From 2256ec248bf7fcfd09ecba6aeb4083687bba9e52 Mon Sep 17 00:00:00 2001
From: Hugo David-Boyet <hugodb@amazon.com>
Date: Mon, 11 Nov 2019 17:03:50 +0100
Subject: [PATCH] Add cognito-at-edge library

---
 .eslintrc.json          |  21 +++
 .gitignore              |   3 +
 README.md               |  70 +++++++-
 __tests__/index.test.js | 346 ++++++++++++++++++++++++++++++++++++++++
 doc/architecture.png    | Bin 0 -> 32245 bytes
 index.js                | 227 ++++++++++++++++++++++++++
 package.json            |  41 +++++
 7 files changed, 701 insertions(+), 7 deletions(-)
 create mode 100644 .eslintrc.json
 create mode 100644 .gitignore
 create mode 100644 __tests__/index.test.js
 create mode 100644 doc/architecture.png
 create mode 100644 index.js
 create mode 100644 package.json

diff --git a/.eslintrc.json b/.eslintrc.json
new file mode 100644
index 0000000..b91696c
--- /dev/null
+++ b/.eslintrc.json
@@ -0,0 +1,21 @@
+{
+  "env": {
+    "es6": true,
+    "node": true,
+    "amd": true,
+    "jest": true
+  },
+  "extends": "eslint:recommended",
+  "parserOptions": {
+    "ecmaVersion": 2018
+  },
+  "rules": {
+    "indent": ["error", 2],
+    "linebreak-style": ["error", "unix"],
+    "quotes": ["error", "single", { "avoidEscape": true }],
+    "camelcase": [2, { "properties": "never" }],
+    "semi": ["error", "always"],
+    "comma-dangle": ["error", "always-multiline"],
+    "no-console": "off"
+  }
+}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..200aa91
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+node_modules
+package-lock.json
+output-template.yml
diff --git a/README.md b/README.md
index 8f46b7c..735343f 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,69 @@
-## My Project
+## cognito-at-edge
+*Serverless authentication solution to protect your website or Amplify application.*
 
-TODO: Fill this README out!
+![Architecture](./doc/architecture.png)
+This NodeJS library authenticate CloudFront requests with Lambda@Edge based and a Cognito UserPool.
 
-Be sure to:
+### Requirements
+* NodeJS v10+ (install with [NVM](https://github.com/nvm-sh/nvm))
+* aws-cli installed and configured ([installation guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html))
 
-* Change the title in this README
-* Edit your repository description on GitHub
+### Usage
 
-## License
+Install the `cognito-at-edge` package:
+```
+npm install --save cognito-at-edge
+```
 
-This project is licensed under the Apache-2.0 License.
+Create the a Lambda@Edge function with the following content and modify the parameters based on your configuration:
+```
+const { Authenticator } = require('cognito-at-edge');
+
+const authenticator = new Authenticator({
+  region: 'us-east-1', // user pool region
+  userPoolId: 'us-east-1_tyo1a1FHH',
+  userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6',
+  userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com',
+  logLevel: 'error',
+});
+
+exports.handler = async (request) => authenticator.handle(request);
+```
+
+**Every `request` will be authenticated by the `Authenticator.handle` function.**
+
+### Getting started
+
+Based on your requirements you can use of the solution below. They all provide the complete infrastructure leveraging `cognito-at-edge` to protect a website or an Amplify application.
+
+*WIP*
 
+
+### Reference
+#### Authenticator Class
+##### Authenticator(params)
+* `params` *Object* Authenticator parameters:
+  * `region` *string* Cognito UserPool region (eg: `us-east-1`)
+  * `userPoolId` *string* Cognito UserPool ID (eg: `us-east-1_tyo1a1FHH`)
+  * `userPoolAppId` *string* Cognito UserPool Application ID (eg: `63gcbm2jmskokurt5ku9fhejc6`)
+  * `userPoolDomain` *string* Cognito UserPool domain (eg: `your-domain.auth.us-east-1.amazoncognito.com`)
+  * `cookieExpirationDays` *number* (Optional) Number of day to set cookies expiration date, default to 365 days (eg: `365`)
+  * `logLevel` *string* (Optional) Logging level. Default: `'silent'`. One of `'fatal'`, `'error'`, `'warn'`, `'info'`, `'debug'`, `'trace'` or `'silent'`.
+
+*This is the class constructor.*
+
+##### handle(request)
+* `request` *Object* Lambda@Edge request Object
+  * cf AWS doc for details: [Lambda@Edge events](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html)
+
+Use it as your Lambda Handler. It will authenticate each query.
+```
+const authenticator = new Authenticator( ... );
+exports.handler = async (request) => authenticator.handle(request);
+```
+
+### Contact
+Please fill an issue in the Github repository ([Open issues](https://github.com/awslabs/cognito-at-edge/issues)).
+
+## License
+This project is licensed under the Apache-2.0 License.
diff --git a/__tests__/index.test.js b/__tests__/index.test.js
new file mode 100644
index 0000000..d299f39
--- /dev/null
+++ b/__tests__/index.test.js
@@ -0,0 +1,346 @@
+const axios = require('axios');
+const jwt = require('jsonwebtoken');
+
+jest.mock('axios');
+jest.mock('jwk-to-pem');
+jest.mock('jsonwebtoken');
+
+const { Authenticator } = require('../index');
+
+const DATE = new Date('2017');
+global.Date = class extends Date {
+  constructor() {
+    return DATE;
+  }
+};
+
+describe('private functions', () => {
+  let authenticator;
+
+  beforeEach(() => {
+    authenticator = new Authenticator({
+      region: 'us-east-1',
+      userPoolId: 'us-east-1_abcdef123',
+      userPoolAppId: '123456789qwertyuiop987abcd',
+      userPoolDomain: 'my-cognito-domain.auth.us-east-1.amazoncognito.com',
+      cookieExpirationDays: 365,
+      logLevel: 'error',
+    });
+  });
+
+  test('JWKS should be false by default', () => {
+    expect(authenticator._jwks).toBeFalsy();
+  });
+
+  test('should fetch JWKS', () => {
+    axios.get.mockResolvedValue({ data: jwksData });
+    return authenticator._fetchJWKS('http://something')
+      .then(() => {
+        expect(authenticator._jwks).toEqual({
+          '1234example=': { 'kid': '1234example=', 'alg': 'RS256', 'kty': 'RSA', 'e': 'AQAB', 'n': '1234567890', 'use': 'sig' },
+          '5678example=': { 'kid': '5678example=', 'alg': 'RS256', 'kty': 'RSA', 'e': 'AQAB', 'n': '987654321', 'use': 'sig' },
+        });
+      });
+  });
+
+  test('should get valid decoded token', () => {
+    authenticator._jwks = {};
+    jwt.decode.mockReturnValueOnce({ header: { kid: 'kid' } });
+    jwt.verify.mockReturnValueOnce({ token_use: 'id', attribute: 'valid' });
+    expect(authenticator._getVerifiedToken('valid-token')).toEqual({ token_use: 'id', attribute: 'valid' });
+  });
+
+  test('should fetch token', () => {
+    axios.request.mockResolvedValue({ data: tokenData });
+
+    return authenticator._fetchTokensFromCode('htt://redirect', 'AUTH_CODE')
+      .then(res => {
+        expect(res).toEqual(tokenData);
+      });
+  });
+
+  test('should getRedirectResponse', () => {
+    const username = 'toto';
+    const domain = 'example.com';
+    const path = '/test';
+    jest.spyOn(authenticator, '_getVerifiedToken');
+    authenticator._getVerifiedToken.mockReturnValueOnce({ token_use: 'id', 'cognito:username': username });
+
+    const response = authenticator._getRedirectResponse(tokenData, domain, path);
+    expect(response).toMatchObject({
+      status: '302',
+      headers: {
+        location: [{
+          key: 'Location',
+          value: path,
+        }],
+      },
+    });
+    expect(response.headers['set-cookie']).toEqual(expect.arrayContaining([
+      {key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.accessToken=${tokenData.access_token}; Domain=${domain}; Expires=${DATE}; Secure`},
+      {key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.refreshToken=${tokenData.refresh_token}; Domain=${domain}; Expires=${DATE}; Secure`},
+      {key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.tokenScopesString=phone email profile openid aws.cognito.signin.user.admin; Domain=${domain}; Expires=${DATE}; Secure`},
+      {key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.idToken=${tokenData.id_token}; Domain=${domain}; Expires=${DATE}; Secure`},
+      {key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.LastAuthUser=${username}; Domain=${domain}; Expires=${DATE}; Secure`},
+    ]));
+    expect(authenticator._getVerifiedToken).toHaveBeenCalled();
+  });
+
+  test('should getIdTokenFromCookie', () => {
+    expect(
+      authenticator._getIdTokenFromCookie([{
+        key: 'Cookie',
+        value: `CognitoIdentityServiceProvider.5uka3k8840tap1g1i1617jh8pi.MyFederation_toto123.idToken=wrong; CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.MyFederation_toto123.idToken=${tokenData.id_token}; CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.MyFederation_toto123.idToken=${tokenData.id_token}; CognitoIdentityServiceProvider.5ukasw8840tap1g1i1617jh8pi.MyFederation_toto123.idToken=wrong;`,
+      }]),
+    ).toBe(tokenData.id_token);
+  });
+
+  test('should getIdTokenFromCookie throw on cookies', () => {
+    expect(() => authenticator._getIdTokenFromCookie()).toThrow('Id token');
+    expect(() => authenticator._getIdTokenFromCookie('')).toThrow('Id token');
+    expect(() => authenticator._getIdTokenFromCookie([])).toThrow('Id token');
+  });
+});
+
+describe('createAuthenticator', () => {
+  let params;
+
+  beforeEach(() => {
+    params = {
+      region: 'us-east-1',
+      userPoolId: 'us-east-1_abcdef123',
+      userPoolAppId: '123456789qwertyuiop987abcd',
+      userPoolDomain: 'my-cognito-domain.auth.us-east-1.amazoncognito.com',
+      cookieExpirationDays: 365,
+    };
+  });
+
+  test('should create authenticator', () => {
+    expect(typeof new Authenticator(params)).toBe('object');
+  });
+
+  test('should create authenticator without cookieExpirationDay', () => {
+    delete params.cookieExpirationDays;
+    expect(typeof new Authenticator(params)).toBe('object');
+  });
+
+  test('should fail when creating authenticator without params', () => {
+    expect(() => new Authenticator()).toThrow('Expected params');
+    expect(() => new Authenticator()).toThrow('Expected params');
+  });
+
+  test('should fail when creating authenticator without region', () => {
+    delete params.region;
+    expect(() => new Authenticator(params)).toThrow('region');
+  });
+
+  test('should fail when creating authenticator without userPoolId', () => {
+    delete params.userPoolId;
+    expect(() => new Authenticator(params)).toThrow('userPoolId');
+  });
+
+  test('should fail when creating authenticator without userPoolAppId', () => {
+    delete params.userPoolAppId;
+    expect(() => new Authenticator(params)).toThrow('userPoolAppId');
+  });
+
+  test('should fail when creating authenticator without userPoolDomain', () => {
+    delete params.userPoolDomain;
+    expect(() => new Authenticator(params)).toThrow('userPoolDomain');
+  });
+
+  test('should fail when creating authenticator with invalid region', () => {
+    params.region = 123;
+    expect(() => new Authenticator(params)).toThrow('region');
+  });
+
+  test('should fail when creating authenticator with invalid userPoolId', () => {
+    params.userPoolId = 123;
+    expect(() => new Authenticator(params)).toThrow('userPoolId');
+  });
+
+  test('should fail when creating authenticator with invalid userPoolAppId', () => {
+    params.userPoolAppId = 123;
+    expect(() => new Authenticator(params)).toThrow('userPoolAppId');
+  });
+
+  test('should fail when creating authenticator with invalid userPoolDomain', () => {
+    params.userPoolDomain = 123;
+    expect(() => new Authenticator(params)).toThrow('userPoolDomain');
+  });
+
+  test('should fail when creating authenticator with invalid cookieExpirationDay', () => {
+    params.cookieExpirationDays = '123';
+    expect(() => new Authenticator(params)).toThrow('cookieExpirationDays');
+  });
+});
+
+describe('handle', () => {
+  let authenticator;
+
+  beforeEach(() => {
+    authenticator = new Authenticator({
+      region: 'us-east-1',
+      userPoolId: 'us-east-1_abcdef123',
+      userPoolAppId: '123456789qwertyuiop987abcd',
+      userPoolDomain: 'my-cognito-domain.auth.us-east-1.amazoncognito.com',
+      cookieExpirationDays: 365,
+      logLevel: 'debug',
+    });
+    authenticator._jwks = jwksData;
+    jest.spyOn(authenticator, '_fetchJWKS');
+    jest.spyOn(authenticator, '_getVerifiedToken');
+    jest.spyOn(authenticator, '_getIdTokenFromCookie');
+    jest.spyOn(authenticator, '_fetchTokensFromCode');
+    jest.spyOn(authenticator, '_getRedirectResponse');
+  });
+
+  test('should fetch JWKS if not present', () => {
+    authenticator._jwks = undefined;
+    authenticator._fetchJWKS.mockResolvedValueOnce(jwksData);
+    return authenticator.handle(getCloudfrontRequest())
+      .catch(err => err)
+      .finally(() => expect(authenticator._fetchJWKS).toHaveBeenCalled());
+  });
+
+  test('should forward request if authenticated', () => {
+    authenticator._getVerifiedToken.mockReturnValueOnce({});
+    return expect(authenticator.handle(getCloudfrontRequest())).resolves.toEqual(getCloudfrontRequest().Records[0].cf.request)
+      .then(() => {
+        expect(authenticator._getIdTokenFromCookie).toHaveBeenCalled();
+        expect(authenticator._getVerifiedToken).toHaveBeenCalled();
+      });
+  });
+
+  test('should fetch and set token if code is present', () => {
+    authenticator._getVerifiedToken.mockImplementationOnce(() => { throw new Error();});
+    authenticator._fetchTokensFromCode.mockResolvedValueOnce(tokenData);
+    authenticator._getRedirectResponse.mockReturnValueOnce({ response: 'toto' });
+    const request = getCloudfrontRequest();
+    request.Records[0].cf.request.querystring = 'code=54fe5f4e&state=/lol';
+    return expect(authenticator.handle(request)).resolves.toEqual({ response: 'toto' })
+      .then(() => {
+        expect(authenticator._getVerifiedToken).toHaveBeenCalled();
+        expect(authenticator._fetchTokensFromCode).toHaveBeenCalled();
+        expect(authenticator._getRedirectResponse).toHaveBeenCalledWith(tokenData, 'd111111abcdef8.cloudfront.net', '/lol');
+      });
+  });
+
+  test('should redirect to auth domain if unauthenticated and no code', () => {
+    authenticator._getVerifiedToken.mockImplementationOnce(() => { throw new Error();});
+    return expect(authenticator.handle(getCloudfrontRequest())).resolves.toEqual(
+      {
+        status: 302,
+        headers: {
+          location: [{
+            key: 'Location',
+            value: 'https://my-cognito-domain.auth.us-east-1.amazoncognito.com/authorize?redirect_uri=https://d111111abcdef8.cloudfront.net&response_type=code&client_id=123456789qwertyuiop987abcd&state=/lol',
+          }],
+        },
+      },
+    )
+      .then(() => {
+        expect(authenticator._getVerifiedToken).toHaveBeenCalled();
+      });
+  });
+});
+
+/* eslint-disable quotes, comma-dangle */
+
+const jwksData = {
+  "keys": [
+    { "kid": "1234example=", "alg": "RS256", "kty": "RSA", "e": "AQAB", "n": "1234567890", "use": "sig" },
+    { "kid": "5678example=", "alg": "RS256", "kty": "RSA", "e": "AQAB", "n": "987654321", "use": "sig" },
+  ]
+};
+
+const tokenData = {
+  "access_token":"eyJz9sdfsdfsdfsd",
+  "refresh_token":"dn43ud8uj32nk2je",
+  "id_token":"dmcxd329ujdmkemkd349r",
+  "token_type":"Bearer",
+  'expires_in':3600,
+};
+
+const getCloudfrontRequest = () => ({
+  "Records": [
+    {
+      "cf": {
+        "config": {
+          "distributionDomainName": "d123.cloudfront.net",
+          "distributionId": "EDFDVBD6EXAMPLE",
+          "eventType": "viewer-request",
+          "requestId": "MRVMF7KydIvxMWfJIglgwHQwZsbG2IhRJ07sn9AkKUFSHS9EXAMPLE=="
+        },
+        "request": {
+          "body": {
+            "action": "read-only",
+            "data": "eyJ1c2VybmFtZSI6IkxhbWJkYUBFZGdlIiwiY29tbWVudCI6IlRoaXMgaXMgcmVxdWVzdCBib2R5In0=",
+            "encoding": "base64",
+            "inputTruncated": false
+          },
+          "clientIp": "2001:0db8:85a3:0:0:8a2e:0370:7334",
+          "querystring": "",
+          "uri": "/lol",
+          "method": "GET",
+          "headers": {
+            "host": [
+              {
+                "key": "Host",
+                "value": "d111111abcdef8.cloudfront.net"
+              }
+            ],
+            "user-agent": [
+              {
+                "key": "User-Agent",
+                "value": "curl/7.51.0"
+              },
+            ],
+            "cookie": [
+              {
+                key: 'cookie',
+                value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.toto.idToken=${tokenData.access_token};`
+              }
+            ]
+          },
+          "origin": {
+            "custom": {
+              "customHeaders": {
+                "my-origin-custom-header": [
+                  {
+                    "key": "My-Origin-Custom-Header",
+                    "value": "Test"
+                  }
+                ]
+              },
+              "domainName": "example.com",
+              "keepaliveTimeout": 5,
+              "path": "/custom_path",
+              "port": 443,
+              "protocol": "https",
+              "readTimeout": 5,
+              "sslProtocols": [
+                "TLSv1",
+                "TLSv1.1"
+              ]
+            },
+            "s3": {
+              "authMethod": "origin-access-identity",
+              "customHeaders": {
+                "my-origin-custom-header": [
+                  {
+                    "key": "My-Origin-Custom-Header",
+                    "value": "Test"
+                  }
+                ]
+              },
+              "domainName": "my-bucket.s3.amazonaws.com",
+              "path": "/s3_path",
+              "region": "us-east-1"
+            }
+          }
+        }
+      }
+    }
+  ]
+});
diff --git a/doc/architecture.png b/doc/architecture.png
new file mode 100644
index 0000000000000000000000000000000000000000..d539346a4facfe431632e3d2a0b02671f4cdfe2a
GIT binary patch
literal 32245
zcmaI8b97`+)HWJT?1^pLHYUl$>DZarp4hf++t$RkZQD+6|GxXa>;ChtTfKUnUe(pL
zPSx3a*R!9!cZVs+Ng}}Fz=D8)AV~cZQvv}2QwIS7rGth9_7L(<CIc^!hBA_3Am9JJ
za=S_rfITpFzcd^{K;VA<_XY(?&%^?DLODsvibL)Hz(gWt?gIVU2?9a{A|)oQ@^|eb
z%hgk5aBaA!#7c^zYhDDV3r0yyNLU3~K{)(Uye?0z>+Eq&7zM3XZ_pk6aScvgSV)M6
zBv<8>9r+j7Y1hS7+H=fLj=<#2KR>}HVy0hfGx$xXGP$Su?lVlY-3Y{?iDUn_-QcRM
zLZJRni`SR>^*_y@ocMnlOmg7=HZt}9-;u=s-_ZZ-$Y1}rN&l}SUl7`@z``71pjz6v
z8Yjtd`y|=S3g&C0RG_|mdCjRM=9E^EyQiLTAB8O!Bss*;>*$^7*O6)x5Ozs5hjo8t
zv@)1t_O3M>anh=OiW?Zjc?Jv<GcoznzCGoe?@QD(e?*F|Yk#~Nm05+-2%*w_|NEsG
zZn=10Ph8G~CFKurwi4`&&f)Z;!tGOY>O8+7QAgruj$6IQ7{zqO>3n$efG3!VDP!cP
z#qG~QCJKzbR0wiOh`pq?Z$1}Tg?BEidCSu8dU^AR*LDj7{z{RNA()b|Ta6=l`z`!c
zzVF#3;U=d$xr&<m6noYy-e8e>^Vrq@akpgquRu)OrG#e7uh_~rEGk&5?WPd(9M64o
zMycA54THjeQom&U|ESl)kWVpvNY^getX#ZqT+iw9-7-qy$psVt%kF|wZ?qx@@u~XG
zsLtXY366{9GL_&FZ}t<rY@i*zI7g#>r0rE&bST=hgBSrWh6~Rxdpez>!1$%A2HKpW
z#-igt3GgO=1>lpbCmHN-uQLVOZ*>U)6x(t|aj8d-sWq6!#B{O1imXucrRBU3$8&O^
zc=}<!R5ECCHP8NZNG<5p?^q+i_j}#tp#6}YovJXN&?HsIe8iQOFj;b=eThTat<-%;
zSO95ajo~#C8v~F)!vn&si+`fmpx~9E;N_7(Km?Ye9pX^I9vI^s7`I9Z?i}6dVg_+T
zw##w{49G;=d<FR5%%kSzYr$YWfkO<vT;hj){0TRK2jA2@UX#tYITsLx-Ux<ESq}rW
zpkU60w#G_8toN4@u0f!MBG}l?NmUcWBOc?60MH!5S)|70ckOIYPhY7IFii6*Fq|g+
z%S%mjH>V8!ld=*#bQ5TII(@#@ng|v!G!&RNzyJU<$Fe92Om*|MQGfms*B^?Rwzaka
z2?J3@R$8k52GA<9W$b&TRZz}OkQ+8=n)el!xf{54moJJOH{2!fA6muhc8Ys6#fpEy
z=#3b1jjbecf+=VC+QB(Cua-UVM>Ynd`*Bxt+7hxtIO}<>S<}mnW-HmZY)sjESt1?Y
zUH+<5dAUFTyL8F92eX}Z_I`CHE|M#`_&gr)EW|4khoonyckDfM(bWFKd+0W0C~Ti6
ztQ+j7w3OCw$gYBa5$!-?f}~_Vzb=un#R0iRI8nVwZl$dbybP*?AGq(mTK=N)dA<^@
z$mMD9Fvyi~6{_Q@)p<glirUU!sXSI2=0BEFeZ-wTWf&}mnqkco+{Ae<Q0~`Ncg|2-
zK0-G&fbNak2%rjA+Fg|3F|0FF^|vCXqKw;r3B?$YY%INLsiO9&qp)W_k59HIa>R7u
z-zi*PT7^-v-mbMTfb8Tkzi=bHiAebtHg}1>cx@^xvb2-lqeE%D#ud8GzzZC-DB-)l
zA;8QLObTmI&n-nC9xPyhZ3htN`$=f~2bpA9v0ZB0d|KGYMPXpBjtJllgxA2WbQVHK
z$d;`F)sC>I-0x^2$Awv%oxQo}UIzj`I~ZpTtLsr;`yFE;O^uQKW}=q~J~KFBTuW~l
zy((m$rg@%vdNaE{dms{@%=nUmoic2plWgu@iOK~%nf{u(wA`f+jy(_;8A~J=gt-?X
z6t-M4ptcye*j$6ZV6voIC>U6WZN=7I)s0olN$U*WkstARsuyYF7d<^Y`b)YO$?ZLH
z)k`o-ugzLgS5xI)<kl}509xO5>QGA?gO#7V5R%Ca<SELvHgd!n80c|!c~RpMP~gZJ
zx%VdzSl;gBA(ylfGj!o4s)t{L{u5}J8q^HUbo6~1B%#*D^QU7%YubjxDCMXa750xk
zA}5YA$by}T;%7FdLG=eas;-AK*E2#Yj%|fbmmw=qoniS<`W+YInY<<egEV?8+{{Za
zau-2NwPzd>k1v?uYny*b${0tDW%q2Y1Rf~0l$YZ(vqHri@+#ba$i(NDLa6(Dw!7Nc
zbF>YvUdV0-|9iM}z?HLd2f@dE$n^?{Xw5Z{$4Sv>^0&&<UVM_Mw(uYwT@CYWGokUh
z$ckx7mq{}HM9m8nyG%#=kdF@$AdsjaIK=1X+?<?ayjy83#fm^c6W^`TgH`8kiT!d7
znW@X+?!b9dryB2>Re$snpn~l~=8}QvV@k`g0n9l45dX0WIeW{q`^X07Pn+HwKnjrP
z!5fVR3{H5`uScrWVyogO3lGZItKBvzZ8|vP4o2h<?~JL<8m<)#>iP4!O>$32Pc!!3
z8;e{!@wT<S3u4>v@}qxc15$@Rs#w+Q9VtTUp9~rx{^Cu?kSl(15SWEW7oS3d;v!WW
zip~*!On<VdZc0oCf@-fBGG*aDLgsp_|0Fp7<_U2`x*O`FTy_5QGrfG7yEg$sW=~t0
z8Coz13<a$3{5;Z|8CENoyEX{}?#L&$e<<iEK5LMIh6;BVW5SI$1K}R7)xZ-Xy}I_U
zgAWbRYZx$Yi&SK7%iF$4XS+RwdL%zi&bt`Il&eF?3!_8x#(SZmCbIve>Qo_8LEu90
z!Imta^P7@(^^h~0T={T8v7YEd&t{bHn|LQ&O-Ql!IYZ>@n?d+?Zdf9}dYZlq1v%)(
zmnxg^4u-k+k>6)CwlTiu+cN{G$|(BwzF;nvJ8APsu<A~<V7=EKM|DoejOxy~;Om<M
zQJYu&#Zbt&bFrA!@BTm5yN|QTrxP_A2Cz@dfnZ~#Zc+w|LAc}#5poOn>~;O^HHa?N
z<Zb?RNqKq)4MFLd%k49{Uu<DnL1muB`MpAsGIRX_4EMPcfAXTG{?$VY<@^X^t}!7B
z0S<PxvoN%<s>qC|v|Z$zInU{eFqB?l_lmP1?OhiU_Xsoh%)!HB6ZhnUaon2~%M2qt
zMRs7z6wKYzws9r8mDMGaHS@s}qjT)fLFx7U`LfUTYE}!qGk(qY6NLFIwYmzNOGLjX
zX1)!7X7O1o0%y<1=a20wj~q+J)+k<g0l#7k?Nt-5Sz-Ig95*Nq8T~92zBYcTJv?QW
z{I!sVmE7x6WTZBhjhoAR><KT<3O*%I@(^S&ag;wrtqRVqmq`u|O>X8W4cnt8n>9c1
z*qaf&i6U2udBS`!S>1lI+?O22wwItqAgD}wR<~W7+%7g?XFC8lO?q3Am@5LIhp#2j
z2a2bs2el`uLZR`4T)ysUTu-c3`cw6oMz8`+_`B|18E<gPkOJv*L9|-nbDy2y`^uyq
zc5W73=GCKgKSals$!8p1!poBxip3Rlrc9Bsx@(7Hd%Qvzh}!HC&r-_2Y3Z4<ob<3T
zkvP2&U>)GM+G&Hla3d6*x5qgGcj9sV`DNU41k#2kI9Xmi>_P8~jqjIqs9SYR7<)dV
zku%95mp~L2evT_SbJZ55mbH{9#2T?QM1(*wpL8=x%S2l6x8SXRzzjb0-YqNsJj8(<
ztSAQ4H)lp>uT1+szr1&pma%$t(mVWSuvm+k@r4Ev(7pu|w0?oe7}S;Bv_Jad-YnvK
znN*m&iwA8jTNk9Jp)X}!lSie4F(07e)t2i$YzcDM6@mgWhsx}9^I!>TlSmqOO2%qD
zHRkEO*46qww}grYxK*cwb=aW$ra<z2Y39(DQ#4NtYJ;@h%Kp6u%G$ja1dgxmtyQYF
zEWN+DO1JFosTeLjyJyO;2hNb=Z`bjMG-p3~{^lRn^l8s^wrO!ScYpHu8G%i|tkRM$
zh*dHOyjWIUru2Usx>gIHgJgi^bakD3e4~%l_O{czP%qV_cqoe1_p^t_%@ij6@Z}By
zJ4Bkl38|*UO|2P>kT3O&Sc5+VYQC)p+(4zNI^H<T+}~%epm+?ONE((}_njDI>1nwD
zLM-RiSR@Pwz5C!oY`Sb(_fx>8p9*QiWeHzFTXW=5=esxP_UNi_ArrjR%vs`utT&$P
z_#t9<pBN%=c^=!-r**jeVVAUwsyxkOyi_DDyB?jDi(2S2nIp4k2<BL9fl<CQBktm^
z-ip=t6bh+GDb`4W0pHVyYxnViro}JN$GlrGI-N!hL}Zal`(=VzwelFH&ud8AlFUN)
z2$j{<eaaSfF`V)0ElVznp}4luw_)HD7L*GCQ}{_i7yA{V<>4jeI1SO{T2#4-htvaT
zCo+9p?)ESGMWC<#vM(w3bvzg8w{|(22m;ccgno30_8JCF%D{n`Z4JupKXGg@%o~!y
z3+spW6>$cE*y+o_q+fk{1!7}`JrgpW!`Tg2)EUc2&Go-bgy;2mCX7X}g$tpf=X}{E
zzo>LmjpQC&pMtD(Y{0nBU_bQ6mzpoSa#6PRkt13%O>2J=e0Nwgt2JUr&tDFlIxNi=
z2?cz_^Q8|r9+&wkzdk$_HCDMA1RZmywjlv#&m+$g3~<P%dNnei`G+piw7*s0n}r;!
zZ(mtMsHrP;vwzE~y$r8EQc<IJdQA%_duC0Fi~7$x1<f)J)VpbbLbaqIFV2XhRQU6o
zI~{q)?%EeVANs-FZ+Nm&M`h%&=NPRRDgO4^g-%D>#U<-1ufWh4ybsRTEBl~tL#!lw
z574FBDn?OshQ){+T-tR90ek0{>8+8^Ep@o^T4Jf3M|dfhbN8lE6t*WTz9yn$3a|b5
zYfl8%UT^z$W7(AtH(s^g{hH+KxAvId#HPA)2X<Q*2PZLAv2D`$rPw^3lf_?@u5_ea
z`SA*vS{|BA9@l$Lcq?0pJo$+gjUSGk@N6{1yNvjbR)od6{z)ACldaSl7{?8+UW!Tk
z($uMOtAwdbAd;oQr10(tNXCaq+@2rmu&$pa0^wknjLtJ(bK%l^9Vv5Moi%9URcl?Y
zpBf`;diN&|048g9NF~PJu{g1k=W<aNI>C67Z~C_Iy-cIRakwCY?Vnxtw%Q>}?p{cw
zv~hD;J%-k9=%AQ_V!a=AreuRD+Qm=92lerzIr)xEmW067qa|b5Js*Q(uf1|exL}Jq
z+3|z$u%AhlNbt9nOwapb`#R~pAvROgkaF|Jd13R~<1(;`O9B8Y;^Kftnoe7AptsQ%
zWPsI*fQceJ%NAxP)o`-Z7<wsm-YU0%Wa&9~Zfg4$UbEaO1DqMDmnXF;rCqe<Kdob2
zj0~GY?TwPp=&;z3>y@`HG&0dD)l6~3wR;|av<plhGdbm4rTe77jgTdF)}v<B?#U7U
z4lM*c3xW9q;5n`I0RQ@?8%Ct<4Y2%k6_WD#wn=9zcqU$LA@ScJ4Vq{-UYy`-w&D*&
z{mr=B7scxpI&Uq}Jg_Y6E>6dtQczc(snIs03%(=%_}IbxO)HR9tU8$Xh!0Ix14Xtw
zRYqgTzW8?fjoQT2#@Dq&9WE_B1<J$To*IlYsi2VB;sz;L^_>`4%Avh<q{(2*n)pld
z)uz87@VtGhC1t#*A@tzl^ACD)oN}VLg&ZnFOTxp4N+L@ewR2Leaw0%tW9%GVABGGl
zc0?Y~K<z^4%Rt@@C8nXOo|DvWGX))YoiZMc);LK=2PmG-y`WBCOQm^u<=~Bwi@?AT
zo+PE<U-*yX2a2WX=pSjFDl~Vs&`{B1Y;Y72Fw0JWcvqMn)!sDxcB<Gbi>Xk#na4G6
zl}3PX;r7<Bf(<X9Y3<57&xs_bT^#ix<U0Uo=CM(Iw&7X+<V}yI%6jqwTm6#ED^zPj
z6dZDzt3>;JjB|~YYuP>F#gN(8HLJtinOZr0>~Jmmh+?(>kxbEL|9~&qYx`5t=^WdP
zGwkeCfQDQhiuD;3*$}B8xp=DK+z)STYx>xyb2MaJkE9Pp^!;t~WTuw3YM*D8rrIdT
z;UXC%UAzTSb9v<+D2}zSGdVzjjftC}TE}k8uR0lCe5%gYA$frt$VvN7H$pu@GJ|vA
z*dYaERCbMBZ-+w43TJY+sT`N}<<cYA9UW?U%a2?QTl20b4cM*?-?}cel}9F8=4&BK
zDHp^Qdkt&2VxdK6$~{2*h-v(YIW(Q%^tX%iX%>wyKeXSr&?Nry!>Mf%j0Oj}5qz^q
z)mb<eR(L6?wf=>T?luCoga7N7IbAJ0+es=FZbRww#npGM3mY!7Lms2hdN;ZD*bzsf
zelJS}bZ-QvmtR65q7RBxV@WdzehEtnR6Nt0JZ=SXAy5`oqn?Ef&NFplBao)gGIde|
z!DXn!04fevSU<+^So(pI_9G1AIK6lolU@`S*l0T<N2Ib<DKe7_GG-&pqH06Bbab62
zA`lM^*i0j-!gaejs!nQs1|*Ae-I9S{sB~fXwm2ao8QF+^`x7_N5dza}3EXO<o<#~Z
zX-Tval7C0mO!pJ&)&Mo*%4n&)^Z^WNLHbP<k)CwHQlw7?P45D&r>g3AvKY(!c%pwR
z<$x1CRWp`rKaTZQxro<N=(kdTc+vQE5%evc(Ja(bV6~0v>gl$dVplIrp4ea7YYX`K
zlQa6&xNVa4@C5iDXWi>59T7|)LmJ3($7eWbewrv&saL8xz&4CfYmX<3TB3;PLvz~f
zN?<`kg7q_TLTNbD0*w=8r#wLM*VsmgW^;w4GCNw)Mu?2^_-Ct%%Eg<ai1V4LLz@m8
z9jQ7sw^V6qx2pg#X`9Tizg2~_5w8ah*iP8`Q_Vo|lg`Zz2*-DBtX$WloBs7ZC5V)(
zg_g5#N=-B2PKn^_iyQ?91))ZNmF&yj;AqD!TQqAd1kI45`0A|WWHAs5s0hiA@6pdM
zK@?W&^0njb>ej7;jOToYaa3<wfjP17Ib9Bj3~=T^c^``o(0J!x9tavzV<xKfFF#RN
z!Byo4=^*%(%bqG^$<%H^+QC#28Jk3?@goglRfPX|^+BjI9bcy@UzIt(bNn*jK&*jf
zuN4!pSb;vF283^67Kqm6kk%gQ9WSbr6AW7Q6@9Tp5MH*3&vd<B{M<?LA_Z0&Gtc`q
zdX7{R?52L;!(zL1%;hT4gVnVbCLH<#CCCn;6<#QOtaXKA<|siv-tfL%{m?3smCwtt
zLGe|Nb}0z|gu%0isi-Rl-(+UXx=#RK)5cuXbfZu}7hV~DSHRK{B^V;mEx9g%<=K4`
zvMDJD02D9B8EFPN52p*QD~L81T|~)%D0h$6&EQw;UVr(y*Q>>TD~-6}Z5c-|n&X##
zL*>+aKl4FY_*t`g)>`R9Un&oVpP0JX7lY19E>qq=F>=igKHnNkaH2sIkZoF)muXd@
z+#Iu6phA4@E_5VhelBrSIO6a?jX6BChnt0uL%rS{GQkJr&xuIu6tPpV+7sVq4{xV5
zH%yIY11Z(xExc+}hlLN3d3QkK@zKncVGVS|x-l|F!TfnUQ}8Emv;b$|&-H=u{C`7(
z+@7zVEbU1aD0IXSK2wv$jVti;GskbxndA~lV^Ui>zrCB&Iyv(i3Nq2MkFd$7Y-|p>
zVOglxZmOgfI-(`&AYYxlX5VU<Vdp@h3AnHe3WXdh8wTAEgKTD0q6*>Xkt%e}_-y($
zth)faR29R5Zvulc-`c|&oYT49e~rGk3NFmhW*6>1fcCvyTTiN%jO>GHfLjJ$(}g{Y
zvgIQ?W>IzZE*G2Ba;0bg<#|{Z+s>2?Qx~Q0utm)Ndp)Y{`*KLV5;nd1r54TgtlvUS
z{mvN@<klKI)WWPxi5nxM?+IWMo}H`%-lcAncvJGSDE)?PO8tb`uLxc+mi#jIVWg7P
z*|yKO2y-R~YJjDiQlXB2kgQV^#PM&*+pLN&0j+<H_&Ge^EqNXYkCe^=a<bLjz&06%
z^xio{dA6m^gt)BFoDJ7bxC0?2-m+pj>ELETVzYe;r{dg!tC^zxu@5~D4b9<Naj~uq
zeRev{NblnKE)#V!C%E7k<9~6d!h@i->UNM|f@RZhD{VB0l$L$h@qol`wD?laworcz
z4(88}XOP}Vuz+JRtVewl9|GNRt86$#P7<itn=+P^BzD`(4Z`KViBvvFsaM$tASB5&
zDUFToWi(7gTM%Io!G@}6z9<=8h2m2ifLMN}y;MX`B7pe>SxIdia?J6rs-a#tKgoG-
z-C#(UXaU<%P$l_~mFOt@Pm)r-xx2Vqy&W@-7Xo<0Y1j!{F44vA<%$O_pWnc;acZMr
z`dw~b4%gLRirOOgpch*$en(OYJ2}V9p$2T8%bqJwpZ8HSl&-Pt_TnGbHJ)*{WO;`v
z@EBwPm@>r!wI8+HlFG05(UW=5CZ(?~O8B+|YW}W~8Eo~T{<_+@1v#0ms%^et#O=DO
z5U6p*C8TQ52W1O4Q!T<DFX73wDJi)q&Akh~F?!>h^7_n{P_Am-xT3k<c)HjTpnz0$
za6v842e=(Kk*Ob3XUb9PdA%1{K@%|w=1g~|?`9Qq52CCWX6j#VD~0Z2h%L6v)K>&d
zrG(hMmQpcb6Znmr@6fQfI{hg$ZyK||-RePA1k|pf(W$0B-=Z{Eje+m%S@uy;JG>iL
ziOuiSxE(PFRp=B+d3XTTW>xFLZE1y~dF)9i2P4OeJ)rZ$lR7|mMBkbYiN}3InK;kU
z?%Nbu&NRp|vuvGewQGS)KZQS-3U{GXr+QqE1Kl9i+mjfa(jXCI@q;BVvDe~E;5r%{
z`>?JSCy4UJc~ef@XsY-WgbmtODbF1!hJB1k)(5wKj6V&LhEE+-Uj-OiG9-or&1TTL
zrntX=QH_wWMadlRLD`ngasNRX;{bi0*y(iEoVbD^rqB1Z?sH6H=qQeW2%KR3xy+?b
zrWyn!pVWUR$2iP;ac>VD+~G2k5_>MN8w|qQ*u+{bL{OH#N_l*n<+a{<ZCdgz<$+>n
z-t)@mm`T@Q7j{y=l9FK%T5_qjwWr__m-#c|y=GbGdvZoc6pd2ZO~0_EKs-6d^koz1
z3dnL|{iZV<wByxG>Xl&HFHokV6^Mmqtq-OMwB-8U_;q)mrAMPp$ZdQ7B%BPp_RrPI
zL<!(3K~|K#cYdenWkys?%q>vWQwKABVDJb70J^V_)LXhQd>Kep#z$|AZYLGEFOJ&|
z@;WtEoQbE;RR@D{g!44j;6X*NhlqE&Uk#@mPLm7AP%KZWwD*7yN|+@#iAtO9O95}4
z+LZ(@<vlFO9}_PIOQT6q$j}Cv4|W|t@{HS{003gDi-R!u4F=^^tiGGppcB;}26%eS
zrLn<7hipL8JVTY055_9`QFf-ZYS4=CWXtSTy7mOmur7PD?ng2*$wZHgVvn&=t=uws
zOS&;DY(0e3K-1U}h{>W}pa6Zr0=sCSsoK!p{ZsADW`1nJhp$gV$?qWPLNDrm=gp{6
zn_OU%)^?XR+m<+h(uhmO@=~e@{;mAIld>Vb+~cDb2(9)xHoVEl+bwpFAN6jg871zH
zY=5pMcg78uY!8LHGMLOZ>+u1uwjPwWK6*|)J+7}GYy~4xO<{s}H_3<uNP3m!M1E(`
z*bc-R;7r+5g*$-N@hojCCy~MV{`2)Ua{dPHNPZ@TVa-1(M^S2eju%T^4#BRZiAGA)
zG|zcNg3Fe)5O-U{kC{vL3)pmVgKLR-%<^-<ZmV`apC*ff%FfZA<s=&S>ng*YqYjtM
z4|&fm|6|kUyzR-^Tq>;K>nz=Q^yX@gs-Mia9B5Ur;iA3T%@7+yv(_6WJZjvpxy70J
zpGEN5N{~r7P7a*m_t4mUqm8=g#>%Z<y!EC6=3C2#!?W++1I)*??nJ9Ssj7714aiQT
z;OO2p8@u>-7(Ix-U5Dr=iu4v2tI?2=i7e{kZOUjhNde_%cvLcJKMCXXH5)!`k|822
zgnKs(sw#N6gEW4pzcNC8mw<0qzs}tMdhFkGdnl)-^Y-Kf8X$>Sc8C&6@1@akL7ZOv
zopd=)=6Ah}ljS3ea2dERBul-148^pFT0|myAJhar_fH682eh`f*GN2e366zP%2jCM
z)Z2bKlMk*4luZKuqS0kLIDe5z{6K1th*yU(P%D>3$7U1I$$a<Ucj=H3J+cKlHOO?T
zLBn6mnbSGE|Guik#g-cGeD-ma1bZjWx~(L5R5L_EWG2w~gbjE;C5LBxoZxAF#`K>;
z%7EM5ZFh+8bHscTtq!8;Vqfba>Nh<OD~W<uZqWK;jJj9_8#@hnXU%l%;ap{h55?<O
zNq0v<@ZFxWTo{V1&vh+?{sdcCzL~50ij~4>HZKIOPr{A0!GQ?g*&ju=ev7+pm4Day
zv`;-|3Q(c(+2T6Mm1#e8SMm5vx5)e%J+ORddJ}$qKTx18?mZ97Oi%1ZD;gETt14c(
zZ>@}28bubLT*z;WUSkv|bc|p2Y0_E=<(A`+UnvQw-?7+!KjHPaN18ZYLxtIi6_n#}
zI`u^0wr>xv4J3JXnBdU5(hr!_<q#oB8tG#P;{q0IPgJvUK4=1Xbf<fIx(6+Fv=Y!{
zP%C+SDWY(17r(a-8){5amn!y=QBemZue-drS`x+&_ljqqvxP{|&?FE$g3m+r#%=ZR
zKoN7a3CsNb@zhpL6##M_UkttjlRqk7h_kl(^Fytzj%Q;uv+Z>6vPrz(@0c($#)=QQ
zJ=qUI_(Q~I3$xnZYmaAsxg$pXnO&AleK(*fFaFy^%5UzGckCE|0eZ0&d)>hDGscra
z?|*Xvf?qv<a5JDiE==QKV^2jg7Bd4)HP9L*uT~G6m(~cnA?Yj^!K;!4w87~Tl~4p1
z$Ak3&RYt83@Ovx#J74{xv{}F2B#Qhjd0N4$my3Zwba$<WFTP4WU?lsMOwo0M$>-Xh
zGU&Yf)?42mJ)y?|N0@&YdB&c~!VWK=sQ(&V`HvVEYxiG`F@5yItA-@o_dl`R?P8@=
zuzt-utUKGq`itN%#``Uv9Y>_@O|AaGhamoJk^(kUBqiU@b}D6H4%)EfGx;DWcwlG4
z!m$~>&cr7ZX#N`F_V(`a_w?->WjA!sUt;t1E62xf-{(D5wU%|H_5jrY-xnDyVz4i(
z!1k!(yK5YvrmH%8N0Jo*N<~LgZkB~&_gQP1c6-QHP3UdCY9*o4ZUw0ir_iN&uI3zc
zT|%&zf+Ux1|26HF*7+5qbE3Lfu)#q$YH;@1k;-DhdyZ-BHg)N$44+`yLYbEUZfbt$
zM~EOA>pk+2X1=xsJoaCbp%;yj=SQxH6O%UKcHVZ4FS#$)SaKlk=blnn{#sz8L9*8e
znpnEPB)ebAo-b}3D>!+$ZIrX?=^tbmi1t;d1$MONifC8(KW^_&Nin>8u}Ii=Bi)uc
zIhe@b@VTz!9*@mkzi`JGuHJPe_Lh%j*>*#F#9Z7YViV3*Cg<;Gds5FDAQ<+40r=h~
z&4Pbl4slkLq*1&03RMK)GPFlrf47ClT&MOsV{S?NlKWC9(ock$9qGChS{<!%w%6*9
zPZvi*2H)S}H%w+mn9jibC+)%eVaXe9&V7Z)g=0nji$`p7+pFd#B?w`SiA6DGA2U_8
zf8J0CPFv!pDJbqfaiLy6UO)L*|FG)yB&rlYM0X5<X@tnUdd`7Tz;E|;PafT6FIGD|
zk59Hbd+xLJIi0=H&=gXn=V2ITtk`h}#YA8AiBioc$S5q#H%{71AH4|64f#HZL*9BI
zV(-#XT%3(&_c>z9(#yxv3DrR+u#Zm&m-6J>Idv3?@T+JstxEbJg;UgyM+q#>>!ix|
z>TQGUoOr{9(+_-4yWthWzfrh$b3EtO7jA(>k)Td_hEobH(;c86-+b+*oZgGDX1{(3
zEKz)2m6?vWK7HJWm!!RqY&VuKgZggtS!vr~ia-x}xgt4octcSwAVri|&dW@h6+*U&
zsSk%ORdL49xjyl2KSt!+P3C@WxZjV^=pwC3PE?J83a7WJ99M;HndhF;_|%lPz7&|3
zG%#m)YyW6t*lM+<yz~fSd0VAWzof}xfGaRw*8i_Fjk<{P5p%}r*Ou1rcilX(0S)F2
z$XvJWwklXq;iFf#v}&5B)yMuC_7uYIbYj;=cj^H4yvE1Y<`q=;w55t4HU9Zob}=7G
zgs9$|<E2l?eIdUod?t@en~CI$?o_>`Uuu^X!24l3j(*&Izcqh6OPB2NtoHB)6jVq}
zh(JYAo(~Um7b)uj=w5-qspLJn;Rz6Ya1n5bQ8`lVY{O#P0#R$Y42EHwBWorEq2}72
zZOOa+JAj2yY<f&+y+UL4$pZ1uMHO-$L9VVDI0vD&7JF|3M&*5g*`{Yd(<-u%oq|Hq
zL3#bj5w*woXSyMdMpt;KuF}EL?z5)DCn<vY0!^;8;v&6j5b(&kTiB7c(lC#2{HGsP
zm(!9r7$j_B7Mh@);$6$9UdsRL@ihA}eT{#)_=5g{r0lWG{(O=Y1`#%%<s=CHjo&t>
zBC*!8<Zt-&t23<sPuFon`&j;SjfBh)4x-xm8(3%HarEcY@T*#qgCcixQDAW~$vL#I
z$28;8ZnP`+q$xe(#xq&C=3q*aHCenVHr`ru=RAac=+Z@*azdSQVP4umN?^PCD|FZP
z@c^hvx3AaNnKvi5ag!%;GbscxUi>~<%|_k-hufCVj20uiq@z@iTIc2i{Ut9GeL)ko
z&eLk9Ko+G5<?cL5EfooNE!Z7$T9Z88c;&|J2RtNVG=PLP;sw>8!%8O%Z)Ys=+ud%V
z&%nE?O(|Zuir>{_<z~^h<MnC&7)zo5T)<^z4(gwgZI-F0r*)nf`po0+Zt@uS7^q8c
zJhtYZ`M4qbL*#m?s2{o+(vvFF<UI(OAIj|ynPn{W!xZ{l<5)epRK)iclFLF+4K??j
zc)i-Yo00tdCsBXNDRKZ2@-yFa!u;^fR3A0nHgk^kDDHpw@HNB7WMm<N$_2wi(PlDl
zDFwR0(IJiB7DcY)JQMS8#$@>XX(InOe57TGh)r=qpEjl+F%Jwr{s*@pIDr4NUUZ-1
zP|Wzaed7!Tm3YP))@MS>bUWFT;58SaUEE*=903M)IgOtlTb8kAdKX-L;$<2XZLy^Y
zrQdkwC|@50)=}rcgs1L@MTs>hj8C7Sj7Hxj$wm5IW<Xj)4%8vr_&|GB<?1vFvlDD`
zsR=|QuGna`@nMe^_-OhkABt#+e$_If*1Zfhf9=xw)Zy<<x!Y>v6)kP)lcbn<c1y5u
z3VzwMk%_sIR=M=@Izb~&os6e^@4rBT!g=X{EJ~09a;dMX2ieT|W|5FEkvxF|yv(Bf
z$g3l365{*>k=*xFD&+4;SXe#luLZ0@9-WgPo5i)(vJ5)ap}G6y2A)qJ0#?!Ut^@9}
z<1ngYTYK}-w%w6EAxLPf-YXQ@Z<YAHyF9|g=^8$uHYvHzEyy@6_B$@vcq_UiPlAqh
z1V3BOov5f?=AZTyK$@#Y#apP83Ik)&Dw=<FGb(`hLDSrOjOl&;$mc?m<F%tYpz{m}
zB~B1h48wW@3!!ipspFP=^LS~RPPlUyM2pxQN9mV1nwD4oR!nFN(!Pami`W7Ye36iX
zc?j5eT?nOtngdeQf8Znlj}88M*nLC-bMUjVaXFC2<A>?_1^A**U0%rzTmI<i*bGH_
z`Eq910H6Y=L(npbl^8^T%poRaHg}f3smh1YQ@a=-Eqtgh=7V8QZ$5B-N)F!6cR<yt
zqo+H=?^R1p@*|!}#-*I@Rry#`Ug{s7%HcG@-z+!|=d_htkmE>3+ju7l_rR<4$*wF;
zyLX#Rc`iBG)Kpq6iY#T01|oSwT7J5$Xgw8?-A>=Bc}`qE1!k+`It{q}Em<Z}=yXLd
zlESU!I1_uxwf{5iQ75uzK3Y3<@i2!83~b$b+Mq6OH2hId*=3P7$1_H){KWQ{QK^!+
z2YPz`KbX$fV_qEI<k8Twee8eZ`GIaYpCi;iFUR|rS;5#&b~@R3m&1VQyi2mY7l@W*
z`r_IMn<Zj5@!Z>m4I_=^*d@2V8m|e{aRiy*`~TgEQl;c)<PtHxFuhFk95<PZw)Ymy
zLxArcRFhQuyEUd-8Hl&}A^%VTBi@8Ew?46>P`gX1&0R*7&WW;sUVq#r{jy^U5{ktW
zB+B?K5DY>6XWD1-{{KACw<~9=_Qei&4Y1J{H@?R&?w{f<sB_2Oci!LX-S<4qZ4a06
zqG^YLGy)`feb4Q%CF9~Ek!7UMCD+2r4`+`pI4WLE618iM7E^_$1W8#!dy&(7zzC9d
z^5Bn@;Q8wzb??9LLP3R-=u_xmTK{GhpyXKfO=TZ`p=TCBK7S9Z;1vx*5=L$g78`3&
z(L7+GO<w+-&{+TcHXlq-tKl`y(qRzJ*=6>9&9rF|O0r>Tf(|-+(}(FN`Z%-CzQz`e
zlANs+cmN&Iz2PxX6Ns#m;%tn4!xCRbADjNNrZG_C6VvYiJ&BvNJI1?f|LE&E-ut~C
zK+fYAYDp2>aDuO*l}iXr?W3Sf88))jbgP|x+l~6YsXBbDnO?qIoAy-%HRoDDCEY~P
zwPyvx=6)eMR=w9n6W7sdp^xF3F1on$tRXpp9V}k-?mMEKZQ1&xch`N;6(G7E$B2V<
zYH#QBzP-NM#E{}kgy4}o^hS>D`IecM$xgQ>5;4_VLU-IZ-p9|}?VaO1;I#VRtnv__
zD9!)ue!3K;eb?Bni)2c=yt{arqkvYur9avy?TkrrGZgqqFI|jg^GND)!t@_Lw0jO>
zhz-RU`^kWdKzILb^bukIwb1y+TRmQJfR?^Wu~&d<hby5IxuCGi1#};Yn7!niIO~_l
zK6q-ZXDh>w?<d-N>?d<+q2UnXlzi~&fhL*zxh0`FL+o;54+w6__}c<Y-#CIl3Q#JJ
z3JnC)8alXayp;nC5cbkjWw^-2ZGiTKc&GL4gPAgFc3+lO)$?5F$(EOy(?F`OH!3Dg
zN`X~LdZm_Zo;HWMP3*)c9*`B$55?!6`8amuoCd3JxdyJ~X?p*bHtlC4xa+Q{`FrXv
z2D<A&4lgSt|Hq&{nu!}djGNCC(OWR*jEGSf-Wwk`?N^9JO5NNPUB{j54VySAvll1k
zfNO!&A4hElO4Uux62b;y_0Hq_-igme(<9SyR0BIZWG{EUfjRUFP^|lZ2}&ol!Z}-*
zD0p;9@jX(i#<f4nC(@G#E~hyt>${_LMU7r8h2O%Asln9Bc3*8&>SgM9!0!~#lN=JM
z2wZcF!m_vq9iKWWa3o7tt9;z2wcipCPU#Z#Oqq8BCJuY!2YRTav?B~3x575;Fn)4d
z)l1gaANTkfa*yVgS^SyG{B=U^3Wm)5z&$6>b8Y7CFP*m*AocCWSJ%=VgMlNXu#AFc
z^9AVs*ASwYmWMO<Y$xo=i6h1~WZjCKkNA^ru(1(;u$#1__N=*mtmcEz?4hSdK2KLW
zGSP)m0hks1-7O%_5!jO!o-$m%D#_Od^L-s=(wa$0Ap<}gq2Z<E+VI~6x)LR@{)Jh^
z;$t|uv-Qe$LEAydKm|N>oA}g{|7}PE4}5rRphUb?iR?YaqmOB<9CHBX-8u#6t`AVO
zO(zri?^_KtnOu2e_46juTyfiZ_s4OxnaUErWt~{rt#n&Z=(fLT;ruHl9)}Fy5Cv42
zz9%S*r~*68B#;6cyU>^SNQ?=hGPAc4C$Dx?;U=1XzALfriLKJ-4|loiOlH~``FXiy
zNF}@F^S9QYS8o<|Cv@M=kb0A;qjyP`T$#ziB>eR>>S~4s1*gl$h7ySQbhw3(Xpy_d
zEp;n^Ee}Ipd9MwW&HNi5dA9wClqVJFhqBUGuK_Z3AZrm!+{v)5R+*MFRa$~NLr;U$
zGap@sWNmzYW~Cy#+vgp(@l|>15u0)PXL(4QuKCWrJ=33gy5)iEpyzqOh0bO1ynU?h
zazYc8Z#fwa*=_PKNM?wuV(lTPiab0mW3_7%DtD*nT=L_&C0^7|Cx-}Mxwn{U)Q!!J
zLp=M(`9h!P#AR+s^ooGUwCSH-{j?`>QDLp_7o+EgE^!SPq(G3)(^8rK-q+oDr+^Se
zk{+vblmNiob>QYF#&IdKkyLK9=&%ZHV4gXdB&|6-id&X0OW|TA%}n{jX>TcTp7Lj|
z%@(37WT4(%m&fCKs>)9H2!-`3k^Y|(S4|mW8P&~H!MdB7g%%x0lH~U~fk7tMlB|~*
z9ERl}woitQfm2ssqg|C=ywu*3r&C1c%7Q%#A82ovL;++fZ{b`wZit2BU!7$CG^3f>
z?jEUXjLtA7c-EKoQ^=|bQ8cUcfP#IZzPC-8H>7Ezz+LC82F&l2Slt#w%az^4<5JMP
zc%enu(Yw#|fkyu9>8OJAgr@K5c9~juOxgVOj7PccDAnPBf-&tt)Z>+ZN9%%<zzn6X
z|2WUVzJA*#awf3~yD7iR!>I!xf0uK;JKl5YV|+U#s%6J3TV+qzMl)j1{MsB<ctKlf
zC#%pp)w5*<C#2|?ft0-!ZF1X1PxfKnclXH@eiw#gQaosHOqtN~RB}f)vZa0P;8qPa
zlFFV|-%65nfYlhwQLu4`X8)+p1b=;At+^t2OX9Lo4d80t%6-{lKy701gkt^4uf`cB
zoy%}d%m&XH*J~2l^Lg3<jDoahLMTfN$NiT8Rf9qC<L~Vh!tak_xbkAAuZSr=heaBv
zh_vLRf6;u?Z7}%$QnGZFZ8l~9rkYki3YKAco}!8J3fkaYkK6ISbkl-t6oCoi5rD@D
z^<l5MQODN^R~sQ}nHFVQ3e2#C9<kkyN2b<uyN4MrpbCCA0I8Xrtq2S>S-a)kVu1PT
zH<PrqLg&P=YJ7V}-=z$U)n-U&#h2_G(oY4pYgP;@caU%byG(ZSXD)2z&XX|I#X4QU
zV0wa9W&|)DXPJ&I+9KKj8m-8tJAz`Co<HXqe{~=8Jc$bzJj!OXJA!lTGu4<@ZQr4-
z=z-AMPN%^18P4sY*TZbRJ;*9HJ$>Nyult!Fi9kkugw}8~5!XgvU`+?p?vb-uyNGvn
z#Kwe@2uWq*Im%Q#q4ErSlSD<01{%j__UID(DuuZi@;aAq-ZPs70A1j(J8mx1ZpBof
zSSsRdj_j&9a8?y@L>1@W;2pTgc(9nqQK|`w<L7CwyRJUFpX^rt$ChvMKZO@N^>i1k
z3n#H8_f1t(RV)2sV!3_Fw|~WOT9a^lS5*ikq*m~RnRl2IEC&apMA>6AIMuK~E(qXA
zuswMSq&D?TjsK2{M4cCSO}Dh|j1V7Jm3DB((`MitSN$4o;@lcsc>bcq9k_;-&~MLs
zccBW`UzMkx_@smJeVYVxd#aei3icZ;ul=mS1JQJbD{36kDe`!62$axpJIF$GI>ijj
zhlLkqdT9=Jx+auerp*sE|6}@*l2x`nffsn}ojg#VqojbQIOs99JDF3EDWAdlgKJIK
zk9{iBuITdxFMM%V89RJY*sMnDcf>%st^Kj_YiC-M*)~u3bJY)`yYxD&qM|Q2yfb6o
zUkmv=N%%nDgwfhHEvS@RuBAc3Mf!c;40UtkzR?5e`a!-eQ(W%q9)n@Oi1SNp*A`_r
z4=ebBzq~v)EouMtYw0~_rrj6}oS{eM3{vnswOnW(y|||?1tdgbd-u_NW}=t2=Rv>k
z`*TnaZvJFTFx^)uOI1f?wTHjwh(K8A+S15;lRa`tr~l;{;G+<GzBl|$F?WvR2xC4M
zX_I}Q;+Zq?!1-j@Q~}_09lvrL`VAA@5PGs({3z8bJ*xepr=k~62^Ua$KIG9|>?H`w
zwte3~y#x~N`Av5l^W~qf1>N(ZTc6_XDX}J&Z&DdZx#$rtr<6vh>iI_*$jjs-;?xFG
zA<ZgW(B-dah~?6k%0(1y!z=}2>OOlCF#jQ9luPWDh#5|p?jCU!oc^&BW~!G6Q6X1~
z{ZqB0k21kkDfQZ9=0qY;O#Sa+3c+u$6WeKSe#oI(TT6y=O;#EEL2;Wm#0sQ;SF&w?
zN>cRe$_ptm>+IbiF||=oxm~A9q<-hLLuKd`O_}iVGwya-t)x5kZZ%d&MSG{KBqy#y
ztt!z6K6gO*b|N_1nUH&=p}mQrP_1;v#xG>8>}jI%Tk)mcS7aM0;GH{?m*?at_GOG3
zFTUMYFI;9%8~E)OqgO=tp1RDDt&yn%#aR&`czIGSym-7!-nRifi{@BCL!-jt56;m3
z+V3R{45ezF-QUA;#V0f14#qr;A?Is`3>M#PYIVH+sZWCj%%gpMx=2b#OjezHg)9zh
zSg5=UQ1S*Mvzh-CvuouRs!mNZ<Y~tBf7i89^V9ZXaf90KY67N{m3?^?oxIo=Uw#^J
z$%GMb%sN^RZE%i*MZ0G-C?Gpqw`KFQe3~oJ19a&XD-okTwUUiy2!5XwwY(Z1iW3=a
zE}ebM4e#qq<d=jFDNddrQ1k%<N3!F|(5}TcqH1(s)E$t!YW_`@@~<*yORr$m7bU%e
zn;m}z2!G2ZAt(*!YN)7A{5IGaSwur`9jnwbaaCjw5?EfWh(qbU#DK?I9J%-EU6ul>
zTK{^4$NZ->tEh;gUxYoWT7#hpFqkBv$*m=Y;Y;35EqwV78Y}QFSZvhJC^mFS;xN+#
zO109Q7@w%K=pr?$!~4_ph#16BLLj7rtH;7POJ67Mpd8VG7NYj_ACEk@vh62Cg-t)Q
zGv%$LqB$`VB9@F*srjm4Z1-}bzG4e^vR(>wj1G(9Lc=niwt~V)&#>HH&0~hb;u(^@
zOGlK?rU!3-2t1Do5xwh|+Cep=Afi=Y2~k){5Lie;_={=J;l{HFZ~FtSJSh9emkG4~
zDN@Kx6^*w?P`F4<Z*k6IT!46I$Agjx>9}J+m5x)OYtEYCSma*Mz`RJbT@zyeA(_b^
zAg|n*qc_lE%qD!W<KxkdpZx_d&3<1G3Z(xK<$Z#KzhAKUxx!-!IAeRfT^1!g!!(T_
z0awG}eY|kGyI-_~qzsJ&KEF368wZtN?QT`>BJRtxu4|+}MX}IQFzf*(d3+py{Y|0r
z#xM6W1O;w$rg(5k+j1sTAI7xkwBI`P#y$5|Q%+_-MQ|1(5)icEmcV_c;Lv|;xnJ0(
zHzMrjE%Trf7?G0ojp0u>9yQlhr9K;@(jFJqnmRHxgCNK%dzJ^}`|e^SqII+#MN?$=
z471U>I!*B?^#P0b;#%34Bd5t>6!9^HuJ`oKdzk~B@WF(JYzc|9ZO{lQoPrw?Px4HB
zXY#$ysn!}07efkXN<^Q+ZA&@N0FAlOhBZFfnMw1r7s3KhqK^YEWtE#`<)*#m`ML@U
ze=WD*R_I)=&fY;lj2JvZnN#=&+6UMtHg8C2T^S5K?o6yOcrhmTO#6NP=XJu@FGZH=
zAI!XA0(cONex=~fM28(F1EJ@mt*(@}efKujhsNQ7H$!e~VWY$tzbBavYUP?Dt2d=p
zdUb3gYYbGi_Rt{se(P87k=Qbl&>|Y-7S8lPt$k_+yE+$p9Ns0<23HvdDA(hCI(AaS
z3U@aNxqf8m{)bD8nGN9xxV~Q}$kNN+vs@xHJd`Emn9QG(n;*=a=ovbq^GP@)YVozN
zuDKPzi#G-k7`I<tU)D{LZ7BOLyA&iIdY1Pmy#KyIpjrBEQ(%@)_U>Z;EcJQMP%qen
zx#A1`kcIPX5K2r|IT1~24nxagU5l_z1}UD(nurACuzt0toGhNPfG}9iWx-`QJ!iHE
z*t2IK*$^>XBWWSokdVJ4htwky1quNsb|%`(bM&Kl+Us{XHn93~rJTTKd+XT3Ekp`J
zhn#F2P+;olX$RVAdbTDT#cl6~Hbz(Inj0ik$$HDhM~eQf)#)x4IuBbYYjjXWZJQR&
zJl<iw!B<^t@HFx|x$Ee}=&CK>XXa#RgqKqn;?wj|X|*{8o&<`o)<R|TC_Sx-ORB#q
zv-r^S`ETYKH7!;yO5+SzxaKNXA@(t{@2g@DzOs4UVb=Vl%eWr@w^hmyLQdT=^1j|u
zII~6MI6J)X-jkwO>4LL$Ph1r8yfd!Z%Cvz_ho&@e_O+n|U{h*9Vm|6W4}%Xs3XZTf
zQYbk$!%!wb>u^knIN3PJPlzQ700s_J0LIsG1?E;0;o^|u`?Wuakpp>2x~iw+t?yr*
z`=>u1mN|j7FRGhIK03}E5)Oj4C7>nfx>B`Md&_FOh#Vn9+Z8M;wIm3#YA4*K1ec8A
zg+?_au&Sl8(DObtR1Xj9M{o{VR&V?PlNGG$+>}3BWPo7?ju46f-|PTzotq%Fl=B}R
z$e=Kr<(?f2w!;OQ_}-YFgQ!AhuG5OwN7QD*yATl0RqhF`IxLAEQ4v|+o-EFbB60>C
z*NmQ7oIYNDwf~^oDYSpb9Hq>(*>kS3o!E&qx&jno9K}Fp%IdD`>jk|SGZL2WUFRT|
zu5<?92H4e|Y1>V1Uwjt_$drk^YAw(=+nxR_)%3h}ZNTv~CPiuC7HH9@8?niPg3_9n
z)Own*0I8z9IMwt<m|}x_A`-((v4J&|U?Q$QX<ZZQ@bXx<*3^mqLA;GD`MqX72Nr2y
z4rT+Nd|STDx@`VZI_vXv&ZyNU+@fL4lC^Zq1?h8*Ub)UxS?uk($I3phe$95dML-7F
z)dw95rVokuMdigHEQbt;_!LR9t=>SrHJp9Bw0(OP#A<*!poadj9~bp1l#GHc8i*Mc
z<>S7Ugo)YTk>y$vyv#f7+p>T`W*H?3k`PCwS~FF;^dCC&C_+MM;!jo>891csruPmj
zlcXUt-PW{Am77As!itX&y3l9CgTU}(1&YXsai1nLL1r35nT5V<DbT#F)Col3pEn4l
z=3%1!-lhexr%1EOmem?eTq#(3a*&?_tjBgv-`niketn(jK}T9_{!#>>$p}q$2~PI)
zntwyIRN&x?(%+*i7s4;K?krl-()a>e3>T}Q4Qlz_Sl1IcJ-nT<OHzKyF3QpT=zWTX
zH9Bg`{{WT(iv$Gl=QK1pPFZMNu2i$*uQydQ&uJ(qoV;2!sTVrjXqloo+k|Y+!fYy@
zCpskl3Tt1qL2asR03@9Slb|(`|0}0}={!(NS`t!jl%}Pg8tT@>gjQ`RzRjK<SFI*y
zrOgPvVWNH={_hhIS-W?)Sk5bPgzF_msvJ9j@Xd=*WeCIOS@qrHd+U+l@#PXW9MgmC
z<a>)^d)?bHm~BJ0taDxCY5~xjuT~}{bG*)9*MZg8zo-+XCH6A?NsM>^O+d4q_wwi0
z2TjZRsz|MF24D0c?Q(2JN({2UeD{Z3_djJKCL-Tuil_tx;-m@gsy|bb{)}46a*<P^
z8>14H$_~I9>Y{TVTFj4s{75l}&w^j^w%2H_xn7ptZ!h##sufo7JxDf6<0HM76CA~O
zCxyt_X%vZ3>M07O9nhC9xH;X=IMij5>YX1*(S^n%n~tg7!gb7w4_C8E5(wuqrxn!b
zq>`N6?W0GDT-QUGQWq6#Hm2ykJmK#4%o}_Tp`HP#O~D*Gq}UW0dD52@yMz!;r!ah)
z$7e-Uu)tgjF$sx<QK`^X8&rV!^O3Xi)l{@gMV<iVfs>wyh{#^&zyC6$ZU@;`fjJ0G
zAOH?OVA1_R8#psR@a+13{}&+UbbA^?@u>&+#s3t|FAhf%nh+yTyx1pO!Nb7(mpKV+
z<q-v{wBm||=rSVt$v}nuuW!me@}q~Da^N<xTm6_(wMKVxqs`I2W7Fw$F31lY%CKP-
zgo>WtcqkIvYOOJ>wUz6t^Ii^kUvipLN0S+^2MO}fh=>%7j7Z{&&`3z81EDC5RvMr1
z<T+kX*u1V+e`a!pA1>UUto>s#=wM)A!W^+En^dJ}m)s&G3B3}B2|OZkZCd?0uG%A#
zXw?i`*7<uvLPGXkI<Pry@Fp`jDcRT(7Zw&0k{3JO9N(U=rvqVrrgGVnAPIgj(Q7pq
z0xDGLbURzuobfrVuy|cAcAmF=o?q9lHaqTjLkP2Ho0p~!CJ8+*nEe9+Mn^|?d!Yym
z?e~XTH*Nl(#@;e4sxNFG1yMjr>FyBe?odP#5R~qauAy5Pq&q~qq(r)5=nervLOP_o
zn<35`fA4#pbN<))a6T}gGkfo~*Lt4&xz}3vy(i<-@mqb5HA18>ad94dHIu*jB0(#5
za*JUiY=SH-p~I5*X%)u3{TXgi##^I#Y}(c6YHC~4Rm>Xt9;T7QUl7MuR#nxnM2P}p
zywFwz&LD~9(b19E<zN3}ne;%R^XBjQ`6t&qWjQ-{8f7j0+l>b;1C0kzg&d~G4<At*
z2fjD#iLQeAT-Nw_tQ(t>{`JG)FdYB!A^sdKbf(w3thpyc+{<F3m=p>4<ak)siw|$^
z{%9C*n}m?+Z>3n5(n?5VbcYi=jlC00f1fZ9VHOb~LkjNv+__{3M&WdKIxbrBE@^<H
zu~^#$>&X*38k)8o`snzIl~(HL@^Y?@jv;#v69?4TxHx*GqfQ*jkkL_P+5p^>jbUQn
zsY=su+?VM2V=NNaoAgI_@PqI#U%td8#3d#&zm6cG)%UqF&D=R`L%~6pVqju=66%Dn
zn6FZ8G4e8kT2g;^woYkxszQ3s>!A4oZlmj7VZx1Ske}a!5ip3{b_-(QGBPqU9~YWD
z9^hVGUC{{(YcVi0htJLFj<k5g$*lb$^9`YvW8dEz{h+0Q>z^DS2N;p?J5n2%p4~=E
z;J4FeEsqYMg+0A@n|$1xZ=fi-<>ItH_;kL}jW|)yHJOCZB8G&^(AWLus8{J~u(#h)
zQ88+Bq9j%0_C+>u<xY3SDM@&AEGjWoovi=D&&tZmIJz>?tb?QrWytYa{FaI!7gR*2
z?E<kDP`X2Pd(uZAjV=Y^Y|7~_fnDd-#!z~9Uo5>0;&-Ir!sgXpf)3=U51zzr{E+7Q
zbc;R!_v6k)Nw(9*(8tTerEI-M*N@lEDjCd58EkZPbgzQ3DZAn|^jX#ilbv4ATt{e^
zgM`{#Y?XxG9HC9>xltnVnhkza$ydC&IT^0Doh8zn)PmX5B2p^lyIQ}aclQ@Yd5gss
zal7U-qOz9j!nB1ne{j>d^sgffm%Bm<&CXK=Z0R^Tqd|&lX!$&sHZ(MRB;WJX?9&?u
zo7<a65$;scV252V5Eg|M@XNxT{gxFXeeWX=DxbeprBq@`sgTA*QUe9)q}Oa|9FvbH
z=R9{xG)vS0Jm@VQc%APqeUaxdx;kEq?>{b3e;9RugI5zx?Q{9L-5>2F^Zq7S$F4d4
zL(c1we5K4M6W<006<$YE{VLUKOcJmqBMQ$Ob)<&gILOJ#X;yrEgo27`IGXzwNesSQ
z#b(e#VXdVN(=hOkKWKrMcDOHqqn@bO<lGtd8qe0+=H}+&5)-3Ifj@ut_0iDLb?^;7
ze*(WaFb4t0rVERiwQIf2O&Fi)AiZcO<1s;(yt~ZVfDfgM*2DK3S#S0ZmpUy{dTMQF
zVTT<Uq}(4L?#<Sj19T(oms3(QZ}UZV-kplYrWA?E%!JN(4X2AHE_DVw&Dz!-ozL27
zT-qM5{tO5V<n}zZxIW*L2P66XtJd@Zo(qbWmKK|4xi3g^c);R!rA!~WH-kBqt}Bs(
zqxDYa(PD~eLQliHm$hc0rz3AZ5Ck&HC%BjD)!L9gefsotYb+Rz`ct_dw6oxMjkQJ)
z7I_cMVdcGAJZN<E0B0*jc=t;XZAv=%Ig^O2(si9SeFi3q`psgdO36HdHP(~Ib56q}
ztx)LtP&$y6V<IpBlR_vaOFDQIoUyX9Qt|2zQolxohmUVLSxOm}eYoIt;8C&@l_(k9
z`NB{Nsi8C{p<WyFc~Nh-_+4u=96P#DZcgY<d~EdXgNM1YQiZ;c2sB+Z9*uX);O2$w
zggsJaE2iB2mc5x>+VC7k$M&Q&L{0@fismes5|@o{%Maa>A(=sC|LT_8NR}qB{IT)^
z&al|<U^DMUM!i#VlhaWB#tp4Dw(nznCS3G~NnAz`5cL8yTkK?z7l{utm*jD>&h38q
z*Ku*B!DR<_b3Cv$mOt!s51neh8{{2cJs#l92Op`nTg(7p-8AlDuyE0$dW)7{lkhf<
z31Bz&kObUD#C2D5TNreZ8F<i5v2Ohr(S4YIqJdBS=$^#g<%-zpZ)t^ek@!a#M2Azx
z(K3_5QB`gOTBmor(^W_AVk7o7aJ##O6am}*sS4u)gI1qY7o=$MbCS9_M+~<)2Q+SO
z?wgC&`^bIcgIg-KcL5XHjiv)c7*ib`FH_^=P0Q-n$p8S(Sj4YHQHt)C8+F<o{fQEw
zr>DQxZiCFhMzpQ>zP<35<FA-==%uXHse=&i!;7niDnU58PL}Esm4mc0Dmc^7bqKTt
z|E`}cwrRe(a}^ZU_-?{~y6<E?-{6u*bpWZ|UubSj7xQp**7NjixCM2&xMm{gB`wAj
zsH@u6wx@H?rx_|6<-9k4XSp8!ZAbjnzKNz9IlEZ!Dtq_tU8F<{D1Xn{$C@t|tj9)2
zvv;C|*GWW;dm=Vh031()lvHDWh4s9sAUAiXtX0Aj3Xtx+>12rYELjjTCv-ivb2bC=
zU&p#+zT8N<U{C#2Ph<MZ?dP|w^ZmvHjyj4SlGMaR;`t%JM;N=r2A_<`LCLmNZ#eE}
z9S~1M!z3}ZYuNg}dEMV%b#V<!0mf9c#PyGH4}HX_&M&<C+!zgXXD0)n?z}JN%|WMX
z=biX~5|WqTvNuyR?q(Lp^e%fbIgVMW7K}EB8{8iitJ2ca5^?p~t*xz*HN;zh1PG8|
z&J-83A%@4v$tg!K^n79CV9Bkl-D>>D)3<Nm4yFmmf#Sn$|5qwS&@Kw-J#Q}-&1b4D
zbv?K8;PL95^{ZbtT{)Xim5JCi-|zc$E^&d#Wng3s%*|yO5?aB`fZkmx4?9o<0|J%M
z_^W?nV9D}=v(W5UicDfUcyC0zD9k7FS28bJ-RwJ1D3E34<g&pPP4~?Qlei-&guet+
zd4~A;`E4G*fA*@?=QcaKH=5eOGWliJ`|4!Mzc|oKlvF`G4z-@e+sU~P`xU)Z;Xcq`
zN!<Q~tm<E{2fZ#9#+I7ir3&1vaYB)4#KkFn4Y@S8-1JO041_3_N8V7gS5eH?*)ao}
z6A<uF-}_9>^L+O$2roc%Fgk;<!UbkQ*-5aSt&R8KxW7Gs=KuI%(Rwer+bqG&9sB)V
zD&BKQL-DScL1C#;XAqoEl$n_sa5k1_&%T)tXXH(oo0zE9d$lj*NOpI3FI~WMqU&s?
z@tPL_5c2Ty%8Nq*SdTchIZ*7^Z%|QrpMC)30tSE+X%k#uSXkIyEW?60<o;$u5)_0_
zna5w<2u<FJGLUrwpdW7XIO*%_3%Ls><1$17_1hSX{+#<tWD^J^z#>jIbE01tb-sxt
zBeb2IZ=82^gZdtq@?C-?eP?6C2J%+^G+ODW+0WZ~GqrOTGy{OE$WtI<>tC4LO;1n5
zBj8_RV%`_B<cWcnfD<NatLx(%{q*_3m`dVyPg`h}EO&kj7;^AxK+BsV1L$o$Di#@+
z+rDmt^HxU~A#0MLoqpiP&xL4t)Yan_x96hwVNWo)dcJB!?e6YwUcmq>u#ilg-`Jig
z(aC{Qkn>r*U$6hPThW_fl~GzO7GE+vG*o&D`qm7z43kpiD=0w5C2QTp1`MF{K`MSw
zRqX;bpqJdP=|wb^_+{%oT(T#Uyccld_v^J`VPT+qkiLEU<_nUj7Bb)OGO5?ArlCjZ
ztq(p;0(f<^=h?^Y@d7~HzQo7N(BOUpp>n!28I7pkr(;UIfT4lfAdX=AH$IYqfq^Eb
zrXSwFZyQYJwH(QQB<^*-T0N#{{I~5h;wXUM<u=niJyDbcpcOfi3O+YSZzL}Nq9913
zKJ@m?-=`QS)S=w-V*gi~u#;Ti7Yxp(7_BNZnO527@<olJb$hjrYjPhye(c8*QIfpn
zLvRD<n<yNKOB%8!*CLx#wfTICPatvAK<?y8OwKE-sAyGNd`Ql+IWSO_yg5Wk7jY>(
zozw)?_}pU;)QUpJXX>io3-2lt{WpThA%6k8We^unrxN!B`&rr$=7rl2BNvLM8;j?*
zI+g%JlGiL2nuGyodVpYEBL}a1Ia@C2W>`EfoSyTT4JO@Q-@l)}E*w|xyZgiT=m9dw
zmY=IX<C4KdBtP9%`&5*Ti7ALu)HNnK`RC?Hj#i^9dwqR9NTJ%ny%MdeAVeXv8h^Im
zdhdhiCeeeYPB3`wU7`3n!w3{~Tl5y>Y&v`Z5bNXV=E$expUfjpmH=N*4;C{=a^A#c
zW>Qm1Tkp@+S3~Agq-ff}0lk1QwEg&y14t+8qW1+QB2DYhXRJwi%`jOtO4-itKi*s(
zf%vTggQM@YSF^b1OO0pS;p+{~F0c0hbBb8sowmUSjAE_bVv7JP>i~x??6-g=*nbF`
z14Kfn)yEsYo@zH^*K*av1oB|^uEFFd-YnpB%AFDfgoHA1fz^$TH}ExZqZ5j$0wsgC
z>b3gVSWEU(wN`)nqbP(&Ayeh;96GgwcUwx(u=CJq?=3hAju`IkF8plAysYV1E;TjP
z+5p6f4xlod=NaDTT3*Yc%rjtWH`PlGotr3B8yHIAXZ4gwcjzH?1@!D3{C72gs46g-
zbOo4PTVDQ~h=^zgL`&O)iGzz-0Gr+%#;sf5Q+I!7N!yy4nH9LK#TTqv-}tni!EevO
zEUP@{O?0hKtK^KG8K4`kcQ;q(fX|M+{qXDjPPfi(5rX*P<>A>)HqWqh+nq8(hEM3&
zO}p$&OiSJ!fkSVv!Ich9t_TSTrdFaQ7ZlS){-FB5(9zViKyI`gV*+(f1Hi4vMrO@~
zzWtHG0DExFgzM(-cAvYejR|dQ&W24oukC{T8U1F@>62l}#ahd;p7VpnMO6RxCyP!#
zJ}u&4X3fg3WMs4?u>%;bD<B5*%HBi+@C9PwaY`PQHL;^Ed;|;3E6nJPAnlBymCjCl
zfHIgVnF*?92q-n&&YSNIhyQwkO3MvujPZ1(>FM^La1OnO-74x{2iRWiY)E+c%5peo
z)CAI}vp*W3^q^!8zj1Wrshf8t2cft;uA-DD6HWvsKJJ<ShL#<Jn8T#q?@?D**Y7$z
zgD60*l{cbSgq#l+(!rD)g$p1D5r?iU$Rs&6H<YHk>z!iF3O`UIxV^8P1t4>MU`P-U
zf&^;yN5EWkz0dw2+6)S|<66AN$C60wp`^ID&b34Xs%AOdzo77LfVmnnoyPH;4}350
zTt_`wuI0Pe#lDHTd6n~)vR^w5;s(=2-M;_$5t5(b`6RlxbFXeOY9Q||MWKp}Kg1RA
zd3ny}uV68O7sPgxKIbj`!W_(!Kx&MEf+TTsD2+5EexZw4`v9}ML-_5S$3{A$e?du)
zO-_EBub6(hm7n?iwv=_}rg1Gn2WHy!j48@140?Bx3IA#gVyIZBE=omFI4~jtQ<sC-
z!@~n$tFophOexM(#(!PFdLjbkdqu~wuE$z@H6SMqAcW55KArq>-k(bj#b<V$&@xxM
zZ02<QF{T?p2wM(g723*;LyQr&MRQ1BR_^^`X@N6#2beV2gAhX0I3B|`Bv3X%<w8L$
zhJZ&nD%3=u@SF6-D66E97^4TiT#NF0<_P;8Vz=hL8v7<m+)E&wh&}s-KPp@S|NXS*
z)7Z`ry-}3YE#9JK&F5r@LHB9R1T2*Y@KUlZT`FSYH;Ej2vS3=Y)*lb%Hd0G+QRs#3
zcu$4pc9pOaLR4{Fx^Thl<wG0Z|MB|t5gYiQ|JUm@XX~s~j?NRxmO&SEZ3{wkA&CW<
zw8rJPUwHi!Og*s4!zq--gQ}G0ay|JfDnmj-o*5p+EiN7Xdhv<FpWI!NJOazfL62D6
zs_`gkG>b*hB>7k;gwu&Kf}5d%X1Jm$j&!|X<r6??(3aR7VZ*@Uwds-<R$fLnyqpkY
z%@rJ8+c!ydJQNbMYg|ngi8Bkb7TU1~hvNw}5Mv?H>Fz)mv0P6qQU8QS!G|8EKsZEp
zb^10eB&2VIyxj3+f*%)V;YPcjuF4;tg<sxVkc8DB4@<A4*$Fg~k*R@{2LlliTrN$B
zGkdm(^Q*Zu2h}<R*&VaL=v{UxAd-Le>J>H?T5}wH=v#Y|Y-Ulji-IF>ZF2MsmHQ{B
z7*bLr5eAYBA&&2=u$dBDKV<9276LM$1BFvi5*8~+XiC$>nH!cOv^f+U_9lc2)`kl+
zmZNMKihUWua>5&@wqvq#sq(b<rw+B9qR9zkUocr91Cj!0)B1{pYFUwNf>x9S|MkkB
z=cO_I&*_b9S)4D2&uQ2{VoeGh9-Ht|J8;0vy?r})3JYo<od*bjYsX4=zc^UU*yh)?
z*3vVyBrs;Fj3M_+e=(q<BTe$n0ka9l@5{}h-9^^I>C0UEkR)b3r<8bk9(RYQm=$xy
zg~c!wblwN5a#!=LI@h427W^la*|#M~VjP{zdPK(TxIJY4y=}uXLEJiiQ_E)UCUvx&
zHkK5|_G~c1O3+=a7Ed%Mw0*ETtXl&$W2s5ms@q=DQ&&g38C47p*Pbf6IDF8amhrSu
ziE(*^twFuAw(&BU`nW@=r<?_8viPyR89VXqs2G{EDma&q8~*|tE3*k{vvA-14odN<
zXqx`OyG#)d%-D*O>j{?=qXg-ufdukWq<yR1Zez^MwSfA{jMNMly5Z*UE#U$V97G%1
zcXv*{#C5389G$hYKzQExSXHB1dt`K~v_3o{19!j9Swr7AfTLr!i+Q4NMv_?})MIa*
z(<frRR5ZtRQboC}_q(n%^?L=!Cl1(;sBl4E3Lg%8cS%+S%mj{_xwH%$bm7DPbDGR`
z?Sx{iLknJNmvLc4-1wmJtNYi~bK#Y4Uttc{9m;ePO8L$Ho-)6D)@!7gAbmn&@j;Ah
zg0=M#>AiK5OJKsmZ33EL;H8Klrqr+q)koa~^V*;*c64ZIl{ue#G)5`p?^+fU)f{S2
z8AeP#^1r^8eWHn97cA@8DVcJ07|$K~?!E!?k_a=1oXivXS!F`B(>az5r!B?`fg7Y%
z?3Z)~N>oi+Vx`?tbfn9XR0FXwrW0@Hb$|>QwLWxBBkO5ZSiX88TM53druEw+-1I47
zLDh37l!;1F*Yw!ko=C=N<9<r4JCe+Bf@o9ktQ;jxaGy~TzH0(O0uJS)c0V!V=N0Ps
zI34+o)X@b9iEx_#(u!b8zpa^L5^3seBsJ<FaSf!cO0&IBqGqBu5u#nl``=SM;>yiR
ze9+7D$=f&5>kotQ#PRwNZUqw$=hBIeKazXo(x_)1d|t=8zN7+8!@-~^nUprA$CrE{
zEy6n$sdbKUy}+Pj{7ADwjVl^4%6&$}<p7qTd?$F7TvjR}8$OR;TUQ-Z^r63uR>euo
zufJk{xVZlM<y5B1e1zq8mU&^gkIQ_7^-`XtO>R;d1P8B!t2it1dqt3vtMJ3{V3R53
zP5Z?lq!lQZ%A&P9*Zi9Zd5xzCm}%F@>Es(fsdq08jGlB2xDpZ_{BlFn>rN|9q}y}2
zF$4M3!z0Su72b+^<)(~@yCwaHv&8v)09})4U9*9q;m02TY2n_|Rtc^C;?w0F-C*5b
z!wOyP$zSya`xcRjh+Anlv(ZY=u=16(NzU9m)PEgf=n!2fl$aNbW92pXDSqQHn1MKP
z^5ieC0MA(@cL0SvQfD8Q%r0g}rd9pady^}6T&<SIoKKk|RElM5&riYtKz+W0HU@2}
z=#PHJ6-LLN(G56)NN0*bJaZdJ8U&=I%V>x8KI&zeMq(L9EQRX^b2_1roDXWj8ZXpy
z>k`(+bc2Nwmo6U?7hzB=>&9l$%oSGrLvMD&JtAi$jE!8_R>C%u3HuAQ<BkNV4R$53
z4UCO_)Y&2;ye1Gk+>t_rvCUuy9^&+Q@>L4SeLZ8Jn~%I^oOn36TiVrc(Z=Phm^~!g
zU4+qX5KIS%bjomd-*<`Pn!!QLqkICKJv_{CH{o0u`=r3>mu2oQm_jvF?L-r00`Ir)
z9spKHbm2{Y&Bm}Y28FX-owcu<0&}xn1N5nMank0&bW2;A@4VgnEgsn58gupFRwsx@
zhJl0VTFd<P{nrShf9mTe79==ul$IVWP0|nu9llcGe7shDzc*wNr3U+VpF)O=F#5(p
zPIJ2TcY)Yrt^rfx!b9|_{%eXeO}vH`6U$@&wSy0>xM87hb9Zrlk341FJjmTbC8V4`
z!gkyEl`)Q%5zI+1rp)nzvc~&u3rY`e&J#rO6%L>{mC$_5VX?^zYU6k5?5u>@a=u|B
z_17Wkw4Fy4_R{p6p@=T|C7D|9ew>KAQX81u%sUw9GFSc1z9Q>)Wg(KHJP#RM4w0Mt
zzNQgN>#z0q^{M}6VA0Yj=cvu1bdoh}C24xzwW*dZWjW)7J9aeH(+^^_27Q*bRWBsx
zDBBpxe}*VfZfy^K9Pr*$)kjm`VAEo3asOuM31rFNXdEDE`0g&mJN;|@<pAdkS$nOS
z9_v+C(E1N;VRGjrAkIoht>=1v^9}vxQ>0D<QB2X`e47q_hdfC5KVP3ADh{9x|MzR3
zk1${G3j-Gnn^Y7MSu521Pv4Xfw}VX{tdEs|@0Sqm&-qxah6aXG+nV$59fI=0LG433
z-<k_QR#dV@BnSpAaWV8&=GT8`R!inCzkV@w&Ore2XPWe5Z4vtP$Z*WvTN~VDwr|ZM
zTlop=)Dhvs=JNHszT=gBv^o?cjMU6v`z7Rq?7mESbytpB)Wx34`Z(Bq-t>rId}7=?
znkMsTQFWjGAMpM4{l@*}0T-WiZ*aaRn*3?y%VaN;WRv<YA5^vmR#V|7Vw1FCNJ@Tc
z^Gf1fdYj?x$R=qzIoD|K^{LA}yo~&?Y$FsJu{K{eL0oor(qnz#FnTq~vtH3FR1<1e
zOoZsw!na0}417U7w{2w4jyq<8>2^}YF&A)!h-zE00(Iy<7e9COS)NTl+p>4mOW?d(
z`rDL$xdPkxj0W4RUI`;!UBS^zp_<GUiXa7zRL*fcIi9Lvb;JnlFr+1T@+NU@eQk>-
zbR72r%u8S2LcHn(MlZG_<Fd};-ybNIZ+G`qz9;J93##U=s9!XCQv2CKx?S$aWWHSE
z)zQf#8zq|_nZ2>377O-`G>4DQ^T!v=yzqS7U&eJO#{+T6@S{XN3$N#)cLqr!9(cU#
zJ|SfbM|^MPkz5b^N{of~qw|mNSXYuH;L?>%F2XHu$&gx0blMB&goecG8Dj>jF2tmS
zZln23#5tRUB6W3(uRUooB-}H#d)>^Bpj3Z%A_x>A(=^%{KaGQ`giHBL$eDI_31aVm
zRtuVQpKlQ--44N<_)jRg4kseql5Y3mgFXk|6upk4kN2Fvy|QXM(D66LWb;NnY#SZ<
z8|5z`_~!YKFtPIUk-o7Mar9bTt{6DGi8tY6bGYSIoxE_t?c;H)v5fJE1FbuqP&$~{
zP35WH!c~^9d?_p_Zo9pDgL)-T%V4bLfaY$LCB0sS>97dj!^g(2la=$`TJ8zQTEoEo
zU<yt?_tkBlX|wPg6;6+DzN=Gd>ptGcTc06vXJ)r~(Xcpj5|P_1-XirI*ajo%VigZ_
zJV!p?NHPoEebo!-9`%(3f489ATwV8$%qlvD=ETcq)CtW<$cB5EHs@p(!VeWb<#MWj
zrk;rMpSu2SXvh%rNUz*Sb@lG9PqW>P)Wu@4Rv^hUZH^=KAi+mtn<axO{c_eoF&{E7
z;w-+Rdb7lbinA{t=UD?DiAW0TtT$PEov{<}AWhI7y(DEk=f#Pl?m`g;YwJzQlg34I
z!Tn32h?=gh?x)n$;j>cL1?g`GuRjxt(ka1>u5fZQ#zQ@=#0g@pM(>yPr<#3Yw5_+G
z4xE$}vGhEKq$rsYU3mCcfopOdxz!QH)=<eQLley6%-$Eza8eermJC;2KHHYt_W10X
zT?r1zLcHiKyQ7t?7C%!bveE1AKXp*sLjO~sgQF88GlWd(f9)($fjy82#c7LPWY0hO
znZH>KuFU(*&JHsVT0@G7a(zD0{#1DRK|)PTJ+}I<_J@=-nCWl!w4l3J?~7zs3p>7H
z_;_MQprtHOX;Jf)A648=#dcO6sH>cwe0&{6@e^zyk_w*4f5ezPo=<pR(-i-n<{=a6
zB63TMQ?TNvR%c-XFlUeQbQY6PGtUcAE&5WUS=fvx`~@X}`*5Tg_x$D5qoXZ*-QiK>
z;)<1Dlt@UF`iSocm`B0o2;(D!c#<CrNX4<XG02oYbADNVG#$3`hjZ~r#f;7W02+fv
zJ?Bl{&4T64rd7L(6b?ZrM$L&%EYp0ce6pVVGM9-%x8}SVWJb2b(8b`D{Ua>JEd}=U
zI6CED*)^K#H5znpT-#=<NoqO61DNx1?=JgVkl9M;$0b?u+Wfc=RgTKB*!LfG;5r))
zJVf7!pI!3aI%Z_36^rfJA01E<xiXnx*OMDTrsT%SRJbROj`a3p?vWU3Tr_iddoL@b
zATOV1F@Q(q<)KK3Z7Y^8Dro*w!(c2gE(J{{*X*<vMojcaKa_&4N81|bTAw)`tDZEL
zRV&5W4}&@3hymkj_HVOO+ukE3bj4J3OTE84KIPVWCSNalHl)M3P4{~;QzKVGnYkfl
zs7?01#d<z?D$3=7SC^d}%6RlBP?7eRj>rCBAz#LmeF}Gax}Jd{f7xZva92-hbZ<Ra
zSfaq!a0-t+Q#N9flHCdHP73XlSTS~$v$CcpbrF1QLPd{@s|kl`7hIk{`Q%X~xw0e(
zFgSx1r+vCkW;NuoR-#_#X#wY!R0zex4F3i}Yojajm<#g1e)dR1(5$9iw8vOk;4!0I
zD2E+kvA=Dpswo~XVj?jU)i$GG1xw92z;(4qGQTRHf1j67RtcBZ(0y5Or@~>!R=`rh
z7`8;q$nR3Nxj`pUp`L82SX^U%Q>dM%zriG2vwNpD&;k!S&v#aV;R!zoXw^}4zdDva
zn5^c$DH?eDFkfNq;!;nK^dgjbSz_x|x>UBWi|>8sQWZDQ#lj;~+VY{Zb)my}$$zgR
zh_gD;r-XP%m%JxA%N<a24Ia8Qyy)4$J?t39>3Cd5;fe;`OFZC){?zul%JWU7`b`|(
z_w;Fb0w=SODR@wAEdyQ7GR2p>pa%)h3@OWpGeX9-|CC~dzKu1lzdP=nx)_#9?9KWW
zdDz)Xvl+Bz{OxC;{mnB?X93u!n2LuylEE`jBr8YU0)jiw+cSpAf{cdmOnXZC8lCuW
z3ss^CG8JFP(toZ|BSX`YqY#Xx|JiOG-w(%9R|-5ere%4mTYI_w)tlF7>W=-UmSDyJ
zg}a7E75%fW=8;g>_ZK;>uYIB)edc$Yw1+)79DOF9{>tENw>L4SqoP-UiBW$`ZWTT3
ziI;K$1P+ycEFZ;&R)#uY`t1VRHa$#Xf^1A%tGIfUxfqna+ZR6HU0=SJ{yUeGgjf?T
zO)B@b{Hs;BNX;i0ptz&Sf6`uc{kFU<1Ic@tiepuSpi05Y4a%m2pQ!}@t(>rkGEYe#
zKX2|_f`uYjjqD?%7q1A)U%krp9E-Oq|0*YgEFUcO>eZFpmE0?2aPF9>C-C{qJ_j0H
zAs)QsSuBagd*`|Tj<`vCZ)wPrL_+N#jk>buDbVAU1SKSwb{}I3Gi#L|DHcwG!3xos
z)>sj1Ik70%7^u3D<R7d@A4W`it=@23E>bDM&o76zUhn^^GyX&t_x@iy$g0$2uKK~F
z=Xs9uEMQN3Zn3fmS=(GL6)zwkjgQVQc}u?%G^LB;3!aia(a#_teb_+8Q-EM@eIGK*
zpHrc+ejg4TnMt4X+Rw3Q?+u39M%S#0pJB3;DRhi|=XcP+?2z1FRNINmV?|j-Um2yv
zeOhqW_F<i!pl7xM1!-xo^~331aBNC(rw>)TEPDd<ruE{+({8e~e->Bx%MVofSGgip
zglmFs)As0YD?PDrQMZrc`zcr+Q7Tn-6MGyrt-r6&yr?|I)vV4{y6_NdRs~#BUuR!g
zu-6KmPW5NNCAp-QO9YMa@U8Z}8*~YVJQCaL<lB<^yq*MJ90+|SMwj{54>#rIP|^-<
zF8&zS<x+}QHjCj_H?}=#Uf8YabC2U<-k;OHH~a7Or8a5{QaN6nb@BR6?!I$Oo|8X^
zq9(Z1i1G2mLnB$RLlsZOzj{I^)GZ&Fn{xjfjDEa{ySxyxevK*d&)an>N}UXh@%MA(
z{_M~F>`8P{#i$e%6arI~n)b=?g7m8nyq;AU6u(F>M?}P{LUyD0$qS2vwc4Q4Z>(BQ
zCM(Na6&0ori@5fgdcU}z5nc`nQEE6k=H^_d@L!q__S|2SC&8w8{G-{qkDH9yOP4Qj
z3x3V$q2`C(4ty<N?aMYI1G9lzbdo2r?wu~<-X|^}?;U*@bdgE?^VL|bB4PfXCySlq
za;3^A+1<}LLJ3sBI-#sf5V3qWzh-xlf-c3v`QA6wbz0~AygiS<UrRq!wbRt>H^c?p
zdFKo~SxA55zM~#7EWevM-0eNc4IAB7KA2Cok%a5oaKR2z+1ACg#F->Gj>E;dD@<kz
zm9Y{y=m-!4C;YA4P~Q3GoMJLUB+j7ps8UE%w{gI@&1?Dbh&`cpYeu?;zW*7V-dI~p
zerPIRmco(0211Go5oA%4e9;q=MPi`vbC*EvqDG@1TK43fBY_HjR*39bPtg+yS|-Z}
zCUW%mI|qWV)dM<rVa~X<<y<^C%ll8K@$ve+OrKnpHDgN+vQQog*y(S3Cs_#-1@|01
zEnq>cl@<)St7+jIRs3x@Gl~90qJr`+;E4E~?yf^0Nk}nNaWkrWa>)eAk-6CqOZ01U
zf*6%!hId9lD|SRcv1IxS`|X_(T-D>fTY*DI-R^e*Oe~=y!(ybr)UE!z?ShFIwev7M
zw_BeF0~)HfFIR5~oU{{p23ATnI2+gwSCj~`QLRpnADf#lDZc9-<D(?Ueq+^e?n(do
zAi+2cu3xXBBG;tG|FnPP-MaufIy6@Ic;Vj`?}Ej3)LV+2i&=MsU}3>-&-foH%FJqH
z;~@gFAnTP%d&#T*P*?HFKR&GSPI9~S)oY2H%Tr?whSFJ%bxW3xY)l-Zr^K2yB0Rd%
zjI*5LF>vIsdjBG_e^6t$#jkW%XN%3udR3igYnSS9OglXEXc@X8j<oD$;M-{Azx=%k
zPmoRV1#(SqL=>d+e%}jTb33ZCrh0U{HU1A93;0Yv9Mw41zP4jTy{R@Ec1%nyHqQtz
z6*Zek?MibHS!xnXlS0b>fi9*$%G4yQ5FCfp=jFwu*aB^>HHbI<wu81No3FS}NB1YC
z^tr{p<9V27RAfZq!Uf&j*^Zi}V9$=}WWd{4BclH2(x)x>-Zs*-x<^L=wUF+ya@w91
z+P!3Ehe{`O+nI+F)GY!f^0tMWvw1=?$hr;{@pg+9a5sv6Q3!x}Iyz-D#UC`RU)2Vr
zpDA?6G=~ajdB<PGi>|c_JqnEfnhy&qC=Z#rz-Hd6l)vzZVr3*X=znb5(lSJk^TiSV
z%ck`cSC&ETKCequw<=e;)t{);e=}cIT%vR1w4nLul5Rq3=wGAKLGSp|x0PAASY`^H
zlMQOl4(CoQecosM%lD)Hu(5`}kSQc)bK=ixMJ$(>_#YKTVsnwbk0@qI-1cVpKDnWa
zLK+C~^E3BqyqUFwMm5;9$E)Q2L0iM9+Lf`q@K-C^YDE)RfWc5J7tf}7{JF6MBV&R%
zY1MqyAj`AWsf&%jwmuX{fs1TLaDGAG6<_YvUrF!wPwQxReFqH1sJMc%*B0Z%?-=pm
zr*yWvBuJwfaP!rgT4!oD<AJ_tY_*~UWg>h;BC|*`PaVH;?A<37o+ps3C0brC<hmWy
zPtJ|-jxQFLYu-7xfc2-JGl}k#2eQ&ikd6BGi3LC|Bxd=Jj#h{7W3tyIe_!5CBaKtv
zbGkN5G{0(d%s!ZG-=B1Nb}<z~@xqx9<TX}T@ol4i>Gx9lIeM2VEF=PUcogMDRD^=H
zaZzo_@3Pq`*KS-SKXO65ncB!3w~b|k@^bgW%;WWE<1PV?rvP?BWckfmbza~v?Yq>%
zLUDVS3*!k&UObQE7Md0|WbfJN?CK>B#si2`@mXr?_G`txt$$f>S1<Kpx91}R=s;~z
zu<{`^oLirILd3AWtLt^$Rsf~Vho=FZQ-(jR;L1J!%7t(Y0JZVsq~%@#+;1bf&=u=H
zl^yROB0IVr$<qvJ_vWKiJ~R!VdT()J1)UTFANAc`3<$}{kU0H~B<k7AI^412Zb@1m
z+*mNzSlYFjsM$jzQLw@6S(~V*`4^g$(}jLT8*;x&o6N09$uZSi=9gnfZDFTPz5*1b
z)%VI1;hg^5XnC1&EDkazYUlY9n%RgQ2SUccW6}D=Bs{Z=uOdA=v?m5D_IcmGQftpq
zb$DE9TC-?YeqG!r4XwfMfj!f#td3xDKcB-X)|M7BCuR~@kCFVJ%n&zfhaEy2+*>oL
zW^OR*Q=tX!ag6)Kw}-~L^w*zJN$^RLGu|gn;m@vEdx<T)#%h-`>}2vQntTtt@j7(p
zqN?-zf=CA0cP2&0spusx{q8o_xtJsH9^C$E!pD-PsL%XaSqgTSsKUZR#IG2v3<LuL
zoEp_&2nESccL>F2HES-wkyOq8LCUl!iz=5(1k3!RqSX~Ej!sAo$M(CDaL>g1@%JJ8
zzh;f`&QH^Md_$vimRd8J?;^&|trJ7Vhv+MMJytodzZ%$)MzKFHoY7Hf`LEOqv3*S>
zO7o_kY-8xniWt1*w0iMkb-M>|?XVW|_IkF=-+EXrSa@ua=_0+JfJ5)K5HCh?w@Rx7
zH*+=pmfy+SeJD55WAoe4l@{Hu@5oU4a;wOpNB<Z>%8;H}X76{@^SIk>>i}LJP}1WQ
z3!dRpdLp+?7CzeIU7V^aVJWLJJ~h_tZ6}ESvnD4O*463v;7Q9h>ivd6<!uXE!TqK`
z!^NKe(UolG6)HLBu9D%Iw)f$`@x8YWDYOV9Atw#NFIUVx@1KyuB7z9kA3!w&HyX<)
zmgN)}yeBd&?FDei{Gdm~u~(1vN{<J$b;r(jLg0O=_q37vpRj#TwZ^o(wy7PCkI#2t
zp%icV)S^OUYl4d%ArPF;?^2ON#9R0kxis&<_ua6k9c)Y$#AP2CjTw}6-LDD$J>R_$
zu=ncIxnxO2!wQ8U-bLSlvqDS$LqEKV{wC5yqsh4oWN`C*?v9vCb9x~1g=7NxeX81}
z>P_Xh9k97e=yQG^+)N7H7<fyoZAeuM8Pb6EnnYwGNh$0kFq{dY{gQe1hTK?<la)@{
z)>TY2Dq^E2v2o!DE)2P&_&8e|%E78xS*#j-oT6O4ZeEMkinhWo9^t3*UMgG$JV9;p
z>tU&`dZztzCZ<}sS=a7vy!+sxRqtwCU5Jelt?h(Q^pOY4jRWJ3m#(H!X1RzU7USN*
z<j%t{^g-8v(5n`O!PV-QSEk&z2y<HnlBZl_V+bdYR{b?Z%okaSn<L4WL`zwaL^H{8
zTEK!6z9}Y2S>g)OV7E%XfKDmp>-~;sS|B@7l6=#=REIZPi<R*j>+#;;kHi1w3w_9e
zkF49TF)pu~Fl0r_M1P8V88$8WD;KtX|JBWJ$~a&yySu=D{mi^)_jv#%iasa1#1)d;
zo+=XF&>eoG#3k;^QH=O4`!-f9p>LN{!<XA@=XA1v0fL5Ga$Yo6+uhY2d$IM=QS$Ee
zTf#7bn|5?U*W)*-tmz#uAEeg(l~Z854N{o)e@kKzYHx~}ta3Ln@f7E8Sa`QKy3O??
z@+U@OR3Ei#+k(;^Q(ykkl8NHmUge-u-ea-8x9eGx_)+KGkBj}rIx|eYtlPb5#6^IF
z;i?0}{s3E-@j8dREHNR|$2VUU)<CUcvzu|T9(mgOz<yHhIV9ti_uSf#Z)9vwW33c5
zg2$RXCmiT#AD1uLJ4~|+?7qK9DH2|9SqgA9D_<{`Tp=JL3TCBdmxPzA!mdp(Z(~!6
zzMRky+2Oa<h#J=0J}OXM?aM-(Z2Ol61&_bZ-taFNIt0#t9Nwt7CreXFRP5jADre#`
zFT&@w!*3%LapY-vHl2}D6rpiH!0EOS&MIJ*X*>HK{eb%n+5Y&ZyEnh7a&tVEKHLh-
z<*aB7C<W#qVFHi`ZIi2-T&1#CdXQT28<PETRV#y;%qf8qi|g%&h<;LOJkPM_ztPvN
za4>B(&m^|<H%5APW69_)wx$$NqVgt+>mT1-4{?Fr4#0O$EVl56MCcplx_T<t&Kvu5
zPDznMp(6Ck^ro1kWi34kq6h6=JqeBTx%=jC>QXQM2*z3l^k3zNF#f9zA6i6qAs(6D
zQCKq9a(Q}!Bsv6BV;|;;JBM%YUN5DH#|fA>U6bkThm7mS*S*sr`8M=zfG(I}H|FB!
zN33;@H-!9PTT9igMP#stq8uWatYVNqM3@-se4gA@Z7V%8lX;=borK%F4H37zi5?*+
z(d#|m=vfJiWWV<&3lRt3kfb*p@v!n<p}k8@%)Q_^p2AYqpOH=(pLU0<Vac)LEVg3g
zxGqWJQU0^{bX>19syr^eZ_Y<^!A|lqYgSq|(k}zJlCzf%^%dF#Ox5GxJvn~c>ZeK&
z%>U-g4xV4xmY(u5HF{(Dp}$utI-Brc3z^x+sFo*3x^o4wthj=Up2PwKGp&yQHWXx&
zufk;UmyFy{d{X%WcZCm-ac3I{ZCiB%8Wkzi>|vvmqDx%+A}$v2HM);Fbq{EE_NI4}
zuCIL#4F0j+s3uAD3hv^@ZBJKk7%tLcMWjXR>Al6x;jR1jc+by^#KK6x-4t7>L5x`3
z{PwOkxQ1Rv**=sSn#0kA&U5K<bBmNaswy+PfiQGVs&h@A(wx8~dF3y9r`YMW|Bz;H
z`$evvcu3oX?Pa3Ro4<*+u}Bj?kdG)8J0{Ct6xiC--y7Ao9^#e4V7HP)g&qH~i;wt3
zARAXEq0O>Asl0EY+uT;^xB0T)tfmYzxzv=;n{cL_H@pLQc)~Uqs@49N&+01((RmWo
zW47;!YL4AIiq)tT%wN3xGQ9Iz;bg_0nE?rR=t2eNNZ3f^^KxCM3f<JyxJjSudw;Lg
z(SMY(BiDXa7uURfhw*D_Z`8elDZKT*Dj$c)mz$&vEpd|ku`Jc_=V;{b0sjr!SB7Hc
zt6q0;l7kkgK%u#z8YA1kD){81U$)<J{67Z3&-|$91#diJ(u-IT`JZ(X>?7yAfIQXb
z|Ki!3`^DHc<)H)qe+PH?jr#SCC^{kbUPDxQ{~+L)-nzu99Q%LJQ#RQu{RoZnA*JBc
zh(E)q2tkBZo&+HDh^?9b^VRV$f>!p?_8naCdK{Yw*v`E2^b{f1wMUL57c4!xU0++{
zHti<}!lu-=s;?n3j*uXUz0E~{iu7Q$<(LrAp(8Z;K-QK6l<NqMAJ7N=xonv%GZ-FI
zlBD!*`q=#>g8PXEomwtp298Zzq+XH@RGUIkD$mCeE)j$fGfzH|>aZ3km&gjJVymtG
zgaIiW%0f`zh%7&7ac~R}5{?1!p7%=y@P0Cnsod!iaIeS$W!dIfKF&sl7e~7xS3{}W
z!2+M<XaMkCIPR3xeT*;yN^ufn;Bjgr=>)=W#VWI3Ts=VVI%na&JyT=tyoj(}WruUn
z;iCVpG9Ol6E3~)=+hL4!j<Q;nCXa!XkIe}<VD_?UZT=LhAv_Yvyym0LUTz4{6%x>#
zb2vIWPE}jt192GxFK--B%O3%0KMHVQ;JmtaFEMD%s9W?&rIijsGK?@<>IfXU&CAQ<
zcG*__BtZ>C!yLTkL&eVjbIHEx%sWMVCWXI1&=)GvvY8#OS#9wY2_bNT!e<w=cTlk@
zWIucuk(ebBvZq1HPjh?%q;>3W23hZa$iaybOfXhj5y+ynnmt_thkp(ZGJtQpy>`F2
zwHH!wb#*OpsQ?Qoin$cj)HuGgd!>$~1G7-zE|QS?@6cf&Z$#*1FCNPPM^YA0&mke4
zbo|y6uO|1fO(1otKwwpA^`~&N0fff#5yfSQ7^C$VP(`!OK^+|{C8T0MlA(dcJlxT2
z8H|NbC+`r}gRd+q7Bkf>K)$s+V_jx?w*5!bnpDz9%yy<a3urfU^YR@2sA(WHc1RgM
z*OnsAn{7b47&^IQ+7a+LuR~j1od|cUEh8ZTs82<ap0Tkp2ne`lo&ixjsD41F*2j{c
z)&ZPz21|D`xtG16L6*2rg-<VUeV7!}`hX_R0t6?pOn4NW0co4q{mseh+L{B<>x}{?
zz1e_J)){p?932}2T3TVjIeQd@CKpL?-WeaX)EKCk5!N1r+HJg4FBPa)>7&IufD<CS
zeP`M{vzw$dKhvilXkw*-(tUHhKqc>g#(}<nxjP)Ve7<Rv=_6rMOQhKg4FWM>fj|9!
zEaW4Qr6HU%_=-ZGfz%m90|>u~&tRJqp+^&L+Is#H{QfsC^oeAI|5id*p?ua8Y>Gll
z4<oqKoQ8x)9P)vPUkWIPEk<)64}*xT*>^fx?oRXEE+8@9{8L1{k>-RATm%RQ)cu$%
z&{|4cSv>~=(g`%yH{xeth36{$7jOx+-kp_=aQ|?H13{%`xgqk!oRd<`ffMjZr8$qj
z&9fSug9rkR9wz9OF=V@oFxJv<-tcpT((u}F?Z@}euVr5Om@nDG2G_FQqxU*wNAvRX
zB8C|F<aFJa0)Z=uyJ3IcZE+3YK^{<|>bm?<Ljvv#QG|3e&0{@zyhJAvB-WRVj3FTQ
zR$G_2zwDK)bU#|QXag<=Duk%Iz;<7KLFCqqIP^VO-Rd)<0oev5+fLJ_i3qhQLZDq~
zI)Jn}Sw;;I0-<X}ga?oTBSnes3;A4cA-sR>2-!Kn0Qd80^MUzZ;6xKz3cyD~*w^fu
zj!=P{gmYqMQ-D>6neOR7vEVCG<81zy1Bsl>92`+h?@|mSmU5ycmXnO5i~t@qolWSB
zZ0G@*xY*5MXVcYsDgw%YZ!Io8{TKM$lQtl|)VHGU494jN=n4i8Vd~j$fkV_wb$_PX
zwUExQ16SlPd?m4Vprlp0*q<NJa|5ocZRvkdFU$wiE#*nw1=b1Y?DeW)iBx11)W44P
zLMsuxFyP&^m~Y?*chj+RHVQP)9ZOsj+C#z{6hMuhJ!`qx;(h8fkiag#w{p}=4NMOC
zs&B4=;Vul|UZSTy0JTdXkd}S>mc=doA5oy-L6~M7ot!STTEHGC84%lhive>CLY@yo
zbqn+?KC>diDgq1{R+Vebb!(3Ci{xD-(!dN?V9LV6vbwtZRXZUwa~PO9<N+|&@4U+G
zx)-H<@HBRDa(`&s>mu57Gb<Q@*hmQb-%3v;3Z3`2(w1whi82GFgN0^fV5*Zjbz#o@
z#FLzyJc6XA-sadizm|{>fIXno2q8h<tgLt1;4$gL<$(S5bDZ2;Fp!xg64pj6nXlp=
z0@1D0PsT)hpep}R2hl680d~kJup>q@iYe&0Dhpgw#=sT;w4xiCP%7U{pX*T2rN0Z+
zSb>gw2uSS}K<!icuCN3wj_nQ<$0sKqOM%2lm!L{r!58nbrG_)aNrfF5fM%CNEd#`5
z?A<MVtWd4ULb43_^3-7vphO<b5KmQ-xC#JHI3D1`@h*299~A;s?9F3qTW1=Trv+MI
z1@x(~w$BGv-G93y|Ev7?H$nXWClC4m_~`#rJ@Vh*|9wc79}fMh=3)HqGx;0v1?@<0
NWfWhPzBKgvzW^pg`o{nO

literal 0
HcmV?d00001

diff --git a/index.js b/index.js
new file mode 100644
index 0000000..6c70b69
--- /dev/null
+++ b/index.js
@@ -0,0 +1,227 @@
+const jwt = require('jsonwebtoken');
+const jwkToPem = require('jwk-to-pem');
+const assert = require('assert');
+const axios = require('axios');
+const querystring = require('querystring');
+const pino = require('pino');
+
+class Authenticator {
+  constructor(params) {
+    this._verifyParams(params);
+    this._region = params.region;
+    this._userPoolId = params.userPoolId;
+    this._userPoolAppId = params.userPoolAppId;
+    this._userPoolDomain = params.userPoolDomain;
+    this._cookieExpirationDays = params.cookieExpirationDays || 365;
+
+    this._issuer = `https://cognito-idp.${params.region}.amazonaws.com/${params.userPoolId}`;
+    this._cookieBase = `CognitoIdentityServiceProvider.${params.userPoolAppId}`;
+    this._logger = pino({
+      level: params.logLevel || 'silent', // Default to silent
+      base: null, //Remove pid, hostname and name logging as not usefull for Lambda
+    });
+  }
+
+  /**
+   * Verify that constructor parameters are corrects.
+   * @param  {object} params constructor params
+   * @return {void} throw an exception if params are incorects.
+   */
+  _verifyParams(params) {
+    if (typeof params !== 'object') {
+      throw new Error('Expected params to be an object');
+    }
+    [ 'region', 'userPoolId', 'userPoolAppId', 'userPoolDomain' ].forEach(param => {
+      if (typeof params[param] !== 'string') {
+        throw new Error(`Expected params.${param} to be a string`);
+      }
+    });
+    if (params.cookieExpirationDays && typeof params.cookieExpirationDays !== 'number') {
+      throw new Error('Expected params.cookieExpirationDays to be a number');
+    }
+  }
+
+  /**
+   * Download JSON Web Key Set (JWKS) from the UserPool.
+   * @param  {String} issuer URI of the UserPool.
+   * @return {Promise} Request.
+   */
+  _fetchJWKS() {
+    this._jwks = {};
+    const URL = `${this._issuer}/.well-known/jwks.json`;
+    this._logger.debug(`Fetching JWKS from ${URL}`);
+    return axios.get(URL)
+      .then(resp => {
+        resp.data.keys.forEach(key => this._jwks[key.kid] = key);
+      })
+      .catch(err => {
+        this._logger.error(`Unable to fetch JWKS from ${URL}`);
+        throw err;
+      });
+  }
+
+  /**
+   * Verify that the current token is valid. Throw an error if not.
+   * @param  {String} token Token to verify.
+   * @return {Object} Decoded token.
+   */
+  _getVerifiedToken(token) {
+    this._logger.debug({ msg: 'Verifying token...', token });
+    const decoded = jwt.decode(token, {complete: true});
+    const kid = decoded.header.kid;
+    const verified = jwt.verify(token, jwkToPem(this._jwks[kid]), { audience: this._userPoolAppId, issuer: this._issuer });
+    assert.strictEqual(verified.token_use, 'id');
+    return verified;
+  }
+
+  /**
+   * Exchange authorization code for tokens.
+   * @param  {String} redirectURI Redirection URI.
+   * @param  {String} code        Authorization code.
+   * @return {Promise} Authenticated user tokens.
+   */
+  _fetchTokensFromCode(redirectURI, code) {
+    const request = {
+      url: `https://${this._userPoolDomain}/oauth2/token`,
+      method: 'post',
+      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
+      data: querystring.stringify({
+        client_id:	this._userPoolAppId,
+        code:	code,
+        grant_type:	'authorization_code',
+        redirect_uri:	redirectURI,
+      }),
+    };
+    this._logger.debug({ msg: 'Fetching tokens from grant code...', request, code });
+    return axios.request(request)
+      .then(resp => {
+        this._logger.debug({ msg: 'Fetched tokens', tokens: resp.data });
+        return resp.data;
+      })
+      .catch(err => {
+        this._logger.error({ msg: 'Unable to fetch tokens from grant code', request, code });
+        throw err;
+      });
+  }
+
+  /**
+   * Create a Lambda@Edge redirection response to set the tokens on the user's browser cookies.
+   * @param  {Object} tokens   Cognito User Pool tokens.
+   * @param  {String} domain   Website domain.
+   * @param  {String} location Path to redirection.
+   * @return {Object} Lambda@Edge response.
+   */
+  _getRedirectResponse(tokens, domain, location) {
+    const decoded = this._getVerifiedToken(tokens.id_token);
+    const username = decoded['cognito:username'];
+    const usernameBase = `${this._cookieBase}.${username}`;
+    const directives = `Domain=${domain}; Expires=${new Date(new Date() * 1 + this._cookieExpirationDays * 864e+5)}; Secure`;
+
+    const response = {
+      status: '302' ,
+      headers: {
+        'location': [{ key: 'Location', 'value': location }],
+        'set-cookie': [
+          {
+            key: 'Set-Cookie',
+            value: `${usernameBase}.accessToken=${tokens.access_token}; ${directives}`,
+          },
+          {
+            key: 'Set-Cookie',
+            value: `${usernameBase}.idToken=${tokens.id_token}; ${directives}`,
+          },
+          {
+            key: 'Set-Cookie',
+            value: `${usernameBase}.refreshToken=${tokens.refresh_token}; ${directives}`,
+          },
+          {
+            key: 'Set-Cookie',
+            value: `${usernameBase}.tokenScopesString=phone email profile openid aws.cognito.signin.user.admin; ${directives}`,
+          },
+          {
+            key: 'Set-Cookie',
+            value: `${this._cookieBase}.LastAuthUser=${username}; ${directives}`,
+          },
+        ],
+      },
+    };
+
+    this._logger.debug({ msg: 'Generated set-cookie response', response });
+
+    return response;
+  }
+
+  /**
+   * Extract value of the authentication token from the request cookies.
+   * @param  {Array}  cookies Request cookies.
+   * @return {String} Extracted access token. Throw if not found.
+   */
+  _getIdTokenFromCookie(cookies) {
+    this._logger.debug({ msg: 'Extracting authentication token from request cookie', cookies });
+    // eslint-disable-next-line no-useless-escape
+    const regex = new RegExp(`${this._userPoolAppId}\.[A-z0-9_]*\.idToken=(.*?);`);
+    if (cookies) {
+      for (let i = 0; i < cookies.length; i++) {
+        const matches = cookies[i].value.match(regex);
+        if (matches && matches.length > 1) {
+          this._logger.debug({ msg: '  Found token in cookie', token: matches[1] });
+          return matches[1];
+        }
+      }
+    }
+    this._logger.debug("  idToken wasn't present in request cookies");
+    throw new Error("Id token isn't present in the request cookies");
+  }
+
+  /**
+   * Handle Lambda@Edge event:
+   *   * if authentication cookie is present and valid: forward the request
+   *   * if ?code=<grant code> is present: set cookies with new tokens
+   *   * else redirect to the Cognito UserPool to authenticate the user
+   * @param  {Object}  event Lambda@Edge event.
+   * @return {Promise} CloudFront response.
+   */
+  async handle(event) {
+    this._logger.debug({ msg: 'Handling Lambda@Edge event', event });
+
+    if (!this._jwks) {
+      await this._fetchJWKS();
+    }
+
+    const { request } = event.Records[0].cf;
+    const requestParams = querystring.parse(request.querystring);
+    const cfDomain = request.headers.host[0].value;
+    const redirectURI = `https://${cfDomain}`;
+
+    try {
+      const token = this._getIdTokenFromCookie(request.headers.cookie);
+      const user = this._getVerifiedToken(token);
+      this._logger.info({ msg: 'Forwading request', path: request.uri, user });
+      return request;
+    } catch (err) {
+      this._logger.debug("User isn't authenticated");
+      if (requestParams.code) {
+        return this._fetchTokensFromCode(redirectURI, requestParams.code)
+          .then(tokens => this._getRedirectResponse(tokens, cfDomain, decodeURIComponent(requestParams.state)));
+      } else {
+        let redirectPath = request.uri;
+        if (request.querystring && request.querystring !== '') {
+          redirectPath += encodeURIComponent('?' + request.querystring);
+        }
+        const userPoolUrl = `https://${this._userPoolDomain}/authorize?redirect_uri=${redirectURI}&response_type=code&client_id=${this._userPoolAppId}&state=${redirectPath}`;
+        this._logger.debug(`Redirecting user to Cognito User Pool URL ${userPoolUrl}`);
+        return {
+          status: 302,
+          headers: {
+            location: [{
+              key: 'Location',
+              value: userPoolUrl,
+            }],
+          },
+        };
+      }
+    }
+  }
+}
+
+module.exports.Authenticator = Authenticator;
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..ee829be
--- /dev/null
+++ b/package.json
@@ -0,0 +1,41 @@
+{
+  "name": "cognito-at-edge",
+  "version": "1.0.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/awslabs/cognito-at-edge"
+  },
+  "description": "Serverless authentication solution to protect your website or Amplify application.",
+  "author": "Hugo David-Boyet <hugodb@amazon.com>",
+  "license": "Apache-2.0",
+  "main": "index.js",
+  "files": [
+    "index.js"
+  ],
+  "scripts": {
+    "test": "jest"
+  },
+  "dependencies": {
+    "axios": "^0.18.0",
+    "jsonwebtoken": "^8.2.1",
+    "jwk-to-pem": "^2.0.0",
+    "pino": "^5.13.2"
+  },
+  "devDependencies": {
+    "eslint": "^6.2.2",
+    "jest": "^24.8.0"
+  },
+  "engines": {
+    "node": ">=8.0.0"
+  },
+  "keywords": [
+    "aws",
+    "cognito",
+    "userpool",
+    "cloudfront",
+    "lambda",
+    "edge",
+    "private",
+    "website"
+  ]
+}