commit c027839f2f1337d1606de8d004753b524834996f · bretton.dev/coves

+124 -35

cmd/server/main.go

···

       3
        
       import (

     

       4
        
       	"Coves/internal/api/middleware"

     

       5
        
       	"Coves/internal/api/routes"

     

       6
       -
       	"Coves/internal/atproto/auth"

     

       7
        
       	"Coves/internal/atproto/identity"

     

       8
        
       	"Coves/internal/atproto/jetstream"

     

       0
        
       
     

       9
        
       	"Coves/internal/core/aggregators"

     

       10
        
       	"Coves/internal/core/blobs"

     

       11
        
       	"Coves/internal/core/comments"

     
···

       18
        
       	"Coves/internal/core/users"

     

       19
        
       	"bytes"

     

       20
        
       	"context"

     

       0
        
       
     

       21
        
       	"database/sql"

     

       0
        
       
     

       22
        
       	"encoding/json"

     

       23
        
       	"fmt"

     

       24
        
       	"io"

     
···

       38
        
       	commentsAPI "Coves/internal/api/handlers/comments"

     

       39
        
       

     

       40
        
       	postgresRepo "Coves/internal/db/postgres"

     

       41
       -
       

     

       42
       -
       	indigoIdentity "github.com/bluesky-social/indigo/atproto/identity"

     

       43
        
       )

     

       44
        
       

     

       45
        
       func main() {

     
···

       137
        
       

     

       138
        
       	identityResolver := identity.NewResolver(db, identityConfig)

     

       139
        
       

     

       140
       -
       	// Initialize atProto auth middleware for JWT validation

     

       141
       -
       	// Phase 1: Set skipVerify=true to test JWT parsing only

     

       142
       -
       	// Phase 2: Set skipVerify=false to enable full signature verification

     

       143
       -
       	skipVerify := os.Getenv("AUTH_SKIP_VERIFY") == "true"

     

       144
       -
       	if skipVerify {

     

       145
       -
       		log.Println("⚠️  WARNING: JWT signature verification is DISABLED (Phase 1 testing)")

     

       146
       -
       		log.Println("   Set AUTH_SKIP_VERIFY=false for production")

     

       147
       -
       	}

     

       148
       -
       

     

       149
       -
       	// Initialize Indigo directory for DID resolution (used by auth)

     

       150
        
       	plcURL := os.Getenv("PLC_DIRECTORY_URL")

     

       151
        
       	if plcURL == "" {

     

       152
        
       		plcURL = "https://plc.directory"

     

       153
        
       	}

     

       154
       -
       	indigoDir := &indigoIdentity.BaseDirectory{

     

       155
       -
       		PLCURL:     plcURL,

     

       156
       -
       		HTTPClient: http.Client{Timeout: 10 * time.Second},

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       157
        
       	}

     

       158
        
       

     

       159
       -
       	// Initialize JWT config early to cache HS256_ISSUERS and PDS_JWT_SECRET

     

       160
       -
       	// This avoids reading env vars on every request

     

       161
       -
       	auth.InitJWTConfig()

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       162
        
       

     

       163
       -
       	// Create combined key fetcher for both DID and URL issuers

     

       164
       -
       	// - DID issuers (did:plc:, did:web:) → resolved via DID document keys (ES256)

     

       165
       -
       	// - URL issuers → JWKS endpoint (fallback for legacy tokens)

     

       166
       -
       	jwksCacheTTL := 1 * time.Hour

     

       167
       -
       	jwksFetcher := auth.NewCachedJWKSFetcher(jwksCacheTTL)

     

       168
       -
       	keyFetcher := auth.NewCombinedKeyFetcher(indigoDir, jwksFetcher)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       169
        
       

     

       170
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(keyFetcher, skipVerify)

     

       171
       -
       	log.Println("✅ atProto auth middleware initialized (DID + JWKS key resolution)")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       172
        
       

     

       173
        
       	// Initialize repositories and services

     

       174
        
       	userRepo := postgresRepo.NewUserRepository(db)

     
···

       303
        
       	log.Println("  - Indexing: social.coves.community.profile (community profiles)")

     

       304
        
       	log.Println("  - Indexing: social.coves.community.subscription (user subscriptions)")

     

       305
        
       

     

       306
       -
       	// Start JWKS cache cleanup background job

     

       0
        
       
     

       307
        
       	go func() {

     

       308
        
       		ticker := time.NewTicker(1 * time.Hour)

     

       309
        
       		defer ticker.Stop()

     

       310
       -
       		for range ticker.C {

     

       311
       -
       			jwksFetcher.CleanupExpiredCache()

     

       312
       -
       			log.Println("JWKS cache cleanup completed")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       313
        
       		}

     

       314
        
       	}()

     

       315
        
       

     

       316
       -
       	log.Println("Started JWKS cache cleanup background job (runs hourly)")

     

       317
        
       

     

       318
        
       	// Initialize aggregator service

     

       319
        
       	aggregatorRepo := postgresRepo.NewAggregatorRepository(db)

     
···

       494
        
       	log.Println("✅ Comment query API registered (20 req/min rate limit)")

     

       495
        
       	log.Println("  - GET /xrpc/social.coves.community.comment.getComments")

     

       496
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       497
        
       	// Health check endpoints

     

       498
        
       	healthHandler := func(w http.ResponseWriter, r *http.Request) {

     

       499
        
       		w.WriteHeader(http.StatusOK)

     
···

       540
        
       	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)

     

       541
        
       	defer cancel()

     

       542
        
       

     

       543
       -
       	// Stop auth middleware background goroutines (DPoP replay cache cleanup)

     

       544
       -
       	authMiddleware.Stop()

     

       545
       -
       	log.Println("Auth middleware stopped")

     

       546
        
       

     

       547
        
       	if err := server.Shutdown(ctx); err != nil {

     

       548
        
       		log.Fatalf("Server shutdown error: %v", err)

···

       3
        
       import (

     

       4
        
       	"Coves/internal/api/middleware"

     

       5
        
       	"Coves/internal/api/routes"

     

       0
        
       
     

       6
        
       	"Coves/internal/atproto/identity"

     

       7
        
       	"Coves/internal/atproto/jetstream"

     

       8
       +
       	"Coves/internal/atproto/oauth"

     

       9
        
       	"Coves/internal/core/aggregators"

     

       10
        
       	"Coves/internal/core/blobs"

     

       11
        
       	"Coves/internal/core/comments"

     
···

       18
        
       	"Coves/internal/core/users"

     

       19
        
       	"bytes"

     

       20
        
       	"context"

     

       21
       +
       	"crypto/rand"

     

       22
        
       	"database/sql"

     

       23
       +
       	"encoding/base64"

     

       24
        
       	"encoding/json"

     

       25
        
       	"fmt"

     

       26
        
       	"io"

     
···

       40
        
       	commentsAPI "Coves/internal/api/handlers/comments"

     

       41
        
       

     

       42
        
       	postgresRepo "Coves/internal/db/postgres"

     

       0
        
       
     

       0
        
       
     

       43
        
       )

     

       44
        
       

     

       45
        
       func main() {

     
···

       137
        
       

     

       138
        
       	identityResolver := identity.NewResolver(db, identityConfig)

     

       139
        
       

     

       140
       +
       	// Get PLC URL for OAuth and other services

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       141
        
       	plcURL := os.Getenv("PLC_DIRECTORY_URL")

     

       142
        
       	if plcURL == "" {

     

       143
        
       		plcURL = "https://plc.directory"

     

       144
        
       	}

     

       145
       +
       

     

       146
       +
       	// Initialize OAuth client for sealed session tokens

     

       147
       +
       	// Mobile apps authenticate via OAuth flow and receive sealed session tokens

     

       148
       +
       	// These tokens are encrypted references to OAuth sessions stored in the database

     

       149
       +
       	oauthSealSecret := os.Getenv("OAUTH_SEAL_SECRET")

     

       150
       +
       	if oauthSealSecret == "" {

     

       151
       +
       		if os.Getenv("IS_DEV_ENV") != "true" {

     

       152
       +
       			log.Fatal("OAUTH_SEAL_SECRET is required in production mode")

     

       153
       +
       		}

     

       154
       +
       		// Generate RANDOM secret for dev mode

     

       155
       +
       		randomBytes := make([]byte, 32)

     

       156
       +
       		if _, err := rand.Read(randomBytes); err != nil {

     

       157
       +
       			log.Fatal("Failed to generate random seal secret: ", err)

     

       158
       +
       		}

     

       159
       +
       		oauthSealSecret = base64.StdEncoding.EncodeToString(randomBytes)

     

       160
       +
       		log.Println("⚠️  DEV MODE: Generated random OAuth seal secret (won't persist across restarts)")

     

       161
        
       	}

     

       162
        
       

     

       163
       +
       	isDevMode := os.Getenv("IS_DEV_ENV") == "true"

     

       164
       +
       	oauthConfig := &oauth.OAuthConfig{

     

       165
       +
       		PublicURL:       os.Getenv("APPVIEW_PUBLIC_URL"),

     

       166
       +
       		SealSecret:      oauthSealSecret,

     

       167
       +
       		Scopes:          []string{"atproto", "transition:generic"},

     

       168
       +
       		DevMode:         isDevMode,

     

       169
       +
       		AllowPrivateIPs: isDevMode, // Allow private IPs only in dev mode

     

       170
       +
       		PLCURL:          plcURL,

     

       171
       +
       		// SessionTTL and SealedTokenTTL will use defaults if not set (7 days and 14 days)

     

       172
       +
       	}

     

       173
        
       

     

       174
       +
       	// Create PostgreSQL-backed OAuth session store (using default 7-day TTL)

     

       175
       +
       	baseOAuthStore := oauth.NewPostgresOAuthStore(db, 0)

     

       176
       +
       	// Wrap with MobileAwareStoreWrapper to capture OAuth state for mobile CSRF validation.

     

       177
       +
       	// This intercepts SaveAuthRequestInfo to save mobile CSRF data when present in context.

     

       178
       +
       	oauthStore := oauth.NewMobileAwareStoreWrapper(baseOAuthStore)

     

       179
       +
       

     

       180
       +
       	if oauthConfig.PublicURL == "" {

     

       181
       +
       		oauthConfig.PublicURL = "http://localhost:8080"

     

       182
       +
       		oauthConfig.DevMode = true // Force dev mode for localhost

     

       183
       +
       	}

     

       184
       +
       

     

       185
       +
       	// Optional: confidential client secret for production

     

       186
       +
       	oauthConfig.ClientSecret = os.Getenv("OAUTH_CLIENT_SECRET")

     

       187
       +
       	oauthConfig.ClientKID = os.Getenv("OAUTH_CLIENT_KID")

     

       188
        
       

     

       189
       +
       	oauthClient, err := oauth.NewOAuthClient(oauthConfig, oauthStore)

     

       190
       +
       	if err != nil {

     

       191
       +
       		log.Fatalf("Failed to initialize OAuth client: %v", err)

     

       192
       +
       	}

     

       193
       +
       

     

       194
       +
       	// Create OAuth handler for HTTP endpoints

     

       195
       +
       	oauthHandler := oauth.NewOAuthHandler(oauthClient, oauthStore)

     

       196
       +
       

     

       197
       +
       	// Create OAuth auth middleware

     

       198
       +
       	// Validates sealed session tokens and loads OAuth sessions from database

     

       199
       +
       	authMiddleware := middleware.NewOAuthAuthMiddleware(oauthClient, oauthStore)

     

       200
       +
       	log.Println("✅ OAuth auth middleware initialized (sealed session tokens)")

     

       201
        
       

     

       202
        
       	// Initialize repositories and services

     

       203
        
       	userRepo := postgresRepo.NewUserRepository(db)

     
···

       332
        
       	log.Println("  - Indexing: social.coves.community.profile (community profiles)")

     

       333
        
       	log.Println("  - Indexing: social.coves.community.subscription (user subscriptions)")

     

       334
        
       

     

       335
       +
       	// Start OAuth session cleanup background job with cancellable context

     

       336
       +
       	cleanupCtx, cleanupCancel := context.WithCancel(context.Background())

     

       337
        
       	go func() {

     

       338
        
       		ticker := time.NewTicker(1 * time.Hour)

     

       339
        
       		defer ticker.Stop()

     

       340
       +
       		for {

     

       341
       +
       			select {

     

       342
       +
       			case <-cleanupCtx.Done():

     

       343
       +
       				log.Println("OAuth cleanup job stopped")

     

       344
       +
       				return

     

       345
       +
       			case <-ticker.C:

     

       346
       +
       				// Check if store implements cleanup methods

     

       347
       +
       				// Use UnwrapPostgresStore to get the underlying store from the wrapper

     

       348
       +
       				if cleanupStore := oauthStore.UnwrapPostgresStore(); cleanupStore != nil {

     

       349
       +
       					sessions, sessErr := cleanupStore.CleanupExpiredSessions(cleanupCtx)

     

       350
       +
       					if sessErr != nil {

     

       351
       +
       						log.Printf("Error cleaning up expired OAuth sessions: %v", sessErr)

     

       352
       +
       					}

     

       353
       +
       					requests, reqErr := cleanupStore.CleanupExpiredAuthRequests(cleanupCtx)

     

       354
       +
       					if reqErr != nil {

     

       355
       +
       						log.Printf("Error cleaning up expired OAuth auth requests: %v", reqErr)

     

       356
       +
       					}

     

       357
       +
       					if sessions > 0 || requests > 0 {

     

       358
       +
       						log.Printf("OAuth cleanup: removed %d expired sessions, %d expired auth requests", sessions, requests)

     

       359
       +
       					}

     

       360
       +
       				}

     

       361
       +
       			}

     

       362
        
       		}

     

       363
        
       	}()

     

       364
        
       

     

       365
       +
       	log.Println("Started OAuth session cleanup background job (runs hourly)")

     

       366
        
       

     

       367
        
       	// Initialize aggregator service

     

       368
        
       	aggregatorRepo := postgresRepo.NewAggregatorRepository(db)

     
···

       543
        
       	log.Println("✅ Comment query API registered (20 req/min rate limit)")

     

       544
        
       	log.Println("  - GET /xrpc/social.coves.community.comment.getComments")

     

       545
        
       

     

       546
       +
       	// Configure allowed CORS origins for OAuth callback

     

       547
       +
       	// SECURITY: Never use wildcard "*" with credentials - only allow specific origins

     

       548
       +
       	var oauthAllowedOrigins []string

     

       549
       +
       	appviewPublicURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       550
       +
       	if appviewPublicURL == "" {

     

       551
       +
       		appviewPublicURL = "http://localhost:8080"

     

       552
       +
       	}

     

       553
       +
       	oauthAllowedOrigins = append(oauthAllowedOrigins, appviewPublicURL)

     

       554
       +
       

     

       555
       +
       	// In dev mode, also allow common localhost origins for testing

     

       556
       +
       	if oauthConfig.DevMode {

     

       557
       +
       		oauthAllowedOrigins = append(oauthAllowedOrigins,

     

       558
       +
       			"http://localhost:3000",

     

       559
       +
       			"http://localhost:3001",

     

       560
       +
       			"http://localhost:5173",

     

       561
       +
       			"http://127.0.0.1:8080",

     

       562
       +
       			"http://127.0.0.1:3000",

     

       563
       +
       			"http://127.0.0.1:3001",

     

       564
       +
       			"http://127.0.0.1:5173",

     

       565
       +
       		)

     

       566
       +
       		log.Printf("🧪 DEV MODE: OAuth CORS allows localhost origins for testing")

     

       567
       +
       	}

     

       568
       +
       	log.Printf("OAuth CORS allowed origins: %v", oauthAllowedOrigins)

     

       569
       +
       

     

       570
       +
       	// Register OAuth routes for authentication flow

     

       571
       +
       	routes.RegisterOAuthRoutes(r, oauthHandler, oauthAllowedOrigins)

     

       572
       +
       	log.Println("✅ OAuth endpoints registered")

     

       573
       +
       	log.Println("  - GET /oauth/client-metadata.json")

     

       574
       +
       	log.Println("  - GET /oauth/jwks.json")

     

       575
       +
       	log.Println("  - GET /oauth/login")

     

       576
       +
       	log.Println("  - GET /oauth/mobile/login")

     

       577
       +
       	log.Println("  - GET /oauth/callback")

     

       578
       +
       	log.Println("  - POST /oauth/logout")

     

       579
       +
       	log.Println("  - POST /oauth/refresh")

     

       580
       +
       

     

       581
       +
       	// Register well-known routes for mobile app deep linking

     

       582
       +
       	routes.RegisterWellKnownRoutes(r)

     

       583
       +
       	log.Println("✅ Well-known endpoints registered (mobile Universal Links & App Links)")

     

       584
       +
       	log.Println("  - GET /.well-known/apple-app-site-association (iOS Universal Links)")

     

       585
       +
       	log.Println("  - GET /.well-known/assetlinks.json (Android App Links)")

     

       586
       +
       

     

       587
        
       	// Health check endpoints

     

       588
        
       	healthHandler := func(w http.ResponseWriter, r *http.Request) {

     

       589
        
       		w.WriteHeader(http.StatusOK)

     
···

       630
        
       	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)

     

       631
        
       	defer cancel()

     

       632
        
       

     

       633
       +
       	// Stop OAuth cleanup background job

     

       634
       +
       	cleanupCancel()

     

       0
        
       
     

       635
        
       

     

       636
        
       	if err := server.Shutdown(ctx); err != nil {

     

       637
        
       		log.Fatalf("Server shutdown error: %v", err)

+71

internal/api/routes/oauth.go

···

       1
       +
       package routes

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/atproto/oauth"

     

       6
       +
       	"net/http"

     

       7
       +
       	"time"

     

       8
       +
       

     

       9
       +
       	"github.com/go-chi/chi/v5"

     

       10
       +
       	"github.com/go-chi/cors"

     

       11
       +
       )

     

       12
       +
       

     

       13
       +
       // RegisterOAuthRoutes registers OAuth-related endpoints on the router with dedicated rate limiting

     

       14
       +
       // OAuth endpoints have stricter rate limits to prevent:

     

       15
       +
       // - Credential stuffing attacks on login endpoints

     

       16
       +
       // - OAuth state exhaustion

     

       17
       +
       // - Refresh token abuse

     

       18
       +
       func RegisterOAuthRoutes(r chi.Router, handler *oauth.OAuthHandler, allowedOrigins []string) {

     

       19
       +
       	// Create stricter rate limiters for OAuth endpoints

     

       20
       +
       	// Login endpoints: 10 req/min per IP (credential stuffing protection)

     

       21
       +
       	loginLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       22
       +
       

     

       23
       +
       	// Refresh endpoint: 20 req/min per IP (slightly higher for legitimate token refresh)

     

       24
       +
       	refreshLimiter := middleware.NewRateLimiter(20, 1*time.Minute)

     

       25
       +
       

     

       26
       +
       	// Logout endpoint: 10 req/min per IP

     

       27
       +
       	logoutLimiter := middleware.NewRateLimiter(10, 1*time.Minute)

     

       28
       +
       

     

       29
       +
       	// OAuth metadata endpoints - public, no extra rate limiting (use global limit)

     

       30
       +
       	r.Get("/oauth/client-metadata.json", handler.HandleClientMetadata)

     

       31
       +
       	r.Get("/oauth/jwks.json", handler.HandleJWKS)

     

       32
       +
       

     

       33
       +
       	// Alternative well-known paths for OAuth metadata

     

       34
       +
       	r.Get("/.well-known/oauth-jwks.json", handler.HandleJWKS)

     

       35
       +
       	r.Get("/.well-known/oauth-protected-resource", handler.HandleProtectedResourceMetadata)

     

       36
       +
       

     

       37
       +
       	// OAuth flow endpoints - stricter rate limiting for authentication attempts

     

       38
       +
       	r.With(loginLimiter.Middleware).Get("/oauth/login", handler.HandleLogin)

     

       39
       +
       	r.With(loginLimiter.Middleware).Get("/oauth/mobile/login", handler.HandleMobileLogin)

     

       40
       +
       

     

       41
       +
       	// OAuth callback - needs CORS for potential cross-origin redirects from PDS

     

       42
       +
       	// Use login limiter since callback completes the authentication flow

     

       43
       +
       	r.With(corsMiddleware(allowedOrigins), loginLimiter.Middleware).Get("/oauth/callback", handler.HandleCallback)

     

       44
       +
       

     

       45
       +
       	// Mobile Universal Link callback route

     

       46
       +
       	// This route is used for iOS Universal Links and Android App Links

     

       47
       +
       	// Path must match the path in .well-known/apple-app-site-association

     

       48
       +
       	// Uses the same handler as web callback - the system routes it to the mobile app

     

       49
       +
       	r.With(loginLimiter.Middleware).Get("/app/oauth/callback", handler.HandleCallback)

     

       50
       +
       

     

       51
       +
       	// Session management - dedicated rate limits

     

       52
       +
       	r.With(logoutLimiter.Middleware).Post("/oauth/logout", handler.HandleLogout)

     

       53
       +
       	r.With(refreshLimiter.Middleware).Post("/oauth/refresh", handler.HandleRefresh)

     

       54
       +
       }

     

       55
       +
       

     

       56
       +
       // corsMiddleware creates a CORS middleware for OAuth callback with specific allowed origins

     

       57
       +
       func corsMiddleware(allowedOrigins []string) func(next http.Handler) http.Handler {

     

       58
       +
       	return cors.Handler(cors.Options{

     

       59
       +
       		AllowedOrigins: allowedOrigins, // Only allow specific origins for OAuth callback

     

       60
       +
       		AllowedMethods: []string{"GET", "POST", "OPTIONS"},

     

       61
       +
       		AllowedHeaders: []string{

     

       62
       +
       			"Accept",

     

       63
       +
       			"Authorization",

     

       64
       +
       			"Content-Type",

     

       65
       +
       			"X-CSRF-Token",

     

       66
       +
       		},

     

       67
       +
       		ExposedHeaders:   []string{"Link"},

     

       68
       +
       		AllowCredentials: true,

     

       69
       +
       		MaxAge:           300, // 5 minutes

     

       70
       +
       	})

     

       71
       +
       }