diff --git a/CHANGELOG.md b/CHANGELOG.md index b6d5e47a..00fef63c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [6.1.1](https://github.com/panva/openid-client/compare/v6.1.0...v6.1.1) (2024-10-18) + + +### Documentation + +* update link to passport example ([110575b](https://github.com/panva/openid-client/commit/110575b11e739b8acba9a241ff9db7c89505860a)) + + +### Fixes + +* correct supportsPKCE bool return ([f1aa9db](https://github.com/panva/openid-client/commit/f1aa9dbf304940061cb5efb350e68381b9887f9d)), closes [#710](https://github.com/panva/openid-client/issues/710) + ## [6.1.0](https://github.com/panva/openid-client/compare/v6.0.0...v6.1.0) (2024-10-17) diff --git a/build/index.d.ts b/build/index.d.ts new file mode 100644 index 00000000..d0b4f740 --- /dev/null +++ b/build/index.d.ts @@ -0,0 +1,1918 @@ +import * as oauth from 'oauth4webapi'; +/** + * @ignore + */ +export type CryptoKey = Extract>, { + type: string; +}>; +export interface CryptoKeyPair { + privateKey: CryptoKey; + publicKey: CryptoKey; +} +export { AuthorizationResponseError, ResponseBodyError, WWWAuthenticateChallengeError, type AuthorizationDetails, type ConfirmationClaims, type DeviceAuthorizationResponse, type ExportedJWKSCache, type GenerateKeyPairOptions, type IDToken, type IntrospectionResponse, type JsonArray, type JsonObject, type JsonPrimitive, type JsonValue, type JWK, type JWKS, type JWSAlgorithm, type ModifyAssertionFunction, type ModifyAssertionOptions, type MTLSEndpointAliases, type PrivateKey, type TokenEndpointResponse, type UserInfoAddress, type UserInfoResponse, type WWWAuthenticateChallenge, type WWWAuthenticateChallengeParameters, } from 'oauth4webapi'; +/** + * Implementation of the Client's Authentication Method at the Authorization + * Server. + * + * The default is {@link ClientSecretPost} if {@link ClientMetadata.client_secret} + * is present, {@link None} otherwise. + * + * Other Client Authentication Methods must be provided explicitly and their + * implementations are linked below. + * + * @see {@link ClientSecretBasic} + * @see {@link ClientSecretJwt} + * @see {@link ClientSecretPost} + * @see {@link None} + * @see {@link PrivateKeyJwt} + * @see {@link TlsClientAuth} + */ +export type ClientAuth = (as: ServerMetadata, client: ClientMetadata, body: URLSearchParams, headers: Headers) => void; +/** + * **`client_secret_post`** uses the HTTP request body to send `client_id` and + * `client_secret` as `application/x-www-form-urlencoded` body parameters + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretPost(clientSecret), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretPost(clientSecret), + * ) + * ``` + * + * @param clientSecret Client Secret + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretPost(clientSecret: string): ClientAuth; +/** + * **`client_secret_basic`** uses the HTTP `Basic` authentication scheme to send + * `client_id` and `client_secret` in an `Authorization` HTTP Header. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretBasic(clientSecret), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretBasic(clientSecret), + * ) + * ``` + * + * @param clientSecret Client Secret + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretBasic(clientSecret: string): ClientAuth; +/** + * **`client_secret_jwt`** uses the HTTP request body to send `client_id`, + * `client_assertion_type`, and `client_assertion` as + * `application/x-www-form-urlencoded` body parameters. HMAC is used for the + * assertion's authenticity and integrity. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretJwt(clientSecret), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * let clientSecret!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.ClientSecretJwt(clientSecret), + * ) + * ``` + * + * @param clientSecret Client Secret + * @param options + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretJwt(clientSecret: string, options?: oauth.ModifyAssertionOptions): ClientAuth; +/** + * **`none`** (public client) uses the HTTP request body to send only + * `client_id` as `application/x-www-form-urlencoded` body parameter. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.None(), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.None(), + * ) + * ``` + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function None(): ClientAuth; +/** + * **`private_key_jwt`** uses the HTTP request body to send `client_id`, + * `client_assertion_type`, and `client_assertion` as + * `application/x-www-form-urlencoded` body parameters. Digital signature is + * used for the assertion's authenticity and integrity. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let key!: client.CryptoKey | client.PrivateKey + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.PrivateKeyJwt(key), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let key!: client.CryptoKey | client.PrivateKey + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.PrivateKeyJwt(key), + * ) + * ``` + * + * @param clientPrivateKey + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function PrivateKeyJwt(clientPrivateKey: CryptoKey | oauth.PrivateKey, options?: oauth.ModifyAssertionOptions): ClientAuth; +/** + * **`tls_client_auth`** uses the HTTP request body to send only `client_id` as + * `application/x-www-form-urlencoded` body parameter and the mTLS key and + * certificate is configured through + * {@link ClientMetadata.use_mtls_endpoint_aliases} and {@link customFetch}. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * + * let clientMetadata = { use_mtls_endpoint_aliases: true } + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * client.TlsClientAuth(), + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * + * let clientMetadata = { use_mtls_endpoint_aliases: true } + * let config = new client.Configuration( + * server, + * clientId, + * clientMetadata, + * client.TlsClientAuth(), + * ) + * ``` + * + * @group Client Authentication Methods + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication (PKI Mutual-TLS Method)](https://www.rfc-editor.org/rfc/rfc8705.html#name-pki-mutual-tls-method) + */ +export declare function TlsClientAuth(): ClientAuth; +/** + * DANGER ZONE - This option has security implications that must be understood, + * assessed for applicability, and accepted before use. + * + * Use this as a value for `state` check state parameter options to skip the + * `state` value check. This should only be done if the `state` parameter value + * used is integrity protected (and its integrity and expiration is checked) and + * bound to the browsing session. One such mechanism to do so is described in an + * I-D + * [draft-bradley-oauth-jwt-encoded-state-09](https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-09). + * + * @deprecated Marked as deprecated only to make it stand out as something you + * shouldn't use unless you've assessed the implications. + */ +export declare const skipStateCheck: typeof oauth.skipStateCheck; +/** + * DANGER ZONE - This option has security implications that must be understood, + * assessed for applicability, and accepted before use. + * + * Use this as a value to {@link fetchUserInfo} `expectedSubject` parameter to + * skip the `sub` claim value check. + * + * @deprecated Marked as deprecated only to make it stand out as something you + * shouldn't use unless you've assessed the implications. + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse) + */ +export declare const skipSubjectCheck: typeof oauth.skipSubjectCheck; +/** + * When set on a {@link Configuration}, this replaces the use of global fetch. As + * a fetch replacement the arguments and expected return are the same as fetch. + * + * In theory any module that claims to be compatible with the + * {@link !fetch Fetch API} can be used but your mileage may vary. No workarounds + * to allow use of non-conform {@link !Response} instances will be considered. + * + * If you only need to update the {@link !Request} properties you do not need to + * use a {@link !fetch Fetch API} module, just change what you need and pass it + * to globalThis.fetch just like this module would normally do. + * + * Its intended use cases are: + * + * - {@link !Request}/{@link !Response} tracing and logging + * - Custom caching strategies + * - Changing the {@link !Request} properties like headers, body, credentials, mode + * before it is passed to fetch + * + * Known caveats: + * + * - Expect Type-related issues when passing the inputs through to fetch-like + * modules, they hardly ever get their typings inline with actual fetch, you + * should `@ts-expect-error` them. + * - Returning self-constructed {@link !Response} instances prohibits + * AS/RS-signalled DPoP Nonce caching. + * + * @example + * + * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and + * its hooks feature for logging outgoing requests and their responses. + * + * ```ts + * import ky from 'ky' + * + * let config!: client.Configuration + * let logRequest!: (request: Request) => void + * let logResponse!: (request: Request, response: Response) => void + * let logRetry!: ( + * request: Request, + * error: Error, + * retryCount: number, + * ) => void + * + * config[client.customFetch] = (...args) => + * ky(args[0], { + * ...args[1], + * hooks: { + * beforeRequest: [ + * (request) => { + * logRequest(request) + * }, + * ], + * beforeRetry: [ + * ({ request, error, retryCount }) => { + * logRetry(request, error, retryCount) + * }, + * ], + * afterResponse: [ + * (request, _, response) => { + * logResponse(request, response) + * }, + * ], + * }, + * }) + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to detect and use + * HTTP proxies. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/EnvHttpProxyAgent + * let envHttpProxyAgent = new undici.EnvHttpProxyAgent() + * + * let config!: client.Configuration + * + * // @ts-ignore + * config[client.customFetch] = (...args) => { + * // @ts-ignore + * return undici.fetch(args[0], { ...args[1], dispatcher: envHttpProxyAgent }) // prettier-ignore + * } + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to automatically + * retry network errors. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/RetryAgent + * let retryAgent = new undici.RetryAgent(new undici.Agent(), { + * statusCodes: [], + * errorCodes: [ + * 'ECONNRESET', + * 'ECONNREFUSED', + * 'ENOTFOUND', + * 'ENETDOWN', + * 'ENETUNREACH', + * 'EHOSTDOWN', + * 'UND_ERR_SOCKET', + * ], + * }) + * + * let config!: client.Configuration + * + * // @ts-ignore + * config[client.customFetch] = (...args) => { + * // @ts-ignore + * return undici.fetch(args[0], { ...args[1], dispatcher: retryAgent }) // prettier-ignore + * } + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in + * tests. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/MockAgent + * let mockAgent = new undici.MockAgent() + * mockAgent.disableNetConnect() + * + * let config!: client.Configuration + * + * // @ts-ignore + * config[client.customFetch] = (...args) => { + * // @ts-ignore + * return undici.fetch(args[0], { ...args[1], dispatcher: mockAgent }) // prettier-ignore + * } + * ``` + */ +export declare const customFetch: typeof oauth.customFetch; +/** + * Use to mutate JWT header and payload before they are signed. Its intended use + * is working around non-conform server behaviours, such as modifying JWT "aud" + * (audience) claims, or otherwise changing fixed claims used by this library. + * + * @example + * + * Changing the `alg: "Ed25519"` back to `alg: "EdDSA"` + * + * ```ts + * let key!: client.CryptoKey | client.PrivateKey + * let config!: client.Configuration + * let parameters!: URLSearchParams + * let keyPair!: client.CryptoKeyPair + * + * let remapEd25519: client.ModifyAssertionOptions = { + * [client.modifyAssertion]: (header) => { + * if (header.alg === 'Ed25519') { + * header.alg = 'EdDSA' + * } + * }, + * } + * + * // For JAR + * client.buildAuthorizationUrlWithJAR( + * config, + * parameters, + * key, + * remapEd25519, + * ) + * + * // For Private Key JWT + * client.PrivateKeyJwt(key, remapEd25519) + * + * // For DPoP + * client.getDPoPHandle(config, keyPair, remapEd25519) + * ``` + */ +export declare const modifyAssertion: typeof oauth.modifyAssertion; +/** + * Use to adjust the assumed current time. Positive and negative finite values + * representing seconds are allowed. Default is `0` (Date.now() + 0 seconds is + * used). + * + * @example + * + * When the local clock is mistakenly 1 hour in the past + * + * ```ts + * let clientMetadata: client.ClientMetadata = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [client.clockSkew]: +(60 * 60), + * } + * ``` + * + * @example + * + * When the local clock is mistakenly 1 hour in the future + * + * ```ts + * let clientMetadata: client.ClientMetadata = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [client.clockSkew]: -(60 * 60), + * } + * ``` + */ +export declare const clockSkew: typeof oauth.clockSkew; +/** + * Use to set allowed clock tolerance when checking DateTime JWT Claims. Only + * positive finite values representing seconds are allowed. Default is `30` (30 + * seconds). + * + * @example + * + * Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf. + * + * ```ts + * let clientMetadata: client.ClientMetadata = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [client.clockTolerance]: 30, + * } + * ``` + */ +export declare const clockTolerance: typeof oauth.clockTolerance; +export type FetchBody = ArrayBuffer | null | ReadableStream | string | Uint8Array | undefined | URLSearchParams; +/** + * DPoP handle to use for requesting a sender-constrained access token. Obtained + * from {@link getDPoPHandle} + * + * @see {@link !DPoP RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)} + */ +export interface DPoPHandle extends oauth.DPoPHandle { +} +/** + * A subset of the [IANA OAuth Client Metadata + * registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata) + * that has an effect on how the Client functions + * + * @group You are probably looking for this + */ +export interface ClientMetadata extends oauth.Client { + /** + * Client secret. + */ + client_secret?: string; + /** + * Indicates the requirement for a client to use mutual TLS endpoint aliases + * indicated by the + * {@link ServerMetadata.mtls_endpoint_aliases Authorization Server Metadata}. + * Default is `false`. + * + * When combined with {@link customFetch} (to use a {@link !fetch Fetch API} + * implementation that supports client certificates) this can be used to + * target security profiles that utilize Mutual-TLS for either client + * authentication or sender constraining. + * + * @example + * + * (Node.js) Using [nodejs/undici](https://github.com/nodejs/undici) for + * Mutual-TLS Client Authentication and Certificate-Bound Access Tokens + * support. + * + * ```ts + * import * as undici from 'undici' + * + * let config!: client.Configuration + * let key!: string // PEM-encoded key + * let cert!: string // PEM-encoded certificate + * + * let agent = new undici.Agent({ connect: { key, cert } }) + * + * config[client.customFetch] = (...args) => + * // @ts-expect-error + * undici.fetch(args[0], { ...args[1], dispatcher: agent }) + * ``` + * + * @example + * + * (Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication + * and Certificate-Bound Access Tokens support. + * + * ```ts + * let config!: client.Configuration + * let key!: string // PEM-encoded key + * let cert!: string // PEM-encoded certificate + * + * // @ts-expect-error + * let agent = Deno.createHttpClient({ key, cert }) + * + * config[client.customFetch] = (...args) => + * // @ts-expect-error + * fetch(args[0], { ...args[1], client: agent }) + * ``` + * + * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html) + */ + use_mtls_endpoint_aliases?: boolean; +} +/** + * Authorization Server Metadata + * + * @group You are probably looking for this + * + * @see [IANA OAuth Authorization Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata) + */ +export interface ServerMetadata extends oauth.AuthorizationServer { +} +/** + * Calculates the PKCE `code_challenge` value to send with an authorization + * request using the S256 PKCE Code Challenge Method transformation + * + * @param codeVerifier `code_verifier` value generated e.g. from + * {@link randomPKCECodeVerifier} + * + * @returns S256 `code_challenge` value calculated from a provided + * `code_verifier` + * + * @group PKCE + * @group Authorization Request + */ +export declare function calculatePKCECodeChallenge(codeVerifier: string): Promise; +/** + * @returns Random `code_verifier` value + * + * @group PKCE + */ +export declare function randomPKCECodeVerifier(): string; +/** + * @returns Random `nonce` value + * + * @group Authorization Request + */ +export declare function randomNonce(): string; +/** + * @returns Random `state` value + * + * @group Authorization Request + */ +export declare function randomState(): string; +/** + * @group Errors + */ +export declare class ClientError extends Error { + code?: string; +} +/** + * Generates random {@link CryptoKeyPair} to sign DPoP Proof JWTs with + * + * @param alg One of the supported {@link JWSAlgorithm JWS Algorithm} + * identifiers. Default is `ES256`. + * @param options + * + * @group DPoP + * + * @see {@link !DPoP} + */ +export declare function randomDPoPKeyPair(alg?: string, options?: oauth.GenerateKeyPairOptions): Promise; +export interface DiscoveryRequestOptions { + /** + * Custom {@link !fetch Fetch API} implementation to use for the HTTP Requests + * the client will be making. + * + * @see {@link customFetch} + */ + [customFetch]?: CustomFetch; + /** + * The issuer transformation algorithm to use. Default is `oidc`. + * + * Note: This has no effect if the first argument is a URL with a pathname + * containing `/.well-known/`. + * + * @example + * + * ```txt + * Given the Issuer Identifier is https://example.com + * oidc => https://example.com/.well-known/openid-configuration + * oauth => https://example.com/.well-known/oauth-authorization-server + * + * Given the Issuer Identifier is https://example.com/pathname + * oidc => https://example.com/pathname/.well-known/openid-configuration + * oauth => https://example.com/.well-known/oauth-authorization-server/pathname + * ``` + * + * @see {@link https://openid.net/specs/openid-connect-discovery-1_0.html OpenID Connect Discovery 1.0 (oidc)} + * @see {@link https://www.rfc-editor.org/rfc/rfc8414.html RFC8414 - OAuth 2.0 Authorization Server Metadata (oauth)} + */ + algorithm?: 'oidc' | 'oauth2'; + /** + * Methods (available list linked below) to execute with the + * {@link Configuration} instance as argument after it is instantiated + * + * Note: Presence of {@link allowInsecureRequests} in this option also enables + * the use of insecure HTTP requests for the Authorization Server Metadata + * discovery request itself. + * + * @example + * + * Disable the HTTPS-only restriction for the discovery call and subsequently + * for all requests made with the resulting {@link Configuration} instance. + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: + * | Partial + * | undefined + * | string + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [client.allowInsecureRequests], + * }, + * ) + * ``` + * + * @see {@link allowInsecureRequests} + * @see {@link enableNonRepudiationChecks} + * @see {@link useCodeIdTokenResponseType} + * @see {@link enableDetachedSignatureResponseChecks} + * @see {@link useJwtResponseMode} + */ + execute?: Array<(config: Configuration) => void>; + /** + * Timeout (in seconds) for the Authorization Server Metadata discovery. If + * this option is used, then the same timeout value will be assigned to the + * resolved {@link Configuration} instance for use with all its future + * individual HTTP requests. Default is `30` (seconds) + */ + timeout?: number; +} +/** + * Performs Authorization Server Metadata discovery and returns a + * {@link Configuration} with the discovered + * {@link ServerMetadata Authorization Server} metadata. + * + * This is the RECOMMENDED method of client configuration. + * + * This has the same effect as calling the {@link Configuration} constructor + * except that the server metadata is discovered from its own Authorization + * Server Metadata discovery document. + * + * @param server URL representation of the Authorization Server's Issuer + * Identifier + * @param clientId Client Identifier at the Authorization Server + * @param metadata Client Metadata, when a string is passed in it is a shorthand + * for passing just {@link ClientMetadata.client_secret} + * @param options + * + * @group OpenID Connect 1.0 + * @group Configuration + * @group You are probably looking for this + */ +export declare function discovery(server: URL, clientId: string, metadata?: Partial | string, clientAuthentication?: ClientAuth, options?: DiscoveryRequestOptions): Promise; +export interface DecryptionKey { + /** + * An asymmetric private CryptoKey. Its algorithm must be compatible with a + * supported JWE Key Management Algorithm Identifier + */ + key: CryptoKey; + /** + * The key's JWE Key Management Algorithm Identifier, this can be used to + * limit ECDH and X25519 keys to only a specified ECDH-ES* JWE Key Management + * Algorithm (The other (RSA) keys have a JWE Key Management Algorithm + * Identifier fully specified by their CryptoKey algorithm). + */ + alg?: string; + /** + * The key's JWK Key ID. + */ + kid?: string; +} +/** + * Enables the client to process encrypted ID Tokens, encrypted JWT UserInfo + * responses, and encrypted JWT Introspection responses. Multiple private keys + * may be provided for the decryption key selection process but only a single + * one must match the process. + * + * The following JWE Key Management Algorithms are supported + * + * - ECDH-ES + * - ECDH-ES+A128KW + * - ECDH-ES+A192KW + * - ECDH-ES+A256KW + * - RSA-OAEP + * - RSA-OAEP-256 + * - RSA-OAEP-384 + * - RSA-OAEP-512 + * + * Note: ECDH algorithms only allow P-256 or X25519 key curve to be used + * + * The following JWE Content Encryption Algorithms are supported + * + * - A128GCM + * - A192GCM + * - A256GCM + * - A128CBC-HS256 + * - A192CBC-HS384 + * - A256CBC-HS512 + * + * @example + * + * ```ts + * let key!: client.CryptoKey | client.DecryptionKey + * let config!: client.Configuration + * + * client.enableDecryptingResponses(config, ['A128CBC-HS256'], key) + * ``` + * + * @param contentEncryptionAlgorithms An allow list for JWE Content Encryption + * Algorithms identifiers + * @param keys Keys to enable decrypting assertions with + * + * @group Advanced Configuration + */ +export declare function enableDecryptingResponses(config: Configuration, contentEncryptionAlgorithms?: string[], ...keys: Array): void; +export interface ServerMetadataHelpers { + /** + * Determines whether the Authorization Server supports a given Code Challenge + * Method + * + * @param method Code Challenge Method. Default is `S256` + */ + supportsPKCE(method?: string): boolean; +} +/** + * Public methods available on a {@link Configuration} instance + */ +export interface ConfigurationMethods { + /** + * Used to retrieve the Authorization Server Metadata + */ + serverMetadata(): Readonly & ServerMetadataHelpers; +} +/** + * @see {@link customFetch} + */ +export type CustomFetch = ( +/** + * URL the request is being made sent to {@link !fetch} as the `resource` + * argument + */ +url: string, +/** + * Options otherwise sent to {@link !fetch} as the `options` argument + */ +options: { + /** + * The request body content to send to the server + */ + body: FetchBody; + /** + * HTTP Headers + */ + headers: Record; + /** + * The + * {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods request method} + */ + method: string; + /** + * See {@link !Request.redirect} + */ + redirect: 'manual'; + /** + * An AbortSignal configured as per the + * {@link ConfigurationProperties.timeout} value + */ + signal?: AbortSignal; +}) => Promise; +/** + * Public properties available on a {@link Configuration} instance + */ +export interface ConfigurationProperties { + /** + * Custom {@link !fetch Fetch API} implementation to use for the HTTP Requests + * the client will be making. + * + * @see {@link customFetch} + */ + [customFetch]?: CustomFetch; + /** + * Timeout (in seconds) for the HTTP Requests the client will be making. + * Default is `30` (seconds) + */ + timeout?: number; +} +/** + * Configuration is an abstraction over the + * {@link ServerMetadata OAuth 2.0 Authorization Server metadata} and + * {@link ClientMetadata OAuth 2.0 Client metadata} + * + * Configuration instances are obtained either through + * + * - (RECOMMENDED) the {@link discovery} function that discovers the + * {@link ServerMetadata OAuth 2.0 Authorization Server metadata} using the + * Authorization Server's Issuer Identifier, or + * - The {@link Configuration} constructor if the + * {@link ServerMetadata OAuth 2.0 Authorization Server metadata} is known + * upfront + * + * @example + * + * (RECOMMENDED) Setting up a Configuration with a Server Metadata discovery + * step + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientSecret!: string | undefined + * + * let config = await client.discovery(server, clientId, clientSecret) + * ``` + * + * @example + * + * Setting up a Configuration with a constructor + * + * ```ts + * let server!: client.ServerMetadata + * let clientId!: string + * let clientSecret!: string | undefined + * + * let config = new client.Configuration(server, clientId, clientSecret) + * ``` + * + * @group Configuration + */ +export declare class Configuration implements ConfigurationMethods, ConfigurationProperties { + /** + * @param server Authorization Server Metadata + * @param clientId Client Identifier at the Authorization Server + * @param metadata Client Metadata, when a string is passed in it is a + * shorthand for passing just {@link ClientMetadata.client_secret}. + * @param clientAuthentication Implementation of the Client's Authentication + * Method at the Authorization Server. + */ + constructor(server: ServerMetadata, clientId: string, metadata?: Partial | string, clientAuthentication?: ClientAuth); + /** + * @ignore + */ + serverMetadata(): Readonly & ServerMetadataHelpers; + /** + * @ignore + */ + get timeout(): number | undefined; + /** + * @ignore + */ + set timeout(value: number | undefined); + /** + * @ignore + */ + get [customFetch](): CustomFetch | undefined; + /** + * @ignore + */ + set [customFetch](value: CustomFetch); +} +/** + * Helpers attached to any resolved {@link TokenEndpointResponse} + */ +export interface TokenEndpointResponseHelpers { + /** + * Returns the parsed JWT Claims Set of an + * {@link TokenEndpointResponse.id_token id_token} returned by the + * authorization server + * + * Note: Returns `undefined` when + * {@link TokenEndpointResponse.expires_in expires_in} was not returned by the + * authorization server + */ + claims(): oauth.IDToken | undefined; + /** + * Returns the number of seconds until the + * {@link TokenEndpointResponse.access_token access_token} expires + * + * Note: Returns `0` when already expired + * + * Note: Returns `undefined` when + * {@link TokenEndpointResponse.expires_in expires_in} was not returned by the + * authorization server + */ + expiresIn(): number | undefined; +} +/** + * Returns a wrapper / handle around a public/private key pair that is used for + * negotiating and proving proof-of-possession to sender-constrain OAuth 2.0 + * tokens via {@link !DPoP} at the Authorization Server and Resource Server. + * + * Support for {@link !DPoP} at the authorization is indicated by + * {@link ServerMetadata.dpop_signing_alg_values_supported}. Whether the + * authorization server ends up sender-constraining the access token is at the + * server's discretion. When an access token is sender-constrained then the + * resulting + * {@link TokenEndpointResponse.token_type `token_type` will be `dpop`}. + * + * This wrapper / handle also keeps track of server-issued nonces, allowing this + * module to automatically retry requests with a fresh nonce when the server + * indicates the need to use one. + * + * Note: Public Clients that use DPoP will also get their Refresh Token + * sender-constrained, this binding is not indicated in the response. + * + * @param keyPair {@link CryptoKeyPair} to sign the DPoP Proof JWT, + * {@link randomDPoPKeyPair} may be used to generate it + * + * @group DPoP + * + * @see {@link !DPoP RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)} + */ +export declare function getDPoPHandle(config: Configuration, keyPair: CryptoKeyPair, options?: oauth.ModifyAssertionOptions): DPoPHandle; +export interface DeviceAutorizationGrantPollOptions extends DPoPOptions { + /** + * AbortSignal to abort polling. Default is that the operation will time out + * after the indicated expires_in property returned by the server in + * {@link initiateDeviceAuthorization} + */ + signal?: AbortSignal; +} +/** + * Continuously polls the {@link ServerMetadata.token_endpoint token endpoint} + * until the end-user finishes the {@link !"Device Authorization Grant"} process + * on their secondary device + * + * Note: + * {@link ServerMetadata.token_endpoint URL of the authorization server's token endpoint} + * must be configured. + * + * @example + * + * ```ts + * let config!: client.Configuration + * let scope!: string + * + * let deviceAuthorizationResponse = + * await client.initiateDeviceAuthorization(config, { scope }) + * + * let { user_code, verification_uri, verification_uri_complete } = + * deviceAuthorizationResponse + * + * console.log({ user_code, verification_uri, verification_uri_complete }) + * + * let tokenEndpointResponse = await client.pollDeviceAuthorizationGrant( + * config, + * deviceAuthorizationResponse, + * ) + * ``` + * + * @param deviceAuthorizationResponse Device Authorization Response obtained + * from {@link initiateDeviceAuthorization} + * @param parameters Additional parameters that will be sent to the token + * endpoint, typically used for parameters such as `scope` and a `resource` + * ({@link !"Resource Indicators" Resource Indicator}) + * + * @group Grants + */ +export declare function pollDeviceAuthorizationGrant(config: Configuration, deviceAuthorizationResponse: oauth.DeviceAuthorizationResponse, parameters?: URLSearchParams | Record, options?: DeviceAutorizationGrantPollOptions): Promise; +/** + * Initiates a {@link !"Device Authorization Grant"} using parameters from the + * `parameters` argument. + * + * Note: + * {@link ServerMetadata.device_authorization_endpoint URL of the authorization server's device authorization endpoint} + * must be configured. + * + * @example + * + * ```ts + * let config!: client.Configuration + * let scope!: string + * + * let deviceAuthorizationResponse = + * await client.initiateDeviceAuthorization(config, { scope }) + * + * let { user_code, verification_uri, verification_uri_complete } = + * deviceAuthorizationResponse + * + * console.log({ user_code, verification_uri, verification_uri_complete }) + * ``` + * + * @param parameters Authorization request parameters that will be sent to the + * device authorization endpoint + * + * @group Grants + */ +export declare function initiateDeviceAuthorization(config: Configuration, parameters: URLSearchParams | Record): Promise; +export interface AuthorizationCodeGrantOptions extends DPoPOptions { +} +/** + * By default the module only allows interactions with HTTPS endpoints. This + * removes that restriction. + * + * @deprecated Marked as deprecated only to make it stand out as something you + * shouldn't have the need to use, possibly only for local development and + * testing against non-TLS secured environments. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} to also + * disable its HTTPS-only restriction. + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [client.allowInsecureRequests], + * }, + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let config!: client.Configuration + * + * client.allowInsecureRequests(config) + * ``` + * + * @group Advanced Configuration + */ +export declare function allowInsecureRequests(config: Configuration): void; +/** + * DANGER ZONE - Use of this function has security implications that must be + * understood, assessed for applicability, and accepted before use. It is + * critical that the JSON Web Key Set cache only be writable by your own code. + * + * This option is intended for cloud computing runtimes that cannot keep an in + * memory cache between their code's invocations. Use in runtimes where an in + * memory cache between requests is available is not desirable. + * + * @param jwksCache JWKS Cache previously obtained from {@link getJwksCache} + * + * @group Advanced Configuration + */ +export declare function setJwksCache(config: Configuration, jwksCache: oauth.ExportedJWKSCache): void; +/** + * This function can be used to export the JSON Web Key Set and the timestamp at + * which it was last fetched if the client used the + * {@link ServerMetadata.jwks_uri authorization server's JWK Set} to validate + * digital signatures. + * + * This function is intended for cloud computing runtimes that cannot keep an in + * memory cache between their code's invocations. Use in runtimes where an in + * memory cache between requests is available is not desirable. + * + * Note: the client only uses the authorization server's JWK Set when + * {@link enableNonRepudiationChecks}, {@link useJwtResponseMode}, or + * {@link useCodeIdTokenResponseType} is used. + * + * @group Advanced Configuration + */ +export declare function getJwksCache(config: Configuration): oauth.ExportedJWKSCache | undefined; +/** + * Enables validating the JWS Signature of either a JWT {@link !Response.body} or + * {@link TokenEndpointResponse.id_token} of a processed {@link !Response} such as + * JWT UserInfo or JWT Introspection responses. + * + * Note: Validating signatures of JWTs received via direct communication between + * the client and a TLS-secured endpoint (which it is here) is not mandatory + * since the TLS server validation is used to validate the issuer instead of + * checking the token signature. You only need to use this method for + * non-repudiation purposes. + * + * Note: + * {@link ServerMetadata.jwks_uri URL of the authorization server's JWK Set document} + * must be configured. + * + * Note: Supports only digital signatures using + * {@link JWSAlgorithm these supported JWS Algorithms}. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} to also + * disable the its HTTPS-only restriction. + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [client.enableNonRepudiationChecks], + * }, + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let config!: client.Configuration + * + * client.enableNonRepudiationChecks(config) + * ``` + * + * @group Advanced Configuration + */ +export declare function enableNonRepudiationChecks(config: Configuration): void; +/** + * This changes the `response_mode` used by the client to be `jwt` and expects + * the authorization server response passed to {@link authorizationCodeGrant} to + * be one described by {@link !JARM}. + * + * Note: + * {@link ServerMetadata.jwks_uri URL of the authorization server's JWK Set document} + * must be configured. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [client.useJwtResponseMode], + * }, + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let config!: client.Configuration + * + * client.useJwtResponseMode(config) + * ``` + * + * @group Advanced Configuration + * + * @see {@link !JARM} + */ +export declare function useJwtResponseMode(config: Configuration): void; +/** + * This builds on top of {@link useCodeIdTokenResponseType} and enables the + * response to be validated as per the + * {@link https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature FAPI 1.0 Advanced profile}. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [ + * client.useCodeIdTokenResponseType, + * client.enableDetachedSignatureResponseChecks, + * ], + * }, + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let config!: client.Configuration + * + * client.useCodeIdTokenResponseType(config) + * client.enableDetachedSignatureResponseChecks(config) + * ``` + * + * @group Advanced Configuration + * + * @see {@link https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature ID Token as Detached Signature} + */ +export declare function enableDetachedSignatureResponseChecks(config: Configuration): void; +/** + * This changes the `response_type` used by the client to be `code id_token` and + * expects the authorization server response passed to + * {@link authorizationCodeGrant} to be one described by + * {@link https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth OpenID Connect 1.0 Hybrid Flow}. + * + * Note: + * {@link ServerMetadata.jwks_uri URL of the authorization server's JWK Set document} + * must be configured. + * + * @example + * + * Usage with a {@link Configuration} obtained through {@link discovery} + * + * ```ts + * let server!: URL + * let clientId!: string + * let clientMetadata!: Partial | string | undefined + * let clientAuth!: client.ClientAuth | undefined + * + * let config = await client.discovery( + * server, + * clientId, + * clientMetadata, + * clientAuth, + * { + * execute: [client.useCodeIdTokenResponseType], + * }, + * ) + * ``` + * + * @example + * + * Usage with a {@link Configuration} instance + * + * ```ts + * let config!: client.Configuration + * + * client.useCodeIdTokenResponseType(config) + * ``` + * + * @group Advanced Configuration + * + * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth OpenID Connect 1.0 Hybrid Flow} + */ +export declare function useCodeIdTokenResponseType(config: Configuration): void; +export interface AuthorizationCodeGrantChecks { + /** + * Expected value of the `nonce` ID Token claim. This value must match + * exactly. When `undefined` the expectation is that there is no `nonce` in + * the ID Token (i.e. also `undefined`). + * + * Using this option also means that an ID Token must be part of the response. + */ + expectedNonce?: string; + /** + * Expected value of the `state` authorization response parameter. This value + * must match exactly. When `undefined` the expectation is that there is no + * `state` in the authorization response. + */ + expectedState?: string | typeof skipStateCheck; + /** + * Use this to have the client assert that an ID Token is returned by the + * Authorization Server. + * + * Note: When `expectedNonce` or `maxAge` is used this has no effect. + */ + idTokenExpected?: boolean; + /** + * ID Token {@link IDToken.auth_time `auth_time`} claim value will be checked + * to be present and conform to this `maxAge` value. Use of this option is + * required if you sent a `max_age` parameter in the authorization request. + * Default is {@link ClientMetadata.default_max_age } and falls back to not + * checking the claim's value beyond it being a number when present. + */ + maxAge?: number; + /** + * When PKCE is used this is the `code_verifier` that will be sent to the + * {@link ServerMetadata.token_endpoint token endpoint}. + */ + pkceCodeVerifier?: string; +} +/** + * This method validates the authorization response and then executes the + * {@link !"Authorization Code Grant"} at the Authorization Server's + * {@link ServerMetadata.token_endpoint token endpoint} to obtain an access + * token. ID Token and Refresh Token are also optionally issued by the server. + * + * Note: + * {@link ServerMetadata.token_endpoint URL of the authorization server's token endpoint} + * must be configured. + * + * @example + * + * ```ts + * let config!: client.Configuration + * let getCodeVerifierFromSession!: (...args: any) => string + * let getCurrentUrl!: (...args: any) => URL + * + * let tokens = await client.authorizationCodeGrant( + * config, + * getCurrentUrl(), + * { + * pkceCodeVerifier: getCodeVerifierFromSession(), + * }, + * ) + * ``` + * + * @param currentUrl Current {@link !URL} the Authorization Server provided an + * Authorization Response to or a {@link !Request}, the + * {@link !"Authorization Code Grant"} parameters are extracted from this. + * @param checks CSRF Protection checks like PKCE, expected state, or expected + * nonce + * @param parameters Additional parameters that will be sent to the token + * endpoint, typically used for parameters such as `resource` + * ({@link !"Resource Indicators" Resource Indicator}) in cases where multiple + * resource indicators were requested but the authorization server only + * supports issuing an access token with a single audience + * + * @group OpenID Connect 1.0 + * @group Grants + * @group PKCE + * @group You are probably looking for this + */ +export declare function authorizationCodeGrant(config: Configuration, currentUrl: URL | Request, checks?: AuthorizationCodeGrantChecks, parameters?: URLSearchParams | Record, options?: AuthorizationCodeGrantOptions): Promise; +/** + * Performs an OAuth 2.0 {@link !"Refresh Token Grant"} at the Authorization + * Server's {@link ServerMetadata.token_endpoint token endpoint} using parameters + * from the `parameters` argument, allowing a client to obtain a new access + * token using a valid refresh token. + * + * Note: + * {@link ServerMetadata.token_endpoint URL of the authorization server's token endpoint} + * must be configured. + * + * @example + * + * Requesting a new Access Token using the {@link !"Refresh Token Grant"} with a + * `scope` and a `resource` ({@link !"Resource Indicators" Resource Indicator}) + * parameters. + * + * ```ts + * let config!: client.Configuration + * let refreshToken!: string + * let scope!: string + * let resource!: string + * + * let tokenEndpointResponse = await client.refreshTokenGrant( + * config, + * refreshToken, + * { + * scope, + * resource, + * }, + * ) + * ``` + * + * @param refreshToken OAuth 2.0 Refresh Token provided by the authorization + * server that is used to obtain a new access token. + * @param parameters Additional parameters that will be sent to the token + * endpoint, typically used for parameters such as `scope` and a `resource` + * ({@link !"Resource Indicators" Resource Indicator}) + * + * @group Grants + */ +export declare function refreshTokenGrant(config: Configuration, refreshToken: string, parameters?: URLSearchParams | Record, options?: DPoPOptions): Promise; +/** + * Performs an OAuth 2.0 {@link !"Client Credentials Grant"} at the Authorization + * Server's {@link ServerMetadata.token_endpoint token endpoint} using parameters + * from the `parameters` argument + * + * Note: + * {@link ServerMetadata.token_endpoint URL of the authorization server's token endpoint} + * must be configured. + * + * @example + * + * Requesting an Access Token using the {@link !"Client Credentials Grant"} with + * a `scope` and a `resource` ({@link !"Resource Indicators" Resource Indicator}) + * parameters. + * + * ```ts + * let config!: client.Configuration + * let scope!: string + * let resource!: string + * + * let tokenEndpointResponse = await client.clientCredentialsGrant(config, { + * scope, + * resource, + * }) + * ``` + * + * @param parameters Additional parameters that will be sent to the token + * endpoint, typically used for parameters such as `scope` and a `resource` + * ({@link !"Resource Indicators" Resource Indicator}) + * + * @group Grants + */ +export declare function clientCredentialsGrant(config: Configuration, parameters?: URLSearchParams | Record, options?: DPoPOptions): Promise; +/** + * Returns a URL to redirect the user-agent to to request authorization at the + * Authorization Server + * + * Note: + * {@link ServerMetadata.authorization_endpoint URL of the authorization server's authorization endpoint} + * must be configured. + * + * @example + * + * ```ts + * let config!: client.Configuration + * let redirect_uri!: string + * let scope!: string + * + * // these must be unique for every single authorization request + * let code_verifier = client.randomPKCECodeVerifier() + * let code_challenge = + * await client.calculatePKCECodeChallenge(code_verifier) + * + * let redirectTo = client.buildAuthorizationUrl(config, { + * redirect_uri, + * scope, + * code_challenge, + * code_challenge_method: 'S256', + * }) + * // redirect now + * ``` + * + * @param parameters Authorization request parameters that will be sent to PAR + * + * @returns {@link !URL} Instance with {@link !URL.searchParams} including + * `client_id`, `response_type`, and all parameters from the `parameters` + * argument + * + * @group Authorization Request + * @group You are probably looking for this + */ +export declare function buildAuthorizationUrl(config: Configuration, parameters: URLSearchParams | Record): URL; +/** + * Returns a URL to redirect the user-agent to to request authorization at the + * Authorization Server with a prior step of using {@link !JAR} + * + * Note: + * {@link ServerMetadata.authorization_endpoint URL of the authorization server's authorization endpoint} + * must be configured. + * + * @example + * + * Using {@link !JAR} + * + * ```ts + * let config!: client.Configuration + * let redirect_uri!: string + * let scope!: string + * let key!: client.CryptoKey + * + * // these must be unique for every single authorization request + * let code_verifier = client.randomPKCECodeVerifier() + * let code_challenge = + * await client.calculatePKCECodeChallenge(code_verifier) + * + * let redirectTo = await client.buildAuthorizationUrlWithJAR( + * config, + * { + * redirect_uri, + * scope, + * code_challenge, + * code_challenge_method: 'S256', + * }, + * key, + * ) + * // redirect now + * ``` + * + * @example + * + * Using {@link !JAR} and {@link !PAR} together + * + * ```ts + * let config!: client.Configuration + * let redirect_uri!: string + * let scope!: string + * let key!: client.CryptoKey + * + * // these must be unique for every single authorization request + * let code_verifier = client.randomPKCECodeVerifier() + * let code_challenge = + * await client.calculatePKCECodeChallenge(code_verifier) + * + * let { searchParams: params } = await client.buildAuthorizationUrlWithJAR( + * config, + * { + * redirect_uri, + * scope, + * code_challenge, + * code_challenge_method: 'S256', + * }, + * key, + * ) + * + * let redirectTo = await client.buildAuthorizationUrlWithPAR( + * config, + * params, + * ) + * // redirect now + * ``` + * + * @param parameters Authorization request parameters that will be encoded in a + * {@link !JAR} Request Object + * @param signingKey Key to sign the JAR Request Object with. + * + * @returns {@link !URL} Instance with {@link !URL.searchParams} including + * `client_id` and `request` + * + * @group Authorization Request + */ +export declare function buildAuthorizationUrlWithJAR(config: Configuration, parameters: URLSearchParams | Record, +/** + * Key to sign the JAR Request Object with. + */ +signingKey: CryptoKey | oauth.PrivateKey, options?: oauth.ModifyAssertionOptions): Promise; +/** + * Returns a URL to redirect the user-agent to to request authorization at the + * Authorization Server with a prior step of using {@link !PAR} + * + * Note: + * {@link ServerMetadata.authorization_endpoint URL of the authorization server's authorization endpoint} + * must be configured. + * + * Note: + * {@link ServerMetadata.pushed_authorization_request_endpoint URL of the authorization server's pushed authorization request endpoint} + * must be configured. + * + * @example + * + * Using {@link !PAR} + * + * ```ts + * let config!: client.Configuration + * let redirect_uri!: string + * let scope!: string + * + * // these must be unique for every single authorization request + * let code_verifier = client.randomPKCECodeVerifier() + * let code_challenge = + * await client.calculatePKCECodeChallenge(code_verifier) + * + * let redirectTo = await client.buildAuthorizationUrlWithPAR(config, { + * redirect_uri, + * scope, + * code_challenge, + * code_challenge_method: 'S256', + * }) + * // redirect now + * ``` + * + * @example + * + * Using {@link !JAR} and {@link !PAR} together + * + * ```ts + * let config!: client.Configuration + * let redirect_uri!: string + * let scope!: string + * let key!: client.CryptoKey + * + * // these must be unique for every single authorization request + * let code_verifier = client.randomPKCECodeVerifier() + * let code_challenge = + * await client.calculatePKCECodeChallenge(code_verifier) + * + * let { searchParams: params } = await client.buildAuthorizationUrlWithJAR( + * config, + * { + * redirect_uri, + * scope, + * code_challenge, + * code_challenge_method: 'S256', + * }, + * key, + * ) + * + * let redirectTo = await client.buildAuthorizationUrlWithPAR( + * config, + * params, + * ) + * // redirect now + * ``` + * + * @param parameters Authorization request parameters that will be sent to + * {@link !PAR} + * + * @returns {@link !URL} Instance with {@link !URL.searchParams} including + * `client_id` and `request_uri`. + * + * @group Authorization Request + */ +export declare function buildAuthorizationUrlWithPAR(config: Configuration, parameters: URLSearchParams | Record, options?: DPoPOptions): Promise; +/** + * Returns a URL to redirect the user-agent to after they log out to trigger + * {@link https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout RP-Initiated Logout} + * at the Authorization Server. + * + * Note: + * {@link ServerMetadata.end_session_endpoint URL of the authorization server's end session endpoint} + * must be configured. + * + * @example + * + * ```ts + * let config!: client.Configuration + * let post_logout_redirect_uri!: string + * let id_token!: string + * + * let redirectTo = client.buildEndSessionUrl(config, { + * post_logout_redirect_uri, + * id_token_hint: id_token, + * }) + * // redirect now + * ``` + * + * @param parameters Logout endpoint parameters + * + * @returns {@link !URL} Instance with {@link !URL.searchParams} including + * `client_id` and all parameters from the `parameters` argument + * + * @group OpenID Connect 1.0 + */ +export declare function buildEndSessionUrl(config: Configuration, parameters?: URLSearchParams | Record): URL; +/** + * Performs a UserInfo Request at the + * {@link ServerMetadata.userinfo_endpoint userinfo endpoint} and returns the + * parsed UserInfo claims from either its JSON or JWT response. + * + * Authorization Header is used to transmit the Access Token value. No other + * Access Token means of transport are supported. + * + * Note: + * {@link ServerMetadata.userinfo_endpoint URL of authorization server's UserInfo endpoint} + * must be configured. + * + * @param accessToken OAuth 2.0 Access Token + * @param expectedSubject Expected `sub` claim value. In response to OpenID + * Connect authentication requests, the expected subject is the one from the + * ID Token claims retrieved from {@link TokenEndpointResponseHelpers.claims} + * which is available on all returned Token Endpoint responses. + * + * @group OpenID Connect 1.0 + * @group Protected Resource Requests + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) + */ +export declare function fetchUserInfo(config: Configuration, accessToken: string, expectedSubject: string | typeof skipSubjectCheck, options?: DPoPOptions): Promise; +/** + * Queries the + * {@link ServerMetadata.introspection_endpoint token introspection endpoint} to + * obtain the status and metadata of a given token. The range of metadata + * returned is at the discretion of the authorization server. + * + * Note: + * {@link ServerMetadata.introspection_endpoint URL of the authorization server's token introspection endpoint} + * must be configured. + * + * @param token OAuth 2.0 token (either access token or refresh token) that is + * being introspected + * @param parameters Additional parameters to be included in the introspection + * request body, such as `token_type_hint` + * @param token + * @param parameters + * + * @group Token Management + * + * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2) + * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-4) + */ +export declare function tokenIntrospection(config: Configuration, token: string, parameters?: URLSearchParams | Record): Promise; +export interface DPoPOptions { + /** + * DPoP handle to use for requesting a sender-constrained access token. + * Obtained from {@link getDPoPHandle} + * + * @see {@link !DPoP RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)} + */ + DPoP?: DPoPHandle; +} +/** + * Performs any Grant request at the + * {@link ServerMetadata.token_endpoint token endpoint}. The purpose is to be + * able to execute grant requests such as Token Exchange Grant, JWT Bearer Token + * Grant, SAML 2.0 Bearer Assertion Grant, or any other grant. + * + * Note: + * {@link ServerMetadata.token_endpoint URL of the authorization server's token endpoint} + * must be configured. + * + * @example + * + * Requesting an Access Token using the JWT Bearer Token Grant + * + * ```ts + * let config!: client.Configuration + * let scope!: string + * let resource!: string + * let assertion!: string + * + * let tokenEndpointResponse = await client.genericGrantRequest( + * config, + * 'urn:ietf:params:oauth:grant-type:jwt-bearer', + * { scope, resource, assertion }, + * ) + * ``` + * + * @param grantType Grant Type + * @param parameters Parameters required by the given grant type to send to the + * {@link ServerMetadata.token_endpoint token endpoint} + * + * @group Grants + * + * @see {@link https://www.rfc-editor.org/rfc/rfc8693.html Token Exchange Grant} + * @see {@link https://www.rfc-editor.org/rfc/rfc7523.html#section-2.1 JWT Bearer Token Grant} + * @see {@link https://www.rfc-editor.org/rfc/rfc7522.html#section-2.1 SAML 2.0 Bearer Assertion Grant} + */ +export declare function genericGrantRequest(config: Configuration, grantType: string, parameters: URLSearchParams | Record, options?: DPoPOptions): Promise; +/** + * Attempts revocation of an OAuth 2.0 token by making a request to the + * {@link ServerMetadata.revocation_endpoint token revocation endpoint}. Whether + * the token gets revoked, and the effect of that revocation is at the + * discretion of the authorization server. + * + * Note: + * {@link ServerMetadata.revocation_endpoint URL of the authorization server's token revocation endpoint} + * must be configured. + * + * @param token OAuth 2.0 token (either access token or refresh token) that is + * being revoked + * @param parameters Additional parameters to be included in the revocation + * request body, such as `token_type_hint` + * + * @group Token Management + * + * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2) + */ +export declare function tokenRevocation(config: Configuration, token: string, parameters?: URLSearchParams | Record): Promise; +/** + * Performs an arbitrary Protected Resource resource. + * + * Authorization Header is used to transmit the Access Token value. No other + * Access Token means of transport are supported. + * + * @param accessToken OAuth 2.0 Access Token + * @param url URL to send the request to + * @param method HTTP Request method to use for the request + * @param body HTTP Request body to send in the request + * @param headers HTTP Request headers to add to the request + * + * @group Protected Resource Requests + */ +export declare function fetchProtectedResource(config: Configuration, accessToken: string, url: URL, method: string, body?: FetchBody, headers?: Headers, options?: DPoPOptions): Promise; diff --git a/build/index.js b/build/index.js new file mode 100644 index 00000000..2793715d --- /dev/null +++ b/build/index.js @@ -0,0 +1,986 @@ +import * as oauth from 'oauth4webapi'; +import * as jose from 'jose'; +import { JOSEError } from 'jose/errors'; +let headers; +let USER_AGENT; +if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) { + const NAME = 'openid-client'; + const VERSION = 'v6.1.1'; + USER_AGENT = `${NAME}/${VERSION}`; + headers = { 'user-agent': USER_AGENT }; +} +const int = (config) => { + return props.get(config); +}; +let props; +export { AuthorizationResponseError, ResponseBodyError, WWWAuthenticateChallengeError, } from 'oauth4webapi'; +export function ClientSecretPost(clientSecret) { + return oauth.ClientSecretPost(clientSecret); +} +export function ClientSecretBasic(clientSecret) { + return oauth.ClientSecretBasic(clientSecret); +} +export function ClientSecretJwt(clientSecret, options) { + return oauth.ClientSecretJwt(clientSecret, options); +} +export function None() { + return oauth.None(); +} +export function PrivateKeyJwt(clientPrivateKey, options) { + return oauth.PrivateKeyJwt(clientPrivateKey, options); +} +export function TlsClientAuth() { + return oauth.TlsClientAuth(); +} +export const skipStateCheck = oauth.skipStateCheck; +export const skipSubjectCheck = oauth.skipSubjectCheck; +export const customFetch = oauth.customFetch; +export const modifyAssertion = oauth.modifyAssertion; +export const clockSkew = oauth.clockSkew; +export const clockTolerance = oauth.clockTolerance; +const ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE'; +const ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE'; +function CodedTypeError(message, code, cause) { + const err = new TypeError(message, { cause }); + Object.assign(err, { code }); + return err; +} +export function calculatePKCECodeChallenge(codeVerifier) { + return oauth.calculatePKCECodeChallenge(codeVerifier); +} +export function randomPKCECodeVerifier() { + return oauth.generateRandomCodeVerifier(); +} +export function randomNonce() { + return oauth.generateRandomNonce(); +} +export function randomState() { + return oauth.generateRandomState(); +} +export class ClientError extends Error { + code; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + this.code = options?.code; + Error.captureStackTrace?.(this, this.constructor); + } +} +const decoder = new TextDecoder(); +function e(msg, cause, code) { + return new ClientError(msg, { cause, code }); +} +function errorHandler(err) { + if (err instanceof TypeError || + err instanceof ClientError || + err instanceof oauth.ResponseBodyError || + err instanceof oauth.AuthorizationResponseError || + err instanceof oauth.WWWAuthenticateChallengeError) { + throw err; + } + if (err instanceof oauth.OperationProcessingError) { + switch (err.code) { + case oauth.HTTP_REQUEST_FORBIDDEN: + throw e('only requests to HTTPS are allowed', err, err.code); + case oauth.REQUEST_PROTOCOL_FORBIDDEN: + throw e('only requests to HTTP or HTTPS are allowed', err, err.code); + case oauth.RESPONSE_IS_NOT_CONFORM: + throw e('unexpected HTTP response status code', err.cause, err.code); + case oauth.RESPONSE_IS_NOT_JSON: + throw e('unexpected response content-type', err.cause, err.code); + case oauth.PARSE_ERROR: + throw e('parsing error occured', err, err.code); + case oauth.INVALID_RESPONSE: + throw e('invalid response encountered', err, err.code); + case oauth.JWT_CLAIM_COMPARISON: + throw e('unexpected JWT claim value encountered', err, err.code); + case oauth.JSON_ATTRIBUTE_COMPARISON: + throw e('unexpected JSON attribute value encountered', err, err.code); + case oauth.JWT_TIMESTAMP_CHECK: + throw e('JWT timestamp claim value failed validation', err, err.code); + default: + throw e(err.message, err, err.code); + } + } + if (err instanceof oauth.UnsupportedOperationError) { + throw e('unsupported operation', err, err.code); + } + if (err instanceof DOMException) { + switch (err.name) { + case 'OperationError': + throw e('runtime operation error', err, oauth.UNSUPPORTED_OPERATION); + case 'NotSupportedError': + throw e('runtime unsupported operation', err, oauth.UNSUPPORTED_OPERATION); + case 'TimeoutError': + throw e('operation timed out', err, 'OAUTH_TIMEOUT'); + case 'AbortError': + throw e('operation aborted', err, 'OAUTH_ABORT'); + } + } + throw new ClientError('something went wrong', { cause: err }); +} +export function randomDPoPKeyPair(alg, options) { + return oauth + .generateKeyPair(alg ?? 'ES256', { + extractable: options?.extractable, + }) + .catch(errorHandler); +} +function handleEntraId(server, as, options) { + if ((server.href === 'https://login.microsoftonline.com/common/v2.0' || + server.href === 'https://login.microsoftonline.com/organizations/v2.0') && + (!options?.algorithm || options.algorithm === 'oidc')) { + as[kEntraId] = true; + return true; + } + return false; +} +export async function discovery(server, clientId, metadata, clientAuthentication, options) { + if (!(server instanceof URL)) { + throw CodedTypeError('"server" must be an instance of URL', ERR_INVALID_ARG_TYPE); + } + const resolve = !server.href.includes('/.well-known/'); + const timeout = options?.timeout ?? 30; + const signal = AbortSignal.timeout(timeout * 1000); + const as = await (resolve + ? oauth.discoveryRequest(server, { + algorithm: options?.algorithm, + [oauth.customFetch]: options?.[customFetch], + [oauth.allowInsecureRequests]: options?.execute?.includes(allowInsecureRequests), + signal, + headers: new Headers(headers), + }) + : (options?.[customFetch] || fetch)((() => { + oauth.checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true); + return server.href; + })(), { + headers: Object.fromEntries(new Headers({ accept: 'application/json', ...headers }).entries()), + body: undefined, + method: 'GET', + redirect: 'manual', + signal, + })) + .then((response) => oauth.processDiscoveryResponse(oauth._nodiscoverycheck, response)) + .catch(errorHandler); + if (resolve && new URL(as.issuer).href !== server.href) { + handleEntraId(server, as, options) || + (() => { + throw new ClientError('discovered metadata issuer does not match the expected issuer', { + code: oauth.JSON_ATTRIBUTE_COMPARISON, + cause: { + expected: server.href, + body: as, + attribute: 'issuer', + }, + }); + })(); + } + const instance = new Configuration(as, clientId, metadata, clientAuthentication); + let internals = int(instance); + if (options?.[customFetch]) { + internals.fetch = options[customFetch]; + } + if (options?.timeout) { + internals.timeout = options.timeout; + } + if (options?.execute) { + for (const extension of options.execute) { + extension(instance); + } + } + return instance; +} +function isRsaOaep(input) { + return input.name === 'RSA-OAEP'; +} +function isEcdh(input) { + return input.name === 'ECDH'; +} +const ecdhEs = 'ECDH-ES'; +const ecdhEsA128Kw = 'ECDH-ES+A128KW'; +const ecdhEsA192Kw = 'ECDH-ES+A192KW'; +const ecdhEsA256Kw = 'ECDH-ES+A256KW'; +function checkEcdhAlg(algs, alg, pk) { + switch (alg) { + case undefined: + algs.add(ecdhEs); + algs.add(ecdhEsA128Kw); + algs.add(ecdhEsA192Kw); + algs.add(ecdhEsA256Kw); + break; + case ecdhEs: + case ecdhEsA128Kw: + case ecdhEsA192Kw: + case ecdhEsA256Kw: + algs.add(alg); + break; + default: + throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, { pk }); + } +} +export function enableDecryptingResponses(config, contentEncryptionAlgorithms = [ + 'A128GCM', + 'A192GCM', + 'A256GCM', + 'A128CBC-HS256', + 'A192CBC-HS384', + 'A256CBC-HS512', +], ...keys) { + if (int(config).decrypt !== undefined) { + throw new TypeError('enableDecryptingResponses can only be called on a given Configuration instance once'); + } + if (keys.length === 0) { + throw CodedTypeError('no keys were provided', ERR_INVALID_ARG_VALUE); + } + const algs = new Set(); + const normalized = []; + for (const pk of keys) { + let key; + if ('key' in pk) { + key = { key: pk.key }; + if (typeof pk.alg === 'string') + key.alg = pk.alg; + if (typeof pk.kid === 'string') + key.kid = pk.kid; + } + else { + key = { key: pk }; + } + if (key.key.type !== 'private') { + throw CodedTypeError('only private keys must be provided', ERR_INVALID_ARG_VALUE); + } + if (isRsaOaep(key.key.algorithm)) { + switch (key.key.algorithm.hash.name) { + case 'SHA-1': + case 'SHA-256': + case 'SHA-384': + case 'SHA-512': { + let alg = 'RSA-OAEP'; + let sha; + if ((sha = parseInt(key.key.algorithm.hash.name.slice(-3), 10))) { + alg = `${alg}-${sha}`; + } + key.alg ||= alg; + if (alg !== key.alg) + throw CodedTypeError('invalid key alg', ERR_INVALID_ARG_VALUE, { + pk, + }); + algs.add(key.alg); + break; + } + default: + throw CodedTypeError('only SHA-512, SHA-384, SHA-256, and SHA-1 RSA-OAEP keys are supported', ERR_INVALID_ARG_VALUE); + } + } + else if (isEcdh(key.key.algorithm)) { + if (key.key.algorithm.namedCurve !== 'P-256') { + throw CodedTypeError('Only P-256 ECDH keys are supported', ERR_INVALID_ARG_VALUE); + } + checkEcdhAlg(algs, key.alg, pk); + } + else if (key.key.algorithm.name === 'X25519') { + checkEcdhAlg(algs, key.alg, pk); + } + else { + throw CodedTypeError('only RSA-OAEP, ECDH, or X25519 keys are supported', ERR_INVALID_ARG_VALUE); + } + normalized.push(key); + } + int(config).decrypt = async (jwe) => decrypt(normalized, jwe, contentEncryptionAlgorithms, [...algs]).catch(errorHandler); +} +function checkCryptoKey(key, alg, epk) { + if (alg.startsWith('RSA-OAEP')) { + return true; + } + if (alg.startsWith('ECDH-ES')) { + if (key.algorithm.name !== 'ECDH' && key.algorithm.name !== 'X25519') { + return false; + } + if (key.algorithm.name === 'ECDH') { + return epk?.crv === key.algorithm.namedCurve; + } + if (key.algorithm.name === 'X25519') { + return epk?.crv === 'X25519'; + } + } + return false; +} +function selectCryptoKeyForDecryption(keys, alg, kid, epk) { + const { 0: key, length } = keys.filter((key) => { + if (kid !== key.kid) { + return false; + } + if (key.alg && alg !== key.alg) { + return false; + } + return checkCryptoKey(key.key, alg, epk); + }); + if (!key) { + throw e('no applicable decryption key selected', undefined, 'OAUTH_DECRYPTION_FAILED'); + } + if (length !== 1) { + throw e('multiple applicable decryption keys selected', undefined, 'OAUTH_DECRYPTION_FAILED'); + } + return key.key; +} +async function decrypt(keys, jwe, contentEncryptionAlgorithms, keyManagementAlgorithms) { + return decoder.decode((await jose + .compactDecrypt(jwe, async (header) => { + const { kid, alg, epk } = header; + return selectCryptoKeyForDecryption(keys, alg, kid, epk); + }, { keyManagementAlgorithms, contentEncryptionAlgorithms }) + .catch((err) => { + if (err instanceof JOSEError) { + throw e('decryption failed', err, 'OAUTH_DECRYPTION_FAILED'); + } + errorHandler(err); + })).plaintext); +} +function getServerHelpers(metadata) { + return { + supportsPKCE: { + __proto__: null, + value(method = 'S256') { + return (metadata.code_challenge_methods_supported?.includes(method) === true); + }, + }, + }; +} +function addServerHelpers(metadata) { + Object.defineProperties(metadata, getServerHelpers(metadata)); +} +const kEntraId = Symbol(); +export class Configuration { + constructor(server, clientId, metadata, clientAuthentication) { + if (typeof clientId !== 'string' || !clientId.length) { + throw CodedTypeError('"clientId" must be a non-empty string', ERR_INVALID_ARG_TYPE); + } + if (typeof metadata === 'string') { + metadata = { client_secret: metadata }; + } + if (metadata?.client_id !== undefined && clientId !== metadata.client_id) { + throw CodedTypeError('"clientId" and "metadata.client_id" must be the same', ERR_INVALID_ARG_VALUE); + } + const client = { + ...structuredClone(metadata), + client_id: clientId, + }; + client[oauth.clockSkew] = metadata?.[oauth.clockSkew] ?? 0; + client[oauth.clockTolerance] = metadata?.[oauth.clockTolerance] ?? 30; + let auth; + if (clientAuthentication) { + auth = clientAuthentication; + } + else { + if (typeof client.client_secret === 'string' && + client.client_secret.length) { + auth = ClientSecretPost(client.client_secret); + } + else { + auth = None(); + } + } + let c = Object.freeze(client); + const clone = structuredClone(server); + if (kEntraId in server) { + clone[oauth._expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace('{tenantid}', tid); + } + let as = Object.freeze(clone); + props ||= new WeakMap(); + props.set(this, { + __proto__: null, + as, + c, + auth, + tlsOnly: true, + jwksCache: {}, + }); + } + serverMetadata() { + const metadata = structuredClone(int(this).as); + addServerHelpers(metadata); + return metadata; + } + get timeout() { + return int(this).timeout; + } + set timeout(value) { + int(this).timeout = value; + } + get [customFetch]() { + return int(this).fetch; + } + set [customFetch](value) { + int(this).fetch = value; + } +} +Object.freeze(Configuration.prototype); +function getHelpers(response) { + let exp = undefined; + if (response.expires_in !== undefined) { + const now = new Date(); + now.setSeconds(now.getSeconds() + response.expires_in); + exp = now.getTime(); + } + return { + expiresIn: { + __proto__: null, + value() { + if (exp) { + const now = Date.now(); + if (exp > now) { + return Math.floor((exp - now) / 1000); + } + return 0; + } + return undefined; + }, + }, + claims: { + __proto__: null, + value() { + try { + return oauth.getValidatedIdTokenClaims(this); + } + catch { + return undefined; + } + }, + }, + }; +} +function addHelpers(response) { + Object.defineProperties(response, getHelpers(response)); +} +export function getDPoPHandle(config, keyPair, options) { + checkConfig(config); + return oauth.DPoP(int(config).c, keyPair, options); +} +function wait(interval) { + return new Promise((resolve) => { + setTimeout(resolve, interval * 1000); + }); +} +export async function pollDeviceAuthorizationGrant(config, deviceAuthorizationResponse, parameters, options) { + checkConfig(config); + parameters = new URLSearchParams(parameters); + let interval = deviceAuthorizationResponse.interval ?? 5; + const pollingSignal = options?.signal ?? + AbortSignal.timeout(deviceAuthorizationResponse.expires_in * 1000); + try { + pollingSignal.throwIfAborted(); + } + catch (err) { + errorHandler(err); + } + await wait(interval); + const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config); + const response = await oauth + .deviceCodeGrantRequest(as, c, auth, deviceAuthorizationResponse.device_code, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + additionalParameters: parameters, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: pollingSignal.aborted ? pollingSignal : signal(timeout), + }) + .catch(errorHandler); + const p = oauth.processDeviceCodeResponse(as, c, response, { + [oauth.jweDecrypt]: decrypt, + }); + let result; + try { + result = await p; + } + catch (err) { + if (retryable(err, options)) { + return pollDeviceAuthorizationGrant(config, { + ...deviceAuthorizationResponse, + interval, + }, parameters, { + ...options, + signal: pollingSignal, + flag: retry, + }); + } + if (err instanceof oauth.ResponseBodyError) { + switch (err.error) { + case 'slow_down': + interval += 5; + case 'authorization_pending': + return pollDeviceAuthorizationGrant(config, { + ...deviceAuthorizationResponse, + interval, + }, parameters, { + ...options, + signal: pollingSignal, + flag: undefined, + }); + } + } + errorHandler(err); + } + result.id_token && (await nonRepudiation?.(response)); + addHelpers(result); + return result; +} +export async function initiateDeviceAuthorization(config, parameters) { + checkConfig(config); + const { as, c, auth, fetch, tlsOnly, timeout } = int(config); + return oauth + .deviceAuthorizationRequest(as, c, auth, parameters, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + headers: new Headers(headers), + signal: signal(timeout), + }) + .then((response) => oauth.processDeviceAuthorizationResponse(as, c, response)) + .catch(errorHandler); +} +export function allowInsecureRequests(config) { + int(config).tlsOnly = false; +} +export function setJwksCache(config, jwksCache) { + int(config).jwksCache = structuredClone(jwksCache); +} +export function getJwksCache(config) { + const cache = int(config).jwksCache; + if (cache.uat) { + return cache; + } + return undefined; +} +export function enableNonRepudiationChecks(config) { + checkConfig(config); + int(config).nonRepudiation = (response) => { + const { as, fetch, tlsOnly, timeout, jwksCache } = int(config); + return oauth + .validateApplicationLevelSignature(as, response, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + headers: new Headers(headers), + signal: signal(timeout), + [oauth.jwksCache]: jwksCache, + }) + .catch(errorHandler); + }; +} +export function useJwtResponseMode(config) { + checkConfig(config); + if (int(config).hybrid) { + throw e('JARM cannot be combined with a hybrid response mode', undefined, oauth.UNSUPPORTED_OPERATION); + } + int(config).jarm = (authorizationResponse, expectedState) => validateJARMResponse(config, authorizationResponse, expectedState); +} +export function enableDetachedSignatureResponseChecks(config) { + if (!int(config).hybrid) { + throw e('"code id_token" response type must be configured to be used first', undefined, oauth.UNSUPPORTED_OPERATION); + } + int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, true); +} +export function useCodeIdTokenResponseType(config) { + checkConfig(config); + if (int(config).jarm) { + throw e('"code id_token" response type cannot be combined with JARM', undefined, oauth.UNSUPPORTED_OPERATION); + } + int(config).hybrid = (authorizationResponse, expectedNonce, expectedState, maxAge) => validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, false); +} +function stripParams(url) { + url = new URL(url); + url.search = ''; + url.hash = ''; + return url.href; +} +function webInstanceOf(input, toStringTag) { + try { + return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag; + } + catch { + return false; + } +} +export async function authorizationCodeGrant(config, currentUrl, checks, parameters, options) { + checkConfig(config); + if (options?.flag !== retry && + !(currentUrl instanceof URL) && + !webInstanceOf(currentUrl, 'Request')) { + throw CodedTypeError('"currentUrl" must be an instance of URL, or Request', ERR_INVALID_ARG_TYPE); + } + let authResponse; + let redirectUri; + const { as, c, auth, fetch, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt } = int(config); + if (options?.flag === retry) { + authResponse = options.authResponse; + redirectUri = options.redirectUri; + } + else { + let request; + if (!(currentUrl instanceof URL)) { + if (currentUrl.method === 'POST') { + request = currentUrl; + } + currentUrl = new URL(currentUrl.url); + } + redirectUri = stripParams(currentUrl); + switch (true) { + case !!jarm: + authResponse = await jarm(currentUrl, checks?.expectedState); + break; + case !!hybrid: + authResponse = await hybrid(request || currentUrl, checks?.expectedNonce, checks?.expectedState, checks?.maxAge); + break; + default: + try { + authResponse = oauth.validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState); + } + catch (err) { + return errorHandler(err); + } + } + } + const response = await oauth + .authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || oauth._nopkce, { + additionalParameters: parameters, + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + if (typeof checks?.expectedNonce === 'string' || + typeof checks?.maxAge === 'number') { + checks.idTokenExpected = true; + } + const p = oauth.processAuthorizationCodeResponse(as, c, response, { + expectedNonce: checks?.expectedNonce, + maxAge: checks?.maxAge, + requireIdToken: checks?.idTokenExpected, + [oauth.jweDecrypt]: decrypt, + }); + let result; + try { + result = await p; + } + catch (err) { + if (retryable(err, options)) { + return authorizationCodeGrant(config, undefined, checks, parameters, { + ...options, + flag: retry, + authResponse: authResponse, + redirectUri: redirectUri, + }); + } + errorHandler(err); + } + result.id_token && (await nonRepudiation?.(response)); + addHelpers(result); + return result; +} +async function validateJARMResponse(config, authorizationResponse, expectedState) { + const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config); + return oauth + .validateJwtAuthResponse(as, c, authorizationResponse, expectedState, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + headers: new Headers(headers), + signal: signal(timeout), + [oauth.jweDecrypt]: decrypt, + [oauth.jwksCache]: jwksCache, + }) + .catch(errorHandler); +} +async function validateCodeIdTokenResponse(config, authorizationResponse, expectedNonce, expectedState, maxAge, fapi) { + if (typeof expectedNonce !== 'string') { + throw CodedTypeError('"expectedNonce" must be a string', ERR_INVALID_ARG_TYPE); + } + if (expectedState !== undefined && typeof expectedState !== 'string') { + throw CodedTypeError('"expectedState" must be a string', ERR_INVALID_ARG_TYPE); + } + const { as, c, fetch, tlsOnly, timeout, decrypt, jwksCache } = int(config); + return (fapi + ? oauth.validateDetachedSignatureResponse + : oauth.validateCodeIdTokenResponse)(as, c, authorizationResponse, expectedNonce, expectedState, maxAge, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + headers: new Headers(headers), + signal: signal(timeout), + [oauth.jweDecrypt]: decrypt, + [oauth.jwksCache]: jwksCache, + }).catch(errorHandler); +} +export async function refreshTokenGrant(config, refreshToken, parameters, options) { + checkConfig(config); + parameters = new URLSearchParams(parameters); + const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config); + const response = await oauth + .refreshTokenGrantRequest(as, c, auth, refreshToken, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + additionalParameters: parameters, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + const p = oauth.processRefreshTokenResponse(as, c, response, { + [oauth.jweDecrypt]: decrypt, + }); + let result; + try { + result = await p; + } + catch (err) { + if (retryable(err, options)) { + return refreshTokenGrant(config, refreshToken, parameters, { + ...options, + flag: retry, + }); + } + errorHandler(err); + } + result.id_token && (await nonRepudiation?.(response)); + addHelpers(result); + return result; +} +export async function clientCredentialsGrant(config, parameters, options) { + checkConfig(config); + parameters = new URLSearchParams(parameters); + const { as, c, auth, fetch, tlsOnly, timeout } = int(config); + const response = await oauth + .clientCredentialsGrantRequest(as, c, auth, parameters, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + const p = oauth.processClientCredentialsResponse(as, c, response); + let result; + try { + result = await p; + } + catch (err) { + if (retryable(err, options)) { + return clientCredentialsGrant(config, parameters, { + ...options, + flag: retry, + }); + } + errorHandler(err); + } + addHelpers(result); + return result; +} +export function buildAuthorizationUrl(config, parameters) { + checkConfig(config); + const { as, c, tlsOnly, hybrid, jarm } = int(config); + const authorizationEndpoint = oauth.resolveEndpoint(as, 'authorization_endpoint', false, tlsOnly); + parameters = new URLSearchParams(parameters); + if (!parameters.has('client_id')) { + parameters.set('client_id', c.client_id); + } + if (!parameters.has('request_uri') && !parameters.has('request')) { + if (!parameters.has('response_type')) { + parameters.set('response_type', hybrid ? 'code id_token' : 'code'); + } + if (jarm) { + parameters.set('response_mode', 'jwt'); + } + } + for (const [k, v] of parameters.entries()) { + authorizationEndpoint.searchParams.append(k, v); + } + return authorizationEndpoint; +} +export async function buildAuthorizationUrlWithJAR(config, parameters, signingKey, options) { + checkConfig(config); + const authorizationEndpoint = buildAuthorizationUrl(config, parameters); + parameters = authorizationEndpoint.searchParams; + if (!signingKey) { + throw CodedTypeError('"signingKey" must be provided', ERR_INVALID_ARG_VALUE); + } + const { as, c } = int(config); + const request = await oauth + .issueRequestObject(as, c, parameters, signingKey, options) + .catch(errorHandler); + return buildAuthorizationUrl(config, { request }); +} +export async function buildAuthorizationUrlWithPAR(config, parameters, options) { + checkConfig(config); + const authorizationEndpoint = buildAuthorizationUrl(config, parameters); + const { as, c, auth, fetch, tlsOnly, timeout } = int(config); + const response = await oauth + .pushedAuthorizationRequest(as, c, auth, authorizationEndpoint.searchParams, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + const p = oauth.processPushedAuthorizationResponse(as, c, response); + let result; + try { + result = await p; + } + catch (err) { + if (retryable(err, options)) { + return buildAuthorizationUrlWithPAR(config, parameters, { + ...options, + flag: retry, + }); + } + errorHandler(err); + } + return buildAuthorizationUrl(config, { request_uri: result.request_uri }); +} +export function buildEndSessionUrl(config, parameters) { + checkConfig(config); + const { as, c, tlsOnly } = int(config); + const endSessionEndpoint = oauth.resolveEndpoint(as, 'end_session_endpoint', false, tlsOnly); + parameters = new URLSearchParams(parameters); + if (!parameters.has('client_id')) { + parameters.set('client_id', c.client_id); + } + for (const [k, v] of parameters.entries()) { + endSessionEndpoint.searchParams.append(k, v); + } + return endSessionEndpoint; +} +function checkConfig(input) { + if (!(input instanceof Configuration)) { + throw CodedTypeError('"config" must be an instance of Configuration', ERR_INVALID_ARG_TYPE); + } + if (Object.getPrototypeOf(input) !== Configuration.prototype) { + throw CodedTypeError('subclassing Configuration is not allowed', ERR_INVALID_ARG_VALUE); + } +} +function signal(timeout) { + return timeout ? AbortSignal.timeout(timeout * 1000) : undefined; +} +export async function fetchUserInfo(config, accessToken, expectedSubject, options) { + checkConfig(config); + const { as, c, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config); + const response = await oauth + .userInfoRequest(as, c, accessToken, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + let exec = oauth.processUserInfoResponse(as, c, expectedSubject, response, { + [oauth.jweDecrypt]: decrypt, + }); + let result; + try { + result = await exec; + } + catch (err) { + if (retryable(err, options)) { + return fetchUserInfo(config, accessToken, expectedSubject, { + ...options, + flag: retry, + }); + } + errorHandler(err); + } + getContentType(response) === 'application/jwt' && + (await nonRepudiation?.(response)); + return result; +} +function retryable(err, options) { + if (options?.DPoP && options.flag !== retry) { + return oauth.isDPoPNonceError(err); + } + return false; +} +export async function tokenIntrospection(config, token, parameters) { + checkConfig(config); + const { as, c, auth, fetch, tlsOnly, nonRepudiation, timeout, decrypt } = int(config); + const response = await oauth + .introspectionRequest(as, c, auth, token, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + additionalParameters: new URLSearchParams(parameters), + headers: new Headers(headers), + signal: signal(timeout), + }) + .catch(errorHandler); + const result = await oauth + .processIntrospectionResponse(as, c, response, { + [oauth.jweDecrypt]: decrypt, + }) + .catch(errorHandler); + getContentType(response) === 'application/token-introspection+jwt' && + (await nonRepudiation?.(response)); + return result; +} +const retry = Symbol(); +export async function genericGrantRequest(config, grantType, parameters, options) { + checkConfig(config); + const { as, c, auth, fetch, tlsOnly, timeout, decrypt } = int(config); + const result = await oauth + .genericTokenEndpointRequest(as, c, auth, grantType, new URLSearchParams(parameters), { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + headers: new Headers(headers), + signal: signal(timeout), + }) + .then((response) => oauth.processGenericTokenEndpointResponse(as, c, response, { + [oauth.jweDecrypt]: decrypt, + })) + .catch(errorHandler); + addHelpers(result); + return result; +} +export async function tokenRevocation(config, token, parameters) { + checkConfig(config); + const { as, c, auth, fetch, tlsOnly, timeout } = int(config); + return oauth + .revocationRequest(as, c, auth, token, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + additionalParameters: new URLSearchParams(parameters), + headers: new Headers(headers), + signal: signal(timeout), + }) + .then(oauth.processRevocationResponse) + .catch(errorHandler); +} +export async function fetchProtectedResource(config, accessToken, url, method, body, headers, options) { + checkConfig(config); + headers ||= new Headers(); + if (!headers.has('user-agent')) { + headers.set('user-agent', USER_AGENT); + } + const { fetch, tlsOnly, timeout } = int(config); + const exec = oauth.protectedResourceRequest(accessToken, method, url, headers, body, { + [oauth.customFetch]: fetch, + [oauth.allowInsecureRequests]: !tlsOnly, + DPoP: options?.DPoP, + signal: signal(timeout), + }); + let result; + try { + result = await exec; + } + catch (err) { + if (retryable(err, options)) { + return fetchProtectedResource(config, accessToken, url, method, body, headers, { + ...options, + flag: retry, + }); + } + errorHandler(err); + } + return result; +} +function getContentType(response) { + return response.headers.get('content-type')?.split(';')[0]; +} +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/build/index.js.map b/build/index.js.map new file mode 100644 index 00000000..a7bb495c --- /dev/null +++ b/build/index.js.map @@ -0,0 +1 @@ +{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAEvC,IAAI,OAA+B,CAAA;AACnC,IAAI,UAAkB,CAAA;AACtB,IAEE,OAAO,SAAS,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,cAAc,CAAC,EACtF,CAAC;IACD,MAAM,IAAI,GAAG,eAAe,CAAA;IAC5B,MAAM,OAAO,GAAG,QAAQ,CAAA;IACxB,UAAU,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAA;IACjC,OAAO,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,CAAA;AACxC,CAAC;AA8BD,MAAM,GAAG,GAAG,CAAC,MAAqB,EAAE,EAAE;IACpC,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAE,CAAA;AAC3B,CAAC,CAAA;AAED,IAAI,KAAwC,CAAA;AAE5C,OAAO,EAEL,0BAA0B,EAC1B,iBAAiB,EACjB,6BAA6B,GA0B9B,MAAM,cAAc,CAAA;AA0ErB,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,OAAO,KAAK,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAA;AAC7C,CAAC;AAkDD,MAAM,UAAU,iBAAiB,CAAC,YAAoB;IACpD,OAAO,KAAK,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAA;AAC9C,CAAC;AAoDD,MAAM,UAAU,eAAe,CAC7B,YAAoB,EACpB,OAAsC;IAEtC,OAAO,KAAK,CAAC,eAAe,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;AACrD,CAAC;AA6CD,MAAM,UAAU,IAAI;IAClB,OAAO,KAAK,CAAC,IAAI,EAAE,CAAA;AACrB,CAAC;AAmDD,MAAM,UAAU,aAAa,CAC3B,gBAA8C,EAC9C,OAAsC;IAEtC,OAAO,KAAK,CAAC,aAAa,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;AACvD,CAAC;AA+CD,MAAM,UAAU,aAAa;IAC3B,OAAO,KAAK,CAAC,aAAa,EAAE,CAAA;AAC9B,CAAC;AAgBD,MAAM,CAAC,MAAM,cAAc,GAAgC,KAAK,CAAC,cAAc,CAAA;AAc/E,MAAM,CAAC,MAAM,gBAAgB,GAC3B,KAAK,CAAC,gBAAgB,CAAA;AA6IxB,MAAM,CAAC,MAAM,WAAW,GAA6B,KAAK,CAAC,WAAW,CAAA;AAwCtE,MAAM,CAAC,MAAM,eAAe,GAC1B,KAAK,CAAC,eAAe,CAAA;AAgCvB,MAAM,CAAC,MAAM,SAAS,GAA2B,KAAK,CAAC,SAAS,CAAA;AAkBhE,MAAM,CAAC,MAAM,cAAc,GAAgC,KAAK,CAAC,cAAc,CAAA;AA8F/E,MAAM,qBAAqB,GAAG,uBAAuB,CAAA;AACrD,MAAM,oBAAoB,GAAG,sBAAsB,CAAA;AAInD,SAAS,cAAc,CAAC,OAAe,EAAE,IAAW,EAAE,KAAe;IACnE,MAAM,GAAG,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IAC7C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5B,OAAO,GAAG,CAAA;AACZ,CAAC;AAeD,MAAM,UAAU,0BAA0B,CAAC,YAAoB;IAC7D,OAAO,KAAK,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAA;AACvD,CAAC;AAOD,MAAM,UAAU,sBAAsB;IACpC,OAAO,KAAK,CAAC,0BAA0B,EAAE,CAAA;AAC3C,CAAC;AAOD,MAAM,UAAU,WAAW;IACzB,OAAO,KAAK,CAAC,mBAAmB,EAAE,CAAA;AACpC,CAAC;AAOD,MAAM,UAAU,WAAW;IACzB,OAAO,KAAK,CAAC,mBAAmB,EAAE,CAAA;AACpC,CAAC;AAKD,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,IAAI,CAAS;IAKb,YAAY,OAAgB,EAAE,OAA4C;QACxE,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,OAAO,EAAE,IAAI,CAAA;QAEzB,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;AAEjC,SAAS,CAAC,CAAC,GAAW,EAAE,KAAc,EAAE,IAAa;IACnD,OAAO,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,GAAY;IAChC,IACE,GAAG,YAAY,SAAS;QACxB,GAAG,YAAY,WAAW;QAC1B,GAAG,YAAY,KAAK,CAAC,iBAAiB;QACtC,GAAG,YAAY,KAAK,CAAC,0BAA0B;QAC/C,GAAG,YAAY,KAAK,CAAC,6BAA6B,EAClD,CAAC;QACD,MAAM,GAAG,CAAA;IACX,CAAC;IAED,IAAI,GAAG,YAAY,KAAK,CAAC,wBAAwB,EAAE,CAAC;QAClD,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,KAAK,CAAC,sBAAsB;gBAC/B,MAAM,CAAC,CAAC,oCAAoC,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YAC9D,KAAK,KAAK,CAAC,0BAA0B;gBACnC,MAAM,CAAC,CAAC,4CAA4C,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACtE,KAAK,KAAK,CAAC,uBAAuB;gBAChC,MAAM,CAAC,CAAC,sCAAsC,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACtE,KAAK,KAAK,CAAC,oBAAoB;gBAC7B,MAAM,CAAC,CAAC,kCAAkC,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YAClE,KAAK,KAAK,CAAC,WAAW;gBACpB,MAAM,CAAC,CAAC,uBAAuB,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACjD,KAAK,KAAK,CAAC,gBAAgB;gBACzB,MAAM,CAAC,CAAC,8BAA8B,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACxD,KAAK,KAAK,CAAC,oBAAoB;gBAC7B,MAAM,CAAC,CAAC,wCAAwC,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YAClE,KAAK,KAAK,CAAC,yBAAyB;gBAClC,MAAM,CAAC,CAAC,6CAA6C,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACvE,KAAK,KAAK,CAAC,mBAAmB;gBAC5B,MAAM,CAAC,CAAC,6CAA6C,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;YACvE;gBACE,MAAM,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;QACvC,CAAC;IACH,CAAC;IAED,IAAI,GAAG,YAAY,KAAK,CAAC,yBAAyB,EAAE,CAAC;QACnD,MAAM,CAAC,CAAC,uBAAuB,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;IACjD,CAAC;IAED,IAAI,GAAG,YAAY,YAAY,EAAE,CAAC;QAChC,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YAEjB,KAAK,gBAAgB;gBACnB,MAAM,CAAC,CAAC,yBAAyB,EAAE,GAAG,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAA;YACtE,KAAK,mBAAmB;gBACtB,MAAM,CAAC,CACL,+BAA+B,EAC/B,GAAG,EACH,KAAK,CAAC,qBAAqB,CAC5B,CAAA;YAGH,KAAK,cAAc;gBACjB,MAAM,CAAC,CAAC,qBAAqB,EAAE,GAAG,EAAE,eAAe,CAAC,CAAA;YACtD,KAAK,YAAY;gBACf,MAAM,CAAC,CAAC,mBAAmB,EAAE,GAAG,EAAE,aAAa,CAAC,CAAA;QACpD,CAAC;IACH,CAAC;IAED,MAAM,IAAI,WAAW,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;AAC/D,CAAC;AAaD,MAAM,UAAU,iBAAiB,CAC/B,GAAY,EACZ,OAAsC;IAEtC,OAAO,KAAK;SACT,eAAe,CAAC,GAAG,IAAI,OAAO,EAAE;QAC/B,WAAW,EAAE,OAAO,EAAE,WAAW;KAClC,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;AACxB,CAAC;AAoFD,SAAS,aAAa,CACpB,MAAW,EACX,EAA6B,EAC7B,OAAiC;IAEjC,IACE,CAAC,MAAM,CAAC,IAAI,KAAK,+CAA+C;QAC9D,MAAM,CAAC,IAAI,KAAK,sDAAsD,CAAC;QACzE,CAAC,CAAC,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,MAAM,CAAC,EACrD,CAAC;QAED,EAAE,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAA;QACnB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAW,EACX,QAAgB,EAChB,QAA2C,EAC3C,oBAAiC,EACjC,OAAiC;IAEjC,IAAI,CAAC,CAAC,MAAM,YAAY,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,cAAc,CAClB,qCAAqC,EACrC,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAA;IAEtD,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,EAAE,CAAA;IACtC,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;IAClD,MAAM,EAAE,GAAG,MAAM,CACf,OAAO;QACL,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE;YAC7B,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC,WAAW,CAAC;YAC3C,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CACvD,qBAAqB,CACtB;YACD,MAAM;YACN,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;SAC9B,CAAC;QACJ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAC/B,CAAC,GAAG,EAAE;YACJ,KAAK,CAAC,aAAa,CACjB,MAAM,EACN,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CACjE,CAAA;YAED,OAAO,MAAM,CAAC,IAAI,CAAA;QACpB,CAAC,CAAC,EAAE,EACJ;YACE,OAAO,EAAE,MAAM,CAAC,WAAW,CACzB,IAAI,OAAO,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAClE;YACD,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,QAAQ;YAClB,MAAM;SACP,CACF,CACN;SACE,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAEjB,KAAK,CAAC,wBAAwB,CAAC,KAAK,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAClE;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,IAAI,OAAO,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACvD,aAAa,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,CAAC;YAChC,CAAC,GAAG,EAAE;gBACJ,MAAM,IAAI,WAAW,CACnB,+DAA+D,EAC/D;oBACE,IAAI,EAAE,KAAK,CAAC,yBAAyB;oBACrC,KAAK,EAAE;wBACL,QAAQ,EAAE,MAAM,CAAC,IAAI;wBACrB,IAAI,EAAE,EAAE;wBACR,SAAS,EAAE,QAAQ;qBACpB;iBACF,CACF,CAAA;YACH,CAAC,CAAC,EAAE,CAAA;IACR,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAChC,EAAE,EACF,QAAQ,EACR,QAAQ,EACR,oBAAoB,CACrB,CAAA;IACD,IAAI,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAA;IAE7B,IAAI,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,CAAA;IACxC,CAAC;IAED,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,SAAS,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;IACrC,CAAC;IAED,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,KAAK,MAAM,SAAS,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACxC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAuCD,SAAS,SAAS,CAAC,KAAmB;IACpC,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,CAAA;AAClC,CAAC;AAED,SAAS,MAAM,CAAC,KAAmB;IACjC,OAAO,KAAK,CAAC,IAAI,KAAK,MAAM,CAAA;AAC9B,CAAC;AACD,MAAM,MAAM,GAAG,SAAS,CAAA;AACxB,MAAM,YAAY,GAAG,gBAAgB,CAAA;AACrC,MAAM,YAAY,GAAG,gBAAgB,CAAA;AACrC,MAAM,YAAY,GAAG,gBAAgB,CAAA;AAErC,SAAS,YAAY,CAAC,IAAiB,EAAE,GAAY,EAAE,EAAW;IAChE,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,SAAS;YACZ,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAChB,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;YACtB,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;YACtB,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;YACtB,MAAK;QACP,KAAK,MAAM,CAAC;QACZ,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACb,MAAK;QACP;YACE,MAAM,cAAc,CAAC,iBAAiB,EAAE,qBAAqB,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;IAC1E,CAAC;AACH,CAAC;AA6CD,MAAM,UAAU,yBAAyB,CACvC,MAAqB,EACrB,8BAAwC;IACtC,SAAS;IACT,SAAS;IACT,SAAS;IACT,eAAe;IACf,eAAe;IACf,eAAe;CAChB,EACD,GAAG,IAAsC;IAEzC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,SAAS,CACjB,qFAAqF,CACtF,CAAA;IACH,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,cAAc,CAAC,uBAAuB,EAAE,qBAAqB,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAC9B,MAAM,UAAU,GAAoB,EAAE,CAAA;IAEtC,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;QACtB,IAAI,GAAkB,CAAA;QACtB,IAAI,KAAK,IAAI,EAAE,EAAE,CAAC;YAChB,GAAG,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAA;YACrB,IAAI,OAAO,EAAE,CAAC,GAAG,KAAK,QAAQ;gBAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,CAAA;YAChD,IAAI,OAAO,EAAE,CAAC,GAAG,KAAK,QAAQ;gBAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,CAAA;QAClD,CAAC;aAAM,CAAC;YACN,GAAG,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,CAAA;QACnB,CAAC;QAED,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,cAAc,CAClB,oCAAoC,EACpC,qBAAqB,CACtB,CAAA;QACH,CAAC;QAED,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,QAAQ,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACpC,KAAK,OAAO,CAAC;gBACb,KAAK,SAAS,CAAC;gBACf,KAAK,SAAS,CAAC;gBACf,KAAK,SAAS,CAAC,CAAC,CAAC;oBACf,IAAI,GAAG,GAAG,UAAU,CAAA;oBACpB,IAAI,GAAW,CAAA;oBACf,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;wBAChE,GAAG,GAAG,GAAG,GAAG,IAAI,GAAG,EAAE,CAAA;oBACvB,CAAC;oBACD,GAAG,CAAC,GAAG,KAAK,GAAG,CAAA;oBACf,IAAI,GAAG,KAAK,GAAG,CAAC,GAAG;wBACjB,MAAM,cAAc,CAAC,iBAAiB,EAAE,qBAAqB,EAAE;4BAC7D,EAAE;yBACH,CAAC,CAAA;oBACJ,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;oBACjB,MAAK;gBACP,CAAC;gBACD;oBACE,MAAM,cAAc,CAClB,uEAAuE,EACvE,qBAAqB,CACtB,CAAA;YACL,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,IAAI,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;gBAC7C,MAAM,cAAc,CAClB,oCAAoC,EACpC,qBAAqB,CACtB,CAAA;YACH,CAAC;YAED,YAAY,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;QACjC,CAAC;aAAM,IAAI,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC/C,YAAY,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,CAClB,mDAAmD,EACnD,qBAAqB,CACtB,CAAA;QACH,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACtB,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,CAAC,OAAO,GAAG,KAAK,EAAE,GAAG,EAAE,EAAE,CAClC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,2BAA2B,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CACpE,YAAY,CACb,CAAA;AACL,CAAC;AAED,SAAS,cAAc,CAAC,GAAc,EAAE,GAAW,EAAE,GAAY;IAC/D,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrE,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAElC,OAAO,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC,SAAS,CAAC,UAAU,CAAA;QAC9C,CAAC;QAED,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAEpC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,CAAA;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,4BAA4B,CACnC,IAAqB,EACrB,GAAW,EACX,GAAY,EACZ,GAAa;IAEb,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAC7C,IAAI,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,CAAC;YACpB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,CAAC;YAC/B,OAAO,KAAK,CAAA;QACd,CAAC;QAED,OAAO,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC1C,CAAC,CAAC,CAAA;IAEF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,CAAC,CACL,uCAAuC,EACvC,SAAS,EACT,yBAAyB,CAC1B,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,CAAC,CACL,8CAA8C,EAC9C,SAAS,EACT,yBAAyB,CAC1B,CAAA;IACH,CAAC;IAED,OAAO,GAAG,CAAC,GAAG,CAAA;AAChB,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,IAAqB,EACrB,GAAW,EACX,2BAAqC,EACrC,uBAAiC;IAEjC,OAAO,OAAO,CAAC,MAAM,CACnB,CACE,MAAM,IAAI;SACP,cAAc,CACb,GAAG,EACH,KAAK,EAAE,MAAuC,EAAE,EAAE;QAChD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAA;QAChC,OAAO,4BAA4B,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC1D,CAAC,EACD,EAAE,uBAAuB,EAAE,2BAA2B,EAAE,CACzD;SACA,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;YAC7B,MAAM,CAAC,CAAC,mBAAmB,EAAE,GAAG,EAAE,yBAAyB,CAAC,CAAA;QAC9D,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC,CAAC,CACL,CAAC,SAAS,CACZ,CAAA;AACH,CAAC;AAYD,SAAS,gBAAgB,CAAC,QAAkC;IAC1D,OAAO;QACL,YAAY,EAAE;YACZ,SAAS,EAAE,IAAI;YACf,KAAK,CAAC,MAAM,GAAG,MAAM;gBACnB,OAAO,CACL,QAAQ,CAAC,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,CACrE,CAAA;YACH,CAAC;SACF;KACF,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAkC;IAElC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAA;AAC/D,CAAC;AAGD,MAAM,QAAQ,GAAkB,MAAM,EAAE,CAAA;AA0HxC,MAAM,OAAO,aAAa;IAWxB,YACE,MAAsB,EACtB,QAAgB,EAChB,QAA2C,EAC3C,oBAAiC;QAEjC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YACrD,MAAM,cAAc,CAClB,uCAAuC,EACvC,oBAAoB,CACrB,CAAA;QACH,CAAC;QAED,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,QAAQ,GAAG,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAA;QACxC,CAAC;QAED,IAAI,QAAQ,EAAE,SAAS,KAAK,SAAS,IAAI,QAAQ,KAAK,QAAQ,CAAC,SAAS,EAAE,CAAC;YACzE,MAAM,cAAc,CAClB,sDAAsD,EACtD,qBAAqB,CACtB,CAAA;QACH,CAAC;QAED,MAAM,MAAM,GAAiB;YAC3B,GAAG,eAAe,CAAC,QAAQ,CAAC;YAC5B,SAAS,EAAE,QAAQ;SACpB,CAAA;QAED,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,QAAQ,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QAC1D,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,QAAQ,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QAErE,IAAI,IAAgB,CAAA;QACpB,IAAI,oBAAoB,EAAE,CAAC;YACzB,IAAI,GAAG,oBAAoB,CAAA;QAC7B,CAAC;aAAM,CAAC;YACN,IACE,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ;gBACxC,MAAM,CAAC,aAAa,CAAC,MAAM,EAC3B,CAAC;gBACD,IAAI,GAAG,gBAAgB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAA;YAC/C,CAAC;iBAAM,CAAC;gBACN,IAAI,GAAG,IAAI,EAAE,CAAA;YACf,CAAC;QACH,CAAC;QAED,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,QAAQ,IAAI,MAAM,EAAE,CAAC;YAEvB,KAAK,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,CAAA;QAClG,CAAC;QACD,IAAI,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAE7B,KAAK,KAAK,IAAI,OAAO,EAAE,CAAA;QACvB,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;YACd,SAAS,EAAE,IAAI;YACf,EAAE;YACF,CAAC;YACD,IAAI;YACJ,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,EAAE;SACd,CAAC,CAAA;IACJ,CAAC;IAKD,cAAc;QACZ,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAA;QAC9C,gBAAgB,CAAC,QAAQ,CAAC,CAAA;QAC1B,OAAO,QAAQ,CAAA;IACjB,CAAC;IAKD,IAAI,OAAO;QACT,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;IAC1B,CAAC;IAKD,IAAI,OAAO,CAAC,KAAyB;QACnC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,GAAG,KAAK,CAAA;IAC3B,CAAC;IAKD,IAAI,CAAC,WAAW,CAAC;QACf,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,CAAA;IACxB,CAAC;IAKD,IAAI,CAAC,WAAW,CAAC,CAAC,KAAkB;QAClC,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,GAAG,KAAK,CAAA;IACzB,CAAC;CACF;AACD,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;AA8BtC,SAAS,UAAU,CAAC,QAAqC;IACvD,IAAI,GAAG,GAAuB,SAAS,CAAA;IACvC,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAA;QACtD,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,CAAA;IACrB,CAAC;IAED,OAAO;QACL,SAAS,EAAE;YACT,SAAS,EAAE,IAAI;YACf,KAAK;gBACH,IAAI,GAAG,EAAE,CAAC;oBACR,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;oBACtB,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;wBACd,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAA;oBACvC,CAAC;oBAED,OAAO,CAAC,CAAA;gBACV,CAAC;gBAED,OAAO,SAAS,CAAA;YAClB,CAAC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,IAAI;YACf,KAAK;gBACH,IAAI,CAAC;oBACH,OAAO,KAAK,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAA;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,SAAS,CAAA;gBAClB,CAAC;YACH,CAAC;SACF;KACF,CAAA;AACH,CAAC;AAED,SAAS,UAAU,CACjB,QAAqC;IAErC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAA;AACzD,CAAC;AA4BD,MAAM,UAAU,aAAa,CAC3B,MAAqB,EACrB,OAAsB,EACtB,OAAsC;IAEtC,WAAW,CAAC,MAAM,CAAC,CAAA;IACnB,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;AACpD,CAAC;AAWD,SAAS,IAAI,CAAC,QAAgB;IAC5B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,QAAQ,GAAG,IAAI,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;AACJ,CAAC;AAuCD,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAqB,EACrB,2BAA8D,EAC9D,UAAqD,EACrD,OAA4C;IAE5C,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,IAAI,QAAQ,GAAG,2BAA2B,CAAC,QAAQ,IAAI,CAAC,CAAA;IAExD,MAAM,aAAa,GACjB,OAAO,EAAE,MAAM;QACf,WAAW,CAAC,OAAO,CAAC,2BAA2B,CAAC,UAAU,GAAG,IAAI,CAAC,CAAA;IAEpE,IAAI,CAAC;QACH,aAAa,CAAC,cAAc,EAAE,CAAA;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEpB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,GACrE,GAAG,CAAC,MAAM,CAAC,CAAA;IAEb,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,sBAAsB,CACrB,EAAE,EACF,CAAC,EACD,IAAI,EACJ,2BAA2B,CAAC,WAAW,EACvC;QACE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,oBAAoB,EAAE,UAAU;QAChC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KAChE,CACF;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,MAAM,CAAC,GAAG,KAAK,CAAC,yBAAyB,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE;QACzD,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC,CAAA;IAEF,IAAI,MAAmC,CAAA;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,CAAA;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,4BAA4B,CACjC,MAAM,EACN;gBACE,GAAG,2BAA2B;gBAC9B,QAAQ;aACT,EACD,UAAU,EACV;gBACE,GAAG,OAAO;gBACV,MAAM,EAAE,aAAa;gBACrB,IAAI,EAAE,KAAK;aACZ,CACF,CAAA;QACH,CAAC;QAED,IAAI,GAAG,YAAY,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC3C,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;gBAElB,KAAK,WAAW;oBACd,QAAQ,IAAI,CAAC,CAAA;gBACf,KAAK,uBAAuB;oBAC1B,OAAO,4BAA4B,CACjC,MAAM,EACN;wBACE,GAAG,2BAA2B;wBAC9B,QAAQ;qBACT,EACD,UAAU,EACV;wBACE,GAAG,OAAO;wBACV,MAAM,EAAE,aAAa;wBACrB,IAAI,EAAE,SAAS;qBAChB,CACF,CAAA;YACL,CAAC;QACH,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,cAAc,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAErD,UAAU,CAAC,MAAM,CAAC,CAAA;IAClB,OAAO,MAAM,CAAA;AACf,CAAC;AA8BD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAqB,EACrB,UAAoD;IAEpD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC5D,OAAO,KAAK;SACT,0BAA0B,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE;QACnD,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CACjB,KAAK,CAAC,kCAAkC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,CAAC,CAC1D;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;AACxB,CAAC;AAyED,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,GAAG,CAAC,MAAM,CAAC,CAAC,OAAO,GAAG,KAAK,CAAA;AAC7B,CAAC;AAeD,MAAM,UAAU,YAAY,CAC1B,MAAqB,EACrB,SAAkC;IAElC,GAAG,CAAC,MAAM,CAAC,CAAC,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC,CAAA;AACpD,CAAC;AAkBD,MAAM,UAAU,YAAY,CAC1B,MAAqB;IAErB,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,SAAS,CAAA;IACnC,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,KAAgC,CAAA;IACzC,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAsDD,MAAM,UAAU,0BAA0B,CAAC,MAAqB;IAC9D,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,GAAG,CAAC,MAAM,CAAC,CAAC,cAAc,GAAG,CAAC,QAAQ,EAAE,EAAE;QACxC,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;QAC9D,OAAO,KAAK;aACT,iCAAiC,CAAC,EAAE,EAAE,QAAQ,EAAE;YAC/C,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;YAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;YACvC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;YACvB,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,SAAS;SAC7B,CAAC;aACD,KAAK,CAAC,YAAY,CAAC,CAAA;IACxB,CAAC,CAAA;AACH,CAAC;AA8CD,MAAM,UAAU,kBAAkB,CAAC,MAAqB;IACtD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,CAAC,CACL,qDAAqD,EACrD,SAAS,EACT,KAAK,CAAC,qBAAqB,CAC5B,CAAA;IACH,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,GAAG,CAAC,qBAAqB,EAAE,aAAa,EAAE,EAAE,CAC1D,oBAAoB,CAAC,MAAM,EAAE,qBAAqB,EAAE,aAAa,CAAC,CAAA;AACtE,CAAC;AA8CD,MAAM,UAAU,qCAAqC,CAAC,MAAqB;IACzE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,CACL,mEAAmE,EACnE,SAAS,EACT,KAAK,CAAC,qBAAqB,CAC5B,CAAA;IACH,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CACnB,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,MAAM,EACN,EAAE,CACF,2BAA2B,CACzB,MAAM,EACN,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,MAAM,EACN,IAAI,CACL,CAAA;AACL,CAAC;AA+CD,MAAM,UAAU,0BAA0B,CAAC,MAAqB;IAC9D,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACrB,MAAM,CAAC,CACL,4DAA4D,EAC5D,SAAS,EACT,KAAK,CAAC,qBAAqB,CAC5B,CAAA;IACH,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CACnB,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,MAAM,EACN,EAAE,CACF,2BAA2B,CACzB,MAAM,EACN,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,MAAM,EACN,KAAK,CACN,CAAA;AACL,CAAC;AA2CD,SAAS,WAAW,CAAC,GAAQ;IAC3B,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IAClB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;IACf,GAAG,CAAC,IAAI,GAAG,EAAE,CAAA;IACb,OAAO,GAAG,CAAC,IAAI,CAAA;AACjB,CAAC;AAED,SAAS,aAAa,CAAI,KAAc,EAAE,WAAmB;IAC3D,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,WAAW,CAAA;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AA4CD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAqB,EACrB,UAAyB,EACzB,MAAqC,EACrC,UAAqD,EACrD,OAAuC;IAEvC,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,IACE,OAAO,EAAE,IAAI,KAAK,KAAK;QACvB,CAAC,CAAC,UAAU,YAAY,GAAG,CAAC;QAC5B,CAAC,aAAa,CAAU,UAAU,EAAE,SAAS,CAAC,EAC9C,CAAC;QACD,MAAM,cAAc,CAClB,qDAAqD,EACrD,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,IAAI,YAMH,CAAA;IAED,IAAI,WAAmB,CAAA;IAEvB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAEnG,IAAI,OAAO,EAAE,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5B,YAAY,GAAG,OAAO,CAAC,YAAa,CAAA;QACpC,WAAW,GAAG,OAAO,CAAC,WAAY,CAAA;IACpC,CAAC;SAAM,CAAC;QACN,IAAI,OAA4B,CAAA;QAChC,IAAI,CAAC,CAAC,UAAU,YAAY,GAAG,CAAC,EAAE,CAAC;YACjC,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,OAAO,GAAG,UAAU,CAAA;YACtB,CAAC;YACD,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACtC,CAAC;QACD,WAAW,GAAG,WAAW,CAAC,UAAU,CAAC,CAAA;QACrC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,CAAC,CAAC,IAAI;gBACT,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,CAAC,CAAA;gBAC5D,MAAK;YACP,KAAK,CAAC,CAAC,MAAM;gBACX,YAAY,GAAG,MAAM,MAAM,CACzB,OAAO,IAAI,UAAU,EACrB,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,MAAM,CACf,CAAA;gBACD,MAAK;YAEP;gBACE,IAAI,CAAC;oBACH,YAAY,GAAG,KAAK,CAAC,oBAAoB,CACvC,EAAE,EACF,CAAC,EACD,UAAU,CAAC,YAAY,EACvB,MAAM,EAAE,aAAa,CACtB,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,YAAY,CAAC,GAAG,CAAC,CAAA;gBAC1B,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,6BAA6B,CAC5B,EAAE,EACF,CAAC,EACD,IAAI,EACJ,YAAY,EACZ,WAAW,EAEX,MAAM,EAAE,gBAAgB,IAAI,KAAK,CAAC,OAAO,EACzC;QACE,oBAAoB,EAAE,UAAU;QAChC,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CACF;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,IACE,OAAO,MAAM,EAAE,aAAa,KAAK,QAAQ;QACzC,OAAO,MAAM,EAAE,MAAM,KAAK,QAAQ,EAClC,CAAC;QACD,MAAM,CAAC,eAAe,GAAG,IAAI,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,GAAG,KAAK,CAAC,gCAAgC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE;QAChE,aAAa,EAAE,MAAM,EAAE,aAAa;QACpC,MAAM,EAAE,MAAM,EAAE,MAAM;QACtB,cAAc,EAAE,MAAM,EAAE,eAAe;QACvC,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC,CAAA;IAEF,IAAI,MAAmC,CAAA;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,CAAA;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,sBAAsB,CAC3B,MAAM,EAEN,SAAS,EACT,MAAM,EACN,UAAU,EACV;gBACE,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;gBACX,YAAY,EAAE,YAAY;gBAC1B,WAAW,EAAE,WAAW;aACzB,CACF,CAAA;QACH,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,cAAc,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAErD,UAAU,CAAC,MAAM,CAAC,CAAA;IAClB,OAAO,MAAM,CAAA;AACf,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,MAAqB,EACrB,qBAA0B,EAC1B,aAAyD;IAEzD,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1E,OAAO,KAAK;SACT,uBAAuB,CAAC,EAAE,EAAE,CAAC,EAAE,qBAAqB,EAAE,aAAa,EAAE;QACpE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;QACvB,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;QAC3B,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,SAAS;KAC7B,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;AACxB,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,MAAqB,EACrB,qBAAoC,EACpC,aAAiC,EACjC,aAAyD,EACzD,MAA0B,EAC1B,IAAa;IAEb,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,cAAc,CAClB,kCAAkC,EAClC,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,IAAI,aAAa,KAAK,SAAS,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,cAAc,CAClB,kCAAkC,EAClC,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAE1E,OAAO,CACL,IAAI;QACF,CAAC,CAAC,KAAK,CAAC,iCAAiC;QACzC,CAAC,CAAC,KAAK,CAAC,2BAA2B,CACtC,CAAC,EAAE,EAAE,CAAC,EAAE,qBAAqB,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,EAAE;QACpE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;QACvB,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;QAC3B,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,SAAS;KAC7B,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAA;AACxB,CAAC;AA0CD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAqB,EACrB,YAAoB,EACpB,UAAqD,EACrD,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,GACrE,GAAG,CAAC,MAAM,CAAC,CAAA;IACb,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,wBAAwB,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE;QACnD,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,oBAAoB,EAAE,UAAU;QAChC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,MAAM,CAAC,GAAG,KAAK,CAAC,2BAA2B,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE;QAC3D,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC,CAAA;IAEF,IAAI,MAAmC,CAAA;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,CAAA;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,iBAAiB,CAAC,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE;gBACzD,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;aACZ,CAAC,CAAA;QACJ,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,cAAc,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAErD,UAAU,CAAC,MAAM,CAAC,CAAA;IAClB,OAAO,MAAM,CAAA;AACf,CAAC;AAkCD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAqB,EACrB,UAAqD,EACrD,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC5D,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,6BAA6B,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE;QACtD,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,MAAM,CAAC,GAAG,KAAK,CAAC,gCAAgC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAA;IAEjE,IAAI,MAAmC,CAAA;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,CAAA;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,sBAAsB,CAAC,MAAM,EAAE,UAAU,EAAE;gBAChD,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;aACZ,CAAC,CAAA;QACJ,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,UAAU,CAAC,MAAM,CAAC,CAAA;IAClB,OAAO,MAAM,CAAA;AACf,CAAC;AAwCD,MAAM,UAAU,qBAAqB,CACnC,MAAqB,EACrB,UAAoD;IAEpD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IACpD,MAAM,qBAAqB,GAAG,KAAK,CAAC,eAAe,CACjD,EAAE,EACF,wBAAwB,EACxB,KAAK,EACL,OAAO,CACR,CAAA;IAED,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;IAC1C,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;YACrC,UAAU,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;QACpE,CAAC;QACD,IAAI,IAAI,EAAE,CAAC;YACT,UAAU,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1C,qBAAqB,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IACjD,CAAC;IAED,OAAO,qBAAqB,CAAA;AAC9B,CAAC;AAgFD,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAqB,EACrB,UAAoD,EAIpD,UAAwC,EACxC,OAAsC;IAEtC,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;IACvE,UAAU,GAAG,qBAAqB,CAAC,YAAY,CAAA;IAE/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,cAAc,CAAC,+BAA+B,EAAE,qBAAqB,CAAC,CAAA;IAC9E,CAAC;IAED,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC7B,MAAM,OAAO,GAAG,MAAM,KAAK;SACxB,kBAAkB,CAAC,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC;SAC1D,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,OAAO,qBAAqB,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,CAAC,CAAA;AACnD,CAAC;AA8ED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAqB,EACrB,UAAoD,EACpD,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;IAEvE,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC5D,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,0BAA0B,CACzB,EAAE,EACF,CAAC,EACD,IAAI,EACJ,qBAAqB,CAAC,YAAY,EAClC;QACE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CACF;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,MAAM,CAAC,GAAG,KAAK,CAAC,kCAAkC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAA;IAEnE,IAAI,MAAyC,CAAA;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,CAAA;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,4BAA4B,CAAC,MAAM,EAAE,UAAU,EAAE;gBACtD,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;aACZ,CAAC,CAAA;QACJ,CAAC;QACD,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,OAAO,qBAAqB,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;AAC3E,CAAC;AAgCD,MAAM,UAAU,kBAAkB,CAChC,MAAqB,EACrB,UAAqD;IAErD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,kBAAkB,GAAG,KAAK,CAAC,eAAe,CAC9C,EAAE,EACF,sBAAsB,EACtB,KAAK,EACL,OAAO,CACR,CAAA;IAED,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;IAC1C,CAAC;IAED,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1C,kBAAkB,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,IAAI,CAAC,CAAC,KAAK,YAAY,aAAa,CAAC,EAAE,CAAC;QACtC,MAAM,cAAc,CAClB,+CAA+C,EAC/C,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,aAAa,CAAC,SAAS,EAAE,CAAC;QAC7D,MAAM,cAAc,CAClB,0CAA0C,EAC1C,qBAAqB,CACtB,CAAA;IACH,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,OAAgB;IAC9B,OAAO,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;AAClE,CAAC;AAyBD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAqB,EACrB,WAAmB,EACnB,eAAiD,EACjD,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,GAC/D,GAAG,CAAC,MAAM,CAAC,CAAA;IACb,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,eAAe,CAAC,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE;QACnC,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,IAAI,IAAI,GAAG,KAAK,CAAC,uBAAuB,CAAC,EAAE,EAAE,CAAC,EAAE,eAAe,EAAE,QAAQ,EAAE;QACzE,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC,CAAA;IAEF,IAAI,MAA8B,CAAA;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,IAAI,CAAA;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE;gBACzD,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;aACZ,CAAC,CAAA;QACJ,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,cAAc,CAAC,QAAQ,CAAC,KAAK,iBAAiB;QAC5C,CAAC,MAAM,cAAc,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAEpC,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,SAAS,CAAC,GAAY,EAAE,OAAgC;IAC/D,IAAI,OAAO,EAAE,IAAI,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5C,OAAO,KAAK,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IACpC,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAqB,EACrB,KAAa,EACb,UAAqD;IAErD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,GACrE,GAAG,CAAC,MAAM,CAAC,CAAA;IACb,MAAM,QAAQ,GAAG,MAAM,KAAK;SACzB,oBAAoB,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE;QACxC,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,oBAAoB,EAAE,IAAI,eAAe,CAAC,UAAU,CAAC;QACrD,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,MAAM,MAAM,GAAG,MAAM,KAAK;SACvB,4BAA4B,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE;QAC7C,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC;SACD,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,cAAc,CAAC,QAAQ,CAAC,KAAK,qCAAqC;QAChE,CAAC,MAAM,cAAc,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAEpC,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,KAAK,GAAkB,MAAM,EAAE,CAAA;AA2DrC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAqB,EACrB,SAAiB,EACjB,UAAoD,EACpD,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IACrE,MAAM,MAAM,GAAG,MAAM,KAAK;SACvB,2BAA2B,CAC1B,EAAE,EACF,CAAC,EACD,IAAI,EACJ,SAAS,EACT,IAAI,eAAe,CAAC,UAAU,CAAC,EAC/B;QACE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CACF;SACA,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CACjB,KAAK,CAAC,mCAAmC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE;QACzD,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,OAAO;KAC5B,CAAC,CACH;SACA,KAAK,CAAC,YAAY,CAAC,CAAA;IAEtB,UAAU,CAAC,MAAM,CAAC,CAAA;IAClB,OAAO,MAAM,CAAA;AACf,CAAC;AAqBD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAqB,EACrB,KAAa,EACb,UAAqD;IAErD,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,MAAM,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC5D,OAAO,KAAK;SACT,iBAAiB,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE;QACrC,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,oBAAoB,EAAE,IAAI,eAAe,CAAC,UAAU,CAAC;QACrD,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CAAC;SACD,IAAI,CAAC,KAAK,CAAC,yBAAyB,CAAC;SACrC,KAAK,CAAC,YAAY,CAAC,CAAA;AACxB,CAAC;AAgBD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAqB,EACrB,WAAmB,EACnB,GAAQ,EACR,MAAc,EACd,IAAgB,EAChB,OAAiB,EACjB,OAAqB;IAErB,WAAW,CAAC,MAAM,CAAC,CAAA;IAEnB,OAAO,KAAK,IAAI,OAAO,EAAE,CAAA;IACzB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;IACvC,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAA;IAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,wBAAwB,CACzC,WAAW,EACX,MAAM,EACN,GAAG,EACH,OAAO,EACP,IAAI,EACJ;QACE,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK;QAC1B,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC,OAAO;QACvC,IAAI,EAAE,OAAO,EAAE,IAAI;QACnB,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC;KACxB,CACF,CAAA;IAED,IAAI,MAAgB,CAAA;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,IAAI,CAAA;IACrB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,sBAAsB,CAC3B,MAAM,EACN,WAAW,EACX,GAAG,EACH,MAAM,EACN,IAAI,EACJ,OAAO,EACP;gBACE,GAAG,OAAO;gBACV,IAAI,EAAE,KAAK;aACZ,CACF,CAAA;QACH,CAAC;QAED,YAAY,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,cAAc,CAAC,QAAkB;IACxC,OAAO,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;AAC5D,CAAC"} \ No newline at end of file diff --git a/build/passport.d.ts b/build/passport.d.ts new file mode 100644 index 00000000..ef33089e --- /dev/null +++ b/build/passport.d.ts @@ -0,0 +1,104 @@ +import * as client from './index.js'; +import type { PrivateKey } from 'oauth4webapi'; +import type * as express from 'express'; +import type passport from 'passport'; +export type VerifyFunction = ( +/** + * Parsed Token Endpoint Response returned by the authorization server with + * attached helpers. + */ +tokens: client.TokenEndpointResponse & client.TokenEndpointResponseHelpers, verified: passport.AuthenticateCallback) => void; +export type VerifyFunctionWithRequest = (req: express.Request, +/** + * Parsed Token Endpoint Response returned by the authorization server with + * attached helpers. + */ +tokens: client.TokenEndpointResponse & client.TokenEndpointResponseHelpers, verified: passport.AuthenticateCallback) => void; +/** + * Retrieve an openid-client DPoPHandle for a given request. + */ +export type getDPoPHandle = (req: express.Request) => client.DPoPHandle; +interface StrategyOptionsBase { + /** + * Openid-client Configuration instance. + */ + config: client.Configuration; + /** + * Name of the strategy, default is the host component of the authorization + * server's issuer identifier. + */ + name?: string; + /** + * Property in the session to use for storing the authorization request state, + * default is the host component of the authorization server's issuer + * identifier. + */ + sessionKey?: string; + /** + * Function used to retrieve an openid-client DPoPHandle for a given request, + * when provided the strategy will use DPoP where applicable. + */ + DPoP?: getDPoPHandle; + /** + * URL to which the authorization server will redirect the user after + * obtaining authorization. This will be used as the `redirect_uri` + * authorization request parameter unless specified elsewhere. + */ + callbackURL?: string; + /** + * Authorization Request Scope. This will be used as the `scope` authorization + * request parameter unless specified elsewhere. + */ + scope?: string; + /** + * Whether the strategy will use PAR. Default is `false`. + */ + usePAR?: boolean; + /** + * Whether the strategy will use JAR. Its value can be a private key to sign + * with or an array with the private key and a modify assertion function that + * will be used to modify the request object before it is signed. Default is + * `false`. + */ + useJAR?: false | client.CryptoKey | PrivateKey | [client.CryptoKey | PrivateKey, client.ModifyAssertionFunction]; + /** + * Whether the verify function should get the `req` as first argument instead. + * Default is `false`. + */ + passReqToCallback?: boolean; +} +export interface StrategyOptions extends StrategyOptionsBase { + passReqToCallback?: false; +} +export interface StrategyOptionsWithRequest extends StrategyOptionsBase { + passReqToCallback: true; +} +export declare class Strategy implements passport.Strategy { + /** + * Name of the strategy + */ + readonly name: string; + constructor(options: StrategyOptions, verify: VerifyFunction); + constructor(options: StrategyOptionsWithRequest, verify: VerifyFunctionWithRequest); + /** + * Return extra parameters to be included an authorization request. + */ + authorizationRequestParams(req: express.Request, options: TOptions): URLSearchParams | Record | undefined; + /** + * Return extra parameters to be included in the authorization code grant + * token endpoint request. + */ + authorizationCodeGrantParameters(req: express.Request, options: TOptions): URLSearchParams | Record | undefined; + /** + * Return the current request URL. + * + * - Its `searchParams` are used as the authorization response parameters when + * the response type used by the client is `code` + * - Its value stripped of `searchParams` and `hash` is used as the + * `redirect_uri` authorization code grant token endpoint parameter unless + * callbackURL was specified in the Strategy constructor + */ + currentUrl(req: express.Request): URL; + authenticate(this: passport.StrategyCreated, req: express.Request, options: TOptions): void; +} +export {}; diff --git a/build/passport.js b/build/passport.js new file mode 100644 index 00000000..cec77a98 --- /dev/null +++ b/build/passport.js @@ -0,0 +1,167 @@ +import * as client from './index.js'; +export class Strategy { + name; + _config; + _verify; + _callbackURL; + _sessionKey; + _passReqToCallback; + _proxy; + _usePAR; + _useJAR; + _DPoP; + _scope; + constructor(options, verify) { + if (!(options?.config instanceof client.Configuration)) { + throw new TypeError(); + } + if (typeof verify !== 'function') { + throw new TypeError(); + } + const { host } = new URL(options.config.serverMetadata().issuer); + this.name = options.name ?? host; + this._sessionKey = options.sessionKey ?? host; + this._DPoP = options.DPoP; + this._config = options.config; + this._scope = options.scope; + this._useJAR = options.useJAR; + this._usePAR = options.usePAR; + this._verify = verify; + this._callbackURL = options.callbackURL; + this._passReqToCallback = options.passReqToCallback; + } + authorizationRequestParams(req, options) { + return {}; + } + authorizationCodeGrantParameters(req, options) { + return {}; + } + async authorizationRequest(req, options) { + try { + let redirectTo = client.buildAuthorizationUrl(this._config, new URLSearchParams(this.authorizationRequestParams(req, options))); + if (redirectTo.searchParams.get('response_type')?.includes('id_token')) { + redirectTo.searchParams.set('nonce', client.randomNonce()); + } + const codeVerifier = client.randomPKCECodeVerifier(); + const code_challenge = await client.calculatePKCECodeChallenge(codeVerifier); + redirectTo.searchParams.set('code_challenge', code_challenge); + redirectTo.searchParams.set('code_challenge_method', 'S256'); + if (this._config + .serverMetadata() + .code_challenge_methods_supported?.includes('S256') !== true && + !redirectTo.searchParams.has('nonce')) { + redirectTo.searchParams.set('state', client.randomState()); + } + if (this._callbackURL && !redirectTo.searchParams.has('redirect_uri')) { + redirectTo.searchParams.set('redirect_uri', this._callbackURL); + } + if (this._scope && !redirectTo.searchParams.has('scope')) { + redirectTo.searchParams.set('scope', this._scope); + } + const sessionKey = this._sessionKey; + const stateData = { code_verifier: codeVerifier }; + let nonce; + if ((nonce = redirectTo.searchParams.get('nonce'))) { + stateData.nonce = nonce; + } + let state; + if ((state = redirectTo.searchParams.get('state'))) { + stateData.state = state; + } + let max_age; + if ((max_age = redirectTo.searchParams.get('max_age'))) { + stateData.max_age = parseInt(max_age, 10); + } + ; + req.session[sessionKey] = stateData; + if (this._useJAR) { + let key; + let modifyAssertion; + if (Array.isArray(this._useJAR)) { + ; + [key, modifyAssertion] = this._useJAR; + } + else { + key = this._useJAR; + } + redirectTo = await client.buildAuthorizationUrlWithJAR(this._config, redirectTo.searchParams, key, { [client.modifyAssertion]: modifyAssertion }); + } + if (this._usePAR) { + redirectTo = await client.buildAuthorizationUrlWithPAR(this._config, redirectTo.searchParams, { DPoP: this._DPoP?.(req) }); + } + return this.redirect(redirectTo.href); + } + catch (err) { + return this.error(err); + } + } + async authorizationCodeGrant(req, currentUrl, options) { + try { + const sessionKey = this._sessionKey; + const stateData = req.session[sessionKey]; + if (!stateData?.code_verifier) { + return this.fail({ + message: 'Unable to verify authorization request state', + }); + } + let input = currentUrl; + if (req.method === 'POST') { + input = new Request(currentUrl.href, { + method: 'POST', + headers: Object.entries(req.headersDistinct).reduce((acc, [key, values]) => { + for (const value of values) { + acc.append(key, value); + } + return acc; + }, new Headers()), + body: req, + duplex: 'half', + }); + } + const tokens = await client.authorizationCodeGrant(this._config, input, { + pkceCodeVerifier: stateData.code_verifier, + expectedNonce: stateData.nonce, + expectedState: stateData.state, + maxAge: stateData.max_age, + }, this.authorizationCodeGrantParameters(req, options), { DPoP: this._DPoP?.(req) }); + const verified = (err, user, info) => { + if (err) + return this.error(err); + if (!user) + return this.fail(info); + return this.success(user); + }; + if (this._passReqToCallback) { + return this._verify(req, tokens, verified); + } + return this._verify(tokens, verified); + } + catch (err) { + if (err instanceof client.AuthorizationResponseError && + err.error === 'access_denied') { + return this.fail({ + message: err.error_description || err.error, + ...Object.fromEntries(err.cause.entries()), + }); + } + return this.error(err); + } + } + currentUrl(req) { + return new URL(`${req.protocol}://${req.host}${req.url}`); + } + authenticate(req, options) { + if (!req.session) { + return this.error(new Error('OAuth 2.0 authentication requires session support. Did you forget to use express-session middleware?')); + } + const currentUrl = this.currentUrl(req); + if ((req.method === 'GET' && currentUrl.searchParams.size === 0) || + (currentUrl.searchParams.size === 1 && currentUrl.searchParams.has('iss'))) { + Strategy.prototype.authorizationRequest.call(this, req, options); + } + else { + Strategy.prototype.authorizationCodeGrant.call(this, req, currentUrl, options); + } + } +} +//# sourceMappingURL=passport.js.map \ No newline at end of file diff --git a/build/passport.js.map b/build/passport.js.map new file mode 100644 index 00000000..8047f1cd --- /dev/null +++ b/build/passport.js.map @@ -0,0 +1 @@ +{"version":3,"file":"passport.js","sourceRoot":"","sources":["../src/passport.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,YAAY,CAAA;AA2FpC,MAAM,OAAO,QAAQ;IAIV,IAAI,CAAQ;IAIrB,OAAO,CAAsB;IAI7B,OAAO,CAA4C;IAInD,YAAY,CAAS;IAIrB,WAAW,CAAQ;IAInB,kBAAkB,CAAU;IAI5B,MAAM,CAAU;IAIhB,OAAO,CAAU;IAIjB,OAAO,CAAgC;IAIvC,KAAK,CAA8B;IAInC,MAAM,CAAS;IAOf,YACE,OAAqD,EACrD,MAAkD;QAElD,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,YAAY,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,SAAS,EAAE,CAAA;QACvB,CAAC;QAED,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,EAAE,CAAA;QACvB,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,CAAA;QAEhE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAA;QAChC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAA;QAC7C,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAA;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,CAAA;QAC3B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;QAC7B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAA;QACrB,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,WAAW,CAAA;QACvC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,iBAAiB,CAAA;IACrD,CAAC;IAMD,0BAA0B,CAKxB,GAAoB,EAAE,OAAiB;QAEvC,OAAO,EAAE,CAAA;IACX,CAAC;IAOD,gCAAgC,CAK9B,GAAoB,EAAE,OAAiB;QAEvC,OAAO,EAAE,CAAA;IACX,CAAC;IAKD,KAAK,CAAC,oBAAoB,CAQxB,GAAoB,EACpB,OAAiB;QAEjB,IAAI,CAAC;YACH,IAAI,UAAU,GAAG,MAAM,CAAC,qBAAqB,CAC3C,IAAI,CAAC,OAAO,EACZ,IAAI,eAAe,CAAC,IAAI,CAAC,0BAA0B,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CACnE,CAAA;YAED,IAAI,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBACvE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;YAC5D,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,CAAC,sBAAsB,EAAE,CAAA;YACpD,MAAM,cAAc,GAClB,MAAM,MAAM,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAA;YACvD,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAA;YAC7D,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;YAE5D,IACE,IAAI,CAAC,OAAO;iBACT,cAAc,EAAE;iBAChB,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI;gBAC9D,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;YAC5D,CAAC;YAED,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;gBACtE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;YAChE,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;YACnD,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAA;YACnC,MAAM,SAAS,GAAc,EAAE,aAAa,EAAE,YAAY,EAAE,CAAA;YAE5D,IAAI,KAAoB,CAAA;YACxB,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACnD,SAAS,CAAC,KAAK,GAAG,KAAK,CAAA;YACzB,CAAC;YACD,IAAI,KAAoB,CAAA;YACxB,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACnD,SAAS,CAAC,KAAK,GAAG,KAAK,CAAA;YACzB,CAAC;YACD,IAAI,OAAsB,CAAA;YAC1B,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACvD,SAAS,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;YAC3C,CAAC;YAED,CAAC;YAAC,GAAW,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,SAAS,CAAA;YAE7C,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,IAAI,GAAyC,CAAA;gBAC7C,IAAI,eAA2D,CAAA;gBAC/D,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChC,CAAC;oBAAA,CAAC,GAAG,EAAE,eAAe,CAAC,GAAG,IAAI,CAAC,OAAO,CAAA;gBACxC,CAAC;qBAAM,CAAC;oBACN,GAAG,GAAG,IAAI,CAAC,OAAO,CAAA;gBACpB,CAAC;gBACD,UAAU,GAAG,MAAM,MAAM,CAAC,4BAA4B,CACpD,IAAI,CAAC,OAAO,EACZ,UAAU,CAAC,YAAY,EACvB,GAAG,EACH,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,eAAe,EAAE,CAC9C,CAAA;YACH,CAAC;YAED,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,UAAU,GAAG,MAAM,MAAM,CAAC,4BAA4B,CACpD,IAAI,CAAC,OAAO,EACZ,UAAU,CAAC,YAAY,EACvB,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,CAC5B,CAAA;YACH,CAAC;YAED,OAAO,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAKD,KAAK,CAAC,sBAAsB,CAQ1B,GAAoB,EACpB,UAAe,EACf,OAAiB;QAEjB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAA;YACnC,MAAM,SAAS,GAAe,GAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;YAE7D,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE,CAAC;gBAC9B,OAAO,IAAI,CAAC,IAAI,CAAC;oBACf,OAAO,EAAE,8CAA8C;iBACxD,CAAC,CAAA;YACJ,CAAC;YAED,IAAI,KAAK,GAAkB,UAAU,CAAA;YACrC,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1B,KAAK,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE;oBACnC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,MAAM,CACjD,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE;wBACrB,KAAK,MAAM,KAAK,IAAI,MAAO,EAAE,CAAC;4BAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;wBACxB,CAAC;wBACD,OAAO,GAAG,CAAA;oBACZ,CAAC,EACD,IAAI,OAAO,EAAE,CACd;oBACD,IAAI,EAAE,GAAG;oBACT,MAAM,EAAE,MAAM;iBACf,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAChD,IAAI,CAAC,OAAO,EACZ,KAAK,EACL;gBACE,gBAAgB,EAAE,SAAS,CAAC,aAAa;gBACzC,aAAa,EAAE,SAAS,CAAC,KAAK;gBAC9B,aAAa,EAAE,SAAS,CAAC,KAAK;gBAC9B,MAAM,EAAE,SAAS,CAAC,OAAO;aAC1B,EACD,IAAI,CAAC,gCAAgC,CAAC,GAAG,EAAE,OAAO,CAAC,EACnD,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,CAC5B,CAAA;YAED,MAAM,QAAQ,GAAkC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;gBAClE,IAAI,GAAG;oBAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;gBAC/B,IAAI,CAAC,IAAI;oBAAE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACjC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;YAC3B,CAAC,CAAA;YAED,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC5B,OAAQ,IAAI,CAAC,OAAqC,CAChD,GAAG,EACH,MAAM,EACN,QAAQ,CACT,CAAA;YACH,CAAC;YAED,OAAQ,IAAI,CAAC,OAA0B,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IACE,GAAG,YAAY,MAAM,CAAC,0BAA0B;gBAChD,GAAG,CAAC,KAAK,KAAK,eAAe,EAC7B,CAAC;gBACD,OAAO,IAAI,CAAC,IAAI,CAAC;oBACf,OAAO,EAAE,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,KAAK;oBAC3C,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;iBAC3C,CAAC,CAAA;YACJ,CAAC;YACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAWD,UAAU,CAAC,GAAoB;QAC7B,OAAO,IAAI,GAAG,CAAC,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,GAAG,EAAE,CAAC,CAAA;IAC3D,CAAC;IAED,YAAY,CAQV,GAAoB,EACpB,OAAiB;QAEjB,IAAI,CAAE,GAAW,CAAC,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,KAAK,CACf,IAAI,KAAK,CACP,sGAAsG,CACvG,CACF,CAAA;QACH,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAEvC,IACE,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,UAAU,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,CAAC;YAC5D,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAC1E,CAAC;YACD,QAAQ,CAAC,SAAS,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,CAAA;QAClE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,SAAS,CAAC,sBAAsB,CAAC,IAAI,CAC5C,IAAI,EACJ,GAAG,EACH,UAAU,EACV,OAAO,CACR,CAAA;QACH,CAAC;IACH,CAAC;CACF"} \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 6a731dcb..fffe138f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "openid-client", - "version": "6.1.0", + "version": "6.1.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "openid-client", - "version": "6.1.0", + "version": "6.1.1", "license": "MIT", "dependencies": { "jose": "^5.9.4", diff --git a/package.json b/package.json index aa41b6f0..36955b85 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "openid-client", - "version": "6.1.0", + "version": "6.1.1", "description": "OAuth 2 / OpenID Connect Client API for JavaScript Runtimes", "keywords": [ "access token", diff --git a/src/index.ts b/src/index.ts index 1251faef..d99d8bcb 100644 --- a/src/index.ts +++ b/src/index.ts @@ -9,7 +9,7 @@ if ( typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ') // prettier-ignore ) { const NAME = 'openid-client' - const VERSION = 'v6.1.0' + const VERSION = 'v6.1.1' USER_AGENT = `${NAME}/${VERSION}` headers = { 'user-agent': USER_AGENT } }