From fb946b5d53124fc6ea534e2b24a0560cd9b5fbf1 Mon Sep 17 00:00:00 2001
From: prosenjitjoy <prosen.joy@gmail.com>
Date: Sat, 7 Oct 2023 03:24:36 +0600
Subject: [PATCH 1/2] added middleware and authorizatoin

---
 .github/workflows/ci.yml    |   2 +-
 api/account.go              |  15 ++++-
 api/account_test.go         | 117 +++++++++++++++++++++++++++++++++---
 api/middleware.go           |  52 ++++++++++++++++
 api/middleware_test.go      | 104 ++++++++++++++++++++++++++++++++
 api/server.go               |  15 +++--
 api/transfer.go             |  25 +++++---
 api/transfer_test.go        |   9 ++-
 database/db/account.sql.go  |  12 ++--
 database/db/account_test.go |   9 ++-
 database/query/account.sql  |   5 +-
 diagram.png                 | Bin 40417 -> 0 bytes
 12 files changed, 329 insertions(+), 36 deletions(-)
 create mode 100644 api/middleware.go
 create mode 100644 api/middleware_test.go
 delete mode 100644 diagram.png

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e99b9eb..800ec98 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
+        go-version: '^1.20'
     
     - name: Install golang-migrate
       run: |
diff --git a/api/account.go b/api/account.go
index 4a06db2..b30884a 100644
--- a/api/account.go
+++ b/api/account.go
@@ -1,8 +1,10 @@
 package api
 
 import (
+	"errors"
 	"fmt"
 	"main/database/db"
+	"main/token"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
@@ -10,7 +12,6 @@ import (
 )
 
 type createAccountRequest struct {
-	Owner    string `json:"owner" binding:"required"`
 	Currency string `json:"currency" binding:"required,currency"`
 }
 
@@ -21,8 +22,10 @@ func (s *Server) createAccount(ctx *gin.Context) {
 		return
 	}
 
+	authPayload := ctx.MustGet(authorizationPayloadKey).(*token.Payload)
+
 	arg := db.CreateAccountParams{
-		Owner:    req.Owner,
+		Owner:    authPayload.Username,
 		Balance:  0,
 		Currency: req.Currency,
 	}
@@ -62,6 +65,12 @@ func (s *Server) getAcount(ctx *gin.Context) {
 		return
 	}
 
+	authPayload := ctx.MustGet(authorizationPayloadKey).(*token.Payload)
+	if account.Owner != authPayload.Username {
+		err := errors.New("account doesn't belong to the authenticated user")
+		ctx.JSON(http.StatusUnauthorized, errorResponse(err))
+		return
+	}
 	ctx.JSON(http.StatusOK, account)
 }
 
@@ -77,7 +86,9 @@ func (s *Server) listAcount(ctx *gin.Context) {
 		return
 	}
 
+	authPayload := ctx.MustGet(authorizationPayloadKey).(*token.Payload)
 	arg := &db.ListAccountsParams{
+		Owner:  authPayload.Username,
 		Limit:  req.PageSize,
 		Offset: (req.PageID - 1) * req.PageSize,
 	}
diff --git a/api/account_test.go b/api/account_test.go
index 2237983..c525adf 100644
--- a/api/account_test.go
+++ b/api/account_test.go
@@ -3,11 +3,13 @@ package api
 import (
 	"bytes"
 	"encoding/json"
+	"time"
 
 	"fmt"
 	"io"
 	"main/database/db"
 	"main/database/mockdb"
+	"main/token"
 	"main/util"
 	"net/http"
 	"net/http/httptest"
@@ -20,17 +22,22 @@ import (
 )
 
 func TestGetAccountAPI(t *testing.T) {
-	account := randomAccount()
+	user, _ := randomUser(t)
+	account := randomAccount(user.Username)
 
 	testCases := []struct {
 		name          string
 		accountID     int64
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(t *testing.T, recorder *httptest.ResponseRecorder)
 	}{
 		{
 			name:      "OK",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(account, nil)
 			},
@@ -42,6 +49,9 @@ func TestGetAccountAPI(t *testing.T) {
 		{
 			name:      "NotFound",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(&db.Account{}, pgx.ErrNoRows)
 			},
@@ -52,6 +62,9 @@ func TestGetAccountAPI(t *testing.T) {
 		{
 			name:      "InternalError",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(&db.Account{}, pgx.ErrTxClosed)
 			},
@@ -62,6 +75,9 @@ func TestGetAccountAPI(t *testing.T) {
 		{
 			name:      "InvalidID",
 			accountID: 0,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Any()).Times(0)
 			},
@@ -69,6 +85,31 @@ func TestGetAccountAPI(t *testing.T) {
 				require.Equal(t, http.StatusBadRequest, recorder.Code)
 			},
 		},
+		{
+			name:      "UnauthorizedUser",
+			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, "unauthorized_user", time.Minute)
+			},
+			buildStubs: func(store *mockdb.MockStore) {
+				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(account, nil)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
+		{
+			name:      "NoAuthorization",
+			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+			},
+			buildStubs: func(store *mockdb.MockStore) {
+				store.EXPECT().GetAccount(gomock.Any(), gomock.Any()).Times(0)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -89,6 +130,7 @@ func TestGetAccountAPI(t *testing.T) {
 			request, err := http.NewRequest(http.MethodGet, url, nil)
 			require.NoError(t, err)
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 
 			// check response
@@ -97,10 +139,10 @@ func TestGetAccountAPI(t *testing.T) {
 	}
 }
 
-func randomAccount() *db.Account {
+func randomAccount(owner string) *db.Account {
 	return &db.Account{
 		ID:       util.RandomInt(1, 1000),
-		Owner:    util.RandomOwner(),
+		Owner:    owner,
 		Balance:  util.RandomMoney(),
 		Currency: util.RandomCurrency(),
 	}
@@ -117,11 +159,13 @@ func requireBodyMatchAccount(t *testing.T, body *bytes.Buffer, account db.Accoun
 }
 
 func TestCreateAccountAPI(t *testing.T) {
-	account := randomAccount()
+	user, _ := randomUser(t)
+	account := randomAccount(user.Username)
 
 	testCases := []struct {
 		name          string
 		body          gin.H
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(recoder *httptest.ResponseRecorder)
 	}{
@@ -131,6 +175,9 @@ func TestCreateAccountAPI(t *testing.T) {
 				"owner":    account.Owner,
 				"currency": account.Currency,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				arg := &db.CreateAccountParams{
 					Owner:    account.Owner,
@@ -154,6 +201,9 @@ func TestCreateAccountAPI(t *testing.T) {
 				"owner":    account.Owner,
 				"currency": account.Currency,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().
 					CreateAccount(gomock.Any(), gomock.Any()).
@@ -170,6 +220,9 @@ func TestCreateAccountAPI(t *testing.T) {
 				"owner":    account.Owner,
 				"currency": "invalid",
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().
 					CreateAccount(gomock.Any(), gomock.Any()).
@@ -200,6 +253,7 @@ func TestCreateAccountAPI(t *testing.T) {
 			request, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(data))
 			require.NoError(t, err)
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 			tc.checkResponse(recorder)
 		})
@@ -207,10 +261,12 @@ func TestCreateAccountAPI(t *testing.T) {
 }
 
 func TestListAccountAPI(t *testing.T) {
+	user, _ := randomUser(t)
+
 	n := 5
 	accounts := make([]*db.Account, n)
 	for i := 0; i < n; i++ {
-		accounts[i] = randomAccount()
+		accounts[i] = randomAccount(user.Username)
 	}
 
 	type Query struct {
@@ -221,6 +277,7 @@ func TestListAccountAPI(t *testing.T) {
 	testCases := []struct {
 		name          string
 		query         Query
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(recorder *httptest.ResponseRecorder)
 	}{
@@ -230,6 +287,9 @@ func TestListAccountAPI(t *testing.T) {
 				pageID:   1,
 				pageSize: n,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				arg := &db.ListAccountsParams{
 					Limit:  int32(n),
@@ -249,6 +309,9 @@ func TestListAccountAPI(t *testing.T) {
 				pageID:   1,
 				pageSize: n,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().ListAccounts(gomock.Any(), gomock.Any()).Times(1).Return([]*db.Account{}, pgx.ErrTxClosed)
 			},
@@ -262,6 +325,9 @@ func TestListAccountAPI(t *testing.T) {
 				pageID:   -1,
 				pageSize: n,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().ListAccounts(gomock.Any(), gomock.Any()).Times(0)
 			},
@@ -275,6 +341,9 @@ func TestListAccountAPI(t *testing.T) {
 				pageID:   1,
 				pageSize: 100000,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().ListAccounts(gomock.Any(), gomock.Any()).Times(0)
 			},
@@ -305,6 +374,7 @@ func TestListAccountAPI(t *testing.T) {
 			q.Add("page_size", fmt.Sprintf("%d", tc.query.pageSize))
 			request.URL.RawQuery = q.Encode()
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 			tc.checkResponse(recorder)
 		})
@@ -322,12 +392,14 @@ func requireBodyMatchAccounts(t *testing.T, body *bytes.Buffer, accounts []*db.A
 }
 
 func TestUpdateAccountAPI(t *testing.T) {
-	account := randomAccount()
+	user, _ := randomUser(t)
+	account := randomAccount(user.Username)
 
 	testCases := []struct {
 		name          string
 		accountID     int64
 		body          gin.H
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(recoder *httptest.ResponseRecorder)
 	}{
@@ -337,6 +409,9 @@ func TestUpdateAccountAPI(t *testing.T) {
 			body: gin.H{
 				"balance": account.Balance,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				arg := &db.UpdateAccountParams{
 					ID:      account.ID,
@@ -359,6 +434,9 @@ func TestUpdateAccountAPI(t *testing.T) {
 			body: gin.H{
 				"balance": account.Balance,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().
 					UpdateAccount(gomock.Any(), gomock.Any()).
@@ -375,6 +453,9 @@ func TestUpdateAccountAPI(t *testing.T) {
 			body: gin.H{
 				"balance": account.Balance,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				arg := &db.UpdateAccountParams{
 					ID:      account.ID,
@@ -393,6 +474,9 @@ func TestUpdateAccountAPI(t *testing.T) {
 			body: gin.H{
 				"balance": account.Balance,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().UpdateAccount(gomock.Any(), gomock.Any()).Times(0)
 			},
@@ -406,6 +490,9 @@ func TestUpdateAccountAPI(t *testing.T) {
 			body: gin.H{
 				"invalid": "invalid",
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().
 					UpdateAccount(gomock.Any(), gomock.Any()).
@@ -436,6 +523,7 @@ func TestUpdateAccountAPI(t *testing.T) {
 			request, err := http.NewRequest(http.MethodPatch, url, bytes.NewReader(data))
 			require.NoError(t, err)
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 			tc.checkResponse(recorder)
 		})
@@ -443,17 +531,22 @@ func TestUpdateAccountAPI(t *testing.T) {
 }
 
 func TestDeleteAccountAPI(t *testing.T) {
-	account := randomAccount()
+	user, _ := randomUser(t)
+	account := randomAccount(user.Username)
 
 	testCases := []struct {
 		name          string
 		accountID     int64
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(t *testing.T, recorder *httptest.ResponseRecorder)
 	}{
 		{
 			name:      "OK",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().DeleteAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1)
 			},
@@ -464,6 +557,9 @@ func TestDeleteAccountAPI(t *testing.T) {
 		{
 			name:      "NotFound",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().DeleteAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(pgx.ErrNoRows)
 			},
@@ -474,6 +570,9 @@ func TestDeleteAccountAPI(t *testing.T) {
 		{
 			name:      "InternalError",
 			accountID: account.ID,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().DeleteAccount(gomock.Any(), gomock.Eq(account.ID)).Times(1).Return(pgx.ErrTxClosed)
 			},
@@ -484,6 +583,9 @@ func TestDeleteAccountAPI(t *testing.T) {
 		{
 			name:      "InvalidID",
 			accountID: 0,
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().DeleteAccount(gomock.Any(), gomock.Any()).Times(0)
 			},
@@ -511,6 +613,7 @@ func TestDeleteAccountAPI(t *testing.T) {
 			request, err := http.NewRequest(http.MethodDelete, url, nil)
 			require.NoError(t, err)
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 
 			// check response
diff --git a/api/middleware.go b/api/middleware.go
new file mode 100644
index 0000000..12e0343
--- /dev/null
+++ b/api/middleware.go
@@ -0,0 +1,52 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"main/token"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+const (
+	authorizationHeaderKey  = "authorization"
+	authorizationTypeBearer = "bearer"
+	authorizationPayloadKey = "auth_payload"
+)
+
+func authMiddleware(tokenMaker token.Maker) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		authorizationHeader := ctx.GetHeader(authorizationHeaderKey)
+		if len(authorizationHeader) == 0 {
+			err := errors.New("authorization header is not provided")
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse(err))
+			return
+		}
+
+		fields := strings.Fields(authorizationHeader)
+		if len(fields) < 2 {
+			err := errors.New("invalid authorization header format")
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse(err))
+			return
+		}
+
+		authorizationType := strings.ToLower(fields[0])
+		if authorizationType != authorizationTypeBearer {
+			err := fmt.Errorf("unsupported authorization type %s", authorizationType)
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse(err))
+			return
+		}
+
+		accessToken := fields[1]
+		payload, err := tokenMaker.VerifyToken(accessToken)
+		if err != nil {
+			ctx.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse(err))
+			return
+		}
+
+		ctx.Set(authorizationPayloadKey, payload)
+		ctx.Next()
+	}
+}
diff --git a/api/middleware_test.go b/api/middleware_test.go
new file mode 100644
index 0000000..b3bd063
--- /dev/null
+++ b/api/middleware_test.go
@@ -0,0 +1,104 @@
+package api
+
+import (
+	"fmt"
+	"main/token"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+func addAuthorization(
+	t *testing.T,
+	request *http.Request,
+	tokenMaker token.Maker,
+	authorizationType string,
+	username string,
+	duration time.Duration,
+) {
+	token, err := tokenMaker.CreateToken(username, duration)
+	require.NoError(t, err)
+
+	authorizationHeader := fmt.Sprintf("%s %s", authorizationType, token)
+	request.Header.Set(authorizationHeaderKey, authorizationHeader)
+}
+
+func TestAuthMiddleware(t *testing.T) {
+	testCases := []struct {
+		name          string
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
+		checkResponse func(t *testing.T, recorder *httptest.ResponseRecorder)
+	}{
+		{
+			name: "OK",
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, "user", time.Minute)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusOK, recorder.Code)
+			},
+		},
+		{
+			name: "NoAuthorization",
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
+		{
+			name: "UnsupportedAuthorization",
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, "unsupported", "user", time.Minute)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
+		{
+			name: "InvalidAuthorization",
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, "", "user", time.Minute)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
+		{
+			name: "ExpiredToken",
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, "user", -time.Minute)
+			},
+			checkResponse: func(t *testing.T, recorder *httptest.ResponseRecorder) {
+				require.Equal(t, http.StatusUnauthorized, recorder.Code)
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			server := newTestServer(t, nil)
+
+			authPath := "/auth"
+			server.router.GET(
+				authPath,
+				authMiddleware(server.tokenMaker),
+				func(ctx *gin.Context) {
+					ctx.JSON(http.StatusOK, gin.H{})
+				},
+			)
+
+			recorder := httptest.NewRecorder()
+			request, err := http.NewRequest(http.MethodGet, authPath, nil)
+			require.NoError(t, err)
+
+			tc.setupAuth(t, request, server.tokenMaker)
+			server.router.ServeHTTP(recorder, request)
+			tc.checkResponse(t, recorder)
+		})
+	}
+}
diff --git a/api/server.go b/api/server.go
index 587a330..99bfe3d 100644
--- a/api/server.go
+++ b/api/server.go
@@ -46,13 +46,16 @@ func (s *Server) setupRouter() {
 	router.POST("/users", s.createUser)
 	router.POST("/users/login", s.loginUser)
 
-	router.POST("/accounts", s.createAccount)
-	router.GET("/accounts/:id", s.getAcount)
-	router.GET("/accounts", s.listAcount)
-	router.PATCH("/accounts/:id", s.updateAccount)
-	router.DELETE("/accounts/:id", s.deleteAccount)
+	authRoutes := router.Group("/")
+	authRoutes.Use(authMiddleware(s.tokenMaker))
 
-	router.POST("/transfers", s.createTransfer)
+	authRoutes.POST("/accounts", s.createAccount)
+	authRoutes.GET("/accounts/:id", s.getAcount)
+	authRoutes.GET("/accounts", s.listAcount)
+	authRoutes.PATCH("/accounts/:id", s.updateAccount)
+	authRoutes.DELETE("/accounts/:id", s.deleteAccount)
+
+	authRoutes.POST("/transfers", s.createTransfer)
 
 	s.router = router
 }
diff --git a/api/transfer.go b/api/transfer.go
index 8e5ee6b..14a193c 100644
--- a/api/transfer.go
+++ b/api/transfer.go
@@ -1,8 +1,10 @@
 package api
 
 import (
+	"errors"
 	"fmt"
 	"main/database/db"
+	"main/token"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
@@ -23,11 +25,20 @@ func (s *Server) createTransfer(ctx *gin.Context) {
 		return
 	}
 
-	if !s.validAccount(ctx, req.FromAccountID, req.Currency) {
+	fromAccount, valid := s.validAccount(ctx, req.FromAccountID, req.Currency)
+	if !valid {
 		return
 	}
 
-	if !s.validAccount(ctx, req.ToAccountID, req.Currency) {
+	authPayload := ctx.MustGet(authorizationPayloadKey).(*token.Payload)
+	if fromAccount.Owner != authPayload.Username {
+		err := errors.New("from account doesn't belong to the authenticated user")
+		ctx.JSON(http.StatusUnauthorized, errorResponse(err))
+		return
+	}
+
+	_, valid = s.validAccount(ctx, req.ToAccountID, req.Currency)
+	if !valid {
 		return
 	}
 
@@ -46,24 +57,24 @@ func (s *Server) createTransfer(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, result)
 }
 
-func (s *Server) validAccount(ctx *gin.Context, accountId int64, currency string) bool {
+func (s *Server) validAccount(ctx *gin.Context, accountId int64, currency string) (*db.Account, bool) {
 	account, err := s.store.GetAccount(ctx, accountId)
 	if err != nil {
 		if err == pgx.ErrNoRows {
 			ctx.JSON(http.StatusNotFound, errorResponse(err))
-			return false
+			return account, false
 		}
 
 		ctx.JSON(http.StatusInternalServerError, errorResponse(err))
-		return false
+		return account, false
 	}
 
 	if account.Currency != currency {
 		err := fmt.Errorf("account [%d] currency mismatch: %s vs %s", account.ID, account.Currency, currency)
 
 		ctx.JSON(http.StatusBadRequest, errorResponse(err))
-		return false
+		return account, false
 	}
 
-	return true
+	return account, true
 }
diff --git a/api/transfer_test.go b/api/transfer_test.go
index 536e307..4b9d060 100644
--- a/api/transfer_test.go
+++ b/api/transfer_test.go
@@ -18,9 +18,12 @@ import (
 func TestTransferAPI(t *testing.T) {
 	amount := int64(10)
 
-	account1 := randomAccount()
-	account2 := randomAccount()
-	account3 := randomAccount()
+	user1, _ := randomUser(t)
+	user2, _ := randomUser(t)
+	user3, _ := randomUser(t)
+	account1 := randomAccount(user1.Username)
+	account2 := randomAccount(user2.Username)
+	account3 := randomAccount(user3.Username)
 
 	account1.Currency = util.USD
 	account2.Currency = util.USD
diff --git a/database/db/account.sql.go b/database/db/account.sql.go
index a0adce0..3bde7a6 100644
--- a/database/db/account.sql.go
+++ b/database/db/account.sql.go
@@ -111,18 +111,20 @@ func (q *Queries) GetAccountForUpdate(ctx context.Context, id int64) (*Account,
 
 const listAccounts = `-- name: ListAccounts :many
 SELECT id, owner, balance, currency, created_at FROM accounts
+WHERE owner = $1
 ORDER BY id
-LIMIT $1
-OFFSET $2
+LIMIT $2
+OFFSET $3
 `
 
 type ListAccountsParams struct {
-	Limit  int32 `db:"limit" json:"limit"`
-	Offset int32 `db:"offset" json:"offset"`
+	Owner  string `db:"owner" json:"owner"`
+	Limit  int32  `db:"limit" json:"limit"`
+	Offset int32  `db:"offset" json:"offset"`
 }
 
 func (q *Queries) ListAccounts(ctx context.Context, arg *ListAccountsParams) ([]*Account, error) {
-	rows, err := q.db.Query(ctx, listAccounts, arg.Limit, arg.Offset)
+	rows, err := q.db.Query(ctx, listAccounts, arg.Owner, arg.Limit, arg.Offset)
 	if err != nil {
 		return nil, err
 	}
diff --git a/database/db/account_test.go b/database/db/account_test.go
index fa13c17..00329bc 100644
--- a/database/db/account_test.go
+++ b/database/db/account_test.go
@@ -83,20 +83,23 @@ func TestDeleteAccount(t *testing.T) {
 }
 
 func TestListAccounts(t *testing.T) {
+	var lastAccount Account
 	for i := 0; i < 10; i++ {
-		createRandomAccount(t)
+		lastAccount = createRandomAccount(t)
 	}
 
 	arg := ListAccountsParams{
+		Owner:  lastAccount.Owner,
 		Limit:  5,
-		Offset: 5,
+		Offset: 0,
 	}
 
 	accounts, err := testQueries.ListAccounts(context.Background(), &arg)
 	require.NoError(t, err)
-	require.Len(t, accounts, 5)
+	require.NotEmpty(t, accounts)
 
 	for _, account := range accounts {
 		require.NotEmpty(t, account)
+		require.Equal(t, lastAccount.Owner, account.Owner)
 	}
 }
diff --git a/database/query/account.sql b/database/query/account.sql
index 4d2831b..97520b2 100644
--- a/database/query/account.sql
+++ b/database/query/account.sql
@@ -17,9 +17,10 @@ FOR NO KEY UPDATE;
 
 -- name: ListAccounts :many
 SELECT * FROM accounts
+WHERE owner = $1
 ORDER BY id
-LIMIT $1
-OFFSET $2;
+LIMIT $2
+OFFSET $3;
 
 -- name: AddAccountBalance :one
 UPDATE accounts
diff --git a/diagram.png b/diagram.png
deleted file mode 100644
index 6af67d95bbd78a634d01255ce371105c3efda36b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 40417
zcmeFZhgVZy*DVZ)bb){rMFfHfN*9$*r~;yZNK>hTqEwL%LO_u&MO2g)5iCfT-g^@z
zg7i-4oe&@aLeAacd7t}z_x(NNj{66^W8fH^cuw}&`>Z|JTyw5Nq@lj{35L@Q6ciLE
zbagb1C@79W6cm)V=xD$v@Mzv?3JQJ-T}?G(U#rzL+KQ7}BW2dbq931Mk7d)+x<p5H
zJ)U1g$58cF<CVa$D}v9$ZibooyvpU?yeD{(+t655O^W}Pkg%H8>!=^kVQ-P^BlQjk
zOfnAs^S^$5*nGp4^hDpwYiGQFe5WSEF)mHfXZ;cfjFs{qKOr?jh2bs8iHUob@983f
z|ND;|6&rM#4$e>Y-+$s4sLzpbM4FW?O;zfD{9vr@{==u#TdBb<$n;4Y%k=*~4j5U7
z=*0BT8;DR%XOAbKaXh(Q?Ek!b%1Gp^|L`fS!voy6U(gFLzyE&U<e6X#r2jb~ekwnG
zRSW{{Rw!Zc&k2FaUZMHNG^sWD(eygRg}oC4bCLg8yNKYH`nLb@Dc!6*WhA6j-&m#e
zkH<j?izf_n|EK4qB+QRREy$WD3IF3+@RJ|XvHvjB|9MD9Px5~r($RMNpPh8H-9r9n
zCmo^R{}bGO45qV?_l~Nqoh_!Sx^MZNE<%-+${=>tZ70Ws&d9{;Uy%6p4Z!u-2|2HO
z<o)(q03a396<$HAJp+KK&_+?dA^G!vLn!!89U|AC-vghcRH?wH?7^SElff%K6C8MK
zw`GqW9WeorwEwom4eLMxeA`3DdA&S>xPPPfaZOcBeXwhpgb6hpKNyih%!C8vf{-&p
z;2=|0f1HziWDmv?*0|Xop-Lj>5hx&6^dvcB{5x@okiqk~XR%i{Je~rKNNtl1CK*gO
zD*_JA)VeR1k&n)4fQg)PRJcaHg#uG0P1;#zkU#%-&Qc}gw&cf@JUxyOYVwE_dL~*R
z1M+K=)5GGc+vP_`r@&a9hJU5u@er6Q4m!KSK>l3y-|3P8qzokGxHDMibE;rOO7rg*
z$!ITs9UN%8rB;cPk2+aJPGTqXv@8#H1}B~O!&hE6X4z?eoFcF4nE2rF=wP~&{NV1X
zYL=?(!4fnH8PZ{ps9Jo<<MK3@4Y9pG623>45&v-IrxrgYxFz}qBNOu0=(q(A<o##*
zT*yZ{VXAOUy>8ld@16@TxoV{v&h>%2WhN-(1D_kdgYSa2UMhO!U8f!8I2^rGyl>(h
z_Xo-6wm%{PEjaD|-sQ_ZOt`Z4d?GK`YH^4!XykEmQeJsaT-|gmPj6*pnm6&5Y2`Ed
z(d`}Y0RJ|4z<i$2x=+%!i_?Oq+e2Bzm9FzOwS9-q1C!cA8@r?JcMs9W)+cf6^$k`*
z$j@s8lJJU$vmn0s0?usI1zqDZ*G1}HuO*yQ{4{TCtJHTmV<%%VT6=e}{Ke08H*42}
z?sTNX2W5r17xq%iAfOb%JpFw1ywu16RmcN^;RFMD${-jbBcRjay!PcWiw|YE@`?}f
z<BI2gri{LG^EOA{iVKgS3>c0^p1J?_XOdUOj`iVzBHpJ3*?c;DWJd5{RI;A<FmWOG
z$Dw+=D{~}KI&pp^m|1(|n*guNVbbJCwE+5A`}xwmWr4X>gE({{*W^8zIdP-Zp<}2J
z>lENN?BH#b5@wn)w&6V6{MUK?Cwi^MN_=gbJ+@3pK(IB-Fa_nj*T#IYxPCmy%I98*
zYxK<z<s-{xh`x8Bq*zK-Eo#k%8yM@%BkJ{k25Kn%IXFqMsCN5nhUrY<v9-{gwmXT<
zqNC$nI}DL)C%hXi6Qhi4YoH?Uhl5{s(Mby<8U+#}Th+q(JT|X1toCGF(`>p_4try>
z?+u@={f>%0FNZ6Oq>qFWuOZGxof)!qNE_;tSn+XQw7_XBq&lpf9xObNSaK=ow&Y+w
za0}4%;_-OQw}3@T8M9=z#37(h2?A8`O$clcClNC1`#-m5NLC9Xdj5obMkMYRyEn3d
zbTE`2uxdM=e~4J=%ZfeR_@lqO`b)@rg-{;NTIc6$w$k&x&Jy>>IKXbYT`LGb^4p<`
zj*^KEBCQK6%AI_UINbGUf*tQ^B288=;LFff0UY!PlY3nS1M5G+Ek*-J`D|rV-D?=9
z>+!Al%qZltZ9Mlxrk@Cd4PvxxM!T8>O_cZ~1%2rOH_b{WkhVt<x@Yilss*{CN0PZ?
z3?rjToa$UWciQ&X#^aRdzAd1n{5gM*l9~;?U336w^q228JP6Dk$)Huh#w|eIxB$%^
zqP6m(9M2hsYJ31m<La@|(yrBMQT?L%ot%+7$bbpX@TPTTG(_ukbvQ!Nx+GfP)n#GV
z*%o>)H+mL1qv0UZV6(a6Rvi_A9DptQwhG>Ag^C2w&>{HuX3uH0O8W~(WkHr?;RHnj
z)yh?*-614b$G=`JVML7qfEA~$Q_n>P$uTmwJir^8fms=<gUwNWESGI-*MQV@s#_8H
z*Y0ng_uLChow|iRVSCcs`qZVGMYo{BfjXu+V)<j^aT;hx-pOJ`Dq!|!(C%N!426u=
z-Q5WfgPbQ*l)K^51$Xi9cE%K_c*<SN%ejz_ys`OnaK_Ch_Nd7muVV*Y@|I)C6b7L!
z$a2n|+y^hdgQ(ii(4s-@O{$g6grnA8`Xmi=Wf($vlO&sVUX#C{PrsqplCl{3TAF78
zy**L4SIHK8mREvmPYs|XVm&ioot$l=1i@p%g6Czp39vSkB?P9N60StJId&hp@v><K
zF}~$C<KRnz{nhTze`Ln|$nBN7Jh56G5;rgHk*J1D4#a0M8y?OY<*GJ2e@;^(h!ua^
z>Pv^_W^U8{6{fELDe%DM?*OlBDMVjPD*l0B+_RLeu<Ot<M4Y@(*!B6u8$}z0BI&(C
zh%!{-aZ_afqxPc*$ll{tbmGf+{cq4<+Jt~-_tSi2m&Uc=QB+{NX($uLMF2+(2mhk~
zA?hHfS=0I48599i5F<krD|k}s!trkDP@U{6AJ{eW>F_Dx&53bA3(fl(oRN@vEw0KH
zoFzp*o#yCt@Fk0as)LeLFTv^{7rOtj-FSJsWXgJa%*isFjvC}jzBg}{LGdyx3R1?i
z+Ttn+5XXKbNKZ8#smua~I1Z9{{Zx1`MTBZ2NTHGh0e%X&AuILlUeZE6KTQ<~CQbgU
z<b=xn&k?OL^-|ZW^2w*1C*Rcn^%U^<G^c(R-CkW2LOs5GgbFYajHkhlqk0MQp*02}
z+O|hVRH4App-J@veS`Gki=z8k`Vp!btnmx=hU+Eyx4}@H<hwaRz8kQJl2}xkyHy<k
zRl~2Dt4mAKtD_spi@Qo`$$e$T`pyqo^wS+SBq1f2K%-_bP&Jt2;5TwI@C0MORH5=b
zgd1{$5E3H&z1oXbD9W}R*f3X|3lk<|`j<5&M{{b;kM`gMy*2}Fkb7rUz(V%chX<?|
zg}*x8+oNzL+wQ^cWV_aL(oXh=&y&(Ss?=NL+OP%rYuX~Gx6ym&<4o?I@rz}+LF=`=
zxPf6_be)r85OKJBZMaE7q0&nPx$A|;H|H1^8k9R1r)WqnX|0qEJ#OcFkc4-0I9RVW
zt2j&~;puZcpPb_HF+o(XCp;ebp>~A~im%Sf{yuGt=qvSU_t+S@ouNa?(DovPH|~c9
zi$X)G^21(>l*&bReD#D2&&cN4-{jone1J!c*1ScH?m+l2hx?=XO8!b-7vS+^_VQsm
zw-`Jad&v-WPAF2-@e7XGTdwNec;GF`QQ~jrfWQgIgT<NO(|*<p=$taGkMV$%=n=Jf
zHzIbqNOCRAjPx4^!oQ2Q9v~f>tFDw@zzxbxuSX(VcDstrh8iE>%V*-U?N+Y36_b$9
zMn?GV{JoYw(fFO$|KlNUu98eE*7_@R)Zq}TFiH2=)R~;C&R#SxVzmb);3Qg4rQT~N
z)*mqrI{)b0C@9IWj4euj%lxAe8Q5JGbWmHnSMITz!iyMcE)Xxg$nkR|=wQ{QJQi6U
zpKfWHLzfi;xYtj^?*brf&IlQHU=a7<R}2uON7eHsGpjup7}qAa7G@W9jLNn6t3lc#
z&ng4JQP=t&%Bp)5u{HfTzZ;N%dubQv^2UW&hKI*f<cm};oFlsVJBPu(U%_n%t_C0O
z77cJArj$0Js(E9@D*exJTj=JBsW%3ioIJGudN_CL;Qpvjz6<*OlphJjE#Gi@P~lg1
z#e?U0!-P^Vg)e2}-s_Q9y|<nPIFHco4)6*(n=RHOZyx?3^QAf>v}TW=`7#ly>dgko
zZuh|_E3mWeV^uSvAWgw5NkRKBqZwRIM=>aW`$Z~ST3OrG>443M51f&_^kxqOHr3sN
zft|IF@iP&7qqq$*506?zdjBvpbLrCC5M)r>)$kGF*Cigs%`Q+NzD&!he8@$>0bTWb
zvci!}&C*j!TLxT-ZQUE=7iS;cee8pPg8Dp^0PFg7LL^O>`Uj{IK+yMP3>O^2ybn*c
zYadz;I+4)&%K1g?kdHD#@mw3ibH}Rw!Fv;?mpkRPvuX!>N!HOE(1yg}FNsRGrxk}f
zScFjDfNe$@yessM-rD?EhsuuUIW%RmM(p0CtrTU#a?PK12itcl50~H3*~^Bgvq1<V
zA#rVgt$ejkU^xvCjW+t#^2wmGL92j=#F`}q+sTx+(YCzNnX9NrS@X#!tVf&8c27iZ
z{@yhaVN2Y*H$1uKbm;m_p``9_{miv6Z~92WD0*exNb_r``oT(guS!xVsZPw^Sng|p
z$I8H`{MuT=ZM?(J=U1*Ol+ZLpiZ2f{Zb+2(XFTeOHh4U9MkiNzr>me|9t#DE@Rr{A
z#*(8l={VycR<@xI#d<TxFkOTjE*_yxrphs^2@d#SV|@9z^*iMLgCX1ox+m@=1aWN<
zW$FD$2jkl%UBh2}(~)q7eBY^^_ZTR0MLiu#4j=Ak(Wlp@HT)2d+_2-kbhg^~1rJ)O
zky*(G(JX@9+2vz6{4lT+t=dG*pi6{^IP|X5qZ8~$`rsz}5E43cVL8v~XY@P@DIuGn
z^IJzrHuQ{Epa!$xyc5X#SH(znT4805=D*u4M%w*|e9ye<qPYp!1#6394Fy^ESl&-c
z?RA&X;`{i4G(qPB7Q~%`m9yoO-fK^9QD}-1NqmyS&rNvJ2$N1|!^>(N87--Adv_z2
zrO^q(<z`6&RJs6ylL&DNzPrN#1}VNXHX0|Dl<g7%&)&`BGf<i)*2D`c?_6fPK-!S2
z5BGAt+x}4U-bPb#VcQR1K3fReg5YCQ5$RG73p1O~EveNQAkg$PyUUZR)g>V(gN;S2
zeMNP?P{xCjvLCdoPQq3=$<f{MI9&vjf+01-TYv%?6MmNEpuE!t3CTbCp?%gvK=7;l
z%nltna#u+QVd_}C^n6S%ZEKa`1hKH9<Bv@BRj=r)e8vxt*kZYj%tGWz=nAu9ht>Yy
z_-`-Xyy?r%=%8qUx(!PnS9hJgXe2oxe;K3o@y`*Cv_GRU*V*`SJMP3CL#Lq)bxC|d
z-C=jS?@VUAw2eDIc2Z<Jq~fu;LyqO1jl*>9V!GLC{4pe#4)Jd`iTCvA6niqaB!u!N
z-4{hbKd-%1kuVQ}+-(c~Fdv&6{}kdZNHFa1|MjzwOcx@-${M78h$R<$fD(w2*dzN=
zpENJIlDu%Yi=Dfp&>CUErmhQLbg<SI_9BAe#6Ts2GySU<-ypvBjq@aFiC+~S6*8<A
z*ajypnlT4!XOC$p0wULUyam4Y<&>w^&g@-r^tu9%mjgLC5^B+Ybu^eL$Q^!OieA#-
zCUjXv?6D}FtohmcblAv)?9@@)$S1@cniAPE2BwRoI~5xhnT}N*`c3<haPvx%D9<yT
zM|C99b;i1TiS6#0!jPNyHj92+mp1-<*{if-l4q0IRy)1^^fES18a^QZn)|eZCiPa-
z5!P6pcw`v^_B;mcD0YW0f`AupMXL%#Lz?g_clb9){+M=$^BSKoX_zo`{Twu4#c+|7
zGLUnB@MUblQyqD(&Q1lRa>PMw9^EMlcr)pg?Lm0i(>nf>mVas=)EaItQkE%~m~2;P
zc=qzBXHyk{Qs7#@UAkcXwY>am)NFuM1MWfi)&m2R_R|8vRN(qm;u_#5^yH;aZ1}7J
z?uV?M091@+wj`@3{3hT|Z)+K?fh0S75fBNBT90KAi>mM=Okh7H`CSw!CE?%*xA|rH
zHTVKHP>-NkB}{<aaa6#A5?;ZxAC&MR#(?7+aC8#Zh?~tU`Mn!K_-evi6Adtm9k^a5
z?5;2ypgCIL(Xc_E<%ph+;2LMZnD`DQZoHRjG%c`lSx67a=k*@4tu{$k39S14Ub@+T
zclGhwNU7+qY5u+PZY$sE<G2>&+lwY+?nG-X>K`Eu1ni6pDsZ=mba<e>*1bAh?DF@^
z&4E%UGsVq@V=^NT(wnuSIqyVsisyQ-jku$K7gs*$;#}#;41X(Wt>PMZQHMy|lyw~}
znLN<r0p)8CFRYRT9M}llXAeDm6}EPahAHBrH$W%qzZLE?&K>arreF1W59U+cRuc_W
zip;D7`|~R>3|f?LJSkQPZ&)LQNnDav&eqScFL?u2i@X~sX|rZi)p&*rZC{ArEBh6z
zu>4JxMkW$j42X64t9#|NTDkt<29B$fZ=hZ^tV-gDRfbq_LG{F~=s^6qkM|!n+Sb}m
z1Vk)8++QhhUpbx~>`svYL*t;?M1#9CZLjj~6hF)#t|#pjbO%HZqI7~2^%X93EE#K4
z_g?2uCm5`B-X8O<YJuVa$FN2omYU?<z0#_zALzjbWjlQ5)Z*tm;!X?AasyXDG`tB`
z&5wpQ>Y<6c{bkV{@Z}Z^K&;T_3+x-nw{+sN^h{u19xZbz=CXd)Gf-f?(Mv%XChp;8
zqL3}5#h%ROz!W9FAGlri<H0(or0;8v1?4=a%SxfZp#I>iyjDhjz7=(u48)fT#wqn4
zrm$W324<>vui{BYfJD&2TKN<F-7@FL92br0AXl_9-ZKNAcenJ%)489+AepWNwPT6-
zcS{`yYWzHW>V)*(al>drSCEA1@O=Hrx<Hry?<VUDeNID#88XR!E}J*lBUO!qli1=V
zum*k18_D}SD_;-1-&6!fLTrM@$KdfvN70UZYP0eQMEG-nT5;VMjfeqIzDdqIlU(y2
z6~fdp!R3!~=z6ZL4K8S6Sm%Q8MlIfX@lQsh+dIc7)nqz;lF!=6T<C#7_!$h7wPvSO
z9SgV$jzOg&nQSBQvAl{^RZauB?w=}j6VLCq@wg4uLx*mP`-_>DDfh}<OPP5UD$?zU
z>NU4n4ECcqL}MJHykwNHaRN4R%DYdNuI5Tl9geX>C7trj%G-txI`^tPvu&vt$E(X_
zq;!a)tB9L%k;xn(ssDlj+zWFqa&>(PL@~A%@qAGdxfjiTdeFk-)mkln;;PrOaR69m
zyC`HRblX6A?&)Es_$t0bFiy_kOA@o;kLqukTA<2M!XlTmzXIyI=D-)YozPXR-7sT<
zXI!q`9qEcBEcfRq-a=#iiD!YpfO0t2828Ps?^}Y5h~ZV&u}3lv-JTPq-L=tb)GaQJ
z#*b<*#`ZQh+3)<V^l)&n_^25Lb%>_PIK;}Rp79xTH_g0uA`)Wd_ao`;DlI;Ob(kID
z#GXQ#mnGO6l=SwA1Ze3i%K2b-?V1SUI9d>)XQCEEEgpnMq<2)WS9L}D_ELz166?2n
z^=`Eynou*?WPeOL3I=~wp7{2!sLA(}9uIat1{y2FbT}wm5TAmk8bb0r!FCv$?@r_4
z+z!H8mpR`l4>;Z?rM^wy<!~hk5U&25h4g7Z+`N1y#c{Q6^$^YKP28i;*7ZRW{uJ2B
zlE=3dF%g1I{qR<VAHJ{oQK83zK39mwGG)&(rI}7&(vm3pp)Lbagxf$TgJ1nyNmL8+
zal)YAzbHM|djkG^->|Y+zal`w8*KbFWhMAD{MPP=4neW^nu+aQ&<7nZvr7rM4L{Nn
zdpdG|2Vl;~J-1p86QZEXdt$&nir4T4G#zT5g^^;v_2&7F@@^rj9y&nLH0A7)QV-_3
zk`xON6OfMDtFOFq)n?|+pS)HEY~7R*+F5q0{ATG6A$inTqMc^uO{A?Q1sb>U5+6_x
zIG-kOp*O`Xnzy26-eJK8h{F<145Gsn**ZtGljBbd!NacUkzT1iUr1AVSfxXBNUrD>
zrm6%Le|<wseR;d5E0e(vxdvyaW`%A%)5|Fg=0tW(YS{;5)TtdL(qrSy1#Y0k_n8sI
zCks7xjnZ2&nR7(JH>?^&HA1lr#m+gxiwTqduFK#tq0d%7jK{?-@L@-41AOon*P@W5
zSKRZ%Q->k8F;9Y?u1iO`Ga;IFrsjyZlf)(b9`am%Wb@$X8+Z5z+<p59jtRa!9N2J`
zyefA~9!)bbDA{S!y=}o+8)5m@f)eI~6P{ldfWt4{0SQX?-U3_57;qCn8dc0RQ3mq9
z4r55~Nhov;PNeUD@I3WK=Nm$MbSK;ag(Oun4!ez(<=uQQCGdsdARt5CI{!OmjW84E
zGYx&_wM}5M=Dp1g=AZj6?ooT<I{j0(2Lbg2?Wvg^Xtfv})i8bP;mY+ExtVmGv+0yE
zHe#FY)igc&#+3EK7AS}39K=0#W1`@9E-~{dr8VCH*ub{%Xba*=#kH8QH#bgGxFXjr
zNB7rQUP}9Vy#@Otgnmq^CVK6ZKNpwdu;8}sh=~rDBpN9&?gDB}YC*%h7`_6ye4Xzx
z7`t`0OXa_N0XjL)57IFxy~AFI-#ct|%Bh%~feF=5iiRFuCnSY_i~W6`iq36|Snahk
z5BK(c*SRNr^W*KW`lh9h{m#p-AL~HyuzwDQN%gGE$T3lHpU`#d(Cm38$^OQR8P=gp
z^-_f^fq<@+&N&N&imdmlk0X&vB;PdvgC8)WQR5b0T99oLI>KxrM*OO05sxWn=V$!d
z3D@dW;7Mz{*JWOb+&QDxg8bp)apo3V)_LEAlR}S0JBrvKHIeLCx|3%C<?|yky7jF@
z0b3)ARYV*cH;6K6m=Rx0`Z+3uMO{yJ%rT_rzmFvyXdK+3eQ`xxie~n{ZaE>GK3g@*
z)V@g$jzvXh8U}KPY#-GC29U_#Qy>HUNLGCufmGjtL93MMo!}(h5rrhWS>})%5m0}Q
zS@m|-4QEOb5G8g7${b+llIsWbtnc4S^0o2gYnu*-@pZ1_Ri}i&)wjkJKG4lFfvb^5
zLPKf%?AiK&HOXxE-GX%h-v{v47-qS&8(_m6(7ky_5MDsAC)yy~BcW9u<Z=R?{W0>D
zZa$$mYVhYs#kR)TEb#ciqm(71a1py*^rJiqP_|uGkrUXsO=xG(dVG2CgBVaxvhqA4
zRo7WNLJ1Dh>Yvgt70sbqkn1tZJI2(PbdT81vag*{5J<2Uf#s5Qg!|>PZuWk&3EE==
zS3ripWub;9HOM^tB~?~^KZKw2`0`)@s;utk?B9Hk)^nS4N!BAgZZ)<b+ZKcLwr(2d
zl6&4D-8o>bG-+qKUv%c213G<8eYV<r&5`!3ugw^)*jhH@^WgzL?p_kZXCacj>}cqN
z9{@jImjT?W)Zk~wpu|<BpFO<a3f5%oRKRjJo&D>7Rq@y|r$LE;{iUyI1is6U4Eq$+
z0LCN7tGuq-cd!cY!lW6wBuW6g8rqz0mXV+El7K~!Y0rY6??ReSD#2|q-?Ht3gjLN@
z9Rb6rxI1LG7JQ63A|NOd8j3hanqlTMVGVhH4#=1B<(6FHRL4Ov2FT!&8p3r<PIx&Q
zN3;VK@Fe7FX5s#loz%Bbk**vtvNhM0=dsWY=wMpb!N+4-{2U--TG#q}t^CQ*xR@-~
zf0eA`>3LBs&%)zhP&1eizbf=5-a`|awOMc~-kuk%>z*;k(s{{S)1Q>p{)yKySkFEZ
z>KqQjcwC<xxW%1S9_d%BsNec2TIMo(wOn2H>}At@aebl(Q#u3_yjF3Q&M#o6-z;r$
zVMcX&0~GVg)I<!5)pzSs*IQACynE$k8qD%7UgBGJjaR*5rg;^;PcH523a8nVDaU8M
zq!FLVKp^Q=7j!w1(QK`9Aw7Q$5awYrIVm5MsYGd?^~-X4;V{?Ehb%G8yE{Bq>0vp0
z6Tdz_j*fh@1bB3cChY2U9;N6TV?$=ufG19~`h!Ky)J=zapY?jW!aA&|US1^KKD89t
z9RBUrNJ~+3y;-jL^t|7*Ok+)c9=iXUc_d``eMLVKQpND8J*P!+`6Zse8KYd4Bz|u`
z7EHJvKM~OVNXm2Z&v>^6vlocD9kq@yS=$hNBRgc%a1ginP?<3|GjM;~eVRmyJB|q$
zDS52lCzGM}4SBdTIPm2rPdTYITC#4D$w8af>x~Qr|DSth&Py%(Z!X+!svia1T!v;-
z@u{kELR@1oLWxiOZpqM1qT6KMxNn(xW^kDwr!KAB+?(5<PG7`~Tg?&M1+yl}@~dKq
zItQe-?i8<MF!Djp{gaHN9rf4Ev?iNFAaqn$eu7gx|6`iw$*$9<_IjQ4ChO2XUn?Di
zH;~8Ye!kspVK<Nqx#T<~<@0N($ZidXM#NnpApqUPV}uJ3Pd~ya8`?uBm+TB*w_CM;
zc^)iG!hTGAt^Ps5>pO0$xMRXLoYz#7SYTB<GLJ@Wg!;XpIT4de1eAEly`6V~v()~R
zhOMoh(t%aF3YyxAm5D}4&o@K*q%k11Rh~<1oO@>mOCJB-{H*0q5-j)-afXTNYr6k;
z8L@Nw(x94a6*1xg*`@Nv$M{y{MYwV$e$X0Od$@;2dN&6bLeh3^6@^H*Bw;Q8`7QR>
zh(L$f7M%V`nSB}uM%a5|%4?l0hmOeA0qN#S4Nu|Zu*I97w4<Z9?Yle15+b@;5X3+4
z!vR4Y%#(cEtz(dHK;Clk1ntEdz~NkrWDL$I<HtNCw&ju+5Xqaun#tj>bb|4d$jQ=7
zsY0UPhxx6yz8F4(0I>bWJ{LBrOh9C|S-W`1cg#E21|J0~gvuu*5R#RV%oEI}GYc=#
z?G$R=?ZI>uDq>bC3Au7%cFGBpV3)virnI9VKy>;*h;zhVY=}^uZf?}G#2|Jb&1&2%
z2?YQfOh=%%k$Y8EeCy(c2P=+H5EkW}B|NFxt5AE{ph9}G`CGTF2PjpiBZ7@DncRcN
zi%`z%gyPM<88&|QzI62i*GE0>0yRNpr@?%ef_hSw-i*=_`ImcTt{Amv?VgaHPH5k3
z2nhG%@BY%UXZ2lBS%}23YrTrYK-^P#&$c>+(~b`^PLs==6EL=$M7u-YD~`rPRhkh9
zmrcV2+AxQ|#ni(4f4<kzWhH|^QHJRsq%ZIp9G^Z+cs?RItIIAo|K85xWUv{5j&%Ux
z(0yiM+QCVW$wrBmn~H82ALSq(J2#Do&bUKOjFNJCSK2CmJm@0x&AEZIpd><EdV}Lb
zB{)W?3b4g5KnN!#A@-$CUx8T^n@jYa`Cwm7J-hN$^)p>n^B8(x%w+UC;$mi;#r`>}
zvktG2b!HY>4zEsMY4XrYReN-fiQ$bedB(y&-uRuzsa~%l&sK<ZEE?(7A0*b~yHXTC
zz4Nt&4YFEHDi``V$^DTlk<Ol-(ts$4f$h%{kh{YU5=L{N_?-}6KwXh!ouYHM+9ne}
zWCSaLTqra?KQ3Wn1Ec}>B?^!T_8PCpJZU#<*eF^yO0s(qfsFOrn@h6f$(3%vhQ{0i
zIUw$0Bt(cY)}Urc2yTIpEyzy^>DW-jH8-Q_8cP&|yYo_VaWn-c-EX2H<d|i<c};3*
zicY)zi7%RP<qt1@r^upTF5i}-D-@SmgDIcBqa>UNTmx*2!17y9ZU5^)!KdYfjP1QV
zazP1u;4)P8vR(Qe0bjNmUCwLcUCY*&qJC})coW;8qMi;#+)wW(!RAjw?ZH~ahux`5
z>b1n<Xqv~zvM4uG3m-70`zalUhTnR`*L-RkbuwrYRKgCPba0Y9ts?zYS|gn{^$9-q
zpz~Nh<o0!9yF=D#xM2jK43Hp+{nfU;RfO&626n+ALLf;0<e9UkS^=Dx+i%kbSN%wl
z9kZ3~A<q*S$c2NZpmODP&cJJ%GUb9zFOghaOG}Z+dE^P6t1%Zze_=}(j_j_lug4^<
z_N}l?l#dlNPIHDZvGEtcrhmf&#pc65YHr$THoU$;ttP=CPDs-8(F-K=YFeN*0VNN7
zf8_c(=i!tEtecS%?26ReMT7Q7CMiM!!4<;4NFQG?Kb41kN$vxMrI&hAL4{_KB@BBn
zrzRg($?rt#D-Veg$YI5bMaAkEkcrf5B}D~OYKC_dws^5K+P>V94yJxW)-g$kk;3Wk
zJuE=O&-%M;vhQ}`JU<rV!y4$G>-{T9+Ea`^@LS6waAwQHbm%EtlzZMsc$<#lIUk;1
zMX_D(O?<l##0pE<`48+{%#Czy?-qaML`82i!T<LnybjlS1#CfB!;h}}5)nb_r~RhQ
z3arLY%et<XjdYa)7U<-2<B&Y{D`YQA$hPzTpHSJ`HaZu-l|7N5zr~w!lX^?M_cj><
zQ_>}OKy$^%H$ag|V)IQi1&tOjM}NdJKn7lFF*H{?t`ol|*Nw0PBR$?NA)TzJRYJzg
z41j%JzX6J{7P@|Ni^FT`p)Y;)*9>3(Zc&Q)W97z^hZ%WCFu3AZ3W_xY{z>@Jj`M)B
z`#8vg&wC(6N5a074f=ERg-#56Kb9_vEw_${VL{cZq`qGZzEXwNhATu}A|O;nu9|_K
zBB$azxH2LbG%3}$y#W9J7#497T1{5}rgHE7J|hBOX7xa{9~HEJf#_Cn)=RFNZ&?y+
zeb>iy0W3tvwWA7uSWco}7>vn8wvhOp)2>rL4W&>|*1bRc<AL7T45(LMmOqbn7BeCm
z0FjU^Mky|&dPGI|2C3LIQ1}oIHtO9x=6@9lXoQ`VrZD{KGFs+JX<7hQj<B0eo{SO@
zEI~!5-Fznr4z$ewug}Yks`%mWA7LkW?tZ@h_PS?=*eo94o;gH1%q(NSNxThXsY9;x
z>0smBF$*Z9L~lL-1(;}Wv1YR=ZM5pdzgYihV;&>u6sEfd^i~Dot$2`&9J}6$djtT%
z(qedjd&$n1jW1wTS`k3+7$3u^rSz~0NNVHtNfMThfIE6kbSbV^H2dS%T>#O3l9Mdx
zs1NwL;`Sd6OH1|lKt$9k2cCPth6}HPXCbHf-HJ(aQXKepOYmOFql9VY*1vurA<$MA
zeHWtAWg`H@bq2hGEIJNZ1*|>zHw9!J0|eRgQvg|WdnbOc3gtFd(ZeZbZlfHq>uL91
zS~+mvb7iD7=Qj#5dDUgao|f-f;mU~sJDifAP%^;{RBXRf<^M(^(b0StNPe-tSN+Z=
z%et*6165|@L=wT^>E?>mzxtqo@~+Zy)Cr9R@vAL-*>B7KNGvV+tM9=W26K#Qu;p7B
zE_N6N1#?=2Hr+Vjpk#Jmz1hT=X5&Bi)+{xFLI4TmDaDN?faL4c?4Rh0Jljq=RInp}
zs5?;MZnrX2l*xY6t}Uj>wmIw$V1sD{Aj;IHJ^gvXwr7J&AG@9xBuUlD=DSupnEGv3
z3Cit2%QVUf;nSsKLKt6g(>w>FPNm6?JWb}QYdK`1uwaL2iM;B&IrYsl@;r%t{Og}?
zP)am6P4MlaSyl$}R;UqP9k?V==^1#}tjNJcP9BBt%S!`ZX#h{8$#bRk=n^lNgINKs
z^2y5-x4PkOg%vReriKG#zloXr#>{IWz0`JgY4ytumOkTiF*GLMjomTz;KqUWtvtwl
z?ZsDA(1=7m@oCa%41rJC-*brPdc<X`-x8Kpa#-sxH%<XPDygl2&i;*R7Qwps;VYM+
z!bSzJ<&*2Q0XFO$!68#g)<H#pqK*3zq^U}r2D|(9Oo=ntuYpV_xR1d>Z^&=7^iS*=
zn57_jOZ0?m3bTit0aXt;c+qTX2{e5jA%M)|k1?(F*fyTE<(z^tAiBO3oqDVNCXw;g
zxAqyrz&*D+hx<EeYQdY&nv!ALWKEHMyRX^Cu;{+lAallFZsz=&t?T!yz4Mewgqi7+
z6b522`aeLu5hj7k|FO$RiSC@Z**!RG5_uLizD0R}y^2#Ua)c^hxM=l=^xY(<X&SP6
zkJN2JBuHiTG4U$&X;EtWlVDKpz5%ZhwG{QE#(HRs_vK+bFXlTC&Ot2;lqZC3z<>3q
z1gq}2y?RTp;JYkhH4$*Wdx?GpNZwceERjg~`caU*^RB%*J-rXwafq`J(A073KC@fa
z{!5>`M?0lKP3f_>mu{#=1l(bG+NARkgHnRrXWE845(G1M>9GcjmnTd(U>)ZuYY4Lw
z0k#lbK$|O&B{RKW?6rbwf^0N&vrm#`PU6K#!h$BC7`RY1iDbgpZU7|fF~@4!BX0b0
z1hD<#nW?7)tV0Nd((&`82lU;a+iwSQg!}^CB?twFr#RRG9kcrW@LeW>r;W$C<Ziu4
zf`EGKAy3MpHQZd>7%FOhsU+(%(s!6EhedC+$MUXhWp;l4GEUa*d9|y-0Dd%{@5bq+
zNU)w0r!POLw<oDyrm*9g;d%gW*i}@uO`LHXHvY5)rp>K*+-6Ad`OALNsdmklLgs7s
zk#BJuT${eT(jpe#!w=S<C=pM(xloYwqbL$CuU;evO@YH*AX+GpB@Co8xllMxey3rd
zf?s{=x9nsIhp4Gsfna4jSfuG+5uO9bZKPF9mA~5X+Y}+xNwuCKfW1?;sym{dZAHpl
zdUD2znm_9tiIF%h*4pLZ!oZ20IsEh8M3jp%n4+DcEuTYdt9|4ocOL7w@4}sN)V?Mq
zt9--8MdNQaT}hI%a9Zxk(1k?!%v*riFv?6ybc$Jo+|)w)0?O;ENFR=28setdBp$@I
zPE8@K#j-%&Kqgqy^@gM$*R<71HmqW-erw}<>!_~|5pqM@{~^zzvbtou<?ukZ=dN}-
z<k@R73Xe|#B+3I<mpurNXQ76-BEJ`88@ATZ2V|esbu^&fdJ(Jy9_ya;YcCG49AszN
z;B*=@XaN=xpzO8ptvm}$P|!TnBDy!f2P|iw_MHHj$c=viiTsvVKe)yg9GzwYzkJpT
z7N^3J67ME1tNZ34%VRMk0DG<kg6s{Ce|04P6uVn|Hvp%e0$UiRHl*+tq+nyJ*>7Ke
z6dus5uu+QxsZ2K;y#1moainjd=dd|-(W>3-4J)mfJ4+&fF4Lb}zlcRK?>mw$rz8Mk
z3%%n;)<92t4SKZzEUXUoxPuWc@HZ@@)$nNs+n%{kcwL<GI=ruI5XmImRaC01xXa!a
zjrGKK&w4FdfU~p7J<)g59dCl~R6H`B9Tqx_3p78f(iN`VR$!!3w7PHti!QS<$uTXx
z;U+JL<#W5dh=&`#2h(E2)vbKj;!mU=3X<t(rkj7F#(8BY|A-hR+NrFduYgRYab|n5
zM{wofJM(${sa7uQlI}Fc>e}q$&%jkcBcQRhTWegctJa5W<&$Cf{D)|#AU;3dGxuu!
zci>6y@-WEOC=QT8Gh-%cfc7RhNUy~&OlN<ch$FfF`KUJX;ZZ46A~-;=$uB_lYp%>~
zGX0OVnkbHR5eNn!m&tT1gywpgnL4-2cvb&$U-oThGX!x{;~oIy6Wmh#j>?gcbNyeT
z6>B9d1Q7Ht*lIIjKhbH5gXCZZ(imf3hJngni{oHEZ>eh*p&ke@X~7$l^~eg9PozWq
zBum^VJ^Oh%!Txvwji{2&q9jZ2I|I>3BVGc<K<*tG)_P;p*8~Hho25cjdm8+=F-X8T
zPDwwzPFz3_^}U^?rS!g{yVLX~=#pBhavwQmp`(SD$-r?yJ<~6qUs!nhQzn3Qkg44l
z*sCMJHjMiPe5?DpY?c<&$72`LI`7wP0UdD^umBs&Do^@zr1n=l3nQ*TBI?h(H^@t-
zN8xmo%YL8FVNgLo_`It;HtGGEDa>+A^J2n@&AJ%GL`46F)<-FNdvzk{@W8kE3;U90
z0v)dVbAi^i>xS*os*WHszP@w#k+%l>(U28nH*6n}7&61Q$1P@A)kiLQ&UdZW2N1FC
zU}1k-NZ!eK1|*#_`%bo`YNKo;Au<iTPfE3$|MkHx!gHBDxwkd|U-*?&)PA=3%gvO#
zKtF0a=~^*O!z2GRi(L?ioT<3fUSUm!J#jMU8SvPb0?fqc%v#x_o=*|{TXty(WL=(R
z^#IL@)3ZS}j{O%?E<K1^k^K~ha6XY$2r)6W8Oa^Tprk=Yye^x6hpB+<r8KU{GCPl!
z{odRZG?nI-zQ!FbjC%Itce?T@{RZ$EM}cg%s=oDj11L{VW_WsnwtKXzYjaNF6unoU
z*cCt9+p2!``%yZwh6I|qf1Kb`8Ka+lgn@u6bQw+&aUa_R>A^{UvYXD>To0GkS81`G
zOMtLixSrmK=@kJsx|-#}$&gjy_zPIHA}cNR#*pVb&G`U1gLJ?7Q_U1sAS3f!bv9S1
z{!%7LS4h*nQc&;8W#yYOlodhYA?cR>?$dd_u^U+gZ9DAQM-w%E31zjFyojvW1=cMy
z%tD%i*Ttu)N>HO~LJLwll~u@!xwGvR&ss+K*&jWb+SQSYk{49ij?prEdMUZHuPgu<
z_G#yT$ZD}NSWqsU?%O0$wFt*=@MBPRQd0aMSvP0e<H}d^tGiE8u|lCmEjZ!<uqM~i
zLF-~MT4nU*oy4n~Q!iK)j)6A>3u#3L9R=3?<j(>Ny}P5>7kl3>74@Wve%*+Ofl3Fh
zJlceebh$;jtM_-;R$_5TV^%082guNOL32P1J(pct(xq%lI-i&mYRXW0@ItG8M%p6`
zUr+s$X?45asn2w8G>HMXn0&twRBbmKY(mt;IHI=_R<2cuw!vyhOHyLgr{ey%(GYSY
z61tgkRbJ5PPf3yeI`uWDiApub$r7?)M8k4+b-%6Vx)66roXUPjto;1@`=WN{&|p33
z0bpZ(eg14vqq(q=XgYx<dA_rDxW=zIMV975>t{dUWofG5^y=BeJqQa=`x<RJl+g8G
z5+_xscJzSX#(OD|z|z*)Up4pc-YO6ieV)$)?&bB))^uez$sE!C>DNag)QD&V{`3{c
z3e<5J6hX?jtPYE--<wZa!$eDZTcPb+pc+41s)*uDj7*bD9gx-Z7s2ZyQc_R9UBuK`
zR(p3BtEok>nLH)Cymbfb_cVzzD%h<6+f8<1{mV6L=8pwi5pCaqk?~Tu=5Tk^wZ=|P
z$CN1JE_ggRjtUv~YY#t==L?jn<_lEWtk8s(l;5mIYu53MZV%L>%M@YM+;%z*su3LN
z3l*26f%n-vSgFMyKo6kS?#cNLu6FG|o&JW7&qSZtZ`M5s;wX^{ZyMrR(q;00mNC#Q
z9hPa+5&>(4PX%1B(#|bKf>ss8^Y>q+2csX@GlI30d3ig$q{COpD%s&O7H!ePj<-5U
zz@RGGJvuWq!o#XTYsrRd3#k?a?<!r9u-S)BMN=E<ZlNR#j3$M^9%#vPNq8$%#HoEC
z|J4_`9=RYLX*KQp+4f4PD@G6;+zUY^6dLes)TMmbZy{}=Me`B{)p}@t?4tonW%_FA
zl=T+NZHY6H1mVC|hz&{FTS&V_FZg;AXP`jGcS4=;;fBDXG!1_!SVL3WdfVtp_5pIO
zCM-^x)-|U5grdJAhDFoH#8KS3!lJaPYQ#u#ml%mOp`(AW)l^D*XQ3e{Zn{M=41evh
z-@)Oa5EjK~@O@u|>Vt5+F4ka#J>B~}NyyTnRqv*T@21a0DL3bHf6@p16qBurDX0|`
z*Gm2}Z3r<I_f9-N&X^kVq2s#d#mQ?-RR^oZakwyl+$H!FA=bv1-zZVu76{0xlpjti
zFr5Y3j^|_#2F|F13Luwa+HY{hD(V{(wd27NZ=e3$kb|l>>Q+Ke>z|SAEvZmJCtvB(
z!Dbp*`2l1bf41{2Gxn*={oIV3@1Ky!b><_r{XO7!D(FiIZ?R~rmo%NhOo#J%;~p}&
z=qF$9<Yn~erREa93-I-%%I>dbU*`8H>B06!jk{9n$!wQ@v#)9N!D9v6ls%-k>72Nv
zzdVj}2=-{v!^NB@xz7^P<hI3)h&W<KJ8?xxmne)dKS#1FY*vq4V0SuiTYnN*r=&eu
zWIK+pGS560C0JPag#Gl|TXLCoM{UoSpVZlUegoBXY`47r@b}A|0C^~sArZC4QBM$l
z7S7@Wx@B|Kf-ANP-gnc6m(ci;5|Q72?CDtT)@arq=i7_NQLO<-EJcifpn3M@!$~aG
z=5=%X2NoqE&^y9M1NxtZNRQ)4*i_q{otnc0$v{c1;Bm3nmTM?oQ~T-Www71A=g=AL
z@CoJlJHKc$`0`MoSz|pN6s|9I`4cgG*aoHWlN2p{ZNZwmOY_WowM5Ma*q~h=Hnz?^
zhxHefV=0*e{<>bxn=yscf%?de>J62o)2hZiaMa@En1xq7vfk>aw0~_Np#Uz9pZ+(V
z<q+n7w6SkY0NGwHV@>=ak4qLzx~<aYxxfbxwyj_CcAwv|wRTpbLD4F!y<>Dsn*ZeB
z0zmH_pKc}GjRmHU))vR0`O~_O=K}aZuK*Xst@Y@|$=lRI7VnSYYE8P4%M;3DT=SAy
z7Oy#fDV>;M4a@4#L1TKAdgz0&XgS5L4#Dx%ct3WWBoiVlvMqW$26%w3fIxK@qb)8c
z1C4gO0Cx_HBAO=<;u@J5&qXH->|PLy!2?%)l#jGYi@!go(bxqx3=2%1p5<9C%Fa*A
zJS||oQo{3nh<*TsLqP1zqYDCCHJeH$N-=7!5LvuFt1mXt%7N@g1kN9i@p@02ge=ad
zyhaxZ&GLPBR(UNQ5sX-`m>IJVOGW15tyJo)iFOYjIOAT&iA6>rl?3`0UNrktCJ2o@
zM+Q-%XI~~MNs`PlC|&+{cIVG`Mj`99Q7k8s?|r2+W<MBs-cQb(0X5LQjhKBQs?U1-
ze=(?>R*K)U&wXSU9585~PZf_S>TkW<J2@HlXp(b;CApgKCUGXu!SZ~;l++zy9VQs-
z)_n9;)kWC{waUIN{ZQj{FvABuGPCqD@jbBUU66V<b%*7y4v&`aOsTj;>6^>6EhY6W
zD;}&^^oWAy2miV3ujx<Qm{UzUBan4_xst8V2htN#y^g&X2Ayua9N3k{#D!xC>l{pX
z$EqDu8OJ04-3!qF{kT3Z<|L#fDt3BZ*<(@gllBw+^P;3B6f*5ANS(s*$TVS~klXQ_
zf=(T7dqM?&DEA-pUxiQDK83Y%3N%okW?Ti0OBQ!2Fdtsx?jNT9oqF4{+}0j@wG*|w
zg(7VF1tj4Vn?BQPG!s}`aB+qLuPLIX`QC!gC(YU)9sMLfcRQEn%?2;qJLf&MF^IkJ
ziz#ulpMTS)u!!5G>ats%P?9`ZPiRkUh<+C*gX9i3U-si<gF)td*=Smnbl7yGH7LkR
zxD*bjPGPsCGxN57(lWew>A=6)4LkSs4Luxl_QhE=TcV*R0=bn3DxFc@{+$R_N4hs*
z1iXKD4V{5<n8mzwD~DuWltSw%`kKvoe$P*l$hr$b;S32+eESXswti8%*I7JiJg!eX
z@VSktA-iFEv_k&f2W@PA3zMI&{y@(5$e4v5n>^oC7P+iRY`-opl$GvQX}#FvTBAY>
zgA&fr?Kphpn?D8~PpYjZy9H1kruEFak@2^Z&3Wf7e<5{vus;<yYG&ZqE0Ah`l|b^K
zp+@@C(n!zi$1J^$Ktc)z-0zjNW4V-PwC)C6pz7?#+k|vqoP}epJAAAMC4dyQNd;P&
zKFGkauUq6ovC&f3pwqBy3hoP}+dW_EUx6LHKl^AtB?)m_FA_42lL8gxp4!LDt;kQ*
zhdp;Ri;H4!+IyPnHj@NjD&0SZu0!&u!ZkZz3Nu{h!0=@%T}bmaRqhF6#ca%ufcdrV
zy^xFYB(|)`+>dvYQrz>M%dcL4n$2X@jXW3rItmF_j<~eror9_QC2nq}lMZR3LWe+S
zh1mV2N%b=heA9cHDC(Q!z;mm?hUszaT>svJSo2#^l0I)2iF8X7o_8XZJcwmcm`o%9
zO~q_E?Cx&)n~rw=gM#z^EHKwBCQZ%(&Z!6aa4IYvKT-D>RuZFqj$-eF829_1O@0yS
zy4nI_;vLKTzGlzGW|Lw;$I{J6=mz`Xo+iI6-Rx@uK7vhpO3NA6c<nMzM)w;)pL>*`
zgil-sL{KrUgsNa7MRX+>pa{WO9gyjp)?yXc3vXp!t2{{;b0*8-M+!3rVd{7R^TCfV
z`|~s0qG%f{;pCu0-40pK{ggt7Fty}U^v;!0p@u<n$A_fpGUl~pHF?$&<e}|I`3ni(
zpCxY2v-JpIQB^+2F?{RXPg$!q<5_P#KPG%>p}yiWTC)XNa~W+e50P?q%XXuMNZESZ
z4nLff+-u0K0?X-_OV3gHsRzeNi=HVqXJV&wJN{sI>t?CW`Mzj+0|kae)$@k`KLx*z
zy+aGTQ7>$DnPO5BPN_pLqT7wkA}m<Qnd$6l5^yf((8FDm1}_&T*{_EF{fks8C-TLe
z$JAH!8MT~sVl@m8=o~rbs~x=}GwH3q8TqXF31;oJs+BK*A1v_Hgtw-){~E;Yzt_y)
zMc>tM7XO{BVj&nt5t<Edb>dPCt<h`jFFW(bQ|ikR<x?Ji{yjaQ*%a|#QVy3FK;WB*
zdx~~{5lPXxGq(~K5JQApLr5uoAaBFtuTkCLH(EQC>}G`dU0{PA*Hk(J1?r<YRSmS+
z_hp~ALl^sGdXCZPsU<OBa8c`+4e`W9(u>Voys!>!st-5FQI<V_0m~Qjt>xce*$yNJ
z9ASRBSChYso}V}){?zQX9>1_k$3W&DoTO|T8G4u$>UOF9M<NB|#x+h(BV1XM{+IDy
zC7KzI$E*o2U*_rFGwjqSfBU(g>;-`e*Z*8L=*}xdzC8SD$MpRsa3Ic*Tc$N+^(;9;
zlmz2l-MBNx)ZiIlSZAB1r<(i}AveDGvCV1zWP%JH*fMMT-}oc`foz7}mM8VS1L6%c
zuo~im{&vg(g8Ht@>1K&$7xHGwiGHpSWA;tA+sVsii7t|N&x-Bk%~tM5BM|Q_9xFXc
z*!$75WhX>Rtd&vF2RaPjkq)ykQ!#J_yre^Z-y1khA=96}%ijQfGQww4r1t!GmN^36
zuIhC!4~rRdW*OG&rzzaZxpt2-B`@E+@OOO&M~)2(w^T!EW0PyH_it0PAVIa+bf7p8
zSe}N1Mq|y7hCo2lBXa#TAM}a}rfVTLci$r>7A)mGOzWU{y?}t-{ho4xDgpv&qU|J}
z&Yjw)#`5N7RpRaL?^{>~fqcoD&F4EClZZmX*Fe+ibs((}-h<FcLd9Dmftm?vrT&(O
zux&AbBEjQTj&!pn9!tkNV1B}2=ypyhl%sf#V^rn!?ZIjvxAOKYFV~WXe3Du1sr5l;
z#Ms7#1Pl_GGG(BgG-Gl10+oxRdo!mYsCGO@uOC^sml7TS6j;}9UYrB+?}yQ5f6(OY
zy5kz_0y<k2B}X}WSe_m#crH$rT{41&n1cpC-zMxxV!+SqgqTy3&nEazHJIDq_@Tq0
z{u(Lc4V#T=1x-ojpap7d1KWbL$h}kC=Dj|)G~)F4%d2~jfUk0=?D5|(g&7~U<IZZC
zX2i|!k-e6iX$t*ooog<B92ZDfLNUSz+(aIz!q#7t<6>u<{LVdiPtqD=jg9~T5<>1+
z7AMI%57`J_i;*h(-9)$fO9nke=1k>xB}Cr{KD%i0eRdaCw^4VH%Jq74UI&ZzR`0W$
zE&@Ibk0{e$2@JGey-_w3hnUcpo2GU+<BN$DPIV{?JlM@Y4A`h0q+veuXlG^6CtZJ+
z?OLcZuwmMQ`anC8XIL<xlS75J&AE<%L8yH4+G~wOGTi~Hk-Hr?C7Oic&Xb}hv_hZ;
z8QTrW^=sU9=l)2Cb5P9gs4Wl%?PBBxBi_L69#<wbaG2JLUL{0HM~66VPBq@D=D0}|
zT$H|QW6Z7K`N(|epqaEM@QJSx@r>{Ue}f!qD@)*wV(^w|Y;f8BUv}W{9ld^Q7mX}S
zTLzs<6-^o}%CkzV5y>6TZ7F(Ug-b!diqa0~sD5wh)o)^pCHDq}o1N3%ocgdfT3+z`
zgG{^MZDq>Yw8Yd$EfBen-O5-!2O9=o1-(kAfiWB=rdeeM<fZu-9pE~N!by>)^5A`k
zSAASRN8ReznDpq@b+881zd*Zl%-R<bpocx}q2y+M%>nrmVK^e6oodzs3b*OObmAnO
z4fyc^gB-gBK4iQ0GSwEb3s)cvUYPjU05&TK<|~eUPpFzjfo$TF9;luy>pHer^F@=Q
zfweI<<Ku&_cUmoobi-wsysCiMKCqjLati83A|W8!{Q)VsYE$0a(*-y+5>aF|-gAwe
zv?^J$1Gu!JWUd+OorsF{@oFwY#K2rTJec6{EB+Jat<QvCyVhscI~Y7s(xT#z-z0Vy
z2VJ=RMXuRwZ)?tn9pYvk${ZKXF)Q%4OL6!L#J>nmgY85b)}=i>oI3s4maZbUh21iX
z0)aC+z8J?z{EGu!==@aBk(gYtpmsF3_@otU6GfCezb4%SW}~5HmW;opPJ>UpLKXbF
zLHSuS>RSEVPf=N5r|-5wWxaM3QYn#a5u|yKJa!ehvW22w!?!@qEC^?E1#gTsh@w!B
zdJ=>b@V6POaKHL=wu3+ElLCB-j(;8KqE0uHFVnND8MAk)cay1omOpspmI@S07k!C$
z;-0fD?ICAg$&M*-WOG6#;U9$$!#tB7VJ25tc6{T&+iD9E9k_yUD*!O3|7CNW0@DFD
zM>@24i~<`+3k)TwmhtViP1X@4=qIT@vq-jcfxR?GP3zY+JLa=8;3A7fJnlUwypO$M
z#Ci|((cj|78iY0gotN+GCH{`hCiqkvaBeht<e@PQIJJn_jc;(!#m&Et?XdfEpGv2M
z;noFBAnOs?ht&xxE4RS!z!;NM(i7Vb=TiC6@^cR#uz_7ICbb^tvY2AlUc61bB~O+U
zqw@vsUjw~n$XZI!8u01J0vIeNzoR|{k{;M3>KXLS!bEQOKJY*{uRiwOPLi}<Z@GFu
z6=FByUD|U9DFuGjgr7m=kE6~ZIm9*UP;>Wmr2n;U1kJI1RsAbDhwOgA-1jrCd}1(P
z<2!bI!mRA+ZGejy)JsCddE12RZR}3Q#=r?T0e^AeR7%Y4mTE5EmSj$`)uaf*SIcyE
zCi<A$F*Zt!R^SyjC9|voUqx2KxZ^S~BJgdF%Ul4y4Vo5BUkQ=y7_Y3NM1<GV{;L(M
zW%TEj$;Xcy>z~y(SE+z3TLI=Y12;Mj6A_`(Oo(qcFs9Fz3>~v`hMx!)2{HDMCA&3h
zT;B<1L&)#iuR;3+kw5+?-baEB^eDGhe^DX#D3kxP%yswg(y$IcD&Iq0+C_kmLwacR
z=1&x`mZwb)Z@Xu3bLc$yUv#~BJXG!fKaNzkvhO=tiY!TXgKQ<HB9ss+N`>s}*!MM+
zii}VwSt8lVTFF+*l6A-)##jbp=J%Sq@B4k<pU3z27mtTA=bY<Y=el06=XOq6sNl!L
ztXs5eLzUva?NsUY*}dkk1V(sp#*jQ%&3FC~MeG~sbWw{sGOfxDwCeq5W+z3Gm8dzu
z9Yo$-Shs6MEq{a_r5Yq2dl0d%utH?DPM+8C(=PYim;Dqvpl@s6$mGq5KT?A>w*pPF
zzcv}pai86S8BD|)W+5ewSs6ZUEY^k|gWVhg#PGEFI^6BMkALfCWs+>yt*P&3QrO7q
zXq*08x5so)d1#9_fc_W}??DM)Ax0Lx>IAD^{%a34BFwaCU69ZdvZW>C+P8Vr5?PK<
zUBDpt*S@`glaYbtw)=U_^Lp6e4;lTgA_hxyCgG6hwSrsGUoH;#$=E>u{wM6=gEwr_
zTR~Btfg;KL)UfkC{*qY2F6CTC=B5B&ZI7Lg0Y1tH+sa8+(t3@D?7!amRyP*4QFcA)
zCP)7&os?Z!)Z2I7>wu-s{g1`z7suMJnU`&PzI2Z(yDnEC3Rm(kwv9$Bcx%6Vl?U6X
zEi97<`pU_ra#qN_Uk@~asBtFq2;Qc<QrD=kEhJbpZ^GK2RHM2EJH~6B2s&Wn>$EJ^
zK1!f1LC=@-J%Nn`5`}kU<^yyZ{6$ImWJcq5V=(2CBdhosIZct1kqn2wh_~ASPs&1S
z9cBl4=SlMi<d7VII?KXza`Y3vbXi#KKIbnr5u&1HzG9JT=D%BaaD3O%h9{T2k?rS}
zxM&@9A=IUA-JBO>ede2{Po)Ck{15`36{Q%lOaFhw3<<=T)fGr}Y)c6z0x0HESQv*v
znjvt<0!Ww<ImhEEGYCzIZ;(zPnoNsj{0gkBCDcNgAji|6z;2dH?O98c`%p`@6`^r}
zW$u&)Sw{6p)PL^F^AqmVXOu2p7h5Hl1y2;6r{@tMJuxr4Zk%&4G-hS8K5%D<Y`6o)
zJW>cT5zbl&gI%Qgu&BT^ZwRD=!$I%CK~kX^xE-!hs5Ih{YVG^;0mx!hEJ$CGh__(N
z7z8ZVo-9R<VU-v<XTX0AH{GeAljZ#F<u%y2+*M?NCd(zu1Kysh0(Hn&;yL4A3tF$Q
z#Zo|2P^$PJCT5US1x(DH3jwiX%8fb!K6vhqAMaee<5tftgFMh{GJ}cmHxtuT>GYe4
zX=3Tt*s;T9qsS&Mpv`6YUI7*J9W>S=X}p~{VB%1lwPf7^Hx&Q?@q2VBm=26bkc<fJ
zf~NqZ<1UD#VG{vX0Hsa}ps(FBskSsC<i*|U^?Hn}CvGp?St_`vLH)?z7gv63?gE)!
z>1_w%gmW%i>D^>hpPc}giucrC^a@ZNYIO#N_m}9*6%jYZR^_$s`=}h^Rk~9iCE)i#
zKS|(M#le#Vm!a~HT^gI0C8BM7f3jPZTnQoXhB6tqVTU{6wP;D^xPAdJd*Uy#&G7QY
zkPN2l^R^zndR<&hpqjiXr+MY9R=fu6&oWa_m~I!%ftjcR0n=y8E!BhlhG=l*%uk=i
z(stG6UQBCTf?HQ*EE}n~ZsQ4Whv$5s8zu;zny$uHH)0YU21O)neJ^z|cy<1HEN{{o
zYM;Zbp%Jd_15ACmWm+FFS7mYrfkAe5MkSkM1KwB^;Tdqee`!ZQ+{YVGFfq5i6MHI_
zvL&#OHlCSFjIJO60A#Pv^6hN?ABSI|b{A~DU_Ui@ErCTp6&3$Op6rhNAM)g2-$Zj1
z=f#<ih_sw8GBNff@7)sX?g}qWZO|#g{;HGLfqYS}y7X@NZroD<=uLWrh}>5*otkio
zl#QgjwYV;|Uxj5|ch{A@po9hO@7on_=0!p#nN1;MI|_VfnKabnqvau~>yCYhg&yG@
zh-!|Q7tR`vKX;Ty`^^`08UEZPBncu$eYfiJDYB6(6$;ugaG>&iOQucc>VY<qxr+X1
z{RV@kNdp;)O1I{3;$)Q+6YyS3t2_iohf?O>qthNzdcBiJDFyj<KwKxm>69*%6N*%0
z`t_m#ykBo8(+odjFl#A@NI{X=k<5gh2)9Gut2J0i+?5wkWrX_jxYt=aE9^DKT_r|z
zDZ@53xgqj5MY7y7aR?|9@4fD)vbF0(u!5UjErqZFFsSKlf4rbCH1X76oGB7%ay&Gq
z$6x2g;ab9qnLXdiCj=48=vaW6sQF73B*QX&;`(Q<nFF9enz(}z>=^8jZQwh&gIamN
z|5x=w5&b)3<qdf15>}kZIBT$u8jBl}I))@h1R~1{%otD8Mr4V3XC7lTd7^KMo6`8j
zQx@)LI!u(;WsbnG2O)XrRJH(I9TG9V4wWa!_tPI?&>MAZA>bs@q9?X;_eG<`-T%`2
zFkL;6X2!fj+*uxZ7ZTIpctz&ak7zm~0czbY?PevJ*(Q74x7bb$Z!|OEzNv}ZuDwmW
zcXGKBpRAAO76-e9VPG?}ZaLrb#qTFpM83+MaV-J?eWmX;&;>4LxOcgAGHYx?dsMx}
zC*0+ubE-qCh!H61V_$H18ULTX27+&4=2RU&H>7LUEAD=}3wh*-iPUe}qdMBmhxu(3
ztI(y19TK>re*kg05M-R5`~2>$$H%T+jvdR^i(}icy+@f5>A?LpUU=FO1bR<-e}Mad
z#=kr4g>QCX^z}C7wz6Q+$Z|&pA9V*B_e}aOX4y`KC;0Z1u$=aWF4J6m`}=0!-9HS7
z({Bdk6EGlglJ@A(JOMX!K7M8|3F_1lXyPneSd9H^$C*!|w!fkm8BzF?%HEGT4{u4^
zbTyD#jcgAQQw7%|0uIUg+hmV!Go9Jz6Y?gAn)M*)kQsN@=Dv=!hs7`o`nZUFGsG?j
za;aAou#n0PNROiB&#e`2Ebl&5RhMG(ssnXXYmzItv$hUoIdg^#P#^obwdohkH2&kg
zpIksH=IC+WLHC9<bUp4hCdq<@cBg?v+<6U(S-WloW*3;qviD*8YtW^44p8kq>3cQk
zO@l3$B9r0g9XZ{eeI`6ZLi`6^q};W)7hXr4yu?@VOgHpc!&;C)F{5@1!X#IrTm38d
z>Kvzu1kw8K%?pl}Ggkb+35!CM9&aHkf@{iub-*D>g*iWiwCGpk>Vj>Vym~c6EmM)<
z3|Eebs79O-?$BG%1#`b5cc<yB_T%=%2yFE6UZ1W^OU&4Ei=7M)2=Fs-fA|WYR5D+I
z?aaQODS?8vaD&`rg=EI#4Rq~p=#`XQZ_H3}zctYm;RPzL%6uwK^{F#BIqcm)vY+Xl
zVl;kcqS>c$o6<(vd-bG_!L$N2npDKf$wYV7qj!niX}?Jc*7c_Sp=kkEPXR|e_)Jrf
z?>l|8bT0=1NADx96@Jy;I#G;R$3`hGLN2Vf2n-8Dx<b~}$Bq)K4vvllh%$Bhq&&tu
z+}b$Lmt!rZ!^-?#zHcU-<CP}vl@Rb%3I?K2aq$XWG=hmU%r1E(N9<70^kc`2mA1)G
zMQ3tRBDK2_s=1OvFLuRj1Vf`y(~rSdWm7o_Zjn#ivI9J-+}Q5TCx&L<%U0tR3waxr
zY@qsZ`mnfMC6Rk0TdG!Pigpw2F`0EE6PBM354FSgMa%%l0IKwG6LZ2>1fbfzaO;HN
zCxjLz0nxy<h_76^B9~SA2>a&x-k_#e_n1lHK6OBD--+XG(a_l^RmK@)oJ+}ZNwYqn
zB~ckeqx1n}{W2lRw=~(J6&W}Jm@eoF-J_7bt+^dg$USL!p0?lqiyjumu%a*LHom7@
zP)DJ311Akhb==E+j$azf!v4n~G&)bbUgWv`z(VsZmo$NyGDG46mE0L71@6^LPee_@
z+LT-D9;daz0+zew-o`lOfLy4iO{J!QXNEvPTCBgz4(I+j1C8^9$&&YbmKh5ii5o!O
ztK=CM>Ii6zUMLD%rW5Xmlw=6vAsfA(;dE8;^eImRqIN|R#@ZK70-EZb67ix=Cm&I>
zwsI7yPe_eyyuAL!NcO<Hf((*R&MS|g?%KF5#sUc&V5Yq<o6$K4IX!WNl^}Q=$^70h
zvh0ghMpfnBOt7ty2^@)dvrJJyS8t0F509!MfirMAX|;RfE$NHz5l?gG5B5}+E+5}5
z_dE;pKXt6P39nZqVrBN?4alj?DvYgINP01#Irj@M&|v<+NcH?MkyUv1Hp0kIA(1`)
zQ}~X-ivx#PHjtA3-I*HApogRvnOy1fk8nDBcjnaIXmhzs!(KmbcS+6D%IGqnB>FSW
zkV81#`2Kw<nS}V|*T7!w(MepEphx)sp$=$mx)57KYwc2E>?GYAB{+8Hv%crpKhwKv
zeZ-+ZNSdImTM&`r72X?kqn=H;kAtAA;66+o^O-!5c4Yp6Sqy3j_ube2Ade9N=#koD
zON&n1(9fIsvSd9QQR1v4AhM#3^p7%7B#|IX_rcM7d-s@LRAywY^kDnK5LzgHv>T;5
z`-+U*UKUA~!i;sZxd`h+A_tSIuBjhAjkpN$qGXb*lZ!S&eG_bH#jM*jV%aRU87L8j
z9QJM3c7E>x5SLwE6SFair&|mU!%M6lWITME<@v{VNz1I5#~IEQiPK{l>1$`Rg<}`?
zjLmT?TvzT*m<apTGhokCDyU0v=yAl})HQdz!SS0WXl1-;$>eY>(=uBg44?})3<&Pa
za{Gk6VswO$?A>p2wF~8TBNNgYd~Rg6`Vuw#M!yG@wjkD{iD$eLBw|pv*VC+#Fa1QR
zF6sm`Zj*ty+}KkznH;M}1{syVO<>RTJhFVAlf2AvXs`ai`aCjGfc?oEQ8J#c_maDp
zqIM^2nvmLoR90K3UElP2X_ul|j||xV@rM2ihXs>Z_*aMEMy~fHtiA|wtLTfs+#asl
zi-&#z`R~;!+-JC+dvG(vnj-poV+Z#u#>)zU*JmWo<MWf`sYUhwOCI>$NO`qeX3}FM
zTQ}u(e4Iy~TIh%v`LZ3)$hWP0cE|wsU_0jj!5*|*?Qe-oes*y3$8Yi=B@M^}F0-z`
zk$xZ#!q3<3@(EUFy)uA$9XtK<#&6s}E>whY{-RIu1Xil+)dIp+CJsgN99J>8Dij$8
z55Qf}DkmFJAA3xmWu~2=ZR0u@L%Nb-W&|yB5+HRm*v@ayW3(Q!8al4ArU`iHWXNL1
zYDR!LkT|A0aPzUAyC{8Jmao-Gi7z%M`dTTFmrh<Su&${v0^-2-H*s+3&^LXP<u2gC
za_jFBAK=gp$nqkxAsCWlNm`H0PQkASsK5L=(7Z>WWe28lWcn*{Js>Qu9_wTkWxa7c
zcYp31xhT=r$h8b1Ju<TYK^aI7Fh79J1>LS>ktR-c(M0H9903O-k8knc96?zCMZQ0D
z(A<ACpS_fMsbru*5DvarBLNoV`zI*FkEgbL2pmkE<Me;lUtlUR|E$-%@%m4niqcit
zyRAnCASK21c8N0ID{IqsmqXFRtm)OTkPpj4F0V*(F<>)dM4acXg=zo_r~uDkq&fXf
z7ovGTKT+)9IdRJgR9i=SFO)r+qnE9{0v2ILX(B*cH~j(lZf*xWfMZ_7tigMERBzrj
z9wqAw$sHq_{L=8%j(@)Tmf^x(_-Yoo0>P(TJ7<vTCpv$fG%gYli9VXoqz7N)Ze{Nq
z5%^|sU&jyoSdBtvja%F?Tz2Unp!KY7Kmy=?G+xgtny-S-en)b3{Wrufnq6{$o!;aq
z=n-#Ev<A)(mgNB?`(an}66vM+>zj~rFD()+Zv13QJ%6Oe8|mSc9~8oJMf)9ez18aH
zIqun~E44}YQjnb&apt8KC#)*5IFMyjmv-T=@+lPMA<;`41DPN@1Wo+MU)o5p(;B2)
zn9cDerbD-#$*R6<;{@bf`(!t9SltwwT+iDbIMNtpdeL4I-C9b|HL#&D{WhPczb~W*
z>9S!W^jaQw7G)C#xRqVAaB@pziMST<&Rhq;CvX*x<7OozGAigZPC0W*V=g!KvcKz$
zqmMGk5u-F7@&2s^n5F*uNZ#QV^hA--n;ThehG**oe94Ob1ZZ>sTUPbHRZdLVuK}HB
z&GZxJ44P&qH?m3!v?e<vt2wE>M^#^*rK#N*a)yW&T*(Z&?hQcwi)}|j`QCSbS|+=6
z|2Qy8yW~NmX9jr!cO$77Y{T|5CdPtL-k=AkUgB8GDGwdN4F*QU43DZuzJlwi-{cam
zV1X^<>Tfzr0tko<0Hrcv6q15O0X+F$!nD~BJ~(DQvVk360{)jFve_bBZPe@&MD_gq
zgX(9VZOXwqdCh$RvO*UzYFa!Tfa~-E6sktGblZT9s&@~-#%`DxVkUHrzQ-<kaz7S<
zbLlU<=m3IBSN)^KwS?6UnIpmZTq5V>3@0YqX?lvR)hv!)#3q#(d=?DCPjqE5L5X<i
zk&62ZHOAe0WEE~7?insxtLP7$_pS6*5E*ie2D9Ok&|vHgR01W=#dTiq_I8IxlgPm&
zCZORG!H~#$%M?+ANK~W*3EM6x`-V|PC&rLMXN{Sp==|NIcaP2cIDlzqR6^Kap>hv1
zg$91V=r{;P@MH_?VcH`i$uuE`*ao1yKmhHTqLIyA%=M&}ZwJ(F5zVAJITDBpYDr|I
zg{(i7JC5fhOkQFl>DH7Os5LY*Wo3{^!`C8UEgQOEK}{D0Gb|(q)wE#-kDG2Ik^;L-
z2J`0t%#UC^zw(APblFxteiBZHf9CBn05O%^wc9?kbs4DeT_8nbqe)SMK?B^ZwK|!I
z>{b`1l}&mqa^QF-^b<&3twN$(AdnDwtY;uSC(Al$>!%*IRkE`MKQk0rOLgzY1)DOD
zKLVStK}0jb{?q-#cb?K^CXv<O(GTG=Oj<q>%MEs*lJu0TIG42f2rOH7l3E%v?O-i*
zf|Y{)3}L|`i!%h~%pr&!%}I)}u<>oB=?8IOYo}!kV{hH9!DH$24w2SA6A?1CkIy=-
zE;8?c4yfys+mwE)L1!Qyx=d?F!vm1=<glJJ`7!LeqQ{p#>hE(?WT|49uDsV|umz_D
zP28z$N}8GC%T;f7xUE)85AJi|EcOT4`7h8BxE6>5wv!)cZ#QAoc8q?vbT#O=*+Qw>
z?oe|ys7p92o0+%oe;A?g;kYQO^=j9MAaU$FdGKR?gSx^A-jM1MtwnYq^+xTr-?KbJ
z*4>nA!6Ldy-f!(AnWliOQ*%qm5?<qamYR<@P%n)h0%bCWV^+$dC<Ff39h2_^$^}v-
zk4pk22mPT%h|^*bEAho$e-|ydy#I@SG)3c{?wcfXKWa6VgiV@=HB5sgsA`sTe)9Ru
z;Dk4%Gr2k=!Gpnt08oh>!bR&XaURlS#xJg#Z{>+ZN>evDerTdFc$R5l$lN%qx70uy
z&>5Le@@82+@>lvFdGYFJ{hN}&xloK#ijAR@QA@?KG*_iy+M?%!H~_NGb^IH$|LsZ;
z6uoEx|CD?jcBtImYd=GD50@D7ObiiAW(yY!RWGbiM+dz(dRo-f6h?MijBcc3=YM`$
z79+a<G$}xfBwzeZ9Y5xGQ%#3){7#0ntF7*NMA7&Y!9Z6Cp0e*``dB;!&O(9miv`Uf
z(m;F7zvf_zGwiJb!n<Tb=>G<0!Gl3NK6e&o8VfZ1V*Fck#J77fp6CCc|De^yf`<T&
z;fH4mGVvJfQPUS^gu07cP+bQFJ;_kK9!yqK>hqo8ue_@GJ0qk}AZtE@oHyVh<JG$1
zQP{>0CdYqL2w))oB0?yCbMOnN$eFTwRJWc!=xVb0@gD^UT<xY>;R4telkrMF9P;3(
z2->fCNF@%2dDwxvY~y6IR%reL;pYLrl4S^cP;!x}<44Ulz&sueNo(`&x4_2`r*$7M
ztNOynBH6YOxK|;nAQ)F3a*FTVA*L@GZA;<>Cb-=0T;F}`v-@ACnQ%NGtRSm^Nu(Jf
z%+tclRd>zn1GaMgQt7bW^8@XC?q|-=^lM)qLy_wIpMg8>aQx&q3){Ewyz}}?JH9N0
z2sn@nrWSnt<(2uDgW_q=mS`&pJcPFm_}s#u0&hLx#k39vsCw{XH16JN3a7oZyaDNO
zoGP5Z0eU@fMcb}<feiY%`h|<sbdhl1-Vfij&ZoIg7vk~4_f3~+1RXn-by`b<I@#!<
zDpe}z2?YK<j@!_WkbzmC9Xs{oxl+11J}*>Q6kWbyc{~X+-Bvs?Pc^5KPf{IKPNP${
zJZ}q2$OyIDk)eZM+5k+vEf}y8;yL$4%y8ZHsUeosjUs;a1tC=CZ`eNMAJ`tG-<pu1
z@sAT7B|PeBT}F;o1&H2)xn=O=ABa9DQ*M&HctQA@3!L5?P}^PtV2vE%Q3inFARtQ&
z$OUkaWY9cTa>=X%tg}dF;v?YdWq{3BZ!pisamso<lc7n66uUv%bdVto0@FX!ly)&=
zk&KcdWQ$(I9x(`(w)hKQn9~S@usg*b*dc+oeE6-a@!B)!;_oot3L@XjA*Hc^N$Klw
z&q^UrOwrvXR9%@hg_oW~+SQ_IssNzSL^AU3L~eRFANqfOlqIt{4iPLR-(OqtZr%kL
z`_5-Rh@Sc5gxsVNuCr_2x9QTR3u%5&g(*vGLAReauU!Y`Kvhb0=kL-#AbiUQ>G(xU
zxgTQZnqSSCrn#Nj0^lWqQ(kzT>xg7|nM3<Q*zw-dA1F3|{RB#kmxh5|MuN&p{sp)w
zuS)&IYoA$L&o=}GrmK11!5_rc<RobhX{ZrdI&nz`=-r_xM!}_*`m7|dLEL4g=)<0e
zM{*Kz_8<Ho9yy)bh3e@5vGGo|$8pz;fWn09aCe{j;9)GH0VU@`wK4y+&*#^>5oqA<
zD?fA}B8H9Jh}h+9o&y}yRb&ZH*ZXY{0c#*J#6*I$sQKt1I(u5Tz@@60>X7(+14~AJ
z)#K7OG_;Q0Bfvz~ykGPkf~g$@K2VDRT#``yHxB!yzx@*$(qtxu%>DycV_t~gjC$_Q
z57~ie922VuJZ5(#hNrd|H+pnmMc`+CPHhr^S!a;uO3F6~Y*D&FNwWyn=_>iK_f9~H
zRFK0tXuX4wK5A__;4e^qW~|YKse&>RusJn}N@h=x%#;I07gZBo;>cSU#;7^4O9ac%
zJCMv*u2FX(5won3f()$j#%=18F^2o*MTxNS@D-t&XeE?S?z1N*D2<jlBx!tq8>Iz?
zwkI>_d<q5!sG?=>bs!CLVo*Apwn1ChyahBVU^hQZ5g?>2aFRn0gCKG}#3ywdD(Yr2
zkz21eYuOtwo$g$I?sxG#uw|&8KC_IBbR`!r_d22Hm22Ig9@?{iCUq=^RV6LwV4@t~
z>(Odt-^7f~k^Fwy7?O~;A%MxbEms0&pG7SKaP5xiuw^1iONU(9q#JdweF@Ec#t!oy
zLYLZdIfNbc`u^PAo6`s<ejOCK4|d#g@v=on)$3^r6}pr~ho{IrEA<5tdZGsIvqD$L
zaJC*jw2IxQOWy)!7O#`(M!~4j?vwqXO#-?G2ID@_fCh*5M46XiO&uPcPZUk^yFr0M
z>nlQODb*y^+k(29N6sDK90}>A!;<6gs%NR`GK1O#^pD10W@}NDHEp9?pNp~`E;FZQ
zmW<B<-rXz4?0r^am8g+4Y}xi8i0BHA6h3rp2A!tqX_)?J5;I=^_xf^Yc>Ugs*y*+l
zFVn=tg7L+crS{6%$KTXt6%+(XoUhevH6oGK_E+WG0q&eacL=ZcDu1^AEx2#5;Vnf$
z&KSc9;5$4=H{tR<-tk0}U;?T#zO)bs!rLkN>`L9A<gUYG;;iq`X2+d4>|=(dvJG7S
zwltOky21*kARj+KmRU8ulQU4O+jD!EDYz6$Fv8n3l+eI$?f;;5EE?Z#KNn%kJfGyc
z(Xhzn!j)tx<VwI}mq?itAB{M*36sAhzEC?*i13RB&kQE55pW`4eTrcHSgsdN`D`;B
zDLg&5f5F)2CyZbP8G1Zm9<QW>kJ*={sZZbC*ecJJ&9tm5327r-g|iC#LY>4O;`3zM
z?LDV2#)%UPnte|(HyUb{Cvp&^g4F%zM8pKwZ-SIX2o0%^xB{kij`F`PYt;M3q!_SV
zg@;Eol2mEL8P-5R<(YCf0FBpVWuAH7C*MAqt{W~fW-T)FsLVHxH0try*b8hHkqMhz
z6Y@mcyC21t0w4}C%AMgeq@Q+fDhtj%;=(vQkKI>i@=c15DjL<shYM_DE@=JStiD`@
zP<>D(eB(*{HICx8f@Z=!wrk~aN)}VzpIdvhK5KI?l(+LGxa+<^`90eaSa-sp9h;Y1
zo`K~skH2fdb_Sq~tx{>MU>H9m{lpsVQGsUNC?LTucU4%d<d%J^8WS4dO=P4K`1;jE
zt@CHNXjUfduO)avh3oO_i-QV$8@89NqUCkDCS+~2kFy*R=)iS1`$8kAaxN-5M;-J#
zOUnQPAk>MX%muZUar8TkM~KX;;Lxnats309#yM!!MEWr2Xb<|K_DK_JN=#-x+ix8e
zF|!aqa}7CLZ$W6%1ZO~)Hc2^Bp64~21hJr-K9f^ZP>6JsM0Aw}OU2AdOaopXK)ain
zzHddSw)C@-HAn$bl|kocT^}-SsraoqZI0*=6kJ4Kvud|w(1#)1Rlk=^s44x$o2KtS
zlc_$a;)B;H$c*OrO_|=&<VF%8rRA5*gC)?jdjFaje}=Saam;O&9BX@4B%w&ngi#KT
z{@z0SQMr{i+AhZJCnrgIyVFvfoy$O6U!38xuFMX<9^5P?XR`^zCd=S9;g_kCaYm%6
zmp~{_-_2xgx0*Q&6i(IrpWEODTwECcL)%r%#WPLxanm7<v29U803cKToZvoj>rn@K
z+GiD8+GpSUGY8}ATS_yzzOGIJ$63BwlB2R@(NRrFE_xp=p8>p*U;#i9Eg+{Uw7h2k
zLL?DZAG}iz><uOa2hZszOvVBEW-JmVV5DqkXRNfyK8oiAH9o}7p?4zRruv5_JHFoc
z#ki#Be3Xs{?PM2y1V+=I+CBrber3^)E9*eE=7$MKqxP$<2%Stu+Q}zG`G+yoSF%G5
z!jldNJ|y*zKGy2E(6>{4k11K$>8iNhX|6g3W^U@M_kG!zlFw0%vWN26jkt2xVrt&=
zuGl<~pu8HA^mu<LH4RNTb;>#Jt4!C<?+Xd1rj-;5OPN}?@bw&UbVR#vEPa(Y<&Ao4
zZhmhGVk+vb15HRoQ!M?Slv9<6wy68{XOr-bmxDeysLugX%|^LYfVUu6kf{A5s1NmY
z!E2$`y47)?<!<)n;{y}NUJ<&QYmi2YnI@o{NbE4g5#}u#cy`>5j_oa&NgaYr;mMs^
zbA5s-NrIiCja$#mrWy@6@J(*206|ejwv<esY=OG>nxBIV#D>^pQKz>K#j<rat@~n=
zuu{Cjr=K3HPs1?1wjd}p+<KZPf<^jiRdl6d8a~TNF6H2tBl$TLPN;BL@I-VoY3gCn
zo285A`xt~n-*U;y2@15mPmQC<xuk|!fIVjsubrs$z&J_o5u>0@S5X^AGki|8x};M0
zWl10Nov+qih=(dglVJ(h(i^tKBJhqGW-ZB#oZqioDN@lm*Um>HgX~O`i<RKP4-KK|
z);#)4BHko}I)sxdq;tX2%2(spfgmQFs(%s+*UXi}_|UenPM5V$inztnByb(+kZkyk
zSf#X2HfV5M+s=0Nd5qjg56s@cfghJsZ~JzmdKo=L801czoj|t*nUG8znC(BJ{pcE3
z2A$s~_ZNAUWRh;8Z~Gf%S<{r4;b*+rB^Fow6UO%IK4FgRUVcOH*3{YEIvD9D^cLKo
zYWi32IT*i|$WR-6qON=yPyDdlP>Yv1c7Hke@S<QhB9f{t+m0g7gsp%Ij0!aYBL448
z>XWb<2tC3v9-h692NLraz0LR(1H6CM2qzlVcV`>m>(juZ#PlXF)Q(~DiCIR~tETSZ
z2B~hu^28M}0-DVvBl}}Yv$sy0KKkl{`ZZH+*2DC~2R{^INp~|A#X>41&YFp4F`r$<
zG%!0{Z<oY%Xko{k<`X3-X^-=Uc(IeX2C)HmG3R2>H=8C^7Q@13j@a%^YSP}%&xV{m
zm4J;NI7C9h1`NU&a9u7;4mdFkUBq_Bm>gD8lZAaFyR)J@V>whf7~j67bJg`G*K1d<
zlrl7M9?YpWI(?Ffr?dCEj`yr$(59KuXHLC7he2b{Kb6QZhbg0ZSdYTMT%${%t&#hC
zmoaus2Z?5+79QVf!}1MYUgNm*#^_=&^)~n{<;8Di$?{~^*W3^DK(?Z6d%Vxk8fHDF
zDSw4G2r#Xc^<9m5RD+3?%GN42Ac$rwf1|b2VH0@k#H0wN&*k_djqcqyG-;%RHkrS4
zFTa0-L7<Neo$>!%C8G>`(FXf^4%ij$+`}P5>H@kD=VWX3Wl;4Om`Ph}-2}@KU!tjP
zElD{7px`yp^O3U|eqYqtNdoKd#x)~GPf;10WEBHcL!a;1!<n%5@P7065qvDEK5O|A
zOR|;%vy%lDdG2a$*3?nady=t6M-Me+E-;gF4<-+NJf#-xua4(C@bu<7(~V%C5G5P)
zFVwVlGE&62^Lptw&?^0VPf}o!x8>Av0qr6e?%xF4Nza>1$n=yy%RJpJSg+(Zv=<$5
z1TKg8Sc5;-f4UV>@T5=Z!wCkOVTGq`T7o*nvb`m=r1mQ*2;;0Xxp^2{Y{M1JkWt7l
zpM6Nt{^|J8PPeRF(BOj`v7}@77ey&)*VrlP%0+Z|x7?G_A<=_HCYL@IKevV<*D!5=
zprybhbdxKj?pMW+HZ*5n22gCm3yY<g1WO|uf|C8`MJ||jx(9Y-+dtaC#nZE%CA?c{
z_PoJj*#fSF!$Utf5A4zUH1g|4Kr0Fv9$-uL+JIsL*@fCDKO#aYDP7lmQ0=(Kd$#qQ
zSy$WgH#ahee`Jsb%XY*ED`Yco?P;4zD>Me!UF%^mW^7l8l2%%pD)83<BfVO`OK41k
zgigI|$am3Tu9<Lo6E~65G~I}OCr!ki*A5%%`re!WIF@khb9zomhk!*9tg1?PNh%Lv
zRSl<RBN^j+j+su+z6R~HM!bMVbrmOO@dx-p2&uSF*up_Ri^dhdmlR3+6Kea{NYsg%
zm)qA14ikUewW@N0Sx8S6i)w8UJP5yb(n=CJm-cCWIQzio_1o_+okbFu$QY;(7lemf
zZ*FG$Qu`bnbj0_ZWYlA1nK6*fkHr6s<2Sf`H2$IE+3N@O*h|KM36%r&uSuHwsHf^s
zES1~h#qFyRK^tdowKk+=UfVzi9_qORCml=j`hhEgfawp+X9=>yN3}25zhqv9cp^{Z
z+;<qXTzgrUs#FH(t2{@>;&d3;>n0+3o1kGE2-$NkPVTnHtdn=`GPKzxqkao}yR2+`
zUPo&`R$&9#yS>@_F7vXkI24`ddoO6CmMRl4BnQk3--m;N8!1{la6BpE510NLd$?p)
z%2pIMQb^VXV9e5a*>(%z{FURHV3I7=VzQ6AtW8bVwEH~GhVI>nm({qDQp4o}w$IEO
z<p{zA;{>Qt5?h1volJy<6ItvRZ3!68QpV9si6Zv3OKlj2aS+F~swB^}`wnJ&8!;U~
z%(x)7rc&KTqt7R<Vk8fBu}>@KdQh`Wo|Wu0Poz+19$||<-TwF&G<VoVkESpE7agDa
zc(973o%O86l^ZLK9G^xtW$r3o{g7M&1ibg~ebLU$pzS$4N@ozXRUMLE++k&3xs&Qz
zO3fA}Hn<{Q;t>*ow@O<%LXy2}r}!rI$H-;(>x!WxnyA`^+IBZ{uH=FA&ktgIeZEyO
zZjSgZyq*l4>waQxb^C21@$=)r&q0UnwNy{v<f@DgAAmwkEd&Ik@xHJog#%JjD@s7f
z5>?XDeV3qT<3}sBHeect^S;}#IN6ft6l!NF$U=saR+lQ4gh>c?)z0Vl=+Qn$5b9%^
zg+7cbnv0sdDeC4=h>$Q*UMy*Ddg5Hf4SjT#PvT09L?&0<iqHUe*a8qV0+3;lz4FTi
zrN+UfL%?+?`x2{=77o4S*O(-Q(w~dGQUgT5r2Gv4Wz?T@$vt8eNj%ctF5rLbxOu!F
zLNmjyjXOwW{!pWPB?tqX0m>her()&@n&6oe5ci2xkIK4y_bn9F+zEK7j@aPE2#PZJ
zA6j>Gfx?9K+@cHI{NA20JGx2A1LqR+^XvjJ>xDCjpPxjDVE3(;gS@H|n4N74cdC9q
zbaJ&9SX3(lc34w!CtR__QEAj?asXX-T3EX4y5m6_BD=+9`9zBrq4!q;Qzejzk*^7E
zX0VwAK^&#u@ngA8v9)-|Tk*~x4TH5$VvF&`IMKyxEKa<?NA$-nFU}*Bv}~|2ak>k$
z5y9vko7sEoBq6ms5HdQvK`GYE80DDhD^7-S_=}%Hc#>Vi?go8x<bm|%eej3tT%c=Z
z3-!g0jad5FgVm?W_0!=z51$$4$msIS7L*qYja2+TXooKll*ad;1VPDQ@5jclJkpSJ
zal+0Xq{abR^`=KWl<G)bRgv^aH?n~7Aiy22>R~+12O_D$y(>U?yST&kJYP0sQ&1kY
z@cNzpq<QR`mZ1YpW3Zn8L<DD3Jhwvjvx0m???IojP0#?{X+@;a1x&O=C%ah3pu#om
zGgnYVc$DL*UEhCbYG5Y`epOs-pcK3n1&cBZ`SG=KwW>J;k1ri%D~V9Pa*zBROn}fd
zv)G3R7LO$e+|8YA0tcr85A_@NPg|>XfEVgf8W?T>YQWK4Gm((LJ+0Kh{m|-8)m972
z+ksglcmNatXWHvJrU<N0f<Rl`zVl_J<=zR`FQ+696JG^bR?k}L6Tlv$5Ifsf1Q~de
z)3m*L!pY2p=w;B_Mv_GcUwe(iJISk({8jV^ig@Gj=}AusHuOVI(&eyc6d|4U4rk7@
z-g`8oNe({BgXhb5pX?W8G?y?7*cjY|tonmJsJ@&!s5~Al(~9U%9o6v(I;VQd8-vc@
zOT8=K&d0hLSTQb`s=v}a4)|Z<a>}J<=ffkBn&vw$jr+W5U_h?XND_aXA>dlSic``W
z3K>zH>yc3zjV^zK*iReLjzhDvxSoUxgZWN@@G#Tqi(y)RNleSmMOEUF1EL!@;uB`j
zq{%?NK8a#iZwKK>LvCg0A9Eh%2p2Aa5%Z1)DLVT&Vkx41<C9de89`~*Ks%=u5y?}#
zJvHv#&ot&e;%PAenYTIl5}v`wL)kXEA$5;|I-sq9Hh8AN28(<GFD1-H_b_eb3SYS|
zX&;QG45K`JEP5sT`%`=#f|;3(VhWjp&+7&hkjIo-Zs;&^=G=GOSQg{EX2Y!3KiBqd
zfas~hk{nEZggGBLMpYWI)yl&%k$HUGw^H!!QhtEj>4!B!Zro%><-?Mo*u|8wgn>L}
zzra>@3#bB>h3U#{cjqlAi(QZLc_?x8L!_Z_<ZafCPCv<ks1Nfpi)gBl=%Cu-<J8=9
zR6fKQIxeL<m(MtSh)S^t{n7T+&S%84e=psxSW0^LRxxI)y(}q9?|5o=Qofi38YLQf
zc+Ied!go{MXoKq6vd@IPIkSeA1Ec943Z$mKY&>Ny_nJPz{m|7<TQfoN32x7#DHSQ@
zbX}>mEkI?P<cQYjvLQR+F>+kgPFr6oKy%3<%DP70u|R5Ql&1BLymz7yBIE%WiqvAq
zB5l<R!YxEI^5an;-sOx%QPe|HwfrKFC}k6aa3G|LwKyLpMx{Npt&SF3tthBS!W$5n
zs7wq`h};2`;MZO0+ILe6V}OC2qdp&h;3P#RW~qe)P9|<~lMJrr58Pqdw{tnqCMWAp
zQ84f4Qjt4<wcErcy|cF?;{0R5=7TnF@zQ;FK5!6Ti4Y&t^@@crimv!xcP=c|54bbO
zMj?V2a5Ni6R;^9VxZ938$d+!(X=2sqIs~qhpvRFnJJ%e#+c6V{J@MmKSz=#=^d6gb
z<zy4BE5?NM-6ywwvB>*$D#Q|_1e!h6s8vF9gnmO`bnL_>2Ju1XABu~DVM6+%5C<j{
zB25X~&lobC{CkD)Sr7>yVB<Uz!a^Nw__3cx((PiBH8c_J^hdm)qIDTSwI<km)0Wec
z|Es~cqPpXLF!dp(?00W&b)m|z_SS5g9ZE;uEx+lI>8#+JsflKumBMychHq?MFePlV
zUu=I6O#LJ!80yin_?_=6Mp{%X`EgoOair>CpA_oTEaXo+-eY@M@05Gx>eqwSHTxCi
z&og({Kk5h-FzqIViZAUR>f!rc22BqXbisRWlC}20^ya1L6+YB+g{n_+Hm*F5(T#$F
z-{+LBwi&#r=kopAv7|S-i{#cv;rD4j-Yj-cgVR166O3tKkx?_sx=nsUrq9)!r7c(d
z{gKxQ3K<(J7AINQgE#y}i_EF6L5<gO?+qGi$Iriye|@x}%bI+AG5E~s%0+1yzAU^;
zy1_3Uv7Yb0KT<)YsPuuwrH=gd3%)g%Xzz<<;bo0J1;M{*Q0L#)nds9;EB7^^NF@+&
z6D9W0GP|#wT;rYRZ8ag!)Jq|7itL%$&dFMna00yDeavD)AxX3Z*wpFE9J`lT4{=dw
z?#?08c&uR4lYM(`@er(ES?q8`tBJ$a`)H46!Z%>g@WcCxE#)xi8fkb}&2v{NB0K5%
ziP)!ypqwtJf?7^WU9Vp#qzyJmrOX>S1_7WZXodhX0nqS|%s%5sQU#g_EpL%usL}-Y
zmN)Vs|IplM!&awD(+tS)@jQVvGlH4{K6#q8#K+wMFTOfMN03xvdz4^*r>bb<9*nk7
z$aM)ApACswf>@6dj89;*qS`!Jc@3FWY>-5BxxbS~m?(%MVCC#vqN|sd^>8%gFm1a|
z#s0-cH`ov(Z&wV82dt)|FJFlspm&B+o2tf^sPDV)n)p3V$U@xeZU&f}SwE3)@UShZ
z9YJ)%e}7lc9(5-0pxR=IlcZrne*@vCtatTmfHO>Kw6V5{sdc}HfEtFtNL`;(I3$uh
z1blM=du+%aOE_qeRr$I(0ibP(4A1WuC!o?^*lDep<sSvn#R_b~5wbzpIDRQYhb@tX
zye(>tZiPCjxAWeq6z2085243+;YM<x#*Sf&A+eiV3foizDe29S!U@^HTTAz>i!luh
zSd3;YX?xK3IeC~~h&HB0R=FR*->lw06E4=%PR%3(#Mi=PjdbM%u#3B2l*q5YX+HXH
zm<0?K5AZm*vd$CquxYzjLPgmGuUHa<*H?}04Obd%2R1kYGz-eZU;-+Y#ax5^nXyB<
z>`d(#yi})S1-AZuLEl9#Z2$+!^<5n@^}rm<sJr|Vwn>2vXpHcx0)1d<JSt~<H)V6s
z5uGUKRGSUyWOQV&PvQ0YUVYxyDi6*Lr1o3L=h6h+SG0@qTx`_+sw)9_$o}9mhf`Fx
zXuEhe^zB-+Ww@G%jc+6vdG7>_>bf#z27!Gs65Jq%HGhCxPqSwk>SG43y-w+Os&CZp
z+c2vZJa*M^07iP!e~~qw7WlL{k|UDo@q2f>c&MJ_65Goz-z<3E1QJconH8wDB9MXe
zrr0NNIU0#Zl>}STcK<*cP3rIBee<RJ>0RdGMeXTIXntA|*78>v^ETe^7i_`!U)1jQ
zhiY;+2qwPw(55ezaS}>YwKpac@HB2CB>%ZR@N~hVmE0&|m=%j}7!Rdyf+C(5Ui%eQ
z$<jivLyt|;rg)Y(n<qRj#}@F***4Ce@f-<mNfca}dObN(FY<x;rNaz-%5sG5{)R-A
z4syL6uncw%dZ^(Yqh<uPeY#X;baSZerXct2GTS{!BeS=Jexzw@1}&($GuYkcL>WE+
z1iZkj=bQI&BzOW<3ZbyVW<s2)aRwuXO&naejE+#gi{M+HIGk1=b3_MLKpcTA5w-JU
zOn;J@>X8}a2IWqi<40W1ojv5b{RS5o+K{&qABlB(`^`K~hxa67`=p(EmfIPD?9960
zkQr!Re^DQB*wZH2f@nJ&&k7UVj*WC-`u_GZh`rs^H|D_co+BSpXVxNQ9KLRxsjfn|
z9>5g@wS`>kuH5C^?z8Y~bjUaY(uA|2Mz<x+=wWRUYQ^L&1lA$)xLQ)v-e)J#yoi&j
zmdpTy3QkW`h={Ee9Wbo{Jy!F}S4BMaD-p6SX-vn-tz@%z!_J7@mBwI`LvnON17L=-
zk|f3m`GEMlDaAlw&}{^!EI$Mra>)FzVn+iFFuVTi6v0s<WQJ?cJ`p4A*iOPFeS$;4
z`vIM1(eBKN$M&FZ^<ZuzE1DR_+S8HY`w|S35wOno`e>EYwuv(Al`5*VZ=V8R|KK-B
z-~`T+Z83V`h<i2y_u<8fl1(|?fF*bIf;pjVEc(iz&t$?(*vJEXo~V6h{{HxVWZZOx
z_%&McETO+4jh(b!hCBUdUj1Gu^^&zNV#zu7x=12O*`}=^TZ3^M7MDTnC=$F6vjwd?
zk9abBT>>U~&#eu^k`N+)!$+HT5CNh%3<;M>B3JP0Ydt5Q(mj@6h8JE*oei6Sj$`R~
z@i7(B=bz9m#=xtV?md<gm<~IrYKR>R4uk<97wP)WxnA&6jwm2SE1Q+Wwc4Z_APBhS
z0|VXO7x&Ze%Y@?djM17JJkf@fplUMHO2JE9+Iy0cD!mkPp6ecQG^#V<uFdF%Q|+FT
zGTbLKtzEw7Fomw9$Iq>q^)V80)2`pz`{)^oITJz|GBvAV>YkA*JE2)97#~GhAQhiP
z*&2#kzwOkD3LLII4bRzMQ{xJ=*jaNzDsNKMuG-j^$+H<$g5q}?t6Qad?MJ|FiEd@u
zEz}mOi*aO0nu9P%mR2>Yc__6PA*v6%455nrcBJUWK15QfqzI**Cx9DX3tJ6~5O;2(
zlIghGMyq0Q|1goa>>Tf5BJ&Wi!|^u6TVgxekMDJ$;C%P$U}J<nMD5}PdiQYA_$)<x
zs*~1ZQQ3^J?7T}XAioMh{%IC~vu#mepceJ}S);n1rH1WJU|Q?b40fv+LIH$$>M#}8
z7#nH**Ny-8#fdtBM{d~Xx)0sAHu{+0_c$~sDf&okI=^S%Ir+Tw1?G$4Zl)QGy-AMu
zBDq8^tNIeLPIu8)m4%|x{U_N?B0h7)x!nLqC#2(t2TuNKU5NQzlPBL`V4yK-Du*mL
zX=ako1IWVUOhgdzCU#SCv!a&|<wcx}?2CgYrKUL*O)ku@0hbaO-1yvt`UaJ{!x!U$
zD1xynZTG$178|XpGNr?7Y2hb&rTX>>iABiE?YnX)--3Vu+(&*99oR{zR7#<kB5=wJ
z4TW#!U+B58aEjp0@1H>vR@8zBjE)wr7GFQLiOX-eE6Cl7QZe~c82owkomi-@wIVtu
zW{<V73V%ON&C!%+NWf{fewEDE=Q<X#wNfF1=iZN$5jnWLAfA4Uh2~dYu;2lgBTW${
zw@fIrqJ_5bT&#wST2m=Mei!cxv?C33FVeGVa;w!NDZbEEvy!I#+>yGX?xN)xvs5jJ
zgb$P=2bJBf^yQy>`i1k!RIg0m4f{oHg6LW12^!33G>YLESF|L9q0tU)4(kq?eofqo
zsMFRp`1E|nGgEPQ(4Xe6$>T;*ld%it7sZy)eys>*`9<xG<89$)ztAev+_y^J@9Tx4
zTri7~biLua6#$Dbg5{-uSneMUj2Aw>&9sV6h#$u_E)*cEZLqdWInVHa5Y&IxLt`D-
zWL)lvsTk8rGg0X&Qt`M=*5X}S9u3N~k$y%WA$GXEf%pIYwRk3Lr7}5P!y-*QHZHHP
z8LpJGL|jSLa-ms!fNys|ZlAV2o-O(%hE^j1Y1id-2Y|$&?ILmo`{!`wLLufHq@(!C
z%U?uv|3KTy384+VgNE)|_1YWMiA!x31n@|_OJQs*{pXPIza?^H_)|P^`Dln<8o9J@
zm|Ze)B)8GzjS@a^_A!*8$BxM+YgsY<#t`juY7GDRYmW@ng1=UCt@Ef~{)QM|{o?W`
zHwJ&5m-H9-d)(Tj+g%n*C-^m%6j8BNTl%l7{--kTq5J)J^MUpv?SKB?aGV4sT@5=_
zRwBP4TQtKz#}*3V5P_QXS=8M5Lp@r*p`tzSQcs@x*U@i5bsw=yUE4s-VNCu2DZ5JH
z>4SeA-5QSRX@?V`Em!~DI{Z|sqW|BH_DlE5#^T_w^2_~zKixkh=Q`eaPs6Irs$qz+
zz3O$<aSO5kjT8AcW|dOE=zPNeqI27zKs(Ly=3~fnDJZgge(j{?jpQ$dd`JDioz%kG
zGAb6Q{4-0)BQ+G;c)xx0;AC;&(b{eOtq=F?coXtloSt8si4?7P#Ok#huOEDReDQKD
z+zK{vwSQe9+@)Wq$ES>5M8q)GUhv(z(2A;lFT?wp*1`L+=~j@9P{<NA6C;9u-;clU
zYPFE-T;IishM<j0)&cYEq~XQNU(?~c22K?D^tGJqfHu|0|9h6e#d&C7`6`c$@E$Ej
zhHvT<Wb1TkSPgc+&WMCW!i`sAc)sVqr}bJF0;wmvQB_M~KU+!SCr=JsecRPsx1&vy
zil&=b7VJW$f8E@cyrnQqAXN(nb9%wO^gj9bto!SskQ8$5%I$9sPq!^jH#R3Q+6sr$
zCrJy;ui8erUi^iu=P&)4;d=E~k}*|+5KIMXz4pK6-Cy5xDNzej%xp-4{DpXzD&sG@
z^ydjmz0G%D{%1TILq&T|V;~TvmLt=5J<Rpzz*~{VJlicHj$`Uq7T&)_pyw6)Vi*aE
znbAG@SU(Nn{g0A>%`g`JKX*SE4n`8-jg<51xBpBpvPfDX`O2%W4UaVo%Dyzt{Vou&
zu{;qiSj$yk)g5d1xn62xdrQK65GyBhCS6f2!*eaUWbynSzrdvH0#~NhcANHkZ!+>S
zKCS67af1=Y9lX2rpVQVtGdtbKkNvXM!B3kAORJOwLO93Xox~l}%PU*$#R6Vii*Euq
zGM?CtO9?Cr78UM3GZrXw{rz3dCT@xU`L0GPi5@F#L+^FbriNvXCeH5%Cmy`hvApfN
z6OA(WTNV4-^kX@YtsZf{n}kEnaR%K*lH>xms_fP_=<}j;FsKj`4L0&W-w3qRYyzG{
z*zO1~GbrXaFH)(MAPI-#g4i()^3+#<#J@XPSv)Nyt2$qt@{P!;KY&tDpY(c?gK2o0
zS>X&w!@uU=X;w%aKAC2#9x&6hr7`GJiQGoW8Xz}mZ7-<=I5#}V$s!Sd2@jJ3=B&Kt
zEsOCI-9bZzsFu<SOYb?nHxh&PHD!|XH})=j5kztO!`--kA_Ie-3TedJ_IP{IcB;-w
z*N$L>w$VWv-olNT^KxGmZ|u%xularRoNhn0(A{8j^X}fKqpyEG;2fRh9OE{RJ7{@5
z#?N4WTeTH6`B*jk-=})0hl(2BTEeoS*P-V4CH~2PjrjOFYGu&7IceEi{Bxo2#=`9j
ztq3Y29%q}_N;sd>Gy0D4qS$2=$;z68kZz;EcG>pTcXZwK?9;TkRtnthrq1Fhqr9$I
z{lvZxGq&qr_cUMg?wU8#l5=s*BK>dGXj|NxeuVI(cowuOR@|0Kdmb{<QBysZNQ#NT
zZ>Ml3vWDHU+f<)ZoaIgv<_p&`JJ*&wGH&d@qoAA_nfzVFV=LtC&|c@h>D?sPPtS2*
zxSdv>XW2b|vajZ8ndN}fhvAj5J&5a3vw0ki2a>v9?eBT-5vDQ$i^lOjnk;<rX6mfx
zfA78#YyJ@;B11z-TE4^<k2O|kBGtR;b5-<4+h7X-z|7fsip`UJ*)LeFYaAbRY?SvT
zh0RUfBY~^mh+h}@dZR2~FdA&s;fNV4-(+PtiIY;VJPL)eT;*3uKDoBlC)V>EpfCf_
z^dLoKiu_JdpId{wcxRy=e*jmK@bKL_-xRuNZxhignl~W)@Mmd5#GDIJq2A^Y@$pxP
z+Hhv3GHR0yIZg^B;*#8kQ)&u(+-w=>3l;orr`2~mQM!q9^`EcJPr9^Yqb<kl3F#_V
zR>m{EpH|&TlHdU(ptPTn25GXu`TeEu&O2^Rr7moY#ZGI#`6aJA%A}qop6e8637hki
zv#tLflUFP-CZw(2VY!=4aT96C&+ePcmEY!{jnx`1RSzBH4G`hm-fA_nPM@yEMPF-1
z*4O*xIWrB@cwDj};D&O)_AjxSB;}7x+;_~8YjaOLN738iOhbBQ!t=cVRq+Oe#2^;r
zk*U(EUQ83+3%W;{B9d=^%s&g)EVb}a@aTs?Tru+jtz6yS44i?`8!xV@t)S&6{n?aR
zpJVp<Vi7;*h!guwx1(N1b{-%(FDK=I5-^2=vyYB?>CO9LIj^*?<p)Ddd!IrTd=IDk
zzg?KT?>(nAV<$EG%>UeUSVEv=H7mW_fABZpB%1rZpU%8rE)dhsXz{B+G;O+%`Ki|5
z=OpR1QEf91AqV_f-p`S?oPs^jSFg;TBIFTuMVWMxvR=Gb_5Y<x+TJm-+ZkLx)C)K6
z6zzvR#;e7hqu!T(5p&hpI#s&mU(51}HCD1Z_p@pzD{-)C6xZUBHmKU2W{XEN>)jQ5
zWGtn_pJ1IZ`E7g$^6|@arc*ory(3oSJ3@O(VyuC~Q=qHT@6w~SsL_~;BN)NbGe#Iq
zQlsAyeA+U4v(3?cK5q3#937E8VpsHGS=CyuB-1L=h)Q)tO=<~;bEpG-sBG6)PoJ5`
z4zcQz)v|$c)1Mb^1a4vDvN@`^OQu>87~=BV>iE=lw&m2Te6#brF9lDxqAu8PkipEq
zYd|OkLZK-meV#XpbT+xDW}ex7;$`o$?{=AdIiX43xfM=lboZU>v~k(|^$U80yplDj
z%`-{a8KffhE#D+B`*UoOX!drHKct@3_aSY{zw$iIuk|_4*)*5RcRhT?``RN(DWYjE
z#b(_&uX9^8)un3WW2cCECQ|$E80AFkr3li3bLMXLJkh}Vjpd^)lm51lm%K(;+Xs(!
z#r}7eWVl%fW>$wZ-=0Rs`U*ek>dm!sRJdq&y1?kx6_dwCYU}Wnn_Bv%C?m7e-{b5^
zW~B{tYPgvXc^NzRJ2F?d4}XZ-RQvI!bzcqZ7i-$t?BSiOpCwnP^4>mVCs{`<dZ*#g
zO4(}>c+$s_-R1=38lzqW|KaV;W!C+ly;Ze-8sD!1Q4Fu2jnscO;d1E^zg860s*CMK
z(Ex{c?<am;ny4+dRTt$eY0WB`ANRGHxy6f`<ehjt_ZGi=8PI!EZA}J7hYf4_#fEQr
z_H0xUMB;*@f@;$U-0bI*xbuqsO{>gpKA&8OORD^3r-iZMyAD?y!xGO06X$&1AHyJ=
zvl?B4pM|)+=@+-_;*rFsK|iz6=#uHH#33pTV|}iEF>pe0yB5*yJ*FSNI|gnExh2j$
zO=%|{v+BE$N_!;)HxRg|L3V2w_SnyoQmndYZF%IEoe*@C#9Z^m<>j}xqDh+LIVB%^
zwiYPC$Yo0CKiTR0uQ>yE;~{zbM!s)28i^9gKrMc<>yc1JPi97VFHOB`3Lip4LsTSY
z1|?2kHp9&(<sZs#5;1;kHBv|Ln`=_b-fW{r{p=CbqJ4}cG^gs_HB(y?ih;Xz*D!8A
zBQYpyC4(h-gvdd|ghr=Eg53EjQ>NJO&2{8OxlP3XS}V$8vz06P=*<s)00E=qu4x%J
z_9xEsvNin_MRd);4!^wButrbv?Fi-?Mc+2+Kj_=&TGFxao2Y*E_LU<<E26=}e-+*2
zCv;x8hX&gn7{y>CeOcA-L5ZL73ddXh7*w17EJm?CRTFt%*4hYRd4gx390e15^0qZ>
zpV&ZkVlBGpS&_CkJ8rJy#=dBuqUW;xB2(P5zH_+Esd_FZpQrVg)3=-bW>@37y=}LV
zfrO{Z-q{qE^vwIWLQ(PU=soYahf}_yuN~n0p8iyHbGlxm^RZhs4<aF*e{$qWduGmd
zMG^l*8u>jQVY|(r-tG}v4b3Dr1U*ANI;SSQI>M-9S>@HZCop!NqOUCJt70r^v<G+T
zziZ_++T*7Qd!lKArRwW%qT@&p1GyeYJikvNvacR-*HBHmO4u1lM(Uif|JK5<^|i1K
zE18m+UWqem3$wz#ljuto`dSw4+ed3J$_{y(6J&?F+Xw$!gaZ_TK?#Qxk31Zr=&s$K
zs69(!4r@xjbXw~)_qa<P@f$h;)1azQ{NJj1D462G&%-npE;-}2H`xd^bGgstNr*9J
z+AH(RW9iH5shiw<i9;3UibV%_sRW5>CV@GolqXkrlOT!4hbs6r58&~NHX9HByRe08
zss5-R{dv6=rQtB_HlO^YbbK;-)341b!dddA!FvQ9l?d_nI`k6#?VYdwJG)N^B_{^G
zaxAE0CZ!*+`v0aBQ+CJe>z!-aDgho2AKxECb-c<2R>nR5=j5K>SQZ++_fh@Ks4j*>
z^?yUZ7KNwg{a**{?cS9|sRSBWb}2S6CVZ)^=WCfCp82)oe`vNTqgqWVYiqseg>Sm9
zz#bddWbkAQJVqMJ)D1p1?q@qUW4T1^%xyOoEIn1yT{|syQ~i%e`*lS3ZMk`A>H3X}
zSylnN%;5`D<55xosDJ7p4D4f>KXfiWh2|DuUe*HkNkcPk0#^y4`wY77Y0f6(8Uq|u
zpfv&YqEX*a+sz;;6Gfnmu${?r9h8C+<dqdpK(Dn<t3@f;!K!?L0eioN|EwlbS03v5
hQ7?gGWq8KYKY0(Mn#*Rw`{NjZz|+;wWt~$(69D$nS$qHh


From bf92a003433736aed90b46d0252155ef441a46df Mon Sep 17 00:00:00 2001
From: prosenjitjoy <prosen.joy@gmail.com>
Date: Sat, 7 Oct 2023 04:16:09 +0600
Subject: [PATCH 2/2] added middleware and authorizatoin

---
 api/account_test.go          |  1 +
 api/transfer_test.go         |  7 ++++
 database/db/account_test.go  | 12 +++---
 database/db/entry.sql.go     | 12 +++---
 database/db/entry_test.go    | 51 +++++++++++------------
 database/db/main_test.go     | 13 ++----
 database/db/store_test.go    | 22 ++++------
 database/db/transfer.sql.go  | 18 +++++---
 database/db/transfer_test.go | 81 +++++++++++++++---------------------
 database/db/user_test.go     |  4 +-
 database/query/entry.sql     |  5 ++-
 database/query/transfer.sql  |  5 ++-
 12 files changed, 113 insertions(+), 118 deletions(-)

diff --git a/api/account_test.go b/api/account_test.go
index c525adf..7e3dd0f 100644
--- a/api/account_test.go
+++ b/api/account_test.go
@@ -292,6 +292,7 @@ func TestListAccountAPI(t *testing.T) {
 			},
 			buildStubs: func(store *mockdb.MockStore) {
 				arg := &db.ListAccountsParams{
+					Owner:  user.Username,
 					Limit:  int32(n),
 					Offset: 0,
 				}
diff --git a/api/transfer_test.go b/api/transfer_test.go
index 4b9d060..01f4e23 100644
--- a/api/transfer_test.go
+++ b/api/transfer_test.go
@@ -5,10 +5,12 @@ import (
 	"encoding/json"
 	"main/database/db"
 	"main/database/mockdb"
+	"main/token"
 	"main/util"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/require"
@@ -32,6 +34,7 @@ func TestTransferAPI(t *testing.T) {
 	testCases := []struct {
 		name          string
 		body          gin.H
+		setupAuth     func(t *testing.T, request *http.Request, tokenMaker token.Maker)
 		buildStubs    func(store *mockdb.MockStore)
 		checkResponse func(recorder *httptest.ResponseRecorder)
 	}{
@@ -43,6 +46,9 @@ func TestTransferAPI(t *testing.T) {
 				"amount":          amount,
 				"currency":        util.USD,
 			},
+			setupAuth: func(t *testing.T, request *http.Request, tokenMaker token.Maker) {
+				addAuthorization(t, request, tokenMaker, authorizationTypeBearer, user1.Username, time.Minute)
+			},
 			buildStubs: func(store *mockdb.MockStore) {
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account1.ID)).Times(1).Return(account1, nil)
 				store.EXPECT().GetAccount(gomock.Any(), gomock.Eq(account2.ID)).Times(1).Return(account2, nil)
@@ -80,6 +86,7 @@ func TestTransferAPI(t *testing.T) {
 			request, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(data))
 			require.NoError(t, err)
 
+			tc.setupAuth(t, request, server.tokenMaker)
 			server.router.ServeHTTP(recorder, request)
 			tc.checkResponse(recorder)
 		})
diff --git a/database/db/account_test.go b/database/db/account_test.go
index 00329bc..23fc248 100644
--- a/database/db/account_test.go
+++ b/database/db/account_test.go
@@ -19,7 +19,7 @@ func createRandomAccount(t *testing.T) Account {
 		Currency: util.RandomCurrency(),
 	}
 
-	account, err := testQueries.CreateAccount(context.Background(), &arg)
+	account, err := testStore.CreateAccount(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, account)
 
@@ -39,7 +39,7 @@ func TestCreateAccount(t *testing.T) {
 
 func TestGetAccount(t *testing.T) {
 	account1 := createRandomAccount(t)
-	account2, err := testQueries.GetAccount(context.Background(), account1.ID)
+	account2, err := testStore.GetAccount(context.Background(), account1.ID)
 	require.NoError(t, err)
 	require.NotEmpty(t, account2)
 
@@ -59,7 +59,7 @@ func TestUpdateAccount(t *testing.T) {
 		Balance: util.RandomMoney(),
 	}
 
-	account2, err := testQueries.UpdateAccount(context.Background(), &arg)
+	account2, err := testStore.UpdateAccount(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, account2)
 
@@ -73,10 +73,10 @@ func TestUpdateAccount(t *testing.T) {
 
 func TestDeleteAccount(t *testing.T) {
 	account1 := createRandomAccount(t)
-	err := testQueries.DeleteAccount(context.Background(), account1.ID)
+	err := testStore.DeleteAccount(context.Background(), account1.ID)
 	require.NoError(t, err)
 
-	account2, err := testQueries.GetAccount(context.Background(), account1.ID)
+	account2, err := testStore.GetAccount(context.Background(), account1.ID)
 	require.Error(t, err)
 	require.EqualError(t, err, pgx.ErrNoRows.Error())
 	require.Empty(t, account2)
@@ -94,7 +94,7 @@ func TestListAccounts(t *testing.T) {
 		Offset: 0,
 	}
 
-	accounts, err := testQueries.ListAccounts(context.Background(), &arg)
+	accounts, err := testStore.ListAccounts(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, accounts)
 
diff --git a/database/db/entry.sql.go b/database/db/entry.sql.go
index a233c3d..8fd7ec4 100644
--- a/database/db/entry.sql.go
+++ b/database/db/entry.sql.go
@@ -62,18 +62,20 @@ func (q *Queries) GetEntry(ctx context.Context, id int64) (*Entry, error) {
 
 const listEntries = `-- name: ListEntries :many
 SELECT id, account_id, amount, created_at FROM entries
+WHERE account_id = $1
 ORDER BY id
-LIMIT $1
-OFFSET $2
+LIMIT $2
+OFFSET $3
 `
 
 type ListEntriesParams struct {
-	Limit  int32 `db:"limit" json:"limit"`
-	Offset int32 `db:"offset" json:"offset"`
+	AccountID int64 `db:"account_id" json:"account_id"`
+	Limit     int32 `db:"limit" json:"limit"`
+	Offset    int32 `db:"offset" json:"offset"`
 }
 
 func (q *Queries) ListEntries(ctx context.Context, arg *ListEntriesParams) ([]*Entry, error) {
-	rows, err := q.db.Query(ctx, listEntries, arg.Limit, arg.Offset)
+	rows, err := q.db.Query(ctx, listEntries, arg.AccountID, arg.Limit, arg.Offset)
 	if err != nil {
 		return nil, err
 	}
diff --git a/database/db/entry_test.go b/database/db/entry_test.go
index 8e5f104..92b9e45 100644
--- a/database/db/entry_test.go
+++ b/database/db/entry_test.go
@@ -10,21 +10,13 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func createRandomEntry(t *testing.T) Entry {
-	filter := ListAccountsParams{
-		Limit:  100,
-		Offset: 0,
-	}
-
-	accounts, err := testQueries.ListAccounts(context.Background(), &filter)
-	require.NoError(t, err)
-
+func createRandomEntry(t *testing.T, account Account) Entry {
 	arg := CreateEntryParams{
-		AccountID: randomAccountID(accounts),
+		AccountID: account.ID,
 		Amount:    util.RandomMoney(),
 	}
 
-	entry, err := testQueries.CreateEntry(context.Background(), &arg)
+	entry, err := testStore.CreateEntry(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, entry)
 
@@ -38,12 +30,14 @@ func createRandomEntry(t *testing.T) Entry {
 }
 
 func TestCreateEntry(t *testing.T) {
-	createRandomEntry(t)
+	account := createRandomAccount(t)
+	createRandomEntry(t, account)
 }
 
 func TestGetEntry(t *testing.T) {
-	entry1 := createRandomEntry(t)
-	entry2, err := testQueries.GetEntry(context.Background(), entry1.ID)
+	account := createRandomAccount(t)
+	entry1 := createRandomEntry(t, account)
+	entry2, err := testStore.GetEntry(context.Background(), entry1.ID)
 	require.NoError(t, err)
 	require.NotEmpty(t, entry2)
 
@@ -55,14 +49,15 @@ func TestGetEntry(t *testing.T) {
 }
 
 func TestUpdateEntry(t *testing.T) {
-	entry1 := createRandomEntry(t)
+	account := createRandomAccount(t)
+	entry1 := createRandomEntry(t, account)
 
 	arg := UpdateEntryParams{
 		ID:     entry1.ID,
 		Amount: util.RandomMoney(),
 	}
 
-	entry2, err := testQueries.UpdateEntry(context.Background(), &arg)
+	entry2, err := testStore.UpdateEntry(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, entry2)
 
@@ -74,31 +69,35 @@ func TestUpdateEntry(t *testing.T) {
 }
 
 func TestDeleteEntry(t *testing.T) {
-	entry1 := createRandomEntry(t)
-	err := testQueries.DeleteEntry(context.Background(), entry1.ID)
+	account := createRandomAccount(t)
+	entry1 := createRandomEntry(t, account)
+	err := testStore.DeleteEntry(context.Background(), entry1.ID)
 	require.NoError(t, err)
 
-	entry2, err := testQueries.GetEntry(context.Background(), entry1.ID)
+	entry2, err := testStore.GetEntry(context.Background(), entry1.ID)
 	require.Error(t, err)
 	require.EqualError(t, err, pgx.ErrNoRows.Error())
 	require.Empty(t, entry2)
 }
 
-func TestListEntrys(t *testing.T) {
+func TestListEntries(t *testing.T) {
+	account := createRandomAccount(t)
 	for i := 0; i < 10; i++ {
-		createRandomEntry(t)
+		createRandomEntry(t, account)
 	}
 
 	arg := ListEntriesParams{
-		Limit:  5,
-		Offset: 5,
+		AccountID: account.ID,
+		Limit:     5,
+		Offset:    5,
 	}
 
-	entries, err := testQueries.ListEntries(context.Background(), &arg)
+	entries, err := testStore.ListEntries(context.Background(), &arg)
 	require.NoError(t, err)
 	require.Len(t, entries, 5)
 
-	for _, account := range entries {
-		require.NotEmpty(t, account)
+	for _, entry := range entries {
+		require.NotEmpty(t, entry)
+		require.Equal(t, arg.AccountID, entry.AccountID)
 	}
 }
diff --git a/database/db/main_test.go b/database/db/main_test.go
index 84d852f..eedbea1 100644
--- a/database/db/main_test.go
+++ b/database/db/main_test.go
@@ -4,15 +4,13 @@ import (
 	"context"
 	"log"
 	"main/util"
-	"math/rand"
 	"os"
 	"testing"
 
 	"github.com/jackc/pgx/v5/pgxpool"
 )
 
-var testQueries *Queries
-var testDB *pgxpool.Pool
+var testStore Store
 
 func TestMain(m *testing.M) {
 	cfg, err := util.LoadConfig("../../.env")
@@ -20,17 +18,12 @@ func TestMain(m *testing.M) {
 		log.Fatal("cannot load config:", err)
 	}
 
-	testDB, err = pgxpool.New(context.Background(), cfg.DatabaseURL)
+	connPool, err := pgxpool.New(context.Background(), cfg.DatabaseURL)
 	if err != nil {
 		log.Fatal("cannot connect to db:", err)
 	}
 
-	testQueries = New(testDB)
+	testStore = NewStore(connPool)
 
 	os.Exit(m.Run())
 }
-
-func randomAccountID(arr []*Account) int64 {
-	n := len(arr)
-	return arr[rand.Intn(n)].ID
-}
diff --git a/database/db/store_test.go b/database/db/store_test.go
index 1fb9d3d..289b3c7 100644
--- a/database/db/store_test.go
+++ b/database/db/store_test.go
@@ -9,8 +9,6 @@ import (
 )
 
 func TestTransferTx(t *testing.T) {
-	store := NewStore(testDB)
-
 	account1 := createRandomAccount(t)
 	account2 := createRandomAccount(t)
 	fmt.Println(">> before:", account1.Balance, account2.Balance)
@@ -23,7 +21,7 @@ func TestTransferTx(t *testing.T) {
 
 	for i := 0; i < n; i++ {
 		go func() {
-			result, err := store.TransferTx(context.Background(), &CreateTransferParams{
+			result, err := testStore.TransferTx(context.Background(), &CreateTransferParams{
 				FromAccountID: account1.ID,
 				ToAccountID:   account2.ID,
 				Amount:        amount,
@@ -53,7 +51,7 @@ func TestTransferTx(t *testing.T) {
 		require.NotZero(t, transfer.ID)
 		require.NotZero(t, transfer.CreatedAt)
 
-		_, err = store.GetTransfer(context.Background(), transfer.ID)
+		_, err = testStore.GetTransfer(context.Background(), transfer.ID)
 		require.NoError(t, err)
 
 		// check entries
@@ -64,7 +62,7 @@ func TestTransferTx(t *testing.T) {
 		require.NotZero(t, fromEntry.ID)
 		require.NotZero(t, fromEntry.CreatedAt)
 
-		_, err = store.GetEntry(context.Background(), fromEntry.ID)
+		_, err = testStore.GetEntry(context.Background(), fromEntry.ID)
 		require.NoError(t, err)
 
 		toEntry := result.ToEntry
@@ -74,7 +72,7 @@ func TestTransferTx(t *testing.T) {
 		require.NotZero(t, toEntry.ID)
 		require.NotZero(t, toEntry.CreatedAt)
 
-		_, err = store.GetEntry(context.Background(), toEntry.ID)
+		_, err = testStore.GetEntry(context.Background(), toEntry.ID)
 		require.NoError(t, err)
 
 		// check account
@@ -101,10 +99,10 @@ func TestTransferTx(t *testing.T) {
 	}
 
 	// check the final updated balances
-	updateAccount1, err := testQueries.GetAccount(context.Background(), account1.ID)
+	updateAccount1, err := testStore.GetAccount(context.Background(), account1.ID)
 	require.NoError(t, err)
 
-	updateAccount2, err := testQueries.GetAccount(context.Background(), account2.ID)
+	updateAccount2, err := testStore.GetAccount(context.Background(), account2.ID)
 	require.NoError(t, err)
 
 	fmt.Println(">> after:", account1.Balance, account2.Balance)
@@ -113,8 +111,6 @@ func TestTransferTx(t *testing.T) {
 }
 
 func TestTransferTxDeadlock(t *testing.T) {
-	store := NewStore(testDB)
-
 	account1 := createRandomAccount(t)
 	account2 := createRandomAccount(t)
 	fmt.Println(">> before:", account1.Balance, account2.Balance)
@@ -134,7 +130,7 @@ func TestTransferTxDeadlock(t *testing.T) {
 		}
 
 		go func() {
-			_, err := store.TransferTx(context.Background(), &CreateTransferParams{
+			_, err := testStore.TransferTx(context.Background(), &CreateTransferParams{
 				FromAccountID: fromAccountID,
 				ToAccountID:   toAccountID,
 				Amount:        amount,
@@ -150,10 +146,10 @@ func TestTransferTxDeadlock(t *testing.T) {
 	}
 
 	// check the final updated balances
-	updateAccount1, err := testQueries.GetAccount(context.Background(), account1.ID)
+	updateAccount1, err := testStore.GetAccount(context.Background(), account1.ID)
 	require.NoError(t, err)
 
-	updateAccount2, err := testQueries.GetAccount(context.Background(), account2.ID)
+	updateAccount2, err := testStore.GetAccount(context.Background(), account2.ID)
 	require.NoError(t, err)
 
 	fmt.Println(">> after:", account1.Balance, account2.Balance)
diff --git a/database/db/transfer.sql.go b/database/db/transfer.sql.go
index 937b677..f49c92e 100644
--- a/database/db/transfer.sql.go
+++ b/database/db/transfer.sql.go
@@ -65,18 +65,26 @@ func (q *Queries) GetTransfer(ctx context.Context, id int64) (*Transfer, error)
 
 const listTransfers = `-- name: ListTransfers :many
 SELECT id, from_account_id, to_account_id, amount, created_at FROM transfers
+WHERE from_account_id = $1 OR to_account_id = $2
 ORDER BY id
-LIMIT $1
-OFFSET $2
+LIMIT $3
+OFFSET $4
 `
 
 type ListTransfersParams struct {
-	Limit  int32 `db:"limit" json:"limit"`
-	Offset int32 `db:"offset" json:"offset"`
+	FromAccountID int64 `db:"from_account_id" json:"from_account_id"`
+	ToAccountID   int64 `db:"to_account_id" json:"to_account_id"`
+	Limit         int32 `db:"limit" json:"limit"`
+	Offset        int32 `db:"offset" json:"offset"`
 }
 
 func (q *Queries) ListTransfers(ctx context.Context, arg *ListTransfersParams) ([]*Transfer, error) {
-	rows, err := q.db.Query(ctx, listTransfers, arg.Limit, arg.Offset)
+	rows, err := q.db.Query(ctx, listTransfers,
+		arg.FromAccountID,
+		arg.ToAccountID,
+		arg.Limit,
+		arg.Offset,
+	)
 	if err != nil {
 		return nil, err
 	}
diff --git a/database/db/transfer_test.go b/database/db/transfer_test.go
index c64fdec..08994d9 100644
--- a/database/db/transfer_test.go
+++ b/database/db/transfer_test.go
@@ -10,29 +10,15 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func createRandomTransfer(t *testing.T) Transfer {
-	filter := ListAccountsParams{
-		Limit:  100,
-		Offset: 0,
-	}
-
-	accounts, err := testQueries.ListAccounts(context.Background(), &filter)
-	require.NoError(t, err)
-
-	fromAccountID := randomAccountID(accounts)
-	toAccountID := randomAccountID(accounts)
-
-	for toAccountID == fromAccountID {
-		toAccountID = randomAccountID(accounts)
-	}
+func createRandomTransfer(t *testing.T, account1, account2 Account) Transfer {
 
 	arg := CreateTransferParams{
-		FromAccountID: fromAccountID,
-		ToAccountID:   toAccountID,
+		FromAccountID: account1.ID,
+		ToAccountID:   account2.ID,
 		Amount:        util.RandomMoney(),
 	}
 
-	transfer, err := testQueries.CreateTransfer(context.Background(), &arg)
+	transfer, err := testStore.CreateTransfer(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, transfer)
 
@@ -47,12 +33,16 @@ func createRandomTransfer(t *testing.T) Transfer {
 }
 
 func TestCreateTransfer(t *testing.T) {
-	createRandomTransfer(t)
+	account1 := createRandomAccount(t)
+	account2 := createRandomAccount(t)
+	createRandomTransfer(t, account1, account2)
 }
 
 func TestGetTransfer(t *testing.T) {
-	transfer1 := createRandomTransfer(t)
-	transfer2, err := testQueries.GetTransfer(context.Background(), transfer1.ID)
+	account1 := createRandomAccount(t)
+	account2 := createRandomAccount(t)
+	transfer1 := createRandomTransfer(t, account1, account2)
+	transfer2, err := testStore.GetTransfer(context.Background(), transfer1.ID)
 	require.NoError(t, err)
 	require.NotEmpty(t, transfer2)
 
@@ -65,67 +55,64 @@ func TestGetTransfer(t *testing.T) {
 }
 
 func TestUpdateTransfer(t *testing.T) {
-	transfer1 := createRandomTransfer(t)
-
-	filter := ListAccountsParams{
-		Limit:  100,
-		Offset: 0,
-	}
-
-	accounts, err := testQueries.ListAccounts(context.Background(), &filter)
-	require.NoError(t, err)
-
-	toAccountID := randomAccountID(accounts)
-
-	for toAccountID == transfer1.FromAccountID {
-		toAccountID = randomAccountID(accounts)
-	}
+	account1 := createRandomAccount(t)
+	account2 := createRandomAccount(t)
+	transfer1 := createRandomTransfer(t, account1, account2)
 
 	arg := UpdateTransferParams{
 		ID:            transfer1.ID,
 		FromAccountID: transfer1.FromAccountID,
-		ToAccountID:   toAccountID,
+		ToAccountID:   transfer1.ToAccountID,
 		Amount:        util.RandomMoney(),
 	}
 
-	transfer2, err := testQueries.UpdateTransfer(context.Background(), &arg)
+	transfer2, err := testStore.UpdateTransfer(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, transfer2)
 
 	require.Equal(t, transfer1.ID, transfer2.ID)
 	require.Equal(t, transfer1.FromAccountID, transfer2.FromAccountID)
-	require.Equal(t, arg.ToAccountID, transfer2.ToAccountID)
+	require.Equal(t, transfer1.ToAccountID, transfer2.ToAccountID)
 	require.Equal(t, arg.Amount, transfer2.Amount)
 
 	require.WithinDuration(t, transfer1.CreatedAt, transfer2.CreatedAt, time.Second)
 }
 
 func TestDeleteTransfer(t *testing.T) {
-	transfer1 := createRandomTransfer(t)
-	err := testQueries.DeleteTransfer(context.Background(), transfer1.ID)
+	account1 := createRandomAccount(t)
+	account2 := createRandomAccount(t)
+	transfer1 := createRandomTransfer(t, account1, account2)
+	err := testStore.DeleteTransfer(context.Background(), transfer1.ID)
 	require.NoError(t, err)
 
-	transfer2, err := testQueries.GetTransfer(context.Background(), transfer1.ID)
+	transfer2, err := testStore.GetTransfer(context.Background(), transfer1.ID)
 	require.Error(t, err)
 	require.EqualError(t, err, pgx.ErrNoRows.Error())
 	require.Empty(t, transfer2)
 }
 
 func TestListTransfers(t *testing.T) {
-	for i := 0; i < 10; i++ {
-		createRandomTransfer(t)
+	account1 := createRandomAccount(t)
+	account2 := createRandomAccount(t)
+
+	for i := 0; i < 5; i++ {
+		createRandomTransfer(t, account1, account2)
+		createRandomTransfer(t, account2, account1)
 	}
 
 	arg := ListTransfersParams{
-		Limit:  5,
-		Offset: 5,
+		FromAccountID: account1.ID,
+		ToAccountID:   account1.ID,
+		Limit:         5,
+		Offset:        5,
 	}
 
-	transfers, err := testQueries.ListTransfers(context.Background(), &arg)
+	transfers, err := testStore.ListTransfers(context.Background(), &arg)
 	require.NoError(t, err)
 	require.Len(t, transfers, 5)
 
 	for _, transfer := range transfers {
 		require.NotEmpty(t, transfer)
+		require.True(t, transfer.FromAccountID == account1.ID || transfer.ToAccountID == account1.ID)
 	}
 }
diff --git a/database/db/user_test.go b/database/db/user_test.go
index 3f10470..feba3b4 100644
--- a/database/db/user_test.go
+++ b/database/db/user_test.go
@@ -20,7 +20,7 @@ func createRandomUser(t *testing.T) *User {
 		Email:          util.RandomEmail(),
 	}
 
-	user, err := testQueries.CreateUser(context.Background(), &arg)
+	user, err := testStore.CreateUser(context.Background(), &arg)
 	require.NoError(t, err)
 	require.NotEmpty(t, user)
 
@@ -41,7 +41,7 @@ func TestCreateUser(t *testing.T) {
 
 func TestGetUser(t *testing.T) {
 	user1 := createRandomUser(t)
-	user2, err := testQueries.GetUser(context.Background(), user1.Username)
+	user2, err := testStore.GetUser(context.Background(), user1.Username)
 	require.NoError(t, err)
 	require.NotEmpty(t, user2)
 
diff --git a/database/query/entry.sql b/database/query/entry.sql
index 582e227..b41a2c8 100644
--- a/database/query/entry.sql
+++ b/database/query/entry.sql
@@ -10,9 +10,10 @@ LIMIT 1;
 
 -- name: ListEntries :many
 SELECT * FROM entries
+WHERE account_id = $1
 ORDER BY id
-LIMIT $1
-OFFSET $2;
+LIMIT $2
+OFFSET $3;
 
 -- name: UpdateEntry :one
 UPDATE entries
diff --git a/database/query/transfer.sql b/database/query/transfer.sql
index 4c2b738..936884b 100644
--- a/database/query/transfer.sql
+++ b/database/query/transfer.sql
@@ -10,9 +10,10 @@ LIMIT 1;
 
 -- name: ListTransfers :many
 SELECT * FROM transfers
+WHERE from_account_id = $1 OR to_account_id = $2
 ORDER BY id
-LIMIT $1
-OFFSET $2;
+LIMIT $3
+OFFSET $4;
 
 -- name: UpdateTransfer :one
 UPDATE transfers