hazo_auth 1.0.2 → 1.0.3

package/hazo_auth_config.example.ini

@@ -19,6 +19,11 @@ enable_admin_ui = true
 
 # PostgREST configuration (uncomment if using postgrest type)
 # postgrest_url = 
+
+# PostgREST API Key (REQUIRED if PostgREST uses authentication)
+# IMPORTANT: API keys should ONLY be set in environment variables for security
+# Set HAZO_CONNECT_POSTGREST_API_KEY or POSTGREST_API_KEY in your .env file
+# DO NOT put API keys in this config file
 # postgrest_api_key = 
 
 [hazo_auth__register_layout]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "files": [
     "src/**/*",
     "public/file.svg",
@@ -101,8 +101,8 @@
     "@types/react-dom": "^18",
     "better-sqlite3": "^12.4.1",
     "cross-env": "^10.1.0",
-    "eslint": "^8",
-    "eslint-config-next": "^14.2.7",
+    "eslint": "^9.0.0",
+    "eslint-config-next": "^16.0.3",
     "eslint-plugin-storybook": "^10.0.6",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^29.7.0",

package/src/app/api/hazo_auth/resend_verification/route.ts

@@ -52,20 +52,21 @@ export async function POST(request: NextRequest) {
     });
 
     if (!result.success) {
-      logger.warn("resend_verification_failed", {
+      logger.error("resend_verification_failed", {
         filename: get_filename(),
         line_number: get_line_number(),
         email,
         error: result.error,
       });
 
-      // Still return 200 OK to prevent email enumeration attacks
+      // Return error response (500) when email sending fails
+      // This is a technical error, not a security issue, so we can reveal it
       return NextResponse.json(
         {
-          success: true,
-          message: "If an account with that email exists and is not verified, a verification link has been sent.",
+          success: false,
+          error: result.error || "Failed to resend verification email",
         },
-        { status: 200 }
+        { status: 500 }
       );
     }
 

package/src/components/layouts/email_verification/hooks/use_email_verification.ts

@@ -155,10 +155,10 @@ export const use_email_verification = <TClient,>({
       return true;
     }
 
-    const hasEmptyField = Object.values(values).some((fieldValue) => fieldValue.trim() === "");
-    const hasErrors = Object.keys(errors).length > 0;
-    return hasEmptyField || hasErrors;
-  }, [errors, values, isSubmitting]);
+    // Only disable if there are active errors
+    const hasErrors = !!errors[EMAIL_VERIFICATION_FIELD_IDS.EMAIL];
+    return hasErrors;
+  }, [errors, isSubmitting]);
 
   const handleFieldChange = useCallback((fieldId: EmailVerificationFieldId, value: string) => {
     setValues((previousValues) => {
@@ -231,7 +231,13 @@ export const use_email_verification = <TClient,>({
           }),
         });
 
-        const data = await response.json();
+        let data;
+        try {
+          data = await response.json();
+        } catch (jsonError) {
+          // If JSON parsing fails, the response is likely HTML (e.g., error page)
+          throw new Error("Server returned an invalid response. Please try again later.");
+        }
 
         if (!response.ok) {
           throw new Error(data.error || "Failed to resend verification email");

package/src/lib/hazo_connect_instance.server.ts

@@ -38,36 +38,60 @@ export function get_hazo_connect_instance(): HazoConnectAdapter {
   try {
     // Get configuration from hazo_auth_config.ini (falls back to environment variables)
     const config_options = get_hazo_connect_config_options();
+    const logger = create_app_logger();
+    logger.debug("hazo_connect_singleton_attempt", {
+      filename: "hazo_connect_instance.server.ts",
+      line_number: 38,
+      config_options,
+      note: "Attempting to get singleton with these options",
+    });
     return getHazoConnectSingleton(config_options);
   } catch (error) {
+    const logger = create_app_logger();
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    logger.error("hazo_connect_singleton_failed", {
+      filename: "hazo_connect_instance.server.ts",
+      line_number: 45,
+      error: error_message,
+      error_stack: error instanceof Error ? error.stack : undefined,
+      note: "Falling back to manual singleton implementation",
+    });
+    
     // Fallback: Manual singleton implementation if new API fails
     // This should not happen with the updated package, but kept for safety
     if (!hazoConnectInstance) {
-      // Initialize admin service first (if not already done)
-      if (!isInitialized) {
+      // Get config options to determine database type
+      const config_options = get_hazo_connect_config_options();
+      const db_type = config_options.type;
+      
+      // Only initialize SQLite admin service for SQLite databases
+      if (db_type === "sqlite" && !isInitialized) {
         initializeAdminService({ enable_admin_ui: true });
         isInitialized = true;
       }
       
       // Create the adapter instance (reads from hazo_auth_config.ini)
+      // Note: Despite the name, this function supports both SQLite and PostgREST
       hazoConnectInstance = create_sqlite_hazo_connect_server();
 
       // Note: Database migrations should be applied manually via SQLite Admin UI
       // or through a separate migration script. The token_service has fallback
       // logic to work without the token_type column if migration hasn't been applied.
 
-      // Finalize initialization by getting the admin service.
-      try {
-        getSqliteAdminService();
-      } catch (adminError) {
-        const logger = create_app_logger();
-        const error_message = adminError instanceof Error ? adminError.message : "Unknown error";
-        logger.warn("hazo_connect_instance_admin_service_init_failed", {
-          filename: "hazo_connect_instance.server.ts",
-          line_number: 0,
-          error: error_message,
-          note: "Could not get SqliteAdminService during initialization, continuing...",
-        });
+      // Finalize initialization by getting the admin service (only for SQLite)
+      if (db_type === "sqlite") {
+        try {
+          getSqliteAdminService();
+        } catch (adminError) {
+          const logger = create_app_logger();
+          const error_message = adminError instanceof Error ? adminError.message : "Unknown error";
+          logger.warn("hazo_connect_instance_admin_service_init_failed", {
+            filename: "hazo_connect_instance.server.ts",
+            line_number: 0,
+            error: error_message,
+            note: "Could not get SqliteAdminService during initialization, continuing...",
+          });
+        }
       }
     }
     

package/src/lib/hazo_connect_setup.server.ts

@@ -100,8 +100,10 @@ function get_hazo_connect_config(): {
       hazo_connect_section?.postgrest_url ||
       process.env.HAZO_CONNECT_POSTGREST_URL ||
       process.env.POSTGREST_URL;
+    // API key must only come from environment variables for security
+    // Check multiple possible env var names for compatibility
     const postgrest_api_key =
-      hazo_connect_section?.postgrest_api_key ||
+      process.env.postgrest_api_key ||  // hazo_connect package expects this
       process.env.HAZO_CONNECT_POSTGREST_API_KEY ||
       process.env.POSTGREST_API_KEY;
 
@@ -141,10 +143,13 @@ export function create_sqlite_hazo_connect_server() {
   }
 
   if (config.type === "postgrest") {
+    // Ensure we have a value (empty string if not set, for PostgREST instances without auth)
+    const apiKey = config.postgrestApiKey || "";
+    
     return createHazoConnect({
       type: "postgrest",
       baseUrl: config.postgrestUrl!,
-      apiKey: config.postgrestApiKey,
+      apiKey: apiKey, // Pass empty string if not set
     });
   }
 
@@ -161,6 +166,8 @@ export function get_hazo_connect_config_options(): {
   sqlitePath?: string;
   enableAdminUi?: boolean;
   readOnly?: boolean;
+  postgrestUrl?: string;
+  postgrestApiKey?: string;
 } {
   const config = get_hazo_connect_config();
 
@@ -173,8 +180,15 @@ export function get_hazo_connect_config_options(): {
     };
   }
 
-  // PostgREST is not supported by the singleton API options yet
-  // Return empty object to let it use environment variables
+  if (config.type === "postgrest") {
+    return {
+      type: "postgrest",
+      baseUrl: config.postgrestUrl, // Corrected from postgrestUrl
+      apiKey: config.postgrestApiKey || "", // Corrected from postgrestApiKey and ensured string value
+    };
+  }
+
+  // Fallback: return empty object to let it use environment variables
   return {};
 }
 

package/src/lib/services/email_verification_service.ts

@@ -245,6 +245,12 @@ export async function resend_verification_email(
           error: email_result.error,
           note: "Verification token created but email failed to send",
         });
+        
+        // Return error if email sending failed (this is a technical error, not a security issue)
+        return {
+          success: false,
+          error: email_result.error || "Failed to send verification email",
+        };
       }
     }
 

package/src/middleware.ts

@@ -46,6 +46,7 @@ export async function middleware(request: NextRequest) {
     "/api/hazo_auth/reset_password",
     "/api/hazo_auth/verify_email",
     "/api/hazo_auth/validate_reset_token",
+    "/api/hazo_auth/resend_verification", // Allow resend verification email without auth
     "/api/hazo_auth/me", // Allow /api/hazo_auth/me to be public (returns authenticated: false if not logged in)
     "/hazo_connect/api/sqlite", // SQLite Admin API routes (admin tool, should be accessible)
     "/hazo_connect/sqlite_admin", // SQLite Admin UI page