better-auth

Version:

The most comprehensive authentication framework for TypeScript.

1 lines • 15.8 kB

Source Map (JSON)

{"version":3,"file":"authorize.mjs","names":["query"],"sources":["../../../src/plugins/oidc-provider/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-call\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport { getClient } from \"./index\";\nimport type { AuthorizationQuery, OIDCOptions } from \"./types\";\nimport { parsePrompt } from \"./utils/prompt\";\n\nfunction formatErrorURL(url: string, error: string, description: string) {\n\treturn `${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorize(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tconst handleRedirect = (url: string) => {\n\t\tconst fromFetch = ctx.request?.headers.get(\"sec-fetch-mode\") === \"cors\";\n\t\tif (fromFetch) {\n\t\t\treturn ctx.json({\n\t\t\t\tredirect: true,\n\t\t\t\turl,\n\t\t\t});\n\t\t} else {\n\t\t\tthrow ctx.redirect(url);\n\t\t}\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t// Handle prompt=none per OIDC spec - must return error instead of redirecting\n\t\tconst query = ctx.query as AuthorizationQuery;\n\t\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\t\tif (promptSet.has(\"none\") && query.redirect_uri) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"login_required\",\n\t\t\t\t\t\"Authentication required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\treturn handleRedirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (!query.response_type) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_request\",\n\t\t\t\"response_type is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst client = await getClient(\n\t\tctx.query.client_id,\n\t\toptions.trustedClients || [],\n\t);\n\tif (!client) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tconst errorURL = getErrorURL(ctx, \"client_disabled\", \"client is disabled\");\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"unsupported_response_type\",\n\t\t\t\"unsupported response type\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) ||\n\t\topts.defaultScope?.split(\" \") ||\n\t\t[];\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(query.redirect_uri, \"invalid_request\", \"pkce is required\"),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn! * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\n\t// Determine if consent is required\n\t// Consent is ALWAYS required unless:\n\t// 1. The client is trusted (skipConsent = true)\n\t// 2. The user has already consented and prompt is not \"consent\"\n\tconst skipConsentForTrustedClient = client.skipConsent;\n\tconst hasAlreadyConsented = await ctx.context.adapter\n\t\t.findOne<{\n\t\t\tconsentGiven: boolean;\n\t\t\tscopes: string;\n\t\t}>({\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client.clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session.user.id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res?.consentGiven) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tconst consentedScopes = res.scopes ? res.scopes.split(\" \") : [];\n\t\t\tconst hasConsented = requestScope.every((scope) =>\n\t\t\t\tconsentedScopes.includes(scope),\n\t\t\t);\n\t\t\treturn hasConsented;\n\t\t});\n\n\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\n\t// Handle prompt=none per OIDC spec 3.1.2.1\n\t// The Authorization Server MUST NOT display any authentication or consent UI\n\tif (promptSet.has(\"none\")) {\n\t\t// If consent is required, return consent_required error\n\t\tif (!skipConsentForTrustedClient && !hasAlreadyConsented) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"consent_required\",\n\t\t\t\t\t\"Consent required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t\t// If we reach here, user is authenticated and consent is satisfied\n\t\t// Continue without any UI interaction\n\t}\n\n\t// Handle max_age parameter per OIDC spec 3.1.2.1\n\t// max_age=0 is equivalent to prompt=login\n\tlet requireLogin = promptSet.has(\"login\");\n\tif (query.max_age !== undefined) {\n\t\tconst maxAge = Number(query.max_age);\n\t\tif (Number.isInteger(maxAge) && maxAge >= 0) {\n\t\t\tconst sessionAge =\n\t\t\t\t(Date.now() - new Date(session.session.createdAt).getTime()) / 1000;\n\t\t\tif (sessionAge > maxAge) {\n\t\t\t\t// Session is older than max_age, force re-authentication\n\t\t\t\trequireLogin = true;\n\t\t\t}\n\t\t}\n\t\t// If max_age is invalid (not a non-negative integer), ignore it per OIDC spec\n\t}\n\n\tconst requireConsent =\n\t\t!skipConsentForTrustedClient &&\n\t\t(!hasAlreadyConsented || promptSet.has(\"consent\"));\n\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * Consent is required per OIDC spec unless:\n\t\t\t\t * 1. Client is trusted (skipConsent = true)\n\t\t\t\t * 2. User has already consented (and prompt is not \"consent\")\n\t\t\t\t *\n\t\t\t\t * When consent is required, the code needs to be treated as a\n\t\t\t\t * consent request. Once the user consents, the code will be\n\t\t\t\t * updated with the actual authorization code.\n\t\t\t\t */\n\t\t\t\trequireConsent,\n\t\t\t\tstate: requireConsent ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (requireLogin) {\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\tconst loginURI = `${options.loginPage}?${new URLSearchParams({\n\t\t\tclient_id: client.clientId,\n\t\t\tcode,\n\t\t\tstate: query.state,\n\t\t}).toString()}`;\n\t\treturn handleRedirect(loginURI);\n\t}\n\n\t// If consent is not required, redirect with the code immediately\n\tif (!requireConsent) {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\treturn handleRedirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is required - redirect to consent page or show consent HTML\n\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-based consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\treturn handleRedirect(consentURI);\n\t}\n\tconst htmlFn = options?.getConsentHTML;\n\n\tif (!htmlFn) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"No consent page provided\",\n\t\t});\n\t}\n\n\treturn new Response(\n\t\thtmlFn({\n\t\t\tscopes: requestScope,\n\t\t\tclientMetadata: client.metadata,\n\t\t\tclientIcon: client?.icon,\n\t\t\tclientId: client.clientId,\n\t\t\tclientName: client.name,\n\t\t\tcode,\n\t\t}),\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"text/html\",\n\t\t\t},\n\t\t},\n\t);\n}\n"],"mappings":";;;;;;;;;AAQA,SAAS,eAAe,KAAa,OAAe,aAAqB;AACxE,QAAO,GACN,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,UACrB,KACA,SACC;CACD,MAAM,kBAAkB,QAAgB;AAEvC,MADkB,IAAI,SAAS,QAAQ,IAAI,iBAAiB,KAAK,OAEhE,QAAO,IAAI,KAAK;GACf,UAAU;GACV;GACA,CAAC;MAEF,OAAM,IAAI,SAAS,IAAI;;CAIzB,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;EAEb,MAAMA,UAAQ,IAAI;AAElB,MADkB,YAAYA,QAAM,UAAU,GAAG,CACnC,IAAI,OAAO,IAAIA,QAAM,aAClC,QAAO,eACN,eACCA,QAAM,cACN,kBACA,6CACA,CACD;;;;;AAOF,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,SAAO,eAAe,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG9D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,WAAW;EACrB,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,CAAC,MAAM,eAAe;EACzB,MAAM,WAAW,YAChB,KACA,mBACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,SAAS,MAAM,UACpB,IAAI,MAAM,WACV,QAAQ,kBAAkB,EAAE,CAC5B;AACD,KAAI,CAAC,QAAQ;EACZ,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAE7B,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,UAAU;EACpB,MAAM,WAAW,YAAY,KAAK,mBAAmB,qBAAqB;AAC1E,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,MAAM,kBAAkB,QAAQ;EACnC,MAAM,WAAW,YAChB,KACA,6BACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IACxC,KAAK,cAAc,MAAM,IAAI,IAC7B,EAAE;CACH,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,QAAO,eACN,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,QAAO,eACN,eAAe,MAAM,cAAc,mBAAmB,mBAAmB,CACzE;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,QAAO,eACN,eACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAiB;CAC9C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;CAMxD,MAAM,8BAA8B,OAAO;CAC3C,MAAM,sBAAsB,MAAM,IAAI,QAAQ,QAC5C,QAGE;EACF,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,OAAO;GACd,EACD;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,KAAK,aACT,QAAO;EAER,MAAM,kBAAkB,IAAI,SAAS,IAAI,OAAO,MAAM,IAAI,GAAG,EAAE;AAI/D,SAHqB,aAAa,OAAO,UACxC,gBAAgB,SAAS,MAAM,CAC/B;GAEA;CAEH,MAAM,YAAY,YAAY,MAAM,UAAU,GAAG;AAIjD,KAAI,UAAU,IAAI,OAAO,EAExB;MAAI,CAAC,+BAA+B,CAAC,oBACpC,QAAO,eACN,eACC,MAAM,cACN,oBACA,sCACA,CACD;;CAQH,IAAI,eAAe,UAAU,IAAI,QAAQ;AACzC,KAAI,MAAM,YAAY,QAAW;EAChC,MAAM,SAAS,OAAO,MAAM,QAAQ;AACpC,MAAI,OAAO,UAAU,OAAO,IAAI,UAAU,GAGzC;QADE,KAAK,KAAK,GAAG,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS,IAAI,MAC/C,OAEhB,gBAAe;;;CAMlB,MAAM,iBACL,CAAC,gCACA,CAAC,uBAAuB,UAAU,IAAI,UAAU;AAElD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAUvD;IACA,OAAO,iBAAiB,MAAM,QAAQ;IACtC,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,SAAO,eACN,eACC,MAAM,cACN,gBACA,iDACA,CACD;;AAGF,KAAI,cAAc;AACjB,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;AACD,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;AAOF,SAAO,eALU,GAAG,QAAQ,UAAU,GAAG,IAAI,gBAAgB;GAC5D,WAAW,OAAO;GAClB;GACA,OAAO,MAAM;GACb,CAAC,CAAC,UAAU,GACkB;;AAIhC,KAAI,CAAC,gBAAgB;EACpB,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,sBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAC9D,SAAO,eAAe,oBAAoB,UAAU,CAAC;;AAKtD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;AAG9C,SAAO,eAFY,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU,GAEhC;;CAElC,MAAM,SAAS,SAAS;AAExB,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,4BACT,CAAC;AAGH,QAAO,IAAI,SACV,OAAO;EACN,QAAQ;EACR,gBAAgB,OAAO;EACvB,YAAY,QAAQ;EACpB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA,CAAC,EACF,EACC,SAAS,EACR,gBAAgB,aAChB,EACD,CACD"}