{"version":3,"file":"static/js/248.a6e8e2e2.chunk.js","mappings":"yjBAAO,MAAMA,UAA0BC,OAYvC,SAASC,EAAgBC,GACrB,IAAIC,EAASD,EAAIE,QAAQ,KAAM,KAAKA,QAAQ,KAAM,KAClD,OAAQD,EAAOE,OAAS,GACpB,KAAK,EACD,MACJ,KAAK,EACDF,GAAU,KACV,MACJ,KAAK,EACDA,GAAU,IACV,MACJ,QACI,MAAM,IAAIH,MAAM,8CAExB,IACI,OAxBR,SAA0BE,GACtB,OAAOI,mBAAmBC,KAAKL,GAAKE,QAAQ,QAAQ,CAACI,EAAGC,KACpD,IAAIC,EAAOD,EAAEE,WAAW,GAAGC,SAAS,IAAIC,cAIxC,OAHIH,EAAKL,OAAS,IACdK,EAAO,IAAMA,GAEV,IAAMA,CAAI,IAEzB,CAgBeI,CAAiBX,EAC5B,CACA,MAAOY,GACH,OAAOR,KAAKJ,EAChB,CACJ,CA9BAJ,EAAkBiB,UAAUC,KAAO,oBCanC,IAOIC,EACAC,EAoBaC,EA5BXC,EAAqB,CACvBC,MAAOA,KAAM,EACbC,KAAMA,KAAM,EACZC,KAAMA,KAAM,EACZC,MAAOA,KACX,GAUYC,EAAL,CAAKN,IACRA,EAAAA,EAAA,eACAA,EAAAA,EAAA,iBACAA,EAAAA,EAAA,eACAA,EAAAA,EAAA,eACAA,EAAAA,EAAA,iBALQA,GAAL,CAAKM,GAAA,KAaKN,EAAAM,IAAAA,EAAA,KACGC,MAAT,WACHT,EAAQ,EACRC,EAASE,CACb,EAEOD,EAASQ,SAAT,SAAkBC,GACrB,KAAM,GAAYA,GAASA,GAAS,GAChC,MAAM,IAAI7B,MAAM,qBAEpBkB,EAAQW,CACZ,EAEOT,EAASU,UAAT,SAAmBD,GACtBV,EAASU,CACb,EAQG,IAAME,EAAN,MAAMC,EAEFC,WAAAA,CAAoBC,GAAA,KAAAA,MAAAA,CAAgB,CAGpCZ,KAAAA,GACH,GAAIJ,GAAS,EAAW,SAAAiB,EAAAC,UAAA/B,OADZgC,EAAA,IAAAC,MAAAH,GAAAI,EAAA,EAAAA,EAAAJ,EAAAI,IAAAF,EAAAE,GAAAH,UAAAG,GAERpB,EAAOG,MAAMU,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC9D,CACJ,CACOd,IAAAA,GACH,GAAIL,GAAS,EAAU,SAAAyB,EAAAP,UAAA/B,OADZgC,EAAA,IAAAC,MAAAK,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAP,EAAAO,GAAAR,UAAAQ,GAEPzB,EAAOI,KAAKS,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC7D,CACJ,CACOb,IAAAA,GACH,GAAIN,GAAS,EAAU,SAAA2B,EAAAT,UAAA/B,OADZgC,EAAA,IAAAC,MAAAO,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAT,EAAAS,GAAAV,UAAAU,GAEP3B,EAAOK,KAAKQ,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC7D,CACJ,CACOZ,KAAAA,GACH,GAAIP,GAAS,EAAW,SAAA6B,EAAAX,UAAA/B,OADZgC,EAAA,IAAAC,MAAAS,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAX,EAAAW,GAAAZ,UAAAY,GAER7B,EAAOM,MAAMO,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC9D,CACJ,CAGOY,MAAMlC,GAET,MADA0B,KAAKhB,MAAMV,GACLA,CACV,CAEOmC,MAAAA,CAAOC,GACV,MAAMC,EAAuBC,OAAOH,OAAOT,MAG3C,OAFAW,EAAaV,QAAUS,EACvBC,EAAa9B,MAAM,SACZ8B,CACX,CAEA,mBAAcE,CAAarC,EA
AcsC,GACrC,MAAMC,EAAe,IAAIxB,EAAO,GAAGf,KAAQsC,KAE3C,OADAC,EAAalC,MAAM,SACZkC,CACX,CAEA,cAAehB,CAAQvB,EAAckC,GACjC,MAAMM,EAAS,IAAIxC,KACnB,OAAOkC,EAAS,GAAGM,KAAUN,KAAYM,CAC7C,CAIA,YAAcnC,CAAML,GAChB,GAAIC,GAAS,EAAW,SAAAwC,EAAAtB,UAAA/B,OADSgC,EAAA,IAAAC,MAAAoB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAtB,EAAAsB,EAAA,GAAAvB,UAAAuB,GAE7BxC,EAAOG,MAAMU,EAAOQ,QAAQvB,MAAUoB,EAC1C,CACJ,CACA,WAAcd,CAAKN,GACf,GAAIC,GAAS,EAAU,SAAA0C,EAAAxB,UAAA/B,OADSgC,EAAA,IAAAC,MAAAsB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAxB,EAAAwB,EAAA,GAAAzB,UAAAyB,GAE5B1C,EAAOI,KAAKS,EAAOQ,QAAQvB,MAAUoB,EACzC,CACJ,CACA,WAAcb,CAAKP,GACf,GAAIC,GAAS,EAAU,SAAA4C,EAAA1B,UAAA/B,OADSgC,EAAA,IAAAC,MAAAwB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAA1B,EAAA0B,EAAA,GAAA3B,UAAA2B,GAE5B5C,EAAOK,KAAKQ,EAAOQ,QAAQvB,MAAUoB,EACzC,CACJ,CACA,YAAcZ,CAAMR,GAChB,GAAIC,GAAS,EAAW,SAAA8C,EAAA5B,UAAA/B,OADSgC,EAAA,IAAAC,MAAA0B,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAA5B,EAAA4B,EAAA,GAAA7B,UAAA6B,GAE7B9C,EAAOM,MAAMO,EAAOQ,QAAQvB,MAAUoB,EAC1C,CACJ,GAIJX,EAAIC,QCpIG,IAAMuC,EAAN,MAEH,aAAcC,CAAOC,GACjB,IACI,OFoBL,SAAmBA,EAAOC,GAC7B,GAAqB,kBAAVD,EACP,MAAM,IAAIrE,EAAkB,6CAEhCsE,IAAYA,EAAU,CAAC,GACvB,MAAMC,GAAyB,IAAnBD,EAAQE,OAAkB,EAAI,EACpCC,EAAOJ,EAAMK,MAAM,KAAKH,GAC9B,GAAoB,kBAATE,EACP,MAAM,IAAIzE,EAAkB,0CAA0CuE,EAAM,KAEhF,IAAII,EACJ,IACIA,EAAUzE,EAAgBuE,EAC9B,CACA,MAAOG,GACH,MAAM,IAAI5E,EAAkB,qDAAqDuE,EAAM,MAAMK,EAAEC,WACnG,CACA,IACI,OAAOC,KAAKC,MAAMJ,EACtB,CACA,MAAOC,GACH,MAAM,IAAI5E,EAAkB,mDAAmDuE,EAAM,MAAMK,EAAEC,WACjG,CACJ,CE3CmBG,CAAqBX,EAChC,OACOrD,GAEH,MADAgB,EAAON,MAAM,kBAAmBV,GAC1BA,CACV,CACJ,CAEA,8BAAoBiE,CAAkBT,EAAgBU,EAAiBC,GACnE,MAEMC,EAAe,GAFCC,EAAYC,iBAAgB,IAAIC,aAAcC,OAAOV,KAAKW,UAAUjB,QACnEa,EAAYC,iBAAgB,IAAIC,aAAcC,OAAOV,KAAKW,UAAUP,OAGrFQ,QAAkBC,OAAOC,OAAOC,OAAOC,KACzC,CACI5E,KAAM,QACN6E,KAAM,CAAE7E,KAAM,YAElBiE,GACA,IAAII,aAAcC,OAAOJ,IAI7B,MAAO,GAAGA,KADeC,EAAYC,gBAAgB,IAAIU,WAAWN,KAExE,GCxBEO,EAAYC,GACdC,KAAK,IAAI,IAAIH,WAAWE,IACnBE,KAAKC,GAAQC,OAAOC,aAAaF,KACjCG,KAAK,KAKDC,EAAN,M
AAMA,EACT,kBAAeC,GACX,MAAMC,EAAM,IAAIC,YAAY,GAE5B,OADAhB,OAAOiB,gBAAgBF,GAChBA,EAAI,EACf,CAKA,qBAAcG,GAIV,MAxBiB,uCAqBazG,QAAQ,UAAU0G,KAC1CA,EAAIN,EAAYC,cAAgB,KAAOK,EAAI,GAAGlG,SAAS,MAEjDR,QAAQ,KAAM,GAC9B,CAKA,2BAAc2G,GACV,OAAOP,EAAYK,iBAAmBL,EAAYK,iBAAmBL,EAAYK,gBACrF,CAKA,kCAAoBG,CAAsBC,GACtC,IAAKtB,OAAOC,OACR,MAAM,IAAI5F,MAAM,+DAGpB,IACI,MACMkH,GADU,IAAI5B,aACCC,OAAO0B,GACtBE,QAAexB,OAAOC,OAAOwB,OAAO,UAAWF,GACrD,OAAOlB,EAASmB,GAAQ/G,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KAAKA,QAAQ,MAAO,GACnF,OACOW,GAEH,MADAgB,EAAON,MAAM,oCAAqCV,GAC5CA,CACV,CACJ,CAKA,wBAAcsG,CAAkBC,EAAmBC,GAC/C,MACML,GADU,IAAI5B,aACCC,OAAO,CAAC+B,EAAWC,GAAehB,KAAK,MAC5D,OAAOP,EAASkB,EACpB,CAOA,iBAAoBpB,CAAK0B,EAAa5C,GAClC,MAAM6C,GAAW,IAAInC,aAAcC,OAAOX,GACpC8C,QAAmB/B,OAAOC,OAAOwB,OAAOI,EAAKC,GACnD,OAAO,IAAI1B,WAAW2B,EAC1B,CAaA,yCAAoBC,CAA6BC,GAC7C,IAAIC,EACJ,OAAQD,EAAIE,KACR,IAAK,MACDD,EAAa,CACT,EAAKD,EAAIjD,EACT,IAAOiD,EAAIE,IACX,EAAKF,EAAIG,GAEb,MACJ,IAAK,KACDF,EAAa,CACT,IAAOD,EAAII,IACX,IAAOJ,EAAIE,IACX,EAAKF,EAAIK,EACT,EAAKL,EAAIM,GAEb,MACJ,IAAK,MACDL,EAAa,CACT,IAAOD,EAAII,IACX,IAAOJ,EAAIE,IACX,EAAKF,EAAIK,GAEb,MACJ,IAAK,MACDJ,EAAa,CACT,IAAOD,EAAIO,EACX,IAAOP,EAAIE,KAEf,MACJ,QACI,MAAM,IAAI9H,MAAM,oBAExB,MAAMoI,QAA6B5B,EAAYV,KAAK,UAAWjB,KAAKW,UAAUqC,IAC9E,OAAOrB,EAAYnB,gBAAgB+C,EACvC,CAEA,8BAAoBC,CAAAC,GAMuB,IACnCC,EACAC,GAR8B,IAClCC,EAAA,YACAC,EAAA,WACAC,EAAA,QACAC,EAAA,MACAC,GACJP,EAII,MAAMrD,EAA2C,CAC7C,IAAOS,OAAOC,OAAOmD,aACrB,IAAO,MAAAH,EAAAA,EAAc,MACrB,IAAOF,EACP,IAAOM,KAAKC,MAAMC,KAAKC,MAAQ,MAG/BR,IACAH,QAAoB/B,EAAYV,KAAK,UAAW4C,GAChDF,EAAchC,EAAYnB,gBAAgBkD,GAC1CtD,EAAQkE,IAAMX,GAGdK,IACA5D,EAAQ4D,MAAQA,GAGpB,IACI,MAAMO,QAAkBzD,OAAOC,OAAOyD,UAAU,MAAOT,EAAQU,WACzD/E,EAAS,CACX,IAAO,QACP,IAAO,WACP,IAAO,CACH,IAAO6E,EAAUpB,IACjB,IAAOoB,EAAUtB,IACjB,EAAKsB,EAAUnB,EACf,EAAKmB,EAAUlB,IAGvB,aAAahE,EAASc,kBAAkBT,EAAQU,EAAS2D,EAAQ1D,WACrE,CAAE,MAAOnE,GACL,MAAIA,aAAewI,UACT,IAAIvJ,MAAM,oCAAoCe,EAAI6D,WAElD7D,CAEd,CACJ,CAEA,4BAAoByI,CAAgBZ,GAChC,IACI,MAAMQ,QAAkBzD,OAAOC,OAAOyD,UAAU,MAAOT,EAAQU,WAC/D,aAAa9C,EAA
YmB,6BAA6ByB,EAC1D,CAAE,MAAOrI,GACL,MAAIA,aAAewI,UACT,IAAIvJ,MAAM,8CAA8Ce,EAAI6D,WAE5D7D,CAEd,CACJ,CAEA,6BAAoB0I,GAChB,aAAa/D,OAAOC,OAAOC,OAAO8D,YAC9B,CACIzI,KAAM,QACN0I,WAAY,UAEhB,EACA,CAAC,OAAQ,UAEjB,GAxLSnD,EAmEKnB,gBAAmBuE,GACtB5D,EAAS4D,GAAOxJ,QAAQ,KAAM,IAAIA,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KApE7E,IAAMgF,EAANoB,ECRMqD,EAAN,MAKI5H,WAAAA,CAA+BC,GAAA,KAAAA,MAAAA,EAFtC,KAAiB4H,WAAyC,GAGtDrH,KAAKsH,QAAU,IAAIhI,EAAO,UAAUU,KAAKP,UAC7C,CAEO8H,UAAAA,CAAWC,GAEd,OADAxH,KAAKqH,WAAWI,KAAKD,GACd,IAAMxH,KAAK0H,cAAcF,EACpC,CAEOE,aAAAA,CAAcF,GACjB,MAAMG,EAAM3H,KAAKqH,WAAWO,YAAYJ,GACpCG,GAAO,GACP3H,KAAKqH,WAAWQ,OAAOF,EAAK,EAEpC,CAEA,WAAaG,GAAuC,QAAAC,EAAApI,UAAA/B,OAA9BoK,EAAA,IAAAnI,MAAAkI,GAAAE,EAAA,EAAAA,EAAAF,EAAAE,IAAAD,EAAAC,GAAAtI,UAAAsI,GAClBjI,KAAKsH,QAAQzI,MAAM,YAAamJ,GAChC,IAAK,MAAMR,KAAMxH,KAAKqH,iBACZG,KAAMQ,EAEpB,GCjBSE,EAAN,MAMH,aAAOC,CAAAC,GAAkE,OAAtDC,GAASD,EA5BhC,IAAAE,EAkCQ,OALsB,MAAlBD,EAASE,QACTF,EAASE,MAAQ,OAAAD,EAAA,CAAC,IAAK,IAAK,IAAK,KAAKE,MAAKD,GAASA,GAAStF,OAAOwF,WAAa,SAAhEH,EAA0E,KAC/F,MAAAD,EAASK,OAATL,EAASK,KAASpC,KAAKqC,IAAI,EAAGrC,KAAKsC,MAAM3F,OAAO4F,SAAW5F,OAAOwF,WAAaJ,EAASE,OAAS,KAC1E,MAAnBF,EAASS,SACT,MAAAT,EAASU,MAATV,EAASU,IAAQzC,KAAKqC,IAAI,EAAGrC,KAAKsC,MAAM3F,OAAO+F,SAAW/F,OAAOgG,YAAcZ,EAASS,QAAU,MAC/FT,CACX,CAEA,gBAAOa,CAAUb,GACb,OAAOzH,OAAOuI,QAAQd,GACjBe,QAAOC,IAAA,IAAE,CAAEjK,GAAKiK,EAAA,OAAe,MAATjK,CAAa,IACnCsE,KAAI4F,IAAA,IAAEC,EAAKnK,GAAKkK,EAAA,MAAM,GAAGC,KAAwB,mBAAVnK,EAAsBA,EAAkBA,EAAQ,MAAQ,MAAM,IACrG0E,KAAK,IACd,GCjCS0F,EAAN,MAAMC,UAAcrC,EAApB5H,WAAAA,GAAA,SAAAG,WACH,KAAmB2H,QAAU,IAAIhI,EAAO,UAAUU,KAAKP,WACvD,KAAQiK,aAAsD,KAC9D,KAAQC,YAAc,EAyCtB,KAAUC,UAAY,KAClB,MAAMC,EAAO7J,KAAK2J,YAAcF,EAAMK,eACtC9J,KAAKsH,QAAQzI,MAAM,qBAAsBgL,GAErC7J,KAAK2J,aAAeF,EAAMK,iBAC1B9J,KAAK+J,SACAC,MAAMlC,QACf,CACJ,CA9CA,mBAAcgC,GACV,OAAOxD,KAAKC,MAAMC,KAAKC,MAAQ,IACnC,CAEOwD,IAAAA,CAAKC,GACR,MAAMC,EAASnK,KAAKsH,QAAQ7G,OAAO,QACnCyJ,EAAoB5D,KAAKqC,IAAIrC,KAAKC,MAAM2D,GAAoB,GAC5D,MAAME,EAAaX,EAAMK,eAAiBI,EAC1C,GAAIlK,KAAKoK,aAAeA,GAAcpK,KAAK0J,aAGvC,YADAS,E
AAOtL,MAAM,uDAAwDmB,KAAKoK,YAI9EpK,KAAK+J,SAELI,EAAOtL,MAAM,iBAAkBqL,GAC/BlK,KAAK2J,YAAcS,EAKnB,MAAMC,EAAyB/D,KAAKgE,IAAIJ,EAAmB,GAC3DlK,KAAK0J,aAAea,YAAYvK,KAAK4J,UAAoC,IAAzBS,EACpD,CAEA,cAAWD,GACP,OAAOpK,KAAK2J,WAChB,CAEOI,MAAAA,GACH/J,KAAKsH,QAAQ7G,OAAO,UAChBT,KAAK0J,eACLc,cAAcxK,KAAK0J,cACnB1J,KAAK0J,aAAe,KAE5B,GC7CSe,EAAN,MACH,iBAAcC,CAAW1E,GAA4E,IAA/D2E,EAAAhL,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAqC,QACvE,IAAKqG,EAAK,MAAM,IAAIc,UAAU,eAE9B,MACM+D,EADY,IAAIC,IAAI9E,EAAK,oBACW,aAAjB2E,EAA8B,OAAS,UAChE,OAAO,IAAII,gBAAgBF,EAAOG,MAAM,GAC5C,GCFSC,EAAN,cAA4B1N,MAqBxBiC,WAAAA,CACHI,EAKgBsL,GAtCxB,IAAA5C,EAAA6C,EAAAC,EA0CQ,GAFApB,MAAMpK,EAAKyL,mBAAqBzL,EAAKZ,OAAS,IAF9B,KAAAkM,KAAAA,EAzBpB,KAAgB1M,KAAe,iBA6BtBoB,EAAKZ,MAEN,MADAM,EAAON,MAAM,gBAAiB,mBACxB,IAAIzB,MAAM,mBAGpByC,KAAKhB,MAAQY,EAAKZ,MAClBgB,KAAKqL,kBAAoB,OAAA/C,EAAA1I,EAAKyL,mBAAL/C,EAA0B,KACnDtI,KAAKsL,UAAY,OAAAH,EAAAvL,EAAK0L,WAALH,EAAkB,KAEnCnL,KAAKuL,MAAQ3L,EAAK4L,UAClBxL,KAAKyL,cAAgB,OAAAL,EAAAxL,EAAK6L,eAALL,EAAsB,KAC3CpL,KAAK0L,UAAY9L,EAAK8L,SAC1B,GC9CSC,EAAN,cAA2BpO,MAIvBiC,WAAAA,CAAY2C,GACf6H,MAAM7H,GAHV,KAAgB3D,KAAe,cAI/B,GCASoN,EAAN,MAOIpM,WAAAA,CAAYI,GANnB,KAAmB0H,QAAU,IAAIhI,EAAO,qBAExC,KAAiBuM,eAAiB,IAAIrC,EAAM,yBAC5C,KAAiBsC,cAAgB,IAAItC,EAAM,wBAIvCxJ,KAAK+L,mCAAqCnM,EAAKoM,iCACnD,CAEOC,IAAAA,CAAKC,GACR,MAAM/B,EAASnK,KAAKsH,QAAQ7G,OAAO,QAEnC,GAAIyL,EAAUC,mBAAyC,IAAzBD,EAAUE,WAA0B,CAC9D,MAAMC,EAAWH,EAAUE,WAG3B,GAFAjC,EAAOtL,MAAM,4CAA6CwN,GAEtDA,EAAW,EAAG,CAEd,IAAIC,EAAWD,EAAWrM,KAAK+L,mCAC3BO,GAAY,IACZA,EAAW,GAGfnC,EAAOtL,MAAM,yCAA0CyN,EAAU,WACjEtM,KAAK6L,eAAe5B,KAAKqC,EAC7B,MAEInC,EAAOtL,MAAM,oEACbmB,KAAK6L,eAAe9B,SAIxB,MAAMwC,EAAUF,EAAW,EAC3BlC,EAAOtL,MAAM,wCAAyC0N,EAAS,WAC/DvM,KAAK8L,cAAc7B,KAAKsC,EAC5B,MAEIvM,KAAK6L,eAAe9B,SACpB/J,KAAK8L,cAAc/B,QAE3B,CAEOyC,MAAAA,GACHxM,KAAKsH,QAAQzI,MAAM,kDACnBmB,KAAK6L,eAAe9B,SACpB/J,KAAK8L,cAAc/B,QACvB,CAKO0C,sBAAAA,CAAuBjF,GAC1B,OAAOxH,KAAK6L,eAAetE,WAAWC,EAC1C,CAIOkF,yBAAAA,CAA0BlF,GAC7BxH,KAAK6L,eAAenE,cAAcF,EACtC,CAKOmF,qBAAAA,CAAsBnF,GACzB,OAAO
xH,KAAK8L,cAAcvE,WAAWC,EACzC,CAIOoF,wBAAAA,CAAyBpF,GAC5BxH,KAAK8L,cAAcpE,cAAcF,EACrC,GChFSqF,EAAN,MAOIrN,WAAAA,CACKoK,EACAkD,EACR9G,EACQ+G,EACAC,GAJA,KAAApD,UAAAA,EACA,KAAAkD,WAAAA,EAEA,KAAAC,mBAAAA,EACA,KAAAC,aAAAA,EAXZ,KAAiB1F,QAAU,IAAIhI,EAAO,sBAGtC,KAAQ2N,OAAgD,KACxD,KAAQC,eAAgC,KAmCxC,KAAQC,SAAYjL,IACZA,EAAEkL,SAAWpN,KAAKqN,eAClBnL,EAAEoL,SAAWtN,KAAKuN,OAAOC,gBAEV,UAAXtL,EAAEuC,MACFzE,KAAKsH,QAAQtI,MAAM,8CACfgB,KAAKgN,cACLhN,KAAKyN,QAGO,YAAXvL,EAAEuC,MACPzE,KAAKsH,QAAQzI,MAAM,gDACnBmB,KAAKyN,OACAzN,KAAK4J,aAGV5J,KAAKsH,QAAQzI,MAAMqD,EAAEuC,KAAO,yCAEpC,EA5CA,MAAMiJ,EAAY,IAAI5C,IAAI9E,GAC1BhG,KAAKqN,cAAgBK,EAAUN,OAE/BpN,KAAKuN,OAAStK,OAAO0K,SAASC,cAAc,UAG5C5N,KAAKuN,OAAOM,MAAMC,WAAa,SAC/B9N,KAAKuN,OAAOM,MAAME,SAAW,QAC7B/N,KAAKuN,OAAOM,MAAMnF,KAAO,UACzB1I,KAAKuN,OAAOM,MAAM9E,IAAM,IACxB/I,KAAKuN,OAAOhF,MAAQ,IACpBvI,KAAKuN,OAAOzE,OAAS,IACrB9I,KAAKuN,OAAOS,IAAMN,EAAUO,IAChC,CAEOhC,IAAAA,GACH,OAAO,IAAIiC,SAAeC,IACtBnO,KAAKuN,OAAOa,OAAS,KACjBD,GAAS,EAGblL,OAAO0K,SAASU,KAAKC,YAAYtO,KAAKuN,QACtCtK,OAAOsL,iBAAiB,UAAWvO,KAAKmN,UAAU,EAAM,GAEhE,CAuBOqB,KAAAA,CAAM/C,GACT,GAAIzL,KAAKkN,iBAAmBzB,EACxB,OAGJzL,KAAKsH,QAAQ7G,OAAO,SAEpBT,KAAKyN,OAELzN,KAAKkN,eAAiBzB,EAEtB,MAAMgD,EAAOA,KACJzO,KAAKuN,OAAOC,eAAkBxN,KAAKkN,gBAIxClN,KAAKuN,OAAOC,cAAckB,YAAY1O,KAAK8M,WAAa,IAAM9M,KAAKkN,eAAgBlN,KAAKqN,cAAc,EAI1GoB,IAGAzO,KAAKiN,OAAS1C,YAAYkE,EAAgC,IAA1BzO,KAAK+M,mBACzC,CAEOU,IAAAA,GACHzN,KAAKsH,QAAQ7G,OAAO,QACpBT,KAAKkN,eAAiB,KAElBlN,KAAKiN,SAELzC,cAAcxK,KAAKiN,QACnBjN,KAAKiN,OAAS,KAEtB,GChGS0B,EAAN,MAAAnP,WAAAA,GACH,KAAiB8H,QAAU,IAAIhI,EAAO,sBACtC,KAAQsP,MAAgC,CAAC,EAElCC,KAAAA,GACH7O,KAAKsH,QAAQ7G,OAAO,SACpBT,KAAK4O,MAAQ,CAAC,CAClB,CAEOE,OAAAA,CAAQvF,GAEX,OADAvJ,KAAKsH,QAAQ7G,OAAO,YAAY8I,OACzBvJ,KAAK4O,MAAMrF,EACtB,CAEOwF,OAAAA,CAAQxF,EAAanK,GACxBY,KAAKsH,QAAQ7G,OAAO,YAAY8I,OAChCvJ,KAAK4O,MAAMrF,GAAOnK,CACtB,CAEO4P,UAAAA,CAAWzF,GACdvJ,KAAKsH,QAAQ7G,OAAO,eAAe8I,cAC5BvJ,KAAK4O,MAAMrF,EACtB,CAEA,UAAW3L,GACP,OAAOgD,OAAOqO,oBAAoBjP,KAAK4O,OAAOhR,MAClD,CAEO2L,GAAAA,CAAI2F,GACP,OAAOtO,OAAOqO,o
BAAoBjP,KAAK4O,OAAOM,EAClD,GCtCSC,EAAN,cAA6B5R,MAKzBiC,WAAAA,CAAY4G,EAAejE,GAC9B6H,MAAM7H,GAJV,KAAgB3D,KAAe,iBAK3BwB,KAAKoG,MAAQA,CACjB,GC4BSgJ,EAAN,MAKI5P,WAAAA,GAIL,IAHE6P,EAAA1P,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAmC,GAC3B2P,EAAA3P,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAiC,KACjC4P,EAAA5P,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA6C,CAAC,EAD9C,KAAA2P,YAAAA,EACA,KAAAC,cAAAA,EAPZ,KAAiBjI,QAAU,IAAIhI,EAAO,eAEtC,KAAQkQ,cAA0B,GAO9BxP,KAAKwP,cAAc/H,QAAQ4H,EAAwB,oBAC/CC,GACAtP,KAAKwP,cAAc/H,KAAK,kBAEhC,CAEA,sBAAgBgI,CAAiBtI,GAA4E,IAAxD8C,EAAAtK,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAoD,CAAC,EACtG,MAAM,iBAAE+P,KAAqBC,GAAc1F,EAC3C,IAAKyF,EACD,aAAaE,MAAMzI,EAAOwI,GAG9B,MAAME,EAAa,IAAIC,gBACjBC,EAAYC,YAAW,IAAMH,EAAWI,SAA4B,IAAnBP,GAEvD,IAKI,aAJuBE,MAAMzI,EAAO,IAC7B8C,EACHiG,OAAQL,EAAWK,QAG3B,OACO5R,GACH,GAAIA,aAAe6R,cAA6B,eAAb7R,EAAIE,KACnC,MAAM,IAAImN,EAAa,qBAE3B,MAAMrN,CACV,SAEI8R,aAAaL,EACjB,CACJ,CAEA,aAAaM,CAAQrK,GAIkC,IAJrB,MAC9BrE,EAAA,YACA2O,EAAA,iBACAZ,GACJ/P,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAiB,CAAC,EACd,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,WAC7B8P,EAAuB,CACzB,OAAUvQ,KAAKwP,cAAc1L,KAAK,OAStC,IAAI0M,EAPA7O,IACAwI,EAAOtL,MAAM,8CACb0R,EAAuB,cAAI,UAAY5O,GAG3C3B,KAAKyQ,mBAAmBF,GAGxB,IACIpG,EAAOtL,MAAM,OAAQmH,GACrBwK,QAAiBxQ,KAAKyP,iBAAiBzJ,EAAK,CAAEtF,OAAQ,MAAO6P,UAASb,mBAAkBY,eAC5F,OACOhS,GAEH,MADA6L,EAAOnL,MAAM,iBACPV,CACV,CAEA6L,EAAOtL,MAAM,iCAAkC2R,EAASE,QACxD,MAAMC,EAAcH,EAASD,QAAQK,IAAI,gBAIzC,GAHID,IAAgB3Q,KAAKwP,cAAchH,MAAKqI,GAAQF,EAAYG,WAAWD,MACvE1G,EAAO3J,MAAM,IAAIjD,MAAM,kCAAmC,MAAAoT,EAAAA,EAAe,0BAA2B3K,MAEpGwK,EAASO,IAAM/Q,KAAKsP,cAAe,MAAAqB,OAAA,EAAAA,EAAaG,WAAW,oBAC3D,aAAa9Q,KAAKsP,kBAAkBkB,EAASQ,QAEjD,IAAIC,EACJ,IACIA,QAAaT,EAASS,MAC1B,OACO3S,GAEH,GADA6L,EAAOnL,MAAM,8BAA+BV,GACxCkS,EAASO,GAAI,MAAMzS,EACvB,MAAM,IAAIf,MAAM,GAAGiT,EAASU,eAAeV,EAASE,UACxD,CACA,IAAKF,EAASO,GAAI,CAEd,GADA5G,EAAOnL,MAAM,qBAAsBiS,GAC/BA,EAAKjS,MACL,MAAM,IAAIiM,EAAcgG,GAE5B,MAAM,IAAI1T,MAAM,GAAGiT,EAASU,eAAeV,EAASE,YAAYtO,KAAKW,UAAUkO,KACnF,CACA,OAA
OA,CACX,CAEA,cAAaE,CAASnL,EAAAoL,GAM6B,IANhB,KAC/B/C,EAAA,UACAgD,EAAA,iBACA3B,EAAA,gBACA4B,EAAA,aACAC,GACJH,EACI,MAAMjH,EAASnK,KAAKsH,QAAQ7G,OAAO,YAC7B8P,EAAuB,CACzB,OAAUvQ,KAAKwP,cAAc1L,KAAK,MAClC,eAAgB,uCACbyN,GAQP,IAAIf,OANc,IAAda,IACAd,EAAuB,cAAI,SAAWc,GAG1CrR,KAAKyQ,mBAAmBF,GAGxB,IACIpG,EAAOtL,MAAM,OAAQmH,GACrBwK,QAAiBxQ,KAAKyP,iBAAiBzJ,EAAK,CAAEtF,OAAQ,OAAQ6P,UAASlC,OAAMqB,mBAAkBY,YAAagB,GAChH,OACOhT,GAEH,MADA6L,EAAOnL,MAAM,iBACPV,CACV,CAEA6L,EAAOtL,MAAM,iCAAkC2R,EAASE,QACxD,MAAMC,EAAcH,EAASD,QAAQK,IAAI,gBACzC,GAAID,IAAgB3Q,KAAKwP,cAAchH,MAAKqI,GAAQF,EAAYG,WAAWD,KACvE,MAAM,IAAItT,MAAM,kCAAmC,MAAAoT,EAAAA,EAAe,0BAA2B3K,KAGjG,MAAMwL,QAAqBhB,EAASQ,OAEpC,IAAIC,EAAgC,CAAC,EACrC,GAAIO,EACA,IACIP,EAAO7O,KAAKC,MAAMmP,EACtB,OACOlT,GAEH,GADA6L,EAAOnL,MAAM,8BAA+BV,GACxCkS,EAASO,GAAI,MAAMzS,EACvB,MAAM,IAAIf,MAAM,GAAGiT,EAASU,eAAeV,EAASE,UACxD,CAGJ,IAAKF,EAASO,GAAI,CAEd,GADA5G,EAAOnL,MAAM,qBAAsBiS,GAC/BT,EAASD,QAAQkB,IAAI,cAAe,CACpC,MAAMrL,EAAQoK,EAASD,QAAQK,IAAI,cACnC,MAAM,IAAIzB,EAAe/I,EAAO,GAAGhE,KAAKW,UAAUkO,KACtD,CACA,GAAIA,EAAKjS,MACL,MAAM,IAAIiM,EAAcgG,EAAM5C,GAElC,MAAM,IAAI9Q,MAAM,GAAGiT,EAASU,eAAeV,EAASE,YAAYtO,KAAKW,UAAUkO,KACnF,CAEA,OAAOA,CACX,CAEQR,kBAAAA,CACJF,GAEA,MAAMpG,EAASnK,KAAKsH,QAAQ7G,OAAO,sBAC7BiR,EAAa9Q,OAAO+Q,KAAK3R,KAAKuP,eAC9BqC,EAAmB,CACrB,gBACA,SACA,gBAEsB,IAAtBF,EAAW9T,QAGf8T,EAAWG,SAASC,IAChB,GAAIF,EAAiBG,SAASD,EAAWE,qBAErC,YADA7H,EAAOpL,KAAK,2CAA4C+S,EAAYF,GAGxE,MAAMK,EAAqD,oBAAnCjS,KAAKuP,cAAcuC,GACtC9R,KAAKuP,cAAcuC,KACpB9R,KAAKuP,cAAcuC,GACnBG,GAAuB,KAAZA,IACX1B,EAAQuB,GAAcG,EAC1B,GAER,GCjNSC,EAAN,MAUI1S,WAAAA,CAA6B2S,GAAA,KAAAA,UAAAA,EATpC,KAAiB7K,QAAU,IAAIhI,EAAO,mBAKtC,KAAQ8S,aAAoC,KAC5C,KAAQC,UAA0C,KAI9CrS,KAAKsS,aAAetS,KAAKmS,UAAUI,YACnCvS,KAAKwS,aAAe,IAAIpD,EACpB,CAAC,4BACD,KACApP,KAAKmS,UAAUZ,cAEfvR,KAAKmS,UAAUM,cACfzS,KAAKsH,QAAQzI,MAAM,mCACnBmB,KAAKoS,aAAepS,KAAKmS,UAAUM,aAGnCzS,KAAKmS,UAAUO,WACf1S,KAAKsH,QAAQzI,MAAM,gCACnBmB,KAAKqS,UAAYrS,KAAKmS,UAAUO,UAGhC1S,KAAKmS,UAAUQ,0BACf3S,KAAKsH,QAAQzI,MAAM,+CACnBmB,KAAK4S,yBAA2B5S,KAAKmS
,UAAUQ,wBAEvD,CAEOE,gBAAAA,GACH7S,KAAKoS,aAAe,IACxB,CAEA,iBAAaU,GACT,MAAM3I,EAASnK,KAAKsH,QAAQ7G,OAAO,eACnC,GAAIT,KAAKqS,UAEL,OADAlI,EAAOtL,MAAM,uBACNmB,KAAKqS,UAGhB,IAAKrS,KAAKsS,aAEN,MADAnI,EAAO3J,MAAM,IAAIjD,MAAM,uDACjB,KAGV4M,EAAOtL,MAAM,wBAAyBmB,KAAKsS,cAC3C,MAAMI,QAAiB1S,KAAKwS,aAAanC,QAAQrQ,KAAKsS,aAAc,CAAEhC,YAAatQ,KAAK4S,yBAA0BlD,iBAAkB1P,KAAKmS,UAAUY,0BAInJ,OAFA5I,EAAOtL,MAAM,0CACbmB,KAAKqS,UAAYzR,OAAOoS,OAAO,CAAC,EAAGhT,KAAKmS,UAAUc,aAAcP,GACzD1S,KAAKqS,SAChB,CAEOa,SAAAA,GACH,OAAOlT,KAAKmT,qBAAqB,SACrC,CAEOC,wBAAAA,GACH,OAAOpT,KAAKmT,qBAAqB,yBACrC,CAEOE,mBAAAA,GACH,OAAOrT,KAAKmT,qBAAqB,oBACrC,CAIOG,gBAAAA,GAA+D,IAA9CC,IAAA5T,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,KAAAA,UAAA,GACpB,OAAOK,KAAKmT,qBAAqB,iBAAkBI,EACvD,CAEOC,qBAAAA,GACH,OAAOxT,KAAKmT,qBAAqB,wBAAwB,EAC7D,CAEOM,qBAAAA,GACH,OAAOzT,KAAKmT,qBAAqB,wBAAwB,EAC7D,CAIOO,qBAAAA,GAAoE,IAA9CH,IAAA5T,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,KAAAA,UAAA,GACzB,OAAOK,KAAKmT,qBAAqB,sBAAuBI,EAC5D,CAIOI,eAAAA,GAA8D,IAA9CJ,IAAA5T,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,KAAAA,UAAA,GACnB,OAAOK,KAAKmT,qBAAqB,WAAYI,EACjD,CAEA,0BAAgBJ,CAAqB3U,GAA4F,IAAlE+U,EAAA5T,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAC3D,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,yBAAyBjC,OAEtDkU,QAAiB1S,KAAK8S,cAG5B,GAFA3I,EAAOtL,MAAM,iBAEU,IAAnB6T,EAASlU,GAAqB,CAC9B,IAAiB,IAAb+U,EAEA,YADApJ,EAAOpL,KAAK,+CAIhBoL,EAAO3J,MAAM,IAAIjD,MAAM,sCAAwCiB,GACnE,CAEA,OAAOkU,EAASlU,EACpB,CAEA,oBAAaoV,GACT,MAAMzJ,EAASnK,KAAKsH,QAAQ7G,OAAO,kBACnC,GAAIT,KAAKoS,aAEL,OADAjI,EAAOtL,MAAM,oCACNmB,KAAKoS,aAGhB,MAAMyB,QAAiB7T,KAAK2T,iBAAgB,GAC5CxJ,EAAOtL,MAAM,eAAgBgV,GAE7B,MAAMC,QAAe9T,KAAKwS,aAAanC,QAAQwD,EAAU,CAAEnE,iBAAkB1P,KAAKmS,UAAUY,0BAG5F,GAFA5I,EAAOtL,MAAM,cAAeiV,IAEvBjU,MAAMkU,QAAQD,EAAOnC,MAEtB,MADAxH,EAAO3J,MAAM,IAAIjD,MAAM,2BACjB,KAIV,OADAyC,KAAKoS,aAAe0B,EAAOnC,KACpB3R,KAAKoS,YAChB,GCvIS4B,EAAN,MAMIxU,WAAAA,GAGsD,IAH1C,OACfwB,EAAS,QAAO,MAChBiT,EAAQC,cACZvU,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAyD,CAAC,EAR1D,KAAiB2H,QAAU,IAAIhI,EAAO,wBASlCU,KAAKmU,OAASF,EACdjU,KAAKoU,QAAUpT,CACnB,CAEA,S
AAaqT,CAAI9K,EAAanK,GAC1BY,KAAKsH,QAAQ7G,OAAO,QAAQ8I,OAE5BA,EAAMvJ,KAAKoU,QAAU7K,QACfvJ,KAAKmU,OAAOpF,QAAQxF,EAAKnK,EACnC,CAEA,SAAawR,CAAIrH,GACbvJ,KAAKsH,QAAQ7G,OAAO,QAAQ8I,OAE5BA,EAAMvJ,KAAKoU,QAAU7K,EAErB,aADmBvJ,KAAKmU,OAAOrF,QAAQvF,EAE3C,CAEA,YAAa+K,CAAO/K,GAChBvJ,KAAKsH,QAAQ7G,OAAO,WAAW8I,OAE/BA,EAAMvJ,KAAKoU,QAAU7K,EACrB,MAAMsH,QAAa7Q,KAAKmU,OAAOrF,QAAQvF,GAEvC,aADMvJ,KAAKmU,OAAOnF,WAAWzF,GACtBsH,CACX,CAEA,gBAAa0D,GACTvU,KAAKsH,QAAQ7G,OAAO,cACpB,MAAM+T,QAAYxU,KAAKmU,OAAOvW,OAExB+T,EAAO,GACb,IAAK,IAAIzC,EAAQ,EAAGA,EAAQsF,EAAKtF,IAAS,CACtC,MAAM3F,QAAYvJ,KAAKmU,OAAO5K,IAAI2F,GAC9B3F,GAAqC,IAA9BA,EAAIkL,QAAQzU,KAAKoU,UACxBzC,EAAKlK,KAAK8B,EAAImL,OAAO1U,KAAKoU,QAAQxW,QAE1C,CACA,OAAO+T,CACX,GCnDEgD,EAAsB,OACtBC,EAAe,SACfC,EAA8B,qBAC9BC,EAAgC,IAiKzBC,EAAN,MA+CIvV,WAAAA,CAAAwV,GA2BgB,IA3BJ,UAEfC,EAAA,YAAW1C,EAAAG,SAAaA,EAAA,YAAUD,EAAA,aAAaQ,EAAA,UAE/CpO,EAAA,cAAWC,EAAA,cAAeoQ,EAAgBP,EAAA,MAAqBQ,EAAQP,EAAA,aACvEQ,EAAA,yBAAcC,EAAA,sBACdC,EAAwBT,EAAA,OAExBU,EAAA,QAAQC,EAAA,QAASC,EAAA,WAASC,EAAA,WAAYC,EAAA,SAAYC,EAAA,cAAUC,EAAA,qBAE5DC,GAAuB,EAAI,aAC3BC,GAAe,EAAK,wBACpBhD,EAAA,uBACAiD,EAAyBlB,EAAA,oBACzBmB,EAAsB,CAAEC,MAAO,WAAW,YAC1CC,GAAc,EAAK,WAEnBC,EAAA,kCACAC,EAAA,wBACA1D,EAAA,yBACA2D,EAAA,iBAEAC,EAAmB,CAAC,EAAC,iBACrBC,EAAmB,CAAC,EAAC,aACrBjF,EAAe,CAAC,EAAC,KACjBkF,EAAA,wBACAC,GAA0B,GAC9B1B,EAvPJ,IAAA1M,EAsSQ,GA7CAtI,KAAKiV,UAAYA,EAEb1C,EACAvS,KAAKuS,YAAcA,GAEnBvS,KAAKuS,YAAc0C,EACfA,IACKjV,KAAKuS,YAAYoE,SAAS,OAC3B3W,KAAKuS,aAAe,KAExBvS,KAAKuS,aAAe,qCAI5BvS,KAAK0S,SAAWA,EAChB1S,KAAKiT,aAAeA,EACpBjT,KAAKyS,YAAcA,EAEnBzS,KAAK6E,UAAYA,EACjB7E,KAAK8E,cAAgBA,EACrB9E,KAAKkV,cAAgBA,EACrBlV,KAAKmV,MAAQA,EACbnV,KAAKoV,aAAeA,EACpBpV,KAAKqV,yBAA2BA,EAChCrV,KAAKsV,sBAAwBA,EAE7BtV,KAAKuV,OAASA,EACdvV,KAAKwV,QAAUA,EACfxV,KAAKyV,QAAUA,EACfzV,KAAK0V,WAAaA,EAClB1V,KAAK2V,WAAaA,EAClB3V,KAAK4V,SAAWA,EAChB5V,KAAK6V,cAAgBA,EAErB7V,KAAK8V,qBAAuB,MAAAA,GAAAA,EAC5B9V,KAAK+V,eAAiBA,EACtB/V,KAAKgW,uBAAyBA,EAC9BhW,KAAKiW,oBAAsBA,EAC3BjW,KAAK0W,wBAA0BA,EAC/B1W,KAAKmW,cAAgBA,EACrBnW,KAAKqW,kCAA
oCA,EAEzCrW,KAAK2S,wBAA0BA,GAAoD,cACnF3S,KAAK+S,wBAA0BA,EAE3BqD,EACApW,KAAKoW,WAAaA,MAEjB,CACD,MAAMnC,EAA0B,qBAAXhR,OAAyBA,OAAOiR,aAAe,IAAIvF,EACxE3O,KAAKoW,WAAa,IAAIpC,EAAqB,CAAEC,SACjD,CASA,GAPAjU,KAAKsW,yBAA2BA,EAEhCtW,KAAKuW,iBAAmBA,EACxBvW,KAAKwW,iBAAmBA,EACxBxW,KAAKuR,aAAeA,EAEpBvR,KAAKyW,KAAOA,EACRzW,KAAKyW,QAAS,OAAAnO,EAAAtI,KAAKyW,WAAL,EAAAnO,EAAW2L,OACzB,MAAM,IAAI1W,MAAM,+CAExB,GC5SSqZ,EAAN,MAIIpX,WAAAA,CAA6B2S,EACf0E,GADe,KAAA1E,UAAAA,EACf,KAAA0E,iBAAAA,EAJrB,KAAmBvP,QAAU,IAAIhI,EAAO,mBAgCxC,KAAUwX,kBAAoBC,UAC1B,MAAM5M,EAASnK,KAAKsH,QAAQ7G,OAAO,qBACnC,IACI,MAAM+B,EAAUf,EAASC,OAAO8P,GAGhC,OAFArH,EAAOtL,MAAM,2BAEN2D,CACX,CAAE,MAAOlE,GAEL,MADA6L,EAAOnL,MAAM,8BACPV,CACV,GApCA0B,KAAKwS,aAAe,IAAIpD,OACpB,EACApP,KAAK8W,kBACL9W,KAAKmS,UAAUZ,aAEvB,CAEA,eAAayF,CAAUrV,GACnB,MAAMwI,EAASnK,KAAKsH,QAAQ7G,OAAO,aAC9BkB,GACD3B,KAAKsH,QAAQ9G,MAAM,IAAIjD,MAAM,oBAGjC,MAAMyI,QAAYhG,KAAK6W,iBAAiBxD,sBACxClJ,EAAOtL,MAAM,mBAAoBmH,GAEjC,MAAMiR,QAAejX,KAAKwS,aAAanC,QAAQrK,EAAK,CAChDrE,QACA2O,YAAatQ,KAAKmS,UAAUQ,wBAC5BjD,iBAAkB1P,KAAKmS,UAAUY,0BAIrC,OAFA5I,EAAOtL,MAAM,aAAcoY,GAEpBA,CACX,GCuBSC,EAAN,MAII1X,WAAAA,CACc2S,EACA0E,GADA,KAAA1E,UAAAA,EACA,KAAA0E,iBAAAA,EALrB,KAAiBvP,QAAU,IAAIhI,EAAO,eAOlCU,KAAKwS,aAAe,IAAIpD,EACpBpP,KAAKmS,UAAUkE,kCACf,KACArW,KAAKmS,UAAUZ,aAEvB,CAOA,kBAAa4F,CAAAC,GAO0C,IAP7B,WACtBC,EAAa,qBAAoB,aACjCjC,EAAepV,KAAKmS,UAAUiD,aAAA,UAC9BvQ,EAAY7E,KAAKmS,UAAUtN,UAAA,cAC3BC,EAAgB9E,KAAKmS,UAAUrN,cAAA,aAC/ByM,KACG3R,GACPwX,EACI,MAAMjN,EAASnK,KAAKsH,QAAQ7G,OAAO,gBAC9BoE,GACDsF,EAAO3J,MAAM,IAAIjD,MAAM,4BAEtB6X,GACDjL,EAAO3J,MAAM,IAAIjD,MAAM,+BAEtBqC,EAAK3B,MACNkM,EAAO3J,MAAM,IAAIjD,MAAM,uBAG3B,MAAMsN,EAAS,IAAIE,gBAAgB,CAAEsM,aAAYjC,iBACjD,IAAK,MAAO7L,EAAKnK,KAAUwB,OAAOuI,QAAQvJ,GACzB,MAATR,GACAyL,EAAOwJ,IAAI9K,EAAKnK,GAGxB,IAAIiS,EACJ,OAAQrR,KAAKmS,UAAUmD,uBACnB,IAAK,sBACD,IAAKxQ,EAED,MADAqF,EAAO3J,MAAM,IAAIjD,MAAM,gCACjB,KAEV8T,EAAY1O,EAAYiC,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+F,EAAOyM,OAAO,YAAazS,GACvBC,GACA+F,EAAOyM,OAAO,gBAAiBxS,GAK3C,MAAMkB,QAAYhG,KAAK6W,iBAAiB
vD,kBAAiB,GACzDnJ,EAAOtL,MAAM,sBAEb,MAAM2R,QAAiBxQ,KAAKwS,aAAarB,SAASnL,EAAK,CACnDqI,KAAMxD,EACNwG,YACA3B,iBAAkB1P,KAAKmS,UAAUY,wBACjCzB,gBAAiBtR,KAAKmS,UAAUQ,wBAChCpB,iBAKJ,OAFApH,EAAOtL,MAAM,gBAEN2R,CACX,CAOA,yBAAa+G,CAAAC,GAMiD,IAN7B,WAC7BH,EAAa,WAAU,UACvBxS,EAAY7E,KAAKmS,UAAUtN,UAAA,cAC3BC,EAAgB9E,KAAKmS,UAAUrN,cAAA,MAC/BqQ,EAAQnV,KAAKmS,UAAUgD,SACpBvV,GACP4X,EACI,MAAMrN,EAASnK,KAAKsH,QAAQ7G,OAAO,uBAE9BoE,GACDsF,EAAO3J,MAAM,IAAIjD,MAAM,4BAG3B,MAAMsN,EAAS,IAAIE,gBAAgB,CAAEsM,eAChCrX,KAAKmS,UAAUuE,yBAChB7L,EAAOwJ,IAAI,QAASc,GAExB,IAAK,MAAO5L,EAAKnK,KAAUwB,OAAOuI,QAAQvJ,GACzB,MAATR,GACAyL,EAAOwJ,IAAI9K,EAAKnK,GAIxB,IAAIiS,EACJ,OAAQrR,KAAKmS,UAAUmD,uBACnB,IAAK,sBACD,IAAKxQ,EAED,MADAqF,EAAO3J,MAAM,IAAIjD,MAAM,gCACjB,KAEV8T,EAAY1O,EAAYiC,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+F,EAAOyM,OAAO,YAAazS,GACvBC,GACA+F,EAAOyM,OAAO,gBAAiBxS,GAK3C,MAAMkB,QAAYhG,KAAK6W,iBAAiBvD,kBAAiB,GACzDnJ,EAAOtL,MAAM,sBAEb,MAAM2R,QAAiBxQ,KAAKwS,aAAarB,SAASnL,EAAK,CAAEqI,KAAMxD,EAAQwG,YAAW3B,iBAAkB1P,KAAKmS,UAAUY,wBAAyBzB,gBAAiBtR,KAAKmS,UAAUQ,0BAG5K,OAFAxI,EAAOtL,MAAM,gBAEN2R,CACX,CAOA,0BAAaiH,CAAAC,GAOkD,IAP7B,WAC9BL,EAAa,gBAAe,UAC5BxS,EAAY7E,KAAKmS,UAAUtN,UAAA,cAC3BC,EAAgB9E,KAAKmS,UAAUrN,cAAA,iBAC/B4K,EAAA,aACA6B,KACG3R,GACP8X,EACI,MAAMvN,EAASnK,KAAKsH,QAAQ7G,OAAO,wBAC9BoE,GACDsF,EAAO3J,MAAM,IAAIjD,MAAM,4BAEtBqC,EAAK+X,eACNxN,EAAO3J,MAAM,IAAIjD,MAAM,gCAG3B,MAAMsN,EAAS,IAAIE,gBAAgB,CAAEsM,eACrC,IAAK,MAAO9N,EAAKnK,KAAUwB,OAAOuI,QAAQvJ,GAClCC,MAAMkU,QAAQ3U,GACdA,EAAMyS,SAAQ+F,GAAS/M,EAAOyM,OAAO/N,EAAKqO,KAE5B,MAATxY,GACLyL,EAAOwJ,IAAI9K,EAAKnK,GAGxB,IAAIiS,EACJ,OAAQrR,KAAKmS,UAAUmD,uBACnB,IAAK,sBACD,IAAKxQ,EAED,MADAqF,EAAO3J,MAAM,IAAIjD,MAAM,gCACjB,KAEV8T,EAAY1O,EAAYiC,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+F,EAAOyM,OAAO,YAAazS,GACvBC,GACA+F,EAAOyM,OAAO,gBAAiBxS,GAK3C,MAAMkB,QAAYhG,KAAK6W,iBAAiBvD,kBAAiB,GACzDnJ,EAAOtL,MAAM,sBAEb,MAAM2R,QAAiBxQ,KAAKwS,aAAarB,SAASnL,EAAK,CAAEqI,KAAMxD,EAAQwG,YAAW3B,mBAAkB4B,gBAAiBtR,KAAKmS,UAAUQ,wBAAyBpB,iBAG7J,OAFApH,EAAOtL,MAAM,gBAEN2R,CACX,CAOA,YAAaqH,CAAOjY,GAnQ
xB,IAAA0I,EAoQQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,UAC9Bb,EAAK+B,OACNwI,EAAO3J,MAAM,IAAIjD,MAAM,wBAG3B,MAAMyI,QAAYhG,KAAK6W,iBAAiBnD,uBAAsB,GAE9DvJ,EAAOtL,MAAM,qCAAqC,OAAAyJ,EAAA1I,EAAKkY,iBAALxP,EAAwB,wBAE1E,MAAMuC,EAAS,IAAIE,gBACnB,IAAK,MAAOxB,EAAKnK,KAAUwB,OAAOuI,QAAQvJ,GACzB,MAATR,GACAyL,EAAOwJ,IAAI9K,EAAKnK,GAGxByL,EAAOwJ,IAAI,YAAarU,KAAKmS,UAAUtN,WACnC7E,KAAKmS,UAAUrN,eACf+F,EAAOwJ,IAAI,gBAAiBrU,KAAKmS,UAAUrN,qBAGzC9E,KAAKwS,aAAarB,SAASnL,EAAK,CAAEqI,KAAMxD,EAAQ6E,iBAAkB1P,KAAKmS,UAAUY,0BACvF5I,EAAOtL,MAAM,eACjB,GCrQSkZ,EAAN,MAKIvY,WAAAA,CACgB2S,EACA0E,EACAmB,GAFA,KAAA7F,UAAAA,EACA,KAAA0E,iBAAAA,EACA,KAAAmB,eAAAA,EAPvB,KAAmB1Q,QAAU,IAAIhI,EAAO,qBASpCU,KAAKiY,iBAAmB,IAAIrB,EAAgB5W,KAAKmS,UAAWnS,KAAK6W,kBACjE7W,KAAKkY,aAAe,IAAIhB,EAAYlX,KAAKmS,UAAWnS,KAAK6W,iBAC7D,CAEA,4BAAasB,CAAuB3H,EAA0BjF,EAAoBgG,GAC9E,MAAMpH,EAASnK,KAAKsH,QAAQ7G,OAAO,0BAEnCT,KAAKoY,oBAAoB5H,EAAUjF,GACnCpB,EAAOtL,MAAM,yBAEPmB,KAAKqY,aAAa7H,EAAUjF,EAAOgG,GACzCpH,EAAOtL,MAAM,kBAET2R,EAAS8H,UACTtY,KAAKuY,2BAA2B/H,GAEpCrG,EAAOtL,MAAM,0BAEPmB,KAAKwY,eAAehI,EAAU,MAAAjF,OAAA,EAAAA,EAAOkN,aAAcjI,EAAS8H,UAClEnO,EAAOtL,MAAM,mBACjB,CAEA,iCAAa6Z,CAA4BlI,EAA0BiI,GAC/D,MAAMtO,EAASnK,KAAKsH,QAAQ7G,OAAO,+BAE/B+P,EAAS8H,UAAc9H,EAASmI,UAChC3Y,KAAKuY,2BAA2B/H,GAEpCrG,EAAOtL,MAAM,0BAEPmB,KAAKwY,eAAehI,EAAUiI,EAAcjI,EAAS8H,UAC3DnO,EAAOtL,MAAM,mBACjB,CAEA,6BAAa+Z,CAAwBpI,EAA0BjF,GAC3D,MAAMpB,EAASnK,KAAKsH,QAAQ7G,OAAO,2BAEnC+P,EAAShF,UAAYD,EAAM9G,KAE3B,MAAA+L,EAAS/E,gBAAT+E,EAAS/E,cAAkBF,EAAME,eAEjC,MAAA+E,EAAS2E,QAAT3E,EAAS2E,MAAU5J,EAAM4J,OAIrB3E,EAAS8H,UAAc9H,EAASmI,WAChC3Y,KAAKuY,2BAA2B/H,EAAUjF,EAAMoN,UAChDxO,EAAOtL,MAAM,uBAGZ2R,EAASmI,WAEVnI,EAASmI,SAAWpN,EAAMoN,SAE1BnI,EAASqI,QAAUtN,EAAMsN,SAG7B,MAAMC,EAAatI,EAAS8H,YAAc9H,EAASmI,eAC7C3Y,KAAKwY,eAAehI,GAAU,EAAOsI,GAC3C3O,EAAOtL,MAAM,mBACjB,CAEOka,uBAAAA,CAAwBvI,EAA2BjF,GACtD,MAAMpB,EAASnK,KAAKsH,QAAQ7G,OAAO,2BAWnC,GAVI8K,EAAMyN,KAAOxI,EAASjF,OACtBpB,EAAO3J,MAAM,IAAIjD,MAAM,yBAM3B4M,EAAOtL,MAAM,mBACb2R,EAAShF,UAAYD,EAAM9G,KAEvB+L,EAASxR,MAET,MADAmL,EAAOpL,KAAK,
qBAAsByR,EAASxR,OACrC,IAAIiM,EAAcuF,EAEhC,CAEU4H,mBAAAA,CAAoB5H,EAA0BjF,GACpD,MAAMpB,EAASnK,KAAKsH,QAAQ7G,OAAO,uBA8BnC,GA7BI8K,EAAMyN,KAAOxI,EAASjF,OACtBpB,EAAO3J,MAAM,IAAIjD,MAAM,yBAGtBgO,EAAM1G,WACPsF,EAAO3J,MAAM,IAAIjD,MAAM,0BAGtBgO,EAAM0J,WACP9K,EAAO3J,MAAM,IAAIjD,MAAM,0BAIvByC,KAAKmS,UAAU8C,YAAc1J,EAAM0J,WACnC9K,EAAO3J,MAAM,IAAIjD,MAAM,oDAEvByC,KAAKmS,UAAUtN,WAAa7E,KAAKmS,UAAUtN,YAAc0G,EAAM1G,WAC/DsF,EAAO3J,MAAM,IAAIjD,MAAM,oDAM3B4M,EAAOtL,MAAM,mBACb2R,EAAShF,UAAYD,EAAM9G,KAC3B+L,EAAS9E,UAAYH,EAAMG,UAE3B,MAAA8E,EAAS2E,QAAT3E,EAAS2E,MAAU5J,EAAM4J,OAErB3E,EAASxR,MAET,MADAmL,EAAOpL,KAAK,qBAAsByR,EAASxR,OACrC,IAAIiM,EAAcuF,GAGxBjF,EAAM/G,gBAAkBgM,EAASvS,MACjCkM,EAAO3J,MAAM,IAAIjD,MAAM,6BAG/B,CAEA,oBAAgBib,CAAehI,GAAmF,IAAzDiI,EAAA9Y,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAAsBsZ,IAAAtZ,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,KAAAA,UAAA,GAC3E,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,kBAGnC,GAFA+P,EAASqI,QAAU7Y,KAAKgY,eAAelC,qBAAqBtF,EAASqI,SAEjEJ,IAAiBzY,KAAKmS,UAAU4D,eAAiBvF,EAASrE,aAE1D,YADAhC,EAAOtL,MAAM,yBAIjBsL,EAAOtL,MAAM,qBACb,MAAMoY,QAAejX,KAAKiY,iBAAiBjB,UAAUxG,EAASrE,cAC9DhC,EAAOtL,MAAM,qDAEToa,GAAehC,EAAOiC,MAAQ1I,EAASqI,QAAQK,KAC/C/O,EAAO3J,MAAM,IAAIjD,MAAM,sEAG3BiT,EAASqI,QAAU7Y,KAAKgY,eAAemB,YAAY3I,EAASqI,QAAS7Y,KAAKgY,eAAelC,qBAAqBmB,IAC9G9M,EAAOtL,MAAM,8CAA+C2R,EAASqI,QACzE,CAEA,kBAAgBR,CAAa7H,EAA0BjF,EAAoBgG,GACvE,MAAMpH,EAASnK,KAAKsH,QAAQ7G,OAAO,gBACnC,GAAI+P,EAASvS,KAAM,CACfkM,EAAOtL,MAAM,mBACb,MAAMua,QAAsBpZ,KAAKkY,aAAaf,aAAa,CACvDtS,UAAW0G,EAAM1G,UACjBC,cAAeyG,EAAMzG,cACrB7G,KAAMuS,EAASvS,KACfmX,aAAc7J,EAAM6J,aACpB5Q,cAAe+G,EAAM/G,cACrB+M,kBACGhG,EAAMiL,mBAEb5V,OAAOoS,OAAOxC,EAAU4I,EAC5B,MACIjP,EAAOtL,MAAM,qBAErB,CAEU0Z,0BAAAA,CAA2B/H,EAA0B6I,GAjMnE,IAAA/Q,EAkMQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,8BAEnC0J,EAAOtL,MAAM,yBACb,MAAMya,EAAW7X,EAASC,OAAO,OAAA4G,EAAAkI,EAASmI,UAATrQ,EAAqB,IAMtD,GAJKgR,EAASJ,KACV/O,EAAO3J,MAAM,IAAIjD,MAAM,wCAGvB8b,EAAe,CACf,MAAME,EAAW9X,EAASC,OAAO2X,GAC7BC,EAASJ,MAAQK,EAASL,KAC1B/O,EAAO3J,MAAM,IAAIjD,MAAM,+CAEvB+b,EAASE,WAAaF,EAASE,YAAc
D,EAASC,WACtDrP,EAAO3J,MAAM,IAAIjD,MAAM,4DAEvB+b,EAASG,KAAOH,EAASG,MAAQF,EAASE,KAC1CtP,EAAO3J,MAAM,IAAIjD,MAAM,iDAEtB+b,EAASG,KAAOF,EAASE,KAC1BtP,EAAO3J,MAAM,IAAIjD,MAAM,yDAE/B,CAEAiT,EAASqI,QAAUS,CACvB,GCnNSI,EAAN,MAAMC,EASFna,WAAAA,CAAYI,GAOfI,KAAKgZ,GAAKpZ,EAAKoZ,IAAMrW,EAAYyB,iBACjCpE,KAAKyE,KAAO7E,EAAK6E,KAEb7E,EAAKga,SAAWha,EAAKga,QAAU,EAC/B5Z,KAAK4Z,QAAUha,EAAKga,QAGpB5Z,KAAK4Z,QAAUpQ,EAAMM,eAEzB9J,KAAK6Z,aAAeja,EAAKia,aACzB7Z,KAAK0L,UAAY9L,EAAK8L,SAC1B,CAEOoO,eAAAA,GAEH,OADA,IAAIxa,EAAO,SAASmB,OAAO,mBACpB2B,KAAKW,UAAU,CAClBiW,GAAIhZ,KAAKgZ,GACTvU,KAAMzE,KAAKyE,KACXmV,QAAS5Z,KAAK4Z,QACdC,aAAc7Z,KAAK6Z,aACnBnO,UAAW1L,KAAK0L,WAExB,CAEA,wBAAcqO,CAAkBC,GAE5B,OADA1a,EAAOuB,aAAa,QAAS,qBACtBqN,QAAQC,QAAQ,IAAIwL,EAAMvX,KAAKC,MAAM2X,IAChD,CAEA,4BAAoBC,CAAgBC,EAAqBC,GACrD,MAAMhQ,EAAS7K,EAAOuB,aAAa,QAAS,mBACtCuZ,EAAS5Q,EAAMM,eAAiBqQ,EAEhCxI,QAAauI,EAAQ3F,aAC3BpK,EAAOtL,MAAM,WAAY8S,GAEzB,IAAK,IAAI0I,EAAI,EAAGA,EAAI1I,EAAK/T,OAAQyc,IAAK,CAClC,MAAM9Q,EAAMoI,EAAK0I,GACXxJ,QAAaqJ,EAAQtJ,IAAIrH,GAC/B,IAAI+K,GAAS,EAEb,GAAIzD,EACA,IACI,MAAMtF,QAAcoO,EAAMI,kBAAkBlJ,GAE5C1G,EAAOtL,MAAM,qBAAsB0K,EAAKgC,EAAMqO,SAC1CrO,EAAMqO,SAAWQ,IACjB9F,GAAS,EAEjB,OACOhW,GACH6L,EAAOnL,MAAM,+BAAgCuK,EAAKjL,GAClDgW,GAAS,CACb,MAGAnK,EAAOtL,MAAM,8BAA+B0K,GAC5C+K,GAAS,EAGTA,IACAnK,EAAOtL,MAAM,wBAAyB0K,GACjC2Q,EAAQ5F,OAAO/K,GAE5B,CACJ,GCxDS+Q,EAAN,MAAMC,UAAoBb,EAyBrBla,WAAAA,CAAYI,GAChBoK,MAAMpK,GAENI,KAAKwE,cAAgB5E,EAAK4E,cAC1BxE,KAAKwa,eAAiB5a,EAAK4a,eAC3Bxa,KAAKiV,UAAYrV,EAAKqV,UACtBjV,KAAK6E,UAAYjF,EAAKiF,UACtB7E,KAAKoV,aAAexV,EAAKwV,aACzBpV,KAAKmV,MAAQvV,EAAKuV,MAClBnV,KAAK8E,cAAgBlF,EAAKkF,cAC1B9E,KAAKwW,iBAAmB5W,EAAK4W,iBAE7BxW,KAAK6V,cAAgBjW,EAAKiW,cAC1B7V,KAAKyY,aAAe7Y,EAAK6Y,YAC7B,CAEA,mBAAoBhY,CAAOb,GACvB,MAAM4E,GAAuC,IAAvB5E,EAAK4E,cAAyB7B,EAAY2B,uBAA0B1E,EAAK4E,oBAAiB,EAC1GgW,EAAiBhW,QAAuB7B,EAAY4B,sBAAsBC,QAAkB,EAElG,OAAO,IAAI+V,EAAY,IAChB3a,EACH4E,gBACAgW,kBAER,CAEOV,eAAAA,GAEH,OADA,IAAIxa,EAAO,eAAemB,OAAO,mBAC1B2B,KAAKW,UAAU,CAClBiW,GAAIhZ,KAAKgZ,GACTvU,KAAMzE,KAAKyE,KACXmV,QAAS5Z,KAAK4
Z,QACdC,aAAc7Z,KAAK6Z,aACnBnO,UAAW1L,KAAK0L,UAEhBlH,cAAexE,KAAKwE,cACpByQ,UAAWjV,KAAKiV,UAChBpQ,UAAW7E,KAAK6E,UAChBuQ,aAAcpV,KAAKoV,aACnBD,MAAOnV,KAAKmV,MACZrQ,cAAe9E,KAAK8E,cACpB0R,iBAAmBxW,KAAKwW,iBACxBX,cAAe7V,KAAK6V,cACpB4C,aAAczY,KAAKyY,cAE3B,CAEA,wBAAcsB,CAAkBC,GAC5B1a,EAAOuB,aAAa,cAAe,qBACnC,MAAM4D,EAAOrC,KAAKC,MAAM2X,GACxB,OAAOO,EAAY9Z,OAAOgE,EAC9B,GC3DSgW,EAAN,MAAMA,EAMDjb,WAAAA,CAAYI,GAIhBI,KAAKgG,IAAMpG,EAAKoG,IAChBhG,KAAKuL,MAAQ3L,EAAK2L,KACtB,CAEA,mBAAoB9K,CAAAia,GAagC,IAbzB,IAEvB1U,EAAA,UAAKiP,EAAA,UAAWpQ,EAAA,aAAWuQ,EAAA,cAAcF,EAAA,MAAeC,EAAA,WAExDwF,EAAA,cAAY9E,EAAA,aAAegE,EAAA,cAAc/U,EAAA,MAAesB,EAAA,UAAOsF,EAAA,SAC/DkK,EAAA,aACA6C,EAAA,iBACAlC,EAAA,iBACAC,EAAA,YACAL,EAAA,QACAyE,EAAA,wBACAlE,KACGmE,GACPH,EACI,IAAK1U,EAED,MADAhG,KAAKsH,QAAQtI,MAAM,yBACb,IAAIzB,MAAM,OAEpB,IAAKsH,EAED,MADA7E,KAAKsH,QAAQtI,MAAM,+BACb,IAAIzB,MAAM,aAEpB,IAAK6X,EAED,MADApV,KAAKsH,QAAQtI,MAAM,kCACb,IAAIzB,MAAM,gBAEpB,IAAK2X,EAED,MADAlV,KAAKsH,QAAQtI,MAAM,mCACb,IAAIzB,MAAM,iBAEpB,IAAK4X,EAED,MADAnV,KAAKsH,QAAQtI,MAAM,2BACb,IAAIzB,MAAM,SAEpB,IAAK0X,EAED,MADAjV,KAAKsH,QAAQtI,MAAM,+BACb,IAAIzB,MAAM,aAGpB,MAAMgO,QAAc+O,EAAY7Z,OAAO,CACnCgE,KAAMkW,EACNd,eACAnO,YACAlH,eAAgB2R,EAChBtR,YAAWoQ,YAAWG,eACtBS,gBACA/Q,gBAAeqQ,QAAOqB,mBACtBiC,iBAGE/K,EAAY,IAAI5C,IAAI9E,GAC1B0H,EAAUoN,aAAaxD,OAAO,YAAazS,GAC3C6I,EAAUoN,aAAaxD,OAAO,eAAgBlC,GAC9C1H,EAAUoN,aAAaxD,OAAO,gBAAiBpC,GAC1CwB,GACDhJ,EAAUoN,aAAaxD,OAAO,QAASnC,GAEvC/O,GACAsH,EAAUoN,aAAaxD,OAAO,QAASlR,GAGvCwU,GACAlN,EAAUoN,aAAaxD,OAAO,WAAYsD,GAG9C,IAAIG,EAAaxP,EAAMyN,GAUvB,GATItN,IACAqP,EAAa,GAAGA,KAAmCrP,KAEvDgC,EAAUoN,aAAaxD,OAAO,QAASyD,GACnCxP,EAAMiP,iBACN9M,EAAUoN,aAAaxD,OAAO,iBAAkB/L,EAAMiP,gBACtD9M,EAAUoN,aAAaxD,OAAO,wBAAyB,SAGvD1B,EAAU,EAEQ/V,MAAMkU,QAAQ6B,GAAYA,EAAW,CAACA,IAEnD/D,SAAQmJ,GAAKtN,EAAUoN,aAAaxD,OAAO,WAAY0D,IAChE,CAEA,IAAK,MAAOzR,EAAKnK,KAAUwB,OAAOuI,QAAQ,CAAE0M,mBAAkBgF,KAAmBtE,IAChE,MAATnX,GACAsO,EAAUoN,aAAaxD,OAAO/N,EAAKnK,EAAMjB,YAIjD,OAAO,IAAIsc,EAAc,CACrBzU,IAAK0H,EAAUO,KACf1C,SAER,GA1GSkP,EACenT,QAAU,IAAIhI,EAAO
,iBAD1C,IAAM2b,EAANR,ECvCMS,EAAN,MAsCI1b,WAAAA,CAAYqL,GAGf,GApBJ,KAAOsB,aAAe,GAEtB,KAAOgP,WAAa,GAapB,KAAOtC,QAAuB,CAAC,EAG3B7Y,KAAKuL,MAAQV,EAAO+F,IAAI,SACxB5Q,KAAKyL,cAAgBZ,EAAO+F,IAAI,iBAC5B5Q,KAAKuL,MAAO,CACZ,MAAM6P,EAAavd,mBAAmBmC,KAAKuL,OAAOvJ,MjBpC3B,KiBqCvBhC,KAAKuL,MAAQ6P,EAAW,GACpBA,EAAWxd,OAAS,IACpBoC,KAAK0L,UAAY0P,EAAWpQ,MAAM,GAAGlH,KjBvClB,KiByC3B,CAEA9D,KAAKhB,MAAQ6L,EAAO+F,IAAI,SACxB5Q,KAAKqL,kBAAoBR,EAAO+F,IAAI,qBACpC5Q,KAAKsL,UAAYT,EAAO+F,IAAI,aAE5B5Q,KAAK/B,KAAO4M,EAAO+F,IAAI,OAC3B,CAEA,cAAWxE,GACP,QAAwB,IAApBpM,KAAKqb,WAGT,OAAOrb,KAAKqb,WAAa7R,EAAMM,cACnC,CACA,cAAWsC,CAAWhN,GAEG,kBAAVA,IAAoBA,EAAQkc,OAAOlc,SAChC,IAAVA,GAAuBA,GAAS,IAChCY,KAAKqb,WAAa/U,KAAKC,MAAMnH,GAASoK,EAAMM,eAEpD,CAEA,YAAWwO,GAnFf,IAAAhQ,EAoFQ,OAAO,OAAAA,EAAAtI,KAAKmV,YAAL,EAAA7M,EAAYtG,MAAM,KAAK+P,SA9EpB,cA8E6C/R,KAAK2Y,QAChE,GCxDS4C,EAAN,MAMI/b,WAAAA,CAAAgc,GAGgB,IAHJ,IACfxV,EAAA,WACA2U,EAAA,cAAYc,EAAA,yBAAepG,EAAA,iBAA0BkB,EAAA,aAAkBsD,EAAA,UAAchV,GACzF2W,EACI,GATJ,KAAiBlU,QAAU,IAAIhI,EAAO,mBAS7B0G,EAED,MADAhG,KAAKsH,QAAQtI,MAAM,uBACb,IAAIzB,MAAM,OAGpB,MAAMmQ,EAAY,IAAI5C,IAAI9E,GACtByV,GACA/N,EAAUoN,aAAaxD,OAAO,gBAAiBmE,GAE/C5W,GACA6I,EAAUoN,aAAaxD,OAAO,YAAazS,GAG3CwQ,IACA3H,EAAUoN,aAAaxD,OAAO,2BAA4BjC,GAEtDsF,IACA3a,KAAKuL,MAAQ,IAAImO,EAAM,CAAEjV,KAAMkW,EAAYd,iBAE3CnM,EAAUoN,aAAaxD,OAAO,QAAStX,KAAKuL,MAAMyN,MAI1D,IAAK,MAAOzP,EAAKnK,KAAUwB,OAAOuI,QAAQ,IAAKoN,IAC9B,MAATnX,GACAsO,EAAUoN,aAAaxD,OAAO/N,EAAKnK,EAAMjB,YAIjD6B,KAAKgG,IAAM0H,EAAUO,IACzB,GC9DSyN,EAAN,MAcIlc,WAAAA,CAAYqL,GACf7K,KAAKuL,MAAQV,EAAO+F,IAAI,SAExB5Q,KAAKhB,MAAQ6L,EAAO+F,IAAI,SACxB5Q,KAAKqL,kBAAoBR,EAAO+F,IAAI,qBACpC5Q,KAAKsL,UAAYT,EAAO+F,IAAI,YAChC,GCVE+K,EAAwB,CAC1B,MACA,MACA,YACA,QACA,MACA,MACA,MACA,WASEC,EAAiC,CAAC,MAAO,MAAO,MAAO,MAAO,OAKvDC,EAAN,MAEIrc,WAAAA,CACgB2S,GAAA,KAAAA,UAAAA,EAFvB,KAAmB7K,QAAU,IAAIhI,EAAO,gBAGrC,CAEIwW,oBAAAA,CAAqBmB,GACxB,MAAM6E,EAAS,IAAK7E,GAEpB,GAAIjX,KAAKmS,UAAU2D,qBAAsB,CACrC,IAAIiG,EAEAA,EADAlc,MAAMkU,QAAQ/T,KAAKmS,UAAU2D,sBACZ9V,KAAKmS,UAAU2D,qBAEf6F,EAGrB,IAAK,MAAMK,KAASD,
EACXH,EAA+B7J,SAASiK,WAClCF,EAAOE,EAG1B,CAEA,OAAOF,CACX,CAGO3C,WAAAA,CAAY8C,EAAsBC,GACrC,MAAMJ,EAAS,IAAKG,GACpB,IAAK,MAAOD,EAAOG,KAAWvb,OAAOuI,QAAQ+S,GACzC,GAAIJ,EAAOE,KAAWG,EAClB,GAAItc,MAAMkU,QAAQ+H,EAAOE,KAAWnc,MAAMkU,QAAQoI,GAC9C,GAAgD,WAA5Cnc,KAAKmS,UAAU8D,oBAAoBC,MACnC4F,EAAOE,GAASG,MACb,CACH,MAAMC,EAAevc,MAAMkU,QAAQ+H,EAAOE,IAAUF,EAAOE,GAAsB,CAACF,EAAOE,IACzF,IAAK,MAAM5c,KAASS,MAAMkU,QAAQoI,GAAUA,EAAS,CAACA,GAC7CC,EAAarK,SAAS3S,IACvBgd,EAAa3U,KAAKrI,GAG1B0c,EAAOE,GAASI,CACpB,KACgC,kBAAlBN,EAAOE,IAAyC,kBAAXG,EACnDL,EAAOE,GAAShc,KAAKmZ,YAAY2C,EAAOE,GAAqBG,GAE7DL,EAAOE,GAASG,EAK5B,OAAOL,CACX,GC/ESO,EAAN,MACI7c,WAAAA,CACamS,EACTvL,GADS,KAAAuL,KAAAA,EACT,KAAAvL,MAAAA,CACP,GCyDKkW,EAAN,MAWI9c,WAAAA,CAAY+c,EAAwDC,GAT3E,KAAmBlV,QAAU,IAAIhI,EAAO,cAUpCU,KAAKuc,SAAWA,aAAoBxH,EAA0BwH,EAAW,IAAIxH,EAAwBwH,GAErGvc,KAAKwc,gBAAkB,MAAAA,EAAAA,EAAmB,IAAItK,EAAgBlS,KAAKuc,UACnEvc,KAAKgY,eAAiB,IAAI6D,EAAc7b,KAAKuc,UAC7Cvc,KAAKyc,WAAa,IAAI1E,EAAkB/X,KAAKuc,SAAUvc,KAAKwc,gBAAiBxc,KAAKgY,gBAClFhY,KAAKkY,aAAe,IAAIhB,EAAYlX,KAAKuc,SAAUvc,KAAKwc,gBAC5D,CAEA,yBAAaE,CAAAC,GAwBuC,IAxBnB,MAC7BpR,EAAA,QACAqR,EAAA,YACAC,EAAA,aACAhD,EAAA,cACA4B,EAAA,WACAqB,EAAA,aACArE,EAAA,MACArS,EAAA,UACAsF,EAAA,cACAwJ,EAAgBlV,KAAKuc,SAASrH,cAAA,MAC9BC,EAAQnV,KAAKuc,SAASpH,MAAA,aACtBC,EAAepV,KAAKuc,SAASnH,aAAA,OAC7BG,EAASvV,KAAKuc,SAAShH,OAAA,QACvBC,EAAUxV,KAAKuc,SAAS/G,QAAA,QACxBC,EAAUzV,KAAKuc,SAAS9G,QAAA,WACxBC,EAAa1V,KAAKuc,SAAS7G,WAAA,WAC3BC,EAAa3V,KAAKuc,SAAS5G,WAAA,SAC3BC,EAAW5V,KAAKuc,SAAS3G,SAAA,cACzBC,EAAgB7V,KAAKuc,SAAS1G,cAAA,iBAC9BU,EAAmBvW,KAAKuc,SAAShG,iBAAA,iBACjCC,EAAmBxW,KAAKuc,SAAS/F,iBAAA,QACjCoE,EAAA,wBACAlE,EAA0B1W,KAAKuc,SAAS7F,yBAC5CiG,EACI,MAAMxS,EAASnK,KAAKsH,QAAQ7G,OAAO,uBAEnC,GAAsB,SAAlByU,EACA,MAAM,IAAI3X,MAAM,6DAGpB,MAAMyI,QAAYhG,KAAKwc,gBAAgBpJ,2BACvCjJ,EAAOtL,MAAM,kCAAmCmH,GAEhD,MAAM+W,QAAsB9B,EAAcxa,OAAO,CAC7CuF,MACAiP,UAAWjV,KAAKuc,SAAStH,UACzBpQ,UAAW7E,KAAKuc,SAAS1X,UACzBuQ,eACAF,gBACAC,QACAwF,WAAYpP,EACZG,YACA6J,SAAQC,UAASC,UAASC,aAAY+F,gBAAeqB,aAAYnH,aAAYiF,UAC7EhF,WAAUgH
,UAASC,cAAatG,mBAAkBC,mBAAkBqD,eAAchE,gBAClF/Q,cAAe9E,KAAKuc,SAASzX,cAC7B2T,eACArS,QACA+P,YAAanW,KAAKuc,SAASpG,YAC3BO,kCAIE1W,KAAKia,kBAEX,MAAM+C,EAAcD,EAAcxR,MAElC,aADMvL,KAAKuc,SAASnG,WAAW/B,IAAI2I,EAAYhE,GAAIgE,EAAYlD,mBACxDiD,CACX,CAEA,6BAAaE,CAAwBjX,GAA6F,IAAhFkX,EAAAvd,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAC9C,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,2BAE7B+P,EAAW,IAAI0K,EAAezQ,EAASC,WAAW1E,EAAKhG,KAAKuc,SAAS1G,gBAC3E,IAAKrF,EAASjF,MAGV,MAFApB,EAAO3J,MAAM,IAAIjD,MAAM,yBAEjB,KAGV,MAAM4f,QAA0Bnd,KAAKuc,SAASnG,WAAW8G,EAAc,SAAW,OAAO1M,EAASjF,OAClG,IAAK4R,EAED,MADAhT,EAAO3J,MAAM,IAAIjD,MAAM,uCACjB,KAIV,MAAO,CAAEgO,YADW+O,EAAYP,kBAAkBoD,GAClC3M,WACpB,CAEA,2BAAa4M,CAAsBpX,EAAauL,GAC5C,MAAMpH,EAASnK,KAAKsH,QAAQ7G,OAAO,0BAE7B,MAAE8K,EAAA,SAAOiF,SAAmBxQ,KAAKid,wBAAwBjX,GAAK,GAGpE,GAFAmE,EAAOtL,MAAM,oDAETmB,KAAKuc,SAAS9F,MAAQzW,KAAKuc,SAAS9F,KAAKxC,MAAO,CAChD,MAAMoJ,QAAkBrd,KAAKsd,aAAatd,KAAKuc,SAAS9F,KAAKxC,OAC7D1C,EAAe,IAAKA,EAAc,KAAQ8L,EAC9C,CAUA,UACUrd,KAAKyc,WAAWtE,uBAAuB3H,EAAUjF,EAAOgG,EAClE,OACOjT,GACH,KAAIA,aAAe6Q,GAAkBnP,KAAKuc,SAAS9F,MAK/C,MAAMnY,EAL+C,CACrD,MAAM+e,QAAkBrd,KAAKsd,aAAatd,KAAKuc,SAAS9F,KAAKxC,MAAO3V,EAAI8H,OACxEmL,EAAoB,KAAI8L,QAClBrd,KAAKyc,WAAWtE,uBAAuB3H,EAAUjF,EAAOgG,EAClE,CAGJ,CAEA,OAAOf,CACX,CAEA,kBAAM8M,CAAaC,EAAsBnX,GACrC,IAAID,EACAqX,EAgBJ,aAdYD,EAAUhJ,cAAcxC,SAAS/R,KAAKuc,SAAS1X,YAKvD2Y,QAAkBD,EAAU3M,IAAI5Q,KAAKuc,SAAS1X,WAG1C2Y,EAAUpX,QAAUA,GAASA,IAC7BoX,EAAUpX,MAAQA,QACZmX,EAAUlJ,IAAIrU,KAAKuc,SAAS1X,UAAW2Y,MATjDrX,QAAgBxD,EAAYqE,mBAC5BwW,EAAY,IAAInB,EAAUlW,EAASC,SAC7BmX,EAAUlJ,IAAIrU,KAAKuc,SAAS1X,UAAW2Y,UAWpC7a,EAAYiD,kBAAkB,CACvCI,UAAWhG,KAAKwc,gBAAgBlJ,kBAAiB,GACjDpN,WAAY,OACZC,QAASqX,EAAU7L,KACnBvL,MAAOoX,EAAUpX,OAEzB,CAEA,6CAAaqX,CAAAC,GAK4D,IALpB,SACjDC,EAAA,SACAC,EAAA,aACAnF,GAAe,EAAK,iBACpBjC,EAAmB,CAAC,GACxBkH,EACI,MAAMtE,QAA+CpZ,KAAKkY,aAAaX,oBAAoB,CAAEoG,WAAUC,cAAapH,IAC9GqH,EAAiC,IAAI3C,EAAe,IAAInQ,iBAG9D,OAFAnK,OAAOoS,OAAO6K,EAAgBzE,SACxBpZ,KAAKyc,WAAW/D,4BAA4BmF,EAAgBpF,GAC3DoF,CACX,CAEA,qBAAaC,CAAAC,GAOoC,IAPpB,MACzBxS,
EAAA,aACA6J,EAAA,SACAQ,EAAA,iBACAlG,EAAA,aACA6B,EAAA,iBACAiF,GACJuH,EA/PJ,IAAAzV,EAgQQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,mBAKnC,IAAI0U,EAuBA2G,EAtBJ,QAA+C,IAA3C9b,KAAKuc,SAASjG,yBACdnB,EAAQ5J,EAAM4J,UACX,CACH,MAAM6I,EAAkBhe,KAAKuc,SAASjG,yBAAyBtU,MAAM,KAGrEmT,IAFuB,OAAA7M,EAAAiD,EAAM4J,YAAN,EAAA7M,EAAatG,MAAM,OAAQ,IAE3BoH,QAAO6U,GAAKD,EAAgBjM,SAASkM,KAAIna,KAAK,IACzE,CAEA,GAAI9D,KAAKuc,SAAS9F,MAAQzW,KAAKuc,SAAS9F,KAAKxC,MAAO,CAChD,MAAMoJ,QAAkBrd,KAAKsd,aAAatd,KAAKuc,SAAS9F,KAAKxC,OAC7D1C,EAAe,IAAKA,EAAc,KAAQ8L,EAC9C,CAWA,IACIvB,QAAe9b,KAAKkY,aAAaT,qBAAqB,CAClDE,cAAepM,EAAMoM,cAErBxC,QACAC,eACAQ,WACAlG,mBACA6B,kBACGiF,GAEX,CAAE,MAAOlY,GACL,KAAIA,aAAe6Q,GAAkBnP,KAAKuc,SAAS9F,MAa/C,MAAMnY,EAZNiT,EAAoB,WAAUvR,KAAKsd,aAAatd,KAAKuc,SAAS9F,KAAKxC,MAAO3V,EAAI8H,OAC9E0V,QAAe9b,KAAKkY,aAAaT,qBAAqB,CAClDE,cAAepM,EAAMoM,cAErBxC,QACAC,eACAQ,WACAlG,mBACA6B,kBACGiF,GAKf,CAEA,MAAMhG,EAAW,IAAI0K,EAAe,IAAInQ,iBASxC,OARAnK,OAAOoS,OAAOxC,EAAUsL,GACxB3R,EAAOtL,MAAM,sBAAuB2R,SAC9BxQ,KAAKyc,WAAW7D,wBAAwBpI,EAAU,IACjDjF,EAGH4J,UAEG3E,CACX,CAEA,0BAAa0N,GAO8C,IAPzB,MAC9B3S,EAAA,cACAkQ,EAAA,UACA5W,EAAA,aACAgV,EAAA,yBACAxE,EAA2BrV,KAAKuc,SAASlH,yBAAA,iBACzCkB,EAAmBvW,KAAKuc,SAAShG,kBACrC5W,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA8B,CAAC,EAC3B,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,wBAE7BuF,QAAYhG,KAAKwc,gBAAgB/I,wBACvC,IAAKzN,EAED,MADAmE,EAAO3J,MAAM,IAAIjD,MAAM,4BACjB,KAGV4M,EAAOtL,MAAM,gCAAiCmH,GAGzCnB,IAAawQ,GAA6BoG,IAC3C5W,EAAY7E,KAAKuc,SAAS1X,WAG9B,MAAM+X,EAAU,IAAIrB,EAAe,CAC/BvV,MACAyV,gBACA5W,YACAwQ,2BACAsF,WAAYpP,EACZgL,mBACAsD,uBAIE7Z,KAAKia,kBAEX,MAAMkE,EAAevB,EAAQrR,MAM7B,OALI4S,IACAhU,EAAOtL,MAAM,8CACPmB,KAAKuc,SAASnG,WAAW/B,IAAI8J,EAAanF,GAAImF,EAAarE,oBAG9D8C,CACX,CAEA,8BAAawB,CAAyBpY,GAAoG,IAAvFkX,EAAAvd,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAC/C,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,4BAE7B+P,EAAW,IAAIkL,EAAgBjR,EAASC,WAAW1E,EAAKhG,KAAKuc,SAAS1G,gBAC5E,IAAKrF,EAASjF,MAAO,CAGjB,GAFApB,EAAOtL,MAAM,wBAET2R,EAASxR,MAET,MADAmL,EAAOpL,KAAK,sBAAuByR,EAASxR,OACtC,IAAIiM,EAAcuF,GAG5B,MAAO,C
AAEjF,WAAO,EAAWiF,WAC/B,CAEA,MAAM2M,QAA0Bnd,KAAKuc,SAASnG,WAAW8G,EAAc,SAAW,OAAO1M,EAASjF,OAClG,IAAK4R,EAED,MADAhT,EAAO3J,MAAM,IAAIjD,MAAM,uCACjB,KAIV,MAAO,CAAEgO,YADWmO,EAAMK,kBAAkBoD,GAC5B3M,WACpB,CAEA,4BAAa6N,CAAuBrY,GAChC,MAAMmE,EAASnK,KAAKsH,QAAQ7G,OAAO,2BAE7B,MAAE8K,EAAA,SAAOiF,SAAmBxQ,KAAKoe,yBAAyBpY,GAAK,GAQrE,OAPIuF,GACApB,EAAOtL,MAAM,oDACbmB,KAAKyc,WAAW1D,wBAAwBvI,EAAUjF,IAElDpB,EAAOtL,MAAM,uDAGV2R,CACX,CAEOyJ,eAAAA,GAEH,OADAja,KAAKsH,QAAQ7G,OAAO,mBACbiZ,EAAMO,gBAAgBja,KAAKuc,SAASnG,WAAYpW,KAAKuc,SAASvG,uBACzE,CAEA,iBAAasI,CAAY3c,EAAe4c,GAEpC,OADAve,KAAKsH,QAAQ7G,OAAO,qBACPT,KAAKkY,aAAaL,OAAO,CAClClW,QACAmW,gBAAiByG,GAEzB,GC1ZSC,EAAN,MAMIhf,WAAAA,CAA6Bif,GAAA,KAAAA,aAAAA,EALpC,KAAiBnX,QAAU,IAAIhI,EAAO,kBAyCtC,KAAUof,OAAS3H,UAMf,MAAMtL,EAAgBkT,EAAKlT,cAC3B,IAAKA,EACD,OAEJ,MAAMtB,EAASnK,KAAKsH,QAAQ7G,OAAO,UAWnC,GATIke,EAAK9F,SACL7Y,KAAK4e,KAAOD,EAAK9F,QAAQK,IACzB/O,EAAOtL,MAAM,gBAAiB4M,EAAe,QAASzL,KAAK4e,QAG3D5e,KAAK4e,UAAO,EACZzU,EAAOtL,MAAM,gBAAiB4M,EAAe,qBAG7CzL,KAAK6e,oBACL7e,KAAK6e,oBAAoBrQ,MAAM/C,QAInC,IACI,MAAMzF,QAAYhG,KAAKye,aAAajC,gBAAgBhJ,wBACpD,GAAIxN,EAAK,CACLmE,EAAOtL,MAAM,qCAEb,MAAMgG,EAAY7E,KAAKye,aAAalC,SAAS1X,UACvCia,EAAoB9e,KAAKye,aAAalC,SAASwC,8BAC/CC,EAAchf,KAAKye,aAAalC,SAAS0C,wBAEzCC,EAAqB,IAAIrS,EAAmB7M,KAAK4J,UAAW/E,EAAWmB,EAAK8Y,EAAmBE,SAC/FE,EAAmBjT,OACzBjM,KAAK6e,oBAAsBK,EAC3BA,EAAmB1Q,MAAM/C,EAC7B,MAEItB,EAAOpL,KAAK,gDAEpB,OACOT,GAEH6L,EAAOnL,MAAM,oCAAqCV,aAAef,MAAQe,EAAI6D,QAAU7D,EAC3F,GAGJ,KAAU6gB,MAAQ,KACd,MAAMhV,EAASnK,KAAKsH,QAAQ7G,OAAO,SAOnC,GANAT,KAAK4e,UAAO,EAER5e,KAAK6e,qBACL7e,KAAK6e,oBAAoBpR,OAGzBzN,KAAKye,aAAalC,SAAS6C,wBAAyB,CAIpD,MAAMC,EAAc9U,aAAYwM,UAC5BvM,cAAc6U,GAEd,IACI,MAAMC,QAAgBtf,KAAKye,aAAac,qBACxC,GAAID,EAAS,CACT,MAAME,EAAU,CACZ/T,cAAe6T,EAAQ7T,cACvBoN,QAASyG,EAAQpG,IAAM,CACnBA,IAAKoG,EAAQpG,KACb,MAEHlZ,KAAK0e,OAAOc,EACrB,CACJ,OACOlhB,GAEH6L,EAAOnL,MAAM,gCAAiCV,aAAef,MAAQe,EAAI6D,QAAU7D,EACvF,IACD,IACP,GAGJ,KAAUsL,UAAYmN,UAClB,MAAM5M,EAASnK,KAAKsH,QAAQ7G,OAAO,aACnC,IACI,MAAM6e,QAAgBtf,KAAKye,aAAac,qBACxC,IA
AIE,GAAa,EAEbH,GAAWtf,KAAK6e,oBACZS,EAAQpG,MAAQlZ,KAAK4e,MACrBa,GAAa,EACbzf,KAAK6e,oBAAoBrQ,MAAM8Q,EAAQ7T,eAEvCtB,EAAOtL,MAAM,4GAA6GygB,EAAQ7T,qBAC5HzL,KAAKye,aAAaiB,OAAOC,4BAG/BxV,EAAOtL,MAAM,mCAAoCygB,EAAQpG,KAI7D/O,EAAOtL,MAAM,oCAGb4gB,EACIzf,KAAK4e,WACC5e,KAAKye,aAAaiB,OAAOE,4BAGzB5f,KAAKye,aAAaiB,OAAOG,qBAGnC1V,EAAOtL,MAAM,mDAErB,OACOP,GACC0B,KAAK4e,OACLzU,EAAOtL,MAAM,oEAAqEP,SAC5E0B,KAAKye,aAAaiB,OAAOE,sBAEvC,GA9JKnB,GACDze,KAAKsH,QAAQ9G,MAAM,IAAIjD,MAAM,2BAGjCyC,KAAKye,aAAaiB,OAAOI,cAAc9f,KAAK0e,QAC5C1e,KAAKye,aAAaiB,OAAOK,gBAAgB/f,KAAKmf,OAE9Cnf,KAAKggB,QAAQC,OAAO3hB,IAEhB0B,KAAKsH,QAAQtI,MAAMV,EAAI,GAE/B,CAEA,WAAgB0hB,GACZhgB,KAAKsH,QAAQ7G,OAAO,SACpB,MAAMke,QAAa3e,KAAKye,aAAayB,UAGrC,GAAIvB,EACK3e,KAAK0e,OAAOC,QACrB,GACS3e,KAAKye,aAAalC,SAAS6C,wBAAyB,CACzD,MAAME,QAAgBtf,KAAKye,aAAac,qBACxC,GAAID,EAAS,CACT,MAAME,EAAU,CACZ/T,cAAe6T,EAAQ7T,cACvBoN,QAASyG,EAAQpG,IAAM,CACnBA,IAAKoG,EAAQpG,KACb,MAEHlZ,KAAK0e,OAAOc,EACrB,CACJ,CACJ,GCnCSW,EAAN,MAAMC,EAuCF5gB,WAAAA,CAAYI,GAvDvB,IAAA0I,EAmEQtI,KAAK2Y,SAAW/Y,EAAK+Y,SACrB3Y,KAAKyL,cAAgB,OAAAnD,EAAA1I,EAAK6L,eAALnD,EAAsB,KAC3CtI,KAAKmM,aAAevM,EAAKuM,aACzBnM,KAAK2X,cAAgB/X,EAAK+X,cAE1B3X,KAAKmb,WAAavb,EAAKub,WACvBnb,KAAKmV,MAAQvV,EAAKuV,MAClBnV,KAAK6Y,QAAUjZ,EAAKiZ,QACpB7Y,KAAKqb,WAAazb,EAAKyb,WACvBrb,KAAKuL,MAAQ3L,EAAK4L,UAClBxL,KAAK0L,UAAY9L,EAAK8L,SAC1B,CAGA,cAAWU,GACP,QAAwB,IAApBpM,KAAKqb,WAGT,OAAOrb,KAAKqb,WAAa7R,EAAMM,cACnC,CAEA,cAAWsC,CAAWhN,QACJ,IAAVA,IACAY,KAAKqb,WAAa/U,KAAKC,MAAMnH,GAASoK,EAAMM,eAEpD,CAGA,WAAWyC,GACP,MAAMH,EAAapM,KAAKoM,WACxB,QAAmB,IAAfA,EAGJ,OAAOA,GAAc,CACzB,CAGA,UAAWiU,GAxGf,IAAA/X,EAAA6C,EAyGQ,OAAO,OAAAA,EAAA,OAAA7C,EAAAtI,KAAKmV,YAAL,EAAA7M,EAAYtG,MAAM,MAAlBmJ,EAA0B,EACrC,CAEO2O,eAAAA,GAEH,OADA,IAAIxa,EAAO,QAAQmB,OAAO,mBACnB2B,KAAKW,UAAU,CAClB4V,SAAU3Y,KAAK2Y,SACflN,cAAezL,KAAKyL,cACpBU,aAAcnM,KAAKmM,aACnBwL,cAAe3X,KAAK2X,cACpBwD,WAAYnb,KAAKmb,WACjBhG,MAAOnV,KAAKmV,MACZ0D,QAAS7Y,KAAK6Y,QACdwC,WAAYrb,KAAKqb,YAEzB,CAEA,wBAActB,CAAkBC,GAE5B,OADA1a,EAAOuB,aAAa,OAAQ,qBACrB,IAAIuf,EAAKhe,KAAKC,MA
AM2X,GAC/B,GCvHEsG,EAAgB,cAcAC,EAAf,MAAA/gB,WAAAA,GAEH,KAAmBghB,OAAS,IAAIpZ,EAAuB,6BACvD,KAAmBqZ,iBAAmB,IAAIC,IAE1C,KAAUC,QAA8B,KAExC,cAAaC,CAAS/V,GAClB,MAAMV,EAASnK,KAAKsH,QAAQ7G,OAAO,YACnC,IAAKT,KAAK2gB,QACN,MAAM,IAAIpjB,MAAM,8CAGpB4M,EAAOtL,MAAM,yBACbmB,KAAK2gB,QAAQE,SAASljB,QAAQkN,EAAO7E,KAErC,MAAM,IAAEA,EAAA,SAAK8a,SAAmB,IAAI5S,SAAqB,CAACC,EAAS4S,KAC/D,MAAMC,EAAY9e,IArC9B,IAAAoG,EAsCgB,MAAM7D,EAAgCvC,EAAEuC,KAClC2I,EAAS,OAAA9E,EAAAuC,EAAOoW,cAAP3Y,EAAuBrF,OAAO4d,SAASzT,OACtD,GAAIlL,EAAEkL,SAAWA,IAAU,MAAA3I,OAAA,EAAAA,EAAM6I,UAAWgT,EAA5C,CAIA,IACI,MAAM/U,EAAQd,EAASC,WAAWjG,EAAKuB,IAAK6E,EAAOgL,eAAejF,IAAI,SAItE,GAHKrF,GACDpB,EAAOpL,KAAK,kCAEZmD,EAAEoL,SAAWtN,KAAK2gB,SAAWpV,IAAUV,EAAOU,MAG9C,MAER,OACOjN,GACH0B,KAAKkhB,WACLH,EAAO,IAAIxjB,MAAM,gCACrB,CACA4Q,EAAQ1J,EAhBR,CAgBa,EAEjBxB,OAAOsL,iBAAiB,UAAWyS,GAAU,GAC7ChhB,KAAKygB,iBAAiBU,KAAI,IAAMle,OAAOme,oBAAoB,UAAWJ,GAAU,KAChFhhB,KAAKygB,iBAAiBU,IAAInhB,KAAKwgB,OAAOjZ,YAAY8Z,IAC9CrhB,KAAKkhB,WACLH,EAAOM,EAAO,IACf,IASP,OAPAlX,EAAOtL,MAAM,4BACbmB,KAAKkhB,WAEAJ,GACD9gB,KAAKshB,QAGF,CAAEtb,MACb,CAIQkb,QAAAA,GACJlhB,KAAKsH,QAAQ7G,OAAO,YAEpB,IAAK,MAAM8gB,KAAWvhB,KAAKygB,iBACvBc,IAEJvhB,KAAKygB,iBAAiB5R,OAC1B,CAEA,oBAAiB2S,CAAcC,EAAgBzb,GAA4E,IAA/D8a,EAAAnhB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAAkB+hB,EAAA/hB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAesD,OAAO4d,SAASzT,OACzGqU,EAAO/S,YAAY,CACfpB,OAAQgT,EACRta,MACA8a,YACcY,EACtB,GCvFSC,EAAkD,CAC3Dd,UAAU,EACVe,SAAS,EACT9Y,OAAQ,IACR+Y,gCAAiC,GAExBC,EAAqB,SAC5BC,GAAsD,GACtDC,GAAuC,EAChCC,GAAuC,GA4EvCC,GAAN,cAAuCnN,EA+BnCvV,WAAAA,CAAYI,GACf,MAAM,mBACFuiB,EAAqBviB,EAAKwV,aAAA,+BAC1BgN,EAAiCxiB,EAAKyV,yBAAA,oBACtCgN,EAAsBV,EAAA,kBACtBW,EAAoBR,EAAA,eACpBS,EAAiB,SAAQ,eACzBC,EAAiB,OAAM,yBAEvBC,EAA2B7iB,EAAK6iB,yBAAA,mBAChCC,EAAqB9iB,EAAK8iB,mBAAA,wBAE1B3P,EAAA,oBACA4P,EAAsB/iB,EAAKwV,aAAA,8BAC3BwN,EAAA,qBACAC,GAAuB,EAAI,yBAC3BC,GAA2B,EAAI,4BAC/BC,GAA8B,EAAK,eAEnCC,GAAiB,EAAK,wBACtB5D,GAA0B,EAAK,8BAC/BL,EAAgCiD,GAAA,2BAChCiB,EAA6B,OAAM,wBACnChE,GAA0B,EAAI,iBAE9BiE,EAAmB,CAAC
,eAAgB,iBAAgB,sBACpDC,GAAwB,EAAK,8BAC7BC,GAAgC,EAAK,6CAErCC,EAA+CtB,GAAA,UAE/CuB,GACA1jB,EAgCJ,GA9BAoK,MAAMpK,GAENI,KAAKmiB,mBAAqBA,EAC1BniB,KAAKoiB,+BAAiCA,EACtCpiB,KAAKqiB,oBAAsBA,EAC3BriB,KAAKsiB,kBAAoBA,EACzBtiB,KAAKuiB,eAAiBA,EACtBviB,KAAKwiB,eAAiBA,EAEtBxiB,KAAKyiB,yBAA2BA,EAChCziB,KAAK0iB,mBAAqBA,EAE1B1iB,KAAK2iB,oBAAsBA,EAC3B3iB,KAAK4iB,8BAAgCA,GAAiC7P,GAA2BkP,GACjGjiB,KAAK6iB,qBAAuBA,EAC5B7iB,KAAK8iB,yBAA2BA,EAChC9iB,KAAK+iB,4BAA8BA,EAEnC/iB,KAAKgjB,eAAiBA,EACtBhjB,KAAKof,wBAA0BA,EAC/Bpf,KAAK+e,8BAAgCA,EACrC/e,KAAKif,wBAA0BA,EAC/Bjf,KAAKijB,2BAA6BA,EAElCjjB,KAAKkjB,iBAAmBA,EACxBljB,KAAKmjB,sBAAwBA,EAC7BnjB,KAAKojB,8BAAgCA,EAErCpjB,KAAKqjB,6CAA+CA,EAEhDC,EACAtjB,KAAKsjB,UAAYA,MAEhB,CACD,MAAMrP,EAA0B,qBAAXhR,OAAyBA,OAAOsgB,eAAiB,IAAI5U,EAC1E3O,KAAKsjB,UAAY,IAAItP,EAAqB,CAAEC,SAChD,CACJ,GChLSuP,GAAN,MAAMC,UAAqBlD,EAKvB/gB,WAAAA,CAAAkkB,GAEgB,IAFJ,8BACfd,EAAgCX,IACpCyB,EACI1Z,QAPJ,KAAmB1C,QAAU,IAAIhI,EAAO,gBAQpCU,KAAK2jB,kBAAoBf,EAEzB5iB,KAAKuN,OAASkW,EAAaG,qBAC3B5jB,KAAK2gB,QAAU3gB,KAAKuN,OAAOC,aAC/B,CAEA,yBAAeoW,GACX,MAAMC,EAAS5gB,OAAO0K,SAASC,cAAc,UAW7C,OARAiW,EAAOhW,MAAMC,WAAa,SAC1B+V,EAAOhW,MAAME,SAAW,QACxB8V,EAAOhW,MAAMnF,KAAO,UACpBmb,EAAOhW,MAAM9E,IAAM,IACnB8a,EAAOtb,MAAQ,IACfsb,EAAO/a,OAAS,IAEhB7F,OAAO0K,SAASU,KAAKC,YAAYuV,GAC1BA,CACX,CAEA,cAAajD,CAAS/V,GAClB7K,KAAKsH,QAAQzI,MAAM,8BAA+BmB,KAAK2jB,mBACvD,MAAMG,EAAQ9T,YAAW,KAAWhQ,KAAKwgB,OAAO1Y,MAAM,IAAI6D,EAAa,uCAAuC,GAA2B,IAAzB3L,KAAK2jB,mBAGrH,OAFA3jB,KAAKygB,iBAAiBU,KAAI,IAAM/Q,aAAa0T,WAEhC9Z,MAAM4W,SAAS/V,EAChC,CAEOyW,KAAAA,GAzDX,IAAAhZ,EA0DYtI,KAAKuN,SACDvN,KAAKuN,OAAOwW,aACZ/jB,KAAKuN,OAAOgB,iBAAiB,QAASvG,IA5DtD,IAAAgc,EA6DoB,MAAMC,EAAQjc,EAAGkc,OACjB,OAAAF,EAAAC,EAAMF,aAANC,EAAkBG,YAAYF,GACzBjkB,KAAKwgB,OAAO1Y,MAAM,IAAIvK,MAAM,2BAA2B,IAC7D,GACH,OAAA+K,EAAAtI,KAAKuN,OAAOC,gBAAZlF,EAA2BuY,SAASljB,QAAQ,gBAEhDqC,KAAKuN,OAAS,MAElBvN,KAAK2gB,QAAU,IACnB,CAEA,mBAAcyD,CAAape,EAAa0b,GACpC,OAAO1X,MAAMwX,cAAcve,OAAOwe,OAAQzb,GAAK,EAAO0b,EAC1D,GC/DS2C,GAAN,MAGH7kB,WAAAA,CAAoB2S,GAAA,KAAAA,UAAAA,EAFpB,KAAiB7K,Q
AAU,IAAIhI,EAAO,kBAEoB,CAE1D,aAAaglB,CAAAC,GAEiC,IAFzB,8BACjB3B,EAAgC5iB,KAAKmS,UAAUyQ,+BACnD2B,EACI,OAAO,IAAIf,GAAa,CAAEZ,iCAC9B,CAEA,cAAa4B,CAASxe,GAClBhG,KAAKsH,QAAQ7G,OAAO,YACpB+iB,GAAaY,aAAape,EAAKhG,KAAKmS,UAAUsQ,yBAClD,GCDSgC,GAAN,cAA0BlE,EAKtB/gB,WAAAA,CAAAklB,GAIe,IAJH,kBACfpC,EAAoBR,EAAA,oBACpBO,EAAsB,CAAC,EAAC,YACxBsC,GACJD,EACI1a,QATJ,KAAmB1C,QAAU,IAAIhI,EAAO,eAUpC,MAAMslB,EAAgB1c,EAAWC,OAAO,IAAKwZ,KAA+BU,IAC5EriB,KAAK2gB,QAAU1d,OAAO4hB,UAAK,EAAWvC,EAAmBpa,EAAWgB,UAAU0b,IAE1ED,GACAA,EAAYpW,iBAAiB,SAAS,KAvClD,IAAAjG,EAwCqBtI,KAAKwgB,OAAO1Y,MAAM,IAAIvK,MAAM,OAAA+K,EAAAqc,EAAYtD,QAAZ/Y,EAAsB,iBAAiB,IAI5E+Z,EAAoBR,gCAAkCQ,EAAoBR,+BAAiC,GAC3G7R,YAAW,KACFhQ,KAAK2gB,SAA0C,mBAAxB3gB,KAAK2gB,QAAQmE,SAAwB9kB,KAAK2gB,QAAQmE,OAK9E9kB,KAAKshB,QAJIthB,KAAKwgB,OAAO1Y,MAAM,IAAIvK,MAAM,yBAIzB,GA1Cb,IA2CA8kB,EAAoBR,+BAE/B,CAEA,cAAajB,CAAS/V,GAxD1B,IAAAvC,EAyDQ,OAAAA,EAAAtI,KAAK2gB,UAALrY,EAAcyc,QAEd,MAAMC,EAAsBza,aAAY,KAC/BvK,KAAK2gB,UAAW3gB,KAAK2gB,QAAQmE,QACzB9kB,KAAKwgB,OAAO1Y,MAAM,IAAIvK,MAAM,wBACrC,GAtDwB,KA0D5B,OAFAyC,KAAKygB,iBAAiBU,KAAI,IAAM3W,cAAcwa,WAEjChb,MAAM4W,SAAS/V,EAChC,CAEOyW,KAAAA,GACCthB,KAAK2gB,UACA3gB,KAAK2gB,QAAQmE,SACd9kB,KAAK2gB,QAAQW,QACRthB,KAAKwgB,OAAO1Y,MAAM,IAAIvK,MAAM,mBAGzCyC,KAAK2gB,QAAU,IACnB,CAEA,mBAAcsE,CAAajf,EAAa8a,GACpC,IAAK7d,OAAOiiB,OACR,MAAM,IAAI3nB,MAAM,kDAEpB,OAAOyM,MAAMwX,cAAcve,OAAOiiB,OAAQlf,EAAK8a,EACnD,GCzESqE,GAAN,MAGH3lB,WAAAA,CAAoB2S,GAAA,KAAAA,UAAAA,EAFpB,KAAiB7K,QAAU,IAAIhI,EAAO,iBAEqB,CAE3D,aAAaglB,CAAAc,GAI+B,IAJvB,oBACjB/C,EAAsBriB,KAAKmS,UAAUkQ,oBAAA,kBACrCC,EAAoBtiB,KAAKmS,UAAUmQ,kBAAA,YACnCqC,GACJS,EACI,OAAO,IAAIX,GAAY,CAAEpC,sBAAqBC,oBAAmBqC,eACrE,CAEA,cAAaH,CAASxe,EAAAqf,GAAkD,IAArC,SAAEvE,GAAW,GAAMuE,EAClDrlB,KAAKsH,QAAQ7G,OAAO,YAEpBgkB,GAAYQ,aAAajf,EAAK8a,EAClC,GCTSwE,GAAN,MAGH9lB,WAAAA,CAAoB2S,GAAA,KAAAA,UAAAA,EAFpB,KAAiB7K,QAAU,IAAIhI,EAAO,oBAEoB,CAE1D,aAAaglB,CAAAiB,GAGwB,IAHhB,eACjBhD,EAAiBviB,KAAKmS,UAAUoQ,eAAA,eAChCC,EAAiBxiB,KAAKmS,UAAUqQ,gBACpC+C,EA3BJ,IAAAjd,EA4BQtI,KAAKsH,QAAQ7G,OAAO,WACpB,IAAI+kB,EA
AeviB,OAAOwiB,KAEH,QAAnBjD,IACAgD,EAAe,OAAAld,EAAArF,OAAO8F,KAAPT,EAAcrF,OAAOwiB,MAGxC,MAAMC,EAAWF,EAAa3E,SAAS0B,GAAgBoD,KAAKH,EAAa3E,UACzE,IAAI5Q,EACJ,MAAO,CACH2Q,SAAU7J,UACN/W,KAAKsH,QAAQ7G,OAAO,YAEpB,MAAMmlB,EAAU,IAAI1X,SAAQ,CAACC,EAAS4S,KAClC9Q,EAAQ8Q,CAAA,IAGZ,OADA2E,EAAS7a,EAAO7E,WACF4f,CAAA,EAElBtE,MAAOA,KACHthB,KAAKsH,QAAQ7G,OAAO,SACpB,MAAAwP,GAAAA,EAAQ,IAAI1S,MAAM,qBAClBioB,EAAa/X,MAAM,EAG/B,CAEA,cAAa+W,GAEb,GCrBSqB,GAAN,cAAgCja,EAU5BpM,WAAAA,CAAY+c,GACfvS,MAAM,CAAEgC,kCAAmCuQ,EAAS8G,+CAVxD,KAAmB/b,QAAU,IAAIhI,EAAO,qBAExC,KAAiBwmB,YAAc,IAAI1e,EAAc,eACjD,KAAiB2e,cAAgB,IAAI3e,EAAU,iBAC/C,KAAiB4e,kBAAoB,IAAI5e,EAAe,sBACxD,KAAiB6e,cAAgB,IAAI7e,EAAU,kBAC/C,KAAiB8e,eAAiB,IAAI9e,EAAU,mBAChD,KAAiB+e,oBAAsB,IAAI/e,EAAU,uBAIrD,CAEA,UAAa6E,CAAK0S,GAA4C,IAAhCc,IAAA9f,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,KAAAA,UAAA,GAC1BqK,MAAMiC,KAAK0S,GACPc,SACMzf,KAAK8lB,YAAYhe,MAAM6W,EAErC,CACA,YAAanS,GACTxC,MAAMwC,eACAxM,KAAK+lB,cAAcje,OAC7B,CAKOgY,aAAAA,CAActY,GACjB,OAAOxH,KAAK8lB,YAAYve,WAAWC,EACvC,CAIO4e,gBAAAA,CAAiB5e,GACpB,OAAOxH,KAAK8lB,YAAYpe,cAAcF,EAC1C,CAKOuY,eAAAA,CAAgBvY,GACnB,OAAOxH,KAAK+lB,cAAcxe,WAAWC,EACzC,CAIO6e,kBAAAA,CAAmB7e,GACtB,OAAOxH,KAAK+lB,cAAcre,cAAcF,EAC5C,CAKO8e,mBAAAA,CAAoB9e,GACvB,OAAOxH,KAAKgmB,kBAAkBze,WAAWC,EAC7C,CAIO+e,sBAAAA,CAAuB/e,GAC1B,OAAOxH,KAAKgmB,kBAAkBte,cAAcF,EAChD,CAIA,4BAAagf,CAAuBtkB,SAC1BlC,KAAKgmB,kBAAkBle,MAAM5F,EACvC,CAMOukB,eAAAA,CAAgBjf,GACnB,OAAOxH,KAAKimB,cAAc1e,WAAWC,EACzC,CAIOkf,kBAAAA,CAAmBlf,GACtBxH,KAAKimB,cAAcve,cAAcF,EACrC,CAIA,wBAAaqY,SACH7f,KAAKimB,cAAcne,OAC7B,CAMO6e,gBAAAA,CAAiBnf,GACpB,OAAOxH,KAAKkmB,eAAe3e,WAAWC,EAC1C,CAIOof,mBAAAA,CAAoBpf,GACvBxH,KAAKkmB,eAAexe,cAAcF,EACtC,CAIA,yBAAaoY,SACH5f,KAAKkmB,eAAepe,OAC9B,CAMO+e,qBAAAA,CAAsBrf,GACzB,OAAOxH,KAAKmmB,oBAAoB5e,WAAWC,EAC/C,CAIOsf,wBAAAA,CAAyBtf,GAC5BxH,KAAKmmB,oBAAoBze,cAAcF,EAC3C,CAIA,8BAAamY,SACH3f,KAAKmmB,oBAAoBre,OACnC,GCzJSif,GAAN,MAKIvnB,WAAAA,CAAoBif,GAAA,KAAAA,aAAAA,EAJ3B,KAAUnX,QAAU,IAAIhI,EAAO,sBAC/B,KAAQ0nB,YAAa,EACrB,KAAiBC,YAAc,IAAIzd,EAAM,sBAgCzC,KAAU0d,
eAAsCnQ,UAC5C,MAAM5M,EAASnK,KAAKsH,QAAQ7G,OAAO,kBACnC,UACUT,KAAKye,aAAa0I,eACxBhd,EAAOtL,MAAM,kCACjB,OACOP,GACH,GAAIA,aAAeqN,EAIf,OAFAxB,EAAOpL,KAAK,kCAAmCT,EAAK,oBACpD0B,KAAKinB,YAAYhd,KAAK,GAI1BE,EAAOnL,MAAM,2BAA4BV,SACnC0B,KAAKye,aAAaiB,OAAO8G,uBAAuBloB,EAC1D,EA9CmD,CAEvD,WAAakQ,GACT,MAAMrE,EAASnK,KAAKsH,QAAQ7G,OAAO,SACnC,IAAKT,KAAKgnB,WAAY,CAClBhnB,KAAKgnB,YAAa,EAClBhnB,KAAKye,aAAaiB,OAAOjT,uBAAuBzM,KAAKknB,gBACrDlnB,KAAKinB,YAAY1f,WAAWvH,KAAKknB,gBAGjC,UACUlnB,KAAKye,aAAayB,SAE5B,OACO5hB,GAEH6L,EAAOnL,MAAM,gBAAiBV,EAClC,CACJ,CACJ,CAEOmP,IAAAA,GACCzN,KAAKgnB,aACLhnB,KAAKinB,YAAYld,SACjB/J,KAAKinB,YAAYvf,cAAc1H,KAAKknB,gBACpClnB,KAAKye,aAAaiB,OAAOhT,0BAA0B1M,KAAKknB,gBACxDlnB,KAAKgnB,YAAa,EAE1B,GClCSI,GAAN,MAUH5nB,WAAAA,CAAYI,GASRI,KAAK2X,cAAgB/X,EAAK+X,cAC1B3X,KAAK2Y,SAAW/Y,EAAK+Y,SACrB3Y,KAAKyL,cAAgB7L,EAAK6L,cAC1BzL,KAAKmV,MAAQvV,EAAKuV,MAClBnV,KAAK6Y,QAAUjZ,EAAKiZ,QAEpB7Y,KAAKyE,KAAO7E,EAAK2L,KAErB,GC2CS8b,GAAN,MAaI7nB,WAAAA,CAAY+c,EAA+B+K,EAAgCC,EAA6BC,GAV/G,KAAmBlgB,QAAU,IAAIhI,EAAO,eAWpCU,KAAKuc,SAAW,IAAI2F,GAAyB3F,GAE7Cvc,KAAKynB,QAAU,IAAInL,EAAWC,GAE9Bvc,KAAK0nB,mBAAqB,MAAAJ,EAAAA,EAAqB,IAAIhC,GAAkBtlB,KAAKuc,UAC1Evc,KAAK2nB,gBAAkB,MAAAJ,EAAAA,EAAkB,IAAIpC,GAAenlB,KAAKuc,UACjEvc,KAAK4nB,iBAAmB,MAAAJ,EAAAA,EAAmB,IAAInD,GAAgBrkB,KAAKuc,UAEpEvc,KAAK6nB,QAAU,IAAIhC,GAAkB7lB,KAAKuc,UAC1Cvc,KAAK8nB,oBAAsB,IAAIf,GAAmB/mB,MAG9CA,KAAKuc,SAASsG,sBACd7iB,KAAK+nB,mBAGT/nB,KAAKgoB,gBAAkB,KACnBhoB,KAAKuc,SAASyG,iBACdhjB,KAAKgoB,gBAAkB,IAAIxJ,EAAexe,MAElD,CAKA,UAAW0f,GACP,OAAO1f,KAAK6nB,OAChB,CAKA,mBAAWrL,GACP,OAAOxc,KAAKynB,QAAQjL,eACxB,CAOA,aAAa0D,GACT,MAAM/V,EAASnK,KAAKsH,QAAQ7G,OAAO,WAC7Bke,QAAa3e,KAAKioB,YACxB,OAAItJ,GACAxU,EAAOrL,KAAK,qBACNkB,KAAK6nB,QAAQ5b,KAAK0S,GAAM,GACvBA,IAGXxU,EAAOrL,KAAK,6BACL,KACX,CAOA,gBAAaopB,GACT,MAAM/d,EAASnK,KAAKsH,QAAQ7G,OAAO,oBAC7BT,KAAKmoB,UAAU,MACrBhe,EAAOrL,KAAK,mCACNkB,KAAK6nB,QAAQrb,QACvB,CASA,oBAAa4b,GAA6D,IAA9CxoB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA2B,CAAC,EAvK5D,IAAA2I,EAwKQtI,KAAKsH,QAAQ7G,OAAO,kBACpB,MAAM,
eACF8hB,KACG8F,GACHzoB,EAEJ,IAAIgb,GACA,OAAAtS,EAAAtI,KAAKuc,SAAS9F,WAAd,EAAAnO,EAAoBggB,2BACpB1N,QAAgB5a,KAAK+G,gBAAgB/G,KAAKuc,SAAS9F,OAGvD,MAAM8R,QAAevoB,KAAK0nB,mBAAmBpD,QAAQ,CAAE/B,yBACjDviB,KAAKwoB,aAAa,CACpB3O,aAAc,OACde,aACGyN,GACJE,EACP,CAUA,4BAAaE,GAAkE,IAA3CziB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KACtD,MAAM9D,EAASnK,KAAKsH,QAAQ7G,OAAO,0BAC7Bke,QAAa3e,KAAK0oB,WAAW1iB,GAQnC,OAPI2Y,EAAK9F,SAAW8F,EAAK9F,QAAQK,IAC7B/O,EAAOrL,KAAK,6BAA8B6f,EAAK9F,QAAQK,KAGvD/O,EAAOrL,KAAK,cAGT6f,CACX,CAQA,oCAAagK,CAAAC,GAIyC,IAJV,SACxCjL,EAAA,SACAC,EAAA,aACAnF,GAAe,GACnBmQ,EACI,MAAMze,EAASnK,KAAKsH,QAAQ7G,OAAO,iCAE7Bod,QAAuB7d,KAAKynB,QAAQhK,wCAAwC,CAC9EE,WACAC,WACAnF,eACAjC,iBAAkBxW,KAAKuc,SAAS/F,mBAEpCrM,EAAOtL,MAAM,uBAEb,MAAM8f,QAAa3e,KAAK6oB,WAAWhL,GAMnC,OALIc,EAAK9F,SAAW8F,EAAK9F,QAAQK,IAC7B/O,EAAOrL,KAAK,6BAA8B6f,EAAK9F,QAAQK,KAEvD/O,EAAOrL,KAAK,cAET6f,CACX,CAQA,iBAAamK,GAAuD,IAA3ClpB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAwB,CAAC,EApPtD,IAAA2I,EAqPQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,eAEnC,IAAIma,GACA,OAAAtS,EAAAtI,KAAKuc,SAAS9F,WAAd,EAAAnO,EAAoBggB,2BACpB1N,QAAgB5a,KAAK+G,gBAAgB/G,KAAKuc,SAAS9F,OAGvD,MAAM,oBACF4L,EAAA,kBACAC,EAAA,YACAqC,KACG0D,GACHzoB,EACEoG,EAAMhG,KAAKuc,SAAS4F,mBACrBnc,GACDmE,EAAO3J,MAAM,IAAIjD,MAAM,qCAG3B,MAAMgrB,QAAevoB,KAAK2nB,gBAAgBrD,QAAQ,CAAEjC,sBAAqBC,oBAAmBqC,gBACtFhG,QAAa3e,KAAK+oB,QAAQ,CAC5BlP,aAAc,OACdzE,aAAcpP,EACdwP,QAAS,QACToF,aACGyN,GACJE,GASH,OARI5J,IACIA,EAAK9F,SAAW8F,EAAK9F,QAAQK,IAC7B/O,EAAOrL,KAAK,6BAA8B6f,EAAK9F,QAAQK,KAEvD/O,EAAOrL,KAAK,eAIb6f,CACX,CAUA,yBAAaqK,GAAiF,IAA7DhjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KAAM6S,EAAAnhB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GACzD,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,6BAC7BT,KAAK2nB,gBAAgBnD,SAASxe,EAAK,CAAE8a,aAC3C3W,EAAOrL,KAAK,UAChB,CAOA,kBAAaqoB,GAAgE,IAAnDvnB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAyB,CAAC,EA7SxD,IAAA2I,EAAA6C,EA8SQ,MAAMhB,EAASnK,KAAKsH,QAAQ7G,OAAO,iBAC7B,8BACFmiB,KACGyF,GACHzoB,EAE
J,IAaIgb,EAbA+D,QAAa3e,KAAKioB,YACtB,GAAI,MAAAtJ,OAAA,EAAAA,EAAMhH,cAAe,CACrBxN,EAAOtL,MAAM,uBACb,MAAM0M,EAAQ,IAAI6b,GAAazI,GAC/B,aAAa3e,KAAKipB,iBAAiB,CAC/B1d,QACA6J,aAAciT,EAAYjT,aAC1BQ,SAAUyS,EAAYzS,SACtBY,iBAAkB6R,EAAY7R,iBAC9B9G,iBAAkBkT,GAE1B,EAGI,OAAAta,EAAAtI,KAAKuc,SAAS9F,WAAd,EAAAnO,EAAoBggB,2BACpB1N,QAAgB5a,KAAK+G,gBAAgB/G,KAAKuc,SAAS9F,OAGvD,MAAMzQ,EAAMhG,KAAKuc,SAASoG,oBAK1B,IAAIuG,EAJCljB,GACDmE,EAAO3J,MAAM,IAAIjD,MAAM,sCAIvBohB,GAAQ3e,KAAKuc,SAASuG,2BACtB3Y,EAAOtL,MAAM,iCAAkC8f,EAAK9F,QAAQK,KAC5DgQ,EAAYvK,EAAK9F,QAAQK,KAG7B,MAAMqP,QAAevoB,KAAK4nB,iBAAiBtD,QAAQ,CAAE1B,kCAkBrD,OAjBAjE,QAAa3e,KAAK+oB,QAAQ,CACtBlP,aAAc,OACdzE,aAAcpP,EACduP,OAAQ,OACRkG,cAAezb,KAAKuc,SAASwG,4BAA8B,MAAApE,OAAA,EAAAA,EAAMhG,cAAW,EAC5EiC,aACGyN,GACJE,EAAQW,GACPvK,KACI,OAAAxT,EAAAwT,EAAK9F,cAAL,EAAA1N,EAAc+N,KACd/O,EAAOrL,KAAK,6BAA8B6f,EAAK9F,QAAQK,KAGvD/O,EAAOrL,KAAK,eAIb6f,CACX,CAEA,sBAAgBsK,CAAiBrpB,GAC7B,MAAM4Q,QAAiBxQ,KAAKynB,QAAQ3J,gBAAgB,CAChDpO,iBAAkB1P,KAAKuc,SAASqG,iCAC7BhjB,IAED+e,EAAO,IAAIwB,EAAK,IAAKvgB,EAAK2L,SAAUiF,IAI1C,aAFMxQ,KAAKmoB,UAAUxJ,SACf3e,KAAK6nB,QAAQ5b,KAAK0S,GACjBA,CACX,CAWA,0BAAawK,GAAgE,IAA3CnjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KACpD,MAAM9D,EAASnK,KAAKsH,QAAQ7G,OAAO,8BAC7BT,KAAK4nB,iBAAiBpD,SAASxe,GACrCmE,EAAOrL,KAAK,UAChB,CAWA,oBAAasqB,GAAsE,IAAvDpjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KAC9C,MAAM,MAAE1C,SAAgBvL,KAAKynB,QAAQxK,wBAAwBjX,GAC7D,OAAQuF,EAAMsO,cACV,IAAK,OACD,aAAa7Z,KAAKyoB,uBAAuBziB,GAC7C,IAAK,aACKhG,KAAKgpB,oBAAoBhjB,GAC/B,MACJ,IAAK,aACKhG,KAAKmpB,qBAAqBnjB,GAChC,MACJ,QACI,MAAM,IAAIzI,MAAM,kCAG5B,CAWA,qBAAa8rB,GAAoG,IAApFrjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KAAM6S,EAAAnhB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GACrD,MAAM,MAAE4L,SAAgBvL,KAAKynB,QAAQrJ,yBAAyBpY,GAC9D,GAAKuF,EAIL,OAAQA,EAAMsO,cACV,IAAK,OACD,aAAa7Z,KAAKspB,wBAAwBtjB,GAC9C,IAAK,aACKhG,KAAKupB,qBAAqBvjB,EAAK8a,GACrC,MACJ,IAAK,aACK9gB,KAAKwpB,sBAAsBxjB,GACjC,MACJ,QAC
I,MAAM,IAAIzI,MAAM,kCAG5B,CAOA,wBAAagiB,GAAqF,IAAlE3f,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA+B,CAAC,EAC5D,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,uBAC7B,8BACFmiB,KACGyF,GACHzoB,EACEoG,EAAMhG,KAAKuc,SAASoG,oBACrB3c,GACDmE,EAAO3J,MAAM,IAAIjD,MAAM,sCAG3B,MAAMohB,QAAa3e,KAAKioB,YAClBM,QAAevoB,KAAK4nB,iBAAiBtD,QAAQ,CAAE1B,kCAC/C6G,QAAoBzpB,KAAKwoB,aAAa,CACxC3O,aAAc,OACdzE,aAAcpP,EACduP,OAAQ,OACRkG,cAAezb,KAAKuc,SAASwG,4BAA8B,MAAApE,OAAA,EAAAA,EAAMhG,cAAW,EAC5EzD,cAAelV,KAAKuc,SAAS0G,2BAC7B9N,MAAO,SACPsD,cAAc,KACX4P,GACJE,GACH,IACI,MAAMhX,EAA4C,CAAC,EAC7CsM,QAAuB7d,KAAKynB,QAAQrK,sBAAsBqM,EAAYzjB,IAAKuL,GAGjF,OAFApH,EAAOtL,MAAM,uBAETgf,EAAepS,eAAiBoS,EAAehF,QAAQK,KACvD/O,EAAOrL,KAAK,sBAAuB+e,EAAehF,QAAQK,KACnD,CACHzN,cAAeoS,EAAepS,cAC9ByN,IAAK2E,EAAehF,QAAQK,OAIpC/O,EAAOrL,KAAK,mCACL,KACX,CAAE,MAAOR,GACL,GAAI0B,KAAKuc,SAAS6C,yBAA2B9gB,aAAe2M,EACxD,OAAQ3M,EAAIU,OACR,IAAK,iBACL,IAAK,mBACL,IAAK,uBACL,IAAK,6BAED,OADAmL,EAAOrL,KAAK,8BACL,CAEH2M,cAAenN,EAAImN,eAInC,MAAMnN,CACV,CACJ,CAEA,aAAgByqB,CAAQnpB,EAA+B2oB,EAAiBW,GACpE,MAAMO,QAAoBzpB,KAAKwoB,aAAa5oB,EAAM2oB,GAClD,aAAavoB,KAAK0oB,WAAWe,EAAYzjB,IAAKkjB,EAClD,CAEA,kBAAgBV,CAAa5oB,EAA+B2oB,GACxD,MAAMpe,EAASnK,KAAKsH,QAAQ7G,OAAO,gBAEnC,IACI,MAAMsc,QAAsB/c,KAAKynB,QAAQ/K,oBAAoB9c,GAG7D,OAFAuK,EAAOtL,MAAM,4BAEA0pB,EAAO3H,SAAS,CACzB5a,IAAK+W,EAAc/W,IACnBuF,MAAOwR,EAAcxR,MAAMyN,GAC3BnD,cAAekH,EAAcxR,MAAMsK,cACnCoL,aAAcjhB,KAAKuc,SAASmG,oBAEpC,CAAE,MAAOpkB,GAGL,MAFA6L,EAAOtL,MAAM,6DACb0pB,EAAOjH,QACDhjB,CACV,CACJ,CAEA,gBAAgBoqB,CAAW1iB,EAAakjB,GACpC,MAAM/e,EAASnK,KAAKsH,QAAQ7G,OAAO,cAE7Bod,QAAuB7d,KAAKynB,QAAQrK,sBAAsBpX,EADd,CAAC,GAEnDmE,EAAOtL,MAAM,uBAGb,aADmBmB,KAAK6oB,WAAWhL,EAAgBqL,EAEvD,CAEA,gBAAgBL,CAAWhL,EAAgCqL,GACvD,MAAM/e,EAASnK,KAAKsH,QAAQ7G,OAAO,cAC7Bke,EAAO,IAAIwB,EAAKtC,GACtB,GAAIqL,EAAW,CACX,GAAIA,IAAcvK,EAAK9F,QAAQK,IAE3B,MADA/O,EAAOtL,MAAM,0EAA2E8f,EAAK9F,QAAQK,KAC/F,IAAIjO,EAAc,IAAK4S,EAAgB7e,MAAO,mBAExDmL,EAAOtL,MAAM,iDACjB,CAMA,aAJMmB,KAAKmoB,UAAUxJ,GACrBxU,EAAOtL,MAAM,qBACPmB,KAAK6nB,QAAQ5b,KAAK0S,GAEjBA
,CACX,CAOA,qBAAa+K,GAA+D,IAA/C9pB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA4B,CAAC,EACtD,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,oBAC7B,eACF8hB,KACG8F,GACHzoB,EACE2oB,QAAevoB,KAAK0nB,mBAAmBpD,QAAQ,CAAE/B,yBACjDviB,KAAK2pB,cAAc,CACrB9P,aAAc,OACdxE,yBAA0BrV,KAAKuc,SAASlH,4BACrCgT,GACJE,GACHpe,EAAOrL,KAAK,UAChB,CAUA,6BAAawqB,GAA8E,IAAtDtjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KACvD,MAAM9D,EAASnK,KAAKsH,QAAQ7G,OAAO,2BAC7B+P,QAAiBxQ,KAAK4pB,YAAY5jB,GAExC,OADAmE,EAAOrL,KAAK,WACL0R,CACX,CAOA,kBAAaqZ,GAAyD,IAA5CjqB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAyB,CAAC,EAChD,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,iBAC7B,oBACF4hB,EAAA,kBACAC,EAAA,YACAqC,KACG0D,GACHzoB,EACEoG,EAAMhG,KAAKuc,SAAS6F,+BAEpBmG,QAAevoB,KAAK2nB,gBAAgBrD,QAAQ,CAAEjC,sBAAqBC,oBAAmBqC,sBACtF3kB,KAAK8pB,SAAS,CAChBjQ,aAAc,OACdxE,yBAA0BrP,EAM1BuF,MAAc,MAAPvF,OAAc,EAAY,CAAC,KAC/BqiB,GACJE,GACHpe,EAAOrL,KAAK,UAChB,CAUA,0BAAayqB,GAAkF,IAA7DvjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KAAM6S,EAAAnhB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,IAAAA,UAAA,GAC1D,MAAMwK,EAASnK,KAAKsH,QAAQ7G,OAAO,8BAC7BT,KAAK2nB,gBAAgBnD,SAASxe,EAAK,CAAE8a,aAC3C3W,EAAOrL,KAAK,UAChB,CAEA,cAAgBgrB,CAASlqB,EAAgC2oB,GACrD,MAAMkB,QAAoBzpB,KAAK2pB,cAAc/pB,EAAM2oB,GACnD,aAAavoB,KAAK4pB,YAAYH,EAAYzjB,IAC9C,CAEA,mBAAgB2jB,GAA+F,IAAjF/pB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAiC,CAAC,EAAG4oB,EAAA5oB,UAAA/B,OAAA,EAAA+B,UAAA,QAAAiL,EA/nBvE,IAAAtC,EAgoBQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,iBAEnC,IACI,MAAMke,QAAa3e,KAAKioB,YACxB9d,EAAOtL,MAAM,oCAETmB,KAAKuc,SAAS4G,6BACRnjB,KAAK+pB,gBAAgBpL,GAG/B,MAAMhG,EAAW/Y,EAAK6b,eAAiBkD,GAAQA,EAAKhG,SAChDA,IACAxO,EAAOtL,MAAM,4CACbe,EAAK6b,cAAgB9C,SAGnB3Y,KAAKkoB,aACX/d,EAAOtL,MAAM,0CAEb,MAAMmrB,QAAuBhqB,KAAKynB,QAAQvJ,qBAAqBte,GAG/D,OAFAuK,EAAOtL,MAAM,6BAEA0pB,EAAO3H,SAAS,CACzB5a,IAAKgkB,EAAehkB,IACpBuF,MAAO,OAAAjD,EAAA0hB,EAAeze,YAAf,EAAAjD,EAAsB0Q,GAC7BiI,aAAcjhB,KAAKuc,SAASmG,oBAEpC,CAAE,MAAOpkB,GAGL,MAFA6L,EAAOtL,MAAM,6DACb0pB,EAAOjH,QACDhjB,CA
CV,CACJ,CAEA,iBAAgBsrB,CAAY5jB,GACxB,MAAMmE,EAASnK,KAAKsH,QAAQ7G,OAAO,eAC7BwpB,QAAwBjqB,KAAKynB,QAAQpJ,uBAAuBrY,GAGlE,OAFAmE,EAAOtL,MAAM,wBAENorB,CACX,CAOA,mBAAaC,GAA2D,IAA7CtqB,EAAAD,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAA0B,CAAC,EA/qB1D,IAAA2I,EAgrBQ,MAAM6B,EAASnK,KAAKsH,QAAQ7G,OAAO,kBAC7B,8BACFmiB,KACGyF,GACHzoB,EAEE6b,EAAgBzb,KAAKuc,SAAS6G,8BAC7B,OAAA9a,QAAMtI,KAAKioB,kBAAX,EAAA3f,EAAyBqQ,cAC1B,EAEA3S,EAAMhG,KAAKuc,SAAS6F,+BACpBmG,QAAevoB,KAAK4nB,iBAAiBtD,QAAQ,CAAE1B,wCAC/C5iB,KAAK8pB,SAAS,CAChBjQ,aAAc,OACdxE,yBAA0BrP,EAC1ByV,mBACG4M,GACJE,GAEHpe,EAAOrL,KAAK,UAChB,CAUA,2BAAa0qB,GAAiE,IAA3CxjB,EAAArG,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAMsD,OAAO4d,SAAS5S,KACrD,MAAM9D,EAASnK,KAAKsH,QAAQ7G,OAAO,+BAC7BT,KAAK4nB,iBAAiBpD,SAASxe,GACrCmE,EAAOrL,KAAK,UAChB,CAEA,kBAAaqrB,CAAaC,GACtB,MAAMzL,QAAa3e,KAAKioB,kBAClBjoB,KAAK+pB,gBAAgBpL,EAAMyL,EACrC,CAEA,qBAAgBL,CAAgBpL,GAA0E,IAAvDyL,EAAAzqB,UAAA/B,OAAA,QAAAgN,IAAAjL,UAAA,GAAAA,UAAA,GAAQK,KAAKuc,SAAS2G,iBACrE,MAAM/Y,EAASnK,KAAKsH,QAAQ7G,OAAO,mBACnC,IAAKke,EAAM,OAEX,MAAM0L,EAAeD,EAAMhhB,QAAOmV,GAA8B,kBAAfI,EAAKJ,KAEtD,GAAK8L,EAAazsB,OAAlB,CAMA,IAAK,MAAM2gB,KAAQ8L,QACTrqB,KAAKynB,QAAQnJ,YACfK,EAAKJ,GACLA,GAEJpU,EAAOrL,KAAK,GAAGyf,0BACF,iBAATA,IACAI,EAAKJ,GAAQ,YAIfve,KAAKmoB,UAAUxJ,GACrBxU,EAAOtL,MAAM,qBACPmB,KAAK6nB,QAAQ5b,KAAK0S,EAhBxB,MAFIxU,EAAOtL,MAAM,uCAmBrB,CAKOkpB,gBAAAA,GACH/nB,KAAKsH,QAAQ7G,OAAO,oBACfT,KAAK8nB,oBAAoBtZ,OAClC,CAKO8b,eAAAA,GACHtqB,KAAK8nB,oBAAoBra,MAC7B,CAEA,iBAAc8c,GACV,MAAO,QAAQvqB,KAAKuc,SAAStH,aAAajV,KAAKuc,SAAS1X,WAC5D,CAEA,eAAgBojB,GACZ,MAAM9d,EAASnK,KAAKsH,QAAQ7G,OAAO,aAC7BuZ,QAAsBha,KAAKuc,SAAS+G,UAAU1S,IAAI5Q,KAAKuqB,eAC7D,OAAIvQ,GACA7P,EAAOtL,MAAM,6BACNshB,EAAKpG,kBAAkBC,KAGlC7P,EAAOtL,MAAM,yBACN,KACX,CAEA,eAAaspB,CAAUxJ,GACnB,MAAMxU,EAASnK,KAAKsH,QAAQ7G,OAAO,aACnC,GAAIke,EAAM,CACNxU,EAAOtL,MAAM,gBACb,MAAMmb,EAAgB2E,EAAK7E,wBACrB9Z,KAAKuc,SAAS+G,UAAUjP,IAAIrU,KAAKuqB,cAAevQ,EAC1D,MACIha,KAAKsH,QAAQzI,MAAM,uBACbmB,KAAKuc,SAAS+G,UAAUhP,OAAOtU,KAAKuqB,eACtCvqB,KAAKuc,SAAS9F,YACRzW,KAA
Kuc,SAAS9F,KAAKxC,MAAMK,OAAOtU,KAAKuc,SAAS1X,UAGhE,CAKA,qBAAaoV,SACHja,KAAKynB,QAAQxN,iBACvB,CAaA,eAAaoD,CAAUrX,EAAa2Y,EAAYzY,EAAqBE,GArzBzE,IAAAkC,EAAA6C,EAszBQ,MAAMqS,QAAkB,OAAArS,EAAA,OAAA7C,EAAAtI,KAAKuc,SAAS9F,WAAd,EAAAnO,EAAoB2L,YAApB,EAAA9I,EAA2ByF,IAAI5Q,KAAKuc,SAAS1X,YACrE,GAAI2Y,EACA,aAAa7a,EAAYiD,kBAAkB,CACvCI,MACAC,YAAa,MAAA0Y,OAAA,EAAAA,EAAMxS,aACnBjG,aACAC,QAASqX,EAAU7L,KACnBvL,SAIZ,CAEA,qBAAMW,CAAgByjB,GAClB,IAAIhN,QAAkBgN,EAAavW,MAAMrD,IAAI5Q,KAAKuc,SAAS1X,WAC3D,IAAK2Y,EAAW,CACZ,MAAMiN,QAAiB9nB,EAAYqE,mBACnCwW,EAAY,IAAInB,EAAUoO,SACpBD,EAAavW,MAAMI,IAAIrU,KAAKuc,SAAS1X,UAAW2Y,EAC1D,CACA,aAAa7a,EAAYoE,gBAAgByW,EAAU7L,KACvD,GCr0BS+Y,GCJA,QCKAC,GAAN,MAAAnrB,WAAAA,GACH,KAASorB,QAAkB,OAC3B,KAASC,WAAqB,OAE9B,SAAaxW,CAAI9K,EAAanK,GAC1B,MAAM6U,QAAcjU,KAAK8qB,YAAY9qB,KAAK4qB,QAAS5qB,KAAK6qB,kBAClD5W,EAAM,aAAcxW,IACtBA,EAAIstB,IAAI3rB,EAAOmK,GACRvJ,KAAKgrB,iBAAiBvtB,EAAIwtB,eAEzC,CAEA,SAAara,CAAIrH,GACb,MAAM0K,QAAcjU,KAAK8qB,YAAY9qB,KAAK4qB,QAAS5qB,KAAK6qB,YACxD,aAAa5W,EAAM,YAAaxW,GACrBuC,KAAKgrB,iBAAiBvtB,EAAImT,IAAIrH,KAE7C,CAEA,YAAa+K,CAAO/K,GAChB,MAAMsH,QAAa7Q,KAAK4Q,IAAIrH,GACtB0K,QAAcjU,KAAK8qB,YAAY9qB,KAAK4qB,QAAS5qB,KAAK6qB,YAIxD,aAHM5W,EAAM,aAAcxW,GACfuC,KAAKgrB,iBAAiBvtB,EAAIytB,OAAO3hB,MAErCsH,CACX,CAEA,gBAAa0D,GACT,MAAMN,QAAcjU,KAAK8qB,YAAY9qB,KAAK4qB,QAAS5qB,KAAK6qB,YACxD,aAAa5W,EAAM,YAAaxW,GACrBuC,KAAKgrB,iBAAiBvtB,EAAI8W,eAEzC,CAEAyW,gBAAAA,CACIpO,GACA,OAAO,IAAI1O,SAAW,CAACC,EAAS4S,KAC3BnE,EAA2BuO,WAAcvO,EAA0BwO,UAAY,IAAMjd,EAASyO,EAA0Bd,QACxHc,EAA2ByO,QAAWzO,EAA0B0O,QAAU,IAAMvK,EAAQnE,EAA0B5d,MAAM,GAEjI,CAEA,iBAAM8rB,CACFS,EACAC,GAEA,MAAM5O,EAAU6O,UAAU5G,KAAK0G,GAC/B3O,EAAQ8O,gBAAkB,IAAM9O,EAAQd,OAAO6P,kBAAkBH,GACjE,MAAMI,QAAW5rB,KAAKgrB,iBAA8BpO,GAEpD,OAAO7F,MACH8U,EACArH,KAEA,MACMvQ,EADK2X,EAAGX,YAAYO,EAAWK,GACpBC,YAAYN,GAC7B,aAAahH,EAASvQ,EAAM,CAEpC,E","sources":["../node_modules/jwt-decode/build/esm/index.js","../node_modules/oidc-client-ts/src/utils/Logger.ts","../node_modules/oidc-client-ts/src/utils/JwtUtils.ts","../node_modules/oidc-cli
ent-ts/src/utils/CryptoUtils.ts","../node_modules/oidc-client-ts/src/utils/Event.ts","../node_modules/oidc-client-ts/src/utils/PopupUtils.ts","../node_modules/oidc-client-ts/src/utils/Timer.ts","../node_modules/oidc-client-ts/src/utils/UrlUtils.ts","../node_modules/oidc-client-ts/src/errors/ErrorResponse.ts","../node_modules/oidc-client-ts/src/errors/ErrorTimeout.ts","../node_modules/oidc-client-ts/src/AccessTokenEvents.ts","../node_modules/oidc-client-ts/src/CheckSessionIFrame.ts","../node_modules/oidc-client-ts/src/InMemoryWebStorage.ts","../node_modules/oidc-client-ts/src/errors/ErrorDPoPNonce.ts","../node_modules/oidc-client-ts/src/JsonService.ts","../node_modules/oidc-client-ts/src/MetadataService.ts","../node_modules/oidc-client-ts/src/WebStorageStateStore.ts","../node_modules/oidc-client-ts/src/OidcClientSettings.ts","../node_modules/oidc-client-ts/src/UserInfoService.ts","../node_modules/oidc-client-ts/src/TokenClient.ts","../node_modules/oidc-client-ts/src/ResponseValidator.ts","../node_modules/oidc-client-ts/src/State.ts","../node_modules/oidc-client-ts/src/SigninState.ts","../node_modules/oidc-client-ts/src/SigninRequest.ts","../node_modules/oidc-client-ts/src/SigninResponse.ts","../node_modules/oidc-client-ts/src/SignoutRequest.ts","../node_modules/oidc-client-ts/src/SignoutResponse.ts","../node_modules/oidc-client-ts/src/ClaimsService.ts","../node_modules/oidc-client-ts/src/DPoPStore.ts","../node_modules/oidc-client-ts/src/OidcClient.ts","../node_modules/oidc-client-ts/src/SessionMonitor.ts","../node_modules/oidc-client-ts/src/User.ts","../node_modules/oidc-client-ts/src/navigators/AbstractChildWindow.ts","../node_modules/oidc-client-ts/src/UserManagerSettings.ts","../node_modules/oidc-client-ts/src/navigators/IFrameWindow.ts","../node_modules/oidc-client-ts/src/navigators/IFrameNavigator.ts","../node_modules/oidc-client-ts/src/navigators/PopupWindow.ts","../node_modules/oidc-client-ts/src/navigators/PopupNavigator.ts","../node_modules/oidc-client-ts/sr
c/navigators/RedirectNavigator.ts","../node_modules/oidc-client-ts/src/UserManagerEvents.ts","../node_modules/oidc-client-ts/src/SilentRenewService.ts","../node_modules/oidc-client-ts/src/RefreshState.ts","../node_modules/oidc-client-ts/src/UserManager.ts","../node_modules/oidc-client-ts/src/Version.ts","../node_modules/oidc-client-ts/package.json","../node_modules/oidc-client-ts/src/IndexedDbDPoPStore.ts"],"sourcesContent":["export class InvalidTokenError extends Error {\n}\nInvalidTokenError.prototype.name = \"InvalidTokenError\";\nfunction b64DecodeUnicode(str) {\n return decodeURIComponent(atob(str).replace(/(.)/g, (m, p) => {\n let code = p.charCodeAt(0).toString(16).toUpperCase();\n if (code.length < 2) {\n code = \"0\" + code;\n }\n return \"%\" + code;\n }));\n}\nfunction base64UrlDecode(str) {\n let output = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n switch (output.length % 4) {\n case 0:\n break;\n case 2:\n output += \"==\";\n break;\n case 3:\n output += \"=\";\n break;\n default:\n throw new Error(\"base64 string is not of the correct length\");\n }\n try {\n return b64DecodeUnicode(output);\n }\n catch (err) {\n return atob(output);\n }\n}\nexport function jwtDecode(token, options) {\n if (typeof token !== \"string\") {\n throw new InvalidTokenError(\"Invalid token specified: must be a string\");\n }\n options || (options = {});\n const pos = options.header === true ? 0 : 1;\n const part = token.split(\".\")[pos];\n if (typeof part !== \"string\") {\n throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);\n }\n let decoded;\n try {\n decoded = base64UrlDecode(part);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e.message})`);\n }\n try {\n return JSON.parse(decoded);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e.message})`);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. 
All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * Native interface\n *\n * @public\n */\nexport interface ILogger {\n debug(...args: unknown[]): void;\n info(...args: unknown[]): void;\n warn(...args: unknown[]): void;\n error(...args: unknown[]): void;\n}\n\nconst nopLogger: ILogger = {\n debug: () => undefined,\n info: () => undefined,\n warn: () => undefined,\n error: () => undefined,\n};\n\nlet level: number;\nlet logger: ILogger;\n\n/**\n * Log levels\n *\n * @public\n */\nexport enum Log {\n NONE,\n ERROR,\n WARN,\n INFO,\n DEBUG\n}\n\n/**\n * Log manager\n *\n * @public\n */\nexport namespace Log { // eslint-disable-line @typescript-eslint/no-namespace\n export function reset(): void {\n level = Log.INFO;\n logger = nopLogger;\n }\n\n export function setLevel(value: Log): void {\n if (!(Log.NONE <= value && value <= Log.DEBUG)) {\n throw new Error(\"Invalid log level\");\n }\n level = value;\n }\n\n export function setLogger(value: ILogger): void {\n logger = value;\n }\n}\n\n/**\n * Internal logger instance\n *\n * @public\n */\nexport class Logger {\n private _method?: string;\n public constructor(private _name: string) {}\n\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\n public debug(...args: unknown[]): void {\n if (level >= Log.DEBUG) {\n logger.debug(Logger._format(this._name, this._method), ...args);\n }\n }\n public info(...args: unknown[]): void {\n if (level >= Log.INFO) {\n logger.info(Logger._format(this._name, this._method), ...args);\n }\n }\n public warn(...args: unknown[]): void {\n if (level >= Log.WARN) {\n logger.warn(Logger._format(this._name, this._method), ...args);\n }\n }\n public error(...args: unknown[]): void {\n if (level >= Log.ERROR) {\n logger.error(Logger._format(this._name, this._method), ...args);\n }\n }\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\n\n public throw(err: Error): never {\n 
this.error(err);\n throw err;\n }\n\n public create(method: string): Logger {\n const methodLogger: Logger = Object.create(this);\n methodLogger._method = method;\n methodLogger.debug(\"begin\");\n return methodLogger;\n }\n\n public static createStatic(name: string, staticMethod: string): Logger {\n const staticLogger = new Logger(`${name}.${staticMethod}`);\n staticLogger.debug(\"begin\");\n return staticLogger;\n }\n\n private static _format(name: string, method?: string) {\n const prefix = `[${name}]`;\n return method ? `${prefix} ${method}:` : prefix;\n }\n\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\n // helpers for static class methods\n public static debug(name: string, ...args: unknown[]): void {\n if (level >= Log.DEBUG) {\n logger.debug(Logger._format(name), ...args);\n }\n }\n public static info(name: string, ...args: unknown[]): void {\n if (level >= Log.INFO) {\n logger.info(Logger._format(name), ...args);\n }\n }\n public static warn(name: string, ...args: unknown[]): void {\n if (level >= Log.WARN) {\n logger.warn(Logger._format(name), ...args);\n }\n }\n public static error(name: string, ...args: unknown[]): void {\n if (level >= Log.ERROR) {\n logger.error(Logger._format(name), ...args);\n }\n }\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\n}\n\nLog.reset();\n","import { jwtDecode } from \"jwt-decode\";\n\nimport { Logger } from \"./Logger\";\nimport type { JwtClaims } from \"../Claims\";\nimport { CryptoUtils } from \"./CryptoUtils\";\n\n/**\n * @internal\n */\nexport class JwtUtils {\n // IMPORTANT: doesn't validate the token\n public static decode(token: string): JwtClaims {\n try {\n return jwtDecode<JwtClaims>(token);\n }\n catch (err) {\n Logger.error(\"JwtUtils.decode\", err);\n throw err;\n }\n }\n\n public static async generateSignedJwt(header: object, payload: object, privateKey: CryptoKey) : Promise<string> {\n const encodedHeader = CryptoUtils.encodeBase64Url(new 
TextEncoder().encode(JSON.stringify(header)));\n const encodedPayload = CryptoUtils.encodeBase64Url(new TextEncoder().encode(JSON.stringify(payload)));\n const encodedToken = `${encodedHeader}.${encodedPayload}`;\n\n const signature = await window.crypto.subtle.sign(\n {\n name: \"ECDSA\",\n hash: { name: \"SHA-256\" },\n },\n privateKey,\n new TextEncoder().encode(encodedToken),\n );\n\n const encodedSignature = CryptoUtils.encodeBase64Url(new Uint8Array(signature));\n return `${encodedToken}.${encodedSignature}`;\n }\n}\n","import { Logger } from \"./Logger\";\nimport { JwtUtils } from \"./JwtUtils\";\n\nexport interface GenerateDPoPProofOpts {\n url: string;\n accessToken?: string;\n httpMethod?: string;\n keyPair: CryptoKeyPair;\n nonce?: string;\n}\n\nconst UUID_V4_TEMPLATE = \"10000000-1000-4000-8000-100000000000\";\n\nconst toBase64 = (val: ArrayBuffer): string =>\n btoa([...new Uint8Array(val)]\n .map((chr) => String.fromCharCode(chr))\n .join(\"\"));\n\n/**\n * @internal\n */\nexport class CryptoUtils {\n private static _randomWord(): number {\n const arr = new Uint32Array(1);\n crypto.getRandomValues(arr);\n return arr[0];\n }\n\n /**\n * Generates RFC4122 version 4 guid\n */\n public static generateUUIDv4(): string {\n const uuid = UUID_V4_TEMPLATE.replace(/[018]/g, c =>\n (+c ^ CryptoUtils._randomWord() & 15 >> +c / 4).toString(16),\n );\n return uuid.replace(/-/g, \"\");\n }\n\n /**\n * PKCE: Generate a code verifier\n */\n public static generateCodeVerifier(): string {\n return CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4();\n }\n\n /**\n * PKCE: Generate a code challenge\n */\n public static async generateCodeChallenge(code_verifier: string): Promise<string> {\n if (!crypto.subtle) {\n throw new Error(\"Crypto.subtle is available only in secure contexts (HTTPS).\");\n }\n\n try {\n const encoder = new TextEncoder();\n const data = encoder.encode(code_verifier);\n const hashed = await 
crypto.subtle.digest(\"SHA-256\", data);\n return toBase64(hashed).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n }\n catch (err) {\n Logger.error(\"CryptoUtils.generateCodeChallenge\", err);\n throw err;\n }\n }\n\n /**\n * Generates a base64-encoded string for a basic auth header\n */\n public static generateBasicAuth(client_id: string, client_secret: string): string {\n const encoder = new TextEncoder();\n const data = encoder.encode([client_id, client_secret].join(\":\"));\n return toBase64(data);\n }\n\n /**\n * Generates a hash of a string using a given algorithm\n * @param alg\n * @param message\n */\n public static async hash(alg: string, message: string) : Promise<Uint8Array> {\n const msgUint8 = new TextEncoder().encode(message);\n const hashBuffer = await crypto.subtle.digest(alg, msgUint8);\n return new Uint8Array(hashBuffer);\n }\n\n /**\n * Generates a base64url encoded string\n */\n public static encodeBase64Url = (input: Uint8Array) => {\n return toBase64(input).replace(/=/g, \"\").replace(/\\+/g, \"-\").replace(/\\//g, \"_\");\n };\n\n /**\n * Generates a rfc7638 compliant jwk thumbprint\n * @param jwk\n */\n public static async customCalculateJwkThumbprint(jwk: JsonWebKey): Promise<string> {\n let jsonObject: object;\n switch (jwk.kty) {\n case \"RSA\":\n jsonObject = {\n \"e\": jwk.e,\n \"kty\": jwk.kty,\n \"n\": jwk.n,\n };\n break;\n case \"EC\":\n jsonObject = {\n \"crv\": jwk.crv,\n \"kty\": jwk.kty,\n \"x\": jwk.x,\n \"y\": jwk.y,\n };\n break;\n case \"OKP\":\n jsonObject = {\n \"crv\": jwk.crv,\n \"kty\": jwk.kty,\n \"x\": jwk.x,\n };\n break;\n case \"oct\":\n jsonObject = {\n \"crv\": jwk.k,\n \"kty\": jwk.kty,\n };\n break;\n default:\n throw new Error(\"Unknown jwk type\");\n }\n const utf8encodedAndHashed = await CryptoUtils.hash(\"SHA-256\", JSON.stringify(jsonObject));\n return CryptoUtils.encodeBase64Url(utf8encodedAndHashed);\n }\n\n public static async generateDPoPProof({\n url,\n accessToken,\n 
httpMethod,\n keyPair,\n nonce,\n }: GenerateDPoPProofOpts): Promise<string> {\n let hashedToken: Uint8Array;\n let encodedHash: string;\n\n const payload: Record<string, string | number> = {\n \"jti\": window.crypto.randomUUID(),\n \"htm\": httpMethod ?? \"GET\",\n \"htu\": url,\n \"iat\": Math.floor(Date.now() / 1000),\n };\n\n if (accessToken) {\n hashedToken = await CryptoUtils.hash(\"SHA-256\", accessToken);\n encodedHash = CryptoUtils.encodeBase64Url(hashedToken);\n payload.ath = encodedHash;\n }\n\n if (nonce) {\n payload.nonce = nonce;\n }\n\n try {\n const publicJwk = await crypto.subtle.exportKey(\"jwk\", keyPair.publicKey);\n const header = {\n \"alg\": \"ES256\",\n \"typ\": \"dpop+jwt\",\n \"jwk\": {\n \"crv\": publicJwk.crv,\n \"kty\": publicJwk.kty,\n \"x\": publicJwk.x,\n \"y\": publicJwk.y,\n },\n };\n return await JwtUtils.generateSignedJwt(header, payload, keyPair.privateKey);\n } catch (err) {\n if (err instanceof TypeError) {\n throw new Error(`Error exporting dpop public key: ${err.message}`);\n } else {\n throw err;\n }\n }\n }\n\n public static async generateDPoPJkt(keyPair: CryptoKeyPair) : Promise<string> {\n try {\n const publicJwk = await crypto.subtle.exportKey(\"jwk\", keyPair.publicKey);\n return await CryptoUtils.customCalculateJwkThumbprint(publicJwk);\n } catch (err) {\n if (err instanceof TypeError) {\n throw new Error(`Could not retrieve dpop keys from storage: ${err.message}`);\n } else {\n throw err;\n }\n }\n }\n\n public static async generateDPoPKeys() : Promise<CryptoKeyPair> {\n return await window.crypto.subtle.generateKey(\n {\n name: \"ECDSA\",\n namedCurve: \"P-256\",\n },\n false,\n [\"sign\", \"verify\"],\n );\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"./Logger\";\n\n/**\n * @internal\n */\nexport type Callback<EventType extends unknown[]> = (...ev: EventType) => (Promise<void> | void);\n\n/**\n * @internal\n */\nexport class Event<EventType extends unknown[]> {\n protected readonly _logger: Logger;\n\n private readonly _callbacks: Array<Callback<EventType>> = [];\n\n public constructor(protected readonly _name: string) {\n this._logger = new Logger(`Event('${this._name}')`);\n }\n\n public addHandler(cb: Callback<EventType>): () => void {\n this._callbacks.push(cb);\n return () => this.removeHandler(cb);\n }\n\n public removeHandler(cb: Callback<EventType>): void {\n const idx = this._callbacks.lastIndexOf(cb);\n if (idx >= 0) {\n this._callbacks.splice(idx, 1);\n }\n }\n\n public async raise(...ev: EventType): Promise<void> {\n this._logger.debug(\"raise:\", ...ev);\n for (const cb of this._callbacks) {\n await cb(...ev);\n }\n }\n}\n","/**\n *\n * @public\n * @see https://developer.mozilla.org/en-US/docs/Web/API/Window/open#window_features\n */\nexport interface PopupWindowFeatures {\n left?: number;\n top?: number;\n width?: number;\n height?: number;\n menubar?: boolean | string;\n toolbar?: boolean | string;\n location?: boolean | string;\n status?: boolean | string;\n resizable?: boolean | string;\n scrollbars?: boolean | string;\n /** Close popup window after time in seconds, by default it is -1. To enable this feature, set value greater than 0. */\n closePopupWindowAfterInSeconds?: number;\n\n [k: string]: boolean | string | number | undefined;\n}\n\nexport class PopupUtils {\n /**\n * Populates a map of window features with a placement centered in front of\n * the current window. 
If no explicit width is given, a default value is\n * binned into [800, 720, 600, 480, 360] based on the current window's width.\n */\n static center({ ...features }: PopupWindowFeatures): PopupWindowFeatures {\n if (features.width == null)\n features.width = [800, 720, 600, 480].find(width => width <= window.outerWidth / 1.618) ?? 360;\n features.left ??= Math.max(0, Math.round(window.screenX + (window.outerWidth - features.width) / 2));\n if (features.height != null)\n features.top ??= Math.max(0, Math.round(window.screenY + (window.outerHeight - features.height) / 2));\n return features;\n }\n\n static serialize(features: PopupWindowFeatures): string {\n return Object.entries(features)\n .filter(([, value]) => value != null)\n .map(([key, value]) => `${key}=${typeof value !== \"boolean\" ? value as string : value ? \"yes\" : \"no\"}`)\n .join(\",\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Event } from \"./Event\";\nimport { Logger } from \"./Logger\";\n\n/**\n * @internal\n */\nexport class Timer extends Event<[void]> {\n protected readonly _logger = new Logger(`Timer('${this._name}')`);\n private _timerHandle: ReturnType<typeof setInterval> | null = null;\n private _expiration = 0;\n\n // get the time\n public static getEpochTime(): number {\n return Math.floor(Date.now() / 1000);\n }\n\n public init(durationInSeconds: number): void {\n const logger = this._logger.create(\"init\");\n durationInSeconds = Math.max(Math.floor(durationInSeconds), 1);\n const expiration = Timer.getEpochTime() + durationInSeconds;\n if (this.expiration === expiration && this._timerHandle) {\n // no need to reinitialize to same expiration, so bail out\n logger.debug(\"skipping since already initialized for expiration at\", this.expiration);\n return;\n }\n\n this.cancel();\n\n logger.debug(\"using duration\", 
durationInSeconds);\n this._expiration = expiration;\n\n // we're using a fairly short timer and then checking the expiration in the\n // callback to handle scenarios where the browser device sleeps, and then\n // the timers end up getting delayed.\n const timerDurationInSeconds = Math.min(durationInSeconds, 5);\n this._timerHandle = setInterval(this._callback, timerDurationInSeconds * 1000);\n }\n\n public get expiration(): number {\n return this._expiration;\n }\n\n public cancel(): void {\n this._logger.create(\"cancel\");\n if (this._timerHandle) {\n clearInterval(this._timerHandle);\n this._timerHandle = null;\n }\n }\n\n protected _callback = (): void => {\n const diff = this._expiration - Timer.getEpochTime();\n this._logger.debug(\"timer completes in\", diff);\n\n if (this._expiration <= Timer.getEpochTime()) {\n this.cancel();\n void super.raise();\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * @internal\n */\nexport class UrlUtils {\n public static readParams(url: string, responseMode: \"query\" | \"fragment\" = \"query\"): URLSearchParams {\n if (!url) throw new TypeError(\"Invalid URL\");\n // the base URL is irrelevant, it's just here to support relative url arguments\n const parsedUrl = new URL(url, \"http://127.0.0.1\");\n const params = parsedUrl[responseMode === \"fragment\" ? \"hash\" : \"search\"];\n return new URLSearchParams(params.slice(1));\n }\n}\n\n/**\n * @internal\n */\nexport const URL_STATE_DELIMITER = \";\";","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\n\n/**\n * Error class thrown in case of an authentication error.\n *\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class ErrorResponse extends Error {\n /** Marker to detect class: \"ErrorResponse\" */\n public readonly name: string = \"ErrorResponse\";\n\n /** An error code string that can be used to classify the types of errors that occur and to respond to errors. */\n public readonly error: string | null;\n /** additional information that can help a developer identify the cause of the error.*/\n public readonly error_description: string | null;\n /**\n * URI identifying a human-readable web page with information about the error, used to provide the client\n developer with additional information about the error.\n */\n public readonly error_uri: string | null;\n\n /** custom state data set during the initial signin request */\n public state?: unknown;\n\n public readonly session_state: string | null;\n\n public url_state?: string;\n\n public constructor(\n args: {\n error?: string | null; error_description?: string | null; error_uri?: string | null;\n userState?: unknown; session_state?: string | null; url_state?: string;\n },\n /** The x-www-form-urlencoded request body sent to the authority server */\n public readonly form?: URLSearchParams,\n ) {\n super(args.error_description || args.error || \"\");\n\n if (!args.error) {\n Logger.error(\"ErrorResponse\", \"No error passed\");\n throw new Error(\"No error passed\");\n }\n\n this.error = args.error;\n this.error_description = args.error_description ?? null;\n this.error_uri = args.error_uri ?? null;\n\n this.state = args.userState;\n this.session_state = args.session_state ?? null;\n this.url_state = args.url_state;\n }\n}\n","// Copyright (C) 2021 AuthTS Contributors\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\n/**\n * Error class thrown in case of network timeouts (e.g IFrame time out).\n *\n * @public\n */\nexport class ErrorTimeout extends Error {\n /** Marker to detect class: \"ErrorTimeout\" */\n public readonly name: string = \"ErrorTimeout\";\n\n public constructor(message?: string) {\n super(message);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport type AccessTokenCallback = (...ev: unknown[]) => (Promise<void> | void);\n\n/**\n * @public\n */\nexport class AccessTokenEvents {\n protected readonly _logger = new Logger(\"AccessTokenEvents\");\n\n private readonly _expiringTimer = new Timer(\"Access token expiring\");\n private readonly _expiredTimer = new Timer(\"Access token expired\");\n private readonly _expiringNotificationTimeInSeconds: number;\n\n public constructor(args: { expiringNotificationTimeInSeconds: number }) {\n this._expiringNotificationTimeInSeconds = args.expiringNotificationTimeInSeconds;\n }\n\n public load(container: User): void {\n const logger = this._logger.create(\"load\");\n // only register events if there's an access token and it has an expiration\n if (container.access_token && container.expires_in !== undefined) {\n const duration = container.expires_in;\n logger.debug(\"access token present, remaining duration:\", duration);\n\n if (duration > 0) {\n // only register expiring if we still have time\n let expiring = duration - this._expiringNotificationTimeInSeconds;\n if (expiring <= 0) {\n expiring = 1;\n }\n\n logger.debug(\"registering expiring timer, raising in\", expiring, \"seconds\");\n this._expiringTimer.init(expiring);\n }\n else {\n logger.debug(\"canceling existing expiring timer because we're past 
expiration.\");\n this._expiringTimer.cancel();\n }\n\n // if it's negative, it will still fire\n const expired = duration + 1;\n logger.debug(\"registering expired timer, raising in\", expired, \"seconds\");\n this._expiredTimer.init(expired);\n }\n else {\n this._expiringTimer.cancel();\n this._expiredTimer.cancel();\n }\n }\n\n public unload(): void {\n this._logger.debug(\"unload: canceling existing access token timers\");\n this._expiringTimer.cancel();\n this._expiredTimer.cancel();\n }\n\n /**\n * Add callback: Raised prior to the access token expiring.\n */\n public addAccessTokenExpiring(cb: AccessTokenCallback): () => void {\n return this._expiringTimer.addHandler(cb);\n }\n /**\n * Remove callback: Raised prior to the access token expiring.\n */\n public removeAccessTokenExpiring(cb: AccessTokenCallback): void {\n this._expiringTimer.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised after the access token has expired.\n */\n public addAccessTokenExpired(cb: AccessTokenCallback): () => void {\n return this._expiredTimer.addHandler(cb);\n }\n /**\n * Remove callback: Raised after the access token has expired.\n */\n public removeAccessTokenExpired(cb: AccessTokenCallback): void {\n this._expiredTimer.removeHandler(cb);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\n\n/**\n * @internal\n */\nexport class CheckSessionIFrame {\n private readonly _logger = new Logger(\"CheckSessionIFrame\");\n private _frame_origin: string;\n private _frame: HTMLIFrameElement;\n private _timer: ReturnType<typeof setInterval> | null = null;\n private _session_state: string | null = null;\n\n public constructor(\n private _callback: () => Promise<void>,\n private _client_id: string,\n url: string,\n private _intervalInSeconds: number,\n private _stopOnError: boolean,\n ) {\n const parsedUrl = new URL(url);\n this._frame_origin = parsedUrl.origin;\n\n this._frame = window.document.createElement(\"iframe\");\n\n // shotgun approach\n this._frame.style.visibility = \"hidden\";\n this._frame.style.position = \"fixed\";\n this._frame.style.left = \"-1000px\";\n this._frame.style.top = \"0\";\n this._frame.width = \"0\";\n this._frame.height = \"0\";\n this._frame.src = parsedUrl.href;\n }\n\n public load(): Promise<void> {\n return new Promise<void>((resolve) => {\n this._frame.onload = () => {\n resolve();\n };\n\n window.document.body.appendChild(this._frame);\n window.addEventListener(\"message\", this._message, false);\n });\n }\n\n private _message = (e: MessageEvent<string>): void => {\n if (e.origin === this._frame_origin &&\n e.source === this._frame.contentWindow\n ) {\n if (e.data === \"error\") {\n this._logger.error(\"error message from check session op iframe\");\n if (this._stopOnError) {\n this.stop();\n }\n }\n else if (e.data === \"changed\") {\n this._logger.debug(\"changed message from check session op iframe\");\n this.stop();\n void this._callback();\n }\n else {\n this._logger.debug(e.data + \" message from check session op iframe\");\n }\n }\n };\n\n public start(session_state: string): void {\n if (this._session_state === session_state) {\n return;\n }\n\n this._logger.create(\"start\");\n\n this.stop();\n\n this._session_state = 
session_state;\n\n const send = () => {\n if (!this._frame.contentWindow || !this._session_state) {\n return;\n }\n\n this._frame.contentWindow.postMessage(this._client_id + \" \" + this._session_state, this._frame_origin);\n };\n\n // trigger now\n send();\n\n // and setup timer\n this._timer = setInterval(send, this._intervalInSeconds * 1000);\n }\n\n public stop(): void {\n this._logger.create(\"stop\");\n this._session_state = null;\n\n if (this._timer) {\n\n clearInterval(this._timer);\n this._timer = null;\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\n\n/**\n * @public\n */\nexport class InMemoryWebStorage implements Storage {\n private readonly _logger = new Logger(\"InMemoryWebStorage\");\n private _data: Record<string, string> = {};\n\n public clear(): void {\n this._logger.create(\"clear\");\n this._data = {};\n }\n\n public getItem(key: string): string {\n this._logger.create(`getItem('${key}')`);\n return this._data[key];\n }\n\n public setItem(key: string, value: string): void {\n this._logger.create(`setItem('${key}')`);\n this._data[key] = value;\n }\n\n public removeItem(key: string): void {\n this._logger.create(`removeItem('${key}')`);\n delete this._data[key];\n }\n\n public get length(): number {\n return Object.getOwnPropertyNames(this._data).length;\n }\n\n public key(index: number): string {\n return Object.getOwnPropertyNames(this._data)[index];\n }\n}\n","export class ErrorDPoPNonce extends Error {\n /** Marker to detect class: \"ErrorDPoPNonce\" */\n public readonly name: string = \"ErrorDPoPNonce\";\n public readonly nonce: string;\n\n public constructor(nonce: string, message?: string) {\n super(message);\n this.nonce = nonce;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { ErrorResponse, ErrorTimeout } from \"./errors\";\nimport type { ExtraHeader } from \"./OidcClientSettings\";\nimport { Logger } from \"./utils\";\nimport { ErrorDPoPNonce } from \"./errors/ErrorDPoPNonce\";\n\n/**\n * @internal\n */\nexport type JwtHandler = (text: string) => Promise<Record<string, unknown>>;\n\n/**\n * @internal\n */\nexport interface GetJsonOpts {\n token?: string;\n credentials?: RequestCredentials;\n timeoutInSeconds?: number;\n}\n\n/**\n * @internal\n */\nexport interface PostFormOpts {\n body: URLSearchParams;\n basicAuth?: string;\n timeoutInSeconds?: number;\n initCredentials?: \"same-origin\" | \"include\" | \"omit\";\n extraHeaders?: Record<string, ExtraHeader>;\n}\n\n/**\n * @internal\n */\nexport class JsonService {\n private readonly _logger = new Logger(\"JsonService\");\n\n private _contentTypes: string[] = [];\n\n public constructor(\n additionalContentTypes: string[] = [],\n private _jwtHandler: JwtHandler | null = null,\n private _extraHeaders: Record<string, ExtraHeader> = {},\n ) {\n this._contentTypes.push(...additionalContentTypes, \"application/json\");\n if (_jwtHandler) {\n this._contentTypes.push(\"application/jwt\");\n }\n }\n\n protected async fetchWithTimeout(input: RequestInfo, init: RequestInit & { timeoutInSeconds?: number } = {}) {\n const { timeoutInSeconds, ...initFetch } = init;\n if (!timeoutInSeconds) {\n return await fetch(input, initFetch);\n }\n\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeoutInSeconds * 1000);\n\n try {\n const response = await fetch(input, {\n ...init,\n signal: controller.signal,\n });\n return response;\n }\n catch (err) {\n if (err instanceof DOMException && err.name === \"AbortError\") {\n throw new ErrorTimeout(\"Network timed out\");\n }\n throw err;\n }\n finally {\n clearTimeout(timeoutId);\n }\n }\n\n public async getJson(url: string, {\n token,\n 
credentials,\n timeoutInSeconds,\n }: GetJsonOpts = {}): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"getJson\");\n const headers: HeadersInit = {\n \"Accept\": this._contentTypes.join(\", \"),\n };\n if (token) {\n logger.debug(\"token passed, setting Authorization header\");\n headers[\"Authorization\"] = \"Bearer \" + token;\n }\n\n this.appendExtraHeaders(headers);\n\n let response: Response;\n try {\n logger.debug(\"url:\", url);\n response = await this.fetchWithTimeout(url, { method: \"GET\", headers, timeoutInSeconds, credentials });\n }\n catch (err) {\n logger.error(\"Network Error\");\n throw err;\n }\n\n logger.debug(\"HTTP response received, status\", response.status);\n const contentType = response.headers.get(\"Content-Type\");\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\n logger.throw(new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`));\n }\n if (response.ok && this._jwtHandler && contentType?.startsWith(\"application/jwt\")) {\n return await this._jwtHandler(await response.text());\n }\n let json: Record<string, unknown>;\n try {\n json = await response.json();\n }\n catch (err) {\n logger.error(\"Error parsing JSON response\", err);\n if (response.ok) throw err;\n throw new Error(`${response.statusText} (${response.status})`);\n }\n if (!response.ok) {\n logger.error(\"Error from server:\", json);\n if (json.error) {\n throw new ErrorResponse(json);\n }\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\n }\n return json;\n }\n\n public async postForm(url: string, {\n body,\n basicAuth,\n timeoutInSeconds,\n initCredentials,\n extraHeaders,\n }: PostFormOpts): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"postForm\");\n const headers: HeadersInit = {\n \"Accept\": this._contentTypes.join(\", \"),\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n 
...extraHeaders,\n };\n if (basicAuth !== undefined) {\n headers[\"Authorization\"] = \"Basic \" + basicAuth;\n }\n\n this.appendExtraHeaders(headers);\n\n let response: Response;\n try {\n logger.debug(\"url:\", url);\n response = await this.fetchWithTimeout(url, { method: \"POST\", headers, body, timeoutInSeconds, credentials: initCredentials });\n }\n catch (err) {\n logger.error(\"Network error\");\n throw err;\n }\n\n logger.debug(\"HTTP response received, status\", response.status);\n const contentType = response.headers.get(\"Content-Type\");\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\n throw new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`);\n }\n\n const responseText = await response.text();\n\n let json: Record<string, unknown> = {};\n if (responseText) {\n try {\n json = JSON.parse(responseText);\n }\n catch (err) {\n logger.error(\"Error parsing JSON response\", err);\n if (response.ok) throw err;\n throw new Error(`${response.statusText} (${response.status})`);\n }\n }\n\n if (!response.ok) {\n logger.error(\"Error from server:\", json);\n if (response.headers.has(\"dpop-nonce\")) {\n const nonce = response.headers.get(\"dpop-nonce\") as string;\n throw new ErrorDPoPNonce(nonce, `${JSON.stringify(json)}`);\n }\n if (json.error) {\n throw new ErrorResponse(json, body);\n }\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\n }\n\n return json;\n }\n\n private appendExtraHeaders(\n headers: Record<string, string>,\n ): void {\n const logger = this._logger.create(\"appendExtraHeaders\");\n const customKeys = Object.keys(this._extraHeaders);\n const protectedHeaders = [\n \"authorization\",\n \"accept\",\n \"content-type\",\n ];\n if (customKeys.length === 0) {\n return;\n }\n customKeys.forEach((headerName) => {\n if (protectedHeaders.includes(headerName.toLocaleLowerCase())) {\n logger.warn(\"Protected header could not be 
overridden\", headerName, protectedHeaders);\n return;\n }\n const content = (typeof this._extraHeaders[headerName] === \"function\") ?\n (this._extraHeaders[headerName] as ()=>string)() :\n this._extraHeaders[headerName];\n if (content && content !== \"\") {\n headers[headerName] = content as string;\n }\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { OidcClientSettingsStore, SigningKey } from \"./OidcClientSettings\";\nimport type { OidcMetadata } from \"./OidcMetadata\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata\n */\nexport class MetadataService {\n private readonly _logger = new Logger(\"MetadataService\");\n private readonly _jsonService;\n\n // cache\n private _metadataUrl: string;\n private _signingKeys: SigningKey[] | null = null;\n private _metadata: Partial<OidcMetadata> | null = null;\n private _fetchRequestCredentials: RequestCredentials | undefined;\n\n public constructor(private readonly _settings: OidcClientSettingsStore) {\n this._metadataUrl = this._settings.metadataUrl;\n this._jsonService = new JsonService(\n [\"application/jwk-set+json\"],\n null,\n this._settings.extraHeaders,\n );\n if (this._settings.signingKeys) {\n this._logger.debug(\"using signingKeys from settings\");\n this._signingKeys = this._settings.signingKeys;\n }\n\n if (this._settings.metadata) {\n this._logger.debug(\"using metadata from settings\");\n this._metadata = this._settings.metadata;\n }\n\n if (this._settings.fetchRequestCredentials) {\n this._logger.debug(\"using fetchRequestCredentials from settings\");\n this._fetchRequestCredentials = this._settings.fetchRequestCredentials;\n }\n }\n\n public resetSigningKeys(): void {\n this._signingKeys = null;\n }\n\n 
public async getMetadata(): Promise<Partial<OidcMetadata>> {\n const logger = this._logger.create(\"getMetadata\");\n if (this._metadata) {\n logger.debug(\"using cached values\");\n return this._metadata;\n }\n\n if (!this._metadataUrl) {\n logger.throw(new Error(\"No authority or metadataUrl configured on settings\"));\n throw null;\n }\n\n logger.debug(\"getting metadata from\", this._metadataUrl);\n const metadata = await this._jsonService.getJson(this._metadataUrl, { credentials: this._fetchRequestCredentials, timeoutInSeconds: this._settings.requestTimeoutInSeconds });\n\n logger.debug(\"merging remote JSON with seed metadata\");\n this._metadata = Object.assign({}, this._settings.metadataSeed, metadata);\n return this._metadata;\n }\n\n public getIssuer(): Promise<string> {\n return this._getMetadataProperty(\"issuer\") as Promise<string>;\n }\n\n public getAuthorizationEndpoint(): Promise<string> {\n return this._getMetadataProperty(\"authorization_endpoint\") as Promise<string>;\n }\n\n public getUserInfoEndpoint(): Promise<string> {\n return this._getMetadataProperty(\"userinfo_endpoint\") as Promise<string>;\n }\n\n public getTokenEndpoint(optional: false): Promise<string>;\n public getTokenEndpoint(optional?: true): Promise<string | undefined>;\n public getTokenEndpoint(optional = true): Promise<string | undefined> {\n return this._getMetadataProperty(\"token_endpoint\", optional) as Promise<string | undefined>;\n }\n\n public getCheckSessionIframe(): Promise<string | undefined> {\n return this._getMetadataProperty(\"check_session_iframe\", true) as Promise<string | undefined>;\n }\n\n public getEndSessionEndpoint(): Promise<string | undefined> {\n return this._getMetadataProperty(\"end_session_endpoint\", true) as Promise<string | undefined>;\n }\n\n public getRevocationEndpoint(optional: false): Promise<string>;\n public getRevocationEndpoint(optional?: true): Promise<string | undefined>;\n public getRevocationEndpoint(optional = true): Promise<string 
| undefined> {\n return this._getMetadataProperty(\"revocation_endpoint\", optional) as Promise<string | undefined>;\n }\n\n public getKeysEndpoint(optional: false): Promise<string>;\n public getKeysEndpoint(optional?: true): Promise<string | undefined>;\n public getKeysEndpoint(optional = true): Promise<string | undefined> {\n return this._getMetadataProperty(\"jwks_uri\", optional) as Promise<string | undefined>;\n }\n\n protected async _getMetadataProperty(name: keyof OidcMetadata, optional=false): Promise<string | boolean | string[] | undefined> {\n const logger = this._logger.create(`_getMetadataProperty('${name}')`);\n\n const metadata = await this.getMetadata();\n logger.debug(\"resolved\");\n\n if (metadata[name] === undefined) {\n if (optional === true) {\n logger.warn(\"Metadata does not contain optional property\");\n return undefined;\n }\n\n logger.throw(new Error(\"Metadata does not contain property \" + name));\n }\n\n return metadata[name];\n }\n\n public async getSigningKeys(): Promise<SigningKey[] | null> {\n const logger = this._logger.create(\"getSigningKeys\");\n if (this._signingKeys) {\n logger.debug(\"returning signingKeys from cache\");\n return this._signingKeys;\n }\n\n const jwks_uri = await this.getKeysEndpoint(false);\n logger.debug(\"got jwks_uri\", jwks_uri);\n\n const keySet = await this._jsonService.getJson(jwks_uri, { timeoutInSeconds: this._settings.requestTimeoutInSeconds });\n logger.debug(\"got key set\", keySet);\n\n if (!Array.isArray(keySet.keys)) {\n logger.throw(new Error(\"Missing keys on keyset\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n this._signingKeys = keySet.keys;\n return this._signingKeys;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport type { StateStore } from \"./StateStore\";\nimport type { AsyncStorage } from \"./AsyncStorage\";\n\n/**\n * @public\n */\nexport class WebStorageStateStore implements StateStore {\n private readonly _logger = new Logger(\"WebStorageStateStore\");\n\n private readonly _store: AsyncStorage | Storage;\n private readonly _prefix: string;\n\n public constructor({\n prefix = \"oidc.\",\n store = localStorage,\n }: { prefix?: string; store?: AsyncStorage | Storage } = {}) {\n this._store = store;\n this._prefix = prefix;\n }\n\n public async set(key: string, value: string): Promise<void> {\n this._logger.create(`set('${key}')`);\n\n key = this._prefix + key;\n await this._store.setItem(key, value);\n }\n\n public async get(key: string): Promise<string | null> {\n this._logger.create(`get('${key}')`);\n\n key = this._prefix + key;\n const item = await this._store.getItem(key);\n return item;\n }\n\n public async remove(key: string): Promise<string | null> {\n this._logger.create(`remove('${key}')`);\n\n key = this._prefix + key;\n const item = await this._store.getItem(key);\n await this._store.removeItem(key);\n return item;\n }\n\n public async getAllKeys(): Promise<string[]> {\n this._logger.create(\"getAllKeys\");\n const len = await this._store.length;\n\n const keys = [];\n for (let index = 0; index < len; index++) {\n const key = await this._store.key(index);\n if (key && key.indexOf(this._prefix) === 0) {\n keys.push(key.substr(this._prefix.length));\n }\n }\n return keys;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\nimport type { OidcMetadata } from \"./OidcMetadata\";\nimport type { StateStore } from \"./StateStore\";\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\nimport type { DPoPStore } from \"./DPoPStore\";\n\nconst DefaultResponseType = \"code\";\nconst DefaultScope = \"openid\";\nconst DefaultClientAuthentication = \"client_secret_post\";\nconst DefaultStaleStateAgeInSeconds = 60 * 15;\n\n/**\n * @public\n */\nexport type SigningKey = Record<string, string | string[]>;\n\n/**\n * @public\n */\nexport type ExtraHeader = string | (() => string);\n\n/**\n * Optional DPoP settings\n * @public\n */\nexport interface DPoPSettings {\n bind_authorization_code?: boolean;\n store: DPoPStore;\n}\n\n/**\n * The settings used to configure the {@link OidcClient}.\n *\n * @public\n */\nexport interface OidcClientSettings {\n /** The URL of the OIDC/OAuth2 provider */\n authority: string;\n metadataUrl?: string;\n /** Provide metadata when authority server does not allow CORS on the metadata endpoint */\n metadata?: Partial<OidcMetadata>;\n /** Can be used to seed or add additional values to the results of the discovery request */\n metadataSeed?: Partial<OidcMetadata>;\n /** Provide signingKeys when authority server does not allow CORS on the jwks uri */\n signingKeys?: SigningKey[];\n\n /** Your client application's identifier as registered with the OIDC/OAuth2 */\n client_id: string;\n client_secret?: string;\n /** The type of response desired from the OIDC/OAuth2 provider (default: \"code\") */\n response_type?: string;\n /** The scope being requested from the OIDC/OAuth2 provider (default: \"openid\") */\n scope?: string;\n /** The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider */\n redirect_uri: string;\n /** The OIDC/OAuth2 post-logout redirect URI */\n post_logout_redirect_uri?: string;\n\n 
/**\n * Client authentication method that is used to authenticate when using the token endpoint (default: \"client_secret_post\")\n * - \"client_secret_basic\": using the HTTP Basic authentication scheme\n * - \"client_secret_post\": including the client credentials in the request body\n *\n * See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication\n */\n client_authentication?: \"client_secret_basic\" | \"client_secret_post\";\n\n /** optional protocol param */\n prompt?: string;\n /** optional protocol param */\n display?: string;\n /** optional protocol param */\n max_age?: number;\n /** optional protocol param */\n ui_locales?: string;\n /** optional protocol param */\n acr_values?: string;\n /** optional protocol param */\n resource?: string | string[];\n\n /**\n * Optional protocol param\n * The response mode used by the authority server is defined by the response_type unless explicitly specified:\n * - Response mode for the OAuth 2.0 response type \"code\" is the \"query\" encoding\n * - Response mode for the OAuth 2.0 response type \"token\" is the \"fragment\" encoding\n *\n * @see https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes\n */\n response_mode?: \"query\" | \"fragment\";\n\n /**\n * Should optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true)\n * When true, the following claims are removed by default: [\"nbf\", \"jti\", \"auth_time\", \"nonce\", \"acr\", \"amr\", \"azp\", \"at_hash\"]\n * When specifying claims, the following claims are not allowed: [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"]\n */\n filterProtocolClaims?: boolean | string[];\n /** Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false) */\n loadUserInfo?: boolean;\n /** Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus 
can be cleaned up (default: 900) */\n staleStateAgeInSeconds?: number;\n\n /**\n * Indicates how objects returned from the user info endpoint as claims (e.g. `address`) are merged into the claims from the\n * id token as a single object. (default: `{ array: \"replace\" }`)\n * - array: \"replace\": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects\n * - array: \"merge\": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects\n */\n mergeClaimsStrategy?: { array: \"replace\" | \"merge\" };\n\n /**\n * Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window).\n * E.g. `stateStore: new WebStorageStateStore({ store: window.localStorage })`\n */\n stateStore?: StateStore;\n\n /**\n * An object containing additional query string parameters to be including in the authorization request.\n * E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: `{resource:\"some_identifier\"}`\n */\n extraQueryParams?: Record<string, string | number | boolean>;\n\n extraTokenParams?: Record<string, unknown>;\n\n /**\n * An object containing additional header to be including in request.\n */\n extraHeaders?: Record<string, ExtraHeader>;\n\n /**\n * DPoP enabled or disabled\n */\n dpop?: DPoPSettings | undefined;\n\n /**\n * Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])\n */\n revokeTokenAdditionalContentTypes?: string[];\n /**\n * Will disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)\n */\n disablePKCE?: boolean;\n /**\n * Sets the credentials for fetch requests. 
(default: \"same-origin\")\n * Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies\n */\n fetchRequestCredentials?: RequestCredentials;\n\n /**\n * Only scopes in this list will be passed in the token refresh request.\n */\n refreshTokenAllowedScope?: string | undefined;\n\n /**\n * Defines request timeouts globally across all requests made to the authorisation server\n */\n requestTimeoutInSeconds?: number | undefined;\n\n /**\n * https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 describes behavior when omitting scopes from sign in requests\n * If the IDP supports default scopes, this setting will ignore the scopes property passed to the config. (Default: false)\n */\n omitScopeWhenRequesting?: boolean;\n}\n\n/**\n * The settings with defaults applied of the {@link OidcClient}.\n *\n * @public\n * @see {@link OidcClientSettings}\n */\nexport class OidcClientSettingsStore {\n // metadata\n public readonly authority: string;\n public readonly metadataUrl: string;\n public readonly metadata: Partial<OidcMetadata> | undefined;\n public readonly metadataSeed: Partial<OidcMetadata> | undefined;\n public readonly signingKeys: SigningKey[] | undefined;\n\n // client config\n public readonly client_id: string;\n public readonly client_secret: string | undefined;\n public readonly response_type: string;\n public readonly scope: string;\n public readonly redirect_uri: string;\n public readonly post_logout_redirect_uri: string | undefined;\n public readonly client_authentication: \"client_secret_basic\" | \"client_secret_post\";\n\n // optional protocol params\n public readonly prompt: string | undefined;\n public readonly display: string | undefined;\n public readonly max_age: number | undefined;\n public readonly ui_locales: string | undefined;\n public readonly acr_values: string | undefined;\n public readonly resource: string | string[] | undefined;\n public readonly response_mode: \"query\" | 
\"fragment\" | undefined;\n\n // behavior flags\n public readonly filterProtocolClaims: boolean | string[];\n public readonly loadUserInfo: boolean;\n public readonly staleStateAgeInSeconds: number;\n public readonly mergeClaimsStrategy: { array: \"replace\" | \"merge\" };\n public readonly omitScopeWhenRequesting: boolean;\n\n public readonly stateStore: StateStore;\n\n // extra\n public readonly extraQueryParams: Record<string, string | number | boolean>;\n public readonly extraTokenParams: Record<string, unknown>;\n public readonly dpop: DPoPSettings | undefined;\n public readonly extraHeaders: Record<string, ExtraHeader>;\n\n public readonly revokeTokenAdditionalContentTypes?: string[];\n public readonly fetchRequestCredentials: RequestCredentials;\n public readonly refreshTokenAllowedScope: string | undefined;\n public readonly disablePKCE: boolean;\n public readonly requestTimeoutInSeconds: number | undefined;\n\n public constructor({\n // metadata related\n authority, metadataUrl, metadata, signingKeys, metadataSeed,\n // client related\n client_id, client_secret, response_type = DefaultResponseType, scope = DefaultScope,\n redirect_uri, post_logout_redirect_uri,\n client_authentication = DefaultClientAuthentication,\n // optional protocol\n prompt, display, max_age, ui_locales, acr_values, resource, response_mode,\n // behavior flags\n filterProtocolClaims = true,\n loadUserInfo = false,\n requestTimeoutInSeconds,\n staleStateAgeInSeconds = DefaultStaleStateAgeInSeconds,\n mergeClaimsStrategy = { array: \"replace\" },\n disablePKCE = false,\n // other behavior\n stateStore,\n revokeTokenAdditionalContentTypes,\n fetchRequestCredentials,\n refreshTokenAllowedScope,\n // extra\n extraQueryParams = {},\n extraTokenParams = {},\n extraHeaders = {},\n dpop,\n omitScopeWhenRequesting = false,\n }: OidcClientSettings) {\n\n this.authority = authority;\n\n if (metadataUrl) {\n this.metadataUrl = metadataUrl;\n } else {\n this.metadataUrl = authority;\n if 
(authority) {\n if (!this.metadataUrl.endsWith(\"/\")) {\n this.metadataUrl += \"/\";\n }\n this.metadataUrl += \".well-known/openid-configuration\";\n }\n }\n\n this.metadata = metadata;\n this.metadataSeed = metadataSeed;\n this.signingKeys = signingKeys;\n\n this.client_id = client_id;\n this.client_secret = client_secret;\n this.response_type = response_type;\n this.scope = scope;\n this.redirect_uri = redirect_uri;\n this.post_logout_redirect_uri = post_logout_redirect_uri;\n this.client_authentication = client_authentication;\n\n this.prompt = prompt;\n this.display = display;\n this.max_age = max_age;\n this.ui_locales = ui_locales;\n this.acr_values = acr_values;\n this.resource = resource;\n this.response_mode = response_mode;\n\n this.filterProtocolClaims = filterProtocolClaims ?? true;\n this.loadUserInfo = !!loadUserInfo;\n this.staleStateAgeInSeconds = staleStateAgeInSeconds;\n this.mergeClaimsStrategy = mergeClaimsStrategy;\n this.omitScopeWhenRequesting = omitScopeWhenRequesting;\n this.disablePKCE = !!disablePKCE;\n this.revokeTokenAdditionalContentTypes = revokeTokenAdditionalContentTypes;\n\n this.fetchRequestCredentials = fetchRequestCredentials ? fetchRequestCredentials : \"same-origin\";\n this.requestTimeoutInSeconds = requestTimeoutInSeconds;\n\n if (stateStore) {\n this.stateStore = stateStore;\n }\n else {\n const store = typeof window !== \"undefined\" ? window.localStorage : new InMemoryWebStorage();\n this.stateStore = new WebStorageStateStore({ store });\n }\n\n this.refreshTokenAllowedScope = refreshTokenAllowedScope;\n\n this.extraQueryParams = extraQueryParams;\n this.extraTokenParams = extraTokenParams;\n this.extraHeaders = extraHeaders;\n\n this.dpop = dpop;\n if (this.dpop && !this.dpop?.store) {\n throw new Error(\"A DPoPStore is required when dpop is enabled\");\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, JwtUtils } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { MetadataService } from \"./MetadataService\";\nimport type { JwtClaims } from \"./Claims\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\n\n/**\n * @internal\n */\nexport class UserInfoService {\n protected readonly _logger = new Logger(\"UserInfoService\");\n private readonly _jsonService: JsonService;\n\n public constructor(private readonly _settings: OidcClientSettingsStore,\n private readonly _metadataService: MetadataService,\n ) {\n this._jsonService = new JsonService(\n undefined,\n this._getClaimsFromJwt,\n this._settings.extraHeaders,\n );\n }\n\n public async getClaims(token: string): Promise<JwtClaims> {\n const logger = this._logger.create(\"getClaims\");\n if (!token) {\n this._logger.throw(new Error(\"No token passed\"));\n }\n\n const url = await this._metadataService.getUserInfoEndpoint();\n logger.debug(\"got userinfo url\", url);\n\n const claims = await this._jsonService.getJson(url, {\n token,\n credentials: this._settings.fetchRequestCredentials,\n timeoutInSeconds: this._settings.requestTimeoutInSeconds,\n });\n logger.debug(\"got claims\", claims);\n\n return claims;\n }\n\n protected _getClaimsFromJwt = async (responseText: string): Promise<JwtClaims> => {\n const logger = this._logger.create(\"_getClaimsFromJwt\");\n try {\n const payload = JwtUtils.decode(responseText);\n logger.debug(\"JWT decoding successful\");\n\n return payload;\n } catch (err) {\n logger.error(\"Error parsing JWT response\");\n throw err;\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { CryptoUtils, Logger } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { MetadataService } from \"./MetadataService\";\nimport type { ExtraHeader, OidcClientSettingsStore } from \"./OidcClientSettings\";\n\n/**\n * @internal\n */\nexport interface ExchangeCodeArgs {\n client_id?: string;\n client_secret?: string;\n redirect_uri?: string;\n\n grant_type?: string;\n code: string;\n code_verifier?: string;\n\n extraHeaders?: Record<string, ExtraHeader>;\n}\n\n/**\n * @internal\n */\nexport interface ExchangeCredentialsArgs {\n client_id?: string;\n client_secret?: string;\n\n grant_type?: string;\n scope?: string;\n\n username: string;\n password: string;\n}\n\n/**\n * @internal\n */\nexport interface ExchangeRefreshTokenArgs {\n client_id?: string;\n client_secret?: string;\n redirect_uri?: string;\n\n grant_type?: string;\n refresh_token: string;\n scope?: string;\n resource?: string | string[];\n\n timeoutInSeconds?: number;\n\n extraHeaders?: Record<string, ExtraHeader>;\n}\n\n/**\n * @internal\n */\nexport interface RevokeArgs {\n token: string;\n token_type_hint?: \"access_token\" | \"refresh_token\";\n}\n\n/**\n * @internal\n */\nexport class TokenClient {\n private readonly _logger = new Logger(\"TokenClient\");\n private readonly _jsonService;\n\n public constructor(\n private readonly _settings: OidcClientSettingsStore,\n private readonly _metadataService: MetadataService,\n ) {\n this._jsonService = new JsonService(\n this._settings.revokeTokenAdditionalContentTypes,\n null,\n this._settings.extraHeaders,\n );\n }\n\n /**\n * Exchange code.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3\n */\n public async exchangeCode({\n grant_type = \"authorization_code\",\n redirect_uri = this._settings.redirect_uri,\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n extraHeaders,\n ...args\n }: ExchangeCodeArgs): 
Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeCode\");\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n if (!redirect_uri) {\n logger.throw(new Error(\"A redirect_uri is required\"));\n }\n if (!args.code) {\n logger.throw(new Error(\"A code is required\"));\n }\n\n const params = new URLSearchParams({ grant_type, redirect_uri });\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n let basicAuth: string | undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, {\n body: params,\n basicAuth,\n timeoutInSeconds: this._settings.requestTimeoutInSeconds,\n initCredentials: this._settings.fetchRequestCredentials,\n extraHeaders,\n });\n\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Exchange credentials.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2\n */\n public async exchangeCredentials({\n grant_type = \"password\",\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n scope = this._settings.scope,\n ...args\n }: ExchangeCredentialsArgs): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeCredentials\");\n\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n\n const params = new URLSearchParams({ grant_type 
});\n if (!this._settings.omitScopeWhenRequesting) {\n params.set(\"scope\", scope);\n }\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n\n let basicAuth: string | undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds: this._settings.requestTimeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Exchange a refresh token.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-6\n */\n public async exchangeRefreshToken({\n grant_type = \"refresh_token\",\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n timeoutInSeconds,\n extraHeaders,\n ...args\n }: ExchangeRefreshTokenArgs): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeRefreshToken\");\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n if (!args.refresh_token) {\n logger.throw(new Error(\"A refresh_token is required\"));\n }\n\n const params = new URLSearchParams({ grant_type });\n for (const [key, value] of Object.entries(args)) {\n if (Array.isArray(value)) {\n value.forEach(param => params.append(key, param));\n }\n else if (value != null) {\n params.set(key, value);\n }\n }\n let basicAuth: string | 
undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials, extraHeaders });\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Revoke an access or refresh token.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.1\n */\n public async revoke(args: RevokeArgs): Promise<void> {\n const logger = this._logger.create(\"revoke\");\n if (!args.token) {\n logger.throw(new Error(\"A token is required\"));\n }\n\n const url = await this._metadataService.getRevocationEndpoint(false);\n\n logger.debug(`got revocation endpoint, revoking ${args.token_type_hint ?? \"default token type\"}`);\n\n const params = new URLSearchParams();\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n params.set(\"client_id\", this._settings.client_id);\n if (this._settings.client_secret) {\n params.set(\"client_secret\", this._settings.client_secret);\n }\n\n await this._jsonService.postForm(url, { body: params, timeoutInSeconds: this._settings.requestTimeoutInSeconds });\n logger.debug(\"got response\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, JwtUtils } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport type { MetadataService } from \"./MetadataService\";\nimport { UserInfoService } from \"./UserInfoService\";\nimport { TokenClient } from \"./TokenClient\";\nimport type { ExtraHeader, OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { SigninState } from \"./SigninState\";\nimport type { SigninResponse } from \"./SigninResponse\";\nimport type { State } from \"./State\";\nimport type { SignoutResponse } from \"./SignoutResponse\";\nimport type { UserProfile } from \"./User\";\nimport type { RefreshState } from \"./RefreshState\";\nimport type { IdTokenClaims } from \"./Claims\";\nimport type { ClaimsService } from \"./ClaimsService\";\n\n/**\n * @internal\n */\nexport class ResponseValidator {\n protected readonly _logger = new Logger(\"ResponseValidator\");\n protected readonly _userInfoService: UserInfoService;\n protected readonly _tokenClient: TokenClient;\n\n public constructor(\n protected readonly _settings: OidcClientSettingsStore,\n protected readonly _metadataService: MetadataService,\n protected readonly _claimsService: ClaimsService,\n ) {\n this._userInfoService = new UserInfoService(this._settings, this._metadataService);\n this._tokenClient = new TokenClient(this._settings, this._metadataService);\n }\n\n public async validateSigninResponse(response: SigninResponse, state: SigninState, extraHeaders?: Record<string, ExtraHeader>): Promise<void> {\n const logger = this._logger.create(\"validateSigninResponse\");\n\n this._processSigninState(response, state);\n logger.debug(\"state processed\");\n\n await this._processCode(response, state, extraHeaders);\n logger.debug(\"code processed\");\n\n if (response.isOpenId) {\n this._validateIdTokenAttributes(response);\n }\n logger.debug(\"tokens validated\");\n\n await this._processClaims(response, state?.skipUserInfo, 
response.isOpenId);\n logger.debug(\"claims processed\");\n }\n\n public async validateCredentialsResponse(response: SigninResponse, skipUserInfo: boolean): Promise<void> {\n const logger = this._logger.create(\"validateCredentialsResponse\");\n\n if (response.isOpenId && !!response.id_token) {\n this._validateIdTokenAttributes(response);\n }\n logger.debug(\"tokens validated\");\n\n await this._processClaims(response, skipUserInfo, response.isOpenId);\n logger.debug(\"claims processed\");\n }\n\n public async validateRefreshResponse(response: SigninResponse, state: RefreshState): Promise<void> {\n const logger = this._logger.create(\"validateRefreshResponse\");\n\n response.userState = state.data;\n // if there's no session_state on the response, copy over session_state from original request\n response.session_state ??= state.session_state;\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\n response.scope ??= state.scope;\n\n // OpenID Connect Core 1.0 says that id_token is optional in refresh response:\n // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse\n if (response.isOpenId && !!response.id_token) {\n this._validateIdTokenAttributes(response, state.id_token);\n logger.debug(\"ID Token validated\");\n }\n\n if (!response.id_token) {\n // if there's no id_token on the response, copy over id_token from original request\n response.id_token = state.id_token;\n // and decoded part too\n response.profile = state.profile;\n }\n\n const hasIdToken = response.isOpenId && !!response.id_token;\n await this._processClaims(response, false, hasIdToken);\n logger.debug(\"claims processed\");\n }\n\n public validateSignoutResponse(response: SignoutResponse, state: State): void {\n const logger = this._logger.create(\"validateSignoutResponse\");\n if (state.id !== response.state) {\n logger.throw(new Error(\"State does not match\"));\n }\n\n // now that we know the state 
matches, take the stored data\n // and set it into the response so callers can get their state\n // this is important for both success & error outcomes\n logger.debug(\"state validated\");\n response.userState = state.data;\n\n if (response.error) {\n logger.warn(\"Response was error\", response.error);\n throw new ErrorResponse(response);\n }\n }\n\n protected _processSigninState(response: SigninResponse, state: SigninState): void {\n const logger = this._logger.create(\"_processSigninState\");\n if (state.id !== response.state) {\n logger.throw(new Error(\"State does not match\"));\n }\n\n if (!state.client_id) {\n logger.throw(new Error(\"No client_id on state\"));\n }\n\n if (!state.authority) {\n logger.throw(new Error(\"No authority on state\"));\n }\n\n // ensure we're using the correct authority\n if (this._settings.authority !== state.authority) {\n logger.throw(new Error(\"authority mismatch on settings vs. signin state\"));\n }\n if (this._settings.client_id && this._settings.client_id !== state.client_id) {\n logger.throw(new Error(\"client_id mismatch on settings vs. 
signin state\"));\n }\n\n // now that we know the state matches, take the stored data\n // and set it into the response so callers can get their state\n // this is important for both success & error outcomes\n logger.debug(\"state validated\");\n response.userState = state.data;\n response.url_state = state.url_state;\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\n response.scope ??= state.scope;\n\n if (response.error) {\n logger.warn(\"Response was error\", response.error);\n throw new ErrorResponse(response);\n }\n\n if (state.code_verifier && !response.code) {\n logger.throw(new Error(\"Expected code in response\"));\n }\n\n }\n\n protected async _processClaims(response: SigninResponse, skipUserInfo = false, validateSub = true): Promise<void> {\n const logger = this._logger.create(\"_processClaims\");\n response.profile = this._claimsService.filterProtocolClaims(response.profile);\n\n if (skipUserInfo || !this._settings.loadUserInfo || !response.access_token) {\n logger.debug(\"not loading user info\");\n return;\n }\n\n logger.debug(\"loading user info\");\n const claims = await this._userInfoService.getClaims(response.access_token);\n logger.debug(\"user info claims received from user info endpoint\");\n\n if (validateSub && claims.sub !== response.profile.sub) {\n logger.throw(new Error(\"subject from UserInfo response does not match subject in ID Token\"));\n }\n\n response.profile = this._claimsService.mergeClaims(response.profile, this._claimsService.filterProtocolClaims(claims as IdTokenClaims));\n logger.debug(\"user info claims received, updated profile:\", response.profile);\n }\n\n protected async _processCode(response: SigninResponse, state: SigninState, extraHeaders?: Record<string, ExtraHeader>): Promise<void> {\n const logger = this._logger.create(\"_processCode\");\n if (response.code) {\n logger.debug(\"Validating code\");\n const tokenResponse = await 
this._tokenClient.exchangeCode({\n client_id: state.client_id,\n client_secret: state.client_secret,\n code: response.code,\n redirect_uri: state.redirect_uri,\n code_verifier: state.code_verifier,\n extraHeaders: extraHeaders,\n ...state.extraTokenParams,\n });\n Object.assign(response, tokenResponse);\n } else {\n logger.debug(\"No code to process\");\n }\n }\n\n protected _validateIdTokenAttributes(response: SigninResponse, existingToken?: string): void {\n const logger = this._logger.create(\"_validateIdTokenAttributes\");\n\n logger.debug(\"decoding ID Token JWT\");\n const incoming = JwtUtils.decode(response.id_token ?? \"\");\n\n if (!incoming.sub) {\n logger.throw(new Error(\"ID Token is missing a subject claim\"));\n }\n\n if (existingToken) {\n const existing = JwtUtils.decode(existingToken);\n if (incoming.sub !== existing.sub) {\n logger.throw(new Error(\"sub in id_token does not match current sub\"));\n }\n if (incoming.auth_time && incoming.auth_time !== existing.auth_time) {\n logger.throw(new Error(\"auth_time in id_token does not match original auth_time\"));\n }\n if (incoming.azp && incoming.azp !== existing.azp) {\n logger.throw(new Error(\"azp in id_token does not match original azp\"));\n }\n if (!incoming.azp && existing.azp) {\n logger.throw(new Error(\"azp not in id_token, but present in original id_token\"));\n }\n }\n\n response.profile = incoming as UserProfile;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, CryptoUtils, Timer } from \"./utils\";\nimport type { StateStore } from \"./StateStore\";\n\n/**\n * @public\n */\nexport class State {\n public readonly id: string;\n public readonly created: number;\n public readonly request_type: string | undefined;\n public readonly url_state: string | undefined;\n\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n public readonly data?: unknown;\n\n public constructor(args: {\n id?: string;\n data?: unknown;\n created?: number;\n request_type?: string;\n url_state?: string;\n }) {\n this.id = args.id || CryptoUtils.generateUUIDv4();\n this.data = args.data;\n\n if (args.created && args.created > 0) {\n this.created = args.created;\n }\n else {\n this.created = Timer.getEpochTime();\n }\n this.request_type = args.request_type;\n this.url_state = args.url_state;\n }\n\n public toStorageString(): string {\n new Logger(\"State\").create(\"toStorageString\");\n return JSON.stringify({\n id: this.id,\n data: this.data,\n created: this.created,\n request_type: this.request_type,\n url_state: this.url_state,\n });\n }\n\n public static fromStorageString(storageString: string): Promise<State> {\n Logger.createStatic(\"State\", \"fromStorageString\");\n return Promise.resolve(new State(JSON.parse(storageString)));\n }\n\n public static async clearStaleState(storage: StateStore, age: number): Promise<void> {\n const logger = Logger.createStatic(\"State\", \"clearStaleState\");\n const cutoff = Timer.getEpochTime() - age;\n\n const keys = await storage.getAllKeys();\n logger.debug(\"got keys\", keys);\n\n for (let i = 0; i < keys.length; i++) {\n const key = keys[i];\n const item = await storage.get(key);\n let remove = false;\n\n if (item) {\n try {\n const state = await State.fromStorageString(item);\n\n logger.debug(\"got item from key:\", key, state.created);\n if (state.created <= cutoff) {\n remove = true;\n }\n }\n 
catch (err) {\n logger.error(\"Error parsing state for key:\", key, err);\n remove = true;\n }\n }\n else {\n logger.debug(\"no item in storage for key:\", key);\n remove = true;\n }\n\n if (remove) {\n logger.debug(\"removed item for key:\", key);\n void storage.remove(key);\n }\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, CryptoUtils } from \"./utils\";\nimport { State } from \"./State\";\n\n/** @public */\nexport interface SigninStateArgs {\n id?: string;\n data?: unknown;\n created?: number;\n request_type?: string;\n\n code_verifier?: string;\n code_challenge?: string;\n authority: string;\n client_id: string;\n redirect_uri: string;\n scope: string;\n client_secret?: string;\n extraTokenParams?: Record<string, unknown>;\n response_mode?: \"query\" | \"fragment\";\n skipUserInfo?: boolean;\n url_state?: string;\n}\n\n/** @public */\nexport type SigninStateCreateArgs = Omit<SigninStateArgs, \"code_verifier\"> & {\n code_verifier?: string | boolean;\n};\n\n/**\n * @public\n */\nexport class SigninState extends State {\n // isCode\n /** The same code_verifier that was used to obtain the authorization_code via PKCE. */\n public readonly code_verifier: string | undefined;\n /** Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). 
*/\n public readonly code_challenge: string | undefined;\n\n // to ensure state still matches settings\n /** @see {@link OidcClientSettings.authority} */\n public readonly authority: string;\n /** @see {@link OidcClientSettings.client_id} */\n public readonly client_id: string;\n /** @see {@link OidcClientSettings.redirect_uri} */\n public readonly redirect_uri: string;\n /** @see {@link OidcClientSettings.scope} */\n public readonly scope: string;\n /** @see {@link OidcClientSettings.client_secret} */\n public readonly client_secret: string | undefined;\n /** @see {@link OidcClientSettings.extraTokenParams} */\n public readonly extraTokenParams: Record<string, unknown> | undefined;\n /** @see {@link OidcClientSettings.response_mode} */\n public readonly response_mode: \"query\" | \"fragment\" | undefined;\n\n public readonly skipUserInfo: boolean | undefined;\n\n private constructor(args: SigninStateArgs) {\n super(args);\n\n this.code_verifier = args.code_verifier;\n this.code_challenge = args.code_challenge;\n this.authority = args.authority;\n this.client_id = args.client_id;\n this.redirect_uri = args.redirect_uri;\n this.scope = args.scope;\n this.client_secret = args.client_secret;\n this.extraTokenParams = args.extraTokenParams;\n\n this.response_mode = args.response_mode;\n this.skipUserInfo = args.skipUserInfo;\n }\n\n public static async create(args: SigninStateCreateArgs): Promise<SigninState> {\n const code_verifier = args.code_verifier === true ? CryptoUtils.generateCodeVerifier() : (args.code_verifier || undefined);\n const code_challenge = code_verifier ? 
(await CryptoUtils.generateCodeChallenge(code_verifier)) : undefined;\n\n return new SigninState({\n ...args,\n code_verifier,\n code_challenge,\n });\n }\n\n public toStorageString(): string {\n new Logger(\"SigninState\").create(\"toStorageString\");\n return JSON.stringify({\n id: this.id,\n data: this.data,\n created: this.created,\n request_type: this.request_type,\n url_state: this.url_state,\n\n code_verifier: this.code_verifier,\n authority: this.authority,\n client_id: this.client_id,\n redirect_uri: this.redirect_uri,\n scope: this.scope,\n client_secret: this.client_secret,\n extraTokenParams : this.extraTokenParams,\n response_mode: this.response_mode,\n skipUserInfo: this.skipUserInfo,\n });\n }\n\n public static fromStorageString(storageString: string): Promise<SigninState> {\n Logger.createStatic(\"SigninState\", \"fromStorageString\");\n const data = JSON.parse(storageString);\n return SigninState.create(data);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, URL_STATE_DELIMITER } from \"./utils\";\nimport { SigninState } from \"./SigninState\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\n */\nexport interface SigninRequestCreateArgs {\n // mandatory\n url: string;\n authority: string;\n client_id: string;\n redirect_uri: string;\n response_type: string;\n scope: string;\n\n // optional\n response_mode?: \"query\" | \"fragment\";\n nonce?: string;\n display?: string;\n dpopJkt?: string;\n prompt?: string;\n max_age?: number;\n ui_locales?: string;\n id_token_hint?: string;\n login_hint?: string;\n acr_values?: string;\n\n // other\n resource?: string | string[];\n request?: string;\n request_uri?: string;\n request_type?: string;\n extraQueryParams?: Record<string, string | number | boolean>;\n\n // special\n extraTokenParams?: Record<string, unknown>;\n client_secret?: string;\n skipUserInfo?: boolean;\n disablePKCE?: boolean;\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state_data?: unknown;\n url_state?: string;\n omitScopeWhenRequesting?: boolean;\n}\n\n/**\n * @public\n */\nexport class SigninRequest {\n private static readonly _logger = new Logger(\"SigninRequest\");\n\n public readonly url: string;\n public readonly state: SigninState;\n\n private constructor(args: {\n url: string;\n state: SigninState;\n }) {\n this.url = args.url;\n this.state = args.state;\n }\n\n public static async create({\n // mandatory\n url, authority, client_id, redirect_uri, response_type, scope,\n // optional\n state_data, response_mode, request_type, client_secret, nonce, url_state,\n resource,\n skipUserInfo,\n extraQueryParams,\n extraTokenParams,\n disablePKCE,\n dpopJkt,\n omitScopeWhenRequesting,\n ...optionalParams\n }: SigninRequestCreateArgs): Promise<SigninRequest> {\n if (!url) {\n this._logger.error(\"create: No url passed\");\n throw new 
Error(\"url\");\n }\n if (!client_id) {\n this._logger.error(\"create: No client_id passed\");\n throw new Error(\"client_id\");\n }\n if (!redirect_uri) {\n this._logger.error(\"create: No redirect_uri passed\");\n throw new Error(\"redirect_uri\");\n }\n if (!response_type) {\n this._logger.error(\"create: No response_type passed\");\n throw new Error(\"response_type\");\n }\n if (!scope) {\n this._logger.error(\"create: No scope passed\");\n throw new Error(\"scope\");\n }\n if (!authority) {\n this._logger.error(\"create: No authority passed\");\n throw new Error(\"authority\");\n }\n\n const state = await SigninState.create({\n data: state_data,\n request_type,\n url_state,\n code_verifier: !disablePKCE,\n client_id, authority, redirect_uri,\n response_mode,\n client_secret, scope, extraTokenParams,\n skipUserInfo,\n });\n\n const parsedUrl = new URL(url);\n parsedUrl.searchParams.append(\"client_id\", client_id);\n parsedUrl.searchParams.append(\"redirect_uri\", redirect_uri);\n parsedUrl.searchParams.append(\"response_type\", response_type);\n if (!omitScopeWhenRequesting) {\n parsedUrl.searchParams.append(\"scope\", scope);\n }\n if (nonce) {\n parsedUrl.searchParams.append(\"nonce\", nonce);\n }\n\n if (dpopJkt) {\n parsedUrl.searchParams.append(\"dpop_jkt\", dpopJkt);\n }\n\n let stateParam = state.id;\n if (url_state) {\n stateParam = `${stateParam}${URL_STATE_DELIMITER}${url_state}`;\n }\n parsedUrl.searchParams.append(\"state\", stateParam);\n if (state.code_challenge) {\n parsedUrl.searchParams.append(\"code_challenge\", state.code_challenge);\n parsedUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (resource) {\n // https://datatracker.ietf.org/doc/html/rfc8707\n const resources = Array.isArray(resource) ? 
resource : [resource];\n resources\n .forEach(r => parsedUrl.searchParams.append(\"resource\", r));\n }\n\n for (const [key, value] of Object.entries({ response_mode, ...optionalParams, ...extraQueryParams })) {\n if (value != null) {\n parsedUrl.searchParams.append(key, value.toString());\n }\n }\n\n return new SigninRequest({\n url: parsedUrl.href,\n state,\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Timer, URL_STATE_DELIMITER } from \"./utils\";\nimport type { UserProfile } from \"./User\";\n\nconst OidcScope = \"openid\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class SigninResponse {\n // props present in the initial callback response regardless of success\n public readonly state: string | null;\n /** @see {@link User.session_state} */\n public session_state: string | null;\n\n // error props\n /** @see {@link ErrorResponse.error} */\n public readonly error: string | null;\n /** @see {@link ErrorResponse.error_description} */\n public readonly error_description: string | null;\n /** @see {@link ErrorResponse.error_uri} */\n public readonly error_uri: string | null;\n\n // success props\n public readonly code: string | null;\n\n // props set after validation\n /** @see {@link User.id_token} */\n public id_token?: string;\n /** @see {@link User.access_token} */\n public access_token = \"\";\n /** @see {@link User.token_type} */\n public token_type = \"\";\n /** @see {@link User.refresh_token} */\n public refresh_token?: string;\n /** @see {@link User.scope} */\n public scope?: string;\n /** @see {@link User.expires_at} */\n public expires_at?: number;\n\n /** custom state data set during the initial signin request */\n public userState: unknown;\n public url_state?: 
string;\n\n /** @see {@link User.profile} */\n public profile: UserProfile = {} as UserProfile;\n\n public constructor(params: URLSearchParams) {\n this.state = params.get(\"state\");\n this.session_state = params.get(\"session_state\");\n if (this.state) {\n const splitState = decodeURIComponent(this.state).split(URL_STATE_DELIMITER);\n this.state = splitState[0];\n if (splitState.length > 1) {\n this.url_state = splitState.slice(1).join(URL_STATE_DELIMITER);\n }\n }\n\n this.error = params.get(\"error\");\n this.error_description = params.get(\"error_description\");\n this.error_uri = params.get(\"error_uri\");\n\n this.code = params.get(\"code\");\n }\n\n public get expires_in(): number | undefined {\n if (this.expires_at === undefined) {\n return undefined;\n }\n return this.expires_at - Timer.getEpochTime();\n }\n public set expires_in(value: number | undefined) {\n // spec expects a number, but normalize here just in case\n if (typeof value === \"string\") value = Number(value);\n if (value !== undefined && value >= 0) {\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\n }\n }\n\n public get isOpenId(): boolean {\n return this.scope?.split(\" \").includes(OidcScope) || !!this.id_token;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { State } from \"./State\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout\n */\nexport interface SignoutRequestArgs {\n // mandatory\n url: string;\n\n // optional\n id_token_hint?: string;\n client_id?: string;\n post_logout_redirect_uri?: string;\n extraQueryParams?: Record<string, string | number | boolean>;\n\n // special\n request_type?: string;\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state_data?: unknown;\n}\n\n/**\n * @public\n */\nexport class SignoutRequest {\n private readonly _logger = new Logger(\"SignoutRequest\");\n\n public readonly url: string;\n public readonly state?: State;\n\n public constructor({\n url,\n state_data, id_token_hint, post_logout_redirect_uri, extraQueryParams, request_type, client_id,\n }: SignoutRequestArgs) {\n if (!url) {\n this._logger.error(\"ctor: No url passed\");\n throw new Error(\"url\");\n }\n\n const parsedUrl = new URL(url);\n if (id_token_hint) {\n parsedUrl.searchParams.append(\"id_token_hint\", id_token_hint);\n }\n if (client_id) {\n parsedUrl.searchParams.append(\"client_id\", client_id);\n }\n\n if (post_logout_redirect_uri) {\n parsedUrl.searchParams.append(\"post_logout_redirect_uri\", post_logout_redirect_uri);\n\n if (state_data) {\n this.state = new State({ data: state_data, request_type });\n\n parsedUrl.searchParams.append(\"state\", this.state.id);\n }\n }\n\n for (const [key, value] of Object.entries({ ...extraQueryParams })) {\n if (value != null) {\n parsedUrl.searchParams.append(key, value.toString());\n }\n }\n\n this.url = parsedUrl.href;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class SignoutResponse {\n public readonly state: string | null;\n\n // error props\n /** @see {@link ErrorResponse.error} */\n public error: string | null;\n /** @see {@link ErrorResponse.error_description} */\n public error_description: string | null;\n /** @see {@link ErrorResponse.error_uri} */\n public error_uri: string | null;\n\n /** custom state data set during the initial signout request */\n public userState: unknown;\n\n public constructor(params: URLSearchParams) {\n this.state = params.get(\"state\");\n\n this.error = params.get(\"error\");\n this.error_description = params.get(\"error_description\");\n this.error_uri = params.get(\"error_uri\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport type { JwtClaims } from \"./Claims\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { UserProfile } from \"./User\";\nimport { Logger } from \"./utils\";\n\n/**\n * Protocol claims that could be removed by default from profile.\n * Derived from the following sets of claims:\n * - {@link https://datatracker.ietf.org/doc/html/rfc7519.html#section-4.1}\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#IDToken}\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken}\n *\n * @internal\n 
*/\nconst InternalRequiredProtocolClaims = [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"];\n\n/**\n * @internal\n */\nexport class ClaimsService {\n protected readonly _logger = new Logger(\"ClaimsService\");\n public constructor(\n protected readonly _settings: OidcClientSettingsStore,\n ) {}\n\n public filterProtocolClaims(claims: UserProfile): UserProfile {\n const result = { ...claims };\n\n if (this._settings.filterProtocolClaims) {\n let protocolClaims;\n if (Array.isArray(this._settings.filterProtocolClaims)) {\n protocolClaims = this._settings.filterProtocolClaims;\n } else {\n protocolClaims = DefaultProtocolClaims;\n }\n\n for (const claim of protocolClaims) {\n if (!InternalRequiredProtocolClaims.includes(claim)) {\n delete result[claim];\n }\n }\n }\n\n return result;\n }\n\n public mergeClaims(claims1: JwtClaims, claims2: JwtClaims): UserProfile;\n public mergeClaims(claims1: UserProfile, claims2: JwtClaims): UserProfile {\n const result = { ...claims1 };\n for (const [claim, values] of Object.entries(claims2)) {\n if (result[claim] !== values) {\n if (Array.isArray(result[claim]) || Array.isArray(values)) {\n if (this._settings.mergeClaimsStrategy.array == \"replace\") {\n result[claim] = values;\n } else {\n const mergedValues = Array.isArray(result[claim]) ? result[claim] as unknown[] : [result[claim]];\n for (const value of Array.isArray(values) ? 
values : [values]) {\n if (!mergedValues.includes(value)) {\n mergedValues.push(value);\n }\n }\n result[claim] = mergedValues;\n }\n } else if (typeof result[claim] === \"object\" && typeof values === \"object\") {\n result[claim] = this.mergeClaims(result[claim] as JwtClaims, values as JwtClaims);\n } else {\n result[claim] = values;\n }\n }\n }\n\n return result;\n }\n}\n","/**\n * @public\n */\nexport interface DPoPStore {\n set(key: string, value: DPoPState): Promise<void>;\n get(key: string): Promise<DPoPState>;\n remove(key: string): Promise<DPoPState>;\n getAllKeys(): Promise<string[]>;\n}\n\n/**\n * @public\n */\nexport class DPoPState {\n public constructor(\n public readonly keys: CryptoKeyPair,\n public nonce?: string,\n ) { }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { CryptoUtils, Logger, UrlUtils } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport { type ExtraHeader, type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport { ResponseValidator } from \"./ResponseValidator\";\nimport { MetadataService } from \"./MetadataService\";\nimport type { RefreshState } from \"./RefreshState\";\nimport { SigninRequest, type SigninRequestCreateArgs } from \"./SigninRequest\";\nimport { SigninResponse } from \"./SigninResponse\";\nimport { SignoutRequest, type SignoutRequestArgs } from \"./SignoutRequest\";\nimport { SignoutResponse } from \"./SignoutResponse\";\nimport { SigninState } from \"./SigninState\";\nimport { State } from \"./State\";\nimport { TokenClient } from \"./TokenClient\";\nimport { ClaimsService } from \"./ClaimsService\";\nimport { DPoPState, type DPoPStore } from \"./DPoPStore\";\nimport { ErrorDPoPNonce } from \"./errors/ErrorDPoPNonce\";\n\n/**\n * @public\n */\nexport interface CreateSigninRequestArgs\n extends 
Omit<SigninRequestCreateArgs, \"url\" | \"authority\" | \"client_id\" | \"redirect_uri\" | \"response_type\" | \"scope\" | \"state_data\"> {\n redirect_uri?: string;\n response_type?: string;\n scope?: string;\n dpopJkt?: string;\n\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state?: unknown;\n}\n\n/**\n * @public\n */\nexport interface UseRefreshTokenArgs {\n redirect_uri?: string;\n resource?: string | string[];\n extraTokenParams?: Record<string, unknown>;\n timeoutInSeconds?: number;\n\n state: RefreshState;\n\n extraHeaders?: Record<string, ExtraHeader>;\n}\n\n/**\n * @public\n */\nexport type CreateSignoutRequestArgs = Omit<SignoutRequestArgs, \"url\" | \"state_data\"> & {\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state?: unknown;\n};\n\n/**\n * @public\n */\nexport type ProcessResourceOwnerPasswordCredentialsArgs = {\n username: string;\n password: string;\n skipUserInfo?: boolean;\n extraTokenParams?: Record<string, unknown>;\n};\n\n/**\n * Provides the raw OIDC/OAuth2 protocol support for the authorization endpoint and the end session endpoint in the\n * authorization server. 
It provides a bare-bones protocol implementation and is used by the UserManager class.\n * Only use this class if you simply want protocol support without the additional management features of the\n * UserManager class.\n *\n * @public\n */\nexport class OidcClient {\n public readonly settings: OidcClientSettingsStore;\n protected readonly _logger = new Logger(\"OidcClient\");\n\n public readonly metadataService: MetadataService;\n protected readonly _claimsService: ClaimsService;\n protected readonly _validator: ResponseValidator;\n protected readonly _tokenClient: TokenClient;\n\n public constructor(settings: OidcClientSettings);\n public constructor(settings: OidcClientSettingsStore, metadataService: MetadataService);\n public constructor(settings: OidcClientSettings | OidcClientSettingsStore, metadataService?: MetadataService) {\n this.settings = settings instanceof OidcClientSettingsStore ? settings : new OidcClientSettingsStore(settings);\n\n this.metadataService = metadataService ?? 
new MetadataService(this.settings);\n this._claimsService = new ClaimsService(this.settings);\n this._validator = new ResponseValidator(this.settings, this.metadataService, this._claimsService);\n this._tokenClient = new TokenClient(this.settings, this.metadataService);\n }\n\n public async createSigninRequest({\n state,\n request,\n request_uri,\n request_type,\n id_token_hint,\n login_hint,\n skipUserInfo,\n nonce,\n url_state,\n response_type = this.settings.response_type,\n scope = this.settings.scope,\n redirect_uri = this.settings.redirect_uri,\n prompt = this.settings.prompt,\n display = this.settings.display,\n max_age = this.settings.max_age,\n ui_locales = this.settings.ui_locales,\n acr_values = this.settings.acr_values,\n resource = this.settings.resource,\n response_mode = this.settings.response_mode,\n extraQueryParams = this.settings.extraQueryParams,\n extraTokenParams = this.settings.extraTokenParams,\n dpopJkt,\n omitScopeWhenRequesting = this.settings.omitScopeWhenRequesting,\n }: CreateSigninRequestArgs): Promise<SigninRequest> {\n const logger = this._logger.create(\"createSigninRequest\");\n\n if (response_type !== \"code\") {\n throw new Error(\"Only the Authorization Code flow (with PKCE) is supported\");\n }\n\n const url = await this.metadataService.getAuthorizationEndpoint();\n logger.debug(\"Received authorization endpoint\", url);\n\n const signinRequest = await SigninRequest.create({\n url,\n authority: this.settings.authority,\n client_id: this.settings.client_id,\n redirect_uri,\n response_type,\n scope,\n state_data: state,\n url_state,\n prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values, dpopJkt,\n resource, request, request_uri, extraQueryParams, extraTokenParams, request_type, response_mode,\n client_secret: this.settings.client_secret,\n skipUserInfo,\n nonce,\n disablePKCE: this.settings.disablePKCE,\n omitScopeWhenRequesting,\n });\n\n // house cleaning\n await this.clearStaleState();\n\n const 
signinState = signinRequest.state;\n await this.settings.stateStore.set(signinState.id, signinState.toStorageString());\n return signinRequest;\n }\n\n public async readSigninResponseState(url: string, removeState = false): Promise<{ state: SigninState; response: SigninResponse }> {\n const logger = this._logger.create(\"readSigninResponseState\");\n\n const response = new SigninResponse(UrlUtils.readParams(url, this.settings.response_mode));\n if (!response.state) {\n logger.throw(new Error(\"No state in response\"));\n // need to throw within this function's body for type narrowing to work\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const storedStateString = await this.settings.stateStore[removeState ? \"remove\" : \"get\"](response.state);\n if (!storedStateString) {\n logger.throw(new Error(\"No matching state found in storage\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const state = await SigninState.fromStorageString(storedStateString);\n return { state, response };\n }\n\n public async processSigninResponse(url: string, extraHeaders?: Record<string, ExtraHeader>): Promise<SigninResponse> {\n const logger = this._logger.create(\"processSigninResponse\");\n\n const { state, response } = await this.readSigninResponseState(url, true);\n logger.debug(\"received state from storage; validating response\");\n\n if (this.settings.dpop && this.settings.dpop.store) {\n const dpopProof = await this.getDpopProof(this.settings.dpop.store);\n extraHeaders = { ...extraHeaders, \"DPoP\": dpopProof };\n }\n\n /**\n * The DPoP spec describes a method for Authorization Servers to supply a nonce value\n * in order to limit the lifetime of a given DPoP proof.\n * See https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid\n * This involves the AS returning a 400 bad request with a DPoP-Nonce header containing\n * the nonce value. 
The client must then retry the request with a recomputed DPoP proof\n * containing the supplied nonce value.\n */\n try {\n await this._validator.validateSigninResponse(response, state, extraHeaders);\n }\n catch (err) {\n if (err instanceof ErrorDPoPNonce && this.settings.dpop) {\n const dpopProof = await this.getDpopProof(this.settings.dpop.store, err.nonce);\n extraHeaders![\"DPoP\"] = dpopProof;\n await this._validator.validateSigninResponse(response, state, extraHeaders);\n } else {\n throw err;\n }\n }\n\n return response;\n }\n\n async getDpopProof(dpopStore: DPoPStore, nonce?: string): Promise<string> {\n let keyPair: CryptoKeyPair;\n let dpopState: DPoPState;\n\n if (!(await dpopStore.getAllKeys()).includes(this.settings.client_id)) {\n keyPair = await CryptoUtils.generateDPoPKeys();\n dpopState = new DPoPState(keyPair, nonce);\n await dpopStore.set(this.settings.client_id, dpopState);\n } else {\n dpopState = await dpopStore.get(this.settings.client_id);\n\n // if the server supplied nonce has changed since the last request, update the nonce\n if (dpopState.nonce !== nonce && nonce) {\n dpopState.nonce = nonce;\n await dpopStore.set(this.settings.client_id, dpopState);\n }\n }\n\n return await CryptoUtils.generateDPoPProof({\n url: await this.metadataService.getTokenEndpoint(false),\n httpMethod: \"POST\",\n keyPair: dpopState.keys,\n nonce: dpopState.nonce,\n });\n }\n\n public async processResourceOwnerPasswordCredentials({\n username,\n password,\n skipUserInfo = false,\n extraTokenParams = {},\n }: ProcessResourceOwnerPasswordCredentialsArgs): Promise<SigninResponse> {\n const tokenResponse: Record<string, unknown> = await this._tokenClient.exchangeCredentials({ username, password, ...extraTokenParams });\n const signinResponse: SigninResponse = new SigninResponse(new URLSearchParams());\n Object.assign(signinResponse, tokenResponse);\n await this._validator.validateCredentialsResponse(signinResponse, skipUserInfo);\n return signinResponse;\n }\n\n 
public async useRefreshToken({\n state,\n redirect_uri,\n resource,\n timeoutInSeconds,\n extraHeaders,\n extraTokenParams,\n }: UseRefreshTokenArgs): Promise<SigninResponse> {\n const logger = this._logger.create(\"useRefreshToken\");\n\n // https://github.com/authts/oidc-client-ts/issues/695\n // In some cases (e.g. AzureAD), not all granted scopes are allowed on token refresh requests.\n // Therefore, we filter all granted scopes by a list of allowable scopes.\n let scope;\n if (this.settings.refreshTokenAllowedScope === undefined) {\n scope = state.scope;\n } else {\n const allowableScopes = this.settings.refreshTokenAllowedScope.split(\" \");\n const providedScopes = state.scope?.split(\" \") || [];\n\n scope = providedScopes.filter(s => allowableScopes.includes(s)).join(\" \");\n }\n\n if (this.settings.dpop && this.settings.dpop.store) {\n const dpopProof = await this.getDpopProof(this.settings.dpop.store);\n extraHeaders = { ...extraHeaders, \"DPoP\": dpopProof };\n }\n\n /**\n * The DPoP spec describes a method for Authorization Servers to supply a nonce value\n * in order to limit the lifetime of a given DPoP proof.\n * See https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid\n * This involves the AS returning a 400 bad request with a DPoP-Nonce header containing\n * the nonce value. 
The client must then retry the request with a recomputed DPoP proof\n * containing the supplied nonce value.\n */\n let result;\n try {\n result = await this._tokenClient.exchangeRefreshToken({\n refresh_token: state.refresh_token,\n // provide the (possibly filtered) scope list\n scope,\n redirect_uri,\n resource,\n timeoutInSeconds,\n extraHeaders,\n ...extraTokenParams,\n });\n } catch (err) {\n if (err instanceof ErrorDPoPNonce && this.settings.dpop) {\n extraHeaders![\"DPoP\"] = await this.getDpopProof(this.settings.dpop.store, err.nonce);\n result = await this._tokenClient.exchangeRefreshToken({\n refresh_token: state.refresh_token,\n // provide the (possibly filtered) scope list\n scope,\n redirect_uri,\n resource,\n timeoutInSeconds,\n extraHeaders,\n ...extraTokenParams,\n });\n } else {\n throw err;\n }\n }\n\n const response = new SigninResponse(new URLSearchParams());\n Object.assign(response, result);\n logger.debug(\"validating response\", response);\n await this._validator.validateRefreshResponse(response, {\n ...state,\n // override the scope in the state handed over to the validator\n // so it can set the granted scope to the requested scope in case none is included in the response\n scope,\n });\n return response;\n }\n\n public async createSignoutRequest({\n state,\n id_token_hint,\n client_id,\n request_type,\n post_logout_redirect_uri = this.settings.post_logout_redirect_uri,\n extraQueryParams = this.settings.extraQueryParams,\n }: CreateSignoutRequestArgs = {}): Promise<SignoutRequest> {\n const logger = this._logger.create(\"createSignoutRequest\");\n\n const url = await this.metadataService.getEndSessionEndpoint();\n if (!url) {\n logger.throw(new Error(\"No end session endpoint\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n logger.debug(\"Received end session endpoint\", url);\n\n // specify the client identifier when post_logout_redirect_uri is used but id_token_hint is not\n if (!client_id && 
post_logout_redirect_uri && !id_token_hint) {\n client_id = this.settings.client_id;\n }\n\n const request = new SignoutRequest({\n url,\n id_token_hint,\n client_id,\n post_logout_redirect_uri,\n state_data: state,\n extraQueryParams,\n request_type,\n });\n\n // house cleaning\n await this.clearStaleState();\n\n const signoutState = request.state;\n if (signoutState) {\n logger.debug(\"Signout request has state to persist\");\n await this.settings.stateStore.set(signoutState.id, signoutState.toStorageString());\n }\n\n return request;\n }\n\n public async readSignoutResponseState(url: string, removeState = false): Promise<{ state: State | undefined; response: SignoutResponse }> {\n const logger = this._logger.create(\"readSignoutResponseState\");\n\n const response = new SignoutResponse(UrlUtils.readParams(url, this.settings.response_mode));\n if (!response.state) {\n logger.debug(\"No state in response\");\n\n if (response.error) {\n logger.warn(\"Response was error:\", response.error);\n throw new ErrorResponse(response);\n }\n\n return { state: undefined, response };\n }\n\n const storedStateString = await this.settings.stateStore[removeState ? 
\"remove\" : \"get\"](response.state);\n if (!storedStateString) {\n logger.throw(new Error(\"No matching state found in storage\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const state = await State.fromStorageString(storedStateString);\n return { state, response };\n }\n\n public async processSignoutResponse(url: string): Promise<SignoutResponse> {\n const logger = this._logger.create(\"processSignoutResponse\");\n\n const { state, response } = await this.readSignoutResponseState(url, true);\n if (state) {\n logger.debug(\"Received state from storage; validating response\");\n this._validator.validateSignoutResponse(response, state);\n } else {\n logger.debug(\"No state from storage; skipping response validation\");\n }\n\n return response;\n }\n\n public clearStaleState(): Promise<void> {\n this._logger.create(\"clearStaleState\");\n return State.clearStaleState(this.settings.stateStore, this.settings.staleStateAgeInSeconds);\n }\n\n public async revokeToken(token: string, type?: \"access_token\" | \"refresh_token\"): Promise<void> {\n this._logger.create(\"revokeToken\");\n return await this._tokenClient.revoke({\n token,\n token_type_hint: type,\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { CheckSessionIFrame } from \"./CheckSessionIFrame\";\nimport type { UserManager } from \"./UserManager\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport class SessionMonitor {\n private readonly _logger = new Logger(\"SessionMonitor\");\n\n private _sub: string | undefined;\n private _checkSessionIFrame?: CheckSessionIFrame;\n\n public constructor(private readonly _userManager: UserManager) {\n if (!_userManager) {\n this._logger.throw(new Error(\"No user manager passed\"));\n }\n\n this._userManager.events.addUserLoaded(this._start);\n this._userManager.events.addUserUnloaded(this._stop);\n\n this._init().catch((err: unknown) => {\n // catch to suppress errors since we're in a ctor\n this._logger.error(err);\n });\n }\n\n protected async _init(): Promise<void> {\n this._logger.create(\"_init\");\n const user = await this._userManager.getUser();\n // doing this manually here since calling getUser\n // doesn't trigger load event.\n if (user) {\n void this._start(user);\n }\n else if (this._userManager.settings.monitorAnonymousSession) {\n const session = await this._userManager.querySessionStatus();\n if (session) {\n const tmpUser = {\n session_state: session.session_state,\n profile: session.sub ? 
{\n sub: session.sub,\n } : null,\n };\n void this._start(tmpUser);\n }\n }\n }\n\n protected _start = async (\n user: User | {\n session_state: string;\n profile: { sub: string } | null;\n },\n ): Promise<void> => {\n const session_state = user.session_state;\n if (!session_state) {\n return;\n }\n const logger = this._logger.create(\"_start\");\n\n if (user.profile) {\n this._sub = user.profile.sub;\n logger.debug(\"session_state\", session_state, \", sub\", this._sub);\n }\n else {\n this._sub = undefined;\n logger.debug(\"session_state\", session_state, \", anonymous user\");\n }\n\n if (this._checkSessionIFrame) {\n this._checkSessionIFrame.start(session_state);\n return;\n }\n\n try {\n const url = await this._userManager.metadataService.getCheckSessionIframe();\n if (url) {\n logger.debug(\"initializing check session iframe\");\n\n const client_id = this._userManager.settings.client_id;\n const intervalInSeconds = this._userManager.settings.checkSessionIntervalInSeconds;\n const stopOnError = this._userManager.settings.stopCheckSessionOnError;\n\n const checkSessionIFrame = new CheckSessionIFrame(this._callback, client_id, url, intervalInSeconds, stopOnError);\n await checkSessionIFrame.load();\n this._checkSessionIFrame = checkSessionIFrame;\n checkSessionIFrame.start(session_state);\n }\n else {\n logger.warn(\"no check session iframe found in the metadata\");\n }\n }\n catch (err) {\n // catch to suppress errors since we're in non-promise callback\n logger.error(\"Error from getCheckSessionIframe:\", err instanceof Error ? 
err.message : err);\n }\n };\n\n protected _stop = (): void => {\n const logger = this._logger.create(\"_stop\");\n this._sub = undefined;\n\n if (this._checkSessionIFrame) {\n this._checkSessionIFrame.stop();\n }\n\n if (this._userManager.settings.monitorAnonymousSession) {\n // using a timer to delay re-initialization to avoid race conditions during signout\n // TODO rewrite to use promise correctly\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const timerHandle = setInterval(async () => {\n clearInterval(timerHandle);\n\n try {\n const session = await this._userManager.querySessionStatus();\n if (session) {\n const tmpUser = {\n session_state: session.session_state,\n profile: session.sub ? {\n sub: session.sub,\n } : null,\n };\n void this._start(tmpUser);\n }\n }\n catch (err) {\n // catch to suppress errors since we're in a callback\n logger.error(\"error from querySessionStatus\", err instanceof Error ? err.message : err);\n }\n }, 1000);\n }\n };\n\n protected _callback = async (): Promise<void> => {\n const logger = this._logger.create(\"_callback\");\n try {\n const session = await this._userManager.querySessionStatus();\n let raiseEvent = true;\n\n if (session && this._checkSessionIFrame) {\n if (session.sub === this._sub) {\n raiseEvent = false;\n this._checkSessionIFrame.start(session.session_state);\n\n logger.debug(\"same sub still logged in at OP, session state has changed, restarting check session iframe; session_state\", session.session_state);\n await this._userManager.events._raiseUserSessionChanged();\n }\n else {\n logger.debug(\"different subject signed into OP\", session.sub);\n }\n }\n else {\n logger.debug(\"subject no longer signed into OP\");\n }\n\n if (raiseEvent) {\n if (this._sub) {\n await this._userManager.events._raiseUserSignedOut();\n }\n else {\n await this._userManager.events._raiseUserSignedIn();\n }\n } else {\n logger.debug(\"no change in session detected, no event to raise\");\n }\n }\n catch (err) 
{\n if (this._sub) {\n logger.debug(\"Error calling queryCurrentSigninSession; raising signed out event\", err);\n await this._userManager.events._raiseUserSignedOut();\n }\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport type { IdTokenClaims } from \"./Claims\";\n\n/**\n * Holds claims represented by a combination of the `id_token` and the user info endpoint.\n *\n * @public\n */\nexport type UserProfile = IdTokenClaims;\n\n/**\n * @public\n */\nexport class User {\n /**\n * A JSON Web Token (JWT). Only provided if `openid` scope was requested.\n * The application can access the data decoded by using the `profile` property.\n */\n public id_token?: string;\n\n /** The session state value returned from the OIDC provider. */\n public session_state: string | null;\n\n /**\n * The requested access token returned from the OIDC provider. The application can use this token to\n * authenticate itself to the secured resource.\n */\n public access_token: string;\n\n /**\n * An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the\n * current access token expires. Refresh tokens are long-lived and can be used to maintain access to resources\n * for extended periods of time.\n */\n public refresh_token?: string;\n\n /** Typically \"Bearer\" */\n public token_type: string;\n\n /** The scopes that the requested access token is valid for. */\n public scope?: string;\n\n /** The claims represented by a combination of the `id_token` and the user info endpoint. */\n public profile: UserProfile;\n\n /** The expires at returned from the OIDC provider. 
*/\n public expires_at?: number;\n\n /** custom state data set during the initial signin request */\n public readonly state: unknown;\n public readonly url_state?: string;\n\n public constructor(args: {\n id_token?: string;\n session_state?: string | null;\n access_token: string;\n refresh_token?: string;\n token_type: string;\n scope?: string;\n profile: UserProfile;\n expires_at?: number;\n userState?: unknown;\n url_state?: string;\n }) {\n this.id_token = args.id_token;\n this.session_state = args.session_state ?? null;\n this.access_token = args.access_token;\n this.refresh_token = args.refresh_token;\n\n this.token_type = args.token_type;\n this.scope = args.scope;\n this.profile = args.profile;\n this.expires_at = args.expires_at;\n this.state = args.userState;\n this.url_state = args.url_state;\n }\n\n /** Computed number of seconds the access token has remaining. */\n public get expires_in(): number | undefined {\n if (this.expires_at === undefined) {\n return undefined;\n }\n return this.expires_at - Timer.getEpochTime();\n }\n\n public set expires_in(value: number | undefined) {\n if (value !== undefined) {\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\n }\n }\n\n /** Computed value indicating if the access token is expired. */\n public get expired(): boolean | undefined {\n const expires_in = this.expires_in;\n if (expires_in === undefined) {\n return undefined;\n }\n return expires_in <= 0;\n }\n\n /** Array representing the parsed values from the `scope`. */\n public get scopes(): string[] {\n return this.scope?.split(\" \") ?? 
[];\n }\n\n public toStorageString(): string {\n new Logger(\"User\").create(\"toStorageString\");\n return JSON.stringify({\n id_token: this.id_token,\n session_state: this.session_state,\n access_token: this.access_token,\n refresh_token: this.refresh_token,\n token_type: this.token_type,\n scope: this.scope,\n profile: this.profile,\n expires_at: this.expires_at,\n });\n }\n\n public static fromStorageString(storageString: string): User {\n Logger.createStatic(\"User\", \"fromStorageString\");\n return new User(JSON.parse(storageString));\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Event, Logger, UrlUtils } from \"../utils\";\nimport type { IWindow, NavigateParams, NavigateResponse } from \"./IWindow\";\n\nconst messageSource = \"oidc-client\";\n\ninterface MessageData {\n source: string;\n url: string;\n keepOpen: boolean;\n}\n\n/**\n * Window implementation which resolves via communication from a child window\n * via the `Window.postMessage()` interface.\n *\n * @internal\n */\nexport abstract class AbstractChildWindow implements IWindow {\n protected abstract readonly _logger: Logger;\n protected readonly _abort = new Event<[reason: Error]>(\"Window navigation aborted\");\n protected readonly _disposeHandlers = new Set<() => void>();\n\n protected _window: WindowProxy | null = null;\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n const logger = this._logger.create(\"navigate\");\n if (!this._window) {\n throw new Error(\"Attempted to navigate on a disposed window\");\n }\n\n logger.debug(\"setting URL in window\");\n this._window.location.replace(params.url);\n\n const { url, keepOpen } = await new Promise<MessageData>((resolve, reject) => {\n const listener = (e: MessageEvent) => {\n const data: MessageData | undefined = e.data;\n const origin = params.scriptOrigin ?? 
window.location.origin;\n if (e.origin !== origin || data?.source !== messageSource) {\n // silently discard events not intended for us\n return;\n }\n try {\n const state = UrlUtils.readParams(data.url, params.response_mode).get(\"state\");\n if (!state) {\n logger.warn(\"no state found in response url\");\n }\n if (e.source !== this._window && state !== params.state) {\n // MessageEvent source is a relatively modern feature, we can't rely on it\n // so we also inspect the payload for a matching state key as an alternative\n return;\n }\n }\n catch (err) {\n this._dispose();\n reject(new Error(\"Invalid response from window\"));\n }\n resolve(data);\n };\n window.addEventListener(\"message\", listener, false);\n this._disposeHandlers.add(() => window.removeEventListener(\"message\", listener, false));\n this._disposeHandlers.add(this._abort.addHandler((reason) => {\n this._dispose();\n reject(reason);\n }));\n });\n logger.debug(\"got response from window\");\n this._dispose();\n\n if (!keepOpen) {\n this.close();\n }\n\n return { url };\n }\n\n public abstract close(): void;\n\n private _dispose(): void {\n this._logger.create(\"_dispose\");\n\n for (const dispose of this._disposeHandlers) {\n dispose();\n }\n this._disposeHandlers.clear();\n }\n\n protected static _notifyParent(parent: Window, url: string, keepOpen = false, targetOrigin = window.location.origin): void {\n parent.postMessage({\n source: messageSource,\n url,\n keepOpen,\n } as MessageData, targetOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { PopupWindowFeatures } from \"./utils/PopupUtils\";\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\n\nexport const DefaultPopupWindowFeatures: PopupWindowFeatures = {\n location: false,\n toolbar: false,\n height: 640,\n closePopupWindowAfterInSeconds: -1,\n};\nexport const DefaultPopupTarget = \"_blank\";\nconst DefaultAccessTokenExpiringNotificationTimeInSeconds = 60;\nconst DefaultCheckSessionIntervalInSeconds = 2;\nexport const DefaultSilentRequestTimeoutInSeconds = 10;\n\n/**\n * The settings used to configure the {@link UserManager}.\n *\n * @public\n */\nexport interface UserManagerSettings extends OidcClientSettings {\n /** The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2 */\n popup_redirect_uri?: string;\n popup_post_logout_redirect_uri?: string;\n /**\n * The features parameter to window.open for the popup signin window. 
By default, the popup is\n * placed centered in front of the window opener.\n * (default: \\{ location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 \\})\n */\n popupWindowFeatures?: PopupWindowFeatures;\n /** The target parameter to window.open for the popup signin window (default: \"_blank\") */\n popupWindowTarget?: string;\n /** The window.location method used to redirect (default: \"assign\") */\n redirectMethod?: \"replace\" | \"assign\";\n /** The target window being redirected (default: \"self\") */\n redirectTarget?: \"top\" | \"self\";\n\n /** The target to pass while calling postMessage inside iframe for callback (default: window.location.origin) */\n iframeNotifyParentOrigin?: string;\n\n /** The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin) */\n iframeScriptOrigin?: string;\n\n /** The URL for the page containing the code handling the silent renew */\n silent_redirect_uri?: string;\n /** Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10) */\n silentRequestTimeoutInSeconds?: number;\n /** Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. 
The automatic renew attempt starts 1 minute before the access token expires (default: true) */\n automaticSilentRenew?: boolean;\n /** Flag to validate user.profile.sub in silent renew calls (default: true) */\n validateSubOnSilentRenew?: boolean;\n /** Flag to control if id_token is included as id_token_hint in silent renew calls (default: false) */\n includeIdTokenInSilentRenew?: boolean;\n\n /** Will raise events for when user has performed a signout at the OP (default: false) */\n monitorSession?: boolean;\n monitorAnonymousSession?: boolean;\n /** Interval in seconds to check the user's session (default: 2) */\n checkSessionIntervalInSeconds?: number;\n query_status_response_type?: string;\n stopCheckSessionOnError?: boolean;\n\n /**\n * The `token_type_hint`s to pass to the authority server by default (default: [\"access_token\", \"refresh_token\"])\n *\n * Token types will be revoked in the same order as they are given here.\n */\n revokeTokenTypes?: (\"access_token\" | \"refresh_token\")[];\n /** Will invoke the revocation endpoint on signout if there is an access token for the user (default: false) */\n revokeTokensOnSignout?: boolean;\n /** Flag to control if id_token is included as id_token_hint in silent signout calls (default: false) */\n includeIdTokenInSilentSignout?: boolean;\n\n /** The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60) */\n accessTokenExpiringNotificationTimeInSeconds?: number;\n\n /**\n * Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window).\n * E.g. 
`userStore: new WebStorageStateStore({ store: window.localStorage })`\n */\n userStore?: WebStorageStateStore;\n}\n\n/**\n * The settings with defaults applied of the {@link UserManager}.\n * @see {@link UserManagerSettings}\n *\n * @public\n */\nexport class UserManagerSettingsStore extends OidcClientSettingsStore {\n public readonly popup_redirect_uri: string;\n public readonly popup_post_logout_redirect_uri: string | undefined;\n public readonly popupWindowFeatures: PopupWindowFeatures;\n public readonly popupWindowTarget: string;\n public readonly redirectMethod: \"replace\" | \"assign\";\n public readonly redirectTarget: \"top\" | \"self\";\n\n public readonly iframeNotifyParentOrigin: string | undefined;\n public readonly iframeScriptOrigin: string | undefined;\n\n public readonly silent_redirect_uri: string;\n public readonly silentRequestTimeoutInSeconds: number;\n public readonly automaticSilentRenew: boolean;\n public readonly validateSubOnSilentRenew: boolean;\n public readonly includeIdTokenInSilentRenew: boolean;\n\n public readonly monitorSession: boolean;\n public readonly monitorAnonymousSession: boolean;\n public readonly checkSessionIntervalInSeconds: number;\n public readonly query_status_response_type: string;\n public readonly stopCheckSessionOnError: boolean;\n\n public readonly revokeTokenTypes: (\"access_token\" | \"refresh_token\")[];\n public readonly revokeTokensOnSignout: boolean;\n public readonly includeIdTokenInSilentSignout: boolean;\n\n public readonly accessTokenExpiringNotificationTimeInSeconds: number;\n\n public readonly userStore: WebStorageStateStore;\n\n public constructor(args: UserManagerSettings) {\n const {\n popup_redirect_uri = args.redirect_uri,\n popup_post_logout_redirect_uri = args.post_logout_redirect_uri,\n popupWindowFeatures = DefaultPopupWindowFeatures,\n popupWindowTarget = DefaultPopupTarget,\n redirectMethod = \"assign\",\n redirectTarget = \"self\",\n\n iframeNotifyParentOrigin = 
args.iframeNotifyParentOrigin,\n iframeScriptOrigin = args.iframeScriptOrigin,\n\n requestTimeoutInSeconds,\n silent_redirect_uri = args.redirect_uri,\n silentRequestTimeoutInSeconds,\n automaticSilentRenew = true,\n validateSubOnSilentRenew = true,\n includeIdTokenInSilentRenew = false,\n\n monitorSession = false,\n monitorAnonymousSession = false,\n checkSessionIntervalInSeconds = DefaultCheckSessionIntervalInSeconds,\n query_status_response_type = \"code\",\n stopCheckSessionOnError = true,\n\n revokeTokenTypes = [\"access_token\", \"refresh_token\"],\n revokeTokensOnSignout = false,\n includeIdTokenInSilentSignout = false,\n\n accessTokenExpiringNotificationTimeInSeconds = DefaultAccessTokenExpiringNotificationTimeInSeconds,\n\n userStore,\n } = args;\n\n super(args);\n\n this.popup_redirect_uri = popup_redirect_uri;\n this.popup_post_logout_redirect_uri = popup_post_logout_redirect_uri;\n this.popupWindowFeatures = popupWindowFeatures;\n this.popupWindowTarget = popupWindowTarget;\n this.redirectMethod = redirectMethod;\n this.redirectTarget = redirectTarget;\n\n this.iframeNotifyParentOrigin = iframeNotifyParentOrigin;\n this.iframeScriptOrigin = iframeScriptOrigin;\n\n this.silent_redirect_uri = silent_redirect_uri;\n this.silentRequestTimeoutInSeconds = silentRequestTimeoutInSeconds || requestTimeoutInSeconds || DefaultSilentRequestTimeoutInSeconds;\n this.automaticSilentRenew = automaticSilentRenew;\n this.validateSubOnSilentRenew = validateSubOnSilentRenew;\n this.includeIdTokenInSilentRenew = includeIdTokenInSilentRenew;\n\n this.monitorSession = monitorSession;\n this.monitorAnonymousSession = monitorAnonymousSession;\n this.checkSessionIntervalInSeconds = checkSessionIntervalInSeconds;\n this.stopCheckSessionOnError = stopCheckSessionOnError;\n this.query_status_response_type = query_status_response_type;\n\n this.revokeTokenTypes = revokeTokenTypes;\n this.revokeTokensOnSignout = revokeTokensOnSignout;\n this.includeIdTokenInSilentSignout = 
includeIdTokenInSilentSignout;\n\n this.accessTokenExpiringNotificationTimeInSeconds = accessTokenExpiringNotificationTimeInSeconds;\n\n if (userStore) {\n this.userStore = userStore;\n }\n else {\n const store = typeof window !== \"undefined\" ? window.sessionStorage : new InMemoryWebStorage();\n this.userStore = new WebStorageStateStore({ store });\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport { ErrorTimeout } from \"../errors\";\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\nimport { DefaultSilentRequestTimeoutInSeconds } from \"../UserManagerSettings\";\n\n/**\n * @public\n */\nexport interface IFrameWindowParams {\n silentRequestTimeoutInSeconds?: number;\n}\n\n/**\n * @internal\n */\nexport class IFrameWindow extends AbstractChildWindow {\n protected readonly _logger = new Logger(\"IFrameWindow\");\n private _frame: HTMLIFrameElement | null;\n private _timeoutInSeconds: number;\n\n public constructor({\n silentRequestTimeoutInSeconds = DefaultSilentRequestTimeoutInSeconds,\n }: IFrameWindowParams) {\n super();\n this._timeoutInSeconds = silentRequestTimeoutInSeconds;\n\n this._frame = IFrameWindow.createHiddenIframe();\n this._window = this._frame.contentWindow;\n }\n\n private static createHiddenIframe(): HTMLIFrameElement {\n const iframe = window.document.createElement(\"iframe\");\n\n // shotgun approach\n iframe.style.visibility = \"hidden\";\n iframe.style.position = \"fixed\";\n iframe.style.left = \"-1000px\";\n iframe.style.top = \"0\";\n iframe.width = \"0\";\n iframe.height = \"0\";\n\n window.document.body.appendChild(iframe);\n return iframe;\n }\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n this._logger.debug(\"navigate: Using timeout 
of:\", this._timeoutInSeconds);\n const timer = setTimeout(() => void this._abort.raise(new ErrorTimeout(\"IFrame timed out without a response\")), this._timeoutInSeconds * 1000);\n this._disposeHandlers.add(() => clearTimeout(timer));\n\n return await super.navigate(params);\n }\n\n public close(): void {\n if (this._frame) {\n if (this._frame.parentNode) {\n this._frame.addEventListener(\"load\", (ev) => {\n const frame = ev.target as HTMLIFrameElement;\n frame.parentNode?.removeChild(frame);\n void this._abort.raise(new Error(\"IFrame removed from DOM\"));\n }, true);\n this._frame.contentWindow?.location.replace(\"about:blank\");\n }\n this._frame = null;\n }\n this._window = null;\n }\n\n public static notifyParent(url: string, targetOrigin?: string): void {\n return super._notifyParent(window.parent, url, false, targetOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\nimport { IFrameWindow, type IFrameWindowParams } from \"./IFrameWindow\";\nimport type { INavigator } from \"./INavigator\";\n\n/**\n * @internal\n */\nexport class IFrameNavigator implements INavigator {\n private readonly _logger = new Logger(\"IFrameNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) {}\n\n public async prepare({\n silentRequestTimeoutInSeconds = this._settings.silentRequestTimeoutInSeconds,\n }: IFrameWindowParams): Promise<IFrameWindow> {\n return new IFrameWindow({ silentRequestTimeoutInSeconds });\n }\n\n public async callback(url: string): Promise<void> {\n this._logger.create(\"callback\");\n IFrameWindow.notifyParent(url, this._settings.iframeNotifyParentOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. 
All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, PopupUtils, type PopupWindowFeatures } from \"../utils\";\nimport { DefaultPopupWindowFeatures, DefaultPopupTarget } from \"../UserManagerSettings\";\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\n\nconst checkForPopupClosedInterval = 500;\nconst second = 1000;\n\n/**\n * @public\n */\nexport interface PopupWindowParams {\n popupWindowFeatures?: PopupWindowFeatures;\n popupWindowTarget?: string;\n /** An AbortSignal to set request's signal. */\n popupSignal?: AbortSignal | null;\n}\n\n/**\n * @internal\n */\nexport class PopupWindow extends AbstractChildWindow {\n protected readonly _logger = new Logger(\"PopupWindow\");\n\n protected _window: WindowProxy | null;\n\n public constructor({\n popupWindowTarget = DefaultPopupTarget,\n popupWindowFeatures = {},\n popupSignal,\n }: PopupWindowParams) {\n super();\n const centeredPopup = PopupUtils.center({ ...DefaultPopupWindowFeatures, ...popupWindowFeatures });\n this._window = window.open(undefined, popupWindowTarget, PopupUtils.serialize(centeredPopup));\n\n if (popupSignal) {\n popupSignal.addEventListener(\"abort\", () => {\n void this._abort.raise(new Error(popupSignal.reason ?? 
\"Popup aborted\"));\n });\n }\n\n if (popupWindowFeatures.closePopupWindowAfterInSeconds && popupWindowFeatures.closePopupWindowAfterInSeconds > 0) {\n setTimeout(() => {\n if (!this._window || typeof this._window.closed !== \"boolean\" || this._window.closed) {\n void this._abort.raise(new Error(\"Popup blocked by user\"));\n return;\n }\n\n this.close();\n }, popupWindowFeatures.closePopupWindowAfterInSeconds * second);\n }\n }\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n this._window?.focus();\n\n const popupClosedInterval = setInterval(() => {\n if (!this._window || this._window.closed) {\n void this._abort.raise(new Error(\"Popup closed by user\"));\n }\n }, checkForPopupClosedInterval);\n this._disposeHandlers.add(() => clearInterval(popupClosedInterval));\n\n return await super.navigate(params);\n }\n\n public close(): void {\n if (this._window) {\n if (!this._window.closed) {\n this._window.close();\n void this._abort.raise(new Error(\"Popup closed\"));\n }\n }\n this._window = null;\n }\n\n public static notifyOpener(url: string, keepOpen: boolean): void {\n if (!window.opener) {\n throw new Error(\"No window.opener. Can't complete notification.\");\n }\n return super._notifyParent(window.opener, url, keepOpen);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport { PopupWindow, type PopupWindowParams } from \"./PopupWindow\";\nimport type { INavigator } from \"./INavigator\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\n\n/**\n * @internal\n */\nexport class PopupNavigator implements INavigator {\n private readonly _logger = new Logger(\"PopupNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) { }\n\n public async prepare({\n popupWindowFeatures = this._settings.popupWindowFeatures,\n popupWindowTarget = this._settings.popupWindowTarget,\n popupSignal,\n }: PopupWindowParams): Promise<PopupWindow> {\n return new PopupWindow({ popupWindowFeatures, popupWindowTarget, popupSignal });\n }\n\n public async callback(url: string, { keepOpen = false }): Promise<void> {\n this._logger.create(\"callback\");\n\n PopupWindow.notifyOpener(url, keepOpen);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\nimport type { INavigator } from \"./INavigator\";\nimport type { IWindow } from \"./IWindow\";\n\n/**\n * @public\n */\nexport interface RedirectParams {\n redirectMethod?: \"replace\" | \"assign\";\n redirectTarget?: \"top\" | \"self\";\n}\n\n/**\n * @internal\n */\nexport class RedirectNavigator implements INavigator {\n private readonly _logger = new Logger(\"RedirectNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) {}\n\n public async prepare({\n redirectMethod = this._settings.redirectMethod,\n redirectTarget = this._settings.redirectTarget,\n }: RedirectParams): Promise<IWindow> {\n this._logger.create(\"prepare\");\n let targetWindow = window.self as Window;\n\n if (redirectTarget === \"top\") {\n targetWindow = window.top ?? window.self;\n }\n \n const redirect = targetWindow.location[redirectMethod].bind(targetWindow.location) as (url: string) => never;\n let abort: (reason: Error) => void;\n return {\n navigate: async (params): Promise<never> => {\n this._logger.create(\"navigate\");\n // We use a promise that never resolves to block the caller\n const promise = new Promise((resolve, reject) => {\n abort = reject;\n });\n redirect(params.url);\n return await (promise as Promise<never>);\n },\n close: () => {\n this._logger.create(\"close\");\n abort?.(new Error(\"Redirect aborted\"));\n targetWindow.stop();\n },\n };\n }\n\n public async callback(): Promise<void> {\n return;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, Event } from \"./utils\";\nimport { AccessTokenEvents } from \"./AccessTokenEvents\";\nimport type { UserManagerSettingsStore } from \"./UserManagerSettings\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport type UserLoadedCallback = (user: User) => Promise<void> | void;\n/**\n * @public\n */\nexport type UserUnloadedCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type SilentRenewErrorCallback = (error: Error) => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSignedInCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSignedOutCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSessionChangedCallback = () => Promise<void> | void;\n\n/**\n * @public\n */\nexport class UserManagerEvents extends AccessTokenEvents {\n protected readonly _logger = new Logger(\"UserManagerEvents\");\n\n private readonly _userLoaded = new Event<[User]>(\"User loaded\");\n private readonly _userUnloaded = new Event<[]>(\"User unloaded\");\n private readonly _silentRenewError = new Event<[Error]>(\"Silent renew error\");\n private readonly _userSignedIn = new Event<[]>(\"User signed in\");\n private readonly _userSignedOut = new Event<[]>(\"User signed out\");\n private readonly _userSessionChanged = new Event<[]>(\"User session changed\");\n\n public constructor(settings: UserManagerSettingsStore) {\n super({ expiringNotificationTimeInSeconds: settings.accessTokenExpiringNotificationTimeInSeconds });\n }\n\n public async load(user: User, raiseEvent=true): Promise<void> {\n super.load(user);\n if (raiseEvent) {\n await this._userLoaded.raise(user);\n }\n }\n public async unload(): Promise<void> {\n super.unload();\n await this._userUnloaded.raise();\n }\n\n /**\n * Add callback: Raised when a user session has been established (or re-established).\n */\n public addUserLoaded(cb: UserLoadedCallback): () => 
void {\n return this._userLoaded.addHandler(cb);\n }\n /**\n * Remove callback: Raised when a user session has been established (or re-established).\n */\n public removeUserLoaded(cb: UserLoadedCallback): void {\n return this._userLoaded.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised when a user session has been terminated.\n */\n public addUserUnloaded(cb: UserUnloadedCallback): () => void {\n return this._userUnloaded.addHandler(cb);\n }\n /**\n * Remove callback: Raised when a user session has been terminated.\n */\n public removeUserUnloaded(cb: UserUnloadedCallback): void {\n return this._userUnloaded.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised when the automatic silent renew has failed.\n */\n public addSilentRenewError(cb: SilentRenewErrorCallback): () => void {\n return this._silentRenewError.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the automatic silent renew has failed.\n */\n public removeSilentRenewError(cb: SilentRenewErrorCallback): void {\n return this._silentRenewError.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseSilentRenewError(e: Error): Promise<void> {\n await this._silentRenewError.raise(e);\n }\n\n /**\n * Add callback: Raised when the user is signed in (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSignedIn(cb: UserSignedInCallback): () => void {\n return this._userSignedIn.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user is signed in (when `monitorSession` is set).\n */\n public removeUserSignedIn(cb: UserSignedInCallback): void {\n this._userSignedIn.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSignedIn(): Promise<void> {\n await this._userSignedIn.raise();\n }\n\n /**\n * Add callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSignedOut(cb: 
UserSignedOutCallback): () => void {\n return this._userSignedOut.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\n */\n public removeUserSignedOut(cb: UserSignedOutCallback): void {\n this._userSignedOut.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSignedOut(): Promise<void> {\n await this._userSignedOut.raise();\n }\n\n /**\n * Add callback: Raised when the user session changed (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSessionChanged(cb: UserSessionChangedCallback): () => void {\n return this._userSessionChanged.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user session changed (when `monitorSession` is set).\n */\n public removeUserSessionChanged(cb: UserSessionChangedCallback): void {\n this._userSessionChanged.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSessionChanged(): Promise<void> {\n await this._userSessionChanged.raise();\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport { ErrorTimeout } from \"./errors\";\nimport type { UserManager } from \"./UserManager\";\nimport type { AccessTokenCallback } from \"./AccessTokenEvents\";\n\n/**\n * @internal\n */\nexport class SilentRenewService {\n protected _logger = new Logger(\"SilentRenewService\");\n private _isStarted = false;\n private readonly _retryTimer = new Timer(\"Retry Silent Renew\");\n\n public constructor(private _userManager: UserManager) {}\n\n public async start(): Promise<void> {\n const logger = this._logger.create(\"start\");\n if (!this._isStarted) {\n this._isStarted = true;\n this._userManager.events.addAccessTokenExpiring(this._tokenExpiring);\n this._retryTimer.addHandler(this._tokenExpiring);\n\n // this will trigger loading of the user so the expiring events can be initialized\n try {\n await this._userManager.getUser();\n // deliberate nop\n }\n catch (err) {\n // catch to suppress errors since we're in a ctor\n logger.error(\"getUser error\", err);\n }\n }\n }\n\n public stop(): void {\n if (this._isStarted) {\n this._retryTimer.cancel();\n this._retryTimer.removeHandler(this._tokenExpiring);\n this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring);\n this._isStarted = false;\n }\n }\n\n protected _tokenExpiring: AccessTokenCallback = async () => {\n const logger = this._logger.create(\"_tokenExpiring\");\n try {\n await this._userManager.signinSilent();\n logger.debug(\"silent token renewal successful\");\n }\n catch (err) {\n if (err instanceof ErrorTimeout) {\n // no response from authority server, e.g. 
IFrame timeout, ...\n logger.warn(\"ErrorTimeout from signinSilent:\", err, \"retry in 5s\");\n this._retryTimer.init(5);\n return;\n }\n\n logger.error(\"Error from signinSilent:\", err);\n await this._userManager.events._raiseSilentRenewError(err as Error);\n }\n };\n}\n","// Copyright (C) AuthTS Contributors\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport type { UserProfile } from \"./User\";\n\n/**\n * Fake state store implementation necessary for validating refresh token requests.\n *\n * @public\n */\nexport class RefreshState {\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n public readonly data?: unknown;\n\n public readonly refresh_token: string;\n public readonly id_token?: string;\n public readonly session_state: string | null;\n public readonly scope?: string;\n public readonly profile: UserProfile;\n\n constructor(args: {\n refresh_token: string;\n id_token?: string;\n session_state: string | null;\n scope?: string;\n profile: UserProfile;\n\n state?: unknown;\n }) {\n this.refresh_token = args.refresh_token;\n this.id_token = args.id_token;\n this.session_state = args.session_state;\n this.scope = args.scope;\n this.profile = args.profile;\n\n this.data = args.state;\n\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. 
See LICENSE in the project root for license information.\n\nimport { CryptoUtils, Logger } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport { type NavigateResponse, type PopupWindowParams, type IWindow, type IFrameWindowParams, type RedirectParams, RedirectNavigator, PopupNavigator, IFrameNavigator, type INavigator } from \"./navigators\";\nimport { OidcClient, type CreateSigninRequestArgs, type CreateSignoutRequestArgs, type ProcessResourceOwnerPasswordCredentialsArgs, type UseRefreshTokenArgs } from \"./OidcClient\";\nimport { type UserManagerSettings, UserManagerSettingsStore } from \"./UserManagerSettings\";\nimport { User } from \"./User\";\nimport { UserManagerEvents } from \"./UserManagerEvents\";\nimport { SilentRenewService } from \"./SilentRenewService\";\nimport { SessionMonitor } from \"./SessionMonitor\";\nimport type { SessionStatus } from \"./SessionStatus\";\nimport type { SignoutResponse } from \"./SignoutResponse\";\nimport type { MetadataService } from \"./MetadataService\";\nimport { RefreshState } from \"./RefreshState\";\nimport type { SigninResponse } from \"./SigninResponse\";\nimport type { ExtraHeader, DPoPSettings } from \"./OidcClientSettings\";\nimport { DPoPState } from \"./DPoPStore\";\n\n/**\n * @public\n */\nexport type ExtraSigninRequestArgs = Pick<CreateSigninRequestArgs, \"nonce\" | \"extraQueryParams\" | \"extraTokenParams\" | \"state\" | \"redirect_uri\" | \"prompt\" | \"acr_values\" | \"login_hint\" | \"scope\" | \"max_age\" | \"ui_locales\" | \"resource\" | \"url_state\">;\n/**\n * @public\n */\nexport type ExtraSignoutRequestArgs = Pick<CreateSignoutRequestArgs, \"extraQueryParams\" | \"state\" | \"id_token_hint\" | \"post_logout_redirect_uri\">;\n\n/**\n * @public\n */\nexport type RevokeTokensTypes = UserManagerSettings[\"revokeTokenTypes\"];\n\n/**\n * @public\n */\nexport type SigninRedirectArgs = RedirectParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninPopupArgs = 
PopupWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninSilentArgs = IFrameWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninResourceOwnerCredentialsArgs = ProcessResourceOwnerPasswordCredentialsArgs;\n\n/**\n * @public\n */\nexport type QuerySessionStatusArgs = IFrameWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutRedirectArgs = RedirectParams & ExtraSignoutRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutPopupArgs = PopupWindowParams & ExtraSignoutRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutSilentArgs = IFrameWindowParams & ExtraSignoutRequestArgs;\n\n/**\n * Provides a higher level API for signing a user in, signing out, managing the user's claims returned from the identity provider,\n * and managing an access token returned from the identity provider (OAuth2/OIDC).\n *\n * @public\n */\nexport class UserManager {\n /** Get the settings used to configure the `UserManager`. */\n public readonly settings: UserManagerSettingsStore;\n protected readonly _logger = new Logger(\"UserManager\");\n\n protected readonly _client: OidcClient;\n protected readonly _redirectNavigator: INavigator;\n protected readonly _popupNavigator: INavigator;\n protected readonly _iframeNavigator: INavigator;\n protected readonly _events: UserManagerEvents;\n protected readonly _silentRenewService: SilentRenewService;\n protected readonly _sessionMonitor: SessionMonitor | null;\n\n public constructor(settings: UserManagerSettings, redirectNavigator?: INavigator, popupNavigator?: INavigator, iframeNavigator?: INavigator) {\n this.settings = new UserManagerSettingsStore(settings);\n\n this._client = new OidcClient(settings);\n\n this._redirectNavigator = redirectNavigator ?? new RedirectNavigator(this.settings);\n this._popupNavigator = popupNavigator ?? new PopupNavigator(this.settings);\n this._iframeNavigator = iframeNavigator ?? 
new IFrameNavigator(this.settings);\n\n this._events = new UserManagerEvents(this.settings);\n this._silentRenewService = new SilentRenewService(this);\n\n // order is important for the following properties; these services depend upon the events.\n if (this.settings.automaticSilentRenew) {\n this.startSilentRenew();\n }\n\n this._sessionMonitor = null;\n if (this.settings.monitorSession) {\n this._sessionMonitor = new SessionMonitor(this);\n }\n }\n\n /**\n * Get object used to register for events raised by the `UserManager`.\n */\n public get events(): UserManagerEvents {\n return this._events;\n }\n\n /**\n * Get object used to access the metadata configuration of the identity provider.\n */\n public get metadataService(): MetadataService {\n return this._client.metadataService;\n }\n\n /**\n * Load the `User` object for the currently authenticated user.\n *\n * @returns A promise\n */\n public async getUser(): Promise<User | null> {\n const logger = this._logger.create(\"getUser\");\n const user = await this._loadUser();\n if (user) {\n logger.info(\"user loaded\");\n await this._events.load(user, false);\n return user;\n }\n\n logger.info(\"user not found in storage\");\n return null;\n }\n\n /**\n * Remove from any storage the currently authenticated user.\n *\n * @returns A promise\n */\n public async removeUser(): Promise<void> {\n const logger = this._logger.create(\"removeUser\");\n await this.storeUser(null);\n logger.info(\"user removed from storage\");\n await this._events.unload();\n }\n\n /**\n * Trigger a redirect of the current window to the authorization endpoint.\n *\n * @returns A promise\n *\n * @throws `Error` In cases of wrong authentication.\n */\n public async signinRedirect(args: SigninRedirectArgs = {}): Promise<void> {\n this._logger.create(\"signinRedirect\");\n const {\n redirectMethod,\n ...requestArgs\n } = args;\n\n let dpopJkt: string | undefined;\n if (this.settings.dpop?.bind_authorization_code) {\n dpopJkt = await 
this.generateDPoPJkt(this.settings.dpop);\n }\n\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\n await this._signinStart({\n request_type: \"si:r\",\n dpopJkt,\n ...requestArgs,\n }, handle);\n }\n\n /**\n * Process the response (callback) from the authorization endpoint.\n * It is recommended to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise containing the authenticated `User`.\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinRedirectCallback(url = window.location.href): Promise<User> {\n const logger = this._logger.create(\"signinRedirectCallback\");\n const user = await this._signinEnd(url);\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n }\n else {\n logger.info(\"no subject\");\n }\n\n return user;\n }\n\n /**\n * Trigger the signin with user/password.\n *\n * @returns A promise containing the authenticated `User`.\n * @throws {@link ErrorResponse} In cases of wrong authentication.\n */\n public async signinResourceOwnerCredentials({\n username,\n password,\n skipUserInfo = false,\n }: SigninResourceOwnerCredentialsArgs): Promise<User> {\n const logger = this._logger.create(\"signinResourceOwnerCredential\");\n\n const signinResponse = await this._client.processResourceOwnerPasswordCredentials({\n username,\n password,\n skipUserInfo,\n extraTokenParams: this.settings.extraTokenParams,\n });\n logger.debug(\"got signin response\");\n\n const user = await this._buildUser(signinResponse);\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n } else {\n logger.info(\"no subject\");\n }\n return user;\n }\n\n /**\n * Trigger a request (via a popup window) to the authorization endpoint.\n *\n * @returns A promise containing the authenticated `User`.\n * @throws `Error` In cases of wrong authentication.\n */\n public async signinPopup(args: SigninPopupArgs = {}): 
Promise<User> {\n const logger = this._logger.create(\"signinPopup\");\n\n let dpopJkt: string | undefined;\n if (this.settings.dpop?.bind_authorization_code) {\n dpopJkt = await this.generateDPoPJkt(this.settings.dpop);\n }\n\n const {\n popupWindowFeatures,\n popupWindowTarget,\n popupSignal,\n ...requestArgs\n } = args;\n const url = this.settings.popup_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No popup_redirect_uri configured\"));\n }\n\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget, popupSignal });\n const user = await this._signin({\n request_type: \"si:p\",\n redirect_uri: url,\n display: \"popup\",\n dpopJkt,\n ...requestArgs,\n }, handle);\n if (user) {\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n } else {\n logger.info(\"no subject\");\n }\n }\n\n return user;\n }\n\n /**\n * Notify the opening window of response (callback) from the authorization endpoint.\n * It is recommended to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinPopupCallback(url = window.location.href, keepOpen = false): Promise<void> {\n const logger = this._logger.create(\"signinPopupCallback\");\n await this._popupNavigator.callback(url, { keepOpen });\n logger.info(\"success\");\n }\n\n /**\n * Trigger a silent request (via refresh token or an iframe) to the authorization endpoint.\n *\n * @returns A promise that contains the authenticated `User`.\n */\n public async signinSilent(args: SigninSilentArgs = {}): Promise<User | null> {\n const logger = this._logger.create(\"signinSilent\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n // first determine if we have a refresh token, or need to use iframe\n let user = await this._loadUser();\n if (user?.refresh_token) {\n logger.debug(\"using refresh token\");\n const state = new 
RefreshState(user as Required<User>);\n return await this._useRefreshToken({\n state,\n redirect_uri: requestArgs.redirect_uri,\n resource: requestArgs.resource,\n extraTokenParams: requestArgs.extraTokenParams,\n timeoutInSeconds: silentRequestTimeoutInSeconds,\n });\n }\n\n let dpopJkt: string | undefined;\n if (this.settings.dpop?.bind_authorization_code) {\n dpopJkt = await this.generateDPoPJkt(this.settings.dpop);\n }\n\n const url = this.settings.silent_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\n }\n\n let verifySub: string | undefined;\n if (user && this.settings.validateSubOnSilentRenew) {\n logger.debug(\"subject prior to silent renew:\", user.profile.sub);\n verifySub = user.profile.sub;\n }\n\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n user = await this._signin({\n request_type: \"si:s\",\n redirect_uri: url,\n prompt: \"none\",\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? 
user?.id_token : undefined,\n dpopJkt,\n ...requestArgs,\n }, handle, verifySub);\n if (user) {\n if (user.profile?.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n }\n else {\n logger.info(\"no subject\");\n }\n }\n\n return user;\n }\n\n protected async _useRefreshToken(args: UseRefreshTokenArgs): Promise<User> {\n const response = await this._client.useRefreshToken({\n timeoutInSeconds: this.settings.silentRequestTimeoutInSeconds,\n ...args,\n });\n const user = new User({ ...args.state, ...response });\n\n await this.storeUser(user);\n await this._events.load(user);\n return user;\n }\n\n /**\n *\n * Notify the parent window of response (callback) from the authorization endpoint.\n * It is recommended to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinSilentCallback(url = window.location.href): Promise<void> {\n const logger = this._logger.create(\"signinSilentCallback\");\n await this._iframeNavigator.callback(url);\n logger.info(\"success\");\n }\n\n /**\n * Process any response (callback) from the authorization endpoint, by dispatching the request_type\n * and executing one of the following functions:\n * - {@link UserManager.signinRedirectCallback}\n * - {@link UserManager.signinPopupCallback}\n * - {@link UserManager.signinSilentCallback}\n *\n * @throws `Error` If request_type is unknown or signin cannot be processed.\n */\n public async signinCallback(url = window.location.href): Promise<User | undefined> {\n const { state } = await this._client.readSigninResponseState(url);\n switch (state.request_type) {\n case \"si:r\":\n return await this.signinRedirectCallback(url);\n case \"si:p\":\n await this.signinPopupCallback(url);\n break;\n case \"si:s\":\n await this.signinSilentCallback(url);\n break;\n default:\n throw new Error(\"invalid response_type in state\");\n }\n return undefined;\n }\n\n /**\n * Process any response 
(callback) from the end session endpoint, by dispatching the request_type\n * and executing one of the following functions:\n * - {@link UserManager.signoutRedirectCallback}\n * - {@link UserManager.signoutPopupCallback}\n * - {@link UserManager.signoutSilentCallback}\n *\n * @throws `Error` If request_type is unknown or signout cannot be processed.\n */\n public async signoutCallback(url = window.location.href, keepOpen = false): Promise<SignoutResponse | undefined> {\n const { state } = await this._client.readSignoutResponseState(url);\n if (!state) {\n return undefined;\n }\n\n switch (state.request_type) {\n case \"so:r\":\n return await this.signoutRedirectCallback(url);\n case \"so:p\":\n await this.signoutPopupCallback(url, keepOpen);\n break;\n case \"so:s\":\n await this.signoutSilentCallback(url);\n break;\n default:\n throw new Error(\"invalid response_type in state\");\n }\n return undefined;\n }\n\n /**\n * Query OP for user's current signin status.\n *\n * @returns A promise object with session_state and subject identifier.\n */\n public async querySessionStatus(args: QuerySessionStatusArgs = {}): Promise<SessionStatus | null> {\n const logger = this._logger.create(\"querySessionStatus\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n const url = this.settings.silent_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\n }\n\n const user = await this._loadUser();\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n const navResponse = await this._signinStart({\n request_type: \"si:s\", // this acts like a signin silent\n redirect_uri: url,\n prompt: \"none\",\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? 
user?.id_token : undefined,\n response_type: this.settings.query_status_response_type,\n scope: \"openid\",\n skipUserInfo: true,\n ...requestArgs,\n }, handle);\n try {\n const extraHeaders: Record<string, ExtraHeader> = {};\n const signinResponse = await this._client.processSigninResponse(navResponse.url, extraHeaders);\n logger.debug(\"got signin response\");\n\n if (signinResponse.session_state && signinResponse.profile.sub) {\n logger.info(\"success for subject\", signinResponse.profile.sub);\n return {\n session_state: signinResponse.session_state,\n sub: signinResponse.profile.sub,\n };\n }\n\n logger.info(\"success, user not authenticated\");\n return null;\n } catch (err) {\n if (this.settings.monitorAnonymousSession && err instanceof ErrorResponse) {\n switch (err.error) {\n case \"login_required\":\n case \"consent_required\":\n case \"interaction_required\":\n case \"account_selection_required\":\n logger.info(\"success for anonymous user\");\n return {\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n session_state: err.session_state!,\n };\n }\n }\n throw err;\n }\n }\n\n protected async _signin(args: CreateSigninRequestArgs, handle: IWindow, verifySub?: string): Promise<User> {\n const navResponse = await this._signinStart(args, handle);\n return await this._signinEnd(navResponse.url, verifySub);\n }\n\n protected async _signinStart(args: CreateSigninRequestArgs, handle: IWindow): Promise<NavigateResponse> {\n const logger = this._logger.create(\"_signinStart\");\n\n try {\n const signinRequest = await this._client.createSigninRequest(args);\n logger.debug(\"got signin request\");\n\n return await handle.navigate({\n url: signinRequest.url,\n state: signinRequest.state.id,\n response_mode: signinRequest.state.response_mode,\n scriptOrigin: this.settings.iframeScriptOrigin,\n });\n } catch (err) {\n logger.debug(\"error after preparing navigator, closing navigator window\");\n handle.close();\n throw err;\n }\n }\n\n protected 
async _signinEnd(url: string, verifySub?: string): Promise<User> {\n const logger = this._logger.create(\"_signinEnd\");\n const extraHeaders: Record<string, ExtraHeader> = {};\n const signinResponse = await this._client.processSigninResponse(url, extraHeaders);\n logger.debug(\"got signin response\");\n\n const user = await this._buildUser(signinResponse, verifySub);\n return user;\n }\n\n protected async _buildUser(signinResponse: SigninResponse, verifySub?: string) {\n const logger = this._logger.create(\"_buildUser\");\n const user = new User(signinResponse);\n if (verifySub) {\n if (verifySub !== user.profile.sub) {\n logger.debug(\"current user does not match user returned from signin. sub from signin:\", user.profile.sub);\n throw new ErrorResponse({ ...signinResponse, error: \"login_required\" });\n }\n logger.debug(\"current user matches user returned from signin\");\n }\n\n await this.storeUser(user);\n logger.debug(\"user stored\");\n await this._events.load(user);\n\n return user;\n }\n\n /**\n * Trigger a redirect of the current window to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutRedirect(args: SignoutRedirectArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutRedirect\");\n const {\n redirectMethod,\n ...requestArgs\n } = args;\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\n await this._signoutStart({\n request_type: \"so:r\",\n post_logout_redirect_uri: this.settings.post_logout_redirect_uri,\n ...requestArgs,\n }, handle);\n logger.info(\"success\");\n }\n\n /**\n * Process response (callback) from the end session endpoint.\n * It is recommended to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise containing signout response\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutRedirectCallback(url = window.location.href): Promise<SignoutResponse> {\n const logger = 
this._logger.create(\"signoutRedirectCallback\");\n const response = await this._signoutEnd(url);\n logger.info(\"success\");\n return response;\n }\n\n /**\n * Trigger a redirect of a popup window to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutPopup(args: SignoutPopupArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutPopup\");\n const {\n popupWindowFeatures,\n popupWindowTarget,\n popupSignal,\n ...requestArgs\n } = args;\n const url = this.settings.popup_post_logout_redirect_uri;\n\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget, popupSignal });\n await this._signout({\n request_type: \"so:p\",\n post_logout_redirect_uri: url,\n // we're putting a dummy entry in here because we\n // need a unique id from the state for notification\n // to the parent window, which is necessary if we\n // plan to return back to the client after signout\n // and so we can close the popup after signout\n state: url == null ? 
undefined : {},\n ...requestArgs,\n }, handle);\n logger.info(\"success\");\n }\n\n /**\n * Process response (callback) from the end session endpoint from a popup window.\n * It is recommended to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutPopupCallback(url = window.location.href, keepOpen = false): Promise<void> {\n const logger = this._logger.create(\"signoutPopupCallback\");\n await this._popupNavigator.callback(url, { keepOpen });\n logger.info(\"success\");\n }\n\n protected async _signout(args: CreateSignoutRequestArgs, handle: IWindow): Promise<SignoutResponse> {\n const navResponse = await this._signoutStart(args, handle);\n return await this._signoutEnd(navResponse.url);\n }\n\n protected async _signoutStart(args: CreateSignoutRequestArgs = {}, handle: IWindow): Promise<NavigateResponse> {\n const logger = this._logger.create(\"_signoutStart\");\n\n try {\n const user = await this._loadUser();\n logger.debug(\"loaded current user from storage\");\n\n if (this.settings.revokeTokensOnSignout) {\n await this._revokeInternal(user);\n }\n\n const id_token = args.id_token_hint || user && user.id_token;\n if (id_token) {\n logger.debug(\"setting id_token_hint in signout request\");\n args.id_token_hint = id_token;\n }\n\n await this.removeUser();\n logger.debug(\"user removed, creating signout request\");\n\n const signoutRequest = await this._client.createSignoutRequest(args);\n logger.debug(\"got signout request\");\n\n return await handle.navigate({\n url: signoutRequest.url,\n state: signoutRequest.state?.id,\n scriptOrigin: this.settings.iframeScriptOrigin,\n });\n } catch (err) {\n logger.debug(\"error after preparing navigator, closing navigator window\");\n handle.close();\n throw err;\n }\n }\n\n protected async _signoutEnd(url: string): Promise<SignoutResponse> {\n const logger = this._logger.create(\"_signoutEnd\");\n const signoutResponse = 
await this._client.processSignoutResponse(url);\n logger.debug(\"got signout response\");\n\n return signoutResponse;\n }\n\n /**\n * Trigger a silent request (via an iframe) to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutSilent(args: SignoutSilentArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutSilent\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n\n const id_token_hint = this.settings.includeIdTokenInSilentSignout\n ? (await this._loadUser())?.id_token\n : undefined;\n\n const url = this.settings.popup_post_logout_redirect_uri;\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n await this._signout({\n request_type: \"so:s\",\n post_logout_redirect_uri: url,\n id_token_hint: id_token_hint,\n ...requestArgs,\n }, handle);\n\n logger.info(\"success\");\n }\n\n /**\n * Notify the parent window of response (callback) from the end session endpoint.\n * It is recommended to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutSilentCallback(url = window.location.href): Promise<void> {\n const logger = this._logger.create(\"signoutSilentCallback\");\n await this._iframeNavigator.callback(url);\n logger.info(\"success\");\n }\n\n public async revokeTokens(types?: RevokeTokensTypes): Promise<void> {\n const user = await this._loadUser();\n await this._revokeInternal(user, types);\n }\n\n protected async _revokeInternal(user: User | null, types = this.settings.revokeTokenTypes): Promise<void> {\n const logger = this._logger.create(\"_revokeInternal\");\n if (!user) return;\n\n const typesPresent = types.filter(type => typeof user[type] === \"string\");\n\n if (!typesPresent.length) {\n logger.debug(\"no need to revoke due to no token(s)\");\n return;\n }\n\n // don't Promise.all, order matters\n for (const type of typesPresent) {\n await 
this._client.revokeToken(\n user[type]!, // eslint-disable-line @typescript-eslint/no-non-null-assertion\n type,\n );\n logger.info(`${type} revoked successfully`);\n if (type !== \"access_token\") {\n user[type] = null as never;\n }\n }\n\n await this.storeUser(user);\n logger.debug(\"user stored\");\n await this._events.load(user);\n }\n\n /**\n * Enables silent renew for the `UserManager`.\n */\n public startSilentRenew(): void {\n this._logger.create(\"startSilentRenew\");\n void this._silentRenewService.start();\n }\n\n /**\n * Disables silent renew for the `UserManager`.\n */\n public stopSilentRenew(): void {\n this._silentRenewService.stop();\n }\n\n protected get _userStoreKey(): string {\n return `user:${this.settings.authority}:${this.settings.client_id}`;\n }\n\n protected async _loadUser(): Promise<User | null> {\n const logger = this._logger.create(\"_loadUser\");\n const storageString = await this.settings.userStore.get(this._userStoreKey);\n if (storageString) {\n logger.debug(\"user storageString loaded\");\n return User.fromStorageString(storageString);\n }\n\n logger.debug(\"no user storageString\");\n return null;\n }\n\n public async storeUser(user: User | null): Promise<void> {\n const logger = this._logger.create(\"storeUser\");\n if (user) {\n logger.debug(\"storing user\");\n const storageString = user.toStorageString();\n await this.settings.userStore.set(this._userStoreKey, storageString);\n } else {\n this._logger.debug(\"removing user\");\n await this.settings.userStore.remove(this._userStoreKey);\n if (this.settings.dpop) {\n await this.settings.dpop.store.remove(this.settings.client_id);\n }\n }\n }\n\n /**\n * Removes stale state entries in storage for incomplete authorize requests.\n */\n public async clearStaleState(): Promise<void> {\n await this._client.clearStaleState();\n }\n\n /**\n * Dynamically generates a DPoP proof for a given user, URL and optional Http method.\n * This method is useful when you need to make a request to 
a resource server\n * with fetch or similar, and you need to include a DPoP proof in a DPoP header.\n * @param url - The URL to generate the DPoP proof for\n * @param user - The user to generate the DPoP proof for\n * @param httpMethod - Optional, defaults to \"GET\"\n * @param nonce - Optional nonce provided by the resource server\n *\n * @returns A promise containing the DPoP proof or undefined if DPoP is not enabled/no user is found.\n */\n public async dpopProof(url: string, user: User, httpMethod?: string, nonce?: string): Promise<string | undefined> {\n const dpopState = await this.settings.dpop?.store?.get(this.settings.client_id);\n if (dpopState) {\n return await CryptoUtils.generateDPoPProof({\n url,\n accessToken: user?.access_token,\n httpMethod: httpMethod,\n keyPair: dpopState.keys,\n nonce,\n });\n }\n return undefined;\n }\n\n async generateDPoPJkt(dpopSettings: DPoPSettings): Promise<string | undefined> {\n let dpopState = await dpopSettings.store.get(this.settings.client_id);\n if (!dpopState) {\n const dpopKeys = await CryptoUtils.generateDPoPKeys();\n dpopState = new DPoPState(dpopKeys);\n await dpopSettings.store.set(this.settings.client_id, dpopState);\n }\n return await CryptoUtils.generateDPoPJkt(dpopState.keys);\n }\n}\n","// @ts-expect-error avoid enabling resolveJsonModule to keep build process simple\nimport { version } from \"../package.json\";\n\n/**\n * @public\n */\nexport const Version: string = version;\n","{\n \"name\": \"oidc-client-ts\",\n \"version\": \"3.1.0\",\n \"description\": \"OpenID Connect (OIDC) & OAuth2 client library\",\n \"repository\": {\n \"type\": \"git\",\n \"url\": \"git+https://github.com/authts/oidc-client-ts.git\"\n },\n \"homepage\": \"https://github.com/authts/oidc-client-ts#readme\",\n \"license\": \"Apache-2.0\",\n \"main\": \"dist/umd/oidc-client-ts.js\",\n \"types\": \"dist/types/oidc-client-ts.d.ts\",\n \"exports\": {\n \".\": {\n \"types\": \"./dist/types/oidc-client-ts.d.ts\",\n \"import\": 
\"./dist/esm/oidc-client-ts.js\",\n \"require\": \"./dist/umd/oidc-client-ts.js\"\n },\n \"./package.json\": \"./package.json\"\n },\n \"files\": [\n \"dist\"\n ],\n \"keywords\": [\n \"authentication\",\n \"oauth2\",\n \"oidc\",\n \"openid\",\n \"OpenID Connect\"\n ],\n \"scripts\": {\n \"build\": \"node scripts/build.js && npm run build-types\",\n \"build-types\": \"tsc -p tsconfig.build.json && api-extractor run\",\n \"clean\": \"git clean -fdX dist lib *.tsbuildinfo\",\n \"prepack\": \"npm run build\",\n \"test\": \"tsc && jest\",\n \"typedoc\": \"typedoc\",\n \"lint\": \"eslint --max-warnings=0 --cache .\",\n \"prepare\": \"husky\"\n },\n \"dependencies\": {\n \"jwt-decode\": \"^4.0.0\"\n },\n \"devDependencies\": {\n \"@microsoft/api-extractor\": \"^7.47.2\",\n \"@testing-library/jest-dom\": \"^6.4.6\",\n \"@types/jest\": \"^29.5.12\",\n \"@types/node\": \"^22.4.1\",\n \"@typescript-eslint/eslint-plugin\": \"^7.16.1\",\n \"@typescript-eslint/parser\": \"^7.16.1\",\n \"esbuild\": \"^0.24.0\",\n \"eslint\": \"^8.57.0\",\n \"eslint-plugin-testing-library\": \"^6.2.2\",\n \"http-proxy-middleware\": \"^3.0.0\",\n \"fake-indexeddb\": \"^6.0.0\",\n \"husky\": \"^9.0.11\",\n \"jest\": \"^29.7.0\",\n \"jest-environment-jsdom\": \"^29.7.0\",\n \"jest-mock\": \"^29.7.0\",\n \"jose\": \"^5.6.3\",\n \"lint-staged\": \"^15.2.7\",\n \"ts-jest\": \"^29.2.2\",\n \"typedoc\": \"^0.26.4\",\n \"typescript\": \"~5.4.2\",\n \"yn\": \"^5.0.0\"\n },\n \"engines\": {\n \"node\": \">=18\"\n },\n \"lint-staged\": {\n \"*.{js,jsx,ts,tsx}\": \"eslint --cache --fix\"\n }\n}\n","import { DPoPState, type DPoPStore } from \"./DPoPStore\";\n\n/**\n * Provides a default implementation of the DPoP store using IndexedDB.\n *\n * @public\n */\nexport class IndexedDbDPoPStore implements DPoPStore {\n readonly _dbName: string = \"oidc\";\n readonly _storeName: string = \"dpop\";\n\n public async set(key: string, value: DPoPState): Promise<void> {\n const store = await this.createStore(this._dbName, 
this._storeName);\n await store(\"readwrite\", (str: IDBObjectStore) => {\n str.put(value, key);\n return this.promisifyRequest(str.transaction);\n });\n }\n\n public async get(key: string): Promise<DPoPState> {\n const store = await this.createStore(this._dbName, this._storeName);\n return await store(\"readonly\", (str) => {\n return this.promisifyRequest(str.get(key));\n }) as DPoPState;\n }\n\n public async remove(key: string): Promise<DPoPState> {\n const item = await this.get(key);\n const store = await this.createStore(this._dbName, this._storeName);\n await store(\"readwrite\", (str) => {\n return this.promisifyRequest(str.delete(key));\n });\n return item;\n }\n\n public async getAllKeys(): Promise<string[]> {\n const store = await this.createStore(this._dbName, this._storeName);\n return await store(\"readonly\", (str) => {\n return this.promisifyRequest(str.getAllKeys());\n }) as string[];\n }\n\n promisifyRequest<T = undefined>(\n request: IDBRequest<T> | IDBTransaction): Promise<T> {\n return new Promise<T>((resolve, reject) => {\n (request as IDBTransaction).oncomplete = (request as IDBRequest<T>).onsuccess = () => resolve((request as IDBRequest<T>).result);\n (request as IDBTransaction).onabort = (request as IDBRequest<T>).onerror = () => reject((request as IDBRequest<T>).error);\n });\n }\n\n async createStore<T>(\n dbName: string,\n storeName: string,\n ): Promise<(txMode: IDBTransactionMode, callback: (store: IDBObjectStore) => T | PromiseLike<T>) => Promise<T>> {\n const request = indexedDB.open(dbName);\n request.onupgradeneeded = () => request.result.createObjectStore(storeName);\n const db = await this.promisifyRequest<IDBDatabase>(request);\n\n return async (\n txMode: IDBTransactionMode,\n callback: (store: IDBObjectStore) => T | PromiseLike<T>,\n ) => {\n const tx = db.transaction(storeName, txMode);\n const store = tx.objectStore(storeName);\n return await callback(store);\n };\n 
}\n}\n"],"names":["InvalidTokenError","Error","base64UrlDecode","str","output","replace","length","decodeURIComponent","atob","m","p","code","charCodeAt","toString","toUpperCase","b64DecodeUnicode","err","prototype","name","level","logger","Log2","nopLogger","debug","info","warn","error","Log","reset","setLevel","value","setLogger","Logger","_Logger","constructor","_name","_len","arguments","args","Array","_key","_format","this","_method","_len2","_key2","_len3","_key3","_len4","_key4","throw","create","method","methodLogger","Object","createStatic","staticMethod","staticLogger","prefix","_len5","_key5","_len6","_key6","_len7","_key7","_len8","_key8","JwtUtils","decode","token","options","pos","header","part","split","decoded","e","message","JSON","parse","jwtDecode","generateSignedJwt","payload","privateKey","encodedToken","CryptoUtils","encodeBase64Url","TextEncoder","encode","stringify","signature","window","crypto","subtle","sign","hash","Uint8Array","toBase64","val","btoa","map","chr","String","fromCharCode","join","_CryptoUtils","_randomWord","arr","Uint32Array","getRandomValues","generateUUIDv4","c","generateCodeVerifier","generateCodeChallenge","code_verifier","data","hashed","digest","generateBasicAuth","client_id","client_secret","alg","msgUint8","hashBuffer","customCalculateJwkThumbprint","jwk","jsonObject","kty","n","crv","x","y","k","utf8encodedAndHashed","generateDPoPProof","_ref","hashedToken","encodedHash","url","accessToken","httpMethod","keyPair","nonce","randomUUID","Math","floor","Date","now","ath","publicJwk","exportKey","publicKey","TypeError","generateDPoPJkt","generateDPoPKeys","generateKey","namedCurve","input","Event","_callbacks","_logger","addHandler","cb","push","removeHandler","idx","lastIndexOf","splice","raise","_len9","ev","_key9","PopupUtils","center","_ref2","features","_a","width","find","outerWidth","left","max","round","screenX","height","top","screenY","outerHeight","serialize","entries","filter","_ref3","_ref4","key","Timer","
_Timer","_timerHandle","_expiration","_callback","diff","getEpochTime","cancel","super","init","durationInSeconds","logger2","expiration","timerDurationInSeconds","min","setInterval","clearInterval","UrlUtils","readParams","responseMode","undefined","params","URL","URLSearchParams","slice","ErrorResponse","form","_b","_c","error_description","error_uri","state","userState","session_state","url_state","ErrorTimeout","AccessTokenEvents","_expiringTimer","_expiredTimer","_expiringNotificationTimeInSeconds","expiringNotificationTimeInSeconds","load","container","access_token","expires_in","duration","expiring","expired","unload","addAccessTokenExpiring","removeAccessTokenExpiring","addAccessTokenExpired","removeAccessTokenExpired","CheckSessionIFrame","_client_id","_intervalInSeconds","_stopOnError","_timer","_session_state","_message","origin","_frame_origin","source","_frame","contentWindow","stop","parsedUrl","document","createElement","style","visibility","position","src","href","Promise","resolve","onload","body","appendChild","addEventListener","start","send","postMessage","InMemoryWebStorage","_data","clear","getItem","setItem","removeItem","getOwnPropertyNames","index","ErrorDPoPNonce","JsonService","additionalContentTypes","_jwtHandler","_extraHeaders","_contentTypes","fetchWithTimeout","timeoutInSeconds","initFetch","fetch","controller","AbortController","timeoutId","setTimeout","abort","signal","DOMException","clearTimeout","getJson","credentials","headers","response","appendExtraHeaders","status","contentType","get","item","startsWith","ok","text","json","statusText","postForm","_ref5","basicAuth","initCredentials","extraHeaders","responseText","has","customKeys","keys","protectedHeaders","forEach","headerName","includes","toLocaleLowerCase","content","MetadataService","_settings","_signingKeys","_metadata","_metadataUrl","metadataUrl","_jsonService","signingKeys","metadata","fetchRequestCredentials","_fetchRequestCredentials","resetSigningKeys","getMetadata
","requestTimeoutInSeconds","assign","metadataSeed","getIssuer","_getMetadataProperty","getAuthorizationEndpoint","getUserInfoEndpoint","getTokenEndpoint","optional","getCheckSessionIframe","getEndSessionEndpoint","getRevocationEndpoint","getKeysEndpoint","getSigningKeys","jwks_uri","keySet","isArray","WebStorageStateStore","store","localStorage","_store","_prefix","set","remove","getAllKeys","len","indexOf","substr","DefaultResponseType","DefaultScope","DefaultClientAuthentication","DefaultStaleStateAgeInSeconds","OidcClientSettingsStore","_ref6","authority","response_type","scope","redirect_uri","post_logout_redirect_uri","client_authentication","prompt","display","max_age","ui_locales","acr_values","resource","response_mode","filterProtocolClaims","loadUserInfo","staleStateAgeInSeconds","mergeClaimsStrategy","array","disablePKCE","stateStore","revokeTokenAdditionalContentTypes","refreshTokenAllowedScope","extraQueryParams","extraTokenParams","dpop","omitScopeWhenRequesting","endsWith","UserInfoService","_metadataService","_getClaimsFromJwt","async","getClaims","claims","TokenClient","exchangeCode","_ref7","grant_type","append","exchangeCredentials","_ref8","exchangeRefreshToken","_ref9","refresh_token","param","revoke","token_type_hint","ResponseValidator","_claimsService","_userInfoService","_tokenClient","validateSigninResponse","_processSigninState","_processCode","isOpenId","_validateIdTokenAttributes","_processClaims","skipUserInfo","validateCredentialsResponse","id_token","validateRefreshResponse","profile","hasIdToken","validateSignoutResponse","id","validateSub","sub","mergeClaims","tokenResponse","existingToken","incoming","existing","auth_time","azp","State","_State","created","request_type","toStorageString","fromStorageString","storageString","clearStaleState","storage","age","cutoff","i","SigninState","_SigninState","code_challenge","_SigninRequest","_ref10","state_data","dpopJkt","optionalParams","searchParams","stateParam","r","SigninRequest","Sign
inResponse","token_type","splitState","expires_at","Number","SignoutRequest","_ref11","id_token_hint","SignoutResponse","DefaultProtocolClaims","InternalRequiredProtocolClaims","ClaimsService","result","protocolClaims","claim","claims1","claims2","values","mergedValues","DPoPState","OidcClient","settings","metadataService","_validator","createSigninRequest","_ref12","request","request_uri","login_hint","signinRequest","signinState","readSigninResponseState","removeState","storedStateString","processSigninResponse","dpopProof","getDpopProof","dpopStore","dpopState","processResourceOwnerPasswordCredentials","_ref13","username","password","signinResponse","useRefreshToken","_ref14","allowableScopes","s","createSignoutRequest","signoutState","readSignoutResponseState","processSignoutResponse","revokeToken","type","SessionMonitor","_userManager","_start","user","_sub","_checkSessionIFrame","intervalInSeconds","checkSessionIntervalInSeconds","stopOnError","stopCheckSessionOnError","checkSessionIFrame","_stop","monitorAnonymousSession","timerHandle","session","querySessionStatus","tmpUser","raiseEvent","events","_raiseUserSessionChanged","_raiseUserSignedOut","_raiseUserSignedIn","addUserLoaded","addUserUnloaded","_init","catch","getUser","User","_User","scopes","messageSource","AbstractChildWindow","_abort","_disposeHandlers","Set","_window","navigate","location","keepOpen","reject","listener","scriptOrigin","_dispose","add","removeEventListener","reason","close","dispose","_notifyParent","parent","targetOrigin","DefaultPopupWindowFeatures","toolbar","closePopupWindowAfterInSeconds","DefaultPopupTarget","DefaultAccessTokenExpiringNotificationTimeInSeconds","DefaultCheckSessionIntervalInSeconds","DefaultSilentRequestTimeoutInSeconds","UserManagerSettingsStore","popup_redirect_uri","popup_post_logout_redirect_uri","popupWindowFeatures","popupWindowTarget","redirectMethod","redirectTarget","iframeNotifyParentOrigin","iframeScriptOrigin","silent_redirect_uri","silentRequestTi
meoutInSeconds","automaticSilentRenew","validateSubOnSilentRenew","includeIdTokenInSilentRenew","monitorSession","query_status_response_type","revokeTokenTypes","revokeTokensOnSignout","includeIdTokenInSilentSignout","accessTokenExpiringNotificationTimeInSeconds","userStore","sessionStorage","IFrameWindow","_IFrameWindow","_ref15","_timeoutInSeconds","createHiddenIframe","iframe","timer","parentNode","_a2","frame","target","removeChild","notifyParent","IFrameNavigator","prepare","_ref16","callback","PopupWindow","_ref17","popupSignal","centeredPopup","open","closed","focus","popupClosedInterval","notifyOpener","opener","PopupNavigator","_ref18","_ref19","RedirectNavigator","_ref20","targetWindow","self","redirect","bind","promise","UserManagerEvents","_userLoaded","_userUnloaded","_silentRenewError","_userSignedIn","_userSignedOut","_userSessionChanged","removeUserLoaded","removeUserUnloaded","addSilentRenewError","removeSilentRenewError","_raiseSilentRenewError","addUserSignedIn","removeUserSignedIn","addUserSignedOut","removeUserSignedOut","addUserSessionChanged","removeUserSessionChanged","SilentRenewService","_isStarted","_retryTimer","_tokenExpiring","signinSilent","RefreshState","UserManager","redirectNavigator","popupNavigator","iframeNavigator","_client","_redirectNavigator","_popupNavigator","_iframeNavigator","_events","_silentRenewService","startSilentRenew","_sessionMonitor","_loadUser","removeUser","storeUser","signinRedirect","requestArgs","bind_authorization_code","handle","_signinStart","signinRedirectCallback","_signinEnd","signinResourceOwnerCredentials","_ref21","_buildUser","signinPopup","_signin","signinPopupCallback","_useRefreshToken","verifySub","signinSilentCallback","signinCallback","signoutCallback","signoutRedirectCallback","signoutPopupCallback","signoutSilentCallback","navResponse","signoutRedirect","_signoutStart","_signoutEnd","signoutPopup","_signout","_revokeInternal","signoutRequest","signoutResponse","signoutSilent","revokeTokens"
,"types","typesPresent","stopSilentRenew","_userStoreKey","dpopSettings","dpopKeys","Version","IndexedDbDPoPStore","_dbName","_storeName","createStore","put","promisifyRequest","transaction","delete","oncomplete","onsuccess","onabort","onerror","dbName","storeName","indexedDB","onupgradeneeded","createObjectStore","db","txMode","objectStore"],"sourceRoot":""}