better-auth

Version:

The most comprehensive authentication framework for TypeScript.

1 lines • 17.7 kB

Source Map (JSON)

{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/two-factor/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport { createOTP } from \"@better-auth/utils/otp\";\nimport { APIError } from \"better-call\";\nimport * as z from \"zod\";\nimport { sessionMiddleware } from \"../../api\";\nimport { deleteSessionCookie, setSessionCookie } from \"../../cookies\";\nimport { symmetricEncrypt } from \"../../crypto\";\nimport { generateRandomString } from \"../../crypto/random\";\nimport { mergeSchema } from \"../../db/schema\";\nimport { validatePassword } from \"../../utils/password\";\nimport type { BackupCodeOptions } from \"./backup-codes\";\nimport { backupCode2fa, generateBackupCodes } from \"./backup-codes\";\nimport {\n\tTRUST_DEVICE_COOKIE_MAX_AGE,\n\tTRUST_DEVICE_COOKIE_NAME,\n\tTWO_FACTOR_COOKIE_NAME,\n} from \"./constant\";\nimport { TWO_FACTOR_ERROR_CODES } from \"./error-code\";\nimport { otp2fa } from \"./otp\";\nimport { schema } from \"./schema\";\nimport { totp2fa } from \"./totp\";\nimport type { TwoFactorOptions, UserWithTwoFactor } from \"./types\";\n\nexport * from \"./error-code\";\n\nconst enableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n\tissuer: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"Custom issuer for the TOTP URI\",\n\t\t})\n\t\t.optional(),\n});\n\nconst disableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n});\n\nexport const twoFactor = <O extends TwoFactorOptions>(options?: O) => {\n\tconst opts = {\n\t\ttwoFactorTable: \"twoFactor\",\n\t};\n\tconst backupCodeOptions = {\n\t\tstoreBackupCodes: \"encrypted\",\n\t\t...options?.backupCodeOptions,\n\t} satisfies BackupCodeOptions;\n\tconst totp = totp2fa(options?.totpOptions);\n\tconst backupCode = backupCode2fa(backupCodeOptions);\n\tconst otp = otp2fa(options?.otpOptions);\n\n\treturn {\n\t\tid: \"two-factor\",\n\t\tendpoints: {\n\t\t\t...totp.endpoints,\n\t\t\t...otp.endpoints,\n\t\t\t...backupCode.endpoints,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/enable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.enableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.enable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)\n\t\t\t */\n\t\t\tenableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/enable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: enableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Enable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttotpURI: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"TOTP URI\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tbackupCodes: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Backup codes\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password, issuer } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst secret = generateRandomString(32);\n\t\t\t\t\tconst encryptedSecret = await symmetricEncrypt({\n\t\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\t\tdata: secret,\n\t\t\t\t\t});\n\t\t\t\t\tconst backupCodes = await generateBackupCodes(\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\tbackupCodeOptions,\n\t\t\t\t\t);\n\t\t\t\t\tif (options?.skipVerificationOnEnable) {\n\t\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\t\tfalse,\n\t\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t\t);\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t\t */\n\t\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\t//remove current session\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\t//delete existing two factor\n\t\t\t\t\tawait ctx.context.adapter.deleteMany({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tsecret: encryptedSecret,\n\t\t\t\t\t\t\tbackupCodes: backupCodes.encryptedBackupCodes,\n\t\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst totpURI = createOTP(secret, {\n\t\t\t\t\t\tdigits: options?.totpOptions?.digits || 6,\n\t\t\t\t\t\tperiod: options?.totpOptions?.period,\n\t\t\t\t\t}).url(issuer || options?.issuer || ctx.context.appName, user.email);\n\t\t\t\t\treturn ctx.json({ totpURI, backupCodes: backupCodes.backupCodes });\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/disable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.disableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.disable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)\n\t\t\t */\n\t\t\tdisableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/disable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: disableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Disable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to disable two factor authentication.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: false,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.adapter.delete({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: updatedUser.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t);\n\t\t\t\t\t/**\n\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t */\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\t//remove current session\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({ status: true });\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\toptions: options as NoInfer<O>,\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(context) {\n\t\t\t\t\t\treturn (\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/email\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/username\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/phone-number\"\n\t\t\t\t\t\t);\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst data = ctx.context.newSession;\n\t\t\t\t\t\tif (!data) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (!data?.user.twoFactorEnabled) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst trustDeviceCookieAttrs = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\t// Check for trust device cookie\n\t\t\t\t\t\tconst trustDeviceCookie = await ctx.getSignedCookie(\n\t\t\t\t\t\t\ttrustDeviceCookieAttrs.name,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (trustDeviceCookie) {\n\t\t\t\t\t\t\tconst [token, sessionToken] = trustDeviceCookie.split(\"!\");\n\t\t\t\t\t\t\tconst expectedToken = await createHMAC(\n\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);\n\n\t\t\t\t\t\t\t// Checks if the token is signed correctly, not that its the current session token\n\t\t\t\t\t\t\tif (token === expectedToken) {\n\t\t\t\t\t\t\t\t// Trust device cookie is valid, refresh it and skip 2FA\n\t\t\t\t\t\t\t\tconst newTrustDeviceCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tconst newToken = await createHMAC(\n\t\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t\t).sign(\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\t`${data.user.id}!${data.session.token}`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\t\t\tnewTrustDeviceCookie.name,\n\t\t\t\t\t\t\t\t\t`${newToken}!${data.session.token}`,\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\ttrustDeviceCookieAttrs.attributes,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * remove the session cookie. It's set by the sign in credential\n\t\t\t\t\t\t */\n\t\t\t\t\t\tdeleteSessionCookie(ctx, true);\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(data.session.token);\n\t\t\t\t\t\tconst maxAge = (options?.otpOptions?.period ?? 3) * 60; // 3 minutes\n\t\t\t\t\t\tconst twoFactorCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTWO_FACTOR_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst identifier = `2fa-${generateRandomString(20)}`;\n\t\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\t\tvalue: data.user.id,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\texpiresAt: new Date(Date.now() + maxAge * 1000),\n\t\t\t\t\t\t});\n\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\ttwoFactorCookie.name,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\ttwoFactorCookie.attributes,\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttwoFactorRedirect: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tschema: mergeSchema(schema, options?.schema),\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn path.startsWith(\"/two-factor/\");\n\t\t\t\t},\n\t\t\t\twindow: 10,\n\t\t\t\tmax: 3,\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: TWO_FACTOR_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n\nexport * from \"./client\";\nexport * from \"./types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA+BA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC;CACF,QAAQ,EACN,QAAQ,CACR,KAAK,EACL,aAAa,kCACb,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAM,6BAA6B,EAAE,OAAO,EAC3C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC,EACF,CAAC;AAEF,MAAa,aAAyC,YAAgB;CACrE,MAAM,OAAO,EACZ,gBAAgB,aAChB;CACD,MAAM,oBAAoB;EACzB,kBAAkB;EAClB,GAAG,SAAS;EACZ;CACD,MAAM,OAAO,QAAQ,SAAS,YAAY;CAC1C,MAAM,aAAa,cAAc,kBAAkB;CACnD,MAAM,MAAM,OAAO,SAAS,WAAW;AAEvC,QAAO;EACN,IAAI;EACJ,WAAW;GACV,GAAG,KAAK;GACR,GAAG,IAAI;GACP,GAAG,WAAW;GAgBd,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,OAAO,EACN,MAAM,UACN;SACD,aAAa;SACb;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,UAAU,WAAW,IAAI;AAKjC,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,kBAC1B,CAAC;IAEH,MAAM,SAAS,qBAAqB,GAAG;IACvC,MAAM,kBAAkB,MAAM,iBAAiB;KAC9C,KAAK,IAAI,QAAQ;KACjB,MAAM;KACN,CAAC;IACF,MAAM,cAAc,MAAM,oBACzB,IAAI,QAAQ,QACZ,kBACA;AACD,QAAI,SAAS,0BAA0B;KACtC,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,MAClB,CACD;;;;AASD,WAAM,iBAAiB,KAAK;MAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;MAMA,MAAM;MACN,CAAC;AAGF,WAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;;AAGF,UAAM,IAAI,QAAQ,QAAQ,WAAW;KACpC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AAEF,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,MAAM;MACL,QAAQ;MACR,aAAa,YAAY;MACzB,QAAQ,KAAK;MACb;KACD,CAAC;IACF,MAAM,UAAU,UAAU,QAAQ;KACjC,QAAQ,SAAS,aAAa,UAAU;KACxC,QAAQ,SAAS,aAAa;KAC9B,CAAC,CAAC,IAAI,UAAU,SAAS,UAAU,IAAI,QAAQ,SAAS,KAAK,MAAM;AACpE,WAAO,IAAI,KAAK;KAAE;KAAS,aAAa,YAAY;KAAa,CAAC;KAEnE;GAgBD,kBAAkB,mBACjB,uBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,aAAa,IAAI;AAKzB,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,kBAC1B,CAAC;IAEH,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,OAClB,CACD;AACD,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,YAAY;MACnB,CACD;KACD,CAAC;;;;AASF,UAAM,iBAAiB,KAAK;KAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;KAMA,MAAM;KACN,CAAC;AAEF,UAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;AACD,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GACD;EACQ;EACT,OAAO,EACN,OAAO,CACN;GACC,QAAQ,SAAS;AAChB,WACC,QAAQ,SAAS,oBACjB,QAAQ,SAAS,uBACjB,QAAQ,SAAS;;GAGnB,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,KACJ;AAGD,QAAI,CAAC,MAAM,KAAK,iBACf;IAGD,MAAM,yBAAyB,IAAI,QAAQ,iBAC1C,0BACA,EACC,QAAQ,6BACR,CACD;IAED,MAAM,oBAAoB,MAAM,IAAI,gBACnC,uBAAuB,MACvB,IAAI,QAAQ,OACZ;AAED,QAAI,mBAAmB;KACtB,MAAM,CAAC,OAAO,gBAAgB,kBAAkB,MAAM,IAAI;AAO1D,SAAI,UANkB,MAAM,WAC3B,WACA,iBACA,CAAC,KAAK,IAAI,QAAQ,QAAQ,GAAG,KAAK,KAAK,GAAG,GAAG,eAAe,EAGhC;MAE5B,MAAM,uBAAuB,IAAI,QAAQ,iBACxC,0BACA,EACC,QAAQ,6BACR,CACD;MACD,MAAM,WAAW,MAAM,WACtB,WACA,iBACA,CAAC,KACD,IAAI,QAAQ,QACZ,GAAG,KAAK,KAAK,GAAG,GAAG,KAAK,QAAQ,QAChC;AACD,YAAM,IAAI,gBACT,qBAAqB,MACrB,GAAG,SAAS,GAAG,KAAK,QAAQ,SAC5B,IAAI,QAAQ,QACZ,uBAAuB,WACvB;AACD;;;;;;AAOF,wBAAoB,KAAK,KAAK;AAC9B,UAAM,IAAI,QAAQ,gBAAgB,cAAc,KAAK,QAAQ,MAAM;IACnE,MAAM,UAAU,SAAS,YAAY,UAAU,KAAK;IACpD,MAAM,kBAAkB,IAAI,QAAQ,iBACnC,wBACA,EACC,QACA,CACD;IACD,MAAM,aAAa,OAAO,qBAAqB,GAAG;AAClD,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,KAAK,KAAK;KACjB;KACA,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,IAAK;KAC/C,CAAC;AACF,UAAM,IAAI,gBACT,gBAAgB,MAChB,YACA,IAAI,QAAQ,QACZ,gBAAgB,WAChB;AACD,WAAO,IAAI,KAAK,EACf,mBAAmB,MACnB,CAAC;KACD;GACF,CACD,EACD;EACD,QAAQ,YAAY,QAAQ,SAAS,OAAO;EAC5C,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WAAO,KAAK,WAAW,eAAe;;GAEvC,QAAQ;GACR,KAAK;GACL,CACD;EACD,cAAc;EACd"}