writefreely
/
writefreely
의 미러 https://github.com/writefreely/writefreely.git
2
0
포크 0
코드 이슈 릴리즈 25 위키 활동
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1329 커밋
45 브랜치
187 MiB
 
 
 
 
 
브렌치: hotfix-0.13.2
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from 'hotfix-0.13.2'
${ noResults }
writefreely/oauth.go

474 lines
17 KiB
Raw 고유링크 Blame 히스토리 

  1. /*

  2.  * Copyright © 2019-2021 Musing Studio LLC.

  3.  *

  4.  * This file is part of WriteFreely.

  5.  *

  6.  * WriteFreely is free software: you can redistribute it and/or modify

  7.  * it under the terms of the GNU Affero General Public License, included

  8.  * in the LICENSE file in this source code package.

  9.  */

  10. 

  11. package writefreely

  12. 

  13. import (

  14. 	"context"

  15. 	"encoding/json"

  16. 	"fmt"

  17. 	"io"

  18. 	"io/ioutil"

  19. 	"net/http"

  20. 	"net/url"

  21. 	"strings"

  22. 	"time"

  23. 

  24. 	"github.com/gorilla/mux"

  25. 	"github.com/gorilla/sessions"

  26. 	"github.com/writeas/impart"

  27. 	"github.com/writeas/web-core/log"

  28. 	"github.com/writefreely/writefreely/config"

  29. )

  30. 

  31. // OAuthButtons holds display information for different OAuth providers we support.

  32. type OAuthButtons struct {

  33. 	SlackEnabled       bool

  34. 	WriteAsEnabled     bool

  35. 	GitLabEnabled      bool

  36. 	GitLabDisplayName  string

  37. 	GiteaEnabled       bool

  38. 	GiteaDisplayName   string

  39. 	GenericEnabled     bool

  40. 	GenericDisplayName string

  41. }

  42. 

  43. // NewOAuthButtons creates a new OAuthButtons struct based on our app configuration.

  44. func NewOAuthButtons(cfg *config.Config) *OAuthButtons {

  45. 	return &OAuthButtons{

  46. 		SlackEnabled:       cfg.SlackOauth.ClientID != "",

  47. 		WriteAsEnabled:     cfg.WriteAsOauth.ClientID != "",

  48. 		GitLabEnabled:      cfg.GitlabOauth.ClientID != "",

  49. 		GitLabDisplayName:  config.OrDefaultString(cfg.GitlabOauth.DisplayName, gitlabDisplayName),

  50. 		GiteaEnabled:       cfg.GiteaOauth.ClientID != "",

  51. 		GiteaDisplayName:   config.OrDefaultString(cfg.GiteaOauth.DisplayName, giteaDisplayName),

  52. 		GenericEnabled:     cfg.GenericOauth.ClientID != "",

  53. 		GenericDisplayName: config.OrDefaultString(cfg.GenericOauth.DisplayName, genericOauthDisplayName),

  54. 	}

  55. }

  56. 

  57. // TokenResponse contains data returned when a token is created either

  58. // through a code exchange or using a refresh token.

  59. type TokenResponse struct {

  60. 	AccessToken  string `json:"access_token"`

  61. 	ExpiresIn    int    `json:"expires_in"`

  62. 	RefreshToken string `json:"refresh_token"`

  63. 	TokenType    string `json:"token_type"`

  64. 	Error        string `json:"error"`

  65. }

  66. 

  67. // InspectResponse contains data returned when an access token is inspected.

  68. type InspectResponse struct {

  69. 	ClientID    string    `json:"client_id"`

  70. 	UserID      string    `json:"user_id"`

  71. 	ExpiresAt   time.Time `json:"expires_at"`

  72. 	Username    string    `json:"username"`

  73. 	DisplayName string    `json:"-"`

  74. 	Email       string    `json:"email"`

  75. 	Error       string    `json:"error"`

  76. }

  77. 

  78. // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token

  79. // endpoint. One megabyte is plenty.

  80. const tokenRequestMaxLen = 1000000

  81. 

  82. // infoRequestMaxLen is the most bytes that we'll read from the

  83. // /oauth/inspect endpoint.

  84. const infoRequestMaxLen = 1000000

  85. 

  86. // OAuthDatastoreProvider provides a minimal interface of data store, config,

  87. // and session store for use with the oauth handlers.

  88. type OAuthDatastoreProvider interface {

  89. 	DB() OAuthDatastore

  90. 	Config() *config.Config

  91. 	SessionStore() sessions.Store

  92. }

  93. 

  94. // OAuthDatastore provides a minimal interface of data store methods used in

  95. // oauth functionality.

  96. type OAuthDatastore interface {

  97. 	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)

  98. 	RecordRemoteUserID(context.Context, int64, string, string, string, string) error

  99. 	ValidateOAuthState(context.Context, string) (string, string, int64, string, error)

  100. 	GenerateOAuthState(context.Context, string, string, int64, string) (string, error)

  101. 

  102. 	CreateUser(*config.Config, *User, string, string) error

  103. 	GetUserByID(int64) (*User, error)

  104. }

  105. 

  106. type HttpClient interface {

  107. 	Do(req *http.Request) (*http.Response, error)

  108. }

  109. 

  110. type oauthClient interface {

  111. 	GetProvider() string

  112. 	GetClientID() string

  113. 	GetCallbackLocation() string

  114. 	buildLoginURL(state string) (string, error)

  115. 	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)

  116. 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)

  117. }

  118. 

  119. type callbackProxyClient struct {

  120. 	server           string

  121. 	callbackLocation string

  122. 	httpClient       HttpClient

  123. }

  124. 

  125. type oauthHandler struct {

  126. 	Config        *config.Config

  127. 	DB            OAuthDatastore

  128. 	Store         sessions.Store

  129. 	EmailKey      []byte

  130. 	oauthClient   oauthClient

  131. 	callbackProxy *callbackProxyClient

  132. }

  133. 

  134. func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {

  135. 	ctx := r.Context()

  136. 

  137. 	var attachUser int64

  138. 	if attach := r.URL.Query().Get("attach"); attach == "t" {

  139. 		user, _ := getUserAndSession(app, r)

  140. 		if user == nil {

  141. 			return impart.HTTPError{http.StatusInternalServerError, "cannot attach auth to user: user not found in session"}

  142. 		}

  143. 		attachUser = user.ID

  144. 	}

  145. 

  146. 	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID(), attachUser, r.FormValue("invite_code"))

  147. 	if err != nil {

  148. 		log.Error("viewOauthInit error: %s", err)

  149. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  150. 	}

  151. 

  152. 	if h.callbackProxy != nil {

  153. 		if err := h.callbackProxy.register(ctx, state); err != nil {

  154. 			log.Error("viewOauthInit error: %s", err)

  155. 			return impart.HTTPError{http.StatusInternalServerError, "could not register state server"}

  156. 		}

  157. 	}

  158. 

  159. 	location, err := h.oauthClient.buildLoginURL(state)

  160. 	if err != nil {

  161. 		log.Error("viewOauthInit error: %s", err)

  162. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  163. 	}

  164. 	return impart.HTTPError{http.StatusTemporaryRedirect, location}

  165. }

  166. 

  167. func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {

  168. 	if app.Config().SlackOauth.ClientID != "" {

  169. 		callbackLocation := app.Config().App.Host + "/oauth/callback/slack"

  170. 

  171. 		var stateRegisterClient *callbackProxyClient = nil

  172. 		if app.Config().SlackOauth.CallbackProxyAPI != "" {

  173. 			stateRegisterClient = &callbackProxyClient{

  174. 				server:           app.Config().SlackOauth.CallbackProxyAPI,

  175. 				callbackLocation: app.Config().App.Host + "/oauth/callback/slack",

  176. 				httpClient:       config.DefaultHTTPClient(),

  177. 			}

  178. 			callbackLocation = app.Config().SlackOauth.CallbackProxy

  179. 		}

  180. 		oauthClient := slackOauthClient{

  181. 			ClientID:         app.Config().SlackOauth.ClientID,

  182. 			ClientSecret:     app.Config().SlackOauth.ClientSecret,

  183. 			TeamID:           app.Config().SlackOauth.TeamID,

  184. 			HttpClient:       config.DefaultHTTPClient(),

  185. 			CallbackLocation: callbackLocation,

  186. 		}

  187. 		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)

  188. 	}

  189. }

  190. 

  191. func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {

  192. 	if app.Config().WriteAsOauth.ClientID != "" {

  193. 		callbackLocation := app.Config().App.Host + "/oauth/callback/write.as"

  194. 

  195. 		var callbackProxy *callbackProxyClient = nil

  196. 		if app.Config().WriteAsOauth.CallbackProxy != "" {

  197. 			callbackProxy = &callbackProxyClient{

  198. 				server:           app.Config().WriteAsOauth.CallbackProxyAPI,

  199. 				callbackLocation: app.Config().App.Host + "/oauth/callback/write.as",

  200. 				httpClient:       config.DefaultHTTPClient(),

  201. 			}

  202. 			callbackLocation = app.Config().WriteAsOauth.CallbackProxy

  203. 		}

  204. 

  205. 		oauthClient := writeAsOauthClient{

  206. 			ClientID:         app.Config().WriteAsOauth.ClientID,

  207. 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,

  208. 			ExchangeLocation: config.OrDefaultString(app.Config().WriteAsOauth.TokenLocation, writeAsExchangeLocation),

  209. 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),

  210. 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),

  211. 			HttpClient:       config.DefaultHTTPClient(),

  212. 			CallbackLocation: callbackLocation,

  213. 		}

  214. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  215. 	}

  216. }

  217. 

  218. func configureGitlabOauth(parentHandler *Handler, r *mux.Router, app *App) {

  219. 	if app.Config().GitlabOauth.ClientID != "" {

  220. 		callbackLocation := app.Config().App.Host + "/oauth/callback/gitlab"

  221. 

  222. 		var callbackProxy *callbackProxyClient = nil

  223. 		if app.Config().GitlabOauth.CallbackProxy != "" {

  224. 			callbackProxy = &callbackProxyClient{

  225. 				server:           app.Config().GitlabOauth.CallbackProxyAPI,

  226. 				callbackLocation: app.Config().App.Host + "/oauth/callback/gitlab",

  227. 				httpClient:       config.DefaultHTTPClient(),

  228. 			}

  229. 			callbackLocation = app.Config().GitlabOauth.CallbackProxy

  230. 		}

  231. 

  232. 		address := config.OrDefaultString(app.Config().GitlabOauth.Host, gitlabHost)

  233. 		oauthClient := gitlabOauthClient{

  234. 			ClientID:         app.Config().GitlabOauth.ClientID,

  235. 			ClientSecret:     app.Config().GitlabOauth.ClientSecret,

  236. 			ExchangeLocation: address + "/oauth/token",

  237. 			InspectLocation:  address + "/api/v4/user",

  238. 			AuthLocation:     address + "/oauth/authorize",

  239. 			HttpClient:       config.DefaultHTTPClient(),

  240. 			CallbackLocation: callbackLocation,

  241. 		}

  242. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  243. 	}

  244. }

  245. 

  246. func configureGenericOauth(parentHandler *Handler, r *mux.Router, app *App) {

  247. 	if app.Config().GenericOauth.ClientID != "" {

  248. 		callbackLocation := app.Config().App.Host + "/oauth/callback/generic"

  249. 

  250. 		var callbackProxy *callbackProxyClient = nil

  251. 		if app.Config().GenericOauth.CallbackProxy != "" {

  252. 			callbackProxy = &callbackProxyClient{

  253. 				server:           app.Config().GenericOauth.CallbackProxyAPI,

  254. 				callbackLocation: app.Config().App.Host + "/oauth/callback/generic",

  255. 				httpClient:       config.DefaultHTTPClient(),

  256. 			}

  257. 			callbackLocation = app.Config().GenericOauth.CallbackProxy

  258. 		}

  259. 

  260. 		oauthClient := genericOauthClient{

  261. 			ClientID:         app.Config().GenericOauth.ClientID,

  262. 			ClientSecret:     app.Config().GenericOauth.ClientSecret,

  263. 			ExchangeLocation: app.Config().GenericOauth.Host + app.Config().GenericOauth.TokenEndpoint,

  264. 			InspectLocation:  app.Config().GenericOauth.Host + app.Config().GenericOauth.InspectEndpoint,

  265. 			AuthLocation:     app.Config().GenericOauth.Host + app.Config().GenericOauth.AuthEndpoint,

  266. 			HttpClient:       config.DefaultHTTPClient(),

  267. 			CallbackLocation: callbackLocation,

  268. 			Scope:            config.OrDefaultString(app.Config().GenericOauth.Scope, "read_user"),

  269. 			MapUserID:        config.OrDefaultString(app.Config().GenericOauth.MapUserID, "user_id"),

  270. 			MapUsername:      config.OrDefaultString(app.Config().GenericOauth.MapUsername, "username"),

  271. 			MapDisplayName:   config.OrDefaultString(app.Config().GenericOauth.MapDisplayName, "-"),

  272. 			MapEmail:         config.OrDefaultString(app.Config().GenericOauth.MapEmail, "email"),

  273. 		}

  274. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  275. 	}

  276. }

  277. 

  278. func configureGiteaOauth(parentHandler *Handler, r *mux.Router, app *App) {

  279. 	if app.Config().GiteaOauth.ClientID != "" {

  280. 		callbackLocation := app.Config().App.Host + "/oauth/callback/gitea"

  281. 

  282. 		var callbackProxy *callbackProxyClient = nil

  283. 		if app.Config().GiteaOauth.CallbackProxy != "" {

  284. 			callbackProxy = &callbackProxyClient{

  285. 				server:           app.Config().GiteaOauth.CallbackProxyAPI,

  286. 				callbackLocation: app.Config().App.Host + "/oauth/callback/gitea",

  287. 				httpClient:       config.DefaultHTTPClient(),

  288. 			}

  289. 			callbackLocation = app.Config().GiteaOauth.CallbackProxy

  290. 		}

  291. 

  292. 		oauthClient := giteaOauthClient{

  293. 			ClientID:         app.Config().GiteaOauth.ClientID,

  294. 			ClientSecret:     app.Config().GiteaOauth.ClientSecret,

  295. 			ExchangeLocation: app.Config().GiteaOauth.Host + "/login/oauth/access_token",

  296. 			InspectLocation:  app.Config().GiteaOauth.Host + "/login/oauth/userinfo",

  297. 			AuthLocation:     app.Config().GiteaOauth.Host + "/login/oauth/authorize",

  298. 			HttpClient:       config.DefaultHTTPClient(),

  299. 			CallbackLocation: callbackLocation,

  300. 			Scope:            "openid profile email",

  301. 			MapUserID:        "sub",

  302. 			MapUsername:      "login",

  303. 			MapDisplayName:   "full_name",

  304. 			MapEmail:         "email",

  305. 		}

  306. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  307. 	}

  308. }

  309. 

  310. func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, callbackProxy *callbackProxyClient) {

  311. 	handler := &oauthHandler{

  312. 		Config:        app.Config(),

  313. 		DB:            app.DB(),

  314. 		Store:         app.SessionStore(),

  315. 		oauthClient:   oauthClient,

  316. 		EmailKey:      app.keys.EmailKey,

  317. 		callbackProxy: callbackProxy,

  318. 	}

  319. 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")

  320. 	r.HandleFunc("/oauth/callback/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")

  321. 	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")

  322. }

  323. 

  324. func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {

  325. 	ctx := r.Context()

  326. 

  327. 	code := r.FormValue("code")

  328. 	state := r.FormValue("state")

  329. 

  330. 	provider, clientID, attachUserID, inviteCode, err := h.DB.ValidateOAuthState(ctx, state)

  331. 	if err != nil {

  332. 		log.Error("Unable to ValidateOAuthState: %s", err)

  333. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  334. 	}

  335. 

  336. 	tokenResponse, err := h.oauthClient.exchangeOauthCode(ctx, code)

  337. 	if err != nil {

  338. 		log.Error("Unable to exchangeOauthCode: %s", err)

  339. 		// TODO: show user friendly message if needed

  340. 		// TODO: show NO message for cases like user pressing "Cancel" on authorize step

  341. 		addSessionFlash(app, w, r, err.Error(), nil)

  342. 		if attachUserID > 0 {

  343. 			return impart.HTTPError{http.StatusFound, "/me/settings"}

  344. 		}

  345. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  346. 	}

  347. 

  348. 	// Now that we have the access token, let's use it real quick to make sure

  349. 	// it really really works.

  350. 	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)

  351. 	if err != nil {

  352. 		log.Error("Unable to inspectOauthAccessToken: %s", err)

  353. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  354. 	}

  355. 

  356. 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID, provider, clientID)

  357. 	if err != nil {

  358. 		log.Error("Unable to GetIDForRemoteUser: %s", err)

  359. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  360. 	}

  361. 

  362. 	if localUserID != -1 && attachUserID > 0 {

  363. 		if err = addSessionFlash(app, w, r, "This OAuth account is already attached to another user.", nil); err != nil {

  364. 			return impart.HTTPError{Status: http.StatusInternalServerError, Message: err.Error()}

  365. 		}

  366. 		return impart.HTTPError{http.StatusFound, "/me/settings"}

  367. 	}

  368. 

  369. 	if localUserID != -1 {

  370. 		// Existing user, so log in now

  371. 		user, err := h.DB.GetUserByID(localUserID)

  372. 		if err != nil {

  373. 			log.Error("Unable to GetUserByID %d: %s", localUserID, err)

  374. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  375. 		}

  376. 		if err = loginOrFail(h.Store, w, r, user); err != nil {

  377. 			log.Error("Unable to loginOrFail %d: %s", localUserID, err)

  378. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  379. 		}

  380. 		return nil

  381. 	}

  382. 	if attachUserID > 0 {

  383. 		log.Info("attaching to user %d", attachUserID)

  384. 		log.Info("OAuth userid: %s", tokenInfo.UserID)

  385. 		err = h.DB.RecordRemoteUserID(r.Context(), attachUserID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)

  386. 		if err != nil {

  387. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  388. 		}

  389. 		return impart.HTTPError{http.StatusFound, "/me/settings"}

  390. 	}

  391. 

  392. 	// New user registration below.

  393. 	// First, verify that user is allowed to register

  394. 	if inviteCode != "" {

  395. 		// Verify invite code is valid

  396. 		i, err := app.db.GetUserInvite(inviteCode)

  397. 		if err != nil {

  398. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  399. 		}

  400. 		if !i.Active(app.db) {

  401. 			return impart.HTTPError{http.StatusNotFound, "Invite link has expired."}

  402. 		}

  403. 	} else if !app.cfg.App.OpenRegistration {

  404. 		addSessionFlash(app, w, r, ErrUserNotFound.Error(), nil)

  405. 		return impart.HTTPError{http.StatusFound, "/login"}

  406. 	}

  407. 

  408. 	displayName := tokenInfo.DisplayName

  409. 	if len(displayName) == 0 {

  410. 		displayName = tokenInfo.Username

  411. 	}

  412. 

  413. 	tp := &oauthSignupPageParams{

  414. 		AccessToken:     tokenResponse.AccessToken,

  415. 		TokenUsername:   tokenInfo.Username,

  416. 		TokenAlias:      tokenInfo.DisplayName,

  417. 		TokenEmail:      tokenInfo.Email,

  418. 		TokenRemoteUser: tokenInfo.UserID,

  419. 		Provider:        provider,

  420. 		ClientID:        clientID,

  421. 		InviteCode:      inviteCode,

  422. 	}

  423. 	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)

  424. 

  425. 	return h.showOauthSignupPage(app, w, r, tp, nil)

  426. }

  427. 

  428. func (r *callbackProxyClient) register(ctx context.Context, state string) error {

  429. 	form := url.Values{}

  430. 	form.Add("state", state)

  431. 	form.Add("location", r.callbackLocation)

  432. 	req, err := http.NewRequestWithContext(ctx, "POST", r.server, strings.NewReader(form.Encode()))

  433. 	if err != nil {

  434. 		return err

  435. 	}

  436. 	req.Header.Set("User-Agent", ServerUserAgent(""))

  437. 	req.Header.Set("Accept", "application/json")

  438. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  439. 

  440. 	resp, err := r.httpClient.Do(req)

  441. 	if err != nil {

  442. 		return err

  443. 	}

  444. 	if resp.StatusCode != http.StatusCreated {

  445. 		return fmt.Errorf("unable register state location: %d", resp.StatusCode)

  446. 	}

  447. 

  448. 	return nil

  449. }

  450. 

  451. func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {

  452. 	lr := io.LimitReader(body, int64(n+1))

  453. 	data, err := ioutil.ReadAll(lr)

  454. 	if err != nil {

  455. 		return err

  456. 	}

  457. 	if len(data) == n+1 {

  458. 		return fmt.Errorf("content larger than max read allowance: %d", n)

  459. 	}

  460. 	return json.Unmarshal(data, thing)

  461. }

  462. 

  463. func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {

  464. 	// An error may be returned, but a valid session should always be returned.

  465. 	session, _ := store.Get(r, cookieName)

  466. 	session.Values[cookieUserVal] = user.Cookie()

  467. 	if err := session.Save(r, w); err != nil {

  468. 		fmt.Println("error saving session", err)

  469. 		return err

  470. 	}

  471. 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)

  472. 	return nil

  473. }