{"version":3,"file":"static/js/vendors-2246825a.98123159.js","mappings":"mOAiDaA,EAmBTC,iBAAAA,GAEI,MADiC,CAACC,KAAKC,cAAeD,KAAKE,aAC1CC,KAAKC,EAAAA,GAAWC,qBAAqBC,a,CAM1DC,kBAAAA,GACI,OAAOT,EAAcU,wBAAwB,CACzCP,cAAeD,KAAKC,cACpBC,YAAaF,KAAKE,YAClBO,SAAUT,KAAKU,MACfC,SAAUX,KAAKW,SACfC,eAAgBZ,KAAKY,gB,CAO7BC,cAAAA,GACI,MAAO,CACHZ,cAAeD,KAAKC,cACpBC,YAAaF,KAAKE,YAClBO,SAAUT,KAAKU,MACfC,SAAUX,KAAKW,SACfC,eAAgBZ,KAAKY,eACrBE,KAAMd,KAAKc,KACXC,gBAAiBf,KAAKe,gBACtBC,cAAehB,KAAKgB,cAEpBC,eAAgB,IAAIC,KACflB,KAAKiB,gBAAkB,IAAIE,KAAKC,GACtB,CAACA,EAAcX,SAAUW,M,CAShDC,cAAAA,GACI,OAAQrB,KAAKiB,c,CAOjB,8BAAOT,CAAwBc,GAC3B,MAAMC,EAAeD,EAAiBrB,cAAcuB,MAAM,KAAK,GAO/D,MANmB,CACfF,EAAiBrB,cACjBqB,EAAiBpB,aAAe,GAChCqB,GAAgBD,EAAiBb,UAAY,IAG/BN,KAAKC,EAAAA,GAAWC,qBAAqBC,a,CAO3D,oBAAOmB,CACHC,EAUAC,EACAC,GAAwC,IAAAC,EAAAC,EAAAC,EAAAC,EAAAC,EAAAC,EAAAC,EAAAC,EAExC,MAAMC,EAAyB,IAAIvC,EAUnC,IAAIwC,EARAX,EAAUX,gBAAkBuB,EAAAA,EAAcC,KAC1CH,EAAQrB,cAAgByB,EAAAA,GAAiBC,kBAClCf,EAAUgB,eAAiBC,EAAAA,EAAaC,IAC/CR,EAAQrB,cAAgByB,EAAAA,GAAiBK,mBAEzCT,EAAQrB,cAAgByB,EAAAA,GAAiBM,qBAKzCrB,EAAeY,YAAcV,IAC7BU,GAAaU,EAAAA,EAAAA,GACTtB,EAAeY,WACfV,IAIRS,EAAQC,WAAaZ,EAAeY,WACpCD,EAAQpC,cAAgByB,EAAezB,cACvCoC,EAAQtB,gBAAkBW,EAAeX,gBAEzC,MAAMkC,EACFvB,EAAexB,aACdyB,GAAaA,EAAUuB,oBAE5B,IAAKD,EACD,MAAME,EAAAA,EAAAA,IACFC,EAAAA,IAIRf,EAAQnC,YAAc+C,EAEtBZ,EAAQ3B,OACM,QAAVmB,EAAAS,SAAU,IAAAT,OAAA,EAAVA,EAAYwB,QACZC,EAAAA,EAAAA,GAA6B5B,EAAe6B,gBAC5C,GAGJlB,EAAQzB,gBACM,QAAVkB,EAAAQ,SAAU,IAAAR,OAAA,EAAVA,EAAY0B,OACgB,QADbzB,EACfL,EAAe6B,qBAAa,IAAAxB,OAAA,EAA5BA,EAA8B0B,OACF,QADKzB,EACjCN,EAAe6B,qBAAa,IAAAvB,OAAA,EAA5BA,EAA8B0B,MAC9B,GAOJ,MAAMC,GAC0B,QAA5B1B,EAAAP,EAAe6B,qBAAa,IAAAtB,OAAA,EAA5BA,EAA8B2B,sBACF,QADoB1B,EAChDR,EAAe6B,qBAAa,IAAArB,OAAA,EAA5BA,EAA8B2B,KAC5BC,EAAoC,QAA5B3B,EAAAT,EAAe6B,qBAAa,IAAApB,GAA5BA,EAA8B4B,OACtCrC,EAAe6B,cAAcQ,OAAO,GACpC,KAQN,GANA1B,EAAQ1B,SAAWgD,GAAqBG,GAAS,GACjDzB,EAAQvB,MAAmC,QAA5BsB,EAAAV,EAAe6B,qBAAa,IAAAnB,OAAA,EAA5BA,EAA8BtB,OAAQ,GAErDuB,EAAQ2B,mBAAqBtC,EAAesC,mBAC5C3B,EAAQ4B,YAAcvC,EAAeuC,YAEjCvC,EAAeT,eACfoB,EAAQpB,eAAiBS,EAAeT,mBACrC,CACH,MAAMG,GAAgB8C,EAAAA,EAAAA,IAClBxC,EAAezB,cACfoC,EAAQzB,eACRyB,EAAQ3B,MACRgB,EAAe6B,eAEnBlB,EAAQpB,eAAiB,CAACG,EAC7B,CAED,OAAOiB,C,CAUX,4BAAO8B,CACHC,EACAJ,EACAC,GAAoB,IAAAI,EAEpB,MAAMhC,EAAyB,IAAIvC,EAqBnC,OAnBAuC,EAAQrB,cACJoD,EAAYpD,eAAiByB,EAAAA,GAAiBM,qBAClDV,EAAQpC,cAAgBmE,EAAYnE,cACpCoC,EAAQzB,eAAiBwD,EAAYxD,eACrCyB,EAAQtB,gBAAkBqD,EAAYrD,gBAEtCsB,EAAQ3B,MAAQ0D,EAAY3D,SAC5B4B,EAAQnC,YAAckE,EAAYlE,YAElCmC,EAAQ1B,SAAWyD,EAAYzD,SAC/B0B,EAAQvB,KAAOsD,EAAYtD,KAE3BuB,EAAQ2B,mBAAqBA,EAC7B3B,EAAQ4B,YAAcA,EAEtB5B,EAAQpB,eAAiBqD,MAAMC,MACD,QAA1BF,EAAAD,EAAYnD,sBAAc,IAAAoD,OAAA,EAA1BA,EAA4BG,WAAY,IAGrCnC,C,CAQX,4BAAOoC,CACHC,EACAC,EACAC,EACAC,EACAtB,GAGA,GAEQoB,IAAapC,EAAAA,EAAcC,MAC3BmC,IAAapC,EAAAA,EAAcuC,KAEjC,CAEE,GAAIJ,EACA,IACI,MAAMpC,GAAaU,EAAAA,EAAAA,GACf0B,EACAG,EAAUjD,cAEd,GAAIU,EAAWkB,KAAOlB,EAAWe,KAC7B,MAAO,GAAP0B,OAAUzC,EAAWkB,IAAG,KAAAuB,OAAIzC,EAAWe,KAE9C,CAAC,MAAO2B,GAAI,CAEjBJ,EAAOK,QAAQ,6BAClB,CAGD,OAAO1B,aAAa,EAAbA,EAAeG,MAAO,E,CAOjC,sBAAOwB,CAAgBC,GACnB,QAAKA,IAKDA,EAAOC,eAAe,kBACtBD,EAAOC,eAAe,gBACtBD,EAAOC,eAAe,UACtBD,EAAOC,eAAe,mBACtBD,EAAOC,eAAe,aACtBD,EAAOC,eAAe,iB,CAU9B,yBAAOC,CACHC,EACAC,EACAC,GAEA,IAAKF,IAAaC,EACd,OAAO,EAGX,IAAIE,GAAc,EAClB,GAAID,EAAe,CACf,MAAME,EAAkBJ,EAAS/B,eAC7B,CAAC,EACCoC,EAAkBJ,EAAShC,eAC7B,CAAC,EAGLkC,EACIC,EAAeE,MAAQD,EAAeC,KACtCF,EAAeG,QAAUF,EAAeE,KAC/C,CAED,OACIP,EAASrF,gBAAkBsF,EAAStF,eACpCqF,EAAS1E,iBAAmB2E,EAAS3E,gBACrC0E,EAAS3E,WAAa4E,EAAS5E,UAC/B2E,EAAS7E,WAAa8E,EAAS9E,UAC/B6E,EAASpF,cAAgBqF,EAASrF,aAClCoF,EAASvE,kBAAoBwE,EAASxE,iBACtC0E,C,4CC1VKK,EAUbC,WAAAA,CAAYC,EAAqCC,GAC7CjG,KAAKkG,MAAQF,EACbhG,KAAKiG,WAAaA,C,CAMtB,mBAAIE,GACA,OAAOnG,KAAKiG,U,CAMhB,cAAID,GACA,OAAOhG,KAAKkG,K,6lBCEd,SAAUE,EACZC,GAUA,MARsB,CAClBtG,EAAkBsG,GAClBC,EAAqBD,GACrBE,EAAeF,GACfG,EAAmBH,GACnBI,EAAeJ,IAGElG,KAAKC,EAAAA,GAAWC,qBAAqBC,aAC9D,CASM,SAAUoG,EACZzG,EACAC,EACAyG,EACAC,EACAnG,GAWA,MATqC,CACjCoG,eAAgBC,EAAAA,GAAeC,SAC/B9G,cAAeA,EACfC,YAAaA,EACb0G,SAAUA,EACVI,OAAQL,EACRjG,MAAOD,EAIf,CAagB,SAAAwG,EACZhH,EACAC,EACAgH,EACAN,EACAnG,EACA0G,EACAC,EACAC,EACAzF,EACA0F,EACAC,EACAC,EACAC,EACAC,EACAC,GAA4B,IAAAC,EAAAC,EAE5B,MAAMC,EAA8B,CAChC7H,cAAeA,EACf4G,eAAgBC,EAAAA,GAAeiB,aAC/Bf,OAAQE,EACRc,UAAUC,EAAAA,EAAAA,cAAuBC,WACjCd,UAAWA,EAAUc,WACrBC,kBAAmBd,EAAaa,WAChChI,YAAaA,EACb0G,SAAUA,EACVlG,MAAOD,EACP2H,OAAQjB,EACRI,UAAWA,GAAac,EAAAA,GAAqBC,QAoBjD,GAjBId,IACAM,EAASN,kBAAoBA,GAG7BF,IACAQ,EAASR,UAAYA,EAAUY,YAG/BR,IACAI,EAASJ,gBAAkBA,EAC3BI,EAASH,oBAAsBA,IAQb,QAAlBC,EAAAE,EAASP,iBAAS,IAAAK,OAAA,EAAlBA,EAAoBtH,iBACpB+H,EAAAA,GAAqBC,OAAOhI,cAG5B,OADAwH,EAASjB,eAAiBC,EAAAA,GAAeyB,8BACjCT,EAASP,WACb,KAAKc,EAAAA,GAAqBG,IAEtB,MAAMC,GAAkCC,EAAAA,EAAAA,oBACpCxB,EACAtF,GAEJ,GAAK6G,SAAgB,QAALZ,EAAXY,EAAaE,WAAG,IAAAd,IAAhBA,EAAkBe,IACnB,MAAMzF,EAAAA,EAAAA,IACF0F,EAAAA,IAGRf,EAASL,MAAQgB,EAAYE,IAAIC,IACjC,MACJ,KAAKP,EAAAA,GAAqBS,IACtBhB,EAASL,MAAQA,EAI7B,OAAOK,CACX,CASgB,SAAAiB,EACZ9I,EACAC,EACA8I,EACApC,EACAqC,EACAzB,EACAJ,GAEA,MAAM8B,EAA+B,CACjCrC,eAAgBC,EAAAA,GAAeqC,cAC/BlJ,cAAeA,EACfC,YAAaA,EACb0G,SAAUA,EACVI,OAAQgC,GAeZ,OAZIxB,IACA0B,EAAS1B,kBAAoBA,GAG7ByB,IACAC,EAASD,SAAWA,GAGpB7B,IACA8B,EAAS9B,UAAYA,EAAUc,YAG5BgB,CACX,CAEM,SAAUE,EAAmBjE,GAC/B,OACIA,EAAOC,eAAe,kBACtBD,EAAOC,eAAe,gBACtBD,EAAOC,eAAe,mBACtBD,EAAOC,eAAe,aACtBD,EAAOC,eAAe,SAE9B,CAMM,SAAUiE,EAAoBlE,GAChC,QAAKA,IAKDiE,EAAmBjE,IACnBA,EAAOC,eAAe,UACtBD,EAAOC,eAAe,YACrBD,EAAuB,iBAAM2B,EAAAA,GAAeiB,cACzC5C,EAAuB,iBACnB2B,EAAAA,GAAeyB,+BAE/B,CAMM,SAAUe,EAAgBnE,GAC5B,QAAKA,IAKDiE,EAAmBjE,IACnBA,EAAOC,eAAe,UACtBD,EAAuB,iBAAM2B,EAAAA,GAAeC,SAEpD,CAMM,SAAUwC,EAAqBpE,GACjC,QAAKA,IAKDiE,EAAmBjE,IACnBA,EAAuB,iBAAM2B,EAAAA,GAAeqC,cAEpD,CAKA,SAASpJ,EAAkBsG,GAKvB,MAJiC,CAC7BA,EAAiBpG,cACjBoG,EAAiBnG,aAEJC,KAAKC,EAAAA,GAAWC,qBAAqBC,aAC1D,CAKA,SAASgG,EAAqBD,GAC1B,MAAMmD,EACFnD,EAAiBQ,iBAAmBC,EAAAA,GAAeqC,eAC7C9C,EAAiB4C,UACjB5C,EAAiBO,SAO3B,MANoC,CAChCP,EAAiBQ,eACjB2C,EACAnD,EAAiB3F,OAAS,IAGVP,KAAKC,EAAAA,GAAWC,qBAAqBC,aAC7D,CAKA,SAASiG,EAAeF,GACpB,OAAQA,EAAiB+B,QAAU,IAAI9H,aAC3C,CAKA,SAASkG,EAAmBH,GACxB,OAAQA,EAAiBsB,qBAAuB,IAAIrH,aACxD,CAKA,SAASmG,EAAeJ,GAKpB,OAAOA,EAAiBkB,WACpBlB,EAAiBkB,UAAUjH,gBACvB+H,EAAAA,GAAqBC,OAAOhI,cAC9B+F,EAAiBkB,UAAUjH,cAC3B,EACV,CAOgB,SAAAmJ,EAAwBC,EAAavE,GACjD,MAAMwE,EACgD,IAAlDD,EAAIE,QAAQC,EAAAA,GAAuBC,WACvC,IAAIC,GAA0B,EAS9B,OAPI5E,IACA4E,EACI5E,EAAOC,eAAe,mBACtBD,EAAOC,eAAe,WACtBD,EAAOC,eAAe,cAGvBuE,GAAeI,CAC1B,CAOgB,SAAAC,EAAmBN,EAAavE,GAC5C,IAAIwE,GAAuB,EACvBD,IACAC,EAAqE,IAAvDD,EAAIE,QAAQK,EAAAA,GAAoBC,oBAGlD,IAAIH,GAA0B,EAK9B,OAJI5E,IACA4E,EAAiB5E,EAAOC,eAAe,iBAGpCuE,GAAeI,CAC1B,C,SAKgBI,EAAsBC,GAGlB,IAHmB,YACnClK,EAAW,SACX0G,GACgBwD,EAMhB,MAL2C,CACvCC,EAAAA,GACAnK,EACA0G,GAGCzG,KAAKC,EAAAA,GAAWC,qBAChBC,aACT,CAMgB,SAAAgK,EAAoBZ,EAAavE,GAC7C,QAAKA,IAK6B,IAA9BuE,EAAIE,QAAQS,EAAAA,KACZlF,EAAOC,eAAe,aACtBD,EAAOC,eAAe,eAE9B,CAMgB,SAAAmF,EACZb,EACAvE,GAEA,QAAKA,IAKuD,IAAxDuE,EAAIE,QAAQY,EAAAA,GAA6BV,YACzC3E,EAAOC,eAAe,YACtBD,EAAOC,eAAe,oBACtBD,EAAOC,eAAe,sBACtBD,EAAOC,eAAe,wBACtBD,EAAOC,eAAe,2BACtBD,EAAOC,eAAe,mBACtBD,EAAOC,eAAe,WACtBD,EAAOC,eAAe,uBACtBD,EAAOC,eAAe,yBACtBD,EAAOC,eAAe,cACtBD,EAAOC,eAAe,YAE9B,C,SAKgBqF,IACZ,OACIxC,EAAAA,EAAAA,cACAuC,EAAAA,GAA6BE,oBAErC,C,SAEgBC,EACZC,EACAC,EACAC,GAEAF,EAAkBG,uBACdF,EAAcE,uBAClBH,EAAkBI,eAAiBH,EAAcG,eACjDJ,EAAkBK,qBAAuBJ,EAAcI,qBACvDL,EAAkBM,OAASL,EAAcK,OACzCN,EAAkBO,qBAAuBL,EACzCF,EAAkBQ,SAAWP,EAAcO,QAC/C,C,SAEgBC,EACZT,EACAC,EACAC,GAEAF,EAAkBU,QAAUT,EAAcS,QAC1CV,EAAkBW,gBAAkBV,EAAcU,gBAClDX,EAAkBY,kBAAoBX,EAAcW,kBACpDZ,EAAkBa,mBAAqBX,CAC3C,CAKM,SAAUY,EACZC,GAEA,OAAOA,EAASC,YAAa3D,EAAAA,EAAAA,aACjC,C,waCzcO,MAAM4D,EAAY,YACZC,EAAe,eACfC,EAAgB,gBAChBC,EAAgB,gBAChBC,EAAa,aACbC,EAAS,SACTC,EAAQ,QAKRhD,EAAgB,gBAGhBiD,EAAQ,QACRC,EAAQ,QACRC,EAAS,SAGTC,EAAO,OACPC,EAAiB,iBACjBC,EAAwB,wBACxBC,EAAgB,gBAChBC,EAAoB,oBACpBC,EAAe,eACfC,EAAe,eACfC,EAAc,cACdC,EAAe,eACfC,EAAsB,6BACtBC,EAAsB,0BACtBC,EAAsB,sBACtBC,EAAa,aACbC,EAAY,YACZC,EAAkB,2BAClBC,EAAgB,gBAChBC,EAAc,cACdC,EAAgB,gBAChBC,EAAmB,mBACnBC,EAAwB,wBACxBC,EAAa,aACbC,EAAU,UACVC,EAAgB,YAChBC,EAAsB,sBAItBC,EAAkB,kBAClBC,EAAgB,eAChBC,EAAc,cACdC,EAAM,MACNC,EAAa,aACbC,EAAc,cACdC,EAAqB,oBACrBC,EAAmB,gBACnBC,EAAsB,kB,oGC7BnC,MAAMC,EACE,K,MAMKC,EAIT1I,WAAAA,CAAY2I,EAAsBC,GAC9B3O,KAAK0O,YAAcA,EACnB1O,KAAK2O,kBAAoBA,C,CAS7B,iBAAMC,CACFC,EACAjK,GAAc,IAAAkK,EAEQ,QAAtBA,EAAA9O,KAAK2O,yBAAiB,IAAAG,GAAtBA,EAAwBC,oBACpBC,EAAAA,GAAkBC,oBAClBJ,EAAQK,eAGZ,MAAMC,QAAeC,EAAAA,EAAAA,GACjBpP,KAAKqP,YAAYC,KAAKtP,MACtBgP,EAAAA,GAAkBC,oBAClBrK,EACA5E,KAAK2O,kBACLE,EAAQK,cALSE,CAMnBP,GACIU,EAAuBvP,KAAK0O,YAAYc,gBAC1CC,KAAKC,UAAUP,IAGnB,MAAO,CACHvG,IAAKuG,EAAOvG,IACZ2G,e,CASR,iBAAMF,CAAYR,GAAoC,IAAAc,EAC5B,QAAtBA,EAAA3P,KAAK2O,yBAAiB,IAAAgB,GAAtBA,EAAwBZ,oBACpBC,EAAAA,GAAkBY,oBAClBf,EAAQK,eAOZ,MAAO,CACHtG,UALwB5I,KAAK0O,YAAYmB,uBACzChB,GAKAiB,QAAStB,E,CAUjB,kBAAMuB,CACF7I,EACAO,EACAoH,GAEA,OAAO7O,KAAKgQ,YAAY9I,EAAaO,EAAOoH,E,CAWhD,iBAAMmB,CACFC,EACAxI,EACAoH,EACAqB,GAGA,MAAM,sBACFC,EAAqB,mBACrBC,EAAkB,UAClBC,EAAS,SACTC,EAAQ,WACRC,GACA1B,EAEE2B,EAAoBJ,EACpB,IAAIK,EAAAA,EAAUL,QACdM,EACAC,EAAwBH,aAAiB,EAAjBA,EAAmBI,mBACjD,OAAO5Q,KAAK0O,YAAYmC,SAAOC,EAAAA,EAAAA,GAAC,CAExBC,GAAId,EACJe,IAAI/I,EAAAA,EAAAA,cACJgJ,EAAGd,aAAqB,EAArBA,EAAuBe,cAC1BC,EAAGR,aAAqB,EAArBA,EAAuBS,gBAC1BvL,MAAOyK,GAAYtQ,KAAK0O,YAAY2C,gBACpCC,EAAGX,aAAqB,EAArBA,EAAuBY,aAC1BC,EAAGb,SAAAA,EAAuBc,YACpB,CAAC,GAAId,EAAsBc,kBAC3Bf,EACNgB,cAAerB,QAAaK,GACzBR,GAEPzI,EACA8I,EACA1B,EAAQK,c,4ECnJP,MAAAyC,EAAoB,CAC7B,CAACC,EAAAA,GAAiC,sCAClC,CAACC,EAAAA,GACG,wIASMD,EAAAA,EACAD,EAAkBC,EAAAA,GAGlBC,EAAAA,EACAF,EAAkBE,EAAAA,GAO1B,MAAOC,UAAkBC,MAqB3BhM,WAAAA,CAAYiM,EAAoBC,EAAuBC,GAInDC,MAHoBF,EAAY,GAAAlN,OACvBiN,EAAS,MAAAjN,OAAKkN,GACjBD,GAENI,OAAOC,eAAerS,KAAM8R,EAAUQ,WAEtCtS,KAAKgS,UAAYA,GAAaO,EAAAA,GAAUC,aACxCxS,KAAKiS,aAAeA,GAAgBM,EAAAA,GAAUC,aAC9CxS,KAAKyS,SAAWP,GAAYK,EAAAA,GAAUC,aACtCxS,KAAKc,KAAO,W,CAGhB4R,gBAAAA,CAAiBxD,GACblP,KAAKkP,cAAgBA,C,EAIb,SAAAyD,EACZC,EACAC,GAEA,OAAO,IAAIf,EACPc,EACAC,EAAiB,GAAA9N,OACR4M,EAAkBiB,GAAK,KAAA7N,OAAI8N,GAC9BlB,EAAkBiB,GAEhC,C,4CC1EO,MAAMhB,EAAkB,mBAClBC,EAAoB,qB,qDCDpB,MAAAiB,EAAqB,CAC9B,CAACC,EAAAA,GACG,mCACJ,CAACC,EAAAA,GACG,uDAMF,MAAOC,UAAmBlB,MAW5BhM,WAAAA,CAAYiM,EAAmBC,GAC3B,MAAMiB,EACFjB,IACCa,EAAmBd,GACdc,EAAmBd,GACnBc,EAAmBE,EAAAA,IAE7Bb,MAAM,GAADpN,OAAIiN,EAAS,MAAAjN,OAAKmO,IACvBd,OAAOC,eAAerS,KAAMiT,EAAWX,WAEvCtS,KAAKc,KAAO,aACZd,KAAKgS,UAAYA,EACjBhS,KAAKiS,aAAeiB,C,8CCpCrB,MAAMH,EAA8B,uBAC9BC,EAAwB,qB,0ECOxB,MAAAG,EAA0B,CACnC,CAACC,EAAAA,IACG,wDACJ,CAACC,EAAAA,IAA4C,4BAC7C,CAACC,EAAAA,IAAyC,yBAC1C,CAACC,EAAAA,IAAwC,6BACzC,CAACC,EAAAA,IACG,+BACJ,CAACC,EAAAA,IAAoC,yBACrC,CAACC,EAAAA,IACG,8IACJ,CAACC,EAAAA,IACG,gDACJ,CAACC,EAAAA,IAAoC,oCACrC,CAACC,EAAAA,IAAqC,uBACtC,CAACC,EAAAA,IAAqC,kBACtC,CAACC,EAAAA,IAAqC,uBACtC,CAACC,EAAAA,IACG,+NAGJ,CAACC,EAAAA,IACG,4FACJ,CAACC,EAAAA,IACG,oJAEJ,CAACC,EAAAA,IACG,4HACJ,CAACC,EAAAA,IACG,mIACJ,CAACC,EAAAA,IACG,4EACJ,CAACC,EAAAA,IACG,kDACJ,CAACC,EAAAA,IAA4C,yBAC7C,CAACC,EAAAA,IACG,2CACJ,CAACC,EAAAA,IACG,kHACJ,CAACC,EAAAA,IAAyC,0BAC1C,CAACC,EAAAA,IACG,mDACJ,CAACC,EAAAA,IACG,0FACJ,CAACC,EAAAA,IACG,6CACJ,CAACzR,EAAAA,IACG,4DACJ,CAAC0R,EAAAA,IACG,2CACJ,CAACC,EAAAA,IAAsC,6BACvC,CAACC,EAAAA,IACG,8BACJ,CAACC,EAAAA,IACG,2FACJ,CAACC,EAAAA,IACG,iKACJ,CAACC,EAAAA,IACG,qOACJ,CAACC,EAAAA,IACG,uDACJ,CAACvM,EAAAA,IACG,kEACJ,CAACwM,EAAAA,IACG,oEACJ,CAACC,EAAAA,IACG,8DACJ,CAACC,EAAAA,IACG,iDACJ,CAACC,EAAAA,IACG,wIACJ,CAACC,EAAAA,IACG,2DACJ,CAACC,EAAAA,IAAoC,2BACrC,CAACC,EAAAA,IACG,oHACJ,CAACC,EAAAA,IACG,uCACJ,CAACC,EAAAA,IACG,0CASMzC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBzR,EAAAA,GAEFA,EAAAA,GAIE0R,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBvM,EAAAA,GAEFA,EAAAA,GAIEwM,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GACwBA,EAAAA,GAGxBC,EAAAA,GAEFA,EAAAA,GAIEE,EAAAA,GAEFA,EAAAA,GAQN,MAAOC,UAAwBhE,EAAAA,GACjC/L,WAAAA,CAAYiM,EAAmBa,GAC3BV,MACIH,EACAa,EAAiB,GAAA9N,OACRoO,EAAwBnB,GAAU,MAAAjN,OAAK8N,GAC1CM,EAAwBnB,IAElChS,KAAKc,KAAO,kBAEZsR,OAAOC,eAAerS,KAAM8V,EAAgBxD,U,EAIpC,SAAAnP,EACZ6O,EACAa,GAEA,OAAO,IAAIiD,EAAgB9D,EAAWa,EAC1C,C,waC/UO,MAAMO,EAA0B,6BAC1BC,EAAuB,0BACvBC,EAAoB,sBACpBC,EAAmB,sBACnBC,EAA0B,6BAC1BC,EAAe,gBACfC,EAAoB,sBACpBC,EAAsB,wBACtBC,EAAe,gBACfC,EAAgB,iBAChBC,EAAgB,kBAChBC,EAAgB,iBAChBC,EAAmB,sBACnBC,EAAmB,qBACnBC,EAAyB,2BACzBC,EAA2B,6BAC3BC,EAA8B,gCAC9BC,EAAsB,yBACtBC,EAAyB,4BACzBC,EAAuB,yBACvBC,EAAqB,uBACrBC,EAA6B,gCAC7BC,EAAoB,sBACpBC,EAAyB,4BACzBC,EAA2B,+BAC3BC,EAAqB,uBACrBzR,EAA0B,4BAC1B0R,EAAiB,mBACjBC,EAAiB,mBACjBC,EAA2B,6BAC3BC,EAAmB,oBACnBC,EAA0B,4BAC1BC,EAAuB,yBACvBC,EAAqB,uBACrBvM,EACT,0CACSwM,EACT,kDACSC,EAAuB,0BACvBC,EACT,qCACSC,EAAe,iBACfC,EAAwB,0BACxBC,EAAe,gBACfC,EAAuB,0BACvBC,EAAuB,yBACvBC,EAA8B,iC,gEC1C9B,MAAAE,EAAmC,CAC5C,CAACC,EAAAA,IACG,mEACJ,CAACC,EAAAA,IACG,mDACJ,CAACC,EAAAA,IACG,4NACJ,CAACC,EAAAA,IACG,qDACJ,CAACC,EAAAA,IAA8C,yBAC/C,CAACC,EAAAA,IACG,iHACJ,CAACC,EAAAA,IACG,uLACJ,CAACC,EAAAA,IACG,4DACJ,CAACC,EAAAA,IACG,kDACJ,CAACC,EAAAA,IACG,4CACJ,CAACC,EAAAA,IACG,gFACJ,CAACC,EAAAA,IACG,sGACJ,CAACC,EAAAA,IACG,sIACJ,CAACC,EAAAA,IACG,0IACJ,CAACC,EAAAA,IACG,6HACJ,CAACC,EAAAA,IACG,8HACJ,CAACC,EAAAA,IACG,wJACJ,CAACC,EAAAA,IACG,iLACJ,CAACC,EAAAA,IACG,yCACJ,CAACC,EAAAA,IACG,8GACJ,CAACC,EAAAA,IACG,gFACJ,CAACC,EAAAA,IACG,oPASMrB,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAIEC,EAAAA,GAEFA,EAAAA,GAQN,MAAOC,UAAiCxF,EAAAA,GAC1C/L,WAAAA,CAAYiM,GACRG,MAAMH,EAAW+D,EAAiC/D,IAClDhS,KAAKc,KAAO,2BACZsR,OAAOC,eAAerS,KAAMsX,EAAyBhF,U,EAIvD,SAAUiF,EACZvF,GAEA,OAAO,IAAIsF,EAAyBtF,EACxC,C,iOC5MO,MAAMgE,EAAmB,qBACnBC,EAA4B,+BAC5BC,EAAuB,yBACvBC,EAAgB,kBAChBC,EAAgB,kBAChBC,EAAwB,2BACxBC,EAAqB,uBACrBC,EAAgB,iBAChBC,EAAoB,sBACpBC,EAAqB,uBACrBC,EAA6B,gCAC7BC,EAAoB,sBACpBC,EAAgC,mCAChCC,EAA2B,6BAC3BC,EAAqB,sBACrBC,EAAgB,kBAChBC,EAAgB,kBAChBC,EACT,sCACSC,EAA8B,gCAC9BC,EAAuB,yBACvBC,EAA0B,6BAC1BC,EAAoB,oB,8FCdpB,MAAAG,EAAwC,CACjDC,EAAAA,GACAC,EAAAA,GACAC,EAAAA,GACAC,EAAAA,IAGSC,EAAyC,YAClD,eACA,oBACA,eACA,wBACA,mBACA,aAAW,KAGTC,EAAuC,CACzC,CAACC,EAAAA,IACG,uDACJ,CAACC,EAAAA,GACG,sJACJ,CAACC,EAAAA,IACG,6BACJ,CAACL,EAAAA,IACG,iIASMG,EAAAA,GACAD,EACFC,EAAAA,IAIEC,EAAAA,EACAF,EACFE,EAAAA,GAIEJ,EAAAA,GACAE,EACFF,EAAAA,IAQN,MAAOM,UAAqCpG,EAAAA,GA2B9C/L,WAAAA,CACIiM,EACAC,EACAQ,EACA0F,EACAC,EACAlJ,EACAgB,EACAmI,GAEAlG,MAAMH,EAAWC,EAAcQ,GAC/BL,OAAOC,eAAerS,KAAMkY,EAA6B5F,WAEzDtS,KAAKmY,UAAYA,GAAa5F,EAAAA,GAAUC,aACxCxS,KAAKoY,QAAUA,GAAW7F,EAAAA,GAAUC,aACpCxS,KAAKkP,cAAgBA,GAAiBqD,EAAAA,GAAUC,aAChDxS,KAAKkQ,OAASA,GAAUqC,EAAAA,GAAUC,aAClCxS,KAAKc,KAAO,+BACZd,KAAKqY,QAAUA,C,WAUPC,EACZtG,EACAuG,EACA9F,GAEA,MAAM+F,IACAxG,GACFwF,EAAsC5N,QAAQoI,IAAc,EAC1DyG,IACAhG,GACFoF,EAAuCjO,QAAQ6I,IAAa,EAC1DiG,IACAH,GACFf,EAAsCmB,MAAMC,GACjCL,EAAY3O,QAAQgP,IAAgB,IAGnD,OACIJ,GACAE,GACAD,CAER,CAKM,SAAUI,EACZ7G,GAEA,OAAO,IAAIkG,EACPlG,EACA8F,EAAqC9F,GAE7C,C,0FCvJO,MAAM+F,EAAgB,kBAChBC,EAA2B,6BAC3BC,EAAsB,wBAGtBR,EAAsB,uBACtBC,EAAkB,mBAClBC,EAAgB,iBAChBC,EAAW,W,oDCJlB,MAAOkB,UAAoBhH,EAAAA,GAW7B/L,WAAAA,CACIiM,EACAC,EACAQ,EACA4F,EACAU,GAEA5G,MAAMH,EAAWC,EAAcQ,GAC/BzS,KAAKc,KAAO,cACZd,KAAKqY,QAAUA,EACfrY,KAAK+Y,OAASA,EAEd3G,OAAOC,eAAerS,KAAM8Y,EAAYxG,U,+qBC6DnC,MAAA0G,EAAyC,CAClD3H,cAAeA,KACX,MAAMlO,EAAAA,EAAAA,IAAsByS,EAAAA,GAA0C,EAE1EhU,aAAcA,KACV,MAAMuB,EAAAA,EAAAA,IAAsByS,EAAAA,GAA0C,EAE1EqD,aAAcA,KACV,MAAM9V,EAAAA,EAAAA,IAAsByS,EAAAA,GAA0C,EAE1EpG,gBAAiBA,KACb,MAAMrM,EAAAA,EAAAA,IAAsByS,EAAAA,GAA0C,EAE1EsD,UAAWA,KACP,MAAM/V,EAAAA,EAAAA,IAAsByS,EAAAA,GAA0C,EAE1E,4BAAM/F,GACF,MAAM1M,EAAAA,EAAAA,IAAsByS,EAAAA,G,EAEhC,2BAAMuD,GACF,MAAMhW,EAAAA,EAAAA,IAAsByS,EAAAA,G,EAEhC,mBAAMwD,GACF,MAAMjW,EAAAA,EAAAA,IAAsByS,EAAAA,G,EAEhC,aAAM/E,GACF,MAAM1N,EAAAA,EAAAA,IAAsByS,EAAAA,G,EAEhC,gBAAMyD,GACF,MAAMlW,EAAAA,EAAAA,IAAsByS,EAAAA,G,OCtGxB0D,E,aAAZ,SAAYA,GACRA,EAAAA,EAAA,iBACAA,EAAAA,EAAA,qBACAA,EAAAA,EAAA,eACAA,EAAAA,EAAA,qBACAA,EAAAA,EAAA,gBACH,CAND,CAAYA,IAAAA,EAMX,K,MAYYC,EAmBTxT,WAAAA,CACIyT,EACAC,EACAC,GAjBI,KAAAC,MAAkBL,EAASM,KAmB/B,MAGMC,EACFL,GAAiBD,EAAOO,6BAC5B9Z,KAAK+Z,cACDF,EAAiBG,gBANSC,MACpB,GAMVja,KAAKka,kBAAoBL,EAAiBK,oBAAqB,EAC/Dla,KAAK2Z,MACoC,iBAA9BE,EAAiBM,SAClBN,EAAiBM,SACjBb,EAASM,KACnB5Z,KAAKkP,cACD2K,EAAiB3K,eAAiBqD,EAAAA,GAAUC,aAChDxS,KAAKyZ,YAAcA,GAAelH,EAAAA,GAAUC,aAC5CxS,KAAK0Z,eAAiBA,GAAkBnH,EAAAA,GAAUC,Y,CAG9C,iCAAOsH,GACX,MAAO,CACHE,eAAgBA,OAGhBE,mBAAmB,EACnBC,SAAUb,EAASM,K,CAOpBQ,KAAAA,CACHX,EACAC,EACAxK,GAEA,OAAO,IAAIqK,EACP,CACIS,eAAgBha,KAAK+Z,cACrBG,kBAAmBla,KAAKka,kBACxBC,SAAUna,KAAK2Z,MACfzK,cAAeA,GAAiBlP,KAAKkP,eAEzCuK,EACAC,E,CAOAW,UAAAA,CACJA,EACAC,GAEA,GACIA,EAAQH,SAAWna,KAAK2Z,QACtB3Z,KAAKka,mBAAqBI,EAAQC,YAEpC,OAEJ,MAAMpC,GAAY,IAAIqC,MAAOC,cAGvBC,EAAY,IAAH3V,OAAOoT,EAAS,SAAApT,OAC3BuV,EAAQpL,eAAiBlP,KAAKkP,eAAiB,GACnD,KAEMyL,EAAM,GAAH5V,OAAM2V,EAAS,OAAA3V,OAAM/E,KAAKyZ,YAAW,KAAA1U,OAC1C/E,KAAK0Z,eACT,OAAA3U,OAAMuU,EAASgB,EAAQH,UAAS,OAAApV,OAAMsV,GAEtCra,KAAK4a,gBACDN,EAAQH,SACRQ,EACAL,EAAQC,cAAe,E,CAO/BK,eAAAA,CACIjB,EACAzG,EACAqH,GAEIva,KAAK+Z,eACL/Z,KAAK+Z,cAAcJ,EAAOzG,EAASqH,E,CAO3CM,KAAAA,CAAM3H,EAAiBhE,GACnBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASvH,MACnBwI,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDsI,QAAAA,CAAS5H,EAAiBhE,GACtBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASvH,MACnBwI,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDvN,OAAAA,CAAQiO,EAAiBhE,GACrBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASyB,QACnBR,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDwI,UAAAA,CAAW9H,EAAiBhE,GACxBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASyB,QACnBR,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDyI,IAAAA,CAAK/H,EAAiBhE,GAClBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASM,KACnBW,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlD0I,OAAAA,CAAQhI,EAAiBhE,GACrBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASM,KACnBW,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlD2I,OAAAA,CAAQjI,EAAiBhE,GACrBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAAS8B,QACnBb,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlD6I,UAAAA,CAAWnI,EAAiBhE,GACxBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAAS8B,QACnBb,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlD8I,KAAAA,CAAMpI,EAAiBhE,GACnBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASiC,MACnBhB,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDgJ,QAAAA,CAAStI,EAAiBhE,GACtBlP,KAAKqa,WAAWnH,EAAS,CACrBiH,SAAUb,EAASiC,MACnBhB,aAAa,EACbrL,cAAeA,GAAiBqD,EAAAA,GAAUC,c,CAOlDiJ,mBAAAA,GACI,OAAOzb,KAAKka,oBAAqB,C,oIChNnBwB,EAOlB3V,WAAAA,CACIa,EACA+U,EACA/W,EACAgX,GAEA5b,KAAK4G,SAAWA,EAChB5G,KAAK2b,WAAaA,EAClB3b,KAAK6b,aAAejX,EAAOwV,MAAMtZ,EAAAA,EAAMgb,EAAAA,GACvC9b,KAAK4b,uBAAyBA,C,CA2KlCG,cAAAA,CAAeC,GACX,OAAOhc,KAAKic,oBACRjc,KAAKkc,sBAAsBF,GAAiB,CAAC,GAC7CA,E,CAORG,wBAAAA,CAAyBH,GACrB,MAAMI,EAAcpc,KAAK+b,eAAeC,GACxC,GAAII,EAAYC,OAAS,EAAG,CAKxB,OAHuBD,EAAYE,MAAMja,GAC9BA,EAAQkB,eAAiB,EAAI,IAElB,EACzB,CAAM,OAA2B,IAAvB6Y,EAAYC,OAEZD,EAAY,GAEZ,I,CASfG,kBAAAA,CAAmBP,GACf,MAAMQ,EAAkBxc,KAAKkc,sBAAsBF,GACnD,OAAIQ,EAAgBH,OAAS,EAClBG,EAAgB,GAAG3b,iBAEnB,I,CAWPob,mBAAAA,CACJQ,EACAT,GAEA,OAAOS,EAAeC,SAASC,GACpB3c,KAAK4c,mCACRD,EACAX,aAAa,EAAbA,EAAevb,SACfub,I,CAKJa,8BAAAA,CACJzY,EACA0Y,EACA1b,EACA2b,GAEA,IACIxZ,EADAyZ,EAA0C,KAG9C,GAAID,IAEK/c,KAAKid,2BACF7b,EACA2b,GAGJ,OAAO,KAIf,MAAMpW,EAAU3G,KAAKkd,WACjB9Y,EACA0Y,EACA1b,EAAcX,UAGlB,OAAIkG,IACApD,GAAgBmF,EAAAA,EAAAA,oBACZ/B,EAAQK,OACRhH,KAAK2b,WAAW/Z,eAIf5B,KAAKmd,sCACF5Z,EACAwZ,IAIG,MAKfC,GAAsBI,EAAAA,EAAAA,IAClBhZ,EACAhD,EACAmC,EACAoD,aAAO,EAAPA,EAASK,QAGNgW,E,CAGHJ,kCAAAA,CACJD,EACAU,EACAN,GAEA,MAAM3Y,EAAcuY,EAAc9b,iBAClC,IAAIyc,EACAlZ,EAAYnD,gBAAkB,IAAIC,IACtC,MAAM4b,EAAY9c,KAAKud,eAGvB,GAAIF,EAAgB,CAChB,MAAMjc,EAAgBkc,EAAqBE,IAAIH,GAC/C,IAAIjc,EAOA,MAAO,GALPkc,EAAuB,IAAIpc,IAA2B,CAClD,CAACmc,EAAgBjc,IAM5B,CAED,MAAMqc,EAAwC,GAa9C,OAZAH,EAAqBI,SAAStc,IAC1B,MAAM4b,EAAsBhd,KAAK6c,+BAC7BzY,EACA0Y,EACA1b,EACA2b,GAEAC,GACAS,EAAuBE,KAAKX,EAC/B,IAGES,C,CAGHR,0BAAAA,CACJ7b,EACA2b,GAEA,QACMA,EAAoBnc,iBACrBZ,KAAK4d,qCACFxc,EACA2b,EAAoBnc,qBAOtBmc,EAAoBjc,MACpBM,EAAcN,OAASic,EAAoBjc,aAMR4P,IAArCqM,EAAoBc,cAClBzc,EAAcyc,eAAiBd,EAAoBc,c,CAQrDV,qCAAAA,CACJ5Z,EACAwZ,GAGA,GAAIA,EAAqB,CACrB,GACMA,EAAoBnc,iBACrBZ,KAAK8d,mCACFva,EACAwZ,EAAoBnc,gBAGxB,OAAO,EAGX,GACMmc,EAAoBgB,YACrB/d,KAAKge,8BACFza,EACAwZ,EAAoBgB,WAGxB,OAAO,EAGX,GACMhB,EAAoBpc,WACrBX,KAAKie,cACF1a,EAAcK,mBACdmZ,EAAoBpc,UAGxB,OAAO,EAGX,GACMoc,EAAoBjc,OACrBd,KAAKke,UAAU3a,EAAewZ,EAAoBjc,MAEnD,OAAO,EAGX,GACMic,EAAoBoB,MACrBne,KAAKoe,SAAS7a,EAAewZ,EAAoBoB,KAElD,OAAO,CAEd,CAED,OAAO,C,CASX,qBAAME,CACFC,EACAC,EACArP,GAEA,IAAKoP,EACD,MAAMnb,EAAAA,EAAAA,IACF0R,EAAAA,IAIR,IACUyJ,EAAYjc,SACdrC,KAAKwe,WAAWF,EAAYjc,SAG1Bic,EAAY3X,UAAqC,KAA1B4X,aAAY,EAAZA,EAAc5X,UACvC3G,KAAKye,qBAAqBH,EAAY3X,SAIpC2X,EAAYpX,cACgB,KAA9BqX,aAAY,EAAZA,EAAcrX,oBAERlH,KAAK0e,gBAAgBJ,EAAYpX,aAIrCoX,EAAYtV,eACiB,KAA/BuV,aAAY,EAAZA,EAAcvV,eAEdhJ,KAAK2e,0BAA0BL,EAAYtV,cAGzCsV,EAAYM,aACd5e,KAAK6e,eAAeP,EAAYM,YAEvC,CAAC,MAAO5Z,GAAY,IAAA8Z,EAuBVC,EArBP,GADiB,QAAjBD,EAAA9e,KAAK6b,oBAAY,IAAAiD,GAAjBA,EAAmBjE,MAAM,wCACrB7V,aAAa+M,MAAO,KAAAiN,EAUlBC,EAJF,GALiB,QAAjBD,EAAAhf,KAAK6b,oBAAY,IAAAmD,GAAjBA,EAAmBlE,SAAS,iCAAD/V,OACUC,EAAEkO,SACnChE,GAIW,uBAAXlK,EAAElE,MACS,+BAAXkE,EAAElE,MACFkE,EAAEkO,QAAQgM,SAAS,sBAMnB,MAJiB,QAAjBD,EAAAjf,KAAK6b,oBAAY,IAAAoD,GAAjBA,EAAmBpE,MAAM,uDAErB3L,GAEE,IAAI+D,EAAAA,GACNF,EAAAA,GAGJ,MAAM,IAAIE,EAAAA,GAAWjO,EAAElE,KAAMkE,EAAEkO,QAEtC,CAKG,MAJiB,QAAjB6L,EAAA/e,KAAK6b,oBAAY,IAAAkD,GAAjBA,EAAmBjE,SAAS,iCAAD/V,OACUC,GACjCkK,GAEE,IAAI+D,EAAAA,GAAWD,EAAAA,EAE5B,C,CAOG,qBAAM0L,CACVS,GAEA,MAAMC,EAAsC,CACxCxY,SAAUuY,EAAWvY,SACrBC,eAAgBsY,EAAWtY,eAC3B3G,YAAaif,EAAWjf,YACxBD,cAAekf,EAAWlf,cAC1BS,MAAOye,EAAWze,MAClB6G,UAAW4X,EAAW5X,UACtBI,oBAAqBwX,EAAWxX,qBAG9BmV,EAAY9c,KAAKud,eACjB8B,EAAgBC,EAAAA,EAASC,WAAWJ,EAAW/W,QAE/CoX,EAA4C,GAClD1C,EAAU5V,YAAYwW,SAAShU,IAC3B,IACK1J,KAAKyf,4BAA4B/V,EAAK0V,GAAmB,GAE1D,OAGJ,MAAMM,EAAc1f,KAAK2f,yBAAyBjW,GAElD,GACIgW,GACA1f,KAAK4f,wBAAwBF,EAAaN,GAC5C,CACwBE,EAAAA,EAASC,WAAWG,EAAYtX,QACpCyX,sBAAsBR,IACpCG,EAAoB7B,KAAK3d,KAAK8f,kBAAkBpW,GAEvD,WAECqW,QAAQC,IAAIR,GAClBxf,KAAKigB,yBAAyBd,E,CAQlCjD,qBAAAA,CAAsBF,GAClB,MAAMkE,EAAiBlgB,KAAKmgB,iBACtBC,EAAoC,GAsF1C,OArFAF,EAAexC,SAAS2C,IAAY,IAAAC,EAChC,IAAKtgB,KAAKugB,aAAaF,EAAUrE,EAAc/b,eAE3C,OAGJ,MAAMkF,EAA+BnF,KAAKwgB,WACtCH,EACArgB,KAAK6b,cAKT,IAAK1W,EACD,OAGJ,GACM6W,EAAc/b,gBACfD,KAAKygB,mBAAmBtb,EAAQ6W,EAAc/b,eAE/C,OAGJ,GACM+b,EAAcrb,WACfX,KAAKie,cAAc9Y,EAAOxE,SAAUqb,EAAcrb,UAEnD,OAGJ,GACMqb,EAAc9b,cACfF,KAAK0gB,iBAAiBvb,EAAQ6W,EAAc9b,aAE7C,OAGJ,GACM8b,EAActb,QACfV,KAAK2gB,WAAWxb,EAAQ6W,EAActb,OAEvC,OAGJ,GACMsb,EAAcjb,kBACff,KAAK4gB,qBACFzb,EACA6W,EAAcjb,iBAGlB,OAGJ,GACMib,EAAchb,gBACfhB,KAAK6gB,mBAAmB1b,EAAQ6W,EAAchb,eAE/C,OAIJ,MAAM+b,EAA2C,CAC7Cnc,eAAgBob,aAAa,EAAbA,EAAepb,eAC/BE,KAAMkb,aAAa,EAAbA,EAAelb,MAGnB2c,EAA8C,QAAxB6C,EAAGnb,EAAOlE,sBAAc,IAAAqf,OAAA,EAArBA,EAAuBQ,QACjD1f,GACUpB,KAAKid,2BACR7b,EACA2b,KAKRU,GAA4D,IAAlCA,EAAuBpB,QAKrD+D,EAAiBzC,KAAKxY,EAAO,IAG1Bib,C,CAUXG,YAAAA,CACI7W,EACAzJ,EACAQ,GAEA,QAAIiJ,EAAIlI,MAAMpB,EAAAA,GAAWC,qBAAqBgc,OAAS,OAMnDpc,IACCyJ,EAAIpJ,cAAc4e,SAASjf,EAAcK,mBAK1CG,IAAaiJ,EAAIpJ,cAAc4e,SAASze,EAASH,gB,CAazDygB,eAAAA,CAAgBrX,GACZ,GAAIA,EAAIlI,MAAMpB,EAAAA,GAAWC,qBAAqBgc,OAAS,EAEnD,OAAO,EAGX,MAAM2E,EAAetX,EAAIpJ,cAEzB,IAES,IADL0gB,EAAapX,QAAQ9C,EAAAA,GAAeC,SAASzG,iBAGxC,IADL0gB,EAAapX,QAAQ9C,EAAAA,GAAeiB,aAAazH,iBAI1C,IAFP0gB,EAAapX,QACT9C,EAAAA,GAAeyB,8BAA8BjI,iBAG5C,IADL0gB,EAAapX,QAAQ9C,EAAAA,GAAeqC,cAAc7I,eAGlD,OAAO,EAGX,GACI0gB,EAAapX,QAAQ9C,EAAAA,GAAeqC,cAAc7I,gBACjD,EACH,CAEE,MAAM2gB,EAAqB,GAAHlc,OAAM+B,EAAAA,GAAeqC,eAAapE,OAAG3E,EAAAA,GAAWC,qBAAmB0E,OAAG/E,KAAK4G,UAAQ7B,OAAG3E,EAAAA,GAAWC,qBACnH6gB,EAAqB,GAAHnc,OAAM+B,EAAAA,GAAeqC,eAAapE,OAAG3E,EAAAA,GAAWC,qBAAmB0E,OAAGoc,EAAAA,IAAapc,OAAG3E,EAAAA,GAAWC,qBACzH,IACgE,IAA5D2gB,EAAapX,QAAQqX,EAAmB3gB,iBACoB,IAA5D0gB,EAAapX,QAAQsX,EAAmB5gB,eAExC,OAAO,CAEd,MAAM,IAA2D,IAAvD0gB,EAAapX,QAAQ5J,KAAK4G,SAAStG,eAE1C,OAAO,EAGX,OAAO,C,CASXsf,uBAAAA,CACIza,EACA2b,GAEA,GAAMA,EAAOla,WAAa5G,KAAKohB,cAAcjc,EAAQ2b,EAAOla,UACxD,OAAO,EAGX,GACMka,EAAOtZ,oBACRxH,KAAKqhB,uBAAuBlc,EAAQ2b,EAAOtZ,mBAE5C,OAAO,EAOX,GACoC,iBAAzBsZ,EAAO7gB,gBACbD,KAAKygB,mBAAmBtb,EAAQ2b,EAAO7gB,eAExC,OAAO,EAGX,GACM6gB,EAAO5gB,cACRF,KAAK0gB,iBAAiBvb,EAAQ2b,EAAO5gB,aAEtC,OAAO,EAGX,GAAM4gB,EAAOpgB,QAAUV,KAAK2gB,WAAWxb,EAAQ2b,EAAOpgB,OAClD,OAAO,EAGX,GACMogB,EAAOja,iBACR7G,KAAKshB,oBAAoBnc,EAAQ2b,EAAOja,gBAEzC,OAAO,EAGX,GAAMia,EAAO7X,WAAajJ,KAAKuhB,cAAcpc,EAAQ2b,EAAO7X,UACxD,OAAO,EAOX,GAAM6X,EAAO1Y,SAAWpI,KAAKwhB,YAAYrc,EAAQ2b,EAAO1Y,QACpD,OAAO,EAIX,IAAI0Y,EAAOnZ,qBAAuBxC,EAAOwC,sBAEjCxC,EAAOwC,sBAAwBmZ,EAAOnZ,oBACtC,OAAO,EAKf,GACIxC,EAAO0B,iBACPC,EAAAA,GAAeyB,8BACjB,CACE,GACMuY,EAAOvZ,YACRvH,KAAKyhB,eAAetc,EAAQ2b,EAAOvZ,WAEpC,OAAO,EAIX,GAAIuZ,EAAOvZ,YAAcc,EAAAA,GAAqBS,KACtCgY,EAAOrZ,QAAUzH,KAAK0hB,WAAWvc,EAAQ2b,EAAOrZ,OAChD,OAAO,CAGlB,CAED,OAAO,C,CAOXka,wBAAAA,CAAyBb,GACrB,MAAMc,EAAe5hB,KAAK6hB,UACpBC,EAAwC,CAAC,EAgC/C,OA9BAF,EAAalE,SAAS2C,IAElB,IAAKrgB,KAAK+hB,cAAc1B,GACpB,OAIJ,MAAMlb,EAASnF,KAAKgiB,eAAe3B,GAE9Blb,IAKC2b,EAAO5gB,cACRF,KAAK0gB,iBAAiBvb,EAAQ2b,EAAO5gB,cAMpC4gB,EAAOla,WACR5G,KAAKohB,cAAcjc,EAAQ2b,EAAOla,YAKvCkb,EAAoBzB,GAAYlb,GAAM,IAGnC2c,C,CAOXG,2BAAAA,CAA4BC,GACxB,MAAMN,EAAe5hB,KAAKmiB,2BAC1B,IAAIC,EAAgB,KAyBpB,OAvBAR,EAAalE,SAAS2C,IAElB,IACKrgB,KAAKqiB,oBAAoBhC,KACW,IAArCA,EAASzW,QAAQ5J,KAAK4G,UAEtB,OAIJ,MAAMzB,EAASnF,KAAKsiB,qBAAqBjC,GAEpClb,IAIiC,IAAlCA,EAAOmG,QAAQ1B,QAAQsY,KAI3BE,EAAgBjd,EAAM,IAGnBid,C,CAMX,uBAAMG,GACF,MAAMrC,EAAiBlgB,KAAKmgB,iBACtBqC,EAAwC,GAE9CtC,EAAexC,SAAS2C,IACpBmC,EAAgB7E,KAAK3d,KAAKyiB,cAAcpC,GAAU,UAGhDN,QAAQC,IAAIwC,E,CAOtB,mBAAMC,CAAcC,GAChB,MAAMrgB,EAAUrC,KAAKwgB,WAAWkC,EAAY1iB,KAAK6b,cAC5CxZ,UAGCrC,KAAK2iB,qBAAqBtgB,GAChCrC,KAAK4iB,WAAWF,G,CAOpB,0BAAMC,CAAqBtgB,GACvB,MAAMwgB,EAAe7iB,KAAKud,eACpBuF,EAAYzgB,EAAQtC,oBACpBgjB,EAA2C,GAEjDF,EAAalc,QAAQ+W,SAAShU,IACK,IAA3BA,EAAIE,QAAQkZ,IACZ9iB,KAAKgjB,cAActZ,EACtB,IAGLmZ,EAAa3b,YAAYwW,SAAShU,IACC,IAA3BA,EAAIE,QAAQkZ,IACZC,EAAmBpF,KAAK3d,KAAK8f,kBAAkBpW,GAClD,IAGLmZ,EAAa7Z,aAAa0U,SAAShU,IACA,IAA3BA,EAAIE,QAAQkZ,IACZ9iB,KAAKijB,mBAAmBvZ,EAC3B,UAGCqW,QAAQC,IAAI+C,E,CAWZG,2BAAAA,CACNR,EACA/F,EACA/X,GAGA,GAAI+X,GAAiBA,EAActb,iBAAkB,KAAA8hB,EAChC,QAAjBA,EAAAnjB,KAAK6b,oBAAY,IAAAsH,GAAjBA,EAAmBhI,QACf,uIAIJ,MAAMiI,EAAsBpjB,KAAKmgB,iBAAiBW,QAC7CpX,GACUA,EAAI2Z,WAAW1G,EAAc1c,iBAKtCqjB,EAAmC,GACzCF,EAAoB1F,SAAShU,IACzB,MAAMrH,EAAUrC,KAAKujB,uBAAuB7Z,GACxCrH,GACAihB,EAAgB3F,KAAKtb,EACxB,IAIL,MAAMmhB,EACFF,EAAgBG,MAAMphB,IACXqhB,EAAAA,EAAAA,IACHrhB,EAAQ3B,MACR2B,EAAQpC,kBAEVqjB,EAAgB,GAG1BE,EAAYviB,eAAiBqiB,EAAgBniB,KACxCkB,IACU,CACH5B,SAAU4B,EAAQ3B,MAClBE,eAAgByB,EAAQzB,eACxBE,KAAMuB,EAAQvB,KACd+c,cAAc6F,EAAAA,EAAAA,IACVrhB,EAAQ3B,MACR2B,EAAQpC,mBAMxB,MAAM0jB,EAAiBjI,EAAakI,SAAS,IAAI9jB,EAAAA,GAAegR,EAAAA,EAAAA,GAAA,GACzD0S,IAGDK,EAAgBF,EAAepjB,qBAYrC,OATA6iB,EAAoB1F,SAAShU,IACrBA,IAAQma,GACR7jB,KAAK8jB,sBAAsBpB,EAC9B,IAIL1iB,KAAKwe,WAAWmF,GAChB/e,SAAAA,EAAQuW,QAAQ,mDACTwI,CACV,CAGD,OAAOhH,C,CAOX,uBAAMmD,CAAkBpW,GACpB,MAAMyV,EAAanf,KAAK2f,yBAAyBjW,GACjD,GAAKyV,EAAL,CAKA,GACIA,EAAWtY,eAAevG,gBAC1BwG,EAAAA,GAAeyB,8BAA8BjI,eAEzC6e,EAAW5X,YAAcc,EAAAA,GAAqBG,IAAK,CACnD,MAEMI,EADFuW,EACwC1X,MAE5C,GAAImB,EACA,UACU5I,KAAK2b,WAAWxC,sBAAsBvQ,EAC/C,CAAC,MAAOiS,GACL,MAAM1X,EAAAA,EAAAA,IACFmS,EAAAA,GAEP,CAER,CAGL,OAAOtV,KAAK4iB,WAAWlZ,EAxBtB,C,CA8BLqa,iBAAAA,GAQI,OAPqB/jB,KAAK6hB,UACbnE,SAAS2C,IACdrgB,KAAK+hB,cAAc1B,IACnBrgB,KAAK4iB,WAAWvC,EACnB,KAGE,C,CAOX2D,oBAAAA,CAAqB3hB,GACjB,MAAMqgB,EACF5iB,EAAAA,EAAcU,wBAAwB6B,GAC1C,OAAOrC,KAAKwgB,WAAWkC,EAAY1iB,KAAK6b,a,CAW5CqB,UAAAA,CACI7a,EACAya,EACAmH,EACAtV,EACAO,GAEAlP,KAAK6b,aAAaP,MAAM,oCACxB,MAAM4I,EAAkC,CACpCjkB,cAAeoC,EAAQpC,cACvBC,YAAamC,EAAQnC,YACrB2G,eAAgBC,EAAAA,GAAeC,SAC/BH,SAAU5G,KAAK4G,SACflG,MAAOujB,GAGLE,EAAyCnkB,KAAKokB,oBAChDF,EACApH,GAGEuH,EAAcF,EAAWG,KAE/B,GAAID,EAAc,EAEd,OADArkB,KAAK6b,aAAaZ,KAAK,4CAChB,KACJ,GAAIoJ,EAAc,EAAG,CACxB,IAAIE,EAAgDJ,EAEpD,IAAKF,EAAa,CACd,MAAMO,EAA6C,IAAItjB,IAIvDijB,EAAWzG,SAAQ,CAAC/W,EAAS+C,KACrB/C,EAAQjG,QAAU2B,EAAQ5B,UAC1B+jB,EAAeC,IAAI/a,EAAK/C,EAC3B,IAEL,MAAM+d,EAAkBF,EAAeF,KACvC,GAAII,EAAkB,EAIlB,OAHA1kB,KAAK6b,aAAaZ,KACd,kIAEGkJ,EAAW3f,SAASmgB,OAAOC,MAC/B,GAAwB,IAApBF,EAIP,OAHA1kB,KAAK6b,aAAaZ,KACd,qGAEGuJ,EAAehgB,SAASmgB,OAAOC,MAGtCL,EAAoBC,CAE3B,CAcD,OAZAxkB,KAAK6b,aAAaZ,KACd,8EAEJsJ,EAAkB7G,SAAQ,CAAC/W,EAAS+C,KAChC1J,KAAKgjB,cAActZ,EAAI,IAEvBiF,GAAqBO,GACrBP,EAAkBkW,UACd,CAAEC,eAAgBX,EAAWG,MAC7BpV,GAGD,IACV,CAGD,OADAlP,KAAK6b,aAAaZ,KAAK,gDAChBkJ,EAAW3f,SAASmgB,OAAOC,K,CAQtCR,mBAAAA,CACItD,EACAhE,GAEA,MAAMiI,EACDjI,GAAaA,EAAUnW,SAAY3G,KAAKud,eAAe5W,QAEtDqe,EAAuC,IAAI9jB,IAmBjD,OAfA6jB,EAAYrH,SAAShU,IACjB,IACK1J,KAAKilB,wBAAwBvb,GAAGoH,EAAAA,EAAAA,GAAA,CAC7BlK,SAAU5G,KAAK4G,UACZka,IAGP,OAEJ,MAAMna,EAAU3G,KAAKklB,qBAAqBxb,GACtC/C,GAAW3G,KAAK4f,wBAAwBjZ,EAASma,IACjDkE,EAASP,IAAI/a,EAAK/C,EACrB,IAGEqe,C,CASXC,uBAAAA,CACIE,EACArE,GAEA,MAAMpX,EAAMyb,EAAS7kB,cACrB,QACIwgB,EAAOla,WACyC,IAAhD8C,EAAIE,QAAQkX,EAAOla,SAAStG,mBAM5BwgB,EAAO7gB,gBAC8C,IAArDyJ,EAAIE,QAAQkX,EAAO7gB,cAAcK,e,CAYzC0iB,aAAAA,CAActZ,GACV1J,KAAK4iB,WAAWlZ,E,CAOpBuZ,kBAAAA,CAAmBvZ,GACf1J,KAAK4iB,WAAWlZ,E,CAWpB0b,cAAAA,CACI/iB,EACAwM,EACAiO,EACAmH,EACAtV,EACAO,GAEAlP,KAAK6b,aAAaP,MAAM,wCACxB,MAAMnU,EAASmY,EAAAA,EAAS+F,mBAAmBxW,EAAQ1H,QAC7Cme,EACFzW,EAAQ0W,sBAAwBld,EAAAA,GAAqBC,OAKnDzB,EACFye,GACAA,EAAWhlB,gBACP+H,EAAAA,GAAqBC,OAAOhI,cAC1BwG,EAAAA,GAAeyB,8BACfzB,EAAAA,GAAeiB,aAEnBqX,EAAsC,CACxCnf,cAAeoC,EAAQpC,cACvBC,YAAamC,EAAQnC,YACrB2G,eAAgBA,EAChBD,SAAU5G,KAAK4G,SACflG,MAAOujB,GAAe5hB,EAAQ5B,SAC9B2H,OAAQjB,EACRI,UAAW+d,EACX7d,MAAOoH,EAAQ2W,OACf7d,oBAAqBkH,EAAQlH,qBAG3B8d,EACD3I,GAAaA,EAAU5V,aACxBlH,KAAKud,eAAerW,YAClBwe,EAAoC,GAE1CD,EAAgB/H,SAAShU,IAErB,GACI1J,KAAKyf,4BAA4B/V,EAAK0V,GAAmB,GAC3D,CACE,MAAMlY,EAAclH,KAAK2f,yBAAyBjW,GAI9CxC,GACAlH,KAAK4f,wBAAwB1Y,EAAakY,IAE1CsG,EAAa/H,KAAKzW,EAEzB,KAGL,MAAMye,EAAkBD,EAAarJ,OACrC,OAAIsJ,EAAkB,GAClB3lB,KAAK6b,aAAaZ,KACd,gDAEG,MACA0K,EAAkB,GACzB3lB,KAAK6b,aAAaZ,KACd,6EAEJyK,EAAahI,SAASxW,IACblH,KAAK8f,mBAAkB1Z,EAAAA,EAAAA,uBAAsBc,GAAa,IAE/DyH,GAAqBO,GACrBP,EAAkBkW,UACd,CAAEe,eAAgBF,EAAarJ,QAC/BnN,GAGD,OAGXlP,KAAK6b,aAAaZ,KACd,wDAEGyK,EAAa,G,CAUxBjG,2BAAAA,CACI0F,EACArE,EACA+E,GAEA,MAAMnc,EAAMyb,EAAS7kB,cACrB,GACIwgB,EAAOla,WACyC,IAAhD8C,EAAIE,QAAQkX,EAAOla,SAAStG,eAE5B,OAAO,EAGX,GACIwgB,EAAO7gB,gBAC8C,IAArDyJ,EAAIE,QAAQkX,EAAO7gB,cAAcK,eAEjC,OAAO,EAGX,GAAIwgB,EAAOpgB,QAAsD,IAA7CgJ,EAAIE,QAAQkX,EAAOpgB,MAAMJ,eACzC,OAAO,EAGX,GACIwgB,EAAOnZ,sBACoD,IAA3D+B,EAAIE,QAAQkX,EAAOnZ,oBAAoBrH,eAEvC,OAAO,EAGX,GAAIwgB,EAAO1Y,OAAQ,CACf,MAAMjB,EAAS2Z,EAAO1Y,OAAO0d,UAC7B,IAAK,IAAIC,EAAI,EAAGA,EAAI5e,EAAOkV,OAAQ0J,IAAK,CACpC,GACIF,IACCnc,EAAIwV,SAAS/X,EAAO4e,GAAGzlB,eAGxB,OAAO,EACJ,IACFulB,GACDnc,EAAIwV,SAAS/X,EAAO4e,GAAGzlB,eAGvB,OAAO,CAEd,CACJ,CAED,OAAO,C,CAQX0lB,uBAAAA,CAAwBlF,GACpB,MAAMhE,EAAY9c,KAAKud,eAEjBmI,EAAoC,GAe1C,OAdA5I,EAAU5V,YAAYwW,SAAShU,IAC3B,IAAK1J,KAAKyf,4BAA4B/V,EAAKoX,GAAQ,GAC/C,OAGJ,MAAM5Z,EAAclH,KAAK2f,yBAAyBjW,GAE9CxC,GACAlH,KAAK4f,wBAAwB1Y,EAAa4Z,IAE1C4E,EAAa/H,KAAKzW,EACrB,IAGEwe,C,CAWXO,eAAAA,CACI5jB,EACA6jB,EACApJ,EACAnO,EACAO,GAEAlP,KAAK6b,aAAaP,MAAM,yCACxB,MAAM6K,EAAKD,EAAW/E,EAAAA,QAAgBzQ,EAChC0V,EAAuC,CACzCnmB,cAAeoC,EAAQpC,cACvBC,YAAamC,EAAQnC,YACrB2G,eAAgBC,EAAAA,GAAeqC,cAC/BvC,SAAU5G,KAAK4G,SACfqC,SAAUkd,GAGRE,EACDvJ,GAAaA,EAAU9T,cACxBhJ,KAAKud,eAAevU,aAClBsd,EAAsC,GAE5CD,EAAiB3I,SAAShU,IAEtB,GAAI1J,KAAKumB,6BAA6B7c,EAAK0c,GAAqB,CAC5D,MAAMpd,EAAehJ,KAAKwmB,0BAA0B9c,GAGhDV,GACAhJ,KAAK4f,wBACD5W,EACAod,IAGJE,EAAc3I,KAAK3U,EAE1B,KAGL,MAAMyd,EAAmBH,EAAcjK,OACvC,OAAIoK,EAAmB,GACnBzmB,KAAK6b,aAAaZ,KACd,0DAEG,OAIPwL,EAAmB,GAAK9X,GAAqBO,GAC7CP,EAAkBkW,UACd,CAAE6B,eAAgBD,GAClBvX,GAIRlP,KAAK6b,aAAaZ,KACd,0DAEGqL,EAAc,G,CAQzBC,4BAAAA,CACIpB,EACArE,GAEA,MAAMpX,EAAMyb,EAAS7kB,cACrB,QACIwgB,EAAO7X,WACyC,IAAhDS,EAAIE,QAAQkX,EAAO7X,SAAS3I,qBAO3BwgB,EAAO7X,UACR6X,EAAOla,WACyC,IAAhD8C,EAAIE,QAAQkX,EAAOla,SAAStG,mBAM5BwgB,EAAO7gB,gBAC8C,IAArDyJ,EAAIE,QAAQkX,EAAO7gB,cAAcK,gB,CAWzCqmB,wBAAAA,CAAyBzmB,GACrB,MAAM0mB,EAAuC,CACzC1mB,cACA0G,SAAU5G,KAAK4G,UAGbgY,EACF5e,KAAK2hB,yBAAyBiF,GAC5BC,EAA0CzU,OAAO0U,KACnDlI,GACFzd,KAAKuI,GAAQkV,EAAYlV,KAErBqd,EAAiBF,EAAmBxK,OAC1C,GAAI0K,EAAiB,EACjB,OAAO,KACJ,GAAIA,EAAiB,EACxB,MAAM5jB,EAAAA,EAAAA,IACFiR,EAAAA,IAIR,OAAOyS,EAAmB,E,CAQ9BG,iBAAAA,CAAkB9mB,GACd,MAAM0e,EAAc5e,KAAK2mB,yBAAyBzmB,GAClD,SAAU0e,GAAeA,EAAY3V,WAAakY,EAAAA,G,CAQ9CV,kBAAAA,CACJtb,EACAlF,GAEA,QACoC,iBAAzBkF,EAAOlF,eACdA,IAAkBkF,EAAOlF,c,CAUzB6d,kCAAAA,CACJrV,EACA7H,GAGA,OAAOA,KADuB6H,EAAYhF,KAAOgF,EAAY/E,I,CAIzDka,oCAAAA,CACJxc,EACAR,GAEA,OAAOQ,EAAcR,iBAAmBA,C,CASpCsd,SAAAA,CAAUhO,EAAqBpP,GAAY,IAAAmmB,EAC/C,QAAUnmB,EAAKR,iBAA6B,QAAhB2mB,EAAK/W,EAAOpP,YAAI,IAAAmmB,OAAA,EAAXA,EAAa3mB,e,CAS1C2d,aAAAA,CACJiJ,EACAC,GAEA,SACID,GAC0B,iBAAnBA,IACPC,aAAc,EAAdA,EAAgB7mB,iBAAkB4mB,EAAe5mB,c,CASjD+gB,sBAAAA,CACJlc,EACAqC,GAEA,SACIrC,EAAOqC,mBACPA,IAAsBrC,EAAOqC,kB,CAS7BkZ,gBAAAA,CACJvb,EACAjF,GAGA,GAAIF,KAAK4b,uBAAwB,CAC7B,MAAMwL,GAAgBC,EAAAA,EAAAA,IAClBrnB,KAAK4b,uBACL5b,KAAK6b,cAET,GACIuL,EAAclI,SAAShf,IACvBknB,EAAclI,SAAS/Z,EAAOjF,aAE9B,OAAO,CAEd,CAGD,MAAMonB,EAAgBtnB,KAAKiiB,4BAA4B/hB,GACvD,SACIonB,GACAA,EAAchc,QAAQ1B,QAAQzE,EAAOjF,cAAgB,E,CAYrDohB,mBAAAA,CACJnc,EACA0B,GAEA,OACI1B,EAAO0B,gBACPA,EAAevG,gBAAkB6E,EAAO0B,eAAevG,a,CASvD8gB,aAAAA,CACJjc,EACAyB,GAEA,SAAUzB,EAAOyB,UAAYA,IAAazB,EAAOyB,S,CAQ7C2a,aAAAA,CACJpc,EACA8D,GAEA,SAAU9D,EAAO8D,UAAYA,IAAa9D,EAAO8D,S,CAQ7C0X,UAAAA,CACJxb,EACAzE,GAAa,IAAA6mB,EAEb,SAAsB,QAAZA,EAAApiB,EAAOzE,aAAK,IAAA6mB,OAAA,EAAZA,EAAcjnB,iBAAkBI,EAAMJ,c,CAS5CsgB,oBAAAA,CACJzb,EACApE,GAEA,SACIoE,EAAOpE,iBAAmBA,IAAoBoE,EAAOpE,gB,CAarDid,6BAAAA,CACJvV,EACAsV,GAEA,OAAItV,EAAY+e,aAAezJ,IAI3BtV,EAAY7E,qBAAuBma,GAInCtV,EAAY5E,MAAQka,E,CAapBK,QAAAA,CAAS7a,EAA4B4a,GACzC,OAAO5a,EAAc4a,MAAQA,C,CAGzB0C,kBAAAA,CACJ1b,EACAnE,GAEA,SACImE,EAAOnE,eACPA,EAAcV,gBAAkB6E,EAAOnE,cAAcV,c,CASrDkhB,WAAAA,CAAYrc,EAA0BiD,GAM1C,GAJIjD,EAAO0B,iBAAmBC,EAAAA,GAAeiB,cACzC5C,EAAO0B,iBACHC,EAAAA,GAAeyB,gCAEYpD,EAAOiD,OACtC,OAAO,EAKX,OAFiCkX,EAAAA,EAASC,WAAWpa,EAAOiD,QAEtCqf,iBAAiBrf,E,CAQnCqZ,cAAAA,CACJtc,EACAoC,GAEA,SAAUpC,EAAOoC,WAAapC,EAAOoC,YAAcA,E,CAQ/Cma,UAAAA,CAAWvc,EAA0BsC,GACzC,SAAUtC,EAAOsC,OAAStC,EAAOsC,QAAUA,E,CAOvCsa,aAAAA,CAAcrY,GAClB,OAAsC,IAA/BA,EAAIE,QAAQS,EAAAA,G,CAObgY,mBAAAA,CAAoB3Y,GAC1B,OAAgE,IAAzDA,EAAIE,QAAQY,EAAAA,GAA6BV,U,CAMpD4d,iCAAAA,CAAkC/lB,GAC9B,MAAO,GAAPoD,OAAUyF,EAAAA,GAA6BV,UAAS,KAAA/E,OAAI/E,KAAK4G,SAAQ,KAAA7B,OAAIpD,E,CAQzE,eAAOiiB,CAAY+D,EAAQC,GACvB,IAAK,MAAMC,KAAgBD,EACvBD,EAAIE,GAAgBD,EAAKC,GAE7B,OAAOF,C,EAKT,MAAOG,UAA4BpM,EACrC8C,UAAAA,GACI,MAAMrb,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC4K,UAAAA,GACI,MAAMrd,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC2N,sBAAAA,GACI,MAAMpgB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC6I,oBAAAA,GACI,MAAMtb,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCsP,oBAAAA,GACI,MAAM/hB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCqK,wBAAAA,GACI,MAAM9c,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC+J,wBAAAA,GACI,MAAMxc,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC+I,yBAAAA,GACI,MAAMxb,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC4Q,yBAAAA,GACI,MAAMrjB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCiJ,cAAAA,GACI,MAAM1b,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCoM,cAAAA,GACI,MAAM7e,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCmS,kBAAAA,GACI,MAAM5kB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCoS,kBAAAA,GACI,MAAM7kB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCqS,oBAAAA,GACI,MAAM9kB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC0M,oBAAAA,GACI,MAAMnf,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCuM,wBAAAA,GACI,MAAMhf,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCsS,kBAAAA,GACI,MAAM/kB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCuS,kBAAAA,GACI,MAAMhlB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCgN,UAAAA,GACI,MAAMzf,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCiM,OAAAA,GACI,MAAM1e,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCuK,cAAAA,GACI,MAAMhd,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhC2H,YAAAA,GACI,MAAMpa,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCwS,wBAAAA,GACI,MAAMjlB,EAAAA,EAAAA,IAAsByS,EAAAA,G,CAEhCkO,qBAAAA,GACI,MAAM3gB,EAAAA,EAAAA,IAAsByS,EAAAA,G,kBChzDvB,MAAAyS,EAAkD,CAC3DC,0BAA2BC,EAAAA,GAC3BC,sBAAsB,GAGpBC,EAAyD,CAC3DzO,eAAgBA,OAGhBE,mBAAmB,EACnBC,SAAUb,EAASM,KACnB1K,cAAeqD,EAAAA,GAAUC,cAGvBkW,EAAgD,CAClDC,2BAA2B,GAGzBC,EAAiD,CACnD,yBAAMC,GACF,MAAM1lB,EAAAA,EAAAA,IAAsByS,EAAAA,G,EAEhC,0BAAMkT,GACF,MAAM3lB,EAAAA,EAAAA,IAAsByS,EAAAA,G,GAI9BmT,EAAoC,CACtCC,IAAKzW,EAAAA,GAAU0W,IACfnN,QAASA,EAAAA,EACToN,IAAK3W,EAAAA,GAAUC,aACf2W,GAAI5W,EAAAA,GAAUC,cAGZ4W,EAAgD,CAClDC,aAAc9W,EAAAA,GAAUC,aACxB8W,qBAAiB5Y,GAGf6Y,EAAiD,CACnDC,mBAAoBC,EAAAA,EAAmBC,KACvCC,OAAQ,GAAF5kB,OAAKwN,EAAAA,GAAUqX,wBAGnBC,EAAwD,CAC1DC,YAAa,CACTC,QAAS,GACTC,WAAY,KAyEd,SAAUC,EAAmBC,GAC/B,OACIA,EAAOC,YAAYxoB,UAAU2Y,QAAQ3X,eAAiBC,EAAAA,EAAawnB,IAE3E,C,kFC/QaC,EAKT,mCAAOC,CAA6BC,GAChC,MAAO,GAAPxlB,OAAUkF,EAAAA,GAAoBC,kBAAiB,KAAAnF,OAAI0K,KAAKC,UACpD6a,G,CASR,iBAAOC,CACHC,EACAF,GAEA,MAAM7gB,EAAM2gB,EAAgBC,6BAA6BC,GACnD3F,EAAQ6F,EAAatC,mBAAmBze,GAE9C,GAAIkb,EAAO,KAAA8F,EACP,GAAI9F,EAAM+F,aAAenQ,KAAKoQ,MAE1B,YADAH,EAAa7H,WAAWlZ,GAG5B,MAAM,IAAIoP,EAAAA,GACU,QAAhB4R,EAAA9F,EAAMiG,kBAAU,IAAAH,OAAA,EAAhBA,EAAkBvqB,KAAK,OAAQoS,EAAAA,GAAUC,aACzCoS,EAAM3S,aACN2S,EAAMnS,SAEb,C,CASL,kBAAOqY,CACHL,EACAF,EACAQ,GAEA,GACIV,EAAgBW,oBAAoBD,IACpCV,EAAgBY,2BAA2BF,GAC7C,CACE,MAAMG,EAAoC,CACtCP,aAAcN,EAAgBc,sBAC1BC,SAASL,EAASM,QAAQC,EAAAA,GAAYC,eAE1C1Q,MAAOkQ,EAASS,KAAK3Q,MACrBgQ,WAAYE,EAASS,KAAKC,YAC1BxZ,aAAc8Y,EAASS,KAAKE,kBAC5BjZ,SAAUsY,EAASS,KAAKtZ,UAE5BuY,EAAavC,mBACTmC,EAAgBC,6BAA6BC,GAC7CW,EAEP,C,CAOL,0BAAOF,CACHD,GAEA,OACwB,MAApBA,EAAShS,QACRgS,EAAShS,QAAU,KAAOgS,EAAShS,OAAS,G,CAQrD,iCAAOkS,CACHF,GAEA,QAAIA,EAASM,UAELN,EAASM,QAAQjmB,eAAekmB,EAAAA,GAAYC,eAC3CR,EAAShS,OAAS,KAAOgS,EAAShS,QAAU,K,CAUzD,4BAAOoS,CAAsBR,GACzB,MAAMgB,EAAOhB,GAAgB,EAAI,EAAIA,EAE/BiB,EAAiBpR,KAAKoQ,MAAQ,IACpC,OAAOiB,KAAKC,MAMJ,IALJD,KAAKE,IACDH,GACKD,GAAQ1hB,EAAAA,GAAoB+hB,+BACjCJ,EACI3hB,EAAAA,GAAoBgiB,mC,CAKpC,qBAAOC,CACHzB,EACA7jB,EACAiI,EACAsd,GAEA,MAAM5B,EAAgC,CAClC3jB,SAAUA,EACVjF,UAAWkN,EAAQlN,UACnBwF,OAAQ0H,EAAQ1H,OAChBglB,sBAAuBA,EACvBjc,OAAQrB,EAAQqB,OAChBqV,qBAAsB1W,EAAQ0W,qBAC9BpV,sBAAuBtB,EAAQsB,sBAC/BC,mBAAoBvB,EAAQuB,mBAC5BC,UAAWxB,EAAQwB,UACnBmV,OAAQ3W,EAAQ2W,QAGd9b,EAAM1J,KAAKsqB,6BAA6BC,GAC9CE,EAAa7H,WAAWlZ,E,kBC/I1B,MAAO0iB,UAAqBta,EAAAA,GAK9B/L,WAAAA,CACI8U,EACAwR,EACAC,GAEAna,MAAM0I,EAAM7I,UAAW6I,EAAM5I,aAAc4I,EAAMpI,UAEjDL,OAAOC,eAAerS,KAAMosB,EAAa9Z,WACzCtS,KAAKc,KAAO,eACZd,KAAK6a,MAAQA,EACb7a,KAAKqsB,WAAaA,EAClBrsB,KAAKssB,gBAAkBA,C,WAWfC,EACZ1R,EACAwR,EACAC,GAEA,OAAO,IAAIF,EAAavR,EAAOwR,EAAYC,EAC/C,C,sBCCsBE,EAyBlBzmB,WAAAA,CACI0mB,EACA9d,GAGA3O,KAAKkqB,OHsJP,SAAkC9f,GAclB,IAblB+f,YAAauC,EACbC,cAAeC,EACfpT,cAAeqT,EACfC,aAAcC,EACdC,iBAAkBC,EAClBC,iBAAkBC,EAClBC,gBAAiBC,EACjBC,kBAAmBA,EACnBC,YAAaA,EACbC,UAAWA,EACXC,uBAAwBA,EACxBC,kBAAmBA,EACnBC,kBAAmBA,GACDvjB,EAClB,MAAMoP,GAAa1I,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GACZ2X,GACAoE,GAGP,MAAO,CACH1C,aA2BkBA,EA3BYuC,GA4BlC5b,EAAAA,EAAAA,GAAA,CACI8c,mBAAoB,GACpBC,kBAAmBtE,EACnBuE,4BAA4B,EAC5BC,eAAe,GACZ5D,IAhCHwC,eAAa7b,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GAAOuX,GAA2BuE,GAC/CpT,cAAeA,EACfsT,cAAYhc,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GAAO4X,GAA0BqE,GAC7CC,iBACIC,GACA,IAAInF,EACA4E,EAAgB9lB,SAChBoS,EACA,IAAIO,EAAOC,IAEnB0T,iBACIC,GAAyBvE,EAC7BwE,gBAAiBC,GAAwBrU,EACzCsU,kBAAmBA,GAAqBlE,EACxCmE,aAAWzc,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GAAOiY,GAAyBwE,GAC3CC,WAAS1c,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GAAO+Y,GAA8B2D,GAC9CC,uBAAwBA,GAA0B,KAClDC,kBAAmBA,GAAqB,KACxCC,kBAAmBA,GAAqB,MAQhD,IAA0BxD,CAN1B,CGhMsB6D,CAAyBvB,GAGvCzsB,KAAK4E,OAAS,IAAI2U,EAAOvZ,KAAKkqB,OAAO1Q,cAAe1Y,EAAAA,EAAMgb,EAAAA,GAG1D9b,KAAK0O,YAAc1O,KAAKkqB,OAAOkD,gBAG/BptB,KAAKyqB,aAAezqB,KAAKkqB,OAAO8C,iBAGhChtB,KAAKiuB,cAAgBjuB,KAAKkqB,OAAOgD,iBAGjCltB,KAAKytB,uBAAyBztB,KAAKkqB,OAAOuD,uBAG1CztB,KAAK2B,UAAY3B,KAAKkqB,OAAOC,YAAYxoB,UAGzC3B,KAAK2O,kBAAoBA,C,CAMnBuf,yBAAAA,CACNC,GAEA,MAAM9C,EAAkC,CAAC,EAEzC,GADAA,EAAQC,EAAAA,GAAY8C,cAAgB7b,EAAAA,GAAU8b,uBACzCruB,KAAKkqB,OAAOyC,cAAcnE,sBAAwB2F,EACnD,OAAQA,EAAQG,MACZ,KAAKC,EAAAA,EAAkBC,gBACnB,IACI,MAAMlsB,GAAamsB,EAAAA,EAAAA,GACfN,EAAQhP,YAEZkM,EACIC,EAAAA,GAAYoD,YACZ,OAAH3pB,OAAUzC,EAAWkB,IAAG,KAAAuB,OAAIzC,EAAWe,KAC3C,CAAC,MAAO2B,GACLhF,KAAK4E,OAAOuW,QACR,mDACInW,EAEX,CACD,MACJ,KAAKupB,EAAAA,EAAkBI,IACnBtD,EACIC,EAAAA,GAAYoD,YACZ,QAAH3pB,OAAWopB,EAAQhP,YAIhC,OAAOkM,C,CAUD,gCAAMuD,CACZC,EACAC,EACAzD,EACAd,EACArb,EACA6f,GAEiB,IAAAjgB,EAAbigB,IACsB,QAAtBjgB,EAAA9O,KAAK2O,yBAAiB,IAAAG,GAAtBA,EAAwBC,oBACpBggB,EACA7f,IAIR,MAAM6b,QACI/qB,KAAKgvB,gBACPzE,EACAsE,EACA,CAAErD,KAAMsD,EAAazD,QAASA,GAC9Bnc,GAYR,OARIlP,KAAKkqB,OAAOuD,wBACZ1C,EAAShS,OAAS,KACE,MAApBgS,EAAShS,QAGT/Y,KAAKkqB,OAAOuD,uBAAuBwB,sBAGhClE,C,CAUX,qBAAMiE,CACFzE,EACAsE,EACAvU,EACApL,GAIA,IAAI6b,EAFJV,EAAgBG,WAAWxqB,KAAKyqB,aAAcF,GAG9C,IAAI,IAAA5a,EAAAuf,EACAnE,QAAiB3b,EAAAA,EAAAA,GACbpP,KAAKiuB,cAAcnF,qBAAqBxZ,KACpCtP,KAAKiuB,eAETjf,EAAAA,GAAkBmgB,kCAClBnvB,KAAK4E,OACL5E,KAAK2O,kBACLO,EAPaE,CAQfyf,EAAevU,GACjB,MAAMgS,EAAkBvB,EAASM,SAAW,CAAC,EACvB,QAAtB1b,EAAA3P,KAAK2O,yBAAiB,IAAAgB,GAAtBA,EAAwBkV,UACpB,CACIuK,kBAA6C,QAA3BF,EAAAnE,EAASS,KAAK6D,qBAAa,IAAAH,OAAA,EAA3BA,EAA6B7S,SAAU,EACzDiT,aACIhD,EAAgBhB,EAAAA,GAAYiE,oBAAsB,GACtDC,UACIlD,EAAgBhB,EAAAA,GAAYmE,kBAAoB,IAExDvgB,EAEP,CAAC,MAAOlK,GACL,GAAIA,aAAaonB,EAAc,CAC3B,MAAME,EAAkBtnB,EAAEsnB,gBACL,IAAAoD,EAArB,GAAIpD,EACsB,QAAtBoD,EAAA1vB,KAAK2O,yBAAiB,IAAA+gB,GAAtBA,EAAwB7K,UACpB,CACIyK,aACIhD,EACIhB,EAAAA,GAAYiE,oBACX,GACTC,UACIlD,EAAgBhB,EAAAA,GAAYmE,kBAC5B,GACJE,kBACIrD,EAAgBhB,EAAAA,GAAY8C,oBAC5B1d,EACJkf,oBACItD,EAAgBhB,EAAAA,GAAYuE,sBAC5Bnf,EACJ2b,WAAYrnB,EAAEqnB,YAElBnd,GAGR,MAAMlK,EAAE6V,KACX,CACD,MAAI7V,aAAa8M,EAAAA,GACP9M,GAEA7B,EAAAA,EAAAA,IAAsBsQ,EAAAA,GAEnC,CAID,OAFA4W,EAAgBS,YAAY9qB,KAAKyqB,aAAcF,EAAYQ,GAEpDA,C,CAOX,qBAAM+E,CACFC,EACA7gB,GAAqB,IAAA8gB,EAEC,QAAtBA,EAAAhwB,KAAK2O,yBAAiB,IAAAqhB,GAAtBA,EAAwBjhB,oBACpBC,EAAAA,GAAkBihB,6BAClB/gB,GAEJ,MAAMghB,EAA4B,WAAHnrB,OAAcgrB,EAAqB,KAAAhrB,OAAI/E,KAAK2B,UAAUgoB,OAAM,KACrFwG,QAA+BC,EAAAA,EAAAA,GACjCF,EACAlwB,KAAKiuB,cACLjuB,KAAKyqB,aACLzqB,KAAK2B,UAAU2Y,QACfta,KAAK4E,OACLsK,EACAlP,KAAK2O,mBAET3O,KAAK2B,UAAYwuB,C,CAOrBE,0BAAAA,CAA2BxhB,GACvB,MAAMyhB,EAAmB,IAAIC,EAAAA,EACzB1hB,EAAQK,cACRlP,KAAK2O,mBAkBT,OAfIE,EAAQ2hB,kBACRF,EAAiBG,oBAAoB,CACjCC,eAAgB1wB,KAAKkqB,OAAOC,YAAYvjB,SACxC+pB,kBAAmB3wB,KAAKkqB,OAAOC,YAAYyG,cAI/C/hB,EAAQgiB,sBACRP,EAAiBQ,wBACbjiB,EAAQgiB,sBAIhBP,EAAiBS,iBAAiBliB,EAAQK,eAEnCohB,EAAiBU,mB,6HCjP1B,MAAOC,WAAgCzE,EAKzCzmB,WAAAA,CACI0mB,EACA9d,GAAsC,IAAAuiB,EAEtC/e,MAAMsa,EAAe9d,GAPf,KAAkBwiB,oBAAY,EAQpCnxB,KAAKoxB,kBACoD,QADnCF,EAClBlxB,KAAKkqB,OAAOC,YAAYxoB,UAAU2Y,QAAQ+W,mBAAW,IAAAH,OAAA,EAArDA,EAAuDI,a,CAa/D,oBAAMC,CACF1iB,GAAsC,IAAAC,EAEhB,QAAtBA,EAAA9O,KAAK2O,yBAAiB,IAAAG,GAAtBA,EAAwBC,oBACpBC,EAAAA,GAAkBwiB,eAClB3iB,EAAQK,eAGZ,MAAM4f,QAAoB1f,EAAAA,EAAAA,GACtBpP,KAAKyxB,6BAA6BniB,KAAKtP,MACvCgP,EAAAA,GAAkB0iB,4BAClB1xB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALcE,CAMxBP,GAEF,OAAO4B,EAAAA,EAAUkhB,kBACb3xB,KAAK2B,UAAUiwB,sBACf9C,E,CASR,kBAAM+C,CACFhjB,EACAijB,GAA0C,IAAAniB,EAAAoiB,EAO1C,GALsB,QAAtBpiB,EAAA3P,KAAK2O,yBAAiB,IAAAgB,GAAtBA,EAAwBZ,oBACpBC,EAAAA,GAAkBgjB,uBAClBnjB,EAAQK,gBAGPL,EAAQ+D,KACT,MAAMzP,EAAAA,EAAAA,IACFkR,EAAAA,IAIR,MAAM4d,GAAehqB,EAAAA,EAAAA,cACf8iB,QAAiB3b,EAAAA,EAAAA,GACnBpP,KAAKkyB,oBAAoB5iB,KAAKtP,MAC9BgP,EAAAA,GAAkBmjB,8BAClBnyB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALWE,CAMrBpP,KAAK2B,UAAWkN,GAGZ2gB,EAA4B,QAAnBuC,EAAGhH,EAASM,eAAO,IAAA0G,OAAA,EAAhBA,EAAmBzG,EAAAA,GAAYmE,iBAE3C2C,EAAkB,IAAIC,EAAAA,EACxBryB,KAAKkqB,OAAOC,YAAYvjB,SACxB5G,KAAKyqB,aACLzqB,KAAK0O,YACL1O,KAAK4E,OACL5E,KAAKkqB,OAAOyD,kBACZ3tB,KAAKkqB,OAAOwD,kBACZ1tB,KAAK2O,mBAMT,OAFAyjB,EAAgBE,sBAAsBvH,EAASS,OAExCpc,EAAAA,EAAAA,GACHgjB,EAAgBG,0BAA0BjjB,KAAK8iB,GAC/CpjB,EAAAA,GAAkBwjB,0BAClBxyB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAOH2b,EAASS,KACTxrB,KAAK2B,UACLswB,EACApjB,EACAijB,OACAphB,OACAA,OACAA,EACA8e,E,CASRiD,sBAAAA,CACIC,EACAC,GAmBA,GAhBwB,IAAIN,EAAAA,EACxBryB,KAAKkqB,OAAOC,YAAYvjB,SACxB5G,KAAKyqB,aACLzqB,KAAK0O,YACL1O,KAAK4E,OACL,KACA,MAIYguB,wCACZF,EACAC,IAICD,EAAa9f,KACd,MAAMzP,EAAAA,EAAAA,IACFkS,EAAAA,IAIR,OAAOqd,C,CAQXG,YAAAA,CAAaC,GAET,IAAKA,EACD,MAAMvb,EAAAA,EAAAA,IACFd,EAAAA,IAGR,MAAMqY,EAAc9uB,KAAK+yB,2BAA2BD,GAGpD,OAAOriB,EAAAA,EAAUkhB,kBACb3xB,KAAK2B,UAAUqxB,mBACflE,E,CASA,yBAAMoD,CACVvwB,EACAkN,GAAuC,IAAA6gB,EAAAuD,EAEjB,QAAtBvD,EAAA1vB,KAAK2O,yBAAiB,IAAA+gB,GAAtBA,EAAwB3gB,oBACpBC,EAAAA,GAAkBmjB,8BAClBtjB,EAAQK,eAGZ,MAAMgkB,EAAwBlzB,KAAKqwB,2BAA2BxhB,GACxDskB,EAAW1iB,EAAAA,EAAUkhB,kBACvBhwB,EAAUktB,cACVqE,GAGEE,QAAoBhkB,EAAAA,EAAAA,GACtBpP,KAAKqzB,uBAAuB/jB,KAAKtP,MACjCgP,EAAAA,GAAkBskB,iCAClBtzB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALcE,CAMxBP,GAEF,IAAI0kB,EACJ,GAAI1kB,EAAQvM,WACR,IACI,MAAMA,GAAaU,EAAAA,EAAAA,GACf6L,EAAQvM,WACRtC,KAAK0O,YAAY9M,cAErB2xB,EAAgB,CACZpU,WAAY,GAAFpa,OAAKzC,EAAWkB,KAAGuB,OAAG3E,EAAAA,GAAWozB,uBAAqBzuB,OAAGzC,EAAWe,MAC9EirB,KAAMC,EAAAA,EAAkBC,gBAE/B,CAAC,MAAOxpB,GACLhF,KAAK4E,OAAOuW,QACR,+CAAiDnW,EAExD,CAEL,MAAMqmB,EAAkCrrB,KAAKkuB,0BACzCqF,GAAiB1kB,EAAQ0kB,eAGvBhJ,EAAgC,CAClC3jB,UAC+B,QAA3BqsB,EAAApkB,EAAQ4kB,2BAAmB,IAAAR,OAAA,EAA3BA,EAA6BrsB,WAC7B5G,KAAKkqB,OAAOC,YAAYvjB,SAC5BjF,UAAWA,EAAU+xB,mBACrBvsB,OAAQ0H,EAAQ1H,OAChB+I,OAAQrB,EAAQqB,OAChBqV,qBAAsB1W,EAAQ0W,qBAC9BpV,sBAAuBtB,EAAQsB,sBAC/BC,mBAAoBvB,EAAQuB,mBAC5BC,UAAWxB,EAAQwB,UACnBmV,OAAQ3W,EAAQ2W,QAGpB,OAAOpW,EAAAA,EAAAA,GACHpP,KAAK4uB,2BAA2Btf,KAAKtP,MACrCgP,EAAAA,GAAkB2kB,kDAClB3zB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAOH+jB,EACAC,EACA/H,EACAd,EACA1b,EAAQK,cACRF,EAAAA,GAAkB2kB,kD,CAQlB,4BAAMN,CACVxkB,GAAuC,IAAAmhB,EAAA4D,EAEjB,QAAtB5D,EAAAhwB,KAAK2O,yBAAiB,IAAAqhB,GAAtBA,EAAwBjhB,oBACpBC,EAAAA,GAAkBskB,iCAClBzkB,EAAQK,eAGZ,MAAMohB,EAAmB,IAAIC,EAAAA,EACzB1hB,EAAQK,cACRlP,KAAK2O,mBAqDT,GAlDA2hB,EAAiBuD,YACbhlB,EAAQ2hB,mBACuB,QADPoD,EACpB/kB,EAAQ4kB,2BAAmB,IAAAG,OAAA,EAA3BA,EAA8B/nB,EAAAA,MAC9B7L,KAAKkqB,OAAOC,YAAYvjB,UAO3B5G,KAAKmxB,mBAKNb,EAAiBwD,eAAejlB,EAAQ+hB,aAHxCmD,EAAAA,EAAiBC,oBAAoBnlB,EAAQ+hB,aAOjDN,EAAiB2D,UACbplB,EAAQ1H,QACR,EACAnH,KAAKoxB,mBAITd,EAAiB4D,qBAAqBrlB,EAAQ+D,MAG9C0d,EAAiB6D,eAAen0B,KAAKkqB,OAAOqD,aAC5C+C,EAAiB8D,wBACbp0B,KAAKkqB,OAAOsD,UAAU1D,aAE1BwG,EAAiB+D,gBAEbr0B,KAAKytB,yBAA2BxD,EAAmBjqB,KAAKkqB,SACxDoG,EAAiBgE,mBAAmBt0B,KAAKytB,wBAIzC5e,EAAQ0lB,cACRjE,EAAiBkE,gBAAgB3lB,EAAQ0lB,cAGzCv0B,KAAKkqB,OAAOoD,kBAAkBjE,cAC9BiH,EAAiBmE,gBACbz0B,KAAKkqB,OAAOoD,kBAAkBjE,cAIlCrpB,KAAKkqB,OAAOoD,kBAAkBhE,gBAAiB,CAC/C,MAAMA,EACFtpB,KAAKkqB,OAAOoD,kBAAkBhE,gBAElCgH,EAAiBoE,yBACPC,EAAAA,EAAAA,GACFrL,EAAgBsL,UAChB50B,KAAKkqB,OAAOC,YAAYvjB,SACxBiI,EAAQuB,qBAGhBkgB,EAAiBuE,uBACbvL,EAAgBwL,cAEvB,CAKD,GAHAxE,EAAiByE,aAAaC,EAAAA,GAAUC,0BACxC3E,EAAiB4E,gBAEbrmB,EAAQ0W,uBAAyBld,EAAAA,GAAqBG,IAAK,CAC3D,MAAM2sB,EAAoB,IAAI1mB,EAAAA,EAC1BzO,KAAK0O,YACL1O,KAAK2O,mBAGT,IAAIymB,EACJ,GAAKvmB,EAAQwmB,OAUTD,EAAap1B,KAAK0O,YAAYwK,UAAUrK,EAAQwmB,YAV/B,CAQjBD,SAPkChmB,EAAAA,EAAAA,GAC9B+lB,EAAkBvmB,YAAYU,KAAK6lB,GACnCnmB,EAAAA,GAAkBC,oBAClBjP,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALsBE,CAMhCP,EAAS7O,KAAK4E,SACiB2K,YACpC,CAKD+gB,EAAiBgF,YAAYF,EAChC,MAAM,GAAIvmB,EAAQ0W,uBAAyBld,EAAAA,GAAqBS,IAAK,CAClE,IAAI+F,EAAQ0mB,OAGR,MAAMhe,EAAAA,EAAAA,IACFR,EAAAA,IAHJuZ,EAAiBkF,UAAU3mB,EAAQ0mB,OAM1C,CAaD,IAAIpH,EACJ,KAXKsH,EAAAA,EAAYC,WAAW7mB,EAAQqB,SAC/BlQ,KAAKkqB,OAAOC,YAAYyD,oBACrB5tB,KAAKkqB,OAAOC,YAAYyD,mBAAmBvR,OAAS,IAExDiU,EAAiBqF,UACb9mB,EAAQqB,OACRlQ,KAAKkqB,OAAOC,YAAYyD,oBAK5B/e,EAAQvM,WACR,IACI,MAAMA,GAAaU,EAAAA,EAAAA,GACf6L,EAAQvM,WACRtC,KAAK0O,YAAY9M,cAErBusB,EAAU,CACNhP,WAAY,GAAFpa,OAAKzC,EAAWkB,KAAGuB,OAAG3E,EAAAA,GAAWozB,uBAAqBzuB,OAAGzC,EAAWe,MAC9EirB,KAAMC,EAAAA,EAAkBC,gBAE/B,CAAC,MAAOxpB,GACLhF,KAAK4E,OAAOuW,QACR,+CAAiDnW,EAExD,MAEDmpB,EAAUtf,EAAQ0kB,cAItB,GAAIvzB,KAAKkqB,OAAOyC,cAAcnE,sBAAwB2F,EAClD,OAAQA,EAAQG,MACZ,KAAKC,EAAAA,EAAkBC,gBACnB,IACI,MAAMlsB,GAAamsB,EAAAA,EAAAA,GACfN,EAAQhP,YAEZmR,EAAiBsF,UAAUtzB,EAC9B,CAAC,MAAO0C,GACLhF,KAAK4E,OAAOuW,QACR,mDACInW,EAEX,CACD,MACJ,KAAKupB,EAAAA,EAAkBI,IACnB2B,EAAiBuF,UAAU1H,EAAQhP,YA+B/C,OA1BItQ,EAAQ2hB,kBACRF,EAAiBG,oBAAoB,CACjCC,eAAgB1wB,KAAKkqB,OAAOC,YAAYvjB,SACxC+pB,kBAAmB3wB,KAAKkqB,OAAOC,YAAYyG,cAI/C/hB,EAAQ4kB,qBACRnD,EAAiBQ,wBACbjiB,EAAQ4kB,sBAMZ5kB,EAAQinB,4BACNjnB,EAAQ4kB,qBACL5kB,EAAQ4kB,oBACL1lB,EAAAA,KAGRuiB,EAAiBQ,wBAAwB,CACrC,CAAC/iB,EAAAA,IAAqC,MAIvCuiB,EAAiBU,mB,CAOpB,kCAAMS,CACV5iB,GAAsC,IAAAknB,EAAAC,EAGtC,MAAM9mB,EACFL,EAAQK,eACRlP,KAAKkqB,OAAOkD,gBAAgB/b,gBAEV,QAAtB0kB,EAAA/1B,KAAK2O,yBAAiB,IAAAonB,GAAtBA,EAAwBhnB,oBACpBC,EAAAA,GAAkB0iB,4BAClBxiB,GAGJ,MAAMohB,EAAmB,IAAIC,EAAAA,EACzBrhB,EACAlP,KAAK2O,mBAGT2hB,EAAiBuD,YACbhlB,EAAQ2hB,mBACwB,QADRwF,EACpBnnB,EAAQonB,4BAAoB,IAAAD,OAAA,EAA5BA,EAA+BnqB,EAAAA,MAC/B7L,KAAKkqB,OAAOC,YAAYvjB,UAGhC,MAAMsvB,EAAgB,IACdrnB,EAAQ1H,QAAU,MAClB0H,EAAQsnB,sBAAwB,IA0CxC,GAxCA7F,EAAiB2D,UAAUiC,GAAe,EAAMl2B,KAAKoxB,mBAGrDd,EAAiBwD,eAAejlB,EAAQ+hB,aAExCN,EAAiBS,iBAAiB7hB,GAGlCohB,EAAiB8F,gBAAgBvnB,EAAQwnB,cAGzC/F,EAAiBgG,sBAGjBhG,EAAiB6D,eAAen0B,KAAKkqB,OAAOqD,aACvCtD,EAAmBjqB,KAAKkqB,SACzBoG,EAAiB8D,wBACbp0B,KAAKkqB,OAAOsD,UAAU1D,aAK9BwG,EAAiB4E,gBAEbrmB,EAAQ0nB,eAAiB1nB,EAAQ2nB,qBACjClG,EAAiBmG,uBACb5nB,EAAQ0nB,cACR1nB,EAAQ2nB,qBAIZ3nB,EAAQ6nB,QACRpG,EAAiBqG,UAAU9nB,EAAQ6nB,QAGnC7nB,EAAQ+nB,YACRtG,EAAiBuG,cAAchoB,EAAQ+nB,YAIvC/nB,EAAQ6nB,SAAWI,EAAAA,GAAYC,eAE/B,GAAIloB,EAAQsP,KAAOtP,EAAQ6nB,SAAWI,EAAAA,GAAYE,KAE9Ch3B,KAAK4E,OAAOuW,QACR,yEAEJmV,EAAiB2G,OAAOpoB,EAAQsP,UAC7B,GAAItP,EAAQxM,QAAS,CACxB,MAAM60B,EAAal3B,KAAKm3B,kBAAkBtoB,EAAQxM,SAClD,IAAI+0B,EAAwBp3B,KAAKq3B,iBAC7BxoB,EAAQxM,SAWZ,GARI+0B,GAAyBvoB,EAAQ+nB,aACjC52B,KAAK4E,OAAOK,QAAQ,+JAGpBmyB,EAAwB,MAIxBA,EAAuB,CACvBp3B,KAAK4E,OAAOuW,QACR,qEAEJmV,EAAiBgH,aAAaF,GAC9B,IACI,MAAM90B,GAAamsB,EAAAA,EAAAA,GACf5f,EAAQxM,QAAQpC,eAEpBqwB,EAAiBsF,UAAUtzB,EAC9B,CAAC,MAAO0C,GACLhF,KAAK4E,OAAOuW,QACR,+EAEP,CACJ,MAAM,GAAI+b,GAAcroB,EAAQ6nB,SAAWI,EAAAA,GAAYE,KAAM,CAK1Dh3B,KAAK4E,OAAOuW,QACR,yEAEJmV,EAAiB2G,OAAOC,GACxB,IACI,MAAM50B,GAAamsB,EAAAA,EAAAA,GACf5f,EAAQxM,QAAQpC,eAEpBqwB,EAAiBsF,UAAUtzB,EAC9B,CAAC,MAAO0C,GACLhF,KAAK4E,OAAOuW,QACR,+EAEP,CACJ,MAAM,GAAItM,EAAQkP,UACf/d,KAAK4E,OAAOuW,QACR,gEAEJmV,EAAiBgH,aAAazoB,EAAQkP,WACtCuS,EAAiBuF,UAAUhnB,EAAQkP,gBAChC,GAAIlP,EAAQxM,QAAQ1B,SAAU,CAEjCX,KAAK4E,OAAOuW,QACR,gEAEJmV,EAAiBgH,aAAazoB,EAAQxM,QAAQ1B,UAC9C,IACI,MAAM2B,GAAamsB,EAAAA,EAAAA,GACf5f,EAAQxM,QAAQpC,eAEpBqwB,EAAiBsF,UAAUtzB,EAC9B,CAAC,MAAO0C,GACLhF,KAAK4E,OAAOuW,QACR,+EAEP,CACJ,CACJ,MAAUtM,EAAQkP,YACf/d,KAAK4E,OAAOuW,QACR,4EAEJmV,EAAiBgH,aAAazoB,EAAQkP,WACtCuS,EAAiBuF,UAAUhnB,EAAQkP,iBAGvC/d,KAAK4E,OAAOuW,QACR,kFAgCR,GA5BItM,EAAQhJ,OACRyqB,EAAiBiH,SAAS1oB,EAAQhJ,OAGlCgJ,EAAQ2oB,OACRlH,EAAiBmH,SAAS5oB,EAAQ2oB,QAIlC3oB,EAAQqB,QACPlQ,KAAKkqB,OAAOC,YAAYyD,oBACrB5tB,KAAKkqB,OAAOC,YAAYyD,mBAAmBvR,OAAS,IAExDiU,EAAiBqF,UACb9mB,EAAQqB,OACRlQ,KAAKkqB,OAAOC,YAAYyD,oBAI5B/e,EAAQ2hB,kBACRF,EAAiBG,oBAAoB,CACjCC,eAAgB1wB,KAAKkqB,OAAOC,YAAYvjB,SACxC+pB,kBAAmB3wB,KAAKkqB,OAAOC,YAAYyG,cAInD5wB,KAAK03B,oBAAoB7oB,EAASyhB,GAE9BzhB,EAAQ8oB,eAERrH,EAAiBsH,kBAGb/oB,EAAQ0W,uBAAyBld,EAAAA,GAAqBG,KAAK,CAC3D,MAAM2sB,EAAoB,IAAI1mB,EAAAA,EAC1BzO,KAAK0O,aAIT,IAAI0mB,EACJ,GAAKvmB,EAAQwmB,OAUTD,EAAap1B,KAAK0O,YAAYwK,UAAUrK,EAAQwmB,YAV/B,CAQjBD,SAPkChmB,EAAAA,EAAAA,GAC9B+lB,EAAkBvmB,YAAYU,KAAK6lB,GACnCnmB,EAAAA,GAAkBC,oBAClBjP,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALsBE,CAMhCP,EAAS7O,KAAK4E,SACiB2K,YACpC,CAGD+gB,EAAiBgF,YAAYF,EAChC,CAGL,OAAO9E,EAAiBU,mB,CAOpB+B,0BAAAA,CACJlkB,GAEA,MAAMyhB,EAAmB,IAAIC,EAAAA,EACzB1hB,EAAQK,cACRlP,KAAK2O,mBA2BT,OAxBIE,EAAQgpB,uBACRvH,EAAiBwH,yBACbjpB,EAAQgpB,uBAIZhpB,EAAQK,eACRohB,EAAiBS,iBAAiBliB,EAAQK,eAG1CL,EAAQkpB,aACRzH,EAAiB0H,eAAenpB,EAAQkpB,aAGxClpB,EAAQ2oB,OACRlH,EAAiBmH,SAAS5oB,EAAQ2oB,OAGlC3oB,EAAQopB,YACR3H,EAAiB4H,cAAcrpB,EAAQopB,YAG3Cj4B,KAAK03B,oBAAoB7oB,EAASyhB,GAE3BA,EAAiBU,mB,CAGpB0G,mBAAAA,CACJ7oB,EACAyhB,KAGIzhB,EAAQonB,sBACRpnB,EAAQonB,qBAAqB7wB,eAAe,oBAGhBpF,KAAKkqB,OAAOC,YAAY4D,gBACpDlf,EAAQonB,qBAAuBpnB,EAAQonB,sBAAwB,CAAC,EAChEpnB,EAAQonB,qBAAqC,eAAI,QAGjDpnB,EAAQonB,sBACR3F,EAAiBQ,wBACbjiB,EAAQonB,qB,CASZkB,iBAAAA,CAAkB90B,GAAoB,IAAA81B,EAC1C,OAA4B,QAArBA,EAAA91B,EAAQkB,qBAAa,IAAA40B,OAAA,EAArBA,EAAuBha,MAAO,I,CAGjCkZ,gBAAAA,CAAiBh1B,GAAoB,IAAA+1B,EACzC,OAA4B,QAArBA,EAAA/1B,EAAQkB,qBAAa,IAAA60B,OAAA,EAArBA,EAAuB5Q,aAAc,I,gCCjuB9C,MAAO6Q,WAA2B7L,EACpCzmB,WAAAA,CACI0mB,EACA9d,GAEAwD,MAAMsa,EAAe9d,E,CAElB,kBAAMkjB,CACThjB,GAAkC,IAAAC,EAAAijB,EAEZ,QAAtBjjB,EAAA9O,KAAK2O,yBAAiB,IAAAG,GAAtBA,EAAwBC,oBACpBC,EAAAA,GAAkBspB,+BAClBzpB,EAAQK,eAGZ,MAAM+iB,GAAehqB,EAAAA,EAAAA,cACf8iB,QAAiB3b,EAAAA,EAAAA,GACnBpP,KAAKkyB,oBAAoB5iB,KAAKtP,MAC9BgP,EAAAA,GAAkBupB,sCAClBv4B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALWE,CAMrBP,EAAS7O,KAAK2B,WAGV6tB,EAA4B,QAAnBuC,EAAGhH,EAASM,eAAO,IAAA0G,OAAA,EAAhBA,EAAmBzG,EAAAA,GAAYmE,iBAC3C2C,EAAkB,IAAIC,EAAAA,EACxBryB,KAAKkqB,OAAOC,YAAYvjB,SACxB5G,KAAKyqB,aACLzqB,KAAK0O,YACL1O,KAAK4E,OACL5E,KAAKkqB,OAAOyD,kBACZ3tB,KAAKkqB,OAAOwD,mBAIhB,OAFA0E,EAAgBE,sBAAsBvH,EAASS,OAExCpc,EAAAA,EAAAA,GACHgjB,EAAgBG,0BAA0BjjB,KAAK8iB,GAC/CpjB,EAAAA,GAAkBwjB,0BAClBxyB,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAOH2b,EAASS,KACTxrB,KAAK2B,UACLswB,EACApjB,OACA6B,OACAA,GACA,EACA7B,EAAQ2pB,WACRhJ,E,CAQD,gCAAMiJ,CACT5pB,GAAgC,IAAAc,EAGhC,IAAKd,EACD,MAAM0I,EAAAA,EAAAA,IACFf,EAAAA,IAUR,GANsB,QAAtB7G,EAAA3P,KAAK2O,yBAAiB,IAAAgB,GAAtBA,EAAwBZ,oBACpBC,EAAAA,GAAkB0pB,6CAClB7pB,EAAQK,gBAIPL,EAAQxM,QACT,MAAMc,EAAAA,EAAAA,IACFyR,EAAAA,IAUR,GALe5U,KAAKyqB,aAAazD,kBAC7BnY,EAAQxM,QAAQnC,aAKhB,IACI,aAAakP,EAAAA,EAAAA,GACTpP,KAAK24B,mCAAmCrpB,KAAKtP,MAC7CgP,EAAAA,GAAkB4pB,qDAClB54B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALCE,CAMXP,GAAS,EACd,CAAC,MAAO7J,GACL,MAAM6zB,EACF7zB,aAAakT,GAAAA,IACblT,EAAEgN,YACE+F,GAAAA,GACF+gB,EACF9zB,aAAa8T,EAAAA,GACb9T,EAAEgN,YAAc+mB,EAAAA,EAAOC,qBACvBh0B,EAAEyN,WAAasmB,EAAAA,EAAOE,sBAG1B,GAAIJ,GAAqBC,EACrB,OAAO1pB,EAAAA,EAAAA,GACHpP,KAAK24B,mCAAmCrpB,KAAKtP,MAC7CgP,EAAAA,GAAkB4pB,qDAClB54B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAMLP,GAAS,GAGX,MAAM7J,CAEb,CAGL,OAAOoK,EAAAA,EAAAA,GACHpP,KAAK24B,mCAAmCrpB,KAAKtP,MAC7CgP,EAAAA,GAAkB4pB,qDAClB54B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAMLP,GAAS,E,CAOP,wCAAM8pB,CACV9pB,EACAqqB,GAAa,IAAAxJ,EAES,QAAtBA,EAAA1vB,KAAK2O,yBAAiB,IAAA+gB,GAAtBA,EAAwB3gB,oBACpBC,EAAAA,GAAkB4pB,qDAClB/pB,EAAQK,eAIZ,MAAMlG,GAAemwB,EAAAA,EAAAA,GACjBn5B,KAAKyqB,aAAaxE,gBAAgB3W,KAAKtP,KAAKyqB,cAC5Czb,EAAAA,GAAkBoqB,4BAClBp5B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALSiqB,CAOjBtqB,EAAQxM,QACR62B,OACAxoB,EACA1Q,KAAK2O,kBACLE,EAAQK,eAGZ,IAAKlG,EACD,MAAM6P,EAAAA,GAAAA,IACFd,GAAAA,IAIR,GACI/O,EAAa5B,YACbiyB,EAAAA,EAAAA,gBACIrwB,EAAa5B,UACbyH,EAAQyqB,qCA/KgC,KAmL5C,MAAMzgB,EAAAA,GAAAA,IACFZ,GAAAA,IAKR,MAAMshB,GAAmBzoB,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAA,GAClBjC,GAAO,IACV7F,aAAcA,EAAahC,OAC3Bue,qBACI1W,EAAQ0W,sBAAwBld,EAAAA,GAAqBC,OACzDirB,cAAe,CACXpU,WAAYtQ,EAAQxM,QAAQpC,cAC5BquB,KAAMC,EAAAA,EAAkBC,mBAIhC,IACI,aAAapf,EAAAA,EAAAA,GACTpP,KAAK6xB,aAAaviB,KAAKtP,MACvBgP,EAAAA,GAAkBspB,+BAClBt4B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALCE,CAMXmqB,EACL,CAAC,MAAOv0B,GACL,GACIA,aAAakT,GAAAA,IACblT,EAAEyN,WAAamF,GAAAA,GACjB,CAEE5X,KAAK4E,OAAOuW,QACR,wEAEJ,MAAMqe,GAAqBpzB,EAAAA,EAAAA,uBAAsB4C,GACjDhJ,KAAKyqB,aAAaxH,mBAAmBuW,EACxC,CAED,MAAMx0B,CACT,C,CAQG,yBAAMktB,CACVrjB,EACAlN,GAAoB,IAAAquB,EAAAiD,EAEE,QAAtBjD,EAAAhwB,KAAK2O,yBAAiB,IAAAqhB,GAAtBA,EAAwBjhB,oBACpBC,EAAAA,GAAkBupB,sCAClB1pB,EAAQK,eAGZ,MAAMgkB,EAAwBlzB,KAAKqwB,2BAA2BxhB,GACxDskB,EAAW1iB,EAAAA,EAAUkhB,kBACvBhwB,EAAUktB,cACVqE,GAGEE,QAAoBhkB,EAAAA,EAAAA,GACtBpP,KAAKqzB,uBAAuB/jB,KAAKtP,MACjCgP,EAAAA,GAAkByqB,yCAClBz5B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALcE,CAMxBP,GACIwc,EAAkCrrB,KAAKkuB,0BACzCrf,EAAQ0kB,eAENhJ,EAAgC,CAClC3jB,UAC+B,QAA3BqsB,EAAApkB,EAAQ4kB,2BAAmB,IAAAR,OAAA,EAA3BA,EAA6BrsB,WAC7B5G,KAAKkqB,OAAOC,YAAYvjB,SAC5BjF,UAAWA,EAAU+xB,mBACrBvsB,OAAQ0H,EAAQ1H,OAChB+I,OAAQrB,EAAQqB,OAChBqV,qBAAsB1W,EAAQ0W,qBAC9BpV,sBAAuBtB,EAAQsB,sBAC/BC,mBAAoBvB,EAAQuB,mBAC5BC,UAAWxB,EAAQwB,UACnBmV,OAAQ3W,EAAQ2W,QAGpB,OAAOpW,EAAAA,EAAAA,GACHpP,KAAK4uB,2BAA2Btf,KAAKtP,MACrCgP,EAAAA,GAAkB0qB,6CAClB15B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALLE,CAOH+jB,EACAC,EACA/H,EACAd,EACA1b,EAAQK,cACRF,EAAAA,GAAkB0qB,6C,CAQlB,4BAAMrG,CACVxkB,GAAkC,IAAAknB,EAAAnC,EAAA1C,EAEZ,QAAtB6E,EAAA/1B,KAAK2O,yBAAiB,IAAAonB,GAAtBA,EAAwBhnB,oBACpBC,EAAAA,GAAkByqB,yCAClB5qB,EAAQK,eAGZ,MAAMA,EAAgBL,EAAQK,cACxBohB,EAAmB,IAAIC,EAAAA,EACzBrhB,EACAlP,KAAK2O,mBAyCT,GAtCA2hB,EAAiBuD,YACbhlB,EAAQ2hB,mBACuB,QADPoD,EACpB/kB,EAAQ4kB,2BAAmB,IAAAG,OAAA,EAA3BA,EAA8B/nB,EAAAA,MAC9B7L,KAAKkqB,OAAOC,YAAYvjB,UAG5BiI,EAAQ+hB,aACRN,EAAiBwD,eAAejlB,EAAQ+hB,aAG5CN,EAAiB2D,UACbplB,EAAQ1H,QACR,EACqD,QADjD+pB,EACJlxB,KAAKkqB,OAAOC,YAAYxoB,UAAU2Y,QAAQ+W,mBAAW,IAAAH,OAAA,EAArDA,EAAuDI,eAG3DhB,EAAiByE,aAAaC,EAAAA,GAAU2E,qBAExCrJ,EAAiB4E,gBAEjB5E,EAAiB6D,eAAen0B,KAAKkqB,OAAOqD,aAC5C+C,EAAiB8D,wBACbp0B,KAAKkqB,OAAOsD,UAAU1D,aAE1BwG,EAAiB+D,gBAEbr0B,KAAKytB,yBAA2BxD,EAAmBjqB,KAAKkqB,SACxDoG,EAAiBgE,mBAAmBt0B,KAAKytB,wBAG7C6C,EAAiBsJ,gBAAgB/qB,EAAQ7F,cAErChJ,KAAKkqB,OAAOoD,kBAAkBjE,cAC9BiH,EAAiBmE,gBACbz0B,KAAKkqB,OAAOoD,kBAAkBjE,cAIlCrpB,KAAKkqB,OAAOoD,kBAAkBhE,gBAAiB,CAC/C,MAAMA,EACFtpB,KAAKkqB,OAAOoD,kBAAkBhE,gBAElCgH,EAAiBoE,yBACPC,EAAAA,EAAAA,GACFrL,EAAgBsL,UAChB50B,KAAKkqB,OAAOC,YAAYvjB,SACxBiI,EAAQuB,qBAGhBkgB,EAAiBuE,uBACbvL,EAAgBwL,cAEvB,CAED,GAAIjmB,EAAQ0W,uBAAyBld,EAAAA,GAAqBG,IAAK,CAC3D,MAAM2sB,EAAoB,IAAI1mB,EAAAA,EAC1BzO,KAAK0O,YACL1O,KAAK2O,mBAGT,IAAIymB,EACJ,GAAKvmB,EAAQwmB,OAWTD,EAAap1B,KAAK0O,YAAYwK,UAAUrK,EAAQwmB,YAX/B,CASjBD,SARkChmB,EAAAA,EAAAA,GAC9B+lB,EAAkBvmB,YAAYU,KAAK6lB,GACnCnmB,EAAAA,GAAkBC,oBAClBjP,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALsBE,CAMhCP,EAAS7O,KAAK4E,SAEiB2K,YACpC,CAKD+gB,EAAiBgF,YAAYF,EAChC,MAAM,GAAIvmB,EAAQ0W,uBAAyBld,EAAAA,GAAqBS,IAAK,CAClE,IAAI+F,EAAQ0mB,OAGR,MAAMhe,EAAAA,EAAAA,IACFR,EAAAA,IAHJuZ,EAAiBkF,UAAU3mB,EAAQ0mB,OAM1C,CAaD,KAVKE,EAAAA,EAAYC,WAAW7mB,EAAQqB,SAC/BlQ,KAAKkqB,OAAOC,YAAYyD,oBACrB5tB,KAAKkqB,OAAOC,YAAYyD,mBAAmBvR,OAAS,IAExDiU,EAAiBqF,UACb9mB,EAAQqB,OACRlQ,KAAKkqB,OAAOC,YAAYyD,oBAK5B5tB,KAAKkqB,OAAOyC,cAAcnE,sBAC1B3Z,EAAQ0kB,cAER,OAAQ1kB,EAAQ0kB,cAAcjF,MAC1B,KAAKC,EAAAA,EAAkBC,gBACnB,IACI,MAAMlsB,GAAamsB,EAAAA,EAAAA,GACf5f,EAAQ0kB,cAAcpU,YAE1BmR,EAAiBsF,UAAUtzB,EAC9B,CAAC,MAAO0C,GACLhF,KAAK4E,OAAOuW,QACR,mDACInW,EAEX,CACD,MACJ,KAAKupB,EAAAA,EAAkBI,IACnB2B,EAAiBuF,UACbhnB,EAAQ0kB,cAAcpU,YAmBtC,OAbItQ,EAAQ2hB,kBACRF,EAAiBG,oBAAoB,CACjCC,eAAgB1wB,KAAKkqB,OAAOC,YAAYvjB,SACxC+pB,kBAAmB3wB,KAAKkqB,OAAOC,YAAYyG,cAI/C/hB,EAAQ4kB,qBACRnD,EAAiBQ,wBACbjiB,EAAQ4kB,qBAITnD,EAAiBU,mB,mBC7c1B,MAAO6I,WAAyBrN,EAClCzmB,WAAAA,CACI0mB,EACA9d,GAEAwD,MAAMsa,EAAe9d,E,CAQzB,kBAAMkjB,CACFhjB,GAEA,IAAI,IAAAirB,EACA,MAAOC,EAAcC,SAAsBh6B,KAAKi6B,oBAAkBnpB,EAAAA,EAAAA,IAAAA,EAAAA,EAAAA,GAAC,CAAC,EAC7DjC,GAAO,IACV1H,OAAsB,QAAd2yB,EAAAjrB,EAAQ1H,cAAM,IAAA2yB,GAAdA,EAAgBzd,OAClBxN,EAAQ1H,OACR,IAAI+yB,EAAAA,OAId,GAAIF,IAAiBG,EAAAA,GAAaC,sBAAuB,CACrDp6B,KAAK4E,OAAOqW,KACR,+IAIuB,IAAIod,GAC3Br4B,KAAKkqB,OACLlqB,KAAK2O,mBAIJ8pB,2BAA2B5pB,GAC3BwrB,OAAM,QAGd,CAGD,OAAON,CACV,CAAC,MAAO/0B,GACL,GACIA,aAAa8Q,EAAAA,IACb9Q,EAAEgN,YAAcmD,EAAAA,GAClB,CAKE,OAJ2B,IAAIkjB,GAC3Br4B,KAAKkqB,OACLlqB,KAAK2O,mBAEiB8pB,2BAA2B5pB,EACxD,CACG,MAAM7J,CAEb,C,CAOL,wBAAMi1B,CACFprB,GAAgC,IAAAC,EAEV,QAAtBA,EAAA9O,KAAK2O,yBAAiB,IAAAG,GAAtBA,EAAwBC,oBACpBC,EAAAA,GAAkBsrB,mCAClBzrB,EAAQK,eAEZ,IAAIqrB,EAAiCJ,EAAAA,GAAaK,eAElD,GACI3rB,EAAQ4rB,eACNz6B,KAAKkqB,OAAO4C,aAAanE,4BACtB8M,EAAAA,EAAYC,WAAW7mB,EAAQqB,QAOpC,MAJAlQ,KAAK06B,gBACDP,EAAAA,GAAaQ,wBACb9rB,EAAQK,gBAEN/L,EAAAA,EAAAA,IACFgS,EAAAA,IAKR,IAAKtG,EAAQxM,QACT,MAAMc,EAAAA,EAAAA,IACFyR,EAAAA,IAIR,MAAMgmB,EACF/rB,EAAQxM,QAAQ5B,WAChBo6B,EAAAA,GAAAA,IAA6BhsB,EAAQlN,WACnCmb,EAAY9c,KAAKyqB,aAAalN,eAC9Bud,EAAoB96B,KAAKyqB,aAAarF,eACxCvW,EAAQxM,QACRwM,EACAiO,EACA8d,EACA56B,KAAK2O,kBACLE,EAAQK,eAGZ,IAAK4rB,EAMD,MAJA96B,KAAK06B,gBACDP,EAAAA,GAAaY,uBACblsB,EAAQK,gBAEN/L,EAAAA,EAAAA,IACFgS,EAAAA,IAED,IACH6lB,EAAAA,EAAAA,oBAA6BF,EAAkB9yB,YAC/CqxB,EAAAA,EAAAA,gBACIyB,EAAkB1zB,UAClBpH,KAAKkqB,OAAOyC,cAAcrE,2BAQ9B,MAJAtoB,KAAK06B,gBACDP,EAAAA,GAAac,4BACbpsB,EAAQK,gBAEN/L,EAAAA,EAAAA,IACFgS,EAAAA,IAGJ2lB,EAAkBxzB,YAClB+xB,EAAAA,EAAAA,gBAAyByB,EAAkBxzB,UAAW,KAGtDizB,EAAmBJ,EAAAA,GAAaC,uBAKpC,MAAMl6B,EACF2O,EAAQlN,WAAa3B,KAAK2B,UAAUuB,oBAClCob,EAA2B,CAC7Bjc,QAASrC,KAAKyqB,aAAazG,qBAAqBnV,EAAQxM,SACxD6E,YAAa4zB,EACbn0B,QAAS3G,KAAKyqB,aAAavN,WACvBrO,EAAQxM,QACRya,EACA8d,EACA56B,KAAK2O,kBACLE,EAAQK,eAEZlG,aAAc,KACd4V,YACI5e,KAAKyqB,aAAa9D,yBAAyBzmB,IASnD,OANAF,KAAK06B,gBAAgBH,EAAkB1rB,EAAQK,eAE3ClP,KAAKkqB,OAAOuD,wBACZztB,KAAKkqB,OAAOuD,uBAAuByN,qBAGhC,OACG9rB,EAAAA,EAAAA,GACFpP,KAAKm7B,8BAA8B7rB,KAAKtP,MACxCgP,EAAAA,GAAkBosB,8CAClBp7B,KAAK4E,OACL5E,KAAK2O,kBACLE,EAAQK,cALNE,CAMJkP,EAAazP,GACf0rB,E,CAIAG,eAAAA,CACJV,EACA9qB,GAAqB,IAAAmsB,EAAA1rB,EAEM,QAA3B0rB,EAAAr7B,KAAKytB,8BAAsB,IAAA4N,GAA3BA,EAA6BX,gBAAgBV,GACvB,QAAtBrqB,EAAA3P,KAAK2O,yBAAiB,IAAAgB,GAAtBA,EAAwBkV,UACpB,CACImV,aAAcA,GAElB9qB,GAEA8qB,IAAiBG,EAAAA,GAAaK,gBAC9Bx6B,KAAK4E,OAAOqW,KAAK,mDAADlW,OACuCi1B,G,CASvD,mCAAMmB,CACV7c,EACAzP,GAAgC,IAAA6gB,EAMhC,IAAInsB,EASJ,GAbsB,QAAtBmsB,EAAA1vB,KAAK2O,yBAAiB,IAAA+gB,GAAtBA,EAAwB3gB,oBACpBC,EAAAA,GAAkBosB,8CAClBvsB,EAAQK,eAGRoP,EAAY3X,UACZpD,GAAgBmF,EAAAA,EAAAA,oBACZ4V,EAAY3X,QAAQK,OACpBhH,KAAKkqB,OAAOkD,gBAAgBxrB,eAKhCiN,EAAQysB,QAA6B,IAAnBzsB,EAAQysB,OAAc,KAAAC,EACxC,MAAMC,EAAwB,QAAhBD,EAAGh4B,SAAa,IAAAg4B,OAAA,EAAbA,EAAeE,UAChC,IAAKD,EACD,MAAMr4B,EAAAA,EAAAA,IACF6Q,EAAAA,KAIR0nB,EAAAA,EAAAA,aAAYF,EAAU3sB,EAAQysB,OACjC,CAED,OAAOjJ,EAAAA,EAAgBsJ,6BACnB37B,KAAK0O,YACL1O,KAAK2B,UACL2c,GACA,EACAzP,EACAtL,E,4BCtNC,MAAAq4B,GAAuC,CAChD/S,oBAAqBA,IACV9I,QAAQ8b,QACX14B,EAAAA,EAAAA,IAAsByS,EAAAA,KAG9BkT,qBAAsBA,IACX/I,QAAQ8b,QACX14B,EAAAA,EAAAA,IAAsByS,EAAAA,M,kECnD3B,MAAMkmB,GAAkB,oBAClBC,GAAkB,oBCGlBC,GAA0B,CACnC,CAACF,IACG,qJACJ,CAACC,IACG,0JAMF,MAAOE,WAAwBnqB,EAAAA,GACjC/L,WAAAA,CAAYiM,EAAmBC,GAC3BE,MAAMH,EAAWC,GACjBjS,KAAKc,KAAO,kBAEZsR,OAAOC,eAAerS,KAAMi8B,GAAgB3pB,U,EAK9C,SAAU4pB,GAAsBtpB,GAClC,OAAO,IAAIqpB,GAAgBrpB,EAAMopB,GAAwBppB,GAC7D,C,MCbaupB,GAKTp2B,WAAAA,CAAYuU,GACRta,KAAKo8B,IAAM9hB,EAAQ8hB,IACnBp8B,KAAKq8B,IAAM/hB,EAAQ+hB,IACnBr8B,KAAK4I,IAAM0R,EAAQ1R,G,CAWvB,yBAAO0zB,CAAmBC,GAEtB,IAAKA,EAAiB3zB,IAClB,MAAMszB,GAAsBJ,IAIhC,IAAKS,EAAiBF,IAClB,MAAMH,GAAsBH,IAGhC,MAAMS,EAAY,IAAIL,GAAW,CAE7BC,IAAKG,EAAiBH,KAAOK,EAAAA,GAAkBC,IAC/C9zB,IAAK2zB,EAAiB3zB,IACtByzB,IAAKE,EAAiBF,MAG1B,OAAO5sB,KAAKC,UAAU8sB,E","sources":["../node_modules/@azure/msal-common/src/cache/entities/AccountEntity.ts","../node_modules/@azure/msal-common/src/cache/persistence/TokenCacheContext.ts","../node_modules/@azure/msal-common/src/cache/utils/CacheHelpers.ts","../node_modules/@azure/msal-common/src/constants/AADServerParamKeys.ts","../node_modules/@azure/msal-common/src/crypto/PopTokenGenerator.ts","../node_modules/@azure/msal-common/src/error/AuthError.ts","../node_modules/@azure/msal-common/src/error/AuthErrorCodes.ts","../node_modules/@azure/msal-common/src/error/CacheError.ts","../node_modules/@azure/msal-common/src/error/CacheErrorCodes.ts","../node_modules/@azure/msal-common/src/error/ClientAuthError.ts","../node_modules/@azure/msal-common/src/error/ClientAuthErrorCodes.ts","../node_modules/@azure/msal-common/src/error/ClientConfigurationError.ts","../node_modules/@azure/msal-common/src/error/ClientConfigurationErrorCodes.ts","../node_modules/@azure/msal-common/src/error/InteractionRequiredAuthError.ts","../node_modules/@azure/msal-common/src/error/InteractionRequiredAuthErrorCodes.ts","../node_modules/@azure/msal-common/src/error/ServerError.ts","../node_modules/@azure/msal-common/src/crypto/ICrypto.ts","../node_modules/@azure/msal-common/src/logger/Logger.ts","../node_modules/@azure/msal-common/src/cache/CacheManager.ts","../node_modules/@azure/msal-common/src/config/ClientConfiguration.ts","../node_modules/@azure/msal-common/src/network/ThrottlingUtils.ts","../node_modules/@azure/msal-common/src/error/NetworkError.ts","../node_modules/@azure/msal-common/src/client/BaseClient.ts","../node_modules/@azure/msal-common/src/client/AuthorizationCodeClient.ts","../node_modules/@azure/msal-common/src/client/RefreshTokenClient.ts","../node_modules/@azure/msal-common/src/client/SilentFlowClient.ts","../node_modules/@azure/msal-common/src/network/INetworkModule.ts","../node_modules/@azure/msal-common/src/error/JoseHeaderErrorCodes.ts","../node_modules/@azure/msal-common/src/error/JoseHeaderError.ts","../node_modules/@azure/msal-common/src/crypto/JoseHeader.ts"],"sourcesContent":["/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { CacheAccountType, Separators } from \"../../utils/Constants.js\";\nimport { Authority } from \"../../authority/Authority.js\";\nimport { ICrypto } from \"../../crypto/ICrypto.js\";\nimport { ClientInfo, buildClientInfo } from \"../../account/ClientInfo.js\";\nimport {\n AccountInfo,\n TenantProfile,\n buildTenantProfile,\n} from \"../../account/AccountInfo.js\";\nimport {\n createClientAuthError,\n ClientAuthErrorCodes,\n} from \"../../error/ClientAuthError.js\";\nimport { AuthorityType } from \"../../authority/AuthorityType.js\";\nimport { Logger } from \"../../logger/Logger.js\";\nimport {\n TokenClaims,\n getTenantIdFromIdTokenClaims,\n} from \"../../account/TokenClaims.js\";\nimport { ProtocolMode } from \"../../authority/ProtocolMode.js\";\n\n/**\n * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).\n *\n * Key : Value Schema\n *\n * Key: --\n *\n * Value Schema:\n * {\n * homeAccountId: home account identifier for the auth scheme,\n * environment: entity that issued the token, represented as a full host\n * realm: Full tenant or organizational identifier that the account belongs to\n * localAccountId: Original tenant-specific accountID, usually used for legacy cases\n * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt\n * authorityType: Accounts authority type as a string\n * name: Full name for the account, including given name and family name,\n * lastModificationTime: last time this entity was modified in the cache\n * lastModificationApp:\n * nativeAccountId: Account identifier on the native device\n * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser\n * }\n * @internal\n */\nexport class AccountEntity {\n homeAccountId: string;\n environment: string;\n realm: string;\n localAccountId: string;\n username: string;\n authorityType: string;\n clientInfo?: string;\n name?: string;\n lastModificationTime?: string;\n lastModificationApp?: string;\n cloudGraphHostName?: string;\n msGraphHost?: string;\n nativeAccountId?: string;\n tenantProfiles?: Array;\n\n /**\n * Generate Account Id key component as per the schema: -\n */\n generateAccountId(): string {\n const accountId: Array = [this.homeAccountId, this.environment];\n return accountId.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();\n }\n\n /**\n * Generate Account Cache Key as per the schema: --\n */\n generateAccountKey(): string {\n return AccountEntity.generateAccountCacheKey({\n homeAccountId: this.homeAccountId,\n environment: this.environment,\n tenantId: this.realm,\n username: this.username,\n localAccountId: this.localAccountId,\n });\n }\n\n /**\n * Returns the AccountInfo interface for this account.\n */\n getAccountInfo(): AccountInfo {\n return {\n homeAccountId: this.homeAccountId,\n environment: this.environment,\n tenantId: this.realm,\n username: this.username,\n localAccountId: this.localAccountId,\n name: this.name,\n nativeAccountId: this.nativeAccountId,\n authorityType: this.authorityType,\n // Deserialize tenant profiles array into a Map\n tenantProfiles: new Map(\n (this.tenantProfiles || []).map((tenantProfile) => {\n return [tenantProfile.tenantId, tenantProfile];\n })\n ),\n };\n }\n\n /**\n * Returns true if the account entity is in single tenant format (outdated), false otherwise\n */\n isSingleTenant(): boolean {\n return !this.tenantProfiles;\n }\n\n /**\n * Generates account key from interface\n * @param accountInterface\n */\n static generateAccountCacheKey(accountInterface: AccountInfo): string {\n const homeTenantId = accountInterface.homeAccountId.split(\".\")[1];\n const accountKey = [\n accountInterface.homeAccountId,\n accountInterface.environment || \"\",\n homeTenantId || accountInterface.tenantId || \"\",\n ];\n\n return accountKey.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();\n }\n\n /**\n * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.\n * @param accountDetails\n */\n static createAccount(\n accountDetails: {\n homeAccountId: string;\n idTokenClaims?: TokenClaims;\n clientInfo?: string;\n cloudGraphHostName?: string;\n msGraphHost?: string;\n environment?: string;\n nativeAccountId?: string;\n tenantProfiles?: Array;\n },\n authority: Authority,\n base64Decode?: (input: string) => string\n ): AccountEntity {\n const account: AccountEntity = new AccountEntity();\n\n if (authority.authorityType === AuthorityType.Adfs) {\n account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;\n } else if (authority.protocolMode === ProtocolMode.AAD) {\n account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;\n } else {\n account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;\n }\n\n let clientInfo: ClientInfo | undefined;\n\n if (accountDetails.clientInfo && base64Decode) {\n clientInfo = buildClientInfo(\n accountDetails.clientInfo,\n base64Decode\n );\n }\n\n account.clientInfo = accountDetails.clientInfo;\n account.homeAccountId = accountDetails.homeAccountId;\n account.nativeAccountId = accountDetails.nativeAccountId;\n\n const env =\n accountDetails.environment ||\n (authority && authority.getPreferredCache());\n\n if (!env) {\n throw createClientAuthError(\n ClientAuthErrorCodes.invalidCacheEnvironment\n );\n }\n\n account.environment = env;\n // non AAD scenarios can have empty realm\n account.realm =\n clientInfo?.utid ||\n getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||\n \"\";\n\n // How do you account for MSA CID here?\n account.localAccountId =\n clientInfo?.uid ||\n accountDetails.idTokenClaims?.oid ||\n accountDetails.idTokenClaims?.sub ||\n \"\";\n\n /*\n * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.\n * In most cases it will contain a single email. This field should not be relied upon if a custom\n * policy is configured to return more than 1 email.\n */\n const preferredUsername =\n accountDetails.idTokenClaims?.preferred_username ||\n accountDetails.idTokenClaims?.upn;\n const email = accountDetails.idTokenClaims?.emails\n ? accountDetails.idTokenClaims.emails[0]\n : null;\n\n account.username = preferredUsername || email || \"\";\n account.name = accountDetails.idTokenClaims?.name || \"\";\n\n account.cloudGraphHostName = accountDetails.cloudGraphHostName;\n account.msGraphHost = accountDetails.msGraphHost;\n\n if (accountDetails.tenantProfiles) {\n account.tenantProfiles = accountDetails.tenantProfiles;\n } else {\n const tenantProfile = buildTenantProfile(\n accountDetails.homeAccountId,\n account.localAccountId,\n account.realm,\n accountDetails.idTokenClaims\n );\n account.tenantProfiles = [tenantProfile];\n }\n\n return account;\n }\n\n /**\n * Creates an AccountEntity object from AccountInfo\n * @param accountInfo\n * @param cloudGraphHostName\n * @param msGraphHost\n * @returns\n */\n static createFromAccountInfo(\n accountInfo: AccountInfo,\n cloudGraphHostName?: string,\n msGraphHost?: string\n ): AccountEntity {\n const account: AccountEntity = new AccountEntity();\n\n account.authorityType =\n accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;\n account.homeAccountId = accountInfo.homeAccountId;\n account.localAccountId = accountInfo.localAccountId;\n account.nativeAccountId = accountInfo.nativeAccountId;\n\n account.realm = accountInfo.tenantId;\n account.environment = accountInfo.environment;\n\n account.username = accountInfo.username;\n account.name = accountInfo.name;\n\n account.cloudGraphHostName = cloudGraphHostName;\n account.msGraphHost = msGraphHost;\n // Serialize tenant profiles map into an array\n account.tenantProfiles = Array.from(\n accountInfo.tenantProfiles?.values() || []\n );\n\n return account;\n }\n\n /**\n * Generate HomeAccountId from server response\n * @param serverClientInfo\n * @param authType\n */\n static generateHomeAccountId(\n serverClientInfo: string,\n authType: AuthorityType,\n logger: Logger,\n cryptoObj: ICrypto,\n idTokenClaims?: TokenClaims\n ): string {\n // since ADFS/DSTS do not have tid and does not set client_info\n if (\n !(\n authType === AuthorityType.Adfs ||\n authType === AuthorityType.Dsts\n )\n ) {\n // for cases where there is clientInfo\n if (serverClientInfo) {\n try {\n const clientInfo = buildClientInfo(\n serverClientInfo,\n cryptoObj.base64Decode\n );\n if (clientInfo.uid && clientInfo.utid) {\n return `${clientInfo.uid}.${clientInfo.utid}`;\n }\n } catch (e) {}\n }\n logger.warning(\"No client info in response\");\n }\n\n // default to \"sub\" claim\n return idTokenClaims?.sub || \"\";\n }\n\n /**\n * Validates an entity: checks for all expected params\n * @param entity\n */\n static isAccountEntity(entity: object): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n entity.hasOwnProperty(\"homeAccountId\") &&\n entity.hasOwnProperty(\"environment\") &&\n entity.hasOwnProperty(\"realm\") &&\n entity.hasOwnProperty(\"localAccountId\") &&\n entity.hasOwnProperty(\"username\") &&\n entity.hasOwnProperty(\"authorityType\")\n );\n }\n\n /**\n * Helper function to determine whether 2 accountInfo objects represent the same account\n * @param accountA\n * @param accountB\n * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality\n */\n static accountInfoIsEqual(\n accountA: AccountInfo | null,\n accountB: AccountInfo | null,\n compareClaims?: boolean\n ): boolean {\n if (!accountA || !accountB) {\n return false;\n }\n\n let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false\n if (compareClaims) {\n const accountAClaims = (accountA.idTokenClaims ||\n {}) as TokenClaims;\n const accountBClaims = (accountB.idTokenClaims ||\n {}) as TokenClaims;\n\n // issued at timestamp and nonce are expected to change each time a new id token is acquired\n claimsMatch =\n accountAClaims.iat === accountBClaims.iat &&\n accountAClaims.nonce === accountBClaims.nonce;\n }\n\n return (\n accountA.homeAccountId === accountB.homeAccountId &&\n accountA.localAccountId === accountB.localAccountId &&\n accountA.username === accountB.username &&\n accountA.tenantId === accountB.tenantId &&\n accountA.environment === accountB.environment &&\n accountA.nativeAccountId === accountB.nativeAccountId &&\n claimsMatch\n );\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { ISerializableTokenCache } from \"../interface/ISerializableTokenCache.js\";\n\n/**\n * This class instance helps track the memory changes facilitating\n * decisions to read from and write to the persistent cache\n */ export class TokenCacheContext {\n /**\n * boolean indicating cache change\n */\n hasChanged: boolean;\n /**\n * serializable token cache interface\n */\n cache: ISerializableTokenCache;\n\n constructor(tokenCache: ISerializableTokenCache, hasChanged: boolean) {\n this.cache = tokenCache;\n this.hasChanged = hasChanged;\n }\n\n /**\n * boolean which indicates the changes in cache\n */\n get cacheHasChanged(): boolean {\n return this.hasChanged;\n }\n\n /**\n * function to retrieve the token cache\n */\n get tokenCache(): ISerializableTokenCache {\n return this.cache;\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { extractTokenClaims } from \"../../account/AuthToken.js\";\nimport { TokenClaims } from \"../../account/TokenClaims.js\";\nimport { CloudDiscoveryMetadata } from \"../../authority/CloudDiscoveryMetadata.js\";\nimport { OpenIdConfigResponse } from \"../../authority/OpenIdConfigResponse.js\";\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../../error/ClientAuthError.js\";\nimport {\n APP_METADATA,\n AUTHORITY_METADATA_CONSTANTS,\n AuthenticationScheme,\n CredentialType,\n SERVER_TELEM_CONSTANTS,\n Separators,\n ThrottlingConstants,\n} from \"../../utils/Constants.js\";\nimport * as TimeUtils from \"../../utils/TimeUtils.js\";\nimport { AccessTokenEntity } from \"../entities/AccessTokenEntity.js\";\nimport { AppMetadataEntity } from \"../entities/AppMetadataEntity.js\";\nimport { AuthorityMetadataEntity } from \"../entities/AuthorityMetadataEntity.js\";\nimport { CredentialEntity } from \"../entities/CredentialEntity.js\";\nimport { IdTokenEntity } from \"../entities/IdTokenEntity.js\";\nimport { RefreshTokenEntity } from \"../entities/RefreshTokenEntity.js\";\n\n/**\n * Cache Key: -------\n * IdToken Example: uid.utid-login.microsoftonline.com-idtoken-app_client_id-contoso.com\n * AccessToken Example: uid.utid-login.microsoftonline.com-accesstoken-app_client_id-contoso.com-scope1 scope2--pop\n * RefreshToken Example: uid.utid-login.microsoftonline.com-refreshtoken-1-contoso.com\n * @param credentialEntity\n * @returns\n */\nexport function generateCredentialKey(\n credentialEntity: CredentialEntity\n): string {\n const credentialKey = [\n generateAccountId(credentialEntity),\n generateCredentialId(credentialEntity),\n generateTarget(credentialEntity),\n generateClaimsHash(credentialEntity),\n generateScheme(credentialEntity),\n ];\n\n return credentialKey.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();\n}\n\n/**\n * Create IdTokenEntity\n * @param homeAccountId\n * @param authenticationResult\n * @param clientId\n * @param authority\n */\nexport function createIdTokenEntity(\n homeAccountId: string,\n environment: string,\n idToken: string,\n clientId: string,\n tenantId: string\n): IdTokenEntity {\n const idTokenEntity: IdTokenEntity = {\n credentialType: CredentialType.ID_TOKEN,\n homeAccountId: homeAccountId,\n environment: environment,\n clientId: clientId,\n secret: idToken,\n realm: tenantId,\n };\n\n return idTokenEntity;\n}\n\n/**\n * Create AccessTokenEntity\n * @param homeAccountId\n * @param environment\n * @param accessToken\n * @param clientId\n * @param tenantId\n * @param scopes\n * @param expiresOn\n * @param extExpiresOn\n */\nexport function createAccessTokenEntity(\n homeAccountId: string,\n environment: string,\n accessToken: string,\n clientId: string,\n tenantId: string,\n scopes: string,\n expiresOn: number,\n extExpiresOn: number,\n base64Decode: (input: string) => string,\n refreshOn?: number,\n tokenType?: AuthenticationScheme,\n userAssertionHash?: string,\n keyId?: string,\n requestedClaims?: string,\n requestedClaimsHash?: string\n): AccessTokenEntity {\n const atEntity: AccessTokenEntity = {\n homeAccountId: homeAccountId,\n credentialType: CredentialType.ACCESS_TOKEN,\n secret: accessToken,\n cachedAt: TimeUtils.nowSeconds().toString(),\n expiresOn: expiresOn.toString(),\n extendedExpiresOn: extExpiresOn.toString(),\n environment: environment,\n clientId: clientId,\n realm: tenantId,\n target: scopes,\n tokenType: tokenType || AuthenticationScheme.BEARER,\n };\n\n if (userAssertionHash) {\n atEntity.userAssertionHash = userAssertionHash;\n }\n\n if (refreshOn) {\n atEntity.refreshOn = refreshOn.toString();\n }\n\n if (requestedClaims) {\n atEntity.requestedClaims = requestedClaims;\n atEntity.requestedClaimsHash = requestedClaimsHash;\n }\n\n /*\n * Create Access Token With Auth Scheme instead of regular access token\n * Cast to lower to handle \"bearer\" from ADFS\n */\n if (\n atEntity.tokenType?.toLowerCase() !==\n AuthenticationScheme.BEARER.toLowerCase()\n ) {\n atEntity.credentialType = CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;\n switch (atEntity.tokenType) {\n case AuthenticationScheme.POP:\n // Make sure keyId is present and add it to credential\n const tokenClaims: TokenClaims | null = extractTokenClaims(\n accessToken,\n base64Decode\n );\n if (!tokenClaims?.cnf?.kid) {\n throw createClientAuthError(\n ClientAuthErrorCodes.tokenClaimsCnfRequiredForSignedJwt\n );\n }\n atEntity.keyId = tokenClaims.cnf.kid;\n break;\n case AuthenticationScheme.SSH:\n atEntity.keyId = keyId;\n }\n }\n\n return atEntity;\n}\n\n/**\n * Create RefreshTokenEntity\n * @param homeAccountId\n * @param authenticationResult\n * @param clientId\n * @param authority\n */\nexport function createRefreshTokenEntity(\n homeAccountId: string,\n environment: string,\n refreshToken: string,\n clientId: string,\n familyId?: string,\n userAssertionHash?: string,\n expiresOn?: number\n): RefreshTokenEntity {\n const rtEntity: RefreshTokenEntity = {\n credentialType: CredentialType.REFRESH_TOKEN,\n homeAccountId: homeAccountId,\n environment: environment,\n clientId: clientId,\n secret: refreshToken,\n };\n\n if (userAssertionHash) {\n rtEntity.userAssertionHash = userAssertionHash;\n }\n\n if (familyId) {\n rtEntity.familyId = familyId;\n }\n\n if (expiresOn) {\n rtEntity.expiresOn = expiresOn.toString();\n }\n\n return rtEntity;\n}\n\nexport function isCredentialEntity(entity: object): boolean {\n return (\n entity.hasOwnProperty(\"homeAccountId\") &&\n entity.hasOwnProperty(\"environment\") &&\n entity.hasOwnProperty(\"credentialType\") &&\n entity.hasOwnProperty(\"clientId\") &&\n entity.hasOwnProperty(\"secret\")\n );\n}\n\n/**\n * Validates an entity: checks for all expected params\n * @param entity\n */\nexport function isAccessTokenEntity(entity: object): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n isCredentialEntity(entity) &&\n entity.hasOwnProperty(\"realm\") &&\n entity.hasOwnProperty(\"target\") &&\n (entity[\"credentialType\"] === CredentialType.ACCESS_TOKEN ||\n entity[\"credentialType\"] ===\n CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME)\n );\n}\n\n/**\n * Validates an entity: checks for all expected params\n * @param entity\n */\nexport function isIdTokenEntity(entity: object): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n isCredentialEntity(entity) &&\n entity.hasOwnProperty(\"realm\") &&\n entity[\"credentialType\"] === CredentialType.ID_TOKEN\n );\n}\n\n/**\n * Validates an entity: checks for all expected params\n * @param entity\n */\nexport function isRefreshTokenEntity(entity: object): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n isCredentialEntity(entity) &&\n entity[\"credentialType\"] === CredentialType.REFRESH_TOKEN\n );\n}\n\n/**\n * Generate Account Id key component as per the schema: -\n */\nfunction generateAccountId(credentialEntity: CredentialEntity): string {\n const accountId: Array = [\n credentialEntity.homeAccountId,\n credentialEntity.environment,\n ];\n return accountId.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();\n}\n\n/**\n * Generate Credential Id key component as per the schema: --\n */\nfunction generateCredentialId(credentialEntity: CredentialEntity): string {\n const clientOrFamilyId =\n credentialEntity.credentialType === CredentialType.REFRESH_TOKEN\n ? credentialEntity.familyId || credentialEntity.clientId\n : credentialEntity.clientId;\n const credentialId: Array = [\n credentialEntity.credentialType,\n clientOrFamilyId,\n credentialEntity.realm || \"\",\n ];\n\n return credentialId.join(Separators.CACHE_KEY_SEPARATOR).toLowerCase();\n}\n\n/**\n * Generate target key component as per schema: \n */\nfunction generateTarget(credentialEntity: CredentialEntity): string {\n return (credentialEntity.target || \"\").toLowerCase();\n}\n\n/**\n * Generate requested claims key component as per schema: \n */\nfunction generateClaimsHash(credentialEntity: CredentialEntity): string {\n return (credentialEntity.requestedClaimsHash || \"\").toLowerCase();\n}\n\n/**\n * Generate scheme key componenet as per schema: \n */\nfunction generateScheme(credentialEntity: CredentialEntity): string {\n /*\n * PoP Tokens and SSH certs include scheme in cache key\n * Cast to lowercase to handle \"bearer\" from ADFS\n */\n return credentialEntity.tokenType &&\n credentialEntity.tokenType.toLowerCase() !==\n AuthenticationScheme.BEARER.toLowerCase()\n ? credentialEntity.tokenType.toLowerCase()\n : \"\";\n}\n\n/**\n * validates if a given cache entry is \"Telemetry\", parses \n * @param key\n * @param entity\n */\nexport function isServerTelemetryEntity(key: string, entity?: object): boolean {\n const validateKey: boolean =\n key.indexOf(SERVER_TELEM_CONSTANTS.CACHE_KEY) === 0;\n let validateEntity: boolean = true;\n\n if (entity) {\n validateEntity =\n entity.hasOwnProperty(\"failedRequests\") &&\n entity.hasOwnProperty(\"errors\") &&\n entity.hasOwnProperty(\"cacheHits\");\n }\n\n return validateKey && validateEntity;\n}\n\n/**\n * validates if a given cache entry is \"Throttling\", parses \n * @param key\n * @param entity\n */\nexport function isThrottlingEntity(key: string, entity?: object): boolean {\n let validateKey: boolean = false;\n if (key) {\n validateKey = key.indexOf(ThrottlingConstants.THROTTLING_PREFIX) === 0;\n }\n\n let validateEntity: boolean = true;\n if (entity) {\n validateEntity = entity.hasOwnProperty(\"throttleTime\");\n }\n\n return validateKey && validateEntity;\n}\n\n/**\n * Generate AppMetadata Cache Key as per the schema: appmetadata--\n */\nexport function generateAppMetadataKey({\n environment,\n clientId,\n}: AppMetadataEntity): string {\n const appMetaDataKeyArray: Array = [\n APP_METADATA,\n environment,\n clientId,\n ];\n return appMetaDataKeyArray\n .join(Separators.CACHE_KEY_SEPARATOR)\n .toLowerCase();\n}\n\n/*\n * Validates an entity: checks for all expected params\n * @param entity\n */\nexport function isAppMetadataEntity(key: string, entity: object): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n key.indexOf(APP_METADATA) === 0 &&\n entity.hasOwnProperty(\"clientId\") &&\n entity.hasOwnProperty(\"environment\")\n );\n}\n\n/**\n * Validates an entity: checks for all expected params\n * @param entity\n */\nexport function isAuthorityMetadataEntity(\n key: string,\n entity: object\n): boolean {\n if (!entity) {\n return false;\n }\n\n return (\n key.indexOf(AUTHORITY_METADATA_CONSTANTS.CACHE_KEY) === 0 &&\n entity.hasOwnProperty(\"aliases\") &&\n entity.hasOwnProperty(\"preferred_cache\") &&\n entity.hasOwnProperty(\"preferred_network\") &&\n entity.hasOwnProperty(\"canonical_authority\") &&\n entity.hasOwnProperty(\"authorization_endpoint\") &&\n entity.hasOwnProperty(\"token_endpoint\") &&\n entity.hasOwnProperty(\"issuer\") &&\n entity.hasOwnProperty(\"aliasesFromNetwork\") &&\n entity.hasOwnProperty(\"endpointsFromNetwork\") &&\n entity.hasOwnProperty(\"expiresAt\") &&\n entity.hasOwnProperty(\"jwks_uri\")\n );\n}\n\n/**\n * Reset the exiresAt value\n */\nexport function generateAuthorityMetadataExpiresAt(): number {\n return (\n TimeUtils.nowSeconds() +\n AUTHORITY_METADATA_CONSTANTS.REFRESH_TIME_SECONDS\n );\n}\n\nexport function updateAuthorityEndpointMetadata(\n authorityMetadata: AuthorityMetadataEntity,\n updatedValues: OpenIdConfigResponse,\n fromNetwork: boolean\n): void {\n authorityMetadata.authorization_endpoint =\n updatedValues.authorization_endpoint;\n authorityMetadata.token_endpoint = updatedValues.token_endpoint;\n authorityMetadata.end_session_endpoint = updatedValues.end_session_endpoint;\n authorityMetadata.issuer = updatedValues.issuer;\n authorityMetadata.endpointsFromNetwork = fromNetwork;\n authorityMetadata.jwks_uri = updatedValues.jwks_uri;\n}\n\nexport function updateCloudDiscoveryMetadata(\n authorityMetadata: AuthorityMetadataEntity,\n updatedValues: CloudDiscoveryMetadata,\n fromNetwork: boolean\n): void {\n authorityMetadata.aliases = updatedValues.aliases;\n authorityMetadata.preferred_cache = updatedValues.preferred_cache;\n authorityMetadata.preferred_network = updatedValues.preferred_network;\n authorityMetadata.aliasesFromNetwork = fromNetwork;\n}\n\n/**\n * Returns whether or not the data needs to be refreshed\n */\nexport function isAuthorityMetadataExpired(\n metadata: AuthorityMetadataEntity\n): boolean {\n return metadata.expiresAt <= TimeUtils.nowSeconds();\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nexport const CLIENT_ID = \"client_id\";\nexport const REDIRECT_URI = \"redirect_uri\";\nexport const RESPONSE_TYPE = \"response_type\";\nexport const RESPONSE_MODE = \"response_mode\";\nexport const GRANT_TYPE = \"grant_type\";\nexport const CLAIMS = \"claims\";\nexport const SCOPE = \"scope\";\nexport const ERROR = \"error\";\nexport const ERROR_DESCRIPTION = \"error_description\";\nexport const ACCESS_TOKEN = \"access_token\";\nexport const ID_TOKEN = \"id_token\";\nexport const REFRESH_TOKEN = \"refresh_token\";\nexport const EXPIRES_IN = \"expires_in\";\nexport const REFRESH_TOKEN_EXPIRES_IN = \"refresh_token_expires_in\";\nexport const STATE = \"state\";\nexport const NONCE = \"nonce\";\nexport const PROMPT = \"prompt\";\nexport const SESSION_STATE = \"session_state\";\nexport const CLIENT_INFO = \"client_info\";\nexport const CODE = \"code\";\nexport const CODE_CHALLENGE = \"code_challenge\";\nexport const CODE_CHALLENGE_METHOD = \"code_challenge_method\";\nexport const CODE_VERIFIER = \"code_verifier\";\nexport const CLIENT_REQUEST_ID = \"client-request-id\";\nexport const X_CLIENT_SKU = \"x-client-SKU\";\nexport const X_CLIENT_VER = \"x-client-VER\";\nexport const X_CLIENT_OS = \"x-client-OS\";\nexport const X_CLIENT_CPU = \"x-client-CPU\";\nexport const X_CLIENT_CURR_TELEM = \"x-client-current-telemetry\";\nexport const X_CLIENT_LAST_TELEM = \"x-client-last-telemetry\";\nexport const X_MS_LIB_CAPABILITY = \"x-ms-lib-capability\";\nexport const X_APP_NAME = \"x-app-name\";\nexport const X_APP_VER = \"x-app-ver\";\nexport const POST_LOGOUT_URI = \"post_logout_redirect_uri\";\nexport const ID_TOKEN_HINT = \"id_token_hint\";\nexport const DEVICE_CODE = \"device_code\";\nexport const CLIENT_SECRET = \"client_secret\";\nexport const CLIENT_ASSERTION = \"client_assertion\";\nexport const CLIENT_ASSERTION_TYPE = \"client_assertion_type\";\nexport const TOKEN_TYPE = \"token_type\";\nexport const REQ_CNF = \"req_cnf\";\nexport const OBO_ASSERTION = \"assertion\";\nexport const REQUESTED_TOKEN_USE = \"requested_token_use\";\nexport const ON_BEHALF_OF = \"on_behalf_of\";\nexport const FOCI = \"foci\";\nexport const CCS_HEADER = \"X-AnchorMailbox\";\nexport const RETURN_SPA_CODE = \"return_spa_code\";\nexport const NATIVE_BROKER = \"nativebroker\";\nexport const LOGOUT_HINT = \"logout_hint\";\nexport const SID = \"sid\";\nexport const LOGIN_HINT = \"login_hint\";\nexport const DOMAIN_HINT = \"domain_hint\";\nexport const X_CLIENT_EXTRA_SKU = \"x-client-xtra-sku\";\nexport const BROKER_CLIENT_ID = \"brk_client_id\";\nexport const BROKER_REDIRECT_URI = \"brk_redirect_uri\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { ICrypto, SignedHttpRequestParameters } from \"./ICrypto.js\";\nimport * as TimeUtils from \"../utils/TimeUtils.js\";\nimport { UrlString } from \"../url/UrlString.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { PerformanceEvents } from \"../telemetry/performance/PerformanceEvent.js\";\nimport { invokeAsync } from \"../utils/FunctionWrappers.js\";\nimport { Logger } from \"../logger/Logger.js\";\n\n/**\n * See eSTS docs for more info.\n * - A kid element, with the value containing an RFC 7638-compliant JWK thumbprint that is base64 encoded.\n * - xms_ksl element, representing the storage location of the key's secret component on the client device. One of two values:\n * - sw: software storage\n * - uhw: hardware storage\n */\ntype ReqCnf = {\n kid: string;\n xms_ksl: KeyLocation;\n};\n\nexport type ReqCnfData = {\n kid: string;\n reqCnfString: string;\n};\n\nconst KeyLocation = {\n SW: \"sw\",\n UHW: \"uhw\",\n} as const;\nexport type KeyLocation = (typeof KeyLocation)[keyof typeof KeyLocation];\n\n/** @internal */\nexport class PopTokenGenerator {\n private cryptoUtils: ICrypto;\n private performanceClient?: IPerformanceClient;\n\n constructor(cryptoUtils: ICrypto, performanceClient?: IPerformanceClient) {\n this.cryptoUtils = cryptoUtils;\n this.performanceClient = performanceClient;\n }\n\n /**\n * Generates the req_cnf validated at the RP in the POP protocol for SHR parameters\n * and returns an object containing the keyid, the full req_cnf string and the req_cnf string hash\n * @param request\n * @returns\n */\n async generateCnf(\n request: SignedHttpRequestParameters,\n logger: Logger\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.PopTokenGenerateCnf,\n request.correlationId\n );\n\n const reqCnf = await invokeAsync(\n this.generateKid.bind(this),\n PerformanceEvents.PopTokenGenerateCnf,\n logger,\n this.performanceClient,\n request.correlationId\n )(request);\n const reqCnfString: string = this.cryptoUtils.base64UrlEncode(\n JSON.stringify(reqCnf)\n );\n\n return {\n kid: reqCnf.kid,\n reqCnfString,\n };\n }\n\n /**\n * Generates key_id for a SHR token request\n * @param request\n * @returns\n */\n async generateKid(request: SignedHttpRequestParameters): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.PopTokenGenerateKid,\n request.correlationId\n );\n\n const kidThumbprint = await this.cryptoUtils.getPublicKeyThumbprint(\n request\n );\n\n return {\n kid: kidThumbprint,\n xms_ksl: KeyLocation.SW,\n };\n }\n\n /**\n * Signs the POP access_token with the local generated key-pair\n * @param accessToken\n * @param request\n * @returns\n */\n async signPopToken(\n accessToken: string,\n keyId: string,\n request: SignedHttpRequestParameters\n ): Promise {\n return this.signPayload(accessToken, keyId, request);\n }\n\n /**\n * Utility function to generate the signed JWT for an access_token\n * @param payload\n * @param kid\n * @param request\n * @param claims\n * @returns\n */\n async signPayload(\n payload: string,\n keyId: string,\n request: SignedHttpRequestParameters,\n claims?: object\n ): Promise {\n // Deconstruct request to extract SHR parameters\n const {\n resourceRequestMethod,\n resourceRequestUri,\n shrClaims,\n shrNonce,\n shrOptions,\n } = request;\n\n const resourceUrlString = resourceRequestUri\n ? new UrlString(resourceRequestUri)\n : undefined;\n const resourceUrlComponents = resourceUrlString?.getUrlComponents();\n return this.cryptoUtils.signJwt(\n {\n at: payload,\n ts: TimeUtils.nowSeconds(),\n m: resourceRequestMethod?.toUpperCase(),\n u: resourceUrlComponents?.HostNameAndPort,\n nonce: shrNonce || this.cryptoUtils.createNewGuid(),\n p: resourceUrlComponents?.AbsolutePath,\n q: resourceUrlComponents?.QueryString\n ? [[], resourceUrlComponents.QueryString]\n : undefined,\n client_claims: shrClaims || undefined,\n ...claims,\n },\n keyId,\n shrOptions,\n request.correlationId\n );\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { Constants } from \"../utils/Constants.js\";\nimport * as AuthErrorCodes from \"./AuthErrorCodes.js\";\nexport { AuthErrorCodes };\n\nexport const AuthErrorMessages = {\n [AuthErrorCodes.unexpectedError]: \"Unexpected error in authentication.\",\n [AuthErrorCodes.postRequestFailed]:\n \"Post request failed from the network, could be a 4xx/5xx or a network unavailability. Please check the exact error code for details.\",\n};\n\n/**\n * AuthErrorMessage class containing string constants used by error codes and messages.\n * @deprecated Use AuthErrorCodes instead\n */\nexport const AuthErrorMessage = {\n unexpectedError: {\n code: AuthErrorCodes.unexpectedError,\n desc: AuthErrorMessages[AuthErrorCodes.unexpectedError],\n },\n postRequestFailed: {\n code: AuthErrorCodes.postRequestFailed,\n desc: AuthErrorMessages[AuthErrorCodes.postRequestFailed],\n },\n};\n\n/**\n * General error class thrown by the MSAL.js library.\n */\nexport class AuthError extends Error {\n /**\n * Short string denoting error\n */\n errorCode: string;\n\n /**\n * Detailed description of error\n */\n errorMessage: string;\n\n /**\n * Describes the subclass of an error\n */\n subError: string;\n\n /**\n * CorrelationId associated with the error\n */\n correlationId: string;\n\n constructor(errorCode?: string, errorMessage?: string, suberror?: string) {\n const errorString = errorMessage\n ? `${errorCode}: ${errorMessage}`\n : errorCode;\n super(errorString);\n Object.setPrototypeOf(this, AuthError.prototype);\n\n this.errorCode = errorCode || Constants.EMPTY_STRING;\n this.errorMessage = errorMessage || Constants.EMPTY_STRING;\n this.subError = suberror || Constants.EMPTY_STRING;\n this.name = \"AuthError\";\n }\n\n setCorrelationId(correlationId: string): void {\n this.correlationId = correlationId;\n }\n}\n\nexport function createAuthError(\n code: string,\n additionalMessage?: string\n): AuthError {\n return new AuthError(\n code,\n additionalMessage\n ? `${AuthErrorMessages[code]} ${additionalMessage}`\n : AuthErrorMessages[code]\n );\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\n/**\n * AuthErrorMessage class containing string constants used by error codes and messages.\n */\nexport const unexpectedError = \"unexpected_error\";\nexport const postRequestFailed = \"post_request_failed\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport * as CacheErrorCodes from \"./CacheErrorCodes.js\";\nexport { CacheErrorCodes };\n\nexport const CacheErrorMessages = {\n [CacheErrorCodes.cacheQuotaExceededErrorCode]:\n \"Exceeded cache storage capacity.\",\n [CacheErrorCodes.cacheUnknownErrorCode]:\n \"Unexpected error occurred when using cache storage.\",\n};\n\n/**\n * Error thrown when there is an error with the cache\n */\nexport class CacheError extends Error {\n /**\n * Short string denoting error\n */\n errorCode: string;\n\n /**\n * Detailed description of error\n */\n errorMessage: string;\n\n constructor(errorCode: string, errorMessage?: string) {\n const message =\n errorMessage ||\n (CacheErrorMessages[errorCode]\n ? CacheErrorMessages[errorCode]\n : CacheErrorMessages[CacheErrorCodes.cacheUnknownErrorCode]);\n\n super(`${errorCode}: ${message}`);\n Object.setPrototypeOf(this, CacheError.prototype);\n\n this.name = \"CacheError\";\n this.errorCode = errorCode;\n this.errorMessage = message;\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nexport const cacheQuotaExceededErrorCode = \"cache_quota_exceeded\";\nexport const cacheUnknownErrorCode = \"cache_error_unknown\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { AuthError } from \"./AuthError.js\";\nimport * as ClientAuthErrorCodes from \"./ClientAuthErrorCodes.js\";\nexport { ClientAuthErrorCodes }; // Allow importing as \"ClientAuthErrorCodes\";\n\n/**\n * ClientAuthErrorMessage class containing string constants used by error codes and messages.\n */\n\nexport const ClientAuthErrorMessages = {\n [ClientAuthErrorCodes.clientInfoDecodingError]:\n \"The client info could not be parsed/decoded correctly\",\n [ClientAuthErrorCodes.clientInfoEmptyError]: \"The client info was empty\",\n [ClientAuthErrorCodes.tokenParsingError]: \"Token cannot be parsed\",\n [ClientAuthErrorCodes.nullOrEmptyToken]: \"The token is null or empty\",\n [ClientAuthErrorCodes.endpointResolutionError]:\n \"Endpoints cannot be resolved\",\n [ClientAuthErrorCodes.networkError]: \"Network request failed\",\n [ClientAuthErrorCodes.openIdConfigError]:\n \"Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.\",\n [ClientAuthErrorCodes.hashNotDeserialized]:\n \"The hash parameters could not be deserialized\",\n [ClientAuthErrorCodes.invalidState]: \"State was not the expected format\",\n [ClientAuthErrorCodes.stateMismatch]: \"State mismatch error\",\n [ClientAuthErrorCodes.stateNotFound]: \"State not found\",\n [ClientAuthErrorCodes.nonceMismatch]: \"Nonce mismatch error\",\n [ClientAuthErrorCodes.authTimeNotFound]:\n \"Max Age was requested and the ID token is missing the auth_time variable.\" +\n \" auth_time is an optional claim and is not enabled by default - it must be enabled.\" +\n \" See https://aka.ms/msaljs/optional-claims for more information.\",\n [ClientAuthErrorCodes.maxAgeTranspired]:\n \"Max Age is set to 0, or too much time has elapsed since the last end-user authentication.\",\n [ClientAuthErrorCodes.multipleMatchingTokens]:\n \"The cache contains multiple tokens satisfying the requirements. \" +\n \"Call AcquireToken again providing more requirements such as authority or account.\",\n [ClientAuthErrorCodes.multipleMatchingAccounts]:\n \"The cache contains multiple accounts satisfying the given parameters. Please pass more info to obtain the correct account\",\n [ClientAuthErrorCodes.multipleMatchingAppMetadata]:\n \"The cache contains multiple appMetadata satisfying the given parameters. Please pass more info to obtain the correct appMetadata\",\n [ClientAuthErrorCodes.requestCannotBeMade]:\n \"Token request cannot be made without authorization code or refresh token.\",\n [ClientAuthErrorCodes.cannotRemoveEmptyScope]:\n \"Cannot remove null or empty scope from ScopeSet\",\n [ClientAuthErrorCodes.cannotAppendScopeSet]: \"Cannot append ScopeSet\",\n [ClientAuthErrorCodes.emptyInputScopeSet]:\n \"Empty input ScopeSet cannot be processed\",\n [ClientAuthErrorCodes.deviceCodePollingCancelled]:\n \"Caller has cancelled token endpoint polling during device code flow by setting DeviceCodeRequest.cancel = true.\",\n [ClientAuthErrorCodes.deviceCodeExpired]: \"Device code is expired.\",\n [ClientAuthErrorCodes.deviceCodeUnknownError]:\n \"Device code stopped polling for unknown reasons.\",\n [ClientAuthErrorCodes.noAccountInSilentRequest]:\n \"Please pass an account object, silent flow is not supported without account information\",\n [ClientAuthErrorCodes.invalidCacheRecord]:\n \"Cache record object was null or undefined.\",\n [ClientAuthErrorCodes.invalidCacheEnvironment]:\n \"Invalid environment when attempting to create cache entry\",\n [ClientAuthErrorCodes.noAccountFound]:\n \"No account found in cache for given key.\",\n [ClientAuthErrorCodes.noCryptoObject]: \"No crypto object detected.\",\n [ClientAuthErrorCodes.unexpectedCredentialType]:\n \"Unexpected credential type.\",\n [ClientAuthErrorCodes.invalidAssertion]:\n \"Client assertion must meet requirements described in https://tools.ietf.org/html/rfc7515\",\n [ClientAuthErrorCodes.invalidClientCredential]:\n \"Client credential (secret, certificate, or assertion) must not be empty when creating a confidential client. An application should at most have one credential\",\n [ClientAuthErrorCodes.tokenRefreshRequired]:\n \"Cannot return token from cache because it must be refreshed. This may be due to one of the following reasons: forceRefresh parameter is set to true, claims have been requested, there is no cached access token or it is expired.\",\n [ClientAuthErrorCodes.userTimeoutReached]:\n \"User defined timeout for device code polling reached\",\n [ClientAuthErrorCodes.tokenClaimsCnfRequiredForSignedJwt]:\n \"Cannot generate a POP jwt if the token_claims are not populated\",\n [ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse]:\n \"Server response does not contain an authorization code to proceed\",\n [ClientAuthErrorCodes.bindingKeyNotRemoved]:\n \"Could not remove the credential's binding key from storage.\",\n [ClientAuthErrorCodes.endSessionEndpointNotSupported]:\n \"The provided authority does not support logout\",\n [ClientAuthErrorCodes.keyIdMissing]:\n \"A keyId value is missing from the requested bound token's cache record and is required to match the token to it's stored binding key.\",\n [ClientAuthErrorCodes.noNetworkConnectivity]:\n \"No network connectivity. Check your internet connection.\",\n [ClientAuthErrorCodes.userCanceled]: \"User cancelled the flow.\",\n [ClientAuthErrorCodes.missingTenantIdError]:\n \"A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.\",\n [ClientAuthErrorCodes.methodNotImplemented]:\n \"This method has not been implemented\",\n [ClientAuthErrorCodes.nestedAppAuthBridgeDisabled]:\n \"The nested app auth bridge is disabled\",\n};\n\n/**\n * String constants used by error codes and messages.\n * @deprecated Use ClientAuthErrorCodes instead\n */\nexport const ClientAuthErrorMessage = {\n clientInfoDecodingError: {\n code: ClientAuthErrorCodes.clientInfoDecodingError,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.clientInfoDecodingError\n ],\n },\n clientInfoEmptyError: {\n code: ClientAuthErrorCodes.clientInfoEmptyError,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.clientInfoEmptyError\n ],\n },\n tokenParsingError: {\n code: ClientAuthErrorCodes.tokenParsingError,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.tokenParsingError],\n },\n nullOrEmptyToken: {\n code: ClientAuthErrorCodes.nullOrEmptyToken,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.nullOrEmptyToken],\n },\n endpointResolutionError: {\n code: ClientAuthErrorCodes.endpointResolutionError,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.endpointResolutionError\n ],\n },\n networkError: {\n code: ClientAuthErrorCodes.networkError,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.networkError],\n },\n unableToGetOpenidConfigError: {\n code: ClientAuthErrorCodes.openIdConfigError,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.openIdConfigError],\n },\n hashNotDeserialized: {\n code: ClientAuthErrorCodes.hashNotDeserialized,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.hashNotDeserialized],\n },\n invalidStateError: {\n code: ClientAuthErrorCodes.invalidState,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.invalidState],\n },\n stateMismatchError: {\n code: ClientAuthErrorCodes.stateMismatch,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.stateMismatch],\n },\n stateNotFoundError: {\n code: ClientAuthErrorCodes.stateNotFound,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.stateNotFound],\n },\n nonceMismatchError: {\n code: ClientAuthErrorCodes.nonceMismatch,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.nonceMismatch],\n },\n authTimeNotFoundError: {\n code: ClientAuthErrorCodes.authTimeNotFound,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.authTimeNotFound],\n },\n maxAgeTranspired: {\n code: ClientAuthErrorCodes.maxAgeTranspired,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.maxAgeTranspired],\n },\n multipleMatchingTokens: {\n code: ClientAuthErrorCodes.multipleMatchingTokens,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.multipleMatchingTokens\n ],\n },\n multipleMatchingAccounts: {\n code: ClientAuthErrorCodes.multipleMatchingAccounts,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.multipleMatchingAccounts\n ],\n },\n multipleMatchingAppMetadata: {\n code: ClientAuthErrorCodes.multipleMatchingAppMetadata,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.multipleMatchingAppMetadata\n ],\n },\n tokenRequestCannotBeMade: {\n code: ClientAuthErrorCodes.requestCannotBeMade,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.requestCannotBeMade],\n },\n removeEmptyScopeError: {\n code: ClientAuthErrorCodes.cannotRemoveEmptyScope,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.cannotRemoveEmptyScope\n ],\n },\n appendScopeSetError: {\n code: ClientAuthErrorCodes.cannotAppendScopeSet,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.cannotAppendScopeSet\n ],\n },\n emptyInputScopeSetError: {\n code: ClientAuthErrorCodes.emptyInputScopeSet,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.emptyInputScopeSet],\n },\n DeviceCodePollingCancelled: {\n code: ClientAuthErrorCodes.deviceCodePollingCancelled,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.deviceCodePollingCancelled\n ],\n },\n DeviceCodeExpired: {\n code: ClientAuthErrorCodes.deviceCodeExpired,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.deviceCodeExpired],\n },\n DeviceCodeUnknownError: {\n code: ClientAuthErrorCodes.deviceCodeUnknownError,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.deviceCodeUnknownError\n ],\n },\n NoAccountInSilentRequest: {\n code: ClientAuthErrorCodes.noAccountInSilentRequest,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.noAccountInSilentRequest\n ],\n },\n invalidCacheRecord: {\n code: ClientAuthErrorCodes.invalidCacheRecord,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.invalidCacheRecord],\n },\n invalidCacheEnvironment: {\n code: ClientAuthErrorCodes.invalidCacheEnvironment,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.invalidCacheEnvironment\n ],\n },\n noAccountFound: {\n code: ClientAuthErrorCodes.noAccountFound,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.noAccountFound],\n },\n noCryptoObj: {\n code: ClientAuthErrorCodes.noCryptoObject,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.noCryptoObject],\n },\n unexpectedCredentialType: {\n code: ClientAuthErrorCodes.unexpectedCredentialType,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.unexpectedCredentialType\n ],\n },\n invalidAssertion: {\n code: ClientAuthErrorCodes.invalidAssertion,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.invalidAssertion],\n },\n invalidClientCredential: {\n code: ClientAuthErrorCodes.invalidClientCredential,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.invalidClientCredential\n ],\n },\n tokenRefreshRequired: {\n code: ClientAuthErrorCodes.tokenRefreshRequired,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.tokenRefreshRequired\n ],\n },\n userTimeoutReached: {\n code: ClientAuthErrorCodes.userTimeoutReached,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.userTimeoutReached],\n },\n tokenClaimsRequired: {\n code: ClientAuthErrorCodes.tokenClaimsCnfRequiredForSignedJwt,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.tokenClaimsCnfRequiredForSignedJwt\n ],\n },\n noAuthorizationCodeFromServer: {\n code: ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse\n ],\n },\n bindingKeyNotRemovedError: {\n code: ClientAuthErrorCodes.bindingKeyNotRemoved,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.bindingKeyNotRemoved\n ],\n },\n logoutNotSupported: {\n code: ClientAuthErrorCodes.endSessionEndpointNotSupported,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.endSessionEndpointNotSupported\n ],\n },\n keyIdMissing: {\n code: ClientAuthErrorCodes.keyIdMissing,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.keyIdMissing],\n },\n noNetworkConnectivity: {\n code: ClientAuthErrorCodes.noNetworkConnectivity,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.noNetworkConnectivity\n ],\n },\n userCanceledError: {\n code: ClientAuthErrorCodes.userCanceled,\n desc: ClientAuthErrorMessages[ClientAuthErrorCodes.userCanceled],\n },\n missingTenantIdError: {\n code: ClientAuthErrorCodes.missingTenantIdError,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.missingTenantIdError\n ],\n },\n nestedAppAuthBridgeDisabled: {\n code: ClientAuthErrorCodes.nestedAppAuthBridgeDisabled,\n desc: ClientAuthErrorMessages[\n ClientAuthErrorCodes.nestedAppAuthBridgeDisabled\n ],\n },\n};\n\n/**\n * Error thrown when there is an error in the client code running on the browser.\n */\nexport class ClientAuthError extends AuthError {\n constructor(errorCode: string, additionalMessage?: string) {\n super(\n errorCode,\n additionalMessage\n ? `${ClientAuthErrorMessages[errorCode]}: ${additionalMessage}`\n : ClientAuthErrorMessages[errorCode]\n );\n this.name = \"ClientAuthError\";\n\n Object.setPrototypeOf(this, ClientAuthError.prototype);\n }\n}\n\nexport function createClientAuthError(\n errorCode: string,\n additionalMessage?: string\n): ClientAuthError {\n return new ClientAuthError(errorCode, additionalMessage);\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nexport const clientInfoDecodingError = \"client_info_decoding_error\";\nexport const clientInfoEmptyError = \"client_info_empty_error\";\nexport const tokenParsingError = \"token_parsing_error\";\nexport const nullOrEmptyToken = \"null_or_empty_token\";\nexport const endpointResolutionError = \"endpoints_resolution_error\";\nexport const networkError = \"network_error\";\nexport const openIdConfigError = \"openid_config_error\";\nexport const hashNotDeserialized = \"hash_not_deserialized\";\nexport const invalidState = \"invalid_state\";\nexport const stateMismatch = \"state_mismatch\";\nexport const stateNotFound = \"state_not_found\";\nexport const nonceMismatch = \"nonce_mismatch\";\nexport const authTimeNotFound = \"auth_time_not_found\";\nexport const maxAgeTranspired = \"max_age_transpired\";\nexport const multipleMatchingTokens = \"multiple_matching_tokens\";\nexport const multipleMatchingAccounts = \"multiple_matching_accounts\";\nexport const multipleMatchingAppMetadata = \"multiple_matching_appMetadata\";\nexport const requestCannotBeMade = \"request_cannot_be_made\";\nexport const cannotRemoveEmptyScope = \"cannot_remove_empty_scope\";\nexport const cannotAppendScopeSet = \"cannot_append_scopeset\";\nexport const emptyInputScopeSet = \"empty_input_scopeset\";\nexport const deviceCodePollingCancelled = \"device_code_polling_cancelled\";\nexport const deviceCodeExpired = \"device_code_expired\";\nexport const deviceCodeUnknownError = \"device_code_unknown_error\";\nexport const noAccountInSilentRequest = \"no_account_in_silent_request\";\nexport const invalidCacheRecord = \"invalid_cache_record\";\nexport const invalidCacheEnvironment = \"invalid_cache_environment\";\nexport const noAccountFound = \"no_account_found\";\nexport const noCryptoObject = \"no_crypto_object\";\nexport const unexpectedCredentialType = \"unexpected_credential_type\";\nexport const invalidAssertion = \"invalid_assertion\";\nexport const invalidClientCredential = \"invalid_client_credential\";\nexport const tokenRefreshRequired = \"token_refresh_required\";\nexport const userTimeoutReached = \"user_timeout_reached\";\nexport const tokenClaimsCnfRequiredForSignedJwt =\n \"token_claims_cnf_required_for_signedjwt\";\nexport const authorizationCodeMissingFromServerResponse =\n \"authorization_code_missing_from_server_response\";\nexport const bindingKeyNotRemoved = \"binding_key_not_removed\";\nexport const endSessionEndpointNotSupported =\n \"end_session_endpoint_not_supported\";\nexport const keyIdMissing = \"key_id_missing\";\nexport const noNetworkConnectivity = \"no_network_connectivity\";\nexport const userCanceled = \"user_canceled\";\nexport const missingTenantIdError = \"missing_tenant_id_error\";\nexport const methodNotImplemented = \"method_not_implemented\";\nexport const nestedAppAuthBridgeDisabled = \"nested_app_auth_bridge_disabled\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { AuthError } from \"./AuthError.js\";\nimport * as ClientConfigurationErrorCodes from \"./ClientConfigurationErrorCodes.js\";\nexport { ClientConfigurationErrorCodes };\n\nexport const ClientConfigurationErrorMessages = {\n [ClientConfigurationErrorCodes.redirectUriEmpty]:\n \"A redirect URI is required for all calls, and none has been set.\",\n [ClientConfigurationErrorCodes.claimsRequestParsingError]:\n \"Could not parse the given claims request object.\",\n [ClientConfigurationErrorCodes.authorityUriInsecure]:\n \"Authority URIs must use https. Please see here for valid authority configuration options: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-js-initializing-client-applications#configuration-options\",\n [ClientConfigurationErrorCodes.urlParseError]:\n \"URL could not be parsed into appropriate segments.\",\n [ClientConfigurationErrorCodes.urlEmptyError]: \"URL was empty or null.\",\n [ClientConfigurationErrorCodes.emptyInputScopesError]:\n \"Scopes cannot be passed as null, undefined or empty array because they are required to obtain an access token.\",\n [ClientConfigurationErrorCodes.invalidPromptValue]:\n \"Please see here for valid configuration options: https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#commonauthorizationurlrequest\",\n [ClientConfigurationErrorCodes.invalidClaims]:\n \"Given claims parameter must be a stringified JSON object.\",\n [ClientConfigurationErrorCodes.tokenRequestEmpty]:\n \"Token request was empty and not found in cache.\",\n [ClientConfigurationErrorCodes.logoutRequestEmpty]:\n \"The logout request was null or undefined.\",\n [ClientConfigurationErrorCodes.invalidCodeChallengeMethod]:\n 'code_challenge_method passed is invalid. Valid values are \"plain\" and \"S256\".',\n [ClientConfigurationErrorCodes.pkceParamsMissing]:\n \"Both params: code_challenge and code_challenge_method are to be passed if to be sent in the request\",\n [ClientConfigurationErrorCodes.invalidCloudDiscoveryMetadata]:\n \"Invalid cloudDiscoveryMetadata provided. Must be a stringified JSON object containing tenant_discovery_endpoint and metadata fields\",\n [ClientConfigurationErrorCodes.invalidAuthorityMetadata]:\n \"Invalid authorityMetadata provided. Must by a stringified JSON object containing authorization_endpoint, token_endpoint, issuer fields.\",\n [ClientConfigurationErrorCodes.untrustedAuthority]:\n \"The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.\",\n [ClientConfigurationErrorCodes.missingSshJwk]:\n \"Missing sshJwk in SSH certificate request. A stringified JSON Web Key is required when using the SSH authentication scheme.\",\n [ClientConfigurationErrorCodes.missingSshKid]:\n \"Missing sshKid in SSH certificate request. A string that uniquely identifies the public SSH key is required when using the SSH authentication scheme.\",\n [ClientConfigurationErrorCodes.missingNonceAuthenticationHeader]:\n \"Unable to find an authentication header containing server nonce. Either the Authentication-Info or WWW-Authenticate headers must be present in order to obtain a server nonce.\",\n [ClientConfigurationErrorCodes.invalidAuthenticationHeader]:\n \"Invalid authentication header provided\",\n [ClientConfigurationErrorCodes.cannotSetOIDCOptions]:\n \"Cannot set OIDCOptions parameter. Please change the protocol mode to OIDC or use a non-Microsoft authority.\",\n [ClientConfigurationErrorCodes.cannotAllowNativeBroker]:\n \"Cannot set allowNativeBroker parameter to true when not in AAD protocol mode.\",\n [ClientConfigurationErrorCodes.authorityMismatch]:\n \"Authority mismatch error. Authority provided in login request or PublicClientApplication config does not match the environment of the provided account. Please use a matching account or make an interactive request to login to this authority.\",\n};\n\n/**\n * ClientConfigurationErrorMessage class containing string constants used by error codes and messages.\n * @deprecated Use ClientConfigurationErrorCodes instead\n */\nexport const ClientConfigurationErrorMessage = {\n redirectUriNotSet: {\n code: ClientConfigurationErrorCodes.redirectUriEmpty,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.redirectUriEmpty\n ],\n },\n claimsRequestParsingError: {\n code: ClientConfigurationErrorCodes.claimsRequestParsingError,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.claimsRequestParsingError\n ],\n },\n authorityUriInsecure: {\n code: ClientConfigurationErrorCodes.authorityUriInsecure,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.authorityUriInsecure\n ],\n },\n urlParseError: {\n code: ClientConfigurationErrorCodes.urlParseError,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.urlParseError\n ],\n },\n urlEmptyError: {\n code: ClientConfigurationErrorCodes.urlEmptyError,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.urlEmptyError\n ],\n },\n emptyScopesError: {\n code: ClientConfigurationErrorCodes.emptyInputScopesError,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.emptyInputScopesError\n ],\n },\n invalidPrompt: {\n code: ClientConfigurationErrorCodes.invalidPromptValue,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidPromptValue\n ],\n },\n invalidClaimsRequest: {\n code: ClientConfigurationErrorCodes.invalidClaims,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidClaims\n ],\n },\n tokenRequestEmptyError: {\n code: ClientConfigurationErrorCodes.tokenRequestEmpty,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.tokenRequestEmpty\n ],\n },\n logoutRequestEmptyError: {\n code: ClientConfigurationErrorCodes.logoutRequestEmpty,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.logoutRequestEmpty\n ],\n },\n invalidCodeChallengeMethod: {\n code: ClientConfigurationErrorCodes.invalidCodeChallengeMethod,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidCodeChallengeMethod\n ],\n },\n invalidCodeChallengeParams: {\n code: ClientConfigurationErrorCodes.pkceParamsMissing,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.pkceParamsMissing\n ],\n },\n invalidCloudDiscoveryMetadata: {\n code: ClientConfigurationErrorCodes.invalidCloudDiscoveryMetadata,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidCloudDiscoveryMetadata\n ],\n },\n invalidAuthorityMetadata: {\n code: ClientConfigurationErrorCodes.invalidAuthorityMetadata,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidAuthorityMetadata\n ],\n },\n untrustedAuthority: {\n code: ClientConfigurationErrorCodes.untrustedAuthority,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.untrustedAuthority\n ],\n },\n missingSshJwk: {\n code: ClientConfigurationErrorCodes.missingSshJwk,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.missingSshJwk\n ],\n },\n missingSshKid: {\n code: ClientConfigurationErrorCodes.missingSshKid,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.missingSshKid\n ],\n },\n missingNonceAuthenticationHeader: {\n code: ClientConfigurationErrorCodes.missingNonceAuthenticationHeader,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.missingNonceAuthenticationHeader\n ],\n },\n invalidAuthenticationHeader: {\n code: ClientConfigurationErrorCodes.invalidAuthenticationHeader,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.invalidAuthenticationHeader\n ],\n },\n cannotSetOIDCOptions: {\n code: ClientConfigurationErrorCodes.cannotSetOIDCOptions,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.cannotSetOIDCOptions\n ],\n },\n cannotAllowNativeBroker: {\n code: ClientConfigurationErrorCodes.cannotAllowNativeBroker,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.cannotAllowNativeBroker\n ],\n },\n authorityMismatch: {\n code: ClientConfigurationErrorCodes.authorityMismatch,\n desc: ClientConfigurationErrorMessages[\n ClientConfigurationErrorCodes.authorityMismatch\n ],\n },\n};\n\n/**\n * Error thrown when there is an error in configuration of the MSAL.js library.\n */\nexport class ClientConfigurationError extends AuthError {\n constructor(errorCode: string) {\n super(errorCode, ClientConfigurationErrorMessages[errorCode]);\n this.name = \"ClientConfigurationError\";\n Object.setPrototypeOf(this, ClientConfigurationError.prototype);\n }\n}\n\nexport function createClientConfigurationError(\n errorCode: string\n): ClientConfigurationError {\n return new ClientConfigurationError(errorCode);\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nexport const redirectUriEmpty = \"redirect_uri_empty\";\nexport const claimsRequestParsingError = \"claims_request_parsing_error\";\nexport const authorityUriInsecure = \"authority_uri_insecure\";\nexport const urlParseError = \"url_parse_error\";\nexport const urlEmptyError = \"empty_url_error\";\nexport const emptyInputScopesError = \"empty_input_scopes_error\";\nexport const invalidPromptValue = \"invalid_prompt_value\";\nexport const invalidClaims = \"invalid_claims\";\nexport const tokenRequestEmpty = \"token_request_empty\";\nexport const logoutRequestEmpty = \"logout_request_empty\";\nexport const invalidCodeChallengeMethod = \"invalid_code_challenge_method\";\nexport const pkceParamsMissing = \"pkce_params_missing\";\nexport const invalidCloudDiscoveryMetadata = \"invalid_cloud_discovery_metadata\";\nexport const invalidAuthorityMetadata = \"invalid_authority_metadata\";\nexport const untrustedAuthority = \"untrusted_authority\";\nexport const missingSshJwk = \"missing_ssh_jwk\";\nexport const missingSshKid = \"missing_ssh_kid\";\nexport const missingNonceAuthenticationHeader =\n \"missing_nonce_authentication_header\";\nexport const invalidAuthenticationHeader = \"invalid_authentication_header\";\nexport const cannotSetOIDCOptions = \"cannot_set_OIDCOptions\";\nexport const cannotAllowNativeBroker = \"cannot_allow_native_broker\";\nexport const authorityMismatch = \"authority_mismatch\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { Constants } from \"../utils/Constants.js\";\nimport { AuthError } from \"./AuthError.js\";\nimport * as InteractionRequiredAuthErrorCodes from \"./InteractionRequiredAuthErrorCodes.js\";\nexport { InteractionRequiredAuthErrorCodes };\n\n/**\n * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required\n */\nexport const InteractionRequiredServerErrorMessage = [\n InteractionRequiredAuthErrorCodes.interactionRequired,\n InteractionRequiredAuthErrorCodes.consentRequired,\n InteractionRequiredAuthErrorCodes.loginRequired,\n InteractionRequiredAuthErrorCodes.badToken,\n];\n\nexport const InteractionRequiredAuthSubErrorMessage = [\n \"message_only\",\n \"additional_action\",\n \"basic_action\",\n \"user_password_expired\",\n \"consent_required\",\n \"bad_token\",\n];\n\nconst InteractionRequiredAuthErrorMessages = {\n [InteractionRequiredAuthErrorCodes.noTokensFound]:\n \"No refresh token found in the cache. Please sign-in.\",\n [InteractionRequiredAuthErrorCodes.nativeAccountUnavailable]:\n \"The requested account is not available in the native broker. It may have been deleted or logged out. Please sign-in again using an interactive API.\",\n [InteractionRequiredAuthErrorCodes.refreshTokenExpired]:\n \"Refresh token has expired.\",\n [InteractionRequiredAuthErrorCodes.badToken]:\n \"Identity provider returned bad_token due to an expired or invalid refresh token. Please invoke an interactive API to resolve.\",\n};\n\n/**\n * Interaction required errors defined by the SDK\n * @deprecated Use InteractionRequiredAuthErrorCodes instead\n */\nexport const InteractionRequiredAuthErrorMessage = {\n noTokensFoundError: {\n code: InteractionRequiredAuthErrorCodes.noTokensFound,\n desc: InteractionRequiredAuthErrorMessages[\n InteractionRequiredAuthErrorCodes.noTokensFound\n ],\n },\n native_account_unavailable: {\n code: InteractionRequiredAuthErrorCodes.nativeAccountUnavailable,\n desc: InteractionRequiredAuthErrorMessages[\n InteractionRequiredAuthErrorCodes.nativeAccountUnavailable\n ],\n },\n bad_token: {\n code: InteractionRequiredAuthErrorCodes.badToken,\n desc: InteractionRequiredAuthErrorMessages[\n InteractionRequiredAuthErrorCodes.badToken\n ],\n },\n};\n\n/**\n * Error thrown when user interaction is required.\n */\nexport class InteractionRequiredAuthError extends AuthError {\n /**\n * The time the error occured at\n */\n timestamp: string;\n\n /**\n * TraceId associated with the error\n */\n traceId: string;\n\n /**\n * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/claims-challenge.md\n *\n * A string with extra claims needed for the token request to succeed\n * web site: redirect the user to the authorization page and set the extra claims\n * web api: include the claims in the WWW-Authenticate header that are sent back to the client so that it knows to request a token with the extra claims\n * desktop application or browser context: include the claims when acquiring the token interactively\n * app to app context (client_credentials): include the claims in the AcquireTokenByClientCredential request\n */\n claims: string;\n\n /**\n * Server error number;\n */\n readonly errorNo?: string;\n\n constructor(\n errorCode?: string,\n errorMessage?: string,\n subError?: string,\n timestamp?: string,\n traceId?: string,\n correlationId?: string,\n claims?: string,\n errorNo?: string\n ) {\n super(errorCode, errorMessage, subError);\n Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);\n\n this.timestamp = timestamp || Constants.EMPTY_STRING;\n this.traceId = traceId || Constants.EMPTY_STRING;\n this.correlationId = correlationId || Constants.EMPTY_STRING;\n this.claims = claims || Constants.EMPTY_STRING;\n this.name = \"InteractionRequiredAuthError\";\n this.errorNo = errorNo;\n }\n}\n\n/**\n * Helper function used to determine if an error thrown by the server requires interaction to resolve\n * @param errorCode\n * @param errorString\n * @param subError\n */\nexport function isInteractionRequiredError(\n errorCode?: string,\n errorString?: string,\n subError?: string\n): boolean {\n const isInteractionRequiredErrorCode =\n !!errorCode &&\n InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;\n const isInteractionRequiredSubError =\n !!subError &&\n InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;\n const isInteractionRequiredErrorDesc =\n !!errorString &&\n InteractionRequiredServerErrorMessage.some((irErrorCode) => {\n return errorString.indexOf(irErrorCode) > -1;\n });\n\n return (\n isInteractionRequiredErrorCode ||\n isInteractionRequiredErrorDesc ||\n isInteractionRequiredSubError\n );\n}\n\n/**\n * Creates an InteractionRequiredAuthError\n */\nexport function createInteractionRequiredAuthError(\n errorCode: string\n): InteractionRequiredAuthError {\n return new InteractionRequiredAuthError(\n errorCode,\n InteractionRequiredAuthErrorMessages[errorCode]\n );\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\n// Codes defined by MSAL\nexport const noTokensFound = \"no_tokens_found\";\nexport const nativeAccountUnavailable = \"native_account_unavailable\";\nexport const refreshTokenExpired = \"refresh_token_expired\";\n\n// Codes potentially returned by server\nexport const interactionRequired = \"interaction_required\";\nexport const consentRequired = \"consent_required\";\nexport const loginRequired = \"login_required\";\nexport const badToken = \"bad_token\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { AuthError } from \"./AuthError.js\";\n\n/**\n * Error thrown when there is an error with the server code, for example, unavailability.\n */\nexport class ServerError extends AuthError {\n /**\n * Server error number;\n */\n readonly errorNo?: string;\n\n /**\n * Http status number;\n */\n readonly status?: number;\n\n constructor(\n errorCode?: string,\n errorMessage?: string,\n subError?: string,\n errorNo?: string,\n status?: number\n ) {\n super(errorCode, errorMessage, subError);\n this.name = \"ServerError\";\n this.errorNo = errorNo;\n this.status = status;\n\n Object.setPrototypeOf(this, ServerError.prototype);\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\nimport { BaseAuthRequest } from \"../request/BaseAuthRequest.js\";\nimport { ShrOptions, SignedHttpRequest } from \"./SignedHttpRequest.js\";\n\n/**\n * The PkceCodes type describes the structure\n * of objects that contain PKCE code\n * challenge and verifier pairs\n */\nexport type PkceCodes = {\n verifier: string;\n challenge: string;\n};\n\nexport type SignedHttpRequestParameters = Pick<\n BaseAuthRequest,\n | \"resourceRequestMethod\"\n | \"resourceRequestUri\"\n | \"shrClaims\"\n | \"shrNonce\"\n | \"shrOptions\"\n> & {\n correlationId?: string;\n};\n\n/**\n * Interface for crypto functions used by library\n */\nexport interface ICrypto {\n /**\n * Creates a guid randomly.\n */\n createNewGuid(): string;\n /**\n * base64 Encode string\n * @param input\n */\n base64Encode(input: string): string;\n /**\n * base64 decode string\n * @param input\n */\n base64Decode(input: string): string;\n /**\n * base64 URL safe encoded string\n */\n base64UrlEncode(input: string): string;\n /**\n * Stringifies and base64Url encodes input public key\n * @param inputKid\n * @returns Base64Url encoded public key\n */\n encodeKid(inputKid: string): string;\n /**\n * Generates an JWK RSA S256 Thumbprint\n * @param request\n */\n getPublicKeyThumbprint(\n request: SignedHttpRequestParameters\n ): Promise;\n /**\n * Removes cryptographic keypair from key store matching the keyId passed in\n * @param kid\n */\n removeTokenBindingKey(kid: string): Promise;\n /**\n * Removes all cryptographic keys from IndexedDB storage\n */\n clearKeystore(): Promise;\n /**\n * Returns a signed proof-of-possession token with a given acces token that contains a cnf claim with the required kid.\n * @param accessToken\n */\n signJwt(\n payload: SignedHttpRequest,\n kid: string,\n shrOptions?: ShrOptions,\n correlationId?: string\n ): Promise;\n /**\n * Returns the SHA-256 hash of an input string\n * @param plainText\n */\n hashString(plainText: string): Promise;\n}\n\nexport const DEFAULT_CRYPTO_IMPLEMENTATION: ICrypto = {\n createNewGuid: (): string => {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n base64Decode: (): string => {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n base64Encode: (): string => {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n base64UrlEncode: (): string => {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n encodeKid: (): string => {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async getPublicKeyThumbprint(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async removeTokenBindingKey(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async clearKeystore(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async signJwt(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async hashString(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n};\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { LoggerOptions } from \"../config/ClientConfiguration.js\";\nimport { Constants } from \"../utils/Constants.js\";\n\n/**\n * Options for logger messages.\n */\nexport type LoggerMessageOptions = {\n logLevel: LogLevel;\n containsPii?: boolean;\n context?: string;\n correlationId?: string;\n};\n\n/**\n * Log message level.\n */\nexport enum LogLevel {\n Error,\n Warning,\n Info,\n Verbose,\n Trace,\n}\n\n/**\n * Callback to send the messages to.\n */\nexport interface ILoggerCallback {\n (level: LogLevel, message: string, containsPii: boolean): void;\n}\n\n/**\n * Class which facilitates logging of messages to a specific place.\n */\nexport class Logger {\n // Correlation ID for request, usually set by user.\n private correlationId: string;\n\n // Current log level, defaults to info.\n private level: LogLevel = LogLevel.Info;\n\n // Boolean describing whether PII logging is allowed.\n private piiLoggingEnabled: boolean;\n\n // Callback to send messages to.\n private localCallback: ILoggerCallback;\n\n // Package name implementing this logger\n private packageName: string;\n\n // Package version implementing this logger\n private packageVersion: string;\n\n constructor(\n loggerOptions: LoggerOptions,\n packageName?: string,\n packageVersion?: string\n ) {\n const defaultLoggerCallback = () => {\n return;\n };\n const setLoggerOptions =\n loggerOptions || Logger.createDefaultLoggerOptions();\n this.localCallback =\n setLoggerOptions.loggerCallback || defaultLoggerCallback;\n this.piiLoggingEnabled = setLoggerOptions.piiLoggingEnabled || false;\n this.level =\n typeof setLoggerOptions.logLevel === \"number\"\n ? setLoggerOptions.logLevel\n : LogLevel.Info;\n this.correlationId =\n setLoggerOptions.correlationId || Constants.EMPTY_STRING;\n this.packageName = packageName || Constants.EMPTY_STRING;\n this.packageVersion = packageVersion || Constants.EMPTY_STRING;\n }\n\n private static createDefaultLoggerOptions(): LoggerOptions {\n return {\n loggerCallback: () => {\n // allow users to not set loggerCallback\n },\n piiLoggingEnabled: false,\n logLevel: LogLevel.Info,\n };\n }\n\n /**\n * Create new Logger with existing configurations.\n */\n public clone(\n packageName: string,\n packageVersion: string,\n correlationId?: string\n ): Logger {\n return new Logger(\n {\n loggerCallback: this.localCallback,\n piiLoggingEnabled: this.piiLoggingEnabled,\n logLevel: this.level,\n correlationId: correlationId || this.correlationId,\n },\n packageName,\n packageVersion\n );\n }\n\n /**\n * Log message with required options.\n */\n private logMessage(\n logMessage: string,\n options: LoggerMessageOptions\n ): void {\n if (\n options.logLevel > this.level ||\n (!this.piiLoggingEnabled && options.containsPii)\n ) {\n return;\n }\n const timestamp = new Date().toUTCString();\n\n // Add correlationId to logs if set, correlationId provided on log messages take precedence\n const logHeader = `[${timestamp}] : [${\n options.correlationId || this.correlationId || \"\"\n }]`;\n\n const log = `${logHeader} : ${this.packageName}@${\n this.packageVersion\n } : ${LogLevel[options.logLevel]} - ${logMessage}`;\n // debug(`msal:${LogLevel[options.logLevel]}${options.containsPii ? \"-Pii\": Constants.EMPTY_STRING}${options.context ? `:${options.context}` : Constants.EMPTY_STRING}`)(logMessage);\n this.executeCallback(\n options.logLevel,\n log,\n options.containsPii || false\n );\n }\n\n /**\n * Execute callback with message.\n */\n executeCallback(\n level: LogLevel,\n message: string,\n containsPii: boolean\n ): void {\n if (this.localCallback) {\n this.localCallback(level, message, containsPii);\n }\n }\n\n /**\n * Logs error messages.\n */\n error(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Error,\n containsPii: false,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs error messages with PII.\n */\n errorPii(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Error,\n containsPii: true,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs warning messages.\n */\n warning(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Warning,\n containsPii: false,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs warning messages with PII.\n */\n warningPii(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Warning,\n containsPii: true,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs info messages.\n */\n info(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Info,\n containsPii: false,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs info messages with PII.\n */\n infoPii(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Info,\n containsPii: true,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs verbose messages.\n */\n verbose(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Verbose,\n containsPii: false,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs verbose messages with PII.\n */\n verbosePii(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Verbose,\n containsPii: true,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs trace messages.\n */\n trace(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Trace,\n containsPii: false,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Logs trace messages with PII.\n */\n tracePii(message: string, correlationId?: string): void {\n this.logMessage(message, {\n logLevel: LogLevel.Trace,\n containsPii: true,\n correlationId: correlationId || Constants.EMPTY_STRING,\n });\n }\n\n /**\n * Returns whether PII Logging is enabled or not.\n */\n isPiiLoggingEnabled(): boolean {\n return this.piiLoggingEnabled || false;\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n AccountFilter,\n CredentialFilter,\n ValidCredentialType,\n AppMetadataFilter,\n AppMetadataCache,\n TokenKeys,\n TenantProfileFilter,\n} from \"./utils/CacheTypes.js\";\nimport { CacheRecord } from \"./entities/CacheRecord.js\";\nimport {\n CredentialType,\n APP_METADATA,\n THE_FAMILY_ID,\n AUTHORITY_METADATA_CONSTANTS,\n AuthenticationScheme,\n Separators,\n} from \"../utils/Constants.js\";\nimport { CredentialEntity } from \"./entities/CredentialEntity.js\";\nimport { generateCredentialKey } from \"./utils/CacheHelpers.js\";\nimport { ScopeSet } from \"../request/ScopeSet.js\";\nimport { AccountEntity } from \"./entities/AccountEntity.js\";\nimport { AccessTokenEntity } from \"./entities/AccessTokenEntity.js\";\nimport { IdTokenEntity } from \"./entities/IdTokenEntity.js\";\nimport { RefreshTokenEntity } from \"./entities/RefreshTokenEntity.js\";\nimport { ICacheManager } from \"./interface/ICacheManager.js\";\nimport {\n createClientAuthError,\n ClientAuthErrorCodes,\n} from \"../error/ClientAuthError.js\";\nimport {\n AccountInfo,\n TenantProfile,\n tenantIdMatchesHomeTenant,\n updateAccountTenantProfileData,\n} from \"../account/AccountInfo.js\";\nimport { AppMetadataEntity } from \"./entities/AppMetadataEntity.js\";\nimport { ServerTelemetryEntity } from \"./entities/ServerTelemetryEntity.js\";\nimport { ThrottlingEntity } from \"./entities/ThrottlingEntity.js\";\nimport { extractTokenClaims } from \"../account/AuthToken.js\";\nimport { ICrypto } from \"../crypto/ICrypto.js\";\nimport { AuthorityMetadataEntity } from \"./entities/AuthorityMetadataEntity.js\";\nimport { BaseAuthRequest } from \"../request/BaseAuthRequest.js\";\nimport { Logger } from \"../logger/Logger.js\";\nimport { name, version } from \"../packageMetadata.js\";\nimport { StoreInCache } from \"../request/StoreInCache.js\";\nimport { getAliasesFromStaticSources } from \"../authority/AuthorityMetadata.js\";\nimport { StaticAuthorityOptions } from \"../authority/AuthorityOptions.js\";\nimport { TokenClaims } from \"../account/TokenClaims.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { CacheError, CacheErrorCodes } from \"../error/CacheError.js\";\n\n/**\n * Interface class which implement cache storage functions used by MSAL to perform validity checks, and store tokens.\n * @internal\n */\nexport abstract class CacheManager implements ICacheManager {\n protected clientId: string;\n protected cryptoImpl: ICrypto;\n // Instance of logger for functions defined in the msal-common layer\n private commonLogger: Logger;\n private staticAuthorityOptions?: StaticAuthorityOptions;\n\n constructor(\n clientId: string,\n cryptoImpl: ICrypto,\n logger: Logger,\n staticAuthorityOptions?: StaticAuthorityOptions\n ) {\n this.clientId = clientId;\n this.cryptoImpl = cryptoImpl;\n this.commonLogger = logger.clone(name, version);\n this.staticAuthorityOptions = staticAuthorityOptions;\n }\n\n /**\n * fetch the account entity from the platform cache\n * @param accountKey\n */\n abstract getAccount(\n accountKey: string,\n logger?: Logger\n ): AccountEntity | null;\n\n /**\n * Returns deserialized account if found in the cache, otherwiser returns null\n */\n abstract getCachedAccountEntity(accountKey: string): AccountEntity | null;\n\n /**\n * set account entity in the platform cache\n * @param account\n */\n abstract setAccount(account: AccountEntity): void;\n\n /**\n * remove account entity from the platform cache if it's outdated\n */\n abstract removeOutdatedAccount(accountKey: string): void;\n\n /**\n * fetch the idToken entity from the platform cache\n * @param idTokenKey\n */\n abstract getIdTokenCredential(idTokenKey: string): IdTokenEntity | null;\n\n /**\n * set idToken entity to the platform cache\n * @param idToken\n */\n abstract setIdTokenCredential(idToken: IdTokenEntity): void;\n\n /**\n * fetch the idToken entity from the platform cache\n * @param accessTokenKey\n */\n abstract getAccessTokenCredential(\n accessTokenKey: string\n ): AccessTokenEntity | null;\n\n /**\n * set idToken entity to the platform cache\n * @param accessToken\n */\n abstract setAccessTokenCredential(accessToken: AccessTokenEntity): void;\n\n /**\n * fetch the idToken entity from the platform cache\n * @param refreshTokenKey\n */\n abstract getRefreshTokenCredential(\n refreshTokenKey: string\n ): RefreshTokenEntity | null;\n\n /**\n * set idToken entity to the platform cache\n * @param refreshToken\n */\n abstract setRefreshTokenCredential(refreshToken: RefreshTokenEntity): void;\n\n /**\n * fetch appMetadata entity from the platform cache\n * @param appMetadataKey\n */\n abstract getAppMetadata(appMetadataKey: string): AppMetadataEntity | null;\n\n /**\n * set appMetadata entity to the platform cache\n * @param appMetadata\n */\n abstract setAppMetadata(appMetadata: AppMetadataEntity): void;\n\n /**\n * fetch server telemetry entity from the platform cache\n * @param serverTelemetryKey\n */\n abstract getServerTelemetry(\n serverTelemetryKey: string\n ): ServerTelemetryEntity | null;\n\n /**\n * set server telemetry entity to the platform cache\n * @param serverTelemetryKey\n * @param serverTelemetry\n */\n abstract setServerTelemetry(\n serverTelemetryKey: string,\n serverTelemetry: ServerTelemetryEntity\n ): void;\n\n /**\n * fetch cloud discovery metadata entity from the platform cache\n * @param key\n */\n abstract getAuthorityMetadata(key: string): AuthorityMetadataEntity | null;\n\n /**\n *\n */\n abstract getAuthorityMetadataKeys(): Array;\n\n /**\n * set cloud discovery metadata entity to the platform cache\n * @param key\n * @param value\n */\n abstract setAuthorityMetadata(\n key: string,\n value: AuthorityMetadataEntity\n ): void;\n\n /**\n * fetch throttling entity from the platform cache\n * @param throttlingCacheKey\n */\n abstract getThrottlingCache(\n throttlingCacheKey: string\n ): ThrottlingEntity | null;\n\n /**\n * set throttling entity to the platform cache\n * @param throttlingCacheKey\n * @param throttlingCache\n */\n abstract setThrottlingCache(\n throttlingCacheKey: string,\n throttlingCache: ThrottlingEntity\n ): void;\n\n /**\n * Function to remove an item from cache given its key.\n * @param key\n */\n abstract removeItem(key: string): void;\n\n /**\n * Function which retrieves all current keys from the cache.\n */\n abstract getKeys(): string[];\n\n /**\n * Function which retrieves all account keys from the cache\n */\n abstract getAccountKeys(): string[];\n\n /**\n * Function which retrieves all token keys from the cache\n */\n abstract getTokenKeys(): TokenKeys;\n\n /**\n * Function which updates an outdated credential cache key\n */\n abstract updateCredentialCacheKey(\n currentCacheKey: string,\n credential: ValidCredentialType\n ): string;\n\n /**\n * Returns all the accounts in the cache that match the optional filter. If no filter is provided, all accounts are returned.\n * @param accountFilter - (Optional) filter to narrow down the accounts returned\n * @returns Array of AccountInfo objects in cache\n */\n getAllAccounts(accountFilter?: AccountFilter): AccountInfo[] {\n return this.buildTenantProfiles(\n this.getAccountsFilteredBy(accountFilter || {}),\n accountFilter\n );\n }\n\n /**\n * Gets first tenanted AccountInfo object found based on provided filters\n */\n getAccountInfoFilteredBy(accountFilter: AccountFilter): AccountInfo | null {\n const allAccounts = this.getAllAccounts(accountFilter);\n if (allAccounts.length > 1) {\n // If one or more accounts are found, prioritize accounts that have an ID token\n const sortedAccounts = allAccounts.sort((account) => {\n return account.idTokenClaims ? -1 : 1;\n });\n return sortedAccounts[0];\n } else if (allAccounts.length === 1) {\n // If only one account is found, return it regardless of whether a matching ID token was found\n return allAccounts[0];\n } else {\n return null;\n }\n }\n\n /**\n * Returns a single matching\n * @param accountFilter\n * @returns\n */\n getBaseAccountInfo(accountFilter: AccountFilter): AccountInfo | null {\n const accountEntities = this.getAccountsFilteredBy(accountFilter);\n if (accountEntities.length > 0) {\n return accountEntities[0].getAccountInfo();\n } else {\n return null;\n }\n }\n\n /**\n * Matches filtered account entities with cached ID tokens that match the tenant profile-specific account filters\n * and builds the account info objects from the matching ID token's claims\n * @param cachedAccounts\n * @param accountFilter\n * @returns Array of AccountInfo objects that match account and tenant profile filters\n */\n private buildTenantProfiles(\n cachedAccounts: AccountEntity[],\n accountFilter?: AccountFilter\n ): AccountInfo[] {\n return cachedAccounts.flatMap((accountEntity) => {\n return this.getTenantProfilesFromAccountEntity(\n accountEntity,\n accountFilter?.tenantId,\n accountFilter\n );\n });\n }\n\n private getTenantedAccountInfoByFilter(\n accountInfo: AccountInfo,\n tokenKeys: TokenKeys,\n tenantProfile: TenantProfile,\n tenantProfileFilter?: TenantProfileFilter\n ): AccountInfo | null {\n let tenantedAccountInfo: AccountInfo | null = null;\n let idTokenClaims: TokenClaims | undefined;\n\n if (tenantProfileFilter) {\n if (\n !this.tenantProfileMatchesFilter(\n tenantProfile,\n tenantProfileFilter\n )\n ) {\n return null;\n }\n }\n\n const idToken = this.getIdToken(\n accountInfo,\n tokenKeys,\n tenantProfile.tenantId\n );\n\n if (idToken) {\n idTokenClaims = extractTokenClaims(\n idToken.secret,\n this.cryptoImpl.base64Decode\n );\n\n if (\n !this.idTokenClaimsMatchTenantProfileFilter(\n idTokenClaims,\n tenantProfileFilter\n )\n ) {\n // ID token sourced claims don't match so this tenant profile is not a match\n return null;\n }\n }\n\n // Expand tenant profile into account info based on matching tenant profile and if available matching ID token claims\n tenantedAccountInfo = updateAccountTenantProfileData(\n accountInfo,\n tenantProfile,\n idTokenClaims,\n idToken?.secret\n );\n\n return tenantedAccountInfo;\n }\n\n private getTenantProfilesFromAccountEntity(\n accountEntity: AccountEntity,\n targetTenantId?: string,\n tenantProfileFilter?: TenantProfileFilter\n ): AccountInfo[] {\n const accountInfo = accountEntity.getAccountInfo();\n let searchTenantProfiles: Map =\n accountInfo.tenantProfiles || new Map();\n const tokenKeys = this.getTokenKeys();\n\n // If a tenant ID was provided, only return the tenant profile for that tenant ID if it exists\n if (targetTenantId) {\n const tenantProfile = searchTenantProfiles.get(targetTenantId);\n if (tenantProfile) {\n // Reduce search field to just this tenant profile\n searchTenantProfiles = new Map([\n [targetTenantId, tenantProfile],\n ]);\n } else {\n // No tenant profile for search tenant ID, return empty array\n return [];\n }\n }\n\n const matchingTenantProfiles: AccountInfo[] = [];\n searchTenantProfiles.forEach((tenantProfile: TenantProfile) => {\n const tenantedAccountInfo = this.getTenantedAccountInfoByFilter(\n accountInfo,\n tokenKeys,\n tenantProfile,\n tenantProfileFilter\n );\n if (tenantedAccountInfo) {\n matchingTenantProfiles.push(tenantedAccountInfo);\n }\n });\n\n return matchingTenantProfiles;\n }\n\n private tenantProfileMatchesFilter(\n tenantProfile: TenantProfile,\n tenantProfileFilter: TenantProfileFilter\n ): boolean {\n if (\n !!tenantProfileFilter.localAccountId &&\n !this.matchLocalAccountIdFromTenantProfile(\n tenantProfile,\n tenantProfileFilter.localAccountId\n )\n ) {\n return false;\n }\n\n if (\n !!tenantProfileFilter.name &&\n !(tenantProfile.name === tenantProfileFilter.name)\n ) {\n return false;\n }\n\n if (\n tenantProfileFilter.isHomeTenant !== undefined &&\n !(tenantProfile.isHomeTenant === tenantProfileFilter.isHomeTenant)\n ) {\n return false;\n }\n\n return true;\n }\n\n private idTokenClaimsMatchTenantProfileFilter(\n idTokenClaims: TokenClaims,\n tenantProfileFilter?: TenantProfileFilter\n ): boolean {\n // Tenant Profile filtering\n if (tenantProfileFilter) {\n if (\n !!tenantProfileFilter.localAccountId &&\n !this.matchLocalAccountIdFromTokenClaims(\n idTokenClaims,\n tenantProfileFilter.localAccountId\n )\n ) {\n return false;\n }\n\n if (\n !!tenantProfileFilter.loginHint &&\n !this.matchLoginHintFromTokenClaims(\n idTokenClaims,\n tenantProfileFilter.loginHint\n )\n ) {\n return false;\n }\n\n if (\n !!tenantProfileFilter.username &&\n !this.matchUsername(\n idTokenClaims.preferred_username,\n tenantProfileFilter.username\n )\n ) {\n return false;\n }\n\n if (\n !!tenantProfileFilter.name &&\n !this.matchName(idTokenClaims, tenantProfileFilter.name)\n ) {\n return false;\n }\n\n if (\n !!tenantProfileFilter.sid &&\n !this.matchSid(idTokenClaims, tenantProfileFilter.sid)\n ) {\n return false;\n }\n }\n\n return true;\n }\n\n /**\n * saves a cache record\n * @param cacheRecord {CacheRecord}\n * @param storeInCache {?StoreInCache}\n * @param correlationId {?string} correlation id\n */\n async saveCacheRecord(\n cacheRecord: CacheRecord,\n storeInCache?: StoreInCache,\n correlationId?: string\n ): Promise {\n if (!cacheRecord) {\n throw createClientAuthError(\n ClientAuthErrorCodes.invalidCacheRecord\n );\n }\n\n try {\n if (!!cacheRecord.account) {\n this.setAccount(cacheRecord.account);\n }\n\n if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {\n this.setIdTokenCredential(cacheRecord.idToken);\n }\n\n if (\n !!cacheRecord.accessToken &&\n storeInCache?.accessToken !== false\n ) {\n await this.saveAccessToken(cacheRecord.accessToken);\n }\n\n if (\n !!cacheRecord.refreshToken &&\n storeInCache?.refreshToken !== false\n ) {\n this.setRefreshTokenCredential(cacheRecord.refreshToken);\n }\n\n if (!!cacheRecord.appMetadata) {\n this.setAppMetadata(cacheRecord.appMetadata);\n }\n } catch (e: unknown) {\n this.commonLogger?.error(`CacheManager.saveCacheRecord: failed`);\n if (e instanceof Error) {\n this.commonLogger?.errorPii(\n `CacheManager.saveCacheRecord: ${e.message}`,\n correlationId\n );\n\n if (\n e.name === \"QuotaExceededError\" ||\n e.name === \"NS_ERROR_DOM_QUOTA_REACHED\" ||\n e.message.includes(\"exceeded the quota\")\n ) {\n this.commonLogger?.error(\n `CacheManager.saveCacheRecord: exceeded storage quota`,\n correlationId\n );\n throw new CacheError(\n CacheErrorCodes.cacheQuotaExceededErrorCode\n );\n } else {\n throw new CacheError(e.name, e.message);\n }\n } else {\n this.commonLogger?.errorPii(\n `CacheManager.saveCacheRecord: ${e}`,\n correlationId\n );\n throw new CacheError(CacheErrorCodes.cacheUnknownErrorCode);\n }\n }\n }\n\n /**\n * saves access token credential\n * @param credential\n */\n private async saveAccessToken(\n credential: AccessTokenEntity\n ): Promise {\n const accessTokenFilter: CredentialFilter = {\n clientId: credential.clientId,\n credentialType: credential.credentialType,\n environment: credential.environment,\n homeAccountId: credential.homeAccountId,\n realm: credential.realm,\n tokenType: credential.tokenType,\n requestedClaimsHash: credential.requestedClaimsHash,\n };\n\n const tokenKeys = this.getTokenKeys();\n const currentScopes = ScopeSet.fromString(credential.target);\n\n const removedAccessTokens: Array> = [];\n tokenKeys.accessToken.forEach((key) => {\n if (\n !this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)\n ) {\n return;\n }\n\n const tokenEntity = this.getAccessTokenCredential(key);\n\n if (\n tokenEntity &&\n this.credentialMatchesFilter(tokenEntity, accessTokenFilter)\n ) {\n const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);\n if (tokenScopeSet.intersectingScopeSets(currentScopes)) {\n removedAccessTokens.push(this.removeAccessToken(key));\n }\n }\n });\n await Promise.all(removedAccessTokens);\n this.setAccessTokenCredential(credential);\n }\n\n /**\n * Retrieve account entities matching all provided tenant-agnostic filters; if no filter is set, get all account entities in the cache\n * Not checking for casing as keys are all generated in lower case, remember to convert to lower case if object properties are compared\n * @param accountFilter - An object containing Account properties to filter by\n */\n getAccountsFilteredBy(accountFilter: AccountFilter): AccountEntity[] {\n const allAccountKeys = this.getAccountKeys();\n const matchingAccounts: AccountEntity[] = [];\n allAccountKeys.forEach((cacheKey) => {\n if (!this.isAccountKey(cacheKey, accountFilter.homeAccountId)) {\n // Don't parse value if the key doesn't match the account filters\n return;\n }\n\n const entity: AccountEntity | null = this.getAccount(\n cacheKey,\n this.commonLogger\n );\n\n // Match base account fields\n\n if (!entity) {\n return;\n }\n\n if (\n !!accountFilter.homeAccountId &&\n !this.matchHomeAccountId(entity, accountFilter.homeAccountId)\n ) {\n return;\n }\n\n if (\n !!accountFilter.username &&\n !this.matchUsername(entity.username, accountFilter.username)\n ) {\n return;\n }\n\n if (\n !!accountFilter.environment &&\n !this.matchEnvironment(entity, accountFilter.environment)\n ) {\n return;\n }\n\n if (\n !!accountFilter.realm &&\n !this.matchRealm(entity, accountFilter.realm)\n ) {\n return;\n }\n\n if (\n !!accountFilter.nativeAccountId &&\n !this.matchNativeAccountId(\n entity,\n accountFilter.nativeAccountId\n )\n ) {\n return;\n }\n\n if (\n !!accountFilter.authorityType &&\n !this.matchAuthorityType(entity, accountFilter.authorityType)\n ) {\n return;\n }\n\n // If at least one tenant profile matches the tenant profile filter, add the account to the list of matching accounts\n const tenantProfileFilter: TenantProfileFilter = {\n localAccountId: accountFilter?.localAccountId,\n name: accountFilter?.name,\n };\n\n const matchingTenantProfiles = entity.tenantProfiles?.filter(\n (tenantProfile: TenantProfile) => {\n return this.tenantProfileMatchesFilter(\n tenantProfile,\n tenantProfileFilter\n );\n }\n );\n\n if (matchingTenantProfiles && matchingTenantProfiles.length === 0) {\n // No tenant profile for this account matches filter, don't add to list of matching accounts\n return;\n }\n\n matchingAccounts.push(entity);\n });\n\n return matchingAccounts;\n }\n\n /**\n * Returns true if the given key matches our account key schema. Also matches homeAccountId and/or tenantId if provided\n * @param key\n * @param homeAccountId\n * @param tenantId\n * @returns\n */\n isAccountKey(\n key: string,\n homeAccountId?: string,\n tenantId?: string\n ): boolean {\n if (key.split(Separators.CACHE_KEY_SEPARATOR).length < 3) {\n // Account cache keys contain 3 items separated by '-' (each item may also contain '-')\n return false;\n }\n\n if (\n homeAccountId &&\n !key.toLowerCase().includes(homeAccountId.toLowerCase())\n ) {\n return false;\n }\n\n if (tenantId && !key.toLowerCase().includes(tenantId.toLowerCase())) {\n return false;\n }\n\n // Do not check environment as aliasing can cause false negatives\n\n return true;\n }\n\n /**\n * Returns true if the given key matches our credential key schema.\n * @param key\n */\n isCredentialKey(key: string): boolean {\n if (key.split(Separators.CACHE_KEY_SEPARATOR).length < 6) {\n // Credential cache keys contain 6 items separated by '-' (each item may also contain '-')\n return false;\n }\n\n const lowerCaseKey = key.toLowerCase();\n // Credential keys must indicate what credential type they represent\n if (\n lowerCaseKey.indexOf(CredentialType.ID_TOKEN.toLowerCase()) ===\n -1 &&\n lowerCaseKey.indexOf(CredentialType.ACCESS_TOKEN.toLowerCase()) ===\n -1 &&\n lowerCaseKey.indexOf(\n CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME.toLowerCase()\n ) === -1 &&\n lowerCaseKey.indexOf(CredentialType.REFRESH_TOKEN.toLowerCase()) ===\n -1\n ) {\n return false;\n }\n\n if (\n lowerCaseKey.indexOf(CredentialType.REFRESH_TOKEN.toLowerCase()) >\n -1\n ) {\n // Refresh tokens must contain the client id or family id\n const clientIdValidation = `${CredentialType.REFRESH_TOKEN}${Separators.CACHE_KEY_SEPARATOR}${this.clientId}${Separators.CACHE_KEY_SEPARATOR}`;\n const familyIdValidation = `${CredentialType.REFRESH_TOKEN}${Separators.CACHE_KEY_SEPARATOR}${THE_FAMILY_ID}${Separators.CACHE_KEY_SEPARATOR}`;\n if (\n lowerCaseKey.indexOf(clientIdValidation.toLowerCase()) === -1 &&\n lowerCaseKey.indexOf(familyIdValidation.toLowerCase()) === -1\n ) {\n return false;\n }\n } else if (lowerCaseKey.indexOf(this.clientId.toLowerCase()) === -1) {\n // Tokens must contain the clientId\n return false;\n }\n\n return true;\n }\n\n /**\n * Returns whether or not the given credential entity matches the filter\n * @param entity\n * @param filter\n * @returns\n */\n credentialMatchesFilter(\n entity: ValidCredentialType,\n filter: CredentialFilter\n ): boolean {\n if (!!filter.clientId && !this.matchClientId(entity, filter.clientId)) {\n return false;\n }\n\n if (\n !!filter.userAssertionHash &&\n !this.matchUserAssertionHash(entity, filter.userAssertionHash)\n ) {\n return false;\n }\n\n /*\n * homeAccountId can be undefined, and we want to filter out cached items that have a homeAccountId of \"\"\n * because we don't want a client_credential request to return a cached token that has a homeAccountId\n */\n if (\n typeof filter.homeAccountId === \"string\" &&\n !this.matchHomeAccountId(entity, filter.homeAccountId)\n ) {\n return false;\n }\n\n if (\n !!filter.environment &&\n !this.matchEnvironment(entity, filter.environment)\n ) {\n return false;\n }\n\n if (!!filter.realm && !this.matchRealm(entity, filter.realm)) {\n return false;\n }\n\n if (\n !!filter.credentialType &&\n !this.matchCredentialType(entity, filter.credentialType)\n ) {\n return false;\n }\n\n if (!!filter.familyId && !this.matchFamilyId(entity, filter.familyId)) {\n return false;\n }\n\n /*\n * idTokens do not have \"target\", target specific refreshTokens do exist for some types of authentication\n * Resource specific refresh tokens case will be added when the support is deemed necessary\n */\n if (!!filter.target && !this.matchTarget(entity, filter.target)) {\n return false;\n }\n\n // If request OR cached entity has requested Claims Hash, check if they match\n if (filter.requestedClaimsHash || entity.requestedClaimsHash) {\n // Don't match if either is undefined or they are different\n if (entity.requestedClaimsHash !== filter.requestedClaimsHash) {\n return false;\n }\n }\n\n // Access Token with Auth Scheme specific matching\n if (\n entity.credentialType ===\n CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME\n ) {\n if (\n !!filter.tokenType &&\n !this.matchTokenType(entity, filter.tokenType)\n ) {\n return false;\n }\n\n // KeyId (sshKid) in request must match cached SSH certificate keyId because SSH cert is bound to a specific key\n if (filter.tokenType === AuthenticationScheme.SSH) {\n if (filter.keyId && !this.matchKeyId(entity, filter.keyId)) {\n return false;\n }\n }\n }\n\n return true;\n }\n\n /**\n * retrieve appMetadata matching all provided filters; if no filter is set, get all appMetadata\n * @param filter\n */\n getAppMetadataFilteredBy(filter: AppMetadataFilter): AppMetadataCache {\n const allCacheKeys = this.getKeys();\n const matchingAppMetadata: AppMetadataCache = {};\n\n allCacheKeys.forEach((cacheKey) => {\n // don't parse any non-appMetadata type cache entities\n if (!this.isAppMetadata(cacheKey)) {\n return;\n }\n\n // Attempt retrieval\n const entity = this.getAppMetadata(cacheKey);\n\n if (!entity) {\n return;\n }\n\n if (\n !!filter.environment &&\n !this.matchEnvironment(entity, filter.environment)\n ) {\n return;\n }\n\n if (\n !!filter.clientId &&\n !this.matchClientId(entity, filter.clientId)\n ) {\n return;\n }\n\n matchingAppMetadata[cacheKey] = entity;\n });\n\n return matchingAppMetadata;\n }\n\n /**\n * retrieve authorityMetadata that contains a matching alias\n * @param filter\n */\n getAuthorityMetadataByAlias(host: string): AuthorityMetadataEntity | null {\n const allCacheKeys = this.getAuthorityMetadataKeys();\n let matchedEntity = null;\n\n allCacheKeys.forEach((cacheKey) => {\n // don't parse any non-authorityMetadata type cache entities\n if (\n !this.isAuthorityMetadata(cacheKey) ||\n cacheKey.indexOf(this.clientId) === -1\n ) {\n return;\n }\n\n // Attempt retrieval\n const entity = this.getAuthorityMetadata(cacheKey);\n\n if (!entity) {\n return;\n }\n\n if (entity.aliases.indexOf(host) === -1) {\n return;\n }\n\n matchedEntity = entity;\n });\n\n return matchedEntity;\n }\n\n /**\n * Removes all accounts and related tokens from cache.\n */\n async removeAllAccounts(): Promise {\n const allAccountKeys = this.getAccountKeys();\n const removedAccounts: Array> = [];\n\n allAccountKeys.forEach((cacheKey) => {\n removedAccounts.push(this.removeAccount(cacheKey));\n });\n\n await Promise.all(removedAccounts);\n }\n\n /**\n * Removes the account and related tokens for a given account key\n * @param account\n */\n async removeAccount(accountKey: string): Promise {\n const account = this.getAccount(accountKey, this.commonLogger);\n if (!account) {\n return;\n }\n await this.removeAccountContext(account);\n this.removeItem(accountKey);\n }\n\n /**\n * Removes credentials associated with the provided account\n * @param account\n */\n async removeAccountContext(account: AccountEntity): Promise {\n const allTokenKeys = this.getTokenKeys();\n const accountId = account.generateAccountId();\n const removedCredentials: Array> = [];\n\n allTokenKeys.idToken.forEach((key) => {\n if (key.indexOf(accountId) === 0) {\n this.removeIdToken(key);\n }\n });\n\n allTokenKeys.accessToken.forEach((key) => {\n if (key.indexOf(accountId) === 0) {\n removedCredentials.push(this.removeAccessToken(key));\n }\n });\n\n allTokenKeys.refreshToken.forEach((key) => {\n if (key.indexOf(accountId) === 0) {\n this.removeRefreshToken(key);\n }\n });\n\n await Promise.all(removedCredentials);\n }\n\n /**\n * Migrates a single-tenant account and all it's associated alternate cross-tenant account objects in the\n * cache into a condensed multi-tenant account object with tenant profiles.\n * @param accountKey\n * @param accountEntity\n * @param logger\n * @returns\n */\n protected updateOutdatedCachedAccount(\n accountKey: string,\n accountEntity: AccountEntity | null,\n logger?: Logger\n ): AccountEntity | null {\n // Only update if account entity is defined and has no tenantProfiles object (is outdated)\n if (accountEntity && accountEntity.isSingleTenant()) {\n this.commonLogger?.verbose(\n \"updateOutdatedCachedAccount: Found a single-tenant (outdated) account entity in the cache, migrating to multi-tenant account entity\"\n );\n\n // Get keys of all accounts belonging to user\n const matchingAccountKeys = this.getAccountKeys().filter(\n (key: string) => {\n return key.startsWith(accountEntity.homeAccountId);\n }\n );\n\n // Get all account entities belonging to user\n const accountsToMerge: AccountEntity[] = [];\n matchingAccountKeys.forEach((key: string) => {\n const account = this.getCachedAccountEntity(key);\n if (account) {\n accountsToMerge.push(account);\n }\n });\n\n // Set base account to home account if available, any account if not\n const baseAccount =\n accountsToMerge.find((account) => {\n return tenantIdMatchesHomeTenant(\n account.realm,\n account.homeAccountId\n );\n }) || accountsToMerge[0];\n\n // Populate tenant profiles built from each account entity belonging to the user\n baseAccount.tenantProfiles = accountsToMerge.map(\n (account: AccountEntity) => {\n return {\n tenantId: account.realm,\n localAccountId: account.localAccountId,\n name: account.name,\n isHomeTenant: tenantIdMatchesHomeTenant(\n account.realm,\n account.homeAccountId\n ),\n };\n }\n );\n\n const updatedAccount = CacheManager.toObject(new AccountEntity(), {\n ...baseAccount,\n });\n\n const newAccountKey = updatedAccount.generateAccountKey();\n\n // Clear cache of legacy account objects that have been collpsed into tenant profiles\n matchingAccountKeys.forEach((key: string) => {\n if (key !== newAccountKey) {\n this.removeOutdatedAccount(accountKey);\n }\n });\n\n // Cache updated account object\n this.setAccount(updatedAccount);\n logger?.verbose(\"Updated an outdated account entity in the cache\");\n return updatedAccount;\n }\n\n // No update is necessary\n return accountEntity;\n }\n\n /**\n * returns a boolean if the given credential is removed\n * @param credential\n */\n async removeAccessToken(key: string): Promise {\n const credential = this.getAccessTokenCredential(key);\n if (!credential) {\n return;\n }\n\n // Remove Token Binding Key from key store for PoP Tokens Credentials\n if (\n credential.credentialType.toLowerCase() ===\n CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME.toLowerCase()\n ) {\n if (credential.tokenType === AuthenticationScheme.POP) {\n const accessTokenWithAuthSchemeEntity =\n credential as AccessTokenEntity;\n const kid = accessTokenWithAuthSchemeEntity.keyId;\n\n if (kid) {\n try {\n await this.cryptoImpl.removeTokenBindingKey(kid);\n } catch (error) {\n throw createClientAuthError(\n ClientAuthErrorCodes.bindingKeyNotRemoved\n );\n }\n }\n }\n }\n\n return this.removeItem(key);\n }\n\n /**\n * Removes all app metadata objects from cache.\n */\n removeAppMetadata(): boolean {\n const allCacheKeys = this.getKeys();\n allCacheKeys.forEach((cacheKey) => {\n if (this.isAppMetadata(cacheKey)) {\n this.removeItem(cacheKey);\n }\n });\n\n return true;\n }\n\n /**\n * Retrieve AccountEntity from cache\n * @param account\n */\n readAccountFromCache(account: AccountInfo): AccountEntity | null {\n const accountKey: string =\n AccountEntity.generateAccountCacheKey(account);\n return this.getAccount(accountKey, this.commonLogger);\n }\n\n /**\n * Retrieve IdTokenEntity from cache\n * @param account {AccountInfo}\n * @param tokenKeys {?TokenKeys}\n * @param targetRealm {?string}\n * @param performanceClient {?IPerformanceClient}\n * @param correlationId {?string}\n */\n getIdToken(\n account: AccountInfo,\n tokenKeys?: TokenKeys,\n targetRealm?: string,\n performanceClient?: IPerformanceClient,\n correlationId?: string\n ): IdTokenEntity | null {\n this.commonLogger.trace(\"CacheManager - getIdToken called\");\n const idTokenFilter: CredentialFilter = {\n homeAccountId: account.homeAccountId,\n environment: account.environment,\n credentialType: CredentialType.ID_TOKEN,\n clientId: this.clientId,\n realm: targetRealm,\n };\n\n const idTokenMap: Map = this.getIdTokensByFilter(\n idTokenFilter,\n tokenKeys\n );\n\n const numIdTokens = idTokenMap.size;\n\n if (numIdTokens < 1) {\n this.commonLogger.info(\"CacheManager:getIdToken - No token found\");\n return null;\n } else if (numIdTokens > 1) {\n let tokensToBeRemoved: Map = idTokenMap;\n // Multiple tenant profiles and no tenant specified, pick home account\n if (!targetRealm) {\n const homeIdTokenMap: Map = new Map<\n string,\n IdTokenEntity\n >();\n idTokenMap.forEach((idToken, key) => {\n if (idToken.realm === account.tenantId) {\n homeIdTokenMap.set(key, idToken);\n }\n });\n const numHomeIdTokens = homeIdTokenMap.size;\n if (numHomeIdTokens < 1) {\n this.commonLogger.info(\n \"CacheManager:getIdToken - Multiple ID tokens found for account but none match account entity tenant id, returning first result\"\n );\n return idTokenMap.values().next().value;\n } else if (numHomeIdTokens === 1) {\n this.commonLogger.info(\n \"CacheManager:getIdToken - Multiple ID tokens found for account, defaulting to home tenant profile\"\n );\n return homeIdTokenMap.values().next().value;\n } else {\n // Multiple ID tokens for home tenant profile, remove all and return null\n tokensToBeRemoved = homeIdTokenMap;\n }\n }\n // Multiple tokens for a single tenant profile, remove all and return null\n this.commonLogger.info(\n \"CacheManager:getIdToken - Multiple matching ID tokens found, clearing them\"\n );\n tokensToBeRemoved.forEach((idToken, key) => {\n this.removeIdToken(key);\n });\n if (performanceClient && correlationId) {\n performanceClient.addFields(\n { multiMatchedID: idTokenMap.size },\n correlationId\n );\n }\n return null;\n }\n\n this.commonLogger.info(\"CacheManager:getIdToken - Returning ID token\");\n return idTokenMap.values().next().value;\n }\n\n /**\n * Gets all idTokens matching the given filter\n * @param filter\n * @returns\n */\n getIdTokensByFilter(\n filter: CredentialFilter,\n tokenKeys?: TokenKeys\n ): Map {\n const idTokenKeys =\n (tokenKeys && tokenKeys.idToken) || this.getTokenKeys().idToken;\n\n const idTokens: Map = new Map<\n string,\n IdTokenEntity\n >();\n idTokenKeys.forEach((key) => {\n if (\n !this.idTokenKeyMatchesFilter(key, {\n clientId: this.clientId,\n ...filter,\n })\n ) {\n return;\n }\n const idToken = this.getIdTokenCredential(key);\n if (idToken && this.credentialMatchesFilter(idToken, filter)) {\n idTokens.set(key, idToken);\n }\n });\n\n return idTokens;\n }\n\n /**\n * Validate the cache key against filter before retrieving and parsing cache value\n * @param key\n * @param filter\n * @returns\n */\n idTokenKeyMatchesFilter(\n inputKey: string,\n filter: CredentialFilter\n ): boolean {\n const key = inputKey.toLowerCase();\n if (\n filter.clientId &&\n key.indexOf(filter.clientId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n if (\n filter.homeAccountId &&\n key.indexOf(filter.homeAccountId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n return true;\n }\n\n /**\n * Removes idToken from the cache\n * @param key\n */\n removeIdToken(key: string): void {\n this.removeItem(key);\n }\n\n /**\n * Removes refresh token from the cache\n * @param key\n */\n removeRefreshToken(key: string): void {\n this.removeItem(key);\n }\n\n /**\n * Retrieve AccessTokenEntity from cache\n * @param account {AccountInfo}\n * @param request {BaseAuthRequest}\n * @param tokenKeys {?TokenKeys}\n * @param performanceClient {?IPerformanceClient}\n * @param correlationId {?string}\n */\n getAccessToken(\n account: AccountInfo,\n request: BaseAuthRequest,\n tokenKeys?: TokenKeys,\n targetRealm?: string,\n performanceClient?: IPerformanceClient,\n correlationId?: string\n ): AccessTokenEntity | null {\n this.commonLogger.trace(\"CacheManager - getAccessToken called\");\n const scopes = ScopeSet.createSearchScopes(request.scopes);\n const authScheme =\n request.authenticationScheme || AuthenticationScheme.BEARER;\n /*\n * Distinguish between Bearer and PoP/SSH token cache types\n * Cast to lowercase to handle \"bearer\" from ADFS\n */\n const credentialType =\n authScheme &&\n authScheme.toLowerCase() !==\n AuthenticationScheme.BEARER.toLowerCase()\n ? CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME\n : CredentialType.ACCESS_TOKEN;\n\n const accessTokenFilter: CredentialFilter = {\n homeAccountId: account.homeAccountId,\n environment: account.environment,\n credentialType: credentialType,\n clientId: this.clientId,\n realm: targetRealm || account.tenantId,\n target: scopes,\n tokenType: authScheme,\n keyId: request.sshKid,\n requestedClaimsHash: request.requestedClaimsHash,\n };\n\n const accessTokenKeys =\n (tokenKeys && tokenKeys.accessToken) ||\n this.getTokenKeys().accessToken;\n const accessTokens: AccessTokenEntity[] = [];\n\n accessTokenKeys.forEach((key) => {\n // Validate key\n if (\n this.accessTokenKeyMatchesFilter(key, accessTokenFilter, true)\n ) {\n const accessToken = this.getAccessTokenCredential(key);\n\n // Validate value\n if (\n accessToken &&\n this.credentialMatchesFilter(accessToken, accessTokenFilter)\n ) {\n accessTokens.push(accessToken);\n }\n }\n });\n\n const numAccessTokens = accessTokens.length;\n if (numAccessTokens < 1) {\n this.commonLogger.info(\n \"CacheManager:getAccessToken - No token found\"\n );\n return null;\n } else if (numAccessTokens > 1) {\n this.commonLogger.info(\n \"CacheManager:getAccessToken - Multiple access tokens found, clearing them\"\n );\n accessTokens.forEach((accessToken) => {\n void this.removeAccessToken(generateCredentialKey(accessToken));\n });\n if (performanceClient && correlationId) {\n performanceClient.addFields(\n { multiMatchedAT: accessTokens.length },\n correlationId\n );\n }\n return null;\n }\n\n this.commonLogger.info(\n \"CacheManager:getAccessToken - Returning access token\"\n );\n return accessTokens[0];\n }\n\n /**\n * Validate the cache key against filter before retrieving and parsing cache value\n * @param key\n * @param filter\n * @param keyMustContainAllScopes\n * @returns\n */\n accessTokenKeyMatchesFilter(\n inputKey: string,\n filter: CredentialFilter,\n keyMustContainAllScopes: boolean\n ): boolean {\n const key = inputKey.toLowerCase();\n if (\n filter.clientId &&\n key.indexOf(filter.clientId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n if (\n filter.homeAccountId &&\n key.indexOf(filter.homeAccountId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n if (filter.realm && key.indexOf(filter.realm.toLowerCase()) === -1) {\n return false;\n }\n\n if (\n filter.requestedClaimsHash &&\n key.indexOf(filter.requestedClaimsHash.toLowerCase()) === -1\n ) {\n return false;\n }\n\n if (filter.target) {\n const scopes = filter.target.asArray();\n for (let i = 0; i < scopes.length; i++) {\n if (\n keyMustContainAllScopes &&\n !key.includes(scopes[i].toLowerCase())\n ) {\n // When performing a cache lookup a missing scope would be a cache miss\n return false;\n } else if (\n !keyMustContainAllScopes &&\n key.includes(scopes[i].toLowerCase())\n ) {\n // When performing a cache write, any token with a subset of requested scopes should be replaced\n return true;\n }\n }\n }\n\n return true;\n }\n\n /**\n * Gets all access tokens matching the filter\n * @param filter\n * @returns\n */\n getAccessTokensByFilter(filter: CredentialFilter): AccessTokenEntity[] {\n const tokenKeys = this.getTokenKeys();\n\n const accessTokens: AccessTokenEntity[] = [];\n tokenKeys.accessToken.forEach((key) => {\n if (!this.accessTokenKeyMatchesFilter(key, filter, true)) {\n return;\n }\n\n const accessToken = this.getAccessTokenCredential(key);\n if (\n accessToken &&\n this.credentialMatchesFilter(accessToken, filter)\n ) {\n accessTokens.push(accessToken);\n }\n });\n\n return accessTokens;\n }\n\n /**\n * Helper to retrieve the appropriate refresh token from cache\n * @param account {AccountInfo}\n * @param familyRT {boolean}\n * @param tokenKeys {?TokenKeys}\n * @param performanceClient {?IPerformanceClient}\n * @param correlationId {?string}\n */\n getRefreshToken(\n account: AccountInfo,\n familyRT: boolean,\n tokenKeys?: TokenKeys,\n performanceClient?: IPerformanceClient,\n correlationId?: string\n ): RefreshTokenEntity | null {\n this.commonLogger.trace(\"CacheManager - getRefreshToken called\");\n const id = familyRT ? THE_FAMILY_ID : undefined;\n const refreshTokenFilter: CredentialFilter = {\n homeAccountId: account.homeAccountId,\n environment: account.environment,\n credentialType: CredentialType.REFRESH_TOKEN,\n clientId: this.clientId,\n familyId: id,\n };\n\n const refreshTokenKeys =\n (tokenKeys && tokenKeys.refreshToken) ||\n this.getTokenKeys().refreshToken;\n const refreshTokens: RefreshTokenEntity[] = [];\n\n refreshTokenKeys.forEach((key) => {\n // Validate key\n if (this.refreshTokenKeyMatchesFilter(key, refreshTokenFilter)) {\n const refreshToken = this.getRefreshTokenCredential(key);\n // Validate value\n if (\n refreshToken &&\n this.credentialMatchesFilter(\n refreshToken,\n refreshTokenFilter\n )\n ) {\n refreshTokens.push(refreshToken);\n }\n }\n });\n\n const numRefreshTokens = refreshTokens.length;\n if (numRefreshTokens < 1) {\n this.commonLogger.info(\n \"CacheManager:getRefreshToken - No refresh token found.\"\n );\n return null;\n }\n // address the else case after remove functions address environment aliases\n\n if (numRefreshTokens > 1 && performanceClient && correlationId) {\n performanceClient.addFields(\n { multiMatchedRT: numRefreshTokens },\n correlationId\n );\n }\n\n this.commonLogger.info(\n \"CacheManager:getRefreshToken - returning refresh token\"\n );\n return refreshTokens[0] as RefreshTokenEntity;\n }\n\n /**\n * Validate the cache key against filter before retrieving and parsing cache value\n * @param key\n * @param filter\n */\n refreshTokenKeyMatchesFilter(\n inputKey: string,\n filter: CredentialFilter\n ): boolean {\n const key = inputKey.toLowerCase();\n if (\n filter.familyId &&\n key.indexOf(filter.familyId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n // If familyId is used, clientId is not in the key\n if (\n !filter.familyId &&\n filter.clientId &&\n key.indexOf(filter.clientId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n if (\n filter.homeAccountId &&\n key.indexOf(filter.homeAccountId.toLowerCase()) === -1\n ) {\n return false;\n }\n\n return true;\n }\n\n /**\n * Retrieve AppMetadataEntity from cache\n */\n readAppMetadataFromCache(environment: string): AppMetadataEntity | null {\n const appMetadataFilter: AppMetadataFilter = {\n environment,\n clientId: this.clientId,\n };\n\n const appMetadata: AppMetadataCache =\n this.getAppMetadataFilteredBy(appMetadataFilter);\n const appMetadataEntries: AppMetadataEntity[] = Object.keys(\n appMetadata\n ).map((key) => appMetadata[key]);\n\n const numAppMetadata = appMetadataEntries.length;\n if (numAppMetadata < 1) {\n return null;\n } else if (numAppMetadata > 1) {\n throw createClientAuthError(\n ClientAuthErrorCodes.multipleMatchingAppMetadata\n );\n }\n\n return appMetadataEntries[0] as AppMetadataEntity;\n }\n\n /**\n * Return the family_id value associated with FOCI\n * @param environment\n * @param clientId\n */\n isAppMetadataFOCI(environment: string): boolean {\n const appMetadata = this.readAppMetadataFromCache(environment);\n return !!(appMetadata && appMetadata.familyId === THE_FAMILY_ID);\n }\n\n /**\n * helper to match account ids\n * @param value\n * @param homeAccountId\n */\n private matchHomeAccountId(\n entity: AccountEntity | CredentialEntity,\n homeAccountId: string\n ): boolean {\n return !!(\n typeof entity.homeAccountId === \"string\" &&\n homeAccountId === entity.homeAccountId\n );\n }\n\n /**\n * helper to match account ids\n * @param entity\n * @param localAccountId\n * @returns\n */\n private matchLocalAccountIdFromTokenClaims(\n tokenClaims: TokenClaims,\n localAccountId: string\n ): boolean {\n const idTokenLocalAccountId = tokenClaims.oid || tokenClaims.sub;\n return localAccountId === idTokenLocalAccountId;\n }\n\n private matchLocalAccountIdFromTenantProfile(\n tenantProfile: TenantProfile,\n localAccountId: string\n ): boolean {\n return tenantProfile.localAccountId === localAccountId;\n }\n\n /**\n * helper to match names\n * @param entity\n * @param name\n * @returns true if the downcased name properties are present and match in the filter and the entity\n */\n private matchName(claims: TokenClaims, name: string): boolean {\n return !!(name.toLowerCase() === claims.name?.toLowerCase());\n }\n\n /**\n * helper to match usernames\n * @param entity\n * @param username\n * @returns\n */\n private matchUsername(\n cachedUsername?: string,\n filterUsername?: string\n ): boolean {\n return !!(\n cachedUsername &&\n typeof cachedUsername === \"string\" &&\n filterUsername?.toLowerCase() === cachedUsername.toLowerCase()\n );\n }\n\n /**\n * helper to match assertion\n * @param value\n * @param oboAssertion\n */\n private matchUserAssertionHash(\n entity: CredentialEntity,\n userAssertionHash: string\n ): boolean {\n return !!(\n entity.userAssertionHash &&\n userAssertionHash === entity.userAssertionHash\n );\n }\n\n /**\n * helper to match environment\n * @param value\n * @param environment\n */\n private matchEnvironment(\n entity: AccountEntity | CredentialEntity | AppMetadataEntity,\n environment: string\n ): boolean {\n // Check static authority options first for cases where authority metadata has not been resolved and cached yet\n if (this.staticAuthorityOptions) {\n const staticAliases = getAliasesFromStaticSources(\n this.staticAuthorityOptions,\n this.commonLogger\n );\n if (\n staticAliases.includes(environment) &&\n staticAliases.includes(entity.environment)\n ) {\n return true;\n }\n }\n\n // Query metadata cache if no static authority configuration has aliases that match enviroment\n const cloudMetadata = this.getAuthorityMetadataByAlias(environment);\n if (\n cloudMetadata &&\n cloudMetadata.aliases.indexOf(entity.environment) > -1\n ) {\n return true;\n }\n return false;\n }\n\n /**\n * helper to match credential type\n * @param entity\n * @param credentialType\n */\n private matchCredentialType(\n entity: CredentialEntity,\n credentialType: string\n ): boolean {\n return (\n entity.credentialType &&\n credentialType.toLowerCase() === entity.credentialType.toLowerCase()\n );\n }\n\n /**\n * helper to match client ids\n * @param entity\n * @param clientId\n */\n private matchClientId(\n entity: CredentialEntity | AppMetadataEntity,\n clientId: string\n ): boolean {\n return !!(entity.clientId && clientId === entity.clientId);\n }\n\n /**\n * helper to match family ids\n * @param entity\n * @param familyId\n */\n private matchFamilyId(\n entity: CredentialEntity | AppMetadataEntity,\n familyId: string\n ): boolean {\n return !!(entity.familyId && familyId === entity.familyId);\n }\n\n /**\n * helper to match realm\n * @param entity\n * @param realm\n */\n private matchRealm(\n entity: AccountEntity | CredentialEntity,\n realm: string\n ): boolean {\n return !!(entity.realm?.toLowerCase() === realm.toLowerCase());\n }\n\n /**\n * helper to match nativeAccountId\n * @param entity\n * @param nativeAccountId\n * @returns boolean indicating the match result\n */\n private matchNativeAccountId(\n entity: AccountEntity,\n nativeAccountId: string\n ): boolean {\n return !!(\n entity.nativeAccountId && nativeAccountId === entity.nativeAccountId\n );\n }\n\n /**\n * helper to match loginHint which can be either:\n * 1. login_hint ID token claim\n * 2. username in cached account object\n * 3. upn in ID token claims\n * @param entity\n * @param loginHint\n * @returns\n */\n private matchLoginHintFromTokenClaims(\n tokenClaims: TokenClaims,\n loginHint: string\n ): boolean {\n if (tokenClaims.login_hint === loginHint) {\n return true;\n }\n\n if (tokenClaims.preferred_username === loginHint) {\n return true;\n }\n\n if (tokenClaims.upn === loginHint) {\n return true;\n }\n\n return false;\n }\n\n /**\n * Helper to match sid\n * @param entity\n * @param sid\n * @returns true if the sid claim is present and matches the filter\n */\n private matchSid(idTokenClaims: TokenClaims, sid: string): boolean {\n return idTokenClaims.sid === sid;\n }\n\n private matchAuthorityType(\n entity: AccountEntity,\n authorityType: string\n ): boolean {\n return !!(\n entity.authorityType &&\n authorityType.toLowerCase() === entity.authorityType.toLowerCase()\n );\n }\n\n /**\n * Returns true if the target scopes are a subset of the current entity's scopes, false otherwise.\n * @param entity\n * @param target\n */\n private matchTarget(entity: CredentialEntity, target: ScopeSet): boolean {\n const isNotAccessTokenCredential =\n entity.credentialType !== CredentialType.ACCESS_TOKEN &&\n entity.credentialType !==\n CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;\n\n if (isNotAccessTokenCredential || !entity.target) {\n return false;\n }\n\n const entityScopeSet: ScopeSet = ScopeSet.fromString(entity.target);\n\n return entityScopeSet.containsScopeSet(target);\n }\n\n /**\n * Returns true if the credential's tokenType or Authentication Scheme matches the one in the request, false otherwise\n * @param entity\n * @param tokenType\n */\n private matchTokenType(\n entity: CredentialEntity,\n tokenType: AuthenticationScheme\n ): boolean {\n return !!(entity.tokenType && entity.tokenType === tokenType);\n }\n\n /**\n * Returns true if the credential's keyId matches the one in the request, false otherwise\n * @param entity\n * @param keyId\n */\n private matchKeyId(entity: CredentialEntity, keyId: string): boolean {\n return !!(entity.keyId && entity.keyId === keyId);\n }\n\n /**\n * returns if a given cache entity is of the type appmetadata\n * @param key\n */\n private isAppMetadata(key: string): boolean {\n return key.indexOf(APP_METADATA) !== -1;\n }\n\n /**\n * returns if a given cache entity is of the type authoritymetadata\n * @param key\n */\n protected isAuthorityMetadata(key: string): boolean {\n return key.indexOf(AUTHORITY_METADATA_CONSTANTS.CACHE_KEY) !== -1;\n }\n\n /**\n * returns cache key used for cloud instance metadata\n */\n generateAuthorityMetadataCacheKey(authority: string): string {\n return `${AUTHORITY_METADATA_CONSTANTS.CACHE_KEY}-${this.clientId}-${authority}`;\n }\n\n /**\n * Helper to convert serialized data to object\n * @param obj\n * @param json\n */\n static toObject(obj: T, json: object): T {\n for (const propertyName in json) {\n obj[propertyName] = json[propertyName];\n }\n return obj;\n }\n}\n\n/** @internal */\nexport class DefaultStorageClass extends CacheManager {\n setAccount(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAccount(): AccountEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getCachedAccountEntity(): AccountEntity | null {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setIdTokenCredential(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getIdTokenCredential(): IdTokenEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setAccessTokenCredential(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAccessTokenCredential(): AccessTokenEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setRefreshTokenCredential(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getRefreshTokenCredential(): RefreshTokenEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setAppMetadata(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAppMetadata(): AppMetadataEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setServerTelemetry(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getServerTelemetry(): ServerTelemetryEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setAuthorityMetadata(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAuthorityMetadata(): AuthorityMetadataEntity | null {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAuthorityMetadataKeys(): Array {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n setThrottlingCache(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getThrottlingCache(): ThrottlingEntity {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n removeItem(): boolean {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getKeys(): string[] {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getAccountKeys(): string[] {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n getTokenKeys(): TokenKeys {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n updateCredentialCacheKey(): string {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n removeOutdatedAccount(): void {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { INetworkModule } from \"../network/INetworkModule.js\";\nimport { DEFAULT_CRYPTO_IMPLEMENTATION, ICrypto } from \"../crypto/ICrypto.js\";\nimport { ILoggerCallback, Logger, LogLevel } from \"../logger/Logger.js\";\nimport {\n Constants,\n DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,\n} from \"../utils/Constants.js\";\nimport { version } from \"../packageMetadata.js\";\nimport { Authority } from \"../authority/Authority.js\";\nimport { AzureCloudInstance } from \"../authority/AuthorityOptions.js\";\nimport { CacheManager, DefaultStorageClass } from \"../cache/CacheManager.js\";\nimport { ServerTelemetryManager } from \"../telemetry/server/ServerTelemetryManager.js\";\nimport { ICachePlugin } from \"../cache/interface/ICachePlugin.js\";\nimport { ISerializableTokenCache } from \"../cache/interface/ISerializableTokenCache.js\";\nimport { ClientCredentials } from \"../account/ClientCredentials.js\";\nimport { ProtocolMode } from \"../authority/ProtocolMode.js\";\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\n\n/**\n * Use the configuration object to configure MSAL Modules and initialize the base interfaces for MSAL.\n *\n * This object allows you to configure important elements of MSAL functionality:\n * - authOptions - Authentication for application\n * - cryptoInterface - Implementation of crypto functions\n * - libraryInfo - Library metadata\n * - telemetry - Telemetry options and data\n * - loggerOptions - Logging for application\n * - networkInterface - Network implementation\n * - storageInterface - Storage implementation\n * - systemOptions - Additional library options\n * - clientCredentials - Credentials options for confidential clients\n * @internal\n */\nexport type ClientConfiguration = {\n authOptions: AuthOptions;\n systemOptions?: SystemOptions;\n loggerOptions?: LoggerOptions;\n cacheOptions?: CacheOptions;\n storageInterface?: CacheManager;\n networkInterface?: INetworkModule;\n cryptoInterface?: ICrypto;\n clientCredentials?: ClientCredentials;\n libraryInfo?: LibraryInfo;\n telemetry?: TelemetryOptions;\n serverTelemetryManager?: ServerTelemetryManager | null;\n persistencePlugin?: ICachePlugin | null;\n serializableCache?: ISerializableTokenCache | null;\n};\n\nexport type CommonClientConfiguration = {\n authOptions: Required;\n systemOptions: Required;\n loggerOptions: Required;\n cacheOptions: Required;\n storageInterface: CacheManager;\n networkInterface: INetworkModule;\n cryptoInterface: Required;\n libraryInfo: LibraryInfo;\n telemetry: Required;\n serverTelemetryManager: ServerTelemetryManager | null;\n clientCredentials: ClientCredentials;\n persistencePlugin: ICachePlugin | null;\n serializableCache: ISerializableTokenCache | null;\n};\n\n/**\n * Use this to configure the auth options in the ClientConfiguration object\n *\n * - clientId - Client ID of your app registered with our Application registration portal : https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview in Microsoft Identity Platform\n * - authority - You can configure a specific authority, defaults to \" \" or \"https://login.microsoftonline.com/common\"\n * - knownAuthorities - An array of URIs that are known to be valid. Used in B2C scenarios.\n * - cloudDiscoveryMetadata - A string containing the cloud discovery response. Used in AAD scenarios.\n * - clientCapabilities - Array of capabilities which will be added to the claims.access_token.xms_cc request property on every network request.\n * - protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.\n * - skipAuthorityMetadataCache - A flag to choose whether to use or not use the local metadata cache during authority initialization. Defaults to false.\n * - instanceAware - A flag of whether the STS will send back additional parameters to specify where the tokens should be retrieved from.\n * - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.\n * @internal\n */\nexport type AuthOptions = {\n clientId: string;\n authority: Authority;\n redirectUri: string;\n clientCapabilities?: Array;\n azureCloudOptions?: AzureCloudOptions;\n skipAuthorityMetadataCache?: boolean;\n instanceAware?: boolean;\n};\n\n/**\n * Use this to configure token renewal info in the Configuration object\n *\n * - tokenRenewalOffsetSeconds - Sets the window of offset needed to renew the token before expiry\n */\nexport type SystemOptions = {\n tokenRenewalOffsetSeconds?: number;\n preventCorsPreflight?: boolean;\n};\n\n/**\n * Use this to configure the logging that MSAL does, by configuring logger options in the Configuration object\n *\n * - loggerCallback - Callback for logger\n * - piiLoggingEnabled - Sets whether pii logging is enabled\n * - logLevel - Sets the level at which logging happens\n * - correlationId - Sets the correlationId printed by the logger\n */\nexport type LoggerOptions = {\n loggerCallback?: ILoggerCallback;\n piiLoggingEnabled?: boolean;\n logLevel?: LogLevel;\n correlationId?: string;\n};\n\n/**\n * Use this to configure credential cache preferences in the ClientConfiguration object\n *\n * - claimsBasedCachingEnabled - Sets whether tokens should be cached based on the claims hash. Default is false.\n */\nexport type CacheOptions = {\n claimsBasedCachingEnabled?: boolean;\n};\n\n/**\n * Library-specific options\n */\nexport type LibraryInfo = {\n sku: string;\n version: string;\n cpu: string;\n os: string;\n};\n\n/**\n * AzureCloudInstance specific options\n *\n * - azureCloudInstance - string enum providing short notation for soverign and public cloud authorities\n * - tenant - provision to provide the tenant info\n */\nexport type AzureCloudOptions = {\n azureCloudInstance: AzureCloudInstance;\n tenant?: string;\n};\n\nexport type TelemetryOptions = {\n application: ApplicationTelemetry;\n};\n\n/**\n * Telemetry information sent on request\n * - appName: Unique string name of an application\n * - appVersion: Version of the application using MSAL\n */\nexport type ApplicationTelemetry = {\n appName: string;\n appVersion: string;\n};\n\nexport const DEFAULT_SYSTEM_OPTIONS: Required = {\n tokenRenewalOffsetSeconds: DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,\n preventCorsPreflight: false,\n};\n\nconst DEFAULT_LOGGER_IMPLEMENTATION: Required = {\n loggerCallback: () => {\n // allow users to not set loggerCallback\n },\n piiLoggingEnabled: false,\n logLevel: LogLevel.Info,\n correlationId: Constants.EMPTY_STRING,\n};\n\nconst DEFAULT_CACHE_OPTIONS: Required = {\n claimsBasedCachingEnabled: false,\n};\n\nconst DEFAULT_NETWORK_IMPLEMENTATION: INetworkModule = {\n async sendGetRequestAsync(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n async sendPostRequestAsync(): Promise {\n throw createClientAuthError(ClientAuthErrorCodes.methodNotImplemented);\n },\n};\n\nconst DEFAULT_LIBRARY_INFO: LibraryInfo = {\n sku: Constants.SKU,\n version: version,\n cpu: Constants.EMPTY_STRING,\n os: Constants.EMPTY_STRING,\n};\n\nconst DEFAULT_CLIENT_CREDENTIALS: ClientCredentials = {\n clientSecret: Constants.EMPTY_STRING,\n clientAssertion: undefined,\n};\n\nconst DEFAULT_AZURE_CLOUD_OPTIONS: AzureCloudOptions = {\n azureCloudInstance: AzureCloudInstance.None,\n tenant: `${Constants.DEFAULT_COMMON_TENANT}`,\n};\n\nconst DEFAULT_TELEMETRY_OPTIONS: Required = {\n application: {\n appName: \"\",\n appVersion: \"\",\n },\n};\n\n/**\n * Function that sets the default options when not explicitly configured from app developer\n *\n * @param Configuration\n *\n * @returns Configuration\n */\nexport function buildClientConfiguration({\n authOptions: userAuthOptions,\n systemOptions: userSystemOptions,\n loggerOptions: userLoggerOption,\n cacheOptions: userCacheOptions,\n storageInterface: storageImplementation,\n networkInterface: networkImplementation,\n cryptoInterface: cryptoImplementation,\n clientCredentials: clientCredentials,\n libraryInfo: libraryInfo,\n telemetry: telemetry,\n serverTelemetryManager: serverTelemetryManager,\n persistencePlugin: persistencePlugin,\n serializableCache: serializableCache,\n}: ClientConfiguration): CommonClientConfiguration {\n const loggerOptions = {\n ...DEFAULT_LOGGER_IMPLEMENTATION,\n ...userLoggerOption,\n };\n\n return {\n authOptions: buildAuthOptions(userAuthOptions),\n systemOptions: { ...DEFAULT_SYSTEM_OPTIONS, ...userSystemOptions },\n loggerOptions: loggerOptions,\n cacheOptions: { ...DEFAULT_CACHE_OPTIONS, ...userCacheOptions },\n storageInterface:\n storageImplementation ||\n new DefaultStorageClass(\n userAuthOptions.clientId,\n DEFAULT_CRYPTO_IMPLEMENTATION,\n new Logger(loggerOptions)\n ),\n networkInterface:\n networkImplementation || DEFAULT_NETWORK_IMPLEMENTATION,\n cryptoInterface: cryptoImplementation || DEFAULT_CRYPTO_IMPLEMENTATION,\n clientCredentials: clientCredentials || DEFAULT_CLIENT_CREDENTIALS,\n libraryInfo: { ...DEFAULT_LIBRARY_INFO, ...libraryInfo },\n telemetry: { ...DEFAULT_TELEMETRY_OPTIONS, ...telemetry },\n serverTelemetryManager: serverTelemetryManager || null,\n persistencePlugin: persistencePlugin || null,\n serializableCache: serializableCache || null,\n };\n}\n\n/**\n * Construct authoptions from the client and platform passed values\n * @param authOptions\n */\nfunction buildAuthOptions(authOptions: AuthOptions): Required {\n return {\n clientCapabilities: [],\n azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,\n skipAuthorityMetadataCache: false,\n instanceAware: false,\n ...authOptions,\n };\n}\n\n/**\n * Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise\n * @param ClientConfiguration\n */\nexport function isOidcProtocolMode(config: ClientConfiguration): boolean {\n return (\n config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC\n );\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { NetworkResponse } from \"./NetworkResponse.js\";\nimport { ServerAuthorizationTokenResponse } from \"../response/ServerAuthorizationTokenResponse.js\";\nimport {\n HeaderNames,\n ThrottlingConstants,\n Constants,\n} from \"../utils/Constants.js\";\nimport { CacheManager } from \"../cache/CacheManager.js\";\nimport { ServerError } from \"../error/ServerError.js\";\nimport { RequestThumbprint } from \"./RequestThumbprint.js\";\nimport { ThrottlingEntity } from \"../cache/entities/ThrottlingEntity.js\";\nimport { BaseAuthRequest } from \"../request/BaseAuthRequest.js\";\n\n/** @internal */\nexport class ThrottlingUtils {\n /**\n * Prepares a RequestThumbprint to be stored as a key.\n * @param thumbprint\n */\n static generateThrottlingStorageKey(thumbprint: RequestThumbprint): string {\n return `${ThrottlingConstants.THROTTLING_PREFIX}.${JSON.stringify(\n thumbprint\n )}`;\n }\n\n /**\n * Performs necessary throttling checks before a network request.\n * @param cacheManager\n * @param thumbprint\n */\n static preProcess(\n cacheManager: CacheManager,\n thumbprint: RequestThumbprint\n ): void {\n const key = ThrottlingUtils.generateThrottlingStorageKey(thumbprint);\n const value = cacheManager.getThrottlingCache(key);\n\n if (value) {\n if (value.throttleTime < Date.now()) {\n cacheManager.removeItem(key);\n return;\n }\n throw new ServerError(\n value.errorCodes?.join(\" \") || Constants.EMPTY_STRING,\n value.errorMessage,\n value.subError\n );\n }\n }\n\n /**\n * Performs necessary throttling checks after a network request.\n * @param cacheManager\n * @param thumbprint\n * @param response\n */\n static postProcess(\n cacheManager: CacheManager,\n thumbprint: RequestThumbprint,\n response: NetworkResponse\n ): void {\n if (\n ThrottlingUtils.checkResponseStatus(response) ||\n ThrottlingUtils.checkResponseForRetryAfter(response)\n ) {\n const thumbprintValue: ThrottlingEntity = {\n throttleTime: ThrottlingUtils.calculateThrottleTime(\n parseInt(response.headers[HeaderNames.RETRY_AFTER])\n ),\n error: response.body.error,\n errorCodes: response.body.error_codes,\n errorMessage: response.body.error_description,\n subError: response.body.suberror,\n };\n cacheManager.setThrottlingCache(\n ThrottlingUtils.generateThrottlingStorageKey(thumbprint),\n thumbprintValue\n );\n }\n }\n\n /**\n * Checks a NetworkResponse object's status codes against 429 or 5xx\n * @param response\n */\n static checkResponseStatus(\n response: NetworkResponse\n ): boolean {\n return (\n response.status === 429 ||\n (response.status >= 500 && response.status < 600)\n );\n }\n\n /**\n * Checks a NetworkResponse object's RetryAfter header\n * @param response\n */\n static checkResponseForRetryAfter(\n response: NetworkResponse\n ): boolean {\n if (response.headers) {\n return (\n response.headers.hasOwnProperty(HeaderNames.RETRY_AFTER) &&\n (response.status < 200 || response.status >= 300)\n );\n }\n return false;\n }\n\n /**\n * Calculates the Unix-time value for a throttle to expire given throttleTime in seconds.\n * @param throttleTime\n */\n static calculateThrottleTime(throttleTime: number): number {\n const time = throttleTime <= 0 ? 0 : throttleTime;\n\n const currentSeconds = Date.now() / 1000;\n return Math.floor(\n Math.min(\n currentSeconds +\n (time || ThrottlingConstants.DEFAULT_THROTTLE_TIME_SECONDS),\n currentSeconds +\n ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS\n ) * 1000\n );\n }\n\n static removeThrottle(\n cacheManager: CacheManager,\n clientId: string,\n request: BaseAuthRequest,\n homeAccountIdentifier?: string\n ): void {\n const thumbprint: RequestThumbprint = {\n clientId: clientId,\n authority: request.authority,\n scopes: request.scopes,\n homeAccountIdentifier: homeAccountIdentifier,\n claims: request.claims,\n authenticationScheme: request.authenticationScheme,\n resourceRequestMethod: request.resourceRequestMethod,\n resourceRequestUri: request.resourceRequestUri,\n shrClaims: request.shrClaims,\n sshKid: request.sshKid,\n };\n\n const key = this.generateThrottlingStorageKey(thumbprint);\n cacheManager.removeItem(key);\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { AuthError } from \"./AuthError.js\";\n\n/**\n * Represents network related errors\n */\nexport class NetworkError extends AuthError {\n error: AuthError;\n httpStatus?: number;\n responseHeaders?: Record;\n\n constructor(\n error: AuthError,\n httpStatus?: number,\n responseHeaders?: Record\n ) {\n super(error.errorCode, error.errorMessage, error.subError);\n\n Object.setPrototypeOf(this, NetworkError.prototype);\n this.name = \"NetworkError\";\n this.error = error;\n this.httpStatus = httpStatus;\n this.responseHeaders = responseHeaders;\n }\n}\n\n/**\n * Creates NetworkError object for a failed network request\n * @param error - Error to be thrown back to the caller\n * @param httpStatus - Status code of the network request\n * @param responseHeaders - Response headers of the network request, when available\n * @returns NetworkError object\n */\nexport function createNetworkError(\n error: AuthError,\n httpStatus?: number,\n responseHeaders?: Record\n): NetworkError {\n return new NetworkError(error, httpStatus, responseHeaders);\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n ClientConfiguration,\n buildClientConfiguration,\n CommonClientConfiguration,\n} from \"../config/ClientConfiguration.js\";\nimport {\n INetworkModule,\n NetworkRequestOptions,\n} from \"../network/INetworkModule.js\";\nimport { NetworkResponse } from \"../network/NetworkResponse.js\";\nimport { ICrypto } from \"../crypto/ICrypto.js\";\nimport { Authority } from \"../authority/Authority.js\";\nimport { Logger } from \"../logger/Logger.js\";\nimport { Constants, HeaderNames } from \"../utils/Constants.js\";\nimport { ServerAuthorizationTokenResponse } from \"../response/ServerAuthorizationTokenResponse.js\";\nimport { CacheManager } from \"../cache/CacheManager.js\";\nimport { ServerTelemetryManager } from \"../telemetry/server/ServerTelemetryManager.js\";\nimport { RequestThumbprint } from \"../network/RequestThumbprint.js\";\nimport { version, name } from \"../packageMetadata.js\";\nimport { CcsCredential, CcsCredentialType } from \"../account/CcsCredential.js\";\nimport { buildClientInfoFromHomeAccountId } from \"../account/ClientInfo.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { RequestParameterBuilder } from \"../request/RequestParameterBuilder.js\";\nimport { BaseAuthRequest } from \"../request/BaseAuthRequest.js\";\nimport { createDiscoveredInstance } from \"../authority/AuthorityFactory.js\";\nimport { PerformanceEvents } from \"../telemetry/performance/PerformanceEvent.js\";\nimport { ThrottlingUtils } from \"../network/ThrottlingUtils.js\";\nimport { AuthError } from \"../error/AuthError.js\";\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\nimport { NetworkError } from \"../error/NetworkError.js\";\nimport { invokeAsync } from \"../utils/FunctionWrappers.js\";\n\n/**\n * Base application class which will construct requests to send to and handle responses from the Microsoft STS using the authorization code flow.\n * @internal\n */\nexport abstract class BaseClient {\n // Logger object\n public logger: Logger;\n\n // Application config\n protected config: CommonClientConfiguration;\n\n // Crypto Interface\n protected cryptoUtils: ICrypto;\n\n // Storage Interface\n protected cacheManager: CacheManager;\n\n // Network Interface\n protected networkClient: INetworkModule;\n\n // Server Telemetry Manager\n protected serverTelemetryManager: ServerTelemetryManager | null;\n\n // Default authority object\n public authority: Authority;\n\n // Performance telemetry client\n protected performanceClient?: IPerformanceClient;\n\n protected constructor(\n configuration: ClientConfiguration,\n performanceClient?: IPerformanceClient\n ) {\n // Set the configuration\n this.config = buildClientConfiguration(configuration);\n\n // Initialize the logger\n this.logger = new Logger(this.config.loggerOptions, name, version);\n\n // Initialize crypto\n this.cryptoUtils = this.config.cryptoInterface;\n\n // Initialize storage interface\n this.cacheManager = this.config.storageInterface;\n\n // Set the network interface\n this.networkClient = this.config.networkInterface;\n\n // Set TelemetryManager\n this.serverTelemetryManager = this.config.serverTelemetryManager;\n\n // set Authority\n this.authority = this.config.authOptions.authority;\n\n // set performance telemetry client\n this.performanceClient = performanceClient;\n }\n\n /**\n * Creates default headers for requests to token endpoint\n */\n protected createTokenRequestHeaders(\n ccsCred?: CcsCredential\n ): Record {\n const headers: Record = {};\n headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;\n if (!this.config.systemOptions.preventCorsPreflight && ccsCred) {\n switch (ccsCred.type) {\n case CcsCredentialType.HOME_ACCOUNT_ID:\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n ccsCred.credential\n );\n headers[\n HeaderNames.CCS_HEADER\n ] = `Oid:${clientInfo.uid}@${clientInfo.utid}`;\n } catch (e) {\n this.logger.verbose(\n \"Could not parse home account ID for CCS Header: \" +\n e\n );\n }\n break;\n case CcsCredentialType.UPN:\n headers[\n HeaderNames.CCS_HEADER\n ] = `UPN: ${ccsCred.credential}`;\n break;\n }\n }\n return headers;\n }\n\n /**\n * Http post to token endpoint\n * @param tokenEndpoint\n * @param queryString\n * @param headers\n * @param thumbprint\n */\n protected async executePostToTokenEndpoint(\n tokenEndpoint: string,\n queryString: string,\n headers: Record,\n thumbprint: RequestThumbprint,\n correlationId: string,\n queuedEvent?: string\n ): Promise> {\n if (queuedEvent) {\n this.performanceClient?.addQueueMeasurement(\n queuedEvent,\n correlationId\n );\n }\n\n const response =\n await this.sendPostRequest(\n thumbprint,\n tokenEndpoint,\n { body: queryString, headers: headers },\n correlationId\n );\n\n if (\n this.config.serverTelemetryManager &&\n response.status < 500 &&\n response.status !== 429\n ) {\n // Telemetry data successfully logged by server, clear Telemetry cache\n this.config.serverTelemetryManager.clearTelemetryCache();\n }\n\n return response;\n }\n\n /**\n * Wraps sendPostRequestAsync with necessary preflight and postflight logic\n * @param thumbprint - Request thumbprint for throttling\n * @param tokenEndpoint - Endpoint to make the POST to\n * @param options - Body and Headers to include on the POST request\n * @param correlationId - CorrelationId for telemetry\n */\n async sendPostRequest(\n thumbprint: RequestThumbprint,\n tokenEndpoint: string,\n options: NetworkRequestOptions,\n correlationId: string\n ): Promise> {\n ThrottlingUtils.preProcess(this.cacheManager, thumbprint);\n\n let response;\n try {\n response = await invokeAsync(\n this.networkClient.sendPostRequestAsync.bind(\n this.networkClient\n ),\n PerformanceEvents.NetworkClientSendPostRequestAsync,\n this.logger,\n this.performanceClient,\n correlationId\n )(tokenEndpoint, options);\n const responseHeaders = response.headers || {};\n this.performanceClient?.addFields(\n {\n refreshTokenSize: response.body.refresh_token?.length || 0,\n httpVerToken:\n responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || \"\",\n requestId:\n responseHeaders[HeaderNames.X_MS_REQUEST_ID] || \"\",\n },\n correlationId\n );\n } catch (e) {\n if (e instanceof NetworkError) {\n const responseHeaders = e.responseHeaders;\n if (responseHeaders) {\n this.performanceClient?.addFields(\n {\n httpVerToken:\n responseHeaders[\n HeaderNames.X_MS_HTTP_VERSION\n ] || \"\",\n requestId:\n responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||\n \"\",\n contentTypeHeader:\n responseHeaders[HeaderNames.CONTENT_TYPE] ||\n undefined,\n contentLengthHeader:\n responseHeaders[HeaderNames.CONTENT_LENGTH] ||\n undefined,\n httpStatus: e.httpStatus,\n },\n correlationId\n );\n }\n throw e.error;\n }\n if (e instanceof AuthError) {\n throw e;\n } else {\n throw createClientAuthError(ClientAuthErrorCodes.networkError);\n }\n }\n\n ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response);\n\n return response;\n }\n\n /**\n * Updates the authority object of the client. Endpoint discovery must be completed.\n * @param updatedAuthority\n */\n async updateAuthority(\n cloudInstanceHostname: string,\n correlationId: string\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.UpdateTokenEndpointAuthority,\n correlationId\n );\n const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;\n const cloudInstanceAuthority = await createDiscoveredInstance(\n cloudInstanceAuthorityUri,\n this.networkClient,\n this.cacheManager,\n this.authority.options,\n this.logger,\n correlationId,\n this.performanceClient\n );\n this.authority = cloudInstanceAuthority;\n }\n\n /**\n * Creates query string for the /token request\n * @param request\n */\n createTokenQueryParameters(request: BaseAuthRequest): string {\n const parameterBuilder = new RequestParameterBuilder(\n request.correlationId,\n this.performanceClient\n );\n\n if (request.embeddedClientId) {\n parameterBuilder.addBrokerParameters({\n brokerClientId: this.config.authOptions.clientId,\n brokerRedirectUri: this.config.authOptions.redirectUri,\n });\n }\n\n if (request.tokenQueryParameters) {\n parameterBuilder.addExtraQueryParameters(\n request.tokenQueryParameters\n );\n }\n\n parameterBuilder.addCorrelationId(request.correlationId);\n\n return parameterBuilder.createQueryString();\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { BaseClient } from \"./BaseClient.js\";\nimport { CommonAuthorizationUrlRequest } from \"../request/CommonAuthorizationUrlRequest.js\";\nimport { CommonAuthorizationCodeRequest } from \"../request/CommonAuthorizationCodeRequest.js\";\nimport { Authority } from \"../authority/Authority.js\";\nimport { RequestParameterBuilder } from \"../request/RequestParameterBuilder.js\";\nimport {\n GrantType,\n AuthenticationScheme,\n PromptValue,\n Separators,\n HeaderNames,\n} from \"../utils/Constants.js\";\nimport * as AADServerParamKeys from \"../constants/AADServerParamKeys.js\";\nimport {\n ClientConfiguration,\n isOidcProtocolMode,\n} from \"../config/ClientConfiguration.js\";\nimport { ServerAuthorizationTokenResponse } from \"../response/ServerAuthorizationTokenResponse.js\";\nimport { NetworkResponse } from \"../network/NetworkResponse.js\";\nimport { ResponseHandler } from \"../response/ResponseHandler.js\";\nimport { AuthenticationResult } from \"../response/AuthenticationResult.js\";\nimport { StringUtils } from \"../utils/StringUtils.js\";\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\nimport { UrlString } from \"../url/UrlString.js\";\nimport { ServerAuthorizationCodeResponse } from \"../response/ServerAuthorizationCodeResponse.js\";\nimport { CommonEndSessionRequest } from \"../request/CommonEndSessionRequest.js\";\nimport { PopTokenGenerator } from \"../crypto/PopTokenGenerator.js\";\nimport { RequestThumbprint } from \"../network/RequestThumbprint.js\";\nimport { AuthorizationCodePayload } from \"../response/AuthorizationCodePayload.js\";\nimport * as TimeUtils from \"../utils/TimeUtils.js\";\nimport { AccountInfo } from \"../account/AccountInfo.js\";\nimport {\n buildClientInfoFromHomeAccountId,\n buildClientInfo,\n} from \"../account/ClientInfo.js\";\nimport { CcsCredentialType, CcsCredential } from \"../account/CcsCredential.js\";\nimport {\n createClientConfigurationError,\n ClientConfigurationErrorCodes,\n} from \"../error/ClientConfigurationError.js\";\nimport { RequestValidator } from \"../request/RequestValidator.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { PerformanceEvents } from \"../telemetry/performance/PerformanceEvent.js\";\nimport { invokeAsync } from \"../utils/FunctionWrappers.js\";\nimport { ClientAssertion } from \"../account/ClientCredentials.js\";\nimport { getClientAssertion } from \"../utils/ClientAssertionUtils.js\";\n\n/**\n * Oauth2.0 Authorization Code client\n * @internal\n */\nexport class AuthorizationCodeClient extends BaseClient {\n // Flag to indicate if client is for hybrid spa auth code redemption\n protected includeRedirectUri: boolean = true;\n private oidcDefaultScopes;\n\n constructor(\n configuration: ClientConfiguration,\n performanceClient?: IPerformanceClient\n ) {\n super(configuration, performanceClient);\n this.oidcDefaultScopes =\n this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;\n }\n\n /**\n * Creates the URL of the authorization request letting the user input credentials and consent to the\n * application. The URL target the /authorize endpoint of the authority configured in the\n * application object.\n *\n * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI\n * sent in the request and should contain an authorization code, which can then be used to acquire tokens via\n * acquireToken(AuthorizationCodeRequest)\n * @param request\n */\n async getAuthCodeUrl(\n request: CommonAuthorizationUrlRequest\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.GetAuthCodeUrl,\n request.correlationId\n );\n\n const queryString = await invokeAsync(\n this.createAuthCodeUrlQueryString.bind(this),\n PerformanceEvents.AuthClientCreateQueryString,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request);\n\n return UrlString.appendQueryString(\n this.authority.authorizationEndpoint,\n queryString\n );\n }\n\n /**\n * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the\n * authorization_code_grant\n * @param request\n */\n async acquireToken(\n request: CommonAuthorizationCodeRequest,\n authCodePayload?: AuthorizationCodePayload\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.AuthClientAcquireToken,\n request.correlationId\n );\n\n if (!request.code) {\n throw createClientAuthError(\n ClientAuthErrorCodes.requestCannotBeMade\n );\n }\n\n const reqTimestamp = TimeUtils.nowSeconds();\n const response = await invokeAsync(\n this.executeTokenRequest.bind(this),\n PerformanceEvents.AuthClientExecuteTokenRequest,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(this.authority, request);\n\n // Retrieve requestId from response headers\n const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];\n\n const responseHandler = new ResponseHandler(\n this.config.authOptions.clientId,\n this.cacheManager,\n this.cryptoUtils,\n this.logger,\n this.config.serializableCache,\n this.config.persistencePlugin,\n this.performanceClient\n );\n\n // Validate response. This function throws a server error if an error is returned by the server.\n responseHandler.validateTokenResponse(response.body);\n\n return invokeAsync(\n responseHandler.handleServerTokenResponse.bind(responseHandler),\n PerformanceEvents.HandleServerTokenResponse,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(\n response.body,\n this.authority,\n reqTimestamp,\n request,\n authCodePayload,\n undefined,\n undefined,\n undefined,\n requestId\n );\n }\n\n /**\n * Handles the hash fragment response from public client code request. Returns a code response used by\n * the client to exchange for a token in acquireToken.\n * @param hashFragment\n */\n handleFragmentResponse(\n serverParams: ServerAuthorizationCodeResponse,\n cachedState: string\n ): AuthorizationCodePayload {\n // Handle responses.\n const responseHandler = new ResponseHandler(\n this.config.authOptions.clientId,\n this.cacheManager,\n this.cryptoUtils,\n this.logger,\n null,\n null\n );\n\n // Get code response\n responseHandler.validateServerAuthorizationCodeResponse(\n serverParams,\n cachedState\n );\n\n // throw when there is no auth code in the response\n if (!serverParams.code) {\n throw createClientAuthError(\n ClientAuthErrorCodes.authorizationCodeMissingFromServerResponse\n );\n }\n\n return serverParams as AuthorizationCodePayload;\n }\n\n /**\n * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.\n * Default behaviour is to redirect the user to `window.location.href`.\n * @param authorityUri\n */\n getLogoutUri(logoutRequest: CommonEndSessionRequest): string {\n // Throw error if logoutRequest is null/undefined\n if (!logoutRequest) {\n throw createClientConfigurationError(\n ClientConfigurationErrorCodes.logoutRequestEmpty\n );\n }\n const queryString = this.createLogoutUrlQueryString(logoutRequest);\n\n // Construct logout URI\n return UrlString.appendQueryString(\n this.authority.endSessionEndpoint,\n queryString\n );\n }\n\n /**\n * Executes POST request to token endpoint\n * @param authority\n * @param request\n */\n private async executeTokenRequest(\n authority: Authority,\n request: CommonAuthorizationCodeRequest\n ): Promise> {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.AuthClientExecuteTokenRequest,\n request.correlationId\n );\n\n const queryParametersString = this.createTokenQueryParameters(request);\n const endpoint = UrlString.appendQueryString(\n authority.tokenEndpoint,\n queryParametersString\n );\n\n const requestBody = await invokeAsync(\n this.createTokenRequestBody.bind(this),\n PerformanceEvents.AuthClientCreateTokenRequestBody,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request);\n\n let ccsCredential: CcsCredential | undefined = undefined;\n if (request.clientInfo) {\n try {\n const clientInfo = buildClientInfo(\n request.clientInfo,\n this.cryptoUtils.base64Decode\n );\n ccsCredential = {\n credential: `${clientInfo.uid}${Separators.CLIENT_INFO_SEPARATOR}${clientInfo.utid}`,\n type: CcsCredentialType.HOME_ACCOUNT_ID,\n };\n } catch (e) {\n this.logger.verbose(\n \"Could not parse client info for CCS Header: \" + e\n );\n }\n }\n const headers: Record = this.createTokenRequestHeaders(\n ccsCredential || request.ccsCredential\n );\n\n const thumbprint: RequestThumbprint = {\n clientId:\n request.tokenBodyParameters?.clientId ||\n this.config.authOptions.clientId,\n authority: authority.canonicalAuthority,\n scopes: request.scopes,\n claims: request.claims,\n authenticationScheme: request.authenticationScheme,\n resourceRequestMethod: request.resourceRequestMethod,\n resourceRequestUri: request.resourceRequestUri,\n shrClaims: request.shrClaims,\n sshKid: request.sshKid,\n };\n\n return invokeAsync(\n this.executePostToTokenEndpoint.bind(this),\n PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(\n endpoint,\n requestBody,\n headers,\n thumbprint,\n request.correlationId,\n PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint\n );\n }\n\n /**\n * Generates a map for all the params to be sent to the service\n * @param request\n */\n private async createTokenRequestBody(\n request: CommonAuthorizationCodeRequest\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.AuthClientCreateTokenRequestBody,\n request.correlationId\n );\n\n const parameterBuilder = new RequestParameterBuilder(\n request.correlationId,\n this.performanceClient\n );\n\n parameterBuilder.addClientId(\n request.embeddedClientId ||\n request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||\n this.config.authOptions.clientId\n );\n\n /*\n * For hybrid spa flow, there will be a code but no verifier\n * In this scenario, don't include redirect uri as auth code will not be bound to redirect URI\n */\n if (!this.includeRedirectUri) {\n // Just validate\n RequestValidator.validateRedirectUri(request.redirectUri);\n } else {\n // Validate and include redirect uri\n parameterBuilder.addRedirectUri(request.redirectUri);\n }\n\n // Add scope array, parameter builder will add default scopes and dedupe\n parameterBuilder.addScopes(\n request.scopes,\n true,\n this.oidcDefaultScopes\n );\n\n // add code: user set, not validated\n parameterBuilder.addAuthorizationCode(request.code);\n\n // Add library metadata\n parameterBuilder.addLibraryInfo(this.config.libraryInfo);\n parameterBuilder.addApplicationTelemetry(\n this.config.telemetry.application\n );\n parameterBuilder.addThrottling();\n\n if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {\n parameterBuilder.addServerTelemetry(this.serverTelemetryManager);\n }\n\n // add code_verifier if passed\n if (request.codeVerifier) {\n parameterBuilder.addCodeVerifier(request.codeVerifier);\n }\n\n if (this.config.clientCredentials.clientSecret) {\n parameterBuilder.addClientSecret(\n this.config.clientCredentials.clientSecret\n );\n }\n\n if (this.config.clientCredentials.clientAssertion) {\n const clientAssertion: ClientAssertion =\n this.config.clientCredentials.clientAssertion;\n\n parameterBuilder.addClientAssertion(\n await getClientAssertion(\n clientAssertion.assertion,\n this.config.authOptions.clientId,\n request.resourceRequestUri\n )\n );\n parameterBuilder.addClientAssertionType(\n clientAssertion.assertionType\n );\n }\n\n parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);\n parameterBuilder.addClientInfo();\n\n if (request.authenticationScheme === AuthenticationScheme.POP) {\n const popTokenGenerator = new PopTokenGenerator(\n this.cryptoUtils,\n this.performanceClient\n );\n\n let reqCnfData;\n if (!request.popKid) {\n const generatedReqCnfData = await invokeAsync(\n popTokenGenerator.generateCnf.bind(popTokenGenerator),\n PerformanceEvents.PopTokenGenerateCnf,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, this.logger);\n reqCnfData = generatedReqCnfData.reqCnfString;\n } else {\n reqCnfData = this.cryptoUtils.encodeKid(request.popKid);\n }\n\n // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)\n parameterBuilder.addPopToken(reqCnfData);\n } else if (request.authenticationScheme === AuthenticationScheme.SSH) {\n if (request.sshJwk) {\n parameterBuilder.addSshJwk(request.sshJwk);\n } else {\n throw createClientConfigurationError(\n ClientConfigurationErrorCodes.missingSshJwk\n );\n }\n }\n\n if (\n !StringUtils.isEmptyObj(request.claims) ||\n (this.config.authOptions.clientCapabilities &&\n this.config.authOptions.clientCapabilities.length > 0)\n ) {\n parameterBuilder.addClaims(\n request.claims,\n this.config.authOptions.clientCapabilities\n );\n }\n\n let ccsCred: CcsCredential | undefined = undefined;\n if (request.clientInfo) {\n try {\n const clientInfo = buildClientInfo(\n request.clientInfo,\n this.cryptoUtils.base64Decode\n );\n ccsCred = {\n credential: `${clientInfo.uid}${Separators.CLIENT_INFO_SEPARATOR}${clientInfo.utid}`,\n type: CcsCredentialType.HOME_ACCOUNT_ID,\n };\n } catch (e) {\n this.logger.verbose(\n \"Could not parse client info for CCS Header: \" + e\n );\n }\n } else {\n ccsCred = request.ccsCredential;\n }\n\n // Adds these as parameters in the request instead of headers to prevent CORS preflight request\n if (this.config.systemOptions.preventCorsPreflight && ccsCred) {\n switch (ccsCred.type) {\n case CcsCredentialType.HOME_ACCOUNT_ID:\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n ccsCred.credential\n );\n parameterBuilder.addCcsOid(clientInfo);\n } catch (e) {\n this.logger.verbose(\n \"Could not parse home account ID for CCS Header: \" +\n e\n );\n }\n break;\n case CcsCredentialType.UPN:\n parameterBuilder.addCcsUpn(ccsCred.credential);\n break;\n }\n }\n\n if (request.embeddedClientId) {\n parameterBuilder.addBrokerParameters({\n brokerClientId: this.config.authOptions.clientId,\n brokerRedirectUri: this.config.authOptions.redirectUri,\n });\n }\n\n if (request.tokenBodyParameters) {\n parameterBuilder.addExtraQueryParameters(\n request.tokenBodyParameters\n );\n }\n\n // Add hybrid spa parameters if not already provided\n if (\n request.enableSpaAuthorizationCode &&\n (!request.tokenBodyParameters ||\n !request.tokenBodyParameters[\n AADServerParamKeys.RETURN_SPA_CODE\n ])\n ) {\n parameterBuilder.addExtraQueryParameters({\n [AADServerParamKeys.RETURN_SPA_CODE]: \"1\",\n });\n }\n\n return parameterBuilder.createQueryString();\n }\n\n /**\n * This API validates the `AuthorizationCodeUrlRequest` and creates a URL\n * @param request\n */\n private async createAuthCodeUrlQueryString(\n request: CommonAuthorizationUrlRequest\n ): Promise {\n // generate the correlationId if not set by the user and add\n const correlationId =\n request.correlationId ||\n this.config.cryptoInterface.createNewGuid();\n\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.AuthClientCreateQueryString,\n correlationId\n );\n\n const parameterBuilder = new RequestParameterBuilder(\n correlationId,\n this.performanceClient\n );\n\n parameterBuilder.addClientId(\n request.embeddedClientId ||\n request.extraQueryParameters?.[AADServerParamKeys.CLIENT_ID] ||\n this.config.authOptions.clientId\n );\n\n const requestScopes = [\n ...(request.scopes || []),\n ...(request.extraScopesToConsent || []),\n ];\n parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);\n\n // validate the redirectUri (to be a non null value)\n parameterBuilder.addRedirectUri(request.redirectUri);\n\n parameterBuilder.addCorrelationId(correlationId);\n\n // add response_mode. If not passed in it defaults to query.\n parameterBuilder.addResponseMode(request.responseMode);\n\n // add response_type = code\n parameterBuilder.addResponseTypeCode();\n\n // add library info parameters\n parameterBuilder.addLibraryInfo(this.config.libraryInfo);\n if (!isOidcProtocolMode(this.config)) {\n parameterBuilder.addApplicationTelemetry(\n this.config.telemetry.application\n );\n }\n\n // add client_info=1\n parameterBuilder.addClientInfo();\n\n if (request.codeChallenge && request.codeChallengeMethod) {\n parameterBuilder.addCodeChallengeParams(\n request.codeChallenge,\n request.codeChallengeMethod\n );\n }\n\n if (request.prompt) {\n parameterBuilder.addPrompt(request.prompt);\n }\n\n if (request.domainHint) {\n parameterBuilder.addDomainHint(request.domainHint);\n }\n\n // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object\n if (request.prompt !== PromptValue.SELECT_ACCOUNT) {\n // AAD will throw if prompt=select_account is passed with an account hint\n if (request.sid && request.prompt === PromptValue.NONE) {\n // SessionID is only used in silent calls\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Prompt is none, adding sid from request\"\n );\n parameterBuilder.addSid(request.sid);\n } else if (request.account) {\n const accountSid = this.extractAccountSid(request.account);\n let accountLoginHintClaim = this.extractLoginHint(\n request.account\n );\n\n if (accountLoginHintClaim && request.domainHint) {\n this.logger.warning(\n `AuthorizationCodeClient.createAuthCodeUrlQueryString: \"domainHint\" param is set, skipping opaque \"login_hint\" claim. Please consider not passing domainHint`\n );\n accountLoginHintClaim = null;\n }\n\n // If login_hint claim is present, use it over sid/username\n if (accountLoginHintClaim) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: login_hint claim present on account\"\n );\n parameterBuilder.addLoginHint(accountLoginHintClaim);\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n request.account.homeAccountId\n );\n parameterBuilder.addCcsOid(clientInfo);\n } catch (e) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header\"\n );\n }\n } else if (accountSid && request.prompt === PromptValue.NONE) {\n /*\n * If account and loginHint are provided, we will check account first for sid before adding loginHint\n * SessionId is only used in silent calls\n */\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Prompt is none, adding sid from account\"\n );\n parameterBuilder.addSid(accountSid);\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n request.account.homeAccountId\n );\n parameterBuilder.addCcsOid(clientInfo);\n } catch (e) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header\"\n );\n }\n } else if (request.loginHint) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Adding login_hint from request\"\n );\n parameterBuilder.addLoginHint(request.loginHint);\n parameterBuilder.addCcsUpn(request.loginHint);\n } else if (request.account.username) {\n // Fallback to account username if provided\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Adding login_hint from account\"\n );\n parameterBuilder.addLoginHint(request.account.username);\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n request.account.homeAccountId\n );\n parameterBuilder.addCcsOid(clientInfo);\n } catch (e) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header\"\n );\n }\n }\n } else if (request.loginHint) {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: No account, adding login_hint from request\"\n );\n parameterBuilder.addLoginHint(request.loginHint);\n parameterBuilder.addCcsUpn(request.loginHint);\n }\n } else {\n this.logger.verbose(\n \"createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints\"\n );\n }\n\n if (request.nonce) {\n parameterBuilder.addNonce(request.nonce);\n }\n\n if (request.state) {\n parameterBuilder.addState(request.state);\n }\n\n if (\n request.claims ||\n (this.config.authOptions.clientCapabilities &&\n this.config.authOptions.clientCapabilities.length > 0)\n ) {\n parameterBuilder.addClaims(\n request.claims,\n this.config.authOptions.clientCapabilities\n );\n }\n\n if (request.embeddedClientId) {\n parameterBuilder.addBrokerParameters({\n brokerClientId: this.config.authOptions.clientId,\n brokerRedirectUri: this.config.authOptions.redirectUri,\n });\n }\n\n this.addExtraQueryParams(request, parameterBuilder);\n\n if (request.nativeBroker) {\n // signal ests that this is a WAM call\n parameterBuilder.addNativeBroker();\n\n // pass the req_cnf for POP\n if (request.authenticationScheme === AuthenticationScheme.POP) {\n const popTokenGenerator = new PopTokenGenerator(\n this.cryptoUtils\n );\n\n // req_cnf is always sent as a string for SPAs\n let reqCnfData;\n if (!request.popKid) {\n const generatedReqCnfData = await invokeAsync(\n popTokenGenerator.generateCnf.bind(popTokenGenerator),\n PerformanceEvents.PopTokenGenerateCnf,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, this.logger);\n reqCnfData = generatedReqCnfData.reqCnfString;\n } else {\n reqCnfData = this.cryptoUtils.encodeKid(request.popKid);\n }\n parameterBuilder.addPopToken(reqCnfData);\n }\n }\n\n return parameterBuilder.createQueryString();\n }\n\n /**\n * This API validates the `EndSessionRequest` and creates a URL\n * @param request\n */\n private createLogoutUrlQueryString(\n request: CommonEndSessionRequest\n ): string {\n const parameterBuilder = new RequestParameterBuilder(\n request.correlationId,\n this.performanceClient\n );\n\n if (request.postLogoutRedirectUri) {\n parameterBuilder.addPostLogoutRedirectUri(\n request.postLogoutRedirectUri\n );\n }\n\n if (request.correlationId) {\n parameterBuilder.addCorrelationId(request.correlationId);\n }\n\n if (request.idTokenHint) {\n parameterBuilder.addIdTokenHint(request.idTokenHint);\n }\n\n if (request.state) {\n parameterBuilder.addState(request.state);\n }\n\n if (request.logoutHint) {\n parameterBuilder.addLogoutHint(request.logoutHint);\n }\n\n this.addExtraQueryParams(request, parameterBuilder);\n\n return parameterBuilder.createQueryString();\n }\n\n private addExtraQueryParams(\n request: CommonAuthorizationUrlRequest | CommonEndSessionRequest,\n parameterBuilder: RequestParameterBuilder\n ) {\n const hasRequestInstanceAware =\n request.extraQueryParameters &&\n request.extraQueryParameters.hasOwnProperty(\"instance_aware\");\n\n // Set instance_aware flag if config auth param is set\n if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {\n request.extraQueryParameters = request.extraQueryParameters || {};\n request.extraQueryParameters[\"instance_aware\"] = \"true\";\n }\n\n if (request.extraQueryParameters) {\n parameterBuilder.addExtraQueryParameters(\n request.extraQueryParameters\n );\n }\n }\n\n /**\n * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.\n * @param account\n */\n private extractAccountSid(account: AccountInfo): string | null {\n return account.idTokenClaims?.sid || null;\n }\n\n private extractLoginHint(account: AccountInfo): string | null {\n return account.idTokenClaims?.login_hint || null;\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n ClientConfiguration,\n isOidcProtocolMode,\n} from \"../config/ClientConfiguration.js\";\nimport { BaseClient } from \"./BaseClient.js\";\nimport { CommonRefreshTokenRequest } from \"../request/CommonRefreshTokenRequest.js\";\nimport { Authority } from \"../authority/Authority.js\";\nimport { ServerAuthorizationTokenResponse } from \"../response/ServerAuthorizationTokenResponse.js\";\nimport { RequestParameterBuilder } from \"../request/RequestParameterBuilder.js\";\nimport {\n GrantType,\n AuthenticationScheme,\n Errors,\n HeaderNames,\n} from \"../utils/Constants.js\";\nimport * as AADServerParamKeys from \"../constants/AADServerParamKeys.js\";\nimport { ResponseHandler } from \"../response/ResponseHandler.js\";\nimport { AuthenticationResult } from \"../response/AuthenticationResult.js\";\nimport { PopTokenGenerator } from \"../crypto/PopTokenGenerator.js\";\nimport { StringUtils } from \"../utils/StringUtils.js\";\nimport { RequestThumbprint } from \"../network/RequestThumbprint.js\";\nimport { NetworkResponse } from \"../network/NetworkResponse.js\";\nimport { CommonSilentFlowRequest } from \"../request/CommonSilentFlowRequest.js\";\nimport {\n createClientConfigurationError,\n ClientConfigurationErrorCodes,\n} from \"../error/ClientConfigurationError.js\";\nimport {\n createClientAuthError,\n ClientAuthErrorCodes,\n} from \"../error/ClientAuthError.js\";\nimport { ServerError } from \"../error/ServerError.js\";\nimport * as TimeUtils from \"../utils/TimeUtils.js\";\nimport { UrlString } from \"../url/UrlString.js\";\nimport { CcsCredentialType } from \"../account/CcsCredential.js\";\nimport { buildClientInfoFromHomeAccountId } from \"../account/ClientInfo.js\";\nimport {\n InteractionRequiredAuthError,\n InteractionRequiredAuthErrorCodes,\n createInteractionRequiredAuthError,\n} from \"../error/InteractionRequiredAuthError.js\";\nimport { PerformanceEvents } from \"../telemetry/performance/PerformanceEvent.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { invoke, invokeAsync } from \"../utils/FunctionWrappers.js\";\nimport { generateCredentialKey } from \"../cache/utils/CacheHelpers.js\";\nimport { ClientAssertion } from \"../account/ClientCredentials.js\";\nimport { getClientAssertion } from \"../utils/ClientAssertionUtils.js\";\n\nconst DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes\n\n/**\n * OAuth2.0 refresh token client\n * @internal\n */\nexport class RefreshTokenClient extends BaseClient {\n constructor(\n configuration: ClientConfiguration,\n performanceClient?: IPerformanceClient\n ) {\n super(configuration, performanceClient);\n }\n public async acquireToken(\n request: CommonRefreshTokenRequest\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.RefreshTokenClientAcquireToken,\n request.correlationId\n );\n\n const reqTimestamp = TimeUtils.nowSeconds();\n const response = await invokeAsync(\n this.executeTokenRequest.bind(this),\n PerformanceEvents.RefreshTokenClientExecuteTokenRequest,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, this.authority);\n\n // Retrieve requestId from response headers\n const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];\n const responseHandler = new ResponseHandler(\n this.config.authOptions.clientId,\n this.cacheManager,\n this.cryptoUtils,\n this.logger,\n this.config.serializableCache,\n this.config.persistencePlugin\n );\n responseHandler.validateTokenResponse(response.body);\n\n return invokeAsync(\n responseHandler.handleServerTokenResponse.bind(responseHandler),\n PerformanceEvents.HandleServerTokenResponse,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(\n response.body,\n this.authority,\n reqTimestamp,\n request,\n undefined,\n undefined,\n true,\n request.forceCache,\n requestId\n );\n }\n\n /**\n * Gets cached refresh token and attaches to request, then calls acquireToken API\n * @param request\n */\n public async acquireTokenByRefreshToken(\n request: CommonSilentFlowRequest\n ): Promise {\n // Cannot renew token if no request object is given.\n if (!request) {\n throw createClientConfigurationError(\n ClientConfigurationErrorCodes.tokenRequestEmpty\n );\n }\n\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken,\n request.correlationId\n );\n\n // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases\n if (!request.account) {\n throw createClientAuthError(\n ClientAuthErrorCodes.noAccountInSilentRequest\n );\n }\n\n // try checking if FOCI is enabled for the given application\n const isFOCI = this.cacheManager.isAppMetadataFOCI(\n request.account.environment\n );\n\n // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest\n if (isFOCI) {\n try {\n return await invokeAsync(\n this.acquireTokenWithCachedRefreshToken.bind(this),\n PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, true);\n } catch (e) {\n const noFamilyRTInCache =\n e instanceof InteractionRequiredAuthError &&\n e.errorCode ===\n InteractionRequiredAuthErrorCodes.noTokensFound;\n const clientMismatchErrorWithFamilyRT =\n e instanceof ServerError &&\n e.errorCode === Errors.INVALID_GRANT_ERROR &&\n e.subError === Errors.CLIENT_MISMATCH_ERROR;\n\n // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)\n if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {\n return invokeAsync(\n this.acquireTokenWithCachedRefreshToken.bind(this),\n PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, false);\n // throw in all other cases\n } else {\n throw e;\n }\n }\n }\n // fall back to application refresh token acquisition\n return invokeAsync(\n this.acquireTokenWithCachedRefreshToken.bind(this),\n PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, false);\n }\n\n /**\n * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached\n * @param request\n */\n private async acquireTokenWithCachedRefreshToken(\n request: CommonSilentFlowRequest,\n foci: boolean\n ) {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken,\n request.correlationId\n );\n\n // fetches family RT or application RT based on FOCI value\n const refreshToken = invoke(\n this.cacheManager.getRefreshToken.bind(this.cacheManager),\n PerformanceEvents.CacheManagerGetRefreshToken,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(\n request.account,\n foci,\n undefined,\n this.performanceClient,\n request.correlationId\n );\n\n if (!refreshToken) {\n throw createInteractionRequiredAuthError(\n InteractionRequiredAuthErrorCodes.noTokensFound\n );\n }\n\n if (\n refreshToken.expiresOn &&\n TimeUtils.isTokenExpired(\n refreshToken.expiresOn,\n request.refreshTokenExpirationOffsetSeconds ||\n DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS\n )\n ) {\n throw createInteractionRequiredAuthError(\n InteractionRequiredAuthErrorCodes.refreshTokenExpired\n );\n }\n // attach cached RT size to the current measurement\n\n const refreshTokenRequest: CommonRefreshTokenRequest = {\n ...request,\n refreshToken: refreshToken.secret,\n authenticationScheme:\n request.authenticationScheme || AuthenticationScheme.BEARER,\n ccsCredential: {\n credential: request.account.homeAccountId,\n type: CcsCredentialType.HOME_ACCOUNT_ID,\n },\n };\n\n try {\n return await invokeAsync(\n this.acquireToken.bind(this),\n PerformanceEvents.RefreshTokenClientAcquireToken,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(refreshTokenRequest);\n } catch (e) {\n if (\n e instanceof InteractionRequiredAuthError &&\n e.subError === InteractionRequiredAuthErrorCodes.badToken\n ) {\n // Remove bad refresh token from cache\n this.logger.verbose(\n \"acquireTokenWithRefreshToken: bad refresh token, removing from cache\"\n );\n const badRefreshTokenKey = generateCredentialKey(refreshToken);\n this.cacheManager.removeRefreshToken(badRefreshTokenKey);\n }\n\n throw e;\n }\n }\n\n /**\n * Constructs the network message and makes a NW call to the underlying secure token service\n * @param request\n * @param authority\n */\n private async executeTokenRequest(\n request: CommonRefreshTokenRequest,\n authority: Authority\n ): Promise> {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.RefreshTokenClientExecuteTokenRequest,\n request.correlationId\n );\n\n const queryParametersString = this.createTokenQueryParameters(request);\n const endpoint = UrlString.appendQueryString(\n authority.tokenEndpoint,\n queryParametersString\n );\n\n const requestBody = await invokeAsync(\n this.createTokenRequestBody.bind(this),\n PerformanceEvents.RefreshTokenClientCreateTokenRequestBody,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request);\n const headers: Record = this.createTokenRequestHeaders(\n request.ccsCredential\n );\n const thumbprint: RequestThumbprint = {\n clientId:\n request.tokenBodyParameters?.clientId ||\n this.config.authOptions.clientId,\n authority: authority.canonicalAuthority,\n scopes: request.scopes,\n claims: request.claims,\n authenticationScheme: request.authenticationScheme,\n resourceRequestMethod: request.resourceRequestMethod,\n resourceRequestUri: request.resourceRequestUri,\n shrClaims: request.shrClaims,\n sshKid: request.sshKid,\n };\n\n return invokeAsync(\n this.executePostToTokenEndpoint.bind(this),\n PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(\n endpoint,\n requestBody,\n headers,\n thumbprint,\n request.correlationId,\n PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint\n );\n }\n\n /**\n * Helper function to create the token request body\n * @param request\n */\n private async createTokenRequestBody(\n request: CommonRefreshTokenRequest\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.RefreshTokenClientCreateTokenRequestBody,\n request.correlationId\n );\n\n const correlationId = request.correlationId;\n const parameterBuilder = new RequestParameterBuilder(\n correlationId,\n this.performanceClient\n );\n\n parameterBuilder.addClientId(\n request.embeddedClientId ||\n request.tokenBodyParameters?.[AADServerParamKeys.CLIENT_ID] ||\n this.config.authOptions.clientId\n );\n\n if (request.redirectUri) {\n parameterBuilder.addRedirectUri(request.redirectUri);\n }\n\n parameterBuilder.addScopes(\n request.scopes,\n true,\n this.config.authOptions.authority.options.OIDCOptions?.defaultScopes\n );\n\n parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);\n\n parameterBuilder.addClientInfo();\n\n parameterBuilder.addLibraryInfo(this.config.libraryInfo);\n parameterBuilder.addApplicationTelemetry(\n this.config.telemetry.application\n );\n parameterBuilder.addThrottling();\n\n if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {\n parameterBuilder.addServerTelemetry(this.serverTelemetryManager);\n }\n\n parameterBuilder.addRefreshToken(request.refreshToken);\n\n if (this.config.clientCredentials.clientSecret) {\n parameterBuilder.addClientSecret(\n this.config.clientCredentials.clientSecret\n );\n }\n\n if (this.config.clientCredentials.clientAssertion) {\n const clientAssertion: ClientAssertion =\n this.config.clientCredentials.clientAssertion;\n\n parameterBuilder.addClientAssertion(\n await getClientAssertion(\n clientAssertion.assertion,\n this.config.authOptions.clientId,\n request.resourceRequestUri\n )\n );\n parameterBuilder.addClientAssertionType(\n clientAssertion.assertionType\n );\n }\n\n if (request.authenticationScheme === AuthenticationScheme.POP) {\n const popTokenGenerator = new PopTokenGenerator(\n this.cryptoUtils,\n this.performanceClient\n );\n\n let reqCnfData;\n if (!request.popKid) {\n const generatedReqCnfData = await invokeAsync(\n popTokenGenerator.generateCnf.bind(popTokenGenerator),\n PerformanceEvents.PopTokenGenerateCnf,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(request, this.logger);\n\n reqCnfData = generatedReqCnfData.reqCnfString;\n } else {\n reqCnfData = this.cryptoUtils.encodeKid(request.popKid);\n }\n\n // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)\n parameterBuilder.addPopToken(reqCnfData);\n } else if (request.authenticationScheme === AuthenticationScheme.SSH) {\n if (request.sshJwk) {\n parameterBuilder.addSshJwk(request.sshJwk);\n } else {\n throw createClientConfigurationError(\n ClientConfigurationErrorCodes.missingSshJwk\n );\n }\n }\n\n if (\n !StringUtils.isEmptyObj(request.claims) ||\n (this.config.authOptions.clientCapabilities &&\n this.config.authOptions.clientCapabilities.length > 0)\n ) {\n parameterBuilder.addClaims(\n request.claims,\n this.config.authOptions.clientCapabilities\n );\n }\n\n if (\n this.config.systemOptions.preventCorsPreflight &&\n request.ccsCredential\n ) {\n switch (request.ccsCredential.type) {\n case CcsCredentialType.HOME_ACCOUNT_ID:\n try {\n const clientInfo = buildClientInfoFromHomeAccountId(\n request.ccsCredential.credential\n );\n parameterBuilder.addCcsOid(clientInfo);\n } catch (e) {\n this.logger.verbose(\n \"Could not parse home account ID for CCS Header: \" +\n e\n );\n }\n break;\n case CcsCredentialType.UPN:\n parameterBuilder.addCcsUpn(\n request.ccsCredential.credential\n );\n break;\n }\n }\n\n if (request.embeddedClientId) {\n parameterBuilder.addBrokerParameters({\n brokerClientId: this.config.authOptions.clientId,\n brokerRedirectUri: this.config.authOptions.redirectUri,\n });\n }\n\n if (request.tokenBodyParameters) {\n parameterBuilder.addExtraQueryParameters(\n request.tokenBodyParameters\n );\n }\n\n return parameterBuilder.createQueryString();\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { BaseClient } from \"./BaseClient.js\";\nimport { ClientConfiguration } from \"../config/ClientConfiguration.js\";\nimport { CommonSilentFlowRequest } from \"../request/CommonSilentFlowRequest.js\";\nimport { AuthenticationResult } from \"../response/AuthenticationResult.js\";\nimport * as TimeUtils from \"../utils/TimeUtils.js\";\nimport { RefreshTokenClient } from \"./RefreshTokenClient.js\";\nimport {\n ClientAuthError,\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\nimport { ResponseHandler } from \"../response/ResponseHandler.js\";\nimport { CacheRecord } from \"../cache/entities/CacheRecord.js\";\nimport { CacheOutcome, OIDC_DEFAULT_SCOPES } from \"../utils/Constants.js\";\nimport { IPerformanceClient } from \"../telemetry/performance/IPerformanceClient.js\";\nimport { StringUtils } from \"../utils/StringUtils.js\";\nimport { checkMaxAge, extractTokenClaims } from \"../account/AuthToken.js\";\nimport { TokenClaims } from \"../account/TokenClaims.js\";\nimport { PerformanceEvents } from \"../telemetry/performance/PerformanceEvent.js\";\nimport { invokeAsync } from \"../utils/FunctionWrappers.js\";\nimport { getTenantFromAuthorityString } from \"../authority/Authority.js\";\n\n/** @internal */\nexport class SilentFlowClient extends BaseClient {\n constructor(\n configuration: ClientConfiguration,\n performanceClient?: IPerformanceClient\n ) {\n super(configuration, performanceClient);\n }\n\n /**\n * Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew\n * the given token and returns the renewed token\n * @param request\n */\n async acquireToken(\n request: CommonSilentFlowRequest\n ): Promise {\n try {\n const [authResponse, cacheOutcome] = await this.acquireCachedToken({\n ...request,\n scopes: request.scopes?.length\n ? request.scopes\n : [...OIDC_DEFAULT_SCOPES],\n });\n\n // if the token is not expired but must be refreshed; get a new one in the background\n if (cacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {\n this.logger.info(\n \"SilentFlowClient:acquireCachedToken - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed.\"\n );\n\n // refresh the access token in the background\n const refreshTokenClient = new RefreshTokenClient(\n this.config,\n this.performanceClient\n );\n\n refreshTokenClient\n .acquireTokenByRefreshToken(request)\n .catch(() => {\n // do nothing, this is running in the background and no action is to be taken upon success or failure\n });\n }\n\n // return the cached token\n return authResponse;\n } catch (e) {\n if (\n e instanceof ClientAuthError &&\n e.errorCode === ClientAuthErrorCodes.tokenRefreshRequired\n ) {\n const refreshTokenClient = new RefreshTokenClient(\n this.config,\n this.performanceClient\n );\n return refreshTokenClient.acquireTokenByRefreshToken(request);\n } else {\n throw e;\n }\n }\n }\n\n /**\n * Retrieves token from cache or throws an error if it must be refreshed.\n * @param request\n */\n async acquireCachedToken(\n request: CommonSilentFlowRequest\n ): Promise<[AuthenticationResult, CacheOutcome]> {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.SilentFlowClientAcquireCachedToken,\n request.correlationId\n );\n let lastCacheOutcome: CacheOutcome = CacheOutcome.NOT_APPLICABLE;\n\n if (\n request.forceRefresh ||\n (!this.config.cacheOptions.claimsBasedCachingEnabled &&\n !StringUtils.isEmptyObj(request.claims))\n ) {\n // Must refresh due to present force_refresh flag.\n this.setCacheOutcome(\n CacheOutcome.FORCE_REFRESH_OR_CLAIMS,\n request.correlationId\n );\n throw createClientAuthError(\n ClientAuthErrorCodes.tokenRefreshRequired\n );\n }\n\n // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases\n if (!request.account) {\n throw createClientAuthError(\n ClientAuthErrorCodes.noAccountInSilentRequest\n );\n }\n\n const requestTenantId =\n request.account.tenantId ||\n getTenantFromAuthorityString(request.authority);\n const tokenKeys = this.cacheManager.getTokenKeys();\n const cachedAccessToken = this.cacheManager.getAccessToken(\n request.account,\n request,\n tokenKeys,\n requestTenantId,\n this.performanceClient,\n request.correlationId\n );\n\n if (!cachedAccessToken) {\n // must refresh due to non-existent access_token\n this.setCacheOutcome(\n CacheOutcome.NO_CACHED_ACCESS_TOKEN,\n request.correlationId\n );\n throw createClientAuthError(\n ClientAuthErrorCodes.tokenRefreshRequired\n );\n } else if (\n TimeUtils.wasClockTurnedBack(cachedAccessToken.cachedAt) ||\n TimeUtils.isTokenExpired(\n cachedAccessToken.expiresOn,\n this.config.systemOptions.tokenRenewalOffsetSeconds\n )\n ) {\n // must refresh due to the expires_in value\n this.setCacheOutcome(\n CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED,\n request.correlationId\n );\n throw createClientAuthError(\n ClientAuthErrorCodes.tokenRefreshRequired\n );\n } else if (\n cachedAccessToken.refreshOn &&\n TimeUtils.isTokenExpired(cachedAccessToken.refreshOn, 0)\n ) {\n // must refresh (in the background) due to the refresh_in value\n lastCacheOutcome = CacheOutcome.PROACTIVELY_REFRESHED;\n\n // don't throw ClientAuthError.createRefreshRequiredError(), return cached token instead\n }\n\n const environment =\n request.authority || this.authority.getPreferredCache();\n const cacheRecord: CacheRecord = {\n account: this.cacheManager.readAccountFromCache(request.account),\n accessToken: cachedAccessToken,\n idToken: this.cacheManager.getIdToken(\n request.account,\n tokenKeys,\n requestTenantId,\n this.performanceClient,\n request.correlationId\n ),\n refreshToken: null,\n appMetadata:\n this.cacheManager.readAppMetadataFromCache(environment),\n };\n\n this.setCacheOutcome(lastCacheOutcome, request.correlationId);\n\n if (this.config.serverTelemetryManager) {\n this.config.serverTelemetryManager.incrementCacheHits();\n }\n\n return [\n await invokeAsync(\n this.generateResultFromCacheRecord.bind(this),\n PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord,\n this.logger,\n this.performanceClient,\n request.correlationId\n )(cacheRecord, request),\n lastCacheOutcome,\n ];\n }\n\n private setCacheOutcome(\n cacheOutcome: CacheOutcome,\n correlationId: string\n ): void {\n this.serverTelemetryManager?.setCacheOutcome(cacheOutcome);\n this.performanceClient?.addFields(\n {\n cacheOutcome: cacheOutcome,\n },\n correlationId\n );\n if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {\n this.logger.info(\n `Token refresh is required due to cache outcome: ${cacheOutcome}`\n );\n }\n }\n\n /**\n * Helper function to build response object from the CacheRecord\n * @param cacheRecord\n */\n private async generateResultFromCacheRecord(\n cacheRecord: CacheRecord,\n request: CommonSilentFlowRequest\n ): Promise {\n this.performanceClient?.addQueueMeasurement(\n PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord,\n request.correlationId\n );\n let idTokenClaims: TokenClaims | undefined;\n if (cacheRecord.idToken) {\n idTokenClaims = extractTokenClaims(\n cacheRecord.idToken.secret,\n this.config.cryptoInterface.base64Decode\n );\n }\n\n // token max_age check\n if (request.maxAge || request.maxAge === 0) {\n const authTime = idTokenClaims?.auth_time;\n if (!authTime) {\n throw createClientAuthError(\n ClientAuthErrorCodes.authTimeNotFound\n );\n }\n\n checkMaxAge(authTime, request.maxAge);\n }\n\n return ResponseHandler.generateAuthenticationResult(\n this.cryptoUtils,\n this.authority,\n cacheRecord,\n true,\n request,\n idTokenClaims\n );\n }\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n ClientAuthErrorCodes,\n createClientAuthError,\n} from \"../error/ClientAuthError.js\";\nimport { NetworkResponse } from \"./NetworkResponse.js\";\n\n/**\n * Options allowed by network request APIs.\n */\nexport type NetworkRequestOptions = {\n headers?: Record;\n body?: string;\n};\n\n/**\n * Client network interface to send backend requests.\n * @interface\n */\nexport interface INetworkModule {\n /**\n * Interface function for async network \"GET\" requests. Based on the Fetch standard: https://fetch.spec.whatwg.org/\n * @param url\n * @param requestParams\n * @param enableCaching\n */\n sendGetRequestAsync(\n url: string,\n options?: NetworkRequestOptions,\n timeout?: number\n ): Promise>;\n\n /**\n * Interface function for async network \"POST\" requests. Based on the Fetch standard: https://fetch.spec.whatwg.org/\n * @param url\n * @param requestParams\n * @param enableCaching\n */\n sendPostRequestAsync(\n url: string,\n options?: NetworkRequestOptions\n ): Promise>;\n}\n\nexport const StubbedNetworkModule: INetworkModule = {\n sendGetRequestAsync: () => {\n return Promise.reject(\n createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)\n );\n },\n sendPostRequestAsync: () => {\n return Promise.reject(\n createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)\n );\n },\n};\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nexport const missingKidError = \"missing_kid_error\";\nexport const missingAlgError = \"missing_alg_error\";\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { AuthError } from \"./AuthError.js\";\nimport * as JoseHeaderErrorCodes from \"./JoseHeaderErrorCodes.js\";\nexport { JoseHeaderErrorCodes };\n\nexport const JoseHeaderErrorMessages = {\n [JoseHeaderErrorCodes.missingKidError]:\n \"The JOSE Header for the requested JWT, JWS or JWK object requires a keyId to be configured as the 'kid' header claim. No 'kid' value was provided.\",\n [JoseHeaderErrorCodes.missingAlgError]:\n \"The JOSE Header for the requested JWT, JWS or JWK object requires an algorithm to be specified as the 'alg' header claim. No 'alg' value was provided.\",\n};\n\n/**\n * Error thrown when there is an error in the client code running on the browser.\n */\nexport class JoseHeaderError extends AuthError {\n constructor(errorCode: string, errorMessage?: string) {\n super(errorCode, errorMessage);\n this.name = \"JoseHeaderError\";\n\n Object.setPrototypeOf(this, JoseHeaderError.prototype);\n }\n}\n\n/** Returns JoseHeaderError object */\nexport function createJoseHeaderError(code: string): JoseHeaderError {\n return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);\n}\n","/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport {\n JoseHeaderErrorCodes,\n createJoseHeaderError,\n} from \"../error/JoseHeaderError.js\";\nimport { JsonWebTokenTypes } from \"../utils/Constants.js\";\n\nexport type JoseHeaderOptions = {\n typ?: JsonWebTokenTypes;\n alg?: string;\n kid?: string;\n};\n\n/** @internal */\nexport class JoseHeader {\n public typ?: JsonWebTokenTypes;\n public alg?: string;\n public kid?: string;\n\n constructor(options: JoseHeaderOptions) {\n this.typ = options.typ;\n this.alg = options.alg;\n this.kid = options.kid;\n }\n\n /**\n * Builds SignedHttpRequest formatted JOSE Header from the\n * JOSE Header options provided or previously set on the object and returns\n * the stringified header object.\n * Throws if keyId or algorithm aren't provided since they are required for Access Token Binding.\n * @param shrHeaderOptions\n * @returns\n */\n static getShrHeaderString(shrHeaderOptions: JoseHeaderOptions): string {\n // KeyID is required on the SHR header\n if (!shrHeaderOptions.kid) {\n throw createJoseHeaderError(JoseHeaderErrorCodes.missingKidError);\n }\n\n // Alg is required on the SHR header\n if (!shrHeaderOptions.alg) {\n throw createJoseHeaderError(JoseHeaderErrorCodes.missingAlgError);\n }\n\n const shrHeader = new JoseHeader({\n // Access Token PoP headers must have type pop, but the type header can be overriden for special cases\n typ: shrHeaderOptions.typ || JsonWebTokenTypes.Pop,\n kid: shrHeaderOptions.kid,\n alg: shrHeaderOptions.alg,\n });\n\n return JSON.stringify(shrHeader);\n }\n}\n"],"names":["AccountEntity","generateAccountId","this","homeAccountId","environment","join","Separators","CACHE_KEY_SEPARATOR","toLowerCase","generateAccountKey","generateAccountCacheKey","tenantId","realm","username","localAccountId","getAccountInfo","name","nativeAccountId","authorityType","tenantProfiles","Map","map","tenantProfile","isSingleTenant","accountInterface","homeTenantId","split","createAccount","accountDetails","authority","base64Decode","_clientInfo","_clientInfo2","_accountDetails$idTok","_accountDetails$idTok2","_accountDetails$idTok3","_accountDetails$idTok4","_accountDetails$idTok5","_accountDetails$idTok6","account","clientInfo","AuthorityType","Adfs","CacheAccountType","ADFS_ACCOUNT_TYPE","protocolMode","ProtocolMode","AAD","MSSTS_ACCOUNT_TYPE","GENERIC_ACCOUNT_TYPE","buildClientInfo","env","getPreferredCache","createClientAuthError","invalidCacheEnvironment","utid","getTenantIdFromIdTokenClaims","idTokenClaims","uid","oid","sub","preferredUsername","preferred_username","upn","email","emails","cloudGraphHostName","msGraphHost","buildTenantProfile","createFromAccountInfo","accountInfo","_accountInfo$tenantPr","Array","from","values","generateHomeAccountId","serverClientInfo","authType","logger","cryptoObj","Dsts","concat","e","warning","isAccountEntity","entity","hasOwnProperty","accountInfoIsEqual","accountA","accountB","compareClaims","claimsMatch","accountAClaims","accountBClaims","iat","nonce","TokenCacheContext","constructor","tokenCache","hasChanged","cache","cacheHasChanged","generateCredentialKey","credentialEntity","generateCredentialId","generateTarget","generateClaimsHash","generateScheme","createIdTokenEntity","idToken","clientId","credentialType","CredentialType","ID_TOKEN","secret","createAccessTokenEntity","accessToken","scopes","expiresOn","extExpiresOn","refreshOn","tokenType","userAssertionHash","keyId","requestedClaims","requestedClaimsHash","_atEntity$tokenType","_tokenClaims$cnf","atEntity","ACCESS_TOKEN","cachedAt","nowSeconds","toString","extendedExpiresOn","target","AuthenticationScheme","BEARER","ACCESS_TOKEN_WITH_AUTH_SCHEME","POP","tokenClaims","extractTokenClaims","cnf","kid","tokenClaimsCnfRequiredForSignedJwt","SSH","createRefreshTokenEntity","refreshToken","familyId","rtEntity","REFRESH_TOKEN","isCredentialEntity","isAccessTokenEntity","isIdTokenEntity","isRefreshTokenEntity","clientOrFamilyId","isServerTelemetryEntity","key","validateKey","indexOf","SERVER_TELEM_CONSTANTS","CACHE_KEY","validateEntity","isThrottlingEntity","ThrottlingConstants","THROTTLING_PREFIX","generateAppMetadataKey","_ref","APP_METADATA","isAppMetadataEntity","isAuthorityMetadataEntity","AUTHORITY_METADATA_CONSTANTS","generateAuthorityMetadataExpiresAt","REFRESH_TIME_SECONDS","updateAuthorityEndpointMetadata","authorityMetadata","updatedValues","fromNetwork","authorization_endpoint","token_endpoint","end_session_endpoint","issuer","endpointsFromNetwork","jwks_uri","updateCloudDiscoveryMetadata","aliases","preferred_cache","preferred_network","aliasesFromNetwork","isAuthorityMetadataExpired","metadata","expiresAt","CLIENT_ID","REDIRECT_URI","RESPONSE_TYPE","RESPONSE_MODE","GRANT_TYPE","CLAIMS","SCOPE","STATE","NONCE","PROMPT","CODE","CODE_CHALLENGE","CODE_CHALLENGE_METHOD","CODE_VERIFIER","CLIENT_REQUEST_ID","X_CLIENT_SKU","X_CLIENT_VER","X_CLIENT_OS","X_CLIENT_CPU","X_CLIENT_CURR_TELEM","X_CLIENT_LAST_TELEM","X_MS_LIB_CAPABILITY","X_APP_NAME","X_APP_VER","POST_LOGOUT_URI","ID_TOKEN_HINT","DEVICE_CODE","CLIENT_SECRET","CLIENT_ASSERTION","CLIENT_ASSERTION_TYPE","TOKEN_TYPE","REQ_CNF","OBO_ASSERTION","REQUESTED_TOKEN_USE","RETURN_SPA_CODE","NATIVE_BROKER","LOGOUT_HINT","SID","LOGIN_HINT","DOMAIN_HINT","X_CLIENT_EXTRA_SKU","BROKER_CLIENT_ID","BROKER_REDIRECT_URI","KeyLocation","PopTokenGenerator","cryptoUtils","performanceClient","generateCnf","request","_this$performanceClie","addQueueMeasurement","PerformanceEvents","PopTokenGenerateCnf","correlationId","reqCnf","invokeAsync","generateKid","bind","reqCnfString","base64UrlEncode","JSON","stringify","_this$performanceClie2","PopTokenGenerateKid","getPublicKeyThumbprint","xms_ksl","signPopToken","signPayload","payload","claims","resourceRequestMethod","resourceRequestUri","shrClaims","shrNonce","shrOptions","resourceUrlString","UrlString","undefined","resourceUrlComponents","getUrlComponents","signJwt","_objectSpread","at","ts","m","toUpperCase","u","HostNameAndPort","createNewGuid","p","AbsolutePath","q","QueryString","client_claims","AuthErrorMessages","unexpectedError","postRequestFailed","AuthError","Error","errorCode","errorMessage","suberror","super","Object","setPrototypeOf","prototype","Constants","EMPTY_STRING","subError","setCorrelationId","createAuthError","code","additionalMessage","CacheErrorMessages","cacheQuotaExceededErrorCode","cacheUnknownErrorCode","CacheError","message","ClientAuthErrorMessages","clientInfoDecodingError","clientInfoEmptyError","tokenParsingError","nullOrEmptyToken","endpointResolutionError","networkError","openIdConfigError","hashNotDeserialized","invalidState","stateMismatch","stateNotFound","nonceMismatch","authTimeNotFound","maxAgeTranspired","multipleMatchingTokens","multipleMatchingAccounts","multipleMatchingAppMetadata","requestCannotBeMade","cannotRemoveEmptyScope","cannotAppendScopeSet","emptyInputScopeSet","deviceCodePollingCancelled","deviceCodeExpired","deviceCodeUnknownError","noAccountInSilentRequest","invalidCacheRecord","noAccountFound","noCryptoObject","unexpectedCredentialType","invalidAssertion","invalidClientCredential","tokenRefreshRequired","userTimeoutReached","authorizationCodeMissingFromServerResponse","bindingKeyNotRemoved","endSessionEndpointNotSupported","keyIdMissing","noNetworkConnectivity","userCanceled","missingTenantIdError","methodNotImplemented","nestedAppAuthBridgeDisabled","ClientAuthError","ClientConfigurationErrorMessages","redirectUriEmpty","claimsRequestParsingError","authorityUriInsecure","urlParseError","urlEmptyError","emptyInputScopesError","invalidPromptValue","invalidClaims","tokenRequestEmpty","logoutRequestEmpty","invalidCodeChallengeMethod","pkceParamsMissing","invalidCloudDiscoveryMetadata","invalidAuthorityMetadata","untrustedAuthority","missingSshJwk","missingSshKid","missingNonceAuthenticationHeader","invalidAuthenticationHeader","cannotSetOIDCOptions","cannotAllowNativeBroker","authorityMismatch","ClientConfigurationError","createClientConfigurationError","InteractionRequiredServerErrorMessage","interactionRequired","consentRequired","loginRequired","badToken","InteractionRequiredAuthSubErrorMessage","InteractionRequiredAuthErrorMessages","noTokensFound","nativeAccountUnavailable","refreshTokenExpired","InteractionRequiredAuthError","timestamp","traceId","errorNo","isInteractionRequiredError","errorString","isInteractionRequiredErrorCode","isInteractionRequiredSubError","isInteractionRequiredErrorDesc","some","irErrorCode","createInteractionRequiredAuthError","ServerError","status","DEFAULT_CRYPTO_IMPLEMENTATION","base64Encode","encodeKid","removeTokenBindingKey","clearKeystore","hashString","LogLevel","Logger","loggerOptions","packageName","packageVersion","level","Info","setLoggerOptions","createDefaultLoggerOptions","localCallback","loggerCallback","defaultLoggerCallback","piiLoggingEnabled","logLevel","clone","logMessage","options","containsPii","Date","toUTCString","logHeader","log","executeCallback","error","errorPii","Warning","warningPii","info","infoPii","verbose","Verbose","verbosePii","trace","Trace","tracePii","isPiiLoggingEnabled","CacheManager","cryptoImpl","staticAuthorityOptions","commonLogger","version","getAllAccounts","accountFilter","buildTenantProfiles","getAccountsFilteredBy","getAccountInfoFilteredBy","allAccounts","length","sort","getBaseAccountInfo","accountEntities","cachedAccounts","flatMap","accountEntity","getTenantProfilesFromAccountEntity","getTenantedAccountInfoByFilter","tokenKeys","tenantProfileFilter","tenantedAccountInfo","tenantProfileMatchesFilter","getIdToken","idTokenClaimsMatchTenantProfileFilter","updateAccountTenantProfileData","targetTenantId","searchTenantProfiles","getTokenKeys","get","matchingTenantProfiles","forEach","push","matchLocalAccountIdFromTenantProfile","isHomeTenant","matchLocalAccountIdFromTokenClaims","loginHint","matchLoginHintFromTokenClaims","matchUsername","matchName","sid","matchSid","saveCacheRecord","cacheRecord","storeInCache","setAccount","setIdTokenCredential","saveAccessToken","setRefreshTokenCredential","appMetadata","setAppMetadata","_this$commonLogger","_this$commonLogger4","_this$commonLogger2","_this$commonLogger3","includes","credential","accessTokenFilter","currentScopes","ScopeSet","fromString","removedAccessTokens","accessTokenKeyMatchesFilter","tokenEntity","getAccessTokenCredential","credentialMatchesFilter","intersectingScopeSets","removeAccessToken","Promise","all","setAccessTokenCredential","allAccountKeys","getAccountKeys","matchingAccounts","cacheKey","_entity$tenantProfile","isAccountKey","getAccount","matchHomeAccountId","matchEnvironment","matchRealm","matchNativeAccountId","matchAuthorityType","filter","isCredentialKey","lowerCaseKey","clientIdValidation","familyIdValidation","THE_FAMILY_ID","matchClientId","matchUserAssertionHash","matchCredentialType","matchFamilyId","matchTarget","matchTokenType","matchKeyId","getAppMetadataFilteredBy","allCacheKeys","getKeys","matchingAppMetadata","isAppMetadata","getAppMetadata","getAuthorityMetadataByAlias","host","getAuthorityMetadataKeys","matchedEntity","isAuthorityMetadata","getAuthorityMetadata","removeAllAccounts","removedAccounts","removeAccount","accountKey","removeAccountContext","removeItem","allTokenKeys","accountId","removedCredentials","removeIdToken","removeRefreshToken","updateOutdatedCachedAccount","_this$commonLogger5","matchingAccountKeys","startsWith","accountsToMerge","getCachedAccountEntity","baseAccount","find","tenantIdMatchesHomeTenant","updatedAccount","toObject","newAccountKey","removeOutdatedAccount","removeAppMetadata","readAccountFromCache","targetRealm","idTokenFilter","idTokenMap","getIdTokensByFilter","numIdTokens","size","tokensToBeRemoved","homeIdTokenMap","set","numHomeIdTokens","next","value","addFields","multiMatchedID","idTokenKeys","idTokens","idTokenKeyMatchesFilter","getIdTokenCredential","inputKey","getAccessToken","createSearchScopes","authScheme","authenticationScheme","sshKid","accessTokenKeys","accessTokens","numAccessTokens","multiMatchedAT","keyMustContainAllScopes","asArray","i","getAccessTokensByFilter","getRefreshToken","familyRT","id","refreshTokenFilter","refreshTokenKeys","refreshTokens","refreshTokenKeyMatchesFilter","getRefreshTokenCredential","numRefreshTokens","multiMatchedRT","readAppMetadataFromCache","appMetadataFilter","appMetadataEntries","keys","numAppMetadata","isAppMetadataFOCI","_claims$name","cachedUsername","filterUsername","staticAliases","getAliasesFromStaticSources","cloudMetadata","_entity$realm","login_hint","containsScopeSet","generateAuthorityMetadataCacheKey","obj","json","propertyName","DefaultStorageClass","setServerTelemetry","getServerTelemetry","setAuthorityMetadata","setThrottlingCache","getThrottlingCache","updateCredentialCacheKey","DEFAULT_SYSTEM_OPTIONS","tokenRenewalOffsetSeconds","DEFAULT_TOKEN_RENEWAL_OFFSET_SEC","preventCorsPreflight","DEFAULT_LOGGER_IMPLEMENTATION","DEFAULT_CACHE_OPTIONS","claimsBasedCachingEnabled","DEFAULT_NETWORK_IMPLEMENTATION","sendGetRequestAsync","sendPostRequestAsync","DEFAULT_LIBRARY_INFO","sku","SKU","cpu","os","DEFAULT_CLIENT_CREDENTIALS","clientSecret","clientAssertion","DEFAULT_AZURE_CLOUD_OPTIONS","azureCloudInstance","AzureCloudInstance","None","tenant","DEFAULT_COMMON_TENANT","DEFAULT_TELEMETRY_OPTIONS","application","appName","appVersion","isOidcProtocolMode","config","authOptions","OIDC","ThrottlingUtils","generateThrottlingStorageKey","thumbprint","preProcess","cacheManager","_value$errorCodes","throttleTime","now","errorCodes","postProcess","response","checkResponseStatus","checkResponseForRetryAfter","thumbprintValue","calculateThrottleTime","parseInt","headers","HeaderNames","RETRY_AFTER","body","error_codes","error_description","time","currentSeconds","Math","floor","min","DEFAULT_THROTTLE_TIME_SECONDS","DEFAULT_MAX_THROTTLE_TIME_SECONDS","removeThrottle","homeAccountIdentifier","NetworkError","httpStatus","responseHeaders","createNetworkError","BaseClient","configuration","userAuthOptions","systemOptions","userSystemOptions","userLoggerOption","cacheOptions","userCacheOptions","storageInterface","storageImplementation","networkInterface","networkImplementation","cryptoInterface","cryptoImplementation","clientCredentials","libraryInfo","telemetry","serverTelemetryManager","persistencePlugin","serializableCache","clientCapabilities","azureCloudOptions","skipAuthorityMetadataCache","instanceAware","buildClientConfiguration","networkClient","createTokenRequestHeaders","ccsCred","CONTENT_TYPE","URL_FORM_CONTENT_TYPE","type","CcsCredentialType","HOME_ACCOUNT_ID","buildClientInfoFromHomeAccountId","CCS_HEADER","UPN","executePostToTokenEndpoint","tokenEndpoint","queryString","queuedEvent","sendPostRequest","clearTelemetryCache","_response$body$refres","NetworkClientSendPostRequestAsync","refreshTokenSize","refresh_token","httpVerToken","X_MS_HTTP_VERSION","requestId","X_MS_REQUEST_ID","_this$performanceClie3","contentTypeHeader","contentLengthHeader","CONTENT_LENGTH","updateAuthority","cloudInstanceHostname","_this$performanceClie4","UpdateTokenEndpointAuthority","cloudInstanceAuthorityUri","cloudInstanceAuthority","createDiscoveredInstance","createTokenQueryParameters","parameterBuilder","RequestParameterBuilder","embeddedClientId","addBrokerParameters","brokerClientId","brokerRedirectUri","redirectUri","tokenQueryParameters","addExtraQueryParameters","addCorrelationId","createQueryString","AuthorizationCodeClient","_this$config$authOpti","includeRedirectUri","oidcDefaultScopes","OIDCOptions","defaultScopes","getAuthCodeUrl","GetAuthCodeUrl","createAuthCodeUrlQueryString","AuthClientCreateQueryString","appendQueryString","authorizationEndpoint","acquireToken","authCodePayload","_response$headers","AuthClientAcquireToken","reqTimestamp","executeTokenRequest","AuthClientExecuteTokenRequest","responseHandler","ResponseHandler","validateTokenResponse","handleServerTokenResponse","HandleServerTokenResponse","handleFragmentResponse","serverParams","cachedState","validateServerAuthorizationCodeResponse","getLogoutUri","logoutRequest","createLogoutUrlQueryString","endSessionEndpoint","_request$tokenBodyPar","queryParametersString","endpoint","requestBody","createTokenRequestBody","AuthClientCreateTokenRequestBody","ccsCredential","CLIENT_INFO_SEPARATOR","tokenBodyParameters","canonicalAuthority","AuthorizationCodeClientExecutePostToTokenEndpoint","_request$tokenBodyPar2","addClientId","addRedirectUri","RequestValidator","validateRedirectUri","addScopes","addAuthorizationCode","addLibraryInfo","addApplicationTelemetry","addThrottling","addServerTelemetry","codeVerifier","addCodeVerifier","addClientSecret","addClientAssertion","getClientAssertion","assertion","addClientAssertionType","assertionType","addGrantType","GrantType","AUTHORIZATION_CODE_GRANT","addClientInfo","popTokenGenerator","reqCnfData","popKid","addPopToken","sshJwk","addSshJwk","StringUtils","isEmptyObj","addClaims","addCcsOid","addCcsUpn","enableSpaAuthorizationCode","_this$performanceClie5","_request$extraQueryPa","extraQueryParameters","requestScopes","extraScopesToConsent","addResponseMode","responseMode","addResponseTypeCode","codeChallenge","codeChallengeMethod","addCodeChallengeParams","prompt","addPrompt","domainHint","addDomainHint","PromptValue","SELECT_ACCOUNT","NONE","addSid","accountSid","extractAccountSid","accountLoginHintClaim","extractLoginHint","addLoginHint","addNonce","state","addState","addExtraQueryParams","nativeBroker","addNativeBroker","postLogoutRedirectUri","addPostLogoutRedirectUri","idTokenHint","addIdTokenHint","logoutHint","addLogoutHint","_account$idTokenClaim","_account$idTokenClaim2","RefreshTokenClient","RefreshTokenClientAcquireToken","RefreshTokenClientExecuteTokenRequest","forceCache","acquireTokenByRefreshToken","RefreshTokenClientAcquireTokenByRefreshToken","acquireTokenWithCachedRefreshToken","RefreshTokenClientAcquireTokenWithCachedRefreshToken","noFamilyRTInCache","clientMismatchErrorWithFamilyRT","Errors","INVALID_GRANT_ERROR","CLIENT_MISMATCH_ERROR","foci","invoke","CacheManagerGetRefreshToken","isTokenExpired","refreshTokenExpirationOffsetSeconds","refreshTokenRequest","badRefreshTokenKey","RefreshTokenClientCreateTokenRequestBody","RefreshTokenClientExecutePostToTokenEndpoint","REFRESH_TOKEN_GRANT","addRefreshToken","SilentFlowClient","_request$scopes","authResponse","cacheOutcome","acquireCachedToken","OIDC_DEFAULT_SCOPES","CacheOutcome","PROACTIVELY_REFRESHED","catch","SilentFlowClientAcquireCachedToken","lastCacheOutcome","NOT_APPLICABLE","forceRefresh","setCacheOutcome","FORCE_REFRESH_OR_CLAIMS","requestTenantId","getTenantFromAuthorityString","cachedAccessToken","NO_CACHED_ACCESS_TOKEN","wasClockTurnedBack","CACHED_ACCESS_TOKEN_EXPIRED","incrementCacheHits","generateResultFromCacheRecord","SilentFlowClientGenerateResultFromCacheRecord","_this$serverTelemetry","maxAge","_idTokenClaims","authTime","auth_time","checkMaxAge","generateAuthenticationResult","StubbedNetworkModule","reject","missingKidError","missingAlgError","JoseHeaderErrorMessages","JoseHeaderError","createJoseHeaderError","JoseHeader","typ","alg","getShrHeaderString","shrHeaderOptions","shrHeader","JsonWebTokenTypes","Pop"],"sourceRoot":""}