hazo_auth 0.1.2 → 1.0.0

package/hazo_auth_config.example.ini

@@ -251,6 +251,81 @@ enable_admin_ui = true
 # Login path (redirect target in unauthorized message)
 # login_path = /login
 
+[hazo_auth__user_management]
+# User Management configuration
+# Application permission list defaults (comma-separated)
+# These permissions will be shown in the Permissions tab and can be migrated to the database
+# Example: application_permission_list_defaults = PERM_ONE,PERM_TWO,PERM_THREE
+# application_permission_list_defaults = 
+
+[hazo_auth__auth_utility]
+# Authentication utility configuration
+
+# Cache settings
+# Maximum number of users to cache (LRU eviction, default: 10000)
+# cache_max_users = 10000
+
+# Cache TTL in minutes (default: 15)
+# cache_ttl_minutes = 15
+
+# Force cache refresh if older than this many minutes (default: 30)
+# cache_max_age_minutes = 30
+
+# Rate limiting for /api/auth/get_auth endpoint
+# Per-user rate limit (requests per minute, default: 100)
+# rate_limit_per_user = 100
+
+# Per-IP rate limit for unauthenticated requests (default: 200)
+# rate_limit_per_ip = 200
+
+# Permission check behavior
+# Log all permission denials for security audit (default: true)
+# log_permission_denials = true
+
+# User-friendly error messages
+# Enable mapping of technical permissions to user-friendly messages (default: true)
+# enable_friendly_error_messages = true
+
+# Permission message mappings (optional, comma-separated: permission_name:user_message)
+# Example: admin_user_management:You don't have access to user management,admin_role_management:You don't have access to role management
+# permission_error_messages = 
+
+[hazo_auth__profile_pic_menu]
+# Profile picture menu configuration
+# This component can be used in navbar or sidebar to show user profile picture or sign up/sign in buttons
+
+# Button configuration for unauthenticated users
+# Show only "Sign Up" button when true, show both "Sign Up" and "Sign In" buttons when false (default)
+# show_single_button = false
+
+# Sign up button label
+# sign_up_label = Sign Up
+
+# Sign in button label
+# sign_in_label = Sign In
+
+# Register page path
+# register_path = /register
+
+# Login page path
+# login_path = /login
+
+# Settings page path (shown in dropdown menu when authenticated)
+# settings_path = /my_settings
+
+# Logout API endpoint path
+# logout_path = /api/auth/logout
+
+# Custom menu items (optional)
+# Format: "type:label:value_or_href:order" for info/link, or "separator:order" for separator
+# Examples:
+#   - Info item: "info:Phone:+1234567890:3"
+#   - Link item: "link:My Account:/account:4"
+#   - Separator: "separator:2"
+# Custom items are added to the default menu items (name, email, separator, Settings, Logout)
+# Items are sorted by type (info first, then separators, then links) and then by order within each type
+# custom_menu_items = 
+
 [hazo_auth__profile_picture]
 # Profile picture configuration
 # This configuration is used by:

package/instrumentation.ts

@@ -9,7 +9,7 @@ export async function register() {
       const hazo_notify_module = await import("hazo_notify");
       
       // Step 2: Load hazo_notify emailer configuration
-      // This reads from hazo_notify_config.ini in the ui_component directory (same location as hazo_auth_config.ini)
+      // This reads from hazo_notify_config.ini in the project root (same location as hazo_auth_config.ini)
       const { load_emailer_config } = hazo_notify_module;
       const notify_config = load_emailer_config();
       

package/next.config.mjs

@@ -1,4 +1,4 @@
-// file_description: configure next.js application settings for the ui_component project
+// file_description: configure next.js application settings for the hazo_auth project
 // section: imports
 import path from "path";
 import { fileURLToPath } from "url";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "0.1.2",
+  "version": "1.0.0",
   "files": [
     "src/**/*",
     "public/file.svg",
@@ -35,8 +35,11 @@
     "test:watch": "cross-env NODE_ENV=test POSTGREST_URL=http://209.38.26.241:4402 POSTGREST_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYXBpX3VzZXIifQ.zBoUGymrxTUk1DNYIGUCtQU4HFaWEHlbE9_8Y3hUaTw jest --watch"
   },
   "dependencies": {
+    "@radix-ui/react-alert-dialog": "^1.1.15",
     "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-checkbox": "^1.3.3",
     "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
     "@radix-ui/react-label": "^2.1.8",
     "@radix-ui/react-separator": "^1.1.8",
     "@radix-ui/react-slot": "^1.2.4",

package/src/app/api/{auth → hazo_auth/auth}/upload_profile_picture/route.ts

@@ -160,7 +160,7 @@ export async function POST(request: NextRequest) {
     // Generate URL (relative to public or absolute)
     // For Next.js, we'll serve from a public route or use absolute path
     // For now, use a relative path that can be served via API or static file serving
-    const profilePictureUrl = `/api/auth/profile_picture/${fileName}`;
+    const profilePictureUrl = `/api/hazo_auth/profile_picture/${fileName}`;
 
     // Update user record
     const updateResult = await update_user_profile_picture(
@@ -198,7 +198,7 @@ export async function POST(request: NextRequest) {
       // Only delete if the old profile picture was an uploaded file
       if (oldSourceUI === "upload") {
         try {
-          // Extract filename from URL (e.g., /api/auth/profile_picture/user_id.jpg)
+          // Extract filename from URL (e.g., /api/hazo_auth/profile_picture/user_id.jpg)
           const oldFileName = oldProfilePictureUrl.split("/").pop();
           
           if (oldFileName) {

package/src/app/api/{auth → hazo_auth}/change_password/route.ts

@@ -6,6 +6,8 @@ import { create_app_logger } from "@/lib/app_logger";
 import { change_password } from "@/lib/services/password_change_service";
 import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
 import { require_auth } from "@/lib/auth/auth_utils.server";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
 
 // section: api_handler
 export async function POST(request: NextRequest) {
@@ -75,6 +77,27 @@ export async function POST(request: NextRequest) {
       );
     }
 
+    // Invalidate user cache after password change
+    try {
+      const config = get_auth_utility_config();
+      const cache = get_auth_cache(
+        config.cache_max_users,
+        config.cache_ttl_minutes,
+        config.cache_max_age_minutes,
+      );
+      cache.invalidate_user(user_id);
+    } catch (cache_error) {
+      // Log but don't fail password change if cache invalidation fails
+      const cache_error_message =
+        cache_error instanceof Error ? cache_error.message : "Unknown error";
+      logger.warn("password_change_cache_invalidation_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        error: cache_error_message,
+      });
+    }
+
     logger.info("password_change_successful", {
       filename: get_filename(),
       line_number: get_line_number(),

package/src/app/api/hazo_auth/get_auth/route.ts

@@ -0,0 +1,89 @@
+// file_description: API route for hazo_get_auth utility (client-side calls)
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { hazo_get_auth } from "@/lib/auth/hazo_get_auth.server";
+import { PermissionError } from "@/lib/auth/auth_types";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+
+// section: route_config
+export const dynamic = "force-dynamic";
+
+// section: api_handler
+/**
+ * POST - Get authentication status and permissions
+ * Body: { required_permissions?: string[], strict?: boolean }
+ */
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    const body = await request.json();
+    const { required_permissions, strict } = body;
+
+    // Validate required_permissions if provided
+    if (
+      required_permissions !== undefined &&
+      (!Array.isArray(required_permissions) ||
+        !required_permissions.every((p) => typeof p === "string"))
+    ) {
+      return NextResponse.json(
+        { error: "required_permissions must be an array of strings" },
+        { status: 400 },
+      );
+    }
+
+    // Validate strict if provided
+    if (strict !== undefined && typeof strict !== "boolean") {
+      return NextResponse.json(
+        { error: "strict must be a boolean" },
+        { status: 400 },
+      );
+    }
+
+    // Call hazo_get_auth
+    const result = await hazo_get_auth(request, {
+      required_permissions,
+      strict,
+    });
+
+    return NextResponse.json(result, { status: 200 });
+  } catch (error) {
+    // Handle PermissionError (strict mode)
+    if (error instanceof PermissionError) {
+      logger.warn("auth_utility_permission_error", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        missing_permissions: error.missing_permissions,
+        required_permissions: error.required_permissions,
+      });
+
+      return NextResponse.json(
+        {
+          error: "Permission denied",
+          missing_permissions: error.missing_permissions,
+          user_friendly_message: error.user_friendly_message,
+        },
+        { status: 403 },
+      );
+    }
+
+    // Handle other errors
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("auth_utility_api_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: error_message },
+      { status: 500 },
+    );
+  }
+}
+

package/src/app/api/hazo_auth/invalidate_cache/route.ts

@@ -0,0 +1,139 @@
+// file_description: API route for manual cache invalidation (admin endpoint)
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import { hazo_get_auth } from "@/lib/auth/hazo_get_auth.server";
+
+// section: route_config
+export const dynamic = "force-dynamic";
+
+// section: api_handler
+/**
+ * POST - Manually invalidate auth cache
+ * Body: { user_id?: string, role_ids?: number[], invalidate_all?: boolean }
+ * Requires admin permission (checked via hazo_get_auth)
+ */
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    // Check authentication and admin permission
+    const auth_result = await hazo_get_auth(request, {
+      required_permissions: ["admin_user_management"], // Require admin permission
+      strict: true, // Throw error if not authorized
+    });
+
+    if (!auth_result.authenticated) {
+      return NextResponse.json(
+        { error: "Authentication required" },
+        { status: 401 },
+      );
+    }
+
+    const body = await request.json();
+    const { user_id, role_ids, invalidate_all } = body;
+
+    // Validate input
+    if (invalidate_all !== undefined && typeof invalidate_all !== "boolean") {
+      return NextResponse.json(
+        { error: "invalidate_all must be a boolean" },
+        { status: 400 },
+      );
+    }
+
+    if (user_id !== undefined && typeof user_id !== "string") {
+      return NextResponse.json(
+        { error: "user_id must be a string" },
+        { status: 400 },
+      );
+    }
+
+    if (
+      role_ids !== undefined &&
+      (!Array.isArray(role_ids) ||
+        !role_ids.every((id) => typeof id === "number"))
+    ) {
+      return NextResponse.json(
+        { error: "role_ids must be an array of numbers" },
+        { status: 400 },
+      );
+    }
+
+    const config = get_auth_utility_config();
+    const cache = get_auth_cache(
+      config.cache_max_users,
+      config.cache_ttl_minutes,
+      config.cache_max_age_minutes,
+    );
+
+    // Perform invalidation
+    if (invalidate_all === true) {
+      cache.invalidate_all();
+      logger.info("auth_cache_invalidated_all", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id: auth_result.user.id,
+      });
+    } else if (user_id) {
+      cache.invalidate_user(user_id);
+      logger.info("auth_cache_invalidated_user", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        invalidated_user_id: user_id,
+        admin_user_id: auth_result.user.id,
+      });
+    } else if (role_ids && role_ids.length > 0) {
+      cache.invalidate_by_roles(role_ids);
+      logger.info("auth_cache_invalidated_roles", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        role_ids,
+        admin_user_id: auth_result.user.id,
+      });
+    } else {
+      return NextResponse.json(
+        {
+          error:
+            "Must provide user_id, role_ids, or invalidate_all=true",
+        },
+        { status: 400 },
+      );
+    }
+
+    return NextResponse.json(
+      {
+        success: true,
+        message: "Cache invalidated successfully",
+      },
+      { status: 200 },
+    );
+  } catch (error) {
+    // Handle PermissionError (strict mode)
+    if (error instanceof Error && error.name === "PermissionError") {
+      return NextResponse.json(
+        { error: "Permission denied. Admin access required." },
+        { status: 403 },
+      );
+    }
+
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("auth_cache_invalidation_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: "Failed to invalidate cache" },
+      { status: 500 },
+    );
+  }
+}
+

package/src/app/api/{auth → hazo_auth}/library_photos/route.ts

@@ -5,6 +5,9 @@ import { get_library_categories, get_library_photos } from "@/lib/services/profi
 import { create_app_logger } from "@/lib/app_logger";
 import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
 
+// section: route_config
+export const dynamic = 'force-dynamic';
+
 // section: api_handler
 export async function GET(request: NextRequest) {
   const logger = create_app_logger();

package/src/app/api/{auth → hazo_auth}/logout/route.ts

@@ -3,6 +3,8 @@
 import { NextRequest, NextResponse } from "next/server";
 import { create_app_logger } from "@/lib/app_logger";
 import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
 
 // section: api_handler
 export async function POST(request: NextRequest) {
@@ -32,6 +34,31 @@ export async function POST(request: NextRequest) {
       path: "/",
     });
 
+    // Invalidate user cache
+    if (user_id) {
+      try {
+        const config = get_auth_utility_config();
+        const cache = get_auth_cache(
+          config.cache_max_users,
+          config.cache_ttl_minutes,
+          config.cache_max_age_minutes,
+        );
+        cache.invalidate_user(user_id);
+      } catch (cache_error) {
+        // Log but don't fail logout if cache invalidation fails
+        const cache_error_message =
+          cache_error instanceof Error
+            ? cache_error.message
+            : "Unknown error";
+        logger.warn("logout_cache_invalidation_failed", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          user_id,
+          error: cache_error_message,
+        });
+      }
+    }
+
     if (user_email || user_id) {
       logger.info("logout_successful", {
         filename: get_filename(),