From 5b75092f2e69d73fdb712f173f20d31018ebf34c Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Mon, 2 Dec 2024 16:58:28 +0100 Subject: [PATCH] chore(release): 3.1.4 --- CHANGELOG.md | 7 + build/index.d.ts | 2286 ++++++++++++++++++++++++++++++++++++++++++ build/index.js | 2387 ++++++++++++++++++++++++++++++++++++++++++++ build/index.js.map | 1 + jsr.json | 2 +- package-lock.json | 4 +- package.json | 2 +- src/index.ts | 2 +- 8 files changed, 4686 insertions(+), 5 deletions(-) create mode 100644 build/index.d.ts create mode 100644 build/index.js create mode 100644 build/index.js.map diff --git a/CHANGELOG.md b/CHANGELOG.md index cedba382..ac6853a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [3.1.4](https://github.com/panva/oauth4webapi/compare/v3.1.3...v3.1.4) (2024-12-02) + + +### Refactor + +* **types:** move customFetch options into its own interface ([21c7d0a](https://github.com/panva/oauth4webapi/commit/21c7d0a0b9dc4375c05d5334777e939b3da8514f)) + ## [3.1.3](https://github.com/panva/oauth4webapi/compare/v3.1.2...v3.1.3) (2024-11-15) diff --git a/build/index.d.ts b/build/index.d.ts new file mode 100644 index 00000000..2e2f8d00 --- /dev/null +++ b/build/index.d.ts @@ -0,0 +1,2286 @@ +/** + * @ignore + */ +export type CryptoKey = Extract>, { + type: string; +}>; +export interface CryptoKeyPair { + privateKey: CryptoKey; + publicKey: CryptoKey; +} +/** + * JSON Object + */ +export type JsonObject = { + [Key in string]?: JsonValue; +}; +/** + * JSON Array + */ +export type JsonArray = JsonValue[]; +/** + * JSON Primitives + */ +export type JsonPrimitive = string | number | boolean | null; +/** + * JSON Values + */ +export type JsonValue = JsonPrimitive | JsonObject | JsonArray; +export interface ModifyAssertionFunction { + ( + /** + * JWS Header to modify right before it is signed. + */ + header: Record, + /** + * JWT Claims Set to modify right before it is signed. + */ + payload: Record): void; +} +/** + * Interface to pass an asymmetric private key and, optionally, its associated JWK Key ID to be + * added as a `kid` JOSE Header Parameter. + */ +export interface PrivateKey { + /** + * An asymmetric private CryptoKey. + * + * Its algorithm must be compatible with a supported {@link JWSAlgorithm JWS Algorithm}. + */ + key: CryptoKey; + /** + * JWK Key ID to add to JOSE headers when this key is used. When not provided no `kid` (JWK Key + * ID) will be added to the JOSE Header. + */ + kid?: string; +} +/** + * JWS `alg` Algorithm identifiers from the + * {@link https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms JSON Web Signature and Encryption Algorithms IANA registry} + * for which Digital Signature validation is implemented. + */ +export type JWSAlgorithm = 'PS256' | 'ES256' | 'RS256' | 'Ed25519' | 'ES384' | 'PS384' | 'RS384' | 'ES512' | 'PS512' | 'RS512' | 'EdDSA'; +export interface JWK { + readonly kty?: string; + readonly kid?: string; + readonly alg?: string; + readonly use?: string; + readonly key_ops?: string[]; + readonly e?: string; + readonly n?: string; + readonly crv?: string; + readonly x?: string; + readonly y?: string; + readonly [parameter: string]: JsonValue | undefined; +} +/** + * By default the module only allows interactions with HTTPS endpoints. Setting this option to + * `true` removes that restriction. + * + * @deprecated To make it stand out as something you shouldn't use, possibly only for local + * development and testing against non-TLS secured environments. + */ +export declare const allowInsecureRequests: unique symbol; +/** + * Use to adjust the assumed current time. Positive and negative finite values representing seconds + * are allowed. Default is `0` (Date.now() + 0 seconds is used). + * + * @example + * + * When the local clock is mistakenly 1 hour in the past + * + * ```ts + * let client: oauth.Client = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [oauth.clockSkew]: +(60 * 60), + * } + * ``` + * + * @example + * + * When the local clock is mistakenly 1 hour in the future + * + * ```ts + * let client: oauth.Client = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [oauth.clockSkew]: -(60 * 60), + * } + * ``` + */ +export declare const clockSkew: unique symbol; +/** + * Use to set allowed clock tolerance when checking DateTime JWT Claims. Only positive finite values + * representing seconds are allowed. Default is `30` (30 seconds). + * + * @example + * + * Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf. + * + * ```ts + * let client: oauth.Client = { + * client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428', + * // ... other metadata + * [oauth.clockTolerance]: 30, + * } + * ``` + */ +export declare const clockTolerance: unique symbol; +/** + * When configured on an interface that extends {@link HttpRequestOptions}, this applies to `options` + * parameter for functions that may trigger HTTP requests, this replaces the use of global fetch. As + * a fetch replacement the arguments and expected return are the same as fetch. + * + * In theory any module that claims to be compatible with the Fetch API can be used but your mileage + * may vary. No workarounds to allow use of non-conform {@link !Response}s will be considered. + * + * If you only need to update the {@link !Request} properties you do not need to use a Fetch API + * module, just change what you need and pass it to globalThis.fetch just like this module would + * normally do. + * + * Its intended use cases are: + * + * - {@link !Request}/{@link !Response} tracing and logging + * - Custom caching strategies for responses of Authorization Server Metadata and JSON Web Key Set + * (JWKS) endpoints + * - Changing the {@link !Request} properties like headers, body, credentials, mode before it is passed + * to fetch + * + * Known caveats: + * + * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly + * ever get their typings inline with actual fetch, you should `@ts-expect-error` them. + * - Returning self-constructed {@link !Response} instances prohibits AS/RS-signalled DPoP Nonce + * caching. + * + * @example + * + * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and its hooks feature for + * logging outgoing requests and their responses. + * + * ```js + * import ky from 'ky' + * + * // example use + * await oauth.discoveryRequest(new URL('https://as.example.com'), { + * [oauth.customFetch]: (...args) => + * ky(args[0], { + * ...args[1], + * hooks: { + * beforeRequest: [ + * (request) => { + * logRequest(request) + * }, + * ], + * beforeRetry: [ + * ({ request, error, retryCount }) => { + * logRetry(request, error, retryCount) + * }, + * ], + * afterResponse: [ + * (request, _, response) => { + * logResponse(request, response) + * }, + * ], + * }, + * }), + * }) + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to detect and use HTTP proxies. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/EnvHttpProxyAgent + * let envHttpProxyAgent = new undici.EnvHttpProxyAgent() + * + * // example use + * await oauth.discoveryRequest(new URL('https://as.example.com'), { + * // @ts-ignore + * [oauth.customFetch](...args) { + * return undici.fetch(args[0], { ...args[1], dispatcher: envHttpProxyAgent }) // prettier-ignore + * }, + * }) + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to automatically retry network errors. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/RetryAgent + * let retryAgent = new undici.RetryAgent(new undici.Agent(), { + * statusCodes: [], + * errorCodes: [ + * 'ECONNRESET', + * 'ECONNREFUSED', + * 'ENOTFOUND', + * 'ENETDOWN', + * 'ENETUNREACH', + * 'EHOSTDOWN', + * 'UND_ERR_SOCKET', + * ], + * }) + * + * // example use + * await oauth.discoveryRequest(new URL('https://as.example.com'), { + * // @ts-ignore + * [oauth.customFetch](...args) { + * return undici.fetch(args[0], { ...args[1], dispatcher: retryAgent }) // prettier-ignore + * }, + * }) + * ``` + * + * @example + * + * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in tests. + * + * ```ts + * import * as undici from 'undici' + * + * // see https://undici.nodejs.org/#/docs/api/MockAgent + * let mockAgent = new undici.MockAgent() + * mockAgent.disableNetConnect() + * + * // example use + * await oauth.discoveryRequest(new URL('https://as.example.com'), { + * // @ts-ignore + * [oauth.customFetch](...args) { + * return undici.fetch(args[0], { ...args[1], dispatcher: mockAgent }) // prettier-ignore + * }, + * }) + * ``` + */ +export declare const customFetch: unique symbol; +/** + * Use to mutate JWT header and payload before they are signed. Its intended use is working around + * non-conform server behaviours, such as modifying JWT "aud" (audience) claims, or otherwise + * changing fixed claims used by this library. + * + * @example + * + * Changing the `alg: "Ed25519"` back to `alg: "EdDSA"` + * + * ```ts + * let as!: oauth.AuthorizationServer + * let client!: oauth.Client + * let parameters!: URLSearchParams + * let key!: oauth.CryptoKey | oauth.PrivateKey + * let keyPair!: oauth.CryptoKeyPair + * + * let remapEd25519: oauth.ModifyAssertionOptions = { + * [oauth.modifyAssertion]: (header, _payload) => { + * if (header.alg === 'Ed25519') { + * header.alg = 'EdDSA' + * } + * }, + * } + * + * // For JAR + * oauth.issueRequestObject(as, client, parameters, key, remapEd25519) + * + * // For Private Key JWT + * oauth.PrivateKeyJwt(key, remapEd25519) + * + * // For DPoP + * oauth.DPoP(client, keyPair, remapEd25519) + * ``` + */ +export declare const modifyAssertion: unique symbol; +/** + * Use to add support for decrypting JWEs the client encounters, namely + * + * - Encrypted ID Tokens returned by the Token Endpoint + * - Encrypted ID Tokens returned as part of FAPI 1.0 Advanced Detached Signature authorization + * responses + * - Encrypted JWT UserInfo responses + * - Encrypted JWT Introspection responses + * - Encrypted JARM Responses + * + * @example + * + * Decrypting JARM responses + * + * ```ts + * import * as jose from 'jose' + * + * let as!: oauth.AuthorizationServer + * let client!: oauth.Client + * let key!: oauth.CryptoKey + * let alg!: string + * let enc!: string + * let currentUrl!: URL + * let state!: string | undefined + * + * let decoder = new TextDecoder() + * let jweDecrypt: oauth.JweDecryptFunction = async (jwe) => { + * const { plaintext } = await jose + * .compactDecrypt(jwe, key, { + * keyManagementAlgorithms: [alg], + * contentEncryptionAlgorithms: [enc], + * }) + * .catch((cause: unknown) => { + * throw new oauth.OperationProcessingError('decryption failed', { cause }) + * }) + * + * return decoder.decode(plaintext) + * } + * + * let params = await oauth.validateJwtAuthResponse(as, client, currentUrl, state, { + * [oauth.jweDecrypt]: jweDecrypt, + * }) + * ``` + */ +export declare const jweDecrypt: unique symbol; +/** + * DANGER ZONE - This option has security implications that must be understood, assessed for + * applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be + * writable by your own code. + * + * This option is intended for cloud computing runtimes that cannot keep an in memory cache between + * their code's invocations. Use in runtimes where an in memory cache between requests is available + * is not desirable. + * + * When configured on an interface that extends {@link JWKSCacheOptions}, this applies to `options` + * parameter for functions that may trigger HTTP requests to + * {@link AuthorizationServer.jwks_uri `as.jwks_uri`}, this allows the passed in object to: + * + * - Serve as an initial value for the JSON Web Key Set that the module would otherwise need to + * trigger an HTTP request for + * - Have the JSON Web Key Set the function optionally ended up triggering an HTTP request for + * assigned to it as properties + * + * The intended use pattern is: + * + * - Before executing a function with {@link JWKSCacheOptions} in its `options` parameter you pull the + * previously cached object from a low-latency key-value store offered by the cloud computing + * runtime it is executed on; + * - Default to an empty object `{}` instead when there's no previously cached value; + * - Pass it into the options interfaces that extend {@link JWKSCacheOptions}; + * - Afterwards, update the key-value storage if the {@link ExportedJWKSCache.uat `uat`} property of + * the object has changed. + * + * @example + * + * ```ts + * let as!: oauth.AuthorizationServer + * let request!: Request + * let expectedAudience!: string + * let getPreviouslyCachedJWKS!: () => Promise + * let storeNewJWKScache!: (cache: oauth.ExportedJWKSCache) => Promise + * + * // Load JSON Web Key Set cache + * let jwksCache: oauth.JWKSCacheInput = (await getPreviouslyCachedJWKS()) || {} + * let { uat } = jwksCache + * + * // Use JSON Web Key Set cache + * let accessTokenClaims = await oauth.validateJwtAccessToken(as, request, expectedAudience, { + * [oauth.jwksCache]: jwksCache, + * }) + * + * if (uat !== jwksCache.uat) { + * // Update JSON Web Key Set cache + * await storeNewJWKScache(jwksCache) + * } + * ``` + */ +export declare const jwksCache: unique symbol; +/** + * Authorization Server Metadata + * + * @see [IANA OAuth Authorization Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata) + */ +export interface AuthorizationServer { + /** + * Authorization server's Issuer Identifier URL. + */ + readonly issuer: string; + /** + * URL of the authorization server's authorization endpoint. + */ + readonly authorization_endpoint?: string; + /** + * URL of the authorization server's token endpoint. + */ + readonly token_endpoint?: string; + /** + * URL of the authorization server's JWK Set document. + */ + readonly jwks_uri?: string; + /** + * URL of the authorization server's Dynamic Client Registration Endpoint. + */ + readonly registration_endpoint?: string; + /** + * JSON array containing a list of the `scope` values that this authorization server supports. + */ + readonly scopes_supported?: string[]; + /** + * JSON array containing a list of the `response_type` values that this authorization server + * supports. + */ + readonly response_types_supported?: string[]; + /** + * JSON array containing a list of the `response_mode` values that this authorization server + * supports. + */ + readonly response_modes_supported?: string[]; + /** + * JSON array containing a list of the `grant_type` values that this authorization server + * supports. + */ + readonly grant_types_supported?: string[]; + /** + * JSON array containing a list of client authentication methods supported by this token endpoint. + */ + readonly token_endpoint_auth_methods_supported?: string[]; + /** + * JSON array containing a list of the JWS signing algorithms supported by the token endpoint for + * the signature on the JWT used to authenticate the client at the token endpoint. + */ + readonly token_endpoint_auth_signing_alg_values_supported?: string[]; + /** + * URL of a page containing human-readable information that developers might want or need to know + * when using the authorization server. + */ + readonly service_documentation?: string; + /** + * Languages and scripts supported for the user interface, represented as a JSON array of language + * tag values from RFC 5646. + */ + readonly ui_locales_supported?: string[]; + /** + * URL that the authorization server provides to the person registering the client to read about + * the authorization server's requirements on how the client can use the data provided by the + * authorization server. + */ + readonly op_policy_uri?: string; + /** + * URL that the authorization server provides to the person registering the client to read about + * the authorization server's terms of service. + */ + readonly op_tos_uri?: string; + /** + * URL of the authorization server's revocation endpoint. + */ + readonly revocation_endpoint?: string; + /** + * JSON array containing a list of client authentication methods supported by this revocation + * endpoint. + */ + readonly revocation_endpoint_auth_methods_supported?: string[]; + /** + * JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint + * for the signature on the JWT used to authenticate the client at the revocation endpoint. + */ + readonly revocation_endpoint_auth_signing_alg_values_supported?: string[]; + /** + * URL of the authorization server's introspection endpoint. + */ + readonly introspection_endpoint?: string; + /** + * JSON array containing a list of client authentication methods supported by this introspection + * endpoint. + */ + readonly introspection_endpoint_auth_methods_supported?: string[]; + /** + * JSON array containing a list of the JWS signing algorithms supported by the introspection + * endpoint for the signature on the JWT used to authenticate the client at the introspection + * endpoint. + */ + readonly introspection_endpoint_auth_signing_alg_values_supported?: string[]; + /** + * PKCE code challenge methods supported by this authorization server. + */ + readonly code_challenge_methods_supported?: string[]; + /** + * Signed JWT containing metadata values about the authorization server as claims. + */ + readonly signed_metadata?: string; + /** + * URL of the authorization server's device authorization endpoint. + */ + readonly device_authorization_endpoint?: string; + /** + * Indicates authorization server support for mutual-TLS client certificate-bound access tokens. + */ + readonly tls_client_certificate_bound_access_tokens?: boolean; + /** + * JSON object containing alternative authorization server endpoints, which a client intending to + * do mutual TLS will use in preference to the conventional endpoints. + */ + readonly mtls_endpoint_aliases?: MTLSEndpointAliases; + /** + * URL of the authorization server's UserInfo Endpoint. + */ + readonly userinfo_endpoint?: string; + /** + * JSON array containing a list of the Authentication Context Class References that this + * authorization server supports. + */ + readonly acr_values_supported?: string[]; + /** + * JSON array containing a list of the Subject Identifier types that this authorization server + * supports. + */ + readonly subject_types_supported?: string[]; + /** + * JSON array containing a list of the JWS `alg` values supported by the authorization server for + * the ID Token. + */ + readonly id_token_signing_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `alg` values supported by the authorization server for + * the ID Token. + */ + readonly id_token_encryption_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `enc` values supported by the authorization server for + * the ID Token. + */ + readonly id_token_encryption_enc_values_supported?: string[]; + /** + * JSON array containing a list of the JWS `alg` values supported by the UserInfo Endpoint. + */ + readonly userinfo_signing_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `alg` values supported by the UserInfo Endpoint. + */ + readonly userinfo_encryption_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `enc` values supported by the UserInfo Endpoint. + */ + readonly userinfo_encryption_enc_values_supported?: string[]; + /** + * JSON array containing a list of the JWS `alg` values supported by the authorization server for + * Request Objects. + */ + readonly request_object_signing_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `alg` values supported by the authorization server for + * Request Objects. + */ + readonly request_object_encryption_alg_values_supported?: string[]; + /** + * JSON array containing a list of the JWE `enc` values supported by the authorization server for + * Request Objects. + */ + readonly request_object_encryption_enc_values_supported?: string[]; + /** + * JSON array containing a list of the `display` parameter values that the authorization server + * supports. + */ + readonly display_values_supported?: string[]; + /** + * JSON array containing a list of the Claim Types that the authorization server supports. + */ + readonly claim_types_supported?: string[]; + /** + * JSON array containing a list of the Claim Names of the Claims that the authorization server MAY + * be able to supply values for. + */ + readonly claims_supported?: string[]; + /** + * Languages and scripts supported for values in Claims being returned, represented as a JSON + * array of RFC 5646 language tag values. + */ + readonly claims_locales_supported?: string[]; + /** + * Boolean value specifying whether the authorization server supports use of the `claims` + * parameter. + */ + readonly claims_parameter_supported?: boolean; + /** + * Boolean value specifying whether the authorization server supports use of the `request` + * parameter. + */ + readonly request_parameter_supported?: boolean; + /** + * Boolean value specifying whether the authorization server supports use of the `request_uri` + * parameter. + */ + readonly request_uri_parameter_supported?: boolean; + /** + * Boolean value specifying whether the authorization server requires any `request_uri` values + * used to be pre-registered. + */ + readonly require_request_uri_registration?: boolean; + /** + * Indicates where authorization request needs to be protected as Request Object and provided + * through either `request` or `request_uri` parameter. + */ + readonly require_signed_request_object?: boolean; + /** + * URL of the authorization server's pushed authorization request endpoint. + */ + readonly pushed_authorization_request_endpoint?: string; + /** + * Indicates whether the authorization server accepts authorization requests only via PAR. + */ + readonly require_pushed_authorization_requests?: boolean; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response signing. + */ + readonly introspection_signing_alg_values_supported?: string[]; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response content key encryption (`alg` value). + */ + readonly introspection_encryption_alg_values_supported?: string[]; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response content encryption (`enc` value). + */ + readonly introspection_encryption_enc_values_supported?: string[]; + /** + * Boolean value indicating whether the authorization server provides the `iss` parameter in the + * authorization response. + */ + readonly authorization_response_iss_parameter_supported?: boolean; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response signing. + */ + readonly authorization_signing_alg_values_supported?: string[]; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response encryption (`alg` value). + */ + readonly authorization_encryption_alg_values_supported?: string[]; + /** + * JSON array containing a list of algorithms supported by the authorization server for + * introspection response encryption (`enc` value). + */ + readonly authorization_encryption_enc_values_supported?: string[]; + /** + * CIBA Backchannel Authentication Endpoint. + */ + readonly backchannel_authentication_endpoint?: string; + /** + * JSON array containing a list of the JWS signing algorithms supported for validation of signed + * CIBA authentication requests. + */ + readonly backchannel_authentication_request_signing_alg_values_supported?: string[]; + /** + * Supported CIBA authentication result delivery modes. + */ + readonly backchannel_token_delivery_modes_supported?: string[]; + /** + * Indicates whether the authorization server supports the use of the CIBA `user_code` parameter. + */ + readonly backchannel_user_code_parameter_supported?: boolean; + /** + * URL of an authorization server iframe that supports cross-origin communications for session + * state information with the RP Client, using the HTML5 postMessage API. + */ + readonly check_session_iframe?: string; + /** + * JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs. + */ + readonly dpop_signing_alg_values_supported?: string[]; + /** + * URL at the authorization server to which an RP can perform a redirect to request that the + * End-User be logged out at the authorization server. + */ + readonly end_session_endpoint?: string; + /** + * Boolean value specifying whether the authorization server can pass `iss` (issuer) and `sid` + * (session ID) query parameters to identify the RP session with the authorization server when the + * `frontchannel_logout_uri` is used. + */ + readonly frontchannel_logout_session_supported?: boolean; + /** + * Boolean value specifying whether the authorization server supports HTTP-based logout. + */ + readonly frontchannel_logout_supported?: boolean; + /** + * Boolean value specifying whether the authorization server can pass a `sid` (session ID) Claim + * in the Logout Token to identify the RP session with the OP. + */ + readonly backchannel_logout_session_supported?: boolean; + /** + * Boolean value specifying whether the authorization server supports back-channel logout. + */ + readonly backchannel_logout_supported?: boolean; + readonly [metadata: string]: JsonValue | undefined; +} +export interface MTLSEndpointAliases extends Pick { + readonly [metadata: string]: string | undefined; +} +/** + * Recognized Client Metadata that have an effect on the exposed functionality. + * + * @see [IANA OAuth Client Registration Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata) + */ +export interface Client { + /** + * Client identifier. + */ + client_id: string; + /** + * JWS `alg` algorithm required for signing the ID Token issued to this Client. When not + * configured the default is to allow only algorithms listed in + * {@link AuthorizationServer.id_token_signing_alg_values_supported `as.id_token_signing_alg_values_supported`} + * and fall back to `RS256` when the authorization server metadata is not set. + */ + id_token_signed_response_alg?: string; + /** + * JWS `alg` algorithm required for signing authorization responses. When not configured the + * default is to allow only algorithms listed in + * {@link AuthorizationServer.authorization_signing_alg_values_supported `as.authorization_signing_alg_values_supported`} + * and fall back to `RS256` when the authorization server metadata is not set. + */ + authorization_signed_response_alg?: string; + /** + * Boolean value specifying whether the {@link IDToken.auth_time `auth_time`} Claim in the ID Token + * is REQUIRED. Default is `false`. + */ + require_auth_time?: boolean; + /** + * JWS `alg` algorithm REQUIRED for signing UserInfo Responses. When not configured the default is + * to allow only algorithms listed in + * {@link AuthorizationServer.userinfo_signing_alg_values_supported `as.userinfo_signing_alg_values_supported`} + * and fail otherwise. + */ + userinfo_signed_response_alg?: string; + /** + * JWS `alg` algorithm REQUIRED for signed introspection responses. When not configured the + * default is to allow only algorithms listed in + * {@link AuthorizationServer.introspection_signing_alg_values_supported `as.introspection_signing_alg_values_supported`} + * and fall back to `RS256` when the authorization server metadata is not set. + */ + introspection_signed_response_alg?: string; + /** + * Default Maximum Authentication Age. + */ + default_max_age?: number; + /** + * Indicates the requirement for a client to use mutual TLS endpoint aliases defined by the AS + * where present. Default is `false`. + * + * When combined with {@link customFetch} (to use a Fetch API implementation that supports client + * certificates) this can be used to target security profiles that utilize Mutual-TLS for either + * client authentication or sender constraining. + * + * @example + * + * (Node.js) Using [nodejs/undici](https://github.com/nodejs/undici) for Mutual-TLS Client + * Authentication and Certificate-Bound Access Tokens support. + * + * ```ts + * import * as undici from 'undici' + * + * let as!: oauth.AuthorizationServer + * let client!: oauth.Client & { use_mtls_endpoint_aliases: true } + * let params!: URLSearchParams + * let key!: string // PEM-encoded key + * let cert!: string // PEM-encoded certificate + * + * let clientAuth = oauth.TlsClientAuth() + * let agent = new undici.Agent({ connect: { key, cert } }) + * + * let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, { + * // @ts-ignore + * [oauth.customFetch]: (...args) => + * undici.fetch(args[0], { ...args[1], dispatcher: agent }), + * }) + * ``` + * + * @example + * + * (Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and + * Certificate-Bound Access Tokens support. + * + * ```ts + * let as!: oauth.AuthorizationServer + * let client!: oauth.Client & { use_mtls_endpoint_aliases: true } + * let params!: URLSearchParams + * let key!: string // PEM-encoded key + * let cert!: string // PEM-encoded certificate + * + * let clientAuth = oauth.TlsClientAuth() + * // @ts-ignore + * let agent = Deno.createHttpClient({ key, cert }) + * + * let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, { + * // @ts-ignore + * [oauth.customFetch]: (...args) => fetch(args[0], { ...args[1], client: agent }), + * }) + * ``` + * + * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html) + */ + use_mtls_endpoint_aliases?: boolean; + /** + * See {@link clockSkew}. + */ + [clockSkew]?: number; + /** + * See {@link clockTolerance}. + */ + [clockTolerance]?: number; + [metadata: string]: JsonValue | undefined; +} +/** + * @group Errors + */ +export declare class UnsupportedOperationError extends Error { + code: string; + /** + * @ignore + */ + constructor(message: string, options?: { + cause?: unknown; + }); +} +/** + * @group Errors + */ +export declare class OperationProcessingError extends Error { + code?: string; + /** + * @ignore + */ + constructor(message: string, options?: { + cause?: unknown; + code?: string; + }); +} +export interface JWKSCacheOptions { + /** + * See {@link jwksCache}. + */ + [jwksCache]?: JWKSCacheInput; +} +export interface CustomFetchOptions { + /** + * The request body content to send to the server + */ + body: BodyType; + /** + * HTTP Headers + */ + headers: Record; + /** + * The {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods request method} + */ + method: Method; + /** + * See {@link !Request.redirect} + */ + redirect: 'manual'; + /** + * Depending on whether {@link HttpRequestOptions.signal} was used, if so, it is the value passed, + * otherwise undefined + */ + signal?: AbortSignal; +} +export interface HttpRequestOptions { + /** + * An AbortSignal instance, or a factory returning one, to abort the HTTP request(s) triggered by + * this function's invocation. + * + * @example + * + * A 5000ms timeout AbortSignal for every request + * + * ```js + * let signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. + * ``` + */ + signal?: (() => AbortSignal) | AbortSignal; + /** + * Headers to additionally send with the HTTP request(s) triggered by this function's invocation. + */ + headers?: [string, string][] | Record | Headers; + /** + * See {@link customFetch}. + */ + [customFetch]?: ( + /** + * URL the request is being made sent to {@link !fetch} as the `resource` argument + */ + url: string, + /** + * Options otherwise sent to {@link !fetch} as the `options` argument + */ + options: CustomFetchOptions) => Promise; + /** + * See {@link allowInsecureRequests}. + * + * @deprecated + */ + [allowInsecureRequests]?: boolean; +} +export interface DiscoveryRequestOptions extends HttpRequestOptions<'GET'> { + /** + * The issuer transformation algorithm to use. + */ + algorithm?: 'oidc' | 'oauth2'; +} +/** + * Performs an authorization server metadata discovery using one of two + * {@link DiscoveryRequestOptions.algorithm transformation algorithms} applied to the + * `issuerIdentifier` argument. + * + * - `oidc` (default) as defined by OpenID Connect Discovery 1.0. + * - `oauth2` as defined by RFC 8414. + * + * @param issuerIdentifier Issuer Identifier to resolve the well-known discovery URI for. + * + * @group Authorization Server Metadata + * @group OpenID Connect (OIDC) Discovery + * + * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3) + * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) + */ +export declare function discoveryRequest(issuerIdentifier: URL, options?: DiscoveryRequestOptions): Promise; +/** + * Validates {@link !Response} instance to be one coming from the authorization server's well-known + * discovery endpoint. + * + * @param expectedIssuerIdentifier Expected Issuer Identifier value. + * @param response Resolved value from {@link discoveryRequest}. + * + * @returns Resolves with the discovered Authorization Server Metadata. + * + * @group Authorization Server Metadata + * @group OpenID Connect (OIDC) Discovery + * + * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3) + * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) + */ +export declare function processDiscoveryResponse(expectedIssuerIdentifier: URL, response: Response): Promise; +/** + * Generate random `code_verifier` value. + * + * @group Utilities + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group Proof Key for Code Exchange (PKCE) + * + * @see [RFC 7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4) + */ +export declare function generateRandomCodeVerifier(): string; +/** + * Generate random `state` value. + * + * @group Utilities + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1) + */ +export declare function generateRandomState(): string; +/** + * Generate random `nonce` value. + * + * @group Utilities + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) + */ +export declare function generateRandomNonce(): string; +/** + * Calculates the PKCE `code_challenge` value to send with an authorization request using the S256 + * PKCE Code Challenge Method transformation. + * + * @param codeVerifier `code_verifier` value generated e.g. from {@link generateRandomCodeVerifier}. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group Proof Key for Code Exchange (PKCE) + * + * @see [RFC 7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4) + */ +export declare function calculatePKCECodeChallenge(codeVerifier: string): Promise; +export interface DPoPRequestOptions { + /** + * DPoP handle, obtained from {@link DPoP} + */ + DPoP?: DPoPHandle; +} +export interface PushedAuthorizationRequestOptions extends HttpRequestOptions<'POST', URLSearchParams>, DPoPRequestOptions { +} +/** + * Implementation of the Client's Authentication Method at the Authorization Server. + * + * @see {@link ClientSecretPost} + * @see {@link ClientSecretBasic} + * @see {@link PrivateKeyJwt} + * @see {@link None} + * @see {@link TlsClientAuth} + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + */ +export type ClientAuth = (as: AuthorizationServer, client: Client, body: URLSearchParams, headers: Headers) => void | Promise; +/** + * **`client_secret_post`** uses the HTTP request body to send `client_id` and `client_secret` as + * `application/x-www-form-urlencoded` body parameters + * + * @example + * + * ```ts + * let clientSecret!: string + * + * let clientAuth = oauth.ClientSecretPost(clientSecret) + * ``` + * + * @param clientSecret + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretPost(clientSecret: string): ClientAuth; +/** + * **`client_secret_basic`** uses the HTTP `Basic` authentication scheme to send `client_id` and + * `client_secret` in an `Authorization` HTTP Header. + * + * @example + * + * ```ts + * let clientSecret!: string + * + * let clientAuth = oauth.ClientSecretBasic(clientSecret) + * ``` + * + * @param clientSecret + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretBasic(clientSecret: string): ClientAuth; +export interface ModifyAssertionOptions { + /** + * Use to modify a JWT assertion payload or header right before it is signed. + * + * @see {@link modifyAssertion} + */ + [modifyAssertion]?: ModifyAssertionFunction; +} +/** + * **`private_key_jwt`** uses the HTTP request body to send `client_id`, `client_assertion_type`, + * and `client_assertion` as `application/x-www-form-urlencoded` body parameters. Digital signature + * is used for the assertion's authenticity and integrity. + * + * @example + * + * ```ts + * let key!: oauth.CryptoKey | oauth.PrivateKey + * + * let clientAuth = oauth.PrivateKeyJwt(key) + * ``` + * + * @param clientPrivateKey + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function PrivateKeyJwt(clientPrivateKey: CryptoKey | PrivateKey, options?: ModifyAssertionOptions): ClientAuth; +/** + * **`client_secret_jwt`** uses the HTTP request body to send `client_id`, `client_assertion_type`, + * and `client_assertion` as `application/x-www-form-urlencoded` body parameters. HMAC is used for + * the assertion's authenticity and integrity. + * + * @example + * + * ```ts + * let clientSecret!: string + * + * let clientAuth = oauth.ClientSecretJwt(clientSecret) + * ``` + * + * @param clientSecret + * @param options + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function ClientSecretJwt(clientSecret: string, options?: ModifyAssertionOptions): ClientAuth; +/** + * **`none`** (public client) uses the HTTP request body to send only `client_id` as + * `application/x-www-form-urlencoded` body parameter. + * + * ```ts + * let clientAuth = oauth.None() + * ``` + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) + */ +export declare function None(): ClientAuth; +/** + * **`tls_client_auth`** uses the HTTP request body to send only `client_id` as + * `application/x-www-form-urlencoded` body parameter and the mTLS key and certificate is configured + * through {@link customFetch}. + * + * ```ts + * let clientAuth = oauth.TlsClientAuth() + * ``` + * + * @group Client Authentication + * + * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method) + * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication (PKI Mutual-TLS Method)](https://www.rfc-editor.org/rfc/rfc8705.html#name-pki-mutual-tls-method) + */ +export declare function TlsClientAuth(): ClientAuth; +/** + * Generates a signed JWT-Secured Authorization Request (JAR). + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param privateKey Private key to sign the Request Object with. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group JWT-Secured Authorization Request (JAR) + * + * @see [RFC 9101 - The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2) + */ +export declare function issueRequestObject(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record | string[][], privateKey: CryptoKey | PrivateKey, options?: ModifyAssertionOptions): Promise; +/** + * @ignore + */ +export declare function checkProtocol(url: URL, enforceHttps: boolean | undefined): void; +/** + * @ignore + */ +export declare function resolveEndpoint(as: AuthorizationServer, endpoint: keyof AuthorizationServer, useMtlsAlias: boolean | undefined, enforceHttps: boolean | undefined): URL; +/** + * Performs a Pushed Authorization Request at the + * {@link AuthorizationServer.pushed_authorization_request_endpoint `as.pushed_authorization_request_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param parameters Authorization Request parameters. + * + * @group Pushed Authorization Requests (PAR) + * + * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests (PAR)](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-with-pushed-authorizat) + */ +export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, parameters: URLSearchParams | Record | string[][], options?: PushedAuthorizationRequestOptions): Promise; +/** + * DPoP handle, obtained from {@link DPoP} + */ +export interface DPoPHandle { +} +/** + * Used to determine if a rejected error indicates the need to retry the request due to an + * expired/missing nonce. + * + * @group DPoP + */ +export declare function isDPoPNonceError(err: unknown): boolean; +/** + * Returns a wrapper / handle around a {@link CryptoKeyPair} that is used for negotiating and proving + * proof-of-possession to sender-constrain OAuth 2.0 tokens via DPoP at the Authorization Server and + * Resource Server. + * + * This wrapper / handle also keeps track of server-issued nonces, allowing requests to be retried + * with a fresh nonce when the server indicates the need to use one. {@link isDPoPNonceError} can be + * used to determine if a rejected error indicates the need to retry the request due to an + * expired/missing nonce. + * + * @example + * + * ```ts + * let client!: oauth.Client + * let keyPair!: oauth.CryptoKeyPair + * + * let DPoP = oauth.DPoP(client, keyPair) + * ``` + * + * @param keyPair Public/private key pair to sign the DPoP Proof JWT with + * + * @group DPoP + * + * @see {@link !DPoP RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)} + */ +export declare function DPoP(client: Client, keyPair: CryptoKeyPair, options?: ModifyAssertionOptions): DPoPHandle; +export interface PushedAuthorizationResponse { + readonly request_uri: string; + readonly expires_in: number; + readonly [parameter: string]: JsonValue | undefined; +} +export interface OAuth2Error { + readonly error: string; + readonly error_description?: string; + readonly error_uri?: string; + readonly algs?: string; + readonly scope?: string; + readonly [parameter: string]: JsonValue | undefined; +} +/** + * Throw when a server responds with an "OAuth-style" error JSON body + * + * @example + * + * ```http + * HTTP/1.1 400 Bad Request + * Content-Type: application/json;charset=UTF-8 + * Cache-Control: no-store + * Pragma: no-cache + * + * { + * "error": "invalid_request" + * } + * ``` + * + * @group Errors + */ +export declare class ResponseBodyError extends Error { + /** + * The parsed JSON response body + */ + cause: Record; + code: typeof RESPONSE_BODY_ERROR; + /** + * Error code given in the JSON response + */ + error: string; + /** + * HTTP Status Code of the response + */ + status: number; + /** + * Human-readable text providing additional information, used to assist the developer in + * understanding the error that occurred, given in the JSON response + */ + error_description?: string; + /** + * The "OAuth-style" error {@link !Response}, its {@link !Response.bodyUsed} is `false` and the JSON + * body is available in {@link ResponseBodyError.cause} + */ + response: Response; + /** + * @ignore + */ + constructor(message: string, options: { + cause: OAuth2Error; + response: Response; + }); +} +/** + * Thrown when OAuth 2.0 Authorization Error Response is encountered. + * + * @example + * + * ```http + * HTTP/1.1 302 Found + * Location: https://client.example.com/cb?error=access_denied&state=xyz + * ``` + * + * @group Errors + */ +export declare class AuthorizationResponseError extends Error { + /** + * Authorization Response parameters as {@link !URLSearchParams} + */ + cause: URLSearchParams; + code: typeof AUTHORIZATION_RESPONSE_ERROR; + /** + * Error code given in the Authorization Response + */ + error: string; + /** + * Human-readable text providing additional information, used to assist the developer in + * understanding the error that occurred, given in the Authorization Response + */ + error_description?: string; + /** + * @ignore + */ + constructor(message: string, options: { + cause: URLSearchParams; + }); +} +/** + * Thrown when a server responds with WWW-Authenticate challenges, typically because of expired + * tokens, or bad client authentication + * + * @example + * + * ```http + * HTTP/1.1 401 Unauthorized + * WWW-Authenticate: Bearer error="invalid_token", + * error_description="The access token expired" + * ``` + * + * @group Errors + */ +export declare class WWWAuthenticateChallengeError extends Error { + /** + * The parsed WWW-Authenticate HTTP Header challenges + */ + cause: WWWAuthenticateChallenge[]; + code: typeof WWW_AUTHENTICATE_CHALLENGE; + /** + * The {@link !Response} that included a WWW-Authenticate HTTP Header challenges, its + * {@link !Response.bodyUsed} is `true` + */ + response: Response; + /** + * HTTP Status Code of the response + */ + status: number; + /** + * @ignore + */ + constructor(message: string, options: { + cause: WWWAuthenticateChallenge[]; + response: Response; + }); +} +export interface WWWAuthenticateChallengeParameters { + readonly realm?: string; + readonly error?: string; + readonly error_description?: string; + readonly error_uri?: string; + readonly algs?: string; + readonly scope?: string; + /** + * NOTE: because the parameter names are case insensitive they are always returned lowercased + */ + readonly [parameter: Lowercase]: string | undefined; +} +export interface WWWAuthenticateChallenge { + /** + * NOTE: because the value is case insensitive it is always returned lowercased + */ + readonly scheme: Lowercase; + readonly parameters: WWWAuthenticateChallengeParameters; +} +/** + * Validates {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.pushed_authorization_request_endpoint `as.pushed_authorization_request_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link pushedAuthorizationRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Pushed Authorization Requests (PAR) + * + * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests (PAR)](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques) + */ +export declare function processPushedAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise; +export type ProtectedResourceRequestBody = ArrayBuffer | null | ReadableStream | string | Uint8Array | undefined | URLSearchParams; +export interface ProtectedResourceRequestOptions extends Omit, 'headers'>, DPoPRequestOptions { +} +/** + * Performs a protected resource request at an arbitrary URL. + * + * Authorization Header is used to transmit the Access Token value. + * + * @param accessToken The Access Token for the request. + * @param method The HTTP method for the request. + * @param url Target URL for the request. + * @param headers Headers for the request. + * @param body Request body compatible with the Fetch API and the request's method. + * + * @returns Resolves with a {@link !Response} instance. WWW-Authenticate HTTP Header challenges are + * rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Accessing Protected Resources + * + * @see [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access) + */ +export declare function protectedResourceRequest(accessToken: string, method: string, url: URL, headers?: Headers, body?: ProtectedResourceRequestBody, options?: ProtectedResourceRequestOptions): Promise; +export interface UserInfoRequestOptions extends HttpRequestOptions<'GET'>, DPoPRequestOptions { +} +/** + * Performs a UserInfo Request at the + * {@link AuthorizationServer.userinfo_endpoint `as.userinfo_endpoint`}. + * + * Authorization Header is used to transmit the Access Token value. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param accessToken Access Token value. + * + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group OpenID Connect (OIDC) UserInfo + * @group Accessing Protected Resources + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access) + */ +export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise; +export interface UserInfoAddress { + readonly formatted?: string; + readonly street_address?: string; + readonly locality?: string; + readonly region?: string; + readonly postal_code?: string; + readonly country?: string; + readonly [claim: string]: JsonValue | undefined; +} +export interface UserInfoResponse { + readonly sub: string; + readonly name?: string; + readonly given_name?: string; + readonly family_name?: string; + readonly middle_name?: string; + readonly nickname?: string; + readonly preferred_username?: string; + readonly profile?: string; + readonly picture?: string; + readonly website?: string; + readonly email?: string; + readonly email_verified?: boolean; + readonly gender?: string; + readonly birthdate?: string; + readonly zoneinfo?: string; + readonly locale?: string; + readonly phone_number?: string; + readonly updated_at?: number; + readonly address?: UserInfoAddress; + readonly [claim: string]: JsonValue | undefined; +} +export interface ExportedJWKSCache { + jwks: JWKS; + uat: number; +} +export type JWKSCacheInput = ExportedJWKSCache | Record; +/** + * DANGER ZONE - This option has security implications that must be understood, assessed for + * applicability, and accepted before use. + * + * Use this as a value to {@link processUserInfoResponse} `expectedSubject` parameter to skip the + * `sub` claim value check. + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse) + */ +export declare const skipSubjectCheck: unique symbol; +export interface JWEDecryptOptions { + /** + * See {@link jweDecrypt}. + */ + [jweDecrypt]?: JweDecryptFunction; +} +/** + * Validates {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.userinfo_endpoint `as.userinfo_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param expectedSubject Expected `sub` claim value. In response to OpenID Connect authentication + * requests, the expected subject is the one from the ID Token claims retrieved from + * {@link getValidatedIdTokenClaims}. + * @param response Resolved value from {@link userInfoRequest}. + * + * @returns Resolves with an object representing the parsed successful response. WWW-Authenticate + * HTTP Header challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group OpenID Connect (OIDC) UserInfo + * @group Accessing Protected Resources + * + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) + */ +export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response, options?: JWEDecryptOptions): Promise; +export interface TokenEndpointRequestOptions extends HttpRequestOptions<'POST', URLSearchParams>, DPoPRequestOptions { + /** + * Any additional parameters to send. This cannot override existing parameter values. + */ + additionalParameters?: URLSearchParams | Record | string[][]; +} +/** + * Performs a Refresh Token Grant request at the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param refreshToken Refresh Token value. + * + * @group Refreshing an Access Token + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request) + */ +export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, refreshToken: string, options?: TokenEndpointRequestOptions): Promise; +/** + * Returns ID Token claims validated during {@link processRefreshTokenResponse} or + * {@link processDeviceCodeResponse}. To optionally validate its JWS Signature use + * {@link validateApplicationLevelSignature} + * + * @param ref Value previously resolved from {@link processRefreshTokenResponse} or + * {@link processDeviceCodeResponse}. + * + * @returns JWT Claims Set from an ID Token, or undefined if there is no ID Token in `ref`. + */ +export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): IDToken | undefined; +export interface ValidateSignatureOptions extends HttpRequestOptions<'GET'>, JWKSCacheOptions { +} +/** + * Validates the JWS Signature of either a JWT {@link !Response.body} or + * {@link TokenEndpointResponse.id_token} of a processed {@link !Response} + * + * Note: Validating signatures of JWTs received via direct communication between the Client and a + * TLS-secured Endpoint (which it is here) is not mandatory since the TLS server validation is used + * to validate the issuer instead of checking the token signature. You only need to use this method + * for non-repudiation purposes. + * + * Note: Supports only digital signatures. + * + * @param as Authorization Server Metadata. + * @param ref Response previously processed by this module that contained an ID Token or its + * response body was a JWT + * + * @returns Resolves if the signature validates, rejects otherwise. + * + * @group FAPI 1.0 Advanced + * @group FAPI 2.0 Message Signing + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group OpenID Connect (OIDC) UserInfo + * @group Token Introspection + * + * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) + */ +export declare function validateApplicationLevelSignature(as: AuthorizationServer, ref: Response, options?: ValidateSignatureOptions): Promise; +/** + * Validates Refresh Token Grant {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link refreshTokenGrantRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Refreshing an Access Token + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens) + */ +export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise; +/** + * Performs an Authorization Code grant request at the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param callbackParameters Parameters obtained from the callback to redirect_uri, this is returned + * from {@link validateAuthResponse}, or {@link validateJwtAuthResponse}. + * @param redirectUri `redirect_uri` value used in the authorization request. + * @param codeVerifier PKCE `code_verifier` to send to the token endpoint. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + * @see [RFC 7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request) + */ +export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, callbackParameters: URLSearchParams, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise; +interface JWTPayload { + readonly iss?: string; + readonly sub?: string; + readonly aud?: string | string[]; + readonly jti?: string; + readonly nbf?: number; + readonly exp?: number; + readonly iat?: number; + readonly cnf?: ConfirmationClaims; + readonly [claim: string]: JsonValue | undefined; +} +export interface IDToken extends JWTPayload { + readonly iss: string; + readonly sub: string; + readonly aud: string | string[]; + readonly iat: number; + readonly exp: number; + readonly nonce?: string; + readonly auth_time?: number; + readonly azp?: string; + readonly [claim: string]: JsonValue | undefined; +} +export interface AuthorizationDetails { + readonly type: string; + readonly locations?: string[]; + readonly actions?: string[]; + readonly datatypes?: string[]; + readonly privileges?: string[]; + readonly identifier?: string; + readonly [parameter: string]: JsonValue | undefined; +} +export interface TokenEndpointResponse { + readonly access_token: string; + readonly expires_in?: number; + readonly id_token?: string; + readonly refresh_token?: string; + readonly scope?: string; + readonly authorization_details?: AuthorizationDetails[]; + /** + * NOTE: because the value is case insensitive it is always returned lowercased + */ + readonly token_type: 'bearer' | 'dpop' | Lowercase; + readonly [parameter: string]: JsonValue | undefined; +} +/** + * Use this as a value to {@link processAuthorizationCodeResponse} `oidc.expectedNonce` parameter to + * indicate no `nonce` ID Token claim value is expected, i.e. no `nonce` parameter value was sent + * with the authorization request. + */ +export declare const expectNoNonce: unique symbol; +/** + * Use this as a value to {@link processAuthorizationCodeResponse} `oidc.maxAge` parameter to + * indicate no `auth_time` ID Token claim value check should be performed. + */ +export declare const skipAuthTimeCheck: unique symbol; +export interface ProcessAuthorizationCodeResponseOptions extends JWEDecryptOptions { + /** + * Expected ID Token `nonce` claim value. Default is {@link expectNoNonce}. + */ + expectedNonce?: string | typeof expectNoNonce; + /** + * ID Token {@link IDToken.auth_time `auth_time`} claim value will be checked to be present and + * conform to the `maxAge` value. Use of this option is required if you sent a `max_age` parameter + * in an authorization request. Default is {@link Client.default_max_age `client.default_max_age`} + * and falls back to {@link skipAuthTimeCheck}. + */ + maxAge?: number | typeof skipAuthTimeCheck; + /** + * When true this requires {@link TokenEndpointResponse.id_token} to be present + */ + requireIdToken?: boolean; +} +/** + * Validates Authorization Code Grant {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link authorizationCodeGrantRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + */ +export declare function processAuthorizationCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessAuthorizationCodeResponseOptions): Promise; +/** + * @group Error Codes + * + * @see {@link WWWAuthenticateChallengeError} + */ +export declare const WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE"; +/** + * @group Error Codes + * + * @see {@link ResponseBodyError} + */ +export declare const RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR"; +/** + * @group Error Codes + * + * @see {@link UnsupportedOperationError} + */ +export declare const UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION"; +/** + * @group Error Codes + * + * @see {@link AuthorizationResponseError} + */ +export declare const AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR"; +/** + * Assigned as {@link OperationProcessingError.code} when a JWT UserInfo Response was expected but a + * regular JSON one was given instead. + * + * @group Error Codes + */ +export declare const JWT_USERINFO_EXPECTED = "OAUTH_JWT_USERINFO_EXPECTED"; +/** + * Assigned as {@link OperationProcessingError.code} when the following fails to parse as JSON + * + * - JWS/JWE Headers + * - JSON response bodies + * - "claims" authorization request parameters + * - "authorization_details" authorization request parameters + * + * @group Error Codes + */ +export declare const PARSE_ERROR = "OAUTH_PARSE_ERROR"; +/** + * Assigned as {@link OperationProcessingError.code} when authorization server responses are invalid. + * + * @group Error Codes + */ +export declare const INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE"; +/** + * Assigned as {@link OperationProcessingError.code} during {@link validateJwtAccessToken} when the + * request or its contents are invalid. + * + * @group Error Codes + */ +export declare const INVALID_REQUEST = "OAUTH_INVALID_REQUEST"; +/** + * Assigned as {@link OperationProcessingError.code} when a {@link !Response} does not have the + * expected `application/json` response-type HTTP Header. + * + * @group Error Codes + */ +export declare const RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON"; +/** + * Assigned as {@link OperationProcessingError.code} when a {@link !Response} does not have the + * expected success HTTP Status Code as defined by its specification. + * + * @group Error Codes + */ +export declare const RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM"; +/** + * Assigned as {@link OperationProcessingError.code} when a request is about to made to a non-TLS + * secured HTTP endpoint and {@link allowInsecureRequests} is not provided. + * + * @group Error Codes + */ +export declare const HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN"; +/** + * Assigned as {@link OperationProcessingError.code} when a request is about to made to a non-HTTP(S) + * endpoint. + * + * @group Error Codes + */ +export declare const REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN"; +/** + * Assigned as {@link OperationProcessingError.code} when a JWT NumericDate comparison with the + * current timestamp fails. + * + * @group Error Codes + * + * @see {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-2 JSON Web Token (JWT)} + */ +export declare const JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED"; +/** + * Assigned as {@link OperationProcessingError.code} when a JWT claim is not of a given expected + * value. + * + * @group Error Codes + * + * @see {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-2 JSON Web Token (JWT)} + */ +export declare const JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED"; +/** + * Assigned as {@link OperationProcessingError.code} when a {@link !Response} JSON body attribute is + * not of a given expected value. + * + * @group Error Codes + */ +export declare const JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED"; +/** + * Assigned as {@link OperationProcessingError.code} when a JWT signature validation fails to select + * an applicable key. + * + * @group Error Codes + */ +export declare const KEY_SELECTION = "OAUTH_KEY_SELECTION_FAILED"; +/** + * Assigned as {@link OperationProcessingError.code} when the AS configuration is missing metadata. + * + * @group Error Codes + */ +export declare const MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA"; +/** + * Assigned as {@link OperationProcessingError.code} when the AS configuration has invalid metadata. + * + * @group Error Codes + */ +export declare const INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA"; +export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions<'POST', URLSearchParams>, DPoPRequestOptions { +} +/** + * Performs a Client Credentials Grant request at the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * + * @group Client Credentials Grant + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request) + */ +export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, parameters: URLSearchParams | Record | string[][], options?: ClientCredentialsGrantRequestOptions): Promise; +/** + * Performs any Grant request at the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * The purpose is to be able to execute grant requests such as Token Exchange Grant Type, JWT Bearer + * Token Grant Type, or SAML 2.0 Bearer Assertion Grant Type. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param grantType Grant Type. + * + * @group JWT Bearer Token Grant Type + * @group SAML 2.0 Bearer Assertion Grant Type + * @group Token Exchange Grant Type + * + * @see {@link https://www.rfc-editor.org/rfc/rfc8693.html Token Exchange Grant Type} + * @see {@link https://www.rfc-editor.org/rfc/rfc7523.html#section-2.1 JWT Bearer Token Grant Type} + * @see {@link https://www.rfc-editor.org/rfc/rfc7522.html#section-2.1 SAML 2.0 Bearer Assertion Grant Type} + */ +export declare function genericTokenEndpointRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, grantType: string, parameters: URLSearchParams | Record | string[][], options?: Omit): Promise; +/** + * Validates Token Endpoint {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link genericTokenEndpointRequest}. + * + * @group JWT Bearer Token Grant Type + * @group SAML 2.0 Bearer Assertion Grant Type + * @group Token Exchange Grant Type + * + * @see {@link https://www.rfc-editor.org/rfc/rfc8693.html Token Exchange Grant Type} + * @see {@link https://www.rfc-editor.org/rfc/rfc7523.html#section-2.1 JWT Bearer Token Grant Type} + * @see {@link https://www.rfc-editor.org/rfc/rfc7522.html#section-2.1 SAML 2.0 Bearer Assertion Grant Type} + */ +export declare function processGenericTokenEndpointResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise; +/** + * Validates Client Credentials Grant {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link clientCredentialsGrantRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Client Credentials Grant + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4) + */ +export declare function processClientCredentialsResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise; +export interface RevocationRequestOptions extends HttpRequestOptions<'POST', URLSearchParams> { + /** + * Any additional parameters to send. This cannot override existing parameter values. + */ + additionalParameters?: URLSearchParams | Record | string[][]; +} +/** + * Performs a Revocation Request at the + * {@link AuthorizationServer.revocation_endpoint `as.revocation_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param token Token to revoke. You can provide the `token_type_hint` parameter via + * {@link RevocationRequestOptions.additionalParameters options}. + * + * @group Token Revocation + * + * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2) + */ +export declare function revocationRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, token: string, options?: RevocationRequestOptions): Promise; +/** + * Validates {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.revocation_endpoint `as.revocation_endpoint`}. + * + * @param response Resolved value from {@link revocationRequest}. + * + * @returns Resolves with `undefined` when the request was successful, or an object representing an + * OAuth 2.0 protocol style error. + * + * @group Token Revocation + * + * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2) + */ +export declare function processRevocationResponse(response: Response): Promise; +export interface IntrospectionRequestOptions extends HttpRequestOptions<'POST', URLSearchParams> { + /** + * Any additional parameters to send. This cannot override existing parameter values. + */ + additionalParameters?: URLSearchParams | Record | string[][]; + /** + * Request a JWT Response from the + * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}. Default is + * + * - True when + * {@link Client.introspection_signed_response_alg `client.introspection_signed_response_alg`} is + * set + * - False otherwise + */ + requestJwtResponse?: boolean; +} +/** + * Performs an Introspection Request at the + * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param token Token to introspect. You can provide the `token_type_hint` parameter via + * {@link IntrospectionRequestOptions.additionalParameters options}. + * + * @group Token Introspection + * + * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2) + * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-4) + */ +export declare function introspectionRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, token: string, options?: IntrospectionRequestOptions): Promise; +export interface ConfirmationClaims { + readonly 'x5t#S256'?: string; + readonly jkt?: string; + readonly [claim: string]: JsonValue | undefined; +} +export interface IntrospectionResponse { + readonly active: boolean; + readonly client_id?: string; + readonly exp?: number; + readonly iat?: number; + readonly sid?: string; + readonly iss?: string; + readonly jti?: string; + readonly username?: string; + readonly aud?: string | string[]; + readonly scope?: string; + readonly sub?: string; + readonly nbf?: number; + readonly token_type?: string; + readonly cnf?: ConfirmationClaims; + readonly authorization_details?: AuthorizationDetails[]; + readonly [claim: string]: JsonValue | undefined; +} +/** + * Validates {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link introspectionRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Token Introspection + * + * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2) + * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5) + */ +export declare function processIntrospectionResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise; +export interface JWKS { + readonly keys: JWK[]; +} +export type JweDecryptFunction = (jwe: string) => Promise; +/** + * Same as {@link validateAuthResponse} but for signed JARM responses. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param parameters JARM authorization response. + * @param expectedState Expected `state` parameter value. Default is {@link expectNoState}. + * + * @returns Validated Authorization Response parameters. Authorization Error Responses are rejected + * using {@link AuthorizationResponseError}. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * @group JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) + * @group FAPI 2.0 Message Signing + * @group FAPI 1.0 Advanced + * + * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html) + */ +export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise; +/** + * Same as {@link validateAuthResponse} but for FAPI 1.0 Advanced Detached Signature authorization + * responses. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param parameters Authorization Response parameters as URLSearchParams, instance of URL with + * parameters in a fragment/hash, or a `form_post` Request instance. + * @param expectedNonce Expected ID Token `nonce` claim value. + * @param expectedState Expected `state` parameter value. Default is {@link expectNoState}. + * @param maxAge ID Token {@link IDToken.auth_time `auth_time`} claim value will be checked to be + * present and conform to the `maxAge` value. Use of this option is required if you sent a + * `max_age` parameter in an authorization request. Default is + * {@link Client.default_max_age `client.default_max_age`} and falls back to + * {@link skipAuthTimeCheck}. + * + * @returns Validated Authorization Response parameters. Authorization Error Responses are rejected + * using {@link AuthorizationResponseError}. + * + * @group FAPI 1.0 Advanced + * + * @see [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature) + */ +export declare function validateDetachedSignatureResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL | Request, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise; +/** + * Same as {@link validateAuthResponse} but for `code id_token` authorization responses. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param parameters Authorization Response parameters as URLSearchParams, instance of URL with + * parameters in a fragment/hash, or a `form_post` Request instance. + * @param expectedNonce Expected ID Token `nonce` claim value. + * @param expectedState Expected `state` parameter value. Default is {@link expectNoState}. + * @param maxAge ID Token {@link IDToken.auth_time `auth_time`} claim value will be checked to be + * present and conform to the `maxAge` value. Use of this option is required if you sent a + * `max_age` parameter in an authorization request. Default is + * {@link Client.default_max_age `client.default_max_age`} and falls back to + * {@link skipAuthTimeCheck}. + * + * @returns Validated Authorization Response parameters. Authorization Error Responses are rejected + * using {@link AuthorizationResponseError}. + * + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth) + */ +export declare function validateCodeIdTokenResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL | Request, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise; +/** + * DANGER ZONE - This option has security implications that must be understood, assessed for + * applicability, and accepted before use. + * + * Use this as a value to {@link validateAuthResponse} `expectedState` parameter to skip the `state` + * value check when you'll be validating such `state` value yourself instead. This should only be + * done if you use a `state` parameter value that is integrity protected and bound to the browsing + * session. One such mechanism to do so is described in an I-D + * [draft-bradley-oauth-jwt-encoded-state-09](https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-09). + */ +export declare const skipStateCheck: unique symbol; +/** + * Use this as a value to {@link validateAuthResponse} `expectedState` parameter to indicate no + * `state` parameter value is expected, i.e. no `state` parameter value was sent with the + * authorization request. + */ +export declare const expectNoState: unique symbol; +/** + * Validates an OAuth 2.0 Authorization Response or Authorization Error Response message returned + * from the authorization server's + * {@link AuthorizationServer.authorization_endpoint `as.authorization_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param parameters Authorization response. + * @param expectedState Expected `state` parameter value. Default is {@link expectNoState}. + * + * @returns Validated Authorization Response parameters. Authorization Error Responses throw + * {@link AuthorizationResponseError}. + * + * @group Authorization Code Grant + * @group Authorization Code Grant w/ OpenID Connect (OIDC) + * + * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2) + * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + * @see [RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html) + */ +export declare function validateAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck): URLSearchParams; +export interface DeviceAuthorizationRequestOptions extends HttpRequestOptions<'POST', URLSearchParams> { +} +/** + * Performs a Device Authorization Request at the + * {@link AuthorizationServer.device_authorization_endpoint `as.device_authorization_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param parameters Device Authorization Request parameters. + * + * @group Device Authorization Grant + * + * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1) + */ +export declare function deviceAuthorizationRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, parameters: URLSearchParams | Record | string[][], options?: DeviceAuthorizationRequestOptions): Promise; +export interface DeviceAuthorizationResponse { + /** + * The device verification code + */ + readonly device_code: string; + /** + * The end-user verification code + */ + readonly user_code: string; + /** + * The end-user verification URI on the authorization server. The URI should be short and easy to + * remember as end users will be asked to manually type it into their user agent. + */ + readonly verification_uri: string; + /** + * The lifetime in seconds of the "device_code" and "user_code" + */ + readonly expires_in: number; + /** + * A verification URI that includes the "user_code" (or other information with the same function + * as the "user_code"), which is designed for non-textual transmission + */ + readonly verification_uri_complete?: string; + /** + * The minimum amount of time in seconds that the client should wait between polling requests to + * the token endpoint. + */ + readonly interval?: number; + readonly [parameter: string]: JsonValue | undefined; +} +/** + * Validates {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.device_authorization_endpoint `as.device_authorization_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link deviceAuthorizationRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Device Authorization Grant + * + * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1) + */ +export declare function processDeviceAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise; +/** + * Performs a Device Authorization Grant request at the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param clientAuthentication Client Authentication Method. + * @param deviceCode Device Code. + * + * @group Device Authorization Grant + * + * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request) + */ +export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, deviceCode: string, options?: TokenEndpointRequestOptions): Promise; +/** + * Validates Device Authorization Grant {@link !Response} instance to be one coming from the + * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}. + * + * @param as Authorization Server Metadata. + * @param client Client Metadata. + * @param response Resolved value from {@link deviceCodeGrantRequest}. + * + * @returns Resolves with an object representing the parsed successful response. OAuth 2.0 protocol + * style errors are rejected using {@link ResponseBodyError}. WWW-Authenticate HTTP Header + * challenges are rejected with {@link WWWAuthenticateChallengeError}. + * + * @group Device Authorization Grant + * + * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4) + */ +export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise; +export interface GenerateKeyPairOptions { + /** + * Indicates whether or not the private key may be exported. Default is `false`. + */ + extractable?: boolean; + /** + * (RSA algorithms only) The length, in bits, of the RSA modulus. Default is `2048`. + */ + modulusLength?: number; +} +/** + * Generates a {@link CryptoKeyPair} for a given JWS `alg` Algorithm identifier. + * + * @param alg Supported JWS `alg` Algorithm identifier. Must be a + * {@link JWSAlgorithm supported JWS Algorithm}. + * + * @group Utilities + */ +export declare function generateKeyPair(alg: string, options?: GenerateKeyPairOptions): Promise; +export interface JWTAccessTokenClaims extends JWTPayload { + readonly iss: string; + readonly exp: number; + readonly aud: string | string[]; + readonly sub: string; + readonly iat: number; + readonly jti: string; + readonly client_id: string; + readonly authorization_details?: AuthorizationDetails[]; + readonly scope?: string; + readonly [claim: string]: JsonValue | undefined; +} +export interface ValidateJWTAccessTokenOptions extends HttpRequestOptions<'GET'>, JWKSCacheOptions { + /** + * Indicates whether DPoP use is required. + */ + requireDPoP?: boolean; + /** + * See {@link clockSkew}. + */ + [clockSkew]?: number; + /** + * See {@link clockTolerance}. + */ + [clockTolerance]?: number; + /** + * Supported (or expected) JWT "alg" header parameter values for the JWT Access Token (and DPoP + * Proof JWTs). Default is all {@link JWSAlgorithm supported JWS Algorithms}. + */ + signingAlgorithms?: string[]; +} +/** + * Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given {@link !Request} as per + * RFC 6750, RFC 9068, and RFC 9449. + * + * The only supported means of sending access tokens is via the Authorization Request Header Field + * method. + * + * This does validate the presence and type of all required claims as well as the values of the + * {@link JWTAccessTokenClaims.iss `iss`}, {@link JWTAccessTokenClaims.exp `exp`}, + * {@link JWTAccessTokenClaims.aud `aud`} claims. + * + * This does NOT validate the {@link JWTAccessTokenClaims.sub `sub`}, + * {@link JWTAccessTokenClaims.jti `jti`}, and {@link JWTAccessTokenClaims.client_id `client_id`} + * claims beyond just checking that they're present and that their type is a string. If you need to + * validate these values further you would do so after this function's execution. + * + * This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to + * clients you would check these after this function's execution. + * + * This does NOT validate authorization claims such as `scope` either, you would do so after this + * function's execution. + * + * @param as Authorization Server to accept JWT Access Tokens from. + * @param expectedAudience Audience identifier the resource server expects for itself. + * + * @group JWT Access Tokens + * + * @see [RFC 6750 - OAuth 2.0 Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html) + * @see [RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://www.rfc-editor.org/rfc/rfc9068.html) + * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html) + */ +export declare function validateJwtAccessToken(as: AuthorizationServer, request: Request, expectedAudience: string, options?: ValidateJWTAccessTokenOptions): Promise; +export {}; diff --git a/build/index.js b/build/index.js new file mode 100644 index 00000000..e3b35983 --- /dev/null +++ b/build/index.js @@ -0,0 +1,2387 @@ +let USER_AGENT; +if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) { + const NAME = 'oauth4webapi'; + const VERSION = 'v3.1.4'; + USER_AGENT = `${NAME}/${VERSION}`; +} +function looseInstanceOf(input, expected) { + if (input == null) { + return false; + } + try { + return (input instanceof expected || + Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]); + } + catch { + return false; + } +} +const ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE'; +const ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE'; +function CodedTypeError(message, code, cause) { + const err = new TypeError(message, { cause }); + Object.assign(err, { code }); + return err; +} +export const allowInsecureRequests = Symbol(); +export const clockSkew = Symbol(); +export const clockTolerance = Symbol(); +export const customFetch = Symbol(); +export const modifyAssertion = Symbol(); +export const jweDecrypt = Symbol(); +export const jwksCache = Symbol(); +const encoder = new TextEncoder(); +const decoder = new TextDecoder(); +function buf(input) { + if (typeof input === 'string') { + return encoder.encode(input); + } + return decoder.decode(input); +} +const CHUNK_SIZE = 0x8000; +function encodeBase64Url(input) { + if (input instanceof ArrayBuffer) { + input = new Uint8Array(input); + } + const arr = []; + for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) { + arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE))); + } + return btoa(arr.join('')).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_'); +} +function decodeBase64Url(input) { + try { + const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, '')); + const bytes = new Uint8Array(binary.length); + for (let i = 0; i < binary.length; i++) { + bytes[i] = binary.charCodeAt(i); + } + return bytes; + } + catch (cause) { + throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause); + } +} +function b64u(input) { + if (typeof input === 'string') { + return decodeBase64Url(input); + } + return encodeBase64Url(input); +} +export class UnsupportedOperationError extends Error { + code; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + this.code = UNSUPPORTED_OPERATION; + Error.captureStackTrace?.(this, this.constructor); + } +} +export class OperationProcessingError extends Error { + code; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + if (options?.code) { + this.code = options?.code; + } + Error.captureStackTrace?.(this, this.constructor); + } +} +function OPE(message, code, cause) { + return new OperationProcessingError(message, { code, cause }); +} +function assertCryptoKey(key, it) { + if (!(key instanceof CryptoKey)) { + throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE); + } +} +function assertPrivateKey(key, it) { + assertCryptoKey(key, it); + if (key.type !== 'private') { + throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE); + } +} +function assertPublicKey(key, it) { + assertCryptoKey(key, it); + if (key.type !== 'public') { + throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE); + } +} +function normalizeTyp(value) { + return value.toLowerCase().replace(/^application\//, ''); +} +function isJsonObject(input) { + if (input === null || typeof input !== 'object' || Array.isArray(input)) { + return false; + } + return true; +} +function prepareHeaders(input) { + if (looseInstanceOf(input, Headers)) { + input = Object.fromEntries(input.entries()); + } + const headers = new Headers(input); + if (USER_AGENT && !headers.has('user-agent')) { + headers.set('user-agent', USER_AGENT); + } + if (headers.has('authorization')) { + throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE); + } + if (headers.has('dpop')) { + throw CodedTypeError('"options.headers" must not include the "dpop" header name', ERR_INVALID_ARG_VALUE); + } + return headers; +} +function signal(value) { + if (typeof value === 'function') { + value = value(); + } + if (!(value instanceof AbortSignal)) { + throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE); + } + return value; +} +export async function discoveryRequest(issuerIdentifier, options) { + if (!(issuerIdentifier instanceof URL)) { + throw CodedTypeError('"issuerIdentifier" must be an instance of URL', ERR_INVALID_ARG_TYPE); + } + checkProtocol(issuerIdentifier, options?.[allowInsecureRequests] !== true); + const url = new URL(issuerIdentifier.href); + switch (options?.algorithm) { + case undefined: + case 'oidc': + url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace('//', '/'); + break; + case 'oauth2': + if (url.pathname === '/') { + url.pathname = '.well-known/oauth-authorization-server'; + } + else { + url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/'); + } + break; + default: + throw CodedTypeError('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE); + } + const headers = prepareHeaders(options?.headers); + headers.set('accept', 'application/json'); + return (options?.[customFetch] || fetch)(url.href, { + body: undefined, + headers: Object.fromEntries(headers.entries()), + method: 'GET', + redirect: 'manual', + signal: options?.signal ? signal(options.signal) : undefined, + }); +} +function assertNumber(input, allow0, it, code, cause) { + try { + if (typeof input !== 'number' || !Number.isFinite(input)) { + throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause); + } + if (input > 0) + return; + if (allow0 && input !== 0) { + throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause); + } + throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause); + } + catch (err) { + if (code) { + throw OPE(err.message, code, cause); + } + throw err; + } +} +function assertString(input, it, code, cause) { + try { + if (typeof input !== 'string') { + throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause); + } + if (input.length === 0) { + throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause); + } + } + catch (err) { + if (code) { + throw OPE(err.message, code, cause); + } + throw err; + } +} +export async function processDiscoveryResponse(expectedIssuerIdentifier, response) { + if (!(expectedIssuerIdentifier instanceof URL) && + expectedIssuerIdentifier !== _nodiscoverycheck) { + throw CodedTypeError('"expectedIssuer" must be an instance of URL', ERR_INVALID_ARG_TYPE); + } + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + if (response.status !== 200) { + throw OPE('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + assertApplicationJson(response); + let json; + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + assertString(json.issuer, '"response" body "issuer" property', INVALID_RESPONSE, { body: json }); + if (new URL(json.issuer).href !== expectedIssuerIdentifier.href && + expectedIssuerIdentifier !== _nodiscoverycheck) { + throw OPE('"response" body "issuer" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expectedIssuerIdentifier.href, body: json, attribute: 'issuer' }); + } + return json; +} +function assertApplicationJson(response) { + assertContentType(response, 'application/json'); +} +function notJson(response, ...types) { + let msg = '"response" content-type must be '; + if (types.length > 2) { + const last = types.pop(); + msg += `${types.join(', ')}, or ${last}`; + } + else if (types.length === 2) { + msg += `${types[0]} or ${types[1]}`; + } + else { + msg += types[0]; + } + return OPE(msg, RESPONSE_IS_NOT_JSON, response); +} +function assertContentTypes(response, ...types) { + if (!types.includes(getContentType(response))) { + throw notJson(response, ...types); + } +} +function assertContentType(response, contentType) { + if (getContentType(response) !== contentType) { + throw notJson(response, contentType); + } +} +function randomBytes() { + return b64u(crypto.getRandomValues(new Uint8Array(32))); +} +export function generateRandomCodeVerifier() { + return randomBytes(); +} +export function generateRandomState() { + return randomBytes(); +} +export function generateRandomNonce() { + return randomBytes(); +} +export async function calculatePKCECodeChallenge(codeVerifier) { + assertString(codeVerifier, 'codeVerifier'); + return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier))); +} +function getKeyAndKid(input) { + if (input instanceof CryptoKey) { + return { key: input }; + } + if (!(input?.key instanceof CryptoKey)) { + return {}; + } + if (input.kid !== undefined) { + assertString(input.kid, '"kid"'); + } + return { + key: input.key, + kid: input.kid, + }; +} +function psAlg(key) { + switch (key.algorithm.hash.name) { + case 'SHA-256': + return 'PS256'; + case 'SHA-384': + return 'PS384'; + case 'SHA-512': + return 'PS512'; + default: + throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', { + cause: key, + }); + } +} +function rsAlg(key) { + switch (key.algorithm.hash.name) { + case 'SHA-256': + return 'RS256'; + case 'SHA-384': + return 'RS384'; + case 'SHA-512': + return 'RS512'; + default: + throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', { + cause: key, + }); + } +} +function esAlg(key) { + switch (key.algorithm.namedCurve) { + case 'P-256': + return 'ES256'; + case 'P-384': + return 'ES384'; + case 'P-521': + return 'ES512'; + default: + throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve', { cause: key }); + } +} +function keyToJws(key) { + switch (key.algorithm.name) { + case 'RSA-PSS': + return psAlg(key); + case 'RSASSA-PKCS1-v1_5': + return rsAlg(key); + case 'ECDSA': + return esAlg(key); + case 'Ed25519': + case 'EdDSA': + return 'Ed25519'; + default: + throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key }); + } +} +function getClockSkew(client) { + const skew = client?.[clockSkew]; + return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0; +} +function getClockTolerance(client) { + const tolerance = client?.[clockTolerance]; + return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 + ? tolerance + : 30; +} +function epochTime() { + return Math.floor(Date.now() / 1000); +} +function assertAs(as) { + if (typeof as !== 'object' || as === null) { + throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE); + } + assertString(as.issuer, '"as.issuer"'); +} +function assertClient(client) { + if (typeof client !== 'object' || client === null) { + throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE); + } + assertString(client.client_id, '"client.client_id"'); +} +function formUrlEncode(token) { + return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => { + switch (substring) { + case '-': + case '_': + case '.': + case '!': + case '~': + case '*': + case "'": + case '(': + case ')': + return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`; + case '%20': + return '+'; + default: + throw new Error(); + } + }); +} +export function ClientSecretPost(clientSecret) { + assertString(clientSecret, '"clientSecret"'); + return (_as, client, body, _headers) => { + body.set('client_id', client.client_id); + body.set('client_secret', clientSecret); + }; +} +export function ClientSecretBasic(clientSecret) { + assertString(clientSecret, '"clientSecret"'); + return (_as, client, _body, headers) => { + const username = formUrlEncode(client.client_id); + const password = formUrlEncode(clientSecret); + const credentials = btoa(`${username}:${password}`); + headers.set('authorization', `Basic ${credentials}`); + }; +} +function clientAssertionPayload(as, client) { + const now = epochTime() + getClockSkew(client); + return { + jti: randomBytes(), + aud: as.issuer, + exp: now + 60, + iat: now, + nbf: now, + iss: client.client_id, + sub: client.client_id, + }; +} +export function PrivateKeyJwt(clientPrivateKey, options) { + const { key, kid } = getKeyAndKid(clientPrivateKey); + assertPrivateKey(key, '"clientPrivateKey.key"'); + return async (as, client, body, _headers) => { + const header = { alg: keyToJws(key), kid }; + const payload = clientAssertionPayload(as, client); + options?.[modifyAssertion]?.(header, payload); + body.set('client_id', client.client_id); + body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'); + body.set('client_assertion', await signJwt(header, payload, key)); + }; +} +export function ClientSecretJwt(clientSecret, options) { + assertString(clientSecret, '"clientSecret"'); + const modify = options?.[modifyAssertion]; + let key; + return async (as, client, body, _headers) => { + key ||= await crypto.subtle.importKey('raw', buf(clientSecret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']); + const header = { alg: 'HS256' }; + const payload = clientAssertionPayload(as, client); + modify?.(header, payload); + const data = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`; + const hmac = await crypto.subtle.sign(key.algorithm, key, buf(data)); + body.set('client_id', client.client_id); + body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'); + body.set('client_assertion', `${data}.${b64u(new Uint8Array(hmac))}`); + }; +} +export function None() { + return (_as, client, body, _headers) => { + body.set('client_id', client.client_id); + }; +} +export function TlsClientAuth() { + return None(); +} +async function signJwt(header, payload, key) { + if (!key.usages.includes('sign')) { + throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE); + } + const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`; + const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input))); + return `${input}.${signature}`; +} +export async function issueRequestObject(as, client, parameters, privateKey, options) { + assertAs(as); + assertClient(client); + parameters = new URLSearchParams(parameters); + const { key, kid } = getKeyAndKid(privateKey); + assertPrivateKey(key, '"privateKey.key"'); + parameters.set('client_id', client.client_id); + const now = epochTime() + getClockSkew(client); + const claims = { + ...Object.fromEntries(parameters.entries()), + jti: randomBytes(), + aud: as.issuer, + exp: now + 60, + iat: now, + nbf: now, + iss: client.client_id, + }; + let resource; + if (parameters.has('resource') && + (resource = parameters.getAll('resource')) && + resource.length > 1) { + claims.resource = resource; + } + { + let value = parameters.get('max_age'); + if (value !== null) { + claims.max_age = parseInt(value, 10); + assertNumber(claims.max_age, true, '"max_age" parameter'); + } + } + { + let value = parameters.get('claims'); + if (value !== null) { + try { + claims.claims = JSON.parse(value); + } + catch (cause) { + throw OPE('failed to parse the "claims" parameter as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(claims.claims)) { + throw CodedTypeError('"claims" parameter must be a JSON with a top level object', ERR_INVALID_ARG_VALUE); + } + } + } + { + let value = parameters.get('authorization_details'); + if (value !== null) { + try { + claims.authorization_details = JSON.parse(value); + } + catch (cause) { + throw OPE('failed to parse the "authorization_details" parameter as JSON', PARSE_ERROR, cause); + } + if (!Array.isArray(claims.authorization_details)) { + throw CodedTypeError('"authorization_details" parameter must be a JSON with a top level array', ERR_INVALID_ARG_VALUE); + } + } + } + const header = { + alg: keyToJws(key), + typ: 'oauth-authz-req+jwt', + kid, + }; + options?.[modifyAssertion]?.(header, claims); + return signJwt(header, claims, key); +} +let jwkCache; +async function getSetPublicJwkCache(key) { + const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key); + const jwk = { kty, e, n, x, y, crv }; + jwkCache.set(key, jwk); + return jwk; +} +async function publicJwk(key) { + jwkCache ||= new WeakMap(); + return jwkCache.get(key) || getSetPublicJwkCache(key); +} +const URLParse = URL.parse + ? + (url, base) => URL.parse(url, base) + : (url, base) => { + try { + return new URL(url, base); + } + catch { + return null; + } + }; +export function checkProtocol(url, enforceHttps) { + if (enforceHttps && url.protocol !== 'https:') { + throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url); + } + if (url.protocol !== 'https:' && url.protocol !== 'http:') { + throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url); + } +} +function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) { + let url; + if (typeof value !== 'string' || !(url = URLParse(value))) { + throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint }); + } + checkProtocol(url, enforceHttps); + return url; +} +export function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) { + if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) { + return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps); + } + return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps); +} +export async function pushedAuthorizationRequest(as, client, clientAuthentication, parameters, options) { + assertAs(as); + assertClient(client); + const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + const body = new URLSearchParams(parameters); + body.set('client_id', client.client_id); + const headers = prepareHeaders(options?.headers); + headers.set('accept', 'application/json'); + if (options?.DPoP !== undefined) { + assertDPoP(options.DPoP); + await options.DPoP.addProof(url, headers, 'POST'); + } + const response = await authenticatedRequest(as, client, clientAuthentication, url, body, headers, options); + options?.DPoP?.cacheNonce(response); + return response; +} +class DPoPHandler { + #header; + #privateKey; + #publicKey; + #clockSkew; + #modifyAssertion; + #map; + constructor(client, keyPair, options) { + assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"'); + assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"'); + if (!keyPair.publicKey.extractable) { + throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE); + } + this.#modifyAssertion = options?.[modifyAssertion]; + this.#clockSkew = getClockSkew(client); + this.#privateKey = keyPair.privateKey; + this.#publicKey = keyPair.publicKey; + branded.add(this); + } + #get(key) { + this.#map ||= new Map(); + let item = this.#map.get(key); + if (item) { + this.#map.delete(key); + this.#map.set(key, item); + } + return item; + } + #set(key, val) { + this.#map ||= new Map(); + this.#map.delete(key); + if (this.#map.size === 100) { + this.#map.delete(this.#map.keys().next().value); + } + this.#map.set(key, val); + } + async addProof(url, headers, htm, accessToken) { + this.#header ||= { + alg: keyToJws(this.#privateKey), + typ: 'dpop+jwt', + jwk: await publicJwk(this.#publicKey), + }; + const nonce = this.#get(url.origin); + const now = epochTime() + this.#clockSkew; + const payload = { + iat: now, + jti: randomBytes(), + htm, + nonce, + htu: `${url.origin}${url.pathname}`, + ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined, + }; + this.#modifyAssertion?.(this.#header, payload); + headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey)); + } + cacheNonce(response) { + try { + const nonce = response.headers.get('dpop-nonce'); + if (nonce) { + this.#set(new URL(response.url).origin, nonce); + } + } + catch { } + } +} +export function isDPoPNonceError(err) { + if (err instanceof WWWAuthenticateChallengeError) { + const { 0: challenge, length } = err.cause; + return (length === 1 && challenge.scheme === 'dpop' && challenge.parameters.error === 'use_dpop_nonce'); + } + if (err instanceof ResponseBodyError) { + return err.error === 'use_dpop_nonce'; + } + return false; +} +export function DPoP(client, keyPair, options) { + return new DPoPHandler(client, keyPair, options); +} +export class ResponseBodyError extends Error { + cause; + code; + error; + status; + error_description; + response; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + this.code = RESPONSE_BODY_ERROR; + this.cause = options.cause; + this.error = options.cause.error; + this.status = options.response.status; + this.error_description = options.cause.error_description; + Object.defineProperty(this, 'response', { enumerable: false, value: options.response }); + Error.captureStackTrace?.(this, this.constructor); + } +} +export class AuthorizationResponseError extends Error { + cause; + code; + error; + error_description; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + this.code = AUTHORIZATION_RESPONSE_ERROR; + this.cause = options.cause; + this.error = options.cause.get('error'); + this.error_description = options.cause.get('error_description') ?? undefined; + Error.captureStackTrace?.(this, this.constructor); + } +} +export class WWWAuthenticateChallengeError extends Error { + cause; + code; + response; + status; + constructor(message, options) { + super(message, options); + this.name = this.constructor.name; + this.code = WWW_AUTHENTICATE_CHALLENGE; + this.cause = options.cause; + this.status = options.response.status; + this.response = options.response; + Object.defineProperty(this, 'response', { enumerable: false }); + Error.captureStackTrace?.(this, this.constructor); + } +} +function unquote(value) { + if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') { + return value.slice(1, -1); + } + return value; +} +const SPLIT_REGEXP = /((?:,|, )?[0-9a-zA-Z!#$%&'*+-.^_`|~]+=)/; +const SCHEMES_REGEXP = /(?:^|, ?)([0-9a-zA-Z!#$%&'*+\-.^_`|~]+)(?=$|[ ,])/g; +function wwwAuth(scheme, params) { + const arr = params.split(SPLIT_REGEXP).slice(1); + if (!arr.length) { + return { scheme: scheme.toLowerCase(), parameters: {} }; + } + arr[arr.length - 1] = arr[arr.length - 1].replace(/,$/, ''); + const parameters = {}; + for (let i = 1; i < arr.length; i += 2) { + const idx = i; + if (arr[idx][0] === '"') { + while (arr[idx].slice(-1) !== '"' && ++i < arr.length) { + arr[idx] += arr[i]; + } + } + const key = arr[idx - 1].replace(/^(?:, ?)|=$/g, '').toLowerCase(); + parameters[key] = unquote(arr[idx]); + } + return { + scheme: scheme.toLowerCase(), + parameters, + }; +} +function parseWwwAuthenticateChallenges(response) { + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + const header = response.headers.get('www-authenticate'); + if (header === null) { + return undefined; + } + const result = []; + for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) { + result.push([scheme, index]); + } + if (!result.length) { + return undefined; + } + const challenges = result.map(([scheme, indexOf], i, others) => { + const next = others[i + 1]; + let parameters; + if (next) { + parameters = header.slice(indexOf, next[1]); + } + else { + parameters = header.slice(indexOf); + } + return wwwAuth(scheme, parameters); + }); + return challenges; +} +export async function processPushedAuthorizationResponse(as, client, response) { + assertAs(as); + assertClient(client); + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 201) { + let err; + if ((err = await handleOAuthBodyError(response))) { + await response.body?.cancel(); + throw new ResponseBodyError('server responded with an error in the response body', { + cause: err, + response, + }); + } + throw OPE('"response" is not a conform Pushed Authorization Request Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + assertApplicationJson(response); + let json; + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + assertString(json.request_uri, '"response" body "request_uri" property', INVALID_RESPONSE, { + body: json, + }); + let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in; + assertNumber(expiresIn, false, '"response" body "expires_in" property', INVALID_RESPONSE, { + body: json, + }); + json.expires_in = expiresIn; + return json; +} +function assertDPoP(option) { + if (!branded.has(option)) { + throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE); + } +} +async function resourceRequest(accessToken, method, url, headers, body, options) { + assertString(accessToken, '"accessToken"'); + if (!(url instanceof URL)) { + throw CodedTypeError('"url" must be an instance of URL', ERR_INVALID_ARG_TYPE); + } + checkProtocol(url, options?.[allowInsecureRequests] !== true); + headers = prepareHeaders(headers); + if (options?.DPoP) { + assertDPoP(options.DPoP); + await options.DPoP.addProof(url, headers, method.toUpperCase(), accessToken); + headers.set('authorization', `DPoP ${accessToken}`); + } + else { + headers.set('authorization', `Bearer ${accessToken}`); + } + const response = await (options?.[customFetch] || fetch)(url.href, { + body, + headers: Object.fromEntries(headers.entries()), + method, + redirect: 'manual', + signal: options?.signal ? signal(options.signal) : undefined, + }); + options?.DPoP?.cacheNonce(response); + return response; +} +export async function protectedResourceRequest(accessToken, method, url, headers, body, options) { + return resourceRequest(accessToken, method, url, headers, body, options).then((response) => { + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + return response; + }); +} +export async function userInfoRequest(as, client, accessToken, options) { + assertAs(as); + assertClient(client); + const url = resolveEndpoint(as, 'userinfo_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + const headers = prepareHeaders(options?.headers); + if (client.userinfo_signed_response_alg) { + headers.set('accept', 'application/jwt'); + } + else { + headers.set('accept', 'application/json'); + headers.append('accept', 'application/jwt'); + } + return resourceRequest(accessToken, 'GET', url, headers, null, { + ...options, + [clockSkew]: getClockSkew(client), + }); +} +let jwksMap; +function setJwksCache(as, jwks, uat, cache) { + jwksMap ||= new WeakMap(); + jwksMap.set(as, { + jwks, + uat, + get age() { + return epochTime() - this.uat; + }, + }); + if (cache) { + Object.assign(cache, { jwks: structuredClone(jwks), uat }); + } +} +function isFreshJwksCache(input) { + if (typeof input !== 'object' || input === null) { + return false; + } + if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) { + return false; + } + if (!('jwks' in input) || + !isJsonObject(input.jwks) || + !Array.isArray(input.jwks.keys) || + !Array.prototype.every.call(input.jwks.keys, isJsonObject)) { + return false; + } + return true; +} +function clearJwksCache(as, cache) { + jwksMap?.delete(as); + delete cache?.jwks; + delete cache?.uat; +} +async function getPublicSigKeyFromIssuerJwksUri(as, options, header) { + const { alg, kid } = header; + checkSupportedJwsAlg(header); + if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) { + setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat); + } + let jwks; + let age; + if (jwksMap?.has(as)) { + ; + ({ jwks, age } = jwksMap.get(as)); + if (age >= 300) { + clearJwksCache(as, options?.[jwksCache]); + return getPublicSigKeyFromIssuerJwksUri(as, options, header); + } + } + else { + jwks = await jwksRequest(as, options).then(processJwksResponse); + age = 0; + setJwksCache(as, jwks, epochTime(), options?.[jwksCache]); + } + let kty; + switch (alg.slice(0, 2)) { + case 'RS': + case 'PS': + kty = 'RSA'; + break; + case 'ES': + kty = 'EC'; + break; + case 'Ed': + kty = 'OKP'; + break; + default: + throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } }); + } + const candidates = jwks.keys.filter((jwk) => { + if (jwk.kty !== kty) { + return false; + } + if (kid !== undefined && kid !== jwk.kid) { + return false; + } + if (jwk.alg !== undefined && alg !== jwk.alg) { + return false; + } + if (jwk.use !== undefined && jwk.use !== 'sig') { + return false; + } + if (jwk.key_ops?.includes('verify') === false) { + return false; + } + switch (true) { + case alg === 'ES256' && jwk.crv !== 'P-256': + case alg === 'ES384' && jwk.crv !== 'P-384': + case alg === 'ES512' && jwk.crv !== 'P-521': + case alg === 'Ed25519' && jwk.crv !== 'Ed25519': + case alg === 'EdDSA' && jwk.crv !== 'Ed25519': + return false; + } + return true; + }); + const { 0: jwk, length } = candidates; + if (!length) { + if (age >= 60) { + clearJwksCache(as, options?.[jwksCache]); + return getPublicSigKeyFromIssuerJwksUri(as, options, header); + } + throw OPE('error when selecting a JWT verification key, no applicable keys found', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) }); + } + if (length !== 1) { + throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) }); + } + return importJwk(alg, jwk); +} +export const skipSubjectCheck = Symbol(); +function getContentType(input) { + return input.headers.get('content-type')?.split(';')[0]; +} +export async function processUserInfoResponse(as, client, expectedSubject, response, options) { + assertAs(as); + assertClient(client); + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 200) { + throw OPE('"response" is not a conform UserInfo Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + let json; + if (getContentType(response) === 'application/jwt') { + const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported, undefined), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt]) + .then(validateOptionalAudience.bind(undefined, client.client_id)) + .then(validateOptionalIssuer.bind(undefined, as)); + jwtRefs.set(response, jwt); + json = claims; + } + else { + if (client.userinfo_signed_response_alg) { + throw OPE('JWT UserInfo Response expected', JWT_USERINFO_EXPECTED, response); + } + assertApplicationJson(response); + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + assertString(json.sub, '"response" body "sub" property', INVALID_RESPONSE, { body: json }); + switch (expectedSubject) { + case skipSubjectCheck: + break; + default: + assertString(expectedSubject, '"expectedSubject"'); + if (json.sub !== expectedSubject) { + throw OPE('unexpected "response" body "sub" property value', JSON_ATTRIBUTE_COMPARISON, { + expected: expectedSubject, + body: json, + attribute: 'sub', + }); + } + } + return json; +} +async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) { + await clientAuthentication(as, client, body, headers); + headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8'); + return (options?.[customFetch] || fetch)(url.href, { + body, + headers: Object.fromEntries(headers.entries()), + method: 'POST', + redirect: 'manual', + signal: options?.signal ? signal(options.signal) : undefined, + }); +} +async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) { + const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + parameters.set('grant_type', grantType); + const headers = prepareHeaders(options?.headers); + headers.set('accept', 'application/json'); + if (options?.DPoP !== undefined) { + assertDPoP(options.DPoP); + await options.DPoP.addProof(url, headers, 'POST'); + } + const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options); + options?.DPoP?.cacheNonce(response); + return response; +} +export async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) { + assertAs(as); + assertClient(client); + assertString(refreshToken, '"refreshToken"'); + const parameters = new URLSearchParams(options?.additionalParameters); + parameters.set('refresh_token', refreshToken); + return tokenEndpointRequest(as, client, clientAuthentication, 'refresh_token', parameters, options); +} +const idTokenClaims = new WeakMap(); +const jwtRefs = new WeakMap(); +export function getValidatedIdTokenClaims(ref) { + if (!ref.id_token) { + return undefined; + } + const claims = idTokenClaims.get(ref); + if (!claims) { + throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE); + } + return claims; +} +export async function validateApplicationLevelSignature(as, ref, options) { + assertAs(as); + if (!jwtRefs.has(ref)) { + throw CodedTypeError('"ref" does not contain a processed JWT Response to verify the signature of', ERR_INVALID_ARG_VALUE); + } + const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwtRefs.get(ref).split('.'); + const header = JSON.parse(buf(b64u(protectedHeader))); + if (header.alg.startsWith('HS')) { + throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg: header.alg } }); + } + let key; + key = await getPublicSigKeyFromIssuerJwksUri(as, options, header); + await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature)); +} +async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, options) { + assertAs(as); + assertClient(client); + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 200) { + let err; + if ((err = await handleOAuthBodyError(response))) { + await response.body?.cancel(); + throw new ResponseBodyError('server responded with an error in the response body', { + cause: err, + response, + }); + } + throw OPE('"response" is not a conform Token Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + assertApplicationJson(response); + let json; + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, { + body: json, + }); + assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, { + body: json, + }); + json.token_type = json.token_type.toLowerCase(); + if (json.token_type !== 'dpop' && json.token_type !== 'bearer') { + throw new UnsupportedOperationError('unsupported `token_type` value', { cause: { body: json } }); + } + if (json.expires_in !== undefined) { + let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in; + assertNumber(expiresIn, false, '"response" body "expires_in" property', INVALID_RESPONSE, { + body: json, + }); + json.expires_in = expiresIn; + } + if (json.refresh_token !== undefined) { + assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, { + body: json, + }); + } + if (json.scope !== undefined && typeof json.scope !== 'string') { + throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, { body: json }); + } + if (json.id_token !== undefined) { + assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, { + body: json, + }); + const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub']; + if (client.require_auth_time === true) { + requiredClaims.push('auth_time'); + } + if (client.default_max_age !== undefined) { + assertNumber(client.default_max_age, false, '"client.default_max_age"'); + requiredClaims.push('auth_time'); + } + if (additionalRequiredIdTokenClaims?.length) { + requiredClaims.push(...additionalRequiredIdTokenClaims); + } + const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt]) + .then(validatePresence.bind(undefined, requiredClaims)) + .then(validateIssuer.bind(undefined, as)) + .then(validateAudience.bind(undefined, client.client_id)); + if (Array.isArray(claims.aud) && claims.aud.length !== 1) { + if (claims.azp === undefined) { + throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' }); + } + if (claims.azp !== client.client_id) { + throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: 'azp' }); + } + } + if (claims.auth_time !== undefined) { + assertNumber(claims.auth_time, false, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims }); + } + jwtRefs.set(response, jwt); + idTokenClaims.set(json, claims); + } + return json; +} +export async function processRefreshTokenResponse(as, client, response, options) { + return processGenericAccessTokenResponse(as, client, response, undefined, options); +} +function validateOptionalAudience(expected, result) { + if (result.claims.aud !== undefined) { + return validateAudience(expected, result); + } + return result; +} +function validateAudience(expected, result) { + if (Array.isArray(result.claims.aud)) { + if (!result.claims.aud.includes(expected)) { + throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, { + expected, + claims: result.claims, + claim: 'aud', + }); + } + } + else if (result.claims.aud !== expected) { + throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, { + expected, + claims: result.claims, + claim: 'aud', + }); + } + return result; +} +function validateOptionalIssuer(as, result) { + if (result.claims.iss !== undefined) { + return validateIssuer(as, result); + } + return result; +} +function validateIssuer(as, result) { + const expected = as[_expectedIssuer]?.(result) ?? as.issuer; + if (result.claims.iss !== expected) { + throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, { + expected, + claims: result.claims, + claim: 'iss', + }); + } + return result; +} +const branded = new WeakSet(); +function brand(searchParams) { + branded.add(searchParams); + return searchParams; +} +export async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) { + assertAs(as); + assertClient(client); + if (!branded.has(callbackParameters)) { + throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE); + } + assertString(redirectUri, '"redirectUri"'); + const code = getURLSearchParameter(callbackParameters, 'code'); + if (!code) { + throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE); + } + const parameters = new URLSearchParams(options?.additionalParameters); + parameters.set('redirect_uri', redirectUri); + parameters.set('code', code); + if (codeVerifier !== _nopkce) { + assertString(codeVerifier, '"codeVerifier"'); + parameters.set('code_verifier', codeVerifier); + } + return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options); +} +const jwtClaimNames = { + aud: 'audience', + c_hash: 'code hash', + client_id: 'client id', + exp: 'expiration time', + iat: 'issued at', + iss: 'issuer', + jti: 'jwt id', + nonce: 'nonce', + s_hash: 'state hash', + sub: 'subject', + ath: 'access token hash', + htm: 'http method', + htu: 'http uri', + cnf: 'confirmation', + auth_time: 'authentication time', +}; +function validatePresence(required, result) { + for (const claim of required) { + if (result.claims[claim] === undefined) { + throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, { + claims: result.claims, + }); + } + } + return result; +} +export const expectNoNonce = Symbol(); +export const skipAuthTimeCheck = Symbol(); +export async function processAuthorizationCodeResponse(as, client, response, options) { + if (typeof options?.expectedNonce === 'string' || + typeof options?.maxAge === 'number' || + options?.requireIdToken) { + return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, { + [jweDecrypt]: options[jweDecrypt], + }); + } + return processAuthorizationCodeOAuth2Response(as, client, response, options); +} +async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, options) { + const additionalRequiredClaims = []; + switch (expectedNonce) { + case undefined: + expectedNonce = expectNoNonce; + break; + case expectNoNonce: + break; + default: + assertString(expectedNonce, '"expectedNonce" argument'); + additionalRequiredClaims.push('nonce'); + } + maxAge ??= client.default_max_age; + switch (maxAge) { + case undefined: + maxAge = skipAuthTimeCheck; + break; + case skipAuthTimeCheck: + break; + default: + assertNumber(maxAge, false, '"maxAge" argument'); + additionalRequiredClaims.push('auth_time'); + } + const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, options); + assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, { + body: result, + }); + const claims = getValidatedIdTokenClaims(result); + if (maxAge !== skipAuthTimeCheck) { + const now = epochTime() + getClockSkew(client); + const tolerance = getClockTolerance(client); + if (claims.auth_time + maxAge < now - tolerance) { + throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' }); + } + } + if (expectedNonce === expectNoNonce) { + if (claims.nonce !== undefined) { + throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, { + expected: undefined, + claims, + claim: 'nonce', + }); + } + } + else if (claims.nonce !== expectedNonce) { + throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, { + expected: expectedNonce, + claims, + claim: 'nonce', + }); + } + return result; +} +async function processAuthorizationCodeOAuth2Response(as, client, response, options) { + const result = await processGenericAccessTokenResponse(as, client, response, undefined, options); + const claims = getValidatedIdTokenClaims(result); + if (claims) { + if (client.default_max_age !== undefined) { + assertNumber(client.default_max_age, false, '"client.default_max_age"'); + const now = epochTime() + getClockSkew(client); + const tolerance = getClockTolerance(client); + if (claims.auth_time + client.default_max_age < now - tolerance) { + throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' }); + } + } + if (claims.nonce !== undefined) { + throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, { + expected: undefined, + claims, + claim: 'nonce', + }); + } + } + return result; +} +export const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE'; +export const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR'; +export const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION'; +export const AUTHORIZATION_RESPONSE_ERROR = 'OAUTH_AUTHORIZATION_RESPONSE_ERROR'; +export const JWT_USERINFO_EXPECTED = 'OAUTH_JWT_USERINFO_EXPECTED'; +export const PARSE_ERROR = 'OAUTH_PARSE_ERROR'; +export const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE'; +export const INVALID_REQUEST = 'OAUTH_INVALID_REQUEST'; +export const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON'; +export const RESPONSE_IS_NOT_CONFORM = 'OAUTH_RESPONSE_IS_NOT_CONFORM'; +export const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN'; +export const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN'; +export const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED'; +export const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED'; +export const JSON_ATTRIBUTE_COMPARISON = 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED'; +export const KEY_SELECTION = 'OAUTH_KEY_SELECTION_FAILED'; +export const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA'; +export const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA'; +function checkJwtType(expected, result) { + if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) { + throw OPE('unexpected JWT "typ" header parameter value', INVALID_RESPONSE, { + header: result.header, + }); + } + return result; +} +export async function clientCredentialsGrantRequest(as, client, clientAuthentication, parameters, options) { + assertAs(as); + assertClient(client); + return tokenEndpointRequest(as, client, clientAuthentication, 'client_credentials', new URLSearchParams(parameters), options); +} +export async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) { + assertAs(as); + assertClient(client); + assertString(grantType, '"grantType"'); + return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options); +} +export async function processGenericTokenEndpointResponse(as, client, response, options) { + return processGenericAccessTokenResponse(as, client, response, undefined, options); +} +export async function processClientCredentialsResponse(as, client, response, options) { + return processGenericAccessTokenResponse(as, client, response, undefined, options); +} +export async function revocationRequest(as, client, clientAuthentication, token, options) { + assertAs(as); + assertClient(client); + assertString(token, '"token"'); + const url = resolveEndpoint(as, 'revocation_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + const body = new URLSearchParams(options?.additionalParameters); + body.set('token', token); + const headers = prepareHeaders(options?.headers); + headers.delete('accept'); + return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options); +} +export async function processRevocationResponse(response) { + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 200) { + let err; + if ((err = await handleOAuthBodyError(response))) { + await response.body?.cancel(); + throw new ResponseBodyError('server responded with an error in the response body', { + cause: err, + response, + }); + } + throw OPE('"response" is not a conform Revocation Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + return undefined; +} +function assertReadableResponse(response) { + if (response.bodyUsed) { + throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE); + } +} +export async function introspectionRequest(as, client, clientAuthentication, token, options) { + assertAs(as); + assertClient(client); + assertString(token, '"token"'); + const url = resolveEndpoint(as, 'introspection_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + const body = new URLSearchParams(options?.additionalParameters); + body.set('token', token); + const headers = prepareHeaders(options?.headers); + if (options?.requestJwtResponse ?? client.introspection_signed_response_alg) { + headers.set('accept', 'application/token-introspection+jwt'); + } + else { + headers.set('accept', 'application/json'); + } + return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options); +} +export async function processIntrospectionResponse(as, client, response, options) { + assertAs(as); + assertClient(client); + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 200) { + let err; + if ((err = await handleOAuthBodyError(response))) { + await response.body?.cancel(); + throw new ResponseBodyError('server responded with an error in the response body', { + cause: err, + response, + }); + } + throw OPE('"response" is not a conform Introspection Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + let json; + if (getContentType(response) === 'application/token-introspection+jwt') { + assertReadableResponse(response); + const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt]) + .then(checkJwtType.bind(undefined, 'token-introspection+jwt')) + .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss'])) + .then(validateIssuer.bind(undefined, as)) + .then(validateAudience.bind(undefined, client.client_id)); + jwtRefs.set(response, jwt); + json = claims.token_introspection; + if (!isJsonObject(json)) { + throw OPE('JWT "token_introspection" claim must be a JSON object', INVALID_RESPONSE, { + claims, + }); + } + } + else { + assertReadableResponse(response); + assertApplicationJson(response); + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + } + if (typeof json.active !== 'boolean') { + throw OPE('"response" body "active" property must be a boolean', INVALID_RESPONSE, { + body: json, + }); + } + return json; +} +async function jwksRequest(as, options) { + assertAs(as); + const url = resolveEndpoint(as, 'jwks_uri', false, options?.[allowInsecureRequests] !== true); + const headers = prepareHeaders(options?.headers); + headers.set('accept', 'application/json'); + headers.append('accept', 'application/jwk-set+json'); + return (options?.[customFetch] || fetch)(url.href, { + body: undefined, + headers: Object.fromEntries(headers.entries()), + method: 'GET', + redirect: 'manual', + signal: options?.signal ? signal(options.signal) : undefined, + }); +} +async function processJwksResponse(response) { + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + if (response.status !== 200) { + throw OPE('"response" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + assertContentTypes(response, 'application/json', 'application/jwk-set+json'); + let json; + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + if (!Array.isArray(json.keys)) { + throw OPE('"response" body "keys" property must be an array', INVALID_RESPONSE, { body: json }); + } + if (!Array.prototype.every.call(json.keys, isJsonObject)) { + throw OPE('"response" body "keys" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json }); + } + return json; +} +async function handleOAuthBodyError(response) { + if (response.status > 399 && response.status < 500) { + assertReadableResponse(response); + assertApplicationJson(response); + try { + const json = await response.clone().json(); + if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) { + return json; + } + } + catch { } + } + return undefined; +} +function supported(alg) { + switch (alg) { + case 'PS256': + case 'ES256': + case 'RS256': + case 'PS384': + case 'ES384': + case 'RS384': + case 'PS512': + case 'ES512': + case 'RS512': + case 'Ed25519': + case 'EdDSA': + return true; + default: + return false; + } +} +function checkSupportedJwsAlg(header) { + if (!supported(header.alg)) { + throw new UnsupportedOperationError('unsupported JWS "alg" identifier', { + cause: { alg: header.alg }, + }); + } +} +function checkRsaKeyAlgorithm(key) { + const { algorithm } = key; + if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) { + throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, { + cause: key, + }); + } +} +function ecdsaHashName(key) { + const { algorithm } = key; + switch (algorithm.namedCurve) { + case 'P-256': + return 'SHA-256'; + case 'P-384': + return 'SHA-384'; + case 'P-521': + return 'SHA-512'; + default: + throw new UnsupportedOperationError('unsupported ECDSA namedCurve', { cause: key }); + } +} +function keyToSubtle(key) { + switch (key.algorithm.name) { + case 'ECDSA': + return { + name: key.algorithm.name, + hash: ecdsaHashName(key), + }; + case 'RSA-PSS': { + checkRsaKeyAlgorithm(key); + switch (key.algorithm.hash.name) { + case 'SHA-256': + case 'SHA-384': + case 'SHA-512': + return { + name: key.algorithm.name, + saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3, + }; + default: + throw new UnsupportedOperationError('unsupported RSA-PSS hash name', { cause: key }); + } + } + case 'RSASSA-PKCS1-v1_5': + checkRsaKeyAlgorithm(key); + return key.algorithm.name; + case 'Ed25519': + case 'EdDSA': + return key.algorithm.name; + } + throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key }); +} +async function validateJwsSignature(protectedHeader, payload, key, signature) { + const data = buf(`${protectedHeader}.${payload}`); + const algorithm = keyToSubtle(key); + const verified = await crypto.subtle.verify(algorithm, key, signature, data); + if (!verified) { + throw OPE('JWT signature verification failed', INVALID_RESPONSE, { + key, + data, + signature, + algorithm, + }); + } +} +async function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) { + let { 0: protectedHeader, 1: payload, length } = jws.split('.'); + if (length === 5) { + if (decryptJwt !== undefined) { + jws = await decryptJwt(jws); + ({ 0: protectedHeader, 1: payload, length } = jws.split('.')); + } + else { + throw new UnsupportedOperationError('JWE decryption is not configured', { cause: jws }); + } + } + if (length !== 3) { + throw OPE('Invalid JWT', INVALID_RESPONSE, jws); + } + let header; + try { + header = JSON.parse(buf(b64u(protectedHeader))); + } + catch (cause) { + throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(header)) { + throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws); + } + checkAlg(header); + if (header.crit !== undefined) { + throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', { + cause: { header }, + }); + } + let claims; + try { + claims = JSON.parse(buf(b64u(payload))); + } + catch (cause) { + throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(claims)) { + throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws); + } + const now = epochTime() + clockSkew; + if (claims.exp !== undefined) { + if (typeof claims.exp !== 'number') { + throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims }); + } + if (claims.exp <= now - clockTolerance) { + throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance, claim: 'exp' }); + } + } + if (claims.iat !== undefined) { + if (typeof claims.iat !== 'number') { + throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims }); + } + } + if (claims.iss !== undefined) { + if (typeof claims.iss !== 'string') { + throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims }); + } + } + if (claims.nbf !== undefined) { + if (typeof claims.nbf !== 'number') { + throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims }); + } + if (claims.nbf > now + clockTolerance) { + throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, { + claims, + now, + tolerance: clockTolerance, + claim: 'nbf', + }); + } + } + if (claims.aud !== undefined) { + if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) { + throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims }); + } + } + return { header, claims, jwt: jws }; +} +export async function validateJwtAuthResponse(as, client, parameters, expectedState, options) { + assertAs(as); + assertClient(client); + if (parameters instanceof URL) { + parameters = parameters.searchParams; + } + if (!(parameters instanceof URLSearchParams)) { + throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE); + } + const response = getURLSearchParameter(parameters, 'response'); + if (!response) { + throw OPE('"parameters" does not contain a JARM response', INVALID_RESPONSE); + } + const { claims, header, jwt } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt]) + .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss'])) + .then(validateIssuer.bind(undefined, as)) + .then(validateAudience.bind(undefined, client.client_id)); + const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.'); + const signature = b64u(encodedSignature); + const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header); + await validateJwsSignature(protectedHeader, payload, key, signature); + const result = new URLSearchParams(); + for (const [key, value] of Object.entries(claims)) { + if (typeof value === 'string' && key !== 'aud') { + result.set(key, value); + } + } + return validateAuthResponse(as, client, result, expectedState); +} +async function idTokenHash(data, header, claimName) { + let algorithm; + switch (header.alg) { + case 'RS256': + case 'PS256': + case 'ES256': + algorithm = 'SHA-256'; + break; + case 'RS384': + case 'PS384': + case 'ES384': + algorithm = 'SHA-384'; + break; + case 'RS512': + case 'PS512': + case 'ES512': + case 'Ed25519': + case 'EdDSA': + algorithm = 'SHA-512'; + break; + default: + throw new UnsupportedOperationError(`unsupported JWS algorithm for ${claimName} calculation`, { cause: { alg: header.alg } }); + } + const digest = await crypto.subtle.digest(algorithm, buf(data)); + return b64u(digest.slice(0, digest.byteLength / 2)); +} +async function idTokenHashMatches(data, actual, header, claimName) { + const expected = await idTokenHash(data, header, claimName); + return actual === expected; +} +export async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) { + return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, true); +} +export async function validateCodeIdTokenResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) { + return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, false); +} +async function consumeStream(request) { + if (request.bodyUsed) { + throw CodedTypeError('form_post Request instances must contain a readable body', ERR_INVALID_ARG_VALUE, { cause: request }); + } + return request.text(); +} +async function formPostResponse(request) { + if (request.method !== 'POST') { + throw CodedTypeError('form_post responses are expected to use the POST method', ERR_INVALID_ARG_VALUE, { cause: request }); + } + if (getContentType(request) !== 'application/x-www-form-urlencoded') { + throw CodedTypeError('form_post responses are expected to use the application/x-www-form-urlencoded content-type', ERR_INVALID_ARG_VALUE, { cause: request }); + } + return consumeStream(request); +} +async function validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, fapi) { + assertAs(as); + assertClient(client); + if (parameters instanceof URL) { + if (!parameters.hash.length) { + throw CodedTypeError('"parameters" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters', ERR_INVALID_ARG_VALUE); + } + parameters = new URLSearchParams(parameters.hash.slice(1)); + } + else if (looseInstanceOf(parameters, Request)) { + parameters = new URLSearchParams(await formPostResponse(parameters)); + } + else if (parameters instanceof URLSearchParams) { + parameters = new URLSearchParams(parameters); + } + else { + throw CodedTypeError('"parameters" must be an instance of URLSearchParams, URL, or Response', ERR_INVALID_ARG_TYPE); + } + const id_token = getURLSearchParameter(parameters, 'id_token'); + parameters.delete('id_token'); + switch (expectedState) { + case undefined: + case expectNoState: + break; + default: + assertString(expectedState, '"expectedState" argument'); + } + const result = validateAuthResponse({ + ...as, + authorization_response_iss_parameter_supported: false, + }, client, parameters, expectedState); + if (!id_token) { + throw OPE('"parameters" does not contain an ID Token', INVALID_RESPONSE); + } + const code = getURLSearchParameter(parameters, 'code'); + if (!code) { + throw OPE('"parameters" does not contain an Authorization Code', INVALID_RESPONSE); + } + const requiredClaims = [ + 'aud', + 'exp', + 'iat', + 'iss', + 'sub', + 'nonce', + 'c_hash', + ]; + const state = parameters.get('state'); + if (fapi && (typeof expectedState === 'string' || state !== null)) { + requiredClaims.push('s_hash'); + } + if (maxAge !== undefined) { + assertNumber(maxAge, false, '"maxAge" argument'); + } + else if (client.default_max_age !== undefined) { + assertNumber(client.default_max_age, false, '"client.default_max_age"'); + } + maxAge ??= client.default_max_age ?? skipAuthTimeCheck; + if (client.require_auth_time || maxAge !== skipAuthTimeCheck) { + requiredClaims.push('auth_time'); + } + const { claims, header, jwt } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt]) + .then(validatePresence.bind(undefined, requiredClaims)) + .then(validateIssuer.bind(undefined, as)) + .then(validateAudience.bind(undefined, client.client_id)); + const clockSkew = getClockSkew(client); + const now = epochTime() + clockSkew; + if (claims.iat < now - 3600) { + throw OPE('unexpected JWT "iat" (issued at) claim value, it is too far in the past', JWT_TIMESTAMP_CHECK, { now, claims, claim: 'iat' }); + } + assertString(claims.c_hash, 'ID Token "c_hash" (code hash) claim value', INVALID_RESPONSE, { + claims, + }); + if (claims.auth_time !== undefined) { + assertNumber(claims.auth_time, false, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims }); + } + if (maxAge !== skipAuthTimeCheck) { + const now = epochTime() + getClockSkew(client); + const tolerance = getClockTolerance(client); + if (claims.auth_time + maxAge < now - tolerance) { + throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' }); + } + } + assertString(expectedNonce, '"expectedNonce" argument'); + if (claims.nonce !== expectedNonce) { + throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, { + expected: expectedNonce, + claims, + claim: 'nonce', + }); + } + if (Array.isArray(claims.aud) && claims.aud.length !== 1) { + if (claims.azp === undefined) { + throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' }); + } + if (claims.azp !== client.client_id) { + throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, { + expected: client.client_id, + claims, + claim: 'azp', + }); + } + } + const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.'); + const signature = b64u(encodedSignature); + const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header); + await validateJwsSignature(protectedHeader, payload, key, signature); + if ((await idTokenHashMatches(code, claims.c_hash, header, 'c_hash')) !== true) { + throw OPE('invalid ID Token "c_hash" (code hash) claim value', JWT_CLAIM_COMPARISON, { + code, + alg: header.alg, + claim: 'c_hash', + claims, + }); + } + if ((fapi && state !== null) || claims.s_hash !== undefined) { + assertString(claims.s_hash, 'ID Token "s_hash" (state hash) claim value', INVALID_RESPONSE, { + claims, + }); + assertString(state, '"state" response parameter', INVALID_RESPONSE, { parameters }); + if ((await idTokenHashMatches(state, claims.s_hash, header, 's_hash')) !== true) { + throw OPE('invalid ID Token "s_hash" (state hash) claim value', JWT_CLAIM_COMPARISON, { + state, + alg: header.alg, + claim: 's_hash', + claims, + }); + } + } + return result; +} +function checkSigningAlgorithm(client, issuer, fallback, header) { + if (client !== undefined) { + if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) { + throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, { + header, + expected: client, + reason: 'client configuration', + }); + } + return; + } + if (Array.isArray(issuer)) { + if (!issuer.includes(header.alg)) { + throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, { + header, + expected: issuer, + reason: 'authorization server metadata', + }); + } + return; + } + if (fallback !== undefined) { + if (typeof fallback === 'string' + ? header.alg !== fallback + : typeof fallback === 'function' + ? !fallback(header.alg) + : !fallback.includes(header.alg)) { + throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, { + header, + expected: fallback, + reason: 'default value', + }); + } + return; + } + throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback }); +} +function getURLSearchParameter(parameters, name) { + const { 0: value, length } = parameters.getAll(name); + if (length > 1) { + throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE); + } + return value; +} +export const skipStateCheck = Symbol(); +export const expectNoState = Symbol(); +export function validateAuthResponse(as, client, parameters, expectedState) { + assertAs(as); + assertClient(client); + if (parameters instanceof URL) { + parameters = parameters.searchParams; + } + if (!(parameters instanceof URLSearchParams)) { + throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE); + } + if (getURLSearchParameter(parameters, 'response')) { + throw OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters }); + } + const iss = getURLSearchParameter(parameters, 'iss'); + const state = getURLSearchParameter(parameters, 'state'); + if (!iss && as.authorization_response_iss_parameter_supported) { + throw OPE('response parameter "iss" (issuer) missing', INVALID_RESPONSE, { parameters }); + } + if (iss && iss !== as.issuer) { + throw OPE('unexpected "iss" (issuer) response parameter value', INVALID_RESPONSE, { + expected: as.issuer, + parameters, + }); + } + switch (expectedState) { + case undefined: + case expectNoState: + if (state !== undefined) { + throw OPE('unexpected "state" response parameter encountered', INVALID_RESPONSE, { + expected: undefined, + parameters, + }); + } + break; + case skipStateCheck: + break; + default: + assertString(expectedState, '"expectedState" argument'); + if (state !== expectedState) { + throw OPE(state === undefined + ? 'response parameter "state" missing' + : 'unexpected "state" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters }); + } + } + const error = getURLSearchParameter(parameters, 'error'); + if (error) { + throw new AuthorizationResponseError('authorization response from the server is an error', { + cause: parameters, + }); + } + const id_token = getURLSearchParameter(parameters, 'id_token'); + const token = getURLSearchParameter(parameters, 'token'); + if (id_token !== undefined || token !== undefined) { + throw new UnsupportedOperationError('implicit and hybrid flows are not supported'); + } + return brand(new URLSearchParams(parameters)); +} +function algToSubtle(alg) { + switch (alg) { + case 'PS256': + case 'PS384': + case 'PS512': + return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` }; + case 'RS256': + case 'RS384': + case 'RS512': + return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` }; + case 'ES256': + case 'ES384': + return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` }; + case 'ES512': + return { name: 'ECDSA', namedCurve: 'P-521' }; + case 'Ed25519': + case 'EdDSA': + return 'Ed25519'; + default: + throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } }); + } +} +async function importJwk(alg, jwk) { + const { ext, key_ops, use, ...key } = jwk; + return crypto.subtle.importKey('jwk', key, algToSubtle(alg), true, ['verify']); +} +export async function deviceAuthorizationRequest(as, client, clientAuthentication, parameters, options) { + assertAs(as); + assertClient(client); + const url = resolveEndpoint(as, 'device_authorization_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true); + const body = new URLSearchParams(parameters); + body.set('client_id', client.client_id); + const headers = prepareHeaders(options?.headers); + headers.set('accept', 'application/json'); + return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options); +} +export async function processDeviceAuthorizationResponse(as, client, response) { + assertAs(as); + assertClient(client); + if (!looseInstanceOf(response, Response)) { + throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE); + } + let challenges; + if ((challenges = parseWwwAuthenticateChallenges(response))) { + throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response }); + } + if (response.status !== 200) { + let err; + if ((err = await handleOAuthBodyError(response))) { + await response.body?.cancel(); + throw new ResponseBodyError('server responded with an error in the response body', { + cause: err, + response, + }); + } + throw OPE('"response" is not a conform Device Authorization Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response); + } + assertReadableResponse(response); + assertApplicationJson(response); + let json; + try { + json = await response.json(); + } + catch (cause) { + throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause); + } + if (!isJsonObject(json)) { + throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json }); + } + assertString(json.device_code, '"response" body "device_code" property', INVALID_RESPONSE, { + body: json, + }); + assertString(json.user_code, '"response" body "user_code" property', INVALID_RESPONSE, { + body: json, + }); + assertString(json.verification_uri, '"response" body "verification_uri" property', INVALID_RESPONSE, { body: json }); + let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in; + assertNumber(expiresIn, false, '"response" body "expires_in" property', INVALID_RESPONSE, { + body: json, + }); + json.expires_in = expiresIn; + if (json.verification_uri_complete !== undefined) { + assertString(json.verification_uri_complete, '"response" body "verification_uri_complete" property', INVALID_RESPONSE, { body: json }); + } + if (json.interval !== undefined) { + assertNumber(json.interval, false, '"response" body "interval" property', INVALID_RESPONSE, { + body: json, + }); + } + return json; +} +export async function deviceCodeGrantRequest(as, client, clientAuthentication, deviceCode, options) { + assertAs(as); + assertClient(client); + assertString(deviceCode, '"deviceCode"'); + const parameters = new URLSearchParams(options?.additionalParameters); + parameters.set('device_code', deviceCode); + return tokenEndpointRequest(as, client, clientAuthentication, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options); +} +export async function processDeviceCodeResponse(as, client, response, options) { + return processGenericAccessTokenResponse(as, client, response, undefined, options); +} +export async function generateKeyPair(alg, options) { + assertString(alg, '"alg"'); + const algorithm = algToSubtle(alg); + if (alg.startsWith('PS') || alg.startsWith('RS')) { + Object.assign(algorithm, { + modulusLength: options?.modulusLength ?? 2048, + publicExponent: new Uint8Array([0x01, 0x00, 0x01]), + }); + } + return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, [ + 'sign', + 'verify', + ]); +} +function normalizeHtu(htu) { + const url = new URL(htu); + url.search = ''; + url.hash = ''; + return url.href; +} +async function validateDPoP(request, accessToken, accessTokenClaims, options) { + const headerValue = request.headers.get('dpop'); + if (headerValue === null) { + throw OPE('operation indicated DPoP use but the request has no DPoP HTTP Header', INVALID_REQUEST, { headers: request.headers }); + } + if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) { + throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers }); + } + if (typeof accessTokenClaims.cnf?.jkt !== 'string') { + throw OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim', INVALID_REQUEST, { claims: accessTokenClaims }); + } + const clockSkew = getClockSkew(options); + const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew, getClockTolerance(options), undefined) + .then(checkJwtType.bind(undefined, 'dpop+jwt')) + .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu'])); + const now = epochTime() + clockSkew; + const diff = Math.abs(now - proof.claims.iat); + if (diff > 300) { + throw OPE('DPoP Proof iat is not recent enough', JWT_TIMESTAMP_CHECK, { + now, + claims: proof.claims, + claim: 'iat', + }); + } + if (proof.claims.htm !== request.method) { + throw OPE('DPoP Proof htm mismatch', JWT_CLAIM_COMPARISON, { + expected: request.method, + claims: proof.claims, + claim: 'htm', + }); + } + if (typeof proof.claims.htu !== 'string' || + normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) { + throw OPE('DPoP Proof htu mismatch', JWT_CLAIM_COMPARISON, { + expected: normalizeHtu(request.url), + claims: proof.claims, + claim: 'htu', + }); + } + { + const expected = b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))); + if (proof.claims.ath !== expected) { + throw OPE('DPoP Proof ath mismatch', JWT_CLAIM_COMPARISON, { + expected, + claims: proof.claims, + claim: 'ath', + }); + } + } + { + let components; + switch (proof.header.jwk.kty) { + case 'EC': + components = { + crv: proof.header.jwk.crv, + kty: proof.header.jwk.kty, + x: proof.header.jwk.x, + y: proof.header.jwk.y, + }; + break; + case 'OKP': + components = { + crv: proof.header.jwk.crv, + kty: proof.header.jwk.kty, + x: proof.header.jwk.x, + }; + break; + case 'RSA': + components = { + e: proof.header.jwk.e, + kty: proof.header.jwk.kty, + n: proof.header.jwk.n, + }; + break; + default: + throw new UnsupportedOperationError('unsupported JWK key type', { cause: proof.header.jwk }); + } + const expected = b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components)))); + if (accessTokenClaims.cnf.jkt !== expected) { + throw OPE('JWT Access Token confirmation mismatch', JWT_CLAIM_COMPARISON, { + expected, + claims: accessTokenClaims, + claim: 'cnf.jkt', + }); + } + } + const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split('.'); + const signature = b64u(encodedSignature); + const { jwk, alg } = proof.header; + if (!jwk) { + throw OPE('DPoP Proof is missing the jwk header parameter', INVALID_REQUEST, { + header: proof.header, + }); + } + const key = await importJwk(alg, jwk); + if (key.type !== 'public') { + throw OPE('DPoP Proof jwk header parameter must contain a public key', INVALID_REQUEST, { + header: proof.header, + }); + } + await validateJwsSignature(protectedHeader, payload, key, signature); +} +export async function validateJwtAccessToken(as, request, expectedAudience, options) { + assertAs(as); + if (!looseInstanceOf(request, Request)) { + throw CodedTypeError('"request" must be an instance of Request', ERR_INVALID_ARG_TYPE); + } + assertString(expectedAudience, '"expectedAudience"'); + const authorization = request.headers.get('authorization'); + if (authorization === null) { + throw OPE('"request" is missing an Authorization HTTP Header', INVALID_REQUEST, { + headers: request.headers, + }); + } + let { 0: scheme, 1: accessToken, length } = authorization.split(' '); + scheme = scheme.toLowerCase(); + switch (scheme) { + case 'dpop': + case 'bearer': + break; + default: + throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme', { + cause: { headers: request.headers }, + }); + } + if (length !== 2) { + throw OPE('invalid Authorization HTTP Header format', INVALID_REQUEST, { + headers: request.headers, + }); + } + const requiredClaims = [ + 'iss', + 'exp', + 'aud', + 'sub', + 'iat', + 'jti', + 'client_id', + ]; + if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) { + requiredClaims.push('cnf'); + } + const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined) + .then(checkJwtType.bind(undefined, 'at+jwt')) + .then(validatePresence.bind(undefined, requiredClaims)) + .then(validateIssuer.bind(undefined, as)) + .then(validateAudience.bind(undefined, expectedAudience)) + .catch(reassignRSCode); + for (const claim of ['client_id', 'jti', 'sub']) { + if (typeof claims[claim] !== 'string') { + throw OPE(`unexpected JWT "${claim}" claim type`, INVALID_REQUEST, { claims }); + } + } + if ('cnf' in claims) { + if (!isJsonObject(claims.cnf)) { + throw OPE('unexpected JWT "cnf" (confirmation) claim value', INVALID_REQUEST, { claims }); + } + const { 0: cnf, length } = Object.keys(claims.cnf); + if (length) { + if (length !== 1) { + throw new UnsupportedOperationError('multiple confirmation claims are not supported', { + cause: { claims }, + }); + } + if (cnf !== 'jkt') { + throw new UnsupportedOperationError('unsupported JWT Confirmation method', { + cause: { claims }, + }); + } + } + } + const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split('.'); + const signature = b64u(encodedSignature); + const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header); + await validateJwsSignature(protectedHeader, payload, key, signature); + if (options?.requireDPoP || + scheme === 'dpop' || + claims.cnf?.jkt !== undefined || + request.headers.has('dpop')) { + await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode); + } + return claims; +} +function reassignRSCode(err) { + if (err instanceof OperationProcessingError && err?.code === INVALID_REQUEST) { + err.code = INVALID_RESPONSE; + } + throw err; +} +export const _nopkce = Symbol(); +export const _nodiscoverycheck = Symbol(); +export const _expectedIssuer = Symbol(); +//# sourceMappingURL=index.js.map \ No newline at end of file diff --git a/build/index.js.map b/build/index.js.map new file mode 100644 index 00000000..25079cd9 --- /dev/null +++ b/build/index.js.map @@ -0,0 +1 @@ +{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,IAAI,UAAkB,CAAA;AAEtB,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;IAC3F,MAAM,IAAI,GAAG,cAAc,CAAA;IAC3B,MAAM,OAAO,GAAG,QAAQ,CAAA;IACxB,UAAU,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAA;AACnC,CAAC;AAkCD,SAAS,eAAe,CAAe,KAAc,EAAE,QAAwB;IAC7E,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,CACL,KAAK,YAAY,QAAQ;YACzB,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAC5F,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAkCD,MAAM,qBAAqB,GAAG,uBAAuB,CAAA;AACrD,MAAM,oBAAoB,GAAG,sBAAsB,CAAA;AAInD,SAAS,cAAc,CAAC,OAAe,EAAE,IAAW,EAAE,KAAe;IACnE,MAAM,GAAG,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IAC7C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5B,OAAO,GAAG,CAAA;AACZ,CAAC;AA2CD,MAAM,CAAC,MAAM,qBAAqB,GAAkB,MAAM,EAAE,CAAA;AA8B5D,MAAM,CAAC,MAAM,SAAS,GAAkB,MAAM,EAAE,CAAA;AAkBhD,MAAM,CAAC,MAAM,cAAc,GAAkB,MAAM,EAAE,CAAA;AAoIrD,MAAM,CAAC,MAAM,WAAW,GAAkB,MAAM,EAAE,CAAA;AAoClD,MAAM,CAAC,MAAM,eAAe,GAAkB,MAAM,EAAE,CAAA;AA8CtD,MAAM,CAAC,MAAM,UAAU,GAAkB,MAAM,EAAE,CAAA;AAsDjD,MAAM,CAAC,MAAM,SAAS,GAAkB,MAAM,EAAE,CAAA;AAychD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;AACjC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;AAIjC,SAAS,GAAG,CAAC,KAA0B;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AAC9B,CAAC;AAED,MAAM,UAAU,GAAG,MAAM,CAAA;AACzB,SAAS,eAAe,CAAC,KAA+B;IACtD,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;QACjC,KAAK,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAA;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QAEtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;IAC9E,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;AACrF,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAA;QACnF,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QACjC,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,cAAc,CAClB,mDAAmD,EACnD,qBAAqB,EACrB,KAAK,CACN,CAAA;IACH,CAAC;AACH,CAAC;AAID,SAAS,IAAI,CAAC,KAAwC;IACpD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAA;IAC/B,CAAC;IAED,OAAO,eAAe,CAAC,KAAK,CAAC,CAAA;AAC/B,CAAC;AAKD,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IAClD,IAAI,CAAQ;IAIZ,YAAY,OAAe,EAAE,OAA6B;QACxD,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAA;QAEjC,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAKD,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD,IAAI,CAAS;IAKb,YAAY,OAAe,EAAE,OAA4C;QACvE,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,IAAI,CAAC,IAAI,GAAG,OAAO,EAAE,IAAI,CAAA;QAC3B,CAAC;QAED,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAED,SAAS,GAAG,CAAC,OAAe,EAAE,IAAa,EAAE,KAAe;IAC1D,OAAO,IAAI,wBAAwB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,eAAe,CAAC,GAAY,EAAE,EAAU;IAC/C,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,cAAc,CAAC,GAAG,EAAE,sBAAsB,EAAE,oBAAoB,CAAC,CAAA;IACzE,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,GAAY,EACZ,EAAU;IAEV,eAAe,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IAExB,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,cAAc,CAAC,GAAG,EAAE,8BAA8B,EAAE,qBAAqB,CAAC,CAAA;IAClF,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,GAAY,EAAE,EAAU;IAC/C,eAAe,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IAExB,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,cAAc,CAAC,GAAG,EAAE,6BAA6B,EAAE,qBAAqB,CAAC,CAAA;IACjF,CAAC;AACH,CAAC;AAkFD,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAA;AAC1D,CAAC;AAED,SAAS,YAAY,CAAiB,KAAc;IAClD,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,cAAc,CAAC,KAA6D;IACnF,IAAI,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC;QACpC,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;IAC7C,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,CAAA;IAElC,IAAI,UAAU,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;IACvC,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACjC,MAAM,cAAc,CAClB,oEAAoE,EACpE,qBAAqB,CACtB,CAAA;IACH,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,MAAM,cAAc,CAClB,2DAA2D,EAC3D,qBAAqB,CACtB,CAAA;IACH,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,SAAS,MAAM,CAAC,KAA4D;IAC1E,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;QAChC,KAAK,GAAG,KAAK,EAAE,CAAA;IACjB,CAAC;IAED,IAAI,CAAC,CAAC,KAAK,YAAY,WAAW,CAAC,EAAE,CAAC;QACpC,MAAM,cAAc,CAClB,+DAA+D,EAC/D,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,gBAAqB,EACrB,OAAiC;IAEjC,IAAI,CAAC,CAAC,gBAAgB,YAAY,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,cAAc,CAAC,+CAA+C,EAAE,oBAAoB,CAAC,CAAA;IAC7F,CAAC;IAED,aAAa,CAAC,gBAAgB,EAAE,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAAC,CAAA;IAE1E,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAE1C,QAAQ,OAAO,EAAE,SAAS,EAAE,CAAC;QAC3B,KAAK,SAAS,CAAC;QACf,KAAK,MAAM;YACT,GAAG,CAAC,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,mCAAmC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;YACpF,MAAK;QACP,KAAK,QAAQ;YACX,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACzB,GAAG,CAAC,QAAQ,GAAG,wCAAwC,CAAA;YACzD,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,QAAQ,GAAG,0CAA0C,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;YAC5F,CAAC;YACD,MAAK;QACP;YACE,MAAM,cAAc,CAClB,2DAA2D,EAC3D,qBAAqB,CACtB,CAAA;IACL,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IAEzC,OAAO,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACjD,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7D,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,KAAc,EACd,MAAe,EACf,EAAU,EACV,IAAa,EACb,KAAe;IAEf,IAAI,CAAC;QACH,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,MAAM,cAAc,CAAC,GAAG,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,KAAK,CAAC,CAAA;QAC7E,CAAC;QAED,IAAI,KAAK,GAAG,CAAC;YAAE,OAAM;QAErB,IAAI,MAAM,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,cAAc,CAAC,GAAG,EAAE,gCAAgC,EAAE,qBAAqB,EAAE,KAAK,CAAC,CAAA;QAC3F,CAAC;QAED,MAAM,cAAc,CAAC,GAAG,EAAE,4BAA4B,EAAE,qBAAqB,EAAE,KAAK,CAAC,CAAA;IACvF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,GAAG,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,KAAc,EACd,EAAU,EACV,IAAa,EACb,KAAe;IAEf,IAAI,CAAC;QACH,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,cAAc,CAAC,GAAG,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,KAAK,CAAC,CAAA;QAC7E,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,cAAc,CAAC,GAAG,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,KAAK,CAAC,CAAA;QAC/E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,GAAG,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC;AAiBD,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,wBAA6B,EAC7B,QAAkB;IAElB,IACE,CAAC,CAAC,wBAAwB,YAAY,GAAG,CAAC;QAC1C,wBAAwB,KAAK,iBAAiB,EAC9C,CAAC;QACD,MAAM,cAAc,CAAC,6CAA6C,EAAE,oBAAoB,CAAC,CAAA;IAC3F,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,GAAG,CACP,kGAAkG,EAClG,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/B,IAAI,IAAe,CAAA;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,CAAC,YAAY,CAAsB,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,mCAAmC,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAEhG,IACE,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,wBAAwB,CAAC,IAAI;QAE3D,wBAAwB,KAAK,iBAAiB,EAC9C,CAAC;QACD,MAAM,GAAG,CACP,qEAAqE,EACrE,yBAAyB,EACzB,EAAE,QAAQ,EAAE,wBAAwB,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAC7E,CAAA;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAkB;IAC/C,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;AACjD,CAAC;AAED,SAAS,OAAO,CAAC,QAAkB,EAAE,GAAG,KAAe;IACrD,IAAI,GAAG,GAAG,kCAAkC,CAAA;IAC5C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,EAAE,CAAA;QACxB,GAAG,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAA;IAC1C,CAAC;SAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,GAAG,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,CAAA;IACrC,CAAC;SAAM,CAAC;QACN,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAC,GAAG,EAAE,oBAAoB,EAAE,QAAQ,CAAC,CAAA;AACjD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAkB,EAAE,GAAG,KAAe;IAChE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAE,CAAC,EAAE,CAAC;QAC/C,MAAM,OAAO,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,CAAA;IACnC,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAkB,EAAE,WAAmB;IAChE,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,WAAW,EAAE,CAAC;QAC7C,MAAM,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC;AACH,CAAC;AAKD,SAAS,WAAW;IAClB,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;AACzD,CAAC;AAYD,MAAM,UAAU,0BAA0B;IACxC,OAAO,WAAW,EAAE,CAAA;AACtB,CAAC;AASD,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,EAAE,CAAA;AACtB,CAAC;AASD,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,EAAE,CAAA;AACtB,CAAC;AAcD,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,YAAoB;IACnE,YAAY,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;IAE1C,OAAO,IAAI,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;AACvE,CAAC;AAOD,SAAS,YAAY,CAAC,KAAyC;IAC7D,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,CAAC,CAAC,KAAK,EAAE,GAAG,YAAY,SAAS,CAAC,EAAE,CAAC;QACvC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC5B,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAClC,CAAC;IAED,OAAO;QACL,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,GAAG;KACf,CAAA;AACH,CAAC;AAgBD,SAAS,KAAK,CAAC,GAAc;IAC3B,QAAS,GAAG,CAAC,SAAmC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB;YACE,MAAM,IAAI,yBAAyB,CAAC,6CAA6C,EAAE;gBACjF,KAAK,EAAE,GAAG;aACX,CAAC,CAAA;IACN,CAAC;AACH,CAAC;AAKD,SAAS,KAAK,CAAC,GAAc;IAC3B,QAAS,GAAG,CAAC,SAAmC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB;YACE,MAAM,IAAI,yBAAyB,CAAC,6CAA6C,EAAE;gBACjF,KAAK,EAAE,GAAG;aACX,CAAC,CAAA;IACN,CAAC;AACH,CAAC;AAKD,SAAS,KAAK,CAAC,GAAc;IAC3B,QAAS,GAAG,CAAC,SAA4B,CAAC,UAAU,EAAE,CAAC;QACrD,KAAK,OAAO;YACV,OAAO,OAAO,CAAA;QAChB,KAAK,OAAO;YACV,OAAO,OAAO,CAAA;QAChB,KAAK,OAAO;YACV,OAAO,OAAO,CAAA;QAChB;YACE,MAAM,IAAI,yBAAyB,CAAC,uCAAuC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IAChG,CAAC;AACH,CAAC;AAKD,SAAS,QAAQ,CAAC,GAAc;IAC9B,QAAQ,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,GAAG,CAAC,CAAA;QACnB,KAAK,mBAAmB;YACtB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAA;QACnB,KAAK,OAAO;YACV,OAAO,KAAK,CAAC,GAAG,CAAC,CAAA;QACnB,KAAK,SAAS,CAAC;QACf,KAAK,OAAO;YACV,OAAO,SAAS,CAAA;QAClB;YACE,MAAM,IAAI,yBAAyB,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IAC/F,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAuC;IAC3D,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,CAAA;IAEhC,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;AACrE,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA4C;IACrE,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,cAAc,CAAC,CAAA;IAE1C,OAAO,OAAO,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/F,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,EAAE,CAAA;AACR,CAAC;AAKD,SAAS,SAAS;IAChB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;AACtC,CAAC;AAED,SAAS,QAAQ,CAAC,EAAuB;IACvC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;QAC1C,MAAM,cAAc,CAAC,wBAAwB,EAAE,oBAAoB,CAAC,CAAA;IACtE,CAAC;IAED,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC,CAAA;AACxC,CAAC;AAED,SAAS,YAAY,CAAC,MAAc;IAClC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,cAAc,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,CAAA;IAC1E,CAAC;IAED,YAAY,CAAC,MAAM,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAOD,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,SAAS,EAAE,EAAE;QAC7E,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,GAAG;gBACN,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAA;YACjE,KAAK,KAAK;gBACR,OAAO,GAAG,CAAA;YACZ;gBACE,MAAM,IAAI,KAAK,EAAE,CAAA;QACrB,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAuCD,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,YAAY,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IAC5C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QACrC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAA;IACzC,CAAC,CAAA;AACH,CAAC;AAsBD,MAAM,UAAU,iBAAiB,CAAC,YAAoB;IACpD,YAAY,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IAC5C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAChD,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,CAAA;QAC5C,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,CAAC,CAAA;QACnD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,WAAW,EAAE,CAAC,CAAA;IACtD,CAAC,CAAA;AACH,CAAC;AAWD,SAAS,sBAAsB,CAAC,EAAuB,EAAE,MAAc;IACrE,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,OAAO;QACL,GAAG,EAAE,WAAW,EAAE;QAClB,GAAG,EAAE,EAAE,CAAC,MAAM;QACd,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,MAAM,CAAC,SAAS;QACrB,GAAG,EAAE,MAAM,CAAC,SAAS;KACtB,CAAA;AACH,CAAC;AAsBD,MAAM,UAAU,aAAa,CAC3B,gBAAwC,EACxC,OAAgC;IAEhC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAA;IACnD,gBAAgB,CAAC,GAAG,EAAE,wBAAwB,CAAC,CAAA;IAC/C,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QAC1C,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAA;QAC1C,MAAM,OAAO,GAAG,sBAAsB,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QAElD,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAE7C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,wDAAwD,CAAC,CAAA;QAC3F,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAA;IACnE,CAAC,CAAA;AACH,CAAC;AAuBD,MAAM,UAAU,eAAe,CAC7B,YAAoB,EACpB,OAAgC;IAEhC,YAAY,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IAC5C,MAAM,MAAM,GAAG,OAAO,EAAE,CAAC,eAAe,CAAC,CAAA;IACzC,IAAI,GAAc,CAAA;IAClB,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QAC1C,GAAG,KAAK,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACnC,KAAK,EACL,GAAG,CAAC,YAAY,CAAC,EACjB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;QAED,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAA;QAC/B,MAAM,OAAO,GAAG,sBAAsB,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QAElD,MAAM,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAEzB,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAA;QACzF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QAEpE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,wDAAwD,CAAC,CAAA;QAC3F,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,GAAG,IAAI,IAAI,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAA;IACvE,CAAC,CAAA;AACH,CAAC;AAeD,MAAM,UAAU,IAAI;IAClB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QACrC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;IACzC,CAAC,CAAA;AACH,CAAC;AAgBD,MAAM,UAAU,aAAa;IAC3B,OAAO,IAAI,EAAE,CAAA;AACf,CAAC;AAKD,KAAK,UAAU,OAAO,CACpB,MAAkC,EAClC,OAAgC,EAChC,GAAc;IAEd,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,MAAM,cAAc,CAClB,uFAAuF,EACvF,qBAAqB,CACtB,CAAA;IACH,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAA;IAC1F,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnF,OAAO,GAAG,KAAK,IAAI,SAAS,EAAE,CAAA;AAChC,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAuB,EACvB,MAAc,EACd,UAAiE,EACjE,UAAkC,EAClC,OAAgC;IAEhC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAE5C,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC,UAAU,CAAC,CAAA;IAC7C,gBAAgB,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAA;IAEzC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;IAE7C,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,MAAM,GAA8B;QACxC,GAAG,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QAC3C,GAAG,EAAE,WAAW,EAAE;QAClB,GAAG,EAAE,EAAE,CAAC,MAAM;QACd,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,MAAM,CAAC,SAAS;KACtB,CAAA;IAED,IAAI,QAAkB,CAAA;IACtB,IACE,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC;QAC1B,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC1C,QAAQ,CAAC,MAAM,GAAG,CAAC,EACnB,CAAC;QACD,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAA;IAC5B,CAAC;IAED,CAAC;QACC,IAAI,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACrC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,CAAC,OAAO,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;YAEpC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,qBAAqB,CAAC,CAAA;QAC3D,CAAC;IACH,CAAC;IAED,CAAC;QACC,IAAI,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACpC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,GAAG,CAAC,gDAAgD,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;YACjF,CAAC;YAED,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,MAAM,cAAc,CAClB,2DAA2D,EAC3D,qBAAqB,CACtB,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,CAAC;QACC,IAAI,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;QACnD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;YAClD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,GAAG,CACP,+DAA+D,EAC/D,WAAW,EACX,KAAK,CACN,CAAA;YACH,CAAC;YAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBACjD,MAAM,cAAc,CAClB,yEAAyE,EACzE,qBAAqB,CACtB,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC;QAClB,GAAG,EAAE,qBAAqB;QAC1B,GAAG;KACJ,CAAA;IAED,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAE5C,OAAO,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAA;AACrC,CAAC;AAED,IAAI,QAAiC,CAAA;AAErC,KAAK,UAAU,oBAAoB,CAAC,GAAc;IAChD,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAC1E,MAAM,GAAG,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,CAAA;IACpC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IACtB,OAAO,GAAG,CAAA;AACZ,CAAC;AAKD,KAAK,UAAU,SAAS,CAAC,GAAc;IACrC,QAAQ,KAAK,IAAI,OAAO,EAAE,CAAA;IAC1B,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,oBAAoB,CAAC,GAAG,CAAC,CAAA;AACvD,CAAC;AAGD,MAAM,QAAQ,GAA2D,GAAG,CAAC,KAAK;IAChF,CAAC;QACC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC;IACrC,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACZ,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,CAAA;AAKL,MAAM,UAAU,aAAa,CAAC,GAAQ,EAAE,YAAiC;IACvE,IAAI,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,GAAG,CAAC,oCAAoC,EAAE,sBAAsB,EAAE,GAAG,CAAC,CAAA;IAC9E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC1D,MAAM,GAAG,CAAC,0CAA0C,EAAE,0BAA0B,EAAE,GAAG,CAAC,CAAA;IACxF,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,KAAc,EACd,QAAmC,EACnC,YAAiC,EACjC,YAAiC;IAEjC,IAAI,GAAe,CAAA;IACnB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1D,MAAM,GAAG,CACP,0DAA0D,YAAY,CAAC,CAAC,CAAC,6BAA6B,QAAQ,GAAG,CAAC,CAAC,CAAC,OAAO,QAAQ,GAAG,EAAE,EACxI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,uBAAuB,EACvE,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAC7E,CAAA;IACH,CAAC;IAED,aAAa,CAAC,GAAG,EAAE,YAAY,CAAC,CAAA;IAEhC,OAAO,GAAG,CAAA;AACZ,CAAC;AAKD,MAAM,UAAU,eAAe,CAC7B,EAAuB,EACvB,QAAmC,EACnC,YAAiC,EACjC,YAAiC;IAEjC,IAAI,YAAY,IAAI,EAAE,CAAC,qBAAqB,IAAI,QAAQ,IAAI,EAAE,CAAC,qBAAqB,EAAE,CAAC;QACrF,OAAO,gBAAgB,CACrB,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,YAAY,EACZ,YAAY,CACb,CAAA;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,CAAC,CAAA;AAC7E,CAAC;AAgBD,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,UAAiE,EACjE,OAA2C;IAE3C,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,uCAAuC,EACvC,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;IAEvC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IAEzC,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACxB,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CACzC,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,GAAG,EACH,IAAI,EACJ,OAAO,EACP,OAAO,CACR,CAAA;IACD,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAA;IACnC,OAAO,QAAQ,CAAA;AACjB,CAAC;AA4BD,MAAM,WAAW;IACf,OAAO,CAA6B;IACpC,WAAW,CAAW;IACtB,UAAU,CAAW;IACrB,UAAU,CAAQ;IAClB,gBAAgB,CAA0B;IAC1C,IAAI,CAAsB;IAE1B,YAAY,MAAc,EAAE,OAAsB,EAAE,OAAgC;QAClF,gBAAgB,CAAC,OAAO,EAAE,UAAU,EAAE,mBAAmB,CAAC,CAAA;QAC1D,eAAe,CAAC,OAAO,EAAE,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAEvD,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,cAAc,CAAC,2CAA2C,EAAE,qBAAqB,CAAC,CAAA;QAC1F,CAAC;QAED,IAAI,CAAC,gBAAgB,GAAG,OAAO,EAAE,CAAC,eAAe,CAAC,CAAA;QAClD,IAAI,CAAC,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;QACtC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAA;QACrC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAA;QACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IACnB,CAAC;IAED,IAAI,CAAC,GAAW;QACd,IAAI,CAAC,IAAI,KAAK,IAAI,GAAG,EAAE,CAAA;QACvB,IAAI,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACrB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAC1B,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,GAAW,EAAE,GAAW;QAC3B,IAAI,CAAC,IAAI,KAAK,IAAI,GAAG,EAAE,CAAA;QACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;YAC3B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAM,CAAC,CAAA;QAClD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAQ,EAAE,OAAgB,EAAE,GAAW,EAAE,WAAoB;QAC1E,IAAI,CAAC,OAAO,KAAK;YACf,GAAG,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC;YAC/B,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;SACtC,CAAA;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEnC,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,IAAI,CAAC,UAAU,CAAA;QACzC,MAAM,OAAO,GAAG;YACd,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,WAAW,EAAE;YAClB,GAAG;YACH,KAAK;YACL,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,EAAE;YACnC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;SAC7F,CAAA;QAED,IAAI,CAAC,gBAAgB,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAE9C,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;IAC7E,CAAC;IAED,UAAU,CAAC,QAAkB;QAC3B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;YAChD,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YAChD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;CACF;AAQD,MAAM,UAAU,gBAAgB,CAAC,GAAY;IAC3C,IAAI,GAAG,YAAY,6BAA6B,EAAE,CAAC;QACjD,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAA;QAC1C,OAAO,CACL,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,KAAK,gBAAgB,CAC/F,CAAA;IACH,CAAC;IAED,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;QACrC,OAAO,GAAG,CAAC,KAAK,KAAK,gBAAgB,CAAA;IACvC,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AA2BD,MAAM,UAAU,IAAI,CAClB,MAAc,EACd,OAAsB,EACtB,OAAgC;IAEhC,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;AAClD,CAAC;AAqCD,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAIjC,KAAK,CAAuC;IAErD,IAAI,CAA4B;IAKhC,KAAK,CAAQ;IAKb,MAAM,CAAQ;IAMd,iBAAiB,CAAS;IAM1B,QAAQ,CAAW;IAKnB,YACE,OAAe,EACf,OAGC;QAED,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;QAC/B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;QAC1B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAA;QAChC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAA;QACrC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAA;QACxD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAA;QAGvF,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAcD,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IAI1C,KAAK,CAAiB;IAE/B,IAAI,CAAqC;IAKzC,KAAK,CAAQ;IAMb,iBAAiB,CAAS;IAK1B,YACE,OAAe,EACf,OAEC;QAED,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAA;QACxC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;QAC1B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAE,CAAA;QACxC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAA;QAG5E,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAgBD,MAAM,OAAO,6BAA8B,SAAQ,KAAK;IAI7C,KAAK,CAA4B;IAE1C,IAAI,CAAmC;IAMvC,QAAQ,CAAU;IAKlB,MAAM,CAAQ;IAKd,YAAY,OAAe,EAAE,OAAkE;QAC7F,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAA;QACjC,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAA;QACtC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;QAC1B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAA;QACrC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QAChC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAA;QAG9D,KAAK,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;CACF;AAwBD,SAAS,OAAO,CAAC,KAAa;IAC5B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QAC7E,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC3B,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,MAAM,YAAY,GAAG,yCAAyC,CAAA;AAC9D,MAAM,cAAc,GAAG,oDAAoD,CAAA;AAE3E,SAAS,OAAO,CAAC,MAAc,EAAE,MAAc;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC/C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,WAAW,EAAuB,EAAE,UAAU,EAAE,EAAE,EAAE,CAAA;IAC9E,CAAC;IACD,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IAC3D,MAAM,UAAU,GAA2C,EAAE,CAAA;IAC7D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,CAAC,CAAA;QACb,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACxB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;gBACtD,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAA;YACpB,CAAC;QACH,CAAC;QACD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,WAAW,EAAuB,CAAA;QAEvF,UAAU,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;IACrC,CAAC;IAED,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,WAAW,EAAuB;QACjD,UAAU;KACX,CAAA;AACH,CAAC;AAED,SAAS,8BAA8B,CACrC,QAAkB;IAElB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IACvD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAuB,EAAE,CAAA;IACrC,KAAK,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAM,CAAC,CAAC,CAAA;IAC/B,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE;QAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAC1B,IAAI,UAAkB,CAAA;QACtB,IAAI,IAAI,EAAE,CAAC;YACT,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QAC7C,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACpC,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;IACpC,CAAC,CAAC,CAAA;IAEF,OAAO,UAAU,CAAA;AACnB,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,kCAAkC,CACtD,EAAuB,EACvB,MAAc,EACd,QAAkB;IAElB,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,GAA4B,CAAA;QAChC,IAAI,CAAC,GAAG,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;YAC7B,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,EAAE;gBACjF,KAAK,EAAE,GAAG;gBACV,QAAQ;aACT,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,GAAG,CACP,0GAA0G,EAC1G,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/B,IAAI,IAAe,CAAA;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,CAAC,YAAY,CAAyC,IAAI,CAAC,EAAE,CAAC;QAChE,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,wCAAwC,EAAE,gBAAgB,EAAE;QACzF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IAEF,IAAI,SAAS,GACX,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;IACrF,YAAY,CAAC,SAAS,EAAE,KAAK,EAAE,uCAAuC,EAAE,gBAAgB,EAAE;QACxF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IACF,IAAI,CAAC,UAAU,GAAG,SAAS,CAAA;IAE3B,OAAO,IAAI,CAAA;AACb,CAAC;AAeD,SAAS,UAAU,CAAC,MAAkB;IACpC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,MAAM,cAAc,CAAC,0CAA0C,EAAE,qBAAqB,CAAC,CAAA;IACzF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,WAAmB,EACnB,MAAc,EACd,GAAQ,EACR,OAAiB,EACjB,IAAmC,EACnC,OAAyC;IAEzC,YAAY,CAAC,WAAW,EAAE,eAAe,CAAC,CAAA;IAE1C,IAAI,CAAC,CAAC,GAAG,YAAY,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,cAAc,CAAC,kCAAkC,EAAE,oBAAoB,CAAC,CAAA;IAChF,CAAC;IAED,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAAC,CAAA;IAE7D,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;IAEjC,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACxB,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,EAAE,WAAW,CAAC,CAAA;QAC5E,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,WAAW,EAAE,CAAC,CAAA;IACrD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,WAAW,EAAE,CAAC,CAAA;IACvD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACjE,IAAI;QACJ,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM;QACN,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7D,CAAC,CAAA;IACF,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAA;IACnC,OAAO,QAAQ,CAAA;AACjB,CAAC;AAqBD,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,WAAmB,EACnB,MAAc,EACd,GAAQ,EACR,OAAiB,EACjB,IAAmC,EACnC,OAAyC;IAEzC,OAAO,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE;QACzF,IAAI,UAAkD,CAAA;QACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC,CAAC,CAAA;AACJ,CAAC;AAqBD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAuB,EACvB,MAAc,EACd,WAAmB,EACnB,OAAgC;IAEhC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,mBAAmB,EACnB,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,IAAI,MAAM,CAAC,4BAA4B,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAA;IAC1C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;QACzC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAA;IAC7C,CAAC;IAED,OAAO,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE;QAC7D,GAAG,OAAO;QACV,CAAC,SAAS,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC;KACC,CAAC,CAAA;AACvC,CAAC;AAqCD,IAAI,OAA0E,CAAA;AAS9E,SAAS,YAAY,CACnB,EAAuB,EACvB,IAAU,EACV,GAAW,EACX,KAAsB;IAEtB,OAAO,KAAK,IAAI,OAAO,EAAE,CAAA;IACzB,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE;QACd,IAAI;QACJ,GAAG;QACH,IAAI,GAAG;YACL,OAAO,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,CAAA;QAC/B,CAAC;KACF,CAAC,CAAA;IAEF,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAA;IAC5D,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,SAAS,EAAE,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,EAAE,CAAC;QACzF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IACE,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC;QAClB,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;QACzB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QAC/B,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,EAC1D,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,cAAc,CAAC,EAAuB,EAAE,KAA+B;IAC9E,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;IACnB,OAAO,KAAK,EAAE,IAAI,CAAA;IAClB,OAAO,KAAK,EAAE,GAAG,CAAA;AACnB,CAAC;AAED,KAAK,UAAU,gCAAgC,CAC7C,EAAuB,EACvB,OAAmE,EACnE,MAAkC;IAElC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAA;IAC3B,oBAAoB,CAAC,MAAM,CAAC,CAAA;IAE5B,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAChE,YAAY,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAA;IACvE,CAAC;IAED,IAAI,IAAU,CAAA;IACd,IAAI,GAAW,CAAA;IAEf,IAAI,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QACrB,CAAC;QAAA,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAA;QACnC,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;YAEf,cAAc,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,CAAA;YACxC,OAAO,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;QAC9D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;QAC/D,GAAG,GAAG,CAAC,CAAA;QACP,YAAY,CAAC,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,CAAA;IAC3D,CAAC;IAED,IAAI,GAAW,CAAA;IACf,QAAQ,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACxB,KAAK,IAAI,CAAC;QACV,KAAK,IAAI;YACP,GAAG,GAAG,KAAK,CAAA;YACX,MAAK;QACP,KAAK,IAAI;YACP,GAAG,GAAG,IAAI,CAAA;YACV,MAAK;QACP,KAAK,IAAI;YACP,GAAG,GAAG,KAAK,CAAA;YACX,MAAK;QACP;YACE,MAAM,IAAI,yBAAyB,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IACxF,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAE1C,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YACpB,OAAO,KAAK,CAAA;QACd,CAAC;QAGD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,CAAC;YACzC,OAAO,KAAK,CAAA;QACd,CAAC;QAGD,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,GAAG,CAAC,GAAG,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAA;QACd,CAAC;QAGD,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YAC/C,OAAO,KAAK,CAAA;QACd,CAAC;QAGD,IAAI,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;YAC9C,OAAO,KAAK,CAAA;QACd,CAAC;QAGD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC;YAC5C,KAAK,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC;YAC5C,KAAK,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC;YAC5C,KAAK,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC;YAChD,KAAK,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS;gBAC3C,OAAO,KAAK,CAAA;QAChB,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEF,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,UAAU,CAAA;IAErC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,GAAG,IAAI,EAAE,EAAE,CAAC;YAEd,cAAc,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,CAAA;YACxC,OAAO,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;QAC9D,CAAC;QACD,MAAM,GAAG,CACP,uEAAuE,EACvE,aAAa,EACb,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,GAAG,CAAC,EAAE,CAAC,QAAS,CAAC,EAAE,CACxD,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,GAAG,CACP,uHAAuH,EACvH,aAAa,EACb,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,GAAG,CAAC,EAAE,CAAC,QAAS,CAAC,EAAE,CACxD,CAAA;IACH,CAAC;IAED,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5B,CAAC;AAWD,MAAM,CAAC,MAAM,gBAAgB,GAAkB,MAAM,EAAE,CAAA;AAEvD,SAAS,cAAc,CAAC,KAAyB;IAC/C,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;AACzD,CAAC;AA6BD,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,EAAuB,EACvB,MAAc,EACd,eAAiD,EACjD,QAAkB,EAClB,OAA2B;IAE3B,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,GAAG,CACP,sFAAsF,EACtF,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAEhC,IAAI,IAAe,CAAA;IACnB,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,iBAAiB,EAAE,CAAC;QACnD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,WAAW,CACvC,MAAM,QAAQ,CAAC,IAAI,EAAE,EACrB,qBAAqB,CAAC,IAAI,CACxB,SAAS,EACT,MAAM,CAAC,4BAA4B,EACnC,EAAE,CAAC,qCAAqC,EACxC,SAAS,CACV,EACD,YAAY,CAAC,MAAM,CAAC,EACpB,iBAAiB,CAAC,MAAM,CAAC,EACzB,OAAO,EAAE,CAAC,UAAU,CAAC,CACtB;aACE,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;aAChE,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAA;QAEnD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC1B,IAAI,GAAG,MAAmB,CAAA;IAC5B,CAAC;SAAM,CAAC;QACN,IAAI,MAAM,CAAC,4BAA4B,EAAE,CAAC;YACxC,MAAM,GAAG,CAAC,gCAAgC,EAAE,qBAAqB,EAAE,QAAQ,CAAC,CAAA;QAC9E,CAAC;QAED,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAC/B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;QAC1E,CAAC;IACH,CAAC;IAED,IAAI,CAAC,YAAY,CAAmB,IAAI,CAAC,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,gCAAgC,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAE1F,QAAQ,eAAe,EAAE,CAAC;QACxB,KAAK,gBAAgB;YACnB,MAAK;QACP;YACE,YAAY,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAA;YAElD,IAAI,IAAI,CAAC,GAAG,KAAK,eAAe,EAAE,CAAC;gBACjC,MAAM,GAAG,CAAC,iDAAiD,EAAE,yBAAyB,EAAE;oBACtF,QAAQ,EAAE,eAAe;oBACzB,IAAI,EAAE,IAAI;oBACV,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAA;YACJ,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,GAAQ,EACR,IAAqB,EACrB,OAAgB,EAChB,OAAsE;IAEtE,MAAM,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,iDAAiD,CAAC,CAAA;IAE9E,OAAO,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACjD,IAAI;QACJ,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7D,CAAC,CAAA;AACJ,CAAC;AAWD,KAAK,UAAU,oBAAoB,CACjC,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,SAAiB,EACjB,UAA2B,EAC3B,OAAmE;IAEnE,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,gBAAgB,EAChB,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,UAAU,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,CAAC,CAAA;IACvC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IAEzC,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACxB,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CACzC,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,GAAG,EACH,UAAU,EACV,OAAO,EACP,OAAO,CACR,CAAA;IACD,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAA;IACnC,OAAO,QAAQ,CAAA;AACjB,CAAC;AAiBD,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,YAAoB,EACpB,OAAqC;IAErC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,YAAY,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IAE5C,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;IACrE,UAAU,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAA;IAC7C,OAAO,oBAAoB,CACzB,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,eAAe,EACf,UAAU,EACV,OAAO,CACR,CAAA;AACH,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,OAAO,EAAkC,CAAA;AACnE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAoB,CAAA;AAY/C,MAAM,UAAU,yBAAyB,CAAC,GAA0B;IAClE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAClB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,cAAc,CAClB,gFAAgF,EAChF,qBAAqB,CACtB,CAAA;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AA8BD,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,EAAuB,EACvB,GAAa,EACb,OAAkC;IAElC,QAAQ,CAAC,EAAE,CAAC,CAAA;IAEZ,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,cAAc,CAClB,4EAA4E,EAC5E,qBAAqB,CACtB,CAAA;IACH,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE5F,MAAM,MAAM,GAA+B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAA;IAEjF,IAAI,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,yBAAyB,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IAClG,CAAC;IAED,IAAI,GAAe,CAAA;IACnB,GAAG,GAAG,MAAM,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACjE,MAAM,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAA;AACnF,CAAC;AAED,KAAK,UAAU,iCAAiC,CAC9C,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,+BAA2E,EAC3E,OAAsC;IAEtC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,GAA4B,CAAA;QAChC,IAAI,CAAC,GAAG,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;YAC7B,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,EAAE;gBACjF,KAAK,EAAE,GAAG;gBACV,QAAQ;aACT,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,GAAG,CACP,mFAAmF,EACnF,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/B,IAAI,IAAe,CAAA;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,CAAC,YAAY,CAAmC,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,yCAAyC,EAAE,gBAAgB,EAAE;QAC3F,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IAEF,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,uCAAuC,EAAE,gBAAgB,EAAE;QACvF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IAEF,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,WAAW,EAAuB,CAAA;IAEpE,IAAI,IAAI,CAAC,UAAU,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/D,MAAM,IAAI,yBAAyB,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;IAClG,CAAC;IAED,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAClC,IAAI,SAAS,GACX,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;QACrF,YAAY,CAAC,SAAS,EAAE,KAAK,EAAE,uCAAuC,EAAE,gBAAgB,EAAE;YACxF,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;QACF,IAAI,CAAC,UAAU,GAAG,SAAS,CAAA;IAC7B,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACrC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,0CAA0C,EAAE,gBAAgB,EAAE;YAC7F,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;IACJ,CAAC;IAGD,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC/D,MAAM,GAAG,CAAC,mDAAmD,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAClG,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAChC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,qCAAqC,EAAE,gBAAgB,EAAE;YACnF,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;QAEF,MAAM,cAAc,GAAmC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAA;QAE1F,IAAI,MAAM,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;YACtC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAClC,CAAC;QAED,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;YACzC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAA;YACvE,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAClC,CAAC;QAED,IAAI,+BAA+B,EAAE,MAAM,EAAE,CAAC;YAC5C,cAAc,CAAC,IAAI,CAAC,GAAG,+BAA+B,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,WAAW,CACvC,IAAI,CAAC,QAAQ,EACb,qBAAqB,CAAC,IAAI,CACxB,SAAS,EACT,MAAM,CAAC,4BAA4B,EACnC,EAAE,CAAC,qCAAqC,EACxC,OAAO,CACR,EACD,YAAY,CAAC,MAAM,CAAC,EACpB,iBAAiB,CAAC,MAAM,CAAC,EACzB,OAAO,EAAE,CAAC,UAAU,CAAC,CACtB;aACE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;aACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;aACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;QAE3D,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzD,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC7B,MAAM,GAAG,CACP,yEAAyE,EACzE,oBAAoB,EACpB,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CACzB,CAAA;YACH,CAAC;YACD,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;gBACpC,MAAM,GAAG,CACP,0DAA0D,EAC1D,oBAAoB,EACpB,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CACrD,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,YAAY,CACV,MAAM,CAAC,SAAS,EAChB,KAAK,EACL,4CAA4C,EAC5C,gBAAgB,EAChB,EAAE,MAAM,EAAE,CACX,CAAA;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC1B,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,MAAiB,CAAC,CAAA;IAC5C,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAmBD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,OAAO,iCAAiC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACpF,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgB,EAChB,MAA+C;IAE/C,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB,EAAE,MAA+C;IACzF,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1C,MAAM,GAAG,CAAC,6CAA6C,EAAE,oBAAoB,EAAE;gBAC7E,QAAQ;gBACR,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,KAAK,EAAE,KAAK;aACb,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,6CAA6C,EAAE,oBAAoB,EAAE;YAC7E,QAAQ;YACR,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,sBAAsB,CAC7B,EAAuB,EACvB,MAA+C;IAE/C,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,cAAc,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;IACnC,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,cAAc,CAAC,EAAuB,EAAE,MAA+C;IAE9F,MAAM,QAAQ,GAAG,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,CAAA;IAC3D,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,CAAC,2CAA2C,EAAE,oBAAoB,EAAE;YAC3E,QAAQ;YACR,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,OAAO,GAAG,IAAI,OAAO,EAAgC,CAAA;AAC3D,SAAS,KAAK,CAAC,YAA6B;IAC1C,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IACzB,OAAO,YAAY,CAAA;AACrB,CAAC;AAsBD,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,kBAAmC,EACnC,WAAmB,EACnB,YAAoB,EACpB,OAAqC;IAErC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACrC,MAAM,cAAc,CAClB,mIAAmI,EACnI,qBAAqB,CACtB,CAAA;IACH,CAAC;IAED,YAAY,CAAC,WAAW,EAAE,eAAe,CAAC,CAAA;IAE1C,MAAM,IAAI,GAAG,qBAAqB,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAA;IAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,GAAG,CAAC,+CAA+C,EAAE,gBAAgB,CAAC,CAAA;IAC9E,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;IACrE,UAAU,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;IAC3C,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAG5B,IAAI,YAAY,KAAK,OAAO,EAAE,CAAC;QAC7B,YAAY,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;QAC5C,UAAU,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAA;IAC/C,CAAC;IAED,OAAO,oBAAoB,CACzB,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,oBAAoB,EACpB,UAAU,EACV,OAAO,CACR,CAAA;AACH,CAAC;AA4CD,MAAM,aAAa,GAAG;IACpB,GAAG,EAAE,UAAU;IACf,MAAM,EAAE,WAAW;IACnB,SAAS,EAAE,WAAW;IACtB,GAAG,EAAE,iBAAiB;IACtB,GAAG,EAAE,WAAW;IAChB,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;IACb,KAAK,EAAE,OAAO;IACd,MAAM,EAAE,YAAY;IACpB,GAAG,EAAE,SAAS;IACd,GAAG,EAAE,mBAAmB;IACxB,GAAG,EAAE,aAAa;IAClB,GAAG,EAAE,UAAU;IACf,GAAG,EAAE,cAAc;IACnB,SAAS,EAAE,qBAAqB;CACjC,CAAA;AAED,SAAS,gBAAgB,CACvB,QAAwC,EACxC,MAA+C;IAE/C,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACvC,MAAM,GAAG,CAAC,QAAQ,KAAK,MAAM,aAAa,CAAC,KAAK,CAAC,iBAAiB,EAAE,gBAAgB,EAAE;gBACpF,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAmCD,MAAM,CAAC,MAAM,aAAa,GAAkB,MAAM,EAAE,CAAA;AAMpD,MAAM,CAAC,MAAM,iBAAiB,GAAkB,MAAM,EAAE,CAAA;AAsCxD,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAAiD;IAEjD,IACE,OAAO,OAAO,EAAE,aAAa,KAAK,QAAQ;QAC1C,OAAO,OAAO,EAAE,MAAM,KAAK,QAAQ;QACnC,OAAO,EAAE,cAAc,EACvB,CAAC;QACD,OAAO,sCAAsC,CAC3C,EAAE,EACF,MAAM,EACN,QAAQ,EACR,OAAO,CAAC,aAAa,EACrB,OAAO,CAAC,MAAM,EACd;YACE,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC;SAClC,CACF,CAAA;IACH,CAAC;IAED,OAAO,sCAAsC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAA;AAC9E,CAAC;AAED,KAAK,UAAU,sCAAsC,CACnD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,aAAwD,EACxD,MAAqD,EACrD,OAAsC;IAEtC,MAAM,wBAAwB,GAAmC,EAAE,CAAA;IAEnE,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,SAAS;YACZ,aAAa,GAAG,aAAa,CAAA;YAC7B,MAAK;QACP,KAAK,aAAa;YAChB,MAAK;QACP;YACE,YAAY,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAA;YACvD,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,KAAK,MAAM,CAAC,eAAe,CAAA;IACjC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,SAAS;YACZ,MAAM,GAAG,iBAAiB,CAAA;YAC1B,MAAK;QACP,KAAK,iBAAiB;YACpB,MAAK;QACP;YACE,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,mBAAmB,CAAC,CAAA;YAChD,wBAAwB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC9C,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,iCAAiC,CACpD,EAAE,EACF,MAAM,EACN,QAAQ,EACR,wBAAwB,EACxB,OAAO,CACR,CAAA;IAED,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,qCAAqC,EAAE,gBAAgB,EAAE;QACrF,IAAI,EAAE,MAAM;KACb,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAE,CAAA;IACjD,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;QAC9C,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAA;QAC3C,IAAI,MAAM,CAAC,SAAU,GAAG,MAAM,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC;YACjD,MAAM,GAAG,CACP,kEAAkE,EAClE,mBAAmB,EACnB,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAC/C,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,aAAa,KAAK,aAAa,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,GAAG,CAAC,yCAAyC,EAAE,oBAAoB,EAAE;gBACzE,QAAQ,EAAE,SAAS;gBACnB,MAAM;gBACN,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,CAAC,KAAK,KAAK,aAAa,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,yCAAyC,EAAE,oBAAoB,EAAE;YACzE,QAAQ,EAAE,aAAa;YACvB,MAAM;YACN,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,KAAK,UAAU,sCAAsC,CACnD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,MAAM,MAAM,GAAG,MAAM,iCAAiC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IAEhG,MAAM,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAA;IAChD,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;YACzC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAA;YACvE,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;YAC9C,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAC3C,IAAI,MAAM,CAAC,SAAU,GAAG,MAAM,CAAC,eAAe,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC;gBACjE,MAAM,GAAG,CACP,kEAAkE,EAClE,mBAAmB,EACnB,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAC/C,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,GAAG,CAAC,yCAAyC,EAAE,oBAAoB,EAAE;gBACzE,QAAQ,EAAE,SAAS;gBACnB,MAAM;gBACN,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAOD,MAAM,CAAC,MAAM,0BAA0B,GAAG,kCAAkC,CAAA;AAM5E,MAAM,CAAC,MAAM,mBAAmB,GAAG,2BAA2B,CAAA;AAM9D,MAAM,CAAC,MAAM,qBAAqB,GAAG,6BAA6B,CAAA;AAMlE,MAAM,CAAC,MAAM,4BAA4B,GAAG,oCAAoC,CAAA;AAOhF,MAAM,CAAC,MAAM,qBAAqB,GAAG,6BAA6B,CAAA;AAWlE,MAAM,CAAC,MAAM,WAAW,GAAG,mBAAmB,CAAA;AAM9C,MAAM,CAAC,MAAM,gBAAgB,GAAG,wBAAwB,CAAA;AAOxD,MAAM,CAAC,MAAM,eAAe,GAAG,uBAAuB,CAAA;AAOtD,MAAM,CAAC,MAAM,oBAAoB,GAAG,4BAA4B,CAAA;AAOhE,MAAM,CAAC,MAAM,uBAAuB,GAAG,+BAA+B,CAAA;AAOtE,MAAM,CAAC,MAAM,sBAAsB,GAAG,8BAA8B,CAAA;AAOpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,kCAAkC,CAAA;AAS5E,MAAM,CAAC,MAAM,mBAAmB,GAAG,kCAAkC,CAAA;AASrE,MAAM,CAAC,MAAM,oBAAoB,GAAG,mCAAmC,CAAA;AAOvE,MAAM,CAAC,MAAM,yBAAyB,GAAG,wCAAwC,CAAA;AAOjF,MAAM,CAAC,MAAM,aAAa,GAAG,4BAA4B,CAAA;AAMzD,MAAM,CAAC,MAAM,uBAAuB,GAAG,+BAA+B,CAAA;AAMtE,MAAM,CAAC,MAAM,uBAAuB,GAAG,+BAA+B,CAAA;AAEtE,SAAS,YAAY,CAAC,QAAgB,EAAE,MAA+C;IACrF,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1F,MAAM,GAAG,CAAC,6CAA6C,EAAE,gBAAgB,EAAE;YACzE,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAmBD,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,UAAiE,EACjE,OAA8C;IAE9C,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,OAAO,oBAAoB,CACzB,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,oBAAoB,EACpB,IAAI,eAAe,CAAC,UAAU,CAAC,EAC/B,OAAO,CACR,CAAA;AACH,CAAC;AAoBD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,SAAiB,EACjB,UAAiE,EACjE,OAAmE;IAEnE,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAA;IAEtC,OAAO,oBAAoB,CACzB,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,SAAS,EACT,IAAI,eAAe,CAAC,UAAU,CAAC,EAC/B,OAAO,CACR,CAAA;AACH,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,OAAO,iCAAiC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACpF,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,OAAO,iCAAiC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACpF,CAAC;AAuBD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,KAAa,EACb,OAAkC;IAElC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;IAE9B,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,qBAAqB,EACrB,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;IAC/D,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAExB,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAExB,OAAO,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;AAC5F,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,QAAkB;IAChE,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,GAA4B,CAAA;QAChC,IAAI,CAAC,GAAG,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;YAC7B,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,EAAE;gBACjF,KAAK,EAAE,GAAG;gBACV,QAAQ;aACT,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,GAAG,CACP,wFAAwF,EACxF,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAmBD,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,cAAc,CAAC,uCAAuC,EAAE,qBAAqB,CAAC,CAAA;IACtF,CAAC;AACH,CAAC;AAiBD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,KAAa,EACb,OAAqC;IAErC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;IAE9B,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,wBAAwB,EACxB,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;IAC/D,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACxB,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,IAAI,OAAO,EAAE,kBAAkB,IAAI,MAAM,CAAC,iCAAiC,EAAE,CAAC;QAC5E,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,qCAAqC,CAAC,CAAA;IAC9D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IAC3C,CAAC;IAED,OAAO,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;AAC5F,CAAC;AA8CD,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,GAA4B,CAAA;QAChC,IAAI,CAAC,GAAG,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;YAC7B,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,EAAE;gBACjF,KAAK,EAAE,GAAG;gBACV,QAAQ;aACT,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,GAAG,CACP,2FAA2F,EAC3F,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,IAAI,IAAe,CAAA;IACnB,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,qCAAqC,EAAE,CAAC;QACvE,sBAAsB,CAAC,QAAQ,CAAC,CAAA;QAChC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,WAAW,CACvC,MAAM,QAAQ,CAAC,IAAI,EAAE,EACrB,qBAAqB,CAAC,IAAI,CACxB,SAAS,EACT,MAAM,CAAC,iCAAiC,EACxC,EAAE,CAAC,0CAA0C,EAC7C,OAAO,CACR,EACD,YAAY,CAAC,MAAM,CAAC,EACpB,iBAAiB,CAAC,MAAM,CAAC,EACzB,OAAO,EAAE,CAAC,UAAU,CAAC,CACtB;aACE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;aAC7D,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAC7D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;aACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;QAE3D,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAC1B,IAAI,GAAG,MAAM,CAAC,mBAAgC,CAAA;QAC9C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,GAAG,CAAC,uDAAuD,EAAE,gBAAgB,EAAE;gBACnF,MAAM;aACP,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,sBAAsB,CAAC,QAAQ,CAAC,CAAA;QAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAC/B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;QAC1E,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;QAC3F,CAAC;IACH,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,GAAG,CAAC,qDAAqD,EAAE,gBAAgB,EAAE;YACjF,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,IAA6B,CAAA;AACtC,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,EAAuB,EACvB,OAAmC;IAEnC,QAAQ,CAAC,EAAE,CAAC,CAAA;IAEZ,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAAC,CAAA;IAE7F,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IACzC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAA;IAEpD,OAAO,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACjD,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7D,CAAC,CAAA;AACJ,CAAC;AAMD,KAAK,UAAU,mBAAmB,CAAC,QAAkB;IACnD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,GAAG,CACP,qFAAqF,EACrF,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAChC,kBAAkB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,0BAA0B,CAAC,CAAA;IAC5E,IAAI,IAAe,CAAA;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,CAAC,YAAY,CAAO,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,GAAG,CAAC,kDAAkD,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IACjG,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;QACzD,MAAM,GAAG,CACP,uEAAuE,EACvE,gBAAgB,EAChB,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAA;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,QAAkB;IACpD,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACnD,sBAAsB,CAAC,QAAQ,CAAC,CAAA;QAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAC/B,IAAI,CAAC;YACH,MAAM,IAAI,GAAc,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAA;YACrD,IAAI,YAAY,CAAc,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3F,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,SAAS,CAAC,GAAW;IAC5B,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,SAAS,CAAC;QACf,KAAK,OAAO;YACV,OAAO,IAAI,CAAA;QACb;YACE,OAAO,KAAK,CAAA;IAChB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAkC;IAC9D,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,yBAAyB,CAAC,kCAAkC,EAAE;YACtE,KAAK,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE;SAC3B,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAc;IAC1C,MAAM,EAAE,SAAS,EAAE,GAAG,GAAuD,CAAA;IAC7E,IAAI,OAAO,SAAS,CAAC,aAAa,KAAK,QAAQ,IAAI,SAAS,CAAC,aAAa,GAAG,IAAI,EAAE,CAAC;QAClF,MAAM,IAAI,yBAAyB,CAAC,eAAe,SAAS,CAAC,IAAI,gBAAgB,EAAE;YACjF,KAAK,EAAE,GAAG;SACX,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,GAAc;IACnC,MAAM,EAAE,SAAS,EAAE,GAAG,GAAgD,CAAA;IACtE,QAAQ,SAAS,CAAC,UAAU,EAAE,CAAC;QAC7B,KAAK,OAAO;YACV,OAAO,SAAS,CAAA;QAClB,KAAK,OAAO;YACV,OAAO,SAAS,CAAA;QAClB,KAAK,OAAO;YACV,OAAO,SAAS,CAAA;QAClB;YACE,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IACvF,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAc;IACjC,QAAQ,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK,OAAO;YACV,OAAO;gBACL,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI;gBACxB,IAAI,EAAE,aAAa,CAAC,GAAG,CAAC;aACV,CAAA;QAClB,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,oBAAoB,CAAC,GAAG,CAAC,CAAA;YACzB,QAAS,GAAG,CAAC,SAAmC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC3D,KAAK,SAAS,CAAC;gBACf,KAAK,SAAS,CAAC;gBACf,KAAK,SAAS;oBACZ,OAAO;wBACL,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI;wBACxB,UAAU,EACR,QAAQ,CAAE,GAAG,CAAC,SAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;qBAClE,CAAA;gBACnB;oBACE,MAAM,IAAI,yBAAyB,CAAC,+BAA+B,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;YACxF,CAAC;QACH,CAAC;QACD,KAAK,mBAAmB;YACtB,oBAAoB,CAAC,GAAG,CAAC,CAAA;YACzB,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAA;QAC3B,KAAK,SAAS,CAAC;QACf,KAAK,OAAO;YACV,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAA;IAC7B,CAAC;IACD,MAAM,IAAI,yBAAyB,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;AAC7F,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,eAAuB,EACvB,OAAe,EACf,GAAc,EACd,SAAqB;IAErB,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,eAAe,IAAI,OAAO,EAAE,CAAC,CAAA;IACjD,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IAClC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;IAC5E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,GAAG,CAAC,mCAAmC,EAAE,gBAAgB,EAAE;YAC/D,GAAG;YACH,IAAI;YACJ,SAAS;YACT,SAAS;SACV,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAOD,KAAK,UAAU,WAAW,CACxB,GAAW,EACX,QAAiD,EACjD,SAAiB,EACjB,cAAsB,EACtB,UAA0C;IAE1C,IAAI,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE/D,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAC1B;YAAA,CAAC,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;QAChE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,yBAAyB,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QACzF,CAAC;IACH,CAAC;IAED,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,GAAG,CAAC,aAAa,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAA;IACjD,CAAC;IAED,IAAI,MAAiB,CAAA;IACrB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAA;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,2DAA2D,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC5F,CAAC;IAED,IAAI,CAAC,YAAY,CAA6B,MAAM,CAAC,EAAE,CAAC;QACtD,MAAM,GAAG,CAAC,uCAAuC,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAA;IAC3E,CAAC;IAED,QAAQ,CAAC,MAAM,CAAC,CAAA;IAChB,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,yBAAyB,CAAC,yDAAyD,EAAE;YAC7F,KAAK,EAAE,EAAE,MAAM,EAAE;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,MAAiB,CAAA;IACrB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,4DAA4D,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC7F,CAAC;IAED,IAAI,CAAC,YAAY,CAAa,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,GAAG,CAAC,wCAAwC,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,SAAS,CAAA;IAEnC,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,GAAG,CAAC,mDAAmD,EAAE,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QAC9F,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,IAAI,GAAG,GAAG,cAAc,EAAE,CAAC;YACvC,MAAM,GAAG,CACP,0FAA0F,EAC1F,mBAAmB,EACnB,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,CACzD,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,GAAG,CAAC,6CAA6C,EAAE,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QACxF,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,GAAG,CAAC,0CAA0C,EAAE,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QACrF,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,GAAG,CAAC,8CAA8C,EAAE,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QACzF,CAAC;QACD,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,cAAc,EAAE,CAAC;YACtC,MAAM,GAAG,CAAC,+CAA+C,EAAE,mBAAmB,EAAE;gBAC9E,MAAM;gBACN,GAAG;gBACH,SAAS,EAAE,cAAc;gBACzB,KAAK,EAAE,KAAK;aACb,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACjE,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QACvF,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;AACrC,CAAC;AAqBD,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,EAAuB,EACvB,MAAc,EACd,UAAiC,EACjC,aAAqE,EACrE,OAAsD;IAEtD,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,UAAU,YAAY,GAAG,EAAE,CAAC;QAC9B,UAAU,GAAG,UAAU,CAAC,YAAY,CAAA;IACtC,CAAC;IAED,IAAI,CAAC,CAAC,UAAU,YAAY,eAAe,CAAC,EAAE,CAAC;QAC7C,MAAM,cAAc,CAClB,6DAA6D,EAC7D,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAA;IAC9D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,GAAG,CAAC,+CAA+C,EAAE,gBAAgB,CAAC,CAAA;IAC9E,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,WAAW,CAC/C,QAAQ,EACR,qBAAqB,CAAC,IAAI,CACxB,SAAS,EACT,MAAM,CAAC,iCAAiC,EACxC,EAAE,CAAC,0CAA0C,EAC7C,OAAO,CACR,EACD,YAAY,CAAC,MAAM,CAAC,EACpB,iBAAiB,CAAC,MAAM,CAAC,EACzB,OAAO,EAAE,CAAC,UAAU,CAAC,CACtB;SACE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;SAC7D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;SACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;IAE3D,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE9E,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACvE,MAAM,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IAEpE,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAA;IACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAElD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;YAC/C,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAED,OAAO,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,CAAA;AAChE,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY,EAAE,MAAkC,EAAE,SAAiB;IAC5F,IAAI,SAAiB,CAAA;IACrB,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC;QACnB,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,SAAS,GAAG,SAAS,CAAA;YACrB,MAAK;QACP,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,SAAS,GAAG,SAAS,CAAA;YACrB,MAAK;QACP,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,SAAS,CAAC;QACf,KAAK,OAAO;YACV,SAAS,GAAG,SAAS,CAAA;YACrB,MAAK;QACP;YACE,MAAM,IAAI,yBAAyB,CACjC,iCAAiC,SAAS,cAAc,EACxD,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,CAC/B,CAAA;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;IAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,IAAY,EACZ,MAAc,EACd,MAAkC,EAClC,SAAiB;IAEjB,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC,CAAA;IAC3D,OAAO,MAAM,KAAK,QAAQ,CAAA;AAC5B,CAAC;AAyBD,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,EAAuB,EACvB,MAAc,EACd,UAA2C,EAC3C,aAAqB,EACrB,aAA6C,EAC7C,MAA0C,EAC1C,OAAsD;IAEtD,OAAO,sBAAsB,CAC3B,EAAE,EACF,MAAM,EACN,UAAU,EACV,aAAa,EACb,aAAa,EACb,MAAM,EACN,OAAO,EACP,IAAI,CACL,CAAA;AACH,CAAC;AAyBD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,EAAuB,EACvB,MAAc,EACd,UAA2C,EAC3C,aAAqB,EACrB,aAA6C,EAC7C,MAA0C,EAC1C,OAAsD;IAEtD,OAAO,sBAAsB,CAC3B,EAAE,EACF,MAAM,EACN,UAAU,EACV,aAAa,EACb,aAAa,EACb,MAAM,EACN,OAAO,EACP,KAAK,CACN,CAAA;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,OAAgB;IAC3C,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,cAAc,CAClB,0DAA0D,EAC1D,qBAAqB,EACrB,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACH,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,EAAE,CAAA;AACvB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,OAAgB;IAC9C,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC9B,MAAM,cAAc,CAClB,yDAAyD,EACzD,qBAAqB,EACrB,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACH,CAAC;IAED,IAAI,cAAc,CAAC,OAAO,CAAC,KAAK,mCAAmC,EAAE,CAAC;QACpE,MAAM,cAAc,CAClB,4FAA4F,EAC5F,qBAAqB,EACrB,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACH,CAAC;IAED,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;AAC/B,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,EAAuB,EACvB,MAAc,EACd,UAA2C,EAC3C,aAAqB,EACrB,aAAwD,EACxD,MAAqD,EACrD,OAAmE,EACnE,IAAa;IAEb,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,UAAU,YAAY,GAAG,EAAE,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,cAAc,CAClB,8GAA8G,EAC9G,qBAAqB,CACtB,CAAA;QACH,CAAC;QACD,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IAC5D,CAAC;SAAM,IAAI,eAAe,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC;QAChD,UAAU,GAAG,IAAI,eAAe,CAAC,MAAM,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAA;IACtE,CAAC;SAAM,IAAI,UAAU,YAAY,eAAe,EAAE,CAAC;QACjD,UAAU,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAC9C,CAAC;SAAM,CAAC;QACN,MAAM,cAAc,CAClB,uEAAuE,EACvE,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAA;IAC9D,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAE7B,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,MAAK;QACP;YACE,YAAY,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAA;IAC3D,CAAC;IAED,MAAM,MAAM,GAAG,oBAAoB,CACjC;QACE,GAAG,EAAE;QACL,8CAA8C,EAAE,KAAK;KACtD,EACD,MAAM,EACN,UAAU,EACV,aAAa,CACd,CAAA;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,GAAG,CAAC,2CAA2C,EAAE,gBAAgB,CAAC,CAAA;IAC1E,CAAC;IACD,MAAM,IAAI,GAAG,qBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,GAAG,CAAC,qDAAqD,EAAE,gBAAgB,CAAC,CAAA;IACpF,CAAC;IAED,MAAM,cAAc,GAAmC;QACrD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,OAAO;QACP,QAAQ;KACT,CAAA;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACrC,IAAI,IAAI,IAAI,CAAC,OAAO,aAAa,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC,EAAE,CAAC;QAClE,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAC/B,CAAC;IAED,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,YAAY,CAAC,MAAM,EAAE,KAAK,EAAE,mBAAmB,CAAC,CAAA;IAClD,CAAC;SAAM,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QAChD,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,KAAK,MAAM,CAAC,eAAe,IAAI,iBAAiB,CAAA;IACtD,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAClC,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,WAAW,CAC/C,QAAQ,EACR,qBAAqB,CAAC,IAAI,CACxB,SAAS,EACT,MAAM,CAAC,4BAA4B,EACnC,EAAE,CAAC,qCAAqC,EACxC,OAAO,CACR,EACD,YAAY,CAAC,MAAM,CAAC,EACpB,iBAAiB,CAAC,MAAM,CAAC,EACzB,OAAO,EAAE,CAAC,UAAU,CAAC,CACtB;SACE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;SACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;SACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;IAE3D,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,SAAS,CAAA;IACnC,IAAI,MAAM,CAAC,GAAI,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QAC7B,MAAM,GAAG,CACP,yEAAyE,EACzE,mBAAmB,EACnB,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAC9B,CAAA;IACH,CAAC;IAED,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,2CAA2C,EAAE,gBAAgB,EAAE;QACzF,MAAM;KACP,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,YAAY,CACV,MAAM,CAAC,SAAS,EAChB,KAAK,EACL,4CAA4C,EAC5C,gBAAgB,EAChB,EAAE,MAAM,EAAE,CACX,CAAA;IACH,CAAC;IAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;QAC9C,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAA;QAC3C,IAAK,MAAkB,CAAC,SAAU,GAAG,MAAM,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC;YAC9D,MAAM,GAAG,CACP,kEAAkE,EAClE,mBAAmB,EACnB,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAC/C,CAAA;QACH,CAAC;IACH,CAAC;IAED,YAAY,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAA;IAEvD,IAAI,MAAM,CAAC,KAAK,KAAK,aAAa,EAAE,CAAC;QACnC,MAAM,GAAG,CAAC,yCAAyC,EAAE,oBAAoB,EAAE;YACzE,QAAQ,EAAE,aAAa;YACvB,MAAM;YACN,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,GAAG,CACP,yEAAyE,EACzE,oBAAoB,EACpB,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CACzB,CAAA;QACH,CAAC;QACD,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACpC,MAAM,GAAG,CAAC,0DAA0D,EAAE,oBAAoB,EAAE;gBAC1F,QAAQ,EAAE,MAAM,CAAC,SAAS;gBAC1B,MAAM;gBACN,KAAK,EAAE,KAAK;aACb,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE9E,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACvE,MAAM,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IAEpE,IAAI,CAAC,MAAM,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/E,MAAM,GAAG,CAAC,mDAAmD,EAAE,oBAAoB,EAAE;YACnF,IAAI;YACJ,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,QAAQ;YACf,MAAM;SACP,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5D,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,4CAA4C,EAAE,gBAAgB,EAAE;YAC1F,MAAM;SACP,CAAC,CAAA;QACF,YAAY,CAAC,KAAK,EAAE,4BAA4B,EAAE,gBAAgB,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;QAEnF,IAAI,CAAC,MAAM,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAChF,MAAM,GAAG,CAAC,oDAAoD,EAAE,oBAAoB,EAAE;gBACpF,KAAK;gBACL,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,QAAQ;gBACf,MAAM;aACP,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAOD,SAAS,qBAAqB,CAC5B,MAAqC,EACrC,MAA4B,EAC5B,QAA0D,EAC1D,MAAkC;IAElC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACtF,MAAM,GAAG,CAAC,uCAAuC,EAAE,gBAAgB,EAAE;gBACnE,MAAM;gBACN,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,sBAAsB;aAC/B,CAAC,CAAA;QACJ,CAAC;QACD,OAAM;IACR,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,GAAG,CAAC,uCAAuC,EAAE,gBAAgB,EAAE;gBACnE,MAAM;gBACN,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,+BAA+B;aACxC,CAAC,CAAA;QACJ,CAAC;QACD,OAAM;IACR,CAAC;IAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IACE,OAAO,QAAQ,KAAK,QAAQ;YAC1B,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ;YACzB,CAAC,CAAC,OAAO,QAAQ,KAAK,UAAU;gBAC9B,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EACpC,CAAC;YACD,MAAM,GAAG,CAAC,uCAAuC,EAAE,gBAAgB,EAAE;gBACnE,MAAM;gBACN,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,eAAe;aACxB,CAAC,CAAA;QACJ,CAAC;QACD,OAAM;IACR,CAAC;IAED,MAAM,GAAG,CACP,kFAAkF,EAClF,SAAS,EACT,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAC7B,CAAA;AACH,CAAC;AAMD,SAAS,qBAAqB,CAAC,UAA2B,EAAE,IAAY;IACtE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IACpD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,IAAI,IAAI,wCAAwC,EAAE,gBAAgB,CAAC,CAAA;IAC/E,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAYD,MAAM,CAAC,MAAM,cAAc,GAAkB,MAAM,EAAE,CAAA;AAOrD,MAAM,CAAC,MAAM,aAAa,GAAkB,MAAM,EAAE,CAAA;AAsBpD,MAAM,UAAU,oBAAoB,CAClC,EAAuB,EACvB,MAAc,EACd,UAAiC,EACjC,aAAqE;IAErE,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,UAAU,YAAY,GAAG,EAAE,CAAC;QAC9B,UAAU,GAAG,UAAU,CAAC,YAAY,CAAA;IACtC,CAAC;IAED,IAAI,CAAC,CAAC,UAAU,YAAY,eAAe,CAAC,EAAE,CAAC;QAC7C,MAAM,cAAc,CAClB,6DAA6D,EAC7D,oBAAoB,CACrB,CAAA;IACH,CAAC;IAED,IAAI,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;QAClD,MAAM,GAAG,CACP,wGAAwG,EACxG,gBAAgB,EAChB,EAAE,UAAU,EAAE,CACf,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,qBAAqB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,KAAK,GAAG,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;IAExD,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,8CAA8C,EAAE,CAAC;QAC9D,MAAM,GAAG,CAAC,2CAA2C,EAAE,gBAAgB,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,GAAG,IAAI,GAAG,KAAK,EAAE,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,GAAG,CAAC,oDAAoD,EAAE,gBAAgB,EAAE;YAChF,QAAQ,EAAE,EAAE,CAAC,MAAM;YACnB,UAAU;SACX,CAAC,CAAA;IACJ,CAAC;IAED,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,MAAM,GAAG,CAAC,mDAAmD,EAAE,gBAAgB,EAAE;oBAC/E,QAAQ,EAAE,SAAS;oBACnB,UAAU;iBACX,CAAC,CAAA;YACJ,CAAC;YACD,MAAK;QACP,KAAK,cAAc;YACjB,MAAK;QACP;YACE,YAAY,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAA;YAEvD,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;gBAC5B,MAAM,GAAG,CACP,KAAK,KAAK,SAAS;oBACjB,CAAC,CAAC,oCAAoC;oBACtC,CAAC,CAAC,6CAA6C,EACjD,gBAAgB,EAChB,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,CACxC,CAAA;YACH,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAG,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;IACxD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,0BAA0B,CAAC,oDAAoD,EAAE;YACzF,KAAK,EAAE,UAAU;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAA;IAC9D,MAAM,KAAK,GAAG,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;IACxD,IAAI,QAAQ,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAClD,MAAM,IAAI,yBAAyB,CAAC,6CAA6C,CAAC,CAAA;IACpF,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC,CAAA;AAC/C,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QAC1D,KAAK,OAAO,CAAC;QACb,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QACpE,KAAK,OAAO,CAAC;QACb,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QAC5D,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAA;QAC/C,KAAK,SAAS,CAAC;QACf,KAAK,OAAO;YACV,OAAO,SAAS,CAAA;QAClB;YACE,MAAM,IAAI,yBAAyB,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IACxF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,GAAQ;IAC5C,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,GAAG,CAAA;IACzC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChF,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,UAAiE,EACjE,OAA2C;IAE3C,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,MAAM,GAAG,GAAG,eAAe,CACzB,EAAE,EACF,+BAA+B,EAC/B,MAAM,CAAC,yBAAyB,EAChC,OAAO,EAAE,CAAC,qBAAqB,CAAC,KAAK,IAAI,CAC1C,CAAA;IAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;IAEvC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;IAEzC,OAAO,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;AAC5F,CAAC;AAkDD,MAAM,CAAC,KAAK,UAAU,kCAAkC,CACtD,EAAuB,EACvB,MAAc,EACd,QAAkB;IAElB,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,cAAc,CAAC,4CAA4C,EAAE,oBAAoB,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,UAAkD,CAAA;IACtD,IAAI,CAAC,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,6BAA6B,CACrC,uEAAuE,EACvE,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAChC,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,GAA4B,CAAA;QAChC,IAAI,CAAC,GAAG,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;YAC7B,MAAM,IAAI,iBAAiB,CAAC,qDAAqD,EAAE;gBACjF,KAAK,EAAE,GAAG;gBACV,QAAQ;aACT,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,GAAG,CACP,kGAAkG,EAClG,uBAAuB,EACvB,QAAQ,CACT,CAAA;IACH,CAAC;IAED,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IAChC,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/B,IAAI,IAAe,CAAA;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;IAC1E,CAAC;IAED,IAAI,CAAC,YAAY,CAAyC,IAAI,CAAC,EAAE,CAAC;QAChE,MAAM,GAAG,CAAC,4CAA4C,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,wCAAwC,EAAE,gBAAgB,EAAE;QACzF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IACF,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,sCAAsC,EAAE,gBAAgB,EAAE;QACrF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IACF,YAAY,CACV,IAAI,CAAC,gBAAgB,EACrB,6CAA6C,EAC7C,gBAAgB,EAChB,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAA;IAED,IAAI,SAAS,GACX,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;IACrF,YAAY,CAAC,SAAS,EAAE,KAAK,EAAE,uCAAuC,EAAE,gBAAgB,EAAE;QACxF,IAAI,EAAE,IAAI;KACX,CAAC,CAAA;IACF,IAAI,CAAC,UAAU,GAAG,SAAS,CAAA;IAE3B,IAAI,IAAI,CAAC,yBAAyB,KAAK,SAAS,EAAE,CAAC;QACjD,YAAY,CACV,IAAI,CAAC,yBAAyB,EAC9B,sDAAsD,EACtD,gBAAgB,EAChB,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAA;IACH,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAChC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,qCAAqC,EAAE,gBAAgB,EAAE;YAC1F,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAgBD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,EAAuB,EACvB,MAAc,EACd,oBAAgC,EAChC,UAAkB,EAClB,OAAqC;IAErC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACZ,YAAY,CAAC,MAAM,CAAC,CAAA;IAEpB,YAAY,CAAC,UAAU,EAAE,cAAc,CAAC,CAAA;IAExC,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;IACrE,UAAU,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAA;IACzC,OAAO,oBAAoB,CACzB,EAAE,EACF,MAAM,EACN,oBAAoB,EACpB,8CAA8C,EAC9C,UAAU,EACV,OAAO,CACR,CAAA;AACH,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,EAAuB,EACvB,MAAc,EACd,QAAkB,EAClB,OAA2B;IAE3B,OAAO,iCAAiC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACpF,CAAC;AAsBD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAW,EACX,OAAgC;IAEhC,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAE1B,MAAM,SAAS,GAAiE,WAAW,CAAC,GAAG,CAAC,CAAA;IAEhG,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE;YACvB,aAAa,EAAE,OAAO,EAAE,aAAa,IAAI,IAAI;YAC7C,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;SACnD,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,EAAE,WAAW,IAAI,KAAK,EAAE;QACzE,MAAM;QACN,QAAQ;KACT,CAA2B,CAAA;AAC9B,CAAC;AAuCD,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;IACf,GAAG,CAAC,IAAI,GAAG,EAAE,CAAA;IACb,OAAO,GAAG,CAAC,IAAI,CAAA;AACjB,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAAgB,EAChB,WAAmB,EACnB,iBAA6B,EAC7B,OAGC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC/C,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,GAAG,CACP,sEAAsE,EACtE,eAAe,EACf,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAC7B,CAAA;IACH,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,WAAW,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,KAAK,EAAE,CAAC;QACtF,MAAM,GAAG,CACP,6FAA6F,EAC7F,eAAe,EACf,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAC7B,CAAA;IACH,CAAC;IAED,IAAI,OAAO,iBAAiB,CAAC,GAAG,EAAE,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,GAAG,CACP,qFAAqF,EACrF,eAAe,EACf,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAC9B,CAAA;IACH,CAAC;IAED,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;IACvC,MAAM,KAAK,GAAG,MAAM,WAAW,CAC7B,WAAW,EACX,qBAAqB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,SAAS,CAAC,EACvF,SAAS,EACT,iBAAiB,CAAC,OAAO,CAAC,EAC1B,SAAS,CACV;SACE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;SAC9C,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAA;IAE9E,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,SAAS,CAAA;IACnC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAA;IAC9C,IAAI,IAAI,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,GAAG,CAAC,qCAAqC,EAAE,mBAAmB,EAAE;YACpE,GAAG;YACH,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACxC,MAAM,GAAG,CAAC,yBAAyB,EAAE,oBAAoB,EAAE;YACzD,QAAQ,EAAE,OAAO,CAAC,MAAM;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED,IACE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ;QACpC,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,EAC5D,CAAC;QACD,MAAM,GAAG,CAAC,yBAAyB,EAAE,oBAAoB,EAAE;YACzD,QAAQ,EAAE,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC;YACnC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED,CAAC;QACC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAA;QAE9E,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,GAAG,CAAC,yBAAyB,EAAE,oBAAoB,EAAE;gBACzD,QAAQ;gBACR,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,KAAK,EAAE,KAAK;aACb,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,CAAC;QACC,IAAI,UAAe,CAAA;QACnB,QAAQ,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,KAAK,IAAI;gBACP,UAAU,GAAG;oBACX,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG;oBAC1B,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG;oBAC1B,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAC;oBACtB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAC;iBACvB,CAAA;gBACD,MAAK;YACP,KAAK,KAAK;gBACR,UAAU,GAAG;oBACX,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG;oBAC1B,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG;oBAC1B,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAC;iBACvB,CAAA;gBACD,MAAK;YACP,KAAK,KAAK;gBACR,UAAU,GAAG;oBACX,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAC;oBACtB,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,GAAG;oBAC1B,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAI,CAAC,CAAC;iBACvB,CAAA;gBACD,MAAK;YACP;gBACE,MAAM,IAAI,yBAAyB,CAAC,0BAA0B,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;QAChG,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;QAE7F,IAAI,iBAAiB,CAAC,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC3C,MAAM,GAAG,CAAC,wCAAwC,EAAE,oBAAoB,EAAE;gBACxE,QAAQ;gBACR,MAAM,EAAE,iBAAiB;gBACzB,KAAK,EAAE,SAAS;aACjB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEtF,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,CAAA;IACjC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,GAAG,CAAC,gDAAgD,EAAE,eAAe,EAAE;YAC3E,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAA;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IACrC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,GAAG,CAAC,2DAA2D,EAAE,eAAe,EAAE;YACtF,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAA;IACJ,CAAC;IACD,MAAM,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;AACtE,CAAC;AAiCD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,EAAuB,EACvB,OAAgB,EAChB,gBAAwB,EACxB,OAAuC;IAEvC,QAAQ,CAAC,EAAE,CAAC,CAAA;IAEZ,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;QACvC,MAAM,cAAc,CAAC,0CAA0C,EAAE,oBAAoB,CAAC,CAAA;IACxF,CAAC;IAED,YAAY,CAAC,gBAAgB,EAAE,oBAAoB,CAAC,CAAA;IAEpD,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC1D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,MAAM,GAAG,CAAC,mDAAmD,EAAE,eAAe,EAAE;YAC9E,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAA;IACJ,CAAC;IACD,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACpE,MAAM,GAAG,MAAM,CAAC,WAAW,EAAE,CAAA;IAC7B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,MAAK;QACP;YACE,MAAM,IAAI,yBAAyB,CAAC,8CAA8C,EAAE;gBAClF,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;aACpC,CAAC,CAAA;IACN,CAAC;IAED,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,MAAM,GAAG,CAAC,0CAA0C,EAAE,eAAe,EAAE;YACrE,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,cAAc,GAAmC;QACrD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,WAAW;KACZ,CAAA;IAED,IAAI,OAAO,EAAE,WAAW,IAAI,MAAM,KAAK,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7E,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC5B,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,CAC1C,WAAW,EACX,qBAAqB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,SAAS,CAAC,EACvF,YAAY,CAAC,OAAO,CAAC,EACrB,iBAAiB,CAAC,OAAO,CAAC,EAC1B,SAAS,CACV;SACE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;SAC5C,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;SACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;SACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;SACxD,KAAK,CAAC,cAAc,CAAC,CAAA;IAExB,KAAK,MAAM,KAAK,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;QAChD,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,GAAG,CAAC,mBAAmB,KAAK,cAAc,EAAE,eAAe,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QAChF,CAAC;IACH,CAAC;IAED,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,GAAG,CAAC,iDAAiD,EAAE,eAAe,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3F,CAAC;QAED,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAElD,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,yBAAyB,CAAC,gDAAgD,EAAE;oBACpF,KAAK,EAAE,EAAE,MAAM,EAAE;iBAClB,CAAC,CAAA;YACJ,CAAC;YAED,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;gBAClB,MAAM,IAAI,yBAAyB,CAAC,qCAAqC,EAAE;oBACzE,KAAK,EAAE,EAAE,MAAM,EAAE;iBAClB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEtF,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,gCAAgC,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IACvE,MAAM,oBAAoB,CAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IAEpE,IACE,OAAO,EAAE,WAAW;QACpB,MAAM,KAAK,MAAM;QACjB,MAAM,CAAC,GAAG,EAAE,GAAG,KAAK,SAAS;QAC7B,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAC3B,CAAC;QACD,MAAM,YAAY,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;IACjF,CAAC;IAED,OAAO,MAA8B,CAAA;AACvC,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,GAAG,YAAY,wBAAwB,IAAI,GAAG,EAAE,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7E,GAAG,CAAC,IAAI,GAAG,gBAAgB,CAAA;IAC7B,CAAC;IACD,MAAM,GAAG,CAAA;AACX,CAAC;AAWD,MAAM,CAAC,MAAM,OAAO,GAAkB,MAAM,EAAE,CAAA;AAW9C,MAAM,CAAC,MAAM,iBAAiB,GAAkB,MAAM,EAAE,CAAA;AAWxD,MAAM,CAAC,MAAM,eAAe,GAAkB,MAAM,EAAE,CAAA"} \ No newline at end of file diff --git a/jsr.json b/jsr.json index aee2963d..6ed67245 100644 --- a/jsr.json +++ b/jsr.json @@ -1,7 +1,7 @@ { "$schema": "https://jsr.io/schema/config-file.v1.json", "name": "@panva/oauth4webapi", - "version": "3.1.3", + "version": "3.1.4", "exports": "./src/index.ts", "publish": { "include": ["LICENSE.md", "README.md", "src/**/*.ts"] diff --git a/package-lock.json b/package-lock.json index ce770e99..f027580e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "oauth4webapi", - "version": "3.1.3", + "version": "3.1.4", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "oauth4webapi", - "version": "3.1.3", + "version": "3.1.4", "license": "MIT", "devDependencies": { "@koa/cors": "^5.0.0", diff --git a/package.json b/package.json index 5345480c..03b81894 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "oauth4webapi", - "version": "3.1.3", + "version": "3.1.4", "description": "Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes", "keywords": [ "access token", diff --git a/src/index.ts b/src/index.ts index 9c604785..4ef24dcd 100644 --- a/src/index.ts +++ b/src/index.ts @@ -2,7 +2,7 @@ let USER_AGENT: string // @ts-ignore if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) { const NAME = 'oauth4webapi' - const VERSION = 'v3.1.3' + const VERSION = 'v3.1.4' USER_AGENT = `${NAME}/${VERSION}` }