#model-concerns) - * [Using Multiple User Classes](#using-multiple-models) - * [Excluding Modules](#excluding-modules) - * [Custom Controller Overrides](#custom-controller-overrides) - * [Passing blocks to Controllers](#passing-blocks-controllers) - * [Email Template Overrides](#email-template-overrides) - * [Testing](#testing) -* [Issue Reporting Guidelines](#issue-reporting) -* [FAQ](#faq) - * [Can I use this gem alongside standard Devise?](#can-i-use-this-gem-alongside-standard-devise) -* [Conceptual Diagrams](#conceptual) - * [Token Management](#about-token-management) - * [Batch Requests](#about-batch-requests) -* [Security](#security) -* [Callouts](#callouts) -* [Contribution Guidelines](#contributing) - -# Dependencies This project leverages the following gems: * [Devise](https://github.com/plataformatec/devise) * [OmniAuth](https://github.com/intridea/omniauth) -# Installation +## Installation + Add the following to your `Gemfile`: ~~~ruby @@ -100,834 +44,34 @@ Then install the gem using bundle: bundle install ~~~ -# Configuration TL;DR - -You will need to create a [user model](#model-concerns), [define routes](#mounting-routes), [include concerns](#controller-methods), and you may want to alter some of the [default settings](#initializer-settings) for this gem. Run the following command for an easy one-step installation: - -~~~bash -rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH] -~~~ - -**Example**: - -~~~bash -rails g devise_token_auth:install User auth -~~~ - -This generator accepts the following optional arguments: - -| Argument | Default | Description | -|---|---|---| -| USER_CLASS | `User` | The name of the class to use for user authentication. | -| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage-tldr). | - -The following events will take place when using the install generator: - -* An initializer will be created at `config/initializers/devise_token_auth.rb`. [Read more](#initializer-settings). - -* A model will be created in the `app/models` directory. If the model already exists, a concern will be included at the top of the file. [Read more](#model-concerns). - -* Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). - -* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). - -* A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: - - ~~~bash - rake db:migrate - ~~~ - -You may also need to configure the following items: - -* **OmniAuth providers** when using 3rd party oauth2 authentication. [Read more](#omniauth-authentication). -* **Cross Origin Request Settings** when using cross-domain clients. [Read more](#cors). -* **Email** when using email registration. [Read more](#email-authentication). -* **Multiple model support** may require additional steps. [Read more](#using-multiple-models). - -[Jump here](#configuration-cont) for more configuration information. - -# Usage TL;DR - -The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [AngularJS](https://angularjs.org/) and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). - -| path | method | purpose | -|:-----|:-------|:--------| -| / | POST | Email registration. Requires **`email`**, **`password`**, **`password_confirmation`**, and **`confirm_success_url`** params (this last one can be omitted if you have set `config.default_confirm_success_url` in `config/initializers/devise_token_auth.rb`). A verification email will be sent to the email address provided. Upon clicking the link in the confirmation email, the API will redirect to the URL specified in **`confirm_success_url`**. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | -| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access-token`** and **`client`** headers. | -| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. | -| /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. | -| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. | -| /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | -| /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | -| /validate_token | GET | Use this route to validate tokens on return visits to the client. Requires **`uid`**, **`client`**, and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | -| /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | -| /password | PUT | Use this route to change users' passwords. Requires **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | -| /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. | - -[Jump here](#usage-cont) for more usage information. - -# Configuration cont. - -## Initializer settings - -The following settings are available for configuration in `config/initializers/devise_token_auth.rb`: - -| Name | Default | Description| -|---|---|---| -| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. Both [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) and [jToker](https://github.com/lynndylanhurley/j-toker) do this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). | -| **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | -| **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | -| **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | -| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the client. | -| **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the client. | -| **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing matches to the client URLs to be visited after validation. Wildcards are supported. | -| **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! | -| **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. | -| **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. | -| **`bypass_sign_in`** | `true` | By default DeviseTokenAuth will not check user's `#active_for_authentication?` which includes confirmation check on each call (it will do it only on sign in). If you want it to be validated on each request (for example, to be able to deactivate logged in users on the fly), set it to false. | - - -Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: - -~~~ruby -Devise.setup do |config| - # The e-mail address that mail will appear to be sent from - # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com" - config.mailer_sender = "support@myapp.com" - - # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash - # middleware b/c rails-api does not include it. - # See: http://stackoverflow.com/q/19600905/806956 - config.navigational_formats = [:json] -end -~~~ - -## OmniAuth authentication - -If you wish to use omniauth authentication, add all of your desired authentication provider gems to your `Gemfile`. - -**OmniAuth example using github, facebook, and google**: -~~~ruby -gem 'omniauth-github' -gem 'omniauth-facebook' -gem 'omniauth-google-oauth2' -~~~ - -Then run `bundle install`. - -[List of oauth2 providers](https://github.com/intridea/omniauth/wiki/List-of-Strategies) - -## OmniAuth provider settings - -In `config/initializers/omniauth.rb`, add the settings for each of your providers. - -These settings must be obtained from the providers themselves. - -**Example using github, facebook, and google**: -~~~ruby -# config/initializers/omniauth.rb -Rails.application.config.middleware.use OmniAuth::Builder do - provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: 'email,profile' - provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'] - provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'] -end -~~~ - -The above example assumes that your provider keys and secrets are stored in environmental variables. Use the [figaro](https://github.com/laserlemon/figaro) gem (or [dotenv](https://github.com/bkeepers/dotenv) or [secrets.yml](https://github.com/rails/rails/blob/v4.1.0/railties/lib/rails/generators/rails/app/templates/config/secrets.yml) or equivalent) to accomplish this. - -#### OmniAuth callback settings - -The "Callback URL" setting that you set with your provider must correspond to the [omniauth prefix](#initializer-settings) setting defined by this app. **This will be different than the omniauth route that is used by your client application**. - -For example, the demo app uses the default `omniauth_prefix` setting `/omniauth`, so the "Authorization callback URL" for github must be set to "http://devise-token-auth-demo.herokuapp.com**/omniauth**/github/callback". - -**Github example for the demo site**: -![password reset flow](https://github.com/lynndylanhurley/devise_token_auth/raw/master/test/dummy/app/assets/images/omniauth-provider-settings.png) - -The url for github authentication will be different for the client. The client should visit the API at `/[MOUNT_PATH]/:provider` for omniauth authentication. - -For example, given that the app is mounted using the following settings: - -~~~ruby -# config/routes.rb -mount_devise_token_auth_for 'User', at: 'auth' -~~~ - -The client configuration for github should look like this: - -**Angular.js setting for authenticating using github**: -~~~javascript -angular.module('myApp', ['ng-token-auth']) - .config(function($authProvider) { - $authProvider.configure({ - apiUrl: 'http://api.example.com' - authProviderPaths: { - github: '/auth/github' // <-- note that this is different than what was set with github - } - }); - }); -~~~ - -**jToker settings for github should look like this: - -~~~javascript -$.auth.configure({ - apiUrl: 'http://api.example.com', - authProviderPaths: { - github: '/auth/github' // <-- note that this is different than what was set with github - } -}); -~~~ - -This incongruence is necessary to support multiple user classes and mounting points. - -#### Note for [pow](http://pow.cx/) and [xip.io](http://xip.io) users - -If you receive `redirect-uri-mismatch` errors from your provider when using pow or xip.io urls, set the following in your development config: - -~~~ruby -# config/environments/development.rb - -# when using pow -OmniAuth.config.full_host = "http://app-name.dev" - -# when using xip.io -OmniAuth.config.full_host = "http://xxx.xxx.xxx.app-name.xip.io" -~~~ - -## Email authentication -If you wish to use email authentication, you must configure your Rails application to send email. [Read here](http://guides.rubyonrails.org/action_mailer_basics.html) for more information. - -I recommend using [mailcatcher](http://mailcatcher.me/) for development. - -##### mailcatcher development example configuration: -~~~ruby -# config/environments/development.rb -Rails.application.configure do - config.action_mailer.default_url_options = { :host => 'your-dev-host.dev' } - config.action_mailer.delivery_method = :smtp - config.action_mailer.smtp_settings = { :address => 'your-dev-host.dev', :port => 1025 } -end -~~~ - -If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](#email-template-overrides). - -## Customizing Devise Verbiage -Devise Token Auth ships with intelligent default wording for everything you need. But that doesn't mean you can't make it more awesome. You can override the [devise defaults](https://github.com/plataformatec/devise/blob/master/config/locales/en.yml) by creating a YAML file at `config/locales/devise.en.yml` and assigning whatever custom values you want. For example, to customize the subject line of your devise e-mails, you could do this: - -~~~yaml -en: - devise: - mailer: - confirmation_instructions: - subject: "Please confirm your e-mail address" - reset_password_instructions: - subject: "Reset password request" -~~~ - -## CORS - -If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this. - -The following **dangerous** example will allow cross domain requests from **any** domain. Make sure to whitelist only the needed domains. - -##### Example rack-cors configuration: -~~~ruby -# gemfile -gem 'rack-cors', :require => 'rack/cors' - -# config/application.rb -module YourApp - class Application < Rails::Application - config.middleware.use Rack::Cors do - allow do - origins '*' - resource '*', - :headers => :any, - :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'], - :methods => [:get, :post, :options, :delete, :put] - end - end - end -end -~~~ - -Make extra sure that the `Access-Control-Expose-Headers` includes `access-token`, `expiry`, `token-type`, `uid`, and `client` (as is set in the example above by the`:expose` param). If your client experiences erroneous 401 responses, this is likely the cause. - -CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the [ng-token-auth readme](https://github.com/lynndylanhurley/ng-token-auth) or the [jToker readme](https://github.com/lynndylanhurley/j-toker) for more information. - -# Usage cont. - -## Mounting Routes - -The authentication routes must be mounted to your project. This gem includes a route helper for this purpose: - -**`mount_devise_token_auth_for`** - similar to `devise_for`, this method is used to append the routes necessary for user authentication. This method accepts the following arguments: - -| Argument | Type | Default | Description | -|---|---|---|---| -|`class_name`| string | 'User' | The name of the class to use for authentication. This class must include the [model concern described here](#model-concerns). | -| `options` | object | {at: 'auth'} | The [routes to be used for authentication](#usage) will be prefixed by the path specified in the `at` param of this object. | - -**Example**: -~~~ruby -# config/routes.rb -mount_devise_token_auth_for 'User', at: 'auth' -~~~ - -Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly. - -You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin. - - -## Controller Methods - -### Concerns - -This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. Include this concern to provide access to [controller methods](#controller-methods) such as [`authenticate_user!`](#authenticate-user), [`user_signed_in?`](#user-signed-in), etc. - -The concern also runs an [after_action](http://guides.rubyonrails.org/action_controller_overview.html#filters) that changes the auth token after each request. - -It is recommended to include the concern in your base `ApplicationController` so that all children of that controller include the concern as well. - -##### Concern example: - -~~~ruby -# app/controllers/application_controller.rb -class ApplicationController < ActionController::Base - include DeviseTokenAuth::Concerns::SetUserByToken -end -~~~ - -### Methods - -This gem provides access to all of the following [devise helpers](https://github.com/plataformatec/devise#controller-filters-and-helpers): - -| Method | Description | -|---|---| -| **`before_action :authenticate_user!`** | Returns a 401 error unless a `User` is signed-in. | -| **`current_user`** | Returns the currently signed-in `User`, or `nil` if unavailable. | -| **`user_signed_in?`** | Returns `true` if a `User` is signed in, otherwise `false`. | -| **`devise_token_auth_group`** | Operate on multiple user classes as a group. [Read more](#group-access) | - -Note that if the model that you're trying to access isn't called `User`, the helper method names will change. For example, if the user model is called `Admin`, the methods would look like this: - -* `before_action :authenticate_admin!` -* `admin_signed_in?` -* `current_admin` - - -##### Example: limit access to authenticated users -~~~ruby -# app/controllers/test_controller.rb -class TestController < ApplicationController - before_action :authenticate_user! - - def members_only - render json: { - data: { - message: "Welcome #{current_user.name}", - user: current_user - } - }, status: 200 - end -end -~~~ - -### Token Header Format - -The authentication information should be included by the client in the headers of each request. The headers follow the [RFC 6750 Bearer Token](http://tools.ietf.org/html/rfc6750) format: - -##### Authentication headers example: -~~~ -"access-token": "wwwww", -"token-type": "Bearer", -"client": "xxxxx", -"expiry": "yyyyy", -"uid": "zzzzz" -~~~ - -The authentication headers (each one is a seperate header) consists of the following params: - -| param | description | -|---|---| -| **`access-token`** | This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request. | -| **`client`** | This enables the use of multiple simultaneous sessions on different clients. (For example, a user may want to be authenticated on both their phone and their laptop at the same time.) | -| **`expiry`** | The date at which the current session will expire. This can be used by clients to invalidate expired tokens without the need for an API request. | -| **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). | - -The authentication headers required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) AngularJS module or the [jToker](https://github.com/lynndylanhurley/j-toker) jQuery plugin, this functionality is already provided. - -## Model Concerns - -##### DeviseTokenAuth::Concerns::User - -Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-methods) described above. +## [Docs](./docs) -Models that include the `DeviseTokenAuth::Concerns::User` concern will have access to the following public methods (read the above section for context on `token` and `client`): +## Need help? -* **`valid_token?`**: check if an authentication token is valid. Accepts a `token` and `client` as arguments. Returns a boolean. +Please use [StackOverflow](https://stackoverflow.com/questions/tagged/devise-token-auth) for help requests and how-to questions. - **Example**: - ~~~ruby - # extract token + client_id from auth header - client_id = request.headers['client'] - token = request.headers['access-token'] +Please open GitHub issues for bugs and enhancements only, not general help requests. Please search previous issues (and Google and StackOverflow) before creating a new issue. - @resource.valid_token?(token, client_id) - ~~~ - -* **`create_new_auth_token`**: creates a new auth token with all of the necessary metadata. Accepts `client` as an optional argument. Will generate a new `client` if none is provided. Returns the authentication headers that should be sent by the client as an object. - - **Example**: - ~~~ruby - # extract client_id from auth header - client_id = request.headers['client'] - - # update token, generate updated auth headers for response - new_auth_header = @resource.create_new_auth_token(client_id) - - # update response with the header that will be required by the next request - response.headers.merge!(new_auth_header) - ~~~ - -* **`build_auth_header`**: generates the auth header that should be sent to the client with the next request. Accepts `token` and `client` as arguments. Returns a string. - - **Example**: - ~~~ruby - # create client id and token - client_id = SecureRandom.urlsafe_base64(nil, false) - token = SecureRandom.urlsafe_base64(nil, false) - - # store client + token in user's token hash - @resource.tokens[client_id] = { - token: BCrypt::Password.create(token), - expiry: (Time.zone.now + @resource.token_lifespan).to_i - } - - # generate auth headers for response - new_auth_header = @resource.build_auth_header(token, client_id) - - # update response with the header that will be required by the next request - response.headers.merge!(new_auth_header) - ~~~ - -## Using multiple models - -### View Live Multi-User Demos - -* [AngularJS](http://ng-token-auth-demo.herokuapp.com/multi-user) -* [Angular2](https://angular2-token.herokuapp.com) -* [React + jToker](http://j-toker-demo.herokuapp.com/#/alt-user) - -This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app: - -1. Run the install generator for the new model. - ~~~ - rails g devise_token_auth:install Admin admin_auth - ~~~ - - This will create the `Admin` model and define the model's authentication routes with the base path `/admin_auth`. - -1. Define the routes to be used by the `Admin` user within a [`devise_scope`](https://github.com/plataformatec/devise#configuring-routes). - - **Example**: - - ~~~ruby - Rails.application.routes.draw do - # when using multiple models, controllers will default to the first available - # devise mapping. routes for subsequent devise mappings will need to defined - # within a `devise_scope` block - - # define :users as the first devise mapping: - mount_devise_token_auth_for 'User', at: 'auth' - - # define :admins as the second devise mapping. routes using this class will - # need to be defined within a devise_scope as shown below - mount_devise_token_auth_for "Admin", at: 'admin_auth' - - # this route will authorize requests using the User class - get 'demo/members_only', to: 'demo#members_only' - - # routes within this block will authorize requests using the Admin class - devise_scope :admin do - get 'demo/admins_only', to: 'demo#admins_only' - end - end - ~~~ - -1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods): - * `before_action :authenticate_admin!` - * `current_admin` - * `admin_signed_in?` - - -### Group access - -It is also possible to control access to multiple user types at the same time using groups. The following example shows how to limit controller access to both `User` and `Admin` users. - -##### Example: group authentication - -~~~ruby -class DemoGroupController < ApplicationController - devise_token_auth_group :member, contains: [:user, :admin] - before_action :authenticate_member! - - def members_only - render json: { - data: { - message: "Welcome #{current_member.name}", - user: current_member - } - }, status: 200 - end -end -~~~ - -In the above example, the following methods will be available (in addition to `current_user`, `current_admin`, etc.): - - * `before_action: :authenticate_member!` - * `current_member` - * `member_signed_in?` - -## Excluding Modules - -By default, almost all of the Devise modules are included: -* [`database_authenticatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb) -* [`registerable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/registerable.rb) -* [`recoverable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb) -* [`trackable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/trackable.rb) -* [`validatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb) -* [`confirmable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb) -* [`omniauthable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/omniauthable.rb) - -You may not want all of these features enabled in your app. That's OK! You can mix and match to suit your own unique style. - -The following example shows how to disable email confirmation. - -##### Example: disable email confirmation - -Just list the devise modules that you want to include **before** including the `DeviseTokenAuth::Concerns::User` model concern. - -~~~ruby -# app/models/user.rb -class User < ActiveRecord::Base - - # notice this comes BEFORE the include statement below - # also notice that :confirmable is not included in this block - devise :database_authenticatable, :recoverable, - :trackable, :validatable, :registerable, - :omniauthable - - # note that this include statement comes AFTER the devise block above - include DeviseTokenAuth::Concerns::User -end -~~~ - -Some features include routes that you may not want mounted to your app. The following example shows how to disable OAuth and its routes. - -##### Example: disable OAuth authentication - -First instruct the model not to include the `omniauthable` module. - -~~~ruby -# app/models/user.rb -class User < ActiveRecord::Base - - # notice that :omniauthable is not included in this block - devise :database_authenticatable, :confirmable, - :recoverable, :trackable, :validatable, - :registerable - - include DeviseTokenAuth::Concerns::User -end -~~~ - -Now tell the route helper to `skip` mounting the `omniauth_callbacks` controller: - -~~~ruby -Rails.application.routes.draw do - # config/routes.rb - mount_devise_token_auth_for 'User', at: 'auth', skip: [:omniauth_callbacks] -end -~~~ - -## Custom Controller Overrides - -The built-in controllers can be overridden with your own custom controllers. - -For example, the default behavior of the [`validate_token`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb#L6) method of the [`TokenValidationController`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb) is to return the `User` object as json (sans password and token data). The following example shows how to override the `validate_token` action to include a model method as well. - -##### Example: controller overrides - -~~~ruby -# config/routes.rb -Rails.application.routes.draw do - ... - mount_devise_token_auth_for 'User', at: 'auth', controllers: { - token_validations: 'overrides/token_validations' - } -end - -# app/controllers/overrides/token_validations_controller.rb -module Overrides - class TokenValidationsController < DeviseTokenAuth::TokenValidationsController - - def validate_token - # @resource will have been set by set_user_by_token concern - if @resource - render json: { - data: @resource.as_json(methods: :calculate_operating_thetan) - } - else - render json: { - success: false, - errors: ["Invalid login credentials"] - }, status: 401 - end - end - end -end -~~~ - -## Overriding rendering methods -To customize json rendering, implement the following protected controller methods, for success methods, assume that the @resource object is available: - -### Registrations Controller -* render_create_error_missing_confirm_success_url -* render_create_error_redirect_url_not_allowed -* render_create_success -* render_create_error -* render_create_error_email_already_exists -* render_update_success -* render_update_error -* render_update_error_user_not_found - - -### Sessions Controller -* render_new_error -* render_create_success -* render_create_error_not_confirmed -* render_create_error_bad_credentials -* render_destroy_success -* render_destroy_error - - -### Passwords Controller -* render_create_error_missing_email -* render_create_error_missing_redirect_url -* render_create_error_not_allowed_redirect_url -* render_create_success -* render_create_error -* render_update_error_unauthorized -* render_update_error_password_not_required -* render_update_error_missing_password -* render_update_success -* render_update_error - -### Token Validations Controller -* render_validate_token_success -* render_validate_token_error - -##### Example: all :controller options with default settings: - -~~~ruby -mount_devise_token_auth_for 'User', at: 'auth', controllers: { - confirmations: 'devise_token_auth/confirmations', - passwords: 'devise_token_auth/passwords', - omniauth_callbacks: 'devise_token_auth/omniauth_callbacks', - registrations: 'devise_token_auth/registrations', - sessions: 'devise_token_auth/sessions', - token_validations: 'devise_token_auth/token_validations' -} -~~~ - -**Note:** Controller overrides must implement the expected actions of the controllers that they replace. - -## Passing blocks to Controllers - -It may be that you simply want to _add_ behavior to existing controllers without having to re-implement their behavior completely. In this case, you can do so by creating a new controller that inherits from any of DeviseTokenAuth's controllers, overriding whichever methods you'd like to add behavior to by passing a block to `super`: - -```ruby -class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController - - def create - super do |resource| - resource.do_something(extra) - end - end - -end -``` - -Your block will be performed just before the controller would usually render a successful response. - -## Email Template Overrides - -You will probably want to override the default email templates for email sign-up and password-reset confirmation. Run the following command to copy the email templates into your app: - -~~~bash -rails generate devise_token_auth:install_views -~~~ - -This will create two new files: - -* `app/views/devise/mailer/reset_password_instructions.html.erb` -* `app/views/devise/mailer/confirmation_instructions.html.erb` - -These files may be edited to suit your taste. You can customize the e-mail subjects like [this](#customizing-devise-verbiage). - -**Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. - -## Testing - -In order to authorise a request when testing your API you will need to pass the four headers through with your request, the easiest way to gain appropriate values for those headers is to use `resource.create_new_auth_token` e.g. - -```Ruby - request.headers.merge! resource.create_new_auth_token - get '/api/authenticated_resource' - # success -``` - -# Issue Reporting - -When posting issues, please include the information mentioned in the [ISSUE_TEMPLATE.md]. - -[ISSUE_TEMPLATE.md]: https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/ISSUE_TEMPLATE.md - -# FAQ - -### Can I use this gem alongside standard Devise? - -Yes! But you will need to enable the support of separate routes for standard Devise. So do something like this: - -#### config/initializers/devise_token_auth.rb -~~~ruby -DeviseTokenAuth.setup do |config| - # config.enable_standard_devise_support = false -end -~~~ - -#### config/routes.rb -~~~ruby -Rails.application.routes.draw do - - # standard devise routes available at /users - # NOTE: make sure this comes first!!! - devise_for :users - - # token auth routes available at /api/v1/auth - namespace :api do - scope :v1 do - mount_devise_token_auth_for 'User', at: 'auth' - end - end - -end -~~~ - -### Why are the `new` routes included if this gem doesn't use them? - -Removing the `new` routes will require significant modifications to devise. If the inclusion of the `new` routes is causing your app any problems, post an issue in the issue tracker and it will be addressed ASAP. - -### I'm having trouble using this gem alongside [ActiveAdmin](http://activeadmin.info/)... - -For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. - -The solution is to use two separate `ApplicationController` classes - one for your API, and one for ActiveAdmin. Something like this: - -~~~ruby -# app/controllers/api_controller.rb -# API routes extend from this controller -class ApiController < ActionController::Base - include DeviseTokenAuth::Concerns::SetUserByToken -end - -# app/controllers/application_controller.rb -# leave this for ActiveAdmin, and any other non-api routes -class ApplicationController < ActionController::Base -end -~~~ - -### How can I use this gem with Grape? - -You may be interested in [GrapeTokenAuth](https://github.com/mcordell/grape_token_auth) or [GrapeDeviseTokenAuth](https://github.com/mcordell/grape_devise_token_auth). - -### I already have a user, how can I add the new fields? - -Check [Setup migrations for an existing User table](https://github.com/lynndylanhurley/devise_token_auth/wiki/Setup-migrations-for-an-existing-User-table) - - -# Conceptual - -None of the following information is required to use this gem, but read on if you're curious. - -## About token management - -Tokens should be invalidated after each request to the API. The following diagram illustrates this concept: - -![password reset flow](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/token-update-detail.jpg) - -During each request, a new token is generated. The `access-token` header that should be used in the next request is returned in the `access-token` header of the response to the previous request. The last request in the diagram fails because it tries to use a token that was invalidated by the previous request. - -The only case where an expired token is allowed is during [batch requests](#about-batch-requests). - -These measures are taken by default when using this gem. - -## About batch requests - -By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's necessary to make several concurrent requests to the API, for example: - -##### Batch request example - -~~~javascript -$scope.getResourceData = function() { - - $http.get('/api/restricted_resource_1').success(function(resp) { - // handle response - $scope.resource1 = resp.data; - }); - - $http.get('/api/restricted_resource_2').success(function(resp) { - // handle response - $scope.resource2 = resp.data; - }); -}; -~~~ - -In this case, it's impossible to update the `access-token` header for the second request with the `access-token` header of the first response because the second request will begin before the first one is complete. The server must allow these batches of concurrent requests to share the same auth token. This diagram illustrates how batch requests are identified by the server: - -![batch request overview](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-overview.jpg) - -The "5 second" buffer in the diagram is the default used this gem. - -The following diagram details the relationship between the client, server, and access tokens used over time when dealing with batch requests: - -![batch request detail](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-detail.jpg) +Please read the [issue reporting guidelines](#issue-reporting) before posting issues. -Note that when the server identifies that a request is part of a batch request, the user's auth token is not updated. The auth token will be updated and returned with the first request in the batch, and the subsequent requests in the batch will not return a token. This is necessary because the order of the responses cannot be guaranteed to the client, and we need to be sure that the client does not receive an outdated token *after* the the last valid token is returned. +## [FAQ](./docs/faq) -This gem automatically manages batch requests. You can change the time buffer for what is considered a batch request using the `batch_request_buffer_throttle` parameter in `config/initializers/devise_token_auth.rb`. +## Contributors wanted! +See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969). -# Security +## Live Demos -This gem takes the following steps to ensure security. +[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js). -This gem uses auth tokens that are: -* [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)), -* [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html), -* hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text), -* securely compared (to protect against timing attacks), -* invalidated after 2 weeks (thus requiring users to login again) +[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular). -These measures were inspired by [this stackoverflow post](http://stackoverflow.com/questions/18605294/is-devises-token-authenticatable-secure). +[Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/). -This gem further mitigates timing attacks by using [this technique](https://gist.github.com/josevalim/fb706b1e933ef01e4fb6). +The fully configured api used in these demos can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). -But the most important step is to use HTTPS. You are on the hook for that. -# Callouts +## Callouts Thanks to the following contributors: @@ -944,41 +88,20 @@ Thanks to the following contributors: * [@nickL](https://github.com/nickL) * [@mchavarriagam](https://github.com/mchavarriagam) -# Contributing - -See the [CONTRIBUTING.md] document. - -[CONTRIBUTING.md]: https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md - -## Contributors - -This project exists thanks to all the people who contribute. [[Contribute](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md)]. - ## Backers Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/devise_token_auth#backer)] - +[![](https://opencollective.com/devise_token_auth/backers.svg?width=890)](https://opencollective.com/devise_token_auth#backers) ## Sponsors Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/devise_token_auth#sponsor)] - - - - - - - - - - - - +[![](https://opencollective.com/devise_token_auth/sponsor/0/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/0/website) [![](https://opencollective.com/devise_token_auth/sponsor/1/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/1/website) [![](https://opencollective.com/devise_token_auth/sponsor/2/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/2/website) [![](https://opencollective.com/devise_token_auth/sponsor/3/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/3/website) [![](https://opencollective.com/devise_token_auth/sponsor/4/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/4/website) [![](https://opencollective.com/devise_token_auth/sponsor/5/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/5/website) [![](https://opencollective.com/devise_token_auth/sponsor/6/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/6/website) [![](https://opencollective.com/devise_token_auth/sponsor/7/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/7/website) [![](https://opencollective.com/devise_token_auth/sponsor/8/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/8/website) [![](https://opencollective.com/devise_token_auth/sponsor/9/avatar.svg)](https://opencollective.com/devise_token_auth/sponsor/9/website) -# License +## License This project uses the WTFPL diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 000000000..a13a4c39e --- /dev/null +++ b/docs/README.md @@ -0,0 +1,27 @@ +# Table of Contents + +* [Configuration](./config) + * [Introduction](./config) + * [Initializer Settings](./config/initialization.md) + * [OmniAuth](./config/omniauth.md) + * [Email Authentication](./config/email_auth.md) + * [Customizing Devise Verbiage](./config/devise.md) + * [Cross Origin Requests (CORS)](./config/cors.md) +* [Usage](./usage) + * [Introduction](./usage) + * [Mounting Routes](./usage/routes.md) + * [Controller Integration](./usage/controller_concerns.md) + * [Model Integration](./usage/model_concerns.md) + * [Using Multiple User Classes](./usage/multiple_models.md) + * [Excluding Modules](./usage/excluding_models.md) + * [Custom Controller/Email Overrides](./usage/overrides.md) + * [Testing](./usage/testing.md) +* [FAQ](faq.md) + * [Can I use this gem alongside standard Devise?](faq.md#can-i-use-this-gem-alongside-standard-devise) + * [What's the reset password flow?](faq.md#whats-the-reset-password-flow) + * [How can I use this gem with Grape?](faq.md#how-can-i-use-this-gem-with-grape) + * [I already have an user, how can I add the new fields?](faq.md#i-already-have-an-user-how-can-i-add-the-new-fields) +* [Conceptual Diagrams](conceptual.md) + * [Token Management](conceptual.md#about-token-management) + * [Batch Requests](conceptual.md#about-batch-requests) +* [Security](security.md) diff --git a/docs/conceptual.md b/docs/conceptual.md new file mode 100644 index 000000000..9ebf5fbf5 --- /dev/null +++ b/docs/conceptual.md @@ -0,0 +1,50 @@ +# Conceptual + +None of the following information is required to use this gem, but read on if you're curious. + +## About token management + +Tokens should be invalidated after each request to the API. The following diagram illustrates this concept: + +![password reset flow](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/token-update-detail.jpg) + +During each request, a new token is generated. The `access-token` header that should be used in the next request is returned in the `access-token` header of the response to the previous request. The last request in the diagram fails because it tries to use a token that was invalidated by the previous request. + +The only case where an expired token is allowed is during [batch requests](#about-batch-requests). + +These measures are taken by default when using this gem. + +## About batch requests + +By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's necessary to make several concurrent requests to the API, for example: + +##### Batch request example + +~~~javascript +$scope.getResourceData = function() { + + $http.get('/api/restricted_resource_1').success(function(resp) { + // handle response + $scope.resource1 = resp.data; + }); + + $http.get('/api/restricted_resource_2').success(function(resp) { + // handle response + $scope.resource2 = resp.data; + }); +}; +~~~ + +In this case, it's impossible to update the `access-token` header for the second request with the `access-token` header of the first response because the second request will begin before the first one is complete. The server must allow these batches of concurrent requests to share the same auth token. This diagram illustrates how batch requests are identified by the server: + +![batch request overview](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-overview.jpg) + +The "5 second" buffer in the diagram is the default used this gem. + +The following diagram details the relationship between the client, server, and access tokens used over time when dealing with batch requests: + +![batch request detail](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-detail.jpg) + +Note that when the server identifies that a request is part of a batch request, the user's auth token is not updated. The auth token will be updated and returned with the first request in the batch, and the subsequent requests in the batch will not return a token. This is necessary because the order of the responses cannot be guaranteed to the client, and we need to be sure that the client does not receive an outdated token *after* the the last valid token is returned. + +This gem automatically manages batch requests. You can change the time buffer for what is considered a batch request using the `batch_request_buffer_throttle` parameter in `config/initializers/devise_token_auth.rb`. diff --git a/docs/config/README.md b/docs/config/README.md new file mode 100644 index 000000000..3ab179ab8 --- /dev/null +++ b/docs/config/README.md @@ -0,0 +1,45 @@ +## Configuration TL;DR + +You will need to create a [user model](#model-concerns), [define routes](#mounting-routes), [include concerns](#controller-methods), and you may want to alter some of the [default settings](#initializer-settings) for this gem. Run the following command for an easy one-step installation: + +~~~bash +rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH] +~~~ + +**Example**: + +~~~bash +rails g devise_token_auth:install User auth +~~~ + +This generator accepts the following optional arguments: + +| Argument | Default | Description | +|---|---|---| +| USER_CLASS | `User` | The name of the class to use for user authentication. | +| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage-tldr). | + +The following events will take place when using the install generator: + +* An initializer will be created at `config/initializers/devise_token_auth.rb`. [Read more](#initializer-settings). + +* A model will be created in the `app/models` directory. If the model already exists, a concern will be included at the top of the file. [Read more](#model-concerns). + +* Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). + +* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). + +* A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: + + ~~~bash + rake db:migrate + ~~~ + +You may also need to configure the following items: + +* **OmniAuth providers** when using 3rd party oauth2 authentication. [Read more](#omniauth-authentication). +* **Cross Origin Request Settings** when using cross-domain clients. [Read more](#cors). +* **Email** when using email registration. [Read more](#email-authentication). +* **Multiple model support** may require additional steps. [Read more](#using-multiple-models). + +[Jump here](#configuration-cont) for more configuration information. diff --git a/docs/config/cors.md b/docs/config/cors.md new file mode 100644 index 000000000..1e0e35e7a --- /dev/null +++ b/docs/config/cors.md @@ -0,0 +1,30 @@ +## CORS + +If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this. + +The following **dangerous** example will allow cross domain requests from **any** domain. Make sure to whitelist only the needed domains. + +##### Example rack-cors configuration: +~~~ruby +# gemfile +gem 'rack-cors', :require => 'rack/cors' + +# config/application.rb +module YourApp + class Application < Rails::Application + config.middleware.use Rack::Cors do + allow do + origins '*' + resource '*', + :headers => :any, + :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'], + :methods => [:get, :post, :options, :delete, :put] + end + end + end +end +~~~ + +Make extra sure that the `Access-Control-Expose-Headers` includes `access-token`, `expiry`, `token-type`, `uid`, and `client` (as is set in the example above by the`:expose` param). If your client experiences erroneous 401 responses, this is likely the cause. + +CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the [ng-token-auth readme](https://github.com/lynndylanhurley/ng-token-auth) or the [jToker readme](https://github.com/lynndylanhurley/j-toker) for more information. diff --git a/docs/config/device.md b/docs/config/device.md new file mode 100644 index 000000000..e2319c5a5 --- /dev/null +++ b/docs/config/device.md @@ -0,0 +1,13 @@ +## Customizing Devise Verbiage + +Devise Token Auth ships with intelligent default wording for everything you need. But that doesn't mean you can't make it more awesome. You can override the [devise defaults](https://github.com/plataformatec/devise/blob/master/config/locales/en.yml) by creating a YAML file at `config/locales/devise.en.yml` and assigning whatever custom values you want. For example, to customize the subject line of your devise e-mails, you could do this: + +~~~yaml +en: + devise: + mailer: + confirmation_instructions: + subject: "Please confirm your e-mail address" + reset_password_instructions: + subject: "Reset password request" +~~~ diff --git a/docs/config/email_auth.md b/docs/config/email_auth.md new file mode 100644 index 000000000..f20459df9 --- /dev/null +++ b/docs/config/email_auth.md @@ -0,0 +1,16 @@ +## Email authentication +If you wish to use email authentication, you must configure your Rails application to send email. [Read here](http://guides.rubyonrails.org/action_mailer_basics.html) for more information. + +I recommend using [mailcatcher](http://mailcatcher.me/) for development. + +##### mailcatcher development example configuration: +~~~ruby +# config/environments/development.rb +Rails.application.configure do + config.action_mailer.default_url_options = { :host => 'your-dev-host.dev' } + config.action_mailer.delivery_method = :smtp + config.action_mailer.smtp_settings = { :address => 'your-dev-host.dev', :port => 1025 } +end +~~~ + +If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](#email-template-overrides). diff --git a/docs/config/initialization.md b/docs/config/initialization.md new file mode 100644 index 000000000..0ea40d0ae --- /dev/null +++ b/docs/config/initialization.md @@ -0,0 +1,33 @@ +## Initializer settings + +The following settings are available for configuration in `config/initializers/devise_token_auth.rb`: + +| Name | Default | Description| +|---|---|---| +| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. Both [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) and [jToker](https://github.com/lynndylanhurley/j-toker) do this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). | +| **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | +| **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | +| **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | +| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the client. | +| **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the client. | +| **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing matches to the client URLs to be visited after validation. Wildcards are supported. | +| **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! | +| **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. | +| **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. | +| **`bypass_sign_in`** | `true` | By default DeviseTokenAuth will not check user's `#active_for_authentication?` which includes confirmation check on each call (it will do it only on sign in). If you want it to be validated on each request (for example, to be able to deactivate logged in users on the fly), set it to false. | + + +Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: + +~~~ruby +Devise.setup do |config| + # The e-mail address that mail will appear to be sent from + # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com" + config.mailer_sender = "support@myapp.com" + + # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash + # middleware b/c rails-api does not include it. + # See: http://stackoverflow.com/q/19600905/806956 + config.navigational_formats = [:json] +end +~~~ diff --git a/docs/config/omniauth.md b/docs/config/omniauth.md new file mode 100644 index 000000000..310567903 --- /dev/null +++ b/docs/config/omniauth.md @@ -0,0 +1,94 @@ +# OmniAuth + +## OmniAuth authentication + +If you wish to use omniauth authentication, add all of your desired authentication provider gems to your `Gemfile`. + +**OmniAuth example using github, facebook, and google**: +~~~ruby +gem 'omniauth-github' +gem 'omniauth-facebook' +gem 'omniauth-google-oauth2' +~~~ + +Then run `bundle install`. + +[List of oauth2 providers](https://github.com/intridea/omniauth/wiki/List-of-Strategies) + +## OmniAuth provider settings + +In `config/initializers/omniauth.rb`, add the settings for each of your providers. + +These settings must be obtained from the providers themselves. + +**Example using github, facebook, and google**: +~~~ruby +# config/initializers/omniauth.rb +Rails.application.config.middleware.use OmniAuth::Builder do + provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: 'email,profile' + provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'] + provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'] +end +~~~ + +The above example assumes that your provider keys and secrets are stored in environmental variables. Use the [figaro](https://github.com/laserlemon/figaro) gem (or [dotenv](https://github.com/bkeepers/dotenv) or [secrets.yml](https://github.com/rails/rails/blob/v4.1.0/railties/lib/rails/generators/rails/app/templates/config/secrets.yml) or equivalent) to accomplish this. + +#### OmniAuth callback settings + +The "Callback URL" setting that you set with your provider must correspond to the [omniauth prefix](#initializer-settings) setting defined by this app. **This will be different than the omniauth route that is used by your client application**. + +For example, the demo app uses the default `omniauth_prefix` setting `/omniauth`, so the "Authorization callback URL" for github must be set to "http://devise-token-auth-demo.herokuapp.com**/omniauth**/github/callback". + +**Github example for the demo site**: +![password reset flow](https://github.com/lynndylanhurley/devise_token_auth/raw/master/test/dummy/app/assets/images/omniauth-provider-settings.png) + +The url for github authentication will be different for the client. The client should visit the API at `/[MOUNT_PATH]/:provider` for omniauth authentication. + +For example, given that the app is mounted using the following settings: + +~~~ruby +# config/routes.rb +mount_devise_token_auth_for 'User', at: 'auth' +~~~ + +The client configuration for github should look like this: + +**Angular.js setting for authenticating using github**: +~~~javascript +angular.module('myApp', ['ng-token-auth']) + .config(function($authProvider) { + $authProvider.configure({ + apiUrl: 'http://api.example.com' + authProviderPaths: { + github: '/auth/github' // <-- note that this is different than what was set with github + } + }); + }); +~~~ + +**jToker settings for github should look like this: + +~~~javascript +$.auth.configure({ + apiUrl: 'http://api.example.com', + authProviderPaths: { + github: '/auth/github' // <-- note that this is different than what was set with github + } +}); +~~~ + +This incongruence is necessary to support multiple user classes and mounting points. + +#### Note for [pow](http://pow.cx/) and [xip.io](http://xip.io) users + +If you receive `redirect-uri-mismatch` errors from your provider when using pow or xip.io urls, set the following in your development config: + +~~~ruby +# config/environments/development.rb + +# when using pow +OmniAuth.config.full_host = "http://app-name.dev" + +# when using xip.io +OmniAuth.config.full_host = "http://xxx.xxx.xxx.app-name.xip.io" +~~~ diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 000000000..975c97c96 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,130 @@ +## FAQ + +### Can I use this gem alongside standard Devise? + +Yes! But you will need to enable the support of separate routes for standard Devise. So do something like this: + +#### config/initializers/devise_token_auth.rb +~~~ruby +DeviseTokenAuth.setup do |config| + # config.enable_standard_devise_support = false +end +~~~ + +#### config/routes.rb +~~~ruby +Rails.application.routes.draw do + + # standard devise routes available at /users + # NOTE: make sure this comes first!!! + devise_for :users + + # token auth routes available at /api/v1/auth + namespace :api do + scope :v1 do + mount_devise_token_auth_for 'User', at: 'auth' + end + end + +end +~~~ + +### Why are the `new` routes included if this gem doesn't use them? + +Removing the `new` routes will require significant modifications to devise. If the inclusion of the `new` routes is causing your app any problems, post an issue in the issue tracker and it will be addressed ASAP. + +### I'm having trouble using this gem alongside [ActiveAdmin](http://activeadmin.info/)... + +For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. + +The solution is to use two separate `ApplicationController` classes - one for your API, and one for ActiveAdmin. Something like this: + +~~~ruby +# app/controllers/api_controller.rb +# API routes extend from this controller +class ApiController < ActionController::Base + include DeviseTokenAuth::Concerns::SetUserByToken +end + +# app/controllers/application_controller.rb +# leave this for ActiveAdmin, and any other non-api routes +class ApplicationController < ActionController::Base +end +~~~ + + +### How can I use this gem with Grape? + +You may be interested in [GrapeTokenAuth](https://github.com/mcordell/grape_token_auth) or [GrapeDeviseTokenAuth](https://github.com/mcordell/grape_devise_token_auth). + +### What's the reset password flow? + +This accompanies the discussion in [issue #604](https://github.com/lynndylanhurley/devise_token_auth/issues/604). + +This is the overall workflow for a User to reset their password: + +- user goes to a page on the front end site which contains a form with a single text field, they type their email address into this field and click a button to submit the form + +- that form submission sends a request to the API: `POST /auth/password` with some parameters: `email` (the email supplied in the field) & `redirect_url` (a page in the front end site that will contain a form with `password` and `password_confirmation` fields) + +- the API responds to this request by generating a `reset_password_token` and sending an email (the `reset_password_instructions.html.erb` file from devise) to the email address provided within the `email` parameter + - we need to modify the `reset_password_instructions.html.erb` file to point to the API: `GET /auth/password/edit` + - for example, if you have your API under the `api/v1` namespaces: `<%= link_to 'Change my password', edit_api_v1_user_password_url(reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %>` (I came up with this `link_to` by referring to [this line](https://github.com/lynndylanhurley/devise_token_auth/blob/15bf7857eca2d33602c7a9cb9d08db8a160f8ab8/app/views/devise/mailer/reset_password_instructions.html.erb#L5)) + +- the user clicks the link in the email, which brings them to the 'Verify user by password reset token' endpoint (`GET /password/edit`) + +- this endpoint verifies the user and redirects them to the `redirect_url` if they are who they claim to be (if their `reset_password_token` matches a User record) + +- this `redirect_url` is a page on the frontend which contains a `password` and `password_confirmation` field + +- the user submits the form on this frontend page, which sends a request to API: `PUT /auth/password` with the `password` and `password_confirmation` parameters. In addition headers need to be included from the url params. A side note, ensure that the header names follow the convention outlined in `config/initializers/devise_token_auth.rb`; at this time of writing it is: `uid`, `client` and `access-token`. + - _Ensure that the `uid` sent in the headers is not URL-escaped. e.g. it should be bob@example.com, not bob%40example.com_ + +- the API changes the user's password and responds back with a success message + +- the front end needs to manually redirect the user to its login page after receiving this success response + +- the user logs in + + +### I already have an user, how can I add the new fields? + +1. First, remove the migration generated by the following command`rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH]` and then:. +2. Create another fresh migration: + +```ruby + + # create migration by running a command like this (where `User` is your USER_CLASS table): + # `rails g migration AddTokensToUsers provider:string uid:string tokens:text` + + def up + add_column :users, :provider, :string, null: false, default: 'email' + add_column :users, :uid, :string, null: false, default: '' + add_column :users, :tokens, :text + + # if your existing User model does not have an existing **encrypted_password** column uncomment below line. + # add_column :users, :encrypted_password, :null => false, :default => "" + + # the following will update your models so that when you run your migration + + # updates the user table immediately with the above defaults + User.reset_column_information + + # finds all existing users and updates them. + # if you change the default values above you'll also have to change them here below: + User.find_each do |user| + user.uid = user.email + user.provider = 'email' + user.save! + end + + # to speed up lookups to these columns: + add_index :users, [:uid, :provider], unique: true + end + + def down + # if you added **encrypted_password** above, add here to successfully rollback + remove_columns :users, :provider, :uid, :tokens + end + +``` diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 000000000..bedf981e0 --- /dev/null +++ b/docs/security.md @@ -0,0 +1,16 @@ +# Security + +This gem takes the following steps to ensure security. + +This gem uses auth tokens that are: +* [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)), +* [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html), +* hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text), +* securely compared (to protect against timing attacks), +* invalidated after 2 weeks (thus requiring users to login again) + +These measures were inspired by [this stackoverflow post](http://stackoverflow.com/questions/18605294/is-devises-token-authenticatable-secure). + +This gem further mitigates timing attacks by using [this technique](https://gist.github.com/josevalim/fb706b1e933ef01e4fb6). + +But the most important step is to use HTTPS. You are on the hook for that. diff --git a/docs/usage/README.md b/docs/usage/README.md new file mode 100644 index 000000000..9f0405295 --- /dev/null +++ b/docs/usage/README.md @@ -0,0 +1,19 @@ +## Usage TL;DR + +The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [AngularJS](https://angularjs.org/) and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). + +| path | method | purpose | +|:-----|:-------|:--------| +| / | POST | Email registration. Requires **`email`**, **`password`**, **`password_confirmation`**, and **`confirm_success_url`** params (this last one can be omitted if you have set `config.default_confirm_success_url` in `config/initializers/devise_token_auth.rb`). A verification email will be sent to the email address provided. Upon clicking the link in the confirmation email, the API will redirect to the URL specified in **`confirm_success_url`**. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | +| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access-token`** and **`client`** headers. | +| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. | +| /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. | +| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. | +| /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | +| /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | +| /validate_token | GET | Use this route to validate tokens on return visits to the client. Requires **`uid`**, **`client`**, and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | +| /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | +| /password | PUT | Use this route to change users' passwords. Requires **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | +| /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. | + +[Jump here](#usage-cont) for more usage information. diff --git a/docs/usage/controller_concerns.md b/docs/usage/controller_concerns.md new file mode 100644 index 000000000..f2f2df665 --- /dev/null +++ b/docs/usage/controller_concerns.md @@ -0,0 +1,77 @@ +## Controller Methods + +### Concerns + +This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. Include this concern to provide access to [controller methods](#controller-methods) such as [`authenticate_user!`](#authenticate-user), [`user_signed_in?`](#user-signed-in), etc. + +The concern also runs an [after_action](http://guides.rubyonrails.org/action_controller_overview.html#filters) that changes the auth token after each request. + +It is recommended to include the concern in your base `ApplicationController` so that all children of that controller include the concern as well. + +##### Concern example: + +~~~ruby +# app/controllers/application_controller.rb +class ApplicationController < ActionController::Base + include DeviseTokenAuth::Concerns::SetUserByToken +end +~~~ + +### Methods + +This gem provides access to all of the following [devise helpers](https://github.com/plataformatec/devise#controller-filters-and-helpers): + +| Method | Description | +|---|---| +| **`before_action :authenticate_user!`** | Returns a 401 error unless a `User` is signed-in. | +| **`current_user`** | Returns the currently signed-in `User`, or `nil` if unavailable. | +| **`user_signed_in?`** | Returns `true` if a `User` is signed in, otherwise `false`. | +| **`devise_token_auth_group`** | Operate on multiple user classes as a group. [Read more](#group-access) | + +Note that if the model that you're trying to access isn't called `User`, the helper method names will change. For example, if the user model is called `Admin`, the methods would look like this: + +* `before_action :authenticate_admin!` +* `admin_signed_in?` +* `current_admin` + + +##### Example: limit access to authenticated users +~~~ruby +# app/controllers/test_controller.rb +class TestController < ApplicationController + before_action :authenticate_user! + + def members_only + render json: { + data: { + message: "Welcome #{current_user.name}", + user: current_user + } + }, status: 200 + end +end +~~~ + +### Token Header Format + +The authentication information should be included by the client in the headers of each request. The headers follow the [RFC 6750 Bearer Token](http://tools.ietf.org/html/rfc6750) format: + +##### Authentication headers example: +~~~ +"access-token": "wwwww", +"token-type": "Bearer", +"client": "xxxxx", +"expiry": "yyyyy", +"uid": "zzzzz" +~~~ + +The authentication headers (each one is a seperate header) consists of the following params: + +| param | description | +|---|---| +| **`access-token`** | This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request. | +| **`client`** | This enables the use of multiple simultaneous sessions on different clients. (For example, a user may want to be authenticated on both their phone and their laptop at the same time.) | +| **`expiry`** | The date at which the current session will expire. This can be used by clients to invalidate expired tokens without the need for an API request. | +| **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). | + +The authentication headers required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) AngularJS module or the [jToker](https://github.com/lynndylanhurley/j-toker) jQuery plugin, this functionality is already provided. diff --git a/docs/usage/excluding_models.md b/docs/usage/excluding_models.md new file mode 100644 index 000000000..d1a920e82 --- /dev/null +++ b/docs/usage/excluding_models.md @@ -0,0 +1,61 @@ +## Excluding Modules + +By default, almost all of the Devise modules are included: +* [`database_authenticatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb) +* [`registerable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/registerable.rb) +* [`recoverable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb) +* [`trackable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/trackable.rb) +* [`validatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb) +* [`confirmable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb) +* [`omniauthable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/omniauthable.rb) + +You may not want all of these features enabled in your app. That's OK! You can mix and match to suit your own unique style. + +The following example shows how to disable email confirmation. + +##### Example: disable email confirmation + +Just list the devise modules that you want to include **before** including the `DeviseTokenAuth::Concerns::User` model concern. + +~~~ruby +# app/models/user.rb +class User < ActiveRecord::Base + + # notice this comes BEFORE the include statement below + # also notice that :confirmable is not included in this block + devise :database_authenticatable, :recoverable, + :trackable, :validatable, :registerable, + :omniauthable + + # note that this include statement comes AFTER the devise block above + include DeviseTokenAuth::Concerns::User +end +~~~ + +Some features include routes that you may not want mounted to your app. The following example shows how to disable OAuth and its routes. + +##### Example: disable OAuth authentication + +First instruct the model not to include the `omniauthable` module. + +~~~ruby +# app/models/user.rb +class User < ActiveRecord::Base + + # notice that :omniauthable is not included in this block + devise :database_authenticatable, :confirmable, + :recoverable, :trackable, :validatable, + :registerable + + include DeviseTokenAuth::Concerns::User +end +~~~ + +Now tell the route helper to `skip` mounting the `omniauth_callbacks` controller: + +~~~ruby +Rails.application.routes.draw do + # config/routes.rb + mount_devise_token_auth_for 'User', at: 'auth', skip: [:omniauth_callbacks] +end +~~~ diff --git a/docs/usage/model_concerns.md b/docs/usage/model_concerns.md new file mode 100644 index 000000000..708521a80 --- /dev/null +++ b/docs/usage/model_concerns.md @@ -0,0 +1,53 @@ +## Model Concerns + +##### DeviseTokenAuth::Concerns::User + +Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-methods) described above. + +Models that include the `DeviseTokenAuth::Concerns::User` concern will have access to the following public methods (read the above section for context on `token` and `client`): + +* **`valid_token?`**: check if an authentication token is valid. Accepts a `token` and `client` as arguments. Returns a boolean. + + **Example**: + ~~~ruby + # extract token + client_id from auth header + client_id = request.headers['client'] + token = request.headers['access-token'] + + @resource.valid_token?(token, client_id) + ~~~ + +* **`create_new_auth_token`**: creates a new auth token with all of the necessary metadata. Accepts `client` as an optional argument. Will generate a new `client` if none is provided. Returns the authentication headers that should be sent by the client as an object. + + **Example**: + ~~~ruby + # extract client_id from auth header + client_id = request.headers['client'] + + # update token, generate updated auth headers for response + new_auth_header = @resource.create_new_auth_token(client_id) + + # update response with the header that will be required by the next request + response.headers.merge!(new_auth_header) + ~~~ + +* **`build_auth_header`**: generates the auth header that should be sent to the client with the next request. Accepts `token` and `client` as arguments. Returns a string. + + **Example**: + ~~~ruby + # create client id and token + client_id = SecureRandom.urlsafe_base64(nil, false) + token = SecureRandom.urlsafe_base64(nil, false) + + # store client + token in user's token hash + @resource.tokens[client_id] = { + token: BCrypt::Password.create(token), + expiry: (Time.zone.now + @resource.token_lifespan).to_i + } + + # generate auth headers for response + new_auth_header = @resource.build_auth_header(token, client_id) + + # update response with the header that will be required by the next request + response.headers.merge!(new_auth_header) + ~~~ diff --git a/docs/usage/multiple_models.md b/docs/usage/multiple_models.md new file mode 100644 index 000000000..9c1288428 --- /dev/null +++ b/docs/usage/multiple_models.md @@ -0,0 +1,77 @@ +## Using multiple models + +### View Live Multi-User Demos + +* [AngularJS](http://ng-token-auth-demo.herokuapp.com/multi-user) +* [Angular2](https://angular2-token.herokuapp.com) +* [React + jToker](http://j-toker-demo.herokuapp.com/#/alt-user) + +This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app: + +1. Run the install generator for the new model. + ~~~ + rails g devise_token_auth:install Admin admin_auth + ~~~ + + This will create the `Admin` model and define the model's authentication routes with the base path `/admin_auth`. + +1. Define the routes to be used by the `Admin` user within a [`devise_scope`](https://github.com/plataformatec/devise#configuring-routes). + + **Example**: + + ~~~ruby + Rails.application.routes.draw do + # when using multiple models, controllers will default to the first available + # devise mapping. routes for subsequent devise mappings will need to defined + # within a `devise_scope` block + + # define :users as the first devise mapping: + mount_devise_token_auth_for 'User', at: 'auth' + + # define :admins as the second devise mapping. routes using this class will + # need to be defined within a devise_scope as shown below + mount_devise_token_auth_for "Admin", at: 'admin_auth' + + # this route will authorize requests using the User class + get 'demo/members_only', to: 'demo#members_only' + + # routes within this block will authorize requests using the Admin class + devise_scope :admin do + get 'demo/admins_only', to: 'demo#admins_only' + end + end + ~~~ + +1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods): + * `before_action :authenticate_admin!` + * `current_admin` + * `admin_signed_in?` + + +### Group access + +It is also possible to control access to multiple user types at the same time using groups. The following example shows how to limit controller access to both `User` and `Admin` users. + +##### Example: group authentication + +~~~ruby +class DemoGroupController < ApplicationController + devise_token_auth_group :member, contains: [:user, :admin] + before_action :authenticate_member! + + def members_only + render json: { + data: { + message: "Welcome #{current_member.name}", + user: current_member + } + }, status: 200 + end +end +~~~ + +In the above example, the following methods will be available (in addition to `current_user`, `current_admin`, etc.): + + * `before_action: :authenticate_member!` + * `current_member` + * `member_signed_in?` diff --git a/docs/usage/overrides.md b/docs/usage/overrides.md new file mode 100644 index 000000000..a085802ad --- /dev/null +++ b/docs/usage/overrides.md @@ -0,0 +1,126 @@ +## Custom Controller Overrides + +The built-in controllers can be overridden with your own custom controllers. + +For example, the default behavior of the [`validate_token`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb#L6) method of the [`TokenValidationController`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb) is to return the `User` object as json (sans password and token data). The following example shows how to override the `validate_token` action to include a model method as well. + +##### Example: controller overrides + +~~~ruby +# config/routes.rb +Rails.application.routes.draw do + ... + mount_devise_token_auth_for 'User', at: 'auth', controllers: { + token_validations: 'overrides/token_validations' + } +end + +# app/controllers/overrides/token_validations_controller.rb +module Overrides + class TokenValidationsController < DeviseTokenAuth::TokenValidationsController + + def validate_token + # @resource will have been set by set_user_by_token concern + if @resource + render json: { + data: @resource.as_json(methods: :calculate_operating_thetan) + } + else + render json: { + success: false, + errors: ["Invalid login credentials"] + }, status: 401 + end + end + end +end +~~~ + +## Overriding rendering methods +To customize json rendering, implement the following protected controller methods, for success methods, assume that the @resource object is available: + +### Registrations Controller +* render_create_error_missing_confirm_success_url +* render_create_error_redirect_url_not_allowed +* render_create_success +* render_create_error +* render_create_error_email_already_exists +* render_update_success +* render_update_error +* render_update_error_user_not_found + + +### Sessions Controller +* render_new_error +* render_create_success +* render_create_error_not_confirmed +* render_create_error_bad_credentials +* render_destroy_success +* render_destroy_error + + +### Passwords Controller +* render_create_error_missing_email +* render_create_error_missing_redirect_url +* render_create_error_not_allowed_redirect_url +* render_create_success +* render_create_error +* render_update_error_unauthorized +* render_update_error_password_not_required +* render_update_error_missing_password +* render_update_success +* render_update_error + +### Token Validations Controller +* render_validate_token_success +* render_validate_token_error + +##### Example: all :controller options with default settings: + +~~~ruby +mount_devise_token_auth_for 'User', at: 'auth', controllers: { + confirmations: 'devise_token_auth/confirmations', + passwords: 'devise_token_auth/passwords', + omniauth_callbacks: 'devise_token_auth/omniauth_callbacks', + registrations: 'devise_token_auth/registrations', + sessions: 'devise_token_auth/sessions', + token_validations: 'devise_token_auth/token_validations' +} +~~~ + +**Note:** Controller overrides must implement the expected actions of the controllers that they replace. + +## Passing blocks to Controllers + +It may be that you simply want to _add_ behavior to existing controllers without having to re-implement their behavior completely. In this case, you can do so by creating a new controller that inherits from any of DeviseTokenAuth's controllers, overriding whichever methods you'd like to add behavior to by passing a block to `super`: + +```ruby +class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController + + def create + super do |resource| + resource.do_something(extra) + end + end + +end +``` + +Your block will be performed just before the controller would usually render a successful response. + +## Email Template Overrides + +You will probably want to override the default email templates for email sign-up and password-reset confirmation. Run the following command to copy the email templates into your app: + +~~~bash +rails generate devise_token_auth:install_views +~~~ + +This will create two new files: + +* `app/views/devise/mailer/reset_password_instructions.html.erb` +* `app/views/devise/mailer/confirmation_instructions.html.erb` + +These files may be edited to suit your taste. You can customize the e-mail subjects like [this](#customizing-devise-verbiage). + +**Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. diff --git a/docs/usage/routes.md b/docs/usage/routes.md new file mode 100644 index 000000000..061228c10 --- /dev/null +++ b/docs/usage/routes.md @@ -0,0 +1,20 @@ +## Mounting Routes + +The authentication routes must be mounted to your project. This gem includes a route helper for this purpose: + +**`mount_devise_token_auth_for`** - similar to `devise_for`, this method is used to append the routes necessary for user authentication. This method accepts the following arguments: + +| Argument | Type | Default | Description | +|---|---|---|---| +|`class_name`| string | 'User' | The name of the class to use for authentication. This class must include the [model concern described here](#model-concerns). | +| `options` | object | {at: 'auth'} | The [routes to be used for authentication](#usage) will be prefixed by the path specified in the `at` param of this object. | + +**Example**: +~~~ruby +# config/routes.rb +mount_devise_token_auth_for 'User', at: 'auth' +~~~ + +Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly. + +You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin. diff --git a/docs/usage/testing.md b/docs/usage/testing.md new file mode 100644 index 000000000..7f364ed39 --- /dev/null +++ b/docs/usage/testing.md @@ -0,0 +1,164 @@ +## Testing + +In order to authorize a request when testing your API you will need to pass the four headers through with your request, the easiest way to gain appropriate values for those headers is to use `resource.create_new_auth_token` e.g. + +```Ruby + request.headers.merge! resource.create_new_auth_token + get '/api/authenticated_resource' + # success +``` + +### Testing with Rspec + +### (a) General Request Specs + +Below are some generic examples which may assist in helping you devise (pun intended) your own tests: + +```ruby +# I've called it authentication_test_spec.rb and placed it in the spec/requests folder +require 'rails_helper' +include ActionController::RespondWith + +# The authentication header looks something like this: +# {"access-token"=>"abcd1dMVlvW2BT67xIAS_A", "token-type"=>"Bearer", "client"=>"LSJEVZ7Pq6DX5LXvOWMq1w", "expiry"=>"1519086891", "uid"=>"darnell@konopelski.info"} + +describe "Whether access is ocurring properly", type: :request do + before(:each) do + @current_user = FactoryBot.create(:user) + @client = FactoryBot.create :client + end + + context "context: general authentication via API, " do + it "doesn't give you anything if you don't log in" do + get api_client_path(@client) + expect(response.status).to eq(401) + end + + it "gives you an authentication code if you are an existing user and you satisfy the password" do + login + # puts "#{response.headers.inspect}" + # puts "#{response.body.inspect}" + expect(response.has_header?('access-token')).to eq(true) + end + + it "gives you a status 200 on signing in " do + login + expect(response.status).to eq(200) + end + + it "gives you an authentication code if you are an existing user and you satisfy the password" do + login + expect(response.has_header?('access-token')).to eq(true) + end + + it "first get a token, then access a restricted page" do + login + auth_params = get_auth_params_from_login_response_headers(response) + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).to have_http_status(:success) + end + + it "deny access to a restricted page with an incorrect token" do + login + auth_params = get_auth_params_from_login_response_headers(response).tap { |h| h.each{|k,v| + if k == 'access-token' + h[k] = '123' + end} + } + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).not_to have_http_status(:success) + end + end + + RSpec.shared_examples "use authentication tokens of different ages" do |token_age, http_status| + let(:vary_authentication_age) { token_age } + + it "uses the given parameter" do + expect(vary_authentication_age(token_age)).to have_http_status(http_status) + end + + def vary_authentication_age(token_age) + login + auth_params = get_auth_params_from_login_response_headers(response) + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).to have_http_status(:success) + + allow(Time).to receive(:now).and_return(Time.now + token_age) + + get api_find_client_by_name_path(new_client.name), headers: auth_params + return response + end + end + + context "test access tokens of varying ages" do + include_examples "use authentication tokens of different ages", 2.days, :success + include_examples "use authentication tokens of different ages", 5.years, :unauthorized + end + + def login + post api_user_session_path, params: { email: @current_user.email, password: "password"}.to_json, headers: { 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json' } + end + + def get_auth_params_from_login_response_headers(response) + client = response.headers['client'] + token = response.headers['access-token'] + expiry = response.headers['expiry'] + token_type = response.headers['token-type'] + uid = response.headers['uid'] + + auth_params = { + 'access-token' => token, + 'client' => client, + 'uid' => uid, + 'expiry' => expiry, + 'token_type' => token_type + } + auth_params + end +end +``` + +### (b) How to create an authorisation header from Scratch + +```ruby +require 'rails_helper' +include ActionController::RespondWith + +def create_auth_header_from_scratch + # You need to set up factory bot to use this method + @current_user = FactoryBot.create(:user) + # create client id and token + client_id = SecureRandom.urlsafe_base64(nil, false) + token = SecureRandom.urlsafe_base64(nil, false) + + # store client + token in user's token hash + @current_user.tokens[client_id] = { + token: BCrypt::Password.create(token), + expiry: (Time.now + 1.day).to_i + } + + # Now we have to pretend like an API user has already logged in. + # (When the user actually logs in, the server will send the user + # - assuming that the user has correctly and successfully logged in + # - four auth headers. We are to then use these headers to access + # things which are typically restricted + # The following assumes that the user has received those headers + # and that they are then using those headers to make a request + + new_auth_header = @current_user.build_auth_header(token, client_id) + + puts "This is the new auth header" + puts "#{new_auth_header}" + + # update response with the header that will be required by the next request + puts "#{response.headers.merge!(new_auth_header)}" +end +``` + +### Further Examples of Request Specs + +* https://gist.github.com/blaze182/3a59a6af8c6a7aaff7bf5f8078a5f2b6 +* https://gist.github.com/niinyarko/f146f24a50125d55396f63043a2696e7 From 7d7178b94eb5311194819b798ed4a3342c2450eb Mon Sep 17 00:00:00 2001 From: MaicolBen Date: Sat, 24 Mar 2018 21:55:58 -0300 Subject: [PATCH 2/4] Add gitbook table of contents --- README.md | 6 ++--- SUMMARY.md | 27 +++++++++++++++++++ docs/README.md | 27 ------------------- docs/config/README.md | 20 +++++++------- docs/config/{device.md => devise.md} | 0 docs/config/email_auth.md | 6 ++--- docs/config/omniauth.md | 2 +- docs/usage/README.md | 2 -- ...ller_concerns.md => controller_methods.md} | 2 +- docs/usage/model_concerns.md | 2 +- docs/usage/overrides.md | 2 +- docs/usage/routes.md | 2 +- 12 files changed, 47 insertions(+), 51 deletions(-) create mode 100644 SUMMARY.md delete mode 100644 docs/README.md rename docs/config/{device.md => devise.md} (100%) rename docs/usage/{controller_concerns.md => controller_methods.md} (96%) diff --git a/README.md b/README.md index 00a42e6b6..f5c4c8de1 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ Simple, secure token-based authentication for Rails. This gem provides the follo * Login and logout * Password reset, account confirmation * Support for [multiple user models](./docs/usage/multiple_models.md). -* It is [secure](./docs/security.md). +* It is [secure](docs/security.md). This project leverages the following gems: @@ -44,7 +44,7 @@ Then install the gem using bundle: bundle install ~~~ -## [Docs](./docs) +## [Docs](https://maicolben.gitbooks.io/devise-token-auth/content/docs/config/) ## Need help? @@ -54,7 +54,7 @@ Please open GitHub issues for bugs and enhancements only, not general help reque Please read the [issue reporting guidelines](#issue-reporting) before posting issues. -## [FAQ](./docs/faq) +## [FAQ](docs/faq.md) ## Contributors wanted! diff --git a/SUMMARY.md b/SUMMARY.md new file mode 100644 index 000000000..a2cd8182b --- /dev/null +++ b/SUMMARY.md @@ -0,0 +1,27 @@ +# Summary + +* Introduction + * [Installation](README.md#installation) + * [Need help?](README.md#need-help) + * [Live demos](README.md#live-demos) +* Configuration + * [Introduction](docs/config/README.md) + * [Initializer Settings](docs/config/initialization.md) + * [OmniAuth](docs/config/omniauth.md) + * [Email Authentication](docs/config/email_auth.md) + * [Customizing Devise Verbiage](docs/config/devise.md) + * [Cross Origin Requests (CORS)](docs/config/cors.md) +* Usage + * [Introduction](docs/usage/README.md) + * [Mounting Routes](docs/usage/routes.md) + * [Controller Integration](docs/usage/controller_methods.md) + * [Model Integration](docs/usage/model_concerns.md) + * [Using Multiple User Classes](docs/usage/multiple_models.md) + * [Excluding Modules](docs/usage/excluding_models.md) + * [Custom Controller/Email Overrides](docs/usage/overrides.md) + * [Testing](docs/usage/testing.md) +* [FAQ](docs/faq.md) +* [Conceptual Diagrams](docs/conceptual.md) + * [Token Management](docs/conceptual.md#about-token-management) + * [Batch Requests](docs/conceptual.md#about-batch-requests) +* [Security](docs/security.md) diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index a13a4c39e..000000000 --- a/docs/README.md +++ /dev/null @@ -1,27 +0,0 @@ -# Table of Contents - -* [Configuration](./config) - * [Introduction](./config) - * [Initializer Settings](./config/initialization.md) - * [OmniAuth](./config/omniauth.md) - * [Email Authentication](./config/email_auth.md) - * [Customizing Devise Verbiage](./config/devise.md) - * [Cross Origin Requests (CORS)](./config/cors.md) -* [Usage](./usage) - * [Introduction](./usage) - * [Mounting Routes](./usage/routes.md) - * [Controller Integration](./usage/controller_concerns.md) - * [Model Integration](./usage/model_concerns.md) - * [Using Multiple User Classes](./usage/multiple_models.md) - * [Excluding Modules](./usage/excluding_models.md) - * [Custom Controller/Email Overrides](./usage/overrides.md) - * [Testing](./usage/testing.md) -* [FAQ](faq.md) - * [Can I use this gem alongside standard Devise?](faq.md#can-i-use-this-gem-alongside-standard-devise) - * [What's the reset password flow?](faq.md#whats-the-reset-password-flow) - * [How can I use this gem with Grape?](faq.md#how-can-i-use-this-gem-with-grape) - * [I already have an user, how can I add the new fields?](faq.md#i-already-have-an-user-how-can-i-add-the-new-fields) -* [Conceptual Diagrams](conceptual.md) - * [Token Management](conceptual.md#about-token-management) - * [Batch Requests](conceptual.md#about-batch-requests) -* [Security](security.md) diff --git a/docs/config/README.md b/docs/config/README.md index 3ab179ab8..6ea0faaee 100644 --- a/docs/config/README.md +++ b/docs/config/README.md @@ -1,6 +1,6 @@ ## Configuration TL;DR -You will need to create a [user model](#model-concerns), [define routes](#mounting-routes), [include concerns](#controller-methods), and you may want to alter some of the [default settings](#initializer-settings) for this gem. Run the following command for an easy one-step installation: +You will need to create a [user model](/docs/usage/model_concerns.md), [define routes](/docs/usage/routes.md), [include concerns](/docs/usage/controller_methods.md), and you may want to alter some of the [default settings](initialization.md) for this gem. Run the following command for an easy one-step installation: ~~~bash rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH] @@ -21,13 +21,13 @@ This generator accepts the following optional arguments: The following events will take place when using the install generator: -* An initializer will be created at `config/initializers/devise_token_auth.rb`. [Read more](#initializer-settings). +* An initializer will be created at `config/initializers/devise_token_auth.rb`. [Read more](initialization.md). -* A model will be created in the `app/models` directory. If the model already exists, a concern will be included at the top of the file. [Read more](#model-concerns). +* A model will be created in the `app/models` directory. If the model already exists, a concern will be included at the top of the file. [Read more](/docs/usage/model_concerns.md). -* Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). +* Routes will be appended to file at `config/routes.rb`. [Read more](/docs/usage/routes.md). -* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). +* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](/docs/usage/controller_methods.md). * A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: @@ -37,9 +37,7 @@ The following events will take place when using the install generator: You may also need to configure the following items: -* **OmniAuth providers** when using 3rd party oauth2 authentication. [Read more](#omniauth-authentication). -* **Cross Origin Request Settings** when using cross-domain clients. [Read more](#cors). -* **Email** when using email registration. [Read more](#email-authentication). -* **Multiple model support** may require additional steps. [Read more](#using-multiple-models). - -[Jump here](#configuration-cont) for more configuration information. +* **OmniAuth providers** when using 3rd party oauth2 authentication. [Read more](omniauth.md). +* **Cross Origin Request Settings** when using cross-domain clients. [Read more](cors.md). +* **Email** when using email registration. [Read more](email-auth.md). +* **Multiple model support** may require additional steps. [Read more](/docs/usage/multiple_models.md). diff --git a/docs/config/device.md b/docs/config/devise.md similarity index 100% rename from docs/config/device.md rename to docs/config/devise.md diff --git a/docs/config/email_auth.md b/docs/config/email_auth.md index f20459df9..afddc480b 100644 --- a/docs/config/email_auth.md +++ b/docs/config/email_auth.md @@ -7,10 +7,10 @@ I recommend using [mailcatcher](http://mailcatcher.me/) for development. ~~~ruby # config/environments/development.rb Rails.application.configure do - config.action_mailer.default_url_options = { :host => 'your-dev-host.dev' } + config.action_mailer.default_url_options = { host: 'your-dev-host.dev' } config.action_mailer.delivery_method = :smtp - config.action_mailer.smtp_settings = { :address => 'your-dev-host.dev', :port => 1025 } + config.action_mailer.smtp_settings = { address: 'your-dev-host.dev', port: 1025 } end ~~~ -If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](#email-template-overrides). +If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](/docs/usage/overrides.md#email-template-overrides). diff --git a/docs/config/omniauth.md b/docs/config/omniauth.md index 310567903..8f4bff8d2 100644 --- a/docs/config/omniauth.md +++ b/docs/config/omniauth.md @@ -35,7 +35,7 @@ The above example assumes that your provider keys and secrets are stored in envi #### OmniAuth callback settings -The "Callback URL" setting that you set with your provider must correspond to the [omniauth prefix](#initializer-settings) setting defined by this app. **This will be different than the omniauth route that is used by your client application**. +The "Callback URL" setting that you set with your provider must correspond to the [omniauth prefix](initialization.md) setting defined by this app. **This will be different than the omniauth route that is used by your client application**. For example, the demo app uses the default `omniauth_prefix` setting `/omniauth`, so the "Authorization callback URL" for github must be set to "http://devise-token-auth-demo.herokuapp.com**/omniauth**/github/callback". diff --git a/docs/usage/README.md b/docs/usage/README.md index 9f0405295..1363ca772 100644 --- a/docs/usage/README.md +++ b/docs/usage/README.md @@ -15,5 +15,3 @@ The following routes are available for use by your client. These routes live rel | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | | /password | PUT | Use this route to change users' passwords. Requires **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. | - -[Jump here](#usage-cont) for more usage information. diff --git a/docs/usage/controller_concerns.md b/docs/usage/controller_methods.md similarity index 96% rename from docs/usage/controller_concerns.md rename to docs/usage/controller_methods.md index f2f2df665..d6a48a49f 100644 --- a/docs/usage/controller_concerns.md +++ b/docs/usage/controller_methods.md @@ -2,7 +2,7 @@ ### Concerns -This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. Include this concern to provide access to [controller methods](#controller-methods) such as [`authenticate_user!`](#authenticate-user), [`user_signed_in?`](#user-signed-in), etc. +This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. Include this concern to provide access to controller methods such as `authenticate_user!`, `user_signed_in?`, etc. The concern also runs an [after_action](http://guides.rubyonrails.org/action_controller_overview.html#filters) that changes the auth token after each request. diff --git a/docs/usage/model_concerns.md b/docs/usage/model_concerns.md index 708521a80..e2ad78f7c 100644 --- a/docs/usage/model_concerns.md +++ b/docs/usage/model_concerns.md @@ -2,7 +2,7 @@ ##### DeviseTokenAuth::Concerns::User -Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-methods) described above. +Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](controller_methods.md). Models that include the `DeviseTokenAuth::Concerns::User` concern will have access to the following public methods (read the above section for context on `token` and `client`): diff --git a/docs/usage/overrides.md b/docs/usage/overrides.md index a085802ad..9b990269e 100644 --- a/docs/usage/overrides.md +++ b/docs/usage/overrides.md @@ -121,6 +121,6 @@ This will create two new files: * `app/views/devise/mailer/reset_password_instructions.html.erb` * `app/views/devise/mailer/confirmation_instructions.html.erb` -These files may be edited to suit your taste. You can customize the e-mail subjects like [this](#customizing-devise-verbiage). +These files may be edited to suit your taste. You can customize the e-mail subjects like [this](/docs/config/devise.md). **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. diff --git a/docs/usage/routes.md b/docs/usage/routes.md index 061228c10..0105f3183 100644 --- a/docs/usage/routes.md +++ b/docs/usage/routes.md @@ -15,6 +15,6 @@ The authentication routes must be mounted to your project. This gem includes a r mount_devise_token_auth_for 'User', at: 'auth' ~~~ -Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly. +Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](model_concerns.md) for authentication to work properly. You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin. From 358e8b1bdfcbf4ebfb67247ad40a629b8f8e07cd Mon Sep 17 00:00:00 2001 From: MaicolBen Date: Wed, 28 Mar 2018 23:49:01 -0300 Subject: [PATCH 3/4] Readme and doc improvements --- README.md | 27 ++--- docs/config/cors.md | 6 +- docs/faq.md | 16 ++- docs/password_diagram_reset.jpg | Bin 0 -> 217594 bytes docs/usage/testing.md | 204 ++++++++++++++++---------------- 5 files changed, 126 insertions(+), 127 deletions(-) create mode 100644 docs/password_diagram_reset.jpg diff --git a/README.md b/README.md index f5c4c8de1..3182172fe 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,13 @@ [![Sponsors on Open Collective](https://opencollective.com/devise_token_auth/sponsors/badge.svg)](#sponsors) [![Join the chat at https://gitter.im/lynndylanhurley/devise_token_auth](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/lynndylanhurley/devise_token_auth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) -Simple, secure token-based authentication for Rails. This gem provides the following features: +Simple, multi-client and secure token-based authentication for Rails. + +If you're building SPA or a mobile app, and you want authentication, you need tokens, not cookies. +This gem refreshes the tokens on each request, and expires them in a short time, so the app is secure. +Also, it maintains a session for each client/device, so you can have as many sessions as you want. + +## Main features * Seamless integration with: * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js) @@ -52,7 +58,7 @@ Please use [StackOverflow](https://stackoverflow.com/questions/tagged/devise-tok Please open GitHub issues for bugs and enhancements only, not general help requests. Please search previous issues (and Google and StackOverflow) before creating a new issue. -Please read the [issue reporting guidelines](#issue-reporting) before posting issues. +Please read the [ISSUE_TEMPLATE.md] before posting issues. ## [FAQ](docs/faq.md) @@ -71,22 +77,7 @@ See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_toke The fully configured api used in these demos can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). -## Callouts - -Thanks to the following contributors: - -* [@booleanbetrayal](https://github.com/booleanbetrayal) -* [@zachfeldman](https://github.com/zachfeldman) -* [@MaicolBen](https://github.com/MaicolBen) -* [@guilhermesimoes](https://github.com/guilhermesimoes) -* [@jasonswett](https://github.com/jasonswett) -* [@m2omou](https://github.com/m2omou) -* [@smarquez1](https://github.com/smarquez1) -* [@jartek](https://github.com/jartek) -* [@nicolas-besnard](https://github.com/nicolas-besnard) -* [@tbloncar](https://github.com/tbloncar) -* [@nickL](https://github.com/nickL) -* [@mchavarriagam](https://github.com/mchavarriagam) +## Contributors diff --git a/docs/config/cors.md b/docs/config/cors.md index 1e0e35e7a..eb19a6901 100644 --- a/docs/config/cors.md +++ b/docs/config/cors.md @@ -16,9 +16,9 @@ module YourApp allow do origins '*' resource '*', - :headers => :any, - :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'], - :methods => [:get, :post, :options, :delete, :put] + headers: :any, + expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'], + methods: [:get, :post, :options, :delete, :put] end end end diff --git a/docs/faq.md b/docs/faq.md index 975c97c96..8d7de0ad3 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -7,7 +7,7 @@ Yes! But you will need to enable the support of separate routes for standard Dev #### config/initializers/devise_token_auth.rb ~~~ruby DeviseTokenAuth.setup do |config| - # config.enable_standard_devise_support = false + config.enable_standard_devise_support = true end ~~~ @@ -59,8 +59,6 @@ You may be interested in [GrapeTokenAuth](https://github.com/mcordell/grape_toke ### What's the reset password flow? -This accompanies the discussion in [issue #604](https://github.com/lynndylanhurley/devise_token_auth/issues/604). - This is the overall workflow for a User to reset their password: - user goes to a page on the front end site which contains a form with a single text field, they type their email address into this field and click a button to submit the form @@ -73,11 +71,11 @@ This is the overall workflow for a User to reset their password: - the user clicks the link in the email, which brings them to the 'Verify user by password reset token' endpoint (`GET /password/edit`) -- this endpoint verifies the user and redirects them to the `redirect_url` if they are who they claim to be (if their `reset_password_token` matches a User record) +- this endpoint verifies the user and redirects them to the `redirect_url` (or the one you set in an initializer as default_password_reset_url) with the auth headers if they are who they claim to be (if their `reset_password_token` matches a User record) - this `redirect_url` is a page on the frontend which contains a `password` and `password_confirmation` field -- the user submits the form on this frontend page, which sends a request to API: `PUT /auth/password` with the `password` and `password_confirmation` parameters. In addition headers need to be included from the url params. A side note, ensure that the header names follow the convention outlined in `config/initializers/devise_token_auth.rb`; at this time of writing it is: `uid`, `client` and `access-token`. +- the user submits the form on this frontend page, which sends a request to API: `PUT /auth/password` with the `password` and `password_confirmation` parameters. In addition headers need to be included from the url params (you get these from the url as query params). A side note, ensure that the header names follow the convention outlined in `config/initializers/devise_token_auth.rb`; at this time of writing it is: `uid`, `client` and `access-token`. - _Ensure that the `uid` sent in the headers is not URL-escaped. e.g. it should be bob@example.com, not bob%40example.com_ - the API changes the user's password and responds back with a success message @@ -86,8 +84,14 @@ This is the overall workflow for a User to reset their password: - the user logs in +The next diagram shows how it works: + +![password reset flow](password_diagram_reset.jpg) + +If you get in any trouble configuring or overriding the behavior, you can check the [issue #604](https://github.com/lynndylanhurley/devise_token_auth/issues/604). + -### I already have an user, how can I add the new fields? +### I already have a user, how can I add the new fields? 1. First, remove the migration generated by the following command`rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH]` and then:. 2. Create another fresh migration: diff --git a/docs/password_diagram_reset.jpg b/docs/password_diagram_reset.jpg new file mode 100644 index 0000000000000000000000000000000000000000..a0aff487f843e46ae07087d14a540c5165ed3750 GIT binary patch literal 217594 zcmeFZ2|Sc^q^fOl8lOy=-Hb#AIj0 zm{Cc{jAcB`_J8!g@ArMrdC&R(zrX)EpZEMfpZ~daPtWI>=eh6ey6$Vcuj{&pHO`uW z2%SDYCcRckk=l+B-VCxG>D5z|X&6_V4f#2JvF&b8G!OqUX#lgYB#mxmaZeH%~#>>z9yYc_E3I1+7w;S}2#sUXn1IOUx zl;7))dH=PAoh`kOLG5VGdyk9KxW#j#GyGZ~vFjfP?kO&+*PC5I$P-$j+^?A)RbNL*;{ac7oz2a#?dsD=rZ+7>O zY{5xN@h{0d?JS5Wu=0&F1@N1d{Xg3{Vxd?_T&YV!69=h^sUvQhCY2-i74&#!pg3nS4eOkzQz zE^g&qn`S|r20u<5Qjp6`#Je2dU2=x!{ITy?({dx{S5CpkXxYijWv_Bfu5G1Rd-tmJ z-Kda?=xABG^+BuPi2iO;h4BHT7CE|01G0eFK@YgP=T*)^;4){Ce3bGhV+&WMUp+Ec zQ=?T{gb~_E1%Rs@^@&ia7mE^FaM3W&yL)k~^p0%|$ej%l*rH zaeyL>{-iI95w#9y@Tsovyl)%;n9|PDjesGF0!gEdz~|&G^pgb<^fQer+_=@f8+stq z)Bk3VYE{_}nam4Ex_74--v%;3I_U#^zxw&7kQ?^7`o^J(^{3<#)4F&qSvrCWiV*yX@~=StS1o6cvu9Q{Bno| z0T@Uqh(%Ib?*&G7BiBK#eSLX^#JhuK2~vtlmI8F~tF3}i&OMLVwvx%q-Ar+yXeLaQ zq!I2X!Gf4jxJrTot9J64?JkBA@9NvzetfGEBL0m9kwJS|gCMdQ9iP$I0gMvPy;vZr z7uKK3zVRyQf@M^24)>jvE<0_ll~+mH-Q{z*MPjix`Ym?Ju#nmPLbpDZDNR5Ad>zh? z_@b%0qoXvs!o%pME3H!d)2m&|G*e%6>lyUd66Qw?)d*z#Jl(@=OE7WxOfH&>DU3WZ zW-JpN-PWwpG<=tji8C6NzHIB*;Jf2-uFu1R?{4Oq>3r8EknIT*l`EuBOE^C;7_yW! z;hJnw=aI11Uf8hj?C}M}n;Kw~#?FHDEHKBgR2YJx-ux2!9_voP*R{ZF#A~quGtM%X z2PNCfZ=@%B_o)d+{V=!vIB~Gy{!0Jitdy)j;_QGaM9k)Yu8UL3yIGLQsu}CW2@32O zfS~MgVnLRC@9nzDnVHh9)|4yy>57H=^KYk2KUT@U>Gn=fy3dHeeVZ#+#M#;WZ99Kf z&>eBR3)j=EA#6Q5fWizsLW?<#l4caaJwq34Z{H?;4-;*58iVdOP|EV>{=^v2HocK# z4>S(+TR~8p?7SboO4AuYFUVZ-fE3w;G}=IR?Wl*v)>sP#hxlgC(bU^y9-p3a>bw)V z>q}0G$aTTfg1Tl#q99YY8Zq_ix)Bo|ZQ1=f`cIw7Bv}EwFLyxU9vZQcUG4F@qG{eu z`xK`7Ejfa)^29m`K~-`@&l^V`+Y{jfPI!xv#kHo}EI(vqM||gTg{vzkH!|k>ig}dR zz3HGLK;*@D-uj}u^L8xl z*fdhP8ZabPQ7SF>kt60e*w_8yI0IJtB@WS_Sg;@$MCS;J7+uwsEUI{NhZhUNSqhW{ zw8~Y5YDm^T!3Gj4SP+k^wH}FBFVVHxz|ima;r1wYx*r+6BuU0v0(CP-{M6Q*oqvgl zVH4%wagTaD*iiJ7PpI5|HF?+kU{f5{fCZV!fUUSPxml3%L{}E%tiAZwfn!`^Hvh5? z!(gP)Gr0&3V_u}=7)mfW%Y>p^M1n%qsxGr2ZsR8Yd``u|W#@8a9^GL-^C0$k)Q7on z`qu7qB3dEeNU6ispe-BPTBs3sA!b z(@#oGh|XtE#u?iBi2O7kJWE|@mUwaw`N4XtePxDbUr1*MmS^C26XNsePDHfTZALo! zAUVX|v*L2QT4R)+h0Pw*i!+DXcNZU6jswt4{-!rx*>j8V(9$1Sw|+_ozAE(GkQmcl zIrtVQSjm%Q{`G|2z;M(>&Tw8iQsXL>-<|OS>zOQz>a9z-@)_xtH_tpm{#em=?K`K_ zha8?V=m+>jo$E1J*;apfK7clB9;vp_v)Ebn6=+2VwVUD1uvrq(*D_M0GNB;xb~YXShUS;K}X>U1!B+f{g4R zpgzHBHrf#QF^jPPL?nqh)o5sRXlnB3xo*y%>SERBx#Ap-o8f0Lwa)@qt_{7+)XhHCy%*UPA9#zO&yd5#<~DIjhPn>~IWm|V z4mD*wCoj*cKky~iS~rN@%Y2;bIQdL)$Ask-r}r;R)**~bKmi4I955j-bihO#ZFaBB z8%tNGQNO9#Tz~#L=6cM?gjn6ngT^)AY6&&4_NV0&Z<)iCNpFSLg)3XhX;+h%m}l-h zHeYEZXao{lRyC8>AJFcCtcsz7`mzGG%z_**kE%v*nh0X3DqmQTdH>HmKZDxfu}oQD zfJ`_By9>Rpn8r#D{3UVxc3JNJoH zH_|K)?(W#|x|-{mS>@u4+uPPH$m=}LfY9&RwOVHVJd^GhGrMnX&<0z}^B!!;igpqK6twBCry=BWKxvHr!hR`|1#y)J*#?#4Vn?=}iEcwD!N@i+ytO${L41l3b(pVI zqz*W9tBRG%A8^C>_UyL*fnD6BDX}1Ju|O{+nlwk>2cN`{YjyS(hQ%+!-D%wF>K-d} zf-%C7X{`He0yfpJ-?G`;39cP9t_~(^u$MTUUSA(9AVZf3C{N%lPm@+Cu6XFaM95K?fdYj150r7TO#yh&K3 zZPU)|Er<973(_uv8po~$*Do`9K?m=k&qy;I)rFF0yn=fyvm>P_ejQJo9LPy|9z|0N zt6o^o^z)gc)4?(USiEhoRtT-?d$aB=k3K}UZYhtZHNhMraQ~v~Tp{&#Ny~udJvflA zmr31vsG#!VO6#TX9Ih!S+Zys|HIxqh6eHgc?g^S(w^D^}-NE;`^P7vAPyHzIUpWeXUqGN6A9$AP+s~)Mt-9X%`!NsgFue`DeX*sUg#aj zR}f#gu9|3YH}$$m2zgUOUM{hJjE9ZV5I6%Jyhlee9-zOjvmibM8nm35g|J_gMTU|E zsOMOaNLfl1i3RD>08XQ8K{EOv;+Nktq8ABQI#&Ct`d7cMV#iz!6=?6fk3e8oZA`@= z|AU=vlL2a9H2~*N&Z0Vxu07`(2hzJ&l%fxhlX@OK{cPH+lKfQui$S=7q0$}I@5$i= zHtb9xjH6lV2SyMDTY&9cV~Cn3e$u=g_Qs*zTES{>MrVcKx2ekG3U6olX|}T-i_cK{ zNEGN``gcsLOb~HVS~_3$?4j+X1RxQgL~90~ak0%td|i==`7pIg$6hbDa8>1$jWoRa)Tx2hlW|%QonGK6^)3)b zJBx0$Z`KaxA)Uz@n9nrcGqkSUkGW0tLINdsgY7kHDjVEyBm{Klp)ycIm`VWFnm(A8(xD2 zrOulLd5ANMwqSPBcH*i+Y{t94GsmBaE(Z1F{c`oRgY8QvSN|Um0`bAmgloj}k@nlh6=^|1FC8Ee@YY1XZdGj5 zR$bgu>5Z>ZI5XPG)XB+7r(*+8n3EFgsio&lXf>@Zb5c5RVl4ayV#~-m2&5e7mu4Pj z~CT zke;#9`yu4S%>;W51MV8y=~>?1UBLggl++O1lWUYG#N|gX;@LfG8C`;Ob0s zopdT@?Rf&RmUM8b>r^m={$*5@n#?GM-&~fayE3xX?<&>;Dz@#}0k{~!d|YTQxu1N{ z##}KlrN8y0MVLVHk-sc$4c~eR5 zb;s<^Z6*jn-|>Ds1}}zJ@+>yxqIxiV$?c)CSAZnu3Ukf|JB%kRmIfFBcE+bazx7pOKP4V1&Ey^gp#*CWGp*Z##1BNf$5qJ$^a)+U{1ZY2B zuUp696@_rSvyYBus$I+YcB1gRb*)u|)aLzh|D|Iv|36`+*jPjVsZ;u|R386-nTvxp z{J-@6mj>rY{+HhWQhJa6FTMYz^d9>=y~}($nzhJT5eK94NK4+mC#zknt-@~0R$pK5 z+H^RDmIiER^_FBPCM3O%QcEfrFiUJS=!&sHT9asnqonrZP|RAeyuMTXP{hjaH$rw% zCe>gl5ZvxwSq>MPMz>i~Tnq_u(+8i4`o96Pe>!yqx@Pj-boy|T=U3UN${{`Jk9nTm zCej(RvQq2Uu{D^*CV}enbQkhHgJvO`W zUPRSl&x-OkYd)bIj=;z(-IVe zSi58-3&O{ZVL`fofUeJbMke;h+hB0}&%XoCf+Uae{=*2rgN$)0s9toH217)H7d`WP zb}{DL2Izui#U!{B{!?R0z}?Cx(wVW6AXLA{%noK`qTQ{x6kWi)OY1f;T?c4);ic-` zpgXq1pQeT$xIzwMibS*9x=WgpAov3w6SoQV8l*aO&eTEC^i) z3~SS`VQQctoZxQb&%jA$WMJK4TZ(%?INQ)?!KD+U&{UY8U~A^v>+q1djk-$HOJ-$* z41qibuN-4YKzY!A4e!GLdEsN=ZitBpW-Lzx7K9NCbZXGG3Kp>}$Vqf70kEDY(61$X z!b{4!#^^e@#TpjGGy=STZX0q`GT?)m@L|Spzx$W8mn*tm1qEg&*39U?p?MBM1BU3L zE-=7Y$d6CnN(b{7rSli@j>Up^o`pl(ta%f*JPm?b5WJ3tNCO{f%yk~lPd@{o zXA7tOxPsHI#%5#KmkOp$0>$<`(bRU;!7Ea*CWvP!4Mqgoy244VbhYhGKAf|Pmn`+PZ4Q=MeuO~uZ!{kL@S z)vP5Ynpv<9^)5LwzbM2_FUH8K{EJ#t#4B+3)OUW9EOB_3q3h)c#m9S(@0M`82-%W% zcpa{r>A@Q#psm>gxnrU9Qk--TyQD)i@YLfTa{}Y*zQ(uA58N&t?`TOH4|!1jPz~$u z7X#+|Ma@XdlkiS^$G7hpi^hTjzZ5GzSFgLKij{K2s^{6XreJyGw99scqEcy!%umuf z^>{o|h5RYzCFJJaVxNN9kvTKh_5BT3A3U|cw>!Pd)KCHc=UAz?d$E-Ua=^eoax#V>;Vt631|Aqc1o%*1(PQA!@jQyM1+t%&px2k@@OUt^!u=1Z+q02x1FlpV4 z_$^Q;?aBic1vuy*x^#O`n{|&b#-N`2bGjHbxF4}qP=*K;)RUma*mhj30XM&i=xs~) zhdG8_3~OKTsrdXSjmDS(`k#h4%=}2$o@iSk|8*kc5?b`=m}~BTpza3#nIvUbm>*e? zD#?G;>0<4)f4@++AW>mX&Pm08ZlM&m2SBfxH^TnrybOD6>wX^kpvE7j<8YYWhUA!} zE0{|EC%^4Kf>asw_x_FJrX$SA1mhuopx^a(S<2k;n@a=!8P)&D@#14-!M6uM{e1v! znmY3n=tEc-fsveW+3nT0-AezZl<1s%;?F@^egs~*u?V7YGQABB?ENjFC()oHC}75F zJVgJ+lg&okgmtce8(#yfcmAClbJu`pNs27l8D!x`M8_~?M%DLSiIsg(;c;uR`=!9{ z5({eiPB`e1EP^AS%-WvfEvQ&@J^|5G14gEirPsa}IpnH#a<}}_{*P^{d=TR_$CziZ zTgM9+7Y_bbvs96qBA!ZLQYxema61eT*4-=XEBByk{ z;sx)IQ&JY^`MwpOIv1Eaa<;_1EcxY+!q+M0@5R-wd;U+B(EQ`v=)YA-mOsYcuud2Q zi<`iz4va)F?Ks=|dgQ^oF_b2ZO>?U6619LL=CR7Z!S6GVr~d-kBBtWqXB4kzISaC9 z3)|_(k3W0V)%Dg_l=lJM{r#)dn}AwAog1*o2^RShpJ;ovVPsk6d*+7iyUkx7sr{BB zbKaSX5ACE#O+Rc+jqFpV);;2;rY7WvU+0LcjN~3R=Q2MKo-6Jpc7#8L-?Qj~9fYiM z?7+(l_b*1Acwo(*!k=O4Xd3rAm;Jt>ZA(5on`PWBu|<^lX*q4NYq_1Aw%^!|Y;T_@ zrNmu+dBRjP@{H->xD-|4Gx7yjZGBEYAZZ{M*h`nDd)&jrf1t;%U22W6@DnP zIyC%N?y8N>*%8qTS`K_=P?ASGRuFlKyr+)5&~>pmDA%VJ=c|<>u%Ec{;o+Rfsqwph z#4Eh>&hyklT;A~m7#U_8L5OY@LS8)&IL$Vc*92pTE~Np)(4MDz%j7HM9KQ%zC|dBH z+m+tnbz>Frnra*C%8gZN=I&uUrMWYQq)+a4%ELvf-)BMcv+lVXMN{Ol)^`uYx4kcS z+&Qm}kElO0U-&xib$FceOZNX_=XAYqg|b8L5uhDo4k1L~Ub3N*_w2)$3&=+N2xrk$6smva0vEqZjp=X_}>Pnvm+R$Rh`oariQMfQC592;A;GjS#@MaS}$ z*NW~J-f+DSUOqTqSjg6L;r@B$qGN?Os_&~A@t-psYAL#LjcxjonmL!Dulkj}lgAyO zibZ<)v#~i|b$n}f@2X?*gUfLVac@menI2M2wGqC^yH*%ed?qSxQDwjQ)yR{k=dXdc zbuP)j@_wuOw(zlCxQayaNiFU|#{wMzyN;9G&1{)$G<_8Qo^w}hyfqK~UfnyVh5(tX z5gi8CLc#;O`ES0ymg}mq_n<{f_YbymP*>c9tr?cz&mK0qY(gBmuzS;a?MK{=+T*bQ7MJwD?%MMFtz@^n z9}6g3Z^0 zp`u7nM@8{yQb90Xqr^f+{BG5|E5}96X6Ypiw#om~c7_rTYAqkRqyu7u)JU>4Kxj4GfN1zyclp*&35kxFE>LX?cJ%pl! zh&Vk&BIifyOus7Z7e13VVba^Px7V;@=6aQ8OOK9a3%nMySVht6cpD6FMGN0un7X#q zan7mtJHC2F^nR*L%&dcKGJm1P(Ff&mOg%a;@SNgLJ;Hb%0FBNzGFGl9%O*$b_z-qX z8+7k1;&eprC0zk7UJZ{F5X@=j^L>LHBV~1IOlXk0(sPkojDlwI;B+c_^xFF<%cG8J z>N3`qy~4EGv0e`Sm^D{w*yHx=LQ=k_;?iE2nmq~>y=bJ&D;FTAGy8dSa<13Flbbhx zeY%>rHLPli%Nr$s+ zM-nPplq$+`){_JhS92BZBvKf#D+NL?0U0yqC2kb8(fF4w8aH*`XSiFsPe@2ynq7&1 zcUdEIxr?`(gJubIp8#;=W2Q!Q!evXWT-p+9PuXIiU+2 z5m6j>io{+Y8G?J$?I=nuFL*|cj=l`8bBs7MjIXlIAdaTusfB*PRQtborgGiXe+Ngj@mT0SKJ-0y5d9~M8v=(8l`A* zmw@!8W^qb#{JN@-+VO0q+Q!PJ=A=P^=#{VhlzQzd$T8Keu?4+04KPtZGuBe7b{8Az zBJ%b#U!+|2_g(f&SqESWOOgi#2cNC3R?Ow;h+IBz3dfs~0&~c&Gw>v1?ZZ3ltZ0(w6kB$%$)fZm6wBiqnLV zJ)&N-N3o<(?-!m;Uy;&>x-*GxH8KhykK~S`U2(|AQ_y>K3gARLgBn8fz&)XY%szDOzND;Tm<*4zK*!b*;qKc8w?rN&cE#5!}e9u<=s!!RT?Qd8PNtO+gkIgH<2U;kq5lUr0-kn9`%RD_a=R3LGG>; zA4(9ngK0{&?50>V8s5UaG$wWj86U#1Ag3JcA2A0Byp5`qVkUngxxMv;{zDf}O<RQZQI^I}hc~2-h^5cHv@FqTN`KSd?;dD~b9Dyb^L~ z(l6LCg!jXxGaus*9DV3kg>MS#B#1Qf%^bCE-_nR*FFagK5Op?&~l@w?;f%4BHY z>dtoy2pQ%VY?VeUPMG=W#o^Jr%L4QDJF8}zRA%i5%NNzIRlmSn8ED`BmeW=kXkK{k z)kk{k{V!t4QE*S$Ycy&Cph*+&n~i_cJT&WjulMZmF9lbz6{!~j`rj_@j!xl5Ce10t zy|7VMs@O{Pp?NSrZcHDxjvmE`-VF)p*)K6K^mx-s(>Gk_U3bdmI<}Kf_9yRQj)R-4 zcDQ)Y3|fYMa_I2X9X_L?(mD&x@UuH7@L~Zms~=Lz497lV$TqkKSYEKuKs5Npa@#a? zaLtRpf9pc__1eJH{|9|npBKqAD=2619MzX1SdZxt zo+%gn`T5dWBP%zh?6)Vz&RK}1T8Nf?d%Tn&enW`Si5#H0F$eE?EV3Xp4JS`D)L5?D zm%{C=dg`gklhl3n&DD}ZrfMH^d*oqS;wjH36w>rt%TpIM%9gP+u^R-RM<0E0X_4>c z4^vcpFK@B6tnI#Aj$+i&)rj#pKuH!Gw|qEWf4yOcK-+*5qQ_6h*+k}xLzMY<)h4m1 z8~-F`G-DP z^FxjnDdcJB_xI2^bk#c`nkMdz z7DVmz+CoRIV?}?|Uzn(kQdR!-y>3P6`t#Z2=_)zLnMi?uuV}I~B>Lq(*D`;C_W+>GAm6nMh9DWMO_3N$g!+ zs#~1h&ZJze%C{fnl6VzfiAhu76SYIcX$)Dfb<3~KPsEypvfUb7(f)m;fs1K)nx5$aWP{n~)&1vT566C+O!J{-P&AwNgwsT_S7IAP9shxWqI z(!ibP;QCeou??BK1s?Qi)7UhI;eD82v5dn_sOQ1{jPqftBL(D~i9B*n#p^hgUVi1* z_y68Yn*6Qbk5pTkSXMS?oq5+-m$~Z~k>9N@MCi@O2M?S-oc;DeK_MHm*=xcmT!Tx{ z?~S0igZ0`Re^ndl9jP9z0j|V&Ne2ua8!FKJ&=it23UqG&uo z9b$goqf3EylzN;WY=n}WzKy84CykpHS2{@O1v%N6XYk1FwfmTmRP%){NyaUy(k|1F zBJiRPKu!Y0^BwJ}s-@|c$^@a~Qv5GrMUU)B%Sq@P z(4<;S<%^0pg#Ne4^MEU5=UAIT?>td1{vz%0?7;^a54{2(DqKDGMe31CO3r7rXJ|6M zj*0{X-q6pCHY;OejBb;h(d`2!Zd@gS*%u$}`F>n2qgKzbT`9YwF*#Ps_54}?W3ZCL z_Fu6}qF{+As!u3bhV&wWlC<09Ia$7j0vTVR=X2t1mkLweGz>Em(~+!6=Zx3|^*dQ#l#S?kNlFOdi}f0=09_wCU^ z@k`HUBvjuW;`w=0%>LV4dlW#Vc`h&wfJiTjtv%p11B3dEWlKg^FGJ04rca?ggvvuh zjCu~-RyfpQB5>bK_7cYufroyRJeFvzi98Od7C1P!mmu|%Pp55#T-5YEG%}+nw8`cC zEW@t-muc&KYG0@h%8dCjlOSWHPdkkoy|_oYv5JD|II3zz9=@36yQ{KxI4|1zy)?4w zwQPk{j<6JUx2ojiXMT!bJXXZWhFn05+~_#!Pi@XR2aH_3nUzR8t(gF)#}m{Sp`=y=L}eMRO?q1ur#{j4X(ka)wGpIDGRFE|Wd_!)l*m`aP^@ z7xWK2_)uQRG@6G?HtOdFLtE47o)N^22RBOH_w1v*cy-&=w}f!{)Jvy!ws!)8?k1V3 zpE*A7)Y`?d?5(=uPjvu@cd#|hIb@|a*sgNaVSszJZN+b3J z;JGCz#Tz%{(P}M;Jl~*l{qy4W&WS7V&^OXH3gBToZ|tIJ<)O3^L^56vod zY9zqLn$_rX6s~W{(OCEKwRh*I@eU%>Or~Ll+I*^b_`8RECtuDT5Q*4$i}q=j3SKn@ z^2i(Q7-6K*Wc9M}xD(-oc3SvdK^rXo#Ob$-$Hjpx+J5E`h8HD*!s%gmFy(_~y0WPi zv-&kMIH502KiWJsU^d+H5@t^vh9@6#W=LJ@2q=Gvo_PclZzjwjBk8@LfM)gaFOyox0m4)Xx$d%<~L$&0qM=jFCqkeQKzEH;)yrXMhE3g0_7dq zzMm?baEeaEdZ&<+=WnPs9YYGW?-|(|eT`KF-R)dy-=xGMRG)$I6W;Lt?yigHOr+=d z#H`p~Cw!ezX2&{3dPx>*V%n0yjp-yDL4mbs;L~SW8RZ{VH*~ z>L#Cdd&5<pi^ zpz9_Rd}0&|x2vi#$j^rKGODZ@E3eTtD#fO2{s#>i9HvruKFQ9+Ib`jo_a?nByxEu0`zdvp**bl=nKJr{Qbp|qGDuQ~m-&70 zpGLEf4VU3%RAtrs>ZCMPc~gWwcR3|z>#pmpQB!G1X7|16CdsI379`F9G3kC=TIwYE z*rjJ|)Yxn0AxC%8?QyVO##~@P&59lq%05?N}M`9cP4YTJNvN4z7m{( zku}%Eb@znu3o~GZpS`Jp6!>6M1dW5XBbTu@n2;FK71{N46n6^5dUBxq5sgs$324^-Ew_dC-BdU+EAc?8WPgp9H z!oy6(nfBNWAaM=M{q)O#E7|9ywJ`lWMJFq&dh=PQSXSCYtqfTFTCyNwN`e3ny<z5oDWke3|tF!cLxO zlr%7?#zV548vmm9rhE4o&)G*GDvwy?q#e!8*G`~xhP9H%NQ8F3glzHd*ydfq;gcPX z&Ux*Qmbbkxy*?Y0rX|vHN5m9rvV z+~&Ue4Bz+jadTd^*79Ea-Y?hJEj7^g|7cb+h7O~Y=7oP+?u`upu*_~=;03)Ccje5U zo%7s=V*}Zkn8UI#6HEubHqX~BXY#~Nx5n)2N%$j>FW0>;J>*LY5>4<&q+}yHpb^=K z_Fc^)(DB~x4QYOSyq6JypZoozNW4b~3o0L5-mW1(&sf%uf8#$5X ztz;ZN>m=`3nE9dmLO$HtfW(5BMdrMV1AnyR0v*3aX;EvD{ zg{#N4sfJul>I-m&n@28|?mq^3(Z6Wc9i$8`km5>KWqz!Sf@k!FefOCmOg1o$P+aJVi{$Q=_aziqyZbmg5f%y< zJ&$+kgl^T8?<*ifqbq?m5_KCvr8?Mv+zs_II-bXeL<^o6k3 zheSWgUB%3u_eW^ZZ!|Efu|BY4@}zzq_!n za?;9I`{t&!>BZKA+_J;(aBbk`P!oF2YfAiGz#=sf;u; z#5(|SQ?8Q2_i>!$4^_vNZQE~T2**+0v1@5(12V+rWc18SFl6Qzb-%rT4wCk(we?M-`F5?r+QC#(c~{ShdHJ z__k-IM9uzu0|om5+bQ8?1SdWX%^g;M@zZb9*I&zBGrVw9#zOP;BH~GW^M1M>BbUj= z9CO*n$VYJjd!VsQFm9cPcUUkmAKp83bE)iLPMlbp-qY~BYv=ik(;V7Wh%Q(gF77v- ztC(aLL%@*cMh^sNWXsvC4mi(5u%89lFXoy*alz{J=r1dk77M{T$vS&0MW5RTKRq}Z z_#-gaHL+vv72^%sgMd%&gwX^ePY;M;E zD+zo*=*D(+wTLTg{o$~c`Pm%!KI4PVsA(3Y#{QwYG4~hb{wl!a^}>zJ`d>{!rISAq zKi*8{S$bZI1=a71yw3gCRZ+-$_`ZC0b1E!Gjy5qNEH7g@lJj|eWF!jxpna57)@V>nvCc`(481fHE2#}`XP$s;y1UVg{)e?0$g!3)`O7_ ze;l>{U8rrE&4Vx3R_`3|mQ`Jc46B{{_SLL<#n_&agyQhVR-s$ec!){ZusyGeTQ($v zDo(EI@c}t>PQty=jaGV ztYV3hbPRM!hXuKVU}n2u&o=5ai;OdXIt}_^1YLJyNdPQNB-4uugy~3uWjer}?1#|RmBu3bDU*@Q5u@WGj zM2oLk@jE>tPdE9LPI!GBO*daPm3YO~;~-2@H_>9xy=s3%5Pc4u=tEN|^$39Tpy~GH z^zFdLHtz>x3H!1V>8EPbJGn{(H&hh|S~hkFdCnx7LB3X8xu0M^3a{g7!|g#L0KKb3 z>u5&=wYHcirrK#Px<5+L$?eCC<0cD&oX5HoSIpk`2ix|AMVmszH!(99elYl6sS!u_BU*#L`VM;% zw!K`!$KH{ex-Y-fE8k^4NcsV{kKw~cl|6Dl`3*cgzs0K6pwDd6Az6Ug53j+*tE0V3 z{YYGSm?$GtO8luo`GJC}<|L;J!D{Y_C3Rh0ZYv7cYcnq z2dG>DdS;+W^@MILh-7tb0off6^U6d?rk`mbBk_3;(>)EU$98BtcdVxR7>cP12d~_E zKg;j4zCR8^Zy|R_V7(2oldx7a4Czen8ahdCB1D%pYT*N-ihYdm;#fRa+ZUH+oBbg& zfgAPOaXWzSWwzn|w!g!dQy#4%kq#ESQsk1F6ZdWAr{d3v%t9gJS$q z&VlO|qUg$>1$gW;7@&fs>p-c=?FhgN0hlxrR4;DVI6X9@ncbWkZARl!gns{To1t+0 z6drpB1w*%WfZtZOGsW$x<#a_FSQQDcK(Zip%V1#!!kzI8J@pd$i@D6ODDMS-xoD35 zB&Z!riw94{<5w!Mu23KZjF*GQU1w<;OkrpioSe#nd|5jjQ*&FFB&;f28_hdmC;MVYT0pLp*Y(4ru?QFs=F zo2kP5Twm9&5$UpfP}(}WwA8F9xcnT=uF=@J<~@H(iIqy<-s@i09}+l1JSw`UeQf!= zZ0f6Y5=wqWhVLpRnai2RDL+zCxi5Y}5CWNj7~0QaJ75p65=I)dpkO^}5@7X;1@Q(? zmK&g{@c6dNlg9>5X^MQ&vOef1cR{FmyuEJASTpk++T>!sxMeWG_zwe^z>v^*A95^ z1F2G$r|+zInhT{!H)KRM>v11pFn+Kq!DgXP72KC$KNg*ui~ zXU%z@$R<{vs8D-cI>!N0T5>i53tpBo#^qWGq`qvMlF+z?(+FC zx+d7Nb@X0`W9c$pZDsgFn!cWGdH7& z1-X$NnfBuj@=y&Bmg}V_F_!Wpu>|kpE#29_tf8SFyf;ebu1ETfrw&hVa_kmoRO*Oc zD^8nvGx=)MpJq-M12%Gz-oR0s6%t17tV=3K!RB}55rBK7U#j-<=3h@`OId7|VKPpQ+s-d-}a;E%L4({y{sjIsfgr-)@_R zo*MGv&o>6(L5vXryA}2~Bh_$2w0HSKtQ6WCF^(T=uL$5FBG$O>o{yJ&*A_nIT}%|5%CgmCHXvk#mIh(XfNt2zmaOm zMf3@}BA%ypY9RBAkm$1%pJjFTeN)n2g2qi}IBo|*GPf;Oj#=v|N4W$j6>{35M*HO#Qu*hNsqXiv-%)N#@7ffNn3TKM&r;yDmP4xDa+~ z;X@iKF+bMwro_{o>`N=3B0@}gk_TMR)trwGw60l9?nTHV%^2^Q%5?qFW~eu4hB7i< z6p&>2swbNq!%+RsY7#_2zgxBRimo8}&9dVV`jqM-Vj_KJ3D=_WV2?0h8HTLSn2zw1 zd-q%~#P{f@!ON!=rusWW`16nLJ9b1?m4JWcJt#D~vER17CdToV_p{+0PA7X(>Pk^`lBX(CdjgG5ET2o?l2B+@$w2q*|hmu8eMAfXpg=`9E$iGUy_0Spn6co$#U``h2Q z_wP6EIcJ=E?zsC8$B;K~U9+sUo;l|;H4km_y^Du@_kyL;!DJPYvJ3(1En>0KPX-et z@RMZw4Ny3>@Nh4da>;fR+&;RI8v{M_74-;8@IZgpN3P-X=;|4OxeA!Rf(*kpJ(|M! zhXa2*>jfwJKX_3h)EO0*&5ckCFzs^2e@{(t!~5)_bXgM%diqmwH>AAf#ir!0ElfMA zbT{)!$n3)8Kh|#ePp9eqN7DQ_f3Il%-$5>T#a@OP%64m>y=oC1YS~&P&&B%K@>)Kx z`}JOn^0U=4Bke3W+tW6& z=M!$be0W?IzsvB9*@5-p=;0oPL?d&4bJbCRrkL9@E8gI(r429e6&a}GbQnR z(URZx#g^?$aM`p@4SO9T9i0a=E?C^Uf326}v&<`d~94tv`p>Om%%zf+Zm< zIaWfpWf85~%CwwvO&w>#yGu?F`wo8oJnnZ)eK$2&H1u%4gR}#2U%Tn zm^&k~?Q0;{G=zS+0c4O6M z$*WPAJds^N7jCLUjg4MD9h*b7FW<2Xp|ge&L(T@%@mlJHmaQjAn6g)5iNmm~>BsM- z3J6HL1;LI7q~X!604d2J%(n+hki#ixuw-R!GmY4Kk}j2in+&v5tr>Bvb&Z}Q&rGfMRUG9??bNnL=)Q{+4Lr zqx+mZ(fZx<{#KoP_17k&55KyEpROdXcOh#c+7%fPpPf_yksi)OP2M1+%=v9rmtNM? zn4(IrkoPp=(j3>`<*$9))%G#W6~nYiwY9FcRg5yB3tH9HzB)nL;H`|o&DLc4rboV2 zR>Mx_#9Ody+eeb`KmA1hq|y<+aIJ~OBgclTg zsxXv|RvHMmCjPiV5kE6=)J~v~K*BcvWSHP=20P_i4X^=;xJ^lJ@3}f-sA}AMI&_3} z>a*r+9VLgi_YglA)pyTa^_7uhWxKR_zeL4Uwau=(BQZUyMAux+O?+RRzNfBvdiWmK zT+b%}3XnSIsbV1%JFLw42{>2S8XQ_RM(aUtc|4$s*ZCf0c_NR{yrPq9%21 zMK5~a!TiK=oE48tl-46gDYQn@F8G6fU>IR^Frno6P`PN|5^wHa)%_8&nWY>f{ zHR{hHiAJlTLLJ2i7BDw+a0@r{q4!kw=Ud>$$)Yz`KRtq8(N+Y-xHipL#?RDqlpxI- zj9UKa=$fXI>LH|FjCBX51mNj;nDYjFet`XaX zy>}9o(C9#7!#5S-d@yM<^RZOH7Yo?}a*Yyvd4VX3iOZT_IkabOz?BO@bBmvP=4^A# zP>%O(Py?)m&P&Vn%bsAo_|7y&dsh|3STS@&ip!nb=up#Bd36(!vRY>4&W2ReH2jfc<0&o|cRrPioXL*`T8Oywj$OtIT7)3Lw*Teq374r;Q5fe4Ak z0XoV~JndaGfMOpB50LII>t%-y5Dj6)F zEylDZ;U@iXJ;E&_er3{TU_(oMu{$vB-nMZ@v271?*4y!tPe+t^TbBf1a3UK3eia9j zdA{CjI`$f%;eiKn(GRC|O$T1Bl&e-hbz#~V$T5WN;TAQHjeXf&4&y_%oB=x~P8LU_ z(=gBazKG@P@v?mfJWg4SkR#mJmJho$MX{fYBlyO?WuBGr=OsWZKgAV*DZ1rYQ?HkY zi0>3d7?$p0#b6{kaJedWx*+OHda};o#y1#6@<~l9d7z68uGCm}l!s|O|8_9Uhz?Tq&wz_DJV_;_bJGe1jk@uqPqD z3?b&Jv;eEnXj6=E;u%mwMs3pf)ehe+_iFdn7_aiO8oXj$6n}!XS9K^i1yfeX%5p;T z6}%>!3sfZ?-E4`0#E5DRQteQg%sj}az8%g;Mmt2Vif=9S-YNbKhhTQuAQ z@EqoN`MahQ2ITy)CO+y}l4wr3J6%5DmGs-X^y$k&o6Dod@~N3J6&3cmHQZMj+1uWt zUQ~1P!r-E`5;~;E@1b0lFl8aHCi4z^g-VwX>TADT%^0gdX0~VTy`Waw<~i3d*Xc;O zKFF*wqP+#RPlZm%1w=N?34yulGKRd~>%}W=?Gu^Ko_O$+yz`lx70f3ltFo`2ffPRZ zCxpH5>}`ESCw3py(}yd-z!4DteQSU*7vS5Ry>5}+6|^x|73b>}Gs4#N_uPy~PIl@c z_RaLQCWP3VlBHYwSUsi%tHhYMdF#6*>%O|C?KN_s6}f7EUwC51p(tjhHg zL*3c?`qp}4ZmENyDkLFRJzXu|4AGmVRkwB}&MI}(1XX=z&%s?MwCdDmkrh6X0C5C+ zwMj)MTAub{wc1ds4sqSso8Odp=LcBl)R-GyH>hh+X=8oNzE(W0EObUhYGnPmkCzJK z@}Yrkg`&ZNOVLzwN-@d58C#{Xe42m?Lkl6~A>l|?x?q*{!G+YVbPs=_mBPu6_M{I8 z*JwWLv(JOp4u-p`eWV!Up{)rM#^f-{{X)bi7~fbIltWwGlO^|?lW5u{6Z5Lxs0rtq z##*tJIRCooTS+{{@^96pl>?KZ_jraM&DapgMTG&C7|r$I%v!YOAwhZmuW>S{-mKK0Ju`+IxtdIYd}jlUM?dUX5py z^;+gzqs{ZBy)Y!2cpb$o2#^;IL$vqxY%Ymj}+5C>DQwJ%1ue_|WM2ppl z^>a1D3gSbrHni@~*BD*Cl9Kdkqd1@i(|%x|q{tQPO)9Uj-N=UG__uaUe8fZT?0ab# zTf6dE_xxS22z!{%3S9TSUv%42&G_vWpC>o$DXa#&%!r~ew?SF7IRd;o1}Lnn_&a3} zvZGuR%@*vf%5DV~p7WQuQE?wF5xfu6%A}P+;EPW^K z-Mlo?C;{;GO1CZz4Cm8Yz7OF?(|3vQbqVbu$K}nftH+ie;8_SbJ)_v#)2M?(0!oJ# zttPeRCh^xz(cYH~hQI%Cs~NuA&vr2xvv0PJOGAK@Z`zpSRf%5lw-*oP)wDNgIY{@0 zgrI3{_sOZ`^*hltcZxZ&PoJVSb4Ud@9fU*{ z+j{8VIn-Hni(Fc}K6iie!;`S7@Z0?HJi9Qj1IBjwQ=r5p-%$F^W5!pFoxcT{ z@(L6)-QP!Iu`ax1#%NJoswZ_pM#r4df^|SSO7DUUgQu06AxnoL$5{?T*>e_dv#?n7 ztU?pmFuoD>nMJ}%HPlDPMk^+q+AAkNOBhJrWR%TgSAMN|K&NGII>!Z}svCnA?-JS) z#wT$vDAn6Sh<;>6dHG;lxkr}7aQSl1^YvXUjCMaBJuj*LSQ`BBYJ%h?#6jv!S_ndz zsxgFs(1)=ssy@tA6JpqNdqk1f%K&}Z;?=oo9fA6I_vQTkHyOB84BxZyiKVnbKKFaR z>xhdZoZCz#ed<^L`XN#v@4>4(AuBR(W5^M+%x$nR0RL2h8E}e}HK|WA!eK-0HRAd) z6hqqumV!lo^61T*@@~WD53p*M^0gj3OI>PsQp!*7!xGJqVbFcrJnq@dXpg(YRAv%m zv$~o47$3io_wd~E4fCtvw)T4xjgr(XjCq+VET0@s_;%4#(A!%&RX7S~bmUR8uySy> zVT+8ZSmJ`!t&`Zh2n|H%Plf|<6Ot*N^)SgF&lz=B7{&gR!JA?|>LtuJ%W{V=bIwja z@BO391UVfSmp&%a5HDv7Iw6}Ac@2#bCj4Xwg1WzbMU`cag`3>Mn{beq(TTUDu`?p#w&8zE|4|Q?qRXD$74(u zzLY+*5xqqH@JPh>zTkH7+~6mozM@z>@>odG)0~>RuWct=4#k~LIhIEXY0Kuj*>nQg zVuIj@>kn->Oi8rbhzgF#s~$t)w>7uosvB*>jRzRvq%O${<*vrv-9fK4uDz}9N9>_@ zqpPIbmu1Nnlv_pLM43orlvD!_#WU@$`THJG4%rwCBni3??oZSum@Y$b?=;9}6bal(I5TeG$jV!S zAXV|ulhiRKm-4)!>l2KU+pP!ejH#2sL4wkSlw>eVLy27-C_%Ugtx=P^a3a7$Hd~|h zK@~<0lM?nlWCi+8^7297yesltN7;paFDM|*#cFG-!sN@vZN+1+n)Ap6ePx)j)Tptx z58XRvRvSOZx0v+84{A2St8jMS0584NlMh!N`^n%VY$}52P!|e|Xf+Pxn}hOPd_Cph zp}`-Yye~IMp{54j#u(a+F^_)fn2gaS#k626eW*NMczPb`hLeXnkeM-k?hd{Tzf4Z?9S&pO>b*sdRHdvQj0%M;JVHlJ zp1z4Qt2Q(_*I9WzR!y*o`+}O>UZJo!!_HjKAY~Qv^!sXpW!+Fs#6e^akv;_5JOZLn z1>ZKlwPi0RFTkE6nGz@IFvu=<4D1xE_Yz5 z#jwJWXaQ;Cr}$ty1@^~csjAn+U9eTmpHHAJQhK%(s0S$PFBdSY?FpR1)z9yJn30xb!+5JT6{GCC*Ce1b4`gwWX^+2aAxseS%}Ti+?~r?Lh`)OmW1K`d zxqp=9)Z{JNfWQS`8(wl4&#t+xu2#he`%SPjCNWzKB!0(66h9OV(Y)QuYA2P)Q1jL* zT-w%A^ZWspgEhOJVD6&~0U0`RH8#5v*@8@nDe3|7g{b1`1*W)^4HZ+jK<|c^(Q_mC zC&x6OOjTtWO67urIaN?>sf3GjYlZD^R1tmVfP{Yh>lSi?-kJpyqO04K|yt zZkbW)9VVJ#-GmW*avO?`DhmsKz?Vq&VJZmSvVFaMZj~N!yR4#XUNcVP!=dn172m!+ zx6VPC>4$WPPpRxNhLbZP1?o|>?Dl9-`SZzb+_&e1>jXT6ap*V}N6UW15hj z;cV|?2{3Iz$P)W9uFe<-l&c=Q(okR9I5ZQk8pS31vcRr;LWuF*eH~Gc0LesY6MHP9?9EP4Wm~`E_mGLz8Dwz1@s=XwS8khyZndLo&k26la%5HCi;6-?hlh~gFc2Dp%`7M^ zybdN$WQ#pj>4D)J(?};a_v??TQMddAGpz*c`6k^CFsx^W)S*Vsc$#^g)Sr8tlF;EJ zOmV~UFI8^a!1V!zunKXmuLHu4komY5Ea1bx>BZQ@oF7I8Y^o2I8pw9dHB=sYl*%T^ zs=t=$6VfD(=z|Ky-kX<%{ zJzcALWw$#A&gTrYu;*Vt@F182F29YSa*+Th8af!T`y;r&k`_;eXXCX_(U#l$?Mv(@ z^WQJA_X)uZ#%7tNHCdnOjK4IwBh@EDtFA6a>_d!zmPBYzB$vmSzY`Pj%c-p7(kc71 zLxG`KT}dS)@t57q%S;jX#x3FPjO&0Zi3dV%AVQWowl%yE0u;tWtI?`j>Z_)WW7TNm>QxPP818;aZ z_Ns*%Yl#+v2&)K7+_^H$IJJsahu~VYFH9pkkVA*4BH0I2SHo{YYpeKbj62^Atl%Tx z;{_SzvJ6rUEsB^n6RTN7RR~B7jLx$9lA^POc3TZ`Iz&RZmz(c7<@5;7FH}GEmVqsM z<2sXbkE?C|wMkzAH(y$fRPm9NSPf;Eo{x~D$)mN7^A9OxYyMCG4dEK`|c#cEdZ3cpg zaiqm)D=%PFVQ=(fRtG((4$j-XbD%X{QPaSnn~C2GNanX>@#u3o(OxOwmJo)aDL7u9Lb>Lbsw@Q zfU~3CZw~G6!FFEapuqK1lbC*ur0qM8F7lrgN9$_yz^#ckoqY@o+1%Qqm*0_tN`K%n z9^wIlO?@gYQqGTM*^Pwv8=UCIzdKwa?q%EM@a(+55r>6Xapjq8avU?KSoOVcD6VA{FkVE2k>)vSQLh%AF}aj zL_tWGvX?hYf^u8Ejq1KV--5m6H4ZWYtg8u4oXpq8-ssZHy;`(#?f;?PF&B_#(}Iw5 z1msd>00@zId#!F!7|BdO88YI4P(Fgx5?VD1{V%Jz{#BLNf5maepT7~$qEgT|&>^)u zJUecEycF)Uht=l7PcKVdSiU|icikZ-5Jf#Qp;<8%BD7Ul>ewzB8*&CBNdJfys=_9~ z_HDopP2xE&xlO1&RB2DO&qVj!*%Rq&!?}J`j4QTCWb7R)C4<1(42y=aBBVTFRnVo1 z*QUka^n}}|x!?K)cR8|TW7`h@@Lpw*o`tG+j)jGjTZ|@{C+Z+0(PSf5N$<# z$lkDlAO6V@vP0sSFk+XGl11k*Cs6+#63VU;o$X6>KsIKxLqYZ1 z`T1=rWG#wNfZB`%`Q;947>WY!^D9y4P{i`3?c*TN2?p2_elvjk=ky&X19GY>2kkq50dU26N~2#~?AM4B;dDOnpAJ(ay$`u;Kq zh1r-q@-^^!XdsB+=t?bCWL2hFKr}P-_aEQw{P>H^cOC#;>H-gV2%h_^q-nYrvaBDL zT3#OugJ3eq*TLNy{^0_}C9t*E^Z%P>=smq%Ic0J@otU?60qUUsDD+F5%SPMEKu(T; zF_Lp*hdtF|Xi21OQ`}QZ4Oc|Yqdh}^eHEY!xH@;p+#oMAb`CZ7QRUJ5NDC-iBxx~% zPZucVvmJJ$c2hR0G+;L(@psx7d*r)Y_uWz9VpJbk>wJ`0ZzQ}ghI--5A+LE(K{`m~ zu2c*oIp+jCr(o@$LMlD7gu}iYXG9$06*@e-+jKLZ7e@@>2kvJ1GJ!*}6I;cXswq7q z&x%vnKr%(~-B(cHfv4G*J!0s%v(^^NS>Ft&yPOS49v(~;wRn(;T{6c(4z|r?Uc&pt zmD4}sVbMbG#-dQ-C*}9}=L@?lpE(hKApaQSP5fz_g~BivLmRa@ZT|ib4_O?qy-R<; zi~WjCeu5Q0;70nFE4_cU0{myk!*TxldWcI@zGvFI5QEr*z`B+n@};}QqKZgqq4~}= zCv!ncRKm9t>&*d@XRVJLjSCW)VI!l0du-k#tLB&HUr+;y)dkPTlHIkB^eceH?AbAS zhHa;34+WX7>n6SxW-t;xbA|bEik)AcO_F1$pU1j>7o6ilAzE7%g{kdA?oNk-$`2=j zw}V2Ho8|#+hP4l;xXr9iaGigBENRqQ{mso<>ulae6`|vM z*y1cOBR{?yO$k7*$zs9+j4k^_EnWCs6Y?yF-+Q&#kYCW!(O=6041kJ^LZ}b&A=R8q zLs{hp5O6|C?zx-$f!U|S@a;OC_fLk)Y#AXu=+3~0U=u}L0923}m09W-l$CTOs z7RVv0L*FDoiBh@18@;>O(`~`)$$1&RnTRIXakf6#qEoj0n<-cgO+%C`!VS&nIEdpL>Aw z3x|OD&J}#b-{!j=-^ahy2fo1vkn;UH$=N8cNb`?x@~LqP5eeI7^pB7YYpMj8l9s`H zC0M$VL53ajH*LfKhb3A%ce&?QV1lo+*&EaWA4~`t#7uIl0skmu$9K)ab+@n4dv}_l zZJJYxa6j_mj1RgXd8toD6EV*&C%oP>Qrscm(Y*~Zy@1|$C)0aQ{97w> z_lr8Ox5F#Z$OE26vynC;N;Pq}FWyetYq9r!M0<7>6bwJcLW780YRjFbIJEIc^fr<@ zQH&1WK@oklG z-#jIeRrEr@Z1*GPy(&EEU!t&KZB;+=1CQZkue~Ymc#!YBkLk{-BaecQ;Oi4R?iU68 zsZYf&BJ&ccmCz6d2zUl~t!*zDa_p}N_J3Qe#6PxWg#7$FzdfS@xkG^`SS5W8DhO91 z_QjMV+VGdfhiqz?eWTa*tw=DB-H2{eTjAwCmoRL`+-3u-kOpill5r9MqG?bONxJJG zZnQ}oxddkMv$SmV*R%i_0A^C5RL`abF9C;YmF-iI^9&R>x*!`Fs7LN)9Fod4fh3hc zagWh%AaDA}G=TG4I3VT!C08L4Q#L1FAbq z{}eHpu=F+XDB~Q29WG2v2;~LbazR&f^B?VXkhLuj*)=47#1a2a_X07uT}RgGh1_AM zk*i{Hr&t+!Uk_PK>F-r?5W8~4V&jk8Hvh^02fJHai4AXZT3nOah<3FCVt@uZn6gV{R=X12Y9_ zf07L#IgcUeGOFE^9g3ktJrK4T~PxBh(z7%_w#T!8i*!TAkTHZ2R{v<#Z< zIi}NaSjsu=HV=g~uOsh@FdIEbGPD*X3~C}-t-r!=f7mP^Urob|6j*`{-NJWZuHUr z3aIG6^B#;doD&4PDT)k|Q{FNI`qs5E?02x<0?4rR*tR3`GuT8F-Um3^e`s+33HbJH zhI5>sep7?qs{u;H$fLmi{tuM}^#8q4&c6lsC#>LqwBQE*Ex3PajsK$s_pke1|985) z|LC*+A9j`hclU(+e^_w;S2vfW0`xTawG-TvXxcKxjNfd*3Vah4fbGZ9l5G+$G^S1* zsYYWGO^(Jrk~)@RZVH?3XD&nZLDmA1)m^l1=$2b5SX`iRlg6|{P)r}l-Tq)cRuvh! zMaz1N_o+mBOn1Dzn8uHGj_vT7?-stBWx-Wkm-%AGhRnMyAK=`Tb&#@aCQ}w4Um1uB zs5jozFrrW`IF0{u`Ev5<*1p5i2Ye3h8e%yk3Lw7!eFl2wzv5T_V=^%R*dgIYH{I8WX(2(j0xOASE4dUe3@~t>r6epF(_yRJ0az?u2EdlB`)cT^7(>x=mLz=3oJw^v%S^O%UEAJ;mQpx?X+qCBm zkUSonc>}7Z`XoJW8^1~C0t?V2pa>D+4q(sRM0Em0DQ3tuE0J$?4^Q5M>U~9hLV+S4 z$c7J^A5DA$p{9U~WguG`ePDS>InPNypZCn4U$Oy`TeU;vuPLRtrGei0$tZz-z5v`e z6kz}Qn6Qj67V@`~LlkMkW1XB-$*!LaN6bHj zB$A=$UZOs&QUZ?tWXQWu0dRF__D=>sb8zh*@J>(xC@~o%{+FD5e7mXZYaH(n?9MMg z8A|U{+Q7L0sr%(zMsOtH??>*6l+h04qCpG~H{(W+BM><0Trk=Q_%cp<`R{+}_1~`C zI2%n}1s@RvcwZXf07Y*#{>f0kGhD&Qkw)s@4%F|rMnsy!GO9?=-#77x+p&W74!kGwoQ5nUQK65Fxf=nq|cVdY7F*Qv1a;1D$|@doT91o;PoN^8N>jZdKnCX zB~TBbUS~ht#xiItygXz?eAz6DCVe+JwIccn+&*0vuPtF$sJA}h!FIy=v5k+O@39txE4htT^?FHyIetke4~APM4nKZx zAQlp0sjEN5GjgR(JoCR6f99P*3j$UaY!I|^$*=6DB@)etB zPqH+;C$kEhuKQ4q&Ihj=WZ;mYQ0_(p&-)H>&^C6`ajkvIrh+ZY9a4jzJ>{1W(F3sO zKuW~zi&y|RbzrGSfa)LFQPur5T2Qy&2e#l-L(0%)sA!{y%5GyvWjdu-cK8$Z_A zfLV)m3q}_OwqZ>oMF2xkq%Y=v1z&Jj58)5;9h-kLEKX~KOaf;xyto z^4C8v?-=vZU%ZppKX@k#aH0)8?i+!b&gH!0Ugvb)0}HjZnfIY;9)f88yaRbEwkHj6^5eXIcn@E7gN&TbSWtR9w=Q3eL;!EULtTq5{e$g3l zSAOPyH2ba{h2#4t3b*4<_E&?qM^HeJITU!dFC{0(e95<$5V7X4=UAZ4z(xOLh(S}% z1BaeR7d0SaFNh-JLAJdv(JKAUk1F**OJQ!u-l{u!hsz!v67}6W>zP%?FSmAWpz-Lxs~2lGMB9PgjD&_Xx+No z&|7m124XY)`+j7!BP2+$$v!VE>&UCm+xg1V5)fYYk zL(@S3DjP**BW?n<O}*Et_CGJQ^~np%Ke!@HXJHg z70N(yJ-GMT3yhw}?x0|6wU&F|-A=k{jVIk#`z(gaLPh!=+JcxwwCO*G_b^=mEwN5n zyAPg=mT8TS(z7+UmpI7@8TB_Q+sPi7=^$0uDnv-|#eHmz`UAn|`5+uA)3qK`A&>>xX=3Tl_d*0f?tIi_evMH#$(xH~lyz_4pm7|4zm!{+q z-KQ3_nXf-L!oyfnABGgP&u^y3KmFA4M0z?^+*jY|wC?~S@^yFF)Y;ZP%QtmHegYPA zgDV>0ppq-e@QbjWfaty}h7xr}=NpR~a;)1r^KbN75>4Z(V1n*KfOiENkcM$B_u(BW zBR$W5{UK*yY~o3XQ*f-nb(>k!CF$bnfWzA2^uDxY&3-@`c%CD2@nIHE?x!8;Y@=)&+`$xna*KMvj2=G0Tzrb_p&4rA|-l`d%ofxHyEw|sm zJg@S)m+SW$dg@tJALMn9j!VtSO_os}W|twz|Ehoa*K)2}+unO=Ywa!MSf+QTExMvL z_o`X1o<8s8N2NDp8muk!Bg;Jb1bMHPNR>_G+pRHo^i7zy(Ir92TSCj^8zKRpnsuQj zee`*grN6?dHstOEg@F8-lP>bHZnuLY#?daO7y}E+yWGVlK@$DBCX@teQ7Mmztojt0 z{P=?Z@$1hgKOa>T>{;1$wK`+O_O>2en)ColvBXwmTYX~c&#cKe29mS)c|}L;zIT1S zYW`|}eRn>e=8{=nyeyhA3jR64x$ndAfmw3mXWEULOxH6yrB>~f2R|A5qHf>0{PLtA z%8|tMCqx!(;s1;p1G1YxMFjrP`QksJl7Gr5{r^*Q=?^ z*6wc;Y5WGvlVUbsI}o?Qdh;BT&^yCSOTn^&Toer}6^h+mx@4e8UbQVK_4QkTsc0R4F0x9XI3^#gQ+v% z;|;hYCCG=EhjWXjOMY%6KOv50_`zQ%SDhzz+DY_zuZH#A7;8blfhLNBtNYItu4&>s=1nU8%GEa^>{nqC+I73_LcnX)lqZGsc4;?>T9h z(QcEtuyy;h_K=_dv0aA~;_adYcu62HPIsFpzyXhr5F>H6lyYc*8H0O6Hsj$tY1K+vy69*~aPP#d-%cvg;C5;)f> z-W_Y!bbgkHAjnwYC7@UBENGc@asKP4ViJEdhClW$ECSP6?d^ew9+X5C*>+R17Oq&V z35+$3SeOnrjPR1s9i05sql19{&ooq&o1_>Du_V1hd6lTgl(R&?$`mm>KU5rhoO4dh z<%@`GjkX426ak@_5@aD^PTa)KQW8I&FNYa3c5cA=GtquM>Xqw_GDAZ`@U7r8OhyG9 zK_6v5Z%yex08{6Ne7yxq9pU1d_T=f+yeN2&8UR|Fp|o>}z5`GiAidMOcj@-sk!%h`6> z4d)gG*W*e03etTpCQrilwJGU6vtqbi;>&QgVOCDyrB8Shs3s6S89`@dBldN~5JTE; zJ5kQ|ISwstbi@Xh+J|=db7Gb{r?0VgUYMblc#f#M$dumMbYxv$je_zags7qe%Z)lD zXuEZm&=5+R?{!}Q-ClFnu9dOxW3>RGU+61UuzZ@5*Lq4i%1>T~aJFIOM)^wN&`PI* z+?Oo1d%@;3N)KlG*K(2f)56)INcQCw3A<})oufy;&L~$@S9kBk?fv$aD2=w9oNx~e zDnwwQ6|UuXYwiKQ&Qlc{x>{6gu;B=NZ;rIz(ls7YedljdGpcIb?Z?K}&ZTq9N4%H) z<&@wd7VAsn!FmBV3$_mAFAkc*vLp^miGZRG`Il~ z5~FE?=iD3M<5)B7*T>puzL@IUv~UCC+o>c&{>=Mk<5hn&Wqn357IE+!w#ui=2UMB0 z^u3^zo~<9^hm8n1i!W9fCJWe^yi5Egs=ue1LU1YMOC#OoAUsRl&p_-grw2E_1M z?@}j<({h=b;fugNkGo+hxlit0u?p9U3rJg9-L|L5k{^xu^)VfiFem!N!<9Z2;b_+s zW!41NO6O2+33nJSGVa#5+-re7NpEqcD=IEq{bX>a&C{P;wybmSoyT-7=&}ZdA>dB* z>2!3A8qMJ%ElYcUKmZsa<>AyhMWc4zjEwgy|FZ z%pIIzqFSVtD4dqXSUZx#+GiQXaXBn{>)2s~$GJ)Z*Q`(O4(5$HZ1I9{@_mMCobBiB z1JSQq8yjZ)!ETom{(xfh0+dm-oBBAvYG3_wUe{>P8^Zx(?v$A)cO|sCw7&JI`e3ll z7*te~!uXV(=~Wy$x?T!R=U*4o2{!+SzMGZA^;~T zX)|7_ZwLIwFT7TbsnC<@JSmZQ+n3Z`7Q0Kr_k`q?r>Ya7a9y(djL3N zXg%3mo)2jHzfvR(Tm`#l$T@hE1SRRao3kE|b>ZRv08skpuJwEPr4I^GGXXMuhYAX_ z#vT>jyq;O@c2CPLzWAPUAO$tbw!^w{6gu-9z2=JMM6SpK(hZ0D^>xLd2U)2$RD%V& z!DmC+`9KG9BkfrghxMlJC_-X^??HH`X6o319&OQMIoIN2l}2n2czsRbrGR`x0k}3r zmjH`KS6O1Y;Tkz!L-v%;S?>(n%IbRekykf+BR{q(nHdUBj>V2;>a!GLb%#+FM)~#G z_b2ER(2A+$VRh?lZdDJrI=^^TyB}_M!WiT8)3<{3;6I#+(qsqYI;S?=e2Cur`lqq> z7oUrqIBAiu_dH}sWUfvz7E)sqL}!INM&LN3R4?mqn>P+{TUDyFkfTu2>9}Rwo7!4f zW?|yv$G3U*8!>QOzsT5R|ADc2Mn22>+-BYo3{;4R6B{WoI|Ax%8ossKS}JcZI6w5A zqaC-3&SUk zDu(jbSH26!1l1p%Icq6``d}osYe>$@wD%NfO3K(Nx+}V?9VtX-49IAvbG*wsA#9T} zN?4k^6y~u^eTh+8a<~QBl=A0c{X{c2oAw>s67ms=f0~@Uq<-w37-D zkNSouj~;g|elTn<{tk+Y7Jgcu7J2Bfu~ya+c%AOr#hl5uR_^BvJuD{3M3{5&0d5 z0!77=-^;{YPL9)5%`JjV%we*006z+1XH1u-@T&sj7p{%2iqU%q&t^ZzV&{%dXxSf; zS3e!9W*%7}E1T6qTqPK^BBM9!n=**l4r@{I`hGjEtZ?4LBO!w&f?M#Y29?+>n znvn;Q0As=J9bK+QEeTJkg1NG?3H+Pt*u)_XobXL-uYn$gQL+N16eH8Hm7B5U2*K{) zJE$KXl2M)rpQ?;ACqorKT<1!e?3Qlgr*dsx9`vJe60)NhQYl#jAx z8QFFA3Ef*%db@=Dq22 zE1>bfJs9Pv-dODSa(gWKF6A`dGMzF zu89bqci&b@%@J?n27Q3q$DmwykzrU-ZNYEQeST0LXiDzq#rVo`>;*$MhB`|fm<*>#NqL;}qz&s}2Db?MvNHDFU+tU^gUWYery5 zFGic)lyARzu(!xj_V^wky6?PGQ=fI*yyd5cB5^^2QyIA>u}OiCQ1kv4#QFAeHgY;G z2kLywyg5#`1=*HFEtJNWRZLl-}JCPE|#e9xwku9Xs12XkL13liXA3j8g%|9@s6F0ZUV$aOauvrd<5izMd-jyb zz$lp&TxdEuy4~sjAZ)%F6*4VFiNnPyxQ1VL9bu|&EYRMZNF2zrP}aUwP3kdEw7Zzx zV4UMy_V!YsX}@~Ot-d|8?aF20D%HV{?e(4y3g7X zB4bk*WpS{{7`j#y6R4iI+Ua%kvJJ^~1c)?DV#BzVJ6UL~{M_x}MxPeY8Sl5+&JF1g zNdtO341dV~|DT=v|62+f>JxBG3Do;=22f?%fP>NYE~52I*VE{%5}=3!#sFPMJ%M&uzWsDz~){@@yTAZ2tkQrGj{~hyaGH6t5AcYUng? z)-dqOXuN~cHN#($ ztMXp<>^s0ETas~6vurlq)3L{KD;qS~BjnRRWiwazMPmvoJUI&Y<<(Spbi8e-%hHPz zx50c7;p*DgE|VO~2xF&@X&)P=-YKB>h=Pv2=q2N+hn@Bu)EaG%rsbiOR;_L zX<@262kL476|(HMI&v%=1Q7C*$3A7VEkixaFOl15`6z8>rvUvi`w*Mz@D0ifC)K%T z!LY~G+sY>o{xEF1azb#8R=N?>g|4inO2evb+I$kQ#K(a#blxR?BGN4|`Qx_RWKNRY z54z_M2aS1Ahk1eSZ;lb2*%P9xT`;Z}6aw*Kmp_`VNnHMQW&N17Rm z=;k3$&Az&|;Pi|*M%Ey?Q&9Qvo3wm{)MdB@Nh3Tod%Qm|TK=@@(3dpf0$cHGWz^mI zdl()WUMn$p4TsV|$PmX&%WsmT_h%Cy(`xB_yfxY0v}a^f#UlF6|!0@>MzbW7M~@WO5x z1i~&*LD(OSyGu2o7?T+3T#zLs#j3t-5$(DyjnSTZm*XS*VLfl{))(3`YOF|P4PBM6 zlu-)zCas2O%Tbu|9Aj+>!T~a;OCOr(PrpC?-Tmg1($aHldY=S4{SR1m%l41xl^!MKPu!Mg3}#)d4FV36s5=X1!c5 z68dT$z$T=a+TQ9f?9Oa z$nc$k^CpqN)AT`muME~aZ z!xi@V>UgVy@YFr$ulQVi2QUNrt6DE2O4j3+m zde_S-UlP{ak2*DUQ={r_`v(<(Qh7?66^SIN5`HuZ#yWoT)W}&4S7?}tNxL|Q!c!F6 zftJldSqvFTk(;3IB?l0lfzEH#S55x~>|u|3zcstX)dP0EQd6df@0=^?=k;nJHe`pL zwX{TV(jqXfuo#WB^-+*Lo~vH&Uc*NGtdBy>Hg!K8JH6WE|0%V8Ta|bv;lusTm)f@c|6T*()y0CnwkKyU<>-eceuFXLQgTF5o^0cSOTXfS>* zzQrM!2*F!NiBq)38bi414^8hacvoL4lW^PS21<*d!WDo$I{j25CWR;`~ud!{Y)U{XSU-&-+eflA_3#xtLC51gyqo zGn}v?nX<7SAL(%i>3jHt!$S0`{`;G$uCtlvoNSIrjNc(Bk>s0cS=y>zb6iyBh3NtU zGD_|hePnQp&A+L+xj900FW&ot{#?WRZ&$ia?|!g|d*S3J>8h@0ZJe_V3C)I9(_;Ni zrqt%^S}u4vvKY3w;GX4b8sB*E$ZCdVy;>wNa7`R~=|}lP%wG7>97LzUPk~-zD>(r= zKb&XH@z}`bQuIitUx{L7kgzQwO5%FwLuyc?;4ZYy-Yw>WbRiq$i!Xg+}HVy?!j<^#Oqq+?;T*nlRoy*5l1{t=7wS zA$I51>)Vz&;+s{c*&_uR4<5i*7s?5w=c%ubJAV)BoZUxj#kkEePJV%K`1`U^Jqi4o z?v);-v?pUzVIDYSz~Rd!i5feBEKMGFF*32tG(@Yl`+BY zo655GF%A}n-pV*|L2B}YeR`kAsf zH*W3YI!||rH9&0uUZ7G zY5Ce5D=>DjlZn>y_lK|qzWVl|r-L*g?2;6`qWL-{ZBH_1N`g9*;(_Z2js%USZD1*y zo~cb^g}I*F0aI5Zi#?_!njTvzg~WT!n0Z_e_s)0Od(%3+{%!g>)`YIp%6qnGeBbh8 zD4vK94>ltg&;oXW=sp6rb176y-zIz3y+kr8AXUZajII7uCR|cKN#xGW3H#e6@{EWX z^d7heen6ysxUCu&jO9^B>7~Jjd}^8g=!U3MU=ystuK}-<~A!_YTDF)i0%L5kH`S zr}aP|r3vMGui;aBprPLWt=;S$Aqfs5^!?)nbxr)kvof-uP52Pgn7ve4ya`vJ^oLRZ za$d5}R*8>ti1g(K%!uehoJ){+1fSClOMfP-smv$WmZRHIbk_Y8jaA3P72|M8zhZLL zw=K7TA!To=Rf=V`z1z1%uYQ|h{|c*lp-YjgnUTtSNCSLer_2e0WB^1(=f(73*vJuw za3b!@!OhJjQ?%HrWvqS5(-ToSJ@x^DoqH`p;ntn7dh9w8ZyanmB)n!lSfZ(`VYi~u zQ=BtvvmzWjILhLlqm-jG*sllCTMF@Tnc9BBQdwZ+ExB{!q>(vsz zG%;mq7rqWjw0W6@f6SG*$+-8u;`uk~>dl0HQVv<3Xx$Ew7-M0js%V$_;UnWOM~@_R ztX)z#nn)jKZ?|R8brN*BGRBZp!od9TsdcA@36)ok6f{!HaniBiiL&uNhlcoR6XL;w zm$SBC(#$U35$kW{Vkn<{F7v3LYmdr0S_JBW35V_R`H>~iqb5*KKQbOxht65yH}}*? z>C^9QI?tNKC8l=fs=<+)q2Lh~)>tSb(qk?hI5=OoTA4faO^2vDILz@?JMC)cQ(3R4 zawosd;GVJhK$FR}PDkm{7WK3Tb@iN)(q19X7DLLJtvW`-66e@r zG8@F*d)`wiY~E*>8HE`rs?h}K0U$xXU(U z(HuXtf?(6mt@Q7Tdp{@04p2EMe$@TM-sl=%78ZXLrwQKe(3dogrNn@IThEeC8M#x^ zx_WYh`}j^8u(BNC;;j7d%DeuH3XPM>lT5!njQdLK#{5_dfEADLGND}s>-QPx=K+M+ zZw#O8e`B~(@8AB6$~N+&3WJB5eAE7HN4-FMhIGLKj(WB3@+l?&a;=Lw1wbNrN<-=8 zfB^n!ey_~@+ZPp&+)5Dz+_9~8)R79><2Hprlb&p4qFcvTRJ|itWY1LThhjf3-16bda5POr{jTqpK+Jk|a zX&*Q43vH`>oIvzLYU5fLTf2KVj9!1z;f=-~B2XC&itbvV>ki+%ld;_oT-2`=9a8=f z#>01mhMvq8^Jb>Vt~bs#*}8mh8(xYoXh+;73dq z)gzkT6g9iK3)Q+%RLN2Q8wrE&l#h;3POr+2Vdis8bJ3N^uG_03hgNdkDuq+ZI3CFN zVkg(=0;w3n@HP4z9qdEG1Mni=!Tl8ZDa0hnP5+x(P-T#PoihR=M9FW$Ov%qLQ;v%sVuu{uSm5ulKUx# zAyEh+vMZgRn1_Ab;zuZ&6;#f;J3C=eCLVqKlabF&p@UA09G_3w8UU(4Ouj z^oOUgz=i-3L}ik)(85%zcK6>^sbNo#^5Lnz`98$4zmRmF>+@&osleu!-&H5 zgi}iiDEr#cjGcSA=aC#wAGUif=6*Rg$z6i*m>q~)&rNp30PgW&IuB+_30JVO2S5~= zCy+SD^GIfr@1!QSE~H857#6)OpHhvuv)FbgUSsrx{QES49f%1l74WG6)Feg}={dIt zzK<-OXB!y*9S1ihH=9?DNGjN9ji(ERo_!^BWh6GA;Yh`ERKa@act4Z@>B>X!!<%%? z#W)@%s!=7gCCSN%dc`ZZ=sk5-l|bgE5~XpsuQ_zHZ_$)#R_V&Ysql-lk;`ry0XRb*<=NLb&}F;tMk$dTX!xvuW}KB>DZq={VkOj_o%CzX=>Jt*f8 zJ&@|JUB>ra=pAEl`#gJc4zp)oca3@Hy{bJA#ZM+RFjwk)@!D3vMF(cH4Bm`CXPFXV z`81a6{OW-<*d91=_d-Jgq3uXkgg7ADjeLUchH_GU3q>z=bbE7T^~6ab%=voJYR^`= z536lO;Jratotk z{hPI~M`BAA< z=+P=($~rjQ2}sMWv*2I$sx+bB^h@RP2vKgF-h+X3UFXUUYG5Z3HxC`H|ZC5{z38z#Ig0D`t0@VHMq{(ISVp(7?9ufgJ4IxnQYLCOD((xQ; zE+$DFGz^q}T*dP0%&ikHl=lZM)9vg>%B-E|ky9}^&W(3OCEQG1A`#mQVQGBTPk3^$2NM;gugg3IF}Rj2AfrnG_zCrcAqzv3dhj=I(f1l+Of zMS37_J)215AF3)mA`_d{ccIK&hC?UuTI(%1@doiLe*7VjYdS-KZWIuTJMXT}9%=SI z+bMQ>Fj1Oo=8D;|N?OkQ40(lI-Gt%`wG5HfLAs*#$I8TLsY#<^3VJ6?Ye} z-eQiMxtKTetgXH;C1sDq{H&lptv}w`eTLKEG*5hf% zt&8MiyZo$R4Y%!Ci}!qoKPO#k-2bf5q06E!X7T>07?R+%Fc*_XdRa}@rI^4^48j$N z);2?n8rD(DkK?JPlK)_D95BVWCMqAotD#_TCgcgdJ`RL!l41 z9i4$+CT^8xPS{)-yW=tTAfzQT?1?u{GJtDc=^H9NeyI00MXNZwwEX3up?1OI__{T( zAAJ;3JEC+X@bh@hsLPEM7e&t_fQ?k&^Lvb;1TCDd78rx$f3*Y&Lkr+rng~D2kbb#q z975JLClRY>WWt~wH_q(bRN2;VH<|3D^DcM$#-MpHIIxg{Ww+q9JuD=79qmTpoXl9P z3u?QUegA8X|D>4ek24D|Xt~;Z$o8Z}vUMRF}R<@wDuYGx3wtlm? zZ1GcUf8z5;1AalQ%5(DB1&h!Q+pQQRS;9K@=EoSeBozto+%Qr=n{LC(^gDU9PmA?R z`FgS!t{*xXiM!{>dnjffZbJ*3_K>41q4-nkbkFxQ2^dPyz-u-elyxFF3XGbjMds{MvkLp6Us?QdtWzjV~#W)C->q7<^ z#+zwOCATgX_{DfE-R@77c=(d@jH_$E;PV{W;;mE9B}LBOtL%qEjO?N06KOqOP*!gT z8RS7blfqp6LmUQ~$5`0f6Cx7ofUWu*fzw=ny|1kXd*f?tfcwm)a4>)vk$keG#@=Q?D3Q|JGDv^nD=14Ykbxp z8AU3#?!eSTsKIbHkew*Tp%(pM{v+#^ zzgLL=kMlCTyLlPA3fZMsAr?_dC304FRVl9&PnKShX&PDevPnK8@L1VE51(Ki*XyF%GQ(m2WxS$OF{#3ovf7UnePBpmrq3 zn9WS}mUNt4vf#Z`tv1R8qt_37Ja^44++A4cCn=XWQJOR%ae1R5|({`J$XcCEf24s>t)D(I9?p+)s-O~ z+oG0B#&lX=*ftoKJJMF&!1`9It})h#_t7<`J&BJx8T5h}#_pa{Rmm={y}Vp|p{Lq4 z@rWn3wKkMA<|Ugq$I+qe(roT77+9ks;1 zTbPP=_hYq2HiWY}6ePQn6oJ~P#X|$e&~qwZy@&EW!;8<2JxOKqBDu<2(6_`=-Q@h5G(YpHWwFA{1>_jksK8pqs4jw|UL-SRzS zi@LbX_mhWULN~D|r2=9QB_KR%0((7s7)XkuFZ~pTFoqoZE{MV#jiNhYC~aZtd9r<} zTBNo(+3zZ0EVq%?^U_I4$W)aZ+z5wJgxJSs< z1%wh32g;Q`)viPKLtUX{vssxYq6t+F^+fC}#WH!47TNt^o0JzD{5jr4TOIz4^uEn; z6iz5xfT%%C2G4PLPhWY@)GM@ten7oMdrVcKT=Rr7m2b3(!F33AkwGrytAJG0^MUgC zgIo>F6dLO_X?0Id{9&Hq)%)I#_cLhq{VPKfHb^zj;!= zTzMECR@-MgzCa_6(3l{$Akj;5a2ckavj z#mCh?&aF}M4ap9$E_8VIK62|z`#>)|5Ns>WpPZfcRM1@>V45!0pJUH_5je5ob3eIe zoAD}hJElH08HZ)#oE#drsfp;sAtDz_6}8M59-Wk1Fqk|^UEJsN=J9FoP9JqGFC?8c z(jQldycy!uv6$+6$kQ%9DO)I>C$munR(J90l=n_cJ7;=Q%lgSZ@A$TTW2t;N=#y;0 z5lx|mEUCF`AGZvs#hFI0yAll=-@esiO<=8PH`~L=#Q|R-d?$(0o@on^%Q|~zc?s?s zZ3%t_M#zxh*Ljfzlg=&KHuxj4#WI`bAEOy|hG5J#|{l?(%-S^uzX{J8%X&ciwOtMLBfbJig=18dep}0Lp+$^XrgKs42U-^V(OkyomLd^pAU0laz{5 zc?`Pi*A;f$dp|m1j9R1#_BdpyGLkPaxO0k8VFjT&QeGS4I)(e(96{PPW34wicCF>% z$(QF8%Eb3Q%#mt=bk0>UuczUVJQIQCMg+y0pCAk1Syk7FX=|#eL!WJVTe6%rZ~mN1 z^*YySrsMlM{4o(4s3&v{j|bZToD&;`!=QwjLx1#ZA+TmcHybO*l!t4F@CKXwYOyUX z&3YeJ!mTX4ryDt>@%*SFPe_e^yYDn-r=38A%CnZU9{zY=KC<44SuLH*8PIC`ei^~V z2HTBPU4=+%2A{Kglfj>+gK;+Z^__tn3NLNKZAMp{*0CgQ1tM&E+c$pftHz8u3CW$q)025V>$4wWMVK=|s)JvLm zjSX_KvvgHwJaLPav>NSd(6kj0sjxgY;8~cgQ^mHFD$?Vn7$?LFJ~+G=|y;dJk#MxRIi2_)Xa8jFTH`NuA^Q z&5a&o20#;9H;vcDYzz}KFO9Z%yDgX;)+J0xPu*LS9DZ5T`u$_OXGKZ%X$2p>Pu~R2 z?({MQZ-XH0H3CQ4x)ClYX=$oYi(AVOu0x8j8K_+k;BFmkm5+<7iPUz5-nXEAvTg!9 z=JT{H5Z#&X#2nJ(z#XWOLw1b$O-x?1`*iJvyN@PTY2&!$^u5o0%W&MB^x3K+>+e`c zLS$zQhSy7DySIFjr%M>qwbhcLpWIQGX00temM$R$259_>Hzsgz4aOtt8MjS@lLZ4j zEx&3NQgQDA>Y;1>u%@uK`pIpxnKwfd)9&y4YYR~HVGnS zJgk;pi`FbU(%X+6{;^vUOL&9Xx`PqI5CBki)9!Ce?>3DWV7jQM&LryAU};9wZK;BGsrC}lY;>U&6lPz zGrqbt_cIyx6iT>avZDlx#BB3}lw;}4ZCB{tEv=K~WYjPf)d=KGqC73jrKGEmb&RGI zy|dyklQKJ5dO2n9$lAC{(J|fd!m;A$EU$}h$NDV8i~6m&YxT@d%Grp@RE;m7Hl*h> z=VC#m$P~*$6&j&B;5iQl2AdHcHa&HJ@TfX@;8FQaE0I)#o#XqsA15eer_?z6vGnz> zuUdwe4}eZ#>?a3+4hq1#(Rso4;hShkk3W==%0_l6KnalJZfQbsULy8VqbiwCxizMH zDsr$22gE#7W9Rp71|G)OSbfp)EnJN;FNL=g)=1s7XLK1dP@M{7!%L+Xu9-K+i(L51 zSlu8bdmzjC`;{{yYObxw9tbad4}oGvAfXnFedY{Xi4LnCQx@jj!ke3VmNw3Bpb95* zp8FR|W=CersH!}|qxk}n?b@OvaC?05mmf0_gGZY_n=TUi>fnjq-*40{3M)X zf%C~vM|7F}+Z)+)!Tp~vVS=OrQx>8kZ?ESDl)qfx(mHD~{9^P+|Ld~#Q?G1s4H1B| z;nzas@QMRRFVKos= ztls0PPQ|m)%oa?mDv8$&U8_EP*JZ!F{fsNZsVH|($NX)X!?y5# z=O6b*ILw6~6$=T!Vk#Q25*)q1Rg&w?&0{%L;8`}BseIAcGP^{@+H)Y|ShMB*!l@UY zZwC*lT_T&4K;{tzdxRue!WF1xUYq&l;Yc4SnM4)<(NODM(Z3o1o|FnK#~IL=2?3w% zNb1PZ(!k|EJ@qe~8Iu1&C6m7sf&GvD^Zjd9d%%3+Z*!F%eVgUkkx>L(a0@3pyNdjx z!eUmhi>@|TYSoMSfQXJwLch%J3Hb%)c2aH<_U7jMW{Xc0J}NzSv;UGG>GD_*)eaMD3Ds( zM{Cs7rRc%=$v2qe?}eD0uNx9q6K;(Q<*C{y?wxV(DWChDJ_f%8FHc{;>>@2?#CxDn zj;4v40vqKD5@0dqCxIR~7~odpIA7Gc7=VGj<2zRR`km0`v*S9*oxPrKMdv!AYvo1Hz-|Nd~e z zAGdh7SI?n2#Fum(@S>dRB!+b(YhfEQq}zepU8KVN2@ihmpt_&h&%^x$o(UypwbW2b z-oW46)Wq`o-qF2P0)IpiKzu;#A-^N`FJNO4vL2P>OhZC1h{N1#mH81gc4*e&lYvj! z%|}&9XX4ebGMh07_1sUS!17m`e4_FJkAX_As&L3-)9LAH`<_Z2c7@{x3-QW(EDxQt zyvo49pk5w@bov^G=GNx%f(mcak9a^PO#_>Inj%W`>ZgvNH~7t)1sA)x&s+}MhIt*F zxBhf%G{w*%V>m9MM|0$)$LEogUi<@zB8Nu@@t|p<>W5szcAm8|7D(x z&N8;zJv_u-2kefe1qd2me1FrP3BwQd@MWRu66>kF)9rK!*?NJKd|p#mElf?Ph?Xc1 z&(&-55O|jmes+ZKou-=#MK9O-4MKt}NrVEhL1;{%(L!r>%u=ApWkOAcch5^w=AEjI z@LBP1?4f@2TJ0M`jt>ZTTF(et#tj`A#JF)z$M;)Twu}HQ=l5VYMxvn>hAMtPYWZRb zTW^E5_1#cK4cC@_(!-A>Pw_kkGHyRXJ_+z3S57ENlA$V)W)hSHOJ&#kLZ`AZ_n0Osd zN}PW0BHw$M*!`fO+k)1N@iJk9w#(_`!qM&J>}v-T)}}_ss(p+4NW_YO_$gWMxX7tJ zg4Y)o6=hOYRw1?W>xKAMllkqA0X33eG&7(&;4r!}a?j}Oq$T&JmKN`U3_Y1PXXQJM zr}|1G7-K_KVm5WGTTwx@+E1L5()h6}Q2cYS?Hts@D1hGHPK3@Up;_&uj<0b>^i`-I zd1B8fyloPD7cm2?RqNp7fuC+5n|KiF`qoUc%JR{6wIe=Th8yGWqk9Iqx)S8N`ij22 z@4o0#(Y1wIz^soGt9y_H6HeeY?4_#UuyuiR7h^8k4?s6k6L<7JsM=zX68-zUrO7wX zY-I58CI@I&x6o1$jAXxg?Lq>U&P7w*eDA^2d&f_u#LV&9rvo;%BlYb0dJXdFngi2e zcXO{hf74sWqho6zWO1->KB?Tia;#x|E2>3xTO|I=`pwp+lmranr2#d0;^_1W43jNY z*D#`arf9-WI$diZm#Ejc&#&bc@6CDk5B}+>;jz_As(HAXZg9S3h{A=SJtf@KcL@qNwr~af$>Ti{K&O@FKi~bL4soU$!dt zy}hk!YN$25G4;J)fk{V}+dlACA@nE%J6sLSU@Sp5trHrBtSRW6QM}(!N%$HicS|l? z@6!@nK#M_`*g6+O$XX+SFJs8Zzdmk}^CEOwk`?mEs4mshYzCTEQ(G+$;KiV7eic7~ zJ~Pdr^xA!9=cs_XFsuT)P9YY|TSw6qXQ(&N``^L0I!=9?wy=G1r?4tBHG5v4H=f88 zbe`?F-ts2lTz34rheNUW5C6DxJ-N$gGB(~gK`4(Tp;j-=U*e?%+(ou25QOilDVo#^iN?}U`{T*Mp) z)eqY5HjjCN5E(m_3%#p;EXlyAas5RfQ;0$NU=b0GnqyT)#?7&4ni9$#o%sr$tmoE! zKlkZIT4coav(NG@Z=X%c9UYAnaPxa+ZpBN49YypZ`L|Hq?gB_=#PPym`U&_MwgNA! zq~}`i@4zcy9f9AEWowmOWA{1p#_9s1SqG+aT)mz@7h(HR$$zj^1yELVxoufmHeVGb6KkhZ~k3H%U2occBM+HG1o^P6;*g92oEX> z%k49nvD9%wH>Ind^vUtpX^Z=@^Vp~g%k!*pkVN-giuDDA1g1~DqxhKLo7zMq#K*kZNk1PhAbr#Q z^Q$r}7wvhjLog7W$!T%%g!dc8IqMGTl+P%+lca>wptDxjMTRhDRE>rxulYG3eoD^+ z>>?=30Ru}{?y8@?!gXlmxYpVaX5FyG1kx_lRZO&b2+9`lv$JRS$mI+bTx*liu>G4Fw}$LibB~v!%gXV-m zFXj1B8x?hxv&l{&BjH7IKQg~8v2mxqo-7P6d^{u?F7?Xw#dC|xqjISUv7SuIOP=9z zIxe{iap#P+;(+Gyt*c^_1?9z14tO5$>`g;cJyslsbu zRh$Rll9Zc$O_*4y8?csd0vsI!NxfD!y{B#r;*$)Yac;g&@cA(i(uoXl%eMu!5wXOn zDZ8Gbe&rHw^@a0|>FG~ciRY_DY964azT{ z58vB5ysZCAiQjHo_@7wM!cx<(*0b)I5C?`x9p-Y~jC1k0w1EtQ7|>0F>o zW*@7#>UNP4eQZhb!YBLZ&wG{|8F1fcXHtlWRTTm*{TuJ9oIa1H+J~Z zAo@z?t>~`1U3`}bIfCV5Q5#7vN1{J}rE2l+>^vB=bk{?2tL8m2=^$hO7Z-;a%i?6j>*kQbRA;6M}e2 zctD@E+DCV{?nY9jKr|w$aDnt=xOew1fJ61NJRp#?p1}|zrME%g?eQ6Cv+<21@@4PI zHi+4ux7P^LcnqBfB;?*%5GnAL9J;&7ANMKV^!?XkkR6B7GX-1jY-`EdqLBKfXV9g` zR2$GD2jq@SE~K862CC}2QB=us@bKb|um5&Y%$lFJ1cY#vLzezT|BsUj7Xb7-k8|fG zgda&rgV8UQ*FkXyO*RMr>+R4LPui-*@reM3x^D>i)LjO4= zfH31?0ea^p?9a+WkLY{WSlVi@)U`fsnM+*7&5`Jwph zlr<@Vh*!-7vgrQwxRW`MDaX?dD3j1n+51#-UGkp>92GpY;sEJ@OeR}Y5{uzC$iwAO z6yn(X>}%FZ7mrmBA3YLw5bdLF(<>qH#`T@L8MgWBvz8+dX;Uk=G}U+|L~Bb=Y91xz z2sfl-@vh8~%JLGjeC1|!PcA;RxIY%f`f$HPY3$zU|6SYU|K>M_*jVcnss-5vV8x=_ zxJFty7g}XRoiC1xe_O79=3=ui#YLRGESJgJOvr$dOV4ZcMEs*34hDp-E@7EeO-lo& zNIp@FS)dcGM68sbmG0Xj{U}jMd2+M9rKYz*u@nM8RXY8q zz(j=cVF=G4)MPXHjnSL`W^u@Hv2;oediQ&IBJwWRqh7QVAFk;9I-@)3tju};Zg;?x{mT&39{*`S(0|zv zz;yb5uvY)N3iL_)yrO+ z5+%gr*B^>EP5v_bd0Xx%VD<%}^*x!>U}-@9m-#Fbr#x6${q|J)y^rP_ZdmXGYgZh$}l9F4Vd01VTJ*^P^DZeOOkazXf z-%S%h()^8d@t-2Y^b2Wy?h&z?nyZYi$FZh{pSxGg2G1P|Qg~qc&pdpRBf4MnxafYl zf1|zl{{$*&&hGvoI)rzRKr$px?6PBu-0q>kKkpC$TE_4(T7%X9zt>UtCxWG+ znA4-FJX5PmlL~qZ1tJ0>5Bf9_?5=DLKwA}|$br%{`#=9|!|vlH$h1{~d&8XZK*nIQ|Wak@udfeRaN;bPOlRe0vYRKPpG(tM~)4ZXc&{FN*PM`uJ z00bWb{*uG_`^ml0msz!5hj@^*0U$l{VLeR*^LvBAyYV0g|5Cy!-aJ+-Wal{YuO@)+ z@&-i{`Qzn)3Loxr zV^?*9{=4c%ThB2-=uSjcganba0Z1+KaWClBUnGi3l z&4}fd&?(N!Z_vL9?SNpDDY(xAoA1;B!Z=<;;g{1YD3`?^~7(Tc)t-$}b8;02X zWb?;{!lzAlWjWEd0WWTn!~2qJ^6VBo$*{t-T?XD75XkVM0tR06L+M=x-hf>O-r`*b z-m;VM(#!bXz7cE_uSMvyTAA^Lz(EO9b5^I3(Ap@V-ErfZG>R@k=EPkAt~ZNGm-pT2 z&YvdF6GHM=Ncv0fk_w;utE>OCj^>;WCS3wD_XV$z^ZLIr*ww{~sKkociLci3ofa*A zr!55cBkK^8j4#NC&&pO3Wmk?#HS^yM$~MTn9g8{aGcoZ~cp4Jd=iEgElMwhxZG- zRgTzwmybdV(RrytwH2*^N;eb2e!j?nXji-bN@=5QTke-wVvvy=7Vn3-h4 z>GDU~DsQy8>ElQi?bGfHZ|jNMQ}Cl@GKX0vlRpe+MP67tmU1#^;^p~XzU?*Zc67b< z<~;e(?dJwy2r9p9-tceSWsw|fu(f-o+Hq<0&`%Q_h}>yQz8kpz;Cwt(uc=V#j zJ{T2`4xZe&HMMwaA;?m~>)zF_z0(11BB;XhM5-ES9Xm40k*9JTae#W12tk#ryNCqnBH;gnNe1C1^^8`^kd&x2o9XBf)y|cb}9|{)EI7F zUKBVw__RU-1(4&RAuA-1>k|a^GsUluTBNriLs+h#hBs`M^_73*R~Osz)4ym!mOWVa zc5k}2=uxM$=-P9NA%S~q7p*HxUW(Ktewl^R8YC;oDWz0tvJe5|K&~wdbUe>gsruY% z+N7%C46T1g@vY_?%dovgin)8cPKz$DFH)|pKt%x%916-%3GsylN-v!+>Xh$2@2gC{ z)s2?i-7?{yUNpJMG#<*G}=E1vB6^c#bcoAg+D3g7x@`j3DP6G5s3@e+Ob0kYGV85*Ht%xN)N>c5u% ztWU-Gyww-2zCz~;C0WrNNO0a+I*SiY6pL2@&`uC(?QVF@kw{!ZhYjQO}!!ZJPM z{o63wD)k|tCOEr0kjcJ;HW)8egCHHQl8KB`)9?DeD!ll)`1Q5gpR(cxl~_Sb+3!Ug zAFgF@8SYnU*8T>DLje3nGr69k_(gS!qDW3_KS)13>YNs3<*m6t>bY2eGLvH0RtT-V z6orD-1w?3b1(G`FzlKp|i{Y2ZaY)W7WTmprwpPpjfRkz52^Vifs@+nl(dJXPVGB-Yty~=!mHK- zl3e`Q0%@F9;tMyhAit8c>ytG<`aZ{K?zTWb_AIMp+h*q>im6i`-+e4FQ$Am(ihQGC zEH%F2NG>|W3&yT_#}{ubYZhZNYW^N@zd*I6Q^!{Ltc>IP1ieM|*lyI(>k)%<05MiR znbuCCA14krG&hY(Q>4=KZF-kxR|TXY&EbknOy^yl7~USPmO)1&=gY?0gpr|bds{{r zooyq#Nhh4HXwJ#uo_*RgcY`&&*@q>2)R`1zWM57`QLw(^h2JPRA7eO@S7D3V#MJI} z;OhzGZ1wJ2NWwAaNrk@4`>v#YlKx3d0v4VvKS)=i@)Dt)#v)xmPvsS?Otr4YWWs74 z?D`UP@ADlh&CuJi5bc$Ie#%A~bmV#WxoS5mPd!czwKa3f+i_}hu?8!{!mVo6glX;y zN5>V{XHX(Z)is2fx%GF%OA!7iAAtQmFq{8%$$9U^`upK&&>qPH=54fwC5&L($qPQv zc>t>N9+~ei>3ESnT`u3Po6KwGIkt+(rYh2Elp(PYzFkH-f%c!Zy$^ppD;GwJn26}S zs!4@~I6Zx-cj0`e@{=np)A1%54v4uaY*aVBnIJolj@Fh4JZqe4fOe=esha*2q-ijA zr^QzScSY}X>FWLm(i>U0ue)VF6$L0wNy6rY&6Il+qbipUzlCJ1FR%GQ=*k=-BnbOp z2TckYgwDSt!r2H1$gm=+d}N3BD;w>MLV7#1_^jOfr%t2T zx)x@NCG{{loS<`+OvzvMb;GrC3!yFJ@rtK@?36xLuKV5*j>>2hwERFVG&|4tZ3s|# zoudW?iKmmdx-P)=8B6AF3M5V1e0pZNi2=q+z{r0tgo! z`ZC9*JwR&|h*WW?{F3n$E3-4)8+6#qOCqW2DK}4>ZacGJDdu1x8%TrEvf&(VFW`!! zR9RyE8)27M-361gIrg3$1&p*$cND8Gt}V_>t>pDliw;c59KL#2-+XNYMye&N0EI{b zeYk24D<4+&!uALYzt88a+|#tD7Y)R2KU2QNc5A<(e1%VWhCgI_yH}fM=mrtng`C{( zMjR$cM5u;bYwz{+}*B95R6}at~_KlGw|L@4?R?Q@fLZIRwG(sAHw6 zmc;B!J*1Kk)lee}0(3Z2i)qmyAh>9jltF)zumYdkz;)O0Gv)z~SKP!iG$f5P4+b~i zOH7wUt~ms4q9?N#3TaAU%yQBWGbTYeCW^tc7yz9mqpE}F-J7$%(czEfXIs7ITYZyA zPq^;@%lOFvI;Uo75bR9$1F{7o__c)AlfRCndNcUF<0@1DF0q2SNfp3IR0oT+e9@Y1 zy{WdSl(Z^@H-t?NuFPYjmsigN&zWltOSv6{qDrkinvOR`z*eDwFkca^iXXF6tr@oI z9@h1ZSHCYWRYXxaY3>vQJmf$-RW;Nf)8@cII!kN1H+8uu-m^r+=0%(L(dE#v_eJ~m zORE30;(py>4W3QS_WP9HQvU^pt#PgZJ z{HiKG7--P>Z0}np7>!TWe4M|BsqUpouj&yzLBS@7IZmO74O@1zaPNs0%*t9_@K2`Z z!CVG%UULn(rv6!}*B_{3fa;AHcZ&E^a2tV%b`MSES%a+3-=spa$<2@DPk;PT<2k+L zNnKVS6zUGy8ObYfee@$6YD+JN-E5wp!nD~UI;}_^L3Y}S=JmLdF-;iO0L9rFFuiwU zk!SZna{z>+#HWXQBnydgDVUgc%kq=)_HYxv$f18KwO2UW!eoMpY4;1;N0zC=Vcck( zJ9<)!F=UJDoEHp2bt8z;0KMxeQIX-)wx%~IemdMS^n<*-S3mF8n)U<*+4nm7lK>e?q!LMIn7X}^Ii@JR13Qy~R%F6vq z5;@oJm&F|Sep2+KeW?j@h|xYzOhxwP^3c;!i|SMu?O6TL+)t)ksGHs!w8rIZmr3ME zv(mC7)HiH~@PvDazlg1D+Nmk&^;m7PQkSp}IjY=F@_SD4c}eWsgPcSC9B)juug}^T zu-p}<%>xhd1{@7xU-fD^N#!-y=dq0=a-Qa%)_F~CT7#)b z3unJ6rYT+@M8T@XRE_Tqay9g5ESZaPR$ygFVP#liyL#gC9e=4&qo~zhOLf?-!?!rY z58XWdiI)E$qf&kZ=7gFW?-CQkEY^eiBDd_)wY~Ni#xnP1ahABN@u%#sg$FJP-RWPi zc`W$kNu+w^hq@xckuyormU=lfdEm%;N6mBl!D5i?(ThX1>^>~Jb?3#MGJ{1M`kQMs zukA{^&D2)0SkhjydUd78_N(?NyZO>n_a5y7*iZp#5ULm5R!Nnf0|HML+r^a;DDR*a zy3B%~<`hf`Ul?O`=dj`@ubA^IdhRVS63+_}N*q-u)N^5t$<-SVJNzxf0rFvix^1=1 zGkt;UjQ9Pb*DGgoM~UM-Xo{@D$`+A+{6j0hwF6Ci)bUOHjlG?hIn+f#b+7!n^UKJ&b|>q+x=4}0b4DpEgO5dgotP(fb%)g>1`BD2074Ar+t*Yr2TBct zf4NJ6`Nv)Qr^*Q}IpEFRv{uX9(;QsRoqF8alX7$LsJUYTo#S7?r|F1CDbo9gjKFD;RoPkQ7+zU`Rgv9@B%XJDgshBe=bfeY9Z<(J~GyPyAN zBBw6{w%O7~!OKuViA4|xSISfrxZJJITwW%Vb94Rk2U)U(j=xz;ii(Oz&7z+$Lu3NI zOpu!typJQFa+}{_*(y_0%Oi=~fxJ?rD-GH@EW37`(o8yaw(E3Xd+7OnOihtK+0ZBB z?{WK}yF;OL^d_92@`lihJU*^mnjLhr71LEuFiv?RqHsDXb>GvZr(O5@kY2oEOe!0# zXsR+}_QMxT(`m*?k6`Y;H&QflOBeTaK_P{AtbAK*ZQijE0UGyWn4J#g6NwWkHHVnt zk6GOOe2ZViQBXI$SIGJH6$7bpQ5m}*S#KO%%7VCi861@C#SoYlc&Mp?liO>)dYdlyaa0v`WdIpp;sHazlr~nM_s#(@t19r+qs;(S`l(g zV-h`A5!ivKN35h0Di5|VLO4S&4@-@DB&VRg+GH+2kv}i3`5Fd5(&DOQ~+Gyzuc1;f@Ahv-rY0JY1 zqN&1E4?F_H85;`~3YwB*#@o$K%*d7W9v+vvlAdn^aTvamtrs;$gv)!|-8|3hijkJ-R;*~yAB^A#7`#8=CLM+net6oGAIQMvl zp1)InhOfLZPC{R*wYh42-Z8sj$gnJLS@ZV2s-wC-2!Mdk*YK@%;U)vS5c{FKzu2N; zx7ZV#Jq`S*>d%H(*XCwNTCSK_FjtqP-)xhO6N+4y$d(bW7y>ah*d#N8v_A-OnUYr^ z^2LegX!g7Mh$lp*hAidqkDHpr5dX?@#eIFtDinVLEEzO(81I;1>_?8HYI?B5yHnOT zYV7T<3@wJp7~E%)s&3&~v+V1eJUl66DX)YX_l_h{bf*`kqE@w-D-G}{&Z#c}_uZzR ztmhBg+ja`3sHJJ^k7C@z=a1#IePqshPT(Y+;-$2A% z&J=sjLqjOZJ)-1h5$6q~IH2y3Q?gg(Vf--_B4QOdoMN!uxRuf%#~=1qb1|*^>CHcx z2)zqd^mK0yluXIr7U1#rdC(7w|HM+=skf2(A5F{36a{%A_nkdo3Hh7yLrCxY!}IrO z+za!&rtH5k_Pt-JWjFkm*^(>59<=&AZAr%>_!6)(U+T>GJV?s*D1M&6^skAW|5tDO z`RA>c`*+eG8*G*R2#S=Cu=mQS%Ys`_3(*o=;W}r0DkGdF~Hb zF`LUqoL6m}zUqXEgIKN*SiXVN4%wfg(cX?k=SXlZNPpc;VhIbW*|hP#xbU4X5FEtK^q<`q6o2?(I$@Y?l{K z%nD1MCx$GJubSk8G8#VEO?1K(H@RRb{niGkk-aW&M7?!d- zOYrBO5V!yIFnK6Fc)u!_2;UB_DZ2@CivH|J6;&JA+p0=pT{-%c@eaaO@q8>)Z}CKJ zUHpstb_FYSE{9m$*sMFfK?7;nMKT>fBcS`|1U(=e$HyS~KkPP)k2~ESts>Uqw zoEPS%BqeX=4opax)ut&t{Pc3@*|qa~Td8tJ1BQ>qMll&sO-ed75HK9x%wRW^#K$>K>E_fv6}9 zerl&LFE2j(sdiiGweJaZ;6RmwY4MYTPY-iN&Bp_%RO9MnxS{n0cSX0Z5hIV2N=K92 z#jhOCJ6`Qnt*XLSEI6V)=6N3whVZ+o$=YzCvd5gMRYh0ab&D=LA3dFn*uwyU8WMph z!+2941KSkIq7IZUcuzYxjkefOp_F5Xn$|aZ$!D5+G<>T z1b{!W_S_$)IA4bS-Bgu?u<8nWC!$LX{`nQ{78gLwDJOg|^9 zPh7YFn3Fe93>;Be_eAp1?lh%*@_uv!u&h^pv8>uDTe|dB8ZsfNb1Uh84h(XaHZx01 zR4ToEMP9boELX=!W@Bo+4THt4RPRkDb}vu{iR&YLwIBRF3SN#YQ_N{EJMXr2Yq_^@ zpK{`mE{U-1r+R-Ac0EABEUtD_+xVSbgY=nAm+A;5$}|H>Ucfh|0>)dyS%56J}t+5pJ(u>|KV-z|M;1$mDdz8814 zm&SX@09^FnC_p%2|3 zgD-i`{kJb^YSo)Kn?!{?YoxgW^cF=V=0F&6uG@5h@K3Pd=Cytb5~U%YS3}YxSgYag}GiproR~h z$`C1w`VHT-X;NBIC>^ZYE)|Z;-2zZztMWY9o9{2c;|mNJoxgVf>*zH846lM%7Ee&y zleIk-nW@3QsH4B(u_d4`s%|`C%jr}Qgd9eqez z_EoNSxTTryFS6C{&pCSR2RDo7HQ`no5f-sI%Y3IC+y*SblVcleLzdniMM!ihK+J8iS=f7ef z*v~(4rTL39tb)orCzx|^LxcuanJhv@i0*>p}c+`+w7i^5?Cw{Nv64w?6+jeJFq43Wa~` zLHu$1f76HZ=S|N1@#g=lpDW*>DKdMOdn#FIqVJIkp`xUeszuN)7_^>I3EJ#`?U`n0 zM=$365I3>=#$yZKE&3|5bo?>xCdDNmH2pEdPh8^m`Kk%Ah7gmgZ4;tk4|(qrLqD&5psNQU||ItNp58n|YM&EiHf_9Ge`KM>|DVaij|!a%$xvR3Gie!*>b)#O4xqI9bH~kJf9u#GNL9Fx`JxG* zLVa5Dtj1B#Sq%fIQs5srM5~#g{IA zR=kW!dco?&Z{AfTZkpCU5JmYrl~@cS94?Gx!e3xWgcnc3b>1A834~o3Iv#+8sI9+4 zmGFO}HOFO)Qxh`d0Hg>A%w~qzegF<40XQi2lWEo*LnJzbOTJ41(Xo4venqXQS_#q7 zhFz^)bbm5b^;e9lkS;R*3kB^3krh*bh7L25|IV4N+>k!b$1O-@9mhBl<|#o&s7-Ga zxC_5wrF#F2u~zP*f!!5^sfXxKsSw~0c6L1bM=tRqi0(irfdyz-FNza+EJ*sbM%p(U z;>gQ(;lRLCuTSpRTsX9fu)%8IH3t(ev>lv>otQ`1?tmxnD0$59rX-sjF!xN{!d3U)=`NtQ78|MW5^6a zslsO~a8AC_Ph3?*l5e!6a-0yh(f`gPn6QqR!jThODMuFv#5;3$53|O#9;bX=1feBP zH@)u$XTqHu8`?!YS0BdS{}{khB>QaPgdvWnJKwN2mMWDlOK7V10DXLi98lU(9VTkbv{bb4x`3+$GZJdHP;tPOW zw@BbK;|VI>sA75{;!EdV1qvhpt@`4`mO+HGQ5lut}-2=gIB zRet@JYrf`hj5GS5UZQuq3wCFYTKUky&Y(gxHUhMe`1|Ym+q;a}QA7U~PA=omXE!DG zH;l=Vp~rvi4*B~p!7Kqb|fn;6nak+9+M6*RGgs zInO|AsSs|!NN4|@kp{0D8}5(r_4eMA`M>r>*@mIxQ2zv5|KgMXcwJ#lR%4GW(WUbE zo#~ZOFhy}Q1JT&OU*@k@ANKWcQ-=k)oll5&j4x1N9O8(_QG!57I4}6Oc?6(X{=fD< z2cFm;XO?pbNeL)(`_6CZDiVgKC4~As*ZLQN8KBi%7%+4El}C5tG2yY;QknThN~6JG z;sMj)?_w^=lzcd1#m4A>~Qb@*B*LQj+ znM%c9kEclynwgir%pL!L8p4X$j6ZYb|Kz8gkg_5Ib~|;4S+oN% z(QrgAriOKO520MIt7#la3a^USQ*svfbuBINuCHPT`?ChsU1`UwONBW#{=8uZjM39bRMBKXH2MzY-oE&kouqsC86EXHMxpCLQWlg+iLf zZPI!)Uu%2b?&~YBIUC{6lB-evw3+`wh}iSzFL=B87938~OMWuBz+zh^Ul9Y7kw@HY zRk4MKnq6;@yQ5B_ZS8@bLZa0aNcDgl4aPUs*C(NWbeWalt%^)Lw4x+33aT;3sK9aPEwm0R zsG~ps?%lZmZnI+q{9$O}H67)ImzH^eIhLrkaxUuYwmH@!gNLn35+RFXuOQJ3NebaI zaj9IE&983!&dU9EamCVzlzVx*HdXiqZB<(Ufs=I zbXHo)x-aHjM=J|uoQYycwWmo?+VjxI=6mPeh%pUCx20~vHLnDSvX>>8S1sR&W<6{* zUyj%d)Zd$<7IZp%j?pZLA7a+9W6QU94*S|JI=jbBv&oq2eSyVR(kPiyDpOIZS?db> zt{8bZV0qr`--d^#{b#b|_n&Zl7`gN0=u_@~Tr6n(jPnFI7eDrzOD)BhjM(dXV)@wY z2biX5s@3!6OKp1(KfIBTZ=K{LNv$|j2jJw`22_?Vr4gSmdpG@}7jGD=JJm;T(cwFv zZI;$8!4GpP!Rcg-?i!ZlLIsM zGpZBM51#4CMti<{lQ%Q=F1p;!L2}6NClimWl|jghuXQAQ+Zo+E56+)q6HkTvJ0C$i zn)pnNgLVB8IO((S1!?1xrKUy2x7_yc(dQ4Bi2zMX?G|wzcIbz5}(|?fa-+B2TY|ehhzIa?{JEd?az=_F+q{*2VUqS zUWi`gK;Qj-`qIJ$%lqZNNHr4f9#Vwju-((DIeKkK`K(&Mnp&n@-HDb-eu^?NK@CsFKisRw5pwDXx_tjRI~gMxvn0juX7__x{9f>t z814UPu5FPflSrCJhl&sfJFOfPN#siJXRaB#Dp}t@)oI6A@jP`LoD0~0c0e;>{LCF- z!0&xr{AFh@)2-Z1seCq>c6!F{ZR|-2(;`2AXi`3pje|4^7Td!23&7_Os$j?|=zYK| z+1nch^zwR)J|gd~ZQR?)$HsT@-1sJf@3So`o~98j_N>7DrJlcsFVF1Z_eReMerHD? zM#>nJ4DW6>H0dcec~?_VQ<=`pD5vS zr-6m%eboC=sUl_Vj_1b;-Qz~@TU|HCTC1>I#_6?zRBL(>1yx2)GQU2C7c#)Az$2k#f7x{de{BB`=4h= zV@h2WVay1hpfh(aB&?q%VGVOD*ydOpj?O$CE@5|k6b-+sXZ=g2`cIr;{C6tY{!P^C zUkCV+5}~G)>poQfPzMSf&wgs$7STZ$VDR8LZb{v08f}SLvb>-!(a)QDdinI5*e4vw zY{m#i@H&Nuc&G<*P&-1QOm<4{>=mwW)CV7@IRba{^s5huH;;UguOjFfmqq??BLCOcV{ zG6?$6O_P0ynaK)L8`#7kSdG8Y6WnxJ6>kz_y~w8OGrm=Z;zHbLgYe)M3UCnR`8cT1 zuom3Sqrh$BB3H5Vo)w?hAFV4k4Td`E*o2tX)yv=$j+T^oqBuF9w6?NFN;Ik^ZY_5S zPIsSiPETreei*nXryyk{@ox&bh~zI;W zeXule*33^omS&Aloi27swuskCyJMg=KGMlxdrTZh;A$Eu#Uzm);Njl7RbXQVAKgMJ zj=mv>>Mb#y?=g8#c;y7VKC{hNniuIws4Bk@*Oe7zx|uHB@GNM9@7fh}Nu9I92=A!32;ZioQQ1&9`)7wsgY-={J*y6=O$%CsPMsdl!- zEm~4SRefSO?);2TL(y4}O__Gsx|AzoYtaMLx@5Ej64pTIAr`i$kQf-lIPPX;wd2xd zukY%ic#&ny*xncAuZdKPr@x+Vj z0#=^uOR@6$Rkz0ZWnH}Xe&&44M~C0EVrP@9 zclA)>)n~)c_k7y*u>KQh+ey7bZ;)p&L-UB-W<(ZYxw$IjHfEY&;%R~9D0(>a=$OB( z)y+BIdZEe}j6*a@`tuc>mmCD&+p{J_JDZ5e>>L*kBPTCTPZwb|XJH4Gm9jPCEb`e; zopX|9vThTSi7J#<_QO}84G@$Q-m(4&9!mYv|LRton;^cnRf=1I zvA>2GoF`)Iy~q8;$J;hmt1G*3%`f!<^E=bGrIFa0XkiXxTg;%AI}nRxv4_)crPaI>p(}B8$++ ztQEKY<5|cx?(+#KqFD%>6V+i)RhygH*Bd9$tLif?rZs%i`QD6Uqsft|vk~IsSugQv z>F9i<7INZDU_dRKCH;PDki z6sGPWREtv1-3BDpx&1NGNKIT_+8VrOGHqszD zlq8Uda${pCG5S$_ewh69qlLQ{WbIxddX--*OuN?{tM-7oi2_F z2Ci3&^R`?QX#SMJMGQ+&Gh=_%Le3$)SbCucX#C9+J#GCkg9j;6N-rff^*g44jcE;G;k)rNR33Fz90E6r`OyGI!TY zEM&qKmAomcC=)E$2Yt;~@K#2IUov~!ktNMw&BST)q?AO3f37?@D(-5KAsikjfZNkz z4HbATeT+#hAvs7!Ad$_;t$?l-F+uTS2Jb)EaSDqS&AnS$6$L+03sz8Lz!Jr zA?*0t;sZnJvifR6$?EfaMZ!6v4Wu;9`P+NAhmrgb$e&2t;eM4A-Lg;~qGN}eaHxz6 zbNN_d35cp09|(`?uQg3|+<&g;)P;qF$LEi?4;#EXlbeo*qkl57w#p%Ur?z{3YzEVG z781)9@rJ9%9myfF2Vj{hwb6F_-z+4R9?;#Nwohd}aP?IQ#RWt`BfWxrZHW#UerI>@ zaB~e_zc#oeVrRoAe8TYH9g}@mKQ8lqgw?Fkp4;KALQ$Y@QoXc_UWEF@i{VDC@GZjW ze4;1XPlon9eVE>isj~H^MajXwC82iq6;G>hW&dP4G7aA$Kp2tI0hLfa=40;vQj=hO zuIHbikk4u=K`6ZTFgr~~skIW6tET1$icD);uvzH~)a=okZOXK^Z zLA=LCAcIYzc3$@FP`T zZ^|aj$lL&41LKtwx{sy`;cam#QgRc3npzi>1aHg_0PWJ4$-QbV;Rh8jL}c7xl0b%p z8j;|u14M;3;pD+y%zg@t(A#OZZ*=RXJ}tYaHa@+jKTa~~Lco2Yy6OJfw+IlC;|>mHpdKG?I5yMtuYSo_#v zKowmGY{bZL46i5mq>E?l`m6yRa^i`pC0aP7?U*?jMtQ@l{u2p1*fSb&ELxv}PI%$1OZZDpMTs z=>0SU5^IMCg55nUtV=j)qpo=Od9OauSnBoOzPE@l`vz0yfXXLGHQK2xL@cBV-k~7o zamFQa^&{z^o0VFY#p{;giWT9dISFei86iKa>cmFvwMbUxc}QjGhGP{NYZ^ z`@uVPnV$5jLMBC^nKis2KLVM{I4W_GzOzH#cOz0FlEs>kw8z{S)ar&ai86^wzk9E{ zukUP0er=87QcV-|Dm|eUq!&6?>5sM82#N76bbagcn5PE)^tv{BuBG?Iqi`kQvKW9i zvNUBq8gFGU<`Bqi=o6RQW;L|V7M}hDt6km@f0WXdr!paN=d=(ZVFMKb;VDDiKnWs8 zPLf#I$Pb7$_~kBdHi|Roqwdim zCOL|#w>1#{I5TIba|j;rRNz+M{*veG`fWlg%df$j%ud=`iy7=%6(IYP{Fgh?vNIJm zOWHLmY3p8=?`3YDYV_TRVffRdT=$cRjEbpgsB!`)@Uq7^jk(?=C%Nj zZLi0&WQop+j6331HkWv3+r#o$)z22jv_eqr7jQ1H-8MlXi^$4FcnX5suUR?qO3f=> z?1N|T?1}+ z?|GF&yIY=A9oKd8V7iZV>zbT_?0F%U@p8s=6hkEl%#?eG7)HAF`%iwof|HeI6AT{4 zNX8UwWx0rUh0?x|k12L9F2Y`-`Ozj>zmSsQ#YQ)Gk4$?K-zBI z*+K0mQ)RN$Po^uXTlqPJJ4ecuTLw!Qd(o6?1UGKQ;R9+jO?nySX7AnJDnj8VgoWVw zg%ouH8 zol_}S`2Ki$PF>EIoKJBkf}u}2Puf4-nf7Jw010$U?ibO?IrpL5TTa+@$_ApDwlA;q z@W-uz;I#w*mk7U$eqlh`+rJQ)sL(3Z5m+Dh_~6Xh;#+bf0o9yKtPsWKY7U+!F6c)n zx8yT}R`e*Cvz(N1lA%XPY0w2W<8@&T<;L^~@{ugM4gKlr0;FcGE89dEBn1V=4qapR znyI5Z8d$vHFcd7gEyzY#9o zsqU;5xlb!$XBzaV7g&Hz4!7O)YR1>dKP&kfDdQ=nS1snuD7e#pE@j`&!a+5S1t%_> zbi4Izyc1fA#zSZ~TCq+{y#C;G)58VsHV(@Xo=`J-HqH$fi>p;z4I@K%zRW>u&s@VL z+myFR1|FT|INKa{vC_LYu2S&iBp>M?<;SXdyT`KY3vo>7*fRC96a|S*MmWh z#;r-0c5ZD*Y}oCkmdfa=vi7i_ka8nv4ES@J#^@P;z9_>Hslg()Fyd)ngufM0!e2b~ zOyxNb5l7=iGmM(?QuGek=Bf+AgQ7<9z@sTArD%@>yWrG&s4r9RTE~dqL=AGO1FX zVuwcwqyBQrV4Qtzwd6ah_+#jY`1N$(YB=smXamgR>HghCZK6yBz5~S>^`-$;g-QW> zU`Y@KqF8m5S0tCk!X6Y?P#%K^#zWI=R1A*nUyWpp^r6XaFw`y`yiT87S7q;|50o&f z5?CoYsaI$h=y{;bKmwqVQUR7^%p}TjozeeMf*rRi<{O;dl0QGvmn|27RS;2VrPWFrDT4i(34cgQ03hx-3 zC)!H6__R-(o4wy$TS*q~)Zfrrt2)msLaGmZ7~z}r#6_s*a&TrZDjej^ajt{0ff!Dt z_*BbOSikK1!CmH!wGC)ZsfbBynIefh`=l?ul-7r~VWr2aPO9b%{U|M9yusD2Mai0V zI55)-^PwW~M#ed27wTGCBYA+>o})~o1wnIMG?K{re!d2=lD&wTT;FgYg?(=hBX~oC zuu<-eqa%Ym+KacfO8*0JH0cN3HQ1%n{MUt@C0~5!^bLaXF#+uCss`%18jF`Ic<<@~IZg>ZqIZw&b`N(P z^mGg50ZFavy=1{$eaOLSS<5){IJwoKC%T0RIlH_T=EgjnItD845PF=nRLB%-o+hHdwxV)Wxa3*xn5Fq_v`9Qxe)zQ7r|j1tFiDY8 zOM)Jy6oQZes0npzB?YF0s+CQAJx2DFJ6dBWqPB548T(L;r zo4Pq4JbC*|CoG?;_S~D_iVNJzWiT>FL%*7DAet z`x}jlRNe-uk(DWl6~H|1?OvOT!gu#}ts1r~Vte8X+h4Tje<5c|xgAnG=OZ3j()r0O z-M%|~8u5&C?72$L>t!dv*v;1ptXL5$6Je0r!71*=!S2S^!yZ`&g24=p-GCnoHeyF|@z{jp+;&F+% zeT>7Qnj~CTyo#J}TNAya*}uI1#mTVC<)Or5r{p@~?$qp=5hc}pe?r=3HsAZ~b^J)6 zRw4n{u|}~6AqNX$DHTo?VI1^Ot);p=Afv^7SW)S%XX$6W5#_G5lSBm?2!up4cqpFa zwN)5J$1ht{VbuZgV40r468m<28#+Mst@m|QfBntj{-}Ma5H!Xrpo+*Eg}a910Ln{) zaX9B+*`zG{JN*tL$44?vBj4Nfduq0rYFmoSF8uI5@D8zTYQ?Nk5ptdm9))Y-E3Rp9 zZ@8x*CgV`ZR99V^TN5(fyU=0IMtXJq_=v^ag7}FkTBDx?|FX)C`Y5w-rb%pF>W@L< zHkqHq8qQ!3HKs6Oc#_AXXdX++V*DS*k*UjR&VeZPv+d6Nnhl@RvSZlqYtARYsv$I4 z^rT+rd<{2E5;HkJq1t3oNv@yJT2rH*<_iqV9=zOobA~XW8D`r$u3}#*Wogx@SSt4> zfJo1pk_r93o@#Ygsn$`s+$<}iG)tF74lvYnkiQ|+>7!v^JvIPYDV2xn&;wq5)SMXA ze=L(;Oj7D3<2sje{NS5>TI+ZUb$hPVG5Q^)3Qr;JkJ79eJrJ1zJl|W%;2nsMN z)Cg(}KsVC+^=PLQ=vTdaylKEZpk{WMT5+Q*&28a$ZK0W2e zeXb0LEk>Ze5|B!$MG#z@sYP|}231r&w4301aDei0WnSBnS>UEzL+munC(ZxT{M?p< z5ZiEDJ~$y9u@ZEQuw|k${@+#o$M03E1pO6Qp@Hz#8{FPnTs(vAW%bDSdHdRzxpQy*C(whB~3rZZm=OC9uf935uk%Leu75bQD+OfSjR(zbV;Gqaz zxrz|KXd?abClm5O$r+p(q6o=H>WzXPb>*QvXuG?Lj`J&Kd>X^}h`yB|sLzX>>id2s zWs7!=CO}U`xmHf?*2gTyMtWCn{@{Yux|p~X7JWyKYUoc?`d=9M`~v5JbH-65mXjEV z+{p|L(sFmQ-o;Tfw-AMWaLK3FT2`{i=Q!f-Dh4x&-R@Q1^&L|cNJBE-S>nGdom!ND_FENfXDGjO`>Y_^iS1!ATU}f4QUFr7LCFJ!AI=O}gUO8;0HoG|bH!YC^xA*pq$j zoPOnd|Kg15V%}|)ds7p%g<5(H@)+$3DIgw?nVQGX4t8a8bHA;(Y~m}wXX};aa`FDK z1VT1J*F552)nS3DOPCTc$>Amm9f;c4P73W1UZy!mY#H91Xbc3#`6qp^hcF$}aQwWl zlTTWI;UnL*va?^@oy+K1`h_NQ%S%gGDg-$SIZ!KvJWR8o=U4c9v)G@A`93#zzP6^d zrC#u@w_n*+FJ=zwK9QXEh{`^sX^6?N0|cFKeXm_$WF7$%pKk<0D#icqhPELp{sY5|!Zz!n2G@-|FcV zg$%D9_VQBB2e2-7^{+>FLNnR&|wv{IG0N zi#5SsPxQ`MBI5S4K5k;A7d%R*+SB-Cvl~sV0`KmaBx_$by|C=k2|Y|lV`t$DdhxAHG!*4Q zAW2Po%&{)A!}q$_W1oWVo4lQ$6b;lKeg2#xw2{+nt(eB0evx_hCl^bh$d@RaDlHxjs7`i-{wQ%OeWFBOuHKurZN}wXv&y&d*6j^@-j^vH?3$3 zn{FK-4=SwG^UOHD*|@{cAoGzj0vin5-#Jx$jI`um5-0IH93cB=R2*{<3?b05+{l<^$dDj~b_7SLGa*?DKiCzlP%8>C8M$VF z{hTDHQr`SFVbRkff!}x^2iKVc!61m5{FBL1^bk3k{)Bdt6xf5|gC4Q@CQLxYv+I6cGJJ;^KfN@gA^7J8WyMsn=@g2%Dah!n<|54UJm1a!PWRysMa*xk4{ zP?i6?2kIn8!UdUN=NWmnn@6kp&Mj}wv%BJIfa2A3r`SP?#jPy0XvS&E-S1&$26e`D zRrZsTBmK(8mHmPP4Ly7J{y5jBE-c^q$;zX6=R23o`ZuySNg)o{pbL4ZT8Ai9iT%|t z8T_hyr^XCs7w%Qtee4y|G=B1AfeX76n?=LWvwq1nFTB9jrq|9(R2I5@kj`bhoDq9l z?2$9ATe(9-X{*#9X$fM-lA#tAlqm8ol0!Luz+u@eYrcCbA?*3i;*#s4q0I5=R#SbQ z*Xr-~8dQ#?Et)rrKIKTey9*HmdkJ1o9-18(3jU!8O5md5P@#M7iE)+ekdw0sx^Ky< zM`T`dXy4&G-N(C{hKYRHZ6a z1PLfr1f+M6CMD8D1SKR0(wo2o2nZ2r(xvy_R6u%{7C=D=B%&dZ;#oYqo_+7Q?|$F0 zpELFyXa7M4BUyFMHRqbY_W9oTiOte&v-m!gm#$|wKS&HIxWB?pmX_r^h&}G;HJbeC zrMhA^vG=B}x-CW|GRV#)*0SJy^7vGmtLueGI_ihwn8_Xlo5~rC^lDC37h>TM=Q35t zCu>m6hCvzpszq0j?kIzoauPnquZU6X@xhDOXTK&7t6rG` zQg8Kx@9NX87&p77lf|L)ZcQzXFN74n$VRw7mhQ zPa*26leqcmR_!I~fDyQ!2ZFVO*~5Vmh1Y;MtwbyGoL-3YP+4J!Z2m1`!R^T}iW%+? zM{Q%>;ScFiZEUuwsK^|^!heU4TSdg=f@kHZF`dy5Dju26?tZOp3lY%UvARcd-|VyC z{YOU+ODWWQVx!L535_mVLEJ&%f++87jE9Pit71Yx(6UX4l!%Ah+za^+G7p%l!NPja zE*e|BR^tAd@4!#~2)q*M0P`%OgB~-Q@MR1gU>Kd1^Xh40AxeBMJ><6D4nEMf#!%#I z3=2*_IgRG&M!M)Oo8_lL6?6!#yqf3zw>;I!ng4RSAdtEN;J9*G2yym*x-4b@4!tZ0N>QEDCQ^V3TWoZ;{fEBDQ+XoS-~o{bOe z9xcu;4%y=XtM()WEn=PNNmDXYsUi?C+L$Lfw3X-&=fsmYO=Si>rDH zt~Eph3k&T#2uxNjko&xoxX>;YU_Wj>cf8+gUDbaRo$99-=L4X++Slac4f<@QAPx@ zus=}&Uxt8)Y#7L@Xat#w$TC*m26DsR>dP{JR%U0}Rjqd;RwAAQwN7%W==2#8tQP-5 z)vKVbP_-dUjb1{!L(r21fmUm!>RGZUXis_z9VN~6 zPoS>!hEYfFT^&=U<2vOk(nv#%gIKFL5?tX!K!5H%T7+=Iv?g}F<)OjBtwD!vm0o-6 zXS>DAZ+{U^=90-&*kFCi^BFsfwjn4H<;LU?Z1_nOZJKitK8!M;SSK~4uoC@YFq`Qy zO8e1=fz>9u_%CgoxVxlGRR%<_C|;`943mp2(+9KyELS{d1JlPp+u074SQk{axY2Ya z!RJCD0;T9~?y79aYATpcmDh8nwtuz{bY@H8>6cbSsl63rHva79YE2_U!!lUzN}|l( zUbkQK%k)pQ7aLS9zY)Nt2xe7rm=eB!tpJPY1+gv!rRsR_2;L~j?z#P%jW^bJyovg3 zCDpy~_%rsvTPmLvB_}D`wNgKeHd%Ezy(p6X+S>E_jsEuE#Lm+5yEZ>QbK%J7;RX#L z0#9*;7Gl9*17*4@m>u2i z#=GI{@K%JIFb(_=LF+T@EWQQKy*M8<@zckN$CM{&VQFt~*r&yuMuDQ2sxqYP2V+-f z?N@aE>!8V7Gel>CF8GYQx#A1`5a4t@H=sVap`g!lFP@Yxras*aWYO|BV&CvFYTXO5 zLqQV2r`rTk*-11(`TZQ%4eFtV9rg0618B zp;W+L0l_bLWDV4EJ?1DypG%?72!7c%t$xXjCMNzJ1=|=efE5^AOM2cRiRd8NxF zTiuiTm_k;qH|7N8kAv=-E#kO`x~r6;q7)A`gAe0W?A8#cwm5Ueu(=h`ye-^me$?J~ zmoWP73(TK3C{xs^l!QW+B?y|>i7Z3vI-{k{XG91p zFT_+*E;4n;qN#>ABQ+glt*<^5y`KcfbfU)z!a<{bkI8J9!@hO}FM~bJNUlvQbc!zT znvrnswe|Z>YIn~IVU*r>dZ0l)*FUvlihy)5t?VwDIsBVX&`Sa<3HLYcZqKRCI;7tU z^-mtXO&lgQ5`)*kVDgA{e{pE18y~dC+8|jt9*d7MANP86>46~hZ9cPS=ur*BP;|pv zqbLb2j`kH?dwa`No#EV}QO9p1{sE|c7CniC>7|LK%%o;fxyxIV;M!@qr#^!@2)i2K zUc=y@7Wi`W{b{oi&Xw75mR|zGoYHI4WVGll#MA^YpgJ{qI^`km(nmUjyR*M2>;b(5 za*Clt;T`DH;99Y4jf7GT)Cm!I?tKgpdIW6ZvB;YMh=1g6R-GWA?RFXb|BN-5N_fg&M7IhrZm~v`u-`BH{jT*d-? z*ohagqY-uVs?(*=>m0?d9xR)NGQn|Hf(eSvW_H6}uF+H_7c9a6M;0B-0yBxz1hRtn z<65r0o4%K19)9IyR4p?p7VOQG)2;qK0+c@ znMpMeC!KnSh)xz5r4P1vE!$o{Fz*9@1#QM#kDW)G@oWse-gj4IAKYxsLEqqrGR^?7$fk`OSE^HzxtJ(cENo0y%C|U;RHePrX#CoGRl0NVpUr~ za;s2HS#7g)b@rot!cFohgrCSq(Cj8SkU#p(Lsc)fz0+6hQ|0e`sg{+~=9yd)tK~k% zmpu4lLS!a}%V+2!=@PR6vuVMZoTMQ`9vBdI35$d|U`7smlcHLgF3)GO0T`bp8I;ZNDfMaSw;Q zcgl1HK1~Q}m}@+5iGHW*Bl=e81$=Qyf64G=u}Sq&9I()gM_}$E7=v!E00J1DZe>2) zJ2UBJ&ZIUKP4{%pZnhy#PS*F_pRflyOwqQf--~Y#O&uNvx`1l@P|Rj@wY*^XJlDV*Ih3aiR76h@ zm@NR_uKxXbDy}K&!xIcIHtWNS`SU!_zZ7^rpD||R0-)^ZmA_HLe^ID6SG6s4(30xE z=-c!oYxl!0DpyIXAe_s}oina%VTOc;=?+bAD}tX+G81*O91+n;9mKx`i|lW#{#52@ zj|Bg8YG2=CaQ`0w!NpFpMfHsI$>n2oo3p!sBNNFAe06A z;;Kz}4Q>)8l3!lu)f+AUHb0AV@X%K4cJ8XhV%f~@~6Z(Rj^JzeGP02;Qsb~l&{&H#AOEzsi_w{`yT{E)J4^0~>X3sd_YlioKQ9+k=Ex4zcDmEKTE8pgw=5Z$_H6)_bcenu_VTE$Vo ze-mE-Z3x$Qq8+W5&%8(YMG;+uO&v|=+$e~`$zY>;ljclNblnKhM->OG;2@(y-rG+# z<(Hq7*y^2e)s?cAr%!%O`Ks~@)5c}5{2$Z$I?URl{)Qg&{B{_|UhA)69W*D!i7^!& zgXQk3=O-kj?=7c1u~2C6(-iZGuThvaRupHyp)QzpG)QKc#rUJNyO8srz?4AtHK3Rv zKRxYJso%LExrgw-s-N)1Mppv1ift8as%q*r={4RE&3*)vCnyuo12v5f3$?iC_%u`n zc-Nj6J2H@Rd}DS&a)V&Js4eyp*0kXvxL}DWH~SPc60(>T6(IHP_QlJ#L|eT6Dlkd3 z;=J%kY?3(!)U9mD>A?@d$}gAr`1x0P%oM2O;vyr`R41E!bk%!l9LM6nbVOIQ;`2KwDov`^0&2)8C$c@;G7i1});g@N|>|;g>K_t<^1wJKs?rtRF&)H{)gbdpf>J8l_t7_7&~>Z$cJ>*E$p6(&V8I zC42y8-+(-WWvS*%Sy(t4>;A&!Q}G3{Y=9kT(r`Yw^683F7esR>8CF?g#it_<=5OSULD# z;ZERUI(X*b!)EAgbhX0qyr)KC@R@pzsqdZwPz^v6LBi8qo}uhQ4B$rQ0es%{csKHC z?f>14O#I!AtO@ivXC_c3asP&P_gnwKbv|c}3CX)5MzC#glAaYs_-@imy~K7lBQY5y-MxhqFOL&u8w*oFbUEdgva9B zR9t*VBL?y8tm$uf$gRx6lmo}lWp7t18Q*%BaJ~-`gi=f&etkv+6>af&r6=TDX*w6r z^}Xn(zI67|n|Lo%O~9+eL?PbF7_kAH_`KiasB~l7`>8|3gJHiCf%dDk=T7%elt;AP zb7pV08w~oN-~df*U4d)^HE=q(?s*`xRvLZ27(O+wE|Gf*n^w+4mvBeNVb{3l=JrCW z7_r|%^-dJtB9!rZEWy0zc*vx-ajI^9y``=t!8OwTrOHFC^@lAoDcqK<>U7i=h4|K9 z9!TsDy?xLQ&dBq+cRpjczt?pJfvn4v7TQ|xT`#PLJG`tRGLYUtTo<=ja4ww<*rZUQ zv`v1d*<$yC>g7P0?UwMfW_piw;bt2-yLuLnIoaPgyH*dz^!f*neJu_AR02_ zADIy#iGW$r8O>o)(ic}?*;{^-H(*ijVIOzMc`Er!q_zii4$uBdf3MsxpM?5HeLL6< z!4wtIc2I*Gi(Wy#M4SZedK`f{F zuRL`lv7TrX+>t(^+qYo$EUE!50t%j&JVYY6@k=@&ML@Lt^B@CGfWCwnq5pkUw496z zy$Y7KUC}ubHEkhnrz%i3LU$V&=4bvkMtlJq@7cEC2@oHc3;-i4rSwK!aMGM%^)V~6 z4l_I$&^r)GIng`#%Sb-aJ6O>Ed*psg@}9gF0O^12u~v34hUixRE7Ttt$G|X+`dtO! z&+-R=4uN)E(!=)nR&ZW$g48$SkH2j2SD}Io%h^th@hBDGZOdFk>#eTz5%evr4?4O% zq@(f@0j=<%4j%!LHjrrgb6GT<`^KsFpxWD*wAcgW-a9)5$fzcA3(c{fa$t1bNW? zU8|K8lTXtXAdm9EC*laeeV3X!f6f3}rE?D0p-Y>5nyT<*0zH|pe(xDzzB)GgT{Ysb z^A&vIMlaCthx77hTu}E{+|S8T;#k#Re>Qc) zeFvIm>u-;1iPOc;NMMJhk-ODYsSfl*1V7J=Z%&xmF6kIf&TDHvKZ1VXV|JO6ltXVA zT&ond9qWWjFL)}9s|s)dQuL>`Xj&%f%F;S#_EF9Ux8%P)J9o7P1FKGvsVrw^8&D5u z_Ujq>Au!!`6ImaKmMuW^C=BecA-jV!rTBlUDI6nXbQa7@7q*AN#L~ zi)a{YKB4RBjNs?OKUr&s^zbuJ3QW|6$Sd5Uz7;B)qN^k^tSd3BcU1@wGAw%Jb|zm#9X{iQ>F2eD(8|+eVAeBKp0kjmAvgQkLdv(Oi$c^#2MN2K=r6)%TR;d6CRc zD;`FlsnSNgjnw#^pR8GK2%*a#W1hP0&DNYVnKDs%37q~9S2Y;_lODuBDVPA0$A0aF zg3!eTi3Mk}Dq>CX7sa65%LI41*ucffp}NV^HKr(l+PUV2fb-I**l_H@0o1e2kee+SaP-4REso%3Mw*L{*~zXM{n3tR^wA{};pc< zKjXhK=I{@1&3|ID`7f{G59pD9V>z9FMT`B>$M^$!>_Lz2{_(#2((y4}99Hn!=QsW|2VJk9`&4F1}?2*M>*mcWrEPBGX~e-O|wf z?Yz!_Cqix;!L6ax+3&BNw?c$!A5*+(JH{`nTIN0$h)-pvJYcGJ(tXy z=>fm~?$GY-S8P8D`7Z!wQ!f7sJw%!nkr0w7=E@#6F#PrS=dE=^^a}nmkf#1d{U|7$ z=%LjJ977fIL+4Lh=F;4LQ{nVQKH)9QjszG*CqDu1s*|Hgj0E6hUFa-fo%7o$fO3qUv-xR z2O&0l9Uf5{GMbmZM_6ZKsum%uZ*x28I=`m1}r}@*8M*n{ua=)SYYwINm%?e$xKaPm=~EK>MnLPull85R~B|!~^JNq>q5Tlw0r00+0Y~@{7U& zI7&t|Vjz{^Og;@Xn`!uWEC@fl7%wIx#xLS@yfGSM@Ouw}|J;L$gh29X;5JQx9i>1( zFTFI?FjcYr5HyeE;6sp42SK)8!0my@gU16X@jr)tB94iuo&&MEkn3^br$eVyT>5{0 ziyAP71B=%NWUrbJSpvp2Nwmw?QZx)$trS43`_vsaPFSVeo`D-Wit7kUc(LQ7virl6qlI345Z=x{A5OCwgy^=*0) zdx4QlsOd-XPh=685eD2nN@tHhM5$JBB)pk>)?)S0YN@v2+6&i$}(d2EEHFAffy_~HcG^EB=1`6^yx#MCaoDKxSc zx@zXBb~$l}$xHl|*r~y->$6!zJ^*cUxIP+|hmXMY8hM%A%=Pe^2n@4%=n{(dt8vv{ z1**tB>*92NQe5ta%G!0dOvp)Un^o6@-2U=$!Q)MRbVSP9`pu!UY+Y`G?xOKonEm-+ zToNV&0I>JL^e|}v&)LX+)Y0GVkx@}tkU|4jp5T{+@xfZNx4*qc`)_&Gc~!BI@>NxW zY;aJ#eksuk>($oSkOf`r=c{No%R)h8%;j~4UNlo=D5;30+NZAioH1Mn(`?yGHBT0f zZ_Mm^Rq3a7n`bSe&y?qyMg%QqznfdXF#RxXC~us-D6Ndz;!`Ih5N8dcLuK@@#B|cj zEs1>jNLY)<`P$hIzjta@EEBvOefjgLBRA!Ck85$i9ex*+sb51-Y=}>0nh0?28H#)zMG_Hm)2RE~4n~U6Dkf}b`Bi;qOLAbf4DoDyFS`ZX% zwk@uF>tLIx_-R#@`C@U1uj~19O}Ze*uS^@x;SOqNOoa5}<|+Z;ZTXcdQGld8;1iWA zhR;DIg&&K&nZ%cMkK5>%EW8xfjF3upiH@<-@JS1R2%c4*(Pwj>m;(U7k#D)oA8Khx zh|!jbP2+n)NK=1fTmL62?xr*h##A`8 z8z+F#%D@`lYM$N`;lK)fCV$hlYA6*RP)V2gEXBLA&i%fkb78WtletZppcHgqg>M7A z($NUF?2wx`lyG*Ve3Rvj)RJkvcfLzJ5n{Uffl8!P3ISabMXkg8c&20UN^3q5WXf?b zxepihD)i6`8@C%3w&_y&+RJ_WeK$(qTi^F8>>lEwAmz1V_ro8paC>xue0~N8spyv5 zj0C#f8;SWEwnBOk-9D|H6=i!;e83!(eH-K5USVUo^K?Vef2^c*X&ZK{ zLo!9DNl06=XjP@J^Q%4>mYX{Mdt6pqtm1U*yNr$r!Bmy#3%qlJCDpoRhzYI)#{rH^T zE1!9@Sp193>Z{Ed_F{q*9@-0l-x@5?23|kPbUJH&h?jA8@3cDIR*H0NK6V``1}?@Q zR{D?`x-qR?vP30-MTNd~vld7y+UMTE&026?5&DFCXIL%yeU-fBn(cPeDrSTNo{YEX z&*jFBMwP>CR+o$yt;Ykd5f`CDy5{b}caqZrgm_ui`2dWN`nitFScgcUD$^ccHgLV7 zAtvAB!x!6S``ho-&$@BDJ*4<>f#r!16M*74W~N>*W&8eZXNRd^(iH!1t;{JfxOp7A;uiiQt3s+q5O&y zGdp^iH$qM2F6i9YN9n~?V}o_%D1gU^zJ37j>!8DYjgkYTM?}LQ_2qRT z-dhXXjah}2Ncsbzi$Wmba_!-m+pjo86CY9%K$tRI82&Q04am0ZDaPhzqdX)ipwV6; zv_Ze+N% z=zRWJq>TLeSbiR4|(5H32F%@#+LnTvQ>C667)Oq&u zOg7YCmDo3sR4VdoB;_?9blPgG-F2F=9}xDSB0WY~o;r^51-N#~bJl0R3K3N9s}`K= zOX7M!$$yxvyhN3f}5EIpl0Km}*W6^8= za2@{4>uKq`k-$p{l{sd5FP*ppzcJ7ky9-_`fuDmt0?1!O`YqEPXYn?}efGP@=|-=3-Dm+(n(!*Tvk|FSMY)KmjCWaKBTEDYch8WWJ+H@`^N7S1 z+Ya*yOG=oeKHBqpiIU!Yq3EpqM0)MjP61DNi_gGmPm<+e!C12v6~(8e%ikKmFkUkj z54q`nk;%w8-qFm+S7wkZU4`J#v%ip!3&c-W46Ri~kZ(-Nlk9~&R0q!$N^!I8%V=NH z3b5a#q<9GZKDxT!6D*wo1}gd~f-b{s3WH4S9JuY4x5BMm2rPvqi=Kh^&oekVF%4b0 zPg*FezQCFgZ&3qXR>aah?~s8BwUXYE8MYVr^I7USGS)`9@g~MHmV+hsB{7m;8v6nn zsPiEbbY1JnH&*w%ACXaRkOp43I%CaBUo!1eoc}VO& z0RXPd+hdBqx0E1zJ|KHWO94yd>{L%j09Y=@{N&#^^)YUnQRrK4pnNm^|IsUCWnSmE^rfNDUKap$Z(hGqLr%P!mfI7P$>_>V8 z09fk*J54H5Wg*X@-4Eg1C1%K^Z7IH~e7I_{Z5XL46ht)u z=ZYJEb70vMi}Qxg4ohEbx^;G-_d=`7g9`!7VIXQMJ7a6DLDSh*js}%M9a1Kd@-=zv zI0Jn-&(6VPS#YKfARX)wbnMwD_a-+;yVXakju}@60vXhV)df?Li3sO*gB?w5BRZ~p z?uFC?701%g8kXMYQNe?@iR%KbNfF>WQ6N#n9keKGKdH*GQ?#>M^-M0$2O)9AroAYy z>_gM##Era{Nw3h~KVM|^-n8XBK+J2CwZMyd4ell$&pvr;~O1ZqHl@>Nf*{PM9OhfZaVTht9Uf5=jI%^w8Ak1XJuq@T z1+~{*CC?G5T4OV}^Ke8}+c#NUHwh=cKxQF-T%m!B5(UTM01_V{Y3S6Il;2C=@rivM zE6(s3q`;uwKpKy!DYV2UuG7}lSjcbQ-XH$iN2-OHpjPHaQQ!e)QT?P|hqJ1DnRQDx z200qz3!V)%S}BfP8-3j$?hc9tidg13N3BBG5#4G4nIUok+z*ag_!_0kyKS)$(w1(% z5Ru&4HnpkKGvucy55SgZ7R#hG?Z9NMI zCRn|NAsnGq2{60HS2dC+)UQZ<4;}XFx)=ekg@4>CAzXzCnBJu$3h>ZTJlzI_f954m z=?cI31}nrM0H7e4U;rOEt{4q-8wZN2412Es9Ehrv{~;~^JnYkri8`a=EHmV=`c&vg zys{2E$^oMrBDg+E6sr)mBm+t{Yi6V}6T{t=i@zx9Rp*+` zw^!-}E`5No{(Mcbce?_}Y6;WzTrfq}*yj`!?n;KRRF&+9>U4O1QR}^&(;EgdNONsx z)BZ-!ek4zjPzUfv2ZTV_ebOrtK!I)y7QhqKsCMi70OM7UH_^ciE{27TUysMczfY1+ zpLYg|ouk1toe#W36zICFKR-3E8;@_@=1IKe#`ha{J{W!Hn!HX{NG!OKiEe!sEsK%G zX*H6_>4yoZ&NJH6@LqR5XNw=pF}|-3ldo;KbzrOdq!-24r3b1wVOL4Hvj%v-HSj6< z_V&@}fFTCAY~$va3Tw{1$#v4at~#ranH;{FRl4B>VpOle#~pY(q4V#XCVlED*9@75 zrVVn6pC7m+kuqv-#3;(xUZgvy$ z6;hy@_wOq|I_I*RslP~hbl3FtW^cSR{JkJq)(2M){>eJl`NM7+wvNf@b)X|M1FtUK zu{Lo`c3&V|)CR(6-(U8P^EmEXhO8$(r@*55@x{yw-_6ploGYQGWp>bkzlQ)+)A}mX zb2(`eXMpbOl$EjV&igA1L-tru_ewlK4(pJ&Q+uF#J}A|)CVru(8vJhV7C;*vgFmr) zRhoJjbE<80Z8i?F`o^IyBVrXlx>^wkBos2M$d=XGy0^%qv+YOx-B|>oCGp-LYbalA z*Jtljn~6JIhY4cLJF$#79#VOm_*!)Cx=Hpx)^wkd=5R_Jq zde;OS4lGOi4Ce#8ESCAFz0@(wQI18Pcb~kia`h`-EI3Hx}DcFCFO%OO5eH5X)f)nKa~1KhBVn2 zY8rY?9*v-`*H_d7CWKV@c=~b9XN8m{j~0d)kz}KS{+!Ckw1SUiu0M^9D(w5w-pZeW z&0qgI06s(X0U&6Oq?cZGQ&`n(XZ~Uov%fh=I5*ixipfaglC02o@qDHY$EcyhOcmVh zx-=R>kRuvmG9nP3`i8pL;%7tzEXyn-`q7Z1vlO!AHo~88Slt*Rd9Nt_&?*WTg-@&^k{u?z{=QOWh|ey4-E?AxYbjmpWv$LR zn$Ij|R#Zt6?B?ZJ`c{tx)8wI#$n_9weU0g>Z?l>*d(=Edwv8LD6Uqc!;II>*cj^+U z2(kw}29qYU+lNt*Y0-(!D{vM-W^|7{2{{!0MX_DD^MlZf{Fb_HPXdLhMvaZ(1-Bl{ z8EJZYo-@*<_#^(FjP`d%*fZmoFkfx)R_g?})-jkmee9Z`KX0tjjOB(lckiHpc*%wM zx90gtH+X>?Q^o`l!NWfM2)5T7rcjnD9 zjbVbIijyYAL45kCA4YFABLYqpI&}rU zC8on?Is0y0jsFJ5?PL$y?OdS=m}o$7AShNIeXGwxBE zptBLt4-lpz;KDI5I1Bz6O_!eX%l&fc2SrdQS{2886sS;Jd0Qv*+WQM%UqI(Q<+3j8 zNqAS@T?@UidJMj$2IhxBNO8oAYlhJ+4*iC_L5uwkY(Ig-cZssNla1*oODP77?CQAMx%ovmeBqCeRf6xUg}Z>38>hBq#;J{vvRI? zSQ0<^6Ya|8%CcsOu4~e#m$nu7g=f6v%5t7=Kd8g+x#{HYZAY4O-C}il5vpVM0rwj8 zQsoJO8*kXxaeW3Z7{oY07RNhO;IkcPK#}t7b&XRlMvb4c7@X2H2tj8>CSO$#odu$4 z$a#m=(J)oe4w%|$!es`gjIwCTwhA%0-`qAW<^Aq{b4$~aU9nSXVC6)iY2_91tfqHet;pd1Va!5a2e@drh9UtMf(&kYYLFGyF&j4zNXmF!h&5Vl`(k&6D1o_lx!WRSRw6XRSVeJ z-WxK|Y4RD^Sxi;;lQtj4h`oL9?7fT-Fi1PG4xQsS^{dgi>&sQkMEZvHlE$&(1B+qISchG#-?{_m zH#jr)rd8hy2hY20cMO&9eSqqqP8zpr1pC%EZS|F zs)Qzg($wdOK=t1Hx`f?(zMJ+?QSe^;ck#m4pk!5H@?Zx$cBSt;IChyEi;RJTgBn)! zleC*VF+VrV(IL)fK5F}>^om_IIkdbqK&!scRE9agUB*Ab^saMcV>^4uB3N;JqBujj zyj%N}=IU(QQlDOlTy@41)-*9e_ib{_0gO(fBdC;Ra;2X!l!)+YV&@<2Nt!1GR~t4DvST4_kD8+9)43 zr2u@trm#zCLJ6DqqJ{{?%&nqIa2`@@9itByz*d2rB?|`iqM&$HwDgZ)26*7XGVxA@?T?&&)3r?k+t16uGBtb>3-sEWAx?q|51wA$P^l z;-dcbPa(JNW=d9gIeWOKYn@I8ia2Diu2N76<%WeyjN1+Zpx8A~v^}^H>+npz48rQ( z=-Q{)z*acY7AbmZ%_Y7jr@YVrM198Y#vk%__{$rI9Yco({h|<^B>;}=&!k@zML}iz z$9O7S6!2QxAteJCRbT}*sbWfbNcwLm!GM4LIY;`x=b)JR-7C@Y=%^`G@(#dfjDVhv zecF&v5EOO0bqwHF1n^xaD@39eQ1a>AZ~P*)wP>t#zR?SGZ~_J6VNT?M!)KC78t1O?LI*zS>Gat*gk#*Ov$Q*=S$3s^kKuUN6Ca@RaX!IV- zS6%k;%vN`zklKAXp)@$WXO;923hF^n!8z~(>jN2Z&T-X#=|1I>s(=}S{xI@EQ`5>9 z$i9#x$Ntr(xO?2IOs9X!l|*=E(}?&YnN->FjH~<4c00}!l_myK*G5!^@72lbKjcK8 zm8)^xnS)#qlFTqf;KjH08RL=0cm!Yj^l*g)cHZ9JYVr2)Lxdmo z2OcI|f~m#Aj!Eo<%>C-@_DPiYZz(*+aoqKJqEZI6oVk<=i^yqs1E|0Z zatq}`fdXl9n}i!61wiW12hcR7tg7m*5F}g($~Vrom_kg5B1b!#1~aAiH&XBKhD&=A1nPhcihp&@Kw7e8Z^2G+DE0Gb_~UCqh~*}1vMozN2b!*W2`six`|g%@J} zmd=#aqY6V*Vw_K)t9Y-Rp(?jfLTpR!^)PyQ3Q`Ng1$-=a3?@?}ewMixd9e%bsN1^r zAtF2I@tvzVhHImJUXlSwmYvga0iF}OtS>YLKE6!h&^=f7=ABqq*!AgsT40_51PWE; zoq>q$H{Tr|k)jB6C3^9Z@tf+KrdVXA4pF?!#5AJ1izp5_Vu8g^ahL>vH@!N+se!>| zP1JD=Nz|r!Y071s-i2$8$RIDfHk`WtuOF(PM3z~ z`u9Jro09k+icy+N&i>S#J$qn8~cB;F)I zEWH`;ODBI&4B!A)a~*2vl86?Nc%nKWW-wJH>`@6H3=DK-?rjumQ#jD(5+e4MmN*Z& zWf9z`n5`Q0Qmu=Ed_sZuoODixF;24~W}U=()it&5IU=)H%+_NRVLjLP~l{flgbK0jbPXrn>+58oU z`){VJG#Eh9CU@)I9&0Nve;ua7DU)6~VUgi&!Nqu)75y0%8YW*4kgLSZ_$^+kiNTIb zInKY8C!$+4?>i0pd8VQ)cH;=wVK&(Q#=a^rUWQMvZzl3o#s~iZsNi`gCM|U@Iq1bZ z6pE3nlw*_*x3gl(F6*XzIc#1>aKTT(F5nOI)$?FBn32Y4$qKGE=8Hka&t5vVm8`j> zQTa8Aht6@+ooZWL{R)U4UxQK4f@0z4gKjG8`#=R&Y)5aP`#ihK=(E;7Yo-b7suhHX z=~R`BXiR6P*2jNdo>le1&l4`es7bH)D(a;Hifo+8)b5xj^RDrT$D`^nom&zt@mq{% z*$*!Xy^uA7Gm$?aC?IZxqo2q~e)c%S>B_r!tjw*JK8oLS5gGFv2@#oQ zGdIqzuapXe+J;W)o5#zmsp)sJfHkoZC(+>im*;anPX3rVvLB2WGVFrHunv_FWv8T7!JajzdafNHiaAscsE37Zk$ZQ}J+=>PKL%5W zfb#M%+GE55{375AQX!R*WkT`|>#(QsV9jj7-KVGO%hFVs4_&i1UimJ%m_e4%4wD?2 z1Pk&|SxB^6q0Dd~c9gyo(>9{uT_QafFd$AWMmZ?7lV;1|XEIg0;W)PGv)KhM;EM&JMC zQ$l;E?sQ!R;&$!qBk}hEe2PYq%Gow$9vtqXVXh$FYMtk0`6W!{1!43TP(VWXKhDPX zD+Sxv&7T!oZCSIwy8bx3_!eJ%MMWKyiBwHd3GcOz}DN;q@jyLC5jP^_Z2fQJneElT@B2)REj zC0~@6l!Tcjvj)+S`b=_p$8tcn8 zN3A2?jRw9*MpjT|eG>lC{mdfrNatz5SunX46*)LS77gz`u8&DB&h5I~YE#_!eTsWY zztYK83e$T{g{9U6c#X>86?+;i99TQpq_Wq2_&lq(b5CRHcnVCG?Y*Oigk}$(Z7vFl zhhJTQwS@*JA0=aYO~>{-UH9il*EZft{zNbmgC`!;hsbC;3jdb6>~OtTWL0S{*li_? zuueXG88dUk*$xlEruHec^zVnYQN8_k7a#8~Gs=`VErMHJ14?L3K!AQ|vXHN;0sF7kuEfg*` ze1%r=93iU{qyl*Z9{?L|Y(Q(-(4StU2F3rXBQm1PzEDwsc)WVmt?js41d7|lz3UjGd(CpnA01m<4hzWlo zErO**znM|8GL_SCB%+al35A&AuZHv5xEFXc0yj*gjg$?j$!R$N;K?qY$O1t{jzD9P zDp&tN;XcK5A0`74i-Xglst+jqWM#B}f%NlcF-r%@HibhXM6t_jHA( ziZG35BzL-cA?|mXvehUqvRrAFqeLGAsYrSREh1A0XFsx@4zLHb@rd$eb+>?0cb@#^ zp}ZTD)G<}4bU6_JK~xIILVM#?Gw)vDL}-01V>hxcF$Y-OUc(5%rKf-HGm11jiZ6$x zaP2YgzEf)bt&AR>AIbTmCGv5qi)XX1_J~700<|Z%QJw(Sp_jN8KHO(*zD@JBe$mR1LTc&F6fPj~QKv8Yi~`kJ zhQ%f{mmMG)+}*N2*xaE+^bYT{=NvEp0UhO99zuyn2QUa_4c_H=U7+yR`ILJc4b5B$ zMQWn>Vw=$~ipvTZLsF_2Q0QPFzu8$^)z8Pdwt}W3=n#e49!H_1V^j>^?%0DTyf5S+ z>Kyezs*1Wdp9FJ>Jn_}pUI@|f1=&GdL@{Iy}!6|QvpA`lR z{Y(6o=n2X6O`JmiOTykg^%9`c;C7HK3cvu~H;k!R4Yo4^0y4zV7S3F2o_dfO1DsAKfp;m5U>l`p4w2 zF?=3LfA%3Yf)%i)Xf=EBeIA6q-Y<8lnQJb@7k7SCRl4Er`+A&e=L+8u=1*cdYD=1D zwsgRS*sTpKLY5u%1x*~@KYti5GVPl)`OwNFU)aHL6A2x5BQjwUouMBco63V&uWTv+CNe-Ym1Yi9wrk@y}!MXxASQ!E$!giK>> zC2Yi7M_)(tr#*>q=GxE^?#?A!z{g#+@QG+4I2T1|bXPHES)%Dp{g~>Fdcx5PciuYz z3@k@dyISQ`?r12#>;Akcu&Eh9_6xb%2Q0ONj}ff*Oj87Xe}ed=OcjrKN9i|Y`o2m# z*OaiIy6nCqv&>w++`mg4}xpDkI+xzf667ie&YYq_MPzp~{)oOj1l<*2f?h zH!hm?d7nPn?11VEJ+YcxO{mC7Q+o8mIUtSf2aSg`nr}S72Q2w_%<*h?MrM39Q}JdPHMZeAyX_u&ZssA`MF*UV5~04lH+YD0mRf?63NdZV z3Caq^FLhx%mAe=cAKEuJ9NTPZy4K|2IlJwy#dss6gxE?gt@Dq5LmLr9v{O}4d|fc6 z7b<)gDteHnCB4V$aXK|BXANx<%9S5sE&xn!qyD<63LP* zN>L^u7dc`wb8ckekU}Pl)AtlkJ=;HP77(`5?^C3ht(oNCWZ4iC+%8sizq_7nK^uXx zYQh#mwY9^QMpVq{No4!Fp%+af^FNw+pRe!hFdw z4(%Xfa_;Tf1+zDtd*wtcX%b(Mjc|AtZDDc<^^l}Y(8GZ@SQZO7Ln>_Wn%W|G5#*6K zq`Shl4qTSwRYe!ku$E|x1gFr*edd8>r=T<3=q?Bk#0wHzP}c}h1-kRuN!i4vdllxf z4OTtu^%$MkE2eQLlfBsXupDPT@Iy}H*$y#rplMz6JmF47bKe2uZmI4Wq&iNjW7)c{ zB|K&0JqU>DUx_cr%UEZX3Al7Ng@f*><;xIK))9+?(a^Wh4)jsj1z_g}pD?SM?>K$B zXmm%2L7j7cP*6i|P}bmUsKv{O^|+=t##TF0?f!{iVO9UQ3ymG%6g0;RJh8&7M6$xO zYW0bE=nJTh=MUH8Dm5?S7x};Ff2lpaf-R@>7o|4tq9e+xNm3X{Jzu1F3!a_S9HQyT z-6(xe!7OM!I%fcKf#)5aF+xR5DXI4&uZRp;mell;TJ{8xh0f|k9t*!pI!le!Jm~v= z)ePbH>Kp4+L(IrQ$WS^3zGfn1%4wgHO251E4ww?kMLY+_MOGmgryh52kaey0Q^WAA zPh;v-+xFYqN>lO8c;|9uMrLuDb8V_qcHkvwEQ*elQEc!c+z>yJjjK{)$z0KJu^kXv zds{S!(ccOCJ+^?b|M5H!_U8j( zf7joH{UFF^D{Qa_7P+sgDCcK~B`S6yXJbzIh5AH4Dz=139j! zDbOtR-TbI7Z$T04E(^b=h_{~Ly9YB-uV<&}5}4=#xWNlK!`EIQtZ7pjt~9P9Y}E!m zR>z?1LP9ttd~7=XlU_wr{nfbiXP;ra!`?1CS;p2KIB;QMfDd54>6mD?>|2o zBnCd7FU<)UFebdPYpo_E*s1FWo1(X zmi`J0@he9@rwLpuJVjTnc6bx)_{%%TI*ZF=%x! zM`%^-$beh6jrtku8;h4xlhr+qk$lvIx+-nx420M)=@IRCFljfc@bYP7lju9&o;2NW z^eUF=8XF=RVZ>bOB!!!g=<+UMIqlWt(3^z}GQj*9U4dkm28mu$Uxt_^T^yGajI5x~ zPE=*He*MDT!8lXjN3x9lVt4J0yJD(b)-f-9y3%`-^v6$?=G3M!7{2g%I%f7Oi}`h7 zi;};!arP(ZE>KDA3RDuGr__5*Y39L1z>TI!@h8Yk5n4h6=$qCBm-be}kMC&5 z#I}R=YF@_6Sy}v7Yrm8-R=s(r9>vY|c3sI&=;Lnp<~w59YT@Cf80my(X%@XRxghrb zQK>P)L=hlr6~*S{>j%hH$BAz9x7@U7dA2JhY_eOn`ZD5V4i>x6J$YRGwd7p%Q?-d* zfz=0H<_6q!M{J4sx|AcnLYHQqmq$1>dn}dp1X%r%TdI@UFg&nl*^!`9$b7p{nQn+{ zY^h%R-1SF1(LD5LuXEF7x~E^!crrHj^f!eG22RHrQrDV`LBy#wze#MO`rrXA?X}QPjKdsz-`St+s;MJ)>(2v!{SyK^l3ij z^eZnbmQLL2@d51${*`Z-fcTwHN!;baC$3c-iPAc(3Lx(FPv!i*Samt?8IQ@P6rQl& z`ER9?!Th`M*x%i;v>*#b6Y81hLn;Mvyth?*C~{ElRaeP0uB~U4o0=tZn=fw`=&+Qf zH+yGSyiO?r3b?XMpwm8?YS{cdrO%G8`cL#kPgL}X#@I3sMIEj>^-FX@%JG>E;1*mL z=h0^sU&(&ub-jUpw%L`}6@a5am6h~!!E7@fcH`G|mxtc4UwU0=WzJNeASmZ6h#;a; z9u$Y>o6lU!1ZcyJpRTslq&@dK*Nem;weD4uizu9sg>+Ct=&~n z$D^T%yntwFtfoC+d?5Y0nB6w}<&*l9!2&LLXTCBX-I;PM+=7~clAEPSw-P*Ff3+PI zGLHrP0&lq_sC-~p=aiI)BO{}XFP7idq9-D#DOEIX%EfWG8s#z}Zx4V#;+pFu$G)o* z6zXgnN(AC3#sv)?pSYGf#rC7n!d`tEG+OH@!?)qu)341&eU4Z>MlD61f{!5ZsemjF zSO0}>3|VeHA36>1;y&(AHh(^M10cLGi+;d(YweKQfV`&M+CLf}3j_0*rBAW0B^H@tmT*C+fFe7N8!#fh3+-|vg7`r6|^ zO~z?$bs$do;EOI)U|=FIO1@p^VG}Zk$;tZD>Bt8kC9B`M5xX$I9#~EC$BhA|L)sLB z7E;;L#s#dYnG(!TY;?VD>h%$DZ)03`aOx&KdpUi0HlH< zvz1W5M+4r^^r%%pO39Hnu(yuz_@UiSG_MQK_s^5cYZ?6hR?}}a0HZApA3)%1Xb_45 z3D8Pn;UFR?a+YvNE$zeC2aOxU`-tz9FFzUr0mHt1BC>>~bZYE8*TB{t{xQR+Ic}=C zH-h=QUr6S6zm$CIk>qYsuLYQjcuC$kGsb?krqq7oX7=%%=<=&Ryp=^C#8la?7Xz*( z4oU+1`}lyrTxZSyw9Zl*0cQ-p?s);YCdIXOe`f>HISjK+-`##WXd|0&gX zR}s^zF9+2#aAXMu8~yrUIFQ@YQSg@t|G(_tHByCZLdP86gr@l&fgAL%e+1z0NJnF9bCv_}fVGTJ#Ylqf9 z)s`eAzo;O+!hnx^j3Vm0I@1Qa+4W50u%d~Y#ZTmeB)M;i3Hxq>0cIvW;^zGHpnfw+ z4=?A0hrh=YH4@@fGzvI{cE)x>PCI`by5J;cbT_S~G1D}vlQLt+ilQg0(gyho_z+%T zY!)$?z#J#CWrZdsR5^U8GCRhuMa{0wK3yDVe#iuO^cx2#_2_MH`t`vXvi*1+WD1E> zt9dzZUNS$kMobd!YOUh#HJg1W;d1zzvH0z<$&cuI#cq-(5IPJJ;e^Z@oQqW3;G%S^ zX*Ga6DKL&&FMFQUzQ`#A6AtczPLqiQ>I-c~A1DJ#GUQ?V z1%<|GH@$#j)C+O!`>vw2RtPNAO>~a)qj+kMP)l<(>*F2~GQpP^Ldp%qA?YZ-B%!Lc z9P`c;MwpS_yI4DuqLIJ{N-mYe(N?j6L?dY>{nesP$eFbW4&eFqLdQ9(MbkO{Gu9becFzGnY@ADY&Q*{qkEqFNPvM3S(N2to zdl3S9?o&|0_>_cQ?|XiNJreeME;H%UK`IAai41wC5wuSCaMvfNGhOdA1|St?Ny@L8Zh zp_ON`k1`#CHjcFO~@KedF8 z5IOx&A1KrIY6`7OvNcV6@!fXP@-bF!tWlz|D`^NdA>EmO^e~9@is=537(xJdJ#gwM zpo7c!=3I%b^bQWXFpr@InHg&A%sMQ(GvkA~*L#Ab)s_dX^mvuV|8q_mV}Zl;+t%Gkn%Ua1Z2BK^nMekP=lBNMXlynuz`PVisY z0tN)ls~L*)F_V|Zh_;3ea)l^*q`xMW1hD}g3vMc0t0d6o}uwY$* zto1o0psNuZ9Jh;1cmo^$=C3?>a@#*pdWkdEeWm-+sk7RaQ4xl6yJ19Sk_-+xJwv<+ z5Jcw%XB}LDj3jMndu4RaM8Rnzc#qFyxo)`QD~oK*M~-L5l+FOACxX;Cxa{hD?R>lc zqdmv!cq|%I@R*1?GbUlOX;#-9&X*O;F5Dt?ZR5Pd7~?(tUdTCqar&p!LKF)Y{_*}~ z2NLi{q`2U`CjB+NUascM6JOT^lp0k|`6ll(f+oOvj{)zXla;RxvD8L@y{2YSRR zk^~N!oX?HF6}>1|A!nMx5z=TlSuJ>AB4$`WS`?HacGgHnDHU_=q|9bVs}N2-ieght zn-oMR0iNtzf+6=OaW^UovB5baAo!ies#o^CfJ@WF4d>4TL(x4U!|r((nMoP?CXglu%^J4@PA?tvjZw<` z+g>-C863~Tx?KCtW17OykikaMWd8Q5edziq$39SE_J z${(K`6%Ll+rrQVOrFyU>>%+Kr5D)X@#u$D-`<{h@W1l@0>K~{yZdQItrNjl^I-KGr zCgzi}pag$ZR*n{cvxU$v89mwz7a$1fKXe+ob=Y6lLeJ>rz_e(ZamZ(n#o@?yAUT3M z2Av)yz95}X;D`kC4ZK<;-F@RdccxY_YNiBV89aP_>H3a!8|eOI0hBSgpKGA=T4;d^ z2RgFs>EzcwfX#`&YKoYBM6x^Ms^0uPzJK%LbNZdvDaQb`!-SdALXr6iLIuv#WZ&4! zJpT!@EQQC!XPChOE@p=bFttD(UjZT-vNzBIY}!__afpQ?49$hc{S!2QVeco1$M($= z!S>5kZl)qDXr365k-2&Y&@KcbXUJAw7y$H?AUXj2gHam%V+;R^wm*p`mDk5)L#?t8 zRDSs;+)3d@v|oaJomn)ZZX*!{>n)NgdZ8Gyy@4zBoX+l=zSu|{3j^< z`#i-)ks?_Dm?r%B6BozgQ&d~8HDjM3-)-xVNg6A_KGmLQ`3d^%0uq2i-$yfl_z?Z4 z4@=gc(W;bpDpYQuRS}B-aW*RRCuk7a;ZOeR`pc>K6P*2*1|#00AQ{45hltna97XZZ zz%EQ;HJ@!=pICYat#vlJMV>fcq?;A@7?XeYxd`3*6s<~ZcV1;=e7^>GYXwr2jkE_S zu0IYmA21m#ND6oDUw&rv_WD6x%E;Am0o8qAeppI=I}ZP!&MBa9Bmd$Y9+Qz&RE6?R zL{3r?{0^eS6PO%1V2=MhfTQM#kcDC+n#-U5Hjl+>FVqH@F*8GRo_*lDSb{0sC4c#) zX4(LYH|lA@elW@Mj{|M~CQXq=dB-ft(099q#)%}!7*WU+>0dY77ELx6_!7Wo1GwS( z&>bm%7`1W{!RrUl2Ztt9kMAM}t#JM%nX|yuBBH^6nAxj{zr7=^HRV5q$P^TQ^5OK| z-XSH>ST7-#=NHYFfwwS%_234e?I|O$)Jw8f{(QQnho)tL58xZ~0T&+eUG&Eyh>>Gm zOYi~cAqf{NTuPk#8FP94I&JXVr`Mfk%D6<;tINUZpcVp}fZ*X=E84?bNR~!$A48cW00+qd9>C|MiZorDA z?$w_Ax{`iz-~me;4%I#4M=8xpv^!h4dVSV9qnaq)=>tLB#p0nD ze}-_4+)gf%@}(5hCtVkcyX(uIdimFV<8umMn+a1BASOn45ZZV?|2be0k-?V$7MF5( zy{i+u1<`Z75B0}1jihoBcg1sXp#!+~@V?lz3_9^gSC5G#v>|=}qIYr_+G%({ngM>{ zvptk@6<;aXMSIGMofEH}p1YWoZh6|zBj#GR_{Mx<`kg1Piw2-jppZQh%>rkF0Xk3} zh$C215SFH^+NXyy*%TMRm}yr2_-H3}Ywz5LZlKT+fR+9!Yxci_Wd4=sLVo^PlKPN( zk_W$PQecsRx=j^Unm#%UV^KrSfYOe8Bbr>JBMlirp<5Kup`W1Jz=LvB z1#|wdD1>8=5sXjJqqhI+TiSJi@s~Fa$<0rtEOzxtngXCOJm>uaE#tsF5(+}JpVk5L zM%*N?pP)NPs;27@GoTXqt7k@k=)B#FYnG8ZBEXLE>l(NbzxDk-FC#xU-PeCh!xJaq z0@3E5t14W0rEg!HG>9|+>2b^Px0RLt_q|d6l{eu(`rVM9f0E<=-;0|AVzvue;2+n2 zsVQ%&{sfgIV97KTkU)rXMtq15SN;ilH%ZG^^rqiB_%}Xp|LCRu|EV41cj4cE1k?Y| zwEVlK7V^)yY5r$g{(aN(PqKIz%^ zi<5!2Qd8p{xtYD$W(v~>4rzu4aBtw<0@&agFTgKSPB|0BIt9R0iWG4O-U>6b$gzy$ zAXI5rX?G*+V*_>?MHAyGV}g4WZah%ucaqYoOH)~_MzouoQ#m>MI>Ae(fDs`0SId%L zEvE#51S#oHEzvXJUqbo^Mc`jL`YCSO7$SZX{=~yF4VsI<&f~2)4qpAz*oR@PflZ_k zc5(H?;K^jHZ0p0_y=-(Q?n(BKK<{b<% z`XSwm8~`^0F|oyaI0s;ofH5U*kz~Qh_ASagSeQ%@ho8vT)lCBdp8XHR!QT&flf8cT zE>Hp5fE!W*cKm-`#+Sc1@R!yET2EWpW{jE+)PD`*-Csvye>X7r3wHvb700hu=YO@j z^PuI=z6IvL_Ym+?FnXKi7UsPNF?#!}@4vY-@cqHJ0akML*JvdFaWqPPjYb_X8s~qF z#@aY=`Sj>^AoA)|ncwgy$pZWDOUN%j32!3Ty2zaH;K=28CAn>n@4(m-euDH7znKxd z&hw?QhX2Wc0N(N7;S8qf!17lgeewcmtoQ$P3^w_zwESUX$8Qr1fP_=fUlUyWYh;GC zflOLd-cQi@AMS-w9D*d%3DxMrCwsbHIyE_-JH>mB`MdeI(LdZ37}0pj$0x*EY6+a{ zVHjD5!bc8{#bKO%U5~WVhE4C$B-1-?I^Tr04!#2^wCn@5}7{dZrBE61C zoI%KB2NcVr&Pu(LkRy6A%TXdRrs?POyQi+rP3s4b~I?g{v z0U(dFyUx1|AwRuj>$9Cd5+fieqt^JKI?C2LXzex~b! zT1n+B%fgV@yBnEv2b%*SxaK$;LA8Km?(dlRRXYHY!OEjm_`!vg6dEh(~;ueCAwv{(#-SFje3wa1fnMv$2SJp7*( z0e`?lkRraO=An-H5&(rVyH0i~-3jr--6NsxdAzzAu;cXniBoOscQAZfKr%aajsqGr@O}dDbz%Il6__c5?!b6M*Cy8ZYJ|4`k zX##uIUJ4VmZnWF0P8Dwq&Lq@;Ky<-(jjcuA@t**Nb@8mAG)Y}}^kQ)IH9}*jKbJ#@ zzd`f#mqCP7+Dcu*d&}ea_2tkh?l%Ix3*-KvaDS2k!Kz~~Uzrq$o7LzPRLc>l-c*os zU~CxMKAa7wczMspTHG0srXO2HW&?@U8D*j!zIlxU8GdD0fvJTd*fzB3h(}|VhQzhP zr-tnq?V$(0t5k@^oAFA8db86j8hvuTBi>Tc6UN2yIs(GNCbqU$51(8}HUK&OBQLPO zw?Rshz7h}^C>@GB0 zTM|A9W;~s|q1=g*EwFo^Ah31t?ON5u)Pkz>lEw*+KN-bKi4nWrqw!0u4Cvu6; zsV^)8q4D|Bx>~JDF}{eS_Lr2|qo13n3B5dVY2nsqdyn)DDeN`t>#r@Lx~x8O86w;( zUp9Lpt>`X0X26t;BCS}Hd_2oM#Wh)m+ijRt=yBcX`d9}3knlz6zcZ7AJb%RO- zYY2Ctb%Zsqy5DJRD(h`WyF*%a*NbNiWdi8v9AP}}erMu?4;=!$WZHQIxVx@5@d)r- zi+>zn_rbf`K;OV#^rf5iBRf&R@!*(`B+oTFH;XqF4Az%rhvk989VMz3o{G9UV>g-rClbWKqApHfdY$Rgno4y@D3n1Zpo0Z9)Cty)2u+h*4`J=8`kYd)s%2i>rY+&=Lf z5O5+4V(hgg0bsn{v~mkB={+ZcpFmcIpKl6!i(d!Cf*Z^X^!-9rYIHoGzdioWkXy8n z0rx(E#uBJ<7LK7YZVTJ3Z~I<%PE|WzK3g-p7NPsKQ58$FBMOrqENsQ+pCAnvhqQFr ziJTeE4B6Thnl-ugbz(91)+sbh^n8+$$>$QF>5bc zCM4>!(;QxL`U2J{k3Vh-8+RK#5FpqWD)s*<(7gKOoP4z}8xhfzv##Ywl^$@jV!9_RDFGB|#o z>C~GAY4(=qI44>+?WjL}h>Tmbz7vI=ros!Lo?2F-Ac!(Y&7!C-e)pddBbNHQNDd2KM&pswhcJTsj5{CLLiH6t zyxX0beD98ES7{Yn0159N6}T$Qk~nVh$qib z$6P}uFiZXbF_<=e->f3Uv{PHSwvH6Wt(;x=UdSd!dV-_D(69&9{79^*(q68)9Avcz zEphZ(&&DU{QVVv`(-_Pfmo>N`LHK>AWArDh*s)uZEg-W%@on+QlJFz7rz|55MT6M= zxw-VNF(QEHjQvfzM*ZwJ%*SDBvoGRRN$TAW{t zw+PW#vdthHe4m35@*gg2#l9uQwqeI#*A#hUN6bUZyN+Bn@ejY5b1oYzV{JIfD1J)z z$~j~cpoRBQo1IhuTh!RF>O`Fyp?EE{xcR!_`jvJSRJ$J+I`D?NKh~3emNX(0%aDoX z3-E$0maIoEKtWJaZkOQTV_=d_gkZXIZsr)wp^Jp>iIqn>bu}w&beGBF#nWd^#4eS)Oz~$~BqmrAw9X@=r~7IE7rhM4Dfta*nNs_JZeP35Ia+3p%!CKlY!|Hrcj zlo@JSGQ!V)`Z7@G324nd^W8~DtD$|M`&x);E85orstU$&h_v+0%V_}~J5gZ;7-@MT z!|@*sF28)~nC+{kVqC8@=4+*(CvyVP2@&>290_N}aXf}g+|7Z;-Yh{C+)`K4iEfa* zlXdq{>1HP@esJ2HSc~`Ha47W6X^g3BdC$6y**k*?@C>*3B-)hlDeBIfw6~YfLHA77 z;sJ#Q8td^YC~21_Nb98uxFsBeJRYKzmVE~Wx~kwoR~&N#6zMVwHUCPGMNggwZPL-0*e$M?Z(xG zX0D}udVBFjV%(eOGJ|^k;mTyzZ?<3{FMg8)OTRRU$u&7i3a%6i(|~=FJiMi-o0RWq zOV@bTMBtUFsK;!jgGr59d6ojCUV#2FG)`T(T zs=dLoCw1*jZG5bpWb+e9dzIKIG$q5zVHN2NUjI&*#DMEkIvz;j1|MxKzpWk156Pcc zD9f4i4Rw?>VdYc`isAoO$#I{E5j0LZ5ux)BrdW(C4idh&l2C! zK?%vyN!(H6)8&bJGI`V7=O`o&IyCyUUi7S)@UWk`>sB^dAcy!!LR64K6Bua;Tl(#i$UoC zv$ih~-2cRIof(szv<@`m>E?Cg%lo@>)2k^X zRrT9oU=zUl1E+Eaf)noF%6d7A{eVxgY8lz2bQ_XAGV^aM9KLGI{^dE-*EClF@>xm{ z=|@4GT_Ql8;lRp%y);?Bb#(2lZ_tH_jN^??33egYMKz#up}kc@p0o9_1FZF-S?e&s z6ej;1wKlNg5aU3>l7b^n6my$Xe=oU7xZCK`dCW9+PkV<%M~EL>+Um#?!xhIQ1uv3R zgPLsK{*8eg0Fcl~0%VtOisZuvWE+ZaNHy~2;+W?FE^KqMA8(J5jlbt@G3Kf~Uz& zWm~NhIG~)HZ{v)rBACQxJ)(Vtbl(58LR|~H)1|OHN1U_}o9ahr{dT>bj~lDEi$MLB zWrfS;R=bSRp^zwTWx&lPWr;%|grh?+!PVE5?p@5JLv&&0DSy?T?B&u>o~xJl%|G(e zpV;O3A+U_-;AV;JG!v*V(H;vwsXmZG$gNcIhNP1rED_NbX z%A@d$)MN^TY>VEoA=KOh?hn%a^T3L5e6^>$c*9e!)M&*yQxNfi{AxKaVzx08s%MV% za|=`0gfAV(zI21qQ7)0T2!pub9${a=d@v)+bkqxf^H@I)%K2?|@|Z*4U6%NfIYtJ} zq9e7{p_6IH>fQ-O8;NLL>1Ri9j|0;L!y{o8qz60uGhI7?gf+a83qt zCQxY2vsdv5r;NFT{qfY+LzT|^@fE=9>0S!N=Ycw|y9IAYOd1xQP^etzvlyX3i>3yd za_^~^*VhfcxmdgSmiwldyT=*X?pK!duSc}U+$`$tMPK;LNg4!|=9Kuvl@Bupm8Ll6 zmGf5Ugfo&kn_PUCdVhk-k+>8pD=XD>Sm+FL1T7D_p0dwQ2?a{!tNw7nYzRHBID)#5 z;L=*XnVcLiT`K*5%0c+AJnwgk*Z(S9`~BG84cpMt0J#xTC)K7%5ATL>Xeum0Q=>g&`u!TyZmG3^@_!J?t5{j$xQhPKX;87Gqu7jldr$hG}rRqFKft4IKw{d=-` z?C!tG=6L|JdE6I*e}ce;9Eg{#|46xdgcdCx&+)hVc@q#oKabZO(9hEY^z#ltd;cA~ z8BAmRL#gHrdeJeY&k(TR^U5Hi*OLqZO8Gi1XiKr5teH{^@0n>4YG_b?s3Q{j8{Eo6 zi0wjRO>rl{{ITl5?dYiW#OYmAj8`#?cU1Td3syDMBj*agVTACbGrhBQ z^y|5~xnUZiw>H1nUyF4360BikX=utB0y=6^%`}7i+A-6wjA&zd}pjLkX1U*dq1gV+Gs|vZ&(^(r5+j+5L1h<}g;Jl?Z z%ojvr-iv2qx&t_Cc}gP_H4$Vzip>N~-WS1uzLCPbMw6PLh%wg9og5FWn0z}@x2DMb z!QV&oX}UwnJ;q)O9wsG|US~8rZBpb^ZX1ICC1LMj7O-1#!Px=+OcgEuR#$)C7Z#Yp zcyU+NNO@M&9bTd3S%Gu6?&yH;jNLWkHqfswYmIhJRWf(`=DRJ7@Eyb=J0XmI5brI9 zaPUYGUbXsZPVpD@gSymjjkhtNbfWLMtCITB!XC#3_&>blP&~M}MepRRJ|`)j&{$*o zuzAk)?3YfuC+7#kESRTv`$M4JuAGGT8QsMT8#hLs>gt*@2Vgf>Ohz=G9i6^@*6uMuNRtEel213}2EC!U<6)^?l0&FdqqTV@{GC+a{XCKc@OJh~ot2$hVBP|#vo0CL z(yzl$vfo?0FP!C;`Q^mzmLgB^?1m0_@&VirK8F5rAJ{xgsDqFLSWN5SLKcNrh!{%P zo8B3W&*VcNtv5MSC0{tdR-AIeoHfo)ij0r896!iuB)r1ScMQfCG!(4ASH~#wd(-5d z=$7;Xs2K>xwMMSBv(H)=*=iC|-PjX{f*LNI@YP#NDa-SZJOGC)T(0LFtLP6~$A8Ft z?HK1{Q`sE{6x|(u?c%71fN5oPZ^76faHlw znaLs+lkx~iOup8*Cfm!9LpVitZ^6veJDPp0y^V)t=w+<^`eoWbaFwp*)Bx_89cZqd zf`^WSow1}zT#ASfoIZto<71y~YM-Fc4R+0%nzVT1)Y#kBcdd`^BgcOg-Z5(nQI6oB z;nh3d^W0N7W-jp|@KJxD%a=!lf!{v#gE&zhD}QD{*>C;5BS0(|LO7mz@>sCF?J9*Lm;OBm2NJ z`bKym;!Bb++36LVi}2=52VDFarKT!xA>hbc_tGShU~z!JEH099P+0#J%>$58HAssK zEd{Y??z+H96}BePOw*uDZ;ovGSVMbXMaId|7??mU#3f#Nhl05ghS_# zjz}Ur%?T#?6Tcjh{731LkWrfB1XJCIB;C`T*Z>*};cDz6xOak*yt;h~y< z?T-WNrf08z>P$D0L|rG$Q@DDF`lKgIrf6_TNn1R&x>(LUl;||mckY&FKvTYP)k>1O za`-1}8TUSqm6}==V*EPEoM1gwydfECh~<)5vP zCT7}XbxsKGpr@q~T}EWTpP;GfDuf1>d=uV{sP%AF!F#3b08hTtTJvDUsbqHH_2Qff zY4_+k`@Jr%%DWk9vwOw@&uTt9zGv=00NE-M@7L}qhSJJnyhPZ#1c%R%PKY1dUg|qJ2 zPmp^&)r*=BSD~np((rs35eS}G?+qCQoS(iR- z3It62I8|!(d_zNhVPZA2Py87^a7G}adF;jni*lx}<^(qZ(pV*g3Ji8{Lx>Ee+{RxP zvmTMJyoRc^|G|iZ)i_IgY{h-jc)E)@s@xR_sYO1bz{oBXk(4DsLYgB*442}5L~=@tRr`MRMUy1w*F8gVuy8AN%v5Ks$ye3N;KsD+ z(Ch(&x0l7}sS#@KN$<)n-2;#R2&QnUL1NVqB50VI#-h#QdwiXG^99&w>(=ebW1W+| zqoHp(N0`GKDBJIjxAUw5kM2O(YZzd%2UNv*mdwv$`~riKFed)uG|OfBjaSl@y8f;2 z>ByKdyJKefZ2Lyl}Efol=%5G?D*i9y^}wBPQMTg&=rX6D?=u~{3b$fc(;nonozo^!JB z^o8?K(-2;R)0?yhUW>txaHG4vMQ2SAnxn2R`+iBiZ=E%sjlWT6zzWfy9GATwn3CRV zj_)CwQLAYeNHeAl4*(>ePm}Gg{FdVSY4=gZEe4&U;4`wV9U&c}DQCLhGD!1BSReIW z-?vEok&k0T`4Rf2`2B*O5Zd*$LeBY&gU^~-wI`sScJDS`=a2%j0u&PYNq%zZX;L_}VABqWHvm zbUAMspzh#tOjUne*;>JoZl6r%M)dkF4FX#^H)7So?%S+{^<<`;C!d~7G~*2&{b)2_mf$Mf3KMRe;5C&A;r=j);C@40;>NbL(> z&TZk?&mlJM@2^oV@4a}dUGR^EkcF@QKMqWv;{8)JIS72l+9yd5a0(io2lg2+)bG1| zR&SvBfE+ZZ1V-;hu?Y0`?p9a-<2e0)A>;Tj8T_E%VTAvupGbyWq75}`^F}&u2>?VN z7H8U?-lTy?v$LOlNxux3le~Vv84m(t_Wzyy*4}|MJpe8Ijqp7JBLxS<_zful()@@B zP_Me>=2r_jenAWWh>#N!@iIb_{%?e!jVMaNzf}44{Q*^ebJ#rP`g_`c!*06#1VsWu zsPZHzz~{5gXCH2rpq4B@K$69-G`t}jJ!$!+>?G(v{hqivFx#K#F>J_-NPd;P_ z?SY&Lz#&plDgt#W^x+<(b>~$EkEw9>d-{dFn#pyLFG&~om-&3dU{EM%`$Nw+EhCjP zpY?~XB#7TS^RbQRB#^@NreE}@gO90$>uyyMB(w!ryT31{M_{e}CbOgkFO=gUa z6iDD(oNPx#qw9ma(kj7f=+-KLE*{^sy0CUdULhi zkeMR;ZcwDe-~%$A;$H3;Vop@1CTfd*kFsyoTIApgv9cVmeid($IWQnCIj@qyS$oqp z8}vg*K%AZ&Y5)q*K0?Tf0n9k8E)mcV{j;tP?Y7)&u5Gfp=irv=X)hmX?-6to>_ZtR z%t!faOTe)ZVU#dzl+72-9WE^BtWAMdRso26t{>}CrfoUs2wDg)G~6n*m?zaC zBHYNEV;c)&Oe#8=F4owPbUjWfRKrqdrP2G>0`#AC;jeY<|6R-1^Log%9?```Z38Ia zT^K$YZw4e2OT09$oPB&@a$5s$N@Iy7+fh8o+Ao3^m+{&OY8*3~I*#KXcQq6a)qgm* z9Bf#Qct3}(1{U`p8UP${{3|gO&oR9ViOaqy{&NJIQZsQl? z>j|$Gr8>~jh=#27_Z%2S=2aS(6JbdgfCJnZ)7~9}oqgQ8#43~enuv8yS644XPTZ$p zsbz>SyFlj4oScu?8D;-7Lf{M_1c%1@T*;bBZdM8xo60h41tlG`eR#@jUp$SQcsZ^^8KZ$Y2`UoM?q&*kXn`+@M~STo-arO`ndDO+0XZaujNwg-=BXkUy9WDW%2Hv7o zpvPOKibBfdRTFMBxY%~gk#szAzK14WNqN&S+`>P=bf0z4e8!0gqdrwpoc`rs*n)?| zwn{xHUJK@0Ys3adH{{+{<-X`AY8UCQxYA$GdLrgX$maR|yz0PnhD69E+t*Ae32Hj( z)GV-NoWv`3B9d})VT3hDE*C(Og7*gRnU(|?|BubVo1(HH`7aSl#)D6s0b-OM#auFR z{&=ef8A8I?kYN0*t0t?s>PJmat<|7Gc}k*O7`R&6oiz>tj-h%P3^= zT8I}hjF4Z3pAPN~oLWlx6y_ln*lGJr+vA#y#G@9&^P(^6SlJ6oB5r2U6^Yp@vhegG9=D<5g_lr{}`mq8Q;M3Ac0gO&d3TB$0Wj6Y$~t>YXV`^PH%| z(=a~X;CXhl)ORiE`rg%WZ1iNG<@V{%*H&7gIF60BOgLnMCJ=s@l_Quv+Q;g26%4~MZQGMk)*d(ZQ^VA24%Ei4$mND*DEi4>D!-JT$bU%VL@+X0 z^Ay=@70pRw{SM{P77PKq5SUsPTfU42DzX-xQVsL16@67^{*1@M^y{$kDSM@qSRg}} zh2W#uFaRX7+XY7h%kCkMkuVOZrpa+;B0N{7Hk#IV`%Y(JXT@Y?g55xMDmAy(YvX+B zv#}&g)tkw8B}<)nL)3d?yUDP7K&2nOQ$?u$g^H5ln~ zgCr#aHlsk8qjsVrU>m2!HWe-dd^q%#-^>D~*uSRxJ&FB)sZsuDp&kaUNh}T~k}mzN zHHkl*VD%d)ED!DZ?gnQ)5HgV5PuD5OJ80HJjRQ^Mf(C0Ch`f z5nd&qHr+$iT9so(9$LbPV;2atWI|ja zq|nwhE+vzxHH=#`jFzkEi&UtRS;ja#CoH2-*}S51znRo%r1~H*dR<~C|XiLS3y@aGOXca zH(hpbTOX0H{B~vS82U}t$8Qe};!PB)Br1-k>OlfJ^2V$zT&jFb0fL2FO~@JE)2bK; zZ$lHAQLky`f(W8M4#^HOOJ*Z+$S_`Z&x5`pRAIjlr{*k^D!c?vtBK}^bOw$7m`hJgIY`t$ zW=jk@7*)HZo4AY&_0DpPt07nx$4(&ewe>K#9f5u9_lwe*_ z_2FB_09JDjz-pcyT9DX_-(Y_qzd@xFI{Le-8Yv7#gIN~A0K#ORV=AHOs_22dV0+oC zsIzkWQeNs^jSw+1lDLEtO$m_(7=~{xo^uAm4y&9*d{JSfWFT*+VJwE)9#KD}O9mIV z5_pd9+)gp_l4!I!bM8~MRFeEgyMB>3(2QVY=DKDWJ%V`=%ca6YEU_Ar!_x2#n0B>( z8+E%7(0bymOYdaTn56nc&sTTf)Lr>ejd((4qP&Dn>HE77O9@CS6MO|pv|zh49uT>V zbRsdt|4_kR>`v(Jc@?#M)h?@=L}l38&1Y z`GY^LCoP;fy%czHsD7cAfqZgHS#+@P$^ez=nA|P($NYMhpH3X0*>@nw<4ZLyx9x|H zspRFV44?tQgSKuGlk-KQHxySq#4~GHvzsO+%u{?DRAou_!7py#A+s1o#ULJ4QX)Xo zAC|$H9^cgjtC-EpA<~=}ZE^F;7##zSvLMk)0`_5no@;bpMRLLOI+Fz}*x>kh|?MLFGe`tG5B7K}2VJXzy+AQ$e!|X5p+p;c6o2Ygf9>RN^l8p+uIQ7~2 ztA-;+qoVfBhjc-DU+;qnpD&%5vXXz=ILZz=lE@l-=8U(J?v_Rc{(IK;N{ij(fNDlZ z9yaS;ORTsivmuS$Xxw{VW^Oz7l0xL`roVa8{3ZSxV~nq1K`=w&s-$=RhEl>*RdY}5uG30h4%wPW0nIN=G3oe$ zftb8ZXS1Ob@Cg?id*4;TirV0-Ve$EEi7!rTH_kbV2~2e~N?|-F<&y()sV!J0B`FZ- z2;t0{*{)2{e6QY{ku<_@Ie}p+JMpPB_6^g_-MT8~O`qj$l7OYZ0Kqd1Ax73Fcw<}9 z;k;+6EXBqhcUh{U#fLn1l~@{xB`UvXhpTBfmVU=v4Lw?R_FfD<^{^un*Fy$yMP&C8c^Q<6S+@#3 zq9gSzk%0g=Aiy3|#U?~r#_dee18Yh`lCPMx#JAs9*ijU|j5Sz3ynUpV{?LGBO@Yq5 zdKQntwk~J*2bY(No{$LH)I@X^4b3d;$n7}50bkOm-x}(+#^bC`URquj2X2E_jq05=@&i&& zK?vgM!pM4VIlkMi))Gjbrab4Z&ncjX9-U^Ox#dUW7XpXNXEALzHkzk5iX$N8?fwQ{ z1a>c>yG)4@gvb!Acvy(LM^VmzH4u?Egs**-CWDs=QDkLU zr2nZRqQ$6jZLjdaagq_?4|pJ zfS-^+6ouKKZ&dqL8(T?kSDvn;Q5Q))DVj^bI(R2&=fw}mU7cC8G3m3maI- zGWeVpW%*g%QTUOC2aj&v>uTw&yi=$;Y#(UpapyRlYGcVWe|NmvRyJR2%1cZstzbm>9Pimko)LtOhu| z<62O|$=-UsocT011pQ4tzs$wb!yflP38tEJ`njleaA!~8GD^jMxNXgXw}Rn9mp2L7^X`30a=4cpk)M!rPpwZ?k`z)pDqQWjVyibx zzF83TW3h+)FB1Bu%)+Rw#B?va5{rt<*V9uc98OKWp`j{fns{#t&^>X@5R+{a^0s9( zk}C4oA}Nx+1~*o2P(OnX(fcE_{EhI!iJmjudBSpVW?TloL$>-x*!+R9|$xYTcYx{ z>b3wO^@C?}<+lnv_CtA$>bmkk`%woPzGIyaC+ti_bG2S3Uwf5MrT`)-Vtya=r$R~y ztc$EcR90v>s)SK9cDvOlnd?MV4Wqr^3Aard^_!Q0-(!0!Ip{w6i1Q<-kPR-A^1k~8 zzD4fo`gPoAbJYzt_BF)yrLW_lS9Z2~yaldAoX({AT}?k-BlNu#dCZfNm+^i_=OwObT$WGAo z+VV8MXL=%-HJU)L%@%DxYbjQ3{`N!JtJn$4?icsZL*hCs4}Mo!aNTwY&TU>r$7H0Phw_=tCv4LXC8+p z>lGoJbOd&;!j8P+>0GJ@X$}2p_-EkS??Exqx`O!6;)w5Rzk#de3_6YVEaI0DAmyi7 z17!FJ?Ezcn0H{hNG2e$Qh{hXw?ral{egi>7#Qln7_A3gT?h^AV)GXBQ2Qak&>V?7{ z9wHe9&=6lMfd>wV`~tQ48`z=Q{PrJU-A?*F+=jjf&&E=j(8M#B{s4>!=3)s3IP=E= zuzwujLp>?96b$f+%JdVUBASs&{-=LKV|=Y-10ENJuKyi%lL9vHQw!+o5!e)KDCtRZ zW%8Y^v&)G4;FBD{tsvU?JH$u;k=*PAu8RNRs@Z(WA1B~v?!#cm+c5|K4T5v?Z=jr3 ze+K15go82vfnTSEO7l zv^-w1>SP#&ChBy>$V8BETPhfdU4r}k_PM-+ zRxQIFr8^+z@F&Z--E-HL~EdbS?5@yMmlve1JhOg0Xz&U)$lI>JSzJ4&nANl$iH7O*_HVN zWFE|2a%$OTm^=f>2he2<_rNfJLsm`0CxS;A0OIT4$d1ZpFT-=POEMg0iS zpkZzgI4yWT){@r9s*%C80nW?f|v+s8CEOZsrBDmS7F#c z&V&nrjePR?FEF2Jq`6<8P58sJDy1s8-TI5rS0b$dJr*1^Nq`=UlmLW?$bRDqP=!T4 zF5rv##@N({IFiQ>-ev{@_O}`Tf`X{OB=gIuTBic9yVHsm!HY|uh$Y-3!7ja`SBahC zQq9R+AYa)obDVa&Z{M{4k=X#CpUNR$sVR7)H!x`(x4*n*as49G`uWDL zb0UEgA54)mT>6s$bu*=rr;){UWfxQd2%Oqo_=ZW#rw;^)pOzQMZf}h5i|f z0Qx7M?@vS8_Y?A^{U>C^5%^j#L)Z<7fyT-I>3=jo{|%_CzskM;yYFkv*cWjc@)y3+ zPBIWh&qDFdY0R)y`aM8FQPNMyzF!~(Gk!tWxm2gmz`mN4>*oYo!^h=(rVI)SykS9_HUAiZpVN8tZjm_`Lcd5oN$ zMlP580*{ir+uH8Gpyj{k1paSY9NK>eL*&2dGygl4xc`p{_Zv|B|3aet6$1Z%Ot^m_ zEdP~-`d@WV?kv-b*Oq04S=X8y%R)N#2dWAvYifZOYJsrC9?UfLh!lZ@gFmhJA)O^( z!-oWAAhV0pa&_#JZGE%9t!2E}aWo&lV;^`l@w`!o9Xx>A3db9GVi>kchzm~mQA2!k z=mzB=rhD%CfaHom-H-ID;LE}-LM_5`Z>F!QPA0^NO(BWmB27|6Gi-$(aPCNByS_E> zkA%;Np3N{Qr9ajPxuc+I^K7^L+@{?2PY9VY2V^as!tVF(iQ3I-_@dU4oT`y=cE$yB zPxe;vLtclbWR>(2ySHe!H2(_@Pli9m@EiWb=l?A?&%fgm`p@qDJuGsuTWfD{ zBn!9V+NEA$SD_c+#ZzIw*}h}0iR2{8O#7@z5M(;gjGIu9=3*dEaJz6ugP;&uY~Ue& zpJxYjNPi-bSp7i}cB(VI^ZmyMks)~O@_D?CCvr-NSXhN-Q8H7}YcIfAzVzf6skxQ( zz5e+n#Nvu=2CY}I>u|1`R?Uza-GzuHyX6t28*Jnen{yWN!{mmyqNq1T=|n(BngO!q zCbbK`aYKpcCnWe_8Ys6|YU8K8KstVmvx5h#oIIte;(oj>7I#%Jcb{W@q$Nugvb#bEow8qqCn#ElwB7lg*Y-Mg6r#Sg*ChA6BIbjYb+Ca^ox zv0O?5{TF&q;gQrsd!#&f4XltE1sJdM&xl}k_V2wRd(O&`O@PVvg_6H8=6Cc|BJlFU zb_G=!{`T&`gxnhx{rfR9M&It1uX@A&G%47h7Gtv$09lA5KEpS({h`20-6LC+A#}uU z%NEc`4dk4VPwZ_v+gOh}x&ipTf`38f-apf=Se@DhEr(K=r0BqI`eoT!I4DUlN7bJY z*}t#x7m+Zl&`q0M*K1@ zJ<>VqmsUnFYDTjiY;)gxC`mJibXhs1Y{W;U3SZLN6H2`hJ&QLBmmNna21;TAW)y5x z7ZRA|Wvt%mb8X1&1mSvyown``Wm@UBr1E;wx+U$%V{$^~5_D^;?)5&qtgaqJnURZ~ zg2sRYfOf#LFTlX*bSX0St!jL<*=#=FptwGG*u9wBKdH8sAyLuzAs>%p(*IavC=B7f&e{=HZEzwrIjU=AgkOZ4BWdszK7 z@N|K=7*8%@f*ziH_lW_D{-Zlf;G*iwA;qndZY&StD~t{8g5_Am9tGL9A4~v<42)q+ zIjL&8M8ZR;wnmlIrN?s^GkPzix(E935ZBRS00ksRIzNB6G6$#60EoN_S+s?3eTX65KqOUb!Xzybc5A^uBd9#^v5 zMv{l_WbS!Dn~sJ4gmB~~Z{4D##FD>xg6;Fmt{w<@_<*@9Yi!f=FEF(AO-eFgXsKv? zp1%N?7tbE|>Cf0ZKFIlaq84D17XXvw$S#d6m4c8`!Oed`LRjC2IbcUJ_RcgCul9>L zhyzjkkypQ-@?Wl`loS;=??$dZV)(Osjs4Ti??jR$sGrBFj6}7+@$EdVWfVyo@OJ@x z=x_X8&oto(G+0aPze_PuRT5yt$PMlKzcb>20GkIQizPKfe->H) zl0w3JGAouE&JgrBnHAwfmPRjk0Ld2G1O(Nuq7CLzM-N6N0IYDW*0gfZ6&aFB*A)5) z*$i(_75%zNZ>6T&6DB)V6S>2j?g=|}Rr(_1cwB(kl4l5v7j4fFj66l_|+3LA# zJwxu3+*Oz<=$w5^p6q%nz=2dh!)iAc@1{oOfN$CTlNcd7AV(tqFhk{9hWv&(qrXJj znS-5{P_!8@TMA~3tlclVS*h({wn_Dm=Qp2Ir|fm@(=0tH&ONDuZb!m zwJYsc!SvghEMUz4NL2kbk@~r38BLM}FZvG^&sF}HGg?NcAg{e}r;H3nu6zg3#dN=`9wUI{T1&rc`P@&sO_VhLTwwUv5&Ngn!$pkJCVIZUMil z(dpdaYv@F0$4}3V7e$3wY&4wXUI`k2%Z&v`&RGbmzrc%{oNW8$`mq>rJ=4G_mn^0p z_3D7dvm@6M~DhOT1w$Xp+rh6|5$~GHmjI#Rc3_=G@D| zZhWvv&dl{o3jaZtMzRhOIaLyodT_7->f11E<#OSB`RM1&eP(xd>@VL7jeb9mZEj@z z_JJn9&eT)SAm7Z?=`;L&a;qoPBJ{W%G=%p;Ey*mrfpxJ;g}pwpj1wouf1q%NNr&O^ zb@qhnJde#?IS0k0vu^9iEyVK$Y$bH%OlGr}N3se_EiE<0%B6T6+8RO8{+cayWVRvc zbnOV};h2<&(*-jByb=FPKNBstsKjub{xN@OAC-f6d}%pVj96Y^K{V}j_~hs7 zS-w>lc<>NoBZuz3Bgw~JN0747fJL}fDWstQyM6cNOGUDZRGk1d#lj^{)(J1}Dyo|# zkzyDt``jx`wVswy{I5x$E?i$H8hE*+w?k<4pH<#LIUMjx2}4#@O2p z8i~UuPGIkt*_c;Yh`!I&E;y>3f3WZiqZI`t%{%u5Jp!F#gE>1MuO13A8rdomUiK17 z%>qdpDGJhhCZCl|6)F#bKe=4Qm$08b)Gns3&8uJQ?cwzSmA10KV^e+ z6-AVU7b0WmW~&6mL{o4;sr%`8ut9>hm|l!Xwd-*TL6#YP%wGn5ZH1t(d;KgwKgxUxhsbtFuz$qf4#)wwb|#^-5RD`@Pot+YcXTn z&z>iVX_|Pm;7yRjAA>A+vEa$vt}>jy$XBH%7#%}2QRLY*`wnjga5BJDntYqY47y6M z;67Nkz!^L}gdkL zbJcm_nw-upl}p5Qk~mqHl5js4aTcU~o+2DC#Hizu&cw@$=5iMUGzVr5HM0v?eNXoJ zeD32!4ynrNKd$u!@CdT2^E#)?{2ccSt+)=$R$=?kP-9t ziP#!gG$N@PNng*C4-$Jj6k4u+z3=>V$m{^GRoD%_9Rbq^LN6dJI)X!US}S?Dak`E& zYA3+IuUPTUSZcV?TOvN|ocXlN^I|Ijoh(|A>%bS?dHk50UX9#6(Kv%^9sO9w4XMKb zhaFfes3LuwIEJ;x&NGi*>S*y#h?Kcmh^jyXx74btxOC3y5X%25=(m11hqSPUriw9*!}h5_b@xu?FcC7bJ#^G;{}Yp2Lwt9f_=V^+{DBv{Dg1k5nm{;}iVcDN@ajeB`})6&sLV6F^-P%e~Z zG{cl<^s?N_l>tsI)MdgogKHe$&L{GGsIIf4kL6BHLx=++^fmb41Kz_smn#o-P z!8L+$9i)mz+Opg9yW?uK4P7_|M5RBMMhQT!$vo4O*($|5J#FAY3_;80qLt_~F!L80 zN=n8Sk`rz;C(X_dPtq_Fepa1^7!il?LsKAW$PoQFMTTg3#T{nZySem= zbkB|^WYx><5%o4YS8Y1EbsTC4uYql?D?&|T4&8_)vKN+&^i4~( z_dEsph`}ApHY6Q4H{8;zaiv9-lY|pbJCrH)x`MGh9osLoPNvB?B;vfK`0QHJ8^9t?Lv+^)NAp=3UHgXODyY1C*wT(=^nlIi-44FF;>E1u8I*f$Zo}bu-V=Qd zFn{L(S*dVl-*VG_kNeZP&eEPEZ>7aY85J%{tvwc8F(HA18v3nXN>T%xZxWIYoCV1@ zc7>Rl7(Zw7XwDPWCY|VtyNAYn%=lt(4epe<3~2-gi)wY9l^(*dA3gW%s@ct`8GFBo z9lyzyv`D1Q3aoVk0#rbf@`S%?@0uJ}WF;Xa-0t}M?FZi;w{>>bn6L{T7K}X*cII{Y zaRH+;m}9*H0orISjdvynPe~wpZs12EbQ-WO(qACjs?rY0if4jq^gm~wxFm-|@KMTP z4n4y(#>Ug%&bDhmb`8g#%5BAwAN<1~F@VXG4@6(y7$pSy!TV_2Fyl7dy{Y3@m$Wsg{d*~lLz_-vItcz%hkqbl>G*VEQ*e62ULLr(E1o3EnS1*J7Sm=Cn3tKN4wN-uVrk2@~L?T6hYIuba$ zV8N!GL&4PJzVxl=3f>waO4p(_e>t9P5uP#&>Q<~S+b|vKaIZ1_{`ruLAf# zJ(z?>Ye9S%J|?nY++_(C5-HH(!1^}1OAuPSLv!vKyW~E~R|w=#qMTbYXYoA62Hz2( zq&)4(;6fG0r>3*!Wh|D8Z&h9A>FwgW?*N;L+5EhKK8fI6LP!nOAIMy)90Diq#C0y?;_=hQtz$`)}P1h zvL?MEI*kXb~HW*d}&_f5^)7xE|r6u7WGo++O-aT=`u7vcACE9O!p`51*JSu1sYtuwx25}@XprT906&p{*KOTK zh~ootQY(Fuzln_t@1$ylTra(Jy}kRAX7rU}x~s;f+3~fKiKgQ(H`GiX6iAq0YB&Zj zxz?E^Tvv7yxRG{<%p?f7Kt&bhQ`)ZUBZ>xoO2sfhY<+GrjhtGwBJmS)*NK{viZ-Y} zPt8+F+_-_9>ga`@3!@5tFdy#KV95*n@5s_Jn@wAR|AdHSki?KEFW zuI(s8M=bZ+0LZDC+rmPnG~Gj~f&m7bOap{ymKu;i> zG&iH+mnd;cHu>{reG5aS`dLp?F{U9V$B_G8UpUdi_w3F?ZnJpudBA`XL>b_2VyHid z`=E=vi;B=?$lv|#BeRqbCZIr_d-`&f39goOml-J8-cm{Pm z`H{%VqxB^$8?1EZRm+7p^@KO{<5ynrYrxsa_0 z=vJwx2qEGJksuG-ud)~21$3zWsBe5#E~Z-X@|}eVWo*%5J<^P$oQhWDsA5LZJSRe8fus}(L_u>yL6tVgaDg{HzS|ax;GRN zjN0T?xT@;J-v{Jh)j6k{#Hd~qw>9JB`r6(px8$S#3Ey(~Ald~U3@RNCBYLdQ6aDhd z7vqMBF)sDWa&Ho;3BC*5*^`!ehP`=?6Vp5#;ltHi$iN1A{M-sN$t%`tktp!dIBxiz3y$yUb+rCXS ztB$yZNoHoaf2n}6&gGU4#BL1jMgTtXmn7iHAJzxh8DAwt`&pAteJL2D94Dkj z`=7zjHE&bp2<SXAKmu@-qCCt!Py@MhOU*P&SKib)D(9zCEsqG3OSOObLi&FYaI(YL1=e|5vPs` zsh~y#6EQ9u?v`wL=xxybIPvwWBhR`-#SJg=vKWMm1RgH&1n<@g0OCdQV-r%u*b;N1 zkLKeia$lAUnAmPzc{i8*pa~N}&&^E>kB0G*-6lOF(TC(D;Q?_onQJHjiO!$BsEBG9l4T7a&&>ytDGgD!Ak|H@L4Vh_qEACBMyEQ zyeoU*YBVi6)jqoOO!)9>R7lg3wa|2I6tZ-#U5e57Vlx`*Pm6<(47H~SXLs6aKk3pSNBz7TOBUF@pFoW57(C%B6A;g| zjel8WmSIGVB%p`SV5iABjL;D%=j{E3&fv#^58rEq&nvwI z{RHD_cC0w`c{Kcij65JRD2HUAwyVGfHn>_hmpMR3q-F0n* z(*vcWNsfvf!ZiS;5(6*mX+TBa?Xp!3iiP{HlHW0i)kzVMo=aWspH(Uk-WOH}>a?6`K?r9e=Q^prt)!fIQ zJlg0M+l1<;VCJr&YAR~kzUne5`OqY`e(XH*k>hOU**USM9&WQ)D47LHRmTEla|`B@ zwkzt|O+TTDQek}rFd_6vs%~&Lf8Y~`g@+BoPpWY1Qxb6W=I@0PaY6!h9hZeLYH=Me z3N=|0R7?o^@S!5~WHxYPD_!)=yV;gy1q!p{-85bfPMF<5F>&DN?9O7&YWL87%LBsa z7=f)(DjXxS(u;rhB_~0fae*q^mp)C>(tehI_#=-sAB!&c^zCb!!=p-};r@10Jz;RX zA#8-y!OK{0N#VMQH`yF7TQKDw1d?8KgiKZ{hJ~PiBc7B*n#JQzTk190T`oOYXSYF70ZKO&L^hrG{N&Z87bc=V(WEV0zVfBA zs9R=V)OYikC2m|PPPB0Yz;no)8%vx4g9-VUl1j6Yt;h746g(_=XlE zi{bk~)IJPlrQeda-~S>5&?SQ}M7K;>xO}q`O3ldDIn~AIB>0{Wa-}e$)pL}K_1JE0 zqGEBxy~ch49y7wHxi)1i;2YxSg4#oJBYs(G?xqSbGQ?%xy)ZaKuE8OAvECu>0+ZW*Vw=bX+rc+qq5AD=98)muof)Kf{%|^QR|7Kq?h(~R*m}nGEddp z`^V;Zjs;*6FAV1A*h$%=Y6wzodn|^r-iYMv&qyp!cY(R$bDm1b`J!}tRQ8iDj$3wd zt93qPH5>a(x7r)nqsY=u{4pi6asV#|gl`yt!(tf8P%S64#}f95dEsD3$0mfH&aMvJ z(DHUy%G8ue66Ahe7Z}BUl5+COdsL>QdS1qlx@J>orDq2^%K9WBwl$g`{shUObV|(X zQ^v^BzQt|JSE6-b^i4igfq{B~cdn^t zza?KDDiJT5?U&trDQVihsy&b$c=c)K69pl)l4DUZ$Na^B(BLNu5PYUX0W&%10y|i* zqNGzWZ!KIoAY7?nIvA*WtbXyvhyKztJL8%(65U>bZX2qu-nfdZ;SvmA5{Y1Q9grRv zST006tuZ*u)ILl0p`Jq3R7LGpm=5vU1soJBrz9cm0ipvfjxG%8+=F3meMYRpbwu7` zU6(7f?a)PiggI4?olIq9yJK>spn^8Zku-0cn7_+t_k*;BB=QghnxPfw6@lqkHkWu8 zYi?q&S2hplu2}BTT4vW2O5zwVS6?ezp`26>KF-ozG2%w}s38a46VnZGSc{Jlx z<%P;BBhX30n6Te8IYCt{S-sA(R5mMFx$)51$FEPz?G_HuB1{y{sFO>HP&_Rz`Kb}u zS}Tl%1l{+5E2{{*3<)dK>b=lsi8?#l`MFP*3NC{^2<85t)@6NEJ-h^$Al_CG~= zU2zPUqJa_!2_jqT54e@(NJm~rwkxMzznLMXi^HX*@Y$8G;hJrNGV)&i)EQ!lIJU5KGVOPSy7V;D^VWwN(T~%($@fSaW7NU4itoW`p>hEi^#ep& zQhCa&Ez!$M4{7O=%%>frUl+z7KRjk{d-;GyHu)gvaV+GFiCxjjCJuh8hdB|M^3%};OSa+ckbi(=eiCMkU)-9dZ-SqkE4rwk6v3Q^=zOrxT%#nz>pvSv018?q<>J9VY*WwoO!vyFtb;~jtFSE$jN{ba3Homcjzuw>T=Jv7*kHL~yID0S z2XFU_<9i8>(70hx;ilO6_!H=X6pp0#mhhZ>kbzH|dQb&>Qex9*Q`Wmy_&uJj%KwZk=I-^lps&Q9rnC{QHUuNF5HwI!QS{fWCZv}=gyaur@YJD(oN4&^uQYZxOkaZMe_4?YJTt&avZ>6AHlYBelL1o zMjhkjL+NsTE%+Wj7jg-7=#~xq82m{|M+O{#sPD&9&~8vBCkX{H_7VVsoBDf&EfO zX|9i#&U2{~VgKY$xn99x7c$!Yvem1-?&XWg)3k!|k7(dAy9#6pB+)eu6GT1Pv!z8A zOe1LSz(*0t5id%DFmf6@JHC*r>|62~jrl?4rF|7kbjGfriCPL?TjI!Db}&gq8#Oj< zbq8I)IVZPa3=4&-`?m`a<2Ri)Xb4r*BU+@>{!Ao|U~EKkTS`9%bYvG|xqVbo^hb!L zJs-aFTL^Sqv81-h$+E!NGk1Q5krn3DTO=ldKFST^L#h)_yj*yS-%2_9Zm+H^8mOKF9Dv*ru|$j~#UPDbolCp6D+Vgj{`TYVZwgca`9ptv zu9o32$XNRbGJ8dP(NhG{4ZRC&r~n0>u$Eapu~DllVL!&v-GZXp*CBim2;Iu{0onGxnD}irlLI7pwcap_<685{8@c3%^O1T-KChj(&x;(ruFGmYW*csRzT~I z!B#7Ek5EeKIC`U`{V=M_{ z#+*b|B$`S`*4s&-Cld${&GaiIbz+7`uF|yHrd3^9~UMAuVW= zhZWA`vbz#InBW;FG-GCd40>siYA@Li(*sZC)x+01a|f2MBlw0ofdkCmZ-H^D@3C zh^Mkgl{uHYcHP_3UKK1eJcX2$56Cxjc9e+vO1I<@iaSQvy8FnL%GqCpa^pBm@8u$` z&&=3Q7ghE;z_n;7vi^)ik=j(BqZ z->f#Gy?fk8S826WgLAjM6vA-VO`&B%43Ca19KDXuE(M^48Mj?-7Yo!xDcod@e&NJZ z4v*s%CY~o5lPxK)RQ4~T8OhxKE+ziw`#oj|3PIj}8x`(|LoeT!r|7&)5lK-rhOM!O zO16f4G8#s7r^GJ*$fOR)pO~MZA+Rk|2n?pZtL|LQ+ooRT^C`;)j&|Y)kM-&b(wGP3 zBtPQ{IscZSuSlz-;XvHS8HinZ?$)+Wc^MWkaGN||FAAs*yrGzB!i{5e~vZOBp=blt61D*9mbFFEtgU8UL zj>t5I%$?KhUuP*99D3|baF-k1cv=@lFt(=HT_v+_2#@p_FpNmcF zbQ~puc=aAI&!@-!I)&y7nhQ@ZORfq8eZJRg^x0u7AQ&NynIGh(r=XBdMV^f?+BqUm zwwvKn%Iy`w%Clbz8^wKg?v32|BK`L1R8{Bb%NM-4hc;tJbSFViRZOaWIF=Uyb7q~8 zC-7$BKA34%g&G@qu_k1@d}f;Ho)8hT73D5rIdAi^t9G%sA!FmUFdDoV2>{YlSK}RhT#?uJ;+~Dz-GUijDO*!}T;TEn!Dq zU7}QbsBl^LJXCn%P#US7^pJB=S6x>pqw?}Ps}rksXJmC+65nyR$leB4XKQ{Uy;G(J zNzAw0h!9ec-Qk}q&t|Gu0RFPS^cJjlOM@M>6*3m_7&~JDp^)Cyt8KaWs|YW`_xUq> z5t7>7VeOxCw2l|BG#Q<%4tx<+<}T!O<%ISfuOwUv8RX~(lYmGnDk00Hkp*D*_yCkj zFNhNYIo+}amDHochmjBG9;TX(k?VZs-c-;mpEPTP5-PB}8L%BMgP#yCAkp$=07eB1 zBmk8D_=9A-e_ZzXI5_P5>l8bjPwI z4d0K%W1!`sWZ4q(sTzP7&_a@;GD@v*BR`%2611cW;JQjlb^U~R`rrpmsD~fP+=dYZ z7GuAi%`DOAAX(p8 zqJG|eJ51_SlG^MwLi^bWeQ}wnqp4!^@Zd+1Ia56$Dktz;FLtnK=;*{@44F?yx66Aw2$UZ;`j1Rd`VK zeW>tnvlup1$alxE^Dz(Y9Z6{!x;TYOUr;as7GJ=v)AqL}`r@|s= zelt|te`lzEJb&JYhW+fBT|U%>!QR}@R)UC!#A_W}ox~r&P2X^i7@OIJH=9~}D&$rp z>!*Cn%G&Lo!&R?wxl)a@`!eo+%s(_%XZgT1wiOx#tAIA5F(PovJD@Y_G4-`$^kYwj z`|C_aMpl$27E26$uc=BgJsf}c;im&*`)^I=EHDiO7qRFIoHy#bhu7NL7(lzi!r=@` zGSg{MDoiM%!xWD|tNe)(XI&(3j-TJd`(-~NnLV->?KDDU9n?j+BuD6;z%K7C4U)C~ zUV;BvVh>(=aLAO9-2BGSZMdSY#&qH$$*n}JJL<}EF4wl`+3p~>bH}P70hU`ils9&i zY%0&f1Whtrg~tkJRxyD1TKR6i24&9HH8R^4J>fJl<`omtka}e(O~Z~&-|XJH+Ez#} z(gTiJn(Y2Cc?Q91L6-eL?7eqTl-rgz4uX z5k!(?0Rg3nl4;3EYBC}sk|ier_G~GV{aS1u=DUgF0i^t>c@=^r z*2M6L{xE>v|>gw#CQq z7RvVQyh+Ilu)KWEr=?$ZvK_Elj)b`7gvbNOw>Y=Xl0`J; ziokvnZA$pg)^y;p77jd);IM*zwor|U1LfY7Mxpg;x@F3lUS9C;UZkO#AKat;#DU0o zr5VAy3yRDuG-9EMp1T$-CJvS5h(NdjL7QkeO*&3c2*&DKdr9;`m^U7F6bB$YC!Tg$ zTUXqS4^~Z!xx$S;*jTUr9LcO5fhfUhEW1!6_b3Dju5FV_MnMw? z^PjGqyLKy#*F?Wrx&wALRIlR))PX-o>A3a-SV<@R680hVI7OHMTO!vDIBGAwk{dA8 zpLHs}$$*;kDPDwdMwnJ6r6KR4FiM3nV>wruPIQ;J64kAOnwr=rG(Q3L&v1N5t z$p%rn1HRrM{KZQ9Gr16WI9SI%4T4vY+J()e6%>PfpZBpDxGceLN%i}#&H02)-d*WU z%O5gNY=oIi* zBGxdWljZXuEpJWaR?3|;vto^a=O?V;1xfFELZH|N2g2iJ*b(=p$sP!EQFx2d{o6## zbfH|+#;$;oCU^%vV zxBQDI$CB~q6pH5G!o@R_e};wk9f<76cXlfcQI`TI{~B>r_|AODmD`OgK69qTTjGoyDONZ7ss;r7nVVcs;$a>nvHCr|5)H1^l# zH$IK6+g|-pUFYOco%zbhokNm4t;iN=&(U#}D!L}Y(qLQ&Rm5cWDROn)_EZ@jF|MZc z`by!Q`h%vnW^VTNR^P zD+s}S3S{3Zf&RHex5XQ$+r_`Iu~`hiB37kF`Q_P(}dWb1u&5y#~v>%ac~IqImZ8z zxp(5c@U3h5(&5se-=gjbTI~XZE)8+4e*}mYhJ_}AL*^CE7joqp&%ZV#+PsPgxr?Z(D(0PB>DwR^C4Zpm7P`uy)1vqSTwj!u zkz23p_QN?qfm{MNBJ#p7DJ3gL!&prRH8 z5!~xwjkQGqJK9B28Q=2$`066h!IM43789F-Y96+k_QZ7Q+7dZx%}3RU`2a|#tv`5U z0Kx4+YNNB(0p7;7qh4R%-v8O6e82q6NOc7BR}=12mn9@<3SE_4^scSyearDkO;BRu z@6Qt9F8$!~NF&uD&Q(+|QAxA6(8Z+HP1KCWq|VUen9|EQ#?2d_$2L5gEzQnfl{I-= z5_fs`Wt=mBMq`Sx9X<_6c7w60kuj{;mf3XB>&u5Qy)O>s<>z?W!syknpa&MhkUK$t zXAJ3JR}TsftcFbpqTdrpxAG%%0M|Y;4BqT$ER*@bB^y2rJ9F8$Bx*DN;XR0wD4o zm4IF7(GaN*o3wxGr7UY@I3AHR<1JRdqjvk^ih1p|^6T?w&-JwR<%MbpV<$I!Lc9Tq z;1NXwx7!zsI7M zPk_Xf*U9zs-qTCtcg^~J@4K1{Xx9WQ=rccgxv7RK{SMwgBxTV!gJ`ZrGyse>m-pB} zEDCQm)$|Pn+!s8E#^7bBc1UP^13uq~z(IaRyzU9D^~SGekSmt5kib=4$yvg%Bwu_2 zbW_-U4%J-qo_D?R7dodnhxO&dgsE@6eJiWotZ}xli!)!L5^C*)xI=^uF0)@KA5R@H zyyYbIzWj<7|DwOr&+&u}U)*Z@ykH~23hTeJyYRG4z|b{*x^w+%!=g<44GEAjQE?RHc=1{)8Drg=uo)RJ{Chg-Cc z{=GE%(pZ5CFRn$7ewJyCb4OrzkT>5e&L4c^m8k#;-J|GbTS6^m< zUe9Fkt`9qS{j%Ywj%fUnp0|>J*?nuToiRj<)hhyKiM10Mr804VN`Q0a1*GkaQ8OQ8 zXL$w6+$g#9z#?iFR~&QkG-$tf=esgM+kHmQpOWGM^;Z~W8N8iM^N^)Q>k-07k6j>0#R_%pkr zA}<5ooCm%hyAqmD#YjH!=FOXt@|@9!&3867Hcefg@|wEDpEr%L(58}l+)j1#MibQ+ zIL#u+K~=Lj4;Ld@rv$id7ER(k45VtWuRE#Z`^<-ya8UZz& zE?K@K)gnlQZv^cDik@14s$! zSetZghb?2k)}2Zb?g8#{-F*#FH_#p9hBY=lPQ|BGC!0#95kIx{yP~*UA8P+x= zTp9IJsvU{=Ix()o0prum?c!kyvvarS+7I`LYAYve%=N&Hu&XPR2`$EeyJt(FD^;(; zqQf7?$>H0@RPWI?+_&wQ$dJ3f)MVM--Y1;8zmJvf1_PhA6O;uFMuI+34zAOJgLQ55 zx;LzquWcfx<04wWa8L5E@tziSQQ0#2YH;@G^EQDy2e8FvWbZKYj@EBfW?KIeE)1^=gGst>v(5vMPP#C#z zz8xrbH7%8xT?c_q`~=RU;bchO&O7~E6A22d5A%-1in8mwiX}fV-gsMH%5NUTrha)` z@{h5@F(rq%>%C=lzYiTQ?<(>~41%GpBC{m)a ze4rc+5YjU-Yf8CdHVS=1!|p z)(D8C`Ldg?Hs_5Kf7SW@k3x{USh@{hfGPr@L&^ec;6zUt^3z`_DgUqjPxm(^y8rup z;ViSTAVIPm%6*{Q17(`K9wKUf{|V)ulpD5sjih$~R`W{-EVydW0xN4TzLkJcGzbWGHbSPid*>m9)RpbeLw)l+Nvp%8D=Pxh>$<7T_dX5EX64?x zXR#R1dX4OG4AoR&bYgLSg9MaB!wO$gx+%(#U$_F~TJL;Y0#2gqGXm%vG$5IUU2BEK zv2RB6GoF5ZY7l!i>79ii{TF5RvN;;lCe(!o9*E17K}bCs$eVaS<%ZPsZMq%>TJ361 zi@fu_ib`>VgKfEY;sVo)KV2%k zdFV)zJUN#q#RpN?pZwJ#$I(?<8pAc92^H{q8B*KwcZ>To0_YdVCmNqc!XiCj>oZ*7l->Z zYK@;zz#OfA9Wk=7CyrbzS>F}tLj6ctgQY{Lhi0I6q0`2ekuSvFVk?TFzeXmFZY3gU zCx1XAsdvCJx>}0~c^WV_l73K4RbGs=`H8<|YyPKY*U*E|X$-|!7jOAzbsm$+HCKcO zV)EoPViH+BQKQ0*vnRBTp$^>rUtg_C=q@QQBeDOw{TaEeI}S0GEa|Z{2S)rrVodK9 zFyhkJ<&r%f&urX{tj%v68f_jhW2H-(hubUIn5$nGncuJ&`w?szozeeqhCHq)GMx=X z<0*`GOCeT<1pmc_X=vyDZ5&-kMbPLCvrBc)c6w8KeLjwgblTOoPpv2&Xs{UaSIT|- zW)?S|FqlA)P|gTh`HYZ2OthV92&iL?4I*vctlq)7^9R?O=&-5_*18F@vA@jR*V*fZ zP{Y}XcS+9UAk-bFUg_{HoN{8yFGOR-d?fvv`KcLZw!U-hCSBoQQ;&<$mZh-}t68j? zs;k;|C^KF{eaRi8A1)KE{q4iUx1?{V8_uZ%p^#-v`~ovrlfJthis7q;FxUqOEY80Y zu6VuHROW8va;(r-z4lGNY-@qSezsn46q|i7lTaV8c|rw+8A6!m**u2);qVFbE4deA za64>%(1v(_e^H&A39}&l;fF_w_&dlQiy>CMmdcOlzxz7w%u9A$1Xh=+2*jMpG;cQ|F~kY zSpyYBx?muLl*5EX`Q?QKl0nW~fG5$jbE3xjvtzNri(lL4`n`lLXg30#nWW_c%*Y*oeluU&e;*8a?HP;OH6pAi*7M2ZDci+YyX0-yPT;ZQU1W7v($ z=A!#)4lBKM;*jFFmW$2*Dg`(E{yi@y@5o=y zwK_d37#-Knxw#u@_G&kVdm>}@M4om5~DJ^6{Q16EViYoxk@>WqW*Vx3ux z-KP9J6}!`dQZfC$%u)9(BKM!4V9+s-_niAQ*$?9f_2i>b%x$MVptbTFjc<%fJx>dC zw{gDp3+uCIKrM8g0%{l3(2JdKPbZx2e$mE7Zfaw&pF?)4<23AsA}Eqi*nA2J@zVyH z&sx~ij~dEl5G&pq9DfvpU0?jl6Hu1_{p{z@AC*&TG$y#tWn!%{?%Pw*_`vN|4Fs?7D3I%1rp@y?^7QQ9Cl5cRMQNfbVi5Ank_3z_d=n_eBv|C*^T`=N z&8;#(7d+E65~NC3aKc*=jz}TOr6BW;KK4MkQPH0fw441#V?!K>#LZp;(^J>;DQ#1qC|ha31k}eyR1(uIGhAo13!pZg|*qe zy!kplrNut*%r6eV%D+9daPiQl5%C;y*a1i-vHm(#H8dNAoZAZSQo7vRa)vU7sgWmh z4FRQ`KW@LvMlM0#_CAn4Ot9{tpg>cU^1Hrn&i+1VqJU=co=(8KZQ^`^QlG}*8|+?P zsN>lf0&nHr3H{@xcC}(R?i4go2NiT!5KYwe4L_<%&6|pt# z)05p0p4nIj39b6z=og86^$BU`X?J#%*?5{y(An;<_d*-2Hs+S9Wgg12L-^MfkI2?8 z9Pd1MHP{s&6L(_gu>^61amPz_X{cvtI=$xr76$@GLNWnX?M+;r4&N!v>@qv{_Gk9x z>a1v(br9A*kN2!uvp$T(vzrH%iAoVZU%9h2bd?;fCbTSVOydD#hr4^@z1iW{$1C9m zfo%PEL|aeJTuBLk@rWw~@U_!(%Md3~>Ui9tiP%U1rtwJx>?0W~* zyPT$mSNvHIjbV*yXa&MdP&ZIcQBdLiLUOi6x)o@xC)Oh=gHmVW9i zy0Hql3LzsN(-r!^^ITfsBXJYn5@iUZmV{`c(wbHe;>hHd@K0N;?u$42UiVj4n?`Pl zdTjODGW+gXKoWI75w!5%$uHG3`;2jPQ8OL{|wlmM5ToNG7Wa%9lslInQ6Li{vJSeHb zseXTrP;>J#tDym+83Kr*$pwH(^6#i5T%x;a@Vgk=-#y$iMbXP&<1vfb5zp17e~xVb z9wi`U`iavTp{&!{{B1}`9rRGN?5{W_Pg45Jwm+0mOF!6xd(7$l*ax7(pZ|}jltAz} zltYWz3kRIU-x2sg27uv0tT~g_A+r4)D*uE}P3Saw{$M;d2gk^8RSnY0x_e7tb7S!u+}Eu%&ANu9-Ou-2?Ly zG@CalQR}%07L#EFjW>sV9ur~|Q{%LTbNRO|S&^|02;-pIQP z*&Cr6K075;@iA4KT6B`C{WiSLK2=Y=cpe2?Z6L9Ld$AJtXcxFcf~;S%43@q1(P4ziRkZ<$IXF2sU{hP`JNsC12f_@D9NL3 z&6C%zPLX&Ca*c}MM&V<^1M|ysSVEH6r;xZ(=u#ra4J7xSp63A=B?|_q{OGrsn%rOc z|9i&&eyjhNR$@v#MHyQB0++)!ic)gwVZe01Qa(nGBy4;SIYaXe&?f}22~W6|v9BLH zk(s%41H>%JoGm?Lw_aop)-+$Bb;fj6UOb2`Tq>`vaiY4$7c zzpmi9=DD-(cXF8R$VzgYU)+?I+mt~@0EWM`Z+VFIv!^@nDa(Ti>BOAf_EbAQbnc}w zd0KDavYkH>?_f1s%etN0AOO0U47$u`<4D3S`6(hL+CKvHdIqjQYq4xA+==NCAl|!a ztzCvNgP!jc0*se`8MMfQNS&QLMM;-*jt96t(A8}21Vif6fKj$`V^0PDP~$oBe^2_~ z5AiQ&5ylC4ZNgEGXiewvzT*dsPg`Me!+!7jl%!(fB!uXd-xgt`P2R@H|ONvh6SrFHp{P=I)r)0 z;V#R;wQokw8`z-bR*}t|Cr$HTqJ_R(v3 z70%z3;)>x8oY~a20txhQtYiiN(KBeO-p&&~>3DRAtr~sk{9sjyNj{V`wl5 zLTb^XoZsGr5~NtsU>$|ji0o~fH8rEQEPLn4qqxkv2_Z-^Y-2%0M2`PH20UYK5D5Y@ zo}acYo0>h2DYVrN@o?*cf&A#O+yj#E;huzg5GOGqBUq7NyI>EgjhQS<-yv-?u;>|3 zzcCv_huK*wBwCTUI3^eODE3NwcWfU`BgPZf6*buYzWIDe8HF)+9UFXjVm~gA$}pZ2xh2E%1RlOd^pWvbukNa*o#GZr$)5yg=sKD1<@rKxJr5yvNwh3LSY1-%_4jU$4Z!- zc_wvEN?6?a;LA|-_1{|%@@EUG5dA5P;59A4iE^x z2uENZ{J+=F-3*k*MpS)fJ#mXthYx2A9aFp2v-=~m*9-yT-u0-i%ia_jIPWOQAzw$u z*l)2yyRb1r*Q{Q}<>QN_Pp5>xwN(Q3#cOaWa?V2rzwM_7?JdgpL|SVy_?c!T-;(Eg znwN&F>FHAM3YFjY^ooFM6ZPOMljq4+6n+>Up*_+jNpNER*>l1*yjxj;dBDY=|EAtn zINL>mhNJdjZ21%Mm$pWg^AnnDhsNk%+Z@w2f?Xt06Q-6x9{d6`35t{M@`_b|Fy*Si z&5Sj~$b7m8>EV2wi0kJQwEBe86Eo2c(tU04U$O3Tcnu?e>#^p<(tNS(P)0w*Ey}2{ zEDpNKhfDg6%4M6%BY91jb6ED~7#vwTebMFv51sOXnw-YUti+JyHecT<2VplQu1AL7 z@+v=$_QD#{(n|v}_u64KJYm}uMb87@TB~$r_QJGCw=)-}=NK!5BusrDN zLt@PaZ!*1tUM4u@=*;f($9+Wmof&e*HyXwhRz})VvCzjYr?D$t+``OQjr3!2d27X@ zVbgPu^5Vbj-F6vJWdEQqqkplo-6~xTj_OR13Vf2aX9~1F#h_U8u9+p)ugk2sB9>qZ zV-WIh)2Q08~1Wp5R&X4xi;eB8I&={u$CH37aqtuHW|i^$UnF zfGNa09m_WzDXuYG3kz)2V+B#&^iEe zqL|;I)EzUufVH3=`vYZ__87Q07$c*SbAZzd2Vf1@Is9zrg(H`5OdG6(+#@t&J` zQp#McTnZr%+`1QLP+0SYg91o;6tp*SeF2DqfyfpB6*|J?^poGA;vMKEmRFV`1j)rs zY~=4P&f4uwkmQNH(lSnhV7GgQb$<$Y@&86;`X>7dc`SINmlrSF6O!4PuLN;;5fYU9 zv!QcgCZW?&92bY_#KdL`k0Ce+2OAOfqe^dBTG!N&xv-NbhEjGCnrs?PdfS#8TH z_52EnU7&+g<1if!j&y|B*W$TO&>@b5v|yXieTjzW@Zoo@Q9sV{a*070$j`z0<#q=} zaq>`SH;zAP9B#V!PNaEw*PVggGl;q9mU-Jo%6XQk!iyKxKbNUKTB^Dhr2cV3S<+&7 z3z0#SDXrYQVa$7SBGvDe(?7t&zp_Zz-?%M97=ol+ey|Ug^%}v;Rn-o#5eIOV5la~k z&u!F_4L zxCo;Pr_W?kD5jy7^wk$=<34tuc}M%D7%HPr41!w>mqU6G^5o1Grvk!tNVeUUV?Ykw zw=@H*Fp*ICi*8JmiHns{W+_%WxP0--qyzh-hIuV6OM88=NFBy zyFcdK&Aup`*pg@<;42s|#Oln;Ucm9C3AP!rGzY_*A*XAMvAy{kX%V3#`3kM;UKnn= zqYp5_tG`h_3>q(1=*`*)c_wv(YlvWHZ_Ggen%OcY>ZKkNi4NuGexoXXX3YPN4KwZV zSz~v&xJ(a}#o#ojDtT@h%`c|Ln8>&c(q1lO(Vdv19t$U0d>&0);*REd<$tO7CuhQa z`zOy78)Pog*lDoilw()CneNOhVrP3-^(Qwfc9||-JAd22vv|V#Wq#g^_+<6eovXT9`sFX<%?qS&rPUZyi6sQ{QBrajC%S z^l5gVcdAzRzxqqE*q)hf>}X9GPL%BMT=ovd)Nenb$iX#Hi$ifF$uhVCA(q)lEl9aR zxXYKFrF-VRCLg_t-BBJXCb>o4guE7aT>jEf*McBHWeF3rD_%QE3X$!;q{c*B%@kQj z?|SU2r5;uc);91Gm+i5C4S#o6sMf2bK1O-;E7J+C*QsT+=8R*t66|le_-tRsIB~JC zTZ+8UzTTN9lAC8M{iZmoQhFJkaJP+%q=HlFuDCW~Fk{T@K6&Zco2!?TE$W}WyTNpy zfrduSDuFVvP$vMo)L_KK*|-OVIlYq}7XNdmodm=~bUro&Z1g?bF-6OJiEI#r&&K z%vbk<8)0>Pyv07J^N!T9aovoGOUp@%`C?%x^+4*}h4L@at`DTdxl|dWCcI7zJ4EOJ z1Ikr;o+QRB#bL>7Au&>OOYd=nrbicJDCNfU=vy+T>pg~g$GSj}qBpxVBQTla$i z+pm%O6?KigQqao2XVu3)=%d^C+nC7B0o4Td5DjU9%f9`@3pbCbN%~DwNIrtE?OgX; zrSDP?awg*m8k(k_lgr-}9C5#BpPOn^{g0v0|G9pR{)i%+aU%s&hA?=m7D-ZN*)Lnn zCFEi*3b#$v_>F4H5nHr#Sj43t)j3p}_L_@*th3Dzaz0@|KEje4BZyhdhjOa9Ex%C` zkbk25DAO_8Tk2{2#Ihs*4ReyScH_;tEBBERJ_qQ~_A=)14xzFg@x2~yXf+Rslc~E+ zln^1c)<#X3bYbc!z4WG`9uw}In$gEd`*@F|v;19m1heiBxdtGP>d23+omT;c1Dsr! z2%_g&f2FghtF^e_=Jh}D z$_(fp4u?iDv%Wn}y)Sk*NZ1pM2X7C>Vz?2|0D~1&PXbU_K?u&*?G}Y^-mVWjQvXKx zLYl+7Sm`gk&(j}KcNJeWPk3I7+1KpZBZ4ldtX_o?Nu8!AhdS z!s2-hgvD?}@yjC{wO&$+UuD0Q6>G+YKTC}>V88t1QO?OXqTO&ie=r&q1NrNLZ3^p` zKpw7|oqK+#cbzfgw9WYoby420yejJh6GX&~<$_$VzLXAV*lb>c)|1%C8EPRFFpo=C zPe@9>1zi=ewFiM#kGLoC_#B6BqJ2S9pixzQqR?|ckyfTYXmxr!j1Df3ArvjkgS0)R zz9%a+$zP0FW4wyucVx4k+(+hnWqjeaxO{#2^0pOi`GsCd(PlD`f_-J&iK&U~L{Ez@ z9f>}_&9^?m4GL6rrhN1g7D#WZGkulkmrNtPh`?T0E+OfT1Iw8g#0sNv6YAcbnMRed z?#dPNPmX5Ut35g^nX#0H3w4(hjXKe(tbLo#omjWC(Cf`a(f|deZHTHiB!vWf7^4T| z#IN-kUXqS1U}eLz@`LshZ69;@iM0g$c*gK$8RLYxW4wP71_)dmHWSESF}7u5HxuM1x^9fr@|-z{h(%*Sj;kA!=q*Rw#t9O|q zieQG$|COEricOdkRzFs93Yv%>_MTF)8u2rp%3r$Xo}M^Y*YM=mnXhbml`ei&(Khyy zs(P*`!{42ZAJ3oekdHtsPLb^LW&>h7GbbY}rPhtceL=1l}B~1Icf^% z52in>^^O!iGoc}5t5qD3*Jaq;II`&$_cdmDhc{y>B3W5iM3?%0Ijg$oYQhu^J{Q}t zsgKQkzYTjk>WnLwmThaz&Doir511_xnf4DuL^T`h zJ1~BExUol^d*0EiZvUJM#5?$s?0naRtma7Ay0=QF%!ZsLSK~$;nDA*8(v637~9SL*HLYI*S?Nz%UL_I;Hz1FX`xh*c8j&=Otv7UHa@El}la@$o9q!f%>) zDc8%>6qXyb`PDVvuu2-HhAIl9&iF>$1wpnMvpNEjco{JWQU>c0!;7%v>pYJxrA{Mu zn3P-D0?mbrUXLg3C{oHMsmL=p)Cv;t2EZ8Os2@5;gF$usOz>eWlFgl?`rUl zFJPcgOk0ckqY8DHwDHm&NY)Lbc$wp05(b1*7rjI4gN)`2J@Z@!Cr{V0ZP#Wyi{2MY zy$`RF60ENL@Dr8=%FGD2F0m5C{KLH9#>{CWo)npevD~NE`DEpVkz$WO>+`asYrdhCor+Jo95v#bq?gi$xUKY_F9^2K=N*9zK>IM{eDhpp}ysB?-ZInycT++nXWP~#> z9@WtVVxPgw$j(=)D}Yf>LM}0gOx%51=C%}de&HNX6#9j1TtCa1EE*>*2~aj%^8OXk z?Sv`fvP5i~6iEbph&WQnlHJhJfOx!$k=C`=hRkU_xl>8`x2;!iB3cwo3O8`k5Cfl68+uZbiutTJ-RkF z%QGtL;e#%vx`E#Bx;Fr}uEF#uW5`;S7zB@pFdM-f8><)I4dI}O*c*5k%s42@R+OKu zT-%m=MC!c|sd|NvI_rXF5l##LYK-KCl~@{I-ME4~S~PZ-q`qt?T~7iuN8~1YJ()UI^||ly z2|3$5dtYgNv$yiWkz~4~dArh6Xg{c83vMp~dJjE?yq>T^*W=)Mg^<2zaM7863spE3 z60_4g@5Z)2fv!?(f7T_g8MKr8U~O$)k(>{ASVB)nE^dXp2YdNrQOo#LQ5&N#3FkeI zD9UKx{&?-3SOc~3-cTWYj(CLvD!LxVf+8m8%oY_2`COG0$U30oA$5~Us zv-RWIroLAOJpLq4*0-N4JUr$X$AWrAVT zm~*xLMbUwaGCA=Ne)v3g949)#J#edC>Z(h7Pukdx?qw^0f|sfe;=`4vc-RVSXjTW` zB+_dRfB8iny$O>DFzB*HZblYS#-Uv2pR1$^pQ&lUPDbkUQP;*Qy%h-2n&XAVuf)73 zr@}oJ>fAul$F{R?UHqM}u=d1?8I=!oQGQ1z9&ig$2RNNOzF4gBG`GXsD;n=ETR%&V z?4Ua08xI1BrEyIb6%+X$KR+@+P*6JPmp!C=0x=n|yT*18LY9Vh^?#v1K*BLQ!I;`1 zazFCGJ&3IFhav|CBoF5PIlHkN5h z58cim-PKMOk271gCiT$wMG6GR{Q5!qMNYa`kw<*pJ8t=xK^Pro`2;RKt<-52V z*Wylm=s>zW!3<+XyN%pcQr8@GeDw6p#_ifn>z3!KvD#9}^g2|PdeWI_9IGKYSAz;M zSW@9Jy$XVqcf3On)Sse6-4C|1@A@%3d~&C)|I53$(=CI%JMU{tKisD``^-swa0Q3L zM-rT{B0_Rd!TBNaGPEAfJ=5})mn@|aj(dhl@;p-W=CaPWlZUaQ(EA8J$~cU!O=?Y8 z9E085oXgH#{LH^-5JtgQ;pn=+ z{9ogE8_1r0b!ok8wL1u&p0(kcKG;;>a7D~Xj_c!^X7UX63ZIfM3~Su&0L90R*I{Cz zoGt3*0Y7GzKDKi8Cgk0jv`m@3Q>`tLe)_{qVT7gXtMV`%OLb1c7%HN7JF?!t-8;HX z35)L9ruoreTmN=>fUUTT)6$o-w%#*P&SZX|VW7b+Ua^j^;Z^@m=zHVQpvtn>cY<8M zHB>nCI2Em7`+azPuDV}Y~ z)V@k}D={Z&9n9%881;!fKMtA(Zz1^g7x%fDIf)l*l!H&jsRHqXsQhm~&*t1~M-QPR zG@$&DjTKNNOcjfH@-TrNu8Fhzp&0P!r(?49uQ?H;i`fRT4JSZAk>Mm;UZVa-UcqBj zWT2!$yiF1z6s@cqM_{Mc+qiH#Mc%R#D3@hf@fCw)3a>>=!d+JZn8%UsTS7UB^mGtK zk`(zZM-Qf6;u%8NQ5hru1buV3{Ff@<`HRlV{-f;a?6VEYr(-1UvWX4W2v#1wzrb;q zBI}N--`nV?>otaapBJ4FYndzv*B`F!D(Wff#H-p`y5EzNNW9)Il`aK+^eD{VWr4zR z0=k%o66So#ja_(3FPx(@mBXq_h$MQE_^_;Te#VjYX-#|2>gMPm(}{pt*Er5&EOu|k zN9?jrIh{;ywEc;8wwOKRCnz2e<{oIThpl+CB0k`EEdgzKCVmKAGPf^ zSsy(B40)22;opTJ#{NdNHob!}llzToERzJ{Q(<1n{xs6xqfij6ym`0+fv05e+F0zS zA(zPH^MunJjHw<9FfNiAIQ}tZaDh%Oqzrx@*H(x;_BQXl`-8;K2InNx#4_%$ckBxx zQ@yXVY}lWi8HRWlm+F?U?pN}QsiKb>=)VF@B^N~*yOL|dojL(+GO6RNILs7c*PcglO8C>(y_6Bj$ z1|dQ+Y)u}}jS27y*XA&i9=zCDDzei@RrQN1dz^*i{kF@vwS{=;n(gyT6Dh9cc70+B zunxiRDW~FZ*jSuB9+`UcIQ>RI+3o5imJ@ZCwF6;cZ7KnD%RC7rPcSR6;xMQTIARx2 zXOYYue?BwvAO|diAse2H=$S5x8saE&$`ad03HP;% zq==mFLb5@E0#vtTg9V{KCR%(u7JNKEgB57Yx^2kie_UMtS6)5(lMDO*FMK$07(UEv zd$`~D(!U$>be@(_wG@mxO41pY-QDE>9){mzO5{VV=O5u$as2q??1twTSy2i@Dp6?7 zHfL<6lZU4?UPyM!Pr6@rEF9Hz`e>wJqzwIHI4nrkP&$tzd05eU4E*rVbj}ObVkb$b zCiow6+n%iVRH~`JLMwUiy-9B@_ovv}MCBEsvVl|Nj5hi%>tw%zzsc=CJ9D^{C@TID;Nb4Z)|2NsP1aX-8eqsf^$B z6&5^R`j>_Ke`;*_w2tZ!W^clJkTlvxa$2#=Q-zPK-ok1%C#rI^HF9;nHQ8Mtqw-D-}jz7Ttr^mywTBeKRZ7mL9+k+TpAo{~!o zkqC{^U3E+Q{YMGkZ0!x=^UiFUi6`!L9`PBvc3@)J-_QLrZ?ozflC6!Aq(EpW_#VX5 z&BEp<&3YU*^CJi@c^+Tp?e9^Z*hJ3M+hKDE)p;L;rV)O;%tE7&gGKH_nbxr(Wrh>7 zuWOnjeI+uEcJh8PdUqrJK^31F{SSJjyt)fzvHW*`!dT$E1Q*cNmtf6xJ~_i^fdB$* zDy5}CK_EEoQJQk#+?Sg@pGhC|hJ=n?9126#NVJ1U^1RnQWOz2eu#h)f2x@cY-qzMt zjO$Oea;A(zhK508BhSUv3%q-$mCjb&GfSzGn(SNP#@vKW*{xj1Kx5$!i;bIgGxhT7 zTUlxo>_(!38DiE#F3FmKa__A7l<t{`*# z(O|ILHxX6o7M$($8h(OcUPzJ(Uwon=SdVI-n0P&SzBzBtCr}{POZNVV>WRKn8L>2B z^e3$b+W?gy>@KBeo);&EI5SES(o*VaiIq7!H$Oi&-TT8ARWqd8yO>@2V_-90dh6yL z@$x!}*`0(~=ur(mxHtB>1}y=V7w4kc@b>AJs%v(zNsV2Y=*@|ds|1t2uOAmoM_SL1 zeehg`2~oxuY7)AjoQ?s~eG4ZZRxmk?l4^Y1e3kq2e&*Yl-|rJh8jq~vVi&ax)J?!F zzFGhrjBalZdqQ)!26c?kwF7gd{;KBYsu=%!)-B3A1vjg{#*`)pie(;{cS4xjgh){A zRU`{ZU};@ezKcy;3_6ADW&u?q37ezDlXwC;7esgfW68y_ z54*6u-DUhNNc$rOi|KxpeR{NfRe99-HpN-@?2QLc7JciUlUc4-O8&Gn|1zjcVaOu# zdR!XI93?P!tU_Pl-*~8enyzt!{z$&hiL7ok{cJVm$bm&hkf@iMS?LJ!1`Wdx9ps== z(<9@wK00sv+lBhYs??J8#gdKubQ+~WSqR!UxZU*5nZbM0^4vd^N zec9ZVxTnY|r4+A>_eNWeK>81^zOv2ugTjFGDw_G_@MywLbs%J$C(HZN^CXq-ck8KQ zuGVayV{#W^M+jC+>EXZ7)Bz%WL>0~9Q{4DR^LJAMO^@g~{8W86n=+uFG{qlX#;2%! zAk2o#!rvoE5HG(v)h0){tsZ2=@FiGMW7x-2Ox&TlJ=opZxu7(;{Mr|qXOsRQbQC$y zK*(JR9y&_8GF-8{$xWb^t$XjSsXOPYcJ9)yl^LJ$$#93N;>;Sa&*|cDn?)2sVs#@0 zyVvuGat^!qSTscE{S{gCjNI0?Q-hysYO+A|EzKKm%{pSTuW;=mqe#$vLQU5}dPIx% z-G(O1Dles1v&Z#pytYpCiLe)(;IodW*Ld1so9FTVf!7a7qgFdL%#u|nBoaoeCJK41 z!EZj#QyT|v$GZ*)31e^Kfg!LIN2w5*u9iu8Yj(|}AANJk@s;O;V8wP2DAkv!< zm8O6cX(~vpAR-2(NsZErfYQ~FAVs>NC@3u=y-O1XB=jmGU1|s@AT<#Tkre;QKIiPS z?>YN^W8Cqb@7(YI|2r5k7%N$8%{AY-o;l}Ro=1ll!D;9Q4Y!3DvLG(pRV;sFs7?1R zu6Oo^O&&WPA?<7_42g~P2_)Ox!9=z$J-a_r8hTC{36a6!;dL27| z#;O0p&~4yyRSoJ}{pJO-gQ5(Gb?38nLJQXn$=P5d<4zn($<*utNi}9A@6q}%t72) zSp>aL)Ex38Xofben0_KC8&*x^AVV&tNv=NFQ&ap*n`_%K^-KEQNe5Ht^cs9f@CC)3 z-dmhEp@0*nic0b5z158LU0rnf=mWK+J0k%HLbEb(#{lOc5C=J~t=)KX;C45~DY(xU zuO}IlW%`co;G56mdfWA5TkUzs9!TYi>zg>u=6==}oY&Wn3f`JaNzE9t(Kj3wi6*;4#+~UgvY}8y))1CVgAlrL zmHjjxEGr6sCLcwNhT@a3j+h-uBqzu_d3X)f!|^lxzobzsLx2f$UlWwKy3h|7p(8z{ zZJO7tYNhX&YkMJR&$Xhm0kwFog1coUCh5UV^UUVYQLVB_(Am0F(Ai-m(AgdG;1Y!G zCMcJ0p|4Vej_8oKd|tn*b+>!2MXNp2$DV@0>bpmdc^4GjjE#Tk%wWWJ8?KBnrp2M0 zp|On`@W>f$Lg8DYNVvyBLv>@r(3f|Qgj}A?uO?lTW;|>CTGnM>#!HSJWHbZOiv{@+ z$4nQOjhZDmhn1>L!bPkmEZs)45y`b?B#ni^y>Sh(pI#|QWtm*!PK4iEXfOb_2nnQj z?KtJLY}s<$FFo!|xq8~8Bfr4f^$1*bNu$~c4wSS zs~$NYU*H#6oqxjOO8N29zU+8LWoxSjAKm?|=iiz&b)6JmL<-S+FpQ1+zeyY#)Mmqn zgPmqrnNX-%UFO2vGU>bQjgmwgm}FlqXP`NQ#96k~EhQ#U4X@M|WYum73H`zPzJXwt zvvaNJv54JwC7ugvw{uMQGe|C+@7=K8UIknV^{wz~cuSDj9JubCvMrjtm3waVzOQkf z{1evQcPMSJBi;kN%AFyqq3sO*GYkZwFuG8nral=pYXw>DW4aJ#H9mR2vhV9f_QQzo z7hgQ}zdpx2SoSRSC@;;cd>^iOe4Qsd@f82*(Jx!Uq%*V(&*|B%MPnIf0fS4FiNa+M|79DY**W(W|=(x%~?s$EDd$UbdKY;y( z=$UNQO8M42O3--t`W(3S6BD$Q;AIG{RO-41`23)=Kwp47g17) z`oCS{+AhS#kpaZAuK|dSHDUyPXa5_<;pEQQ!JvlU8b-#^*+GVpj1^&n4&Kup|Az8PMXV$D zxT~Esa(|#2#EX0P5gRrCSMHz7g~_i3#5nTO5)HsOi!V}_{_ znA28C`t{2CB2amrkjrH~f>rN^B5L0wJEt%;(Dse-QaUrar*n=iO6|Di=!!x8lbPN% z|7}e^>*}kA1&PI~KO3C}%d(H^QiItgEGQCW@SM)vpP9}RaUGo)!`B0) zUTEq&63bcrO4c(t>9gnrkD*k3TF0?=>6-omC_V@3NwaS~23SjQd$y`($B$4PPCI_g z!A*_{$}U<6@Q3TU&~J-GVbWPVRku8oK#1n>Fv_VA<)-mA6T)dZSq1a#!QOeYcJTZi z5-ek;ue}E=aRLb{k7_pG1;yQ{f}N9B+tO*K#X()pIFr)I(yl~f z+d+>ltNNJ9dSkCU8&bDDrjFi%r>AdTB?PSTlm@1d-V<@FlR61r`(NP2d527+X*M4= z&veyFi*xtz-|uAhX)4de&L&oY6oE?VjLMTICRQxdy~_h}4>U%_pNz6egqcecQmoz( z;Z*)H(jy7}_j;+g7XMN9(+9dz?n=jcp4{MnS-k&4j%jYOQi82s;WDZwr4t=vt4dUQ z47JBb)S;r)yx697FsQjR{)9=_A$U8za^J zT!cj8_&SqPIN{tH$8AJFh5k5I9i{HY18*=4^7CYjKgX#U&MI;xSpi6xoRb#%q;r5iiW1T} zPKM5zhn3L9&*f0>lAYCS-j79;l|Q{XRnv<|?DW3e!mlqT_MAID;?`V)QZw+vdOjiw znG>O%u+QA{Z*pf{ew5yrT~3DBKP)}=LtSgZth#|m&H04q&-wVHcMh?KOVm=1(m&xO zesH60HEBG&(?crHr8LRk+2l@e)4{Rz+ko;Jpu{&Q z(Uv|eiKQxJnEztXGlb{24GGxvcLQzU@5$&1CVG1YfL{Hr)U_I=iGETnxrV6ML1&;P zAt6gUjVXlXpVjY;ZxXpyF7S_4R7rL+D_3eT>CS2_Ff(*|p4EmmLw_3Rt$~@%?qeF* zOz#-#bFZ$=_Qzm&8}5VPo*a3+2yupZ!L702hHPuBtQo$uIJ7Zmu~wGtk{j1yI?yqCLkld{0CVv8%KYM*2!3P2>N+hE zqKFER1lfe!4@^4nsY#*QYpu7}~yVQVm&>qHuwpknQRN zJXseYGqIDC>j!c&(~?iw|Df$;s+yx*-$pdSCX;5z*2LL%G$Q8X>HEi~5ET(AF&5HZ zWYLN<$ulMNRzV>7)q#n_)%;l6^k}$LgxOCihu{Ns4v^2}yv?SCy+5YyEgC55;ic_OcCT~Xy4H0E**UM7HeFSm z514gcyF_$0Cocw3G>`+0`zi_fv5%Ae;&fIF-l=}ZSr)H)WQ~u*IL}S_RJ5`j^4x^8 zAPi}*0OMj5hIb41h<;?Ck(aF6Y}uBoT^BiMH{us`Wm(YizU8U$+ooCu$8JC4WcwIk z-`TKlcG|cJLok7GE!j$v9|aM`Y{61pXU^vQ4*8PUWWVeL$D|(fAt{we#5-oh=3%e7 zk}0#c@AB$j0Mk?wAeRS~dcPRP=n-HKy6!%Jb%0L@wIWZ0br>r4!B_+cXt+#BFXW8f zb*+e8vwz$z@a1{Iz7+Yf*mRCf%(yHaW#=79lTXF8zz_f#slY zd|AXgv4|D9lU~M2GmYwGzB00V8>qg*JkgvHN<1|i(KpvHbaSJM`L#vRpA* zuKKgFh7!ZEhD4~bWtLm|h<};LK`Ez3Hd@1%%hk9?iC3C=bmYhmReZq=Rwao+EI|bK zS@h(`lV69Bte4~>^ZYrYx}+y}c;G<}6NyO3w- zaIR^H_LCWdgmH2oGC6RQ&i;*}O!azfRjSvDBE&9lI?%8e94nLVt$zx450Lt9a1m^s z0)fgv2Zk)^)v3f*vQyjq-mSN@?!njO(Hm-Om-oNjC$GkPD_}D|v-_j`j7~76oX%cM zu?##hKPyohM7e-~56%%CagpVYP(s4W8^TPQ56kP=BAcsaN4jo3I(sfeD69Mv<{$kR z$cLzAb(8~^)r!hAQi5{v3KO+%RH!Bjtm@Hu&v4AR4|pDWqZ0nGz~Y02f>Gg7?<+sl zcliFqee#m&PuBMT>^}L2wf#T2PZ<7mZU1LJoqt^0gYvF_^6C7m8ub%PXU7%0TGF3U z&aTu6d^!Cjt$+$A+Vqur_7JY)ZriBkX6-wo-SU0Z}wt{}UhTp;lV6%p?aXMXjGsx@DFVqs!Km&lqa zI4$t%nZ>C7YQl>YCyTwDW@mHkQ+IqiumaVPU>w^#`4O?+H2Slvpno??y|OxF?q|aF z#Bq({Q;F8AEap$F+(Psg`a5x-VPM%=)gO$|CoYoU#3!|c4I4s6PF<2^?xvxm57%o& z0!DQ^{Dn9F;omt{ZT01MolV&me6qTprv1C?i^SII@=gJ7)mV@8;mC2 z_sA?zRBKbe_)y-Q?CSFpo|#zk5caXM;VxMREZdDzgueHf*v7+DR$@RnU3|LXT+K?D zxqD#VA*nIJ=(KEfyw3u!PdMjY?m-+VGIYZ}hO#t@x}bQ=Z0Fkufo}`~)%F>Rv-EWo zs}F93ojt)idV}5WVK9@5DO7$FIbth9W(>gh?>qN$*;buc9xHKiVC(o1Oi8OGiAr+*Ce&ql!>`ae73hR?NP}Gt{GFI{a=DD(RL>V*!=YU*kr44-~U! zs-xYjP82X`h@|*`I#;&XMpq^4xl?=swVHNPLNiz9q!+`T>ne$RpNG8}8nt>k+Hw4| zRORIW54ui+c^8CNM~nXH7Xzag^%!(*fY91vt4&aQP}<->BRwd|r-KRVHb`KZsIV|K zeQ~9ojUgOC2!eLTa#ICR_%x;j;M3j#J7m3Ofmg>alCW{`H`vE?QR-z_2#OnVxR`20 zj(i;x6DND=+?yU5qvbK<*YXly9kt~>m<1=_1?UmHNYkGX_lX+N5K#9bRDzHr(uQsQ zk~2yQT)c+mRfAH$o-dB)LCa;mKA+h1Xcj`a7GCv^{GI|^PF)`*z95!<&o>WdT3Ycy0A^&9~giad>wAPTk6G&?li?Q@nVVmj5UrY@iFND(u=D3!=4_PpGT z(YrO6SeBH(j3R)d>pj-+vsF47gdKzD`xyKUNHI&ToZI^(Z&60kRDp=Ev`nh>X`+;b z`oOeU-RtNt4icTI0W1QqphoO{_qn5yj0kpOQW6BDR!X8AYh9Wkx}6c74H zYD(0b+US?Vt1qih9PFtx``N^kw0Y-f@?_Jj9n{S*wLidT94ShlsZ z`&(c_?k`b}t;Hjp*w_oiK$G*t{DupSIgopFcR+<%F zDf&l_GuUBRI93n)`#lkRW@4=LYV8mv#ec5Ift*3P8z_lKb)4~<&CJJ7gIbR*n$GA3 zEcDtrpL<19(@)u5J@(*h!|hf-oDbJMbC3RWnJ|5v1>pM@F=Oq^K7|SAV0`BE^F8*@ za;m~AcOZ&-);lWV%hq-VVFBOI@U=i|xq7L_z)#hJjf3v<>kr>Xs>C{SGSJ0P{pJ0>1B0`&91VIg7z>$l%IOu*#T}v(VGqhq^RoV=?367D;rpJPk&lof zs^gl=Un|8XPl_Vy(qjbD_kS#w`d;<*9;f3M#z!}Lm^k_1=wA$iboG9UPCFjN3j!CSU#@XUZyZ#EbdZ?Cr^9sQ~yVHvBy|1D6FSF^M92%#Sr8JZG(xHQ~Bj4@#mKZ z(d^JxnbB(*-+#&)iFVgg^b98(%9F}eCMva2^H9hPee!`)bDU&bttB*~1{;x@F|X$- zsbiK!s$w>GeGl6>V*ISXxAV}L0MWb^QVj)LQx^yWeGIa{@gRn;-w%YB$+``f@TfH{ z19u8b>ik+$=RL{$d}_uT9pAgBtI*GC<&hAC4lNg9LvdNcRm0n%Y?Ea3))>6lw5XV{ zpP2hMUlQd;x2Scu7+S-%`#yWPsFY!}^&1zaUg)j<@XQl~$Wv6$Q6;3*%IS>q#|@4T z!Ov-{NWZAm;iL6+^1`>}k~x_j&E-z6*jiCo5&OxDL@Sa$VLd+&VL#F+@lE5#a)OJX z~pWfojG;yj&f0o5NqjmNnd+6L`FQTdey@M$6OeSwk zqtRDW;^y07MOpNA@`jYNueUs+Lea3iny4ph33;cPQnzx zc#EVqfrHj-A>62FU(vBU44TdioQ&Ur74`6)(Lee@-OwK3$LX9XL%Wv*Zd@2FEh!yj z+K=&X@m3e!mt}u9J6QN>Ct+*|_qw*FUjlKE%;-Lgi2^J#x-}A|#Zxud46csDbq$F( z(-7Q85M534{(9#b=c=$C@W)`%zyFGQf(UCdF^jb!LD#F7WGHIx z%no~RxGvlfe}l++mXgJFW&S3)pCXO$A-m#X0*Ld&Ix+|iaz1iG(64Lubl$U~O3ydG z@4}C4+Gji&HHSalqj&P-Vml-PRn3XzrAr_`qc{=bo--$hwoa)j@sdw$8rSM!uDyLa zwb$bZ3&eTz<%<`!d=;-%J{23on2?{~)r+0n5t-WL_p`oan^~psF>g0gs$WO8N5QgX zS&6X&ujY7w9;Y%-y2{l3mAAr8Iwp;@vW8<61*$Ktz}97cxZ(C3lxOLa%LJnQ%VY}W zKwO!Z%*mS`cCLI6dD*4p=9A%hI?4z`at-AWy-zt1(}~m$ZHMzVJS?^Nmf#l9Q?c~G z@MCtPuFIiI)|Qs%6P2A<(u1u%T9jb3ka2s;!?~0-&3ix*{xuY+4NQHu`fQ^**?p!j z#B%LvR$S)It3E7#GY2+I@9zKP-gO8Rbh!YuL4MqZGHCmWH>7U2a3A=*Ji|zo-ueV{ zESYpITNsq@lDsb)nWOOOZKArcLkF$oCQ}D^>x^7640qJ}qitDfMS2}tFFi|SUKF4z_d2F1W*W?Kq`py?`*zJ{0ACacgmOAiwizXku&11J4VZ{+JVLCg)~J26slU%cH(udN9{)|VOLm8? z*ApUSpFH1wbmO=O>%hIFONRFPm1A2E*Y;h%K}vnfJ9+ix?DK{5PZ)RjY{dvZBnL7O z^PXKBYf3w{fq>z~I_hv zn2^G*#D4rV_nhpLt#W1?t%ezqH)9;Go>F#}M>1{a`Sx7c)Be#Lu019O7GU2A3lVtk zICu?rI6~D?A}z;N;^>>2>NjC_CvSz9^Y8=(Gx+qEB6E-5TFTr{KtKM$Wo$-RkFd{$ zyC=rPoquTH@-q4R?L?`!fg_gYKhqYxVX~Qqck-u(Cf=kvw~OXe`LOs-s?3AM=tf8& zr316SgbKSmW|{X4-v?hc)8u`p&?cMwA?tZkb=6VkB4%sG6&x$p9vg~fY&-%-Tqb*n zuZ54$(febh(+tEW?i*E}!qALflu7wcOQGdGrJtOdUlveTE?TfB#g+C)(Pii$a>AwU zGry)chY4wb&B4QGxdtC)OdMQBM&W$dYfYKt#;yRrYx~ERy1g>y0YbtWc2j$d1Fp@j-HZB zl@8S^pQMkRy86A=}7vL37*(X2jNXZ=U1& z%C1phB5i(B#H09aMmEGK2`2MOrYcGGY1)HK0m?;seg86oB^Hx`? zRqD$hIg;Y+tZQ?MbfSS$3v4Z?fI4ku6!M19Sn>#R~#plJk(wf({ z&C1nvsT7LteV&|@zEc)^o*9ds@L-6;J^(Tu7Ycwr;uHZBfnm@VBlOOp+LU5MxxP|& zux&3&WrpqECCa{uDrt)jnZ6TtZ<`Bw zi(kiQnz_GZjzko^I{)035oVoaOYV57{xs)<_4rTXeK01M$@aHP+%!>K4L6Cq*uu0$<%y9aDPw=HVVKX{Pl>VZv1=Zw+nN_m8?z^ z^-)f`a>7|&&uML3*Yav(Cq_h#)2twAmieo$luJ~*5T*UdK^#O8aRJZb>mDbmJGfSj zeY5xTiISmsd9A>O19*&ny z-uIZUy*+PxVtk67E8g(oOQ2;sZsPPL2i@mkPEw%dQf*#>&1n^JaZRak8OQxK_MDHq zM4T6Ew%;Ay(GV+~%9mR`%9a-nc?KNrdx&X=f5zgmZICdqtarvg?8UNJBTgkAqpBBu zR&meJ39Q&me|^I1kQTM4z3Eod*jVszv>Pp3X`*V=3r>p#{$E&(=oKI$W9~qH;7rV|R$NfQyIrwtF`YIGmb@p*WbK04EL7gTypDp495z`uD z`ufukD`v|1cDtwwkG$|{L|4lf?)1AK#O~V3uRc>FxSML2S10`JzXwVl9mrKBF3zM9 z^0;OjH)kM{q(!dQ5(I?xsiy@ z@(J0wGmGtL(WQ!~gNVt?TWeZ|ihG?N56UbtqKb5NnVC2^=;;CR*}*@$0alt z4-&f(zO*NR8Q?b6u$l}?O*@5f`;gLBlQH@~v`+G_&(Ozp1+|LJeJ%Dfo|TSlDR8ta zFkcIC(@H!Y>YXQdQeX(9dUAPLpheiknUv3VLu$QZ!OdYUGlECg zIf_|1(uo>;*m!b!eaYjR`H%4fMQu9D;{v-;9(6X)KRstrDcm%EePAFOnK6YBC|G zxxT$kcO=$)xsh|K-3tw^44@u|i@0Egs7&)({Sgp8UxV9DsWTXkK7qb617S}O@exPE z5B?#v{bGUp&=tbN7e_ts*bZcGuC$;k&}em#wvH4hXH#HQvv=g|fZ1>Kk!;t2Z-j3T zf@(g=nFT!Iy%@_O$snNPC>FDyyUGPyRZG%bGoOP@c+q*ewI~l;2bQ23myjkUkbuZW;-(&=AE_P#nSn!V za5st~>K^@#l9E627egO{6Kgx*XsA#LJxB{qRI@bAd5>7C z7Q5%ZaBMx+>MPWeWY85Rcjm}g4I8%|pal zjB13k?cxVYh1;b9li^nlNu5!*-L4xQE4<_`c>T8F6*(4lW%Uw+i_31;O@UPOXu>hR z!oo*IO~Xy3(j&dH%)>oyuhkEoEHyqRcrO2O!3E<-#W&=>#t+Yqz}4!DhNBl0oRa)5 z)Ft`p+}`9BEa=WlGL*^cN^X~Vb^MCqMVQ;;?mMpPB5HGPGU{m#vB03$WU^(d94cbn z_+a+elPvV(bvv@uB}F4s`{KJk53}al8>RMKtccw$My&s1F(UkaMR_pP{b4Rh4k;f8 zL*Wd1!?QCohj^*wN&KYC>k4y};l^Q;GhIijTjhs!KVNzfN!vpRn6f0DM2(c*=MJ4e zEchO&C@HWZ@l*QG_zeCVjzNC?mFm9iLZ^hlfVLM9G;Yz6sy0}Yx2Q?|xXwnYY(CBJ z2Q`(=92pxD4>-op2=G9*b0U9rVD2r{0rsT!v9QO@&RNWXDaYeAL29+@C12vHQGT9# z(YGZf-O#fqkYR;ISP|sDK&E-Uuyuq8QS4%<)u88IFFB(NdWSxaA4#|zIOTvJc+@O; zQl{|$e0+$MMLre7{RkrTF&j_ze(f@&TqPPZnNKJQ7_ghS+cIflcrb>6vjp_*v#%w(`&iz#deejap9y9IcIhIJ(^H zo5#`teQE*nar84oWB|Z_ec&;c{>6Yng+sSL*8gH?H;#xx&E~YyZRmh=8+Us97lVM= z>mG6!Lw8kWK$Nh9wu(JbnQ; zezBv*b(sr!4=splz5-pG#Ou*E%TYv=4YC1tHW#|NM!@{_+vhLb)W>8myBWD}-VMak zIZU8mC-KnVzU_;j2aK>Fg(Jl)>=(oK$M>L(BXTF?m#d(cn+uuD7y79(fTkGxlSGF7 zVnD3msHRF(84Te@|KE?;Smqw4nK^&E?B?&jX%aX_=K#ehIym-U48J`pTPrb@a5YhVX*Ok}=`Y@#})Sl>xMV?^)~8g_%c;r4k@ zzPU%*#&`}LWv>iVxLBeLUyrndRjfmCDO@{>8SymQXWnytfI$TKz%|y~h>qsQE;?zV2D7dwuuA zZtebLpTuh?_<8*wC0PzMjn6m@D+>m^sGvX*k^@K{1oRV9BG6COIs0tI3yw9{Tv^|$ zlZy+9=RXFqH_bJ640=!tQew?jUM|^9n>;Hc9c^=CD8Ibb?E=aVj{XaN9b(??1=I-> z7g{rAK%uZ2cJ1D*#|ay&mejA+q5){N`isX;hD^=j%%j+F5B+{hK{h`)2Y>vwlX9~z zBgE!n*Rrtkq0lMO7tQ(>NhgoVt2R-&=h5s4Jwkg#ES0OMxn!v>-R`oY$E3INI`{dK z{KsaDPeb-H^VkHc6XCH~yW4maA3Sh{Kb@+I|a7Z`0%T&jb${LIlh^fA*n&nl)$E5?&>2hCFym{VH%v; zYn03Tq2$Y8e-=u=i8%IGxJ%d8+l9AXT*?PXgCZ9R?suT+X6+oz%VWiAvHcU$U6TNA z){rFhAI3O*#OX%!2bv&jt}#3vM|ipmslON&aeo6d{2bs!KKsWpY+9ln@#7RG8*E@u z98|mnSk#0(MgR2w{k2h|0>mZUDE~V^nZjQu7=Sk^R`jm=&v)Rx0mALYe|-6_0fg$M zbATkqzr$8^5$VRU+fK;D$Gb3y{SEZ~2!jwpDyrFF7kB@Hq<+Z0h><+xGgki9v4wJ~ z3~m=AfBX$KZ6Jg+@O9MU*x!Knp$xS6GEJ^eW|=w)ZjYmLSb^LB9U!ymeBkxK6R#25P$ttE{V@cxmyjg4+oh!FLi?zDRo8X zH$!0lU3z;)%)UmkzSyKQroX5>%w9`Mg-Julmi-CzM z<~NUttV?y>K|mB-bX?c-B;{Ee>=zPsSJ}=bwjGs1#8FNL%63X<5og|0j1X2sA79Kt zg<8ck6LNJ7mL?AB`5I}g@+frjUQt$_ep+>Oh8#pW?COtHt|h-9I>U!`WCLeDhk6yP zFy9w+@S#UIVcrEhCu~P&nuNmrmn6i#_f%M}wca*Sf0*(4j$D56)Uvj!on4f-{3ny! zXG>PZ&N1I&v@{*{`%^-z|CR;d-<5UtXvR4RtH=4}T+%cxojA%Ap3-VmL3swJ^SGei z*@i#TWns9#K|KQUi0*=!Z*MhpN?_?G|1Bf7%v}uQ-e!RiVlL2{|IdFDR7?}DuI-V> zeMaNkdu71p=?*gW{Ve_2j{PGz1FBgO;Lu}!vhy#7d*w83+fQs`*xy>F_m{?-XWhE~ z=&S@-vh6+tKkB!(KM-UQ=4V{|w|w#7L8M4HY^t=_M)2s}^JAADU1GSvFE0$j!v8|= z-+9K_!GW_PV}d*%P6_l|2l@-0nzVTa9SpKsNXfBzz%jc1@hf) zR}5zzI8X9pCMfhq1^~U*sP1TlDqt)hqh~6)Fm3GoZ@7;+{^#6a=&!%3Mf@l7T)&%S z_w)ZT%fD;LK>wgZ{vS;6XJ+~zv;6za@?TJj{S&kNv?5Ib5Q{;6LRCg|8uUM&2ncI{ z7Px3?_)k1e2?!9!WvDmwT;G1aE}$v(?Z{m=hJ!xvJxH**B3wtIaa`Kcv#{|9JUUEG z+?l3cP17+Lu2=2VC=8Nn{h)F!=8@DFhodb|9;O2MwWR_)Z)E(np22Xj=#V0-gYoQA zoLeGL%fx@36|T9LoJhk#6DUWq;MM3?j zU38HIIL2Q!gG|n&YJi{?Py?v!!9ipon1wfw0acrlnL+ZBBN_jJwlg*g~;{mqWl|1IS(eZEXdcGKJb^CGu6|-X)aC zR(;S;MDT`o%$w`oLp6doyYF}->K_T7VS4wYzX?Ln!-l{KuTd^({n3^g*cZ8o(^aY+ zHyy8KBSgjSo||2ZH9WNCXuRaUtu+_WSw7A*m*0xzMQ9L(+BeuV(&jvL7GckSF?fAz zdo`tN{D2NTjE4_DB^?s|DNARco`a3olALH5I|44cQJ#E)TfjXvd^D@bzD@MrL^Cz= zfF>sKmGD6D>c^RC#vS4%1n_PBW8VXwhkvx@S;)l!xYnQa{hwI#6Wf5A`A6J8^*;2U zjmfxWD6m=k&m#p8_56b|8G`u!oo&5Nu}1bf1nVe~wUd4^82@dYMazd1%G>%Q=%?cr z2}S5V3yGfp``DGltYg?n4nE zq(GtWwhA%53z58GdMRCk1k5N{BB;bwk**1JWSM@gS2Jnk-TY1eGR8S zMqfw3=2mj7V#L{ysDatYubxWRxVyXy&Y6kqAMmCN)57TNogjaOU8xi}> znVu~DaYQPS$HX~$JGWf0QSkZSI2{+89jGZ z3ey2nGaixv_PsK|L#PM70T6V0-vq>l1WpAgFQ)jkMy$T4fPKM$6ah`&>kD90<%ZJg zyT2Za_{$+x+b=-kv?yu)MtXgwFx0VsJdGX&34;=T!{5|+WG|{piN*`vi<luL6Tq)~>ehD(```IWlbbq3zx;al{{YiCzfmXM$9g|Kq2iS)9cbu z?Ow$8XSBaul07(K4?q}G+H>eq{O)|gPTOrTaFOhufEqXi<_o?Z6v(bEN45)RU*A-1 zg5sZ{oVa(SB)Gwpf!dui_=hNRfL?yw&4asd%qGSmsWBc%gw`j>8&U)lp? zOvUWHgZeT3tDu4eHE`tjF1qS9?o4t3!{QR2n|c6@570wDfLfH(moD&q252R2wFkP8 zK)wJHuXblckvzz_56KCfp!dfUF1l;VPGtfs%j^z6B#vGC@ZU^o;!Lukz4*njlo+T7 zE^>PJBIStNMyY+>+tMFx`kB4Jz;yW!12b#)kn15d*`$$2 z^!lWJ#l?BsW{WIQ3AINmxTSyd&TU&() zZ>qz!_6tuQpGhd2Jk!u~Rv|5-_XuA`rS4~6FZ`{&-z*2)uPB*kl^(Qy^&>!U-~lpM zyl2mTAFH!p9LyKSR^^F&ZMC@lKa|2}PS;V)qv(QeW46K#FDganTbna$zxvN&@T!0cFfbRJ3_BQ0toZ_T9!ClSC1vkH{LIf78lD6V$CwN2|e^1L5Yxlqf}=-dq>6B%Doe>}tp~XQBq1wOl&mST53tdYo)X zl%;bB+`dPwo$rrP_u`~#zki#mv_H`PB4#y`^y!Lmf1Q&#FRw}2TJG}@(*%veZ(&Ns zpC{54%Vr{0&lWy4{{m}Q8n>GBT20D5M~oqzBnm~=I1Mb;(gz7a!un~JR|oNtyz^DjJB!-G%1vsrmtx87F{W7J0M)f&de0= z)=^72OXVkYWX;7XwINRoRri*&9IskA=A#_5dY-^qySeX{lTqs}=A?LrK9^TI<`t{a z$7anRQIFCJu+AHCJEa}rgsKjbC@I%1PI4kEu#Dqa>*-4;vg?>eo*p=H>WlLncQmdR z9!6EAxBx}0Cuu~vk3;yHjJ#5>xwmg5FYM3u66iUfba_DJda`5eZQ(ul(ql&xLe=6l zwxH%ALoK7Q2z8oJdn#+%9A>{wURKVE;HMc&YrSom+6?A|u6NC?$C&R8VoyM4OH$vw z&!rwBKV*GWV!Kpc7}zp6=vtyEF=5RAruJ}(H_z%_?-PvemXY)O>LG;`mq~aUim>Lf z&wzCW%tZ(3GD|y&v|jYum%CWgCwp(A$-*V&+t2m*F{+Nw=KP%FPpF&ADJA$ie`~h9E$}^}S)8eP$Ey>_;GE72 zC(3vUx=qA=O!pIKHKf}HcU9fFIJJsxWKOCvUms0rQ<^j;-6UJhxl+aF(UB8=PpaG& zPOWA0POI_m=eX*T{Zx0p?j3W0fTGk}_pGe}0TF?&K(9GyFv59ufXLlqNz1IjSMetW zH4ZwaGQ@{C^d38TEc6}hL(YM-+UC*jK-L4;NrkbQ^&AWRj8!KXx)H0b9>sHl;= zqnN!xfE{ul!Yp3G*vuwC=wDSWcdzSj2U7!b=;m;lSJn_BAb_g~rrPuRqU<}yBW6-Z zg4ufB9yEEoq-ZFzqui1uS%bh6WdVulb2{(JW}x{l(eIkp%{N+3)#$$ZWI<@F+@w^V z#zqa{-bWRiHwi@C>_#Mzu|rsYYOt^`2)uC3>|v=cJ7(Dp{&;UgoyL1qG(qsy$*2P&+tUF#1Vfcl2 z^IQ*`PG5WP0c3=2PktRa&hunN?b(IH&njxX^H27dXLWe%T9>R_rG|$ivi&Ij^seO8 z%|K7DXwmBp=HGj>k_|k@JE=hmPB_Tg{pTC$=EH9^Nus53jfJ^Wm+m{>7d2!i)OGV$ zbTLV07ao50i21-}$pnil$36K%tzKO)dR^FezNI4Z#36N{*7@qT#R(|{8$klLikp-t zr3~Jhn^r^|^JSx{)eVV!fkp}Jgl1i}73f1+A;jiMe@tfEj$r?u^bLOQHz^mB|Fx9M ze?#Pp<^QsKLVo=<68EPm*Z--!IT)VeCsOTN6lu6uzpECW>TEZ)NFR+oW!%A26)(Gcnxkhs8i^xHktajDh-X6f_rr?Kg)=6Vqm$Ue@1>YhV+@}A3FaN

iao8im0JOVl& zsIR5>@yEaLSPab6{QlL{k28no-MQv(7BgoE&TBCgj|?q5$h1eZHWRGyM(;v4%=Cus zu_NkI;jMf5dYC--axy2pdd%1zlqEm;|Fn1BVNEY<9!EiuCek|rX(}ZkL`0D&N)r(2 zO+cjwA~qmMOhiNoy+~J3iZmh85s*-Xpd!6UK&qlhOO6_H2#Gr!&$)Z{-t#lbQL=%W%dqgW)6 zl{iepk;7jAlfQuMIqVAQFRzJHqT3A_-F{c-C~cg5pz2JwtD>B4w~_zNH41iS?FCi{ zL&CB$Reg>ak(!le=;p4fcIzv9l*Xq%PdUsKlTZ`fo=b9@fk%|H1@MmGXsQt#6rXcD<{{Bad&HWty;EIvwdMAtotK zGi7p`kd5ZniM$a^u0aep4UI~1=x;VhmYVxtDlccbEfF$yCA8$C^_Rxj?aue-Sw>{7 zX|-^J?PKrPRs<=25VAE8FdjNJP{>v4OR~!k4C=mW_qH>r%^`@pvRh}VvFRHPSRFew zM+TOk5WJ^(eKZ>r(}S6^wa@C~o;xY~C1^xG?F_{`->XXV-gpasXoS+{oIbT4IYPwx)>+(>t`k2F&xLWTtW_Ph0^(~{q@?4h_U4Pr% zgB;OIN%vzDuDC%rC2A-E%Q{80>{dt(`|>vs$!XL)T%k76bwnZdNXNU0)9fP32R_)G zf68wn&9%o`$BSM~#nPlGO6`yu;)>jSu8424ud5_2^2%c=@eSo-?sN_|dk*Ei4mndU z*`&)JHaZ`!g(t|9MQ}h=$E`XrV!FeP4}A!mkcBKCUU`g4)jc6p_`d)2hXJ+GW%K=> zeP}j_j5jBbqAfi{81UU=jC3_7C)x)vMV<@{^QN|I{CAeK!&(w6Nj$=He!i8G!b^fk z$us$g2S1hYMcBVmuaIDJc+-z=D#NSKqypv3e*eI=J+#ufO<3nwzIVsU%gcM}%8cx1sM;qKDn`tE|C%F6F_|9nFbAOo?#&rt3L6nXUJ4c zqj^wcNA$FN-&j&0$;gF4yRu32TtNhX_i{rvl$BkkmDx6Q@Thxz1Ua8(&e?E zif7U8suRlk3KD{;UjFkXY5Yz{H75zP0{sN9HQN5j@axcspvq4zlC+M8Q{P$qeC>+) z$1gpZZ^-nH7iuS_Md*Fnc1=xPH2O3A!cGoKD7Et1zFW|Q0E>((cV4VxHTp!QLMn=8 zj9T&WIY$`zm#}_V(v9}MjvFlxiu6)u`*u4{mQPayo5R9it5B*9d+kh&*j5i}$ZpRY z!fa>u0&zVTBWmFg+RtN3x{6kgM^t^PFVhvMNlTwboND0Wjvq+nFGD8Eh3>wR{k9kB zSe6S1`s9&7k|?jkiA-oCumAG1koyb?a3F*ZOgmZ7xd7 zYtR)U{m`an6(gr+`qrql+!4uo{k|6*coNCMM5<>^`+?ReF^HcrYNz%AmbbfJekORr z@3_@Ww_!=)bFTRm_{lnobQ}eSgemt4I81i#D6DU53u*(yVfMF{Ja~O+0G(r7Be#2ByKm!a=L8{IZul-m^v(&RmIp55_)(Ytty0 zZj4ekp}7~A-_56dITOIK^t4M;wyLtR?!oHTNfdAQGWNrL&*SgM7Smt!MchcMCu>^L zOv&}mxoz4{7oU#%tdCxO$vO_pu&BO85xSfaE4QMv&*A)6otKN4g=@(J>+pSOWr|!I zmJP%0w8_ILhkHFY(jU4`mo0MjBL$@gVBN2_1xXN}ZPPa+epE{~Zew~9SuiP>?okLw zP3|pMi9tPfTHab`%kFBr{KNc$db!FRg0BN+a`_)@oFpr8!XJ5lB52J}E?7UTv7m2sq@>dhH)`N0cm7p}OnBmnPX-Rww)_`Q zAMhwXQ6e~3V<5a^X9ka&pZ+SWl+{Yp#xU=c8xtz4fv>$f)@2jQ^%@614Iqi1FpV zckIkfHh`kuzcZD#7siFL)hKoriqZ5i8Z36}fOX!dQimi$JPd8_@pOvaWp$68`4ZiX zP<-;@Tvw?l-c=W~hhsC9@S+S~Uc$tztqO~aSEakDyQL39@P4ozgc-4Vdu zdRGZX&9`~{$lbBmeAVpzM3XE6S88nubKkoQ=yTp1Hg`1cxkI-xw}KgV{Z7fp`!^*Y z)DI;ec5s3Zlzf0s<5wl0=0C0Ev+WPmeg4_*vHu1({asV36ige=tPJ~JxrL;I!|e~9 zGQ>#=DPYUmI1I*Uo@Ysfy|s0@A3ykVX5=!$6INgfKhSJKKg=8f?~kIc1c^;|Mv|IV zf}oGvo=d%tN@?B>7q}QD58k_TM?5lPPu9Ox6j0Xg7F4HyKlo}<* z=>(_K;@H`Vakhqd>nmF6mL2t8y`ns&XIyTFyO_9Lt5uvTTez{lQak5}Y}w0vbr1!& z@wxuMndo#e++D*tG}}b6_AUInezRF**sH{w%AW%!q?upL8L5~9(~D#LPVby)HyHD2 zO8fV!N6nP&XXE?KgBGJZZNezQZTK*^YIsaR)ia7bd|Ryx=e&#X`JTC{u6^i5`!IST z>d?-^oMOROl2tInZuQW1d_26mKE9ciepKQ+i@4vBG~6|{hl>}k`5_AypB7~Y9~&OC zd~qu(HA#p|IO*Q*e62={9B(^>rWDY&glBoD+oDGc^Ud>d3Vh$AkSr0? z&GqtfmrGkVLeOfwqp^}*w4!kdq@#NTy`#PG7qTN2BIHK!FUYORW@D$$nadj@JyY(dLRQ`_p zmmCkpJILDZh!R>J0tfoGaBoNS&h^&htJa&BI_>&jFgL}C(A`&Uwpn7 zWK<}jA9*ul^nB3XHhYfy>Cb0TW{dTPUq7ofIA4=Vc&WS~Da_jxAj^fWSrwmnr=h2_ ziDu-(z1H3~bsYN6A^`PQX;Jsvh;@}PcQBW%>&J1&!^BKnveTy2B~x2d>r*Fw8tWzX zwL{*Hpw%~kQBOdWg;5YB0bObN+)hsPYqB=)LDd&exHpk@lY&3>+@P})-NGR?cw)fY zl(s1)TK3};bC4Kmk&%a#Q(3aractCRkCR1OoZB;bn#x{^S#_r7wH>ZdT%v*#g4~#HEK0*h10g&pR>$XiP;_hZKswr=pGD5()P)zjovuEt@E~c59S|hv>;_^Ubpd-& zZbXnV85?&N8ucU~FWY7iriyV~sg=^&K2$)xt#gSju8Xy^KDooM^y#8=$}}EHZtMPaeEzEm7R72-K(so=%Dl!FOYZk9=Hqrlea8 zMLiEOQ<Y&YcA+?{0LCi*%FsV{*bHHPR^v&g zN-VH-#c^@odv}?i8j<}Wvj;RV{#a)3ARnIAnE2*SJ1*}OswoN68ZjA$sa87(eO3AZjOof(ey zJM~HhMBpCh(G~BnA)a$~nrfxiC&`l=I^?6p9B%AE!JJJ7v|KplcH)XA7AYDpO;O1T zN|Q3%D@sbX{SpygjPze#cGqw`A=RiUqAY%AM|O#fd&*?Lcp;Bnrb)`(;vEkXCg3%C zeWHyM)oydP@aR^(M;T$ZM7Yf6kY)lRB~Yw% z0iv-VkvD3mih{8Qh&9^2RoJK7+7bqS@AbqhG3$)Jzm?xXDX3{}V=|T0D_Y@6|ET~` zF>S}HL@E1FdT>NF*XuWxh;ka~j>*85*)$H_B#TiTZPR3&m`)XFAb$)*{loG{*ON`c!oQdHj?DLjn- z8jjp)%+A*?7$Jk4G(s?7{g3u@F0@47M+zns6iFD!JpRtB&-r5H>(cu3q1;w8_{7EB#)*4RKl)!Mv6FcoMl8Z>8FSd|yK>#HC7^d+eCMmUr3YLU}~&x6m9VkrgAl zmT}D9O-FJf_d#vHI!^2!FE$M9JZ2bPZNU)2?*chTH#z_WYiB;TjHAO}${9~{ZL0MU zviNF)Tp)e%^%rS)oU{pR4-hQkHUOhj#NL(?XYheeR0YS!F1JJ2s zR=lJbsyF0|-KH$a$hgHzC5-I{z*GbsTn?y_ff&9&fi?mmce_=CgKhpbE>MHC*T8{o ztHQquFE)DimY0<93vKia&_)ozMr~pWAhk+cOi~33FiGqi04I{JfHK9nsNgEkWfr^1 zKaQo8!nf)PJT^ZnstQj3#Y-IwCb5<-z3(x@1c0dtO#@8rJIfZ9H6p_(*<#a_r?#M} zEi8+;1k|4H>NCLQr*xDXuv+TeHW47B7<3#o3>O>$m^4#QfNzzii3RhPsC|40U9q5R zfL6Hxw2JrZFRf1?h~V zqro!)&GFamy%B;?SkB0mIrjrg~}|HArR^b}4&sb8{{piTI;HrGMS~CG?T?_dz7ZS@M{?!n|AiVX>;DOvVG=LLbZH z02&?d-?03L{v>E{N160Qp0DVHwdHa4)Bg|A`~OZO?{^sge;ywDuX*%e?jzRk"abcd1dMVlvW2BT67xIAS_A", "token-type"=>"Bearer", "client"=>"LSJEVZ7Pq6DX5LXvOWMq1w", "expiry"=>"1519086891", "uid"=>"darnell@konopelski.info"} -describe "Whether access is ocurring properly", type: :request do +describe 'Whether access is ocurring properly', type: :request do before(:each) do - @current_user = FactoryBot.create(:user) - @client = FactoryBot.create :client + @current_user = FactoryBot.create(:user) + @client = FactoryBot.create :client end - context "context: general authentication via API, " do - it "doesn't give you anything if you don't log in" do - get api_client_path(@client) - expect(response.status).to eq(401) - end - - it "gives you an authentication code if you are an existing user and you satisfy the password" do - login - # puts "#{response.headers.inspect}" - # puts "#{response.body.inspect}" - expect(response.has_header?('access-token')).to eq(true) - end - - it "gives you a status 200 on signing in " do - login - expect(response.status).to eq(200) - end + context 'context: general authentication via API, ' do + it "doesn't give you anything if you don't log in" do + get api_client_path(@client) + expect(response.status).to eq(401) + end + + it 'gives you an authentication code if you are an existing user and you satisfy the password' do + login + # puts "#{response.headers.inspect}" + # puts "#{response.body.inspect}" + expect(response.has_header?('access-token')).to eq(true) + end + + it 'gives you a status 200 on signing in ' do + login + expect(response.status).to eq(200) + end + + it 'gives you an authentication code if you are an existing user and you satisfy the password' do + login + expect(response.has_header?('access-token')).to eq(true) + end + + it 'first get a token, then access a restricted page' do + login + auth_params = get_auth_params_from_login_response_headers(response) + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).to have_http_status(:success) + end - it "gives you an authentication code if you are an existing user and you satisfy the password" do - login - expect(response.has_header?('access-token')).to eq(true) + it 'deny access to a restricted page with an incorrect token' do + login + auth_params = get_auth_params_from_login_response_headers(response).tap do |h| + h.each do |k, _v| + if k == 'access-token' + h[k] = '123' + end end end + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).not_to have_http_status(:success) + end + end - it "first get a token, then access a restricted page" do - login - auth_params = get_auth_params_from_login_response_headers(response) - new_client = FactoryBot.create(:client) - get api_find_client_by_name_path(new_client.name), headers: auth_params - expect(response).to have_http_status(:success) - end - - it "deny access to a restricted page with an incorrect token" do - login - auth_params = get_auth_params_from_login_response_headers(response).tap { |h| h.each{|k,v| - if k == 'access-token' - h[k] = '123' - end} - } - new_client = FactoryBot.create(:client) - get api_find_client_by_name_path(new_client.name), headers: auth_params - expect(response).not_to have_http_status(:success) - end - end - - RSpec.shared_examples "use authentication tokens of different ages" do |token_age, http_status| + RSpec.shared_examples 'use authentication tokens of different ages' do |token_age, http_status| let(:vary_authentication_age) { token_age } - it "uses the given parameter" do + it 'uses the given parameter' do expect(vary_authentication_age(token_age)).to have_http_status(http_status) end def vary_authentication_age(token_age) - login - auth_params = get_auth_params_from_login_response_headers(response) - new_client = FactoryBot.create(:client) - get api_find_client_by_name_path(new_client.name), headers: auth_params - expect(response).to have_http_status(:success) + login + auth_params = get_auth_params_from_login_response_headers(response) + new_client = FactoryBot.create(:client) + get api_find_client_by_name_path(new_client.name), headers: auth_params + expect(response).to have_http_status(:success) - allow(Time).to receive(:now).and_return(Time.now + token_age) + allow(Time).to receive(:now).and_return(Time.now + token_age) - get api_find_client_by_name_path(new_client.name), headers: auth_params - return response + get api_find_client_by_name_path(new_client.name), headers: auth_params + response end end - context "test access tokens of varying ages" do - include_examples "use authentication tokens of different ages", 2.days, :success - include_examples "use authentication tokens of different ages", 5.years, :unauthorized + context 'test access tokens of varying ages' do + include_examples 'use authentication tokens of different ages', 2.days, :success + include_examples 'use authentication tokens of different ages', 5.years, :unauthorized end def login - post api_user_session_path, params: { email: @current_user.email, password: "password"}.to_json, headers: { 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json' } + post api_user_session_path, params: { email: @current_user.email, password: 'password' }.to_json, headers: { 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json' } end def get_auth_params_from_login_response_headers(response) client = response.headers['client'] - token = response.headers['access-token'] - expiry = response.headers['expiry'] - token_type = response.headers['token-type'] - uid = response.headers['uid'] - - auth_params = { - 'access-token' => token, - 'client' => client, - 'uid' => uid, - 'expiry' => expiry, - 'token_type' => token_type - } - auth_params + token = response.headers['access-token'] + expiry = response.headers['expiry'] + token_type = response.headers['token-type'] + uid = response.headers['uid'] + + auth_params = { + 'access-token' => token, + 'client' => client, + 'uid' => uid, + 'expiry' => expiry, + 'token_type' => token_type + } + auth_params end end + ``` ### (b) How to create an authorisation header from Scratch @@ -128,33 +132,33 @@ require 'rails_helper' include ActionController::RespondWith def create_auth_header_from_scratch - # You need to set up factory bot to use this method - @current_user = FactoryBot.create(:user) - # create client id and token - client_id = SecureRandom.urlsafe_base64(nil, false) - token = SecureRandom.urlsafe_base64(nil, false) - - # store client + token in user's token hash - @current_user.tokens[client_id] = { - token: BCrypt::Password.create(token), - expiry: (Time.now + 1.day).to_i - } - - # Now we have to pretend like an API user has already logged in. - # (When the user actually logs in, the server will send the user - # - assuming that the user has correctly and successfully logged in - # - four auth headers. We are to then use these headers to access - # things which are typically restricted - # The following assumes that the user has received those headers - # and that they are then using those headers to make a request - - new_auth_header = @current_user.build_auth_header(token, client_id) - - puts "This is the new auth header" - puts "#{new_auth_header}" - - # update response with the header that will be required by the next request - puts "#{response.headers.merge!(new_auth_header)}" + # You need to set up factory bot to use this method + @current_user = FactoryBot.create(:user) + # create client id and token + client_id = SecureRandom.urlsafe_base64(nil, false) + token = SecureRandom.urlsafe_base64(nil, false) + + # store client + token in user's token hash + @current_user.tokens[client_id] = { + token: BCrypt::Password.create(token), + expiry: (Time.now + 1.day).to_i + } + + # Now we have to pretend like an API user has already logged in. + # (When the user actually logs in, the server will send the user + # - assuming that the user has correctly and successfully logged in + # - four auth headers. We are to then use these headers to access + # things which are typically restricted + # The following assumes that the user has received those headers + # and that they are then using those headers to make a request + + new_auth_header = @current_user.build_auth_header(token, client_id) + + puts 'This is the new auth header' + puts new_auth_header.to_s + + # update response with the header that will be required by the next request + puts response.headers.merge!(new_auth_header).to_s end ``` From 17b82be3b59b868527a0742674b9fc2aa5ced31c Mon Sep 17 00:00:00 2001 From: Konstantin Date: Fri, 30 Mar 2018 21:07:02 +0300 Subject: [PATCH 4/4] Change links to https protocol --- docs/config/cors.md | 2 +- docs/config/email_auth.md | 2 +- docs/config/initialization.md | 2 +- docs/config/omniauth.md | 6 +++--- docs/faq.md | 4 ++-- docs/security.md | 4 ++-- docs/usage/controller_methods.md | 4 ++-- docs/usage/multiple_models.md | 4 ++-- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/config/cors.md b/docs/config/cors.md index eb19a6901..ddea7d6e1 100644 --- a/docs/config/cors.md +++ b/docs/config/cors.md @@ -1,6 +1,6 @@ ## CORS -If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this. +If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this. The following **dangerous** example will allow cross domain requests from **any** domain. Make sure to whitelist only the needed domains. diff --git a/docs/config/email_auth.md b/docs/config/email_auth.md index afddc480b..043dc3e0a 100644 --- a/docs/config/email_auth.md +++ b/docs/config/email_auth.md @@ -1,7 +1,7 @@ ## Email authentication If you wish to use email authentication, you must configure your Rails application to send email. [Read here](http://guides.rubyonrails.org/action_mailer_basics.html) for more information. -I recommend using [mailcatcher](http://mailcatcher.me/) for development. +I recommend using [mailcatcher](https://mailcatcher.me/) for development. ##### mailcatcher development example configuration: ~~~ruby diff --git a/docs/config/initialization.md b/docs/config/initialization.md index 0ea40d0ae..8423edb82 100644 --- a/docs/config/initialization.md +++ b/docs/config/initialization.md @@ -27,7 +27,7 @@ Devise.setup do |config| # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash # middleware b/c rails-api does not include it. - # See: http://stackoverflow.com/q/19600905/806956 + # See: https://stackoverflow.com/q/19600905/806956 config.navigational_formats = [:json] end ~~~ diff --git a/docs/config/omniauth.md b/docs/config/omniauth.md index 8f4bff8d2..d6b25dd2a 100644 --- a/docs/config/omniauth.md +++ b/docs/config/omniauth.md @@ -37,7 +37,7 @@ The above example assumes that your provider keys and secrets are stored in envi The "Callback URL" setting that you set with your provider must correspond to the [omniauth prefix](initialization.md) setting defined by this app. **This will be different than the omniauth route that is used by your client application**. -For example, the demo app uses the default `omniauth_prefix` setting `/omniauth`, so the "Authorization callback URL" for github must be set to "http://devise-token-auth-demo.herokuapp.com**/omniauth**/github/callback". +For example, the demo app uses the default `omniauth_prefix` setting `/omniauth`, so the "Authorization callback URL" for github must be set to "https://devise-token-auth-demo.herokuapp.com**/omniauth**/github/callback". **Github example for the demo site**: ![password reset flow](https://github.com/lynndylanhurley/devise_token_auth/raw/master/test/dummy/app/assets/images/omniauth-provider-settings.png) @@ -58,7 +58,7 @@ The client configuration for github should look like this: angular.module('myApp', ['ng-token-auth']) .config(function($authProvider) { $authProvider.configure({ - apiUrl: 'http://api.example.com' + apiUrl: 'https://api.example.com' authProviderPaths: { github: '/auth/github' // <-- note that this is different than what was set with github } @@ -70,7 +70,7 @@ angular.module('myApp', ['ng-token-auth']) ~~~javascript $.auth.configure({ - apiUrl: 'http://api.example.com', + apiUrl: 'https://api.example.com', authProviderPaths: { github: '/auth/github' // <-- note that this is different than what was set with github } diff --git a/docs/faq.md b/docs/faq.md index 8d7de0ad3..d48256be4 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -33,9 +33,9 @@ end Removing the `new` routes will require significant modifications to devise. If the inclusion of the `new` routes is causing your app any problems, post an issue in the issue tracker and it will be addressed ASAP. -### I'm having trouble using this gem alongside [ActiveAdmin](http://activeadmin.info/)... +### I'm having trouble using this gem alongside [ActiveAdmin](https://activeadmin.info/)... -For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. +For some odd reason, [ActiveAdmin](https://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. The solution is to use two separate `ApplicationController` classes - one for your API, and one for ActiveAdmin. Something like this: diff --git a/docs/security.md b/docs/security.md index bedf981e0..a339d6758 100644 --- a/docs/security.md +++ b/docs/security.md @@ -4,12 +4,12 @@ This gem takes the following steps to ensure security. This gem uses auth tokens that are: * [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)), -* [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html), +* [of cryptographic strength](https://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html), * hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text), * securely compared (to protect against timing attacks), * invalidated after 2 weeks (thus requiring users to login again) -These measures were inspired by [this stackoverflow post](http://stackoverflow.com/questions/18605294/is-devises-token-authenticatable-secure). +These measures were inspired by [this stackoverflow post](https://stackoverflow.com/questions/18605294/is-devises-token-authenticatable-secure). This gem further mitigates timing attacks by using [this technique](https://gist.github.com/josevalim/fb706b1e933ef01e4fb6). diff --git a/docs/usage/controller_methods.md b/docs/usage/controller_methods.md index d6a48a49f..85ba353b9 100644 --- a/docs/usage/controller_methods.md +++ b/docs/usage/controller_methods.md @@ -54,7 +54,7 @@ end ### Token Header Format -The authentication information should be included by the client in the headers of each request. The headers follow the [RFC 6750 Bearer Token](http://tools.ietf.org/html/rfc6750) format: +The authentication information should be included by the client in the headers of each request. The headers follow the [RFC 6750 Bearer Token](https://tools.ietf.org/html/rfc6750) format: ##### Authentication headers example: ~~~ @@ -72,6 +72,6 @@ The authentication headers (each one is a seperate header) consists of the follo | **`access-token`** | This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request. | | **`client`** | This enables the use of multiple simultaneous sessions on different clients. (For example, a user may want to be authenticated on both their phone and their laptop at the same time.) | | **`expiry`** | The date at which the current session will expire. This can be used by clients to invalidate expired tokens without the need for an API request. | -| **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). | +| **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](https://codahale.com/a-lesson-in-timing-attacks/). | The authentication headers required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) AngularJS module or the [jToker](https://github.com/lynndylanhurley/j-toker) jQuery plugin, this functionality is already provided. diff --git a/docs/usage/multiple_models.md b/docs/usage/multiple_models.md index 9c1288428..cb06e16ca 100644 --- a/docs/usage/multiple_models.md +++ b/docs/usage/multiple_models.md @@ -2,9 +2,9 @@ ### View Live Multi-User Demos -* [AngularJS](http://ng-token-auth-demo.herokuapp.com/multi-user) +* [AngularJS](https://ng-token-auth-demo.herokuapp.com/multi-user) * [Angular2](https://angular2-token.herokuapp.com) -* [React + jToker](http://j-toker-demo.herokuapp.com/#/alt-user) +* [React + jToker](https://j-toker-demo.herokuapp.com/#/alt-user) This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app: