{ "version": 3, "sources": ["../../src/index.ts", "../../src/utils/Logger.ts", "../../src/utils/CryptoUtils.ts", "../../src/utils/Event.ts", "../../node_modules/jwt-decode/build/esm/index.js", "../../src/utils/JwtUtils.ts", "../../src/utils/PopupUtils.ts", "../../src/utils/Timer.ts", "../../src/utils/UrlUtils.ts", "../../src/errors/ErrorResponse.ts", "../../src/errors/ErrorTimeout.ts", "../../src/AccessTokenEvents.ts", "../../src/CheckSessionIFrame.ts", "../../src/InMemoryWebStorage.ts", "../../src/JsonService.ts", "../../src/MetadataService.ts", "../../src/WebStorageStateStore.ts", "../../src/OidcClientSettings.ts", "../../src/UserInfoService.ts", "../../src/TokenClient.ts", "../../src/ResponseValidator.ts", "../../src/State.ts", "../../src/SigninState.ts", "../../src/SigninRequest.ts", "../../src/SigninResponse.ts", "../../src/SignoutRequest.ts", "../../src/SignoutResponse.ts", "../../src/ClaimsService.ts", "../../src/OidcClient.ts", "../../src/SessionMonitor.ts", "../../src/User.ts", "../../src/navigators/AbstractChildWindow.ts", "../../src/UserManagerSettings.ts", "../../src/navigators/IFrameWindow.ts", "../../src/navigators/IFrameNavigator.ts", "../../src/navigators/PopupWindow.ts", "../../src/navigators/PopupNavigator.ts", "../../src/navigators/RedirectNavigator.ts", "../../src/UserManagerEvents.ts", "../../src/SilentRenewService.ts", "../../src/RefreshState.ts", "../../src/UserManager.ts", "../../package.json", "../../src/Version.ts"], "sourcesContent": ["// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nexport { ErrorResponse, ErrorTimeout } from \"./errors\";\r\nexport type { INavigator, IFrameWindowParams, IWindow, NavigateParams, NavigateResponse, PopupWindowParams, RedirectParams } from \"./navigators\";\r\nexport { Log, Logger } from \"./utils\";\r\nexport type { ILogger, PopupWindowFeatures } from \"./utils\";\r\nexport type { OidcAddressClaim, OidcStandardClaims, IdTokenClaims, JwtClaims } from \"./Claims\";\r\n\r\nexport { AccessTokenEvents } from \"./AccessTokenEvents\";\r\nexport type { AccessTokenCallback } from \"./AccessTokenEvents\";\r\nexport { CheckSessionIFrame } from \"./CheckSessionIFrame\";\r\nexport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\r\nexport type { AsyncStorage } from \"./AsyncStorage\";\r\nexport { MetadataService } from \"./MetadataService\";\r\nexport * from \"./OidcClient\";\r\nexport { OidcClientSettingsStore } from \"./OidcClientSettings\";\r\nexport type { OidcClientSettings, SigningKey, ExtraHeader } from \"./OidcClientSettings\";\r\nexport type { OidcMetadata } from \"./OidcMetadata\";\r\nexport { SessionMonitor } from \"./SessionMonitor\";\r\nexport type { SessionStatus } from \"./SessionStatus\";\r\nexport type { SigninRequest, SigninRequestCreateArgs } from \"./SigninRequest\";\r\nexport type { RefreshState } from \"./RefreshState\";\r\nexport { SigninResponse } from \"./SigninResponse\";\r\nexport { SigninState } from \"./SigninState\";\r\nexport type { SigninStateArgs, SigninStateCreateArgs } from \"./SigninState\";\r\nexport type { SignoutRequest, SignoutRequestArgs } from \"./SignoutRequest\";\r\nexport { SignoutResponse } from \"./SignoutResponse\";\r\nexport { State } from \"./State\";\r\nexport type { StateStore } from \"./StateStore\";\r\nexport { User } from \"./User\";\r\nexport type { UserProfile } from \"./User\";\r\nexport * from \"./UserManager\";\r\nexport type {\r\n UserManagerEvents,\r\n SilentRenewErrorCallback,\r\n UserLoadedCallback,\r\n UserSessionChangedCallback,\r\n UserSignedInCallback,\r\n UserSignedOutCallback,\r\n UserUnloadedCallback,\r\n} from \"./UserManagerEvents\";\r\nexport { UserManagerSettingsStore } from \"./UserManagerSettings\";\r\nexport type { UserManagerSettings } from \"./UserManagerSettings\";\r\nexport { Version } from \"./Version\";\r\nexport { WebStorageStateStore } from \"./WebStorageStateStore\";\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\n/**\r\n * Native interface\r\n *\r\n * @public\r\n */\r\nexport interface ILogger {\r\n debug(...args: unknown[]): void;\r\n info(...args: unknown[]): void;\r\n warn(...args: unknown[]): void;\r\n error(...args: unknown[]): void;\r\n}\r\n\r\nconst nopLogger: ILogger = {\r\n debug: () => undefined,\r\n info: () => undefined,\r\n warn: () => undefined,\r\n error: () => undefined,\r\n};\r\n\r\nlet level: number;\r\nlet logger: ILogger;\r\n\r\n/**\r\n * Log levels\r\n *\r\n * @public\r\n */\r\nexport enum Log {\r\n NONE,\r\n ERROR,\r\n WARN,\r\n INFO,\r\n DEBUG\r\n}\r\n\r\n/**\r\n * Log manager\r\n *\r\n * @public\r\n */\r\nexport namespace Log { // eslint-disable-line @typescript-eslint/no-namespace\r\n export function reset(): void {\r\n level = Log.INFO;\r\n logger = nopLogger;\r\n }\r\n\r\n export function setLevel(value: Log): void {\r\n if (!(Log.NONE <= value && value <= Log.DEBUG)) {\r\n throw new Error(\"Invalid log level\");\r\n }\r\n level = value;\r\n }\r\n\r\n export function setLogger(value: ILogger): void {\r\n logger = value;\r\n }\r\n}\r\n\r\n/**\r\n * Internal logger instance\r\n *\r\n * @public\r\n */\r\nexport class Logger {\r\n private _method?: string;\r\n public constructor(private _name: string) {}\r\n\r\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\r\n public debug(...args: unknown[]): void {\r\n if (level >= Log.DEBUG) {\r\n logger.debug(Logger._format(this._name, this._method), ...args);\r\n }\r\n }\r\n public info(...args: unknown[]): void {\r\n if (level >= Log.INFO) {\r\n logger.info(Logger._format(this._name, this._method), ...args);\r\n }\r\n }\r\n public warn(...args: unknown[]): void {\r\n if (level >= Log.WARN) {\r\n logger.warn(Logger._format(this._name, this._method), ...args);\r\n }\r\n }\r\n public error(...args: unknown[]): void {\r\n if (level >= Log.ERROR) {\r\n logger.error(Logger._format(this._name, this._method), ...args);\r\n }\r\n }\r\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\r\n\r\n public throw(err: Error): never {\r\n this.error(err);\r\n throw err;\r\n }\r\n\r\n public create(method: string): Logger {\r\n const methodLogger: Logger = Object.create(this);\r\n methodLogger._method = method;\r\n methodLogger.debug(\"begin\");\r\n return methodLogger;\r\n }\r\n\r\n public static createStatic(name: string, staticMethod: string): Logger {\r\n const staticLogger = new Logger(`${name}.${staticMethod}`);\r\n staticLogger.debug(\"begin\");\r\n return staticLogger;\r\n }\r\n\r\n private static _format(name: string, method?: string) {\r\n const prefix = `[${name}]`;\r\n return method ? `${prefix} ${method}:` : prefix;\r\n }\r\n\r\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\r\n // helpers for static class methods\r\n public static debug(name: string, ...args: unknown[]): void {\r\n if (level >= Log.DEBUG) {\r\n logger.debug(Logger._format(name), ...args);\r\n }\r\n }\r\n public static info(name: string, ...args: unknown[]): void {\r\n if (level >= Log.INFO) {\r\n logger.info(Logger._format(name), ...args);\r\n }\r\n }\r\n public static warn(name: string, ...args: unknown[]): void {\r\n if (level >= Log.WARN) {\r\n logger.warn(Logger._format(name), ...args);\r\n }\r\n }\r\n public static error(name: string, ...args: unknown[]): void {\r\n if (level >= Log.ERROR) {\r\n logger.error(Logger._format(name), ...args);\r\n }\r\n }\r\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\r\n}\r\n\r\nLog.reset();\r\n", "import { Logger } from \"./Logger\";\r\n\r\nconst UUID_V4_TEMPLATE = \"10000000-1000-4000-8000-100000000000\";\r\n\r\nconst toBase64 = (val: ArrayBuffer): string =>\r\n btoa([...new Uint8Array(val)]\r\n .map((chr) => String.fromCharCode(chr))\r\n .join(\"\"));\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class CryptoUtils {\r\n private static _randomWord(): number {\r\n const arr = new Uint32Array(1);\r\n crypto.getRandomValues(arr);\r\n return arr[0];\r\n }\r\n\r\n /**\r\n * Generates RFC4122 version 4 guid\r\n */\r\n public static generateUUIDv4(): string {\r\n const uuid = UUID_V4_TEMPLATE.replace(/[018]/g, c =>\r\n (+c ^ CryptoUtils._randomWord() & 15 >> +c / 4).toString(16),\r\n );\r\n return uuid.replace(/-/g, \"\");\r\n }\r\n\r\n /**\r\n * PKCE: Generate a code verifier\r\n */\r\n public static generateCodeVerifier(): string {\r\n return CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4();\r\n }\r\n\r\n /**\r\n * PKCE: Generate a code challenge\r\n */\r\n public static async generateCodeChallenge(code_verifier: string): Promise {\r\n if (!crypto.subtle) {\r\n throw new Error(\"Crypto.subtle is available only in secure contexts (HTTPS).\");\r\n }\r\n\r\n try {\r\n const encoder = new TextEncoder();\r\n const data = encoder.encode(code_verifier);\r\n const hashed = await crypto.subtle.digest(\"SHA-256\", data);\r\n return toBase64(hashed).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\r\n }\r\n catch (err) {\r\n Logger.error(\"CryptoUtils.generateCodeChallenge\", err);\r\n throw err;\r\n }\r\n }\r\n\r\n /**\r\n * Generates a base64-encoded string for a basic auth header\r\n */\r\n public static generateBasicAuth(client_id: string, client_secret: string): string {\r\n const encoder = new TextEncoder();\r\n const data = encoder.encode([client_id, client_secret].join(\":\"));\r\n return toBase64(data);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./Logger\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport type Callback = (...ev: EventType) => (Promise | void);\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class Event {\r\n protected readonly _logger = new Logger(`Event('${this._name}')`);\r\n\r\n private _callbacks: Array> = [];\r\n\r\n public constructor(protected readonly _name: string) {}\r\n\r\n public addHandler(cb: Callback): () => void {\r\n this._callbacks.push(cb);\r\n return () => this.removeHandler(cb);\r\n }\r\n\r\n public removeHandler(cb: Callback): void {\r\n const idx = this._callbacks.lastIndexOf(cb);\r\n if (idx >= 0) {\r\n this._callbacks.splice(idx, 1);\r\n }\r\n }\r\n\r\n public async raise(...ev: EventType): Promise {\r\n this._logger.debug(\"raise:\", ...ev);\r\n for (const cb of this._callbacks) {\r\n await cb(...ev);\r\n }\r\n }\r\n}\r\n", "export class InvalidTokenError extends Error {\n}\nInvalidTokenError.prototype.name = \"InvalidTokenError\";\nfunction b64DecodeUnicode(str) {\n return decodeURIComponent(atob(str).replace(/(.)/g, (m, p) => {\n let code = p.charCodeAt(0).toString(16).toUpperCase();\n if (code.length < 2) {\n code = \"0\" + code;\n }\n return \"%\" + code;\n }));\n}\nfunction base64UrlDecode(str) {\n let output = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n switch (output.length % 4) {\n case 0:\n break;\n case 2:\n output += \"==\";\n break;\n case 3:\n output += \"=\";\n break;\n default:\n throw new Error(\"base64 string is not of the correct length\");\n }\n try {\n return b64DecodeUnicode(output);\n }\n catch (err) {\n return atob(output);\n }\n}\nexport function jwtDecode(token, options) {\n if (typeof token !== \"string\") {\n throw new InvalidTokenError(\"Invalid token specified: must be a string\");\n }\n options || (options = {});\n const pos = options.header === true ? 0 : 1;\n const part = token.split(\".\")[pos];\n if (typeof part !== \"string\") {\n throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);\n }\n let decoded;\n try {\n decoded = base64UrlDecode(part);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e.message})`);\n }\n try {\n return JSON.parse(decoded);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e.message})`);\n }\n}\n", "import { jwtDecode } from \"jwt-decode\";\r\n\r\nimport { Logger } from \"./Logger\";\r\nimport type { JwtClaims } from \"../Claims\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class JwtUtils {\r\n // IMPORTANT: doesn't validate the token\r\n public static decode(token: string): JwtClaims {\r\n try {\r\n return jwtDecode(token);\r\n }\r\n catch (err) {\r\n Logger.error(\"JwtUtils.decode\", err);\r\n throw err;\r\n }\r\n }\r\n}\r\n", "/**\r\n *\r\n * @public\r\n * @see https://developer.mozilla.org/en-US/docs/Web/API/Window/open#window_features\r\n */\r\nexport interface PopupWindowFeatures {\r\n left?: number;\r\n top?: number;\r\n width?: number;\r\n height?: number;\r\n menubar?: boolean | string;\r\n toolbar?: boolean | string;\r\n location?: boolean | string;\r\n status?: boolean | string;\r\n resizable?: boolean | string;\r\n scrollbars?: boolean | string;\r\n /** Close popup window after time in seconds, by default it is -1. To enable this feature, set value greater than 0. */\r\n closePopupWindowAfterInSeconds?: number;\r\n\r\n [k: string]: boolean | string | number | undefined;\r\n}\r\n\r\nexport class PopupUtils {\r\n /**\r\n * Populates a map of window features with a placement centered in front of\r\n * the current window. If no explicit width is given, a default value is\r\n * binned into [800, 720, 600, 480, 360] based on the current window's width.\r\n */\r\n static center({ ...features }: PopupWindowFeatures): PopupWindowFeatures {\r\n if (features.width == null)\r\n features.width = [800, 720, 600, 480].find(width => width <= window.outerWidth / 1.618) ?? 360;\r\n features.left ??= Math.max(0, Math.round(window.screenX + (window.outerWidth - features.width) / 2));\r\n if (features.height != null)\r\n features.top ??= Math.max(0, Math.round(window.screenY + (window.outerHeight - features.height) / 2));\r\n return features;\r\n }\r\n\r\n static serialize(features: PopupWindowFeatures): string {\r\n return Object.entries(features)\r\n .filter(([, value]) => value != null)\r\n .map(([key, value]) => `${key}=${typeof value !== \"boolean\" ? value as string : value ? \"yes\" : \"no\"}`)\r\n .join(\",\");\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Event } from \"./Event\";\r\nimport { Logger } from \"./Logger\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class Timer extends Event<[void]> {\r\n protected readonly _logger = new Logger(`Timer('${this._name}')`);\r\n private _timerHandle: ReturnType | null = null;\r\n private _expiration = 0;\r\n\r\n // get the time\r\n public static getEpochTime(): number {\r\n return Math.floor(Date.now() / 1000);\r\n }\r\n\r\n public init(durationInSeconds: number): void {\r\n const logger = this._logger.create(\"init\");\r\n durationInSeconds = Math.max(Math.floor(durationInSeconds), 1);\r\n const expiration = Timer.getEpochTime() + durationInSeconds;\r\n if (this.expiration === expiration && this._timerHandle) {\r\n // no need to reinitialize to same expiration, so bail out\r\n logger.debug(\"skipping since already initialized for expiration at\", this.expiration);\r\n return;\r\n }\r\n\r\n this.cancel();\r\n\r\n logger.debug(\"using duration\", durationInSeconds);\r\n this._expiration = expiration;\r\n\r\n // we're using a fairly short timer and then checking the expiration in the\r\n // callback to handle scenarios where the browser device sleeps, and then\r\n // the timers end up getting delayed.\r\n const timerDurationInSeconds = Math.min(durationInSeconds, 5);\r\n this._timerHandle = setInterval(this._callback, timerDurationInSeconds * 1000);\r\n }\r\n\r\n public get expiration(): number {\r\n return this._expiration;\r\n }\r\n\r\n public cancel(): void {\r\n this._logger.create(\"cancel\");\r\n if (this._timerHandle) {\r\n clearInterval(this._timerHandle);\r\n this._timerHandle = null;\r\n }\r\n }\r\n\r\n protected _callback = (): void => {\r\n const diff = this._expiration - Timer.getEpochTime();\r\n this._logger.debug(\"timer completes in\", diff);\r\n\r\n if (this._expiration <= Timer.getEpochTime()) {\r\n this.cancel();\r\n void super.raise();\r\n }\r\n };\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class UrlUtils {\r\n public static readParams(url: string, responseMode: \"query\" | \"fragment\" = \"query\"): URLSearchParams {\r\n if (!url) throw new TypeError(\"Invalid URL\");\r\n // the base URL is irrelevant, it's just here to support relative url arguments\r\n const parsedUrl = new URL(url, \"http://127.0.0.1\");\r\n const params = parsedUrl[responseMode === \"fragment\" ? \"hash\" : \"search\"];\r\n return new URLSearchParams(params.slice(1));\r\n }\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport const URL_STATE_DELIMITER = \";\";", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"../utils\";\r\n\r\n/**\r\n * Error class thrown in case of an authentication error.\r\n *\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\r\n */\r\nexport class ErrorResponse extends Error {\r\n /** Marker to detect class: \"ErrorResponse\" */\r\n public readonly name: string = \"ErrorResponse\";\r\n\r\n /** An error code string that can be used to classify the types of errors that occur and to respond to errors. */\r\n public readonly error: string | null;\r\n /** additional information that can help a developer identify the cause of the error.*/\r\n public readonly error_description: string | null;\r\n /**\r\n * URI identifying a human-readable web page with information about the error, used to provide the client\r\n developer with additional information about the error.\r\n */\r\n public readonly error_uri: string | null;\r\n\r\n /** custom state data set during the initial signin request */\r\n public state?: unknown;\r\n\r\n public readonly session_state: string | null;\r\n\r\n public url_state?: string;\r\n\r\n public constructor(\r\n args: {\r\n error?: string | null; error_description?: string | null; error_uri?: string | null;\r\n userState?: unknown; session_state?: string | null; url_state?: string;\r\n },\r\n /** The x-www-form-urlencoded request body sent to the authority server */\r\n public readonly form?: URLSearchParams,\r\n ) {\r\n super(args.error_description || args.error || \"\");\r\n\r\n if (!args.error) {\r\n Logger.error(\"ErrorResponse\", \"No error passed\");\r\n throw new Error(\"No error passed\");\r\n }\r\n\r\n this.error = args.error;\r\n this.error_description = args.error_description ?? null;\r\n this.error_uri = args.error_uri ?? null;\r\n\r\n this.state = args.userState;\r\n this.session_state = args.session_state ?? null;\r\n this.url_state = args.url_state;\r\n }\r\n}\r\n", "// Copyright (C) 2021 AuthTS Contributors\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\n/**\r\n * Error class thrown in case of network timeouts (e.g IFrame time out).\r\n *\r\n * @public\r\n */\r\nexport class ErrorTimeout extends Error {\r\n /** Marker to detect class: \"ErrorTimeout\" */\r\n public readonly name: string = \"ErrorTimeout\";\r\n\r\n public constructor(message?: string) {\r\n super(message);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, Timer } from \"./utils\";\r\nimport type { User } from \"./User\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport type AccessTokenCallback = (...ev: unknown[]) => (Promise | void);\r\n\r\n/**\r\n * @public\r\n */\r\nexport class AccessTokenEvents {\r\n protected readonly _logger = new Logger(\"AccessTokenEvents\");\r\n\r\n private readonly _expiringTimer = new Timer(\"Access token expiring\");\r\n private readonly _expiredTimer = new Timer(\"Access token expired\");\r\n private readonly _expiringNotificationTimeInSeconds: number;\r\n\r\n public constructor(args: { expiringNotificationTimeInSeconds: number }) {\r\n this._expiringNotificationTimeInSeconds = args.expiringNotificationTimeInSeconds;\r\n }\r\n\r\n public load(container: User): void {\r\n const logger = this._logger.create(\"load\");\r\n // only register events if there's an access token and it has an expiration\r\n if (container.access_token && container.expires_in !== undefined) {\r\n const duration = container.expires_in;\r\n logger.debug(\"access token present, remaining duration:\", duration);\r\n\r\n if (duration > 0) {\r\n // only register expiring if we still have time\r\n let expiring = duration - this._expiringNotificationTimeInSeconds;\r\n if (expiring <= 0) {\r\n expiring = 1;\r\n }\r\n\r\n logger.debug(\"registering expiring timer, raising in\", expiring, \"seconds\");\r\n this._expiringTimer.init(expiring);\r\n }\r\n else {\r\n logger.debug(\"canceling existing expiring timer because we're past expiration.\");\r\n this._expiringTimer.cancel();\r\n }\r\n\r\n // if it's negative, it will still fire\r\n const expired = duration + 1;\r\n logger.debug(\"registering expired timer, raising in\", expired, \"seconds\");\r\n this._expiredTimer.init(expired);\r\n }\r\n else {\r\n this._expiringTimer.cancel();\r\n this._expiredTimer.cancel();\r\n }\r\n }\r\n\r\n public unload(): void {\r\n this._logger.debug(\"unload: canceling existing access token timers\");\r\n this._expiringTimer.cancel();\r\n this._expiredTimer.cancel();\r\n }\r\n\r\n /**\r\n * Add callback: Raised prior to the access token expiring.\r\n */\r\n public addAccessTokenExpiring(cb: AccessTokenCallback): () => void {\r\n return this._expiringTimer.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised prior to the access token expiring.\r\n */\r\n public removeAccessTokenExpiring(cb: AccessTokenCallback): void {\r\n this._expiringTimer.removeHandler(cb);\r\n }\r\n\r\n /**\r\n * Add callback: Raised after the access token has expired.\r\n */\r\n public addAccessTokenExpired(cb: AccessTokenCallback): () => void {\r\n return this._expiredTimer.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised after the access token has expired.\r\n */\r\n public removeAccessTokenExpired(cb: AccessTokenCallback): void {\r\n this._expiredTimer.removeHandler(cb);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class CheckSessionIFrame {\r\n private readonly _logger = new Logger(\"CheckSessionIFrame\");\r\n private _frame_origin: string;\r\n private _frame: HTMLIFrameElement;\r\n private _timer: ReturnType | null = null;\r\n private _session_state: string | null = null;\r\n\r\n public constructor(\r\n private _callback: () => Promise,\r\n private _client_id: string,\r\n url: string,\r\n private _intervalInSeconds: number,\r\n private _stopOnError: boolean,\r\n ) {\r\n const parsedUrl = new URL(url);\r\n this._frame_origin = parsedUrl.origin;\r\n\r\n this._frame = window.document.createElement(\"iframe\");\r\n\r\n // shotgun approach\r\n this._frame.style.visibility = \"hidden\";\r\n this._frame.style.position = \"fixed\";\r\n this._frame.style.left = \"-1000px\";\r\n this._frame.style.top = \"0\";\r\n this._frame.width = \"0\";\r\n this._frame.height = \"0\";\r\n this._frame.src = parsedUrl.href;\r\n }\r\n\r\n public load(): Promise {\r\n return new Promise((resolve) => {\r\n this._frame.onload = () => {\r\n resolve();\r\n };\r\n\r\n window.document.body.appendChild(this._frame);\r\n window.addEventListener(\"message\", this._message, false);\r\n });\r\n }\r\n\r\n private _message = (e: MessageEvent): void => {\r\n if (e.origin === this._frame_origin &&\r\n e.source === this._frame.contentWindow\r\n ) {\r\n if (e.data === \"error\") {\r\n this._logger.error(\"error message from check session op iframe\");\r\n if (this._stopOnError) {\r\n this.stop();\r\n }\r\n }\r\n else if (e.data === \"changed\") {\r\n this._logger.debug(\"changed message from check session op iframe\");\r\n this.stop();\r\n void this._callback();\r\n }\r\n else {\r\n this._logger.debug(e.data + \" message from check session op iframe\");\r\n }\r\n }\r\n };\r\n\r\n public start(session_state: string): void {\r\n if (this._session_state === session_state) {\r\n return;\r\n }\r\n\r\n this._logger.create(\"start\");\r\n\r\n this.stop();\r\n\r\n this._session_state = session_state;\r\n\r\n const send = () => {\r\n if (!this._frame.contentWindow || !this._session_state) {\r\n return;\r\n }\r\n\r\n this._frame.contentWindow.postMessage(this._client_id + \" \" + this._session_state, this._frame_origin);\r\n };\r\n\r\n // trigger now\r\n send();\r\n\r\n // and setup timer\r\n this._timer = setInterval(send, this._intervalInSeconds * 1000);\r\n }\r\n\r\n public stop(): void {\r\n this._logger.create(\"stop\");\r\n this._session_state = null;\r\n\r\n if (this._timer) {\r\n\r\n clearInterval(this._timer);\r\n this._timer = null;\r\n }\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport class InMemoryWebStorage implements Storage {\r\n private readonly _logger = new Logger(\"InMemoryWebStorage\");\r\n private _data: Record = {};\r\n\r\n public clear(): void {\r\n this._logger.create(\"clear\");\r\n this._data = {};\r\n }\r\n\r\n public getItem(key: string): string {\r\n this._logger.create(`getItem('${key}')`);\r\n return this._data[key];\r\n }\r\n\r\n public setItem(key: string, value: string): void {\r\n this._logger.create(`setItem('${key}')`);\r\n this._data[key] = value;\r\n }\r\n\r\n public removeItem(key: string): void {\r\n this._logger.create(`removeItem('${key}')`);\r\n delete this._data[key];\r\n }\r\n\r\n public get length(): number {\r\n return Object.getOwnPropertyNames(this._data).length;\r\n }\r\n\r\n public key(index: number): string {\r\n return Object.getOwnPropertyNames(this._data)[index];\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { ErrorResponse, ErrorTimeout } from \"./errors\";\r\nimport type { ExtraHeader } from \"./OidcClientSettings\";\r\nimport { Logger } from \"./utils\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport type JwtHandler = (text: string) => Promise>;\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface GetJsonOpts {\r\n token?: string;\r\n credentials?: RequestCredentials;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface PostFormOpts {\r\n body: URLSearchParams;\r\n basicAuth?: string;\r\n timeoutInSeconds?: number;\r\n initCredentials?: \"same-origin\" | \"include\" | \"omit\";\r\n extraHeaders?: Record;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class JsonService {\r\n private readonly _logger = new Logger(\"JsonService\");\r\n\r\n private _contentTypes: string[] = [];\r\n\r\n public constructor(\r\n additionalContentTypes: string[] = [],\r\n private _jwtHandler: JwtHandler | null = null,\r\n private _extraHeaders: Record = {},\r\n ) {\r\n this._contentTypes.push(...additionalContentTypes, \"application/json\");\r\n if (_jwtHandler) {\r\n this._contentTypes.push(\"application/jwt\");\r\n }\r\n }\r\n\r\n protected async fetchWithTimeout(input: RequestInfo, init: RequestInit & { timeoutInSeconds?: number } = {}) {\r\n const { timeoutInSeconds, ...initFetch } = init;\r\n if (!timeoutInSeconds) {\r\n return await fetch(input, initFetch);\r\n }\r\n\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), timeoutInSeconds * 1000);\r\n\r\n try {\r\n const response = await fetch(input, {\r\n ...init,\r\n signal: controller.signal,\r\n });\r\n return response;\r\n }\r\n catch (err) {\r\n if (err instanceof DOMException && err.name === \"AbortError\") {\r\n throw new ErrorTimeout(\"Network timed out\");\r\n }\r\n throw err;\r\n }\r\n finally {\r\n clearTimeout(timeoutId);\r\n }\r\n }\r\n\r\n public async getJson(url: string, {\r\n token,\r\n credentials,\r\n }: GetJsonOpts = {}): Promise> {\r\n const logger = this._logger.create(\"getJson\");\r\n const headers: HeadersInit = {\r\n \"Accept\": this._contentTypes.join(\", \"),\r\n };\r\n if (token) {\r\n logger.debug(\"token passed, setting Authorization header\");\r\n headers[\"Authorization\"] = \"Bearer \" + token;\r\n }\r\n\r\n this.appendExtraHeaders(headers);\r\n\r\n let response: Response;\r\n try {\r\n logger.debug(\"url:\", url);\r\n response = await this.fetchWithTimeout(url, { method: \"GET\", headers, credentials });\r\n }\r\n catch (err) {\r\n logger.error(\"Network Error\");\r\n throw err;\r\n }\r\n\r\n logger.debug(\"HTTP response received, status\", response.status);\r\n const contentType = response.headers.get(\"Content-Type\");\r\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\r\n logger.throw(new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`));\r\n }\r\n if (response.ok && this._jwtHandler && contentType?.startsWith(\"application/jwt\")) {\r\n return await this._jwtHandler(await response.text());\r\n }\r\n let json: Record;\r\n try {\r\n json = await response.json();\r\n }\r\n catch (err) {\r\n logger.error(\"Error parsing JSON response\", err);\r\n if (response.ok) throw err;\r\n throw new Error(`${response.statusText} (${response.status})`);\r\n }\r\n if (!response.ok) {\r\n logger.error(\"Error from server:\", json);\r\n if (json.error) {\r\n throw new ErrorResponse(json);\r\n }\r\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\r\n }\r\n return json;\r\n }\r\n\r\n public async postForm(url: string, {\r\n body,\r\n basicAuth,\r\n timeoutInSeconds,\r\n initCredentials,\r\n extraHeaders,\r\n }: PostFormOpts): Promise> {\r\n const logger = this._logger.create(\"postForm\");\r\n const headers: HeadersInit = {\r\n \"Accept\": this._contentTypes.join(\", \"),\r\n \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n ...extraHeaders,\r\n };\r\n if (basicAuth !== undefined) {\r\n headers[\"Authorization\"] = \"Basic \" + basicAuth;\r\n }\r\n\r\n this.appendExtraHeaders(headers);\r\n\r\n let response: Response;\r\n try {\r\n logger.debug(\"url:\", url);\r\n response = await this.fetchWithTimeout(url, { method: \"POST\", headers, body, timeoutInSeconds, credentials: initCredentials });\r\n }\r\n catch (err) {\r\n logger.error(\"Network error\");\r\n throw err;\r\n }\r\n\r\n logger.debug(\"HTTP response received, status\", response.status);\r\n const contentType = response.headers.get(\"Content-Type\");\r\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\r\n throw new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`);\r\n }\r\n\r\n const responseText = await response.text();\r\n\r\n let json: Record = {};\r\n if (responseText) {\r\n try {\r\n json = JSON.parse(responseText);\r\n }\r\n catch (err) {\r\n logger.error(\"Error parsing JSON response\", err);\r\n if (response.ok) throw err;\r\n throw new Error(`${response.statusText} (${response.status})`);\r\n }\r\n }\r\n\r\n if (!response.ok) {\r\n logger.error(\"Error from server:\", json);\r\n if (json.error) {\r\n throw new ErrorResponse(json, body);\r\n }\r\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\r\n }\r\n\r\n return json;\r\n }\r\n\r\n private appendExtraHeaders(\r\n headers: Record,\r\n ): void {\r\n const logger = this._logger.create(\"appendExtraHeaders\");\r\n const customKeys = Object.keys(this._extraHeaders);\r\n const protectedHeaders = [\r\n \"authorization\",\r\n \"accept\",\r\n \"content-type\",\r\n ];\r\n if (customKeys.length === 0) {\r\n return;\r\n }\r\n customKeys.forEach((headerName) => {\r\n if (protectedHeaders.includes(headerName.toLocaleLowerCase())) {\r\n logger.warn(\"Protected header could not be overridden\", headerName, protectedHeaders);\r\n return;\r\n }\r\n const content = (typeof this._extraHeaders[headerName] === \"function\") ?\r\n (this._extraHeaders[headerName] as ()=>string)() :\r\n this._extraHeaders[headerName];\r\n if (content && content !== \"\") {\r\n headers[headerName] = content as string;\r\n }\r\n });\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\nimport { JsonService } from \"./JsonService\";\r\nimport type { OidcClientSettingsStore, SigningKey } from \"./OidcClientSettings\";\r\nimport type { OidcMetadata } from \"./OidcMetadata\";\r\n\r\n/**\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata\r\n */\r\nexport class MetadataService {\r\n private readonly _logger = new Logger(\"MetadataService\");\r\n private readonly _jsonService;\r\n\r\n // cache\r\n private _metadataUrl: string;\r\n private _signingKeys: SigningKey[] | null = null;\r\n private _metadata: Partial | null = null;\r\n private _fetchRequestCredentials: RequestCredentials | undefined;\r\n\r\n public constructor(private readonly _settings: OidcClientSettingsStore) {\r\n this._metadataUrl = this._settings.metadataUrl;\r\n this._jsonService = new JsonService(\r\n [\"application/jwk-set+json\"],\r\n null,\r\n this._settings.extraHeaders,\r\n );\r\n if (this._settings.signingKeys) {\r\n this._logger.debug(\"using signingKeys from settings\");\r\n this._signingKeys = this._settings.signingKeys;\r\n }\r\n\r\n if (this._settings.metadata) {\r\n this._logger.debug(\"using metadata from settings\");\r\n this._metadata = this._settings.metadata;\r\n }\r\n\r\n if (this._settings.fetchRequestCredentials) {\r\n this._logger.debug(\"using fetchRequestCredentials from settings\");\r\n this._fetchRequestCredentials = this._settings.fetchRequestCredentials;\r\n }\r\n }\r\n\r\n public resetSigningKeys(): void {\r\n this._signingKeys = null;\r\n }\r\n\r\n public async getMetadata(): Promise> {\r\n const logger = this._logger.create(\"getMetadata\");\r\n if (this._metadata) {\r\n logger.debug(\"using cached values\");\r\n return this._metadata;\r\n }\r\n\r\n if (!this._metadataUrl) {\r\n logger.throw(new Error(\"No authority or metadataUrl configured on settings\"));\r\n throw null;\r\n }\r\n\r\n logger.debug(\"getting metadata from\", this._metadataUrl);\r\n const metadata = await this._jsonService.getJson(this._metadataUrl, { credentials: this._fetchRequestCredentials });\r\n\r\n logger.debug(\"merging remote JSON with seed metadata\");\r\n this._metadata = Object.assign({}, this._settings.metadataSeed, metadata);\r\n return this._metadata;\r\n }\r\n\r\n public getIssuer(): Promise {\r\n return this._getMetadataProperty(\"issuer\") as Promise;\r\n }\r\n\r\n public getAuthorizationEndpoint(): Promise {\r\n return this._getMetadataProperty(\"authorization_endpoint\") as Promise;\r\n }\r\n\r\n public getUserInfoEndpoint(): Promise {\r\n return this._getMetadataProperty(\"userinfo_endpoint\") as Promise;\r\n }\r\n\r\n public getTokenEndpoint(optional: false): Promise;\r\n public getTokenEndpoint(optional?: true): Promise;\r\n public getTokenEndpoint(optional = true): Promise {\r\n return this._getMetadataProperty(\"token_endpoint\", optional) as Promise;\r\n }\r\n\r\n public getCheckSessionIframe(): Promise {\r\n return this._getMetadataProperty(\"check_session_iframe\", true) as Promise;\r\n }\r\n\r\n public getEndSessionEndpoint(): Promise {\r\n return this._getMetadataProperty(\"end_session_endpoint\", true) as Promise;\r\n }\r\n\r\n public getRevocationEndpoint(optional: false): Promise;\r\n public getRevocationEndpoint(optional?: true): Promise;\r\n public getRevocationEndpoint(optional = true): Promise {\r\n return this._getMetadataProperty(\"revocation_endpoint\", optional) as Promise;\r\n }\r\n\r\n public getKeysEndpoint(optional: false): Promise;\r\n public getKeysEndpoint(optional?: true): Promise;\r\n public getKeysEndpoint(optional = true): Promise {\r\n return this._getMetadataProperty(\"jwks_uri\", optional) as Promise;\r\n }\r\n\r\n protected async _getMetadataProperty(name: keyof OidcMetadata, optional=false): Promise {\r\n const logger = this._logger.create(`_getMetadataProperty('${name}')`);\r\n\r\n const metadata = await this.getMetadata();\r\n logger.debug(\"resolved\");\r\n\r\n if (metadata[name] === undefined) {\r\n if (optional === true) {\r\n logger.warn(\"Metadata does not contain optional property\");\r\n return undefined;\r\n }\r\n\r\n logger.throw(new Error(\"Metadata does not contain property \" + name));\r\n }\r\n\r\n return metadata[name];\r\n }\r\n\r\n public async getSigningKeys(): Promise {\r\n const logger = this._logger.create(\"getSigningKeys\");\r\n if (this._signingKeys) {\r\n logger.debug(\"returning signingKeys from cache\");\r\n return this._signingKeys;\r\n }\r\n\r\n const jwks_uri = await this.getKeysEndpoint(false);\r\n logger.debug(\"got jwks_uri\", jwks_uri);\r\n\r\n const keySet = await this._jsonService.getJson(jwks_uri);\r\n logger.debug(\"got key set\", keySet);\r\n\r\n if (!Array.isArray(keySet.keys)) {\r\n logger.throw(new Error(\"Missing keys on keyset\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n\r\n this._signingKeys = keySet.keys;\r\n return this._signingKeys;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\nimport type { StateStore } from \"./StateStore\";\r\nimport type { AsyncStorage } from \"./AsyncStorage\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport class WebStorageStateStore implements StateStore {\r\n private readonly _logger = new Logger(\"WebStorageStateStore\");\r\n\r\n private readonly _store: AsyncStorage | Storage;\r\n private readonly _prefix: string;\r\n\r\n public constructor({\r\n prefix = \"oidc.\",\r\n store = localStorage,\r\n }: { prefix?: string; store?: AsyncStorage | Storage } = {}) {\r\n this._store = store;\r\n this._prefix = prefix;\r\n }\r\n\r\n public async set(key: string, value: string): Promise {\r\n this._logger.create(`set('${key}')`);\r\n\r\n key = this._prefix + key;\r\n await this._store.setItem(key, value);\r\n }\r\n\r\n public async get(key: string): Promise {\r\n this._logger.create(`get('${key}')`);\r\n\r\n key = this._prefix + key;\r\n const item = await this._store.getItem(key);\r\n return item;\r\n }\r\n\r\n public async remove(key: string): Promise {\r\n this._logger.create(`remove('${key}')`);\r\n\r\n key = this._prefix + key;\r\n const item = await this._store.getItem(key);\r\n await this._store.removeItem(key);\r\n return item;\r\n }\r\n\r\n public async getAllKeys(): Promise {\r\n this._logger.create(\"getAllKeys\");\r\n const len = await this._store.length;\r\n\r\n const keys = [];\r\n for (let index = 0; index < len; index++) {\r\n const key = await this._store.key(index);\r\n if (key && key.indexOf(this._prefix) === 0) {\r\n keys.push(key.substr(this._prefix.length));\r\n }\r\n }\r\n return keys;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\r\nimport type { OidcMetadata } from \"./OidcMetadata\";\r\nimport type { StateStore } from \"./StateStore\";\r\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\r\n\r\nconst DefaultResponseType = \"code\";\r\nconst DefaultScope = \"openid\";\r\nconst DefaultClientAuthentication = \"client_secret_post\";\r\nconst DefaultStaleStateAgeInSeconds = 60 * 15;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SigningKey = Record;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type ExtraHeader = string | (() => string);\r\n\r\n/**\r\n * The settings used to configure the {@link OidcClient}.\r\n *\r\n * @public\r\n */\r\nexport interface OidcClientSettings {\r\n /** The URL of the OIDC/OAuth2 provider */\r\n authority: string;\r\n metadataUrl?: string;\r\n /** Provide metadata when authority server does not allow CORS on the metadata endpoint */\r\n metadata?: Partial;\r\n /** Can be used to seed or add additional values to the results of the discovery request */\r\n metadataSeed?: Partial;\r\n /** Provide signingKeys when authority server does not allow CORS on the jwks uri */\r\n signingKeys?: SigningKey[];\r\n\r\n /** Your client application's identifier as registered with the OIDC/OAuth2 */\r\n client_id: string;\r\n client_secret?: string;\r\n /** The type of response desired from the OIDC/OAuth2 provider (default: \"code\") */\r\n response_type?: string;\r\n /** The scope being requested from the OIDC/OAuth2 provider (default: \"openid\") */\r\n scope?: string;\r\n /** The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider */\r\n redirect_uri: string;\r\n /** The OIDC/OAuth2 post-logout redirect URI */\r\n post_logout_redirect_uri?: string;\r\n\r\n /**\r\n * Client authentication method that is used to authenticate when using the token endpoint (default: \"client_secret_post\")\r\n * - \"client_secret_basic\": using the HTTP Basic authentication scheme\r\n * - \"client_secret_post\": including the client credentials in the request body\r\n *\r\n * See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication\r\n */\r\n client_authentication?: \"client_secret_basic\" | \"client_secret_post\";\r\n\r\n /** optional protocol param */\r\n prompt?: string;\r\n /** optional protocol param */\r\n display?: string;\r\n /** optional protocol param */\r\n max_age?: number;\r\n /** optional protocol param */\r\n ui_locales?: string;\r\n /** optional protocol param */\r\n acr_values?: string;\r\n /** optional protocol param */\r\n resource?: string | string[];\r\n\r\n /**\r\n * Optional protocol param\r\n * The response mode used by the authority server is defined by the response_type unless explicitly specified:\r\n * - Response mode for the OAuth 2.0 response type \"code\" is the \"query\" encoding\r\n * - Response mode for the OAuth 2.0 response type \"token\" is the \"fragment\" encoding\r\n *\r\n * @see https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes\r\n */\r\n response_mode?: \"query\" | \"fragment\";\r\n\r\n /**\r\n * Should optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true)\r\n * When true, the following claims are removed by default: [\"nbf\", \"jti\", \"auth_time\", \"nonce\", \"acr\", \"amr\", \"azp\", \"at_hash\"]\r\n * When specifying claims, the following claims are not allowed: [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"]\r\n */\r\n filterProtocolClaims?: boolean | string[];\r\n /** Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false) */\r\n loadUserInfo?: boolean;\r\n /** Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900) */\r\n staleStateAgeInSeconds?: number;\r\n\r\n /**\r\n * Indicates how objects returned from the user info endpoint as claims (e.g. `address`) are merged into the claims from the\r\n * id token as a single object. (default: `{ array: \"replace\" }`)\r\n * - array: \"replace\": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects\r\n * - array: \"merge\": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects\r\n */\r\n mergeClaimsStrategy?: { array: \"replace\" | \"merge\" };\r\n\r\n /**\r\n * Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window).\r\n * E.g. `stateStore: new WebStorageStateStore({ store: window.localStorage })`\r\n */\r\n stateStore?: StateStore;\r\n\r\n /**\r\n * An object containing additional query string parameters to be including in the authorization request.\r\n * E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: `{resource:\"some_identifier\"}`\r\n */\r\n extraQueryParams?: Record;\r\n\r\n extraTokenParams?: Record;\r\n\r\n /**\r\n * An object containing additional header to be including in request.\r\n */\r\n extraHeaders?: Record;\r\n\r\n /**\r\n * Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])\r\n */\r\n revokeTokenAdditionalContentTypes?: string[];\r\n /**\r\n * Will disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)\r\n */\r\n disablePKCE?: boolean;\r\n /**\r\n * Sets the credentials for fetch requests. (default: \"same-origin\")\r\n * Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies\r\n */\r\n fetchRequestCredentials?: RequestCredentials;\r\n\r\n /**\r\n * Only scopes in this list will be passed in the token refresh request.\r\n */\r\n refreshTokenAllowedScope?: string | undefined;\r\n}\r\n\r\n/**\r\n * The settings with defaults applied of the {@link OidcClient}.\r\n *\r\n * @public\r\n * @see {@link OidcClientSettings}\r\n */\r\nexport class OidcClientSettingsStore {\r\n // metadata\r\n public readonly authority: string;\r\n public readonly metadataUrl: string;\r\n public readonly metadata: Partial | undefined;\r\n public readonly metadataSeed: Partial | undefined;\r\n public readonly signingKeys: SigningKey[] | undefined;\r\n\r\n // client config\r\n public readonly client_id: string;\r\n public readonly client_secret: string | undefined;\r\n public readonly response_type: string;\r\n public readonly scope: string;\r\n public readonly redirect_uri: string;\r\n public readonly post_logout_redirect_uri: string | undefined;\r\n public readonly client_authentication: \"client_secret_basic\" | \"client_secret_post\";\r\n\r\n // optional protocol params\r\n public readonly prompt: string | undefined;\r\n public readonly display: string | undefined;\r\n public readonly max_age: number | undefined;\r\n public readonly ui_locales: string | undefined;\r\n public readonly acr_values: string | undefined;\r\n public readonly resource: string | string[] | undefined;\r\n public readonly response_mode: \"query\" | \"fragment\" | undefined;\r\n\r\n // behavior flags\r\n public readonly filterProtocolClaims: boolean | string[];\r\n public readonly loadUserInfo: boolean;\r\n public readonly staleStateAgeInSeconds: number;\r\n public readonly mergeClaimsStrategy: { array: \"replace\" | \"merge\" };\r\n\r\n public readonly stateStore: StateStore;\r\n\r\n // extra\r\n public readonly extraQueryParams: Record;\r\n public readonly extraTokenParams: Record;\r\n public readonly extraHeaders: Record;\r\n\r\n public readonly revokeTokenAdditionalContentTypes?: string[];\r\n public readonly fetchRequestCredentials: RequestCredentials;\r\n public readonly refreshTokenAllowedScope: string | undefined;\r\n public readonly disablePKCE: boolean;\r\n\r\n public constructor({\r\n // metadata related\r\n authority, metadataUrl, metadata, signingKeys, metadataSeed,\r\n // client related\r\n client_id, client_secret, response_type = DefaultResponseType, scope = DefaultScope,\r\n redirect_uri, post_logout_redirect_uri,\r\n client_authentication = DefaultClientAuthentication,\r\n // optional protocol\r\n prompt, display, max_age, ui_locales, acr_values, resource, response_mode,\r\n // behavior flags\r\n filterProtocolClaims = true,\r\n loadUserInfo = false,\r\n staleStateAgeInSeconds = DefaultStaleStateAgeInSeconds,\r\n mergeClaimsStrategy = { array: \"replace\" },\r\n disablePKCE = false,\r\n // other behavior\r\n stateStore,\r\n revokeTokenAdditionalContentTypes,\r\n fetchRequestCredentials,\r\n refreshTokenAllowedScope,\r\n // extra\r\n extraQueryParams = {},\r\n extraTokenParams = {},\r\n extraHeaders = {},\r\n }: OidcClientSettings) {\r\n\r\n this.authority = authority;\r\n\r\n if (metadataUrl) {\r\n this.metadataUrl = metadataUrl;\r\n } else {\r\n this.metadataUrl = authority;\r\n if (authority) {\r\n if (!this.metadataUrl.endsWith(\"/\")) {\r\n this.metadataUrl += \"/\";\r\n }\r\n this.metadataUrl += \".well-known/openid-configuration\";\r\n }\r\n }\r\n\r\n this.metadata = metadata;\r\n this.metadataSeed = metadataSeed;\r\n this.signingKeys = signingKeys;\r\n\r\n this.client_id = client_id;\r\n this.client_secret = client_secret;\r\n this.response_type = response_type;\r\n this.scope = scope;\r\n this.redirect_uri = redirect_uri;\r\n this.post_logout_redirect_uri = post_logout_redirect_uri;\r\n this.client_authentication = client_authentication;\r\n\r\n this.prompt = prompt;\r\n this.display = display;\r\n this.max_age = max_age;\r\n this.ui_locales = ui_locales;\r\n this.acr_values = acr_values;\r\n this.resource = resource;\r\n this.response_mode = response_mode;\r\n\r\n this.filterProtocolClaims = filterProtocolClaims ?? true;\r\n this.loadUserInfo = !!loadUserInfo;\r\n this.staleStateAgeInSeconds = staleStateAgeInSeconds;\r\n this.mergeClaimsStrategy = mergeClaimsStrategy;\r\n this.disablePKCE = !!disablePKCE;\r\n this.revokeTokenAdditionalContentTypes = revokeTokenAdditionalContentTypes;\r\n\r\n this.fetchRequestCredentials = fetchRequestCredentials ? fetchRequestCredentials : \"same-origin\";\r\n\r\n if (stateStore) {\r\n this.stateStore = stateStore;\r\n }\r\n else {\r\n const store = typeof window !== \"undefined\" ? window.localStorage : new InMemoryWebStorage();\r\n this.stateStore = new WebStorageStateStore({ store });\r\n }\r\n\r\n this.refreshTokenAllowedScope = refreshTokenAllowedScope;\r\n\r\n this.extraQueryParams = extraQueryParams;\r\n this.extraTokenParams = extraTokenParams;\r\n this.extraHeaders = extraHeaders;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, JwtUtils } from \"./utils\";\r\nimport { JsonService } from \"./JsonService\";\r\nimport type { MetadataService } from \"./MetadataService\";\r\nimport type { JwtClaims } from \"./Claims\";\r\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class UserInfoService {\r\n protected readonly _logger = new Logger(\"UserInfoService\");\r\n private readonly _jsonService: JsonService;\r\n\r\n public constructor(private readonly _settings: OidcClientSettingsStore,\r\n private readonly _metadataService: MetadataService,\r\n ) {\r\n this._jsonService = new JsonService(\r\n undefined,\r\n this._getClaimsFromJwt,\r\n this._settings.extraHeaders,\r\n );\r\n }\r\n\r\n public async getClaims(token: string): Promise {\r\n const logger = this._logger.create(\"getClaims\");\r\n if (!token) {\r\n this._logger.throw(new Error(\"No token passed\"));\r\n }\r\n\r\n const url = await this._metadataService.getUserInfoEndpoint();\r\n logger.debug(\"got userinfo url\", url);\r\n\r\n const claims = await this._jsonService.getJson(url, {\r\n token,\r\n credentials: this._settings.fetchRequestCredentials,\r\n });\r\n logger.debug(\"got claims\", claims);\r\n\r\n return claims;\r\n }\r\n\r\n protected _getClaimsFromJwt = async (responseText: string): Promise => {\r\n const logger = this._logger.create(\"_getClaimsFromJwt\");\r\n try {\r\n const payload = JwtUtils.decode(responseText);\r\n logger.debug(\"JWT decoding successful\");\r\n\r\n return payload;\r\n } catch (err) {\r\n logger.error(\"Error parsing JWT response\");\r\n throw err;\r\n }\r\n };\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { CryptoUtils, Logger } from \"./utils\";\r\nimport { JsonService } from \"./JsonService\";\r\nimport type { MetadataService } from \"./MetadataService\";\r\nimport type { ExtraHeader, OidcClientSettingsStore } from \"./OidcClientSettings\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface ExchangeCodeArgs {\r\n client_id?: string;\r\n client_secret?: string;\r\n redirect_uri?: string;\r\n\r\n grant_type?: string;\r\n code: string;\r\n code_verifier?: string;\r\n\r\n extraHeaders?: Record;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface ExchangeCredentialsArgs {\r\n client_id?: string;\r\n client_secret?: string;\r\n\r\n grant_type?: string;\r\n scope?: string;\r\n\r\n username: string;\r\n password: string;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface ExchangeRefreshTokenArgs {\r\n client_id?: string;\r\n client_secret?: string;\r\n redirect_uri?: string;\r\n\r\n grant_type?: string;\r\n refresh_token: string;\r\n scope?: string;\r\n resource?: string | string[];\r\n\r\n timeoutInSeconds?: number;\r\n\r\n extraHeaders?: Record;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport interface RevokeArgs {\r\n token: string;\r\n token_type_hint?: \"access_token\" | \"refresh_token\";\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class TokenClient {\r\n private readonly _logger = new Logger(\"TokenClient\");\r\n private readonly _jsonService;\r\n\r\n public constructor(\r\n private readonly _settings: OidcClientSettingsStore,\r\n private readonly _metadataService: MetadataService,\r\n ) {\r\n this._jsonService = new JsonService(\r\n this._settings.revokeTokenAdditionalContentTypes,\r\n null,\r\n this._settings.extraHeaders,\r\n );\r\n }\r\n\r\n /**\r\n * Exchange code.\r\n *\r\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3\r\n */\r\n public async exchangeCode({\r\n grant_type = \"authorization_code\",\r\n redirect_uri = this._settings.redirect_uri,\r\n client_id = this._settings.client_id,\r\n client_secret = this._settings.client_secret,\r\n extraHeaders,\r\n ...args\r\n }: ExchangeCodeArgs): Promise> {\r\n const logger = this._logger.create(\"exchangeCode\");\r\n if (!client_id) {\r\n logger.throw(new Error(\"A client_id is required\"));\r\n }\r\n if (!redirect_uri) {\r\n logger.throw(new Error(\"A redirect_uri is required\"));\r\n }\r\n if (!args.code) {\r\n logger.throw(new Error(\"A code is required\"));\r\n }\r\n\r\n const params = new URLSearchParams({ grant_type, redirect_uri });\r\n for (const [key, value] of Object.entries(args)) {\r\n if (value != null) {\r\n params.set(key, value);\r\n }\r\n }\r\n let basicAuth: string | undefined;\r\n switch (this._settings.client_authentication) {\r\n case \"client_secret_basic\":\r\n if (!client_secret) {\r\n logger.throw(new Error(\"A client_secret is required\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\r\n break;\r\n case \"client_secret_post\":\r\n params.append(\"client_id\", client_id);\r\n if (client_secret) {\r\n params.append(\"client_secret\", client_secret);\r\n }\r\n break;\r\n }\r\n\r\n const url = await this._metadataService.getTokenEndpoint(false);\r\n logger.debug(\"got token endpoint\");\r\n\r\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, initCredentials: this._settings.fetchRequestCredentials, extraHeaders });\r\n logger.debug(\"got response\");\r\n\r\n return response;\r\n }\r\n\r\n /**\r\n * Exchange credentials.\r\n *\r\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2\r\n */\r\n public async exchangeCredentials({\r\n grant_type = \"password\",\r\n client_id = this._settings.client_id,\r\n client_secret = this._settings.client_secret,\r\n scope = this._settings.scope,\r\n ...args\r\n }: ExchangeCredentialsArgs): Promise> {\r\n const logger = this._logger.create(\"exchangeCredentials\");\r\n\r\n if (!client_id) {\r\n logger.throw(new Error(\"A client_id is required\"));\r\n }\r\n\r\n const params = new URLSearchParams({ grant_type, scope });\r\n for (const [key, value] of Object.entries(args)) {\r\n if (value != null) {\r\n params.set(key, value);\r\n }\r\n }\r\n\r\n let basicAuth: string | undefined;\r\n switch (this._settings.client_authentication) {\r\n case \"client_secret_basic\":\r\n if (!client_secret) {\r\n logger.throw(new Error(\"A client_secret is required\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\r\n break;\r\n case \"client_secret_post\":\r\n params.append(\"client_id\", client_id);\r\n if (client_secret) {\r\n params.append(\"client_secret\", client_secret);\r\n }\r\n break;\r\n }\r\n\r\n const url = await this._metadataService.getTokenEndpoint(false);\r\n logger.debug(\"got token endpoint\");\r\n\r\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, initCredentials: this._settings.fetchRequestCredentials });\r\n logger.debug(\"got response\");\r\n\r\n return response;\r\n }\r\n\r\n /**\r\n * Exchange a refresh token.\r\n *\r\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-6\r\n */\r\n public async exchangeRefreshToken({\r\n grant_type = \"refresh_token\",\r\n client_id = this._settings.client_id,\r\n client_secret = this._settings.client_secret,\r\n timeoutInSeconds,\r\n extraHeaders,\r\n ...args\r\n }: ExchangeRefreshTokenArgs): Promise> {\r\n const logger = this._logger.create(\"exchangeRefreshToken\");\r\n if (!client_id) {\r\n logger.throw(new Error(\"A client_id is required\"));\r\n }\r\n if (!args.refresh_token) {\r\n logger.throw(new Error(\"A refresh_token is required\"));\r\n }\r\n\r\n const params = new URLSearchParams({ grant_type });\r\n for (const [key, value] of Object.entries(args)) {\r\n if (Array.isArray(value)) {\r\n value.forEach(param => params.append(key, param));\r\n }\r\n else if (value != null) {\r\n params.set(key, value);\r\n }\r\n }\r\n let basicAuth: string | undefined;\r\n switch (this._settings.client_authentication) {\r\n case \"client_secret_basic\":\r\n if (!client_secret) {\r\n logger.throw(new Error(\"A client_secret is required\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\r\n break;\r\n case \"client_secret_post\":\r\n params.append(\"client_id\", client_id);\r\n if (client_secret) {\r\n params.append(\"client_secret\", client_secret);\r\n }\r\n break;\r\n }\r\n\r\n const url = await this._metadataService.getTokenEndpoint(false);\r\n logger.debug(\"got token endpoint\");\r\n\r\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials, extraHeaders });\r\n logger.debug(\"got response\");\r\n\r\n return response;\r\n }\r\n\r\n /**\r\n * Revoke an access or refresh token.\r\n *\r\n * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.1\r\n */\r\n public async revoke(args: RevokeArgs): Promise {\r\n const logger = this._logger.create(\"revoke\");\r\n if (!args.token) {\r\n logger.throw(new Error(\"A token is required\"));\r\n }\r\n\r\n const url = await this._metadataService.getRevocationEndpoint(false);\r\n\r\n logger.debug(`got revocation endpoint, revoking ${args.token_type_hint ?? \"default token type\"}`);\r\n\r\n const params = new URLSearchParams();\r\n for (const [key, value] of Object.entries(args)) {\r\n if (value != null) {\r\n params.set(key, value);\r\n }\r\n }\r\n params.set(\"client_id\", this._settings.client_id);\r\n if (this._settings.client_secret) {\r\n params.set(\"client_secret\", this._settings.client_secret);\r\n }\r\n\r\n await this._jsonService.postForm(url, { body: params });\r\n logger.debug(\"got response\");\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, JwtUtils } from \"./utils\";\r\nimport { ErrorResponse } from \"./errors\";\r\nimport type { MetadataService } from \"./MetadataService\";\r\nimport { UserInfoService } from \"./UserInfoService\";\r\nimport { TokenClient } from \"./TokenClient\";\r\nimport type { ExtraHeader, OidcClientSettingsStore } from \"./OidcClientSettings\";\r\nimport type { SigninState } from \"./SigninState\";\r\nimport type { SigninResponse } from \"./SigninResponse\";\r\nimport type { State } from \"./State\";\r\nimport type { SignoutResponse } from \"./SignoutResponse\";\r\nimport type { UserProfile } from \"./User\";\r\nimport type { RefreshState } from \"./RefreshState\";\r\nimport type { IdTokenClaims } from \"./Claims\";\r\nimport type { ClaimsService } from \"./ClaimsService\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class ResponseValidator {\r\n protected readonly _logger = new Logger(\"ResponseValidator\");\r\n protected readonly _userInfoService = new UserInfoService(this._settings, this._metadataService);\r\n protected readonly _tokenClient = new TokenClient(this._settings, this._metadataService);\r\n\r\n public constructor(\r\n protected readonly _settings: OidcClientSettingsStore,\r\n protected readonly _metadataService: MetadataService,\r\n protected readonly _claimsService: ClaimsService,\r\n ) {}\r\n\r\n public async validateSigninResponse(response: SigninResponse, state: SigninState, extraHeaders?: Record): Promise {\r\n const logger = this._logger.create(\"validateSigninResponse\");\r\n\r\n this._processSigninState(response, state);\r\n logger.debug(\"state processed\");\r\n\r\n await this._processCode(response, state, extraHeaders);\r\n logger.debug(\"code processed\");\r\n\r\n if (response.isOpenId) {\r\n this._validateIdTokenAttributes(response);\r\n }\r\n logger.debug(\"tokens validated\");\r\n\r\n await this._processClaims(response, state?.skipUserInfo, response.isOpenId);\r\n logger.debug(\"claims processed\");\r\n }\r\n\r\n public async validateCredentialsResponse(response: SigninResponse, skipUserInfo: boolean): Promise {\r\n const logger = this._logger.create(\"validateCredentialsResponse\");\r\n\r\n if (response.isOpenId && !!response.id_token) {\r\n this._validateIdTokenAttributes(response);\r\n }\r\n logger.debug(\"tokens validated\");\r\n\r\n await this._processClaims(response, skipUserInfo, response.isOpenId);\r\n logger.debug(\"claims processed\");\r\n }\r\n\r\n public async validateRefreshResponse(response: SigninResponse, state: RefreshState): Promise {\r\n const logger = this._logger.create(\"validateRefreshResponse\");\r\n\r\n response.userState = state.data;\r\n // if there's no session_state on the response, copy over session_state from original request\r\n response.session_state ??= state.session_state;\r\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\r\n response.scope ??= state.scope;\r\n\r\n // OpenID Connect Core 1.0 says that id_token is optional in refresh response:\r\n // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse\r\n if (response.isOpenId && !!response.id_token) {\r\n this._validateIdTokenAttributes(response, state.id_token);\r\n logger.debug(\"ID Token validated\");\r\n }\r\n\r\n if (!response.id_token) {\r\n // if there's no id_token on the response, copy over id_token from original request\r\n response.id_token = state.id_token;\r\n // and decoded part too\r\n response.profile = state.profile;\r\n }\r\n\r\n const hasIdToken = response.isOpenId && !!response.id_token;\r\n await this._processClaims(response, false, hasIdToken);\r\n logger.debug(\"claims processed\");\r\n }\r\n\r\n public validateSignoutResponse(response: SignoutResponse, state: State): void {\r\n const logger = this._logger.create(\"validateSignoutResponse\");\r\n if (state.id !== response.state) {\r\n logger.throw(new Error(\"State does not match\"));\r\n }\r\n\r\n // now that we know the state matches, take the stored data\r\n // and set it into the response so callers can get their state\r\n // this is important for both success & error outcomes\r\n logger.debug(\"state validated\");\r\n response.userState = state.data;\r\n\r\n if (response.error) {\r\n logger.warn(\"Response was error\", response.error);\r\n throw new ErrorResponse(response);\r\n }\r\n }\r\n\r\n protected _processSigninState(response: SigninResponse, state: SigninState): void {\r\n const logger = this._logger.create(\"_processSigninState\");\r\n if (state.id !== response.state) {\r\n logger.throw(new Error(\"State does not match\"));\r\n }\r\n\r\n if (!state.client_id) {\r\n logger.throw(new Error(\"No client_id on state\"));\r\n }\r\n\r\n if (!state.authority) {\r\n logger.throw(new Error(\"No authority on state\"));\r\n }\r\n\r\n // ensure we're using the correct authority\r\n if (this._settings.authority !== state.authority) {\r\n logger.throw(new Error(\"authority mismatch on settings vs. signin state\"));\r\n }\r\n if (this._settings.client_id && this._settings.client_id !== state.client_id) {\r\n logger.throw(new Error(\"client_id mismatch on settings vs. signin state\"));\r\n }\r\n\r\n // now that we know the state matches, take the stored data\r\n // and set it into the response so callers can get their state\r\n // this is important for both success & error outcomes\r\n logger.debug(\"state validated\");\r\n response.userState = state.data;\r\n response.url_state = state.url_state;\r\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\r\n response.scope ??= state.scope;\r\n\r\n if (response.error) {\r\n logger.warn(\"Response was error\", response.error);\r\n throw new ErrorResponse(response);\r\n }\r\n\r\n if (state.code_verifier && !response.code) {\r\n logger.throw(new Error(\"Expected code in response\"));\r\n }\r\n\r\n }\r\n\r\n protected async _processClaims(response: SigninResponse, skipUserInfo = false, validateSub = true): Promise {\r\n const logger = this._logger.create(\"_processClaims\");\r\n response.profile = this._claimsService.filterProtocolClaims(response.profile);\r\n\r\n if (skipUserInfo || !this._settings.loadUserInfo || !response.access_token) {\r\n logger.debug(\"not loading user info\");\r\n return;\r\n }\r\n\r\n logger.debug(\"loading user info\");\r\n const claims = await this._userInfoService.getClaims(response.access_token);\r\n logger.debug(\"user info claims received from user info endpoint\");\r\n\r\n if (validateSub && claims.sub !== response.profile.sub) {\r\n logger.throw(new Error(\"subject from UserInfo response does not match subject in ID Token\"));\r\n }\r\n\r\n response.profile = this._claimsService.mergeClaims(response.profile, this._claimsService.filterProtocolClaims(claims as IdTokenClaims));\r\n logger.debug(\"user info claims received, updated profile:\", response.profile);\r\n }\r\n\r\n protected async _processCode(response: SigninResponse, state: SigninState, extraHeaders?: Record): Promise {\r\n const logger = this._logger.create(\"_processCode\");\r\n if (response.code) {\r\n logger.debug(\"Validating code\");\r\n const tokenResponse = await this._tokenClient.exchangeCode({\r\n client_id: state.client_id,\r\n client_secret: state.client_secret,\r\n code: response.code,\r\n redirect_uri: state.redirect_uri,\r\n code_verifier: state.code_verifier,\r\n extraHeaders: extraHeaders,\r\n ...state.extraTokenParams,\r\n });\r\n Object.assign(response, tokenResponse);\r\n } else {\r\n logger.debug(\"No code to process\");\r\n }\r\n }\r\n\r\n protected _validateIdTokenAttributes(response: SigninResponse, existingToken?: string): void {\r\n const logger = this._logger.create(\"_validateIdTokenAttributes\");\r\n\r\n logger.debug(\"decoding ID Token JWT\");\r\n const incoming = JwtUtils.decode(response.id_token ?? \"\");\r\n\r\n if (!incoming.sub) {\r\n logger.throw(new Error(\"ID Token is missing a subject claim\"));\r\n }\r\n\r\n if (existingToken) {\r\n const existing = JwtUtils.decode(existingToken);\r\n if (incoming.sub !== existing.sub) {\r\n logger.throw(new Error(\"sub in id_token does not match current sub\"));\r\n }\r\n if (incoming.auth_time && incoming.auth_time !== existing.auth_time) {\r\n logger.throw(new Error(\"auth_time in id_token does not match original auth_time\"));\r\n }\r\n if (incoming.azp && incoming.azp !== existing.azp) {\r\n logger.throw(new Error(\"azp in id_token does not match original azp\"));\r\n }\r\n if (!incoming.azp && existing.azp) {\r\n logger.throw(new Error(\"azp not in id_token, but present in original id_token\"));\r\n }\r\n }\r\n\r\n response.profile = incoming as UserProfile;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, CryptoUtils, Timer } from \"./utils\";\r\nimport type { StateStore } from \"./StateStore\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport class State {\r\n public readonly id: string;\r\n public readonly created: number;\r\n public readonly request_type: string | undefined;\r\n public readonly url_state: string | undefined;\r\n\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n public readonly data?: unknown;\r\n\r\n public constructor(args: {\r\n id?: string;\r\n data?: unknown;\r\n created?: number;\r\n request_type?: string;\r\n url_state?: string;\r\n }) {\r\n this.id = args.id || CryptoUtils.generateUUIDv4();\r\n this.data = args.data;\r\n\r\n if (args.created && args.created > 0) {\r\n this.created = args.created;\r\n }\r\n else {\r\n this.created = Timer.getEpochTime();\r\n }\r\n this.request_type = args.request_type;\r\n this.url_state = args.url_state;\r\n }\r\n\r\n public toStorageString(): string {\r\n new Logger(\"State\").create(\"toStorageString\");\r\n return JSON.stringify({\r\n id: this.id,\r\n data: this.data,\r\n created: this.created,\r\n request_type: this.request_type,\r\n url_state: this.url_state,\r\n });\r\n }\r\n\r\n public static fromStorageString(storageString: string): Promise {\r\n Logger.createStatic(\"State\", \"fromStorageString\");\r\n return Promise.resolve(new State(JSON.parse(storageString)));\r\n }\r\n\r\n public static async clearStaleState(storage: StateStore, age: number): Promise {\r\n const logger = Logger.createStatic(\"State\", \"clearStaleState\");\r\n const cutoff = Timer.getEpochTime() - age;\r\n\r\n const keys = await storage.getAllKeys();\r\n logger.debug(\"got keys\", keys);\r\n\r\n for (let i = 0; i < keys.length; i++) {\r\n const key = keys[i];\r\n const item = await storage.get(key);\r\n let remove = false;\r\n\r\n if (item) {\r\n try {\r\n const state = await State.fromStorageString(item);\r\n\r\n logger.debug(\"got item from key:\", key, state.created);\r\n if (state.created <= cutoff) {\r\n remove = true;\r\n }\r\n }\r\n catch (err) {\r\n logger.error(\"Error parsing state for key:\", key, err);\r\n remove = true;\r\n }\r\n }\r\n else {\r\n logger.debug(\"no item in storage for key:\", key);\r\n remove = true;\r\n }\r\n\r\n if (remove) {\r\n logger.debug(\"removed item for key:\", key);\r\n void storage.remove(key);\r\n }\r\n }\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, CryptoUtils } from \"./utils\";\r\nimport { State } from \"./State\";\r\n\r\n/** @public */\r\nexport interface SigninStateArgs {\r\n id?: string;\r\n data?: unknown;\r\n created?: number;\r\n request_type?: string;\r\n\r\n code_verifier?: string;\r\n code_challenge?: string;\r\n authority: string;\r\n client_id: string;\r\n redirect_uri: string;\r\n scope: string;\r\n client_secret?: string;\r\n extraTokenParams?: Record;\r\n response_mode?: \"query\" | \"fragment\";\r\n skipUserInfo?: boolean;\r\n url_state?: string;\r\n}\r\n\r\n/** @public */\r\nexport type SigninStateCreateArgs = Omit & {\r\n code_verifier?: string | boolean;\r\n};\r\n\r\n/**\r\n * @public\r\n */\r\nexport class SigninState extends State {\r\n // isCode\r\n /** The same code_verifier that was used to obtain the authorization_code via PKCE. */\r\n public readonly code_verifier: string | undefined;\r\n /** Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). */\r\n public readonly code_challenge: string | undefined;\r\n\r\n // to ensure state still matches settings\r\n /** @see {@link OidcClientSettings.authority} */\r\n public readonly authority: string;\r\n /** @see {@link OidcClientSettings.client_id} */\r\n public readonly client_id: string;\r\n /** @see {@link OidcClientSettings.redirect_uri} */\r\n public readonly redirect_uri: string;\r\n /** @see {@link OidcClientSettings.scope} */\r\n public readonly scope: string;\r\n /** @see {@link OidcClientSettings.client_secret} */\r\n public readonly client_secret: string | undefined;\r\n /** @see {@link OidcClientSettings.extraTokenParams} */\r\n public readonly extraTokenParams: Record | undefined;\r\n /** @see {@link OidcClientSettings.response_mode} */\r\n public readonly response_mode: \"query\" | \"fragment\" | undefined;\r\n\r\n public readonly skipUserInfo: boolean | undefined;\r\n\r\n private constructor(args: SigninStateArgs) {\r\n super(args);\r\n\r\n this.code_verifier = args.code_verifier;\r\n this.code_challenge = args.code_challenge;\r\n this.authority = args.authority;\r\n this.client_id = args.client_id;\r\n this.redirect_uri = args.redirect_uri;\r\n this.scope = args.scope;\r\n this.client_secret = args.client_secret;\r\n this.extraTokenParams = args.extraTokenParams;\r\n\r\n this.response_mode = args.response_mode;\r\n this.skipUserInfo = args.skipUserInfo;\r\n }\r\n\r\n public static async create(args: SigninStateCreateArgs): Promise {\r\n const code_verifier = args.code_verifier === true ? CryptoUtils.generateCodeVerifier() : (args.code_verifier || undefined);\r\n const code_challenge = code_verifier ? (await CryptoUtils.generateCodeChallenge(code_verifier)) : undefined;\r\n\r\n return new SigninState({\r\n ...args,\r\n code_verifier,\r\n code_challenge,\r\n });\r\n }\r\n\r\n public toStorageString(): string {\r\n new Logger(\"SigninState\").create(\"toStorageString\");\r\n return JSON.stringify({\r\n id: this.id,\r\n data: this.data,\r\n created: this.created,\r\n request_type: this.request_type,\r\n url_state: this.url_state,\r\n\r\n code_verifier: this.code_verifier,\r\n authority: this.authority,\r\n client_id: this.client_id,\r\n redirect_uri: this.redirect_uri,\r\n scope: this.scope,\r\n client_secret: this.client_secret,\r\n extraTokenParams : this.extraTokenParams,\r\n response_mode: this.response_mode,\r\n skipUserInfo: this.skipUserInfo,\r\n });\r\n }\r\n\r\n public static fromStorageString(storageString: string): Promise {\r\n Logger.createStatic(\"SigninState\", \"fromStorageString\");\r\n const data = JSON.parse(storageString);\r\n return SigninState.create(data);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, URL_STATE_DELIMITER } from \"./utils\";\r\nimport { SigninState } from \"./SigninState\";\r\n\r\n/**\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\r\n */\r\nexport interface SigninRequestCreateArgs {\r\n // mandatory\r\n url: string;\r\n authority: string;\r\n client_id: string;\r\n redirect_uri: string;\r\n response_type: string;\r\n scope: string;\r\n\r\n // optional\r\n response_mode?: \"query\" | \"fragment\";\r\n nonce?: string;\r\n display?: string;\r\n prompt?: string;\r\n max_age?: number;\r\n ui_locales?: string;\r\n id_token_hint?: string;\r\n login_hint?: string;\r\n acr_values?: string;\r\n\r\n // other\r\n resource?: string | string[];\r\n request?: string;\r\n request_uri?: string;\r\n request_type?: string;\r\n extraQueryParams?: Record;\r\n\r\n // special\r\n extraTokenParams?: Record;\r\n client_secret?: string;\r\n skipUserInfo?: boolean;\r\n disablePKCE?: boolean;\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n state_data?: unknown;\r\n url_state?: string;\r\n}\r\n\r\n/**\r\n * @public\r\n */\r\nexport class SigninRequest {\r\n private static readonly _logger = new Logger(\"SigninRequest\");\r\n\r\n public readonly url: string;\r\n public readonly state: SigninState;\r\n\r\n private constructor(args: {\r\n url: string;\r\n state: SigninState;\r\n }) {\r\n this.url = args.url;\r\n this.state = args.state;\r\n }\r\n\r\n public static async create({\r\n // mandatory\r\n url, authority, client_id, redirect_uri, response_type, scope,\r\n // optional\r\n state_data, response_mode, request_type, client_secret, nonce, url_state,\r\n resource,\r\n skipUserInfo,\r\n extraQueryParams,\r\n extraTokenParams,\r\n disablePKCE,\r\n ...optionalParams\r\n }: SigninRequestCreateArgs): Promise {\r\n if (!url) {\r\n this._logger.error(\"create: No url passed\");\r\n throw new Error(\"url\");\r\n }\r\n if (!client_id) {\r\n this._logger.error(\"create: No client_id passed\");\r\n throw new Error(\"client_id\");\r\n }\r\n if (!redirect_uri) {\r\n this._logger.error(\"create: No redirect_uri passed\");\r\n throw new Error(\"redirect_uri\");\r\n }\r\n if (!response_type) {\r\n this._logger.error(\"create: No response_type passed\");\r\n throw new Error(\"response_type\");\r\n }\r\n if (!scope) {\r\n this._logger.error(\"create: No scope passed\");\r\n throw new Error(\"scope\");\r\n }\r\n if (!authority) {\r\n this._logger.error(\"create: No authority passed\");\r\n throw new Error(\"authority\");\r\n }\r\n\r\n const state = await SigninState.create({\r\n data: state_data,\r\n request_type,\r\n url_state,\r\n code_verifier: !disablePKCE,\r\n client_id, authority, redirect_uri,\r\n response_mode,\r\n client_secret, scope, extraTokenParams,\r\n skipUserInfo,\r\n });\r\n\r\n const parsedUrl = new URL(url);\r\n parsedUrl.searchParams.append(\"client_id\", client_id);\r\n parsedUrl.searchParams.append(\"redirect_uri\", redirect_uri);\r\n parsedUrl.searchParams.append(\"response_type\", response_type);\r\n parsedUrl.searchParams.append(\"scope\", scope);\r\n if (nonce) {\r\n parsedUrl.searchParams.append(\"nonce\", nonce);\r\n }\r\n\r\n let stateParam = state.id;\r\n if (url_state) {\r\n stateParam = `${stateParam}${URL_STATE_DELIMITER}${url_state}`;\r\n }\r\n parsedUrl.searchParams.append(\"state\", stateParam);\r\n if (state.code_challenge) {\r\n parsedUrl.searchParams.append(\"code_challenge\", state.code_challenge);\r\n parsedUrl.searchParams.append(\"code_challenge_method\", \"S256\");\r\n }\r\n\r\n if (resource) {\r\n // https://datatracker.ietf.org/doc/html/rfc8707\r\n const resources = Array.isArray(resource) ? resource : [resource];\r\n resources\r\n .forEach(r => parsedUrl.searchParams.append(\"resource\", r));\r\n }\r\n\r\n for (const [key, value] of Object.entries({ response_mode, ...optionalParams, ...extraQueryParams })) {\r\n if (value != null) {\r\n parsedUrl.searchParams.append(key, value.toString());\r\n }\r\n }\r\n\r\n return new SigninRequest({\r\n url: parsedUrl.href,\r\n state,\r\n });\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Timer, URL_STATE_DELIMITER } from \"./utils\";\r\nimport type { UserProfile } from \"./User\";\r\n\r\nconst OidcScope = \"openid\";\r\n\r\n/**\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse\r\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\r\n */\r\nexport class SigninResponse {\r\n // props present in the initial callback response regardless of success\r\n public readonly state: string | null;\r\n /** @see {@link User.session_state} */\r\n public session_state: string | null;\r\n\r\n // error props\r\n /** @see {@link ErrorResponse.error} */\r\n public readonly error: string | null;\r\n /** @see {@link ErrorResponse.error_description} */\r\n public readonly error_description: string | null;\r\n /** @see {@link ErrorResponse.error_uri} */\r\n public readonly error_uri: string | null;\r\n\r\n // success props\r\n public readonly code: string | null;\r\n\r\n // props set after validation\r\n /** @see {@link User.id_token} */\r\n public id_token?: string;\r\n /** @see {@link User.access_token} */\r\n public access_token = \"\";\r\n /** @see {@link User.token_type} */\r\n public token_type = \"\";\r\n /** @see {@link User.refresh_token} */\r\n public refresh_token?: string;\r\n /** @see {@link User.scope} */\r\n public scope?: string;\r\n /** @see {@link User.expires_at} */\r\n public expires_at?: number;\r\n\r\n /** custom state data set during the initial signin request */\r\n public userState: unknown;\r\n public url_state?: string;\r\n\r\n /** @see {@link User.profile} */\r\n public profile: UserProfile = {} as UserProfile;\r\n\r\n public constructor(params: URLSearchParams) {\r\n this.state = params.get(\"state\");\r\n this.session_state = params.get(\"session_state\");\r\n if (this.state) {\r\n const splitState = decodeURIComponent(this.state).split(URL_STATE_DELIMITER);\r\n this.state = splitState[0];\r\n if (splitState.length > 1) {\r\n this.url_state = splitState.slice(1).join(URL_STATE_DELIMITER);\r\n }\r\n }\r\n\r\n this.error = params.get(\"error\");\r\n this.error_description = params.get(\"error_description\");\r\n this.error_uri = params.get(\"error_uri\");\r\n\r\n this.code = params.get(\"code\");\r\n }\r\n\r\n public get expires_in(): number | undefined {\r\n if (this.expires_at === undefined) {\r\n return undefined;\r\n }\r\n return this.expires_at - Timer.getEpochTime();\r\n }\r\n public set expires_in(value: number | undefined) {\r\n // spec expects a number, but normalize here just in case\r\n if (typeof value === \"string\") value = Number(value);\r\n if (value !== undefined && value >= 0) {\r\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\r\n }\r\n }\r\n\r\n public get isOpenId(): boolean {\r\n return this.scope?.split(\" \").includes(OidcScope) || !!this.id_token;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\nimport { State } from \"./State\";\r\n\r\n/**\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout\r\n */\r\nexport interface SignoutRequestArgs {\r\n // mandatory\r\n url: string;\r\n\r\n // optional\r\n id_token_hint?: string;\r\n client_id?: string;\r\n post_logout_redirect_uri?: string;\r\n extraQueryParams?: Record;\r\n\r\n // special\r\n request_type?: string;\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n state_data?: unknown;\r\n}\r\n\r\n/**\r\n * @public\r\n */\r\nexport class SignoutRequest {\r\n private readonly _logger = new Logger(\"SignoutRequest\");\r\n\r\n public readonly url: string;\r\n public readonly state?: State;\r\n\r\n public constructor({\r\n url,\r\n state_data, id_token_hint, post_logout_redirect_uri, extraQueryParams, request_type, client_id,\r\n }: SignoutRequestArgs) {\r\n if (!url) {\r\n this._logger.error(\"ctor: No url passed\");\r\n throw new Error(\"url\");\r\n }\r\n\r\n const parsedUrl = new URL(url);\r\n if (id_token_hint) {\r\n parsedUrl.searchParams.append(\"id_token_hint\", id_token_hint);\r\n }\r\n if (client_id) {\r\n parsedUrl.searchParams.append(\"client_id\", client_id);\r\n }\r\n\r\n if (post_logout_redirect_uri) {\r\n parsedUrl.searchParams.append(\"post_logout_redirect_uri\", post_logout_redirect_uri);\r\n\r\n if (state_data) {\r\n this.state = new State({ data: state_data, request_type });\r\n\r\n parsedUrl.searchParams.append(\"state\", this.state.id);\r\n }\r\n }\r\n\r\n for (const [key, value] of Object.entries({ ...extraQueryParams })) {\r\n if (value != null) {\r\n parsedUrl.searchParams.append(key, value.toString());\r\n }\r\n }\r\n\r\n this.url = parsedUrl.href;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\n/**\r\n * @public\r\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\r\n */\r\nexport class SignoutResponse {\r\n public readonly state: string | null;\r\n\r\n // error props\r\n /** @see {@link ErrorResponse.error} */\r\n public error: string | null;\r\n /** @see {@link ErrorResponse.error_description} */\r\n public error_description: string | null;\r\n /** @see {@link ErrorResponse.error_uri} */\r\n public error_uri: string | null;\r\n\r\n /** custom state data set during the initial signin request */\r\n public userState: unknown;\r\n\r\n public constructor(params: URLSearchParams) {\r\n this.state = params.get(\"state\");\r\n\r\n this.error = params.get(\"error\");\r\n this.error_description = params.get(\"error_description\");\r\n this.error_uri = params.get(\"error_uri\");\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport type { JwtClaims } from \"./Claims\";\r\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\r\nimport type { UserProfile } from \"./User\";\r\nimport { Logger } from \"./utils\";\r\n\r\n/**\r\n * Protocol claims that could be removed by default from profile.\r\n * Derived from the following sets of claims:\r\n * - {@link https://datatracker.ietf.org/doc/html/rfc7519.html#section-4.1}\r\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#IDToken}\r\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken}\r\n *\r\n * @internal\r\n */\r\nconst DefaultProtocolClaims = [\r\n \"nbf\",\r\n \"jti\",\r\n \"auth_time\",\r\n \"nonce\",\r\n \"acr\",\r\n \"amr\",\r\n \"azp\",\r\n \"at_hash\", // https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken\r\n] as const;\r\n\r\n/**\r\n * Protocol claims that should never be removed from profile.\r\n * \"sub\" is needed internally and others should remain required as per the OIDC specs.\r\n *\r\n * @internal\r\n */\r\nconst InternalRequiredProtocolClaims = [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"];\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class ClaimsService {\r\n protected readonly _logger = new Logger(\"ClaimsService\");\r\n public constructor(\r\n protected readonly _settings: OidcClientSettingsStore,\r\n ) {}\r\n\r\n public filterProtocolClaims(claims: UserProfile): UserProfile {\r\n const result = { ...claims };\r\n\r\n if (this._settings.filterProtocolClaims) {\r\n let protocolClaims;\r\n if (Array.isArray(this._settings.filterProtocolClaims)) {\r\n protocolClaims = this._settings.filterProtocolClaims;\r\n } else {\r\n protocolClaims = DefaultProtocolClaims;\r\n }\r\n\r\n for (const claim of protocolClaims) {\r\n if (!InternalRequiredProtocolClaims.includes(claim)) {\r\n delete result[claim];\r\n }\r\n }\r\n }\r\n\r\n return result;\r\n }\r\n\r\n public mergeClaims(claims1: JwtClaims, claims2: JwtClaims): UserProfile;\r\n public mergeClaims(claims1: UserProfile, claims2: JwtClaims): UserProfile {\r\n const result = { ...claims1 };\r\n for (const [claim, values] of Object.entries(claims2)) {\r\n if (result[claim] !== values) {\r\n if (Array.isArray(result[claim]) || Array.isArray(values)) {\r\n if (this._settings.mergeClaimsStrategy.array == \"replace\") {\r\n result[claim] = values;\r\n } else {\r\n const mergedValues = Array.isArray(result[claim]) ? result[claim] as unknown[] : [result[claim]];\r\n for (const value of Array.isArray(values) ? values : [values]) {\r\n if (!mergedValues.includes(value)) {\r\n mergedValues.push(value);\r\n }\r\n }\r\n result[claim] = mergedValues;\r\n }\r\n } else if (typeof result[claim] === \"object\" && typeof values === \"object\") {\r\n result[claim] = this.mergeClaims(result[claim] as JwtClaims, values as JwtClaims);\r\n } else {\r\n result[claim] = values;\r\n }\r\n }\r\n }\r\n\r\n return result;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, UrlUtils } from \"./utils\";\r\nimport { ErrorResponse } from \"./errors\";\r\nimport { type ExtraHeader, type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\r\nimport { ResponseValidator } from \"./ResponseValidator\";\r\nimport { MetadataService } from \"./MetadataService\";\r\nimport type { RefreshState } from \"./RefreshState\";\r\nimport { SigninRequest, type SigninRequestCreateArgs } from \"./SigninRequest\";\r\nimport { SigninResponse } from \"./SigninResponse\";\r\nimport { SignoutRequest, type SignoutRequestArgs } from \"./SignoutRequest\";\r\nimport { SignoutResponse } from \"./SignoutResponse\";\r\nimport { SigninState } from \"./SigninState\";\r\nimport { State } from \"./State\";\r\nimport { TokenClient } from \"./TokenClient\";\r\nimport { ClaimsService } from \"./ClaimsService\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport interface CreateSigninRequestArgs\r\n extends Omit {\r\n redirect_uri?: string;\r\n response_type?: string;\r\n scope?: string;\r\n\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n state?: unknown;\r\n}\r\n\r\n/**\r\n * @public\r\n */\r\nexport interface UseRefreshTokenArgs {\r\n redirect_uri?: string;\r\n resource?: string | string[];\r\n extraTokenParams?: Record;\r\n timeoutInSeconds?: number;\r\n\r\n state: RefreshState;\r\n\r\n extraHeaders?: Record;\r\n}\r\n\r\n/**\r\n * @public\r\n */\r\nexport type CreateSignoutRequestArgs = Omit & {\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n state?: unknown;\r\n};\r\n\r\n/**\r\n * @public\r\n */\r\nexport type ProcessResourceOwnerPasswordCredentialsArgs = {\r\n username: string;\r\n password: string;\r\n skipUserInfo?: boolean;\r\n extraTokenParams?: Record;\r\n};\r\n\r\n/**\r\n * Provides the raw OIDC/OAuth2 protocol support for the authorization endpoint and the end session endpoint in the\r\n * authorization server. It provides a bare-bones protocol implementation and is used by the UserManager class.\r\n * Only use this class if you simply want protocol support without the additional management features of the\r\n * UserManager class.\r\n *\r\n * @public\r\n */\r\nexport class OidcClient {\r\n public readonly settings: OidcClientSettingsStore;\r\n protected readonly _logger = new Logger(\"OidcClient\");\r\n\r\n public readonly metadataService: MetadataService;\r\n protected readonly _claimsService: ClaimsService;\r\n protected readonly _validator: ResponseValidator;\r\n protected readonly _tokenClient: TokenClient;\r\n\r\n public constructor(settings: OidcClientSettings);\r\n public constructor(settings: OidcClientSettingsStore, metadataService: MetadataService);\r\n public constructor(settings: OidcClientSettings | OidcClientSettingsStore, metadataService?: MetadataService) {\r\n this.settings = settings instanceof OidcClientSettingsStore ? settings : new OidcClientSettingsStore(settings);\r\n\r\n this.metadataService = metadataService ?? new MetadataService(this.settings);\r\n this._claimsService = new ClaimsService(this.settings);\r\n this._validator = new ResponseValidator(this.settings, this.metadataService, this._claimsService);\r\n this._tokenClient = new TokenClient(this.settings, this.metadataService);\r\n }\r\n\r\n public async createSigninRequest({\r\n state,\r\n request,\r\n request_uri,\r\n request_type,\r\n id_token_hint,\r\n login_hint,\r\n skipUserInfo,\r\n nonce,\r\n url_state,\r\n response_type = this.settings.response_type,\r\n scope = this.settings.scope,\r\n redirect_uri = this.settings.redirect_uri,\r\n prompt = this.settings.prompt,\r\n display = this.settings.display,\r\n max_age = this.settings.max_age,\r\n ui_locales = this.settings.ui_locales,\r\n acr_values = this.settings.acr_values,\r\n resource = this.settings.resource,\r\n response_mode = this.settings.response_mode,\r\n extraQueryParams = this.settings.extraQueryParams,\r\n extraTokenParams = this.settings.extraTokenParams,\r\n }: CreateSigninRequestArgs): Promise {\r\n const logger = this._logger.create(\"createSigninRequest\");\r\n\r\n if (response_type !== \"code\") {\r\n throw new Error(\"Only the Authorization Code flow (with PKCE) is supported\");\r\n }\r\n\r\n const url = await this.metadataService.getAuthorizationEndpoint();\r\n logger.debug(\"Received authorization endpoint\", url);\r\n\r\n const signinRequest = await SigninRequest.create({\r\n url,\r\n authority: this.settings.authority,\r\n client_id: this.settings.client_id,\r\n redirect_uri,\r\n response_type,\r\n scope,\r\n state_data: state,\r\n url_state,\r\n prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values,\r\n resource, request, request_uri, extraQueryParams, extraTokenParams, request_type, response_mode,\r\n client_secret: this.settings.client_secret,\r\n skipUserInfo,\r\n nonce,\r\n disablePKCE: this.settings.disablePKCE,\r\n });\r\n\r\n // house cleaning\r\n await this.clearStaleState();\r\n\r\n const signinState = signinRequest.state;\r\n await this.settings.stateStore.set(signinState.id, signinState.toStorageString());\r\n return signinRequest;\r\n }\r\n\r\n public async readSigninResponseState(url: string, removeState = false): Promise<{ state: SigninState; response: SigninResponse }> {\r\n const logger = this._logger.create(\"readSigninResponseState\");\r\n\r\n const response = new SigninResponse(UrlUtils.readParams(url, this.settings.response_mode));\r\n if (!response.state) {\r\n logger.throw(new Error(\"No state in response\"));\r\n // need to throw within this function's body for type narrowing to work\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n\r\n const storedStateString = await this.settings.stateStore[removeState ? \"remove\" : \"get\"](response.state);\r\n if (!storedStateString) {\r\n logger.throw(new Error(\"No matching state found in storage\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n\r\n const state = await SigninState.fromStorageString(storedStateString);\r\n return { state, response };\r\n }\r\n\r\n public async processSigninResponse(url: string, extraHeaders?: Record): Promise {\r\n const logger = this._logger.create(\"processSigninResponse\");\r\n\r\n const { state, response } = await this.readSigninResponseState(url, true);\r\n logger.debug(\"received state from storage; validating response\");\r\n await this._validator.validateSigninResponse(response, state, extraHeaders);\r\n return response;\r\n }\r\n\r\n public async processResourceOwnerPasswordCredentials({\r\n username,\r\n password,\r\n skipUserInfo = false,\r\n extraTokenParams = {},\r\n }: ProcessResourceOwnerPasswordCredentialsArgs): Promise {\r\n const tokenResponse: Record = await this._tokenClient.exchangeCredentials({ username, password, ...extraTokenParams });\r\n const signinResponse: SigninResponse = new SigninResponse(new URLSearchParams());\r\n Object.assign(signinResponse, tokenResponse);\r\n await this._validator.validateCredentialsResponse(signinResponse, skipUserInfo);\r\n return signinResponse;\r\n }\r\n\r\n public async useRefreshToken({\r\n state,\r\n redirect_uri,\r\n resource,\r\n timeoutInSeconds,\r\n extraHeaders,\r\n extraTokenParams,\r\n }: UseRefreshTokenArgs): Promise {\r\n const logger = this._logger.create(\"useRefreshToken\");\r\n\r\n // https://github.com/authts/oidc-client-ts/issues/695\r\n // In some cases (e.g. AzureAD), not all granted scopes are allowed on token refresh requests.\r\n // Therefore, we filter all granted scopes by a list of allowable scopes.\r\n let scope;\r\n if (this.settings.refreshTokenAllowedScope === undefined) {\r\n scope = state.scope;\r\n } else {\r\n const allowableScopes = this.settings.refreshTokenAllowedScope.split(\" \");\r\n const providedScopes = state.scope?.split(\" \") || [];\r\n\r\n scope = providedScopes.filter(s => allowableScopes.includes(s)).join(\" \");\r\n }\r\n\r\n const result = await this._tokenClient.exchangeRefreshToken({\r\n refresh_token: state.refresh_token,\r\n // provide the (possible filtered) scope list\r\n scope,\r\n redirect_uri,\r\n resource,\r\n timeoutInSeconds,\r\n extraHeaders,\r\n ...extraTokenParams,\r\n });\r\n const response = new SigninResponse(new URLSearchParams());\r\n Object.assign(response, result);\r\n logger.debug(\"validating response\", response);\r\n await this._validator.validateRefreshResponse(response, {\r\n ...state,\r\n // override the scope in the state handed over to the validator\r\n // so it can set the granted scope to the requested scope in case none is included in the response\r\n scope,\r\n });\r\n return response;\r\n }\r\n\r\n public async createSignoutRequest({\r\n state,\r\n id_token_hint,\r\n client_id,\r\n request_type,\r\n post_logout_redirect_uri = this.settings.post_logout_redirect_uri,\r\n extraQueryParams = this.settings.extraQueryParams,\r\n }: CreateSignoutRequestArgs = {}): Promise {\r\n const logger = this._logger.create(\"createSignoutRequest\");\r\n\r\n const url = await this.metadataService.getEndSessionEndpoint();\r\n if (!url) {\r\n logger.throw(new Error(\"No end session endpoint\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n\r\n logger.debug(\"Received end session endpoint\", url);\r\n\r\n // specify the client identifier when post_logout_redirect_uri is used but id_token_hint is not\r\n if (!client_id && post_logout_redirect_uri && !id_token_hint) {\r\n client_id = this.settings.client_id;\r\n }\r\n\r\n const request = new SignoutRequest({\r\n url,\r\n id_token_hint,\r\n client_id,\r\n post_logout_redirect_uri,\r\n state_data: state,\r\n extraQueryParams,\r\n request_type,\r\n });\r\n\r\n // house cleaning\r\n await this.clearStaleState();\r\n\r\n const signoutState = request.state;\r\n if (signoutState) {\r\n logger.debug(\"Signout request has state to persist\");\r\n await this.settings.stateStore.set(signoutState.id, signoutState.toStorageString());\r\n }\r\n\r\n return request;\r\n }\r\n\r\n public async readSignoutResponseState(url: string, removeState = false): Promise<{ state: State | undefined; response: SignoutResponse }> {\r\n const logger = this._logger.create(\"readSignoutResponseState\");\r\n\r\n const response = new SignoutResponse(UrlUtils.readParams(url, this.settings.response_mode));\r\n if (!response.state) {\r\n logger.debug(\"No state in response\");\r\n\r\n if (response.error) {\r\n logger.warn(\"Response was error:\", response.error);\r\n throw new ErrorResponse(response);\r\n }\r\n\r\n return { state: undefined, response };\r\n }\r\n\r\n const storedStateString = await this.settings.stateStore[removeState ? \"remove\" : \"get\"](response.state);\r\n if (!storedStateString) {\r\n logger.throw(new Error(\"No matching state found in storage\"));\r\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\r\n }\r\n\r\n const state = await State.fromStorageString(storedStateString);\r\n return { state, response };\r\n }\r\n\r\n public async processSignoutResponse(url: string): Promise {\r\n const logger = this._logger.create(\"processSignoutResponse\");\r\n\r\n const { state, response } = await this.readSignoutResponseState(url, true);\r\n if (state) {\r\n logger.debug(\"Received state from storage; validating response\");\r\n this._validator.validateSignoutResponse(response, state);\r\n } else {\r\n logger.debug(\"No state from storage; skipping response validation\");\r\n }\r\n\r\n return response;\r\n }\r\n\r\n public clearStaleState(): Promise {\r\n this._logger.create(\"clearStaleState\");\r\n return State.clearStaleState(this.settings.stateStore, this.settings.staleStateAgeInSeconds);\r\n }\r\n\r\n public async revokeToken(token: string, type?: \"access_token\" | \"refresh_token\"): Promise {\r\n this._logger.create(\"revokeToken\");\r\n return await this._tokenClient.revoke({\r\n token,\r\n token_type_hint: type,\r\n });\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\nimport { CheckSessionIFrame } from \"./CheckSessionIFrame\";\r\nimport type { UserManager } from \"./UserManager\";\r\nimport type { User } from \"./User\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport class SessionMonitor {\r\n private readonly _logger = new Logger(\"SessionMonitor\");\r\n\r\n private _sub: string | undefined;\r\n private _checkSessionIFrame?: CheckSessionIFrame;\r\n\r\n public constructor(private readonly _userManager: UserManager) {\r\n if (!_userManager) {\r\n this._logger.throw(new Error(\"No user manager passed\"));\r\n }\r\n\r\n this._userManager.events.addUserLoaded(this._start);\r\n this._userManager.events.addUserUnloaded(this._stop);\r\n\r\n this._init().catch((err: unknown) => {\r\n // catch to suppress errors since we're in a ctor\r\n this._logger.error(err);\r\n });\r\n }\r\n\r\n protected async _init(): Promise {\r\n this._logger.create(\"_init\");\r\n const user = await this._userManager.getUser();\r\n // doing this manually here since calling getUser\r\n // doesn't trigger load event.\r\n if (user) {\r\n void this._start(user);\r\n }\r\n else if (this._userManager.settings.monitorAnonymousSession) {\r\n const session = await this._userManager.querySessionStatus();\r\n if (session) {\r\n const tmpUser = {\r\n session_state: session.session_state,\r\n profile: session.sub ? {\r\n sub: session.sub,\r\n } : null,\r\n };\r\n void this._start(tmpUser);\r\n }\r\n }\r\n }\r\n\r\n protected _start = async (\r\n user: User | {\r\n session_state: string;\r\n profile: { sub: string } | null;\r\n },\r\n ): Promise => {\r\n const session_state = user.session_state;\r\n if (!session_state) {\r\n return;\r\n }\r\n const logger = this._logger.create(\"_start\");\r\n\r\n if (user.profile) {\r\n this._sub = user.profile.sub;\r\n logger.debug(\"session_state\", session_state, \", sub\", this._sub);\r\n }\r\n else {\r\n this._sub = undefined;\r\n logger.debug(\"session_state\", session_state, \", anonymous user\");\r\n }\r\n\r\n if (this._checkSessionIFrame) {\r\n this._checkSessionIFrame.start(session_state);\r\n return;\r\n }\r\n\r\n try {\r\n const url = await this._userManager.metadataService.getCheckSessionIframe();\r\n if (url) {\r\n logger.debug(\"initializing check session iframe\");\r\n\r\n const client_id = this._userManager.settings.client_id;\r\n const intervalInSeconds = this._userManager.settings.checkSessionIntervalInSeconds;\r\n const stopOnError = this._userManager.settings.stopCheckSessionOnError;\r\n\r\n const checkSessionIFrame = new CheckSessionIFrame(this._callback, client_id, url, intervalInSeconds, stopOnError);\r\n await checkSessionIFrame.load();\r\n this._checkSessionIFrame = checkSessionIFrame;\r\n checkSessionIFrame.start(session_state);\r\n }\r\n else {\r\n logger.warn(\"no check session iframe found in the metadata\");\r\n }\r\n }\r\n catch (err) {\r\n // catch to suppress errors since we're in non-promise callback\r\n logger.error(\"Error from getCheckSessionIframe:\", err instanceof Error ? err.message : err);\r\n }\r\n };\r\n\r\n protected _stop = (): void => {\r\n const logger = this._logger.create(\"_stop\");\r\n this._sub = undefined;\r\n\r\n if (this._checkSessionIFrame) {\r\n this._checkSessionIFrame.stop();\r\n }\r\n\r\n if (this._userManager.settings.monitorAnonymousSession) {\r\n // using a timer to delay re-initialization to avoid race conditions during signout\r\n // TODO rewrite to use promise correctly\r\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\r\n const timerHandle = setInterval(async () => {\r\n clearInterval(timerHandle);\r\n\r\n try {\r\n const session = await this._userManager.querySessionStatus();\r\n if (session) {\r\n const tmpUser = {\r\n session_state: session.session_state,\r\n profile: session.sub ? {\r\n sub: session.sub,\r\n } : null,\r\n };\r\n void this._start(tmpUser);\r\n }\r\n }\r\n catch (err) {\r\n // catch to suppress errors since we're in a callback\r\n logger.error(\"error from querySessionStatus\", err instanceof Error ? err.message : err);\r\n }\r\n }, 1000);\r\n }\r\n };\r\n\r\n protected _callback = async (): Promise => {\r\n const logger = this._logger.create(\"_callback\");\r\n try {\r\n const session = await this._userManager.querySessionStatus();\r\n let raiseEvent = true;\r\n\r\n if (session && this._checkSessionIFrame) {\r\n if (session.sub === this._sub) {\r\n raiseEvent = false;\r\n this._checkSessionIFrame.start(session.session_state);\r\n\r\n logger.debug(\"same sub still logged in at OP, session state has changed, restarting check session iframe; session_state\", session.session_state);\r\n await this._userManager.events._raiseUserSessionChanged();\r\n }\r\n else {\r\n logger.debug(\"different subject signed into OP\", session.sub);\r\n }\r\n }\r\n else {\r\n logger.debug(\"subject no longer signed into OP\");\r\n }\r\n\r\n if (raiseEvent) {\r\n if (this._sub) {\r\n await this._userManager.events._raiseUserSignedOut();\r\n }\r\n else {\r\n await this._userManager.events._raiseUserSignedIn();\r\n }\r\n } else {\r\n logger.debug(\"no change in session detected, no event to raise\");\r\n }\r\n }\r\n catch (err) {\r\n if (this._sub) {\r\n logger.debug(\"Error calling queryCurrentSigninSession; raising signed out event\", err);\r\n await this._userManager.events._raiseUserSignedOut();\r\n }\r\n }\r\n };\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, Timer } from \"./utils\";\r\nimport type { IdTokenClaims } from \"./Claims\";\r\n\r\n/**\r\n * Holds claims represented by a combination of the `id_token` and the user info endpoint.\r\n *\r\n * @public\r\n */\r\nexport type UserProfile = IdTokenClaims;\r\n\r\n/**\r\n * @public\r\n */\r\nexport class User {\r\n /**\r\n * A JSON Web Token (JWT). Only provided if `openid` scope was requested.\r\n * The application can access the data decoded by using the `profile` property.\r\n */\r\n public id_token?: string;\r\n\r\n /** The session state value returned from the OIDC provider. */\r\n public session_state: string | null;\r\n\r\n /**\r\n * The requested access token returned from the OIDC provider. The application can use this token to\r\n * authenticate itself to the secured resource.\r\n */\r\n public access_token: string;\r\n\r\n /**\r\n * An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the\r\n * current access token expires. Refresh tokens are long-lived and can be used to maintain access to resources\r\n * for extended periods of time.\r\n */\r\n public refresh_token?: string;\r\n\r\n /** Typically \"Bearer\" */\r\n public token_type: string;\r\n\r\n /** The scopes that the requested access token is valid for. */\r\n public scope?: string;\r\n\r\n /** The claims represented by a combination of the `id_token` and the user info endpoint. */\r\n public profile: UserProfile;\r\n\r\n /** The expires at returned from the OIDC provider. */\r\n public expires_at?: number;\r\n\r\n /** custom state data set during the initial signin request */\r\n public readonly state: unknown;\r\n public readonly url_state?: string;\r\n\r\n public constructor(args: {\r\n id_token?: string;\r\n session_state?: string | null;\r\n access_token: string;\r\n refresh_token?: string;\r\n token_type: string;\r\n scope?: string;\r\n profile: UserProfile;\r\n expires_at?: number;\r\n userState?: unknown;\r\n url_state?: string;\r\n }) {\r\n this.id_token = args.id_token;\r\n this.session_state = args.session_state ?? null;\r\n this.access_token = args.access_token;\r\n this.refresh_token = args.refresh_token;\r\n\r\n this.token_type = args.token_type;\r\n this.scope = args.scope;\r\n this.profile = args.profile;\r\n this.expires_at = args.expires_at;\r\n this.state = args.userState;\r\n this.url_state = args.url_state;\r\n }\r\n\r\n /** Computed number of seconds the access token has remaining. */\r\n public get expires_in(): number | undefined {\r\n if (this.expires_at === undefined) {\r\n return undefined;\r\n }\r\n return this.expires_at - Timer.getEpochTime();\r\n }\r\n\r\n public set expires_in(value: number | undefined) {\r\n if (value !== undefined) {\r\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\r\n }\r\n }\r\n\r\n /** Computed value indicating if the access token is expired. */\r\n public get expired(): boolean | undefined {\r\n const expires_in = this.expires_in;\r\n if (expires_in === undefined) {\r\n return undefined;\r\n }\r\n return expires_in <= 0;\r\n }\r\n\r\n /** Array representing the parsed values from the `scope`. */\r\n public get scopes(): string[] {\r\n return this.scope?.split(\" \") ?? [];\r\n }\r\n\r\n public toStorageString(): string {\r\n new Logger(\"User\").create(\"toStorageString\");\r\n return JSON.stringify({\r\n id_token: this.id_token,\r\n session_state: this.session_state,\r\n access_token: this.access_token,\r\n refresh_token: this.refresh_token,\r\n token_type: this.token_type,\r\n scope: this.scope,\r\n profile: this.profile,\r\n expires_at: this.expires_at,\r\n });\r\n }\r\n\r\n public static fromStorageString(storageString: string): User {\r\n Logger.createStatic(\"User\", \"fromStorageString\");\r\n return new User(JSON.parse(storageString));\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Event, Logger, UrlUtils } from \"../utils\";\r\nimport type { IWindow, NavigateParams, NavigateResponse } from \"./IWindow\";\r\n\r\nconst messageSource = \"oidc-client\";\r\n\r\ninterface MessageData {\r\n source: string;\r\n url: string;\r\n keepOpen: boolean;\r\n}\r\n\r\n/**\r\n * Window implementation which resolves via communication from a child window\r\n * via the `Window.postMessage()` interface.\r\n *\r\n * @internal\r\n */\r\nexport abstract class AbstractChildWindow implements IWindow {\r\n protected abstract readonly _logger: Logger;\r\n protected readonly _abort = new Event<[reason: Error]>(\"Window navigation aborted\");\r\n protected readonly _disposeHandlers = new Set<() => void>();\r\n\r\n protected _window: WindowProxy | null = null;\r\n\r\n public async navigate(params: NavigateParams): Promise {\r\n const logger = this._logger.create(\"navigate\");\r\n if (!this._window) {\r\n throw new Error(\"Attempted to navigate on a disposed window\");\r\n }\r\n\r\n logger.debug(\"setting URL in window\");\r\n this._window.location.replace(params.url);\r\n\r\n const { url, keepOpen } = await new Promise((resolve, reject) => {\r\n const listener = (e: MessageEvent) => {\r\n const data: MessageData | undefined = e.data;\r\n const origin = params.scriptOrigin ?? window.location.origin;\r\n if (e.origin !== origin || data?.source !== messageSource) {\r\n // silently discard events not intended for us\r\n return;\r\n }\r\n try {\r\n const state = UrlUtils.readParams(data.url, params.response_mode).get(\"state\");\r\n if (!state) {\r\n logger.warn(\"no state found in response url\");\r\n }\r\n if (e.source !== this._window && state !== params.state) {\r\n // MessageEvent source is a relatively modern feature, we can't rely on it\r\n // so we also inspect the payload for a matching state key as an alternative\r\n return;\r\n }\r\n }\r\n catch (err) {\r\n this._dispose();\r\n reject(new Error(\"Invalid response from window\"));\r\n }\r\n resolve(data);\r\n };\r\n window.addEventListener(\"message\", listener, false);\r\n this._disposeHandlers.add(() => window.removeEventListener(\"message\", listener, false));\r\n this._disposeHandlers.add(this._abort.addHandler((reason) => {\r\n this._dispose();\r\n reject(reason);\r\n }));\r\n });\r\n logger.debug(\"got response from window\");\r\n this._dispose();\r\n\r\n if (!keepOpen) {\r\n this.close();\r\n }\r\n\r\n return { url };\r\n }\r\n\r\n public abstract close(): void;\r\n\r\n private _dispose(): void {\r\n this._logger.create(\"_dispose\");\r\n\r\n for (const dispose of this._disposeHandlers) {\r\n dispose();\r\n }\r\n this._disposeHandlers.clear();\r\n }\r\n\r\n protected static _notifyParent(parent: Window, url: string, keepOpen = false, targetOrigin = window.location.origin): void {\r\n parent.postMessage({\r\n source: messageSource,\r\n url,\r\n keepOpen,\r\n } as MessageData, targetOrigin);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\r\nimport type { PopupWindowFeatures } from \"./utils/PopupUtils\";\r\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\r\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\r\n\r\nexport const DefaultPopupWindowFeatures: PopupWindowFeatures = {\r\n location: false,\r\n toolbar: false,\r\n height: 640,\r\n closePopupWindowAfterInSeconds: -1,\r\n};\r\nexport const DefaultPopupTarget = \"_blank\";\r\nconst DefaultAccessTokenExpiringNotificationTimeInSeconds = 60;\r\nconst DefaultCheckSessionIntervalInSeconds = 2;\r\nexport const DefaultSilentRequestTimeoutInSeconds = 10;\r\n\r\n/**\r\n * The settings used to configure the {@link UserManager}.\r\n *\r\n * @public\r\n */\r\nexport interface UserManagerSettings extends OidcClientSettings {\r\n /** The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2 */\r\n popup_redirect_uri?: string;\r\n popup_post_logout_redirect_uri?: string;\r\n /**\r\n * The features parameter to window.open for the popup signin window. By default, the popup is\r\n * placed centered in front of the window opener.\r\n * (default: \\{ location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 \\})\r\n */\r\n popupWindowFeatures?: PopupWindowFeatures;\r\n /** The target parameter to window.open for the popup signin window (default: \"_blank\") */\r\n popupWindowTarget?: string;\r\n /** The methods window.location method used to redirect (default: \"assign\") */\r\n redirectMethod?: \"replace\" | \"assign\";\r\n /** The methods target window being redirected (default: \"self\") */\r\n redirectTarget?: \"top\" | \"self\";\r\n\r\n /** The target to pass while calling postMessage inside iframe for callback (default: window.location.origin) */\r\n iframeNotifyParentOrigin?: string;\r\n\r\n /** The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin) */\r\n iframeScriptOrigin?: string;\r\n\r\n /** The URL for the page containing the code handling the silent renew */\r\n silent_redirect_uri?: string;\r\n /** Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10) */\r\n silentRequestTimeoutInSeconds?: number;\r\n /** Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true) */\r\n automaticSilentRenew?: boolean;\r\n /** Flag to validate user.profile.sub in silent renew calls (default: true) */\r\n validateSubOnSilentRenew?: boolean;\r\n /** Flag to control if id_token is included as id_token_hint in silent renew calls (default: false) */\r\n includeIdTokenInSilentRenew?: boolean;\r\n\r\n /** Will raise events for when user has performed a signout at the OP (default: false) */\r\n monitorSession?: boolean;\r\n monitorAnonymousSession?: boolean;\r\n /** Interval in seconds to check the user's session (default: 2) */\r\n checkSessionIntervalInSeconds?: number;\r\n query_status_response_type?: string;\r\n stopCheckSessionOnError?: boolean;\r\n\r\n /**\r\n * The `token_type_hint`s to pass to the authority server by default (default: [\"access_token\", \"refresh_token\"])\r\n *\r\n * Token types will be revoked in the same order as they are given here.\r\n */\r\n revokeTokenTypes?: (\"access_token\" | \"refresh_token\")[];\r\n /** Will invoke the revocation endpoint on signout if there is an access token for the user (default: false) */\r\n revokeTokensOnSignout?: boolean;\r\n /** Flag to control if id_token is included as id_token_hint in silent signout calls (default: false) */\r\n includeIdTokenInSilentSignout?: boolean;\r\n\r\n /** The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60) */\r\n accessTokenExpiringNotificationTimeInSeconds?: number;\r\n\r\n /**\r\n * Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window).\r\n * E.g. `userStore: new WebStorageStateStore({ store: window.localStorage })`\r\n */\r\n userStore?: WebStorageStateStore;\r\n}\r\n\r\n/**\r\n * The settings with defaults applied of the {@link UserManager}.\r\n * @see {@link UserManagerSettings}\r\n *\r\n * @public\r\n */\r\nexport class UserManagerSettingsStore extends OidcClientSettingsStore {\r\n public readonly popup_redirect_uri: string;\r\n public readonly popup_post_logout_redirect_uri: string | undefined;\r\n public readonly popupWindowFeatures: PopupWindowFeatures;\r\n public readonly popupWindowTarget: string;\r\n public readonly redirectMethod: \"replace\" | \"assign\";\r\n public readonly redirectTarget: \"top\" | \"self\";\r\n\r\n public readonly iframeNotifyParentOrigin: string | undefined;\r\n public readonly iframeScriptOrigin: string | undefined;\r\n\r\n public readonly silent_redirect_uri: string;\r\n public readonly silentRequestTimeoutInSeconds: number;\r\n public readonly automaticSilentRenew: boolean;\r\n public readonly validateSubOnSilentRenew: boolean;\r\n public readonly includeIdTokenInSilentRenew: boolean;\r\n\r\n public readonly monitorSession: boolean;\r\n public readonly monitorAnonymousSession: boolean;\r\n public readonly checkSessionIntervalInSeconds: number;\r\n public readonly query_status_response_type: string;\r\n public readonly stopCheckSessionOnError: boolean;\r\n\r\n public readonly revokeTokenTypes: (\"access_token\" | \"refresh_token\")[];\r\n public readonly revokeTokensOnSignout: boolean;\r\n public readonly includeIdTokenInSilentSignout: boolean;\r\n\r\n public readonly accessTokenExpiringNotificationTimeInSeconds: number;\r\n\r\n public readonly userStore: WebStorageStateStore;\r\n\r\n public constructor(args: UserManagerSettings) {\r\n const {\r\n popup_redirect_uri = args.redirect_uri,\r\n popup_post_logout_redirect_uri = args.post_logout_redirect_uri,\r\n popupWindowFeatures = DefaultPopupWindowFeatures,\r\n popupWindowTarget = DefaultPopupTarget,\r\n redirectMethod = \"assign\",\r\n redirectTarget = \"self\",\r\n\r\n iframeNotifyParentOrigin = args.iframeNotifyParentOrigin,\r\n iframeScriptOrigin = args.iframeScriptOrigin,\r\n\r\n silent_redirect_uri = args.redirect_uri,\r\n silentRequestTimeoutInSeconds = DefaultSilentRequestTimeoutInSeconds,\r\n automaticSilentRenew = true,\r\n validateSubOnSilentRenew = true,\r\n includeIdTokenInSilentRenew = false,\r\n\r\n monitorSession = false,\r\n monitorAnonymousSession = false,\r\n checkSessionIntervalInSeconds = DefaultCheckSessionIntervalInSeconds,\r\n query_status_response_type = \"code\",\r\n stopCheckSessionOnError = true,\r\n\r\n revokeTokenTypes = [\"access_token\", \"refresh_token\"],\r\n revokeTokensOnSignout = false,\r\n includeIdTokenInSilentSignout = false,\r\n\r\n accessTokenExpiringNotificationTimeInSeconds = DefaultAccessTokenExpiringNotificationTimeInSeconds,\r\n\r\n userStore,\r\n } = args;\r\n\r\n super(args);\r\n\r\n this.popup_redirect_uri = popup_redirect_uri;\r\n this.popup_post_logout_redirect_uri = popup_post_logout_redirect_uri;\r\n this.popupWindowFeatures = popupWindowFeatures;\r\n this.popupWindowTarget = popupWindowTarget;\r\n this.redirectMethod = redirectMethod;\r\n this.redirectTarget = redirectTarget;\r\n\r\n this.iframeNotifyParentOrigin = iframeNotifyParentOrigin;\r\n this.iframeScriptOrigin = iframeScriptOrigin;\r\n\r\n this.silent_redirect_uri = silent_redirect_uri;\r\n this.silentRequestTimeoutInSeconds = silentRequestTimeoutInSeconds;\r\n this.automaticSilentRenew = automaticSilentRenew;\r\n this.validateSubOnSilentRenew = validateSubOnSilentRenew;\r\n this.includeIdTokenInSilentRenew = includeIdTokenInSilentRenew;\r\n\r\n this.monitorSession = monitorSession;\r\n this.monitorAnonymousSession = monitorAnonymousSession;\r\n this.checkSessionIntervalInSeconds = checkSessionIntervalInSeconds;\r\n this.stopCheckSessionOnError = stopCheckSessionOnError;\r\n this.query_status_response_type = query_status_response_type;\r\n\r\n this.revokeTokenTypes = revokeTokenTypes;\r\n this.revokeTokensOnSignout = revokeTokensOnSignout;\r\n this.includeIdTokenInSilentSignout = includeIdTokenInSilentSignout;\r\n\r\n this.accessTokenExpiringNotificationTimeInSeconds = accessTokenExpiringNotificationTimeInSeconds;\r\n\r\n if (userStore) {\r\n this.userStore = userStore;\r\n }\r\n else {\r\n const store = typeof window !== \"undefined\" ? window.sessionStorage : new InMemoryWebStorage();\r\n this.userStore = new WebStorageStateStore({ store });\r\n }\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"../utils\";\r\nimport { ErrorTimeout } from \"../errors\";\r\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\r\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\r\nimport { DefaultSilentRequestTimeoutInSeconds } from \"../UserManagerSettings\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport interface IFrameWindowParams {\r\n silentRequestTimeoutInSeconds?: number;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class IFrameWindow extends AbstractChildWindow {\r\n protected readonly _logger = new Logger(\"IFrameWindow\");\r\n private _frame: HTMLIFrameElement | null;\r\n private _timeoutInSeconds: number;\r\n\r\n public constructor({\r\n silentRequestTimeoutInSeconds = DefaultSilentRequestTimeoutInSeconds,\r\n }: IFrameWindowParams) {\r\n super();\r\n this._timeoutInSeconds = silentRequestTimeoutInSeconds;\r\n\r\n this._frame = IFrameWindow.createHiddenIframe();\r\n this._window = this._frame.contentWindow;\r\n }\r\n\r\n private static createHiddenIframe(): HTMLIFrameElement {\r\n const iframe = window.document.createElement(\"iframe\");\r\n\r\n // shotgun approach\r\n iframe.style.visibility = \"hidden\";\r\n iframe.style.position = \"fixed\";\r\n iframe.style.left = \"-1000px\";\r\n iframe.style.top = \"0\";\r\n iframe.width = \"0\";\r\n iframe.height = \"0\";\r\n\r\n window.document.body.appendChild(iframe);\r\n return iframe;\r\n }\r\n\r\n public async navigate(params: NavigateParams): Promise {\r\n this._logger.debug(\"navigate: Using timeout of:\", this._timeoutInSeconds);\r\n const timer = setTimeout(() => void this._abort.raise(new ErrorTimeout(\"IFrame timed out without a response\")), this._timeoutInSeconds * 1000);\r\n this._disposeHandlers.add(() => clearTimeout(timer));\r\n\r\n return await super.navigate(params);\r\n }\r\n\r\n public close(): void {\r\n if (this._frame) {\r\n if (this._frame.parentNode) {\r\n this._frame.addEventListener(\"load\", (ev) => {\r\n const frame = ev.target as HTMLIFrameElement;\r\n frame.parentNode?.removeChild(frame);\r\n void this._abort.raise(new Error(\"IFrame removed from DOM\"));\r\n }, true);\r\n this._frame.contentWindow?.location.replace(\"about:blank\");\r\n }\r\n this._frame = null;\r\n }\r\n this._window = null;\r\n }\r\n\r\n public static notifyParent(url: string, targetOrigin?: string): void {\r\n return super._notifyParent(window.parent, url, false, targetOrigin);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"../utils\";\r\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\r\nimport { IFrameWindow, type IFrameWindowParams } from \"./IFrameWindow\";\r\nimport type { INavigator } from \"./INavigator\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class IFrameNavigator implements INavigator {\r\n private readonly _logger = new Logger(\"IFrameNavigator\");\r\n\r\n constructor(private _settings: UserManagerSettingsStore) {}\r\n\r\n public async prepare({\r\n silentRequestTimeoutInSeconds = this._settings.silentRequestTimeoutInSeconds,\r\n }: IFrameWindowParams): Promise {\r\n return new IFrameWindow({ silentRequestTimeoutInSeconds });\r\n }\r\n\r\n public async callback(url: string): Promise {\r\n this._logger.create(\"callback\");\r\n IFrameWindow.notifyParent(url, this._settings.iframeNotifyParentOrigin);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, PopupUtils, type PopupWindowFeatures } from \"../utils\";\r\nimport { DefaultPopupWindowFeatures, DefaultPopupTarget } from \"../UserManagerSettings\";\r\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\r\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\r\n\r\nconst checkForPopupClosedInterval = 500;\r\nconst second = 1000;\r\n\r\n/**\r\n * @public\r\n */\r\nexport interface PopupWindowParams {\r\n popupWindowFeatures?: PopupWindowFeatures;\r\n popupWindowTarget?: string;\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class PopupWindow extends AbstractChildWindow {\r\n protected readonly _logger = new Logger(\"PopupWindow\");\r\n\r\n protected _window: WindowProxy | null;\r\n\r\n public constructor({\r\n popupWindowTarget = DefaultPopupTarget,\r\n popupWindowFeatures = {},\r\n }: PopupWindowParams) {\r\n super();\r\n const centeredPopup = PopupUtils.center({ ...DefaultPopupWindowFeatures, ...popupWindowFeatures });\r\n this._window = window.open(undefined, popupWindowTarget, PopupUtils.serialize(centeredPopup));\r\n if (popupWindowFeatures.closePopupWindowAfterInSeconds && popupWindowFeatures.closePopupWindowAfterInSeconds > 0) {\r\n setTimeout(() => {\r\n if (!this._window || typeof this._window.closed !== \"boolean\" || this._window.closed) {\r\n void this._abort.raise(new Error(\"Popup blocked by user\"));\r\n return;\r\n }\r\n\r\n this.close();\r\n }, popupWindowFeatures.closePopupWindowAfterInSeconds * second);\r\n }\r\n }\r\n\r\n public async navigate(params: NavigateParams): Promise {\r\n this._window?.focus();\r\n\r\n const popupClosedInterval = setInterval(() => {\r\n if (!this._window || this._window.closed) {\r\n void this._abort.raise(new Error(\"Popup closed by user\"));\r\n }\r\n }, checkForPopupClosedInterval);\r\n this._disposeHandlers.add(() => clearInterval(popupClosedInterval));\r\n\r\n return await super.navigate(params);\r\n }\r\n\r\n public close(): void {\r\n if (this._window) {\r\n if (!this._window.closed) {\r\n this._window.close();\r\n void this._abort.raise(new Error(\"Popup closed\"));\r\n }\r\n }\r\n this._window = null;\r\n }\r\n\r\n public static notifyOpener(url: string, keepOpen: boolean): void {\r\n if (!window.opener) {\r\n throw new Error(\"No window.opener. Can't complete notification.\");\r\n }\r\n return super._notifyParent(window.opener, url, keepOpen);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"../utils\";\r\nimport { PopupWindow, type PopupWindowParams } from \"./PopupWindow\";\r\nimport type { INavigator } from \"./INavigator\";\r\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class PopupNavigator implements INavigator {\r\n private readonly _logger = new Logger(\"PopupNavigator\");\r\n\r\n constructor(private _settings: UserManagerSettingsStore) {}\r\n\r\n public async prepare({\r\n popupWindowFeatures = this._settings.popupWindowFeatures,\r\n popupWindowTarget = this._settings.popupWindowTarget,\r\n }: PopupWindowParams): Promise {\r\n return new PopupWindow({ popupWindowFeatures, popupWindowTarget });\r\n }\r\n\r\n public async callback(url: string, { keepOpen = false }): Promise {\r\n this._logger.create(\"callback\");\r\n\r\n PopupWindow.notifyOpener(url, keepOpen);\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"../utils\";\r\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\r\nimport type { INavigator } from \"./INavigator\";\r\nimport type { IWindow } from \"./IWindow\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport interface RedirectParams {\r\n redirectMethod?: \"replace\" | \"assign\";\r\n redirectTarget?: \"top\" | \"self\";\r\n}\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class RedirectNavigator implements INavigator {\r\n private readonly _logger = new Logger(\"RedirectNavigator\");\r\n\r\n constructor(private _settings: UserManagerSettingsStore) {}\r\n\r\n public async prepare({\r\n redirectMethod = this._settings.redirectMethod,\r\n redirectTarget = this._settings.redirectTarget,\r\n }: RedirectParams): Promise {\r\n this._logger.create(\"prepare\");\r\n let targetWindow = window.self as Window;\r\n\r\n if (redirectTarget === \"top\") {\r\n targetWindow = window.top ?? window.self;\r\n }\r\n \r\n const redirect = targetWindow.location[redirectMethod].bind(targetWindow.location) as (url: string) => never;\r\n let abort: (reason: Error) => void;\r\n return {\r\n navigate: async (params): Promise => {\r\n this._logger.create(\"navigate\");\r\n // We use a promise that never resolves to block the caller\r\n const promise = new Promise((resolve, reject) => {\r\n abort = reject;\r\n });\r\n redirect(params.url);\r\n return await (promise as Promise);\r\n },\r\n close: () => {\r\n this._logger.create(\"close\");\r\n abort?.(new Error(\"Redirect aborted\"));\r\n targetWindow.stop();\r\n },\r\n };\r\n }\r\n\r\n public async callback(): Promise {\r\n return;\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, Event } from \"./utils\";\r\nimport { AccessTokenEvents } from \"./AccessTokenEvents\";\r\nimport type { UserManagerSettingsStore } from \"./UserManagerSettings\";\r\nimport type { User } from \"./User\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport type UserLoadedCallback = (user: User) => Promise | void;\r\n/**\r\n * @public\r\n */\r\nexport type UserUnloadedCallback = () => Promise | void;\r\n/**\r\n * @public\r\n */\r\nexport type SilentRenewErrorCallback = (error: Error) => Promise | void;\r\n/**\r\n * @public\r\n */\r\nexport type UserSignedInCallback = () => Promise | void;\r\n/**\r\n * @public\r\n */\r\nexport type UserSignedOutCallback = () => Promise | void;\r\n/**\r\n * @public\r\n */\r\nexport type UserSessionChangedCallback = () => Promise | void;\r\n\r\n/**\r\n * @public\r\n */\r\nexport class UserManagerEvents extends AccessTokenEvents {\r\n protected readonly _logger = new Logger(\"UserManagerEvents\");\r\n\r\n private readonly _userLoaded = new Event<[User]>(\"User loaded\");\r\n private readonly _userUnloaded = new Event<[]>(\"User unloaded\");\r\n private readonly _silentRenewError = new Event<[Error]>(\"Silent renew error\");\r\n private readonly _userSignedIn = new Event<[]>(\"User signed in\");\r\n private readonly _userSignedOut = new Event<[]>(\"User signed out\");\r\n private readonly _userSessionChanged = new Event<[]>(\"User session changed\");\r\n\r\n public constructor(settings: UserManagerSettingsStore) {\r\n super({ expiringNotificationTimeInSeconds: settings.accessTokenExpiringNotificationTimeInSeconds });\r\n }\r\n\r\n public async load(user: User, raiseEvent=true): Promise {\r\n super.load(user);\r\n if (raiseEvent) {\r\n await this._userLoaded.raise(user);\r\n }\r\n }\r\n public async unload(): Promise {\r\n super.unload();\r\n await this._userUnloaded.raise();\r\n }\r\n\r\n /**\r\n * Add callback: Raised when a user session has been established (or re-established).\r\n */\r\n public addUserLoaded(cb: UserLoadedCallback): () => void {\r\n return this._userLoaded.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when a user session has been established (or re-established).\r\n */\r\n public removeUserLoaded(cb: UserLoadedCallback): void {\r\n return this._userLoaded.removeHandler(cb);\r\n }\r\n\r\n /**\r\n * Add callback: Raised when a user session has been terminated.\r\n */\r\n public addUserUnloaded(cb: UserUnloadedCallback): () => void {\r\n return this._userUnloaded.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when a user session has been terminated.\r\n */\r\n public removeUserUnloaded(cb: UserUnloadedCallback): void {\r\n return this._userUnloaded.removeHandler(cb);\r\n }\r\n\r\n /**\r\n * Add callback: Raised when the automatic silent renew has failed.\r\n */\r\n public addSilentRenewError(cb: SilentRenewErrorCallback): () => void {\r\n return this._silentRenewError.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when the automatic silent renew has failed.\r\n */\r\n public removeSilentRenewError(cb: SilentRenewErrorCallback): void {\r\n return this._silentRenewError.removeHandler(cb);\r\n }\r\n /**\r\n * @internal\r\n */\r\n public async _raiseSilentRenewError(e: Error): Promise {\r\n await this._silentRenewError.raise(e);\r\n }\r\n\r\n /**\r\n * Add callback: Raised when the user is signed in (when `monitorSession` is set).\r\n * @see {@link UserManagerSettings.monitorSession}\r\n */\r\n public addUserSignedIn(cb: UserSignedInCallback): () => void {\r\n return this._userSignedIn.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when the user is signed in (when `monitorSession` is set).\r\n */\r\n public removeUserSignedIn(cb: UserSignedInCallback): void {\r\n this._userSignedIn.removeHandler(cb);\r\n }\r\n /**\r\n * @internal\r\n */\r\n public async _raiseUserSignedIn(): Promise {\r\n await this._userSignedIn.raise();\r\n }\r\n\r\n /**\r\n * Add callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\r\n * @see {@link UserManagerSettings.monitorSession}\r\n */\r\n public addUserSignedOut(cb: UserSignedOutCallback): () => void {\r\n return this._userSignedOut.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\r\n */\r\n public removeUserSignedOut(cb: UserSignedOutCallback): void {\r\n this._userSignedOut.removeHandler(cb);\r\n }\r\n /**\r\n * @internal\r\n */\r\n public async _raiseUserSignedOut(): Promise {\r\n await this._userSignedOut.raise();\r\n }\r\n\r\n /**\r\n * Add callback: Raised when the user session changed (when `monitorSession` is set).\r\n * @see {@link UserManagerSettings.monitorSession}\r\n */\r\n public addUserSessionChanged(cb: UserSessionChangedCallback): () => void {\r\n return this._userSessionChanged.addHandler(cb);\r\n }\r\n /**\r\n * Remove callback: Raised when the user session changed (when `monitorSession` is set).\r\n */\r\n public removeUserSessionChanged(cb: UserSessionChangedCallback): void {\r\n this._userSessionChanged.removeHandler(cb);\r\n }\r\n /**\r\n * @internal\r\n */\r\n public async _raiseUserSessionChanged(): Promise {\r\n await this._userSessionChanged.raise();\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger, Timer } from \"./utils\";\r\nimport { ErrorTimeout } from \"./errors\";\r\nimport type { UserManager } from \"./UserManager\";\r\nimport type { AccessTokenCallback } from \"./AccessTokenEvents\";\r\n\r\n/**\r\n * @internal\r\n */\r\nexport class SilentRenewService {\r\n protected _logger = new Logger(\"SilentRenewService\");\r\n private _isStarted = false;\r\n private readonly _retryTimer = new Timer(\"Retry Silent Renew\");\r\n\r\n public constructor(private _userManager: UserManager) {}\r\n\r\n public async start(): Promise {\r\n const logger = this._logger.create(\"start\");\r\n if (!this._isStarted) {\r\n this._isStarted = true;\r\n this._userManager.events.addAccessTokenExpiring(this._tokenExpiring);\r\n this._retryTimer.addHandler(this._tokenExpiring);\r\n\r\n // this will trigger loading of the user so the expiring events can be initialized\r\n try {\r\n await this._userManager.getUser();\r\n // deliberate nop\r\n }\r\n catch (err) {\r\n // catch to suppress errors since we're in a ctor\r\n logger.error(\"getUser error\", err);\r\n }\r\n }\r\n }\r\n\r\n public stop(): void {\r\n if (this._isStarted) {\r\n this._retryTimer.cancel();\r\n this._retryTimer.removeHandler(this._tokenExpiring);\r\n this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring);\r\n this._isStarted = false;\r\n }\r\n }\r\n\r\n protected _tokenExpiring: AccessTokenCallback = async () => {\r\n const logger = this._logger.create(\"_tokenExpiring\");\r\n try {\r\n await this._userManager.signinSilent();\r\n logger.debug(\"silent token renewal successful\");\r\n }\r\n catch (err) {\r\n if (err instanceof ErrorTimeout) {\r\n // no response from authority server, e.g. IFrame timeout, ...\r\n logger.warn(\"ErrorTimeout from signinSilent:\", err, \"retry in 5s\");\r\n this._retryTimer.init(5);\r\n return;\r\n }\r\n\r\n logger.error(\"Error from signinSilent:\", err);\r\n await this._userManager.events._raiseSilentRenewError(err as Error);\r\n }\r\n };\r\n}\r\n", "// Copyright (C) AuthTS Contributors\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport type { UserProfile } from \"./User\";\r\n\r\n/**\r\n * Fake state store implementation necessary for validating refresh token requests.\r\n *\r\n * @public\r\n */\r\nexport class RefreshState {\r\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\r\n public readonly data?: unknown;\r\n\r\n public readonly refresh_token: string;\r\n public readonly id_token?: string;\r\n public readonly session_state: string | null;\r\n public readonly scope?: string;\r\n public readonly profile: UserProfile;\r\n\r\n constructor(args: {\r\n refresh_token: string;\r\n id_token?: string;\r\n session_state: string | null;\r\n scope?: string;\r\n profile: UserProfile;\r\n\r\n state?: unknown;\r\n }) {\r\n this.refresh_token = args.refresh_token;\r\n this.id_token = args.id_token;\r\n this.session_state = args.session_state;\r\n this.scope = args.scope;\r\n this.profile = args.profile;\r\n\r\n this.data = args.state;\r\n\r\n }\r\n}\r\n", "// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\r\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\r\n\r\nimport { Logger } from \"./utils\";\r\nimport { ErrorResponse } from \"./errors\";\r\nimport { type NavigateResponse, type PopupWindowParams, type IWindow, type IFrameWindowParams, type RedirectParams, RedirectNavigator, PopupNavigator, IFrameNavigator, type INavigator } from \"./navigators\";\r\nimport { OidcClient, type CreateSigninRequestArgs, type CreateSignoutRequestArgs, type ProcessResourceOwnerPasswordCredentialsArgs, type UseRefreshTokenArgs } from \"./OidcClient\";\r\nimport { type UserManagerSettings, UserManagerSettingsStore } from \"./UserManagerSettings\";\r\nimport { User } from \"./User\";\r\nimport { UserManagerEvents } from \"./UserManagerEvents\";\r\nimport { SilentRenewService } from \"./SilentRenewService\";\r\nimport { SessionMonitor } from \"./SessionMonitor\";\r\nimport type { SessionStatus } from \"./SessionStatus\";\r\nimport type { SignoutResponse } from \"./SignoutResponse\";\r\nimport type { MetadataService } from \"./MetadataService\";\r\nimport { RefreshState } from \"./RefreshState\";\r\nimport type { SigninResponse } from \"./SigninResponse\";\r\nimport type { ExtraHeader } from \"./OidcClientSettings\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport type ExtraSigninRequestArgs = Pick;\r\n/**\r\n * @public\r\n */\r\nexport type ExtraSignoutRequestArgs = Pick;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type RevokeTokensTypes = UserManagerSettings[\"revokeTokenTypes\"];\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SigninRedirectArgs = RedirectParams & ExtraSigninRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SigninPopupArgs = PopupWindowParams & ExtraSigninRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SigninSilentArgs = IFrameWindowParams & ExtraSigninRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SigninResourceOwnerCredentialsArgs = ProcessResourceOwnerPasswordCredentialsArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type QuerySessionStatusArgs = IFrameWindowParams & ExtraSigninRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SignoutRedirectArgs = RedirectParams & ExtraSignoutRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SignoutPopupArgs = PopupWindowParams & ExtraSignoutRequestArgs;\r\n\r\n/**\r\n * @public\r\n */\r\nexport type SignoutSilentArgs = IFrameWindowParams & ExtraSignoutRequestArgs;\r\n\r\n/**\r\n * Provides a higher level API for signing a user in, signing out, managing the user's claims returned from the identity provider,\r\n * and managing an access token returned from the identity provider (OAuth2/OIDC).\r\n *\r\n * @public\r\n */\r\nexport class UserManager {\r\n /** Get the settings used to configure the `UserManager`. */\r\n public readonly settings: UserManagerSettingsStore;\r\n protected readonly _logger = new Logger(\"UserManager\");\r\n\r\n protected readonly _client: OidcClient;\r\n protected readonly _redirectNavigator: INavigator;\r\n protected readonly _popupNavigator: INavigator;\r\n protected readonly _iframeNavigator: INavigator;\r\n protected readonly _events: UserManagerEvents;\r\n protected readonly _silentRenewService: SilentRenewService;\r\n protected readonly _sessionMonitor: SessionMonitor | null;\r\n\r\n public constructor(settings: UserManagerSettings, redirectNavigator?: INavigator, popupNavigator?: INavigator, iframeNavigator?: INavigator) {\r\n this.settings = new UserManagerSettingsStore(settings);\r\n\r\n this._client = new OidcClient(settings);\r\n\r\n this._redirectNavigator = redirectNavigator ?? new RedirectNavigator(this.settings);\r\n this._popupNavigator = popupNavigator ?? new PopupNavigator(this.settings);\r\n this._iframeNavigator = iframeNavigator ?? new IFrameNavigator(this.settings);\r\n\r\n this._events = new UserManagerEvents(this.settings);\r\n this._silentRenewService = new SilentRenewService(this);\r\n\r\n // order is important for the following properties; these services depend upon the events.\r\n if (this.settings.automaticSilentRenew) {\r\n this.startSilentRenew();\r\n }\r\n\r\n this._sessionMonitor = null;\r\n if (this.settings.monitorSession) {\r\n this._sessionMonitor = new SessionMonitor(this);\r\n }\r\n\r\n }\r\n\r\n /**\r\n * Get object used to register for events raised by the `UserManager`.\r\n */\r\n public get events(): UserManagerEvents {\r\n return this._events;\r\n }\r\n\r\n /**\r\n * Get object used to access the metadata configuration of the identity provider.\r\n */\r\n public get metadataService(): MetadataService {\r\n return this._client.metadataService;\r\n }\r\n\r\n /**\r\n * Load the `User` object for the currently authenticated user.\r\n *\r\n * @returns A promise\r\n */\r\n public async getUser(): Promise {\r\n const logger = this._logger.create(\"getUser\");\r\n const user = await this._loadUser();\r\n if (user) {\r\n logger.info(\"user loaded\");\r\n await this._events.load(user, false);\r\n return user;\r\n }\r\n\r\n logger.info(\"user not found in storage\");\r\n return null;\r\n }\r\n\r\n /**\r\n * Remove from any storage the currently authenticated user.\r\n *\r\n * @returns A promise\r\n */\r\n public async removeUser(): Promise {\r\n const logger = this._logger.create(\"removeUser\");\r\n await this.storeUser(null);\r\n logger.info(\"user removed from storage\");\r\n await this._events.unload();\r\n }\r\n\r\n /**\r\n * Trigger a redirect of the current window to the authorization endpoint.\r\n *\r\n * @returns A promise\r\n *\r\n * @throws `Error` In cases of wrong authentication.\r\n */\r\n public async signinRedirect(args: SigninRedirectArgs = {}): Promise {\r\n this._logger.create(\"signinRedirect\");\r\n const {\r\n redirectMethod,\r\n ...requestArgs\r\n } = args;\r\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\r\n await this._signinStart({\r\n request_type: \"si:r\",\r\n ...requestArgs,\r\n }, handle);\r\n }\r\n\r\n /**\r\n * Process the response (callback) from the authorization endpoint.\r\n * It is recommended to use {@link UserManager.signinCallback} instead.\r\n *\r\n * @returns A promise containing the authenticated `User`.\r\n *\r\n * @see {@link UserManager.signinCallback}\r\n */\r\n public async signinRedirectCallback(url = window.location.href): Promise {\r\n const logger = this._logger.create(\"signinRedirectCallback\");\r\n const user = await this._signinEnd(url);\r\n if (user.profile && user.profile.sub) {\r\n logger.info(\"success, signed in subject\", user.profile.sub);\r\n }\r\n else {\r\n logger.info(\"no subject\");\r\n }\r\n\r\n return user;\r\n }\r\n\r\n /**\r\n * Trigger the signin with user/password.\r\n *\r\n * @returns A promise containing the authenticated `User`.\r\n * @throws {@link ErrorResponse} In cases of wrong authentication.\r\n */\r\n public async signinResourceOwnerCredentials({\r\n username,\r\n password,\r\n skipUserInfo = false,\r\n }: SigninResourceOwnerCredentialsArgs): Promise {\r\n const logger = this._logger.create(\"signinResourceOwnerCredential\");\r\n\r\n const signinResponse = await this._client.processResourceOwnerPasswordCredentials({ username, password, skipUserInfo, extraTokenParams: this.settings.extraTokenParams });\r\n logger.debug(\"got signin response\");\r\n\r\n const user = await this._buildUser(signinResponse);\r\n if (user.profile && user.profile.sub) {\r\n logger.info(\"success, signed in subject\", user.profile.sub);\r\n } else {\r\n logger.info(\"no subject\");\r\n }\r\n return user;\r\n }\r\n\r\n /**\r\n * Trigger a request (via a popup window) to the authorization endpoint.\r\n *\r\n * @returns A promise containing the authenticated `User`.\r\n * @throws `Error` In cases of wrong authentication.\r\n */\r\n public async signinPopup(args: SigninPopupArgs = {}): Promise {\r\n const logger = this._logger.create(\"signinPopup\");\r\n const {\r\n popupWindowFeatures,\r\n popupWindowTarget,\r\n ...requestArgs\r\n } = args;\r\n const url = this.settings.popup_redirect_uri;\r\n if (!url) {\r\n logger.throw(new Error(\"No popup_redirect_uri configured\"));\r\n }\r\n\r\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget });\r\n const user = await this._signin({\r\n request_type: \"si:p\",\r\n redirect_uri: url,\r\n display: \"popup\",\r\n ...requestArgs,\r\n }, handle);\r\n if (user) {\r\n if (user.profile && user.profile.sub) {\r\n logger.info(\"success, signed in subject\", user.profile.sub);\r\n }\r\n else {\r\n logger.info(\"no subject\");\r\n }\r\n }\r\n\r\n return user;\r\n }\r\n /**\r\n * Notify the opening window of response (callback) from the authorization endpoint.\r\n * It is recommended to use {@link UserManager.signinCallback} instead.\r\n *\r\n * @returns A promise\r\n *\r\n * @see {@link UserManager.signinCallback}\r\n */\r\n public async signinPopupCallback(url = window.location.href, keepOpen = false): Promise {\r\n const logger = this._logger.create(\"signinPopupCallback\");\r\n await this._popupNavigator.callback(url, { keepOpen });\r\n logger.info(\"success\");\r\n }\r\n\r\n /**\r\n * Trigger a silent request (via refresh token or an iframe) to the authorization endpoint.\r\n *\r\n * @returns A promise that contains the authenticated `User`.\r\n */\r\n public async signinSilent(args: SigninSilentArgs = {}): Promise {\r\n const logger = this._logger.create(\"signinSilent\");\r\n const {\r\n silentRequestTimeoutInSeconds,\r\n ...requestArgs\r\n } = args;\r\n // first determine if we have a refresh token, or need to use iframe\r\n let user = await this._loadUser();\r\n if (user?.refresh_token) {\r\n logger.debug(\"using refresh token\");\r\n const state = new RefreshState(user as Required);\r\n return await this._useRefreshToken({\r\n state,\r\n redirect_uri: requestArgs.redirect_uri,\r\n resource: requestArgs.resource,\r\n extraTokenParams: requestArgs.extraTokenParams,\r\n timeoutInSeconds: silentRequestTimeoutInSeconds,\r\n });\r\n }\r\n\r\n const url = this.settings.silent_redirect_uri;\r\n if (!url) {\r\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\r\n }\r\n\r\n let verifySub: string | undefined;\r\n if (user && this.settings.validateSubOnSilentRenew) {\r\n logger.debug(\"subject prior to silent renew:\", user.profile.sub);\r\n verifySub = user.profile.sub;\r\n }\r\n\r\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\r\n user = await this._signin({\r\n request_type: \"si:s\",\r\n redirect_uri: url,\r\n prompt: \"none\",\r\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? user?.id_token : undefined,\r\n ...requestArgs,\r\n }, handle, verifySub);\r\n if (user) {\r\n if (user.profile?.sub) {\r\n logger.info(\"success, signed in subject\", user.profile.sub);\r\n }\r\n else {\r\n logger.info(\"no subject\");\r\n }\r\n }\r\n\r\n return user;\r\n }\r\n\r\n protected async _useRefreshToken(args: UseRefreshTokenArgs, extraHeaders?: Record): Promise {\r\n const response = await this._client.useRefreshToken({\r\n ...args,\r\n timeoutInSeconds: this.settings.silentRequestTimeoutInSeconds,\r\n extraHeaders,\r\n });\r\n const user = new User({ ...args.state, ...response });\r\n\r\n await this.storeUser(user);\r\n await this._events.load(user);\r\n return user;\r\n }\r\n\r\n /**\r\n *\r\n * Notify the parent window of response (callback) from the authorization endpoint.\r\n * It is recommended to use {@link UserManager.signinCallback} instead.\r\n *\r\n * @returns A promise\r\n *\r\n * @see {@link UserManager.signinCallback}\r\n */\r\n public async signinSilentCallback(url = window.location.href): Promise {\r\n const logger = this._logger.create(\"signinSilentCallback\");\r\n await this._iframeNavigator.callback(url);\r\n logger.info(\"success\");\r\n }\r\n\r\n /**\r\n * Process any response (callback) from the authorization endpoint, by dispatching the request_type\r\n * and executing one of the following functions:\r\n * - {@link UserManager.signinRedirectCallback}\r\n * - {@link UserManager.signinPopupCallback}\r\n * - {@link UserManager.signinSilentCallback}\r\n *\r\n * @throws `Error` If request_type is unknown or signout cannot be processed.\r\n */\r\n public async signinCallback(url = window.location.href): Promise {\r\n const { state } = await this._client.readSigninResponseState(url);\r\n switch (state.request_type) {\r\n case \"si:r\":\r\n return await this.signinRedirectCallback(url);\r\n case \"si:p\":\r\n return await this.signinPopupCallback(url);\r\n case \"si:s\":\r\n return await this.signinSilentCallback(url);\r\n default:\r\n throw new Error(\"invalid response_type in state\");\r\n }\r\n }\r\n\r\n /**\r\n * Process any response (callback) from the end session endpoint, by dispatching the request_type\r\n * and executing one of the following functions:\r\n * - {@link UserManager.signoutRedirectCallback}\r\n * - {@link UserManager.signoutPopupCallback}\r\n * - {@link UserManager.signoutSilentCallback}\r\n *\r\n * @throws `Error` If request_type is unknown or signout cannot be processed.\r\n */\r\n public async signoutCallback(url = window.location.href, keepOpen = false): Promise {\r\n const { state } = await this._client.readSignoutResponseState(url);\r\n if (!state) {\r\n return;\r\n }\r\n\r\n switch (state.request_type) {\r\n case \"so:r\":\r\n await this.signoutRedirectCallback(url);\r\n break;\r\n case \"so:p\":\r\n await this.signoutPopupCallback(url, keepOpen);\r\n break;\r\n case \"so:s\":\r\n await this.signoutSilentCallback(url);\r\n break;\r\n default:\r\n throw new Error(\"invalid response_type in state\");\r\n }\r\n }\r\n\r\n /**\r\n * Query OP for user's current signin status.\r\n *\r\n * @returns A promise object with session_state and subject identifier.\r\n */\r\n public async querySessionStatus(args: QuerySessionStatusArgs = {}): Promise {\r\n const logger = this._logger.create(\"querySessionStatus\");\r\n const {\r\n silentRequestTimeoutInSeconds,\r\n ...requestArgs\r\n } = args;\r\n const url = this.settings.silent_redirect_uri;\r\n if (!url) {\r\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\r\n }\r\n\r\n const user = await this._loadUser();\r\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\r\n const navResponse = await this._signinStart({\r\n request_type: \"si:s\", // this acts like a signin silent\r\n redirect_uri: url,\r\n prompt: \"none\",\r\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? user?.id_token : undefined,\r\n response_type: this.settings.query_status_response_type,\r\n scope: \"openid\",\r\n skipUserInfo: true,\r\n ...requestArgs,\r\n }, handle);\r\n try {\r\n const signinResponse = await this._client.processSigninResponse(navResponse.url);\r\n logger.debug(\"got signin response\");\r\n\r\n if (signinResponse.session_state && signinResponse.profile.sub) {\r\n logger.info(\"success for subject\", signinResponse.profile.sub);\r\n return {\r\n session_state: signinResponse.session_state,\r\n sub: signinResponse.profile.sub,\r\n };\r\n }\r\n\r\n logger.info(\"success, user not authenticated\");\r\n return null;\r\n }\r\n catch (err) {\r\n if (this.settings.monitorAnonymousSession && err instanceof ErrorResponse) {\r\n switch (err.error) {\r\n case \"login_required\":\r\n case \"consent_required\":\r\n case \"interaction_required\":\r\n case \"account_selection_required\":\r\n logger.info(\"success for anonymous user\");\r\n return {\r\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\r\n session_state: err.session_state!,\r\n };\r\n }\r\n }\r\n throw err;\r\n }\r\n }\r\n\r\n protected async _signin(args: CreateSigninRequestArgs, handle: IWindow, verifySub?: string): Promise {\r\n const navResponse = await this._signinStart(args, handle);\r\n return await this._signinEnd(navResponse.url, verifySub);\r\n }\r\n protected async _signinStart(args: CreateSigninRequestArgs, handle: IWindow): Promise {\r\n const logger = this._logger.create(\"_signinStart\");\r\n\r\n try {\r\n const signinRequest = await this._client.createSigninRequest(args);\r\n logger.debug(\"got signin request\");\r\n\r\n return await handle.navigate({\r\n url: signinRequest.url,\r\n state: signinRequest.state.id,\r\n response_mode: signinRequest.state.response_mode,\r\n scriptOrigin: this.settings.iframeScriptOrigin,\r\n });\r\n }\r\n catch (err) {\r\n logger.debug(\"error after preparing navigator, closing navigator window\");\r\n handle.close();\r\n throw err;\r\n }\r\n }\r\n protected async _signinEnd(url: string, verifySub?: string): Promise {\r\n const logger = this._logger.create(\"_signinEnd\");\r\n const signinResponse = await this._client.processSigninResponse(url);\r\n logger.debug(\"got signin response\");\r\n\r\n const user = await this._buildUser(signinResponse, verifySub);\r\n return user;\r\n }\r\n\r\n protected async _buildUser(signinResponse: SigninResponse, verifySub?: string) {\r\n const logger = this._logger.create(\"_buildUser\");\r\n const user = new User(signinResponse);\r\n if (verifySub) {\r\n if (verifySub !== user.profile.sub) {\r\n logger.debug(\"current user does not match user returned from signin. sub from signin:\", user.profile.sub);\r\n throw new ErrorResponse({ ...signinResponse, error: \"login_required\" });\r\n }\r\n logger.debug(\"current user matches user returned from signin\");\r\n }\r\n\r\n await this.storeUser(user);\r\n logger.debug(\"user stored\");\r\n await this._events.load(user);\r\n\r\n return user;\r\n }\r\n\r\n /**\r\n * Trigger a redirect of the current window to the end session endpoint.\r\n *\r\n * @returns A promise\r\n */\r\n public async signoutRedirect(args: SignoutRedirectArgs = {}): Promise {\r\n const logger = this._logger.create(\"signoutRedirect\");\r\n const {\r\n redirectMethod,\r\n ...requestArgs\r\n } = args;\r\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\r\n await this._signoutStart({\r\n request_type: \"so:r\",\r\n post_logout_redirect_uri: this.settings.post_logout_redirect_uri,\r\n ...requestArgs,\r\n }, handle);\r\n logger.info(\"success\");\r\n }\r\n\r\n /**\r\n * Process response (callback) from the end session endpoint.\r\n * It is recommended to use {@link UserManager.signoutCallback} instead.\r\n *\r\n * @returns A promise containing signout response\r\n *\r\n * @see {@link UserManager.signoutCallback}\r\n */\r\n public async signoutRedirectCallback(url = window.location.href): Promise {\r\n const logger = this._logger.create(\"signoutRedirectCallback\");\r\n const response = await this._signoutEnd(url);\r\n logger.info(\"success\");\r\n return response;\r\n }\r\n\r\n /**\r\n * Trigger a redirect of a popup window to the end session endpoint.\r\n *\r\n * @returns A promise\r\n */\r\n public async signoutPopup(args: SignoutPopupArgs = {}): Promise {\r\n const logger = this._logger.create(\"signoutPopup\");\r\n const {\r\n popupWindowFeatures,\r\n popupWindowTarget,\r\n ...requestArgs\r\n } = args;\r\n const url = this.settings.popup_post_logout_redirect_uri;\r\n\r\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget });\r\n await this._signout({\r\n request_type: \"so:p\",\r\n post_logout_redirect_uri: url,\r\n // we're putting a dummy entry in here because we\r\n // need a unique id from the state for notification\r\n // to the parent window, which is necessary if we\r\n // plan to return back to the client after signout\r\n // and so we can close the popup after signout\r\n state: url == null ? undefined : {},\r\n ...requestArgs,\r\n }, handle);\r\n logger.info(\"success\");\r\n }\r\n\r\n /**\r\n * Process response (callback) from the end session endpoint from a popup window.\r\n * It is recommended to use {@link UserManager.signoutCallback} instead.\r\n *\r\n * @returns A promise\r\n *\r\n * @see {@link UserManager.signoutCallback}\r\n */\r\n public async signoutPopupCallback(url = window.location.href, keepOpen = false): Promise {\r\n const logger = this._logger.create(\"signoutPopupCallback\");\r\n await this._popupNavigator.callback(url, { keepOpen });\r\n logger.info(\"success\");\r\n }\r\n\r\n protected async _signout(args: CreateSignoutRequestArgs, handle: IWindow): Promise {\r\n const navResponse = await this._signoutStart(args, handle);\r\n return await this._signoutEnd(navResponse.url);\r\n }\r\n protected async _signoutStart(args: CreateSignoutRequestArgs = {}, handle: IWindow): Promise {\r\n const logger = this._logger.create(\"_signoutStart\");\r\n\r\n try {\r\n const user = await this._loadUser();\r\n logger.debug(\"loaded current user from storage\");\r\n\r\n if (this.settings.revokeTokensOnSignout) {\r\n await this._revokeInternal(user);\r\n }\r\n\r\n const id_token = args.id_token_hint || user && user.id_token;\r\n if (id_token) {\r\n logger.debug(\"setting id_token_hint in signout request\");\r\n args.id_token_hint = id_token;\r\n }\r\n\r\n await this.removeUser();\r\n logger.debug(\"user removed, creating signout request\");\r\n\r\n const signoutRequest = await this._client.createSignoutRequest(args);\r\n logger.debug(\"got signout request\");\r\n\r\n return await handle.navigate({\r\n url: signoutRequest.url,\r\n state: signoutRequest.state?.id,\r\n scriptOrigin: this.settings.iframeScriptOrigin,\r\n });\r\n }\r\n catch (err) {\r\n logger.debug(\"error after preparing navigator, closing navigator window\");\r\n handle.close();\r\n throw err;\r\n }\r\n }\r\n protected async _signoutEnd(url: string): Promise {\r\n const logger = this._logger.create(\"_signoutEnd\");\r\n const signoutResponse = await this._client.processSignoutResponse(url);\r\n logger.debug(\"got signout response\");\r\n\r\n return signoutResponse;\r\n }\r\n\r\n /**\r\n * Trigger a silent request (via an iframe) to the end session endpoint.\r\n *\r\n * @returns A promise\r\n */\r\n public async signoutSilent(args: SignoutSilentArgs = {}): Promise {\r\n const logger = this._logger.create(\"signoutSilent\");\r\n const {\r\n silentRequestTimeoutInSeconds,\r\n ...requestArgs\r\n } = args;\r\n\r\n const id_token_hint = this.settings.includeIdTokenInSilentSignout\r\n ? (await this._loadUser())?.id_token\r\n : undefined;\r\n\r\n const url = this.settings.popup_post_logout_redirect_uri;\r\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\r\n await this._signout({\r\n request_type: \"so:s\",\r\n post_logout_redirect_uri: url,\r\n id_token_hint: id_token_hint,\r\n ...requestArgs,\r\n }, handle);\r\n\r\n logger.info(\"success\");\r\n }\r\n\r\n /**\r\n * Notify the parent window of response (callback) from the end session endpoint.\r\n * It is recommended to use {@link UserManager.signoutCallback} instead.\r\n *\r\n * @returns A promise\r\n *\r\n * @see {@link UserManager.signoutCallback}\r\n */\r\n public async signoutSilentCallback(url = window.location.href): Promise {\r\n const logger = this._logger.create(\"signoutSilentCallback\");\r\n await this._iframeNavigator.callback(url);\r\n logger.info(\"success\");\r\n }\r\n\r\n public async revokeTokens(types?: RevokeTokensTypes): Promise {\r\n const user = await this._loadUser();\r\n await this._revokeInternal(user, types);\r\n }\r\n\r\n protected async _revokeInternal(user: User | null, types = this.settings.revokeTokenTypes): Promise {\r\n const logger = this._logger.create(\"_revokeInternal\");\r\n if (!user) return;\r\n\r\n const typesPresent = types.filter(type => typeof user[type] === \"string\");\r\n\r\n if (!typesPresent.length) {\r\n logger.debug(\"no need to revoke due to no token(s)\");\r\n return;\r\n }\r\n\r\n // don't Promise.all, order matters\r\n for (const type of typesPresent) {\r\n await this._client.revokeToken(\r\n user[type]!, // eslint-disable-line @typescript-eslint/no-non-null-assertion\r\n type,\r\n );\r\n logger.info(`${type} revoked successfully`);\r\n if (type !== \"access_token\") {\r\n user[type] = null as never;\r\n }\r\n }\r\n\r\n await this.storeUser(user);\r\n logger.debug(\"user stored\");\r\n await this._events.load(user);\r\n }\r\n\r\n /**\r\n * Enables silent renew for the `UserManager`.\r\n */\r\n public startSilentRenew(): void {\r\n this._logger.create(\"startSilentRenew\");\r\n void this._silentRenewService.start();\r\n }\r\n\r\n /**\r\n * Disables silent renew for the `UserManager`.\r\n */\r\n public stopSilentRenew(): void {\r\n this._silentRenewService.stop();\r\n }\r\n\r\n protected get _userStoreKey(): string {\r\n return `user:${this.settings.authority}:${this.settings.client_id}`;\r\n }\r\n\r\n protected async _loadUser(): Promise {\r\n const logger = this._logger.create(\"_loadUser\");\r\n const storageString = await this.settings.userStore.get(this._userStoreKey);\r\n if (storageString) {\r\n logger.debug(\"user storageString loaded\");\r\n return User.fromStorageString(storageString);\r\n }\r\n\r\n logger.debug(\"no user storageString\");\r\n return null;\r\n }\r\n\r\n public async storeUser(user: User | null): Promise {\r\n const logger = this._logger.create(\"storeUser\");\r\n if (user) {\r\n logger.debug(\"storing user\");\r\n const storageString = user.toStorageString();\r\n await this.settings.userStore.set(this._userStoreKey, storageString);\r\n }\r\n else {\r\n this._logger.debug(\"removing user\");\r\n await this.settings.userStore.remove(this._userStoreKey);\r\n }\r\n }\r\n\r\n /**\r\n * Removes stale state entries in storage for incomplete authorize requests.\r\n */\r\n public async clearStaleState(): Promise {\r\n await this._client.clearStaleState();\r\n }\r\n}\r\n", "{\r\n \"name\": \"oidc-client-ts\",\r\n \"version\": \"3.0.1\",\r\n \"description\": \"OpenID Connect (OIDC) & OAuth2 client library\",\r\n \"repository\": {\r\n \"type\": \"git\",\r\n \"url\": \"git+https://github.com/authts/oidc-client-ts.git\"\r\n },\r\n \"homepage\": \"https://github.com/authts/oidc-client-ts#readme\",\r\n \"license\": \"Apache-2.0\",\r\n \"main\": \"dist/umd/oidc-client-ts.js\",\r\n \"types\": \"dist/types/oidc-client-ts.d.ts\",\r\n \"exports\": {\r\n \".\": {\r\n \"types\": \"./dist/types/oidc-client-ts.d.ts\",\r\n \"import\": \"./dist/esm/oidc-client-ts.js\",\r\n \"require\": \"./dist/umd/oidc-client-ts.js\"\r\n },\r\n \"./package.json\": \"./package.json\"\r\n },\r\n \"files\": [\r\n \"dist\"\r\n ],\r\n \"keywords\": [\r\n \"authentication\",\r\n \"oauth2\",\r\n \"oidc\",\r\n \"openid\",\r\n \"OpenID Connect\"\r\n ],\r\n \"scripts\": {\r\n \"build\": \"node scripts/build.js && npm run build-types\",\r\n \"build-types\": \"tsc -p tsconfig.build.json && api-extractor run\",\r\n \"clean\": \"git clean -fdX dist lib *.tsbuildinfo\",\r\n \"prepack\": \"npm run build\",\r\n \"test\": \"tsc && jest\",\r\n \"typedoc\": \"typedoc\",\r\n \"lint\": \"eslint --max-warnings=0 --cache .\",\r\n \"prepare\": \"husky install\"\r\n },\r\n \"dependencies\": {\r\n \"jwt-decode\": \"^4.0.0\"\r\n },\r\n \"devDependencies\": {\r\n \"@microsoft/api-extractor\": \"^7.35.0\",\r\n \"@testing-library/jest-dom\": \"^6.0.0\",\r\n \"@types/jest\": \"^29.2.3\",\r\n \"@types/node\": \"^20.8.2\",\r\n \"@typescript-eslint/eslint-plugin\": \"^6.4.1\",\r\n \"@typescript-eslint/parser\": \"^6.4.1\",\r\n \"esbuild\": \"^0.20.0\",\r\n \"eslint\": \"^8.5.0\",\r\n \"eslint-plugin-testing-library\": \"^6.0.0\",\r\n \"http-proxy-middleware\": \"^3.0.0\",\r\n \"husky\": \"^9.0.6\",\r\n \"jest\": \"^29.3.1\",\r\n \"jest-environment-jsdom\": \"^29.3.1\",\r\n \"jest-mock\": \"^29.3.1\",\r\n \"lint-staged\": \"^15.0.1\",\r\n \"ts-jest\": \"^29.0.3\",\r\n \"typedoc\": \"^0.25.0\",\r\n \"typescript\": \"~5.4.2\",\r\n \"yn\": \"^5.0.0\"\r\n },\r\n \"engines\": {\r\n \"node\": \">=18\"\r\n },\r\n \"lint-staged\": {\r\n \"*.{js,jsx,ts,tsx}\": \"eslint --cache --fix\"\r\n }\r\n}\r\n", "// @ts-expect-error avoid enabling resolveJsonModule to keep build process simple\r\nimport { version } from \"../package.json\";\r\n\r\n/**\r\n * @public\r\n */\r\nexport const Version: string = version;\r\n"], "mappings": "scAAA,IAAAA,GAAA,GAAAC,GAAAD,GAAA,uBAAAE,EAAA,uBAAAC,EAAA,kBAAAC,EAAA,iBAAAC,EAAA,uBAAAC,EAAA,QAAAC,EAAA,WAAAC,EAAA,oBAAAC,EAAA,eAAAC,GAAA,4BAAAC,EAAA,mBAAAC,EAAA,mBAAAC,EAAA,gBAAAC,EAAA,oBAAAC,EAAA,UAAAC,EAAA,SAAAC,EAAA,gBAAAC,GAAA,6BAAAC,EAAA,YAAAC,GAAA,yBAAAC,ICeA,IAAMC,GAAqB,CACvB,MAAO,IAAG,GACV,KAAM,IAAG,GACT,KAAM,IAAG,GACT,MAAO,IAAG,EACd,EAEIC,EACAC,EAOQC,OACRA,IAAA,eACAA,IAAA,iBACAA,IAAA,eACAA,IAAA,eACAA,IAAA,iBALQA,OAAA,KAaKA,GAAV,CACI,SAASC,GAAc,CAC1BH,EAAQ,EACRC,EAASF,EACb,CAHOG,EAAS,MAAAC,EAKT,SAASC,EAASC,EAAkB,CACvC,GAAI,EAAE,GAAYA,GAASA,GAAS,GAChC,MAAM,IAAI,MAAM,mBAAmB,EAEvCL,EAAQK,CACZ,CALOH,EAAS,SAAAE,EAOT,SAASE,EAAUD,EAAsB,CAC5CJ,EAASI,CACb,CAFOH,EAAS,UAAAI,IAbHJ,MAAA,KAuBV,IAAMK,EAAN,MAAMC,CAAO,CAET,YAAoBC,EAAe,CAAf,WAAAA,CAAgB,CAGpC,SAASC,EAAuB,CAC/BV,GAAS,GACTC,EAAO,MAAMO,EAAO,QAAQ,KAAK,MAAO,KAAK,OAAO,EAAG,GAAGE,CAAI,CAEtE,CACO,QAAQA,EAAuB,CAC9BV,GAAS,GACTC,EAAO,KAAKO,EAAO,QAAQ,KAAK,MAAO,KAAK,OAAO,EAAG,GAAGE,CAAI,CAErE,CACO,QAAQA,EAAuB,CAC9BV,GAAS,GACTC,EAAO,KAAKO,EAAO,QAAQ,KAAK,MAAO,KAAK,OAAO,EAAG,GAAGE,CAAI,CAErE,CACO,SAASA,EAAuB,CAC/BV,GAAS,GACTC,EAAO,MAAMO,EAAO,QAAQ,KAAK,MAAO,KAAK,OAAO,EAAG,GAAGE,CAAI,CAEtE,CAGO,MAAMC,EAAmB,CAC5B,WAAK,MAAMA,CAAG,EACRA,CACV,CAEO,OAAOC,EAAwB,CAClC,IAAMC,EAAuB,OAAO,OAAO,IAAI,EAC/C,OAAAA,EAAa,QAAUD,EACvBC,EAAa,MAAM,OAAO,EACnBA,CACX,CAEA,OAAc,aAAaC,EAAcC,EAA8B,CACnE,IAAMC,EAAe,IAAIR,EAAO,GAAGM,CAAI,IAAIC,CAAY,EAAE,EACzD,OAAAC,EAAa,MAAM,OAAO,EACnBA,CACX,CAEA,OAAe,QAAQF,EAAcF,EAAiB,CAClD,IAAMK,EAAS,IAAIH,CAAI,IACvB,OAAOF,EAAS,GAAGK,CAAM,IAAIL,CAAM,IAAMK,CAC7C,CAIA,OAAc,MAAMH,KAAiBJ,EAAuB,CACpDV,GAAS,GACTC,EAAO,MAAMO,EAAO,QAAQM,CAAI,EAAG,GAAGJ,CAAI,CAElD,CACA,OAAc,KAAKI,KAAiBJ,EAAuB,CACnDV,GAAS,GACTC,EAAO,KAAKO,EAAO,QAAQM,CAAI,EAAG,GAAGJ,CAAI,CAEjD,CACA,OAAc,KAAKI,KAAiBJ,EAAuB,CACnDV,GAAS,GACTC,EAAO,KAAKO,EAAO,QAAQM,CAAI,EAAG,GAAGJ,CAAI,CAEjD,CACA,OAAc,MAAMI,KAAiBJ,EAAuB,CACpDV,GAAS,GACTC,EAAO,MAAMO,EAAO,QAAQM,CAAI,EAAG,GAAGJ,CAAI,CAElD,CAEJ,EAEAR,EAAI,MAAM,EC3IV,IAAMgB,GAAmB,uCAEnBC,GAAYC,GACd,KAAK,CAAC,GAAG,IAAI,WAAWA,CAAG,CAAC,EACvB,IAAKC,GAAQ,OAAO,aAAaA,CAAG,CAAC,EACrC,KAAK,EAAE,CAAC,EAKJC,EAAN,MAAMC,CAAY,CACrB,OAAe,aAAsB,CACjC,IAAMC,EAAM,IAAI,YAAY,CAAC,EAC7B,cAAO,gBAAgBA,CAAG,EACnBA,EAAI,CAAC,CAChB,CAKA,OAAc,gBAAyB,CAInC,OAHaN,GAAiB,QAAQ,SAAUO,IAC3C,CAACA,EAAIF,EAAY,YAAY,EAAI,IAAM,CAACE,EAAI,GAAG,SAAS,EAAE,CAC/D,EACY,QAAQ,KAAM,EAAE,CAChC,CAKA,OAAc,sBAA+B,CACzC,OAAOF,EAAY,eAAe,EAAIA,EAAY,eAAe,EAAIA,EAAY,eAAe,CACpG,CAKA,aAAoB,sBAAsBG,EAAwC,CAC9E,GAAI,CAAC,OAAO,OACR,MAAM,IAAI,MAAM,6DAA6D,EAGjF,GAAI,CAEA,IAAMC,EADU,IAAI,YAAY,EACX,OAAOD,CAAa,EACnCE,EAAS,MAAM,OAAO,OAAO,OAAO,UAAWD,CAAI,EACzD,OAAOR,GAASS,CAAM,EAAE,QAAQ,MAAO,GAAG,EAAE,QAAQ,MAAO,GAAG,EAAE,QAAQ,MAAO,EAAE,CACrF,OACOC,EAAK,CACR,MAAAC,EAAO,MAAM,oCAAqCD,CAAG,EAC/CA,CACV,CACJ,CAKA,OAAc,kBAAkBE,EAAmBC,EAA+B,CAE9E,IAAML,EADU,IAAI,YAAY,EACX,OAAO,CAACI,EAAWC,CAAa,EAAE,KAAK,GAAG,CAAC,EAChE,OAAOb,GAASQ,CAAI,CACxB,CACJ,ECnDO,IAAMM,EAAN,KAAyC,CAKrC,YAA+BC,EAAe,CAAf,WAAAA,EAJtC,KAAmB,QAAU,IAAIC,EAAO,UAAU,KAAK,KAAK,IAAI,EAEhE,KAAQ,WAAyC,CAAC,CAEI,CAE/C,WAAWC,EAAqC,CACnD,YAAK,WAAW,KAAKA,CAAE,EAChB,IAAM,KAAK,cAAcA,CAAE,CACtC,CAEO,cAAcA,EAA+B,CAChD,IAAMC,EAAM,KAAK,WAAW,YAAYD,CAAE,EACtCC,GAAO,GACP,KAAK,WAAW,OAAOA,EAAK,CAAC,CAErC,CAEA,MAAa,SAASC,EAA8B,CAChD,KAAK,QAAQ,MAAM,SAAU,GAAGA,CAAE,EAClC,QAAWF,KAAM,KAAK,WAClB,MAAMA,EAAG,GAAGE,CAAE,CAEtB,CACJ,ECtCO,IAAMC,EAAN,cAAgC,KAAM,CAC7C,EACAA,EAAkB,UAAU,KAAO,oBACnC,SAASC,GAAiBC,EAAK,CAC3B,OAAO,mBAAmB,KAAKA,CAAG,EAAE,QAAQ,OAAQ,CAACC,EAAGC,IAAM,CAC1D,IAAIC,EAAOD,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,EAAE,YAAY,EACpD,OAAIC,EAAK,OAAS,IACdA,EAAO,IAAMA,GAEV,IAAMA,CACjB,CAAC,CAAC,CACN,CACA,SAASC,GAAgBJ,EAAK,CAC1B,IAAIK,EAASL,EAAI,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EACrD,OAAQK,EAAO,OAAS,EAAG,CACvB,IAAK,GACD,MACJ,IAAK,GACDA,GAAU,KACV,MACJ,IAAK,GACDA,GAAU,IACV,MACJ,QACI,MAAM,IAAI,MAAM,4CAA4C,CACpE,CACA,GAAI,CACA,OAAON,GAAiBM,CAAM,CAClC,MACY,CACR,OAAO,KAAKA,CAAM,CACtB,CACJ,CACO,SAASC,GAAUC,EAAOC,EAAS,CACtC,GAAI,OAAOD,GAAU,SACjB,MAAM,IAAIT,EAAkB,2CAA2C,EAE3EU,IAAYA,EAAU,CAAC,GACvB,IAAMC,EAAMD,EAAQ,SAAW,GAAO,EAAI,EACpCE,EAAOH,EAAM,MAAM,GAAG,EAAEE,CAAG,EACjC,GAAI,OAAOC,GAAS,SAChB,MAAM,IAAIZ,EAAkB,0CAA0CW,EAAM,CAAC,EAAE,EAEnF,IAAIE,EACJ,GAAI,CACAA,EAAUP,GAAgBM,CAAI,CAClC,OACOE,EAAG,CACN,MAAM,IAAId,EAAkB,qDAAqDW,EAAM,CAAC,KAAKG,EAAE,OAAO,GAAG,CAC7G,CACA,GAAI,CACA,OAAO,KAAK,MAAMD,CAAO,CAC7B,OACOC,EAAG,CACN,MAAM,IAAId,EAAkB,mDAAmDW,EAAM,CAAC,KAAKG,EAAE,OAAO,GAAG,CAC3G,CACJ,CChDO,IAAMC,EAAN,KAAe,CAElB,OAAc,OAAOC,EAA0B,CAC3C,GAAI,CACA,OAAOC,GAAqBD,CAAK,CACrC,OACOE,EAAK,CACR,MAAAC,EAAO,MAAM,kBAAmBD,CAAG,EAC7BA,CACV,CACJ,CACJ,ECGO,IAAME,GAAN,KAAiB,CAMpB,OAAO,OAAO,CAAE,GAAGC,CAAS,EAA6C,CA5B7E,IAAAC,EAAAC,EAAAC,EA6BQ,OAAIH,EAAS,OAAS,OAClBA,EAAS,OAAQC,EAAA,CAAC,IAAK,IAAK,IAAK,GAAG,EAAE,KAAKG,GAASA,GAAS,OAAO,WAAa,KAAK,IAArE,KAAAH,EAA0E,MAC/FC,EAAAF,EAAS,OAAT,OAAAA,EAAS,KAAS,KAAK,IAAI,EAAG,KAAK,MAAM,OAAO,SAAW,OAAO,WAAaA,EAAS,OAAS,CAAC,CAAC,GAC/FA,EAAS,QAAU,QACnBG,EAAAH,EAAS,MAAT,OAAAA,EAAS,IAAQ,KAAK,IAAI,EAAG,KAAK,MAAM,OAAO,SAAW,OAAO,YAAcA,EAAS,QAAU,CAAC,CAAC,IACjGA,CACX,CAEA,OAAO,UAAUA,EAAuC,CACpD,OAAO,OAAO,QAAQA,CAAQ,EACzB,OAAO,CAAC,CAAC,CAAEK,CAAK,IAAMA,GAAS,IAAI,EACnC,IAAI,CAAC,CAACC,EAAKD,CAAK,IAAM,GAAGC,CAAG,IAAI,OAAOD,GAAU,UAAYA,EAAkBA,EAAQ,MAAQ,IAAI,EAAE,EACrG,KAAK,GAAG,CACjB,CACJ,EClCO,IAAME,EAAN,MAAMC,UAAcC,CAAc,CAAlC,kCACH,KAAmB,QAAU,IAAIC,EAAO,UAAU,KAAK,KAAK,IAAI,EAChE,KAAQ,aAAsD,KAC9D,KAAQ,YAAc,EAyCtB,KAAU,UAAY,IAAY,CAC9B,IAAMC,EAAO,KAAK,YAAcH,EAAM,aAAa,EACnD,KAAK,QAAQ,MAAM,qBAAsBG,CAAI,EAEzC,KAAK,aAAeH,EAAM,aAAa,IACvC,KAAK,OAAO,EACP,MAAM,MAAM,EAEzB,EA9CA,OAAc,cAAuB,CACjC,OAAO,KAAK,MAAM,KAAK,IAAI,EAAI,GAAI,CACvC,CAEO,KAAKI,EAAiC,CACzC,IAAMC,EAAS,KAAK,QAAQ,OAAO,MAAM,EACzCD,EAAoB,KAAK,IAAI,KAAK,MAAMA,CAAiB,EAAG,CAAC,EAC7D,IAAME,EAAaN,EAAM,aAAa,EAAII,EAC1C,GAAI,KAAK,aAAeE,GAAc,KAAK,aAAc,CAErDD,EAAO,MAAM,uDAAwD,KAAK,UAAU,EACpF,MACJ,CAEA,KAAK,OAAO,EAEZA,EAAO,MAAM,iBAAkBD,CAAiB,EAChD,KAAK,YAAcE,EAKnB,IAAMC,EAAyB,KAAK,IAAIH,EAAmB,CAAC,EAC5D,KAAK,aAAe,YAAY,KAAK,UAAWG,EAAyB,GAAI,CACjF,CAEA,IAAW,YAAqB,CAC5B,OAAO,KAAK,WAChB,CAEO,QAAe,CAClB,KAAK,QAAQ,OAAO,QAAQ,EACxB,KAAK,eACL,cAAc,KAAK,YAAY,EAC/B,KAAK,aAAe,KAE5B,CAWJ,ECxDO,IAAMC,EAAN,KAAe,CAClB,OAAc,WAAWC,EAAaC,EAAqC,QAA0B,CACjG,GAAI,CAACD,EAAK,MAAM,IAAI,UAAU,aAAa,EAG3C,IAAME,EADY,IAAI,IAAIF,EAAK,kBAAkB,EACxBC,IAAiB,WAAa,OAAS,QAAQ,EACxE,OAAO,IAAI,gBAAgBC,EAAO,MAAM,CAAC,CAAC,CAC9C,CACJ,EAKaC,GAAsB,ICR5B,IAAMC,EAAN,cAA4B,KAAM,CAqB9B,YACHC,EAKgBC,EAClB,CAvCN,IAAAC,EAAAC,EAAAC,EAwCQ,MAAMJ,EAAK,mBAAqBA,EAAK,OAAS,EAAE,EAFhC,UAAAC,EAzBpB,KAAgB,KAAe,gBA6BvB,IAACD,EAAK,MACN,MAAAK,EAAO,MAAM,gBAAiB,iBAAiB,EACzC,IAAI,MAAM,iBAAiB,EAGrC,KAAK,MAAQL,EAAK,MAClB,KAAK,mBAAoBE,EAAAF,EAAK,oBAAL,KAAAE,EAA0B,KACnD,KAAK,WAAYC,EAAAH,EAAK,YAAL,KAAAG,EAAkB,KAEnC,KAAK,MAAQH,EAAK,UAClB,KAAK,eAAgBI,EAAAJ,EAAK,gBAAL,KAAAI,EAAsB,KAC3C,KAAK,UAAYJ,EAAK,SAC1B,CACJ,EC/CO,IAAMM,EAAN,cAA2B,KAAM,CAI7B,YAAYC,EAAkB,CACjC,MAAMA,CAAO,EAHjB,KAAgB,KAAe,cAI/B,CACJ,ECDO,IAAMC,EAAN,KAAwB,CAOpB,YAAYC,EAAqD,CANxE,KAAmB,QAAU,IAAIC,EAAO,mBAAmB,EAE3D,KAAiB,eAAiB,IAAIC,EAAM,uBAAuB,EACnE,KAAiB,cAAgB,IAAIA,EAAM,sBAAsB,EAI7D,KAAK,mCAAqCF,EAAK,iCACnD,CAEO,KAAKG,EAAuB,CAC/B,IAAMC,EAAS,KAAK,QAAQ,OAAO,MAAM,EAEzC,GAAID,EAAU,cAAgBA,EAAU,aAAe,OAAW,CAC9D,IAAME,EAAWF,EAAU,WAG3B,GAFAC,EAAO,MAAM,4CAA6CC,CAAQ,EAE9DA,EAAW,EAAG,CAEd,IAAIC,EAAWD,EAAW,KAAK,mCAC3BC,GAAY,IACZA,EAAW,GAGfF,EAAO,MAAM,yCAA0CE,EAAU,SAAS,EAC1E,KAAK,eAAe,KAAKA,CAAQ,CACrC,MAEIF,EAAO,MAAM,kEAAkE,EAC/E,KAAK,eAAe,OAAO,EAI/B,IAAMG,EAAUF,EAAW,EAC3BD,EAAO,MAAM,wCAAyCG,EAAS,SAAS,EACxE,KAAK,cAAc,KAAKA,CAAO,CACnC,MAEI,KAAK,eAAe,OAAO,EAC3B,KAAK,cAAc,OAAO,CAElC,CAEO,QAAe,CAClB,KAAK,QAAQ,MAAM,gDAAgD,EACnE,KAAK,eAAe,OAAO,EAC3B,KAAK,cAAc,OAAO,CAC9B,CAKO,uBAAuBC,EAAqC,CAC/D,OAAO,KAAK,eAAe,WAAWA,CAAE,CAC5C,CAIO,0BAA0BA,EAA+B,CAC5D,KAAK,eAAe,cAAcA,CAAE,CACxC,CAKO,sBAAsBA,EAAqC,CAC9D,OAAO,KAAK,cAAc,WAAWA,CAAE,CAC3C,CAIO,yBAAyBA,EAA+B,CAC3D,KAAK,cAAc,cAAcA,CAAE,CACvC,CACJ,ECjFO,IAAMC,EAAN,KAAyB,CAOrB,YACKC,EACAC,EACRC,EACQC,EACAC,EACV,CALU,eAAAJ,EACA,gBAAAC,EAEA,wBAAAE,EACA,kBAAAC,EAXZ,KAAiB,QAAU,IAAIC,EAAO,oBAAoB,EAG1D,KAAQ,OAAgD,KACxD,KAAQ,eAAgC,KAmCxC,KAAQ,SAAY,GAAkC,CAC9C,EAAE,SAAW,KAAK,eAClB,EAAE,SAAW,KAAK,OAAO,gBAErB,EAAE,OAAS,SACX,KAAK,QAAQ,MAAM,4CAA4C,EAC3D,KAAK,cACL,KAAK,KAAK,GAGT,EAAE,OAAS,WAChB,KAAK,QAAQ,MAAM,8CAA8C,EACjE,KAAK,KAAK,EACL,KAAK,UAAU,GAGpB,KAAK,QAAQ,MAAM,EAAE,KAAO,uCAAuC,EAG/E,EA7CI,IAAMC,EAAY,IAAI,IAAIJ,CAAG,EAC7B,KAAK,cAAgBI,EAAU,OAE/B,KAAK,OAAS,OAAO,SAAS,cAAc,QAAQ,EAGpD,KAAK,OAAO,MAAM,WAAa,SAC/B,KAAK,OAAO,MAAM,SAAW,QAC7B,KAAK,OAAO,MAAM,KAAO,UACzB,KAAK,OAAO,MAAM,IAAM,IACxB,KAAK,OAAO,MAAQ,IACpB,KAAK,OAAO,OAAS,IACrB,KAAK,OAAO,IAAMA,EAAU,IAChC,CAEO,MAAsB,CACzB,OAAO,IAAI,QAAeC,GAAY,CAClC,KAAK,OAAO,OAAS,IAAM,CACvBA,EAAQ,CACZ,EAEA,OAAO,SAAS,KAAK,YAAY,KAAK,MAAM,EAC5C,OAAO,iBAAiB,UAAW,KAAK,SAAU,EAAK,CAC3D,CAAC,CACL,CAuBO,MAAMC,EAA6B,CACtC,GAAI,KAAK,iBAAmBA,EACxB,OAGJ,KAAK,QAAQ,OAAO,OAAO,EAE3B,KAAK,KAAK,EAEV,KAAK,eAAiBA,EAEtB,IAAMC,EAAO,IAAM,CACX,CAAC,KAAK,OAAO,eAAiB,CAAC,KAAK,gBAIxC,KAAK,OAAO,cAAc,YAAY,KAAK,WAAa,IAAM,KAAK,eAAgB,KAAK,aAAa,CACzG,EAGAA,EAAK,EAGL,KAAK,OAAS,YAAYA,EAAM,KAAK,mBAAqB,GAAI,CAClE,CAEO,MAAa,CAChB,KAAK,QAAQ,OAAO,MAAM,EAC1B,KAAK,eAAiB,KAElB,KAAK,SAEL,cAAc,KAAK,MAAM,EACzB,KAAK,OAAS,KAEtB,CACJ,ECjGO,IAAMC,EAAN,KAA4C,CAA5C,cACH,KAAiB,QAAU,IAAIC,EAAO,oBAAoB,EAC1D,KAAQ,MAAgC,CAAC,EAElC,OAAc,CACjB,KAAK,QAAQ,OAAO,OAAO,EAC3B,KAAK,MAAQ,CAAC,CAClB,CAEO,QAAQC,EAAqB,CAChC,YAAK,QAAQ,OAAO,YAAYA,CAAG,IAAI,EAChC,KAAK,MAAMA,CAAG,CACzB,CAEO,QAAQA,EAAaC,EAAqB,CAC7C,KAAK,QAAQ,OAAO,YAAYD,CAAG,IAAI,EACvC,KAAK,MAAMA,CAAG,EAAIC,CACtB,CAEO,WAAWD,EAAmB,CACjC,KAAK,QAAQ,OAAO,eAAeA,CAAG,IAAI,EAC1C,OAAO,KAAK,MAAMA,CAAG,CACzB,CAEA,IAAW,QAAiB,CACxB,OAAO,OAAO,oBAAoB,KAAK,KAAK,EAAE,MAClD,CAEO,IAAIE,EAAuB,CAC9B,OAAO,OAAO,oBAAoB,KAAK,KAAK,EAAEA,CAAK,CACvD,CACJ,ECLO,IAAMC,EAAN,KAAkB,CAKd,YACHC,EAAmC,CAAC,EAC5BC,EAAiC,KACjCC,EAA6C,CAAC,EACxD,CAFU,iBAAAD,EACA,mBAAAC,EAPZ,KAAiB,QAAU,IAAIC,EAAO,aAAa,EAEnD,KAAQ,cAA0B,CAAC,EAO/B,KAAK,cAAc,KAAK,GAAGH,EAAwB,kBAAkB,EACjEC,GACA,KAAK,cAAc,KAAK,iBAAiB,CAEjD,CAEA,MAAgB,iBAAiBG,EAAoBC,EAAoD,CAAC,EAAG,CACzG,GAAM,CAAE,iBAAAC,EAAkB,GAAGC,CAAU,EAAIF,EAC3C,GAAI,CAACC,EACD,OAAO,MAAM,MAAMF,EAAOG,CAAS,EAGvC,IAAMC,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAM,EAAGF,EAAmB,GAAI,EAE9E,GAAI,CAKA,OAJiB,MAAM,MAAMF,EAAO,CAChC,GAAGC,EACH,OAAQG,EAAW,MACvB,CAAC,CAEL,OACOE,EAAK,CACR,MAAIA,aAAe,cAAgBA,EAAI,OAAS,aACtC,IAAIC,EAAa,mBAAmB,EAExCD,CACV,QACA,CACI,aAAaD,CAAS,CAC1B,CACJ,CAEA,MAAa,QAAQG,EAAa,CAC9B,MAAAC,EACA,YAAAC,CACJ,EAAiB,CAAC,EAAqC,CACnD,IAAMC,EAAS,KAAK,QAAQ,OAAO,SAAS,EACtCC,EAAuB,CACzB,OAAU,KAAK,cAAc,KAAK,IAAI,CAC1C,EACIH,IACAE,EAAO,MAAM,4CAA4C,EACzDC,EAAQ,cAAmB,UAAYH,GAG3C,KAAK,mBAAmBG,CAAO,EAE/B,IAAIC,EACJ,GAAI,CACAF,EAAO,MAAM,OAAQH,CAAG,EACxBK,EAAW,MAAM,KAAK,iBAAiBL,EAAK,CAAE,OAAQ,MAAO,QAAAI,EAAS,YAAAF,CAAY,CAAC,CACvF,OACOJ,EAAK,CACR,MAAAK,EAAO,MAAM,eAAe,EACtBL,CACV,CAEAK,EAAO,MAAM,iCAAkCE,EAAS,MAAM,EAC9D,IAAMC,EAAcD,EAAS,QAAQ,IAAI,cAAc,EAIvD,GAHIC,GAAe,CAAC,KAAK,cAAc,KAAKC,GAAQD,EAAY,WAAWC,CAAI,CAAC,GAC5EJ,EAAO,MAAM,IAAI,MAAM,kCAAmCG,GAAA,KAAAA,EAAe,WAAY,eAAeN,CAAG,EAAE,CAAC,EAE1GK,EAAS,IAAM,KAAK,cAAeC,GAAA,MAAAA,EAAa,WAAW,oBAC3D,OAAO,MAAM,KAAK,YAAY,MAAMD,EAAS,KAAK,CAAC,EAEvD,IAAIG,EACJ,GAAI,CACAA,EAAO,MAAMH,EAAS,KAAK,CAC/B,OACOP,EAAK,CAER,MADAK,EAAO,MAAM,8BAA+BL,CAAG,EAC3CO,EAAS,GAAUP,EACjB,IAAI,MAAM,GAAGO,EAAS,UAAU,KAAKA,EAAS,MAAM,GAAG,CACjE,CACA,GAAI,CAACA,EAAS,GAEV,MADAF,EAAO,MAAM,qBAAsBK,CAAI,EACnCA,EAAK,MACC,IAAIC,EAAcD,CAAI,EAE1B,IAAI,MAAM,GAAGH,EAAS,UAAU,KAAKA,EAAS,MAAM,MAAM,KAAK,UAAUG,CAAI,CAAC,EAAE,EAE1F,OAAOA,CACX,CAEA,MAAa,SAASR,EAAa,CAC/B,KAAAU,EACA,UAAAC,EACA,iBAAAjB,EACA,gBAAAkB,EACA,aAAAC,CACJ,EAAmD,CAC/C,IAAMV,EAAS,KAAK,QAAQ,OAAO,UAAU,EACvCC,EAAuB,CACzB,OAAU,KAAK,cAAc,KAAK,IAAI,EACtC,eAAgB,oCAChB,GAAGS,CACP,EACIF,IAAc,SACdP,EAAQ,cAAmB,SAAWO,GAG1C,KAAK,mBAAmBP,CAAO,EAE/B,IAAIC,EACJ,GAAI,CACAF,EAAO,MAAM,OAAQH,CAAG,EACxBK,EAAW,MAAM,KAAK,iBAAiBL,EAAK,CAAE,OAAQ,OAAQ,QAAAI,EAAS,KAAAM,EAAM,iBAAAhB,EAAkB,YAAakB,CAAgB,CAAC,CACjI,OACOd,EAAK,CACR,MAAAK,EAAO,MAAM,eAAe,EACtBL,CACV,CAEAK,EAAO,MAAM,iCAAkCE,EAAS,MAAM,EAC9D,IAAMC,EAAcD,EAAS,QAAQ,IAAI,cAAc,EACvD,GAAIC,GAAe,CAAC,KAAK,cAAc,KAAKC,GAAQD,EAAY,WAAWC,CAAI,CAAC,EAC5E,MAAM,IAAI,MAAM,kCAAmCD,GAAA,KAAAA,EAAe,WAAY,eAAeN,CAAG,EAAE,EAGtG,IAAMc,EAAe,MAAMT,EAAS,KAAK,EAErCG,EAAgC,CAAC,EACrC,GAAIM,EACA,GAAI,CACAN,EAAO,KAAK,MAAMM,CAAY,CAClC,OACOhB,EAAK,CAER,MADAK,EAAO,MAAM,8BAA+BL,CAAG,EAC3CO,EAAS,GAAUP,EACjB,IAAI,MAAM,GAAGO,EAAS,UAAU,KAAKA,EAAS,MAAM,GAAG,CACjE,CAGJ,GAAI,CAACA,EAAS,GAEV,MADAF,EAAO,MAAM,qBAAsBK,CAAI,EACnCA,EAAK,MACC,IAAIC,EAAcD,EAAME,CAAI,EAEhC,IAAI,MAAM,GAAGL,EAAS,UAAU,KAAKA,EAAS,MAAM,MAAM,KAAK,UAAUG,CAAI,CAAC,EAAE,EAG1F,OAAOA,CACX,CAEQ,mBACJJ,EACI,CACJ,IAAMD,EAAS,KAAK,QAAQ,OAAO,oBAAoB,EACjDY,EAAa,OAAO,KAAK,KAAK,aAAa,EAC3CC,EAAmB,CACrB,gBACA,SACA,cACJ,EACID,EAAW,SAAW,GAG1BA,EAAW,QAASE,GAAe,CAC/B,GAAID,EAAiB,SAASC,EAAW,kBAAkB,CAAC,EAAG,CAC3Dd,EAAO,KAAK,2CAA4Cc,EAAYD,CAAgB,EACpF,MACJ,CACA,IAAME,EAAW,OAAO,KAAK,cAAcD,CAAU,GAAM,WACtD,KAAK,cAAcA,CAAU,EAAiB,EAC/C,KAAK,cAAcA,CAAU,EAC7BC,GAAWA,IAAY,KACvBd,EAAQa,CAAU,EAAIC,EAE9B,CAAC,CACL,CACJ,EC3MO,IAAMC,EAAN,KAAsB,CAUlB,YAA6BC,EAAoC,CAApC,eAAAA,EATpC,KAAiB,QAAU,IAAIC,EAAO,iBAAiB,EAKvD,KAAQ,aAAoC,KAC5C,KAAQ,UAA0C,KAI9C,KAAK,aAAe,KAAK,UAAU,YACnC,KAAK,aAAe,IAAIC,EACpB,CAAC,0BAA0B,EAC3B,KACA,KAAK,UAAU,YACnB,EACI,KAAK,UAAU,cACf,KAAK,QAAQ,MAAM,iCAAiC,EACpD,KAAK,aAAe,KAAK,UAAU,aAGnC,KAAK,UAAU,WACf,KAAK,QAAQ,MAAM,8BAA8B,EACjD,KAAK,UAAY,KAAK,UAAU,UAGhC,KAAK,UAAU,0BACf,KAAK,QAAQ,MAAM,6CAA6C,EAChE,KAAK,yBAA2B,KAAK,UAAU,wBAEvD,CAEO,kBAAyB,CAC5B,KAAK,aAAe,IACxB,CAEA,MAAa,aAA8C,CACvD,IAAMC,EAAS,KAAK,QAAQ,OAAO,aAAa,EAChD,GAAI,KAAK,UACL,OAAAA,EAAO,MAAM,qBAAqB,EAC3B,KAAK,UAGhB,GAAI,CAAC,KAAK,aACN,MAAAA,EAAO,MAAM,IAAI,MAAM,oDAAoD,CAAC,EACtE,KAGVA,EAAO,MAAM,wBAAyB,KAAK,YAAY,EACvD,IAAMC,EAAW,MAAM,KAAK,aAAa,QAAQ,KAAK,aAAc,CAAE,YAAa,KAAK,wBAAyB,CAAC,EAElH,OAAAD,EAAO,MAAM,wCAAwC,EACrD,KAAK,UAAY,OAAO,OAAO,CAAC,EAAG,KAAK,UAAU,aAAcC,CAAQ,EACjE,KAAK,SAChB,CAEO,WAA6B,CAChC,OAAO,KAAK,qBAAqB,QAAQ,CAC7C,CAEO,0BAA4C,CAC/C,OAAO,KAAK,qBAAqB,wBAAwB,CAC7D,CAEO,qBAAuC,CAC1C,OAAO,KAAK,qBAAqB,mBAAmB,CACxD,CAIO,iBAAiBC,EAAW,GAAmC,CAClE,OAAO,KAAK,qBAAqB,iBAAkBA,CAAQ,CAC/D,CAEO,uBAAqD,CACxD,OAAO,KAAK,qBAAqB,uBAAwB,EAAI,CACjE,CAEO,uBAAqD,CACxD,OAAO,KAAK,qBAAqB,uBAAwB,EAAI,CACjE,CAIO,sBAAsBA,EAAW,GAAmC,CACvE,OAAO,KAAK,qBAAqB,sBAAuBA,CAAQ,CACpE,CAIO,gBAAgBA,EAAW,GAAmC,CACjE,OAAO,KAAK,qBAAqB,WAAYA,CAAQ,CACzD,CAEA,MAAgB,qBAAqBC,EAA0BD,EAAS,GAAyD,CAC7H,IAAMF,EAAS,KAAK,QAAQ,OAAO,yBAAyBG,CAAI,IAAI,EAE9DF,EAAW,MAAM,KAAK,YAAY,EAGxC,GAFAD,EAAO,MAAM,UAAU,EAEnBC,EAASE,CAAI,IAAM,OAAW,CAC9B,GAAID,IAAa,GAAM,CACnBF,EAAO,KAAK,6CAA6C,EACzD,MACJ,CAEAA,EAAO,MAAM,IAAI,MAAM,sCAAwCG,CAAI,CAAC,CACxE,CAEA,OAAOF,EAASE,CAAI,CACxB,CAEA,MAAa,gBAA+C,CACxD,IAAMH,EAAS,KAAK,QAAQ,OAAO,gBAAgB,EACnD,GAAI,KAAK,aACL,OAAAA,EAAO,MAAM,kCAAkC,EACxC,KAAK,aAGhB,IAAMI,EAAW,MAAM,KAAK,gBAAgB,EAAK,EACjDJ,EAAO,MAAM,eAAgBI,CAAQ,EAErC,IAAMC,EAAS,MAAM,KAAK,aAAa,QAAQD,CAAQ,EAGvD,GAFAJ,EAAO,MAAM,cAAeK,CAAM,EAE9B,CAAC,MAAM,QAAQA,EAAO,IAAI,EAC1B,MAAAL,EAAO,MAAM,IAAI,MAAM,wBAAwB,CAAC,EAC1C,KAGV,YAAK,aAAeK,EAAO,KACpB,KAAK,YAChB,CACJ,ECxIO,IAAMC,EAAN,KAAiD,CAM7C,YAAY,CACf,OAAAC,EAAS,QACT,MAAAC,EAAQ,YACZ,EAAyD,CAAC,EAAG,CAR7D,KAAiB,QAAU,IAAIC,EAAO,sBAAsB,EASxD,KAAK,OAASD,EACd,KAAK,QAAUD,CACnB,CAEA,MAAa,IAAIG,EAAaC,EAA8B,CACxD,KAAK,QAAQ,OAAO,QAAQD,CAAG,IAAI,EAEnCA,EAAM,KAAK,QAAUA,EACrB,MAAM,KAAK,OAAO,QAAQA,EAAKC,CAAK,CACxC,CAEA,MAAa,IAAID,EAAqC,CAClD,YAAK,QAAQ,OAAO,QAAQA,CAAG,IAAI,EAEnCA,EAAM,KAAK,QAAUA,EACR,MAAM,KAAK,OAAO,QAAQA,CAAG,CAE9C,CAEA,MAAa,OAAOA,EAAqC,CACrD,KAAK,QAAQ,OAAO,WAAWA,CAAG,IAAI,EAEtCA,EAAM,KAAK,QAAUA,EACrB,IAAME,EAAO,MAAM,KAAK,OAAO,QAAQF,CAAG,EAC1C,aAAM,KAAK,OAAO,WAAWA,CAAG,EACzBE,CACX,CAEA,MAAa,YAAgC,CACzC,KAAK,QAAQ,OAAO,YAAY,EAChC,IAAMC,EAAM,MAAM,KAAK,OAAO,OAExBC,EAAO,CAAC,EACd,QAASC,EAAQ,EAAGA,EAAQF,EAAKE,IAAS,CACtC,IAAML,EAAM,MAAM,KAAK,OAAO,IAAIK,CAAK,EACnCL,GAAOA,EAAI,QAAQ,KAAK,OAAO,IAAM,GACrCI,EAAK,KAAKJ,EAAI,OAAO,KAAK,QAAQ,MAAM,CAAC,CAEjD,CACA,OAAOI,CACX,CACJ,ECrDA,IAAME,GAAsB,OACtBC,GAAe,SACfC,GAA8B,qBAC9BC,GAAgC,GAAK,GAwI9BC,EAAN,KAA8B,CA4C1B,YAAY,CAEf,UAAAC,EAAW,YAAAC,EAAa,SAAAC,EAAU,YAAAC,EAAa,aAAAC,EAE/C,UAAAC,EAAW,cAAAC,EAAe,cAAAC,EAAgBZ,GAAqB,MAAAa,EAAQZ,GACvE,aAAAa,EAAc,yBAAAC,EACd,sBAAAC,EAAwBd,GAExB,OAAAe,EAAQ,QAAAC,EAAS,QAAAC,EAAS,WAAAC,EAAY,WAAAC,EAAY,SAAAC,EAAU,cAAAC,EAE5D,qBAAAC,EAAuB,GACvB,aAAAC,EAAe,GACf,uBAAAC,EAAyBvB,GACzB,oBAAAwB,EAAsB,CAAE,MAAO,SAAU,EACzC,YAAAC,EAAc,GAEd,WAAAC,EACA,kCAAAC,GACA,wBAAAC,GACA,yBAAAC,GAEA,iBAAAC,GAAmB,CAAC,EACpB,iBAAAC,GAAmB,CAAC,EACpB,aAAAC,GAAe,CAAC,CACpB,EAAuB,CA6CnB,GA3CA,KAAK,UAAY9B,EAEbC,EACA,KAAK,YAAcA,GAEnB,KAAK,YAAcD,EACfA,IACK,KAAK,YAAY,SAAS,GAAG,IAC9B,KAAK,aAAe,KAExB,KAAK,aAAe,qCAI5B,KAAK,SAAWE,EAChB,KAAK,aAAeE,EACpB,KAAK,YAAcD,EAEnB,KAAK,UAAYE,EACjB,KAAK,cAAgBC,EACrB,KAAK,cAAgBC,EACrB,KAAK,MAAQC,EACb,KAAK,aAAeC,EACpB,KAAK,yBAA2BC,EAChC,KAAK,sBAAwBC,EAE7B,KAAK,OAASC,EACd,KAAK,QAAUC,EACf,KAAK,QAAUC,EACf,KAAK,WAAaC,EAClB,KAAK,WAAaC,EAClB,KAAK,SAAWC,EAChB,KAAK,cAAgBC,EAErB,KAAK,qBAAuBC,GAAA,KAAAA,EAAwB,GACpD,KAAK,aAAe,CAAC,CAACC,EACtB,KAAK,uBAAyBC,EAC9B,KAAK,oBAAsBC,EAC3B,KAAK,YAAc,CAAC,CAACC,EACrB,KAAK,kCAAoCE,GAEzC,KAAK,wBAA0BC,IAAoD,cAE/EF,EACA,KAAK,WAAaA,MAEjB,CACD,IAAMO,GAAQ,OAAO,QAAW,YAAc,OAAO,aAAe,IAAIC,EACxE,KAAK,WAAa,IAAIC,EAAqB,CAAE,MAAAF,EAAM,CAAC,CACxD,CAEA,KAAK,yBAA2BJ,GAEhC,KAAK,iBAAmBC,GACxB,KAAK,iBAAmBC,GACxB,KAAK,aAAeC,EACxB,CACJ,ECtQO,IAAMI,GAAN,KAAsB,CAIlB,YAA6BC,EACfC,EACnB,CAFkC,eAAAD,EACf,sBAAAC,EAJrB,KAAmB,QAAU,IAAIC,EAAO,iBAAiB,EA+BzD,KAAU,kBAAoB,MAAOC,GAA6C,CAC9E,IAAMC,EAAS,KAAK,QAAQ,OAAO,mBAAmB,EACtD,GAAI,CACA,IAAMC,EAAUC,EAAS,OAAOH,CAAY,EAC5C,OAAAC,EAAO,MAAM,yBAAyB,EAE/BC,CACX,OAASE,EAAK,CACV,MAAAH,EAAO,MAAM,4BAA4B,EACnCG,CACV,CACJ,EApCI,KAAK,aAAe,IAAIC,EACpB,OACA,KAAK,kBACL,KAAK,UAAU,YACnB,CACJ,CAEA,MAAa,UAAUC,EAAmC,CACtD,IAAML,EAAS,KAAK,QAAQ,OAAO,WAAW,EACzCK,GACD,KAAK,QAAQ,MAAM,IAAI,MAAM,iBAAiB,CAAC,EAGnD,IAAMC,EAAM,MAAM,KAAK,iBAAiB,oBAAoB,EAC5DN,EAAO,MAAM,mBAAoBM,CAAG,EAEpC,IAAMC,EAAS,MAAM,KAAK,aAAa,QAAQD,EAAK,CAChD,MAAAD,EACA,YAAa,KAAK,UAAU,uBAChC,CAAC,EACD,OAAAL,EAAO,MAAM,aAAcO,CAAM,EAE1BA,CACX,CAcJ,ECUO,IAAMC,EAAN,KAAkB,CAId,YACcC,EACAC,EACnB,CAFmB,eAAAD,EACA,sBAAAC,EALrB,KAAiB,QAAU,IAAIC,EAAO,aAAa,EAO/C,KAAK,aAAe,IAAIC,EACpB,KAAK,UAAU,kCACf,KACA,KAAK,UAAU,YACnB,CACJ,CAOA,MAAa,aAAa,CACtB,WAAAC,EAAa,qBACb,aAAAC,EAAe,KAAK,UAAU,aAC9B,UAAAC,EAAY,KAAK,UAAU,UAC3B,cAAAC,EAAgB,KAAK,UAAU,cAC/B,aAAAC,EACA,GAAGC,CACP,EAAuD,CACnD,IAAMC,EAAS,KAAK,QAAQ,OAAO,cAAc,EAC5CJ,GACDI,EAAO,MAAM,IAAI,MAAM,yBAAyB,CAAC,EAEhDL,GACDK,EAAO,MAAM,IAAI,MAAM,4BAA4B,CAAC,EAEnDD,EAAK,MACNC,EAAO,MAAM,IAAI,MAAM,oBAAoB,CAAC,EAGhD,IAAMC,EAAS,IAAI,gBAAgB,CAAE,WAAAP,EAAY,aAAAC,CAAa,CAAC,EAC/D,OAAW,CAACO,EAAKC,CAAK,IAAK,OAAO,QAAQJ,CAAI,EACtCI,GAAS,MACTF,EAAO,IAAIC,EAAKC,CAAK,EAG7B,IAAIC,EACJ,OAAQ,KAAK,UAAU,sBAAuB,CAC1C,IAAK,sBACD,GAAI,CAACP,EACD,MAAAG,EAAO,MAAM,IAAI,MAAM,6BAA6B,CAAC,EAC/C,KAEVI,EAAYC,EAAY,kBAAkBT,EAAWC,CAAa,EAClE,MACJ,IAAK,qBACDI,EAAO,OAAO,YAAaL,CAAS,EAChCC,GACAI,EAAO,OAAO,gBAAiBJ,CAAa,EAEhD,KACR,CAEA,IAAMS,EAAM,MAAM,KAAK,iBAAiB,iBAAiB,EAAK,EAC9DN,EAAO,MAAM,oBAAoB,EAEjC,IAAMO,EAAW,MAAM,KAAK,aAAa,SAASD,EAAK,CAAE,KAAML,EAAQ,UAAAG,EAAW,gBAAiB,KAAK,UAAU,wBAAyB,aAAAN,CAAa,CAAC,EACzJ,OAAAE,EAAO,MAAM,cAAc,EAEpBO,CACX,CAOA,MAAa,oBAAoB,CAC7B,WAAAb,EAAa,WACb,UAAAE,EAAY,KAAK,UAAU,UAC3B,cAAAC,EAAgB,KAAK,UAAU,cAC/B,MAAAW,EAAQ,KAAK,UAAU,MACvB,GAAGT,CACP,EAA8D,CAC1D,IAAMC,EAAS,KAAK,QAAQ,OAAO,qBAAqB,EAEnDJ,GACDI,EAAO,MAAM,IAAI,MAAM,yBAAyB,CAAC,EAGrD,IAAMC,EAAS,IAAI,gBAAgB,CAAE,WAAAP,EAAY,MAAAc,CAAM,CAAC,EACxD,OAAW,CAACN,EAAKC,CAAK,IAAK,OAAO,QAAQJ,CAAI,EACtCI,GAAS,MACTF,EAAO,IAAIC,EAAKC,CAAK,EAI7B,IAAIC,EACJ,OAAQ,KAAK,UAAU,sBAAuB,CAC1C,IAAK,sBACD,GAAI,CAACP,EACD,MAAAG,EAAO,MAAM,IAAI,MAAM,6BAA6B,CAAC,EAC/C,KAEVI,EAAYC,EAAY,kBAAkBT,EAAWC,CAAa,EAClE,MACJ,IAAK,qBACDI,EAAO,OAAO,YAAaL,CAAS,EAChCC,GACAI,EAAO,OAAO,gBAAiBJ,CAAa,EAEhD,KACR,CAEA,IAAMS,EAAM,MAAM,KAAK,iBAAiB,iBAAiB,EAAK,EAC9DN,EAAO,MAAM,oBAAoB,EAEjC,IAAMO,EAAW,MAAM,KAAK,aAAa,SAASD,EAAK,CAAE,KAAML,EAAQ,UAAAG,EAAW,gBAAiB,KAAK,UAAU,uBAAwB,CAAC,EAC3I,OAAAJ,EAAO,MAAM,cAAc,EAEpBO,CACX,CAOA,MAAa,qBAAqB,CAC9B,WAAAb,EAAa,gBACb,UAAAE,EAAY,KAAK,UAAU,UAC3B,cAAAC,EAAgB,KAAK,UAAU,cAC/B,iBAAAY,EACA,aAAAX,EACA,GAAGC,CACP,EAA+D,CAC3D,IAAMC,EAAS,KAAK,QAAQ,OAAO,sBAAsB,EACpDJ,GACDI,EAAO,MAAM,IAAI,MAAM,yBAAyB,CAAC,EAEhDD,EAAK,eACNC,EAAO,MAAM,IAAI,MAAM,6BAA6B,CAAC,EAGzD,IAAMC,EAAS,IAAI,gBAAgB,CAAE,WAAAP,CAAW,CAAC,EACjD,OAAW,CAACQ,EAAKC,CAAK,IAAK,OAAO,QAAQJ,CAAI,EACtC,MAAM,QAAQI,CAAK,EACnBA,EAAM,QAAQO,GAAST,EAAO,OAAOC,EAAKQ,CAAK,CAAC,EAE3CP,GAAS,MACdF,EAAO,IAAIC,EAAKC,CAAK,EAG7B,IAAIC,EACJ,OAAQ,KAAK,UAAU,sBAAuB,CAC1C,IAAK,sBACD,GAAI,CAACP,EACD,MAAAG,EAAO,MAAM,IAAI,MAAM,6BAA6B,CAAC,EAC/C,KAEVI,EAAYC,EAAY,kBAAkBT,EAAWC,CAAa,EAClE,MACJ,IAAK,qBACDI,EAAO,OAAO,YAAaL,CAAS,EAChCC,GACAI,EAAO,OAAO,gBAAiBJ,CAAa,EAEhD,KACR,CAEA,IAAMS,EAAM,MAAM,KAAK,iBAAiB,iBAAiB,EAAK,EAC9DN,EAAO,MAAM,oBAAoB,EAEjC,IAAMO,EAAW,MAAM,KAAK,aAAa,SAASD,EAAK,CAAE,KAAML,EAAQ,UAAAG,EAAW,iBAAAK,EAAkB,gBAAiB,KAAK,UAAU,wBAAyB,aAAAX,CAAa,CAAC,EAC3K,OAAAE,EAAO,MAAM,cAAc,EAEpBO,CACX,CAOA,MAAa,OAAOR,EAAiC,CAzPzD,IAAAY,EA0PQ,IAAMX,EAAS,KAAK,QAAQ,OAAO,QAAQ,EACtCD,EAAK,OACNC,EAAO,MAAM,IAAI,MAAM,qBAAqB,CAAC,EAGjD,IAAMM,EAAM,MAAM,KAAK,iBAAiB,sBAAsB,EAAK,EAEnEN,EAAO,MAAM,sCAAqCW,EAAAZ,EAAK,kBAAL,KAAAY,EAAwB,oBAAoB,EAAE,EAEhG,IAAMV,EAAS,IAAI,gBACnB,OAAW,CAACC,EAAKC,CAAK,IAAK,OAAO,QAAQJ,CAAI,EACtCI,GAAS,MACTF,EAAO,IAAIC,EAAKC,CAAK,EAG7BF,EAAO,IAAI,YAAa,KAAK,UAAU,SAAS,EAC5C,KAAK,UAAU,eACfA,EAAO,IAAI,gBAAiB,KAAK,UAAU,aAAa,EAG5D,MAAM,KAAK,aAAa,SAASK,EAAK,CAAE,KAAML,CAAO,CAAC,EACtDD,EAAO,MAAM,cAAc,CAC/B,CACJ,EC5PO,IAAMY,GAAN,KAAwB,CAKpB,YACgBC,EACAC,EACAC,EACrB,CAHqB,eAAAF,EACA,sBAAAC,EACA,oBAAAC,EAPvB,KAAmB,QAAU,IAAIC,EAAO,mBAAmB,EAC3D,KAAmB,iBAAmB,IAAIC,GAAgB,KAAK,UAAW,KAAK,gBAAgB,EAC/F,KAAmB,aAAe,IAAIC,EAAY,KAAK,UAAW,KAAK,gBAAgB,CAMpF,CAEH,MAAa,uBAAuBC,EAA0BC,EAAoBC,EAA2D,CACzI,IAAMC,EAAS,KAAK,QAAQ,OAAO,wBAAwB,EAE3D,KAAK,oBAAoBH,EAAUC,CAAK,EACxCE,EAAO,MAAM,iBAAiB,EAE9B,MAAM,KAAK,aAAaH,EAAUC,EAAOC,CAAY,EACrDC,EAAO,MAAM,gBAAgB,EAEzBH,EAAS,UACT,KAAK,2BAA2BA,CAAQ,EAE5CG,EAAO,MAAM,kBAAkB,EAE/B,MAAM,KAAK,eAAeH,EAAUC,GAAA,YAAAA,EAAO,aAAcD,EAAS,QAAQ,EAC1EG,EAAO,MAAM,kBAAkB,CACnC,CAEA,MAAa,4BAA4BH,EAA0BI,EAAsC,CACrG,IAAMD,EAAS,KAAK,QAAQ,OAAO,6BAA6B,EAE5DH,EAAS,UAAcA,EAAS,UAChC,KAAK,2BAA2BA,CAAQ,EAE5CG,EAAO,MAAM,kBAAkB,EAE/B,MAAM,KAAK,eAAeH,EAAUI,EAAcJ,EAAS,QAAQ,EACnEG,EAAO,MAAM,kBAAkB,CACnC,CAEA,MAAa,wBAAwBH,EAA0BC,EAAoC,CA9DvG,IAAAI,EAAAC,EA+DQ,IAAMH,EAAS,KAAK,QAAQ,OAAO,yBAAyB,EAE5DH,EAAS,UAAYC,EAAM,MAE3BI,EAAAL,EAAS,gBAAT,OAAAA,EAAS,cAAkBC,EAAM,gBAEjCK,EAAAN,EAAS,QAAT,OAAAA,EAAS,MAAUC,EAAM,OAIrBD,EAAS,UAAcA,EAAS,WAChC,KAAK,2BAA2BA,EAAUC,EAAM,QAAQ,EACxDE,EAAO,MAAM,oBAAoB,GAGhCH,EAAS,WAEVA,EAAS,SAAWC,EAAM,SAE1BD,EAAS,QAAUC,EAAM,SAG7B,IAAMM,EAAaP,EAAS,UAAY,CAAC,CAACA,EAAS,SACnD,MAAM,KAAK,eAAeA,EAAU,GAAOO,CAAU,EACrDJ,EAAO,MAAM,kBAAkB,CACnC,CAEO,wBAAwBH,EAA2BC,EAAoB,CAC1E,IAAME,EAAS,KAAK,QAAQ,OAAO,yBAAyB,EAW5D,GAVIF,EAAM,KAAOD,EAAS,OACtBG,EAAO,MAAM,IAAI,MAAM,sBAAsB,CAAC,EAMlDA,EAAO,MAAM,iBAAiB,EAC9BH,EAAS,UAAYC,EAAM,KAEvBD,EAAS,MACT,MAAAG,EAAO,KAAK,qBAAsBH,EAAS,KAAK,EAC1C,IAAIQ,EAAcR,CAAQ,CAExC,CAEU,oBAAoBA,EAA0BC,EAA0B,CA5GtF,IAAAI,EA6GQ,IAAMF,EAAS,KAAK,QAAQ,OAAO,qBAAqB,EA8BxD,GA7BIF,EAAM,KAAOD,EAAS,OACtBG,EAAO,MAAM,IAAI,MAAM,sBAAsB,CAAC,EAG7CF,EAAM,WACPE,EAAO,MAAM,IAAI,MAAM,uBAAuB,CAAC,EAG9CF,EAAM,WACPE,EAAO,MAAM,IAAI,MAAM,uBAAuB,CAAC,EAI/C,KAAK,UAAU,YAAcF,EAAM,WACnCE,EAAO,MAAM,IAAI,MAAM,iDAAiD,CAAC,EAEzE,KAAK,UAAU,WAAa,KAAK,UAAU,YAAcF,EAAM,WAC/DE,EAAO,MAAM,IAAI,MAAM,iDAAiD,CAAC,EAM7EA,EAAO,MAAM,iBAAiB,EAC9BH,EAAS,UAAYC,EAAM,KAC3BD,EAAS,UAAYC,EAAM,WAE3BI,EAAAL,EAAS,QAAT,OAAAA,EAAS,MAAUC,EAAM,OAErBD,EAAS,MACT,MAAAG,EAAO,KAAK,qBAAsBH,EAAS,KAAK,EAC1C,IAAIQ,EAAcR,CAAQ,EAGhCC,EAAM,eAAiB,CAACD,EAAS,MACjCG,EAAO,MAAM,IAAI,MAAM,2BAA2B,CAAC,CAG3D,CAEA,MAAgB,eAAeH,EAA0BI,EAAe,GAAOK,EAAc,GAAqB,CAC9G,IAAMN,EAAS,KAAK,QAAQ,OAAO,gBAAgB,EAGnD,GAFAH,EAAS,QAAU,KAAK,eAAe,qBAAqBA,EAAS,OAAO,EAExEI,GAAgB,CAAC,KAAK,UAAU,cAAgB,CAACJ,EAAS,aAAc,CACxEG,EAAO,MAAM,uBAAuB,EACpC,MACJ,CAEAA,EAAO,MAAM,mBAAmB,EAChC,IAAMO,EAAS,MAAM,KAAK,iBAAiB,UAAUV,EAAS,YAAY,EAC1EG,EAAO,MAAM,mDAAmD,EAE5DM,GAAeC,EAAO,MAAQV,EAAS,QAAQ,KAC/CG,EAAO,MAAM,IAAI,MAAM,mEAAmE,CAAC,EAG/FH,EAAS,QAAU,KAAK,eAAe,YAAYA,EAAS,QAAS,KAAK,eAAe,qBAAqBU,CAAuB,CAAC,EACtIP,EAAO,MAAM,8CAA+CH,EAAS,OAAO,CAChF,CAEA,MAAgB,aAAaA,EAA0BC,EAAoBC,EAA2D,CAClI,IAAMC,EAAS,KAAK,QAAQ,OAAO,cAAc,EACjD,GAAIH,EAAS,KAAM,CACfG,EAAO,MAAM,iBAAiB,EAC9B,IAAMQ,EAAgB,MAAM,KAAK,aAAa,aAAa,CACvD,UAAWV,EAAM,UACjB,cAAeA,EAAM,cACrB,KAAMD,EAAS,KACf,aAAcC,EAAM,aACpB,cAAeA,EAAM,cACrB,aAAcC,EACd,GAAGD,EAAM,gBACb,CAAC,EACD,OAAO,OAAOD,EAAUW,CAAa,CACzC,MACIR,EAAO,MAAM,oBAAoB,CAEzC,CAEU,2BAA2BH,EAA0BY,EAA8B,CA9LjG,IAAAP,EA+LQ,IAAMF,EAAS,KAAK,QAAQ,OAAO,4BAA4B,EAE/DA,EAAO,MAAM,uBAAuB,EACpC,IAAMU,EAAWC,EAAS,QAAOT,EAAAL,EAAS,WAAT,KAAAK,EAAqB,EAAE,EAMxD,GAJKQ,EAAS,KACVV,EAAO,MAAM,IAAI,MAAM,qCAAqC,CAAC,EAG7DS,EAAe,CACf,IAAMG,EAAWD,EAAS,OAAOF,CAAa,EAC1CC,EAAS,MAAQE,EAAS,KAC1BZ,EAAO,MAAM,IAAI,MAAM,4CAA4C,CAAC,EAEpEU,EAAS,WAAaA,EAAS,YAAcE,EAAS,WACtDZ,EAAO,MAAM,IAAI,MAAM,yDAAyD,CAAC,EAEjFU,EAAS,KAAOA,EAAS,MAAQE,EAAS,KAC1CZ,EAAO,MAAM,IAAI,MAAM,6CAA6C,CAAC,EAErE,CAACU,EAAS,KAAOE,EAAS,KAC1BZ,EAAO,MAAM,IAAI,MAAM,uDAAuD,CAAC,CAEvF,CAEAH,EAAS,QAAUa,CACvB,CACJ,ECjNO,IAAMG,EAAN,MAAMC,CAAM,CASR,YAAYC,EAMhB,CACC,KAAK,GAAKA,EAAK,IAAMC,EAAY,eAAe,EAChD,KAAK,KAAOD,EAAK,KAEbA,EAAK,SAAWA,EAAK,QAAU,EAC/B,KAAK,QAAUA,EAAK,QAGpB,KAAK,QAAUE,EAAM,aAAa,EAEtC,KAAK,aAAeF,EAAK,aACzB,KAAK,UAAYA,EAAK,SAC1B,CAEO,iBAA0B,CAC7B,WAAIG,EAAO,OAAO,EAAE,OAAO,iBAAiB,EACrC,KAAK,UAAU,CAClB,GAAI,KAAK,GACT,KAAM,KAAK,KACX,QAAS,KAAK,QACd,aAAc,KAAK,aACnB,UAAW,KAAK,SACpB,CAAC,CACL,CAEA,OAAc,kBAAkBC,EAAuC,CACnE,OAAAD,EAAO,aAAa,QAAS,mBAAmB,EACzC,QAAQ,QAAQ,IAAIJ,EAAM,KAAK,MAAMK,CAAa,CAAC,CAAC,CAC/D,CAEA,aAAoB,gBAAgBC,EAAqBC,EAA4B,CACjF,IAAMC,EAASJ,EAAO,aAAa,QAAS,iBAAiB,EACvDK,EAASN,EAAM,aAAa,EAAII,EAEhCG,EAAO,MAAMJ,EAAQ,WAAW,EACtCE,EAAO,MAAM,WAAYE,CAAI,EAE7B,QAASC,EAAI,EAAGA,EAAID,EAAK,OAAQC,IAAK,CAClC,IAAMC,EAAMF,EAAKC,CAAC,EACZE,EAAO,MAAMP,EAAQ,IAAIM,CAAG,EAC9BE,EAAS,GAEb,GAAID,EACA,GAAI,CACA,IAAME,EAAQ,MAAMf,EAAM,kBAAkBa,CAAI,EAEhDL,EAAO,MAAM,qBAAsBI,EAAKG,EAAM,OAAO,EACjDA,EAAM,SAAWN,IACjBK,EAAS,GAEjB,OACOE,EAAK,CACRR,EAAO,MAAM,+BAAgCI,EAAKI,CAAG,EACrDF,EAAS,EACb,MAGAN,EAAO,MAAM,8BAA+BI,CAAG,EAC/CE,EAAS,GAGTA,IACAN,EAAO,MAAM,wBAAyBI,CAAG,EACpCN,EAAQ,OAAOM,CAAG,EAE/B,CACJ,CACJ,ECzDO,IAAMK,EAAN,MAAMC,UAAoBC,CAAM,CAyB3B,YAAYC,EAAuB,CACvC,MAAMA,CAAI,EAEV,KAAK,cAAgBA,EAAK,cAC1B,KAAK,eAAiBA,EAAK,eAC3B,KAAK,UAAYA,EAAK,UACtB,KAAK,UAAYA,EAAK,UACtB,KAAK,aAAeA,EAAK,aACzB,KAAK,MAAQA,EAAK,MAClB,KAAK,cAAgBA,EAAK,cAC1B,KAAK,iBAAmBA,EAAK,iBAE7B,KAAK,cAAgBA,EAAK,cAC1B,KAAK,aAAeA,EAAK,YAC7B,CAEA,aAAoB,OAAOA,EAAmD,CAC1E,IAAMC,EAAgBD,EAAK,gBAAkB,GAAOE,EAAY,qBAAqB,EAAKF,EAAK,eAAiB,OAC1GG,EAAiBF,EAAiB,MAAMC,EAAY,sBAAsBD,CAAa,EAAK,OAElG,OAAO,IAAIH,EAAY,CACnB,GAAGE,EACH,cAAAC,EACA,eAAAE,CACJ,CAAC,CACL,CAEO,iBAA0B,CAC7B,WAAIC,EAAO,aAAa,EAAE,OAAO,iBAAiB,EAC3C,KAAK,UAAU,CAClB,GAAI,KAAK,GACT,KAAM,KAAK,KACX,QAAS,KAAK,QACd,aAAc,KAAK,aACnB,UAAW,KAAK,UAEhB,cAAe,KAAK,cACpB,UAAW,KAAK,UAChB,UAAW,KAAK,UAChB,aAAc,KAAK,aACnB,MAAO,KAAK,MACZ,cAAe,KAAK,cACpB,iBAAmB,KAAK,iBACxB,cAAe,KAAK,cACpB,aAAc,KAAK,YACvB,CAAC,CACL,CAEA,OAAc,kBAAkBC,EAA6C,CACzED,EAAO,aAAa,cAAe,mBAAmB,EACtD,IAAME,EAAO,KAAK,MAAMD,CAAa,EACrC,OAAOP,EAAY,OAAOQ,CAAI,CAClC,CACJ,EC9DO,IAAMC,GAAN,MAAMA,EAAc,CAMf,YAAYC,EAGjB,CACC,KAAK,IAAMA,EAAK,IAChB,KAAK,MAAQA,EAAK,KACtB,CAEA,aAAoB,OAAO,CAEvB,IAAAC,EAAK,UAAAC,EAAW,UAAAC,EAAW,aAAAC,EAAc,cAAAC,EAAe,MAAAC,EAExD,WAAAC,EAAY,cAAAC,EAAe,aAAAC,EAAc,cAAAC,EAAe,MAAAC,EAAO,UAAAC,EAC/D,SAAAC,EACA,aAAAC,EACA,iBAAAC,EACA,iBAAAC,EACA,YAAAC,EACA,GAAGC,CACP,EAAoD,CAChD,GAAI,CAACjB,EACD,WAAK,QAAQ,MAAM,uBAAuB,EACpC,IAAI,MAAM,KAAK,EAEzB,GAAI,CAACE,EACD,WAAK,QAAQ,MAAM,6BAA6B,EAC1C,IAAI,MAAM,WAAW,EAE/B,GAAI,CAACC,EACD,WAAK,QAAQ,MAAM,gCAAgC,EAC7C,IAAI,MAAM,cAAc,EAElC,GAAI,CAACC,EACD,WAAK,QAAQ,MAAM,iCAAiC,EAC9C,IAAI,MAAM,eAAe,EAEnC,GAAI,CAACC,EACD,WAAK,QAAQ,MAAM,yBAAyB,EACtC,IAAI,MAAM,OAAO,EAE3B,GAAI,CAACJ,EACD,WAAK,QAAQ,MAAM,6BAA6B,EAC1C,IAAI,MAAM,WAAW,EAG/B,IAAMiB,EAAQ,MAAMC,EAAY,OAAO,CACnC,KAAMb,EACN,aAAAE,EACA,UAAAG,EACA,cAAe,CAACK,EAChB,UAAAd,EAAW,UAAAD,EAAW,aAAAE,EACtB,cAAAI,EACA,cAAAE,EAAe,MAAAJ,EAAO,iBAAAU,EACtB,aAAAF,CACJ,CAAC,EAEKO,EAAY,IAAI,IAAIpB,CAAG,EAC7BoB,EAAU,aAAa,OAAO,YAAalB,CAAS,EACpDkB,EAAU,aAAa,OAAO,eAAgBjB,CAAY,EAC1DiB,EAAU,aAAa,OAAO,gBAAiBhB,CAAa,EAC5DgB,EAAU,aAAa,OAAO,QAASf,CAAK,EACxCK,GACAU,EAAU,aAAa,OAAO,QAASV,CAAK,EAGhD,IAAIW,EAAaH,EAAM,GACnBP,IACAU,EAAa,GAAGA,CAAU,GAAGC,EAAmB,GAAGX,CAAS,IAEhES,EAAU,aAAa,OAAO,QAASC,CAAU,EAC7CH,EAAM,iBACNE,EAAU,aAAa,OAAO,iBAAkBF,EAAM,cAAc,EACpEE,EAAU,aAAa,OAAO,wBAAyB,MAAM,GAG7DR,IAEkB,MAAM,QAAQA,CAAQ,EAAIA,EAAW,CAACA,CAAQ,GAE3D,QAAQW,GAAKH,EAAU,aAAa,OAAO,WAAYG,CAAC,CAAC,EAGlE,OAAW,CAACC,EAAKC,CAAK,IAAK,OAAO,QAAQ,CAAE,cAAAlB,EAAe,GAAGU,EAAgB,GAAGH,CAAiB,CAAC,EAC3FW,GAAS,MACTL,EAAU,aAAa,OAAOI,EAAKC,EAAM,SAAS,CAAC,EAI3D,OAAO,IAAI3B,GAAc,CACrB,IAAKsB,EAAU,KACf,MAAAF,CACJ,CAAC,CACL,CACJ,EAnGapB,GACe,QAAU,IAAI4B,EAAO,eAAe,EADzD,IAAMC,GAAN7B,GC5CP,IAAM8B,GAAY,SAOLC,EAAN,KAAqB,CAsCjB,YAAYC,EAAyB,CAjB5C,KAAO,aAAe,GAEtB,KAAO,WAAa,GAapB,KAAO,QAAuB,CAAC,EAK3B,GAFA,KAAK,MAAQA,EAAO,IAAI,OAAO,EAC/B,KAAK,cAAgBA,EAAO,IAAI,eAAe,EAC3C,KAAK,MAAO,CACZ,IAAMC,EAAa,mBAAmB,KAAK,KAAK,EAAE,MAAMC,EAAmB,EAC3E,KAAK,MAAQD,EAAW,CAAC,EACrBA,EAAW,OAAS,IACpB,KAAK,UAAYA,EAAW,MAAM,CAAC,EAAE,KAAKC,EAAmB,EAErE,CAEA,KAAK,MAAQF,EAAO,IAAI,OAAO,EAC/B,KAAK,kBAAoBA,EAAO,IAAI,mBAAmB,EACvD,KAAK,UAAYA,EAAO,IAAI,WAAW,EAEvC,KAAK,KAAOA,EAAO,IAAI,MAAM,CACjC,CAEA,IAAW,YAAiC,CACxC,GAAI,KAAK,aAAe,OAGxB,OAAO,KAAK,WAAaG,EAAM,aAAa,CAChD,CACA,IAAW,WAAWC,EAA2B,CAEzC,OAAOA,GAAU,WAAUA,EAAQ,OAAOA,CAAK,GAC/CA,IAAU,QAAaA,GAAS,IAChC,KAAK,WAAa,KAAK,MAAMA,CAAK,EAAID,EAAM,aAAa,EAEjE,CAEA,IAAW,UAAoB,CAnFnC,IAAAE,EAoFQ,QAAOA,EAAA,KAAK,QAAL,YAAAA,EAAY,MAAM,KAAK,SAASP,MAAc,CAAC,CAAC,KAAK,QAChE,CACJ,ECzDO,IAAMQ,GAAN,KAAqB,CAMjB,YAAY,CACf,IAAAC,EACA,WAAAC,EAAY,cAAAC,EAAe,yBAAAC,EAA0B,iBAAAC,EAAkB,aAAAC,EAAc,UAAAC,CACzF,EAAuB,CARvB,KAAiB,QAAU,IAAIC,EAAO,gBAAgB,EASlD,GAAI,CAACP,EACD,WAAK,QAAQ,MAAM,qBAAqB,EAClC,IAAI,MAAM,KAAK,EAGzB,IAAMQ,EAAY,IAAI,IAAIR,CAAG,EACzBE,GACAM,EAAU,aAAa,OAAO,gBAAiBN,CAAa,EAE5DI,GACAE,EAAU,aAAa,OAAO,YAAaF,CAAS,EAGpDH,IACAK,EAAU,aAAa,OAAO,2BAA4BL,CAAwB,EAE9EF,IACA,KAAK,MAAQ,IAAIQ,EAAM,CAAE,KAAMR,EAAY,aAAAI,CAAa,CAAC,EAEzDG,EAAU,aAAa,OAAO,QAAS,KAAK,MAAM,EAAE,IAI5D,OAAW,CAACE,EAAKC,CAAK,IAAK,OAAO,QAAQ,CAAE,GAAGP,CAAiB,CAAC,EACzDO,GAAS,MACTH,EAAU,aAAa,OAAOE,EAAKC,EAAM,SAAS,CAAC,EAI3D,KAAK,IAAMH,EAAU,IACzB,CACJ,EC/DO,IAAMI,EAAN,KAAsB,CAclB,YAAYC,EAAyB,CACxC,KAAK,MAAQA,EAAO,IAAI,OAAO,EAE/B,KAAK,MAAQA,EAAO,IAAI,OAAO,EAC/B,KAAK,kBAAoBA,EAAO,IAAI,mBAAmB,EACvD,KAAK,UAAYA,EAAO,IAAI,WAAW,CAC3C,CACJ,ECXA,IAAMC,GAAwB,CAC1B,MACA,MACA,YACA,QACA,MACA,MACA,MACA,SACJ,EAQMC,GAAiC,CAAC,MAAO,MAAO,MAAO,MAAO,KAAK,EAK5DC,GAAN,KAAoB,CAEhB,YACgBC,EACrB,CADqB,eAAAA,EAFvB,KAAmB,QAAU,IAAIC,EAAO,eAAe,CAGpD,CAEI,qBAAqBC,EAAkC,CAC1D,IAAMC,EAAS,CAAE,GAAGD,CAAO,EAE3B,GAAI,KAAK,UAAU,qBAAsB,CACrC,IAAIE,EACA,MAAM,QAAQ,KAAK,UAAU,oBAAoB,EACjDA,EAAiB,KAAK,UAAU,qBAEhCA,EAAiBP,GAGrB,QAAWQ,KAASD,EACXN,GAA+B,SAASO,CAAK,GAC9C,OAAOF,EAAOE,CAAK,CAG/B,CAEA,OAAOF,CACX,CAGO,YAAYG,EAAsBC,EAAiC,CACtE,IAAMJ,EAAS,CAAE,GAAGG,CAAQ,EAC5B,OAAW,CAACD,EAAOG,CAAM,IAAK,OAAO,QAAQD,CAAO,EAChD,GAAIJ,EAAOE,CAAK,IAAMG,EAClB,GAAI,MAAM,QAAQL,EAAOE,CAAK,CAAC,GAAK,MAAM,QAAQG,CAAM,EACpD,GAAI,KAAK,UAAU,oBAAoB,OAAS,UAC5CL,EAAOE,CAAK,EAAIG,MACb,CACH,IAAMC,EAAe,MAAM,QAAQN,EAAOE,CAAK,CAAC,EAAIF,EAAOE,CAAK,EAAiB,CAACF,EAAOE,CAAK,CAAC,EAC/F,QAAWK,KAAS,MAAM,QAAQF,CAAM,EAAIA,EAAS,CAACA,CAAM,EACnDC,EAAa,SAASC,CAAK,GAC5BD,EAAa,KAAKC,CAAK,EAG/BP,EAAOE,CAAK,EAAII,CACpB,MACO,OAAON,EAAOE,CAAK,GAAM,UAAY,OAAOG,GAAW,SAC9DL,EAAOE,CAAK,EAAI,KAAK,YAAYF,EAAOE,CAAK,EAAgBG,CAAmB,EAEhFL,EAAOE,CAAK,EAAIG,EAK5B,OAAOL,CACX,CACJ,ECtBO,IAAMQ,GAAN,KAAiB,CAWb,YAAYC,EAAwDC,EAAmC,CAT9G,KAAmB,QAAU,IAAIC,EAAO,YAAY,EAUhD,KAAK,SAAWF,aAAoBG,EAA0BH,EAAW,IAAIG,EAAwBH,CAAQ,EAE7G,KAAK,gBAAkBC,GAAA,KAAAA,EAAmB,IAAIG,EAAgB,KAAK,QAAQ,EAC3E,KAAK,eAAiB,IAAIC,GAAc,KAAK,QAAQ,EACrD,KAAK,WAAa,IAAIC,GAAkB,KAAK,SAAU,KAAK,gBAAiB,KAAK,cAAc,EAChG,KAAK,aAAe,IAAIC,EAAY,KAAK,SAAU,KAAK,eAAe,CAC3E,CAEA,MAAa,oBAAoB,CAC7B,MAAAC,EACA,QAAAC,EACA,YAAAC,EACA,aAAAC,EACA,cAAAC,EACA,WAAAC,EACA,aAAAC,EACA,MAAAC,EACA,UAAAC,EACA,cAAAC,EAAgB,KAAK,SAAS,cAC9B,MAAAC,EAAQ,KAAK,SAAS,MACtB,aAAAC,EAAe,KAAK,SAAS,aAC7B,OAAAC,EAAS,KAAK,SAAS,OACvB,QAAAC,EAAU,KAAK,SAAS,QACxB,QAAAC,EAAU,KAAK,SAAS,QACxB,WAAAC,EAAa,KAAK,SAAS,WAC3B,WAAAC,EAAa,KAAK,SAAS,WAC3B,SAAAC,EAAW,KAAK,SAAS,SACzB,cAAAC,EAAgB,KAAK,SAAS,cAC9B,iBAAAC,EAAmB,KAAK,SAAS,iBACjC,iBAAAC,EAAmB,KAAK,SAAS,gBACrC,EAAoD,CAChD,IAAMC,EAAS,KAAK,QAAQ,OAAO,qBAAqB,EAExD,GAAIZ,IAAkB,OAClB,MAAM,IAAI,MAAM,2DAA2D,EAG/E,IAAMa,EAAM,MAAM,KAAK,gBAAgB,yBAAyB,EAChED,EAAO,MAAM,kCAAmCC,CAAG,EAEnD,IAAMC,EAAgB,MAAMC,GAAc,OAAO,CAC7C,IAAAF,EACA,UAAW,KAAK,SAAS,UACzB,UAAW,KAAK,SAAS,UACzB,aAAAX,EACA,cAAAF,EACA,MAAAC,EACA,WAAYV,EACZ,UAAAQ,EACA,OAAAI,EAAQ,QAAAC,EAAS,QAAAC,EAAS,WAAAC,EAAY,cAAAX,EAAe,WAAAC,EAAY,WAAAW,EACjE,SAAAC,EAAU,QAAAhB,EAAS,YAAAC,EAAa,iBAAAiB,EAAkB,iBAAAC,EAAkB,aAAAjB,EAAc,cAAAe,EAClF,cAAe,KAAK,SAAS,cAC7B,aAAAZ,EACA,MAAAC,EACA,YAAa,KAAK,SAAS,WAC/B,CAAC,EAGD,MAAM,KAAK,gBAAgB,EAE3B,IAAMkB,EAAcF,EAAc,MAClC,aAAM,KAAK,SAAS,WAAW,IAAIE,EAAY,GAAIA,EAAY,gBAAgB,CAAC,EACzEF,CACX,CAEA,MAAa,wBAAwBD,EAAaI,EAAc,GAAkE,CAC9H,IAAML,EAAS,KAAK,QAAQ,OAAO,yBAAyB,EAEtDM,EAAW,IAAIC,EAAeC,EAAS,WAAWP,EAAK,KAAK,SAAS,aAAa,CAAC,EACzF,GAAI,CAACK,EAAS,MACV,MAAAN,EAAO,MAAM,IAAI,MAAM,sBAAsB,CAAC,EAExC,KAGV,IAAMS,EAAoB,MAAM,KAAK,SAAS,WAAWJ,EAAc,SAAW,KAAK,EAAEC,EAAS,KAAK,EACvG,GAAI,CAACG,EACD,MAAAT,EAAO,MAAM,IAAI,MAAM,oCAAoC,CAAC,EACtD,KAIV,MAAO,CAAE,MADK,MAAMU,EAAY,kBAAkBD,CAAiB,EACnD,SAAAH,CAAS,CAC7B,CAEA,MAAa,sBAAsBL,EAAaU,EAAqE,CACjH,IAAMX,EAAS,KAAK,QAAQ,OAAO,uBAAuB,EAEpD,CAAE,MAAArB,EAAO,SAAA2B,CAAS,EAAI,MAAM,KAAK,wBAAwBL,EAAK,EAAI,EACxE,OAAAD,EAAO,MAAM,kDAAkD,EAC/D,MAAM,KAAK,WAAW,uBAAuBM,EAAU3B,EAAOgC,CAAY,EACnEL,CACX,CAEA,MAAa,wCAAwC,CACjD,SAAAM,EACA,SAAAC,EACA,aAAA5B,EAAe,GACf,iBAAAc,EAAmB,CAAC,CACxB,EAAyE,CACrE,IAAMe,EAAyC,MAAM,KAAK,aAAa,oBAAoB,CAAE,SAAAF,EAAU,SAAAC,EAAU,GAAGd,CAAiB,CAAC,EAChIgB,EAAiC,IAAIR,EAAe,IAAI,eAAiB,EAC/E,cAAO,OAAOQ,EAAgBD,CAAa,EAC3C,MAAM,KAAK,WAAW,4BAA4BC,EAAgB9B,CAAY,EACvE8B,CACX,CAEA,MAAa,gBAAgB,CACzB,MAAApC,EACA,aAAAW,EACA,SAAAM,EACA,iBAAAoB,EACA,aAAAL,EACA,iBAAAZ,CACJ,EAAiD,CArMrD,IAAAkB,EAsMQ,IAAMjB,EAAS,KAAK,QAAQ,OAAO,iBAAiB,EAKhDX,EACJ,GAAI,KAAK,SAAS,2BAA6B,OAC3CA,EAAQV,EAAM,UACX,CACH,IAAMuC,EAAkB,KAAK,SAAS,yBAAyB,MAAM,GAAG,EAGxE7B,KAFuB4B,EAAAtC,EAAM,QAAN,YAAAsC,EAAa,MAAM,OAAQ,CAAC,GAE5B,OAAOE,GAAKD,EAAgB,SAASC,CAAC,CAAC,EAAE,KAAK,GAAG,CAC5E,CAEA,IAAMC,EAAS,MAAM,KAAK,aAAa,qBAAqB,CACxD,cAAezC,EAAM,cAErB,MAAAU,EACA,aAAAC,EACA,SAAAM,EACA,iBAAAoB,EACA,aAAAL,EACA,GAAGZ,CACP,CAAC,EACKO,EAAW,IAAIC,EAAe,IAAI,eAAiB,EACzD,cAAO,OAAOD,EAAUc,CAAM,EAC9BpB,EAAO,MAAM,sBAAuBM,CAAQ,EAC5C,MAAM,KAAK,WAAW,wBAAwBA,EAAU,CACpD,GAAG3B,EAGH,MAAAU,CACJ,CAAC,EACMiB,CACX,CAEA,MAAa,qBAAqB,CAC9B,MAAA3B,EACA,cAAAI,EACA,UAAAsC,EACA,aAAAvC,EACA,yBAAAwC,EAA2B,KAAK,SAAS,yBACzC,iBAAAxB,EAAmB,KAAK,SAAS,gBACrC,EAA8B,CAAC,EAA4B,CACvD,IAAME,EAAS,KAAK,QAAQ,OAAO,sBAAsB,EAEnDC,EAAM,MAAM,KAAK,gBAAgB,sBAAsB,EAC7D,GAAI,CAACA,EACD,MAAAD,EAAO,MAAM,IAAI,MAAM,yBAAyB,CAAC,EAC3C,KAGVA,EAAO,MAAM,gCAAiCC,CAAG,EAG7C,CAACoB,GAAaC,GAA4B,CAACvC,IAC3CsC,EAAY,KAAK,SAAS,WAG9B,IAAMzC,EAAU,IAAI2C,GAAe,CAC/B,IAAAtB,EACA,cAAAlB,EACA,UAAAsC,EACA,yBAAAC,EACA,WAAY3C,EACZ,iBAAAmB,EACA,aAAAhB,CACJ,CAAC,EAGD,MAAM,KAAK,gBAAgB,EAE3B,IAAM0C,EAAe5C,EAAQ,MAC7B,OAAI4C,IACAxB,EAAO,MAAM,sCAAsC,EACnD,MAAM,KAAK,SAAS,WAAW,IAAIwB,EAAa,GAAIA,EAAa,gBAAgB,CAAC,GAG/E5C,CACX,CAEA,MAAa,yBAAyBqB,EAAaI,EAAc,GAAyE,CACtI,IAAML,EAAS,KAAK,QAAQ,OAAO,0BAA0B,EAEvDM,EAAW,IAAImB,EAAgBjB,EAAS,WAAWP,EAAK,KAAK,SAAS,aAAa,CAAC,EAC1F,GAAI,CAACK,EAAS,MAAO,CAGjB,GAFAN,EAAO,MAAM,sBAAsB,EAE/BM,EAAS,MACT,MAAAN,EAAO,KAAK,sBAAuBM,EAAS,KAAK,EAC3C,IAAIoB,EAAcpB,CAAQ,EAGpC,MAAO,CAAE,MAAO,OAAW,SAAAA,CAAS,CACxC,CAEA,IAAMG,EAAoB,MAAM,KAAK,SAAS,WAAWJ,EAAc,SAAW,KAAK,EAAEC,EAAS,KAAK,EACvG,GAAI,CAACG,EACD,MAAAT,EAAO,MAAM,IAAI,MAAM,oCAAoC,CAAC,EACtD,KAIV,MAAO,CAAE,MADK,MAAM2B,EAAM,kBAAkBlB,CAAiB,EAC7C,SAAAH,CAAS,CAC7B,CAEA,MAAa,uBAAuBL,EAAuC,CACvE,IAAMD,EAAS,KAAK,QAAQ,OAAO,wBAAwB,EAErD,CAAE,MAAArB,EAAO,SAAA2B,CAAS,EAAI,MAAM,KAAK,yBAAyBL,EAAK,EAAI,EACzE,OAAItB,GACAqB,EAAO,MAAM,kDAAkD,EAC/D,KAAK,WAAW,wBAAwBM,EAAU3B,CAAK,GAEvDqB,EAAO,MAAM,qDAAqD,EAG/DM,CACX,CAEO,iBAAiC,CACpC,YAAK,QAAQ,OAAO,iBAAiB,EAC9BqB,EAAM,gBAAgB,KAAK,SAAS,WAAY,KAAK,SAAS,sBAAsB,CAC/F,CAEA,MAAa,YAAYC,EAAeC,EAAwD,CAC5F,YAAK,QAAQ,OAAO,aAAa,EAC1B,MAAM,KAAK,aAAa,OAAO,CAClC,MAAAD,EACA,gBAAiBC,CACrB,CAAC,CACL,CACJ,EChUO,IAAMC,EAAN,KAAqB,CAMjB,YAA6BC,EAA2B,CAA3B,kBAAAA,EALpC,KAAiB,QAAU,IAAIC,EAAO,gBAAgB,EAyCtD,KAAU,OAAS,MACfC,GAIgB,CAChB,IAAMC,EAAgBD,EAAK,cAC3B,GAAI,CAACC,EACD,OAEJ,IAAMC,EAAS,KAAK,QAAQ,OAAO,QAAQ,EAW3C,GATIF,EAAK,SACL,KAAK,KAAOA,EAAK,QAAQ,IACzBE,EAAO,MAAM,gBAAiBD,EAAe,QAAS,KAAK,IAAI,IAG/D,KAAK,KAAO,OACZC,EAAO,MAAM,gBAAiBD,EAAe,kBAAkB,GAG/D,KAAK,oBAAqB,CAC1B,KAAK,oBAAoB,MAAMA,CAAa,EAC5C,MACJ,CAEA,GAAI,CACA,IAAME,EAAM,MAAM,KAAK,aAAa,gBAAgB,sBAAsB,EAC1E,GAAIA,EAAK,CACLD,EAAO,MAAM,mCAAmC,EAEhD,IAAME,EAAY,KAAK,aAAa,SAAS,UACvCC,EAAoB,KAAK,aAAa,SAAS,8BAC/CC,EAAc,KAAK,aAAa,SAAS,wBAEzCC,EAAqB,IAAIC,EAAmB,KAAK,UAAWJ,EAAWD,EAAKE,EAAmBC,CAAW,EAChH,MAAMC,EAAmB,KAAK,EAC9B,KAAK,oBAAsBA,EAC3BA,EAAmB,MAAMN,CAAa,CAC1C,MAEIC,EAAO,KAAK,+CAA+C,CAEnE,OACOO,EAAK,CAERP,EAAO,MAAM,oCAAqCO,aAAe,MAAQA,EAAI,QAAUA,CAAG,CAC9F,CACJ,EAEA,KAAU,MAAQ,IAAY,CAC1B,IAAMP,EAAS,KAAK,QAAQ,OAAO,OAAO,EAO1C,GANA,KAAK,KAAO,OAER,KAAK,qBACL,KAAK,oBAAoB,KAAK,EAG9B,KAAK,aAAa,SAAS,wBAAyB,CAIpD,IAAMQ,EAAc,YAAY,SAAY,CACxC,cAAcA,CAAW,EAEzB,GAAI,CACA,IAAMC,EAAU,MAAM,KAAK,aAAa,mBAAmB,EAC3D,GAAIA,EAAS,CACT,IAAMC,EAAU,CACZ,cAAeD,EAAQ,cACvB,QAASA,EAAQ,IAAM,CACnB,IAAKA,EAAQ,GACjB,EAAI,IACR,EACK,KAAK,OAAOC,CAAO,CAC5B,CACJ,OACOH,EAAK,CAERP,EAAO,MAAM,gCAAiCO,aAAe,MAAQA,EAAI,QAAUA,CAAG,CAC1F,CACJ,EAAG,GAAI,CACX,CACJ,EAEA,KAAU,UAAY,SAA2B,CAC7C,IAAMP,EAAS,KAAK,QAAQ,OAAO,WAAW,EAC9C,GAAI,CACA,IAAMS,EAAU,MAAM,KAAK,aAAa,mBAAmB,EACvDE,EAAa,GAEbF,GAAW,KAAK,oBACZA,EAAQ,MAAQ,KAAK,MACrBE,EAAa,GACb,KAAK,oBAAoB,MAAMF,EAAQ,aAAa,EAEpDT,EAAO,MAAM,4GAA6GS,EAAQ,aAAa,EAC/I,MAAM,KAAK,aAAa,OAAO,yBAAyB,GAGxDT,EAAO,MAAM,mCAAoCS,EAAQ,GAAG,EAIhET,EAAO,MAAM,kCAAkC,EAG/CW,EACI,KAAK,KACL,MAAM,KAAK,aAAa,OAAO,oBAAoB,EAGnD,MAAM,KAAK,aAAa,OAAO,mBAAmB,EAGtDX,EAAO,MAAM,kDAAkD,CAEvE,OACOO,EAAK,CACJ,KAAK,OACLP,EAAO,MAAM,oEAAqEO,CAAG,EACrF,MAAM,KAAK,aAAa,OAAO,oBAAoB,EAE3D,CACJ,EA/JSX,GACD,KAAK,QAAQ,MAAM,IAAI,MAAM,wBAAwB,CAAC,EAG1D,KAAK,aAAa,OAAO,cAAc,KAAK,MAAM,EAClD,KAAK,aAAa,OAAO,gBAAgB,KAAK,KAAK,EAEnD,KAAK,MAAM,EAAE,MAAOW,GAAiB,CAEjC,KAAK,QAAQ,MAAMA,CAAG,CAC1B,CAAC,CACL,CAEA,MAAgB,OAAuB,CACnC,KAAK,QAAQ,OAAO,OAAO,EAC3B,IAAMT,EAAO,MAAM,KAAK,aAAa,QAAQ,EAG7C,GAAIA,EACK,KAAK,OAAOA,CAAI,UAEhB,KAAK,aAAa,SAAS,wBAAyB,CACzD,IAAMW,EAAU,MAAM,KAAK,aAAa,mBAAmB,EAC3D,GAAIA,EAAS,CACT,IAAMC,EAAU,CACZ,cAAeD,EAAQ,cACvB,QAASA,EAAQ,IAAM,CACnB,IAAKA,EAAQ,GACjB,EAAI,IACR,EACK,KAAK,OAAOC,CAAO,CAC5B,CACJ,CACJ,CA+HJ,EClKO,IAAME,EAAN,MAAMC,CAAK,CAuCP,YAAYC,EAWhB,CAlEP,IAAAC,EAmEQ,KAAK,SAAWD,EAAK,SACrB,KAAK,eAAgBC,EAAAD,EAAK,gBAAL,KAAAC,EAAsB,KAC3C,KAAK,aAAeD,EAAK,aACzB,KAAK,cAAgBA,EAAK,cAE1B,KAAK,WAAaA,EAAK,WACvB,KAAK,MAAQA,EAAK,MAClB,KAAK,QAAUA,EAAK,QACpB,KAAK,WAAaA,EAAK,WACvB,KAAK,MAAQA,EAAK,UAClB,KAAK,UAAYA,EAAK,SAC1B,CAGA,IAAW,YAAiC,CACxC,GAAI,KAAK,aAAe,OAGxB,OAAO,KAAK,WAAaE,EAAM,aAAa,CAChD,CAEA,IAAW,WAAWC,EAA2B,CACzCA,IAAU,SACV,KAAK,WAAa,KAAK,MAAMA,CAAK,EAAID,EAAM,aAAa,EAEjE,CAGA,IAAW,SAA+B,CACtC,IAAME,EAAa,KAAK,WACxB,GAAIA,IAAe,OAGnB,OAAOA,GAAc,CACzB,CAGA,IAAW,QAAmB,CAxGlC,IAAAH,EAAAI,EAyGQ,OAAOA,GAAAJ,EAAA,KAAK,QAAL,YAAAA,EAAY,MAAM,OAAlB,KAAAI,EAA0B,CAAC,CACtC,CAEO,iBAA0B,CAC7B,WAAIC,EAAO,MAAM,EAAE,OAAO,iBAAiB,EACpC,KAAK,UAAU,CAClB,SAAU,KAAK,SACf,cAAe,KAAK,cACpB,aAAc,KAAK,aACnB,cAAe,KAAK,cACpB,WAAY,KAAK,WACjB,MAAO,KAAK,MACZ,QAAS,KAAK,QACd,WAAY,KAAK,UACrB,CAAC,CACL,CAEA,OAAc,kBAAkBC,EAA6B,CACzD,OAAAD,EAAO,aAAa,OAAQ,mBAAmB,EACxC,IAAIP,EAAK,KAAK,MAAMQ,CAAa,CAAC,CAC7C,CACJ,ECxHA,IAAMC,GAAgB,cAcAC,EAAf,KAAsD,CAAtD,cAEH,KAAmB,OAAS,IAAIC,EAAuB,2BAA2B,EAClF,KAAmB,iBAAmB,IAAI,IAE1C,KAAU,QAA8B,KAExC,MAAa,SAASC,EAAmD,CACrE,IAAMC,EAAS,KAAK,QAAQ,OAAO,UAAU,EAC7C,GAAI,CAAC,KAAK,QACN,MAAM,IAAI,MAAM,4CAA4C,EAGhEA,EAAO,MAAM,uBAAuB,EACpC,KAAK,QAAQ,SAAS,QAAQD,EAAO,GAAG,EAExC,GAAM,CAAE,IAAAE,EAAK,SAAAC,CAAS,EAAI,MAAM,IAAI,QAAqB,CAACC,EAASC,IAAW,CAC1E,IAAMC,EAAYC,GAAoB,CArClD,IAAAC,EAsCgB,IAAMC,EAAgCF,EAAE,KAClCG,GAASF,EAAAR,EAAO,eAAP,KAAAQ,EAAuB,OAAO,SAAS,OACtD,GAAI,EAAAD,EAAE,SAAWG,IAAUD,GAAA,YAAAA,EAAM,UAAWZ,IAI5C,IAAI,CACA,IAAMc,EAAQC,EAAS,WAAWH,EAAK,IAAKT,EAAO,aAAa,EAAE,IAAI,OAAO,EAI7E,GAHKW,GACDV,EAAO,KAAK,gCAAgC,EAE5CM,EAAE,SAAW,KAAK,SAAWI,IAAUX,EAAO,MAG9C,MAER,MACY,CACR,KAAK,SAAS,EACdK,EAAO,IAAI,MAAM,8BAA8B,CAAC,CACpD,CACAD,EAAQK,CAAI,EAChB,EACA,OAAO,iBAAiB,UAAWH,EAAU,EAAK,EAClD,KAAK,iBAAiB,IAAI,IAAM,OAAO,oBAAoB,UAAWA,EAAU,EAAK,CAAC,EACtF,KAAK,iBAAiB,IAAI,KAAK,OAAO,WAAYO,GAAW,CACzD,KAAK,SAAS,EACdR,EAAOQ,CAAM,CACjB,CAAC,CAAC,CACN,CAAC,EACD,OAAAZ,EAAO,MAAM,0BAA0B,EACvC,KAAK,SAAS,EAETE,GACD,KAAK,MAAM,EAGR,CAAE,IAAAD,CAAI,CACjB,CAIQ,UAAiB,CACrB,KAAK,QAAQ,OAAO,UAAU,EAE9B,QAAWY,KAAW,KAAK,iBACvBA,EAAQ,EAEZ,KAAK,iBAAiB,MAAM,CAChC,CAEA,OAAiB,cAAcC,EAAgBb,EAAaC,EAAW,GAAOa,EAAe,OAAO,SAAS,OAAc,CACvHD,EAAO,YAAY,CACf,OAAQlB,GACR,IAAAK,EACA,SAAAC,CACJ,EAAkBa,CAAY,CAClC,CACJ,ECxFO,IAAMC,GAAkD,CAC3D,SAAU,GACV,QAAS,GACT,OAAQ,IACR,+BAAgC,EACpC,EACaC,GAAqB,SAC5BC,GAAsD,GACtDC,GAAuC,EAChCC,GAAuC,GA4EvCC,EAAN,cAAuCC,CAAwB,CA+B3D,YAAYC,EAA2B,CAC1C,GAAM,CACF,mBAAAC,EAAqBD,EAAK,aAC1B,+BAAAE,EAAiCF,EAAK,yBACtC,oBAAAG,EAAsBV,GACtB,kBAAAW,EAAoBV,GACpB,eAAAW,EAAiB,SACjB,eAAAC,EAAiB,OAEjB,yBAAAC,EAA2BP,EAAK,yBAChC,mBAAAQ,EAAqBR,EAAK,mBAE1B,oBAAAS,EAAsBT,EAAK,aAC3B,8BAAAU,EAAgCb,GAChC,qBAAAc,EAAuB,GACvB,yBAAAC,EAA2B,GAC3B,4BAAAC,EAA8B,GAE9B,eAAAC,EAAiB,GACjB,wBAAAC,EAA0B,GAC1B,8BAAAC,EAAgCpB,GAChC,2BAAAqB,EAA6B,OAC7B,wBAAAC,EAA0B,GAE1B,iBAAAC,EAAmB,CAAC,eAAgB,eAAe,EACnD,sBAAAC,EAAwB,GACxB,8BAAAC,EAAgC,GAEhC,6CAAAC,EAA+C3B,GAE/C,UAAA4B,CACJ,EAAIvB,EAgCJ,GA9BA,MAAMA,CAAI,EAEV,KAAK,mBAAqBC,EAC1B,KAAK,+BAAiCC,EACtC,KAAK,oBAAsBC,EAC3B,KAAK,kBAAoBC,EACzB,KAAK,eAAiBC,EACtB,KAAK,eAAiBC,EAEtB,KAAK,yBAA2BC,EAChC,KAAK,mBAAqBC,EAE1B,KAAK,oBAAsBC,EAC3B,KAAK,8BAAgCC,EACrC,KAAK,qBAAuBC,EAC5B,KAAK,yBAA2BC,EAChC,KAAK,4BAA8BC,EAEnC,KAAK,eAAiBC,EACtB,KAAK,wBAA0BC,EAC/B,KAAK,8BAAgCC,EACrC,KAAK,wBAA0BE,EAC/B,KAAK,2BAA6BD,EAElC,KAAK,iBAAmBE,EACxB,KAAK,sBAAwBC,EAC7B,KAAK,8BAAgCC,EAErC,KAAK,6CAA+CC,EAEhDC,EACA,KAAK,UAAYA,MAEhB,CACD,IAAMC,EAAQ,OAAO,QAAW,YAAc,OAAO,eAAiB,IAAIC,EAC1E,KAAK,UAAY,IAAIC,EAAqB,CAAE,MAAAF,CAAM,CAAC,CACvD,CACJ,CACJ,EChLO,IAAMG,GAAN,MAAMC,UAAqBC,CAAoB,CAK3C,YAAY,CACf,8BAAAC,EAAgCC,EACpC,EAAuB,CACnB,MAAM,EAPV,KAAmB,QAAU,IAAIC,EAAO,cAAc,EAQlD,KAAK,kBAAoBF,EAEzB,KAAK,OAASF,EAAa,mBAAmB,EAC9C,KAAK,QAAU,KAAK,OAAO,aAC/B,CAEA,OAAe,oBAAwC,CACnD,IAAMK,EAAS,OAAO,SAAS,cAAc,QAAQ,EAGrD,OAAAA,EAAO,MAAM,WAAa,SAC1BA,EAAO,MAAM,SAAW,QACxBA,EAAO,MAAM,KAAO,UACpBA,EAAO,MAAM,IAAM,IACnBA,EAAO,MAAQ,IACfA,EAAO,OAAS,IAEhB,OAAO,SAAS,KAAK,YAAYA,CAAM,EAChCA,CACX,CAEA,MAAa,SAASC,EAAmD,CACrE,KAAK,QAAQ,MAAM,8BAA+B,KAAK,iBAAiB,EACxE,IAAMC,EAAQ,WAAW,IAAM,KAAK,KAAK,OAAO,MAAM,IAAIC,EAAa,qCAAqC,CAAC,EAAG,KAAK,kBAAoB,GAAI,EAC7I,YAAK,iBAAiB,IAAI,IAAM,aAAaD,CAAK,CAAC,EAE5C,MAAM,MAAM,SAASD,CAAM,CACtC,CAEO,OAAc,CAzDzB,IAAAG,EA0DY,KAAK,SACD,KAAK,OAAO,aACZ,KAAK,OAAO,iBAAiB,OAASC,GAAO,CA5D7D,IAAAD,EA6DoB,IAAME,EAAQD,EAAG,QACjBD,EAAAE,EAAM,aAAN,MAAAF,EAAkB,YAAYE,GACzB,KAAK,OAAO,MAAM,IAAI,MAAM,yBAAyB,CAAC,CAC/D,EAAG,EAAI,GACPF,EAAA,KAAK,OAAO,gBAAZ,MAAAA,EAA2B,SAAS,QAAQ,gBAEhD,KAAK,OAAS,MAElB,KAAK,QAAU,IACnB,CAEA,OAAc,aAAaG,EAAaC,EAA6B,CACjE,OAAO,MAAM,cAAc,OAAO,OAAQD,EAAK,GAAOC,CAAY,CACtE,CACJ,EChEO,IAAMC,GAAN,KAA4C,CAG/C,YAAoBC,EAAqC,CAArC,eAAAA,EAFpB,KAAiB,QAAU,IAAIC,EAAO,iBAAiB,CAEG,CAE1D,MAAa,QAAQ,CACjB,8BAAAC,EAAgC,KAAK,UAAU,6BACnD,EAA8C,CAC1C,OAAO,IAAIC,GAAa,CAAE,8BAAAD,CAA8B,CAAC,CAC7D,CAEA,MAAa,SAASE,EAA4B,CAC9C,KAAK,QAAQ,OAAO,UAAU,EAC9BD,GAAa,aAAaC,EAAK,KAAK,UAAU,wBAAwB,CAC1E,CACJ,EClBA,IAAMC,GAA8B,IAC9BC,GAAS,IAaFC,GAAN,cAA0BC,CAAoB,CAK1C,YAAY,CACf,kBAAAC,EAAoBC,GACpB,oBAAAC,EAAsB,CAAC,CAC3B,EAAsB,CAClB,MAAM,EARV,KAAmB,QAAU,IAAIC,EAAO,aAAa,EASjD,IAAMC,EAAgBC,GAAW,OAAO,CAAE,GAAGC,GAA4B,GAAGJ,CAAoB,CAAC,EACjG,KAAK,QAAU,OAAO,KAAK,OAAWF,EAAmBK,GAAW,UAAUD,CAAa,CAAC,EACxFF,EAAoB,gCAAkCA,EAAoB,+BAAiC,GAC3G,WAAW,IAAM,CACb,GAAI,CAAC,KAAK,SAAW,OAAO,KAAK,QAAQ,QAAW,WAAa,KAAK,QAAQ,OAAQ,CAC7E,KAAK,OAAO,MAAM,IAAI,MAAM,uBAAuB,CAAC,EACzD,MACJ,CAEA,KAAK,MAAM,CACf,EAAGA,EAAoB,+BAAiCL,EAAM,CAEtE,CAEA,MAAa,SAASU,EAAmD,CA9C7E,IAAAC,GA+CQA,EAAA,KAAK,UAAL,MAAAA,EAAc,QAEd,IAAMC,EAAsB,YAAY,IAAM,EACtC,CAAC,KAAK,SAAW,KAAK,QAAQ,SACzB,KAAK,OAAO,MAAM,IAAI,MAAM,sBAAsB,CAAC,CAEhE,EAAGb,EAA2B,EAC9B,YAAK,iBAAiB,IAAI,IAAM,cAAca,CAAmB,CAAC,EAE3D,MAAM,MAAM,SAASF,CAAM,CACtC,CAEO,OAAc,CACb,KAAK,UACA,KAAK,QAAQ,SACd,KAAK,QAAQ,MAAM,EACd,KAAK,OAAO,MAAM,IAAI,MAAM,cAAc,CAAC,IAGxD,KAAK,QAAU,IACnB,CAEA,OAAc,aAAaG,EAAaC,EAAyB,CAC7D,GAAI,CAAC,OAAO,OACR,MAAM,IAAI,MAAM,gDAAgD,EAEpE,OAAO,MAAM,cAAc,OAAO,OAAQD,EAAKC,CAAQ,CAC3D,CACJ,EChEO,IAAMC,GAAN,KAA2C,CAG9C,YAAoBC,EAAqC,CAArC,eAAAA,EAFpB,KAAiB,QAAU,IAAIC,EAAO,gBAAgB,CAEI,CAE1D,MAAa,QAAQ,CACjB,oBAAAC,EAAsB,KAAK,UAAU,oBACrC,kBAAAC,EAAoB,KAAK,UAAU,iBACvC,EAA4C,CACxC,OAAO,IAAIC,GAAY,CAAE,oBAAAF,EAAqB,kBAAAC,CAAkB,CAAC,CACrE,CAEA,MAAa,SAASE,EAAa,CAAE,SAAAC,EAAW,EAAM,EAAkB,CACpE,KAAK,QAAQ,OAAO,UAAU,EAE9BF,GAAY,aAAaC,EAAKC,CAAQ,CAC1C,CACJ,ECTO,IAAMC,GAAN,KAA8C,CAGjD,YAAoBC,EAAqC,CAArC,eAAAA,EAFpB,KAAiB,QAAU,IAAIC,EAAO,mBAAmB,CAEC,CAE1D,MAAa,QAAQ,CACjB,eAAAC,EAAiB,KAAK,UAAU,eAChC,eAAAC,EAAiB,KAAK,UAAU,cACpC,EAAqC,CA3BzC,IAAAC,EA4BQ,KAAK,QAAQ,OAAO,SAAS,EAC7B,IAAIC,EAAe,OAAO,KAEtBF,IAAmB,QACnBE,GAAeD,EAAA,OAAO,MAAP,KAAAA,EAAc,OAAO,MAGxC,IAAME,EAAWD,EAAa,SAASH,CAAc,EAAE,KAAKG,EAAa,QAAQ,EAC7EE,EACJ,MAAO,CACH,SAAU,MAAOC,GAA2B,CACxC,KAAK,QAAQ,OAAO,UAAU,EAE9B,IAAMC,EAAU,IAAI,QAAQ,CAACC,EAASC,IAAW,CAC7CJ,EAAQI,CACZ,CAAC,EACD,OAAAL,EAASE,EAAO,GAAG,EACZ,MAAOC,CAClB,EACA,MAAO,IAAM,CACT,KAAK,QAAQ,OAAO,OAAO,EAC3BF,GAAA,MAAAA,EAAQ,IAAI,MAAM,kBAAkB,GACpCF,EAAa,KAAK,CACtB,CACJ,CACJ,CAEA,MAAa,UAA0B,CAEvC,CACJ,ECtBO,IAAMO,GAAN,cAAgCC,CAAkB,CAU9C,YAAYC,EAAoC,CACnD,MAAM,CAAE,kCAAmCA,EAAS,4CAA6C,CAAC,EAVtG,KAAmB,QAAU,IAAIC,EAAO,mBAAmB,EAE3D,KAAiB,YAAc,IAAIC,EAAc,aAAa,EAC9D,KAAiB,cAAgB,IAAIA,EAAU,eAAe,EAC9D,KAAiB,kBAAoB,IAAIA,EAAe,oBAAoB,EAC5E,KAAiB,cAAgB,IAAIA,EAAU,gBAAgB,EAC/D,KAAiB,eAAiB,IAAIA,EAAU,iBAAiB,EACjE,KAAiB,oBAAsB,IAAIA,EAAU,sBAAsB,CAI3E,CAEA,MAAa,KAAKC,EAAYC,EAAW,GAAqB,CAC1D,MAAM,KAAKD,CAAI,EACXC,GACA,MAAM,KAAK,YAAY,MAAMD,CAAI,CAEzC,CACA,MAAa,QAAwB,CACjC,MAAM,OAAO,EACb,MAAM,KAAK,cAAc,MAAM,CACnC,CAKO,cAAcE,EAAoC,CACrD,OAAO,KAAK,YAAY,WAAWA,CAAE,CACzC,CAIO,iBAAiBA,EAA8B,CAClD,OAAO,KAAK,YAAY,cAAcA,CAAE,CAC5C,CAKO,gBAAgBA,EAAsC,CACzD,OAAO,KAAK,cAAc,WAAWA,CAAE,CAC3C,CAIO,mBAAmBA,EAAgC,CACtD,OAAO,KAAK,cAAc,cAAcA,CAAE,CAC9C,CAKO,oBAAoBA,EAA0C,CACjE,OAAO,KAAK,kBAAkB,WAAWA,CAAE,CAC/C,CAIO,uBAAuBA,EAAoC,CAC9D,OAAO,KAAK,kBAAkB,cAAcA,CAAE,CAClD,CAIA,MAAa,uBAAuBC,EAAyB,CACzD,MAAM,KAAK,kBAAkB,MAAMA,CAAC,CACxC,CAMO,gBAAgBD,EAAsC,CACzD,OAAO,KAAK,cAAc,WAAWA,CAAE,CAC3C,CAIO,mBAAmBA,EAAgC,CACtD,KAAK,cAAc,cAAcA,CAAE,CACvC,CAIA,MAAa,oBAAoC,CAC7C,MAAM,KAAK,cAAc,MAAM,CACnC,CAMO,iBAAiBA,EAAuC,CAC3D,OAAO,KAAK,eAAe,WAAWA,CAAE,CAC5C,CAIO,oBAAoBA,EAAiC,CACxD,KAAK,eAAe,cAAcA,CAAE,CACxC,CAIA,MAAa,qBAAqC,CAC9C,MAAM,KAAK,eAAe,MAAM,CACpC,CAMO,sBAAsBA,EAA4C,CACrE,OAAO,KAAK,oBAAoB,WAAWA,CAAE,CACjD,CAIO,yBAAyBA,EAAsC,CAClE,KAAK,oBAAoB,cAAcA,CAAE,CAC7C,CAIA,MAAa,0BAA0C,CACnD,MAAM,KAAK,oBAAoB,MAAM,CACzC,CACJ,EC1JO,IAAME,GAAN,KAAyB,CAKrB,YAAoBC,EAA2B,CAA3B,kBAAAA,EAJ3B,KAAU,QAAU,IAAIC,EAAO,oBAAoB,EACnD,KAAQ,WAAa,GACrB,KAAiB,YAAc,IAAIC,EAAM,oBAAoB,EAgC7D,KAAU,eAAsC,SAAY,CACxD,IAAMC,EAAS,KAAK,QAAQ,OAAO,gBAAgB,EACnD,GAAI,CACA,MAAM,KAAK,aAAa,aAAa,EACrCA,EAAO,MAAM,iCAAiC,CAClD,OACOC,EAAK,CACR,GAAIA,aAAeC,EAAc,CAE7BF,EAAO,KAAK,kCAAmCC,EAAK,aAAa,EACjE,KAAK,YAAY,KAAK,CAAC,EACvB,MACJ,CAEAD,EAAO,MAAM,2BAA4BC,CAAG,EAC5C,MAAM,KAAK,aAAa,OAAO,uBAAuBA,CAAY,CACtE,CACJ,CA/CuD,CAEvD,MAAa,OAAuB,CAChC,IAAMD,EAAS,KAAK,QAAQ,OAAO,OAAO,EAC1C,GAAI,CAAC,KAAK,WAAY,CAClB,KAAK,WAAa,GAClB,KAAK,aAAa,OAAO,uBAAuB,KAAK,cAAc,EACnE,KAAK,YAAY,WAAW,KAAK,cAAc,EAG/C,GAAI,CACA,MAAM,KAAK,aAAa,QAAQ,CAEpC,OACOC,EAAK,CAERD,EAAO,MAAM,gBAAiBC,CAAG,CACrC,CACJ,CACJ,CAEO,MAAa,CACZ,KAAK,aACL,KAAK,YAAY,OAAO,EACxB,KAAK,YAAY,cAAc,KAAK,cAAc,EAClD,KAAK,aAAa,OAAO,0BAA0B,KAAK,cAAc,EACtE,KAAK,WAAa,GAE1B,CAoBJ,ECtDO,IAAME,GAAN,KAAmB,CAUtB,YAAYC,EAQT,CACC,KAAK,cAAgBA,EAAK,cAC1B,KAAK,SAAWA,EAAK,SACrB,KAAK,cAAgBA,EAAK,cAC1B,KAAK,MAAQA,EAAK,MAClB,KAAK,QAAUA,EAAK,QAEpB,KAAK,KAAOA,EAAK,KAErB,CACJ,ECyCO,IAAMC,GAAN,KAAkB,CAad,YAAYC,EAA+BC,EAAgCC,EAA6BC,EAA8B,CAV7I,KAAmB,QAAU,IAAIC,EAAO,aAAa,EAWjD,KAAK,SAAW,IAAIC,EAAyBL,CAAQ,EAErD,KAAK,QAAU,IAAIM,GAAWN,CAAQ,EAEtC,KAAK,mBAAqBC,GAAA,KAAAA,EAAqB,IAAIM,GAAkB,KAAK,QAAQ,EAClF,KAAK,gBAAkBL,GAAA,KAAAA,EAAkB,IAAIM,GAAe,KAAK,QAAQ,EACzE,KAAK,iBAAmBL,GAAA,KAAAA,EAAmB,IAAIM,GAAgB,KAAK,QAAQ,EAE5E,KAAK,QAAU,IAAIC,GAAkB,KAAK,QAAQ,EAClD,KAAK,oBAAsB,IAAIC,GAAmB,IAAI,EAGlD,KAAK,SAAS,sBACd,KAAK,iBAAiB,EAG1B,KAAK,gBAAkB,KACnB,KAAK,SAAS,iBACd,KAAK,gBAAkB,IAAIC,EAAe,IAAI,EAGtD,CAKA,IAAW,QAA4B,CACnC,OAAO,KAAK,OAChB,CAKA,IAAW,iBAAmC,CAC1C,OAAO,KAAK,QAAQ,eACxB,CAOA,MAAa,SAAgC,CACzC,IAAMC,EAAS,KAAK,QAAQ,OAAO,SAAS,EACtCC,EAAO,MAAM,KAAK,UAAU,EAClC,OAAIA,GACAD,EAAO,KAAK,aAAa,EACzB,MAAM,KAAK,QAAQ,KAAKC,EAAM,EAAK,EAC5BA,IAGXD,EAAO,KAAK,2BAA2B,EAChC,KACX,CAOA,MAAa,YAA4B,CACrC,IAAMA,EAAS,KAAK,QAAQ,OAAO,YAAY,EAC/C,MAAM,KAAK,UAAU,IAAI,EACzBA,EAAO,KAAK,2BAA2B,EACvC,MAAM,KAAK,QAAQ,OAAO,CAC9B,CASA,MAAa,eAAeE,EAA2B,CAAC,EAAkB,CACtE,KAAK,QAAQ,OAAO,gBAAgB,EACpC,GAAM,CACF,eAAAC,EACA,GAAGC,CACP,EAAIF,EACEG,EAAS,MAAM,KAAK,mBAAmB,QAAQ,CAAE,eAAAF,CAAe,CAAC,EACvE,MAAM,KAAK,aAAa,CACpB,aAAc,OACd,GAAGC,CACP,EAAGC,CAAM,CACb,CAUA,MAAa,uBAAuBC,EAAM,OAAO,SAAS,KAAqB,CAC3E,IAAMN,EAAS,KAAK,QAAQ,OAAO,wBAAwB,EACrDC,EAAO,MAAM,KAAK,WAAWK,CAAG,EACtC,OAAIL,EAAK,SAAWA,EAAK,QAAQ,IAC7BD,EAAO,KAAK,6BAA8BC,EAAK,QAAQ,GAAG,EAG1DD,EAAO,KAAK,YAAY,EAGrBC,CACX,CAQA,MAAa,+BAA+B,CACxC,SAAAM,EACA,SAAAC,EACA,aAAAC,EAAe,EACnB,EAAsD,CAClD,IAAMT,EAAS,KAAK,QAAQ,OAAO,+BAA+B,EAE5DU,EAAiB,MAAM,KAAK,QAAQ,wCAAwC,CAAE,SAAAH,EAAU,SAAAC,EAAU,aAAAC,EAAc,iBAAkB,KAAK,SAAS,gBAAiB,CAAC,EACxKT,EAAO,MAAM,qBAAqB,EAElC,IAAMC,EAAO,MAAM,KAAK,WAAWS,CAAc,EACjD,OAAIT,EAAK,SAAWA,EAAK,QAAQ,IAC7BD,EAAO,KAAK,6BAA8BC,EAAK,QAAQ,GAAG,EAE1DD,EAAO,KAAK,YAAY,EAErBC,CACX,CAQA,MAAa,YAAYC,EAAwB,CAAC,EAAkB,CAChE,IAAMF,EAAS,KAAK,QAAQ,OAAO,aAAa,EAC1C,CACF,oBAAAW,EACA,kBAAAC,EACA,GAAGR,CACP,EAAIF,EACEI,EAAM,KAAK,SAAS,mBACrBA,GACDN,EAAO,MAAM,IAAI,MAAM,kCAAkC,CAAC,EAG9D,IAAMK,EAAS,MAAM,KAAK,gBAAgB,QAAQ,CAAE,oBAAAM,EAAqB,kBAAAC,CAAkB,CAAC,EACtFX,EAAO,MAAM,KAAK,QAAQ,CAC5B,aAAc,OACd,aAAcK,EACd,QAAS,QACT,GAAGF,CACP,EAAGC,CAAM,EACT,OAAIJ,IACIA,EAAK,SAAWA,EAAK,QAAQ,IAC7BD,EAAO,KAAK,6BAA8BC,EAAK,QAAQ,GAAG,EAG1DD,EAAO,KAAK,YAAY,GAIzBC,CACX,CASA,MAAa,oBAAoBK,EAAM,OAAO,SAAS,KAAMO,EAAW,GAAsB,CAC1F,IAAMb,EAAS,KAAK,QAAQ,OAAO,qBAAqB,EACxD,MAAM,KAAK,gBAAgB,SAASM,EAAK,CAAE,SAAAO,CAAS,CAAC,EACrDb,EAAO,KAAK,SAAS,CACzB,CAOA,MAAa,aAAaE,EAAyB,CAAC,EAAyB,CAzRjF,IAAAY,EA0RQ,IAAMd,EAAS,KAAK,QAAQ,OAAO,cAAc,EAC3C,CACF,8BAAAe,EACA,GAAGX,CACP,EAAIF,EAEAD,EAAO,MAAM,KAAK,UAAU,EAChC,GAAIA,GAAA,MAAAA,EAAM,cAAe,CACrBD,EAAO,MAAM,qBAAqB,EAClC,IAAMgB,EAAQ,IAAIC,GAAahB,CAAsB,EACrD,OAAO,MAAM,KAAK,iBAAiB,CAC/B,MAAAe,EACA,aAAcZ,EAAY,aAC1B,SAAUA,EAAY,SACtB,iBAAkBA,EAAY,iBAC9B,iBAAkBW,CACtB,CAAC,CACL,CAEA,IAAMT,EAAM,KAAK,SAAS,oBACrBA,GACDN,EAAO,MAAM,IAAI,MAAM,mCAAmC,CAAC,EAG/D,IAAIkB,EACAjB,GAAQ,KAAK,SAAS,2BACtBD,EAAO,MAAM,iCAAkCC,EAAK,QAAQ,GAAG,EAC/DiB,EAAYjB,EAAK,QAAQ,KAG7B,IAAMI,EAAS,MAAM,KAAK,iBAAiB,QAAQ,CAAE,8BAAAU,CAA8B,CAAC,EACpF,OAAAd,EAAO,MAAM,KAAK,QAAQ,CACtB,aAAc,OACd,aAAcK,EACd,OAAQ,OACR,cAAe,KAAK,SAAS,4BAA8BL,GAAA,YAAAA,EAAM,SAAW,OAC5E,GAAGG,CACP,EAAGC,EAAQa,CAAS,EAChBjB,KACIa,EAAAb,EAAK,UAAL,MAAAa,EAAc,IACdd,EAAO,KAAK,6BAA8BC,EAAK,QAAQ,GAAG,EAG1DD,EAAO,KAAK,YAAY,GAIzBC,CACX,CAEA,MAAgB,iBAAiBC,EAA2BiB,EAA2D,CACnH,IAAMC,EAAW,MAAM,KAAK,QAAQ,gBAAgB,CAChD,GAAGlB,EACH,iBAAkB,KAAK,SAAS,8BAChC,aAAAiB,CACJ,CAAC,EACKlB,EAAO,IAAIoB,EAAK,CAAE,GAAGnB,EAAK,MAAO,GAAGkB,CAAS,CAAC,EAEpD,aAAM,KAAK,UAAUnB,CAAI,EACzB,MAAM,KAAK,QAAQ,KAAKA,CAAI,EACrBA,CACX,CAWA,MAAa,qBAAqBK,EAAM,OAAO,SAAS,KAAqB,CACzE,IAAMN,EAAS,KAAK,QAAQ,OAAO,sBAAsB,EACzD,MAAM,KAAK,iBAAiB,SAASM,CAAG,EACxCN,EAAO,KAAK,SAAS,CACzB,CAWA,MAAa,eAAeM,EAAM,OAAO,SAAS,KAA4B,CAC1E,GAAM,CAAE,MAAAU,CAAM,EAAI,MAAM,KAAK,QAAQ,wBAAwBV,CAAG,EAChE,OAAQU,EAAM,aAAc,CACxB,IAAK,OACD,OAAO,MAAM,KAAK,uBAAuBV,CAAG,EAChD,IAAK,OACD,OAAO,MAAM,KAAK,oBAAoBA,CAAG,EAC7C,IAAK,OACD,OAAO,MAAM,KAAK,qBAAqBA,CAAG,EAC9C,QACI,MAAM,IAAI,MAAM,gCAAgC,CACxD,CACJ,CAWA,MAAa,gBAAgBA,EAAM,OAAO,SAAS,KAAMO,EAAW,GAAsB,CACtF,GAAM,CAAE,MAAAG,CAAM,EAAI,MAAM,KAAK,QAAQ,yBAAyBV,CAAG,EACjE,GAAKU,EAIL,OAAQA,EAAM,aAAc,CACxB,IAAK,OACD,MAAM,KAAK,wBAAwBV,CAAG,EACtC,MACJ,IAAK,OACD,MAAM,KAAK,qBAAqBA,EAAKO,CAAQ,EAC7C,MACJ,IAAK,OACD,MAAM,KAAK,sBAAsBP,CAAG,EACpC,MACJ,QACI,MAAM,IAAI,MAAM,gCAAgC,CACxD,CACJ,CAOA,MAAa,mBAAmBJ,EAA+B,CAAC,EAAkC,CAC9F,IAAMF,EAAS,KAAK,QAAQ,OAAO,oBAAoB,EACjD,CACF,8BAAAe,EACA,GAAGX,CACP,EAAIF,EACEI,EAAM,KAAK,SAAS,oBACrBA,GACDN,EAAO,MAAM,IAAI,MAAM,mCAAmC,CAAC,EAG/D,IAAMC,EAAO,MAAM,KAAK,UAAU,EAC5BI,EAAS,MAAM,KAAK,iBAAiB,QAAQ,CAAE,8BAAAU,CAA8B,CAAC,EAC9EO,EAAc,MAAM,KAAK,aAAa,CACxC,aAAc,OACd,aAAchB,EACd,OAAQ,OACR,cAAe,KAAK,SAAS,4BAA8BL,GAAA,YAAAA,EAAM,SAAW,OAC5E,cAAe,KAAK,SAAS,2BAC7B,MAAO,SACP,aAAc,GACd,GAAGG,CACP,EAAGC,CAAM,EACT,GAAI,CACA,IAAMK,EAAiB,MAAM,KAAK,QAAQ,sBAAsBY,EAAY,GAAG,EAG/E,OAFAtB,EAAO,MAAM,qBAAqB,EAE9BU,EAAe,eAAiBA,EAAe,QAAQ,KACvDV,EAAO,KAAK,sBAAuBU,EAAe,QAAQ,GAAG,EACtD,CACH,cAAeA,EAAe,cAC9B,IAAKA,EAAe,QAAQ,GAChC,IAGJV,EAAO,KAAK,iCAAiC,EACtC,KACX,OACOuB,EAAK,CACR,GAAI,KAAK,SAAS,yBAA2BA,aAAeC,EACxD,OAAQD,EAAI,MAAO,CACf,IAAK,iBACL,IAAK,mBACL,IAAK,uBACL,IAAK,6BACD,OAAAvB,EAAO,KAAK,4BAA4B,EACjC,CAEH,cAAeuB,EAAI,aACvB,CACR,CAEJ,MAAMA,CACV,CACJ,CAEA,MAAgB,QAAQrB,EAA+BG,EAAiBa,EAAmC,CACvG,IAAMI,EAAc,MAAM,KAAK,aAAapB,EAAMG,CAAM,EACxD,OAAO,MAAM,KAAK,WAAWiB,EAAY,IAAKJ,CAAS,CAC3D,CACA,MAAgB,aAAahB,EAA+BG,EAA4C,CACpG,IAAML,EAAS,KAAK,QAAQ,OAAO,cAAc,EAEjD,GAAI,CACA,IAAMyB,EAAgB,MAAM,KAAK,QAAQ,oBAAoBvB,CAAI,EACjE,OAAAF,EAAO,MAAM,oBAAoB,EAE1B,MAAMK,EAAO,SAAS,CACzB,IAAKoB,EAAc,IACnB,MAAOA,EAAc,MAAM,GAC3B,cAAeA,EAAc,MAAM,cACnC,aAAc,KAAK,SAAS,kBAChC,CAAC,CACL,OACOF,EAAK,CACR,MAAAvB,EAAO,MAAM,2DAA2D,EACxEK,EAAO,MAAM,EACPkB,CACV,CACJ,CACA,MAAgB,WAAWjB,EAAaY,EAAmC,CACvE,IAAMlB,EAAS,KAAK,QAAQ,OAAO,YAAY,EACzCU,EAAiB,MAAM,KAAK,QAAQ,sBAAsBJ,CAAG,EACnE,OAAAN,EAAO,MAAM,qBAAqB,EAErB,MAAM,KAAK,WAAWU,EAAgBQ,CAAS,CAEhE,CAEA,MAAgB,WAAWR,EAAgCQ,EAAoB,CAC3E,IAAMlB,EAAS,KAAK,QAAQ,OAAO,YAAY,EACzCC,EAAO,IAAIoB,EAAKX,CAAc,EACpC,GAAIQ,EAAW,CACX,GAAIA,IAAcjB,EAAK,QAAQ,IAC3B,MAAAD,EAAO,MAAM,0EAA2EC,EAAK,QAAQ,GAAG,EAClG,IAAIuB,EAAc,CAAE,GAAGd,EAAgB,MAAO,gBAAiB,CAAC,EAE1EV,EAAO,MAAM,gDAAgD,CACjE,CAEA,aAAM,KAAK,UAAUC,CAAI,EACzBD,EAAO,MAAM,aAAa,EAC1B,MAAM,KAAK,QAAQ,KAAKC,CAAI,EAErBA,CACX,CAOA,MAAa,gBAAgBC,EAA4B,CAAC,EAAkB,CACxE,IAAMF,EAAS,KAAK,QAAQ,OAAO,iBAAiB,EAC9C,CACF,eAAAG,EACA,GAAGC,CACP,EAAIF,EACEG,EAAS,MAAM,KAAK,mBAAmB,QAAQ,CAAE,eAAAF,CAAe,CAAC,EACvE,MAAM,KAAK,cAAc,CACrB,aAAc,OACd,yBAA0B,KAAK,SAAS,yBACxC,GAAGC,CACP,EAAGC,CAAM,EACTL,EAAO,KAAK,SAAS,CACzB,CAUA,MAAa,wBAAwBM,EAAM,OAAO,SAAS,KAAgC,CACvF,IAAMN,EAAS,KAAK,QAAQ,OAAO,yBAAyB,EACtDoB,EAAW,MAAM,KAAK,YAAYd,CAAG,EAC3C,OAAAN,EAAO,KAAK,SAAS,EACdoB,CACX,CAOA,MAAa,aAAalB,EAAyB,CAAC,EAAkB,CAClE,IAAMF,EAAS,KAAK,QAAQ,OAAO,cAAc,EAC3C,CACF,oBAAAW,EACA,kBAAAC,EACA,GAAGR,CACP,EAAIF,EACEI,EAAM,KAAK,SAAS,+BAEpBD,EAAS,MAAM,KAAK,gBAAgB,QAAQ,CAAE,oBAAAM,EAAqB,kBAAAC,CAAkB,CAAC,EAC5F,MAAM,KAAK,SAAS,CAChB,aAAc,OACd,yBAA0BN,EAM1B,MAAOA,GAAO,KAAO,OAAY,CAAC,EAClC,GAAGF,CACP,EAAGC,CAAM,EACTL,EAAO,KAAK,SAAS,CACzB,CAUA,MAAa,qBAAqBM,EAAM,OAAO,SAAS,KAAMO,EAAW,GAAsB,CAC3F,IAAMb,EAAS,KAAK,QAAQ,OAAO,sBAAsB,EACzD,MAAM,KAAK,gBAAgB,SAASM,EAAK,CAAE,SAAAO,CAAS,CAAC,EACrDb,EAAO,KAAK,SAAS,CACzB,CAEA,MAAgB,SAASE,EAAgCG,EAA2C,CAChG,IAAMiB,EAAc,MAAM,KAAK,cAAcpB,EAAMG,CAAM,EACzD,OAAO,MAAM,KAAK,YAAYiB,EAAY,GAAG,CACjD,CACA,MAAgB,cAAcpB,EAAiC,CAAC,EAAGG,EAA4C,CA/lBnH,IAAAS,EAgmBQ,IAAMd,EAAS,KAAK,QAAQ,OAAO,eAAe,EAElD,GAAI,CACA,IAAMC,EAAO,MAAM,KAAK,UAAU,EAClCD,EAAO,MAAM,kCAAkC,EAE3C,KAAK,SAAS,uBACd,MAAM,KAAK,gBAAgBC,CAAI,EAGnC,IAAMyB,EAAWxB,EAAK,eAAiBD,GAAQA,EAAK,SAChDyB,IACA1B,EAAO,MAAM,0CAA0C,EACvDE,EAAK,cAAgBwB,GAGzB,MAAM,KAAK,WAAW,EACtB1B,EAAO,MAAM,wCAAwC,EAErD,IAAM2B,EAAiB,MAAM,KAAK,QAAQ,qBAAqBzB,CAAI,EACnE,OAAAF,EAAO,MAAM,qBAAqB,EAE3B,MAAMK,EAAO,SAAS,CACzB,IAAKsB,EAAe,IACpB,OAAOb,EAAAa,EAAe,QAAf,YAAAb,EAAsB,GAC7B,aAAc,KAAK,SAAS,kBAChC,CAAC,CACL,OACOS,EAAK,CACR,MAAAvB,EAAO,MAAM,2DAA2D,EACxEK,EAAO,MAAM,EACPkB,CACV,CACJ,CACA,MAAgB,YAAYjB,EAAuC,CAC/D,IAAMN,EAAS,KAAK,QAAQ,OAAO,aAAa,EAC1C4B,EAAkB,MAAM,KAAK,QAAQ,uBAAuBtB,CAAG,EACrE,OAAAN,EAAO,MAAM,sBAAsB,EAE5B4B,CACX,CAOA,MAAa,cAAc1B,EAA0B,CAAC,EAAkB,CA/oB5E,IAAAY,EAgpBQ,IAAMd,EAAS,KAAK,QAAQ,OAAO,eAAe,EAC5C,CACF,8BAAAe,EACA,GAAGX,CACP,EAAIF,EAEE2B,EAAgB,KAAK,SAAS,+BAC7Bf,EAAA,MAAM,KAAK,UAAU,IAArB,YAAAA,EAAyB,SAC1B,OAEAR,EAAM,KAAK,SAAS,+BACpBD,EAAS,MAAM,KAAK,iBAAiB,QAAQ,CAAE,8BAAAU,CAA8B,CAAC,EACpF,MAAM,KAAK,SAAS,CAChB,aAAc,OACd,yBAA0BT,EAC1B,cAAeuB,EACf,GAAGzB,CACP,EAAGC,CAAM,EAETL,EAAO,KAAK,SAAS,CACzB,CAUA,MAAa,sBAAsBM,EAAM,OAAO,SAAS,KAAqB,CAC1E,IAAMN,EAAS,KAAK,QAAQ,OAAO,uBAAuB,EAC1D,MAAM,KAAK,iBAAiB,SAASM,CAAG,EACxCN,EAAO,KAAK,SAAS,CACzB,CAEA,MAAa,aAAa8B,EAA0C,CAChE,IAAM7B,EAAO,MAAM,KAAK,UAAU,EAClC,MAAM,KAAK,gBAAgBA,EAAM6B,CAAK,CAC1C,CAEA,MAAgB,gBAAgB7B,EAAmB6B,EAAQ,KAAK,SAAS,iBAAiC,CACtG,IAAM9B,EAAS,KAAK,QAAQ,OAAO,iBAAiB,EACpD,GAAI,CAACC,EAAM,OAEX,IAAM8B,EAAeD,EAAM,OAAOE,GAAQ,OAAO/B,EAAK+B,CAAI,GAAM,QAAQ,EAExE,GAAI,CAACD,EAAa,OAAQ,CACtB/B,EAAO,MAAM,sCAAsC,EACnD,MACJ,CAGA,QAAWgC,KAAQD,EACf,MAAM,KAAK,QAAQ,YACf9B,EAAK+B,CAAI,EACTA,CACJ,EACAhC,EAAO,KAAK,GAAGgC,CAAI,uBAAuB,EACtCA,IAAS,iBACT/B,EAAK+B,CAAI,EAAI,MAIrB,MAAM,KAAK,UAAU/B,CAAI,EACzBD,EAAO,MAAM,aAAa,EAC1B,MAAM,KAAK,QAAQ,KAAKC,CAAI,CAChC,CAKO,kBAAyB,CAC5B,KAAK,QAAQ,OAAO,kBAAkB,EACjC,KAAK,oBAAoB,MAAM,CACxC,CAKO,iBAAwB,CAC3B,KAAK,oBAAoB,KAAK,CAClC,CAEA,IAAc,eAAwB,CAClC,MAAO,QAAQ,KAAK,SAAS,SAAS,IAAI,KAAK,SAAS,SAAS,EACrE,CAEA,MAAgB,WAAkC,CAC9C,IAAMD,EAAS,KAAK,QAAQ,OAAO,WAAW,EACxCiC,EAAgB,MAAM,KAAK,SAAS,UAAU,IAAI,KAAK,aAAa,EAC1E,OAAIA,GACAjC,EAAO,MAAM,2BAA2B,EACjCqB,EAAK,kBAAkBY,CAAa,IAG/CjC,EAAO,MAAM,uBAAuB,EAC7B,KACX,CAEA,MAAa,UAAUC,EAAkC,CACrD,IAAMD,EAAS,KAAK,QAAQ,OAAO,WAAW,EAC9C,GAAIC,EAAM,CACND,EAAO,MAAM,cAAc,EAC3B,IAAMiC,EAAgBhC,EAAK,gBAAgB,EAC3C,MAAM,KAAK,SAAS,UAAU,IAAI,KAAK,cAAegC,CAAa,CACvE,MAEI,KAAK,QAAQ,MAAM,eAAe,EAClC,MAAM,KAAK,SAAS,UAAU,OAAO,KAAK,aAAa,CAE/D,CAKA,MAAa,iBAAiC,CAC1C,MAAM,KAAK,QAAQ,gBAAgB,CACvC,CACJ,ECrwBE,IAAAC,GAAW,QCIN,IAAMC,GAAkBC", "names": ["src_exports", "__export", "AccessTokenEvents", "CheckSessionIFrame", "ErrorResponse", "ErrorTimeout", "InMemoryWebStorage", "Log", "Logger", "MetadataService", "OidcClient", "OidcClientSettingsStore", "SessionMonitor", "SigninResponse", "SigninState", "SignoutResponse", "State", "User", "UserManager", "UserManagerSettingsStore", "Version", "WebStorageStateStore", "nopLogger", "level", "logger", "Log", "reset", "setLevel", "value", "setLogger", "Logger", "_Logger", "_name", "args", "err", "method", "methodLogger", "name", "staticMethod", "staticLogger", "prefix", "UUID_V4_TEMPLATE", "toBase64", "val", "chr", "CryptoUtils", "_CryptoUtils", "arr", "c", "code_verifier", "data", "hashed", "err", "Logger", "client_id", "client_secret", "Event", "_name", "Logger", "cb", "idx", "ev", "InvalidTokenError", "b64DecodeUnicode", "str", "m", "p", "code", "base64UrlDecode", "output", "jwtDecode", "token", "options", "pos", "part", "decoded", "e", "JwtUtils", "token", "jwtDecode", "err", "Logger", "PopupUtils", "features", "_a", "_b", "_c", "width", "value", "key", "Timer", "_Timer", "Event", "Logger", "diff", "durationInSeconds", "logger", "expiration", "timerDurationInSeconds", "UrlUtils", "url", "responseMode", "params", "URL_STATE_DELIMITER", "ErrorResponse", "args", "form", "_a", "_b", "_c", "Logger", "ErrorTimeout", "message", "AccessTokenEvents", "args", "Logger", "Timer", "container", "logger", "duration", "expiring", "expired", "cb", "CheckSessionIFrame", "_callback", "_client_id", "url", "_intervalInSeconds", "_stopOnError", "Logger", "parsedUrl", "resolve", "session_state", "send", "InMemoryWebStorage", "Logger", "key", "value", "index", "JsonService", "additionalContentTypes", "_jwtHandler", "_extraHeaders", "Logger", "input", "init", "timeoutInSeconds", "initFetch", "controller", "timeoutId", "err", "ErrorTimeout", "url", "token", "credentials", "logger", "headers", "response", "contentType", "item", "json", "ErrorResponse", "body", "basicAuth", "initCredentials", "extraHeaders", "responseText", "customKeys", "protectedHeaders", "headerName", "content", "MetadataService", "_settings", "Logger", "JsonService", "logger", "metadata", "optional", "name", "jwks_uri", "keySet", "WebStorageStateStore", "prefix", "store", "Logger", "key", "value", "item", "len", "keys", "index", "DefaultResponseType", "DefaultScope", "DefaultClientAuthentication", "DefaultStaleStateAgeInSeconds", "OidcClientSettingsStore", "authority", "metadataUrl", "metadata", "signingKeys", "metadataSeed", "client_id", "client_secret", "response_type", "scope", "redirect_uri", "post_logout_redirect_uri", "client_authentication", "prompt", "display", "max_age", "ui_locales", "acr_values", "resource", "response_mode", "filterProtocolClaims", "loadUserInfo", "staleStateAgeInSeconds", "mergeClaimsStrategy", "disablePKCE", "stateStore", "revokeTokenAdditionalContentTypes", "fetchRequestCredentials", "refreshTokenAllowedScope", "extraQueryParams", "extraTokenParams", "extraHeaders", "store", "InMemoryWebStorage", "WebStorageStateStore", "UserInfoService", "_settings", "_metadataService", "Logger", "responseText", "logger", "payload", "JwtUtils", "err", "JsonService", "token", "url", "claims", "TokenClient", "_settings", "_metadataService", "Logger", "JsonService", "grant_type", "redirect_uri", "client_id", "client_secret", "extraHeaders", "args", "logger", "params", "key", "value", "basicAuth", "CryptoUtils", "url", "response", "scope", "timeoutInSeconds", "param", "_a", "ResponseValidator", "_settings", "_metadataService", "_claimsService", "Logger", "UserInfoService", "TokenClient", "response", "state", "extraHeaders", "logger", "skipUserInfo", "_a", "_b", "hasIdToken", "ErrorResponse", "validateSub", "claims", "tokenResponse", "existingToken", "incoming", "JwtUtils", "existing", "State", "_State", "args", "CryptoUtils", "Timer", "Logger", "storageString", "storage", "age", "logger", "cutoff", "keys", "i", "key", "item", "remove", "state", "err", "SigninState", "_SigninState", "State", "args", "code_verifier", "CryptoUtils", "code_challenge", "Logger", "storageString", "data", "_SigninRequest", "args", "url", "authority", "client_id", "redirect_uri", "response_type", "scope", "state_data", "response_mode", "request_type", "client_secret", "nonce", "url_state", "resource", "skipUserInfo", "extraQueryParams", "extraTokenParams", "disablePKCE", "optionalParams", "state", "SigninState", "parsedUrl", "stateParam", "URL_STATE_DELIMITER", "r", "key", "value", "Logger", "SigninRequest", "OidcScope", "SigninResponse", "params", "splitState", "URL_STATE_DELIMITER", "Timer", "value", "_a", "SignoutRequest", "url", "state_data", "id_token_hint", "post_logout_redirect_uri", "extraQueryParams", "request_type", "client_id", "Logger", "parsedUrl", "State", "key", "value", "SignoutResponse", "params", "DefaultProtocolClaims", "InternalRequiredProtocolClaims", "ClaimsService", "_settings", "Logger", "claims", "result", "protocolClaims", "claim", "claims1", "claims2", "values", "mergedValues", "value", "OidcClient", "settings", "metadataService", "Logger", "OidcClientSettingsStore", "MetadataService", "ClaimsService", "ResponseValidator", "TokenClient", "state", "request", "request_uri", "request_type", "id_token_hint", "login_hint", "skipUserInfo", "nonce", "url_state", "response_type", "scope", "redirect_uri", "prompt", "display", "max_age", "ui_locales", "acr_values", "resource", "response_mode", "extraQueryParams", "extraTokenParams", "logger", "url", "signinRequest", "SigninRequest", "signinState", "removeState", "response", "SigninResponse", "UrlUtils", "storedStateString", "SigninState", "extraHeaders", "username", "password", "tokenResponse", "signinResponse", "timeoutInSeconds", "_a", "allowableScopes", "s", "result", "client_id", "post_logout_redirect_uri", "SignoutRequest", "signoutState", "SignoutResponse", "ErrorResponse", "State", "token", "type", "SessionMonitor", "_userManager", "Logger", "user", "session_state", "logger", "url", "client_id", "intervalInSeconds", "stopOnError", "checkSessionIFrame", "CheckSessionIFrame", "err", "timerHandle", "session", "tmpUser", "raiseEvent", "User", "_User", "args", "_a", "Timer", "value", "expires_in", "_b", "Logger", "storageString", "messageSource", "AbstractChildWindow", "Event", "params", "logger", "url", "keepOpen", "resolve", "reject", "listener", "e", "_a", "data", "origin", "state", "UrlUtils", "reason", "dispose", "parent", "targetOrigin", "DefaultPopupWindowFeatures", "DefaultPopupTarget", "DefaultAccessTokenExpiringNotificationTimeInSeconds", "DefaultCheckSessionIntervalInSeconds", "DefaultSilentRequestTimeoutInSeconds", "UserManagerSettingsStore", "OidcClientSettingsStore", "args", "popup_redirect_uri", "popup_post_logout_redirect_uri", "popupWindowFeatures", "popupWindowTarget", "redirectMethod", "redirectTarget", "iframeNotifyParentOrigin", "iframeScriptOrigin", "silent_redirect_uri", "silentRequestTimeoutInSeconds", "automaticSilentRenew", "validateSubOnSilentRenew", "includeIdTokenInSilentRenew", "monitorSession", "monitorAnonymousSession", "checkSessionIntervalInSeconds", "query_status_response_type", "stopCheckSessionOnError", "revokeTokenTypes", "revokeTokensOnSignout", "includeIdTokenInSilentSignout", "accessTokenExpiringNotificationTimeInSeconds", "userStore", "store", "InMemoryWebStorage", "WebStorageStateStore", "IFrameWindow", "_IFrameWindow", "AbstractChildWindow", "silentRequestTimeoutInSeconds", "DefaultSilentRequestTimeoutInSeconds", "Logger", "iframe", "params", "timer", "ErrorTimeout", "_a", "ev", "frame", "url", "targetOrigin", "IFrameNavigator", "_settings", "Logger", "silentRequestTimeoutInSeconds", "IFrameWindow", "url", "checkForPopupClosedInterval", "second", "PopupWindow", "AbstractChildWindow", "popupWindowTarget", "DefaultPopupTarget", "popupWindowFeatures", "Logger", "centeredPopup", "PopupUtils", "DefaultPopupWindowFeatures", "params", "_a", "popupClosedInterval", "url", "keepOpen", "PopupNavigator", "_settings", "Logger", "popupWindowFeatures", "popupWindowTarget", "PopupWindow", "url", "keepOpen", "RedirectNavigator", "_settings", "Logger", "redirectMethod", "redirectTarget", "_a", "targetWindow", "redirect", "abort", "params", "promise", "resolve", "reject", "UserManagerEvents", "AccessTokenEvents", "settings", "Logger", "Event", "user", "raiseEvent", "cb", "e", "SilentRenewService", "_userManager", "Logger", "Timer", "logger", "err", "ErrorTimeout", "RefreshState", "args", "UserManager", "settings", "redirectNavigator", "popupNavigator", "iframeNavigator", "Logger", "UserManagerSettingsStore", "OidcClient", "RedirectNavigator", "PopupNavigator", "IFrameNavigator", "UserManagerEvents", "SilentRenewService", "SessionMonitor", "logger", "user", "args", "redirectMethod", "requestArgs", "handle", "url", "username", "password", "skipUserInfo", "signinResponse", "popupWindowFeatures", "popupWindowTarget", "keepOpen", "_a", "silentRequestTimeoutInSeconds", "state", "RefreshState", "verifySub", "extraHeaders", "response", "User", "navResponse", "err", "ErrorResponse", "signinRequest", "id_token", "signoutRequest", "signoutResponse", "id_token_hint", "types", "typesPresent", "type", "storageString", "version", "Version", "version"] }