{"version":3,"file":"static/js/969.fee85bad.chunk.js","mappings":"+gBAAO,MAAMA,UAA0BC,OAYvC,SAASC,EAAgBC,GACrB,IAAIC,EAASD,EAAIE,QAAQ,KAAM,KAAKA,QAAQ,KAAM,KAClD,OAAQD,EAAOE,OAAS,GACpB,KAAK,EACD,MACJ,KAAK,EACDF,GAAU,KACV,MACJ,KAAK,EACDA,GAAU,IACV,MACJ,QACI,MAAM,IAAIH,MAAM,8CAExB,IACI,OAxBR,SAA0BE,GACtB,OAAOI,mBAAmBC,KAAKL,GAAKE,QAAQ,QAAQ,CAACI,EAAGC,KACpD,IAAIC,EAAOD,EAAEE,WAAW,GAAGC,SAAS,IAAIC,cAIxC,OAHIH,EAAKL,OAAS,IACdK,EAAO,IAAMA,GAEV,IAAMA,CAAI,IAEzB,CAgBeI,CAAiBX,EAC5B,CACA,MAAOY,GACH,OAAOR,KAAKJ,EAChB,CACJ,CA9BAJ,EAAkBiB,UAAUC,KAAO,oBCanC,IAOIC,EACAC,EAoBaC,EA5BXC,EAAqB,CACvBC,MAAOA,KAAM,EACbC,KAAMA,KAAM,EACZC,KAAMA,KAAM,EACZC,MAAOA,KACX,GAUYC,EAAL,CAAKN,IACRA,EAAAA,EAAA,eACAA,EAAAA,EAAA,iBACAA,EAAAA,EAAA,eACAA,EAAAA,EAAA,eACAA,EAAAA,EAAA,iBALQA,GAAL,CAAKM,GAAA,KAaKN,EAAAM,IAAAA,EAAA,KACGC,MAAT,WACHT,EAAQ,EACRC,EAASE,CACb,EAEOD,EAASQ,SAAT,SAAkBC,GACrB,KAAM,GAAYA,GAASA,GAAS,GAChC,MAAM,IAAI7B,MAAM,qBAEpBkB,EAAQW,CACZ,EAEOT,EAASU,UAAT,SAAmBD,GACtBV,EAASU,CACb,EAQG,IAAME,EAAN,MAAMC,EAEFC,WAAAA,CAAoBC,GAAA,KAAAA,MAAAA,CAAgB,CAGpCZ,KAAAA,GACH,GAAIJ,GAAS,EAAW,SAAAiB,EAAAC,UAAA/B,OADZgC,EAAA,IAAAC,MAAAH,GAAAI,EAAA,EAAAA,EAAAJ,EAAAI,IAAAF,EAAAE,GAAAH,UAAAG,GAERpB,EAAOG,MAAMU,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC9D,CACJ,CACOd,IAAAA,GACH,GAAIL,GAAS,EAAU,SAAAyB,EAAAP,UAAA/B,OADZgC,EAAA,IAAAC,MAAAK,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAP,EAAAO,GAAAR,UAAAQ,GAEPzB,EAAOI,KAAKS,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC7D,CACJ,CACOb,IAAAA,GACH,GAAIN,GAAS,EAAU,SAAA2B,EAAAT,UAAA/B,OADZgC,EAAA,IAAAC,MAAAO,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAT,EAAAS,GAAAV,UAAAU,GAEP3B,EAAOK,KAAKQ,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC7D,CACJ,CACOZ,KAAAA,GACH,GAAIP,GAAS,EAAW,SAAA6B,EAAAX,UAAA/B,OADZgC,EAAA,IAAAC,MAAAS,GAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAX,EAAAW,GAAAZ,UAAAY,GAER7B,EAAOM,MAAMO,EAAOQ,QAAQC,KAAKP,MAAOO,KAAKC,YAAaL,EAC9D,CACJ,CAGOY,MAAMlC,GAET,MADA0B,KAAKhB,MAAMV,GACLA,CACV,CAEOmC,MAAAA,CAAOC,GACV,MAAMC,EAAuBC,OAAOH,OAAOT,MAG3C,OAFAW,EAAaV,QAAUS,EACvBC,EAAa9B,MAAM,SACZ8B,CACX,CAEA,mBAAcE,CAAarC,EAAcsC,GACrC,MAAMC,EAAe,IAAIxB,EAAA,GAAAyB,OAAUxC,EAAI,KAAAwC,OAAIF,IAE3C,OADAC,EAAalC,MAAM,SACZkC,CACX,CAEA,cAAehB,CAAQvB,EAAckC,GACjC,MAAMO,EAAA,IAAAD,OAAaxC,EAAI,KACvB,OAAOkC,EAAA,GAAAM,OAAYC,EAAM,KAAAD,OAAIN,EAAM,KAAMO,CAC7C,CAIA,YAAcpC,CAAML,GAChB,GAAIC,GAAS,EAAW,SAAAyC,EAAAvB,UAAA/B,OADSgC,EAAA,IAAAC,MAAAqB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAvB,EAAAuB,EAAA,GAAAxB,UAAAwB,GAE7BzC,EAAOG,MAAMU,EAAOQ,QAAQvB,MAAUoB,EAC1C,CACJ,CACA,WAAcd,CAAKN,GACf,GAAIC,GAAS,EAAU,SAAA2C,EAAAzB,UAAA/B,OADSgC,EAAA,IAAAC,MAAAuB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAAzB,EAAAyB,EAAA,GAAA1B,UAAA0B,GAE5B3C,EAAOI,KAAKS,EAAOQ,QAAQvB,MAAUoB,EACzC,CACJ,CACA,WAAcb,CAAKP,GACf,GAAIC,GAAS,EAAU,SAAA6C,EAAA3B,UAAA/B,OADSgC,EAAA,IAAAC,MAAAyB,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAA3B,EAAA2B,EAAA,GAAA5B,UAAA4B,GAE5B7C,EAAOK,KAAKQ,EAAOQ,QAAQvB,MAAUoB,EACzC,CACJ,CACA,YAAcZ,CAAMR,GAChB,GAAIC,GAAS,EAAW,SAAA+C,EAAA7B,UAAA/B,OADSgC,EAAA,IAAAC,MAAA2B,EAAA,EAAAA,EAAA,KAAAC,EAAA,EAAAA,EAAAD,EAAAC,IAAA7B,EAAA6B,EAAA,GAAA9B,UAAA8B,GAE7B/C,EAAOM,MAAMO,EAAOQ,QAAQvB,MAAUoB,EAC1C,CACJ,GAIJX,EAAIC,QC3IJ,IAEMwC,EAAYC,GACdC,KAAK,IAAI,IAAIC,WAAWF,IACnBG,KAAKC,GAAQC,OAAOC,aAAaF,KACjCG,KAAK,KAKDC,EAAN,MAAMC,EACT,kBAAeC,GACX,MAAMC,EAAM,IAAIC,YAAY,GAE5B,OADAC,OAAOC,gBAAgBH,GAChBA,EAAI,EACf,CAKA,qBAAcI,GAIV,MAxBiB,uCAqBa/E,QAAQ,UAAUgF,KAC1CA,EAAIP,EAAYC,cAAgB,KAAOM,EAAI,GAAGxE,SAAS,MAEjDR,QAAQ,KAAM,GAC9B,CAKA,2BAAciF,GACV,OAAOR,EAAYM,iBAAmBN,EAAYM,iBAAmBN,EAAYM,gBACrF,CAKA,kCAAoBG,CAAsBC,GACtC,IAAKN,OAAOO,OACR,MAAM,IAAIxF,MAAM,+DAGpB,IACI,MACMyF,GADU,IAAIC,aACCC,OAAOJ,GACtBK,QAAeX,OAAOO,OAAOK,OAAO,UAAWJ,GACrD,OAAOtB,EAASyB,GAAQxF,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KAAKA,QAAQ,MAAO,GACnF,OACOW,GAEH,MADAgB,EAAON,MAAM,oCAAqCV,GAC5CA,CACV,CACJ,CAKA,wBAAc+E,CAAkBC,EAAmBC,GAC/C,MACMP,GADU,IAAIC,aACCC,OAAO,CAACI,EAAWC,GAAerB,KAAK,MAC5D,OAAOR,EAASsB,EACpB,GClDSQ,EAAN,MAKIhE,WAAAA,CAA+BC,GAAA,KAAAA,MAAAA,EAJtC,KAAmBgE,QAAU,IAAInE,EAAA,UAAA0B,OAAiBhB,KAAKP,MAAK,OAE5D,KAAQiE,WAAyC,EAEK,CAE/CC,UAAAA,CAAWC,GAEd,OADA5D,KAAK0D,WAAWG,KAAKD,GACd,IAAM5D,KAAK8D,cAAcF,EACpC,CAEOE,aAAAA,CAAcF,GACjB,MAAMG,EAAM/D,KAAK0D,WAAWM,YAAYJ,GACpCG,GAAO,GACP/D,KAAK0D,WAAWO,OAAOF,EAAK,EAEpC,CAEA,WAAaG,GAAuC,QAAAC,EAAAxE,UAAA/B,OAA9BwG,EAAA,IAAAvE,MAAAsE,GAAAE,EAAA,EAAAA,EAAAF,EAAAE,IAAAD,EAAAC,GAAA1E,UAAA0E,GAClBrE,KAAKyD,QAAQ5E,MAAM,YAAauF,GAChC,IAAK,MAAMR,KAAM5D,KAAK0D,iBACZE,KAAMQ,EAEpB,GC7BSE,EAAN,MAEH,aAAcC,CAAOC,GACjB,IACI,OJqBL,SAAmBA,EAAOC,GAC7B,GAAqB,kBAAVD,EACP,MAAM,IAAIlH,EAAkB,6CAEhCmH,IAAYA,EAAU,CAAC,GACvB,MAAMC,GAAyB,IAAnBD,EAAQE,OAAkB,EAAI,EACpCC,EAAOJ,EAAMK,MAAM,KAAKH,GAC9B,GAAoB,kBAATE,EACP,MAAM,IAAItH,EAAkB,0CAAD0D,OAA2C0D,EAAM,IAEhF,IAAII,EACJ,IACIA,EAAUtH,EAAgBoH,EAC9B,CACA,MAAOG,GACH,MAAM,IAAIzH,EAAkB,qDAAD0D,OAAsD0D,EAAM,EAAC,MAAA1D,OAAK+D,EAAEC,QAAO,KAC1G,CACA,IACI,OAAOC,KAAKC,MAAMJ,EACtB,CACA,MAAOC,GACH,MAAM,IAAIzH,EAAkB,mDAAD0D,OAAoD0D,EAAM,EAAC,MAAA1D,OAAK+D,EAAEC,QAAO,KACxG,CACJ,CI5CmBG,CAAqBX,EAChC,OACOlG,GAEH,MADAgB,EAAON,MAAM,kBAAmBV,GAC1BA,CACV,CACJ,GCIS8G,EAAN,MAMH,aAAOC,CAAAC,GAAkE,OAAtDC,GAASD,EA5BhC,IAAAE,EAkCQ,OALsB,MAAlBD,EAASE,QACTF,EAASE,MAAQ,OAAAD,EAAA,CAAC,IAAK,IAAK,IAAK,KAAKE,MAAKD,GAASA,GAASE,OAAOC,WAAa,SAAhEJ,EAA0E,KAC/F,MAAAD,EAASM,OAATN,EAASM,KAASC,KAAKC,IAAI,EAAGD,KAAKE,MAAML,OAAOM,SAAWN,OAAOC,WAAaL,EAASE,OAAS,KAC1E,MAAnBF,EAASW,SACT,MAAAX,EAASY,MAATZ,EAASY,IAAQL,KAAKC,IAAI,EAAGD,KAAKE,MAAML,OAAOS,SAAWT,OAAOU,YAAcd,EAASW,QAAU,MAC/FX,CACX,CAEA,gBAAOe,CAAUf,GACb,OAAO3E,OAAO2F,QAAQhB,GACjBiB,QAAOC,IAAA,IAAE,CAAErH,GAAKqH,EAAA,OAAe,MAATrH,CAAa,IACnC0C,KAAI4E,IAAA,IAAEC,EAAKvH,GAAKsH,EAAA,SAAA1F,OAAS2F,EAAG,KAAA3F,OAAqB,mBAAV5B,EAAsBA,EAAkBA,EAAQ,MAAQ,KAAI,IACnG8C,KAAK,IACd,GCjCS0E,EAAN,MAAMC,UAAcrD,EAApBhE,WAAAA,GAAA,SAAAG,WACH,KAAmB8D,QAAU,IAAInE,EAAA,UAAA0B,OAAiBhB,KAAKP,MAAK,OAC5D,KAAQqH,aAAsD,KAC9D,KAAQC,YAAc,EAyCtB,KAAUC,UAAY,KAClB,MAAMC,EAAOjH,KAAK+G,YAAcF,EAAMK,eACtClH,KAAKyD,QAAQ5E,MAAM,qBAAsBoI,GAErCjH,KAAK+G,aAAeF,EAAMK,iBAC1BlH,KAAKmH,SACAC,MAAMlD,QACf,CACJ,CA9CA,mBAAcgD,GACV,OAAOpB,KAAKuB,MAAMC,KAAKC,MAAQ,IACnC,CAEOC,IAAAA,CAAKC,GACR,MAAMC,EAAS1H,KAAKyD,QAAQhD,OAAO,QACnCgH,EAAoB3B,KAAKC,IAAID,KAAKuB,MAAMI,GAAoB,GAC5D,MAAME,EAAad,EAAMK,eAAiBO,EAC1C,GAAIzH,KAAK2H,aAAeA,GAAc3H,KAAK8G,aAGvC,YADAY,EAAO7I,MAAM,uDAAwDmB,KAAK2H,YAI9E3H,KAAKmH,SAELO,EAAO7I,MAAM,iBAAkB4I,GAC/BzH,KAAK+G,YAAcY,EAKnB,MAAMC,EAAyB9B,KAAK+B,IAAIJ,EAAmB,GAC3DzH,KAAK8G,aAAegB,YAAY9H,KAAKgH,UAAoC,IAAzBY,EACpD,CAEA,cAAWD,GACP,OAAO3H,KAAK+G,WAChB,CAEOI,MAAAA,GACHnH,KAAKyD,QAAQhD,OAAO,UAChBT,KAAK8G,eACLiB,cAAc/H,KAAK8G,cACnB9G,KAAK8G,aAAe,KAE5B,GC7CSkB,EAAN,MACH,iBAAcC,CAAWC,GAA4E,IAA/DC,EAAAxI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAqC,QACvE,IAAKuI,EAAK,MAAM,IAAIG,UAAU,eAE9B,MACMC,EADY,IAAIC,IAAIL,EAAK,oBACW,aAAjBC,EAA8B,OAAS,UAChE,OAAO,IAAIK,gBAAgBF,EAAOG,MAAM,GAC5C,GCFSC,EAAN,cAA4BnL,MAqBxBiC,WAAAA,CACHI,EAKgB+I,GAtCxB,IAAAnD,EAAAoD,EAAAC,EA0CQ,GAFAzB,MAAMxH,EAAKkJ,mBAAqBlJ,EAAKZ,OAAS,IAF9B,KAAA2J,KAAAA,EAzBpB,KAAgBnK,KAAe,iBA6BtBoB,EAAKZ,MAEN,MADAM,EAAON,MAAM,gBAAiB,mBACxB,IAAIzB,MAAM,mBAGpByC,KAAKhB,MAAQY,EAAKZ,MAClBgB,KAAK8I,kBAAoB,OAAAtD,EAAA5F,EAAKkJ,mBAALtD,EAA0B,KACnDxF,KAAK+I,UAAY,OAAAH,EAAAhJ,EAAKmJ,WAALH,EAAkB,KAEnC5I,KAAKgJ,MAAQpJ,EAAKqJ,UAClBjJ,KAAKkJ,cAAgB,OAAAL,EAAAjJ,EAAKsJ,eAALL,EAAsB,KAC3C7I,KAAKmJ,UAAYvJ,EAAKuJ,SAC1B,GC9CSC,EAAN,cAA2B7L,MAIvBiC,WAAAA,CAAYwF,GACfoC,MAAMpC,GAHV,KAAgBxG,KAAe,cAI/B,GCAS6K,EAAN,MAOI7J,WAAAA,CAAYI,GANnB,KAAmB6D,QAAU,IAAInE,EAAO,qBAExC,KAAiBgK,eAAiB,IAAI1C,EAAM,yBAC5C,KAAiB2C,cAAgB,IAAI3C,EAAM,wBAIvC5G,KAAKwJ,mCAAqC5J,EAAK6J,iCACnD,CAEOC,IAAAA,CAAKC,GACR,MAAMjC,EAAS1H,KAAKyD,QAAQhD,OAAO,QAEnC,GAAIkJ,EAAUC,mBAAyC,IAAzBD,EAAUE,WAA0B,CAC9D,MAAMC,EAAWH,EAAUE,WAG3B,GAFAnC,EAAO7I,MAAM,4CAA6CiL,GAEtDA,EAAW,EAAG,CAEd,IAAIC,EAAWD,EAAW9J,KAAKwJ,mCAC3BO,GAAY,IACZA,EAAW,GAGfrC,EAAO7I,MAAM,yCAA0CkL,EAAU,WACjE/J,KAAKsJ,eAAe9B,KAAKuC,EAC7B,MAEIrC,EAAO7I,MAAM,oEACbmB,KAAKsJ,eAAenC,SAIxB,MAAM6C,EAAUF,EAAW,EAC3BpC,EAAO7I,MAAM,wCAAyCmL,EAAS,WAC/DhK,KAAKuJ,cAAc/B,KAAKwC,EAC5B,MAEIhK,KAAKsJ,eAAenC,SACpBnH,KAAKuJ,cAAcpC,QAE3B,CAEO8C,MAAAA,GACHjK,KAAKyD,QAAQ5E,MAAM,kDACnBmB,KAAKsJ,eAAenC,SACpBnH,KAAKuJ,cAAcpC,QACvB,CAKO+C,sBAAAA,CAAuBtG,GAC1B,OAAO5D,KAAKsJ,eAAe3F,WAAWC,EAC1C,CAIOuG,yBAAAA,CAA0BvG,GAC7B5D,KAAKsJ,eAAexF,cAAcF,EACtC,CAKOwG,qBAAAA,CAAsBxG,GACzB,OAAO5D,KAAKuJ,cAAc5F,WAAWC,EACzC,CAIOyG,wBAAAA,CAAyBzG,GAC5B5D,KAAKuJ,cAAczF,cAAcF,EACrC,GChFS0G,EAAN,MAOI9K,WAAAA,CACKwH,EACAuD,EACRrC,EACQsC,EACAC,GAJA,KAAAzD,UAAAA,EACA,KAAAuD,WAAAA,EAEA,KAAAC,mBAAAA,EACA,KAAAC,aAAAA,EAXZ,KAAiBhH,QAAU,IAAInE,EAAO,sBAGtC,KAAQoL,OAAgD,KACxD,KAAQC,eAAgC,KAmCxC,KAAQC,SAAY7F,IACZA,EAAE8F,SAAW7K,KAAK8K,eAClB/F,EAAEgG,SAAW/K,KAAKgL,OAAOC,gBAEV,UAAXlG,EAAE/B,MACFhD,KAAKyD,QAAQzE,MAAM,8CACfgB,KAAKyK,cACLzK,KAAKkL,QAGO,YAAXnG,EAAE/B,MACPhD,KAAKyD,QAAQ5E,MAAM,gDACnBmB,KAAKkL,OACAlL,KAAKgH,aAGVhH,KAAKyD,QAAQ5E,MAAMkG,EAAE/B,KAAO,yCAEpC,EA5CA,MAAMmI,EAAY,IAAI5C,IAAIL,GAC1BlI,KAAK8K,cAAgBK,EAAUN,OAE/B7K,KAAKgL,OAASrF,OAAOyF,SAASC,cAAc,UAG5CrL,KAAKgL,OAAOM,MAAMC,WAAa,SAC/BvL,KAAKgL,OAAOM,MAAME,SAAW,QAC7BxL,KAAKgL,OAAOM,MAAMzF,KAAO,UACzB7F,KAAKgL,OAAOM,MAAMnF,IAAM,IACxBnG,KAAKgL,OAAOvF,MAAQ,IACpBzF,KAAKgL,OAAO9E,OAAS,IACrBlG,KAAKgL,OAAOS,IAAMN,EAAUO,IAChC,CAEOhC,IAAAA,GACH,OAAO,IAAIiC,SAAeC,IACtB5L,KAAKgL,OAAOa,OAAS,KACjBD,GAAS,EAGbjG,OAAOyF,SAASU,KAAKC,YAAY/L,KAAKgL,QACtCrF,OAAOqG,iBAAiB,UAAWhM,KAAK4K,UAAU,EAAM,GAEhE,CAuBOqB,KAAAA,CAAM/C,GACT,GAAIlJ,KAAK2K,iBAAmBzB,EACxB,OAGJlJ,KAAKyD,QAAQhD,OAAO,SAEpBT,KAAKkL,OAELlL,KAAK2K,eAAiBzB,EAEtB,MAAMgD,EAAOA,KACJlM,KAAKgL,OAAOC,eAAkBjL,KAAK2K,gBAIxC3K,KAAKgL,OAAOC,cAAckB,YAAYnM,KAAKuK,WAAa,IAAMvK,KAAK2K,eAAgB3K,KAAK8K,cAAc,EAI1GoB,IAGAlM,KAAK0K,OAAS5C,YAAYoE,EAAgC,IAA1BlM,KAAKwK,mBACzC,CAEOU,IAAAA,GACHlL,KAAKyD,QAAQhD,OAAO,QACpBT,KAAK2K,eAAiB,KAElB3K,KAAK0K,SAEL3C,cAAc/H,KAAK0K,QACnB1K,KAAK0K,OAAS,KAEtB,GChGS0B,EAAN,MAAA5M,WAAAA,GACH,KAAiBiE,QAAU,IAAInE,EAAO,sBACtC,KAAQ+M,MAAgC,CAAC,EAElCC,KAAAA,GACHtM,KAAKyD,QAAQhD,OAAO,SACpBT,KAAKqM,MAAQ,CAAC,CAClB,CAEOE,OAAAA,CAAQ5F,GAEX,OADA3G,KAAKyD,QAAQhD,OAAA,YAAAO,OAAmB2F,EAAG,OAC5B3G,KAAKqM,MAAM1F,EACtB,CAEO6F,OAAAA,CAAQ7F,EAAavH,GACxBY,KAAKyD,QAAQhD,OAAA,YAAAO,OAAmB2F,EAAG,OACnC3G,KAAKqM,MAAM1F,GAAOvH,CACtB,CAEOqN,UAAAA,CAAW9F,GACd3G,KAAKyD,QAAQhD,OAAA,eAAAO,OAAsB2F,EAAG,cAC/B3G,KAAKqM,MAAM1F,EACtB,CAEA,UAAW/I,GACP,OAAOgD,OAAO8L,oBAAoB1M,KAAKqM,OAAOzO,MAClD,CAEO+I,GAAAA,CAAIgG,GACP,OAAO/L,OAAO8L,oBAAoB1M,KAAKqM,OAAOM,EAClD,GCLSC,EAAN,MAKIpN,WAAAA,GAIL,IAHEqN,EAAAlN,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAmC,GAC3BmN,EAAAnN,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAiC,KACjCoN,EAAApN,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA6C,CAAC,EAD9C,KAAAmN,YAAAA,EACA,KAAAC,cAAAA,EAPZ,KAAiBtJ,QAAU,IAAInE,EAAO,eAEtC,KAAQ0N,cAA0B,GAO9BhN,KAAKgN,cAAcnJ,QAAQgJ,EAAwB,oBAC/CC,GACA9M,KAAKgN,cAAcnJ,KAAK,kBAEhC,CAEA,sBAAgBoJ,CAAiBC,GAA4E,IAAxD1F,EAAA7H,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAoD,CAAC,EACtG,MAAM,iBAAEwN,KAAqBC,GAAc5F,EAC3C,IAAK2F,EACD,aAAaE,MAAMH,EAAOE,GAG9B,MAAME,EAAa,IAAIC,gBACjBC,EAAYC,YAAW,IAAMH,EAAWI,SAA4B,IAAnBP,GAEvD,IAKI,aAJuBE,MAAMH,EAAO,IAC7B1F,EACHmG,OAAQL,EAAWK,QAG3B,OACOrP,GACH,GAAIA,aAAesP,cAA6B,eAAbtP,EAAIE,KACnC,MAAM,IAAI4K,EAAa,qBAE3B,MAAM9K,CACV,SAEIuP,aAAaL,EACjB,CACJ,CAEA,aAAaM,CAAQ5F,GAGkC,IAHrB,MAC9B1D,EAAA,YACAuJ,GACJpO,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAiB,CAAC,EACd,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,WAC7BuN,EAAuB,CACzB,OAAUhO,KAAKgN,cAAc9K,KAAK,OAStC,IAAI+L,EAPAzJ,IACAkD,EAAO7I,MAAM,8CACbmP,EAAuB,cAAI,UAAYxJ,GAG3CxE,KAAKkO,mBAAmBF,GAGxB,IACItG,EAAO7I,MAAM,OAAQqJ,GACrB+F,QAAiBjO,KAAKiN,iBAAiB/E,EAAK,CAAExH,OAAQ,MAAOsN,UAASD,eAC1E,OACOzP,GAEH,MADAoJ,EAAO1I,MAAM,iBACPV,CACV,CAEAoJ,EAAO7I,MAAM,iCAAkCoP,EAASE,QACxD,MAAMC,EAAcH,EAASD,QAAQK,IAAI,gBAIzC,GAHID,IAAgBpO,KAAKgN,cAActH,MAAK4I,GAAQF,EAAYG,WAAWD,MACvE5G,EAAOlH,MAAM,IAAIjD,MAAA,kCAAAyD,OAAyC,MAAAoN,EAAAA,EAAe,YAAY,gBAAApN,OAAekH,KAEpG+F,EAASO,IAAMxO,KAAK8M,cAAe,MAAAsB,OAAA,EAAAA,EAAaG,WAAW,oBAC3D,aAAavO,KAAK8M,kBAAkBmB,EAASQ,QAEjD,IAAIC,EACJ,IACIA,QAAaT,EAASS,MAC1B,OACOpQ,GAEH,GADAoJ,EAAO1I,MAAM,8BAA+BV,GACxC2P,EAASO,GAAI,MAAMlQ,EACvB,MAAM,IAAIf,MAAA,GAAAyD,OAASiN,EAASU,WAAU,MAAA3N,OAAKiN,EAASE,OAAM,KAC9D,CACA,IAAKF,EAASO,GAAI,CAEd,GADA9G,EAAO1I,MAAM,qBAAsB0P,GAC/BA,EAAK1P,MACL,MAAM,IAAI0J,EAAcgG,GAE5B,MAAM,IAAInR,MAAA,GAAAyD,OAASiN,EAASU,WAAU,MAAA3N,OAAKiN,EAASE,OAAM,OAAAnN,OAAMiE,KAAK2J,UAAUF,IACnF,CACA,OAAOA,CACX,CAEA,cAAaG,CAAS3G,EAAA4G,GAK6B,IALhB,KAC/BhD,EAAA,UACAiD,EAAA,iBACA5B,EAAA,gBACA6B,GACJF,EACI,MAAMpH,EAAS1H,KAAKyD,QAAQhD,OAAO,YAC7BuN,EAAuB,CACzB,OAAUhO,KAAKgN,cAAc9K,KAAK,MAClC,eAAgB,qCAQpB,IAAI+L,OANc,IAAdc,IACAf,EAAuB,cAAI,SAAWe,GAG1C/O,KAAKkO,mBAAmBF,GAGxB,IACItG,EAAO7I,MAAM,OAAQqJ,GACrB+F,QAAiBjO,KAAKiN,iBAAiB/E,EAAK,CAAExH,OAAQ,OAAQsN,UAASlC,OAAMqB,mBAAkBY,YAAaiB,GAChH,OACO1Q,GAEH,MADAoJ,EAAO1I,MAAM,iBACPV,CACV,CAEAoJ,EAAO7I,MAAM,iCAAkCoP,EAASE,QACxD,MAAMC,EAAcH,EAASD,QAAQK,IAAI,gBACzC,GAAID,IAAgBpO,KAAKgN,cAActH,MAAK4I,GAAQF,EAAYG,WAAWD,KACvE,MAAM,IAAI/Q,MAAA,kCAAAyD,OAAyC,MAAAoN,EAAAA,EAAe,YAAY,gBAAApN,OAAekH,IAGjG,MAAM+G,QAAqBhB,EAASQ,OAEpC,IAAIC,EAAgC,CAAC,EACrC,GAAIO,EACA,IACIP,EAAOzJ,KAAKC,MAAM+J,EACtB,OACO3Q,GAEH,GADAoJ,EAAO1I,MAAM,8BAA+BV,GACxC2P,EAASO,GAAI,MAAMlQ,EACvB,MAAM,IAAIf,MAAA,GAAAyD,OAASiN,EAASU,WAAU,MAAA3N,OAAKiN,EAASE,OAAM,KAC9D,CAGJ,IAAKF,EAASO,GAAI,CAEd,GADA9G,EAAO1I,MAAM,qBAAsB0P,GAC/BA,EAAK1P,MACL,MAAM,IAAI0J,EAAcgG,EAAM5C,GAElC,MAAM,IAAIvO,MAAA,GAAAyD,OAASiN,EAASU,WAAU,MAAA3N,OAAKiN,EAASE,OAAM,OAAAnN,OAAMiE,KAAK2J,UAAUF,IACnF,CAEA,OAAOA,CACX,CAEQR,kBAAAA,CACJF,GAEA,MAAMtG,EAAS1H,KAAKyD,QAAQhD,OAAO,sBAC7ByO,EAAatO,OAAOuO,KAAKnP,KAAK+M,eAC9BqC,EAAmB,CACrB,gBACA,SACA,gBAEsB,IAAtBF,EAAWtR,QAGfsR,EAAWG,SAASC,IAChB,GAAIF,EAAiBG,SAASD,EAAWE,qBAErC,YADA9H,EAAO3I,KAAK,2CAA4CuQ,EAAYF,GAGxE,MAAMK,EAAqD,oBAAnCzP,KAAK+M,cAAcuC,GACtCtP,KAAK+M,cAAcuC,KACpBtP,KAAK+M,cAAcuC,GACnBG,GAAuB,KAAZA,IACXzB,EAAQsB,GAAcG,EAC1B,GAER,GCvMSC,EAAN,MAUIlQ,WAAAA,CAA6BmQ,GAAA,KAAAA,UAAAA,EATpC,KAAiBlM,QAAU,IAAInE,EAAO,mBAKtC,KAAQsQ,aAAoC,KAC5C,KAAQC,UAA0C,KAI9C7P,KAAK8P,aAAe9P,KAAK2P,UAAUI,YACnC/P,KAAKgQ,aAAe,IAAIpD,EACpB,CAAC,4BACD,KACA5M,KAAK2P,UAAUM,cAEfjQ,KAAK2P,UAAUO,cACflQ,KAAKyD,QAAQ5E,MAAM,mCACnBmB,KAAK4P,aAAe5P,KAAK2P,UAAUO,aAGnClQ,KAAK2P,UAAUQ,WACfnQ,KAAKyD,QAAQ5E,MAAM,gCACnBmB,KAAK6P,UAAY7P,KAAK2P,UAAUQ,UAGhCnQ,KAAK2P,UAAUS,0BACfpQ,KAAKyD,QAAQ5E,MAAM,+CACnBmB,KAAKqQ,yBAA2BrQ,KAAK2P,UAAUS,wBAEvD,CAEOE,gBAAAA,GACHtQ,KAAK4P,aAAe,IACxB,CAEA,iBAAaW,GACT,MAAM7I,EAAS1H,KAAKyD,QAAQhD,OAAO,eACnC,GAAIT,KAAK6P,UAEL,OADAnI,EAAO7I,MAAM,uBACNmB,KAAK6P,UAGhB,IAAK7P,KAAK8P,aAEN,MADApI,EAAOlH,MAAM,IAAIjD,MAAM,uDACjB,KAGVmK,EAAO7I,MAAM,wBAAyBmB,KAAK8P,cAC3C,MAAMK,QAAiBnQ,KAAKgQ,aAAalC,QAAQ9N,KAAK8P,aAAc,CAAE/B,YAAa/N,KAAKqQ,2BAIxF,OAFA3I,EAAO7I,MAAM,0CACbmB,KAAK6P,UAAYjP,OAAO4P,OAAO,CAAC,EAAGxQ,KAAK2P,UAAUc,aAAcN,GACzDnQ,KAAK6P,SAChB,CAEOa,SAAAA,GACH,OAAO1Q,KAAK2Q,qBAAqB,SACrC,CAEOC,wBAAAA,GACH,OAAO5Q,KAAK2Q,qBAAqB,yBACrC,CAEOE,mBAAAA,GACH,OAAO7Q,KAAK2Q,qBAAqB,oBACrC,CAIOG,gBAAAA,GAA+D,IAA9CC,IAAApR,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,KAAAA,UAAA,GACpB,OAAOK,KAAK2Q,qBAAqB,iBAAkBI,EACvD,CAEOC,qBAAAA,GACH,OAAOhR,KAAK2Q,qBAAqB,wBAAwB,EAC7D,CAEOM,qBAAAA,GACH,OAAOjR,KAAK2Q,qBAAqB,wBAAwB,EAC7D,CAIOO,qBAAAA,GAAoE,IAA9CH,IAAApR,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,KAAAA,UAAA,GACzB,OAAOK,KAAK2Q,qBAAqB,sBAAuBI,EAC5D,CAIOI,eAAAA,GAA8D,IAA9CJ,IAAApR,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,KAAAA,UAAA,GACnB,OAAOK,KAAK2Q,qBAAqB,WAAYI,EACjD,CAEA,0BAAgBJ,CAAqBnS,GAA4F,IAAlEuS,EAAApR,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAC3D,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAA,yBAAAO,OAAgCxC,EAAI,OAE1D2R,QAAiBnQ,KAAKuQ,cAG5B,GAFA7I,EAAO7I,MAAM,iBAEU,IAAnBsR,EAAS3R,GAAqB,CAC9B,IAAiB,IAAbuS,EAEA,YADArJ,EAAO3I,KAAK,+CAIhB2I,EAAOlH,MAAM,IAAIjD,MAAM,sCAAwCiB,GACnE,CAEA,OAAO2R,EAAS3R,EACpB,CAEA,oBAAa4S,GACT,MAAM1J,EAAS1H,KAAKyD,QAAQhD,OAAO,kBACnC,GAAIT,KAAK4P,aAEL,OADAlI,EAAO7I,MAAM,oCACNmB,KAAK4P,aAGhB,MAAMyB,QAAiBrR,KAAKmR,iBAAgB,GAC5CzJ,EAAO7I,MAAM,eAAgBwS,GAE7B,MAAMC,QAAetR,KAAKgQ,aAAalC,QAAQuD,GAG/C,GAFA3J,EAAO7I,MAAM,cAAeyS,IAEvBzR,MAAM0R,QAAQD,EAAOnC,MAEtB,MADAzH,EAAOlH,MAAM,IAAIjD,MAAM,2BACjB,KAIV,OADAyC,KAAK4P,aAAe0B,EAAOnC,KACpBnP,KAAK4P,YAChB,GCvIS4B,EAAN,MAMIhS,WAAAA,GAGsD,IAH1C,OACfyB,EAAS,QAAO,MAChBwQ,EAAQC,cACZ/R,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAyD,CAAC,EAR1D,KAAiB8D,QAAU,IAAInE,EAAO,wBASlCU,KAAK2R,OAASF,EACdzR,KAAK4R,QAAU3Q,CACnB,CAEA,SAAa4Q,CAAIlL,EAAavH,GAC1BY,KAAKyD,QAAQhD,OAAA,QAAAO,OAAe2F,EAAG,OAE/BA,EAAM3G,KAAK4R,QAAUjL,QACf3G,KAAK2R,OAAOnF,QAAQ7F,EAAKvH,EACnC,CAEA,SAAaiP,CAAI1H,GACb3G,KAAKyD,QAAQhD,OAAA,QAAAO,OAAe2F,EAAG,OAE/BA,EAAM3G,KAAK4R,QAAUjL,EAErB,aADmB3G,KAAK2R,OAAOpF,QAAQ5F,EAE3C,CAEA,YAAamL,CAAOnL,GAChB3G,KAAKyD,QAAQhD,OAAA,WAAAO,OAAkB2F,EAAG,OAElCA,EAAM3G,KAAK4R,QAAUjL,EACrB,MAAM2H,QAAatO,KAAK2R,OAAOpF,QAAQ5F,GAEvC,aADM3G,KAAK2R,OAAOlF,WAAW9F,GACtB2H,CACX,CAEA,gBAAayD,GACT/R,KAAKyD,QAAQhD,OAAO,cACpB,MAAMuR,QAAYhS,KAAK2R,OAAO/T,OAExBuR,EAAO,GACb,IAAK,IAAIxC,EAAQ,EAAGA,EAAQqF,EAAKrF,IAAS,CACtC,MAAMhG,QAAY3G,KAAK2R,OAAOhL,IAAIgG,GAC9BhG,GAAqC,IAA9BA,EAAIsL,QAAQjS,KAAK4R,UACxBzC,EAAKtL,KAAK8C,EAAIuL,OAAOlS,KAAK4R,QAAQhU,QAE1C,CACA,OAAOuR,CACX,GCpDEgD,EAAsB,OACtBC,EAAe,SACfC,EAA8B,qBAC9BC,EAAgC,IAwIzBC,EAAN,MA4CI/S,WAAAA,CAAAgT,GAwBgB,IAxBJ,UAEfC,EAAA,YAAW1C,EAAAI,SAAaA,EAAA,YAAUD,EAAA,aAAaO,EAAA,UAE/CnN,EAAA,cAAWC,EAAA,cAAemP,EAAgBP,EAAA,MAAqBQ,EAAQP,EAAA,aACvEQ,EAAA,yBAAcC,EAAA,sBACdC,EAAwBT,EAAA,OAExBU,EAAA,QAAQC,EAAA,QAASC,EAAA,WAASC,EAAA,WAAYC,EAAA,SAAYC,EAAA,cAAUC,EAAA,qBAE5DC,GAAuB,EAAI,aAC3BC,GAAe,EAAK,uBACpBC,EAAyBlB,EAAA,oBACzBmB,EAAsB,CAAEC,MAAO,WAAW,YAC1CC,GAAc,EAAK,WAEnBC,EAAA,kCACAC,EAAA,wBACAzD,EAAA,yBACA0D,EAAA,iBAEAC,EAAmB,CAAC,EAAC,iBACrBC,EAAmB,CAAC,EAAC,aACrB/D,EAAe,CAAC,GACpBuC,EA6CI,GA3CAxS,KAAKyS,UAAYA,EAEb1C,EACA/P,KAAK+P,YAAcA,GAEnB/P,KAAK+P,YAAc0C,EACfA,IACKzS,KAAK+P,YAAYkE,SAAS,OAC3BjU,KAAK+P,aAAe,KAExB/P,KAAK+P,aAAe,qCAI5B/P,KAAKmQ,SAAWA,EAChBnQ,KAAKyQ,aAAeA,EACpBzQ,KAAKkQ,YAAcA,EAEnBlQ,KAAKsD,UAAYA,EACjBtD,KAAKuD,cAAgBA,EACrBvD,KAAK0S,cAAgBA,EACrB1S,KAAK2S,MAAQA,EACb3S,KAAK4S,aAAeA,EACpB5S,KAAK6S,yBAA2BA,EAChC7S,KAAK8S,sBAAwBA,EAE7B9S,KAAK+S,OAASA,EACd/S,KAAKgT,QAAUA,EACfhT,KAAKiT,QAAUA,EACfjT,KAAKkT,WAAaA,EAClBlT,KAAKmT,WAAaA,EAClBnT,KAAKoT,SAAWA,EAChBpT,KAAKqT,cAAgBA,EAErBrT,KAAKsT,qBAAuB,MAAAA,GAAAA,EAC5BtT,KAAKuT,eAAiBA,EACtBvT,KAAKwT,uBAAyBA,EAC9BxT,KAAKyT,oBAAsBA,EAC3BzT,KAAK2T,cAAgBA,EACrB3T,KAAK6T,kCAAoCA,EAEzC7T,KAAKoQ,wBAA0BA,GAAoD,cAE/EwD,EACA5T,KAAK4T,WAAaA,MAEjB,CACD,MAAMnC,EAA0B,qBAAX9L,OAAyBA,OAAO+L,aAAe,IAAItF,EACxEpM,KAAK4T,WAAa,IAAIpC,EAAqB,CAAEC,SACjD,CAEAzR,KAAK8T,yBAA2BA,EAEhC9T,KAAK+T,iBAAmBA,EACxB/T,KAAKgU,iBAAmBA,EACxBhU,KAAKiQ,aAAeA,CACxB,GCrQSiE,EAAN,MAII1U,WAAAA,CAA6BmQ,EACfwE,GADe,KAAAxE,UAAAA,EACf,KAAAwE,iBAAAA,EAJrB,KAAmB1Q,QAAU,IAAInE,EAAO,mBA+BxC,KAAU8U,kBAAoBC,UAC1B,MAAM3M,EAAS1H,KAAKyD,QAAQhD,OAAO,qBACnC,IACI,MAAM6T,EAAUhQ,EAASC,OAAO0K,GAGhC,OAFAvH,EAAO7I,MAAM,2BAENyV,CACX,CAAE,MAAOhW,GAEL,MADAoJ,EAAO1I,MAAM,8BACPV,CACV,GAnCA0B,KAAKgQ,aAAe,IAAIpD,OACpB,EACA5M,KAAKoU,kBACLpU,KAAK2P,UAAUM,aAEvB,CAEA,eAAasE,CAAU/P,GACnB,MAAMkD,EAAS1H,KAAKyD,QAAQhD,OAAO,aAC9B+D,GACDxE,KAAKyD,QAAQjD,MAAM,IAAIjD,MAAM,oBAGjC,MAAM2K,QAAYlI,KAAKmU,iBAAiBtD,sBACxCnJ,EAAO7I,MAAM,mBAAoBqJ,GAEjC,MAAMsM,QAAexU,KAAKgQ,aAAalC,QAAQ5F,EAAK,CAChD1D,QACAuJ,YAAa/N,KAAK2P,UAAUS,0BAIhC,OAFA1I,EAAO7I,MAAM,aAAc2V,GAEpBA,CACX,GCoBSC,EAAN,MAIIjV,WAAAA,CACcmQ,EACAwE,GADA,KAAAxE,UAAAA,EACA,KAAAwE,iBAAAA,EALrB,KAAiB1Q,QAAU,IAAInE,EAAO,eAOlCU,KAAKgQ,aAAe,IAAIpD,EACpB5M,KAAK2P,UAAUkE,kCACf,KACA7T,KAAK2P,UAAUM,aAEvB,CAOA,kBAAayE,CAAAC,GAM0C,IAN7B,WACtBC,EAAa,qBAAoB,aACjChC,EAAe5S,KAAK2P,UAAUiD,aAAA,UAC9BtP,EAAYtD,KAAK2P,UAAUrM,UAAA,cAC3BC,EAAgBvD,KAAK2P,UAAUpM,iBAC5B3D,GACP+U,EACI,MAAMjN,EAAS1H,KAAKyD,QAAQhD,OAAO,gBAC9B6C,GACDoE,EAAOlH,MAAM,IAAIjD,MAAM,4BAEtBqV,GACDlL,EAAOlH,MAAM,IAAIjD,MAAM,+BAEtBqC,EAAK3B,MACNyJ,EAAOlH,MAAM,IAAIjD,MAAM,uBAG3B,MAAM+K,EAAS,IAAIE,gBAAgB,CAAEoM,aAAYhC,iBACjD,IAAK,MAAOjM,EAAKvH,KAAUwB,OAAO2F,QAAQ3G,GACzB,MAATR,GACAkJ,EAAOuJ,IAAIlL,EAAKvH,GAGxB,IAAI2P,EACJ,OAAQ/O,KAAK2P,UAAUmD,uBACnB,IAAK,sBACD,IAAKvP,EAED,MADAmE,EAAOlH,MAAM,IAAIjD,MAAM,gCACjB,KAEVwR,EAAY5M,EAAYkB,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+E,EAAOuM,OAAO,YAAavR,GACvBC,GACA+E,EAAOuM,OAAO,gBAAiBtR,GAK3C,MAAM2E,QAAYlI,KAAKmU,iBAAiBrD,kBAAiB,GACzDpJ,EAAO7I,MAAM,sBAEb,MAAMoP,QAAiBjO,KAAKgQ,aAAanB,SAAS3G,EAAK,CAAE4D,KAAMxD,EAAQyG,YAAWC,gBAAiBhP,KAAK2P,UAAUS,0BAGlH,OAFA1I,EAAO7I,MAAM,gBAENoP,CACX,CAOA,yBAAa6G,CAAAC,GAMiD,IAN7B,WAC7BH,EAAa,WAAU,UACvBtR,EAAYtD,KAAK2P,UAAUrM,UAAA,cAC3BC,EAAgBvD,KAAK2P,UAAUpM,cAAA,MAC/BoP,EAAQ3S,KAAK2P,UAAUgD,SACpB/S,GACPmV,EACI,MAAMrN,EAAS1H,KAAKyD,QAAQhD,OAAO,uBAE9B6C,GACDoE,EAAOlH,MAAM,IAAIjD,MAAM,4BAG3B,MAAM+K,EAAS,IAAIE,gBAAgB,CAAEoM,aAAYjC,UACjD,IAAK,MAAOhM,EAAKvH,KAAUwB,OAAO2F,QAAQ3G,GACzB,MAATR,GACAkJ,EAAOuJ,IAAIlL,EAAKvH,GAIxB,IAAI2P,EACJ,OAAQ/O,KAAK2P,UAAUmD,uBACnB,IAAK,sBACD,IAAKvP,EAED,MADAmE,EAAOlH,MAAM,IAAIjD,MAAM,gCACjB,KAEVwR,EAAY5M,EAAYkB,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+E,EAAOuM,OAAO,YAAavR,GACvBC,GACA+E,EAAOuM,OAAO,gBAAiBtR,GAK3C,MAAM2E,QAAYlI,KAAKmU,iBAAiBrD,kBAAiB,GACzDpJ,EAAO7I,MAAM,sBAEb,MAAMoP,QAAiBjO,KAAKgQ,aAAanB,SAAS3G,EAAK,CAAE4D,KAAMxD,EAAQyG,YAAWC,gBAAiBhP,KAAK2P,UAAUS,0BAGlH,OAFA1I,EAAO7I,MAAM,gBAENoP,CACX,CAOA,0BAAa+G,CAAAC,GAMkD,IAN7B,WAC9BL,EAAa,gBAAe,UAC5BtR,EAAYtD,KAAK2P,UAAUrM,UAAA,cAC3BC,EAAgBvD,KAAK2P,UAAUpM,cAAA,iBAC/B4J,KACGvN,GACPqV,EACI,MAAMvN,EAAS1H,KAAKyD,QAAQhD,OAAO,wBAC9B6C,GACDoE,EAAOlH,MAAM,IAAIjD,MAAM,4BAEtBqC,EAAKsV,eACNxN,EAAOlH,MAAM,IAAIjD,MAAM,gCAG3B,MAAM+K,EAAS,IAAIE,gBAAgB,CAAEoM,eACrC,IAAK,MAAOjO,EAAKvH,KAAUwB,OAAO2F,QAAQ3G,GAClCC,MAAM0R,QAAQnS,GACdA,EAAMiQ,SAAQ8F,GAAS7M,EAAOuM,OAAOlO,EAAKwO,KAE5B,MAAT/V,GACLkJ,EAAOuJ,IAAIlL,EAAKvH,GAGxB,IAAI2P,EACJ,OAAQ/O,KAAK2P,UAAUmD,uBACnB,IAAK,sBACD,IAAKvP,EAED,MADAmE,EAAOlH,MAAM,IAAIjD,MAAM,gCACjB,KAEVwR,EAAY5M,EAAYkB,kBAAkBC,EAAWC,GACrD,MACJ,IAAK,qBACD+E,EAAOuM,OAAO,YAAavR,GACvBC,GACA+E,EAAOuM,OAAO,gBAAiBtR,GAK3C,MAAM2E,QAAYlI,KAAKmU,iBAAiBrD,kBAAiB,GACzDpJ,EAAO7I,MAAM,sBAEb,MAAMoP,QAAiBjO,KAAKgQ,aAAanB,SAAS3G,EAAK,CAAE4D,KAAMxD,EAAQyG,YAAW5B,mBAAkB6B,gBAAiBhP,KAAK2P,UAAUS,0BAGpI,OAFA1I,EAAO7I,MAAM,gBAENoP,CACX,CAOA,YAAamH,CAAOxV,GAnPxB,IAAA4F,EAoPQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,UAC9Bb,EAAK4E,OACNkD,EAAOlH,MAAM,IAAIjD,MAAM,wBAG3B,MAAM2K,QAAYlI,KAAKmU,iBAAiBjD,uBAAsB,GAE9DxJ,EAAO7I,MAAA,qCAAAmC,OAA2C,OAAAwE,EAAA5F,EAAKyV,iBAAL7P,EAAwB,uBAE1E,MAAM8C,EAAS,IAAIE,gBACnB,IAAK,MAAO7B,EAAKvH,KAAUwB,OAAO2F,QAAQ3G,GACzB,MAATR,GACAkJ,EAAOuJ,IAAIlL,EAAKvH,GAGxBkJ,EAAOuJ,IAAI,YAAa7R,KAAK2P,UAAUrM,WACnCtD,KAAK2P,UAAUpM,eACf+E,EAAOuJ,IAAI,gBAAiB7R,KAAK2P,UAAUpM,qBAGzCvD,KAAKgQ,aAAanB,SAAS3G,EAAK,CAAE4D,KAAMxD,IAC9CZ,EAAO7I,MAAM,eACjB,GCrPSyW,EAAN,MAKI9V,WAAAA,CACgBmQ,EACAwE,EACAoB,GAFA,KAAA5F,UAAAA,EACA,KAAAwE,iBAAAA,EACA,KAAAoB,eAAAA,EAPvB,KAAmB9R,QAAU,IAAInE,EAAO,qBACxC,KAAmBkW,iBAAmB,IAAItB,EAAgBlU,KAAK2P,UAAW3P,KAAKmU,kBAC/E,KAAmBsB,aAAe,IAAIhB,EAAYzU,KAAK2P,UAAW3P,KAAKmU,iBAMpE,CAEH,4BAAauB,CAAuBzH,EAA0BjF,GAC1D,MAAMtB,EAAS1H,KAAKyD,QAAQhD,OAAO,0BAEnCT,KAAK2V,oBAAoB1H,EAAUjF,GACnCtB,EAAO7I,MAAM,yBAEPmB,KAAK4V,aAAa3H,EAAUjF,GAClCtB,EAAO7I,MAAM,kBAEToP,EAAS4H,UACT7V,KAAK8V,2BAA2B7H,GAEpCvG,EAAO7I,MAAM,0BAEPmB,KAAK+V,eAAe9H,EAAU,MAAAjF,OAAA,EAAAA,EAAOgN,aAAc/H,EAAS4H,UAClEnO,EAAO7I,MAAM,mBACjB,CAEA,iCAAaoX,CAA4BhI,EAA0B+H,GAC/D,MAAMtO,EAAS1H,KAAKyD,QAAQhD,OAAO,+BAE/BwN,EAAS4H,UAAc5H,EAASiI,UAChClW,KAAK8V,2BAA2B7H,GAEpCvG,EAAO7I,MAAM,0BAEPmB,KAAK+V,eAAe9H,EAAU+H,EAAc/H,EAAS4H,UAC3DnO,EAAO7I,MAAM,mBACjB,CAEA,6BAAasX,CAAwBlI,EAA0BjF,GAC3D,MAAMtB,EAAS1H,KAAKyD,QAAQhD,OAAO,2BAEnCwN,EAAShF,UAAYD,EAAMhG,KAE3B,MAAAiL,EAAS/E,gBAAT+E,EAAS/E,cAAkBF,EAAME,eAEjC,MAAA+E,EAAS0E,QAAT1E,EAAS0E,MAAU3J,EAAM2J,OAIrB1E,EAAS4H,UAAc5H,EAASiI,WAChClW,KAAK8V,2BAA2B7H,EAAUjF,EAAMkN,UAChDxO,EAAO7I,MAAM,uBAGZoP,EAASiI,WAEVjI,EAASiI,SAAWlN,EAAMkN,SAE1BjI,EAASmI,QAAUpN,EAAMoN,SAG7B,MAAMC,EAAapI,EAAS4H,YAAc5H,EAASiI,eAC7ClW,KAAK+V,eAAe9H,GAAU,EAAOoI,GAC3C3O,EAAO7I,MAAM,mBACjB,CAEOyX,uBAAAA,CAAwBrI,EAA2BjF,GACtD,MAAMtB,EAAS1H,KAAKyD,QAAQhD,OAAO,2BAWnC,GAVIuI,EAAMuN,KAAOtI,EAASjF,OACtBtB,EAAOlH,MAAM,IAAIjD,MAAM,yBAM3BmK,EAAO7I,MAAM,mBACboP,EAAShF,UAAYD,EAAMhG,KAEvBiL,EAASjP,MAET,MADA0I,EAAO3I,KAAK,qBAAsBkP,EAASjP,OACrC,IAAI0J,EAAcuF,EAEhC,CAEU0H,mBAAAA,CAAoB1H,EAA0BjF,GACpD,MAAMtB,EAAS1H,KAAKyD,QAAQhD,OAAO,uBA8BnC,GA7BIuI,EAAMuN,KAAOtI,EAASjF,OACtBtB,EAAOlH,MAAM,IAAIjD,MAAM,yBAGtByL,EAAM1F,WACPoE,EAAOlH,MAAM,IAAIjD,MAAM,0BAGtByL,EAAMyJ,WACP/K,EAAOlH,MAAM,IAAIjD,MAAM,0BAIvByC,KAAK2P,UAAU8C,YAAczJ,EAAMyJ,WACnC/K,EAAOlH,MAAM,IAAIjD,MAAM,oDAEvByC,KAAK2P,UAAUrM,WAAatD,KAAK2P,UAAUrM,YAAc0F,EAAM1F,WAC/DoE,EAAOlH,MAAM,IAAIjD,MAAM,oDAM3BmK,EAAO7I,MAAM,mBACboP,EAAShF,UAAYD,EAAMhG,KAC3BiL,EAAS9E,UAAYH,EAAMG,UAE3B,MAAA8E,EAAS0E,QAAT1E,EAAS0E,MAAU3J,EAAM2J,OAErB1E,EAASjP,MAET,MADA0I,EAAO3I,KAAK,qBAAsBkP,EAASjP,OACrC,IAAI0J,EAAcuF,GAGxBjF,EAAMlG,gBAAkBmL,EAAShQ,MACjCyJ,EAAOlH,MAAM,IAAIjD,MAAM,6BAG/B,CAEA,oBAAgBwY,CAAe9H,GAAmF,IAAzD+H,EAAArW,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAAsB6W,IAAA7W,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,KAAAA,UAAA,GAC3E,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,kBAGnC,GAFAwN,EAASmI,QAAUpW,KAAKuV,eAAejC,qBAAqBrF,EAASmI,SAEjEJ,IAAiBhW,KAAK2P,UAAU4D,eAAiBtF,EAASrE,aAE1D,YADAlC,EAAO7I,MAAM,yBAIjB6I,EAAO7I,MAAM,qBACb,MAAM2V,QAAexU,KAAKwV,iBAAiBjB,UAAUtG,EAASrE,cAC9DlC,EAAO7I,MAAM,qDAET2X,GAAehC,EAAOiC,MAAQxI,EAASmI,QAAQK,KAC/C/O,EAAOlH,MAAM,IAAIjD,MAAM,sEAG3B0Q,EAASmI,QAAUpW,KAAKuV,eAAemB,YAAYzI,EAASmI,QAASpW,KAAKuV,eAAejC,qBAAqBkB,IAC9G9M,EAAO7I,MAAM,8CAA+CoP,EAASmI,QACzE,CAEA,kBAAgBR,CAAa3H,EAA0BjF,GACnD,MAAMtB,EAAS1H,KAAKyD,QAAQhD,OAAO,gBACnC,GAAIwN,EAAShQ,KAAM,CACfyJ,EAAO7I,MAAM,mBACb,MAAM8X,QAAsB3W,KAAKyV,aAAaf,aAAa,CACvDpR,UAAW0F,EAAM1F,UACjBC,cAAeyF,EAAMzF,cACrBtF,KAAMgQ,EAAShQ,KACf2U,aAAc5J,EAAM4J,aACpB9P,cAAekG,EAAMlG,iBAClBkG,EAAMgL,mBAEbpT,OAAO4P,OAAOvC,EAAU0I,EAC5B,MACIjP,EAAO7I,MAAM,qBAErB,CAEUiX,0BAAAA,CAA2B7H,EAA0B2I,GA7LnE,IAAApR,EA8LQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,8BAEnCiH,EAAO7I,MAAM,yBACb,MAAMgY,EAAWvS,EAASC,OAAO,OAAAiB,EAAAyI,EAASiI,UAAT1Q,EAAqB,IAMtD,GAJKqR,EAASJ,KACV/O,EAAOlH,MAAM,IAAIjD,MAAM,wCAGvBqZ,EAAe,CACf,MAAME,EAAWxS,EAASC,OAAOqS,GAC7BC,EAASJ,MAAQK,EAASL,KAC1B/O,EAAOlH,MAAM,IAAIjD,MAAM,+CAEvBsZ,EAASE,WAAaF,EAASE,YAAcD,EAASC,WACtDrP,EAAOlH,MAAM,IAAIjD,MAAM,4DAEvBsZ,EAASG,KAAOH,EAASG,MAAQF,EAASE,KAC1CtP,EAAOlH,MAAM,IAAIjD,MAAM,iDAEtBsZ,EAASG,KAAOF,EAASE,KAC1BtP,EAAOlH,MAAM,IAAIjD,MAAM,yDAE/B,CAEA0Q,EAASmI,QAAUS,CACvB,GC/MSI,EAAN,MAAMC,EASF1X,WAAAA,CAAYI,GAOfI,KAAKuW,GAAK3W,EAAK2W,IAAMpU,EAAYO,iBACjC1C,KAAKgD,KAAOpD,EAAKoD,KAEbpD,EAAKuX,SAAWvX,EAAKuX,QAAU,EAC/BnX,KAAKmX,QAAUvX,EAAKuX,QAGpBnX,KAAKmX,QAAUvQ,EAAMM,eAEzBlH,KAAKoX,aAAexX,EAAKwX,aACzBpX,KAAKmJ,UAAYvJ,EAAKuJ,SAC1B,CAEOkO,eAAAA,GAEH,OADA,IAAI/X,EAAO,SAASmB,OAAO,mBACpBwE,KAAK2J,UAAU,CAClB2H,GAAIvW,KAAKuW,GACTvT,KAAMhD,KAAKgD,KACXmU,QAASnX,KAAKmX,QACdC,aAAcpX,KAAKoX,aACnBjO,UAAWnJ,KAAKmJ,WAExB,CAEA,wBAAcmO,CAAkBC,GAE5B,OADAjY,EAAOuB,aAAa,QAAS,qBACtB8K,QAAQC,QAAQ,IAAIsL,EAAMjS,KAAKC,MAAMqS,IAChD,CAEA,4BAAoBC,CAAgBC,EAAqBC,GACrD,MAAMhQ,EAASpI,EAAOuB,aAAa,QAAS,mBACtC8W,EAAS/Q,EAAMM,eAAiBwQ,EAEhCvI,QAAasI,EAAQ1F,aAC3BrK,EAAO7I,MAAM,WAAYsQ,GAEzB,IAAK,IAAIyI,EAAI,EAAGA,EAAIzI,EAAKvR,OAAQga,IAAK,CAClC,MAAMjR,EAAMwI,EAAKyI,GACXtJ,QAAamJ,EAAQpJ,IAAI1H,GAC/B,IAAImL,GAAS,EAEb,GAAIxD,EACA,IACI,MAAMtF,QAAckO,EAAMI,kBAAkBhJ,GAE5C5G,EAAO7I,MAAM,qBAAsB8H,EAAKqC,EAAMmO,SAC1CnO,EAAMmO,SAAWQ,IACjB7F,GAAS,EAEjB,OACOxT,GACHoJ,EAAO1I,MAAM,+BAAgC2H,EAAKrI,GAClDwT,GAAS,CACb,MAGApK,EAAO7I,MAAM,8BAA+B8H,GAC5CmL,GAAS,EAGTA,IACApK,EAAO7I,MAAM,wBAAyB8H,GACjC8Q,EAAQ3F,OAAOnL,GAE5B,CACJ,GCxDSkR,EAAN,MAAMC,UAAoBb,EAyBrBzX,WAAAA,CAAYI,GAChBwH,MAAMxH,GAENI,KAAK8C,cAAgBlD,EAAKkD,cAC1B9C,KAAK+X,eAAiBnY,EAAKmY,eAC3B/X,KAAKyS,UAAY7S,EAAK6S,UACtBzS,KAAKsD,UAAY1D,EAAK0D,UACtBtD,KAAK4S,aAAehT,EAAKgT,aACzB5S,KAAK2S,MAAQ/S,EAAK+S,MAClB3S,KAAKuD,cAAgB3D,EAAK2D,cAC1BvD,KAAKgU,iBAAmBpU,EAAKoU,iBAE7BhU,KAAKqT,cAAgBzT,EAAKyT,cAC1BrT,KAAKgW,aAAepW,EAAKoW,YAC7B,CAEA,mBAAoBvV,CAAOb,GACvB,MAAMkD,GAAuC,IAAvBlD,EAAKkD,cAAyBX,EAAYS,uBAA0BhD,EAAKkD,oBAAiB,EAC1GiV,EAAiBjV,QAAuBX,EAAYU,sBAAsBC,QAAkB,EAElG,OAAO,IAAIgV,EAAY,IAChBlY,EACHkD,gBACAiV,kBAER,CAEOV,eAAAA,GAEH,OADA,IAAI/X,EAAO,eAAemB,OAAO,mBAC1BwE,KAAK2J,UAAU,CAClB2H,GAAIvW,KAAKuW,GACTvT,KAAMhD,KAAKgD,KACXmU,QAASnX,KAAKmX,QACdC,aAAcpX,KAAKoX,aACnBjO,UAAWnJ,KAAKmJ,UAEhBrG,cAAe9C,KAAK8C,cACpB2P,UAAWzS,KAAKyS,UAChBnP,UAAWtD,KAAKsD,UAChBsP,aAAc5S,KAAK4S,aACnBD,MAAO3S,KAAK2S,MACZpP,cAAevD,KAAKuD,cACpByQ,iBAAmBhU,KAAKgU,iBACxBX,cAAerT,KAAKqT,cACpB2C,aAAchW,KAAKgW,cAE3B,CAEA,wBAAcsB,CAAkBC,GAC5BjY,EAAOuB,aAAa,cAAe,qBACnC,MAAMmC,EAAOiC,KAAKC,MAAMqS,GACxB,OAAOO,EAAYrX,OAAOuC,EAC9B,GC7DSgV,EAAN,MAAMA,EAMDxY,WAAAA,CAAYI,GAIhBI,KAAKkI,IAAMtI,EAAKsI,IAChBlI,KAAKgJ,MAAQpJ,EAAKoJ,KACtB,CAEA,mBAAoBvI,CAAAwX,GAWgC,IAXzB,IAEvB/P,EAAA,UAAKuK,EAAA,UAAWnP,EAAA,aAAWsP,EAAA,cAAcF,EAAA,MAAeC,EAAA,WAExDuF,EAAA,cAAY7E,EAAA,aAAe+D,EAAA,cAAc7T,EAAA,MAAe4U,EAAA,UAAOhP,EAAA,SAC/DiK,EAAA,aACA4C,EAAA,iBACAjC,EAAA,iBACAC,EAAA,YACAL,KACGyE,GACPH,EACI,IAAK/P,EAED,MADAlI,KAAKyD,QAAQzE,MAAM,yBACb,IAAIzB,MAAM,OAEpB,IAAK+F,EAED,MADAtD,KAAKyD,QAAQzE,MAAM,+BACb,IAAIzB,MAAM,aAEpB,IAAKqV,EAED,MADA5S,KAAKyD,QAAQzE,MAAM,kCACb,IAAIzB,MAAM,gBAEpB,IAAKmV,EAED,MADA1S,KAAKyD,QAAQzE,MAAM,mCACb,IAAIzB,MAAM,iBAEpB,IAAKoV,EAED,MADA3S,KAAKyD,QAAQzE,MAAM,2BACb,IAAIzB,MAAM,SAEpB,IAAKkV,EAED,MADAzS,KAAKyD,QAAQzE,MAAM,+BACb,IAAIzB,MAAM,aAGpB,MAAMyL,QAAc6O,EAAYpX,OAAO,CACnCuC,KAAMkV,EACNd,eACAjO,YACArG,eAAgB6Q,EAChBrQ,YAAWmP,YAAWG,eACtBS,gBACA9P,gBAAeoP,QAAOqB,mBACtBgC,iBAGE7K,EAAY,IAAI5C,IAAIL,GAC1BiD,EAAUkN,aAAaxD,OAAO,YAAavR,GAC3C6H,EAAUkN,aAAaxD,OAAO,eAAgBjC,GAC9CzH,EAAUkN,aAAaxD,OAAO,gBAAiBnC,GAC/CvH,EAAUkN,aAAaxD,OAAO,QAASlC,GACnCwF,GACAhN,EAAUkN,aAAaxD,OAAO,QAASsD,GAG3C,IAAIG,EAAatP,EAAMuN,GAUvB,GATIpN,IACAmP,EAAA,GAAAtX,OAAgBsX,GAAUtX,OfxGH,KewGyBA,OAAGmI,IAEvDgC,EAAUkN,aAAaxD,OAAO,QAASyD,GACnCtP,EAAM+O,iBACN5M,EAAUkN,aAAaxD,OAAO,iBAAkB7L,EAAM+O,gBACtD5M,EAAUkN,aAAaxD,OAAO,wBAAyB,SAGvDzB,EAAU,EAEQvT,MAAM0R,QAAQ6B,GAAYA,EAAW,CAACA,IAEnD/D,SAAQkJ,GAAKpN,EAAUkN,aAAaxD,OAAO,WAAY0D,IAChE,CAEA,IAAK,MAAO5R,EAAKvH,KAAUwB,OAAO2F,QAAQ,CAAE8M,mBAAkB+E,KAAmBrE,IAChE,MAAT3U,GACA+L,EAAUkN,aAAaxD,OAAOlO,EAAKvH,EAAMjB,YAIjD,OAAO,IAAI6Z,EAAc,CACrB9P,IAAKiD,EAAUO,KACf1C,SAER,GAlGSgP,EACevU,QAAU,IAAInE,EAAO,iBAD1C,IAAMkZ,EAANR,ECrCMS,EAAN,MAsCIjZ,WAAAA,CAAY8I,GAGf,GApBJ,KAAOsB,aAAe,GAEtB,KAAO8O,WAAa,GAapB,KAAOtC,QAAuB,CAAC,EAG3BpW,KAAKgJ,MAAQV,EAAO+F,IAAI,SACxBrO,KAAKkJ,cAAgBZ,EAAO+F,IAAI,iBAC5BrO,KAAKgJ,MAAO,CACZ,MAAM2P,EAAa9a,mBAAmBmC,KAAKgJ,OAAOnE,MhBpC3B,KgBqCvB7E,KAAKgJ,MAAQ2P,EAAW,GACpBA,EAAW/a,OAAS,IACpBoC,KAAKmJ,UAAYwP,EAAWlQ,MAAM,GAAGvG,KhBvClB,KgByC3B,CAEAlC,KAAKhB,MAAQsJ,EAAO+F,IAAI,SACxBrO,KAAK8I,kBAAoBR,EAAO+F,IAAI,qBACpCrO,KAAK+I,UAAYT,EAAO+F,IAAI,aAE5BrO,KAAK/B,KAAOqK,EAAO+F,IAAI,OAC3B,CAEA,cAAWxE,GACP,QAAwB,IAApB7J,KAAK4Y,WAGT,OAAO5Y,KAAK4Y,WAAahS,EAAMM,cACnC,CACA,cAAW2C,CAAWzK,GAEG,kBAAVA,IAAoBA,EAAQyZ,OAAOzZ,SAChC,IAAVA,GAAuBA,GAAS,IAChCY,KAAK4Y,WAAa9S,KAAKuB,MAAMjI,GAASwH,EAAMM,eAEpD,CAEA,YAAW2O,GAnFf,IAAArQ,EAoFQ,OAAO,OAAAA,EAAAxF,KAAK2S,YAAL,EAAAnN,EAAYX,MAAM,KAAK0K,SA9EpB,cA8E6CvP,KAAKkW,QAChE,GCxDS4C,EAAN,MAMItZ,WAAAA,CAAAuZ,GAGgB,IAHJ,IACf7Q,EAAA,WACAgQ,EAAA,cAAYc,EAAA,yBAAenG,EAAA,iBAA0BkB,EAAA,aAAkBqD,EAAA,UAAc9T,GACzFyV,EACI,GATJ,KAAiBtV,QAAU,IAAInE,EAAO,mBAS7B4I,EAED,MADAlI,KAAKyD,QAAQzE,MAAM,uBACb,IAAIzB,MAAM,OAGpB,MAAM4N,EAAY,IAAI5C,IAAIL,GACtB8Q,GACA7N,EAAUkN,aAAaxD,OAAO,gBAAiBmE,GAE/C1V,GACA6H,EAAUkN,aAAaxD,OAAO,YAAavR,GAG3CuP,IACA1H,EAAUkN,aAAaxD,OAAO,2BAA4BhC,GAEtDqF,IACAlY,KAAKgJ,MAAQ,IAAIiO,EAAM,CAAEjU,KAAMkV,EAAYd,iBAE3CjM,EAAUkN,aAAaxD,OAAO,QAAS7U,KAAKgJ,MAAMuN,MAI1D,IAAK,MAAO5P,EAAKvH,KAAUwB,OAAO2F,QAAQ,IAAKwN,IAC9B,MAAT3U,GACA+L,EAAUkN,aAAaxD,OAAOlO,EAAKvH,EAAMjB,YAIjD6B,KAAKkI,IAAMiD,EAAUO,IACzB,GC9DSuN,EAAN,MAcIzZ,WAAAA,CAAY8I,GACftI,KAAKgJ,MAAQV,EAAO+F,IAAI,SAExBrO,KAAKhB,MAAQsJ,EAAO+F,IAAI,SACxBrO,KAAK8I,kBAAoBR,EAAO+F,IAAI,qBACpCrO,KAAK+I,UAAYT,EAAO+F,IAAI,YAChC,GCVE6K,EAAwB,CAC1B,MACA,MACA,YACA,QACA,MACA,MACA,MACA,WASEC,EAAiC,CAAC,MAAO,MAAO,MAAO,MAAO,OAKvDC,EAAN,MAEI5Z,WAAAA,CACgBmQ,GAAA,KAAAA,UAAAA,EAFvB,KAAmBlM,QAAU,IAAInE,EAAO,gBAGrC,CAEIgU,oBAAAA,CAAqBkB,GACxB,MAAM6E,EAAS,IAAK7E,GAEpB,GAAIxU,KAAK2P,UAAU2D,qBAAsB,CACrC,IAAIgG,EAEAA,EADAzZ,MAAM0R,QAAQvR,KAAK2P,UAAU2D,sBACZtT,KAAK2P,UAAU2D,qBAEf4F,EAGrB,IAAK,MAAMK,KAASD,EACXH,EAA+B5J,SAASgK,WAClCF,EAAOE,EAG1B,CAEA,OAAOF,CACX,CAGO3C,WAAAA,CAAY8C,EAAsBC,GACrC,MAAMJ,EAAS,IAAKG,GACpB,IAAK,MAAOD,EAAOG,KAAW9Y,OAAO2F,QAAQkT,GACzC,GAAIJ,EAAOE,KAAWG,EAClB,GAAI7Z,MAAM0R,QAAQ8H,EAAOE,KAAW1Z,MAAM0R,QAAQmI,GAC9C,GAAgD,WAA5C1Z,KAAK2P,UAAU8D,oBAAoBC,MACnC2F,EAAOE,GAASG,MACb,CACH,MAAMC,EAAe9Z,MAAM0R,QAAQ8H,EAAOE,IAAUF,EAAOE,GAAsB,CAACF,EAAOE,IACzF,IAAK,MAAMna,KAASS,MAAM0R,QAAQmI,GAAUA,EAAS,CAACA,GAC7CC,EAAapK,SAASnQ,IACvBua,EAAa9V,KAAKzE,GAG1Bia,EAAOE,GAASI,CACpB,KACgC,kBAAlBN,EAAOE,IAAyC,kBAAXG,EACnDL,EAAOE,GAASvZ,KAAK0W,YAAY2C,EAAOE,GAAqBG,GAE7DL,EAAOE,GAASG,EAK5B,OAAOL,CACX,GCvBSO,EAAN,MAWIpa,WAAAA,CAAYqa,EAAwDC,GAT3E,KAAmBrW,QAAU,IAAInE,EAAO,cAUpCU,KAAK6Z,SAAWA,aAAoBtH,EAA0BsH,EAAW,IAAItH,EAAwBsH,GAErG7Z,KAAK8Z,gBAAkB,MAAAA,EAAAA,EAAmB,IAAIpK,EAAgB1P,KAAK6Z,UACnE7Z,KAAKuV,eAAiB,IAAI6D,EAAcpZ,KAAK6Z,UAC7C7Z,KAAK+Z,WAAa,IAAIzE,EAAkBtV,KAAK6Z,SAAU7Z,KAAK8Z,gBAAiB9Z,KAAKuV,gBAClFvV,KAAKyV,aAAe,IAAIhB,EAAYzU,KAAK6Z,SAAU7Z,KAAK8Z,gBAC5D,CAEA,yBAAaE,CAAAC,GAsBuC,IAtBnB,MAC7BjR,EAAA,QACAkR,EAAA,YACAC,EAAA,aACA/C,EAAA,cACA4B,EAAA,WACAoB,EAAA,aACApE,EAAA,MACAmC,EAAA,UACAhP,EAAA,cACAuJ,EAAgB1S,KAAK6Z,SAASnH,cAAA,MAC9BC,EAAQ3S,KAAK6Z,SAASlH,MAAA,aACtBC,EAAe5S,KAAK6Z,SAASjH,aAAA,OAC7BG,EAAS/S,KAAK6Z,SAAS9G,OAAA,QACvBC,EAAUhT,KAAK6Z,SAAS7G,QAAA,QACxBC,EAAUjT,KAAK6Z,SAAS5G,QAAA,WACxBC,EAAalT,KAAK6Z,SAAS3G,WAAA,WAC3BC,EAAanT,KAAK6Z,SAAS1G,WAAA,SAC3BC,EAAWpT,KAAK6Z,SAASzG,SAAA,cACzBC,EAAgBrT,KAAK6Z,SAASxG,cAAA,iBAC9BU,EAAmB/T,KAAK6Z,SAAS9F,iBAAA,iBACjCC,EAAmBhU,KAAK6Z,SAAS7F,kBACrCiG,EACI,MAAMvS,EAAS1H,KAAKyD,QAAQhD,OAAO,uBAEnC,GAAsB,SAAlBiS,EACA,MAAM,IAAInV,MAAM,6DAGpB,MAAM2K,QAAYlI,KAAK8Z,gBAAgBlJ,2BACvClJ,EAAO7I,MAAM,kCAAmCqJ,GAEhD,MAAMmS,QAAsB7B,EAAc/X,OAAO,CAC7CyH,MACAuK,UAAWzS,KAAK6Z,SAASpH,UACzBnP,UAAWtD,KAAK6Z,SAASvW,UACzBsP,eACAF,gBACAC,QACAuF,WAAYlP,EACZG,YACA4J,SAAQC,UAASC,UAASC,aAAY8F,gBAAeoB,aAAYjH,aACjEC,WAAU8G,UAASC,cAAapG,mBAAkBC,mBAAkBoD,eAAc/D,gBAClF9P,cAAevD,KAAK6Z,SAAStW,cAC7ByS,eACAmC,QACAxE,YAAa3T,KAAK6Z,SAASlG,oBAIzB3T,KAAKwX,kBAEX,MAAM8C,EAAcD,EAAcrR,MAElC,aADMhJ,KAAK6Z,SAASjG,WAAW/B,IAAIyI,EAAY/D,GAAI+D,EAAYjD,mBACxDgD,CACX,CAEA,6BAAaE,CAAwBrS,GAA6F,IAAhFsS,EAAA7a,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAC9C,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,2BAE7BwN,EAAW,IAAIwK,EAAezQ,EAASC,WAAWC,EAAKlI,KAAK6Z,SAASxG,gBAC3E,IAAKpF,EAASjF,MAGV,MAFAtB,EAAOlH,MAAM,IAAIjD,MAAM,yBAEjB,KAGV,MAAMkd,QAA0Bza,KAAK6Z,SAASjG,WAAW4G,EAAc,SAAW,OAAOvM,EAASjF,OAClG,IAAKyR,EAED,MADA/S,EAAOlH,MAAM,IAAIjD,MAAM,uCACjB,KAIV,MAAO,CAAEyL,YADW6O,EAAYP,kBAAkBmD,GAClCxM,WACpB,CAEA,2BAAayM,CAAsBxS,GAC/B,MAAMR,EAAS1H,KAAKyD,QAAQhD,OAAO,0BAE7B,MAAEuI,EAAA,SAAOiF,SAAmBjO,KAAKua,wBAAwBrS,GAAK,GAGpE,OAFAR,EAAO7I,MAAM,0DACPmB,KAAK+Z,WAAWrE,uBAAuBzH,EAAUjF,GAChDiF,CACX,CAEA,6CAAa0M,CAAAC,GAK4D,IALpB,SACjDC,EAAA,SACAC,EAAA,aACA9E,GAAe,EAAK,iBACpBhC,EAAmB,CAAC,GACxB4G,EACI,MAAMjE,QAA+C3W,KAAKyV,aAAaX,oBAAoB,CAAE+F,WAAUC,cAAa9G,IAC9G+G,EAAiC,IAAItC,EAAe,IAAIjQ,iBAG9D,OAFA5H,OAAO4P,OAAOuK,EAAgBpE,SACxB3W,KAAK+Z,WAAW9D,4BAA4B8E,EAAgB/E,GAC3D+E,CACX,CAEA,qBAAaC,CAAAC,GAMoC,IANpB,MACzBjS,EAAA,aACA4J,EAAA,SACAQ,EAAA,iBACAjG,EAAA,iBACA6G,GACJiH,EAlMJ,IAAAzV,EAmMQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,mBAKnC,IAAIkS,EACJ,QAA+C,IAA3C3S,KAAK6Z,SAAS/F,yBACdnB,EAAQ3J,EAAM2J,UACX,CACH,MAAMuI,EAAkBlb,KAAK6Z,SAAS/F,yBAAyBjP,MAAM,KAGrE8N,IAFuB,OAAAnN,EAAAwD,EAAM2J,YAAN,EAAAnN,EAAaX,MAAM,OAAQ,IAE3B2B,QAAO2U,GAAKD,EAAgB3L,SAAS4L,KAAIjZ,KAAK,IACzE,CAEA,MAAMmX,QAAerZ,KAAKyV,aAAaT,qBAAqB,CACxDE,cAAelM,EAAMkM,cAErBvC,QACAC,eACAQ,WACAjG,sBACG6G,IAED/F,EAAW,IAAIwK,EAAe,IAAIjQ,iBASxC,OARA5H,OAAO4P,OAAOvC,EAAUoL,GACxB3R,EAAO7I,MAAM,sBAAuBoP,SAC9BjO,KAAK+Z,WAAW5D,wBAAwBlI,EAAU,IACjDjF,EAGH2J,UAEG1E,CACX,CAEA,0BAAamN,GAO8C,IAPzB,MAC9BpS,EAAA,cACAgQ,EAAA,UACA1V,EAAA,aACA8T,EAAA,yBACAvE,EAA2B7S,KAAK6Z,SAAShH,yBAAA,iBACzCkB,EAAmB/T,KAAK6Z,SAAS9F,kBACrCpU,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA8B,CAAC,EAC3B,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,wBAE7ByH,QAAYlI,KAAK8Z,gBAAgB7I,wBACvC,IAAK/I,EAED,MADAR,EAAOlH,MAAM,IAAIjD,MAAM,4BACjB,KAGVmK,EAAO7I,MAAM,gCAAiCqJ,GAGzC5E,IAAauP,GAA6BmG,IAC3C1V,EAAYtD,KAAK6Z,SAASvW,WAG9B,MAAM4W,EAAU,IAAIpB,EAAe,CAC/B5Q,MACA8Q,gBACA1V,YACAuP,2BACAqF,WAAYlP,EACZ+K,mBACAqD,uBAIEpX,KAAKwX,kBAEX,MAAM6D,EAAenB,EAAQlR,MAM7B,OALIqS,IACA3T,EAAO7I,MAAM,8CACPmB,KAAK6Z,SAASjG,WAAW/B,IAAIwJ,EAAa9E,GAAI8E,EAAahE,oBAG9D6C,CACX,CAEA,8BAAaoB,CAAyBpT,GAAoG,IAAvFsS,EAAA7a,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAC/C,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,4BAE7BwN,EAAW,IAAIgL,EAAgBjR,EAASC,WAAWC,EAAKlI,KAAK6Z,SAASxG,gBAC5E,IAAKpF,EAASjF,MAAO,CAGjB,GAFAtB,EAAO7I,MAAM,wBAEToP,EAASjP,MAET,MADA0I,EAAO3I,KAAK,sBAAuBkP,EAASjP,OACtC,IAAI0J,EAAcuF,GAG5B,MAAO,CAAEjF,WAAO,EAAWiF,WAC/B,CAEA,MAAMwM,QAA0Bza,KAAK6Z,SAASjG,WAAW4G,EAAc,SAAW,OAAOvM,EAASjF,OAClG,IAAKyR,EAED,MADA/S,EAAOlH,MAAM,IAAIjD,MAAM,uCACjB,KAIV,MAAO,CAAEyL,YADWiO,EAAMK,kBAAkBmD,GAC5BxM,WACpB,CAEA,4BAAasN,CAAuBrT,GAChC,MAAMR,EAAS1H,KAAKyD,QAAQhD,OAAO,2BAE7B,MAAEuI,EAAA,SAAOiF,SAAmBjO,KAAKsb,yBAAyBpT,GAAK,GAQrE,OAPIc,GACAtB,EAAO7I,MAAM,oDACbmB,KAAK+Z,WAAWzD,wBAAwBrI,EAAUjF,IAElDtB,EAAO7I,MAAM,uDAGVoP,CACX,CAEOuJ,eAAAA,GAEH,OADAxX,KAAKyD,QAAQhD,OAAO,mBACbwW,EAAMO,gBAAgBxX,KAAK6Z,SAASjG,WAAY5T,KAAK6Z,SAASrG,uBACzE,CAEA,iBAAagI,CAAYhX,EAAeiX,GAEpC,OADAzb,KAAKyD,QAAQhD,OAAO,qBACPT,KAAKyV,aAAaL,OAAO,CAClC5Q,QACA6Q,gBAAiBoG,GAEzB,GC3TSC,EAAN,MAMIlc,WAAAA,CAA6Bmc,GAAA,KAAAA,aAAAA,EALpC,KAAiBlY,QAAU,IAAInE,EAAO,kBAyCtC,KAAUsc,OAASvH,UAMf,MAAMnL,EAAgB2S,EAAK3S,cAC3B,IAAKA,EACD,OAEJ,MAAMxB,EAAS1H,KAAKyD,QAAQhD,OAAO,UAWnC,GATIob,EAAKzF,SACLpW,KAAK8b,KAAOD,EAAKzF,QAAQK,IACzB/O,EAAO7I,MAAM,gBAAiBqK,EAAe,QAASlJ,KAAK8b,QAG3D9b,KAAK8b,UAAO,EACZpU,EAAO7I,MAAM,gBAAiBqK,EAAe,qBAG7ClJ,KAAK+b,oBACL/b,KAAK+b,oBAAoB9P,MAAM/C,QAInC,IACI,MAAMhB,QAAYlI,KAAK2b,aAAa7B,gBAAgB9I,wBACpD,GAAI9I,EAAK,CACLR,EAAO7I,MAAM,qCAEb,MAAMyE,EAAYtD,KAAK2b,aAAa9B,SAASvW,UACvC0Y,EAAoBhc,KAAK2b,aAAa9B,SAASoC,8BAC/CC,EAAclc,KAAK2b,aAAa9B,SAASsC,wBAEzCC,EAAqB,IAAI9R,EAAmBtK,KAAKgH,UAAW1D,EAAW4E,EAAK8T,EAAmBE,SAC/FE,EAAmB1S,OACzB1J,KAAK+b,oBAAsBK,EAC3BA,EAAmBnQ,MAAM/C,EAC7B,MAEIxB,EAAO3I,KAAK,gDAEpB,OACOT,GAEHoJ,EAAO1I,MAAM,oCAAqCV,aAAef,MAAQe,EAAI0G,QAAU1G,EAC3F,GAGJ,KAAU+d,MAAQ,KACd,MAAM3U,EAAS1H,KAAKyD,QAAQhD,OAAO,SAOnC,GANAT,KAAK8b,UAAO,EAER9b,KAAK+b,qBACL/b,KAAK+b,oBAAoB7Q,OAGzBlL,KAAK2b,aAAa9B,SAASyC,wBAAyB,CAIpD,MAAMC,EAAczU,aAAYuM,UAC5BtM,cAAcwU,GAEd,IACI,MAAMC,QAAgBxc,KAAK2b,aAAac,qBACxC,GAAID,EAAS,CACT,MAAME,EAAU,CACZxT,cAAesT,EAAQtT,cACvBkN,QAASoG,EAAQ/F,IAAM,CACnBA,IAAK+F,EAAQ/F,KACb,MAEHzW,KAAK4b,OAAOc,EACrB,CACJ,OACOpe,GAEHoJ,EAAO1I,MAAM,gCAAiCV,aAAef,MAAQe,EAAI0G,QAAU1G,EACvF,IACD,IACP,GAGJ,KAAU0I,UAAYqN,UAClB,MAAM3M,EAAS1H,KAAKyD,QAAQhD,OAAO,aACnC,IACI,MAAM+b,QAAgBxc,KAAK2b,aAAac,qBACxC,IAAIE,GAAa,EAEbH,GAAWxc,KAAK+b,oBACZS,EAAQ/F,MAAQzW,KAAK8b,MACrBa,GAAa,EACb3c,KAAK+b,oBAAoB9P,MAAMuQ,EAAQtT,eAEvCxB,EAAO7I,MAAM,4GAA6G2d,EAAQtT,qBAC5HlJ,KAAK2b,aAAaiB,OAAOC,4BAG/BnV,EAAO7I,MAAM,mCAAoC2d,EAAQ/F,KAI7D/O,EAAO7I,MAAM,oCAGb8d,EACI3c,KAAK8b,WACC9b,KAAK2b,aAAaiB,OAAOE,4BAGzB9c,KAAK2b,aAAaiB,OAAOG,qBAGnCrV,EAAO7I,MAAM,mDAErB,OACOP,GACC0B,KAAK8b,OACLpU,EAAO7I,MAAM,oEAAqEP,SAC5E0B,KAAK2b,aAAaiB,OAAOE,sBAEvC,GA9JKnB,GACD3b,KAAKyD,QAAQjD,MAAM,IAAIjD,MAAM,2BAGjCyC,KAAK2b,aAAaiB,OAAOI,cAAchd,KAAK4b,QAC5C5b,KAAK2b,aAAaiB,OAAOK,gBAAgBjd,KAAKqc,OAE9Crc,KAAKkd,QAAQC,OAAO7e,IAEhB0B,KAAKyD,QAAQzE,MAAMV,EAAI,GAE/B,CAEA,WAAgB4e,GACZld,KAAKyD,QAAQhD,OAAO,SACpB,MAAMob,QAAa7b,KAAK2b,aAAayB,UAGrC,GAAIvB,EACK7b,KAAK4b,OAAOC,QACrB,GACS7b,KAAK2b,aAAa9B,SAASyC,wBAAyB,CACzD,MAAME,QAAgBxc,KAAK2b,aAAac,qBACxC,GAAID,EAAS,CACT,MAAME,EAAU,CACZxT,cAAesT,EAAQtT,cACvBkN,QAASoG,EAAQ/F,IAAM,CACnBA,IAAK+F,EAAQ/F,KACb,MAEHzW,KAAK4b,OAAOc,EACrB,CACJ,CACJ,GCnCSW,EAAN,MAAMC,EAuCF9d,WAAAA,CAAYI,GAvDvB,IAAA4F,EAmEQxF,KAAKkW,SAAWtW,EAAKsW,SACrBlW,KAAKkJ,cAAgB,OAAA1D,EAAA5F,EAAKsJ,eAAL1D,EAAsB,KAC3CxF,KAAK4J,aAAehK,EAAKgK,aACzB5J,KAAKkV,cAAgBtV,EAAKsV,cAE1BlV,KAAK0Y,WAAa9Y,EAAK8Y,WACvB1Y,KAAK2S,MAAQ/S,EAAK+S,MAClB3S,KAAKoW,QAAUxW,EAAKwW,QACpBpW,KAAK4Y,WAAahZ,EAAKgZ,WACvB5Y,KAAKgJ,MAAQpJ,EAAKqJ,UAClBjJ,KAAKmJ,UAAYvJ,EAAKuJ,SAC1B,CAGA,cAAWU,GACP,QAAwB,IAApB7J,KAAK4Y,WAGT,OAAO5Y,KAAK4Y,WAAahS,EAAMM,cACnC,CAEA,cAAW2C,CAAWzK,QACJ,IAAVA,IACAY,KAAK4Y,WAAa9S,KAAKuB,MAAMjI,GAASwH,EAAMM,eAEpD,CAGA,WAAW8C,GACP,MAAMH,EAAa7J,KAAK6J,WACxB,QAAmB,IAAfA,EAGJ,OAAOA,GAAc,CACzB,CAGA,UAAW0T,GAxGf,IAAA/X,EAAAoD,EAyGQ,OAAO,OAAAA,EAAA,OAAApD,EAAAxF,KAAK2S,YAAL,EAAAnN,EAAYX,MAAM,MAAlB+D,EAA0B,EACrC,CAEOyO,eAAAA,GAEH,OADA,IAAI/X,EAAO,QAAQmB,OAAO,mBACnBwE,KAAK2J,UAAU,CAClBsH,SAAUlW,KAAKkW,SACfhN,cAAelJ,KAAKkJ,cACpBU,aAAc5J,KAAK4J,aACnBsL,cAAelV,KAAKkV,cACpBwD,WAAY1Y,KAAK0Y,WACjB/F,MAAO3S,KAAK2S,MACZyD,QAASpW,KAAKoW,QACdwC,WAAY5Y,KAAK4Y,YAEzB,CAEA,wBAActB,CAAkBC,GAE5B,OADAjY,EAAOuB,aAAa,OAAQ,qBACrB,IAAIyc,EAAKrY,KAAKC,MAAMqS,GAC/B,GCvHEiG,EAAgB,cAcAC,EAAf,MAAAje,WAAAA,GAEH,KAAmBke,OAAS,IAAIla,EAAuB,6BACvD,KAAmBma,iBAAmB,IAAIC,IAE1C,KAAUC,QAA8B,KAExC,cAAaC,CAASxV,GAClB,MAAMZ,EAAS1H,KAAKyD,QAAQhD,OAAO,YACnC,IAAKT,KAAK6d,QACN,MAAM,IAAItgB,MAAM,8CAGpBmK,EAAO7I,MAAM,yBACbmB,KAAK6d,QAAQE,SAASpgB,QAAQ2K,EAAOJ,KAErC,MAAM,IAAEA,EAAA,SAAK8V,SAAmB,IAAIrS,SAAqB,CAACC,EAASqS,KAC/D,MAAMC,EAAYnZ,IArC9B,IAAAS,EAsCgB,MAAMxC,EAAgC+B,EAAE/B,KAClC6H,EAAS,OAAArF,EAAA8C,EAAO6V,cAAP3Y,EAAuBG,OAAOoY,SAASlT,OACtD,GAAI9F,EAAE8F,SAAWA,IAAU,MAAA7H,OAAA,EAAAA,EAAM+H,UAAWyS,EAA5C,CAIA,IACI,MAAMxU,EAAQhB,EAASC,WAAWjF,EAAKkF,IAAKI,EAAO+K,eAAehF,IAAI,SAItE,GAHKrF,GACDtB,EAAO3I,KAAK,kCAEZgG,EAAEgG,SAAW/K,KAAK6d,SAAW7U,IAAUV,EAAOU,MAG9C,MAER,OACO1K,GACH0B,KAAKoe,WACLH,EAAO,IAAI1gB,MAAM,gCACrB,CACAqO,EAAQ5I,EAhBR,CAgBa,EAEjB2C,OAAOqG,iBAAiB,UAAWkS,GAAU,GAC7Cle,KAAK2d,iBAAiBU,KAAI,IAAM1Y,OAAO2Y,oBAAoB,UAAWJ,GAAU,KAChFle,KAAK2d,iBAAiBU,IAAIre,KAAK0d,OAAO/Z,YAAY4a,IAC9Cve,KAAKoe,WACLH,EAAOM,EAAO,IACf,IASP,OAPA7W,EAAO7I,MAAM,4BACbmB,KAAKoe,WAEAJ,GACDhe,KAAKwe,QAGF,CAAEtW,MACb,CAIQkW,QAAAA,GACJpe,KAAKyD,QAAQhD,OAAO,YAEpB,IAAK,MAAMge,KAAWze,KAAK2d,iBACvBc,IAEJze,KAAK2d,iBAAiBrR,OAC1B,CAEA,oBAAiBoS,CAAcC,EAAgBzW,GAA4E,IAA/D8V,EAAAre,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAAkBif,EAAAjf,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAegG,OAAOoY,SAASlT,OACzG8T,EAAOxS,YAAY,CACfpB,OAAQyS,EACRtV,MACA8V,YACcY,EACtB,GCvFSC,EAAkD,CAC3Dd,UAAU,EACVe,SAAS,EACT5Y,OAAQ,IACR6Y,gCAAiC,GAExBC,EAAqB,SAC5BC,EAAsD,GACtDC,EAAuC,EAChCC,EAAuC,GA4EvCC,GAAN,cAAuC7M,EA+BnC/S,WAAAA,CAAYI,GACf,MAAM,mBACFyf,EAAqBzf,EAAKgT,aAAA,+BAC1B0M,EAAiC1f,EAAKiT,yBAAA,oBACtC0M,EAAsBV,EAAA,kBACtBW,EAAoBR,EAAA,eACpBS,EAAiB,SAAQ,eACzBC,EAAiB,OAAM,yBAEvBC,EAA2B/f,EAAK+f,yBAAA,mBAChCC,EAAqBhgB,EAAKggB,mBAAA,oBAE1BC,EAAsBjgB,EAAKgT,aAAA,8BAC3BkN,EAAgCX,EAAA,qBAChCY,GAAuB,EAAI,yBAC3BC,GAA2B,EAAI,4BAC/BC,GAA8B,EAAK,eAEnCC,GAAiB,EAAK,wBACtB5D,GAA0B,EAAK,8BAC/BL,EAAgCiD,EAAA,2BAChCiB,EAA6B,OAAM,wBACnChE,GAA0B,EAAI,iBAE9BiE,EAAmB,CAAC,eAAgB,iBAAgB,sBACpDC,GAAwB,EAAK,8BAC7BC,GAAgC,EAAK,6CAErCC,EAA+CtB,EAAA,UAE/CuB,GACA5gB,EAgCJ,GA9BAwH,MAAMxH,GAENI,KAAKqf,mBAAqBA,EAC1Brf,KAAKsf,+BAAiCA,EACtCtf,KAAKuf,oBAAsBA,EAC3Bvf,KAAKwf,kBAAoBA,EACzBxf,KAAKyf,eAAiBA,EACtBzf,KAAK0f,eAAiBA,EAEtB1f,KAAK2f,yBAA2BA,EAChC3f,KAAK4f,mBAAqBA,EAE1B5f,KAAK6f,oBAAsBA,EAC3B7f,KAAK8f,8BAAgCA,EACrC9f,KAAK+f,qBAAuBA,EAC5B/f,KAAKggB,yBAA2BA,EAChChgB,KAAKigB,4BAA8BA,EAEnCjgB,KAAKkgB,eAAiBA,EACtBlgB,KAAKsc,wBAA0BA,EAC/Btc,KAAKic,8BAAgCA,EACrCjc,KAAKmc,wBAA0BA,EAC/Bnc,KAAKmgB,2BAA6BA,EAElCngB,KAAKogB,iBAAmBA,EACxBpgB,KAAKqgB,sBAAwBA,EAC7BrgB,KAAKsgB,8BAAgCA,EAErCtgB,KAAKugB,6CAA+CA,EAEhDC,EACAxgB,KAAKwgB,UAAYA,MAEhB,CACD,MAAM/O,EAA0B,qBAAX9L,OAAyBA,OAAO8a,eAAiB,IAAIrU,EAC1EpM,KAAKwgB,UAAY,IAAIhP,EAAqB,CAAEC,SAChD,CACJ,GC/KSiP,GAAN,MAAMC,UAAqBlD,EAKvBje,WAAAA,CAAAohB,GAEgB,IAFJ,8BACfd,EAAgCX,GACpCyB,EACIxZ,QAPJ,KAAmB3D,QAAU,IAAInE,EAAO,gBAQpCU,KAAK6gB,kBAAoBf,EAEzB9f,KAAKgL,OAAS2V,EAAaG,qBAC3B9gB,KAAK6d,QAAU7d,KAAKgL,OAAOC,aAC/B,CAEA,yBAAe6V,GACX,MAAMC,EAASpb,OAAOyF,SAASC,cAAc,UAW7C,OARA0V,EAAOzV,MAAMC,WAAa,SAC1BwV,EAAOzV,MAAME,SAAW,QACxBuV,EAAOzV,MAAMzF,KAAO,UACpBkb,EAAOzV,MAAMnF,IAAM,IACnB4a,EAAOtb,MAAQ,IACfsb,EAAO7a,OAAS,IAEhBP,OAAOyF,SAASU,KAAKC,YAAYgV,GAC1BA,CACX,CAEA,cAAajD,CAASxV,GAClBtI,KAAKyD,QAAQ5E,MAAM,8BAA+BmB,KAAK6gB,mBACvD,MAAMG,EAAQvT,YAAW,KAAWzN,KAAK0d,OAAOxZ,MAAM,IAAIkF,EAAa,uCAAuC,GAA2B,IAAzBpJ,KAAK6gB,mBAGrH,OAFA7gB,KAAK2d,iBAAiBU,KAAI,IAAMxQ,aAAamT,WAEhC5Z,MAAM0W,SAASxV,EAChC,CAEOkW,KAAAA,GAzDX,IAAAhZ,EA0DYxF,KAAKgL,SACDhL,KAAKgL,OAAOiW,aACZjhB,KAAKgL,OAAOgB,iBAAiB,QAAS5H,IA5DtD,IAAA8c,EA6DoB,MAAMC,EAAQ/c,EAAGgd,OACjB,OAAAF,EAAAC,EAAMF,aAANC,EAAkBG,YAAYF,GACzBnhB,KAAK0d,OAAOxZ,MAAM,IAAI3G,MAAM,2BAA2B,IAC7D,GACH,OAAAiI,EAAAxF,KAAKgL,OAAOC,gBAAZzF,EAA2BuY,SAASpgB,QAAQ,gBAEhDqC,KAAKgL,OAAS,MAElBhL,KAAK6d,QAAU,IACnB,CAEA,mBAAcyD,CAAapZ,EAAa0W,GACpC,OAAOxX,MAAMsX,cAAc/Y,OAAOgZ,OAAQzW,GAAK,EAAO0W,EAC1D,GC/DS2C,GAAN,MAGH/hB,WAAAA,CAAoBmQ,GAAA,KAAAA,UAAAA,EAFpB,KAAiBlM,QAAU,IAAInE,EAAO,kBAEoB,CAE1D,aAAakiB,CAAAC,GAEiC,IAFzB,8BACjB3B,EAAgC9f,KAAK2P,UAAUmQ,+BACnD2B,EACI,OAAO,IAAIf,GAAa,CAAEZ,iCAC9B,CAEA,cAAa4B,CAASxZ,GAClBlI,KAAKyD,QAAQhD,OAAO,YACpBigB,GAAaY,aAAapZ,EAAKlI,KAAK2P,UAAUgQ,yBAClD,GCHSgC,GAAN,cAA0BlE,EAKtBje,WAAAA,CAAAoiB,GAGe,IAHH,kBACfpC,EAAoBR,EAAA,oBACpBO,EAAsB,CAAC,GAC3BqC,EACIxa,QARJ,KAAmB3D,QAAU,IAAInE,EAAO,eASpC,MAAMuiB,EAAgBzc,EAAWC,OAAO,IAAKwZ,KAA+BU,IAC5Evf,KAAK6d,QAAUlY,OAAOmc,UAAK,EAAWtC,EAAmBpa,EAAWkB,UAAUub,IAC1EtC,EAAoBR,gCAAkCQ,EAAoBR,+BAAiC,GAC3GtR,YAAW,KACFzN,KAAK6d,SAA0C,mBAAxB7d,KAAK6d,QAAQkE,SAAwB/hB,KAAK6d,QAAQkE,OAK9E/hB,KAAKwe,QAJIxe,KAAK0d,OAAOxZ,MAAM,IAAI3G,MAAM,yBAIzB,GAhCb,IAiCAgiB,EAAoBR,+BAE/B,CAEA,cAAajB,CAASxV,GA9C1B,IAAA9C,EA+CQ,OAAAA,EAAAxF,KAAK6d,UAALrY,EAAcwc,QAEd,MAAMC,EAAsBna,aAAY,KAC/B9H,KAAK6d,UAAW7d,KAAK6d,QAAQkE,QACzB/hB,KAAK0d,OAAOxZ,MAAM,IAAI3G,MAAM,wBACrC,GA5CwB,KAgD5B,OAFAyC,KAAK2d,iBAAiBU,KAAI,IAAMtW,cAAcka,WAEjC7a,MAAM0W,SAASxV,EAChC,CAEOkW,KAAAA,GACCxe,KAAK6d,UACA7d,KAAK6d,QAAQkE,SACd/hB,KAAK6d,QAAQW,QACRxe,KAAK0d,OAAOxZ,MAAM,IAAI3G,MAAM,mBAGzCyC,KAAK6d,QAAU,IACnB,CAEA,mBAAcqE,CAAaha,EAAa8V,GACpC,IAAKrY,OAAOwc,OACR,MAAM,IAAI5kB,MAAM,kDAEpB,OAAO6J,MAAMsX,cAAc/Y,OAAOwc,OAAQja,EAAK8V,EACnD,GC/DSoE,GAAN,MAGH5iB,WAAAA,CAAoBmQ,GAAA,KAAAA,UAAAA,EAFpB,KAAiBlM,QAAU,IAAInE,EAAO,iBAEoB,CAE1D,aAAakiB,CAAAa,GAG+B,IAHvB,oBACjB9C,EAAsBvf,KAAK2P,UAAU4P,oBAAA,kBACrCC,EAAoBxf,KAAK2P,UAAU6P,mBACvC6C,EACI,OAAO,IAAIV,GAAY,CAAEpC,sBAAqBC,qBAClD,CAEA,cAAakC,CAASxZ,EAAAoa,GAAkD,IAArC,SAAEtE,GAAW,GAAMsE,EAClDtiB,KAAKyD,QAAQhD,OAAO,YAEpBkhB,GAAYO,aAAaha,EAAK8V,EAClC,GCRSuE,GAAN,MAGH/iB,WAAAA,CAAoBmQ,GAAA,KAAAA,UAAAA,EAFpB,KAAiBlM,QAAU,IAAInE,EAAO,oBAEoB,CAE1D,aAAakiB,CAAAgB,GAGwB,IAHhB,eACjB/C,EAAiBzf,KAAK2P,UAAU8P,eAAA,eAChCC,EAAiB1f,KAAK2P,UAAU+P,gBACpC8C,EA3BJ,IAAAhd,EA4BQxF,KAAKyD,QAAQhD,OAAO,WACpB,IAAIgiB,EAAe9c,OAAO+c,KAEH,QAAnBhD,IACA+C,EAAe,OAAAjd,EAAAG,OAAOQ,KAAPX,EAAcG,OAAO+c,MAGxC,MAAMC,EAAWF,EAAa1E,SAAS0B,GAAgBmD,KAAKH,EAAa1E,UACzE,IAAIrQ,EACJ,MAAO,CACHoQ,SAAUzJ,UACNrU,KAAKyD,QAAQhD,OAAO,YAEpB,MAAMoiB,EAAU,IAAIlX,SAAQ,CAACC,EAASqS,KAClCvQ,EAAQuQ,CAAA,IAGZ,OADA0E,EAASra,EAAOJ,WACF2a,CAAA,EAElBrE,MAAOA,KACHxe,KAAKyD,QAAQhD,OAAO,SACpB,MAAAiN,GAAAA,EAAQ,IAAInQ,MAAM,qBAClBklB,EAAavX,MAAM,EAG/B,CAEA,cAAawW,GAEb,GCrBSoB,GAAN,cAAgCzZ,EAU5B7J,WAAAA,CAAYqa,GACfzS,MAAM,CAAEqC,kCAAmCoQ,EAAS0G,+CAVxD,KAAmB9c,QAAU,IAAInE,EAAO,qBAExC,KAAiByjB,YAAc,IAAIvf,EAAc,eACjD,KAAiBwf,cAAgB,IAAIxf,EAAU,iBAC/C,KAAiByf,kBAAoB,IAAIzf,EAAe,sBACxD,KAAiB0f,cAAgB,IAAI1f,EAAU,kBAC/C,KAAiB2f,eAAiB,IAAI3f,EAAU,mBAChD,KAAiB4f,oBAAsB,IAAI5f,EAAU,uBAIrD,CAEA,UAAakG,CAAKmS,GAA4C,IAAhCc,IAAAhd,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,KAAAA,UAAA,GAC1ByH,MAAMsC,KAAKmS,GACPc,SACM3c,KAAK+iB,YAAY7e,MAAM2X,EAErC,CACA,YAAa5R,GACT7C,MAAM6C,eACAjK,KAAKgjB,cAAc9e,OAC7B,CAKO8Y,aAAAA,CAAcpZ,GACjB,OAAO5D,KAAK+iB,YAAYpf,WAAWC,EACvC,CAIOyf,gBAAAA,CAAiBzf,GACpB,OAAO5D,KAAK+iB,YAAYjf,cAAcF,EAC1C,CAKOqZ,eAAAA,CAAgBrZ,GACnB,OAAO5D,KAAKgjB,cAAcrf,WAAWC,EACzC,CAIO0f,kBAAAA,CAAmB1f,GACtB,OAAO5D,KAAKgjB,cAAclf,cAAcF,EAC5C,CAKO2f,mBAAAA,CAAoB3f,GACvB,OAAO5D,KAAKijB,kBAAkBtf,WAAWC,EAC7C,CAIO4f,sBAAAA,CAAuB5f,GAC1B,OAAO5D,KAAKijB,kBAAkBnf,cAAcF,EAChD,CAIA,4BAAa6f,CAAuB1e,SAC1B/E,KAAKijB,kBAAkB/e,MAAMa,EACvC,CAMO2e,eAAAA,CAAgB9f,GACnB,OAAO5D,KAAKkjB,cAAcvf,WAAWC,EACzC,CAIO+f,kBAAAA,CAAmB/f,GACtB5D,KAAKkjB,cAAcpf,cAAcF,EACrC,CAIA,wBAAamZ,SACH/c,KAAKkjB,cAAchf,OAC7B,CAMO0f,gBAAAA,CAAiBhgB,GACpB,OAAO5D,KAAKmjB,eAAexf,WAAWC,EAC1C,CAIOigB,mBAAAA,CAAoBjgB,GACvB5D,KAAKmjB,eAAerf,cAAcF,EACtC,CAIA,yBAAakZ,SACH9c,KAAKmjB,eAAejf,OAC9B,CAMO4f,qBAAAA,CAAsBlgB,GACzB,OAAO5D,KAAKojB,oBAAoBzf,WAAWC,EAC/C,CAIOmgB,wBAAAA,CAAyBngB,GAC5B5D,KAAKojB,oBAAoBtf,cAAcF,EAC3C,CAIA,8BAAaiZ,SACH7c,KAAKojB,oBAAoBlf,OACnC,GCzJS8f,GAAN,MAKIxkB,WAAAA,CAAoBmc,GAAA,KAAAA,aAAAA,EAJ3B,KAAUlY,QAAU,IAAInE,EAAO,sBAC/B,KAAQ2kB,YAAa,EACrB,KAAiBC,YAAc,IAAItd,EAAM,sBAgCzC,KAAUud,eAAsC9P,UAC5C,MAAM3M,EAAS1H,KAAKyD,QAAQhD,OAAO,kBACnC,UACUT,KAAK2b,aAAayI,eACxB1c,EAAO7I,MAAM,kCACjB,OACOP,GACH,GAAIA,aAAe8K,EAIf,OAFA1B,EAAO3I,KAAK,kCAAmCT,EAAK,oBACpD0B,KAAKkkB,YAAY1c,KAAK,GAI1BE,EAAO1I,MAAM,2BAA4BV,SACnC0B,KAAK2b,aAAaiB,OAAO6G,uBAAuBnlB,EAC1D,EA9CmD,CAEvD,WAAa2N,GACT,MAAMvE,EAAS1H,KAAKyD,QAAQhD,OAAO,SACnC,IAAKT,KAAKikB,WAAY,CAClBjkB,KAAKikB,YAAa,EAClBjkB,KAAK2b,aAAaiB,OAAO1S,uBAAuBlK,KAAKmkB,gBACrDnkB,KAAKkkB,YAAYvgB,WAAW3D,KAAKmkB,gBAGjC,UACUnkB,KAAK2b,aAAayB,SAE5B,OACO9e,GAEHoJ,EAAO1I,MAAM,gBAAiBV,EAClC,CACJ,CACJ,CAEO4M,IAAAA,GACClL,KAAKikB,aACLjkB,KAAKkkB,YAAY/c,SACjBnH,KAAKkkB,YAAYpgB,cAAc9D,KAAKmkB,gBACpCnkB,KAAK2b,aAAaiB,OAAOzS,0BAA0BnK,KAAKmkB,gBACxDnkB,KAAKikB,YAAa,EAE1B,GClCSI,GAAN,MAUH7kB,WAAAA,CAAYI,GASRI,KAAKkV,cAAgBtV,EAAKsV,cAC1BlV,KAAKkW,SAAWtW,EAAKsW,SACrBlW,KAAKkJ,cAAgBtJ,EAAKsJ,cAC1BlJ,KAAK2S,MAAQ/S,EAAK+S,MAClB3S,KAAKoW,QAAUxW,EAAKwW,QAEpBpW,KAAKgD,KAAOpD,EAAKoJ,KAErB,GCyCSsb,GAAN,MAaI9kB,WAAAA,CAAYqa,EAA+B0K,EAAgCC,EAA6BC,GAV/G,KAAmBhhB,QAAU,IAAInE,EAAO,eAWpCU,KAAK6Z,SAAW,IAAIuF,GAAyBvF,GAE7C7Z,KAAK0kB,QAAU,IAAI9K,EAAWC,GAE9B7Z,KAAK2kB,mBAAqB,MAAAJ,EAAAA,EAAqB,IAAIhC,GAAkBviB,KAAK6Z,UAC1E7Z,KAAK4kB,gBAAkB,MAAAJ,EAAAA,EAAkB,IAAIpC,GAAepiB,KAAK6Z,UACjE7Z,KAAK6kB,iBAAmB,MAAAJ,EAAAA,EAAmB,IAAIlD,GAAgBvhB,KAAK6Z,UAEpE7Z,KAAK8kB,QAAU,IAAIhC,GAAkB9iB,KAAK6Z,UAC1C7Z,KAAK+kB,oBAAsB,IAAIf,GAAmBhkB,MAG9CA,KAAK6Z,SAASkG,sBACd/f,KAAKglB,mBAGThlB,KAAKilB,gBAAkB,KACnBjlB,KAAK6Z,SAASqG,iBACdlgB,KAAKilB,gBAAkB,IAAIvJ,EAAe1b,MAGlD,CAKA,UAAW4c,GACP,OAAO5c,KAAK8kB,OAChB,CAKA,mBAAWhL,GACP,OAAO9Z,KAAK0kB,QAAQ5K,eACxB,CAOA,aAAasD,GACT,MAAM1V,EAAS1H,KAAKyD,QAAQhD,OAAO,WAC7Bob,QAAa7b,KAAKklB,YACxB,OAAIrJ,GACAnU,EAAO5I,KAAK,qBACNkB,KAAK8kB,QAAQpb,KAAKmS,GAAM,GACvBA,IAGXnU,EAAO5I,KAAK,6BACL,KACX,CAOA,gBAAaqmB,GACT,MAAMzd,EAAS1H,KAAKyD,QAAQhD,OAAO,oBAC7BT,KAAKolB,UAAU,MACrB1d,EAAO5I,KAAK,mCACNkB,KAAK8kB,QAAQ7a,QACvB,CASA,oBAAaob,GAA6D,IAA9CzlB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA2B,CAAC,EACpDK,KAAKyD,QAAQhD,OAAO,kBACpB,MAAM,eACFgf,KACG6F,GACH1lB,EACE2lB,QAAevlB,KAAK2kB,mBAAmBnD,QAAQ,CAAE/B,yBACjDzf,KAAKwlB,aAAa,CACpBpO,aAAc,UACXkO,GACJC,EACP,CAUA,4BAAaE,GAAkE,IAA3Cvd,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KACtD,MAAMhE,EAAS1H,KAAKyD,QAAQhD,OAAO,0BAC7Bob,QAAa7b,KAAK0lB,WAAWxd,GAQnC,OAPI2T,EAAKzF,SAAWyF,EAAKzF,QAAQK,IAC7B/O,EAAO5I,KAAK,6BAA8B+c,EAAKzF,QAAQK,KAGvD/O,EAAO5I,KAAK,cAGT+c,CACX,CAQA,oCAAa8J,CAAAC,GAIyC,IAJV,SACxC/K,EAAA,SACAC,EAAA,aACA9E,GAAe,GACnB4P,EACI,MAAMle,EAAS1H,KAAKyD,QAAQhD,OAAO,iCAE7Bsa,QAAuB/a,KAAK0kB,QAAQ/J,wCAAwC,CAAEE,WAAUC,WAAU9E,eAAchC,iBAAkBhU,KAAK6Z,SAAS7F,mBACtJtM,EAAO7I,MAAM,uBAEb,MAAMgd,QAAa7b,KAAK6lB,WAAW9K,GAMnC,OALIc,EAAKzF,SAAWyF,EAAKzF,QAAQK,IAC7B/O,EAAO5I,KAAK,6BAA8B+c,EAAKzF,QAAQK,KAEvD/O,EAAO5I,KAAK,cAET+c,CACX,CAQA,iBAAaiK,GAAuD,IAA3ClmB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAwB,CAAC,EAC9C,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,gBAC7B,oBACF8e,EAAA,kBACAC,KACG8F,GACH1lB,EACEsI,EAAMlI,KAAK6Z,SAASwF,mBACrBnX,GACDR,EAAOlH,MAAM,IAAIjD,MAAM,qCAG3B,MAAMgoB,QAAevlB,KAAK4kB,gBAAgBpD,QAAQ,CAAEjC,sBAAqBC,sBACnE3D,QAAa7b,KAAK+lB,QAAQ,CAC5B3O,aAAc,OACdxE,aAAc1K,EACd8K,QAAS,WACNsS,GACJC,GAUH,OATI1J,IACIA,EAAKzF,SAAWyF,EAAKzF,QAAQK,IAC7B/O,EAAO5I,KAAK,6BAA8B+c,EAAKzF,QAAQK,KAGvD/O,EAAO5I,KAAK,eAIb+c,CACX,CASA,yBAAamK,GAAiF,IAA7D9d,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KAAMsS,EAAAre,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GACzD,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,6BAC7BT,KAAK4kB,gBAAgBlD,SAASxZ,EAAK,CAAE8V,aAC3CtW,EAAO5I,KAAK,UAChB,CAOA,kBAAaslB,GAAgE,IAAnDxkB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAyB,CAAC,EAxRxD,IAAA6F,EAyRQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,iBAC7B,8BACFqf,KACGwF,GACH1lB,EAEJ,IAAIic,QAAa7b,KAAKklB,YACtB,GAAI,MAAArJ,OAAA,EAAAA,EAAM3G,cAAe,CACrBxN,EAAO7I,MAAM,uBACb,MAAMmK,EAAQ,IAAIqb,GAAaxI,GAC/B,aAAa7b,KAAKimB,iBAAiB,CAC/Bjd,QACA4J,aAAc0S,EAAY1S,aAC1BQ,SAAUkS,EAAYlS,SACtBY,iBAAkBsR,EAAYtR,iBAC9B7G,iBAAkB2S,GAE1B,CAEA,MAAM5X,EAAMlI,KAAK6Z,SAASgG,oBAK1B,IAAIqG,EAJChe,GACDR,EAAOlH,MAAM,IAAIjD,MAAM,sCAIvBse,GAAQ7b,KAAK6Z,SAASmG,2BACtBtY,EAAO7I,MAAM,iCAAkCgd,EAAKzF,QAAQK,KAC5DyP,EAAYrK,EAAKzF,QAAQK,KAG7B,MAAM8O,QAAevlB,KAAK6kB,iBAAiBrD,QAAQ,CAAE1B,kCAiBrD,OAhBAjE,QAAa7b,KAAK+lB,QAAQ,CACtB3O,aAAc,OACdxE,aAAc1K,EACd6K,OAAQ,OACRiG,cAAehZ,KAAK6Z,SAASoG,4BAA8B,MAAApE,OAAA,EAAAA,EAAM3F,cAAW,KACzEoP,GACJC,EAAQW,GACPrK,KACI,OAAArW,EAAAqW,EAAKzF,cAAL,EAAA5Q,EAAciR,KACd/O,EAAO5I,KAAK,6BAA8B+c,EAAKzF,QAAQK,KAGvD/O,EAAO5I,KAAK,eAIb+c,CACX,CAEA,sBAAgBoK,CAAiBrmB,GAC7B,MAAMqO,QAAiBjO,KAAK0kB,QAAQ1J,gBAAgB,IAC7Cpb,EACHuN,iBAAkBnN,KAAK6Z,SAASiG,gCAE9BjE,EAAO,IAAIwB,EAAK,IAAKzd,EAAKoJ,SAAUiF,IAI1C,aAFMjO,KAAKolB,UAAUvJ,SACf7b,KAAK8kB,QAAQpb,KAAKmS,GACjBA,CACX,CAWA,0BAAasK,GAAgE,IAA3Cje,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KACpD,MAAMhE,EAAS1H,KAAKyD,QAAQhD,OAAO,8BAC7BT,KAAK6kB,iBAAiBnD,SAASxZ,GACrCR,EAAO5I,KAAK,UAChB,CAWA,oBAAasnB,GAAiE,IAAlDle,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KAC9C,MAAM,MAAE1C,SAAgBhJ,KAAK0kB,QAAQnK,wBAAwBrS,GAC7D,OAAQc,EAAMoO,cACV,IAAK,OACD,aAAapX,KAAKylB,uBAAuBvd,GAC7C,IAAK,OACD,aAAalI,KAAKgmB,oBAAoB9d,GAC1C,IAAK,OACD,aAAalI,KAAKmmB,qBAAqBje,GAC3C,QACI,MAAM,IAAI3K,MAAM,kCAE5B,CAWA,qBAAa8oB,GAA6E,IAA7Dne,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KAAMsS,EAAAre,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GACrD,MAAM,MAAEqJ,SAAgBhJ,KAAK0kB,QAAQpJ,yBAAyBpT,GAC9D,GAAKc,EAIL,OAAQA,EAAMoO,cACV,IAAK,aACKpX,KAAKsmB,wBAAwBpe,GACnC,MACJ,IAAK,aACKlI,KAAKumB,qBAAqBre,EAAK8V,GACrC,MACJ,IAAK,aACKhe,KAAKwmB,sBAAsBte,GACjC,MACJ,QACI,MAAM,IAAI3K,MAAM,kCAE5B,CAOA,wBAAakf,GAAqF,IAAlE7c,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA+B,CAAC,EAC5D,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,uBAC7B,8BACFqf,KACGwF,GACH1lB,EACEsI,EAAMlI,KAAK6Z,SAASgG,oBACrB3X,GACDR,EAAOlH,MAAM,IAAIjD,MAAM,sCAG3B,MAAMse,QAAa7b,KAAKklB,YAClBK,QAAevlB,KAAK6kB,iBAAiBrD,QAAQ,CAAE1B,kCAC/C2G,QAAoBzmB,KAAKwlB,aAAa,CACxCpO,aAAc,OACdxE,aAAc1K,EACd6K,OAAQ,OACRiG,cAAehZ,KAAK6Z,SAASoG,4BAA8B,MAAApE,OAAA,EAAAA,EAAM3F,cAAW,EAC5ExD,cAAe1S,KAAK6Z,SAASsG,2BAC7BxN,MAAO,SACPqD,cAAc,KACXsP,GACJC,GACH,IACI,MAAMxK,QAAuB/a,KAAK0kB,QAAQhK,sBAAsB+L,EAAYve,KAG5E,OAFAR,EAAO7I,MAAM,uBAETkc,EAAe7R,eAAiB6R,EAAe3E,QAAQK,KACvD/O,EAAO5I,KAAK,sBAAuBic,EAAe3E,QAAQK,KACnD,CACHvN,cAAe6R,EAAe7R,cAC9BuN,IAAKsE,EAAe3E,QAAQK,OAIpC/O,EAAO5I,KAAK,mCACL,KACX,OACOR,GACH,GAAI0B,KAAK6Z,SAASyC,yBAA2Bhe,aAAeoK,EACxD,OAAQpK,EAAIU,OACR,IAAK,iBACL,IAAK,mBACL,IAAK,uBACL,IAAK,6BAED,OADA0I,EAAO5I,KAAK,8BACL,CAEHoK,cAAe5K,EAAI4K,eAInC,MAAM5K,CACV,CACJ,CAEA,aAAgBynB,CAAQnmB,EAA+B2lB,EAAiBW,GACpE,MAAMO,QAAoBzmB,KAAKwlB,aAAa5lB,EAAM2lB,GAClD,aAAavlB,KAAK0lB,WAAWe,EAAYve,IAAKge,EAClD,CACA,kBAAgBV,CAAa5lB,EAA+B2lB,GACxD,MAAM7d,EAAS1H,KAAKyD,QAAQhD,OAAO,gBAEnC,IACI,MAAM4Z,QAAsBra,KAAK0kB,QAAQ1K,oBAAoBpa,GAG7D,OAFA8H,EAAO7I,MAAM,4BAEA0mB,EAAOzH,SAAS,CACzB5V,IAAKmS,EAAcnS,IACnBc,MAAOqR,EAAcrR,MAAMuN,GAC3BlD,cAAegH,EAAcrR,MAAMqK,cACnC8K,aAAcne,KAAK6Z,SAAS+F,oBAEpC,OACOthB,GAGH,MAFAoJ,EAAO7I,MAAM,6DACb0mB,EAAO/G,QACDlgB,CACV,CACJ,CACA,gBAAgBonB,CAAWxd,EAAage,GACpC,MAAMxe,EAAS1H,KAAKyD,QAAQhD,OAAO,cAC7Bsa,QAAuB/a,KAAK0kB,QAAQhK,sBAAsBxS,GAChER,EAAO7I,MAAM,uBAGb,aADmBmB,KAAK6lB,WAAW9K,EAAgBmL,EAEvD,CAEA,gBAAgBL,CAAW9K,EAAgCmL,GACvD,MAAMxe,EAAS1H,KAAKyD,QAAQhD,OAAO,cAC7Bob,EAAO,IAAIwB,EAAKtC,GACtB,GAAImL,EAAW,CACX,GAAIA,IAAcrK,EAAKzF,QAAQK,IAE3B,MADA/O,EAAO7I,MAAM,0EAA2Egd,EAAKzF,QAAQK,KAC/F,IAAI/N,EAAc,IAAKqS,EAAgB/b,MAAO,mBAExD0I,EAAO7I,MAAM,iDACjB,CAMA,aAJMmB,KAAKolB,UAAUvJ,GACrBnU,EAAO7I,MAAM,qBACPmB,KAAK8kB,QAAQpb,KAAKmS,GAEjBA,CACX,CAOA,qBAAa6K,GAA+D,IAA/C9mB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA4B,CAAC,EACtD,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,oBAC7B,eACFgf,KACG6F,GACH1lB,EACE2lB,QAAevlB,KAAK2kB,mBAAmBnD,QAAQ,CAAE/B,yBACjDzf,KAAK2mB,cAAc,CACrBvP,aAAc,OACdvE,yBAA0B7S,KAAK6Z,SAAShH,4BACrCyS,GACJC,GACH7d,EAAO5I,KAAK,UAChB,CAUA,6BAAawnB,GAA8E,IAAtDpe,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KACvD,MAAMhE,EAAS1H,KAAKyD,QAAQhD,OAAO,2BAC7BwN,QAAiBjO,KAAK4mB,YAAY1e,GAExC,OADAR,EAAO5I,KAAK,WACLmP,CACX,CAOA,kBAAa4Y,GAAyD,IAA5CjnB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAyB,CAAC,EAChD,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,iBAC7B,oBACF8e,EAAA,kBACAC,KACG8F,GACH1lB,EACEsI,EAAMlI,KAAK6Z,SAASyF,+BAEpBiG,QAAevlB,KAAK4kB,gBAAgBpD,QAAQ,CAAEjC,sBAAqBC,4BACnExf,KAAK8mB,SAAS,CAChB1P,aAAc,OACdvE,yBAA0B3K,EAM1Bc,MAAc,MAAPd,OAAc,EAAY,CAAC,KAC/Bod,GACJC,GACH7d,EAAO5I,KAAK,UAChB,CAUA,0BAAaynB,GAAkF,IAA7Dre,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KAAMsS,EAAAre,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,IAAAA,UAAA,GAC1D,MAAM+H,EAAS1H,KAAKyD,QAAQhD,OAAO,8BAC7BT,KAAK4kB,gBAAgBlD,SAASxZ,EAAK,CAAE8V,aAC3CtW,EAAO5I,KAAK,UAChB,CAEA,cAAgBgoB,CAASlnB,EAAgC2lB,GACrD,MAAMkB,QAAoBzmB,KAAK2mB,cAAc/mB,EAAM2lB,GACnD,aAAavlB,KAAK4mB,YAAYH,EAAYve,IAC9C,CACA,mBAAgBye,GAA+F,IAAjF/mB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAiC,CAAC,EAAG4lB,EAAA5lB,UAAA/B,OAAA,EAAA+B,UAAA,QAAAyI,EA7lBvE,IAAA5C,EA8lBQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,iBAEnC,IACI,MAAMob,QAAa7b,KAAKklB,YACxBxd,EAAO7I,MAAM,oCAETmB,KAAK6Z,SAASwG,6BACRrgB,KAAK+mB,gBAAgBlL,GAG/B,MAAM3F,EAAWtW,EAAKoZ,eAAiB6C,GAAQA,EAAK3F,SAChDA,IACAxO,EAAO7I,MAAM,4CACbe,EAAKoZ,cAAgB9C,SAGnBlW,KAAKmlB,aACXzd,EAAO7I,MAAM,0CAEb,MAAMmoB,QAAuBhnB,KAAK0kB,QAAQtJ,qBAAqBxb,GAG/D,OAFA8H,EAAO7I,MAAM,6BAEA0mB,EAAOzH,SAAS,CACzB5V,IAAK8e,EAAe9e,IACpBc,MAAO,OAAAxD,EAAAwhB,EAAehe,YAAf,EAAAxD,EAAsB+Q,GAC7B4H,aAAcne,KAAK6Z,SAAS+F,oBAEpC,OACOthB,GAGH,MAFAoJ,EAAO7I,MAAM,6DACb0mB,EAAO/G,QACDlgB,CACV,CACJ,CACA,iBAAgBsoB,CAAY1e,GACxB,MAAMR,EAAS1H,KAAKyD,QAAQhD,OAAO,eAC7BwmB,QAAwBjnB,KAAK0kB,QAAQnJ,uBAAuBrT,GAGlE,OAFAR,EAAO7I,MAAM,wBAENooB,CACX,CAOA,mBAAaC,GAA2D,IAA7CtnB,EAAAD,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAA0B,CAAC,EA7oB1D,IAAA6F,EA8oBQ,MAAMkC,EAAS1H,KAAKyD,QAAQhD,OAAO,kBAC7B,8BACFqf,KACGwF,GACH1lB,EAEEoZ,EAAgBhZ,KAAK6Z,SAASyG,8BAC7B,OAAA9a,QAAMxF,KAAKklB,kBAAX,EAAA1f,EAAyB0Q,cAC1B,EAEAhO,EAAMlI,KAAK6Z,SAASyF,+BACpBiG,QAAevlB,KAAK6kB,iBAAiBrD,QAAQ,CAAE1B,wCAC/C9f,KAAK8mB,SAAS,CAChB1P,aAAc,OACdvE,yBAA0B3K,EAC1B8Q,mBACGsM,GACJC,GAEH7d,EAAO5I,KAAK,UAChB,CAUA,2BAAa0nB,GAAiE,IAA3Cte,EAAAvI,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAMgG,OAAOoY,SAASrS,KACrD,MAAMhE,EAAS1H,KAAKyD,QAAQhD,OAAO,+BAC7BT,KAAK6kB,iBAAiBnD,SAASxZ,GACrCR,EAAO5I,KAAK,UAChB,CAEA,kBAAaqoB,CAAaC,GACtB,MAAMvL,QAAa7b,KAAKklB,kBAClBllB,KAAK+mB,gBAAgBlL,EAAMuL,EACrC,CAEA,qBAAgBL,CAAgBlL,GAA0E,IAAvDuL,EAAAznB,UAAA/B,OAAA,QAAAwK,IAAAzI,UAAA,GAAAA,UAAA,GAAQK,KAAK6Z,SAASuG,iBACrE,MAAM1Y,EAAS1H,KAAKyD,QAAQhD,OAAO,mBACnC,IAAKob,EAAM,OAEX,MAAMwL,EAAeD,EAAM5gB,QAAOiV,GAA8B,kBAAfI,EAAKJ,KAEtD,GAAK4L,EAAazpB,OAAlB,CAMA,IAAK,MAAM6d,KAAQ4L,QACTrnB,KAAK0kB,QAAQlJ,YACfK,EAAKJ,GACLA,GAEJ/T,EAAO5I,KAAA,GAAAkC,OAAQya,EAAI,0BACN,iBAATA,IACAI,EAAKJ,GAAQ,YAIfzb,KAAKolB,UAAUvJ,GACrBnU,EAAO7I,MAAM,qBACPmB,KAAK8kB,QAAQpb,KAAKmS,EAhBxB,MAFInU,EAAO7I,MAAM,uCAmBrB,CAKOmmB,gBAAAA,GACHhlB,KAAKyD,QAAQhD,OAAO,oBACfT,KAAK+kB,oBAAoB9Y,OAClC,CAKOqb,eAAAA,GACHtnB,KAAK+kB,oBAAoB7Z,MAC7B,CAEA,iBAAcqc,GACV,MAAO,QAAPvmB,OAAehB,KAAK6Z,SAASpH,UAAS,KAAAzR,OAAIhB,KAAK6Z,SAASvW,UAC5D,CAEA,eAAgB4hB,GACZ,MAAMxd,EAAS1H,KAAKyD,QAAQhD,OAAO,aAC7B8W,QAAsBvX,KAAK6Z,SAAS2G,UAAUnS,IAAIrO,KAAKunB,eAC7D,OAAIhQ,GACA7P,EAAO7I,MAAM,6BACNwe,EAAK/F,kBAAkBC,KAGlC7P,EAAO7I,MAAM,yBACN,KACX,CAEA,eAAaumB,CAAUvJ,GACnB,MAAMnU,EAAS1H,KAAKyD,QAAQhD,OAAO,aACnC,GAAIob,EAAM,CACNnU,EAAO7I,MAAM,gBACb,MAAM0Y,EAAgBsE,EAAKxE,wBACrBrX,KAAK6Z,SAAS2G,UAAU3O,IAAI7R,KAAKunB,cAAehQ,EAC1D,MAEIvX,KAAKyD,QAAQ5E,MAAM,uBACbmB,KAAK6Z,SAAS2G,UAAU1O,OAAO9R,KAAKunB,cAElD,CAKA,qBAAa/P,SACHxX,KAAK0kB,QAAQlN,iBACvB,GC9vBSgQ,GCJA,O","sources":["../node_modules/jwt-decode/build/esm/index.js","../node_modules/oidc-client-ts/src/utils/Logger.ts","../node_modules/oidc-client-ts/src/utils/CryptoUtils.ts","../node_modules/oidc-client-ts/src/utils/Event.ts","../node_modules/oidc-client-ts/src/utils/JwtUtils.ts","../node_modules/oidc-client-ts/src/utils/PopupUtils.ts","../node_modules/oidc-client-ts/src/utils/Timer.ts","../node_modules/oidc-client-ts/src/utils/UrlUtils.ts","../node_modules/oidc-client-ts/src/errors/ErrorResponse.ts","../node_modules/oidc-client-ts/src/errors/ErrorTimeout.ts","../node_modules/oidc-client-ts/src/AccessTokenEvents.ts","../node_modules/oidc-client-ts/src/CheckSessionIFrame.ts","../node_modules/oidc-client-ts/src/InMemoryWebStorage.ts","../node_modules/oidc-client-ts/src/JsonService.ts","../node_modules/oidc-client-ts/src/MetadataService.ts","../node_modules/oidc-client-ts/src/WebStorageStateStore.ts","../node_modules/oidc-client-ts/src/OidcClientSettings.ts","../node_modules/oidc-client-ts/src/UserInfoService.ts","../node_modules/oidc-client-ts/src/TokenClient.ts","../node_modules/oidc-client-ts/src/ResponseValidator.ts","../node_modules/oidc-client-ts/src/State.ts","../node_modules/oidc-client-ts/src/SigninState.ts","../node_modules/oidc-client-ts/src/SigninRequest.ts","../node_modules/oidc-client-ts/src/SigninResponse.ts","../node_modules/oidc-client-ts/src/SignoutRequest.ts","../node_modules/oidc-client-ts/src/SignoutResponse.ts","../node_modules/oidc-client-ts/src/ClaimsService.ts","../node_modules/oidc-client-ts/src/OidcClient.ts","../node_modules/oidc-client-ts/src/SessionMonitor.ts","../node_modules/oidc-client-ts/src/User.ts","../node_modules/oidc-client-ts/src/navigators/AbstractChildWindow.ts","../node_modules/oidc-client-ts/src/UserManagerSettings.ts","../node_modules/oidc-client-ts/src/navigators/IFrameWindow.ts","../node_modules/oidc-client-ts/src/navigators/IFrameNavigator.ts","../node_modules/oidc-client-ts/src/navigators/PopupWindow.ts","../node_modules/oidc-client-ts/src/navigators/PopupNavigator.ts","../node_modules/oidc-client-ts/src/navigators/RedirectNavigator.ts","../node_modules/oidc-client-ts/src/UserManagerEvents.ts","../node_modules/oidc-client-ts/src/SilentRenewService.ts","../node_modules/oidc-client-ts/src/RefreshState.ts","../node_modules/oidc-client-ts/src/UserManager.ts","../node_modules/oidc-client-ts/src/Version.ts","../node_modules/oidc-client-ts/package.json"],"sourcesContent":["export class InvalidTokenError extends Error {\n}\nInvalidTokenError.prototype.name = \"InvalidTokenError\";\nfunction b64DecodeUnicode(str) {\n return decodeURIComponent(atob(str).replace(/(.)/g, (m, p) => {\n let code = p.charCodeAt(0).toString(16).toUpperCase();\n if (code.length < 2) {\n code = \"0\" + code;\n }\n return \"%\" + code;\n }));\n}\nfunction base64UrlDecode(str) {\n let output = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n switch (output.length % 4) {\n case 0:\n break;\n case 2:\n output += \"==\";\n break;\n case 3:\n output += \"=\";\n break;\n default:\n throw new Error(\"base64 string is not of the correct length\");\n }\n try {\n return b64DecodeUnicode(output);\n }\n catch (err) {\n return atob(output);\n }\n}\nexport function jwtDecode(token, options) {\n if (typeof token !== \"string\") {\n throw new InvalidTokenError(\"Invalid token specified: must be a string\");\n }\n options || (options = {});\n const pos = options.header === true ? 0 : 1;\n const part = token.split(\".\")[pos];\n if (typeof part !== \"string\") {\n throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);\n }\n let decoded;\n try {\n decoded = base64UrlDecode(part);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e.message})`);\n }\n try {\n return JSON.parse(decoded);\n }\n catch (e) {\n throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e.message})`);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * Native interface\n *\n * @public\n */\nexport interface ILogger {\n debug(...args: unknown[]): void;\n info(...args: unknown[]): void;\n warn(...args: unknown[]): void;\n error(...args: unknown[]): void;\n}\n\nconst nopLogger: ILogger = {\n debug: () => undefined,\n info: () => undefined,\n warn: () => undefined,\n error: () => undefined,\n};\n\nlet level: number;\nlet logger: ILogger;\n\n/**\n * Log levels\n *\n * @public\n */\nexport enum Log {\n NONE,\n ERROR,\n WARN,\n INFO,\n DEBUG\n}\n\n/**\n * Log manager\n *\n * @public\n */\nexport namespace Log { // eslint-disable-line @typescript-eslint/no-namespace\n export function reset(): void {\n level = Log.INFO;\n logger = nopLogger;\n }\n\n export function setLevel(value: Log): void {\n if (!(Log.NONE <= value && value <= Log.DEBUG)) {\n throw new Error(\"Invalid log level\");\n }\n level = value;\n }\n\n export function setLogger(value: ILogger): void {\n logger = value;\n }\n}\n\n/**\n * Internal logger instance\n *\n * @public\n */\nexport class Logger {\n private _method?: string;\n public constructor(private _name: string) {}\n\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\n public debug(...args: unknown[]): void {\n if (level >= Log.DEBUG) {\n logger.debug(Logger._format(this._name, this._method), ...args);\n }\n }\n public info(...args: unknown[]): void {\n if (level >= Log.INFO) {\n logger.info(Logger._format(this._name, this._method), ...args);\n }\n }\n public warn(...args: unknown[]): void {\n if (level >= Log.WARN) {\n logger.warn(Logger._format(this._name, this._method), ...args);\n }\n }\n public error(...args: unknown[]): void {\n if (level >= Log.ERROR) {\n logger.error(Logger._format(this._name, this._method), ...args);\n }\n }\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\n\n public throw(err: Error): never {\n this.error(err);\n throw err;\n }\n\n public create(method: string): Logger {\n const methodLogger: Logger = Object.create(this);\n methodLogger._method = method;\n methodLogger.debug(\"begin\");\n return methodLogger;\n }\n\n public static createStatic(name: string, staticMethod: string): Logger {\n const staticLogger = new Logger(`${name}.${staticMethod}`);\n staticLogger.debug(\"begin\");\n return staticLogger;\n }\n\n private static _format(name: string, method?: string) {\n const prefix = `[${name}]`;\n return method ? `${prefix} ${method}:` : prefix;\n }\n\n /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */\n // helpers for static class methods\n public static debug(name: string, ...args: unknown[]): void {\n if (level >= Log.DEBUG) {\n logger.debug(Logger._format(name), ...args);\n }\n }\n public static info(name: string, ...args: unknown[]): void {\n if (level >= Log.INFO) {\n logger.info(Logger._format(name), ...args);\n }\n }\n public static warn(name: string, ...args: unknown[]): void {\n if (level >= Log.WARN) {\n logger.warn(Logger._format(name), ...args);\n }\n }\n public static error(name: string, ...args: unknown[]): void {\n if (level >= Log.ERROR) {\n logger.error(Logger._format(name), ...args);\n }\n }\n /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */\n}\n\nLog.reset();\n","import { Logger } from \"./Logger\";\n\nconst UUID_V4_TEMPLATE = \"10000000-1000-4000-8000-100000000000\";\n\nconst toBase64 = (val: ArrayBuffer): string =>\n btoa([...new Uint8Array(val)]\n .map((chr) => String.fromCharCode(chr))\n .join(\"\"));\n\n/**\n * @internal\n */\nexport class CryptoUtils {\n private static _randomWord(): number {\n const arr = new Uint32Array(1);\n crypto.getRandomValues(arr);\n return arr[0];\n }\n\n /**\n * Generates RFC4122 version 4 guid\n */\n public static generateUUIDv4(): string {\n const uuid = UUID_V4_TEMPLATE.replace(/[018]/g, c =>\n (+c ^ CryptoUtils._randomWord() & 15 >> +c / 4).toString(16),\n );\n return uuid.replace(/-/g, \"\");\n }\n\n /**\n * PKCE: Generate a code verifier\n */\n public static generateCodeVerifier(): string {\n return CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4() + CryptoUtils.generateUUIDv4();\n }\n\n /**\n * PKCE: Generate a code challenge\n */\n public static async generateCodeChallenge(code_verifier: string): Promise<string> {\n if (!crypto.subtle) {\n throw new Error(\"Crypto.subtle is available only in secure contexts (HTTPS).\");\n }\n\n try {\n const encoder = new TextEncoder();\n const data = encoder.encode(code_verifier);\n const hashed = await crypto.subtle.digest(\"SHA-256\", data);\n return toBase64(hashed).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n }\n catch (err) {\n Logger.error(\"CryptoUtils.generateCodeChallenge\", err);\n throw err;\n }\n }\n\n /**\n * Generates a base64-encoded string for a basic auth header\n */\n public static generateBasicAuth(client_id: string, client_secret: string): string {\n const encoder = new TextEncoder();\n const data = encoder.encode([client_id, client_secret].join(\":\"));\n return toBase64(data);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./Logger\";\n\n/**\n * @internal\n */\nexport type Callback<EventType extends unknown[]> = (...ev: EventType) => (Promise<void> | void);\n\n/**\n * @internal\n */\nexport class Event<EventType extends unknown[]> {\n protected readonly _logger = new Logger(`Event('${this._name}')`);\n\n private _callbacks: Array<Callback<EventType>> = [];\n\n public constructor(protected readonly _name: string) {}\n\n public addHandler(cb: Callback<EventType>): () => void {\n this._callbacks.push(cb);\n return () => this.removeHandler(cb);\n }\n\n public removeHandler(cb: Callback<EventType>): void {\n const idx = this._callbacks.lastIndexOf(cb);\n if (idx >= 0) {\n this._callbacks.splice(idx, 1);\n }\n }\n\n public async raise(...ev: EventType): Promise<void> {\n this._logger.debug(\"raise:\", ...ev);\n for (const cb of this._callbacks) {\n await cb(...ev);\n }\n }\n}\n","import { jwtDecode } from \"jwt-decode\";\n\nimport { Logger } from \"./Logger\";\nimport type { JwtClaims } from \"../Claims\";\n\n/**\n * @internal\n */\nexport class JwtUtils {\n // IMPORTANT: doesn't validate the token\n public static decode(token: string): JwtClaims {\n try {\n return jwtDecode<JwtClaims>(token);\n }\n catch (err) {\n Logger.error(\"JwtUtils.decode\", err);\n throw err;\n }\n }\n}\n","/**\n *\n * @public\n * @see https://developer.mozilla.org/en-US/docs/Web/API/Window/open#window_features\n */\nexport interface PopupWindowFeatures {\n left?: number;\n top?: number;\n width?: number;\n height?: number;\n menubar?: boolean | string;\n toolbar?: boolean | string;\n location?: boolean | string;\n status?: boolean | string;\n resizable?: boolean | string;\n scrollbars?: boolean | string;\n /** Close popup window after time in seconds, by default it is -1. To enable this feature set value greater than 0 */\n closePopupWindowAfterInSeconds?: number;\n\n [k: string]: boolean | string | number | undefined;\n}\n\nexport class PopupUtils {\n /**\n * Populates a map of window features with a placement centered in front of\n * the current window. If no explicit width is given, a default value is\n * binned into [800, 720, 600, 480, 360] based on the current window's width.\n */\n static center({ ...features }: PopupWindowFeatures): PopupWindowFeatures {\n if (features.width == null)\n features.width = [800, 720, 600, 480].find(width => width <= window.outerWidth / 1.618) ?? 360;\n features.left ??= Math.max(0, Math.round(window.screenX + (window.outerWidth - features.width) / 2));\n if (features.height != null)\n features.top ??= Math.max(0, Math.round(window.screenY + (window.outerHeight - features.height) / 2));\n return features;\n }\n\n static serialize(features: PopupWindowFeatures): string {\n return Object.entries(features)\n .filter(([, value]) => value != null)\n .map(([key, value]) => `${key}=${typeof value !== \"boolean\" ? value as string : value ? \"yes\" : \"no\"}`)\n .join(\",\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Event } from \"./Event\";\nimport { Logger } from \"./Logger\";\n\n/**\n * @internal\n */\nexport class Timer extends Event<[void]> {\n protected readonly _logger = new Logger(`Timer('${this._name}')`);\n private _timerHandle: ReturnType<typeof setInterval> | null = null;\n private _expiration = 0;\n\n // get the time\n public static getEpochTime(): number {\n return Math.floor(Date.now() / 1000);\n }\n\n public init(durationInSeconds: number): void {\n const logger = this._logger.create(\"init\");\n durationInSeconds = Math.max(Math.floor(durationInSeconds), 1);\n const expiration = Timer.getEpochTime() + durationInSeconds;\n if (this.expiration === expiration && this._timerHandle) {\n // no need to reinitialize to same expiration, so bail out\n logger.debug(\"skipping since already initialized for expiration at\", this.expiration);\n return;\n }\n\n this.cancel();\n\n logger.debug(\"using duration\", durationInSeconds);\n this._expiration = expiration;\n\n // we're using a fairly short timer and then checking the expiration in the\n // callback to handle scenarios where the browser device sleeps, and then\n // the timers end up getting delayed.\n const timerDurationInSeconds = Math.min(durationInSeconds, 5);\n this._timerHandle = setInterval(this._callback, timerDurationInSeconds * 1000);\n }\n\n public get expiration(): number {\n return this._expiration;\n }\n\n public cancel(): void {\n this._logger.create(\"cancel\");\n if (this._timerHandle) {\n clearInterval(this._timerHandle);\n this._timerHandle = null;\n }\n }\n\n protected _callback = (): void => {\n const diff = this._expiration - Timer.getEpochTime();\n this._logger.debug(\"timer completes in\", diff);\n\n if (this._expiration <= Timer.getEpochTime()) {\n this.cancel();\n void super.raise();\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * @internal\n */\nexport class UrlUtils {\n public static readParams(url: string, responseMode: \"query\" | \"fragment\" = \"query\"): URLSearchParams {\n if (!url) throw new TypeError(\"Invalid URL\");\n // the base URL is irrelevant, it's just here to support relative url arguments\n const parsedUrl = new URL(url, \"http://127.0.0.1\");\n const params = parsedUrl[responseMode === \"fragment\" ? \"hash\" : \"search\"];\n return new URLSearchParams(params.slice(1));\n }\n}\n\n/**\n * @internal\n */\nexport const URL_STATE_DELIMITER = \";\";","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\n\n/**\n * Error class thrown in case of an authentication error.\n *\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class ErrorResponse extends Error {\n /** Marker to detect class: \"ErrorResponse\" */\n public readonly name: string = \"ErrorResponse\";\n\n /** An error code string that can be used to classify the types of errors that occur and to respond to errors. */\n public readonly error: string | null;\n /** additional information that can help a developer identify the cause of the error.*/\n public readonly error_description: string | null;\n /**\n * URI identifying a human-readable web page with information about the error, used to provide the client\n developer with additional information about the error.\n */\n public readonly error_uri: string | null;\n\n /** custom state data set during the initial signin request */\n public state?: unknown;\n\n public readonly session_state: string | null;\n\n public url_state?: string;\n\n public constructor(\n args: {\n error?: string | null; error_description?: string | null; error_uri?: string | null;\n userState?: unknown; session_state?: string | null; url_state?: string;\n },\n /** The x-www-form-urlencoded request body sent to the authority server */\n public readonly form?: URLSearchParams,\n ) {\n super(args.error_description || args.error || \"\");\n\n if (!args.error) {\n Logger.error(\"ErrorResponse\", \"No error passed\");\n throw new Error(\"No error passed\");\n }\n\n this.error = args.error;\n this.error_description = args.error_description ?? null;\n this.error_uri = args.error_uri ?? null;\n\n this.state = args.userState;\n this.session_state = args.session_state ?? null;\n this.url_state = args.url_state;\n }\n}\n","// Copyright (C) 2021 AuthTS Contributors\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * Error class thrown in case of network timeouts (e.g IFrame time out).\n *\n * @public\n */\nexport class ErrorTimeout extends Error {\n /** Marker to detect class: \"ErrorTimeout\" */\n public readonly name: string = \"ErrorTimeout\";\n\n public constructor(message?: string) {\n super(message);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport type AccessTokenCallback = (...ev: unknown[]) => (Promise<void> | void);\n\n/**\n * @public\n */\nexport class AccessTokenEvents {\n protected readonly _logger = new Logger(\"AccessTokenEvents\");\n\n private readonly _expiringTimer = new Timer(\"Access token expiring\");\n private readonly _expiredTimer = new Timer(\"Access token expired\");\n private readonly _expiringNotificationTimeInSeconds: number;\n\n public constructor(args: { expiringNotificationTimeInSeconds: number }) {\n this._expiringNotificationTimeInSeconds = args.expiringNotificationTimeInSeconds;\n }\n\n public load(container: User): void {\n const logger = this._logger.create(\"load\");\n // only register events if there's an access token and it has an expiration\n if (container.access_token && container.expires_in !== undefined) {\n const duration = container.expires_in;\n logger.debug(\"access token present, remaining duration:\", duration);\n\n if (duration > 0) {\n // only register expiring if we still have time\n let expiring = duration - this._expiringNotificationTimeInSeconds;\n if (expiring <= 0) {\n expiring = 1;\n }\n\n logger.debug(\"registering expiring timer, raising in\", expiring, \"seconds\");\n this._expiringTimer.init(expiring);\n }\n else {\n logger.debug(\"canceling existing expiring timer because we're past expiration.\");\n this._expiringTimer.cancel();\n }\n\n // if it's negative, it will still fire\n const expired = duration + 1;\n logger.debug(\"registering expired timer, raising in\", expired, \"seconds\");\n this._expiredTimer.init(expired);\n }\n else {\n this._expiringTimer.cancel();\n this._expiredTimer.cancel();\n }\n }\n\n public unload(): void {\n this._logger.debug(\"unload: canceling existing access token timers\");\n this._expiringTimer.cancel();\n this._expiredTimer.cancel();\n }\n\n /**\n * Add callback: Raised prior to the access token expiring.\n */\n public addAccessTokenExpiring(cb: AccessTokenCallback): () => void {\n return this._expiringTimer.addHandler(cb);\n }\n /**\n * Remove callback: Raised prior to the access token expiring.\n */\n public removeAccessTokenExpiring(cb: AccessTokenCallback): void {\n this._expiringTimer.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised after the access token has expired.\n */\n public addAccessTokenExpired(cb: AccessTokenCallback): () => void {\n return this._expiredTimer.addHandler(cb);\n }\n /**\n * Remove callback: Raised after the access token has expired.\n */\n public removeAccessTokenExpired(cb: AccessTokenCallback): void {\n this._expiredTimer.removeHandler(cb);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\n\n/**\n * @internal\n */\nexport class CheckSessionIFrame {\n private readonly _logger = new Logger(\"CheckSessionIFrame\");\n private _frame_origin: string;\n private _frame: HTMLIFrameElement;\n private _timer: ReturnType<typeof setInterval> | null = null;\n private _session_state: string | null = null;\n\n public constructor(\n private _callback: () => Promise<void>,\n private _client_id: string,\n url: string,\n private _intervalInSeconds: number,\n private _stopOnError: boolean,\n ) {\n const parsedUrl = new URL(url);\n this._frame_origin = parsedUrl.origin;\n\n this._frame = window.document.createElement(\"iframe\");\n\n // shotgun approach\n this._frame.style.visibility = \"hidden\";\n this._frame.style.position = \"fixed\";\n this._frame.style.left = \"-1000px\";\n this._frame.style.top = \"0\";\n this._frame.width = \"0\";\n this._frame.height = \"0\";\n this._frame.src = parsedUrl.href;\n }\n\n public load(): Promise<void> {\n return new Promise<void>((resolve) => {\n this._frame.onload = () => {\n resolve();\n };\n\n window.document.body.appendChild(this._frame);\n window.addEventListener(\"message\", this._message, false);\n });\n }\n\n private _message = (e: MessageEvent<string>): void => {\n if (e.origin === this._frame_origin &&\n e.source === this._frame.contentWindow\n ) {\n if (e.data === \"error\") {\n this._logger.error(\"error message from check session op iframe\");\n if (this._stopOnError) {\n this.stop();\n }\n }\n else if (e.data === \"changed\") {\n this._logger.debug(\"changed message from check session op iframe\");\n this.stop();\n void this._callback();\n }\n else {\n this._logger.debug(e.data + \" message from check session op iframe\");\n }\n }\n };\n\n public start(session_state: string): void {\n if (this._session_state === session_state) {\n return;\n }\n\n this._logger.create(\"start\");\n\n this.stop();\n\n this._session_state = session_state;\n\n const send = () => {\n if (!this._frame.contentWindow || !this._session_state) {\n return;\n }\n\n this._frame.contentWindow.postMessage(this._client_id + \" \" + this._session_state, this._frame_origin);\n };\n\n // trigger now\n send();\n\n // and setup timer\n this._timer = setInterval(send, this._intervalInSeconds * 1000);\n }\n\n public stop(): void {\n this._logger.create(\"stop\");\n this._session_state = null;\n\n if (this._timer) {\n\n clearInterval(this._timer);\n this._timer = null;\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\n\n/**\n * @public\n */\nexport class InMemoryWebStorage implements Storage {\n private readonly _logger = new Logger(\"InMemoryWebStorage\");\n private _data: Record<string, string> = {};\n\n public clear(): void {\n this._logger.create(\"clear\");\n this._data = {};\n }\n\n public getItem(key: string): string {\n this._logger.create(`getItem('${key}')`);\n return this._data[key];\n }\n\n public setItem(key: string, value: string): void {\n this._logger.create(`setItem('${key}')`);\n this._data[key] = value;\n }\n\n public removeItem(key: string): void {\n this._logger.create(`removeItem('${key}')`);\n delete this._data[key];\n }\n\n public get length(): number {\n return Object.getOwnPropertyNames(this._data).length;\n }\n\n public key(index: number): string {\n return Object.getOwnPropertyNames(this._data)[index];\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { ErrorResponse, ErrorTimeout } from \"./errors\";\nimport type { ExtraHeader } from \"./OidcClientSettings\";\nimport { Logger } from \"./utils\";\n\n/**\n * @internal\n */\nexport type JwtHandler = (text: string) => Promise<Record<string, unknown>>;\n\n/**\n * @internal\n */\nexport interface GetJsonOpts {\n token?: string;\n credentials?: RequestCredentials;\n}\n\n/**\n * @internal\n */\nexport interface PostFormOpts {\n body: URLSearchParams;\n basicAuth?: string;\n timeoutInSeconds?: number;\n initCredentials?: \"same-origin\" | \"include\" | \"omit\";\n}\n\n/**\n * @internal\n */\nexport class JsonService {\n private readonly _logger = new Logger(\"JsonService\");\n\n private _contentTypes: string[] = [];\n\n public constructor(\n additionalContentTypes: string[] = [],\n private _jwtHandler: JwtHandler | null = null,\n private _extraHeaders: Record<string, ExtraHeader> = {},\n ) {\n this._contentTypes.push(...additionalContentTypes, \"application/json\");\n if (_jwtHandler) {\n this._contentTypes.push(\"application/jwt\");\n }\n }\n\n protected async fetchWithTimeout(input: RequestInfo, init: RequestInit & { timeoutInSeconds?: number } = {}) {\n const { timeoutInSeconds, ...initFetch } = init;\n if (!timeoutInSeconds) {\n return await fetch(input, initFetch);\n }\n\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeoutInSeconds * 1000);\n\n try {\n const response = await fetch(input, {\n ...init,\n signal: controller.signal,\n });\n return response;\n }\n catch (err) {\n if (err instanceof DOMException && err.name === \"AbortError\") {\n throw new ErrorTimeout(\"Network timed out\");\n }\n throw err;\n }\n finally {\n clearTimeout(timeoutId);\n }\n }\n\n public async getJson(url: string, {\n token,\n credentials,\n }: GetJsonOpts = {}): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"getJson\");\n const headers: HeadersInit = {\n \"Accept\": this._contentTypes.join(\", \"),\n };\n if (token) {\n logger.debug(\"token passed, setting Authorization header\");\n headers[\"Authorization\"] = \"Bearer \" + token;\n }\n\n this.appendExtraHeaders(headers);\n\n let response: Response;\n try {\n logger.debug(\"url:\", url);\n response = await this.fetchWithTimeout(url, { method: \"GET\", headers, credentials });\n }\n catch (err) {\n logger.error(\"Network Error\");\n throw err;\n }\n\n logger.debug(\"HTTP response received, status\", response.status);\n const contentType = response.headers.get(\"Content-Type\");\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\n logger.throw(new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`));\n }\n if (response.ok && this._jwtHandler && contentType?.startsWith(\"application/jwt\")) {\n return await this._jwtHandler(await response.text());\n }\n let json: Record<string, unknown>;\n try {\n json = await response.json();\n }\n catch (err) {\n logger.error(\"Error parsing JSON response\", err);\n if (response.ok) throw err;\n throw new Error(`${response.statusText} (${response.status})`);\n }\n if (!response.ok) {\n logger.error(\"Error from server:\", json);\n if (json.error) {\n throw new ErrorResponse(json);\n }\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\n }\n return json;\n }\n\n public async postForm(url: string, {\n body,\n basicAuth,\n timeoutInSeconds,\n initCredentials,\n }: PostFormOpts): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"postForm\");\n const headers: HeadersInit = {\n \"Accept\": this._contentTypes.join(\", \"),\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n };\n if (basicAuth !== undefined) {\n headers[\"Authorization\"] = \"Basic \" + basicAuth;\n }\n\n this.appendExtraHeaders(headers);\n\n let response: Response;\n try {\n logger.debug(\"url:\", url);\n response = await this.fetchWithTimeout(url, { method: \"POST\", headers, body, timeoutInSeconds, credentials: initCredentials });\n }\n catch (err) {\n logger.error(\"Network error\");\n throw err;\n }\n\n logger.debug(\"HTTP response received, status\", response.status);\n const contentType = response.headers.get(\"Content-Type\");\n if (contentType && !this._contentTypes.find(item => contentType.startsWith(item))) {\n throw new Error(`Invalid response Content-Type: ${(contentType ?? \"undefined\")}, from URL: ${url}`);\n }\n\n const responseText = await response.text();\n\n let json: Record<string, unknown> = {};\n if (responseText) {\n try {\n json = JSON.parse(responseText);\n }\n catch (err) {\n logger.error(\"Error parsing JSON response\", err);\n if (response.ok) throw err;\n throw new Error(`${response.statusText} (${response.status})`);\n }\n }\n\n if (!response.ok) {\n logger.error(\"Error from server:\", json);\n if (json.error) {\n throw new ErrorResponse(json, body);\n }\n throw new Error(`${response.statusText} (${response.status}): ${JSON.stringify(json)}`);\n }\n\n return json;\n }\n\n private appendExtraHeaders(\n headers: Record<string, string>,\n ): void {\n const logger = this._logger.create(\"appendExtraHeaders\");\n const customKeys = Object.keys(this._extraHeaders);\n const protectedHeaders = [\n \"authorization\",\n \"accept\",\n \"content-type\",\n ];\n if (customKeys.length === 0) {\n return;\n }\n customKeys.forEach((headerName) => {\n if (protectedHeaders.includes(headerName.toLocaleLowerCase())) {\n logger.warn(\"Protected header could not be overridden\", headerName, protectedHeaders);\n return;\n }\n const content = (typeof this._extraHeaders[headerName] === \"function\") ?\n (this._extraHeaders[headerName] as ()=>string)() :\n this._extraHeaders[headerName];\n if (content && content !== \"\") {\n headers[headerName] = content as string;\n }\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { OidcClientSettingsStore, SigningKey } from \"./OidcClientSettings\";\nimport type { OidcMetadata } from \"./OidcMetadata\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata\n */\nexport class MetadataService {\n private readonly _logger = new Logger(\"MetadataService\");\n private readonly _jsonService;\n\n // cache\n private _metadataUrl: string;\n private _signingKeys: SigningKey[] | null = null;\n private _metadata: Partial<OidcMetadata> | null = null;\n private _fetchRequestCredentials: RequestCredentials | undefined;\n\n public constructor(private readonly _settings: OidcClientSettingsStore) {\n this._metadataUrl = this._settings.metadataUrl;\n this._jsonService = new JsonService(\n [\"application/jwk-set+json\"],\n null,\n this._settings.extraHeaders,\n );\n if (this._settings.signingKeys) {\n this._logger.debug(\"using signingKeys from settings\");\n this._signingKeys = this._settings.signingKeys;\n }\n\n if (this._settings.metadata) {\n this._logger.debug(\"using metadata from settings\");\n this._metadata = this._settings.metadata;\n }\n\n if (this._settings.fetchRequestCredentials) {\n this._logger.debug(\"using fetchRequestCredentials from settings\");\n this._fetchRequestCredentials = this._settings.fetchRequestCredentials;\n }\n }\n\n public resetSigningKeys(): void {\n this._signingKeys = null;\n }\n\n public async getMetadata(): Promise<Partial<OidcMetadata>> {\n const logger = this._logger.create(\"getMetadata\");\n if (this._metadata) {\n logger.debug(\"using cached values\");\n return this._metadata;\n }\n\n if (!this._metadataUrl) {\n logger.throw(new Error(\"No authority or metadataUrl configured on settings\"));\n throw null;\n }\n\n logger.debug(\"getting metadata from\", this._metadataUrl);\n const metadata = await this._jsonService.getJson(this._metadataUrl, { credentials: this._fetchRequestCredentials });\n\n logger.debug(\"merging remote JSON with seed metadata\");\n this._metadata = Object.assign({}, this._settings.metadataSeed, metadata);\n return this._metadata;\n }\n\n public getIssuer(): Promise<string> {\n return this._getMetadataProperty(\"issuer\") as Promise<string>;\n }\n\n public getAuthorizationEndpoint(): Promise<string> {\n return this._getMetadataProperty(\"authorization_endpoint\") as Promise<string>;\n }\n\n public getUserInfoEndpoint(): Promise<string> {\n return this._getMetadataProperty(\"userinfo_endpoint\") as Promise<string>;\n }\n\n public getTokenEndpoint(optional: false): Promise<string>;\n public getTokenEndpoint(optional?: true): Promise<string | undefined>;\n public getTokenEndpoint(optional = true): Promise<string | undefined> {\n return this._getMetadataProperty(\"token_endpoint\", optional) as Promise<string | undefined>;\n }\n\n public getCheckSessionIframe(): Promise<string | undefined> {\n return this._getMetadataProperty(\"check_session_iframe\", true) as Promise<string | undefined>;\n }\n\n public getEndSessionEndpoint(): Promise<string | undefined> {\n return this._getMetadataProperty(\"end_session_endpoint\", true) as Promise<string | undefined>;\n }\n\n public getRevocationEndpoint(optional: false): Promise<string>;\n public getRevocationEndpoint(optional?: true): Promise<string | undefined>;\n public getRevocationEndpoint(optional = true): Promise<string | undefined> {\n return this._getMetadataProperty(\"revocation_endpoint\", optional) as Promise<string | undefined>;\n }\n\n public getKeysEndpoint(optional: false): Promise<string>;\n public getKeysEndpoint(optional?: true): Promise<string | undefined>;\n public getKeysEndpoint(optional = true): Promise<string | undefined> {\n return this._getMetadataProperty(\"jwks_uri\", optional) as Promise<string | undefined>;\n }\n\n protected async _getMetadataProperty(name: keyof OidcMetadata, optional=false): Promise<string | boolean | string[] | undefined> {\n const logger = this._logger.create(`_getMetadataProperty('${name}')`);\n\n const metadata = await this.getMetadata();\n logger.debug(\"resolved\");\n\n if (metadata[name] === undefined) {\n if (optional === true) {\n logger.warn(\"Metadata does not contain optional property\");\n return undefined;\n }\n\n logger.throw(new Error(\"Metadata does not contain property \" + name));\n }\n\n return metadata[name];\n }\n\n public async getSigningKeys(): Promise<SigningKey[] | null> {\n const logger = this._logger.create(\"getSigningKeys\");\n if (this._signingKeys) {\n logger.debug(\"returning signingKeys from cache\");\n return this._signingKeys;\n }\n\n const jwks_uri = await this.getKeysEndpoint(false);\n logger.debug(\"got jwks_uri\", jwks_uri);\n\n const keySet = await this._jsonService.getJson(jwks_uri);\n logger.debug(\"got key set\", keySet);\n\n if (!Array.isArray(keySet.keys)) {\n logger.throw(new Error(\"Missing keys on keyset\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n this._signingKeys = keySet.keys;\n return this._signingKeys;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport type { StateStore } from \"./StateStore\";\nimport type { AsyncStorage } from \"./AsyncStorage\";\n\n/**\n * @public\n */\nexport class WebStorageStateStore implements StateStore {\n private readonly _logger = new Logger(\"WebStorageStateStore\");\n\n private readonly _store: AsyncStorage | Storage;\n private readonly _prefix: string;\n\n public constructor({\n prefix = \"oidc.\",\n store = localStorage,\n }: { prefix?: string; store?: AsyncStorage | Storage } = {}) {\n this._store = store;\n this._prefix = prefix;\n }\n\n public async set(key: string, value: string): Promise<void> {\n this._logger.create(`set('${key}')`);\n\n key = this._prefix + key;\n await this._store.setItem(key, value);\n }\n\n public async get(key: string): Promise<string | null> {\n this._logger.create(`get('${key}')`);\n\n key = this._prefix + key;\n const item = await this._store.getItem(key);\n return item;\n }\n\n public async remove(key: string): Promise<string | null> {\n this._logger.create(`remove('${key}')`);\n\n key = this._prefix + key;\n const item = await this._store.getItem(key);\n await this._store.removeItem(key);\n return item;\n }\n\n public async getAllKeys(): Promise<string[]> {\n this._logger.create(\"getAllKeys\");\n const len = await this._store.length;\n\n const keys = [];\n for (let index = 0; index < len; index++) {\n const key = await this._store.key(index);\n if (key && key.indexOf(this._prefix) === 0) {\n keys.push(key.substr(this._prefix.length));\n }\n }\n return keys;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\nimport type { OidcMetadata } from \"./OidcMetadata\";\nimport type { StateStore } from \"./StateStore\";\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\n\nconst DefaultResponseType = \"code\";\nconst DefaultScope = \"openid\";\nconst DefaultClientAuthentication = \"client_secret_post\";\nconst DefaultStaleStateAgeInSeconds = 60 * 15;\n\n/**\n * @public\n */\nexport type SigningKey = Record<string, string | string[]>;\n\n/**\n * @public\n */\nexport type ExtraHeader = string | (() => string);\n\n/**\n * The settings used to configure the {@link OidcClient}.\n *\n * @public\n */\nexport interface OidcClientSettings {\n /** The URL of the OIDC/OAuth2 provider */\n authority: string;\n metadataUrl?: string;\n /** Provide metadata when authority server does not allow CORS on the metadata endpoint */\n metadata?: Partial<OidcMetadata>;\n /** Can be used to seed or add additional values to the results of the discovery request */\n metadataSeed?: Partial<OidcMetadata>;\n /** Provide signingKeys when authority server does not allow CORS on the jwks uri */\n signingKeys?: SigningKey[];\n\n /** Your client application's identifier as registered with the OIDC/OAuth2 */\n client_id: string;\n client_secret?: string;\n /** The type of response desired from the OIDC/OAuth2 provider (default: \"code\") */\n response_type?: string;\n /** The scope being requested from the OIDC/OAuth2 provider (default: \"openid\") */\n scope?: string;\n /** The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider */\n redirect_uri: string;\n /** The OIDC/OAuth2 post-logout redirect URI */\n post_logout_redirect_uri?: string;\n\n /**\n * Client authentication method that is used to authenticate when using the token endpoint (default: \"client_secret_post\")\n * - \"client_secret_basic\": using the HTTP Basic authentication scheme\n * - \"client_secret_post\": including the client credentials in the request body\n *\n * See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication\n */\n client_authentication?: \"client_secret_basic\" | \"client_secret_post\";\n\n /** optional protocol param */\n prompt?: string;\n /** optional protocol param */\n display?: string;\n /** optional protocol param */\n max_age?: number;\n /** optional protocol param */\n ui_locales?: string;\n /** optional protocol param */\n acr_values?: string;\n /** optional protocol param */\n resource?: string | string[];\n\n /**\n * Optional protocol param\n * The response mode used by the authority server is defined by the response_type unless explicitly specified:\n * - Response mode for the OAuth 2.0 response type \"code\" is the \"query\" encoding\n * - Response mode for the OAuth 2.0 response type \"token\" is the \"fragment\" encoding\n *\n * @see https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes\n */\n response_mode?: \"query\" | \"fragment\";\n\n /**\n * Should optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true)\n * When true, the following claims are removed by default: [\"nbf\", \"jti\", \"auth_time\", \"nonce\", \"acr\", \"amr\", \"azp\", \"at_hash\"]\n * When specifying claims, the following claims are not allowed: [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"]\n */\n filterProtocolClaims?: boolean | string[];\n /** Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false) */\n loadUserInfo?: boolean;\n /** Number (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900) */\n staleStateAgeInSeconds?: number;\n\n /**\n * Indicates how objects returned from the user info endpoint as claims (e.g. `address`) are merged into the claims from the\n * id token as a single object. (default: `{ array: \"replace\" }`)\n * - array: \"replace\": natives (string, int, float) and arrays are replaced, objects are merged as distinct objects\n * - array: \"merge\": natives (string, int, float) are replaced, arrays and objects are merged as distinct objects\n */\n mergeClaimsStrategy?: { array: \"replace\" | \"merge\" };\n\n /**\n * Storage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window).\n * E.g. `stateStore: new WebStorageStateStore({ store: window.localStorage })`\n */\n stateStore?: StateStore;\n\n /**\n * An object containing additional query string parameters to be including in the authorization request.\n * E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: `{resource:\"some_identifier\"}`\n */\n extraQueryParams?: Record<string, string | number | boolean>;\n\n extraTokenParams?: Record<string, unknown>;\n\n /**\n * An object containing additional header to be including in request.\n */\n extraHeaders?: Record<string, ExtraHeader>;\n\n /**\n * Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])\n */\n revokeTokenAdditionalContentTypes?: string[];\n /**\n * Will disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)\n */\n disablePKCE?: boolean;\n /**\n * Sets the credentials for fetch requests. (default: \"same-origin\")\n * Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies\n */\n fetchRequestCredentials?: RequestCredentials;\n\n /**\n * Only scopes in this list will be passed in the token refresh request.\n */\n refreshTokenAllowedScope?: string | undefined;\n}\n\n/**\n * The settings with defaults applied of the {@link OidcClient}.\n *\n * @public\n * @see {@link OidcClientSettings}\n */\nexport class OidcClientSettingsStore {\n // metadata\n public readonly authority: string;\n public readonly metadataUrl: string;\n public readonly metadata: Partial<OidcMetadata> | undefined;\n public readonly metadataSeed: Partial<OidcMetadata> | undefined;\n public readonly signingKeys: SigningKey[] | undefined;\n\n // client config\n public readonly client_id: string;\n public readonly client_secret: string | undefined;\n public readonly response_type: string;\n public readonly scope: string;\n public readonly redirect_uri: string;\n public readonly post_logout_redirect_uri: string | undefined;\n public readonly client_authentication: \"client_secret_basic\" | \"client_secret_post\";\n\n // optional protocol params\n public readonly prompt: string | undefined;\n public readonly display: string | undefined;\n public readonly max_age: number | undefined;\n public readonly ui_locales: string | undefined;\n public readonly acr_values: string | undefined;\n public readonly resource: string | string[] | undefined;\n public readonly response_mode: \"query\" | \"fragment\" | undefined;\n\n // behavior flags\n public readonly filterProtocolClaims: boolean | string[];\n public readonly loadUserInfo: boolean;\n public readonly staleStateAgeInSeconds: number;\n public readonly mergeClaimsStrategy: { array: \"replace\" | \"merge\" };\n\n public readonly stateStore: StateStore;\n\n // extra\n public readonly extraQueryParams: Record<string, string | number | boolean>;\n public readonly extraTokenParams: Record<string, unknown>;\n public readonly extraHeaders: Record<string, ExtraHeader>;\n\n public readonly revokeTokenAdditionalContentTypes?: string[];\n public readonly fetchRequestCredentials: RequestCredentials;\n public readonly refreshTokenAllowedScope: string | undefined;\n public readonly disablePKCE: boolean;\n\n public constructor({\n // metadata related\n authority, metadataUrl, metadata, signingKeys, metadataSeed,\n // client related\n client_id, client_secret, response_type = DefaultResponseType, scope = DefaultScope,\n redirect_uri, post_logout_redirect_uri,\n client_authentication = DefaultClientAuthentication,\n // optional protocol\n prompt, display, max_age, ui_locales, acr_values, resource, response_mode,\n // behavior flags\n filterProtocolClaims = true,\n loadUserInfo = false,\n staleStateAgeInSeconds = DefaultStaleStateAgeInSeconds,\n mergeClaimsStrategy = { array: \"replace\" },\n disablePKCE = false,\n // other behavior\n stateStore,\n revokeTokenAdditionalContentTypes,\n fetchRequestCredentials,\n refreshTokenAllowedScope,\n // extra\n extraQueryParams = {},\n extraTokenParams = {},\n extraHeaders = {},\n }: OidcClientSettings) {\n\n this.authority = authority;\n\n if (metadataUrl) {\n this.metadataUrl = metadataUrl;\n } else {\n this.metadataUrl = authority;\n if (authority) {\n if (!this.metadataUrl.endsWith(\"/\")) {\n this.metadataUrl += \"/\";\n }\n this.metadataUrl += \".well-known/openid-configuration\";\n }\n }\n\n this.metadata = metadata;\n this.metadataSeed = metadataSeed;\n this.signingKeys = signingKeys;\n\n this.client_id = client_id;\n this.client_secret = client_secret;\n this.response_type = response_type;\n this.scope = scope;\n this.redirect_uri = redirect_uri;\n this.post_logout_redirect_uri = post_logout_redirect_uri;\n this.client_authentication = client_authentication;\n\n this.prompt = prompt;\n this.display = display;\n this.max_age = max_age;\n this.ui_locales = ui_locales;\n this.acr_values = acr_values;\n this.resource = resource;\n this.response_mode = response_mode;\n\n this.filterProtocolClaims = filterProtocolClaims ?? true;\n this.loadUserInfo = !!loadUserInfo;\n this.staleStateAgeInSeconds = staleStateAgeInSeconds;\n this.mergeClaimsStrategy = mergeClaimsStrategy;\n this.disablePKCE = !!disablePKCE;\n this.revokeTokenAdditionalContentTypes = revokeTokenAdditionalContentTypes;\n\n this.fetchRequestCredentials = fetchRequestCredentials ? fetchRequestCredentials : \"same-origin\";\n\n if (stateStore) {\n this.stateStore = stateStore;\n }\n else {\n const store = typeof window !== \"undefined\" ? window.localStorage : new InMemoryWebStorage();\n this.stateStore = new WebStorageStateStore({ store });\n }\n\n this.refreshTokenAllowedScope = refreshTokenAllowedScope;\n\n this.extraQueryParams = extraQueryParams;\n this.extraTokenParams = extraTokenParams;\n this.extraHeaders = extraHeaders;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, JwtUtils } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { MetadataService } from \"./MetadataService\";\nimport type { JwtClaims } from \"./Claims\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\n\n/**\n * @internal\n */\nexport class UserInfoService {\n protected readonly _logger = new Logger(\"UserInfoService\");\n private readonly _jsonService: JsonService;\n\n public constructor(private readonly _settings: OidcClientSettingsStore,\n private readonly _metadataService: MetadataService,\n ) {\n this._jsonService = new JsonService(\n undefined,\n this._getClaimsFromJwt,\n this._settings.extraHeaders,\n );\n }\n\n public async getClaims(token: string): Promise<JwtClaims> {\n const logger = this._logger.create(\"getClaims\");\n if (!token) {\n this._logger.throw(new Error(\"No token passed\"));\n }\n\n const url = await this._metadataService.getUserInfoEndpoint();\n logger.debug(\"got userinfo url\", url);\n\n const claims = await this._jsonService.getJson(url, {\n token,\n credentials: this._settings.fetchRequestCredentials,\n });\n logger.debug(\"got claims\", claims);\n\n return claims;\n }\n\n protected _getClaimsFromJwt = async (responseText: string): Promise<JwtClaims> => {\n const logger = this._logger.create(\"_getClaimsFromJwt\");\n try {\n const payload = JwtUtils.decode(responseText);\n logger.debug(\"JWT decoding successful\");\n\n return payload;\n } catch (err) {\n logger.error(\"Error parsing JWT response\");\n throw err;\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { CryptoUtils, Logger } from \"./utils\";\nimport { JsonService } from \"./JsonService\";\nimport type { MetadataService } from \"./MetadataService\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\n\n/**\n * @internal\n */\nexport interface ExchangeCodeArgs {\n client_id?: string;\n client_secret?: string;\n redirect_uri?: string;\n\n grant_type?: string;\n code: string;\n code_verifier?: string;\n}\n\n/**\n * @internal\n */\nexport interface ExchangeCredentialsArgs {\n client_id?: string;\n client_secret?: string;\n\n grant_type?: string;\n scope?: string;\n\n username: string;\n password: string;\n}\n\n/**\n * @internal\n */\nexport interface ExchangeRefreshTokenArgs {\n client_id?: string;\n client_secret?: string;\n redirect_uri?: string;\n\n grant_type?: string;\n refresh_token: string;\n scope?: string;\n resource?: string | string[];\n\n timeoutInSeconds?: number;\n}\n\n/**\n * @internal\n */\nexport interface RevokeArgs {\n token: string;\n token_type_hint?: \"access_token\" | \"refresh_token\";\n}\n\n/**\n * @internal\n */\nexport class TokenClient {\n private readonly _logger = new Logger(\"TokenClient\");\n private readonly _jsonService;\n\n public constructor(\n private readonly _settings: OidcClientSettingsStore,\n private readonly _metadataService: MetadataService,\n ) {\n this._jsonService = new JsonService(\n this._settings.revokeTokenAdditionalContentTypes,\n null,\n this._settings.extraHeaders,\n );\n }\n\n /**\n * Exchange code.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3\n */\n public async exchangeCode({\n grant_type = \"authorization_code\",\n redirect_uri = this._settings.redirect_uri,\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n ...args\n }: ExchangeCodeArgs): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeCode\");\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n if (!redirect_uri) {\n logger.throw(new Error(\"A redirect_uri is required\"));\n }\n if (!args.code) {\n logger.throw(new Error(\"A code is required\"));\n }\n\n const params = new URLSearchParams({ grant_type, redirect_uri });\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n let basicAuth: string | undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, initCredentials: this._settings.fetchRequestCredentials });\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Exchange credentials.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2\n */\n public async exchangeCredentials({\n grant_type = \"password\",\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n scope = this._settings.scope,\n ...args\n }: ExchangeCredentialsArgs): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeCredentials\");\n\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n\n const params = new URLSearchParams({ grant_type, scope });\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n\n let basicAuth: string | undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, initCredentials: this._settings.fetchRequestCredentials });\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Exchange a refresh token.\n *\n * @see https://www.rfc-editor.org/rfc/rfc6749#section-6\n */\n public async exchangeRefreshToken({\n grant_type = \"refresh_token\",\n client_id = this._settings.client_id,\n client_secret = this._settings.client_secret,\n timeoutInSeconds,\n ...args\n }: ExchangeRefreshTokenArgs): Promise<Record<string, unknown>> {\n const logger = this._logger.create(\"exchangeRefreshToken\");\n if (!client_id) {\n logger.throw(new Error(\"A client_id is required\"));\n }\n if (!args.refresh_token) {\n logger.throw(new Error(\"A refresh_token is required\"));\n }\n\n const params = new URLSearchParams({ grant_type });\n for (const [key, value] of Object.entries(args)) {\n if (Array.isArray(value)) {\n value.forEach(param => params.append(key, param));\n }\n else if (value != null) {\n params.set(key, value);\n }\n }\n let basicAuth: string | undefined;\n switch (this._settings.client_authentication) {\n case \"client_secret_basic\":\n if (!client_secret) {\n logger.throw(new Error(\"A client_secret is required\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n basicAuth = CryptoUtils.generateBasicAuth(client_id, client_secret);\n break;\n case \"client_secret_post\":\n params.append(\"client_id\", client_id);\n if (client_secret) {\n params.append(\"client_secret\", client_secret);\n }\n break;\n }\n\n const url = await this._metadataService.getTokenEndpoint(false);\n logger.debug(\"got token endpoint\");\n\n const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });\n logger.debug(\"got response\");\n\n return response;\n }\n\n /**\n * Revoke an access or refresh token.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.1\n */\n public async revoke(args: RevokeArgs): Promise<void> {\n const logger = this._logger.create(\"revoke\");\n if (!args.token) {\n logger.throw(new Error(\"A token is required\"));\n }\n\n const url = await this._metadataService.getRevocationEndpoint(false);\n\n logger.debug(`got revocation endpoint, revoking ${args.token_type_hint ?? \"default token type\"}`);\n\n const params = new URLSearchParams();\n for (const [key, value] of Object.entries(args)) {\n if (value != null) {\n params.set(key, value);\n }\n }\n params.set(\"client_id\", this._settings.client_id);\n if (this._settings.client_secret) {\n params.set(\"client_secret\", this._settings.client_secret);\n }\n\n await this._jsonService.postForm(url, { body: params });\n logger.debug(\"got response\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, JwtUtils } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport type { MetadataService } from \"./MetadataService\";\nimport { UserInfoService } from \"./UserInfoService\";\nimport { TokenClient } from \"./TokenClient\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { SigninState } from \"./SigninState\";\nimport type { SigninResponse } from \"./SigninResponse\";\nimport type { State } from \"./State\";\nimport type { SignoutResponse } from \"./SignoutResponse\";\nimport type { UserProfile } from \"./User\";\nimport type { RefreshState } from \"./RefreshState\";\nimport type { IdTokenClaims } from \"./Claims\";\nimport type { ClaimsService } from \"./ClaimsService\";\n\n/**\n * @internal\n */\nexport class ResponseValidator {\n protected readonly _logger = new Logger(\"ResponseValidator\");\n protected readonly _userInfoService = new UserInfoService(this._settings, this._metadataService);\n protected readonly _tokenClient = new TokenClient(this._settings, this._metadataService);\n\n public constructor(\n protected readonly _settings: OidcClientSettingsStore,\n protected readonly _metadataService: MetadataService,\n protected readonly _claimsService: ClaimsService,\n ) {}\n\n public async validateSigninResponse(response: SigninResponse, state: SigninState): Promise<void> {\n const logger = this._logger.create(\"validateSigninResponse\");\n\n this._processSigninState(response, state);\n logger.debug(\"state processed\");\n\n await this._processCode(response, state);\n logger.debug(\"code processed\");\n\n if (response.isOpenId) {\n this._validateIdTokenAttributes(response);\n }\n logger.debug(\"tokens validated\");\n\n await this._processClaims(response, state?.skipUserInfo, response.isOpenId);\n logger.debug(\"claims processed\");\n }\n\n public async validateCredentialsResponse(response: SigninResponse, skipUserInfo: boolean): Promise<void> {\n const logger = this._logger.create(\"validateCredentialsResponse\");\n\n if (response.isOpenId && !!response.id_token) {\n this._validateIdTokenAttributes(response);\n }\n logger.debug(\"tokens validated\");\n\n await this._processClaims(response, skipUserInfo, response.isOpenId);\n logger.debug(\"claims processed\");\n }\n\n public async validateRefreshResponse(response: SigninResponse, state: RefreshState): Promise<void> {\n const logger = this._logger.create(\"validateRefreshResponse\");\n\n response.userState = state.data;\n // if there's no session_state on the response, copy over session_state from original request\n response.session_state ??= state.session_state;\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\n response.scope ??= state.scope;\n\n // OpenID Connect Core 1.0 says that id_token is optional in refresh response:\n // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse\n if (response.isOpenId && !!response.id_token) {\n this._validateIdTokenAttributes(response, state.id_token);\n logger.debug(\"ID Token validated\");\n }\n\n if (!response.id_token) {\n // if there's no id_token on the response, copy over id_token from original request\n response.id_token = state.id_token;\n // and decoded part too\n response.profile = state.profile;\n }\n\n const hasIdToken = response.isOpenId && !!response.id_token;\n await this._processClaims(response, false, hasIdToken);\n logger.debug(\"claims processed\");\n }\n\n public validateSignoutResponse(response: SignoutResponse, state: State): void {\n const logger = this._logger.create(\"validateSignoutResponse\");\n if (state.id !== response.state) {\n logger.throw(new Error(\"State does not match\"));\n }\n\n // now that we know the state matches, take the stored data\n // and set it into the response so callers can get their state\n // this is important for both success & error outcomes\n logger.debug(\"state validated\");\n response.userState = state.data;\n\n if (response.error) {\n logger.warn(\"Response was error\", response.error);\n throw new ErrorResponse(response);\n }\n }\n\n protected _processSigninState(response: SigninResponse, state: SigninState): void {\n const logger = this._logger.create(\"_processSigninState\");\n if (state.id !== response.state) {\n logger.throw(new Error(\"State does not match\"));\n }\n\n if (!state.client_id) {\n logger.throw(new Error(\"No client_id on state\"));\n }\n\n if (!state.authority) {\n logger.throw(new Error(\"No authority on state\"));\n }\n\n // ensure we're using the correct authority\n if (this._settings.authority !== state.authority) {\n logger.throw(new Error(\"authority mismatch on settings vs. signin state\"));\n }\n if (this._settings.client_id && this._settings.client_id !== state.client_id) {\n logger.throw(new Error(\"client_id mismatch on settings vs. signin state\"));\n }\n\n // now that we know the state matches, take the stored data\n // and set it into the response so callers can get their state\n // this is important for both success & error outcomes\n logger.debug(\"state validated\");\n response.userState = state.data;\n response.url_state = state.url_state;\n // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request\n response.scope ??= state.scope;\n\n if (response.error) {\n logger.warn(\"Response was error\", response.error);\n throw new ErrorResponse(response);\n }\n\n if (state.code_verifier && !response.code) {\n logger.throw(new Error(\"Expected code in response\"));\n }\n\n }\n\n protected async _processClaims(response: SigninResponse, skipUserInfo = false, validateSub = true): Promise<void> {\n const logger = this._logger.create(\"_processClaims\");\n response.profile = this._claimsService.filterProtocolClaims(response.profile);\n\n if (skipUserInfo || !this._settings.loadUserInfo || !response.access_token) {\n logger.debug(\"not loading user info\");\n return;\n }\n\n logger.debug(\"loading user info\");\n const claims = await this._userInfoService.getClaims(response.access_token);\n logger.debug(\"user info claims received from user info endpoint\");\n\n if (validateSub && claims.sub !== response.profile.sub) {\n logger.throw(new Error(\"subject from UserInfo response does not match subject in ID Token\"));\n }\n\n response.profile = this._claimsService.mergeClaims(response.profile, this._claimsService.filterProtocolClaims(claims as IdTokenClaims));\n logger.debug(\"user info claims received, updated profile:\", response.profile);\n }\n\n protected async _processCode(response: SigninResponse, state: SigninState): Promise<void> {\n const logger = this._logger.create(\"_processCode\");\n if (response.code) {\n logger.debug(\"Validating code\");\n const tokenResponse = await this._tokenClient.exchangeCode({\n client_id: state.client_id,\n client_secret: state.client_secret,\n code: response.code,\n redirect_uri: state.redirect_uri,\n code_verifier: state.code_verifier,\n ...state.extraTokenParams,\n });\n Object.assign(response, tokenResponse);\n } else {\n logger.debug(\"No code to process\");\n }\n }\n\n protected _validateIdTokenAttributes(response: SigninResponse, existingToken?: string): void {\n const logger = this._logger.create(\"_validateIdTokenAttributes\");\n\n logger.debug(\"decoding ID Token JWT\");\n const incoming = JwtUtils.decode(response.id_token ?? \"\");\n\n if (!incoming.sub) {\n logger.throw(new Error(\"ID Token is missing a subject claim\"));\n }\n\n if (existingToken) {\n const existing = JwtUtils.decode(existingToken);\n if (incoming.sub !== existing.sub) {\n logger.throw(new Error(\"sub in id_token does not match current sub\"));\n }\n if (incoming.auth_time && incoming.auth_time !== existing.auth_time) {\n logger.throw(new Error(\"auth_time in id_token does not match original auth_time\"));\n }\n if (incoming.azp && incoming.azp !== existing.azp) {\n logger.throw(new Error(\"azp in id_token does not match original azp\"));\n }\n if (!incoming.azp && existing.azp) {\n logger.throw(new Error(\"azp not in id_token, but present in original id_token\"));\n }\n }\n\n response.profile = incoming as UserProfile;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, CryptoUtils, Timer } from \"./utils\";\nimport type { StateStore } from \"./StateStore\";\n\n/**\n * @public\n */\nexport class State {\n public readonly id: string;\n public readonly created: number;\n public readonly request_type: string | undefined;\n public readonly url_state: string | undefined;\n\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n public readonly data?: unknown;\n\n public constructor(args: {\n id?: string;\n data?: unknown;\n created?: number;\n request_type?: string;\n url_state?: string;\n }) {\n this.id = args.id || CryptoUtils.generateUUIDv4();\n this.data = args.data;\n\n if (args.created && args.created > 0) {\n this.created = args.created;\n }\n else {\n this.created = Timer.getEpochTime();\n }\n this.request_type = args.request_type;\n this.url_state = args.url_state;\n }\n\n public toStorageString(): string {\n new Logger(\"State\").create(\"toStorageString\");\n return JSON.stringify({\n id: this.id,\n data: this.data,\n created: this.created,\n request_type: this.request_type,\n url_state: this.url_state,\n });\n }\n\n public static fromStorageString(storageString: string): Promise<State> {\n Logger.createStatic(\"State\", \"fromStorageString\");\n return Promise.resolve(new State(JSON.parse(storageString)));\n }\n\n public static async clearStaleState(storage: StateStore, age: number): Promise<void> {\n const logger = Logger.createStatic(\"State\", \"clearStaleState\");\n const cutoff = Timer.getEpochTime() - age;\n\n const keys = await storage.getAllKeys();\n logger.debug(\"got keys\", keys);\n\n for (let i = 0; i < keys.length; i++) {\n const key = keys[i];\n const item = await storage.get(key);\n let remove = false;\n\n if (item) {\n try {\n const state = await State.fromStorageString(item);\n\n logger.debug(\"got item from key:\", key, state.created);\n if (state.created <= cutoff) {\n remove = true;\n }\n }\n catch (err) {\n logger.error(\"Error parsing state for key:\", key, err);\n remove = true;\n }\n }\n else {\n logger.debug(\"no item in storage for key:\", key);\n remove = true;\n }\n\n if (remove) {\n logger.debug(\"removed item for key:\", key);\n void storage.remove(key);\n }\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, CryptoUtils } from \"./utils\";\nimport { State } from \"./State\";\n\n/** @public */\nexport interface SigninStateArgs {\n id?: string;\n data?: unknown;\n created?: number;\n request_type?: string;\n\n code_verifier?: string;\n code_challenge?: string;\n authority: string;\n client_id: string;\n redirect_uri: string;\n scope: string;\n client_secret?: string;\n extraTokenParams?: Record<string, unknown>;\n response_mode?: \"query\" | \"fragment\";\n skipUserInfo?: boolean;\n url_state?: string;\n}\n\n/** @public */\nexport type SigninStateCreateArgs = Omit<SigninStateArgs, \"code_verifier\"> & {\n code_verifier?: string | boolean;\n};\n\n/**\n * @public\n */\nexport class SigninState extends State {\n // isCode\n /** The same code_verifier that was used to obtain the authorization_code via PKCE. */\n public readonly code_verifier: string | undefined;\n /** Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). */\n public readonly code_challenge: string | undefined;\n\n // to ensure state still matches settings\n /** @see {@link OidcClientSettings.authority} */\n public readonly authority: string;\n /** @see {@link OidcClientSettings.client_id} */\n public readonly client_id: string;\n /** @see {@link OidcClientSettings.redirect_uri} */\n public readonly redirect_uri: string;\n /** @see {@link OidcClientSettings.scope} */\n public readonly scope: string;\n /** @see {@link OidcClientSettings.client_secret} */\n public readonly client_secret: string | undefined;\n /** @see {@link OidcClientSettings.extraTokenParams} */\n public readonly extraTokenParams: Record<string, unknown> | undefined;\n /** @see {@link OidcClientSettings.response_mode} */\n public readonly response_mode: \"query\" | \"fragment\" | undefined;\n\n public readonly skipUserInfo: boolean | undefined;\n\n private constructor(args: SigninStateArgs) {\n super(args);\n\n this.code_verifier = args.code_verifier;\n this.code_challenge = args.code_challenge;\n this.authority = args.authority;\n this.client_id = args.client_id;\n this.redirect_uri = args.redirect_uri;\n this.scope = args.scope;\n this.client_secret = args.client_secret;\n this.extraTokenParams = args.extraTokenParams;\n\n this.response_mode = args.response_mode;\n this.skipUserInfo = args.skipUserInfo;\n }\n\n public static async create(args: SigninStateCreateArgs): Promise<SigninState> {\n const code_verifier = args.code_verifier === true ? CryptoUtils.generateCodeVerifier() : (args.code_verifier || undefined);\n const code_challenge = code_verifier ? (await CryptoUtils.generateCodeChallenge(code_verifier)) : undefined;\n\n return new SigninState({\n ...args,\n code_verifier,\n code_challenge,\n });\n }\n\n public toStorageString(): string {\n new Logger(\"SigninState\").create(\"toStorageString\");\n return JSON.stringify({\n id: this.id,\n data: this.data,\n created: this.created,\n request_type: this.request_type,\n url_state: this.url_state,\n\n code_verifier: this.code_verifier,\n authority: this.authority,\n client_id: this.client_id,\n redirect_uri: this.redirect_uri,\n scope: this.scope,\n client_secret: this.client_secret,\n extraTokenParams : this.extraTokenParams,\n response_mode: this.response_mode,\n skipUserInfo: this.skipUserInfo,\n });\n }\n\n public static fromStorageString(storageString: string): Promise<SigninState> {\n Logger.createStatic(\"SigninState\", \"fromStorageString\");\n const data = JSON.parse(storageString);\n return SigninState.create(data);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, URL_STATE_DELIMITER } from \"./utils\";\nimport { SigninState } from \"./SigninState\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\n */\nexport interface SigninRequestCreateArgs {\n // mandatory\n url: string;\n authority: string;\n client_id: string;\n redirect_uri: string;\n response_type: string;\n scope: string;\n\n // optional\n response_mode?: \"query\" | \"fragment\";\n nonce?: string;\n display?: string;\n prompt?: string;\n max_age?: number;\n ui_locales?: string;\n id_token_hint?: string;\n login_hint?: string;\n acr_values?: string;\n\n // other\n resource?: string | string[];\n request?: string;\n request_uri?: string;\n request_type?: string;\n extraQueryParams?: Record<string, string | number | boolean>;\n\n // special\n extraTokenParams?: Record<string, unknown>;\n client_secret?: string;\n skipUserInfo?: boolean;\n disablePKCE?: boolean;\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state_data?: unknown;\n url_state?: string;\n}\n\n/**\n * @public\n */\nexport class SigninRequest {\n private static readonly _logger = new Logger(\"SigninRequest\");\n\n public readonly url: string;\n public readonly state: SigninState;\n\n private constructor(args: {\n url: string;\n state: SigninState;\n }) {\n this.url = args.url;\n this.state = args.state;\n }\n\n public static async create({\n // mandatory\n url, authority, client_id, redirect_uri, response_type, scope,\n // optional\n state_data, response_mode, request_type, client_secret, nonce, url_state,\n resource,\n skipUserInfo,\n extraQueryParams,\n extraTokenParams,\n disablePKCE,\n ...optionalParams\n }: SigninRequestCreateArgs): Promise<SigninRequest> {\n if (!url) {\n this._logger.error(\"create: No url passed\");\n throw new Error(\"url\");\n }\n if (!client_id) {\n this._logger.error(\"create: No client_id passed\");\n throw new Error(\"client_id\");\n }\n if (!redirect_uri) {\n this._logger.error(\"create: No redirect_uri passed\");\n throw new Error(\"redirect_uri\");\n }\n if (!response_type) {\n this._logger.error(\"create: No response_type passed\");\n throw new Error(\"response_type\");\n }\n if (!scope) {\n this._logger.error(\"create: No scope passed\");\n throw new Error(\"scope\");\n }\n if (!authority) {\n this._logger.error(\"create: No authority passed\");\n throw new Error(\"authority\");\n }\n\n const state = await SigninState.create({\n data: state_data,\n request_type,\n url_state,\n code_verifier: !disablePKCE,\n client_id, authority, redirect_uri,\n response_mode,\n client_secret, scope, extraTokenParams,\n skipUserInfo,\n });\n\n const parsedUrl = new URL(url);\n parsedUrl.searchParams.append(\"client_id\", client_id);\n parsedUrl.searchParams.append(\"redirect_uri\", redirect_uri);\n parsedUrl.searchParams.append(\"response_type\", response_type);\n parsedUrl.searchParams.append(\"scope\", scope);\n if (nonce) {\n parsedUrl.searchParams.append(\"nonce\", nonce);\n }\n\n let stateParam = state.id;\n if (url_state) {\n stateParam = `${stateParam}${URL_STATE_DELIMITER}${url_state}`;\n }\n parsedUrl.searchParams.append(\"state\", stateParam);\n if (state.code_challenge) {\n parsedUrl.searchParams.append(\"code_challenge\", state.code_challenge);\n parsedUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (resource) {\n // https://datatracker.ietf.org/doc/html/rfc8707\n const resources = Array.isArray(resource) ? resource : [resource];\n resources\n .forEach(r => parsedUrl.searchParams.append(\"resource\", r));\n }\n\n for (const [key, value] of Object.entries({ response_mode, ...optionalParams, ...extraQueryParams })) {\n if (value != null) {\n parsedUrl.searchParams.append(key, value.toString());\n }\n }\n\n return new SigninRequest({\n url: parsedUrl.href,\n state,\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Timer, URL_STATE_DELIMITER } from \"./utils\";\nimport type { UserProfile } from \"./User\";\n\nconst OidcScope = \"openid\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class SigninResponse {\n // props present in the initial callback response regardless of success\n public readonly state: string | null;\n /** @see {@link User.session_state} */\n public session_state: string | null;\n\n // error props\n /** @see {@link ErrorResponse.error} */\n public readonly error: string | null;\n /** @see {@link ErrorResponse.error_description} */\n public readonly error_description: string | null;\n /** @see {@link ErrorResponse.error_uri} */\n public readonly error_uri: string | null;\n\n // success props\n public readonly code: string | null;\n\n // props set after validation\n /** @see {@link User.id_token} */\n public id_token?: string;\n /** @see {@link User.access_token} */\n public access_token = \"\";\n /** @see {@link User.token_type} */\n public token_type = \"\";\n /** @see {@link User.refresh_token} */\n public refresh_token?: string;\n /** @see {@link User.scope} */\n public scope?: string;\n /** @see {@link User.expires_at} */\n public expires_at?: number;\n\n /** custom state data set during the initial signin request */\n public userState: unknown;\n public url_state?: string;\n\n /** @see {@link User.profile} */\n public profile: UserProfile = {} as UserProfile;\n\n public constructor(params: URLSearchParams) {\n this.state = params.get(\"state\");\n this.session_state = params.get(\"session_state\");\n if (this.state) {\n const splitState = decodeURIComponent(this.state).split(URL_STATE_DELIMITER);\n this.state = splitState[0];\n if (splitState.length > 1) {\n this.url_state = splitState.slice(1).join(URL_STATE_DELIMITER);\n }\n }\n\n this.error = params.get(\"error\");\n this.error_description = params.get(\"error_description\");\n this.error_uri = params.get(\"error_uri\");\n\n this.code = params.get(\"code\");\n }\n\n public get expires_in(): number | undefined {\n if (this.expires_at === undefined) {\n return undefined;\n }\n return this.expires_at - Timer.getEpochTime();\n }\n public set expires_in(value: number | undefined) {\n // spec expects a number, but normalize here just in case\n if (typeof value === \"string\") value = Number(value);\n if (value !== undefined && value >= 0) {\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\n }\n }\n\n public get isOpenId(): boolean {\n return this.scope?.split(\" \").includes(OidcScope) || !!this.id_token;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { State } from \"./State\";\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout\n */\nexport interface SignoutRequestArgs {\n // mandatory\n url: string;\n\n // optional\n id_token_hint?: string;\n client_id?: string;\n post_logout_redirect_uri?: string;\n extraQueryParams?: Record<string, string | number | boolean>;\n\n // special\n request_type?: string;\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state_data?: unknown;\n}\n\n/**\n * @public\n */\nexport class SignoutRequest {\n private readonly _logger = new Logger(\"SignoutRequest\");\n\n public readonly url: string;\n public readonly state?: State;\n\n public constructor({\n url,\n state_data, id_token_hint, post_logout_redirect_uri, extraQueryParams, request_type, client_id,\n }: SignoutRequestArgs) {\n if (!url) {\n this._logger.error(\"ctor: No url passed\");\n throw new Error(\"url\");\n }\n\n const parsedUrl = new URL(url);\n if (id_token_hint) {\n parsedUrl.searchParams.append(\"id_token_hint\", id_token_hint);\n }\n if (client_id) {\n parsedUrl.searchParams.append(\"client_id\", client_id);\n }\n\n if (post_logout_redirect_uri) {\n parsedUrl.searchParams.append(\"post_logout_redirect_uri\", post_logout_redirect_uri);\n\n if (state_data) {\n this.state = new State({ data: state_data, request_type });\n\n parsedUrl.searchParams.append(\"state\", this.state.id);\n }\n }\n\n for (const [key, value] of Object.entries({ ...extraQueryParams })) {\n if (value != null) {\n parsedUrl.searchParams.append(key, value.toString());\n }\n }\n\n this.url = parsedUrl.href;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\n/**\n * @public\n * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthError\n */\nexport class SignoutResponse {\n public readonly state: string | null;\n\n // error props\n /** @see {@link ErrorResponse.error} */\n public error: string | null;\n /** @see {@link ErrorResponse.error_description} */\n public error_description: string | null;\n /** @see {@link ErrorResponse.error_uri} */\n public error_uri: string | null;\n\n /** custom state data set during the initial signin request */\n public userState: unknown;\n\n public constructor(params: URLSearchParams) {\n this.state = params.get(\"state\");\n\n this.error = params.get(\"error\");\n this.error_description = params.get(\"error_description\");\n this.error_uri = params.get(\"error_uri\");\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport type { JwtClaims } from \"./Claims\";\nimport type { OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { UserProfile } from \"./User\";\nimport { Logger } from \"./utils\";\n\n/**\n * Protocol claims that could be removed by default from profile.\n * Derived from the following sets of claims:\n * - {@link https://datatracker.ietf.org/doc/html/rfc7519.html#section-4.1}\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#IDToken}\n * - {@link https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken}\n *\n * @internal\n */\nconst DefaultProtocolClaims = [\n \"nbf\",\n \"jti\",\n \"auth_time\",\n \"nonce\",\n \"acr\",\n \"amr\",\n \"azp\",\n \"at_hash\", // https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken\n] as const;\n\n/**\n * Protocol claims that should never be removed from profile.\n * \"sub\" is needed internally and others should remain required as per the OIDC specs.\n *\n * @internal\n */\nconst InternalRequiredProtocolClaims = [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\"];\n\n/**\n * @internal\n */\nexport class ClaimsService {\n protected readonly _logger = new Logger(\"ClaimsService\");\n public constructor(\n protected readonly _settings: OidcClientSettingsStore,\n ) {}\n\n public filterProtocolClaims(claims: UserProfile): UserProfile {\n const result = { ...claims };\n\n if (this._settings.filterProtocolClaims) {\n let protocolClaims;\n if (Array.isArray(this._settings.filterProtocolClaims)) {\n protocolClaims = this._settings.filterProtocolClaims;\n } else {\n protocolClaims = DefaultProtocolClaims;\n }\n\n for (const claim of protocolClaims) {\n if (!InternalRequiredProtocolClaims.includes(claim)) {\n delete result[claim];\n }\n }\n }\n\n return result;\n }\n\n public mergeClaims(claims1: JwtClaims, claims2: JwtClaims): UserProfile;\n public mergeClaims(claims1: UserProfile, claims2: JwtClaims): UserProfile {\n const result = { ...claims1 };\n for (const [claim, values] of Object.entries(claims2)) {\n if (result[claim] !== values) {\n if (Array.isArray(result[claim]) || Array.isArray(values)) {\n if (this._settings.mergeClaimsStrategy.array == \"replace\") {\n result[claim] = values;\n } else {\n const mergedValues = Array.isArray(result[claim]) ? result[claim] as unknown[] : [result[claim]];\n for (const value of Array.isArray(values) ? values : [values]) {\n if (!mergedValues.includes(value)) {\n mergedValues.push(value);\n }\n }\n result[claim] = mergedValues;\n }\n } else if (typeof result[claim] === \"object\" && typeof values === \"object\") {\n result[claim] = this.mergeClaims(result[claim] as JwtClaims, values as JwtClaims);\n } else {\n result[claim] = values;\n }\n }\n }\n\n return result;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, UrlUtils } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport { type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport { ResponseValidator } from \"./ResponseValidator\";\nimport { MetadataService } from \"./MetadataService\";\nimport type { RefreshState } from \"./RefreshState\";\nimport { SigninRequest, type SigninRequestCreateArgs } from \"./SigninRequest\";\nimport { SigninResponse } from \"./SigninResponse\";\nimport { SignoutRequest, type SignoutRequestArgs } from \"./SignoutRequest\";\nimport { SignoutResponse } from \"./SignoutResponse\";\nimport { SigninState } from \"./SigninState\";\nimport { State } from \"./State\";\nimport { TokenClient } from \"./TokenClient\";\nimport { ClaimsService } from \"./ClaimsService\";\n\n/**\n * @public\n */\nexport interface CreateSigninRequestArgs\n extends Omit<SigninRequestCreateArgs, \"url\" | \"authority\" | \"client_id\" | \"redirect_uri\" | \"response_type\" | \"scope\" | \"state_data\"> {\n redirect_uri?: string;\n response_type?: string;\n scope?: string;\n\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state?: unknown;\n}\n\n/**\n * @public\n */\nexport interface UseRefreshTokenArgs {\n redirect_uri?: string;\n resource?: string | string[];\n extraTokenParams?: Record<string, unknown>;\n timeoutInSeconds?: number;\n\n state: RefreshState;\n}\n\n/**\n * @public\n */\nexport type CreateSignoutRequestArgs = Omit<SignoutRequestArgs, \"url\" | \"state_data\"> & {\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n state?: unknown;\n};\n\n/**\n * @public\n */\nexport type ProcessResourceOwnerPasswordCredentialsArgs = {\n username: string;\n password: string;\n skipUserInfo?: boolean;\n extraTokenParams?: Record<string, unknown>;\n};\n\n/**\n * Provides the raw OIDC/OAuth2 protocol support for the authorization endpoint and the end session endpoint in the\n * authorization server. It provides a bare-bones protocol implementation and is used by the UserManager class.\n * Only use this class if you simply want protocol support without the additional management features of the\n * UserManager class.\n *\n * @public\n */\nexport class OidcClient {\n public readonly settings: OidcClientSettingsStore;\n protected readonly _logger = new Logger(\"OidcClient\");\n\n public readonly metadataService: MetadataService;\n protected readonly _claimsService: ClaimsService;\n protected readonly _validator: ResponseValidator;\n protected readonly _tokenClient: TokenClient;\n\n public constructor(settings: OidcClientSettings);\n public constructor(settings: OidcClientSettingsStore, metadataService: MetadataService);\n public constructor(settings: OidcClientSettings | OidcClientSettingsStore, metadataService?: MetadataService) {\n this.settings = settings instanceof OidcClientSettingsStore ? settings : new OidcClientSettingsStore(settings);\n\n this.metadataService = metadataService ?? new MetadataService(this.settings);\n this._claimsService = new ClaimsService(this.settings);\n this._validator = new ResponseValidator(this.settings, this.metadataService, this._claimsService);\n this._tokenClient = new TokenClient(this.settings, this.metadataService);\n }\n\n public async createSigninRequest({\n state,\n request,\n request_uri,\n request_type,\n id_token_hint,\n login_hint,\n skipUserInfo,\n nonce,\n url_state,\n response_type = this.settings.response_type,\n scope = this.settings.scope,\n redirect_uri = this.settings.redirect_uri,\n prompt = this.settings.prompt,\n display = this.settings.display,\n max_age = this.settings.max_age,\n ui_locales = this.settings.ui_locales,\n acr_values = this.settings.acr_values,\n resource = this.settings.resource,\n response_mode = this.settings.response_mode,\n extraQueryParams = this.settings.extraQueryParams,\n extraTokenParams = this.settings.extraTokenParams,\n }: CreateSigninRequestArgs): Promise<SigninRequest> {\n const logger = this._logger.create(\"createSigninRequest\");\n\n if (response_type !== \"code\") {\n throw new Error(\"Only the Authorization Code flow (with PKCE) is supported\");\n }\n\n const url = await this.metadataService.getAuthorizationEndpoint();\n logger.debug(\"Received authorization endpoint\", url);\n\n const signinRequest = await SigninRequest.create({\n url,\n authority: this.settings.authority,\n client_id: this.settings.client_id,\n redirect_uri,\n response_type,\n scope,\n state_data: state,\n url_state,\n prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values,\n resource, request, request_uri, extraQueryParams, extraTokenParams, request_type, response_mode,\n client_secret: this.settings.client_secret,\n skipUserInfo,\n nonce,\n disablePKCE: this.settings.disablePKCE,\n });\n\n // house cleaning\n await this.clearStaleState();\n\n const signinState = signinRequest.state;\n await this.settings.stateStore.set(signinState.id, signinState.toStorageString());\n return signinRequest;\n }\n\n public async readSigninResponseState(url: string, removeState = false): Promise<{ state: SigninState; response: SigninResponse }> {\n const logger = this._logger.create(\"readSigninResponseState\");\n\n const response = new SigninResponse(UrlUtils.readParams(url, this.settings.response_mode));\n if (!response.state) {\n logger.throw(new Error(\"No state in response\"));\n // need to throw within this function's body for type narrowing to work\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const storedStateString = await this.settings.stateStore[removeState ? \"remove\" : \"get\"](response.state);\n if (!storedStateString) {\n logger.throw(new Error(\"No matching state found in storage\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const state = await SigninState.fromStorageString(storedStateString);\n return { state, response };\n }\n\n public async processSigninResponse(url: string): Promise<SigninResponse> {\n const logger = this._logger.create(\"processSigninResponse\");\n\n const { state, response } = await this.readSigninResponseState(url, true);\n logger.debug(\"received state from storage; validating response\");\n await this._validator.validateSigninResponse(response, state);\n return response;\n }\n\n public async processResourceOwnerPasswordCredentials({\n username,\n password,\n skipUserInfo = false,\n extraTokenParams = {},\n }: ProcessResourceOwnerPasswordCredentialsArgs): Promise<SigninResponse> {\n const tokenResponse: Record<string, unknown> = await this._tokenClient.exchangeCredentials({ username, password, ...extraTokenParams });\n const signinResponse: SigninResponse = new SigninResponse(new URLSearchParams());\n Object.assign(signinResponse, tokenResponse);\n await this._validator.validateCredentialsResponse(signinResponse, skipUserInfo);\n return signinResponse;\n }\n\n public async useRefreshToken({\n state,\n redirect_uri,\n resource,\n timeoutInSeconds,\n extraTokenParams,\n }: UseRefreshTokenArgs): Promise<SigninResponse> {\n const logger = this._logger.create(\"useRefreshToken\");\n\n // https://github.com/authts/oidc-client-ts/issues/695\n // In some cases (e.g. AzureAD), not all granted scopes are allowed on token refresh requests.\n // Therefore, we filter all granted scopes by a list of allowable scopes.\n let scope;\n if (this.settings.refreshTokenAllowedScope === undefined) {\n scope = state.scope;\n } else {\n const allowableScopes = this.settings.refreshTokenAllowedScope.split(\" \");\n const providedScopes = state.scope?.split(\" \") || [];\n\n scope = providedScopes.filter(s => allowableScopes.includes(s)).join(\" \");\n }\n\n const result = await this._tokenClient.exchangeRefreshToken({\n refresh_token: state.refresh_token,\n // provide the (possible filtered) scope list\n scope,\n redirect_uri,\n resource,\n timeoutInSeconds,\n ...extraTokenParams,\n });\n const response = new SigninResponse(new URLSearchParams());\n Object.assign(response, result);\n logger.debug(\"validating response\", response);\n await this._validator.validateRefreshResponse(response, {\n ...state,\n // override the scope in the state handed over to the validator\n // so it can set the granted scope to the requested scope in case none is included in the response\n scope,\n });\n return response;\n }\n\n public async createSignoutRequest({\n state,\n id_token_hint,\n client_id,\n request_type,\n post_logout_redirect_uri = this.settings.post_logout_redirect_uri,\n extraQueryParams = this.settings.extraQueryParams,\n }: CreateSignoutRequestArgs = {}): Promise<SignoutRequest> {\n const logger = this._logger.create(\"createSignoutRequest\");\n\n const url = await this.metadataService.getEndSessionEndpoint();\n if (!url) {\n logger.throw(new Error(\"No end session endpoint\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n logger.debug(\"Received end session endpoint\", url);\n\n // specify the client identifier when post_logout_redirect_uri is used but id_token_hint is not\n if (!client_id && post_logout_redirect_uri && !id_token_hint) {\n client_id = this.settings.client_id;\n }\n\n const request = new SignoutRequest({\n url,\n id_token_hint,\n client_id,\n post_logout_redirect_uri,\n state_data: state,\n extraQueryParams,\n request_type,\n });\n\n // house cleaning\n await this.clearStaleState();\n\n const signoutState = request.state;\n if (signoutState) {\n logger.debug(\"Signout request has state to persist\");\n await this.settings.stateStore.set(signoutState.id, signoutState.toStorageString());\n }\n\n return request;\n }\n\n public async readSignoutResponseState(url: string, removeState = false): Promise<{ state: State | undefined; response: SignoutResponse }> {\n const logger = this._logger.create(\"readSignoutResponseState\");\n\n const response = new SignoutResponse(UrlUtils.readParams(url, this.settings.response_mode));\n if (!response.state) {\n logger.debug(\"No state in response\");\n\n if (response.error) {\n logger.warn(\"Response was error:\", response.error);\n throw new ErrorResponse(response);\n }\n\n return { state: undefined, response };\n }\n\n const storedStateString = await this.settings.stateStore[removeState ? \"remove\" : \"get\"](response.state);\n if (!storedStateString) {\n logger.throw(new Error(\"No matching state found in storage\"));\n throw null; // https://github.com/microsoft/TypeScript/issues/46972\n }\n\n const state = await State.fromStorageString(storedStateString);\n return { state, response };\n }\n\n public async processSignoutResponse(url: string): Promise<SignoutResponse> {\n const logger = this._logger.create(\"processSignoutResponse\");\n\n const { state, response } = await this.readSignoutResponseState(url, true);\n if (state) {\n logger.debug(\"Received state from storage; validating response\");\n this._validator.validateSignoutResponse(response, state);\n } else {\n logger.debug(\"No state from storage; skipping response validation\");\n }\n\n return response;\n }\n\n public clearStaleState(): Promise<void> {\n this._logger.create(\"clearStaleState\");\n return State.clearStaleState(this.settings.stateStore, this.settings.staleStateAgeInSeconds);\n }\n\n public async revokeToken(token: string, type?: \"access_token\" | \"refresh_token\"): Promise<void> {\n this._logger.create(\"revokeToken\");\n return await this._tokenClient.revoke({\n token,\n token_type_hint: type,\n });\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { CheckSessionIFrame } from \"./CheckSessionIFrame\";\nimport type { UserManager } from \"./UserManager\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport class SessionMonitor {\n private readonly _logger = new Logger(\"SessionMonitor\");\n\n private _sub: string | undefined;\n private _checkSessionIFrame?: CheckSessionIFrame;\n\n public constructor(private readonly _userManager: UserManager) {\n if (!_userManager) {\n this._logger.throw(new Error(\"No user manager passed\"));\n }\n\n this._userManager.events.addUserLoaded(this._start);\n this._userManager.events.addUserUnloaded(this._stop);\n\n this._init().catch((err: unknown) => {\n // catch to suppress errors since we're in a ctor\n this._logger.error(err);\n });\n }\n\n protected async _init(): Promise<void> {\n this._logger.create(\"_init\");\n const user = await this._userManager.getUser();\n // doing this manually here since calling getUser\n // doesn't trigger load event.\n if (user) {\n void this._start(user);\n }\n else if (this._userManager.settings.monitorAnonymousSession) {\n const session = await this._userManager.querySessionStatus();\n if (session) {\n const tmpUser = {\n session_state: session.session_state,\n profile: session.sub ? {\n sub: session.sub,\n } : null,\n };\n void this._start(tmpUser);\n }\n }\n }\n\n protected _start = async (\n user: User | {\n session_state: string;\n profile: { sub: string } | null;\n },\n ): Promise<void> => {\n const session_state = user.session_state;\n if (!session_state) {\n return;\n }\n const logger = this._logger.create(\"_start\");\n\n if (user.profile) {\n this._sub = user.profile.sub;\n logger.debug(\"session_state\", session_state, \", sub\", this._sub);\n }\n else {\n this._sub = undefined;\n logger.debug(\"session_state\", session_state, \", anonymous user\");\n }\n\n if (this._checkSessionIFrame) {\n this._checkSessionIFrame.start(session_state);\n return;\n }\n\n try {\n const url = await this._userManager.metadataService.getCheckSessionIframe();\n if (url) {\n logger.debug(\"initializing check session iframe\");\n\n const client_id = this._userManager.settings.client_id;\n const intervalInSeconds = this._userManager.settings.checkSessionIntervalInSeconds;\n const stopOnError = this._userManager.settings.stopCheckSessionOnError;\n\n const checkSessionIFrame = new CheckSessionIFrame(this._callback, client_id, url, intervalInSeconds, stopOnError);\n await checkSessionIFrame.load();\n this._checkSessionIFrame = checkSessionIFrame;\n checkSessionIFrame.start(session_state);\n }\n else {\n logger.warn(\"no check session iframe found in the metadata\");\n }\n }\n catch (err) {\n // catch to suppress errors since we're in non-promise callback\n logger.error(\"Error from getCheckSessionIframe:\", err instanceof Error ? err.message : err);\n }\n };\n\n protected _stop = (): void => {\n const logger = this._logger.create(\"_stop\");\n this._sub = undefined;\n\n if (this._checkSessionIFrame) {\n this._checkSessionIFrame.stop();\n }\n\n if (this._userManager.settings.monitorAnonymousSession) {\n // using a timer to delay re-initialization to avoid race conditions during signout\n // TODO rewrite to use promise correctly\n // eslint-disable-next-line @typescript-eslint/no-misused-promises\n const timerHandle = setInterval(async () => {\n clearInterval(timerHandle);\n\n try {\n const session = await this._userManager.querySessionStatus();\n if (session) {\n const tmpUser = {\n session_state: session.session_state,\n profile: session.sub ? {\n sub: session.sub,\n } : null,\n };\n void this._start(tmpUser);\n }\n }\n catch (err) {\n // catch to suppress errors since we're in a callback\n logger.error(\"error from querySessionStatus\", err instanceof Error ? err.message : err);\n }\n }, 1000);\n }\n };\n\n protected _callback = async (): Promise<void> => {\n const logger = this._logger.create(\"_callback\");\n try {\n const session = await this._userManager.querySessionStatus();\n let raiseEvent = true;\n\n if (session && this._checkSessionIFrame) {\n if (session.sub === this._sub) {\n raiseEvent = false;\n this._checkSessionIFrame.start(session.session_state);\n\n logger.debug(\"same sub still logged in at OP, session state has changed, restarting check session iframe; session_state\", session.session_state);\n await this._userManager.events._raiseUserSessionChanged();\n }\n else {\n logger.debug(\"different subject signed into OP\", session.sub);\n }\n }\n else {\n logger.debug(\"subject no longer signed into OP\");\n }\n\n if (raiseEvent) {\n if (this._sub) {\n await this._userManager.events._raiseUserSignedOut();\n }\n else {\n await this._userManager.events._raiseUserSignedIn();\n }\n } else {\n logger.debug(\"no change in session detected, no event to raise\");\n }\n }\n catch (err) {\n if (this._sub) {\n logger.debug(\"Error calling queryCurrentSigninSession; raising signed out event\", err);\n await this._userManager.events._raiseUserSignedOut();\n }\n }\n };\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport type { IdTokenClaims } from \"./Claims\";\n\n/**\n * Holds claims represented by a combination of the `id_token` and the user info endpoint.\n *\n * @public\n */\nexport type UserProfile = IdTokenClaims;\n\n/**\n * @public\n */\nexport class User {\n /**\n * A JSON Web Token (JWT). Only provided if `openid` scope was requested.\n * The application can access the data decoded by using the `profile` property.\n */\n public id_token?: string;\n\n /** The session state value returned from the OIDC provider. */\n public session_state: string | null;\n\n /**\n * The requested access token returned from the OIDC provider. The application can use this token to\n * authenticate itself to the secured resource.\n */\n public access_token: string;\n\n /**\n * An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the\n * current access token expires. Refresh tokens are long-lived and can be used to maintain access to resources\n * for extended periods of time.\n */\n public refresh_token?: string;\n\n /** Typically \"Bearer\" */\n public token_type: string;\n\n /** The scopes that the requested access token is valid for. */\n public scope?: string;\n\n /** The claims represented by a combination of the `id_token` and the user info endpoint. */\n public profile: UserProfile;\n\n /** The expires at returned from the OIDC provider. */\n public expires_at?: number;\n\n /** custom state data set during the initial signin request */\n public readonly state: unknown;\n public readonly url_state?: string;\n\n public constructor(args: {\n id_token?: string;\n session_state?: string | null;\n access_token: string;\n refresh_token?: string;\n token_type: string;\n scope?: string;\n profile: UserProfile;\n expires_at?: number;\n userState?: unknown;\n url_state?: string;\n }) {\n this.id_token = args.id_token;\n this.session_state = args.session_state ?? null;\n this.access_token = args.access_token;\n this.refresh_token = args.refresh_token;\n\n this.token_type = args.token_type;\n this.scope = args.scope;\n this.profile = args.profile;\n this.expires_at = args.expires_at;\n this.state = args.userState;\n this.url_state = args.url_state;\n }\n\n /** Computed number of seconds the access token has remaining. */\n public get expires_in(): number | undefined {\n if (this.expires_at === undefined) {\n return undefined;\n }\n return this.expires_at - Timer.getEpochTime();\n }\n\n public set expires_in(value: number | undefined) {\n if (value !== undefined) {\n this.expires_at = Math.floor(value) + Timer.getEpochTime();\n }\n }\n\n /** Computed value indicating if the access token is expired. */\n public get expired(): boolean | undefined {\n const expires_in = this.expires_in;\n if (expires_in === undefined) {\n return undefined;\n }\n return expires_in <= 0;\n }\n\n /** Array representing the parsed values from the `scope`. */\n public get scopes(): string[] {\n return this.scope?.split(\" \") ?? [];\n }\n\n public toStorageString(): string {\n new Logger(\"User\").create(\"toStorageString\");\n return JSON.stringify({\n id_token: this.id_token,\n session_state: this.session_state,\n access_token: this.access_token,\n refresh_token: this.refresh_token,\n token_type: this.token_type,\n scope: this.scope,\n profile: this.profile,\n expires_at: this.expires_at,\n });\n }\n\n public static fromStorageString(storageString: string): User {\n Logger.createStatic(\"User\", \"fromStorageString\");\n return new User(JSON.parse(storageString));\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Event, Logger, UrlUtils } from \"../utils\";\nimport type { IWindow, NavigateParams, NavigateResponse } from \"./IWindow\";\n\nconst messageSource = \"oidc-client\";\n\ninterface MessageData {\n source: string;\n url: string;\n keepOpen: boolean;\n}\n\n/**\n * Window implementation which resolves via communication from a child window\n * via the `Window.postMessage()` interface.\n *\n * @internal\n */\nexport abstract class AbstractChildWindow implements IWindow {\n protected abstract readonly _logger: Logger;\n protected readonly _abort = new Event<[reason: Error]>(\"Window navigation aborted\");\n protected readonly _disposeHandlers = new Set<() => void>();\n\n protected _window: WindowProxy | null = null;\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n const logger = this._logger.create(\"navigate\");\n if (!this._window) {\n throw new Error(\"Attempted to navigate on a disposed window\");\n }\n\n logger.debug(\"setting URL in window\");\n this._window.location.replace(params.url);\n\n const { url, keepOpen } = await new Promise<MessageData>((resolve, reject) => {\n const listener = (e: MessageEvent) => {\n const data: MessageData | undefined = e.data;\n const origin = params.scriptOrigin ?? window.location.origin;\n if (e.origin !== origin || data?.source !== messageSource) {\n // silently discard events not intended for us\n return;\n }\n try {\n const state = UrlUtils.readParams(data.url, params.response_mode).get(\"state\");\n if (!state) {\n logger.warn(\"no state found in response url\");\n }\n if (e.source !== this._window && state !== params.state) {\n // MessageEvent source is a relatively modern feature, we can't rely on it\n // so we also inspect the payload for a matching state key as an alternative\n return;\n }\n }\n catch (err) {\n this._dispose();\n reject(new Error(\"Invalid response from window\"));\n }\n resolve(data);\n };\n window.addEventListener(\"message\", listener, false);\n this._disposeHandlers.add(() => window.removeEventListener(\"message\", listener, false));\n this._disposeHandlers.add(this._abort.addHandler((reason) => {\n this._dispose();\n reject(reason);\n }));\n });\n logger.debug(\"got response from window\");\n this._dispose();\n\n if (!keepOpen) {\n this.close();\n }\n\n return { url };\n }\n\n public abstract close(): void;\n\n private _dispose(): void {\n this._logger.create(\"_dispose\");\n\n for (const dispose of this._disposeHandlers) {\n dispose();\n }\n this._disposeHandlers.clear();\n }\n\n protected static _notifyParent(parent: Window, url: string, keepOpen = false, targetOrigin = window.location.origin): void {\n parent.postMessage({\n source: messageSource,\n url,\n keepOpen,\n } as MessageData, targetOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { type OidcClientSettings, OidcClientSettingsStore } from \"./OidcClientSettings\";\nimport type { PopupWindowFeatures } from \"./utils/PopupUtils\";\nimport { WebStorageStateStore } from \"./WebStorageStateStore\";\nimport { InMemoryWebStorage } from \"./InMemoryWebStorage\";\n\nexport const DefaultPopupWindowFeatures: PopupWindowFeatures = {\n location: false,\n toolbar: false,\n height: 640,\n closePopupWindowAfterInSeconds: -1,\n};\nexport const DefaultPopupTarget = \"_blank\";\nconst DefaultAccessTokenExpiringNotificationTimeInSeconds = 60;\nconst DefaultCheckSessionIntervalInSeconds = 2;\nexport const DefaultSilentRequestTimeoutInSeconds = 10;\n\n/**\n * The settings used to configure the {@link UserManager}.\n *\n * @public\n */\nexport interface UserManagerSettings extends OidcClientSettings {\n /** The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2 */\n popup_redirect_uri?: string;\n popup_post_logout_redirect_uri?: string;\n /**\n * The features parameter to window.open for the popup signin window. By default, the popup is\n * placed centered in front of the window opener.\n * (default: \\{ location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 \\})\n */\n popupWindowFeatures?: PopupWindowFeatures;\n /** The target parameter to window.open for the popup signin window (default: \"_blank\") */\n popupWindowTarget?: string;\n /** The methods window.location method used to redirect (default: \"assign\") */\n redirectMethod?: \"replace\" | \"assign\";\n /** The methods target window being redirected (default: \"self\") */\n redirectTarget?: \"top\" | \"self\";\n\n /** The target to pass while calling postMessage inside iframe for callback (default: window.location.origin) */\n iframeNotifyParentOrigin?: string;\n\n /** The script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin) */\n iframeScriptOrigin?: string;\n\n /** The URL for the page containing the code handling the silent renew */\n silent_redirect_uri?: string;\n /** Number of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10) */\n silentRequestTimeoutInSeconds?: number;\n /** Flag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true) */\n automaticSilentRenew?: boolean;\n /** Flag to validate user.profile.sub in silent renew calls (default: true) */\n validateSubOnSilentRenew?: boolean;\n /** Flag to control if id_token is included as id_token_hint in silent renew calls (default: false) */\n includeIdTokenInSilentRenew?: boolean;\n\n /** Will raise events for when user has performed a signout at the OP (default: false) */\n monitorSession?: boolean;\n monitorAnonymousSession?: boolean;\n /** Interval in seconds to check the user's session (default: 2) */\n checkSessionIntervalInSeconds?: number;\n query_status_response_type?: string;\n stopCheckSessionOnError?: boolean;\n\n /**\n * The `token_type_hint`s to pass to the authority server by default (default: [\"access_token\", \"refresh_token\"])\n *\n * Token types will be revoked in the same order as they are given here.\n */\n revokeTokenTypes?: (\"access_token\" | \"refresh_token\")[];\n /** Will invoke the revocation endpoint on signout if there is an access token for the user (default: false) */\n revokeTokensOnSignout?: boolean;\n /** Flag to control if id_token is included as id_token_hint in silent signout calls (default: false) */\n includeIdTokenInSilentSignout?: boolean;\n\n /** The number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60) */\n accessTokenExpiringNotificationTimeInSeconds?: number;\n\n /**\n * Storage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window).\n * E.g. `userStore: new WebStorageStateStore({ store: window.localStorage })`\n */\n userStore?: WebStorageStateStore;\n}\n\n/**\n * The settings with defaults applied of the {@link UserManager}.\n * @see {@link UserManagerSettings}\n *\n * @public\n */\nexport class UserManagerSettingsStore extends OidcClientSettingsStore {\n public readonly popup_redirect_uri: string;\n public readonly popup_post_logout_redirect_uri: string | undefined;\n public readonly popupWindowFeatures: PopupWindowFeatures;\n public readonly popupWindowTarget: string;\n public readonly redirectMethod: \"replace\" | \"assign\";\n public readonly redirectTarget: \"top\" | \"self\";\n\n public readonly iframeNotifyParentOrigin: string | undefined;\n public readonly iframeScriptOrigin: string | undefined;\n\n public readonly silent_redirect_uri: string;\n public readonly silentRequestTimeoutInSeconds: number;\n public readonly automaticSilentRenew: boolean;\n public readonly validateSubOnSilentRenew: boolean;\n public readonly includeIdTokenInSilentRenew: boolean;\n\n public readonly monitorSession: boolean;\n public readonly monitorAnonymousSession: boolean;\n public readonly checkSessionIntervalInSeconds: number;\n public readonly query_status_response_type: string;\n public readonly stopCheckSessionOnError: boolean;\n\n public readonly revokeTokenTypes: (\"access_token\" | \"refresh_token\")[];\n public readonly revokeTokensOnSignout: boolean;\n public readonly includeIdTokenInSilentSignout: boolean;\n\n public readonly accessTokenExpiringNotificationTimeInSeconds: number;\n\n public readonly userStore: WebStorageStateStore;\n\n public constructor(args: UserManagerSettings) {\n const {\n popup_redirect_uri = args.redirect_uri,\n popup_post_logout_redirect_uri = args.post_logout_redirect_uri,\n popupWindowFeatures = DefaultPopupWindowFeatures,\n popupWindowTarget = DefaultPopupTarget,\n redirectMethod = \"assign\",\n redirectTarget = \"self\",\n\n iframeNotifyParentOrigin = args.iframeNotifyParentOrigin,\n iframeScriptOrigin = args.iframeScriptOrigin,\n\n silent_redirect_uri = args.redirect_uri,\n silentRequestTimeoutInSeconds = DefaultSilentRequestTimeoutInSeconds,\n automaticSilentRenew = true,\n validateSubOnSilentRenew = true,\n includeIdTokenInSilentRenew = false,\n\n monitorSession = false,\n monitorAnonymousSession = false,\n checkSessionIntervalInSeconds = DefaultCheckSessionIntervalInSeconds,\n query_status_response_type = \"code\",\n stopCheckSessionOnError = true,\n\n revokeTokenTypes = [\"access_token\", \"refresh_token\"],\n revokeTokensOnSignout = false,\n includeIdTokenInSilentSignout = false,\n\n accessTokenExpiringNotificationTimeInSeconds = DefaultAccessTokenExpiringNotificationTimeInSeconds,\n\n userStore,\n } = args;\n\n super(args);\n\n this.popup_redirect_uri = popup_redirect_uri;\n this.popup_post_logout_redirect_uri = popup_post_logout_redirect_uri;\n this.popupWindowFeatures = popupWindowFeatures;\n this.popupWindowTarget = popupWindowTarget;\n this.redirectMethod = redirectMethod;\n this.redirectTarget = redirectTarget;\n\n this.iframeNotifyParentOrigin = iframeNotifyParentOrigin;\n this.iframeScriptOrigin = iframeScriptOrigin;\n\n this.silent_redirect_uri = silent_redirect_uri;\n this.silentRequestTimeoutInSeconds = silentRequestTimeoutInSeconds;\n this.automaticSilentRenew = automaticSilentRenew;\n this.validateSubOnSilentRenew = validateSubOnSilentRenew;\n this.includeIdTokenInSilentRenew = includeIdTokenInSilentRenew;\n\n this.monitorSession = monitorSession;\n this.monitorAnonymousSession = monitorAnonymousSession;\n this.checkSessionIntervalInSeconds = checkSessionIntervalInSeconds;\n this.stopCheckSessionOnError = stopCheckSessionOnError;\n this.query_status_response_type = query_status_response_type;\n\n this.revokeTokenTypes = revokeTokenTypes;\n this.revokeTokensOnSignout = revokeTokensOnSignout;\n this.includeIdTokenInSilentSignout = includeIdTokenInSilentSignout;\n\n this.accessTokenExpiringNotificationTimeInSeconds = accessTokenExpiringNotificationTimeInSeconds;\n\n if (userStore) {\n this.userStore = userStore;\n }\n else {\n const store = typeof window !== \"undefined\" ? window.sessionStorage : new InMemoryWebStorage();\n this.userStore = new WebStorageStateStore({ store });\n }\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport { ErrorTimeout } from \"../errors\";\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\nimport { DefaultSilentRequestTimeoutInSeconds } from \"../UserManagerSettings\";\n\n/**\n * @public\n */\nexport interface IFrameWindowParams {\n silentRequestTimeoutInSeconds?: number;\n}\n\n/**\n * @internal\n */\nexport class IFrameWindow extends AbstractChildWindow {\n protected readonly _logger = new Logger(\"IFrameWindow\");\n private _frame: HTMLIFrameElement | null;\n private _timeoutInSeconds: number;\n\n public constructor({\n silentRequestTimeoutInSeconds = DefaultSilentRequestTimeoutInSeconds,\n }: IFrameWindowParams) {\n super();\n this._timeoutInSeconds = silentRequestTimeoutInSeconds;\n\n this._frame = IFrameWindow.createHiddenIframe();\n this._window = this._frame.contentWindow;\n }\n\n private static createHiddenIframe(): HTMLIFrameElement {\n const iframe = window.document.createElement(\"iframe\");\n\n // shotgun approach\n iframe.style.visibility = \"hidden\";\n iframe.style.position = \"fixed\";\n iframe.style.left = \"-1000px\";\n iframe.style.top = \"0\";\n iframe.width = \"0\";\n iframe.height = \"0\";\n\n window.document.body.appendChild(iframe);\n return iframe;\n }\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n this._logger.debug(\"navigate: Using timeout of:\", this._timeoutInSeconds);\n const timer = setTimeout(() => void this._abort.raise(new ErrorTimeout(\"IFrame timed out without a response\")), this._timeoutInSeconds * 1000);\n this._disposeHandlers.add(() => clearTimeout(timer));\n\n return await super.navigate(params);\n }\n\n public close(): void {\n if (this._frame) {\n if (this._frame.parentNode) {\n this._frame.addEventListener(\"load\", (ev) => {\n const frame = ev.target as HTMLIFrameElement;\n frame.parentNode?.removeChild(frame);\n void this._abort.raise(new Error(\"IFrame removed from DOM\"));\n }, true);\n this._frame.contentWindow?.location.replace(\"about:blank\");\n }\n this._frame = null;\n }\n this._window = null;\n }\n\n public static notifyParent(url: string, targetOrigin?: string): void {\n return super._notifyParent(window.parent, url, false, targetOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\nimport { IFrameWindow, type IFrameWindowParams } from \"./IFrameWindow\";\nimport type { INavigator } from \"./INavigator\";\n\n/**\n * @internal\n */\nexport class IFrameNavigator implements INavigator {\n private readonly _logger = new Logger(\"IFrameNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) {}\n\n public async prepare({\n silentRequestTimeoutInSeconds = this._settings.silentRequestTimeoutInSeconds,\n }: IFrameWindowParams): Promise<IFrameWindow> {\n return new IFrameWindow({ silentRequestTimeoutInSeconds });\n }\n\n public async callback(url: string): Promise<void> {\n this._logger.create(\"callback\");\n IFrameWindow.notifyParent(url, this._settings.iframeNotifyParentOrigin);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, PopupUtils, type PopupWindowFeatures } from \"../utils\";\nimport { DefaultPopupWindowFeatures, DefaultPopupTarget } from \"../UserManagerSettings\";\nimport { AbstractChildWindow } from \"./AbstractChildWindow\";\nimport type { NavigateParams, NavigateResponse } from \"./IWindow\";\n\nconst checkForPopupClosedInterval = 500;\nconst second = 1000;\n\n/**\n * @public\n */\nexport interface PopupWindowParams {\n popupWindowFeatures?: PopupWindowFeatures;\n popupWindowTarget?: string;\n}\n\n/**\n * @internal\n */\nexport class PopupWindow extends AbstractChildWindow {\n protected readonly _logger = new Logger(\"PopupWindow\");\n\n protected _window: WindowProxy | null;\n\n public constructor({\n popupWindowTarget = DefaultPopupTarget,\n popupWindowFeatures = {},\n }: PopupWindowParams) {\n super();\n const centeredPopup = PopupUtils.center({ ...DefaultPopupWindowFeatures, ...popupWindowFeatures });\n this._window = window.open(undefined, popupWindowTarget, PopupUtils.serialize(centeredPopup));\n if (popupWindowFeatures.closePopupWindowAfterInSeconds && popupWindowFeatures.closePopupWindowAfterInSeconds > 0) {\n setTimeout(() => {\n if (!this._window || typeof this._window.closed !== \"boolean\" || this._window.closed) {\n void this._abort.raise(new Error(\"Popup blocked by user\"));\n return;\n }\n\n this.close();\n }, popupWindowFeatures.closePopupWindowAfterInSeconds * second);\n }\n }\n\n public async navigate(params: NavigateParams): Promise<NavigateResponse> {\n this._window?.focus();\n\n const popupClosedInterval = setInterval(() => {\n if (!this._window || this._window.closed) {\n void this._abort.raise(new Error(\"Popup closed by user\"));\n }\n }, checkForPopupClosedInterval);\n this._disposeHandlers.add(() => clearInterval(popupClosedInterval));\n\n return await super.navigate(params);\n }\n\n public close(): void {\n if (this._window) {\n if (!this._window.closed) {\n this._window.close();\n void this._abort.raise(new Error(\"Popup closed\"));\n }\n }\n this._window = null;\n }\n\n public static notifyOpener(url: string, keepOpen: boolean): void {\n if (!window.opener) {\n throw new Error(\"No window.opener. Can't complete notification.\");\n }\n return super._notifyParent(window.opener, url, keepOpen);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport { PopupWindow, type PopupWindowParams } from \"./PopupWindow\";\nimport type { INavigator } from \"./INavigator\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\n\n/**\n * @internal\n */\nexport class PopupNavigator implements INavigator {\n private readonly _logger = new Logger(\"PopupNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) {}\n\n public async prepare({\n popupWindowFeatures = this._settings.popupWindowFeatures,\n popupWindowTarget = this._settings.popupWindowTarget,\n }: PopupWindowParams): Promise<PopupWindow> {\n return new PopupWindow({ popupWindowFeatures, popupWindowTarget });\n }\n\n public async callback(url: string, { keepOpen = false }): Promise<void> {\n this._logger.create(\"callback\");\n\n PopupWindow.notifyOpener(url, keepOpen);\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"../utils\";\nimport type { UserManagerSettingsStore } from \"../UserManagerSettings\";\nimport type { INavigator } from \"./INavigator\";\nimport type { IWindow } from \"./IWindow\";\n\n/**\n * @public\n */\nexport interface RedirectParams {\n redirectMethod?: \"replace\" | \"assign\";\n redirectTarget?: \"top\" | \"self\";\n}\n\n/**\n * @internal\n */\nexport class RedirectNavigator implements INavigator {\n private readonly _logger = new Logger(\"RedirectNavigator\");\n\n constructor(private _settings: UserManagerSettingsStore) {}\n\n public async prepare({\n redirectMethod = this._settings.redirectMethod,\n redirectTarget = this._settings.redirectTarget,\n }: RedirectParams): Promise<IWindow> {\n this._logger.create(\"prepare\");\n let targetWindow = window.self as Window;\n\n if (redirectTarget === \"top\") {\n targetWindow = window.top ?? window.self;\n }\n \n const redirect = targetWindow.location[redirectMethod].bind(targetWindow.location) as (url: string) => never;\n let abort: (reason: Error) => void;\n return {\n navigate: async (params): Promise<never> => {\n this._logger.create(\"navigate\");\n // We use a promise that never resolves to block the caller\n const promise = new Promise((resolve, reject) => {\n abort = reject;\n });\n redirect(params.url);\n return await (promise as Promise<never>);\n },\n close: () => {\n this._logger.create(\"close\");\n abort?.(new Error(\"Redirect aborted\"));\n targetWindow.stop();\n },\n };\n }\n\n public async callback(): Promise<void> {\n return;\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Event } from \"./utils\";\nimport { AccessTokenEvents } from \"./AccessTokenEvents\";\nimport type { UserManagerSettingsStore } from \"./UserManagerSettings\";\nimport type { User } from \"./User\";\n\n/**\n * @public\n */\nexport type UserLoadedCallback = (user: User) => Promise<void> | void;\n/**\n * @public\n */\nexport type UserUnloadedCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type SilentRenewErrorCallback = (error: Error) => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSignedInCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSignedOutCallback = () => Promise<void> | void;\n/**\n * @public\n */\nexport type UserSessionChangedCallback = () => Promise<void> | void;\n\n/**\n * @public\n */\nexport class UserManagerEvents extends AccessTokenEvents {\n protected readonly _logger = new Logger(\"UserManagerEvents\");\n\n private readonly _userLoaded = new Event<[User]>(\"User loaded\");\n private readonly _userUnloaded = new Event<[]>(\"User unloaded\");\n private readonly _silentRenewError = new Event<[Error]>(\"Silent renew error\");\n private readonly _userSignedIn = new Event<[]>(\"User signed in\");\n private readonly _userSignedOut = new Event<[]>(\"User signed out\");\n private readonly _userSessionChanged = new Event<[]>(\"User session changed\");\n\n public constructor(settings: UserManagerSettingsStore) {\n super({ expiringNotificationTimeInSeconds: settings.accessTokenExpiringNotificationTimeInSeconds });\n }\n\n public async load(user: User, raiseEvent=true): Promise<void> {\n super.load(user);\n if (raiseEvent) {\n await this._userLoaded.raise(user);\n }\n }\n public async unload(): Promise<void> {\n super.unload();\n await this._userUnloaded.raise();\n }\n\n /**\n * Add callback: Raised when a user session has been established (or re-established).\n */\n public addUserLoaded(cb: UserLoadedCallback): () => void {\n return this._userLoaded.addHandler(cb);\n }\n /**\n * Remove callback: Raised when a user session has been established (or re-established).\n */\n public removeUserLoaded(cb: UserLoadedCallback): void {\n return this._userLoaded.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised when a user session has been terminated.\n */\n public addUserUnloaded(cb: UserUnloadedCallback): () => void {\n return this._userUnloaded.addHandler(cb);\n }\n /**\n * Remove callback: Raised when a user session has been terminated.\n */\n public removeUserUnloaded(cb: UserUnloadedCallback): void {\n return this._userUnloaded.removeHandler(cb);\n }\n\n /**\n * Add callback: Raised when the automatic silent renew has failed.\n */\n public addSilentRenewError(cb: SilentRenewErrorCallback): () => void {\n return this._silentRenewError.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the automatic silent renew has failed.\n */\n public removeSilentRenewError(cb: SilentRenewErrorCallback): void {\n return this._silentRenewError.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseSilentRenewError(e: Error): Promise<void> {\n await this._silentRenewError.raise(e);\n }\n\n /**\n * Add callback: Raised when the user is signed in (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSignedIn(cb: UserSignedInCallback): () => void {\n return this._userSignedIn.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user is signed in (when `monitorSession` is set).\n */\n public removeUserSignedIn(cb: UserSignedInCallback): void {\n this._userSignedIn.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSignedIn(): Promise<void> {\n await this._userSignedIn.raise();\n }\n\n /**\n * Add callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSignedOut(cb: UserSignedOutCallback): () => void {\n return this._userSignedOut.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).\n */\n public removeUserSignedOut(cb: UserSignedOutCallback): void {\n this._userSignedOut.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSignedOut(): Promise<void> {\n await this._userSignedOut.raise();\n }\n\n /**\n * Add callback: Raised when the user session changed (when `monitorSession` is set).\n * @see {@link UserManagerSettings.monitorSession}\n */\n public addUserSessionChanged(cb: UserSessionChangedCallback): () => void {\n return this._userSessionChanged.addHandler(cb);\n }\n /**\n * Remove callback: Raised when the user session changed (when `monitorSession` is set).\n */\n public removeUserSessionChanged(cb: UserSessionChangedCallback): void {\n this._userSessionChanged.removeHandler(cb);\n }\n /**\n * @internal\n */\n public async _raiseUserSessionChanged(): Promise<void> {\n await this._userSessionChanged.raise();\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger, Timer } from \"./utils\";\nimport { ErrorTimeout } from \"./errors\";\nimport type { UserManager } from \"./UserManager\";\nimport type { AccessTokenCallback } from \"./AccessTokenEvents\";\n\n/**\n * @internal\n */\nexport class SilentRenewService {\n protected _logger = new Logger(\"SilentRenewService\");\n private _isStarted = false;\n private readonly _retryTimer = new Timer(\"Retry Silent Renew\");\n\n public constructor(private _userManager: UserManager) {}\n\n public async start(): Promise<void> {\n const logger = this._logger.create(\"start\");\n if (!this._isStarted) {\n this._isStarted = true;\n this._userManager.events.addAccessTokenExpiring(this._tokenExpiring);\n this._retryTimer.addHandler(this._tokenExpiring);\n\n // this will trigger loading of the user so the expiring events can be initialized\n try {\n await this._userManager.getUser();\n // deliberate nop\n }\n catch (err) {\n // catch to suppress errors since we're in a ctor\n logger.error(\"getUser error\", err);\n }\n }\n }\n\n public stop(): void {\n if (this._isStarted) {\n this._retryTimer.cancel();\n this._retryTimer.removeHandler(this._tokenExpiring);\n this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring);\n this._isStarted = false;\n }\n }\n\n protected _tokenExpiring: AccessTokenCallback = async () => {\n const logger = this._logger.create(\"_tokenExpiring\");\n try {\n await this._userManager.signinSilent();\n logger.debug(\"silent token renewal successful\");\n }\n catch (err) {\n if (err instanceof ErrorTimeout) {\n // no response from authority server, e.g. IFrame timeout, ...\n logger.warn(\"ErrorTimeout from signinSilent:\", err, \"retry in 5s\");\n this._retryTimer.init(5);\n return;\n }\n\n logger.error(\"Error from signinSilent:\", err);\n await this._userManager.events._raiseSilentRenewError(err as Error);\n }\n };\n}\n","// Copyright (C) AuthTS Contributors\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport type { UserProfile } from \"./User\";\n\n/**\n * Fake state store implementation necessary for validating refresh token requests.\n *\n * @public\n */\nexport class RefreshState {\n /** custom \"state\", which can be used by a caller to have \"data\" round tripped */\n public readonly data?: unknown;\n\n public readonly refresh_token: string;\n public readonly id_token?: string;\n public readonly session_state: string | null;\n public readonly scope?: string;\n public readonly profile: UserProfile;\n\n constructor(args: {\n refresh_token: string;\n id_token?: string;\n session_state: string | null;\n scope?: string;\n profile: UserProfile;\n\n state?: unknown;\n }) {\n this.refresh_token = args.refresh_token;\n this.id_token = args.id_token;\n this.session_state = args.session_state;\n this.scope = args.scope;\n this.profile = args.profile;\n\n this.data = args.state;\n\n }\n}\n","// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.\n// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.\n\nimport { Logger } from \"./utils\";\nimport { ErrorResponse } from \"./errors\";\nimport { type NavigateResponse, type PopupWindowParams, type IWindow, type IFrameWindowParams, type RedirectParams, RedirectNavigator, PopupNavigator, IFrameNavigator, type INavigator } from \"./navigators\";\nimport { OidcClient, type CreateSigninRequestArgs, type CreateSignoutRequestArgs, type ProcessResourceOwnerPasswordCredentialsArgs, type UseRefreshTokenArgs } from \"./OidcClient\";\nimport { type UserManagerSettings, UserManagerSettingsStore } from \"./UserManagerSettings\";\nimport { User } from \"./User\";\nimport { UserManagerEvents } from \"./UserManagerEvents\";\nimport { SilentRenewService } from \"./SilentRenewService\";\nimport { SessionMonitor } from \"./SessionMonitor\";\nimport type { SessionStatus } from \"./SessionStatus\";\nimport type { SignoutResponse } from \"./SignoutResponse\";\nimport type { MetadataService } from \"./MetadataService\";\nimport { RefreshState } from \"./RefreshState\";\nimport type { SigninResponse } from \"./SigninResponse\";\n\n/**\n * @public\n */\nexport type ExtraSigninRequestArgs = Pick<CreateSigninRequestArgs, \"nonce\" | \"extraQueryParams\" | \"extraTokenParams\" | \"state\" | \"redirect_uri\" | \"prompt\" | \"acr_values\" | \"login_hint\" | \"scope\" | \"max_age\" | \"ui_locales\" | \"resource\" | \"url_state\">;\n/**\n * @public\n */\nexport type ExtraSignoutRequestArgs = Pick<CreateSignoutRequestArgs, \"extraQueryParams\" | \"state\" | \"id_token_hint\" | \"post_logout_redirect_uri\">;\n\n/**\n * @public\n */\nexport type RevokeTokensTypes = UserManagerSettings[\"revokeTokenTypes\"];\n\n/**\n * @public\n */\nexport type SigninRedirectArgs = RedirectParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninPopupArgs = PopupWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninSilentArgs = IFrameWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SigninResourceOwnerCredentialsArgs = ProcessResourceOwnerPasswordCredentialsArgs;\n\n/**\n * @public\n */\nexport type QuerySessionStatusArgs = IFrameWindowParams & ExtraSigninRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutRedirectArgs = RedirectParams & ExtraSignoutRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutPopupArgs = PopupWindowParams & ExtraSignoutRequestArgs;\n\n/**\n * @public\n */\nexport type SignoutSilentArgs = IFrameWindowParams & ExtraSignoutRequestArgs;\n\n/**\n * Provides a higher level API for signing a user in, signing out, managing the user's claims returned from the identity provider,\n * and managing an access token returned from the identity provider (OAuth2/OIDC).\n *\n * @public\n */\nexport class UserManager {\n /** Get the settings used to configure the `UserManager`. */\n public readonly settings: UserManagerSettingsStore;\n protected readonly _logger = new Logger(\"UserManager\");\n\n protected readonly _client: OidcClient;\n protected readonly _redirectNavigator: INavigator;\n protected readonly _popupNavigator: INavigator;\n protected readonly _iframeNavigator: INavigator;\n protected readonly _events: UserManagerEvents;\n protected readonly _silentRenewService: SilentRenewService;\n protected readonly _sessionMonitor: SessionMonitor | null;\n\n public constructor(settings: UserManagerSettings, redirectNavigator?: INavigator, popupNavigator?: INavigator, iframeNavigator?: INavigator) {\n this.settings = new UserManagerSettingsStore(settings);\n\n this._client = new OidcClient(settings);\n\n this._redirectNavigator = redirectNavigator ?? new RedirectNavigator(this.settings);\n this._popupNavigator = popupNavigator ?? new PopupNavigator(this.settings);\n this._iframeNavigator = iframeNavigator ?? new IFrameNavigator(this.settings);\n\n this._events = new UserManagerEvents(this.settings);\n this._silentRenewService = new SilentRenewService(this);\n\n // order is important for the following properties; these services depend upon the events.\n if (this.settings.automaticSilentRenew) {\n this.startSilentRenew();\n }\n\n this._sessionMonitor = null;\n if (this.settings.monitorSession) {\n this._sessionMonitor = new SessionMonitor(this);\n }\n\n }\n\n /**\n * Get object used to register for events raised by the `UserManager`.\n */\n public get events(): UserManagerEvents {\n return this._events;\n }\n\n /**\n * Get object used to access the metadata configuration of the identity provider.\n */\n public get metadataService(): MetadataService {\n return this._client.metadataService;\n }\n\n /**\n * Load the `User` object for the currently authenticated user.\n *\n * @returns A promise\n */\n public async getUser(): Promise<User | null> {\n const logger = this._logger.create(\"getUser\");\n const user = await this._loadUser();\n if (user) {\n logger.info(\"user loaded\");\n await this._events.load(user, false);\n return user;\n }\n\n logger.info(\"user not found in storage\");\n return null;\n }\n\n /**\n * Remove from any storage the currently authenticated user.\n *\n * @returns A promise\n */\n public async removeUser(): Promise<void> {\n const logger = this._logger.create(\"removeUser\");\n await this.storeUser(null);\n logger.info(\"user removed from storage\");\n await this._events.unload();\n }\n\n /**\n * Trigger a redirect of the current window to the authorization endpoint.\n *\n * @returns A promise\n *\n * @throws `Error` In cases of wrong authentication.\n */\n public async signinRedirect(args: SigninRedirectArgs = {}): Promise<void> {\n this._logger.create(\"signinRedirect\");\n const {\n redirectMethod,\n ...requestArgs\n } = args;\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\n await this._signinStart({\n request_type: \"si:r\",\n ...requestArgs,\n }, handle);\n }\n\n /**\n * Process the response (callback) from the authorization endpoint.\n * It is recommend to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise containing the authenticated `User`.\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinRedirectCallback(url = window.location.href): Promise<User> {\n const logger = this._logger.create(\"signinRedirectCallback\");\n const user = await this._signinEnd(url);\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n }\n else {\n logger.info(\"no subject\");\n }\n\n return user;\n }\n\n /**\n * Trigger the signin with user/password.\n *\n * @returns A promise containing the authenticated `User`.\n * @throws {@link ErrorResponse} In cases of wrong authentication.\n */\n public async signinResourceOwnerCredentials({\n username,\n password,\n skipUserInfo = false,\n }: SigninResourceOwnerCredentialsArgs): Promise<User> {\n const logger = this._logger.create(\"signinResourceOwnerCredential\");\n\n const signinResponse = await this._client.processResourceOwnerPasswordCredentials({ username, password, skipUserInfo, extraTokenParams: this.settings.extraTokenParams });\n logger.debug(\"got signin response\");\n\n const user = await this._buildUser(signinResponse);\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n } else {\n logger.info(\"no subject\");\n }\n return user;\n }\n\n /**\n * Trigger a request (via a popup window) to the authorization endpoint.\n *\n * @returns A promise containing the authenticated `User`.\n * @throws `Error` In cases of wrong authentication.\n */\n public async signinPopup(args: SigninPopupArgs = {}): Promise<User> {\n const logger = this._logger.create(\"signinPopup\");\n const {\n popupWindowFeatures,\n popupWindowTarget,\n ...requestArgs\n } = args;\n const url = this.settings.popup_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No popup_redirect_uri configured\"));\n }\n\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget });\n const user = await this._signin({\n request_type: \"si:p\",\n redirect_uri: url,\n display: \"popup\",\n ...requestArgs,\n }, handle);\n if (user) {\n if (user.profile && user.profile.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n }\n else {\n logger.info(\"no subject\");\n }\n }\n\n return user;\n }\n /**\n * Notify the opening window of response (callback) from the authorization endpoint.\n * It is recommend to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinPopupCallback(url = window.location.href, keepOpen = false): Promise<void> {\n const logger = this._logger.create(\"signinPopupCallback\");\n await this._popupNavigator.callback(url, { keepOpen });\n logger.info(\"success\");\n }\n\n /**\n * Trigger a silent request (via refresh token or an iframe) to the authorization endpoint.\n *\n * @returns A promise that contains the authenticated `User`.\n */\n public async signinSilent(args: SigninSilentArgs = {}): Promise<User | null> {\n const logger = this._logger.create(\"signinSilent\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n // first determine if we have a refresh token, or need to use iframe\n let user = await this._loadUser();\n if (user?.refresh_token) {\n logger.debug(\"using refresh token\");\n const state = new RefreshState(user as Required<User>);\n return await this._useRefreshToken({\n state,\n redirect_uri: requestArgs.redirect_uri,\n resource: requestArgs.resource,\n extraTokenParams: requestArgs.extraTokenParams,\n timeoutInSeconds: silentRequestTimeoutInSeconds,\n });\n }\n\n const url = this.settings.silent_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\n }\n\n let verifySub: string | undefined;\n if (user && this.settings.validateSubOnSilentRenew) {\n logger.debug(\"subject prior to silent renew:\", user.profile.sub);\n verifySub = user.profile.sub;\n }\n\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n user = await this._signin({\n request_type: \"si:s\",\n redirect_uri: url,\n prompt: \"none\",\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? user?.id_token : undefined,\n ...requestArgs,\n }, handle, verifySub);\n if (user) {\n if (user.profile?.sub) {\n logger.info(\"success, signed in subject\", user.profile.sub);\n }\n else {\n logger.info(\"no subject\");\n }\n }\n\n return user;\n }\n\n protected async _useRefreshToken(args: UseRefreshTokenArgs): Promise<User> {\n const response = await this._client.useRefreshToken({\n ...args,\n timeoutInSeconds: this.settings.silentRequestTimeoutInSeconds,\n });\n const user = new User({ ...args.state, ...response });\n\n await this.storeUser(user);\n await this._events.load(user);\n return user;\n }\n\n /**\n *\n * Notify the parent window of response (callback) from the authorization endpoint.\n * It is recommend to use {@link UserManager.signinCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signinCallback}\n */\n public async signinSilentCallback(url = window.location.href): Promise<void> {\n const logger = this._logger.create(\"signinSilentCallback\");\n await this._iframeNavigator.callback(url);\n logger.info(\"success\");\n }\n\n /**\n * Process any response (callback) from the authorization endpoint, by dispatching the request_type\n * and executing one of the following functions:\n * - {@link UserManager.signinRedirectCallback}\n * - {@link UserManager.signinPopupCallback}\n * - {@link UserManager.signinSilentCallback}\n *\n * @throws `Error` If request_type is unknown or signout can not processed.\n */\n public async signinCallback(url = window.location.href): Promise<User | void> {\n const { state } = await this._client.readSigninResponseState(url);\n switch (state.request_type) {\n case \"si:r\":\n return await this.signinRedirectCallback(url);\n case \"si:p\":\n return await this.signinPopupCallback(url);\n case \"si:s\":\n return await this.signinSilentCallback(url);\n default:\n throw new Error(\"invalid response_type in state\");\n }\n }\n\n /**\n * Process any response (callback) from the end session endpoint, by dispatching the request_type\n * and executing one of the following functions:\n * - {@link UserManager.signoutRedirectCallback}\n * - {@link UserManager.signoutPopupCallback}\n * - {@link UserManager.signoutSilentCallback}\n *\n * @throws `Error` If request_type is unknown or signout can not processed.\n */\n public async signoutCallback(url = window.location.href, keepOpen = false): Promise<void> {\n const { state } = await this._client.readSignoutResponseState(url);\n if (!state) {\n return;\n }\n\n switch (state.request_type) {\n case \"so:r\":\n await this.signoutRedirectCallback(url);\n break;\n case \"so:p\":\n await this.signoutPopupCallback(url, keepOpen);\n break;\n case \"so:s\":\n await this.signoutSilentCallback(url);\n break;\n default:\n throw new Error(\"invalid response_type in state\");\n }\n }\n\n /**\n * Query OP for user's current signin status.\n *\n * @returns A promise object with session_state and subject identifier.\n */\n public async querySessionStatus(args: QuerySessionStatusArgs = {}): Promise<SessionStatus | null> {\n const logger = this._logger.create(\"querySessionStatus\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n const url = this.settings.silent_redirect_uri;\n if (!url) {\n logger.throw(new Error(\"No silent_redirect_uri configured\"));\n }\n\n const user = await this._loadUser();\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n const navResponse = await this._signinStart({\n request_type: \"si:s\", // this acts like a signin silent\n redirect_uri: url,\n prompt: \"none\",\n id_token_hint: this.settings.includeIdTokenInSilentRenew ? user?.id_token : undefined,\n response_type: this.settings.query_status_response_type,\n scope: \"openid\",\n skipUserInfo: true,\n ...requestArgs,\n }, handle);\n try {\n const signinResponse = await this._client.processSigninResponse(navResponse.url);\n logger.debug(\"got signin response\");\n\n if (signinResponse.session_state && signinResponse.profile.sub) {\n logger.info(\"success for subject\", signinResponse.profile.sub);\n return {\n session_state: signinResponse.session_state,\n sub: signinResponse.profile.sub,\n };\n }\n\n logger.info(\"success, user not authenticated\");\n return null;\n }\n catch (err) {\n if (this.settings.monitorAnonymousSession && err instanceof ErrorResponse) {\n switch (err.error) {\n case \"login_required\":\n case \"consent_required\":\n case \"interaction_required\":\n case \"account_selection_required\":\n logger.info(\"success for anonymous user\");\n return {\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n session_state: err.session_state!,\n };\n }\n }\n throw err;\n }\n }\n\n protected async _signin(args: CreateSigninRequestArgs, handle: IWindow, verifySub?: string): Promise<User> {\n const navResponse = await this._signinStart(args, handle);\n return await this._signinEnd(navResponse.url, verifySub);\n }\n protected async _signinStart(args: CreateSigninRequestArgs, handle: IWindow): Promise<NavigateResponse> {\n const logger = this._logger.create(\"_signinStart\");\n\n try {\n const signinRequest = await this._client.createSigninRequest(args);\n logger.debug(\"got signin request\");\n\n return await handle.navigate({\n url: signinRequest.url,\n state: signinRequest.state.id,\n response_mode: signinRequest.state.response_mode,\n scriptOrigin: this.settings.iframeScriptOrigin,\n });\n }\n catch (err) {\n logger.debug(\"error after preparing navigator, closing navigator window\");\n handle.close();\n throw err;\n }\n }\n protected async _signinEnd(url: string, verifySub?: string): Promise<User> {\n const logger = this._logger.create(\"_signinEnd\");\n const signinResponse = await this._client.processSigninResponse(url);\n logger.debug(\"got signin response\");\n\n const user = await this._buildUser(signinResponse, verifySub);\n return user;\n }\n\n protected async _buildUser(signinResponse: SigninResponse, verifySub?: string) {\n const logger = this._logger.create(\"_buildUser\");\n const user = new User(signinResponse);\n if (verifySub) {\n if (verifySub !== user.profile.sub) {\n logger.debug(\"current user does not match user returned from signin. sub from signin:\", user.profile.sub);\n throw new ErrorResponse({ ...signinResponse, error: \"login_required\" });\n }\n logger.debug(\"current user matches user returned from signin\");\n }\n\n await this.storeUser(user);\n logger.debug(\"user stored\");\n await this._events.load(user);\n\n return user;\n }\n\n /**\n * Trigger a redirect of the current window to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutRedirect(args: SignoutRedirectArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutRedirect\");\n const {\n redirectMethod,\n ...requestArgs\n } = args;\n const handle = await this._redirectNavigator.prepare({ redirectMethod });\n await this._signoutStart({\n request_type: \"so:r\",\n post_logout_redirect_uri: this.settings.post_logout_redirect_uri,\n ...requestArgs,\n }, handle);\n logger.info(\"success\");\n }\n\n /**\n * Process response (callback) from the end session endpoint.\n * It is recommend to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise containing signout response\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutRedirectCallback(url = window.location.href): Promise<SignoutResponse> {\n const logger = this._logger.create(\"signoutRedirectCallback\");\n const response = await this._signoutEnd(url);\n logger.info(\"success\");\n return response;\n }\n\n /**\n * Trigger a redirect of a popup window window to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutPopup(args: SignoutPopupArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutPopup\");\n const {\n popupWindowFeatures,\n popupWindowTarget,\n ...requestArgs\n } = args;\n const url = this.settings.popup_post_logout_redirect_uri;\n\n const handle = await this._popupNavigator.prepare({ popupWindowFeatures, popupWindowTarget });\n await this._signout({\n request_type: \"so:p\",\n post_logout_redirect_uri: url,\n // we're putting a dummy entry in here because we\n // need a unique id from the state for notification\n // to the parent window, which is necessary if we\n // plan to return back to the client after signout\n // and so we can close the popup after signout\n state: url == null ? undefined : {},\n ...requestArgs,\n }, handle);\n logger.info(\"success\");\n }\n\n /**\n * Process response (callback) from the end session endpoint from a popup window.\n * It is recommend to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutPopupCallback(url = window.location.href, keepOpen = false): Promise<void> {\n const logger = this._logger.create(\"signoutPopupCallback\");\n await this._popupNavigator.callback(url, { keepOpen });\n logger.info(\"success\");\n }\n\n protected async _signout(args: CreateSignoutRequestArgs, handle: IWindow): Promise<SignoutResponse> {\n const navResponse = await this._signoutStart(args, handle);\n return await this._signoutEnd(navResponse.url);\n }\n protected async _signoutStart(args: CreateSignoutRequestArgs = {}, handle: IWindow): Promise<NavigateResponse> {\n const logger = this._logger.create(\"_signoutStart\");\n\n try {\n const user = await this._loadUser();\n logger.debug(\"loaded current user from storage\");\n\n if (this.settings.revokeTokensOnSignout) {\n await this._revokeInternal(user);\n }\n\n const id_token = args.id_token_hint || user && user.id_token;\n if (id_token) {\n logger.debug(\"setting id_token_hint in signout request\");\n args.id_token_hint = id_token;\n }\n\n await this.removeUser();\n logger.debug(\"user removed, creating signout request\");\n\n const signoutRequest = await this._client.createSignoutRequest(args);\n logger.debug(\"got signout request\");\n\n return await handle.navigate({\n url: signoutRequest.url,\n state: signoutRequest.state?.id,\n scriptOrigin: this.settings.iframeScriptOrigin,\n });\n }\n catch (err) {\n logger.debug(\"error after preparing navigator, closing navigator window\");\n handle.close();\n throw err;\n }\n }\n protected async _signoutEnd(url: string): Promise<SignoutResponse> {\n const logger = this._logger.create(\"_signoutEnd\");\n const signoutResponse = await this._client.processSignoutResponse(url);\n logger.debug(\"got signout response\");\n\n return signoutResponse;\n }\n\n /**\n * Trigger a silent request (via an iframe) to the end session endpoint.\n *\n * @returns A promise\n */\n public async signoutSilent(args: SignoutSilentArgs = {}): Promise<void> {\n const logger = this._logger.create(\"signoutSilent\");\n const {\n silentRequestTimeoutInSeconds,\n ...requestArgs\n } = args;\n\n const id_token_hint = this.settings.includeIdTokenInSilentSignout\n ? (await this._loadUser())?.id_token\n : undefined;\n\n const url = this.settings.popup_post_logout_redirect_uri;\n const handle = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds });\n await this._signout({\n request_type: \"so:s\",\n post_logout_redirect_uri: url,\n id_token_hint: id_token_hint,\n ...requestArgs,\n }, handle);\n\n logger.info(\"success\");\n }\n\n /**\n * Notify the parent window of response (callback) from the end session endpoint.\n * It is recommend to use {@link UserManager.signoutCallback} instead.\n *\n * @returns A promise\n *\n * @see {@link UserManager.signoutCallback}\n */\n public async signoutSilentCallback(url = window.location.href): Promise<void> {\n const logger = this._logger.create(\"signoutSilentCallback\");\n await this._iframeNavigator.callback(url);\n logger.info(\"success\");\n }\n\n public async revokeTokens(types?: RevokeTokensTypes): Promise<void> {\n const user = await this._loadUser();\n await this._revokeInternal(user, types);\n }\n\n protected async _revokeInternal(user: User | null, types = this.settings.revokeTokenTypes): Promise<void> {\n const logger = this._logger.create(\"_revokeInternal\");\n if (!user) return;\n\n const typesPresent = types.filter(type => typeof user[type] === \"string\");\n\n if (!typesPresent.length) {\n logger.debug(\"no need to revoke due to no token(s)\");\n return;\n }\n\n // don't Promise.all, order matters\n for (const type of typesPresent) {\n await this._client.revokeToken(\n user[type]!, // eslint-disable-line @typescript-eslint/no-non-null-assertion\n type,\n );\n logger.info(`${type} revoked successfully`);\n if (type !== \"access_token\") {\n user[type] = null as never;\n }\n }\n\n await this.storeUser(user);\n logger.debug(\"user stored\");\n await this._events.load(user);\n }\n\n /**\n * Enables silent renew for the `UserManager`.\n */\n public startSilentRenew(): void {\n this._logger.create(\"startSilentRenew\");\n void this._silentRenewService.start();\n }\n\n /**\n * Disables silent renew for the `UserManager`.\n */\n public stopSilentRenew(): void {\n this._silentRenewService.stop();\n }\n\n protected get _userStoreKey(): string {\n return `user:${this.settings.authority}:${this.settings.client_id}`;\n }\n\n protected async _loadUser(): Promise<User | null> {\n const logger = this._logger.create(\"_loadUser\");\n const storageString = await this.settings.userStore.get(this._userStoreKey);\n if (storageString) {\n logger.debug(\"user storageString loaded\");\n return User.fromStorageString(storageString);\n }\n\n logger.debug(\"no user storageString\");\n return null;\n }\n\n public async storeUser(user: User | null): Promise<void> {\n const logger = this._logger.create(\"storeUser\");\n if (user) {\n logger.debug(\"storing user\");\n const storageString = user.toStorageString();\n await this.settings.userStore.set(this._userStoreKey, storageString);\n }\n else {\n this._logger.debug(\"removing user\");\n await this.settings.userStore.remove(this._userStoreKey);\n }\n }\n\n /**\n * Removes stale state entries in storage for incomplete authorize requests.\n */\n public async clearStaleState(): Promise<void> {\n await this._client.clearStaleState();\n }\n}\n","// @ts-expect-error avoid enabling resolveJsonModule to keep build process simple\nimport { version } from \"../package.json\";\n\n/**\n * @public\n */\nexport const Version: string = version;\n","{\n \"name\": \"oidc-client-ts\",\n \"version\": \"3.0.1\",\n \"description\": \"OpenID Connect (OIDC) & OAuth2 client library\",\n \"repository\": {\n \"type\": \"git\",\n \"url\": \"git+https://github.com/authts/oidc-client-ts.git\"\n },\n \"homepage\": \"https://github.com/authts/oidc-client-ts#readme\",\n \"license\": \"Apache-2.0\",\n \"main\": \"dist/umd/oidc-client-ts.js\",\n \"types\": \"dist/types/oidc-client-ts.d.ts\",\n \"exports\": {\n \".\": {\n \"types\": \"./dist/types/oidc-client-ts.d.ts\",\n \"import\": \"./dist/esm/oidc-client-ts.js\",\n \"require\": \"./dist/umd/oidc-client-ts.js\"\n },\n \"./package.json\": \"./package.json\"\n },\n \"files\": [\n \"dist\"\n ],\n \"keywords\": [\n \"authentication\",\n \"oauth2\",\n \"oidc\",\n \"openid\",\n \"OpenID Connect\"\n ],\n \"scripts\": {\n \"build\": \"node scripts/build.js && npm run build-types\",\n \"build-types\": \"tsc -p tsconfig.build.json && api-extractor run\",\n \"clean\": \"git clean -fdX dist lib *.tsbuildinfo\",\n \"prepack\": \"npm run build\",\n \"test\": \"tsc && jest\",\n \"typedoc\": \"typedoc\",\n \"lint\": \"eslint --max-warnings=0 --cache .\",\n \"prepare\": \"husky install\"\n },\n \"dependencies\": {\n \"jwt-decode\": \"^4.0.0\"\n },\n \"devDependencies\": {\n \"@microsoft/api-extractor\": \"^7.35.0\",\n \"@testing-library/jest-dom\": \"^6.0.0\",\n \"@types/jest\": \"^29.2.3\",\n \"@types/node\": \"^20.8.2\",\n \"@typescript-eslint/eslint-plugin\": \"^6.4.1\",\n \"@typescript-eslint/parser\": \"^6.4.1\",\n \"esbuild\": \"^0.20.0\",\n \"eslint\": \"^8.5.0\",\n \"eslint-plugin-testing-library\": \"^6.0.0\",\n \"http-proxy-middleware\": \"^2.0.1\",\n \"husky\": \"^9.0.6\",\n \"jest\": \"^29.3.1\",\n \"jest-environment-jsdom\": \"^29.3.1\",\n \"jest-mock\": \"^29.3.1\",\n \"lint-staged\": \"^15.0.1\",\n \"ts-jest\": \"^29.0.3\",\n \"typedoc\": \"^0.25.0\",\n \"typescript\": \"~5.3.3\",\n \"yn\": \"^5.0.0\"\n },\n \"engines\": {\n \"node\": \">=18\"\n },\n \"lint-staged\": {\n \"*.{js,jsx,ts,tsx}\": \"eslint --cache --fix\"\n }\n}\n"],"names":["InvalidTokenError","Error","base64UrlDecode","str","output","replace","length","decodeURIComponent","atob","m","p","code","charCodeAt","toString","toUpperCase","b64DecodeUnicode","err","prototype","name","level","logger","Log2","nopLogger","debug","info","warn","error","Log","reset","setLevel","value","setLogger","Logger","_Logger","constructor","_name","_len","arguments","args","Array","_key","_format","this","_method","_len2","_key2","_len3","_key3","_len4","_key4","throw","create","method","methodLogger","Object","createStatic","staticMethod","staticLogger","concat","prefix","_len5","_key5","_len6","_key6","_len7","_key7","_len8","_key8","toBase64","val","btoa","Uint8Array","map","chr","String","fromCharCode","join","CryptoUtils","_CryptoUtils","_randomWord","arr","Uint32Array","crypto","getRandomValues","generateUUIDv4","c","generateCodeVerifier","generateCodeChallenge","code_verifier","subtle","data","TextEncoder","encode","hashed","digest","generateBasicAuth","client_id","client_secret","Event","_logger","_callbacks","addHandler","cb","push","removeHandler","idx","lastIndexOf","splice","raise","_len9","ev","_key9","JwtUtils","decode","token","options","pos","header","part","split","decoded","e","message","JSON","parse","jwtDecode","PopupUtils","center","_ref","features","_a","width","find","window","outerWidth","left","Math","max","round","screenX","height","top","screenY","outerHeight","serialize","entries","filter","_ref2","_ref3","key","Timer","_Timer","_timerHandle","_expiration","_callback","diff","getEpochTime","cancel","super","floor","Date","now","init","durationInSeconds","logger2","expiration","timerDurationInSeconds","min","setInterval","clearInterval","UrlUtils","readParams","url","responseMode","undefined","TypeError","params","URL","URLSearchParams","slice","ErrorResponse","form","_b","_c","error_description","error_uri","state","userState","session_state","url_state","ErrorTimeout","AccessTokenEvents","_expiringTimer","_expiredTimer","_expiringNotificationTimeInSeconds","expiringNotificationTimeInSeconds","load","container","access_token","expires_in","duration","expiring","expired","unload","addAccessTokenExpiring","removeAccessTokenExpiring","addAccessTokenExpired","removeAccessTokenExpired","CheckSessionIFrame","_client_id","_intervalInSeconds","_stopOnError","_timer","_session_state","_message","origin","_frame_origin","source","_frame","contentWindow","stop","parsedUrl","document","createElement","style","visibility","position","src","href","Promise","resolve","onload","body","appendChild","addEventListener","start","send","postMessage","InMemoryWebStorage","_data","clear","getItem","setItem","removeItem","getOwnPropertyNames","index","JsonService","additionalContentTypes","_jwtHandler","_extraHeaders","_contentTypes","fetchWithTimeout","input","timeoutInSeconds","initFetch","fetch","controller","AbortController","timeoutId","setTimeout","abort","signal","DOMException","clearTimeout","getJson","credentials","headers","response","appendExtraHeaders","status","contentType","get","item","startsWith","ok","text","json","statusText","stringify","postForm","_ref4","basicAuth","initCredentials","responseText","customKeys","keys","protectedHeaders","forEach","headerName","includes","toLocaleLowerCase","content","MetadataService","_settings","_signingKeys","_metadata","_metadataUrl","metadataUrl","_jsonService","extraHeaders","signingKeys","metadata","fetchRequestCredentials","_fetchRequestCredentials","resetSigningKeys","getMetadata","assign","metadataSeed","getIssuer","_getMetadataProperty","getAuthorizationEndpoint","getUserInfoEndpoint","getTokenEndpoint","optional","getCheckSessionIframe","getEndSessionEndpoint","getRevocationEndpoint","getKeysEndpoint","getSigningKeys","jwks_uri","keySet","isArray","WebStorageStateStore","store","localStorage","_store","_prefix","set","remove","getAllKeys","len","indexOf","substr","DefaultResponseType","DefaultScope","DefaultClientAuthentication","DefaultStaleStateAgeInSeconds","OidcClientSettingsStore","_ref5","authority","response_type","scope","redirect_uri","post_logout_redirect_uri","client_authentication","prompt","display","max_age","ui_locales","acr_values","resource","response_mode","filterProtocolClaims","loadUserInfo","staleStateAgeInSeconds","mergeClaimsStrategy","array","disablePKCE","stateStore","revokeTokenAdditionalContentTypes","refreshTokenAllowedScope","extraQueryParams","extraTokenParams","endsWith","UserInfoService","_metadataService","_getClaimsFromJwt","async","payload","getClaims","claims","TokenClient","exchangeCode","_ref6","grant_type","append","exchangeCredentials","_ref7","exchangeRefreshToken","_ref8","refresh_token","param","revoke","token_type_hint","ResponseValidator","_claimsService","_userInfoService","_tokenClient","validateSigninResponse","_processSigninState","_processCode","isOpenId","_validateIdTokenAttributes","_processClaims","skipUserInfo","validateCredentialsResponse","id_token","validateRefreshResponse","profile","hasIdToken","validateSignoutResponse","id","validateSub","sub","mergeClaims","tokenResponse","existingToken","incoming","existing","auth_time","azp","State","_State","created","request_type","toStorageString","fromStorageString","storageString","clearStaleState","storage","age","cutoff","i","SigninState","_SigninState","code_challenge","_SigninRequest","_ref9","state_data","nonce","optionalParams","searchParams","stateParam","r","SigninRequest","SigninResponse","token_type","splitState","expires_at","Number","SignoutRequest","_ref10","id_token_hint","SignoutResponse","DefaultProtocolClaims","InternalRequiredProtocolClaims","ClaimsService","result","protocolClaims","claim","claims1","claims2","values","mergedValues","OidcClient","settings","metadataService","_validator","createSigninRequest","_ref11","request","request_uri","login_hint","signinRequest","signinState","readSigninResponseState","removeState","storedStateString","processSigninResponse","processResourceOwnerPasswordCredentials","_ref12","username","password","signinResponse","useRefreshToken","_ref13","allowableScopes","s","createSignoutRequest","signoutState","readSignoutResponseState","processSignoutResponse","revokeToken","type","SessionMonitor","_userManager","_start","user","_sub","_checkSessionIFrame","intervalInSeconds","checkSessionIntervalInSeconds","stopOnError","stopCheckSessionOnError","checkSessionIFrame","_stop","monitorAnonymousSession","timerHandle","session","querySessionStatus","tmpUser","raiseEvent","events","_raiseUserSessionChanged","_raiseUserSignedOut","_raiseUserSignedIn","addUserLoaded","addUserUnloaded","_init","catch","getUser","User","_User","scopes","messageSource","AbstractChildWindow","_abort","_disposeHandlers","Set","_window","navigate","location","keepOpen","reject","listener","scriptOrigin","_dispose","add","removeEventListener","reason","close","dispose","_notifyParent","parent","targetOrigin","DefaultPopupWindowFeatures","toolbar","closePopupWindowAfterInSeconds","DefaultPopupTarget","DefaultAccessTokenExpiringNotificationTimeInSeconds","DefaultCheckSessionIntervalInSeconds","DefaultSilentRequestTimeoutInSeconds","UserManagerSettingsStore","popup_redirect_uri","popup_post_logout_redirect_uri","popupWindowFeatures","popupWindowTarget","redirectMethod","redirectTarget","iframeNotifyParentOrigin","iframeScriptOrigin","silent_redirect_uri","silentRequestTimeoutInSeconds","automaticSilentRenew","validateSubOnSilentRenew","includeIdTokenInSilentRenew","monitorSession","query_status_response_type","revokeTokenTypes","revokeTokensOnSignout","includeIdTokenInSilentSignout","accessTokenExpiringNotificationTimeInSeconds","userStore","sessionStorage","IFrameWindow","_IFrameWindow","_ref14","_timeoutInSeconds","createHiddenIframe","iframe","timer","parentNode","_a2","frame","target","removeChild","notifyParent","IFrameNavigator","prepare","_ref15","callback","PopupWindow","_ref16","centeredPopup","open","closed","focus","popupClosedInterval","notifyOpener","opener","PopupNavigator","_ref17","_ref18","RedirectNavigator","_ref19","targetWindow","self","redirect","bind","promise","UserManagerEvents","_userLoaded","_userUnloaded","_silentRenewError","_userSignedIn","_userSignedOut","_userSessionChanged","removeUserLoaded","removeUserUnloaded","addSilentRenewError","removeSilentRenewError","_raiseSilentRenewError","addUserSignedIn","removeUserSignedIn","addUserSignedOut","removeUserSignedOut","addUserSessionChanged","removeUserSessionChanged","SilentRenewService","_isStarted","_retryTimer","_tokenExpiring","signinSilent","RefreshState","UserManager","redirectNavigator","popupNavigator","iframeNavigator","_client","_redirectNavigator","_popupNavigator","_iframeNavigator","_events","_silentRenewService","startSilentRenew","_sessionMonitor","_loadUser","removeUser","storeUser","signinRedirect","requestArgs","handle","_signinStart","signinRedirectCallback","_signinEnd","signinResourceOwnerCredentials","_ref20","_buildUser","signinPopup","_signin","signinPopupCallback","_useRefreshToken","verifySub","signinSilentCallback","signinCallback","signoutCallback","signoutRedirectCallback","signoutPopupCallback","signoutSilentCallback","navResponse","signoutRedirect","_signoutStart","_signoutEnd","signoutPopup","_signout","_revokeInternal","signoutRequest","signoutResponse","signoutSilent","revokeTokens","types","typesPresent","stopSilentRenew","_userStoreKey","Version"],"sourceRoot":""}