hazo_auth 0.3.0 → 1.0.0

package/hazo_auth_config.example.ini

@@ -251,6 +251,45 @@ enable_admin_ui = true
 # Login path (redirect target in unauthorized message)
 # login_path = /login
 
+[hazo_auth__user_management]
+# User Management configuration
+# Application permission list defaults (comma-separated)
+# These permissions will be shown in the Permissions tab and can be migrated to the database
+# Example: application_permission_list_defaults = PERM_ONE,PERM_TWO,PERM_THREE
+# application_permission_list_defaults = 
+
+[hazo_auth__auth_utility]
+# Authentication utility configuration
+
+# Cache settings
+# Maximum number of users to cache (LRU eviction, default: 10000)
+# cache_max_users = 10000
+
+# Cache TTL in minutes (default: 15)
+# cache_ttl_minutes = 15
+
+# Force cache refresh if older than this many minutes (default: 30)
+# cache_max_age_minutes = 30
+
+# Rate limiting for /api/auth/get_auth endpoint
+# Per-user rate limit (requests per minute, default: 100)
+# rate_limit_per_user = 100
+
+# Per-IP rate limit for unauthenticated requests (default: 200)
+# rate_limit_per_ip = 200
+
+# Permission check behavior
+# Log all permission denials for security audit (default: true)
+# log_permission_denials = true
+
+# User-friendly error messages
+# Enable mapping of technical permissions to user-friendly messages (default: true)
+# enable_friendly_error_messages = true
+
+# Permission message mappings (optional, comma-separated: permission_name:user_message)
+# Example: admin_user_management:You don't have access to user management,admin_role_management:You don't have access to role management
+# permission_error_messages = 
+
 [hazo_auth__profile_pic_menu]
 # Profile picture menu configuration
 # This component can be used in navbar or sidebar to show user profile picture or sign up/sign in buttons

package/instrumentation.ts

@@ -9,7 +9,7 @@ export async function register() {
       const hazo_notify_module = await import("hazo_notify");
       
       // Step 2: Load hazo_notify emailer configuration
-      // This reads from hazo_notify_config.ini in the ui_component directory (same location as hazo_auth_config.ini)
+      // This reads from hazo_notify_config.ini in the project root (same location as hazo_auth_config.ini)
       const { load_emailer_config } = hazo_notify_module;
       const notify_config = load_emailer_config();
       

package/next.config.mjs

@@ -1,4 +1,4 @@
-// file_description: configure next.js application settings for the ui_component project
+// file_description: configure next.js application settings for the hazo_auth project
 // section: imports
 import path from "path";
 import { fileURLToPath } from "url";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "0.3.0",
+  "version": "1.0.0",
   "files": [
     "src/**/*",
     "public/file.svg",
@@ -35,7 +35,9 @@
     "test:watch": "cross-env NODE_ENV=test POSTGREST_URL=http://209.38.26.241:4402 POSTGREST_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYXBpX3VzZXIifQ.zBoUGymrxTUk1DNYIGUCtQU4HFaWEHlbE9_8Y3hUaTw jest --watch"
   },
   "dependencies": {
+    "@radix-ui/react-alert-dialog": "^1.1.15",
     "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-checkbox": "^1.3.3",
     "@radix-ui/react-dialog": "^1.1.15",
     "@radix-ui/react-dropdown-menu": "^2.1.16",
     "@radix-ui/react-label": "^2.1.8",

package/src/app/api/{auth → hazo_auth/auth}/upload_profile_picture/route.ts

@@ -160,7 +160,7 @@ export async function POST(request: NextRequest) {
     // Generate URL (relative to public or absolute)
     // For Next.js, we'll serve from a public route or use absolute path
     // For now, use a relative path that can be served via API or static file serving
-    const profilePictureUrl = `/api/auth/profile_picture/${fileName}`;
+    const profilePictureUrl = `/api/hazo_auth/profile_picture/${fileName}`;
 
     // Update user record
     const updateResult = await update_user_profile_picture(
@@ -198,7 +198,7 @@ export async function POST(request: NextRequest) {
       // Only delete if the old profile picture was an uploaded file
       if (oldSourceUI === "upload") {
         try {
-          // Extract filename from URL (e.g., /api/auth/profile_picture/user_id.jpg)
+          // Extract filename from URL (e.g., /api/hazo_auth/profile_picture/user_id.jpg)
           const oldFileName = oldProfilePictureUrl.split("/").pop();
           
           if (oldFileName) {

package/src/app/api/{auth → hazo_auth}/change_password/route.ts

@@ -6,6 +6,8 @@ import { create_app_logger } from "@/lib/app_logger";
 import { change_password } from "@/lib/services/password_change_service";
 import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
 import { require_auth } from "@/lib/auth/auth_utils.server";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
 
 // section: api_handler
 export async function POST(request: NextRequest) {
@@ -75,6 +77,27 @@ export async function POST(request: NextRequest) {
       );
     }
 
+    // Invalidate user cache after password change
+    try {
+      const config = get_auth_utility_config();
+      const cache = get_auth_cache(
+        config.cache_max_users,
+        config.cache_ttl_minutes,
+        config.cache_max_age_minutes,
+      );
+      cache.invalidate_user(user_id);
+    } catch (cache_error) {
+      // Log but don't fail password change if cache invalidation fails
+      const cache_error_message =
+        cache_error instanceof Error ? cache_error.message : "Unknown error";
+      logger.warn("password_change_cache_invalidation_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        error: cache_error_message,
+      });
+    }
+
     logger.info("password_change_successful", {
       filename: get_filename(),
       line_number: get_line_number(),

package/src/app/api/hazo_auth/get_auth/route.ts

@@ -0,0 +1,89 @@
+// file_description: API route for hazo_get_auth utility (client-side calls)
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { hazo_get_auth } from "@/lib/auth/hazo_get_auth.server";
+import { PermissionError } from "@/lib/auth/auth_types";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+
+// section: route_config
+export const dynamic = "force-dynamic";
+
+// section: api_handler
+/**
+ * POST - Get authentication status and permissions
+ * Body: { required_permissions?: string[], strict?: boolean }
+ */
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    const body = await request.json();
+    const { required_permissions, strict } = body;
+
+    // Validate required_permissions if provided
+    if (
+      required_permissions !== undefined &&
+      (!Array.isArray(required_permissions) ||
+        !required_permissions.every((p) => typeof p === "string"))
+    ) {
+      return NextResponse.json(
+        { error: "required_permissions must be an array of strings" },
+        { status: 400 },
+      );
+    }
+
+    // Validate strict if provided
+    if (strict !== undefined && typeof strict !== "boolean") {
+      return NextResponse.json(
+        { error: "strict must be a boolean" },
+        { status: 400 },
+      );
+    }
+
+    // Call hazo_get_auth
+    const result = await hazo_get_auth(request, {
+      required_permissions,
+      strict,
+    });
+
+    return NextResponse.json(result, { status: 200 });
+  } catch (error) {
+    // Handle PermissionError (strict mode)
+    if (error instanceof PermissionError) {
+      logger.warn("auth_utility_permission_error", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        missing_permissions: error.missing_permissions,
+        required_permissions: error.required_permissions,
+      });
+
+      return NextResponse.json(
+        {
+          error: "Permission denied",
+          missing_permissions: error.missing_permissions,
+          user_friendly_message: error.user_friendly_message,
+        },
+        { status: 403 },
+      );
+    }
+
+    // Handle other errors
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("auth_utility_api_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: error_message },
+      { status: 500 },
+    );
+  }
+}
+

package/src/app/api/hazo_auth/invalidate_cache/route.ts

@@ -0,0 +1,139 @@
+// file_description: API route for manual cache invalidation (admin endpoint)
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import { hazo_get_auth } from "@/lib/auth/hazo_get_auth.server";
+
+// section: route_config
+export const dynamic = "force-dynamic";
+
+// section: api_handler
+/**
+ * POST - Manually invalidate auth cache
+ * Body: { user_id?: string, role_ids?: number[], invalidate_all?: boolean }
+ * Requires admin permission (checked via hazo_get_auth)
+ */
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    // Check authentication and admin permission
+    const auth_result = await hazo_get_auth(request, {
+      required_permissions: ["admin_user_management"], // Require admin permission
+      strict: true, // Throw error if not authorized
+    });
+
+    if (!auth_result.authenticated) {
+      return NextResponse.json(
+        { error: "Authentication required" },
+        { status: 401 },
+      );
+    }
+
+    const body = await request.json();
+    const { user_id, role_ids, invalidate_all } = body;
+
+    // Validate input
+    if (invalidate_all !== undefined && typeof invalidate_all !== "boolean") {
+      return NextResponse.json(
+        { error: "invalidate_all must be a boolean" },
+        { status: 400 },
+      );
+    }
+
+    if (user_id !== undefined && typeof user_id !== "string") {
+      return NextResponse.json(
+        { error: "user_id must be a string" },
+        { status: 400 },
+      );
+    }
+
+    if (
+      role_ids !== undefined &&
+      (!Array.isArray(role_ids) ||
+        !role_ids.every((id) => typeof id === "number"))
+    ) {
+      return NextResponse.json(
+        { error: "role_ids must be an array of numbers" },
+        { status: 400 },
+      );
+    }
+
+    const config = get_auth_utility_config();
+    const cache = get_auth_cache(
+      config.cache_max_users,
+      config.cache_ttl_minutes,
+      config.cache_max_age_minutes,
+    );
+
+    // Perform invalidation
+    if (invalidate_all === true) {
+      cache.invalidate_all();
+      logger.info("auth_cache_invalidated_all", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id: auth_result.user.id,
+      });
+    } else if (user_id) {
+      cache.invalidate_user(user_id);
+      logger.info("auth_cache_invalidated_user", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        invalidated_user_id: user_id,
+        admin_user_id: auth_result.user.id,
+      });
+    } else if (role_ids && role_ids.length > 0) {
+      cache.invalidate_by_roles(role_ids);
+      logger.info("auth_cache_invalidated_roles", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        role_ids,
+        admin_user_id: auth_result.user.id,
+      });
+    } else {
+      return NextResponse.json(
+        {
+          error:
+            "Must provide user_id, role_ids, or invalidate_all=true",
+        },
+        { status: 400 },
+      );
+    }
+
+    return NextResponse.json(
+      {
+        success: true,
+        message: "Cache invalidated successfully",
+      },
+      { status: 200 },
+    );
+  } catch (error) {
+    // Handle PermissionError (strict mode)
+    if (error instanceof Error && error.name === "PermissionError") {
+      return NextResponse.json(
+        { error: "Permission denied. Admin access required." },
+        { status: 403 },
+      );
+    }
+
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("auth_cache_invalidation_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: "Failed to invalidate cache" },
+      { status: 500 },
+    );
+  }
+}
+

package/src/app/api/{auth → hazo_auth}/logout/route.ts

@@ -3,6 +3,8 @@
 import { NextRequest, NextResponse } from "next/server";
 import { create_app_logger } from "@/lib/app_logger";
 import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import { get_auth_cache } from "@/lib/auth/auth_cache";
+import { get_auth_utility_config } from "@/lib/auth_utility_config.server";
 
 // section: api_handler
 export async function POST(request: NextRequest) {
@@ -32,6 +34,31 @@ export async function POST(request: NextRequest) {
       path: "/",
     });
 
+    // Invalidate user cache
+    if (user_id) {
+      try {
+        const config = get_auth_utility_config();
+        const cache = get_auth_cache(
+          config.cache_max_users,
+          config.cache_ttl_minutes,
+          config.cache_max_age_minutes,
+        );
+        cache.invalidate_user(user_id);
+      } catch (cache_error) {
+        // Log but don't fail logout if cache invalidation fails
+        const cache_error_message =
+          cache_error instanceof Error
+            ? cache_error.message
+            : "Unknown error";
+        logger.warn("logout_cache_invalidation_failed", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          user_id,
+          error: cache_error_message,
+        });
+      }
+    }
+
     if (user_email || user_id) {
       logger.info("logout_successful", {
         filename: get_filename(),

package/src/app/api/hazo_auth/upload_profile_picture/route.ts

@@ -0,0 +1,268 @@
+// file_description: API route for uploading profile pictures
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_hazo_connect_instance } from "@/lib/hazo_connect_instance.server";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_profile_picture_config } from "@/lib/profile_picture_config.server";
+import { get_file_types_config } from "@/lib/file_types_config.server";
+import { update_user_profile_picture } from "@/lib/services/profile_picture_service";
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "@/lib/services/profile_picture_source_mapper";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import fs from "fs";
+import path from "path";
+
+// section: api_handler
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    // Use centralized auth check
+    let user_id: string;
+    try {
+      const { require_auth } = await import("@/lib/auth/auth_utils.server");
+      const user = await require_auth(request);
+      user_id = user.user_id;
+    } catch (error) {
+      if (error instanceof Error && error.message === "Authentication required") {
+        logger.warn("profile_picture_upload_authentication_failed", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          error: "User not authenticated",
+        });
+
+        return NextResponse.json(
+          { error: "Authentication required" },
+          { status: 401 }
+        );
+      }
+      throw error;
+    }
+
+    // Check if upload is enabled
+    const config = get_profile_picture_config();
+    if (!config.allow_photo_upload) {
+      logger.warn("profile_picture_upload_disabled", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+      });
+
+      return NextResponse.json(
+        { error: "Photo upload is not enabled" },
+        { status: 403 }
+      );
+    }
+
+    if (!config.upload_photo_path) {
+      logger.warn("profile_picture_upload_path_not_configured", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+      });
+
+      return NextResponse.json(
+        { error: "Upload path is not configured" },
+        { status: 500 }
+      );
+    }
+
+    // Get FormData
+    const formData = await request.formData();
+    const file = formData.get("file") as File | null;
+
+    if (!file) {
+      logger.warn("profile_picture_upload_no_file", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+      });
+
+      return NextResponse.json(
+        { error: "No file provided" },
+        { status: 400 }
+      );
+    }
+
+    // Validate file type
+    const fileTypes = get_file_types_config();
+    const fileType = file.type;
+    if (!fileTypes.allowed_image_mime_types.includes(fileType)) {
+      logger.warn("profile_picture_upload_invalid_type", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        fileType,
+      });
+
+      return NextResponse.json(
+        { error: "Invalid file type. Only JPG and PNG files are allowed." },
+        { status: 400 }
+      );
+    }
+
+    // Validate file size (should already be compressed client-side, but check server-side too)
+    const fileSize = file.size;
+    if (fileSize > config.max_photo_size) {
+      logger.warn("profile_picture_upload_too_large", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        fileSize,
+        maxSize: config.max_photo_size,
+      });
+
+      return NextResponse.json(
+        { error: `File size exceeds maximum allowed size of ${config.max_photo_size} bytes` },
+        { status: 400 }
+      );
+    }
+
+    // Get current user profile picture info before updating
+    const hazoConnect = get_hazo_connect_instance();
+    const users_service = createCrudService(hazoConnect, "hazo_users");
+    const current_users = await users_service.findBy({ id: user_id });
+
+    let oldProfilePictureUrl: string | null = null;
+    let oldProfileSource: string | null = null;
+
+    if (Array.isArray(current_users) && current_users.length > 0) {
+      const current_user = current_users[0];
+      oldProfilePictureUrl = (current_user.profile_picture_url as string) || null;
+      oldProfileSource = (current_user.profile_source as string) || null;
+    }
+
+    // Determine file extension from MIME type
+    const mimeToExt: Record<string, string> = {
+      "image/jpeg": "jpg",
+      "image/jpg": "jpg",
+      "image/png": "png",
+    };
+    const fileExtension = mimeToExt[fileType] || "jpg";
+    const fileName = `${user_id}.${fileExtension}`;
+
+    // Resolve upload path
+    const uploadPath = path.isAbsolute(config.upload_photo_path)
+      ? config.upload_photo_path
+      : path.resolve(process.cwd(), config.upload_photo_path);
+
+    // Create upload directory if it doesn't exist
+    if (!fs.existsSync(uploadPath)) {
+      fs.mkdirSync(uploadPath, { recursive: true });
+    }
+
+    // Save file
+    const filePath = path.join(uploadPath, fileName);
+    const arrayBuffer = await file.arrayBuffer();
+    const buffer = Buffer.from(arrayBuffer);
+    fs.writeFileSync(filePath, buffer);
+
+    // Generate URL (relative to public or absolute)
+    // For Next.js, we'll serve from a public route or use absolute path
+    // For now, use a relative path that can be served via API or static file serving
+    const profilePictureUrl = `/api/hazo_auth/profile_picture/${fileName}`;
+
+    // Update user record
+    const updateResult = await update_user_profile_picture(
+      hazoConnect,
+      user_id,
+      profilePictureUrl,
+      "upload",
+    );
+
+    if (!updateResult.success) {
+      // Clean up uploaded file
+      try {
+        fs.unlinkSync(filePath);
+      } catch (error) {
+        // Ignore cleanup errors
+      }
+
+      logger.warn("profile_picture_upload_update_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        error: updateResult.error,
+      });
+
+      return NextResponse.json(
+        { error: updateResult.error || "Failed to update profile picture" },
+        { status: 500 }
+      );
+    }
+
+    // Delete old profile picture file if it exists and was an uploaded file
+    if (oldProfilePictureUrl && oldProfileSource) {
+      const oldSourceUI = map_db_source_to_ui(oldProfileSource);
+      
+      // Only delete if the old profile picture was an uploaded file
+      if (oldSourceUI === "upload") {
+        try {
+          // Extract filename from URL (e.g., /api/hazo_auth/profile_picture/user_id.jpg)
+          const oldFileName = oldProfilePictureUrl.split("/").pop();
+          
+          if (oldFileName) {
+            // Check if it's a user-specific file (starts with user_id)
+            if (oldFileName.startsWith(user_id)) {
+              const oldFilePath = path.join(uploadPath, oldFileName);
+              
+              // Only delete if it's a different file (different extension)
+              if (oldFilePath !== filePath && fs.existsSync(oldFilePath)) {
+                fs.unlinkSync(oldFilePath);
+                
+                logger.info("profile_picture_old_file_deleted", {
+                  filename: get_filename(),
+                  line_number: get_line_number(),
+                  user_id,
+                  oldFileName,
+                });
+              }
+            }
+          }
+        } catch (error) {
+          // Log error but don't fail the request
+          logger.warn("profile_picture_old_file_delete_failed", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            oldProfilePictureUrl,
+            error: error instanceof Error ? error.message : "Unknown error",
+          });
+        }
+      }
+    }
+
+    logger.info("profile_picture_upload_successful", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      user_id,
+      fileName,
+      fileSize,
+    });
+
+    return NextResponse.json(
+      {
+        success: true,
+        profile_picture_url: profilePictureUrl,
+        message: "Profile picture uploaded successfully",
+      },
+      { status: 200 }
+    );
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("profile_picture_upload_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: "Failed to upload profile picture. Please try again." },
+      { status: 500 }
+    );
+  }
+}
+