hazo_auth 1.2.0 → 1.4.0

package/dist/lib/auth/auth_types.d.ts

@@ -0,0 +1,53 @@
+/**
+ * User data structure returned by hazo_get_auth
+ */
+export type HazoAuthUser = {
+    id: string;
+    name: string | null;
+    email_address: string;
+    is_active: boolean;
+    profile_picture_url: string | null;
+};
+/**
+ * Result type for hazo_get_auth function
+ * Returns authenticated state with user data and permissions, or unauthenticated state
+ */
+export type HazoAuthResult = {
+    authenticated: true;
+    user: HazoAuthUser;
+    permissions: string[];
+    permission_ok: boolean;
+    missing_permissions?: string[];
+} | {
+    authenticated: false;
+    user: null;
+    permissions: [];
+    permission_ok: false;
+};
+/**
+ * Options for hazo_get_auth function
+ */
+export type HazoAuthOptions = {
+    /**
+     * Array of required permissions to check
+     * If provided, permission_ok will be set based on whether user has all required permissions
+     */
+    required_permissions?: string[];
+    /**
+     * If true, throws PermissionError when user lacks required permissions
+     * If false (default), returns permission_ok: false without throwing
+     */
+    strict?: boolean;
+};
+/**
+ * Custom error class for permission denials
+ * Includes technical and user-friendly error messages
+ */
+export declare class PermissionError extends Error {
+    missing_permissions: string[];
+    user_permissions: string[];
+    required_permissions: string[];
+    user_friendly_message?: string | undefined;
+    constructor(missing_permissions: string[], user_permissions: string[], required_permissions: string[], user_friendly_message?: string | undefined);
+}
+//# sourceMappingURL=auth_types.d.ts.map

package/dist/lib/auth/auth_types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;CACpC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;CACtB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;gBAH9B,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA;CAKxC"}

package/dist/lib/auth/auth_types.js

@@ -0,0 +1,16 @@
+// file_description: Type definitions and error classes for hazo_get_auth utility
+// section: types
+/**
+ * Custom error class for permission denials
+ * Includes technical and user-friendly error messages
+ */
+export class PermissionError extends Error {
+    constructor(missing_permissions, user_permissions, required_permissions, user_friendly_message) {
+        super(`Missing permissions: ${missing_permissions.join(", ")}`);
+        this.missing_permissions = missing_permissions;
+        this.user_permissions = user_permissions;
+        this.required_permissions = required_permissions;
+        this.user_friendly_message = user_friendly_message;
+        this.name = "PermissionError";
+    }
+}

package/dist/lib/auth/auth_utils.server.d.ts

@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from "next/server";
+export type AuthUser = {
+    authenticated: true;
+    user_id: string;
+    email: string;
+    name?: string;
+    email_verified: boolean;
+    is_active: boolean;
+    last_logon?: string;
+    profile_picture_url?: string;
+    profile_source?: "upload" | "library" | "gravatar" | "custom";
+};
+export type AuthResult = AuthUser | {
+    authenticated: false;
+};
+/**
+ * Checks if a user is authenticated from request cookies
+ * Validates user exists, is active, and cookies match
+ * @param request - NextRequest object
+ * @returns AuthResult with user info or authenticated: false
+ */
+export declare function get_authenticated_user(request: NextRequest): Promise<AuthResult>;
+/**
+ * Checks if user is authenticated (simple boolean check)
+ * @param request - NextRequest object
+ * @returns true if authenticated, false otherwise
+ */
+export declare function is_authenticated(request: NextRequest): Promise<boolean>;
+/**
+ * Requires authentication - throws error if not authenticated
+ * Use in API routes that require authentication
+ * @param request - NextRequest object
+ * @returns AuthUser (never returns authenticated: false, throws instead)
+ * @throws Error if not authenticated
+ */
+export declare function require_auth(request: NextRequest): Promise<AuthUser>;
+/**
+ * Gets authenticated user and returns response with cleared cookies if invalid
+ * Useful for /api/auth/me endpoint that needs to clear cookies on invalid auth
+ * @param request - NextRequest object
+ * @returns Object with auth_result and response (with cleared cookies if invalid)
+ */
+export declare function get_authenticated_user_with_response(request: NextRequest): Promise<{
+    auth_result: AuthResult;
+    response?: NextResponse;
+}>;
+//# sourceMappingURL=auth_utils.server.d.ts.map

package/dist/lib/auth/auth_utils.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_utils.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_utils.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAMxD,MAAM,MAAM,QAAQ,GAAG;IACrB,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,UAAU,GAClB,QAAQ,GACR;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAqB7B;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA8CtF;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAG7E;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQ1E;AAED;;;;;GAKG;AACH,wBAAsB,oCAAoC,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC;IACxF,WAAW,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB,CAAC,CA6DD"}

package/dist/lib/auth/auth_utils.server.js

@@ -0,0 +1,150 @@
+// file_description: server-side authentication utilities for checking login status in API routes
+// section: imports
+import { NextResponse } from "next/server";
+import { get_hazo_connect_instance } from "hazo_auth/lib/hazo_connect_instance.server";
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "hazo_auth/lib/services/profile_picture_source_mapper";
+// section: helpers
+/**
+ * Clears authentication cookies from response
+ * @param response - NextResponse object to clear cookies from
+ * @returns The response with cleared cookies
+ */
+function clear_auth_cookies(response) {
+    response.cookies.set("hazo_auth_user_email", "", {
+        expires: new Date(0),
+        path: "/",
+    });
+    response.cookies.set("hazo_auth_user_id", "", {
+        expires: new Date(0),
+        path: "/",
+    });
+    return response;
+}
+// section: functions
+/**
+ * Checks if a user is authenticated from request cookies
+ * Validates user exists, is active, and cookies match
+ * @param request - NextRequest object
+ * @returns AuthResult with user info or authenticated: false
+ */
+export async function get_authenticated_user(request) {
+    var _a, _b;
+    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    if (!user_id || !user_email) {
+        return { authenticated: false };
+    }
+    try {
+        const hazoConnect = get_hazo_connect_instance();
+        const users_service = createCrudService(hazoConnect, "hazo_users");
+        const users = await users_service.findBy({
+            id: user_id,
+            email_address: user_email,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return { authenticated: false };
+        }
+        const user = users[0];
+        // Check if user is active
+        if (user.is_active === false) {
+            return { authenticated: false };
+        }
+        // Map database profile_source to UI representation
+        const profile_source_db = user.profile_source;
+        const profile_source_ui = profile_source_db ? map_db_source_to_ui(profile_source_db) : undefined;
+        return {
+            authenticated: true,
+            user_id: user.id,
+            email: user.email_address,
+            name: user.name || undefined,
+            email_verified: user.email_verified === true,
+            is_active: user.is_active === true,
+            last_logon: user.last_logon || undefined,
+            profile_picture_url: user.profile_picture_url || undefined,
+            profile_source: profile_source_ui,
+        };
+    }
+    catch (error) {
+        return { authenticated: false };
+    }
+}
+/**
+ * Checks if user is authenticated (simple boolean check)
+ * @param request - NextRequest object
+ * @returns true if authenticated, false otherwise
+ */
+export async function is_authenticated(request) {
+    const result = await get_authenticated_user(request);
+    return result.authenticated;
+}
+/**
+ * Requires authentication - throws error if not authenticated
+ * Use in API routes that require authentication
+ * @param request - NextRequest object
+ * @returns AuthUser (never returns authenticated: false, throws instead)
+ * @throws Error if not authenticated
+ */
+export async function require_auth(request) {
+    const result = await get_authenticated_user(request);
+    if (!result.authenticated) {
+        throw new Error("Authentication required");
+    }
+    return result;
+}
+/**
+ * Gets authenticated user and returns response with cleared cookies if invalid
+ * Useful for /api/auth/me endpoint that needs to clear cookies on invalid auth
+ * @param request - NextRequest object
+ * @returns Object with auth_result and response (with cleared cookies if invalid)
+ */
+export async function get_authenticated_user_with_response(request) {
+    var _a, _b;
+    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    if (!user_id || !user_email) {
+        return { auth_result: { authenticated: false } };
+    }
+    try {
+        const hazoConnect = get_hazo_connect_instance();
+        const users_service = createCrudService(hazoConnect, "hazo_users");
+        const users = await users_service.findBy({
+            id: user_id,
+            email_address: user_email,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            // User not found - clear cookies
+            const response = NextResponse.json({ authenticated: false }, { status: 200 });
+            clear_auth_cookies(response);
+            return { auth_result: { authenticated: false }, response };
+        }
+        const user = users[0];
+        // Check if user is still active
+        if (user.is_active === false) {
+            // User is inactive - clear cookies
+            const response = NextResponse.json({ authenticated: false }, { status: 200 });
+            clear_auth_cookies(response);
+            return { auth_result: { authenticated: false }, response };
+        }
+        // Map database profile_source to UI representation
+        const profile_source_db = user.profile_source;
+        const profile_source_ui = profile_source_db ? map_db_source_to_ui(profile_source_db) : undefined;
+        return {
+            auth_result: {
+                authenticated: true,
+                user_id: user.id,
+                email: user.email_address,
+                name: user.name || undefined,
+                email_verified: user.email_verified === true,
+                is_active: user.is_active === true,
+                last_logon: user.last_logon || undefined,
+                profile_picture_url: user.profile_picture_url || undefined,
+                profile_source: profile_source_ui,
+            },
+        };
+    }
+    catch (error) {
+        // On error, assume not authenticated
+        return { auth_result: { authenticated: false } };
+    }
+}

package/dist/lib/auth/hazo_get_auth.server.d.ts

@@ -0,0 +1,12 @@
+import { NextRequest } from "next/server";
+import type { HazoAuthResult, HazoAuthOptions } from "hazo_auth/lib/auth/auth_types";
+/**
+ * Main hazo_get_auth function for server-side use in API routes
+ * Returns user details, permissions, and checks required permissions
+ * @param request - NextRequest object
+ * @param options - Optional parameters for permission checking
+ * @returns HazoAuthResult with user data and permissions
+ * @throws PermissionError if strict mode and permissions are missing
+ */
+export declare function hazo_get_auth(request: NextRequest, options?: HazoAuthOptions): Promise<HazoAuthResult>;
+//# sourceMappingURL=hazo_get_auth.server.d.ts.map

package/dist/lib/auth/hazo_get_auth.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAkLnG;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAuIzB"}

package/dist/lib/auth/hazo_get_auth.server.js

@@ -0,0 +1,256 @@
+import { get_hazo_connect_instance } from "hazo_auth/lib/hazo_connect_instance.server";
+import { createCrudService } from "hazo_connect/server";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+import { get_filename, get_line_number } from "hazo_auth/lib/utils/api_route_helpers";
+import { PermissionError } from "hazo_auth/lib/auth/auth_types";
+import { get_auth_cache } from "hazo_auth/lib/auth/auth_cache";
+import { get_rate_limiter } from "hazo_auth/lib/auth/auth_rate_limiter";
+import { get_auth_utility_config } from "hazo_auth/lib/auth_utility_config.server";
+// section: helpers
+/**
+ * Gets client IP address from request
+ * @param request - NextRequest object
+ * @returns IP address string
+ */
+function get_client_ip(request) {
+    const forwarded = request.headers.get("x-forwarded-for");
+    if (forwarded) {
+        return forwarded.split(",")[0].trim();
+    }
+    const real_ip = request.headers.get("x-real-ip");
+    if (real_ip) {
+        return real_ip;
+    }
+    return "unknown";
+}
+/**
+ * Fetches user data and permissions from database
+ * @param user_id - User ID
+ * @returns Object with user, permissions, and role_ids
+ */
+async function fetch_user_data_from_db(user_id) {
+    const hazoConnect = get_hazo_connect_instance();
+    const users_service = createCrudService(hazoConnect, "hazo_users");
+    const user_roles_service = createCrudService(hazoConnect, "hazo_user_roles");
+    const role_permissions_service = createCrudService(hazoConnect, "hazo_role_permissions");
+    const permissions_service = createCrudService(hazoConnect, "hazo_permissions");
+    // Fetch user
+    const users = await users_service.findBy({ id: user_id });
+    if (!Array.isArray(users) || users.length === 0) {
+        throw new Error("User not found");
+    }
+    const user_db = users[0];
+    // Check if user is active
+    if (user_db.is_active === false) {
+        throw new Error("User is inactive");
+    }
+    // Build user object
+    const user = {
+        id: user_db.id,
+        name: user_db.name || null,
+        email_address: user_db.email_address,
+        is_active: user_db.is_active === true,
+        profile_picture_url: user_db.profile_picture_url || null,
+    };
+    // Fetch user roles
+    const user_roles = await user_roles_service.findBy({ user_id });
+    const role_ids = [];
+    if (Array.isArray(user_roles)) {
+        for (const ur of user_roles) {
+            const role_id = ur.role_id;
+            if (role_id !== undefined) {
+                role_ids.push(role_id);
+            }
+        }
+    }
+    // Fetch role permissions
+    const permissions_set = new Set();
+    if (role_ids.length > 0) {
+        const role_permissions = await role_permissions_service.findBy({});
+        if (Array.isArray(role_permissions)) {
+            // Filter role_permissions for user's roles
+            const user_role_permissions = role_permissions.filter((rp) => role_ids.includes(rp.role_id));
+            // Get permission IDs
+            const permission_ids = new Set();
+            for (const rp of user_role_permissions) {
+                const perm_id = rp.permission_id;
+                if (perm_id !== undefined) {
+                    permission_ids.add(perm_id);
+                }
+            }
+            // Fetch permission names
+            if (permission_ids.size > 0) {
+                const permissions = await permissions_service.findBy({});
+                if (Array.isArray(permissions)) {
+                    for (const perm of permissions) {
+                        const perm_id = perm.id;
+                        if (perm_id !== undefined && permission_ids.has(perm_id)) {
+                            const perm_name = perm.permission_name;
+                            if (perm_name) {
+                                permissions_set.add(perm_name);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    const permissions = Array.from(permissions_set);
+    return { user, permissions, role_ids };
+}
+/**
+ * Checks if user has required permissions
+ * @param user_permissions - User's permissions
+ * @param required_permissions - Required permissions
+ * @returns Object with permission_ok and missing_permissions
+ */
+function check_permissions(user_permissions, required_permissions) {
+    const user_perms_set = new Set(user_permissions);
+    const missing = required_permissions.filter((perm) => !user_perms_set.has(perm));
+    return {
+        permission_ok: missing.length === 0,
+        missing_permissions: missing,
+    };
+}
+/**
+ * Gets user-friendly error message for missing permissions
+ * @param missing_permissions - Array of missing permission names
+ * @param config - Auth utility config
+ * @returns User-friendly message or undefined
+ */
+function get_friendly_error_message(missing_permissions, config) {
+    if (!config.enable_friendly_error_messages) {
+        return undefined;
+    }
+    // Try to get messages for each missing permission
+    const messages = [];
+    for (const perm of missing_permissions) {
+        const message = config.permission_error_messages.get(perm);
+        if (message) {
+            messages.push(message);
+        }
+    }
+    if (messages.length > 0) {
+        return messages.join(". ");
+    }
+    // Default message if no specific mapping
+    return "You don't have the required permissions to perform this action. Please contact your administrator.";
+}
+// section: main_function
+/**
+ * Main hazo_get_auth function for server-side use in API routes
+ * Returns user details, permissions, and checks required permissions
+ * @param request - NextRequest object
+ * @param options - Optional parameters for permission checking
+ * @returns HazoAuthResult with user data and permissions
+ * @throws PermissionError if strict mode and permissions are missing
+ */
+export async function hazo_get_auth(request, options) {
+    var _a, _b;
+    const logger = create_app_logger();
+    const config = get_auth_utility_config();
+    const cache = get_auth_cache(config.cache_max_users, config.cache_ttl_minutes, config.cache_max_age_minutes);
+    const rate_limiter = get_rate_limiter();
+    // Fast path: Check for authentication cookies
+    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    if (!user_id || !user_email) {
+        // Unauthenticated - check rate limit by IP
+        const client_ip = get_client_ip(request);
+        const ip_key = `ip:${client_ip}`;
+        if (!rate_limiter.check(ip_key, config.rate_limit_per_ip)) {
+            logger.warn("auth_utility_rate_limit_exceeded_ip", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                ip: client_ip,
+            });
+            throw new Error("Rate limit exceeded. Please try again later.");
+        }
+        return {
+            authenticated: false,
+            user: null,
+            permissions: [],
+            permission_ok: false,
+        };
+    }
+    // Authenticated - check rate limit by user
+    const user_key = `user:${user_id}`;
+    if (!rate_limiter.check(user_key, config.rate_limit_per_user)) {
+        logger.warn("auth_utility_rate_limit_exceeded_user", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+        });
+        throw new Error("Rate limit exceeded. Please try again later.");
+    }
+    // Check cache
+    let cached_entry = cache.get(user_id);
+    let user;
+    let permissions;
+    let role_ids;
+    if (cached_entry) {
+        // Cache hit
+        user = cached_entry.user;
+        permissions = cached_entry.permissions;
+        role_ids = cached_entry.role_ids;
+    }
+    else {
+        // Cache miss - fetch from database
+        try {
+            const user_data = await fetch_user_data_from_db(user_id);
+            user = user_data.user;
+            permissions = user_data.permissions;
+            role_ids = user_data.role_ids;
+            // Update cache
+            cache.set(user_id, user, permissions, role_ids);
+        }
+        catch (error) {
+            const error_message = error instanceof Error ? error.message : "Unknown error";
+            logger.error("auth_utility_fetch_user_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                error: error_message,
+            });
+            return {
+                authenticated: false,
+                user: null,
+                permissions: [],
+                permission_ok: false,
+            };
+        }
+    }
+    // Check permissions if required
+    let permission_ok = true;
+    let missing_permissions;
+    if ((options === null || options === void 0 ? void 0 : options.required_permissions) && options.required_permissions.length > 0) {
+        const check_result = check_permissions(permissions, options.required_permissions);
+        permission_ok = check_result.permission_ok;
+        missing_permissions = check_result.missing_permissions;
+        // Log permission denial if enabled
+        if (!permission_ok && config.log_permission_denials) {
+            const client_ip = get_client_ip(request);
+            logger.warn("auth_utility_permission_denied", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                requested_permissions: options.required_permissions,
+                missing_permissions,
+                user_permissions: permissions,
+                ip: client_ip,
+            });
+        }
+        // Throw error if strict mode
+        if (!permission_ok && options.strict) {
+            const friendly_message = get_friendly_error_message(missing_permissions, config);
+            throw new PermissionError(missing_permissions, permissions, options.required_permissions, friendly_message);
+        }
+    }
+    return {
+        authenticated: true,
+        user,
+        permissions,
+        permission_ok,
+        missing_permissions,
+    };
+}

package/dist/lib/auth/index.d.ts

@@ -0,0 +1,9 @@
+export * from "./auth_types";
+export { hazo_get_auth } from "./hazo_get_auth.server";
+export { get_authenticated_user, require_auth, is_authenticated, } from "./auth_utils.server";
+export type { AuthResult, AuthUser } from "./auth_utils.server";
+export { get_server_auth_user } from "./server_auth";
+export type { ServerAuthResult } from "./server_auth";
+export { get_auth_cache, reset_auth_cache } from "./auth_cache";
+export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter";
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAGhE,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/lib/auth/index.js

@@ -0,0 +1,12 @@
+// file_description: barrel export for auth utilities
+// section: type_exports
+export * from "./auth_types";
+// section: server_exports
+export { hazo_get_auth } from "./hazo_get_auth.server";
+export { get_authenticated_user, require_auth, is_authenticated, } from "./auth_utils.server";
+// section: client_exports
+export { get_server_auth_user } from "./server_auth";
+// section: cache_exports
+export { get_auth_cache, reset_auth_cache } from "./auth_cache";
+// section: rate_limiter_exports
+export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter";

package/dist/lib/auth/server_auth.d.ts

@@ -0,0 +1,26 @@
+export type ServerAuthUser = {
+    authenticated: true;
+    user_id: string;
+    email: string;
+    name?: string;
+    email_verified: boolean;
+    is_active: boolean;
+    last_logon?: string;
+    profile_picture_url?: string;
+    profile_source?: "upload" | "library" | "gravatar" | "custom";
+};
+export type ServerAuthResult = ServerAuthUser | {
+    authenticated: false;
+};
+/**
+ * Gets authenticated user in server components/pages
+ * Uses Next.js cookies() function to read authentication cookies
+ * @returns ServerAuthResult with user info or authenticated: false
+ */
+export declare function get_server_auth_user(): Promise<ServerAuthResult>;
+/**
+ * Checks if user is authenticated in server components/pages (simple boolean check)
+ * @returns true if authenticated, false otherwise
+ */
+export declare function is_server_authenticated(): Promise<boolean>;
+//# sourceMappingURL=server_auth.d.ts.map

package/dist/lib/auth/server_auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server_auth.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/server_auth.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,cAAc,GAAG;IAC3B,aAAa,EAAE,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;CAC/D,CAAC;AAEF,MAAM,MAAM,gBAAgB,GACxB,cAAc,GACd;IAAE,aAAa,EAAE,KAAK,CAAA;CAAE,CAAC;AAG7B;;;;GAIG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CA+CtE;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAGhE"}

package/dist/lib/auth/server_auth.js

@@ -0,0 +1,62 @@
+// file_description: server-side auth utilities for server components and pages
+// section: imports
+import { cookies } from "next/headers";
+import { get_hazo_connect_instance } from "hazo_auth/lib/hazo_connect_instance.server";
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "hazo_auth/lib/services/profile_picture_source_mapper";
+// section: functions
+/**
+ * Gets authenticated user in server components/pages
+ * Uses Next.js cookies() function to read authentication cookies
+ * @returns ServerAuthResult with user info or authenticated: false
+ */
+export async function get_server_auth_user() {
+    var _a, _b;
+    const cookie_store = await cookies();
+    const user_id = (_a = cookie_store.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
+    const user_email = (_b = cookie_store.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    if (!user_id || !user_email) {
+        return { authenticated: false };
+    }
+    try {
+        const hazoConnect = get_hazo_connect_instance();
+        const users_service = createCrudService(hazoConnect, "hazo_users");
+        const users = await users_service.findBy({
+            id: user_id,
+            email_address: user_email,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return { authenticated: false };
+        }
+        const user = users[0];
+        // Check if user is active
+        if (user.is_active === false) {
+            return { authenticated: false };
+        }
+        // Map database profile_source to UI representation
+        const profile_source_db = user.profile_source;
+        const profile_source_ui = profile_source_db ? map_db_source_to_ui(profile_source_db) : undefined;
+        return {
+            authenticated: true,
+            user_id: user.id,
+            email: user.email_address,
+            name: user.name || undefined,
+            email_verified: user.email_verified === true,
+            is_active: user.is_active === true,
+            last_logon: user.last_logon || undefined,
+            profile_picture_url: user.profile_picture_url || undefined,
+            profile_source: profile_source_ui,
+        };
+    }
+    catch (error) {
+        return { authenticated: false };
+    }
+}
+/**
+ * Checks if user is authenticated in server components/pages (simple boolean check)
+ * @returns true if authenticated, false otherwise
+ */
+export async function is_server_authenticated() {
+    const result = await get_server_auth_user();
+    return result.authenticated;
+}