hazo_auth 1.6.5 → 1.6.7

package/README.md

@@ -2,6 +2,10 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+### What's New (v1.6.6+)
+
+- **JWT Session Tokens for Edge-Compatible Authentication**: hazo_auth now issues JWT session tokens on login, enabling secure Edge Runtime authentication in Next.js proxy/middleware files. This provides better security than simple cookie checks while maintaining high performance. See [Proxy/Middleware Authentication](#proxymiddleware-authentication) for details.
+
 ## Table of Contents
 
 - [Installation](#installation)
@@ -10,6 +14,7 @@ A reusable authentication UI component package powered by Next.js, TailwindCSS,
 - [Database Setup](#database-setup)
 - [Using Components](#using-components)
 - [Authentication Service](#authentication-service)
+- [Proxy/Middleware Authentication](#proxymiddleware-authentication)
 - [Profile Picture Menu Widget](#profile-picture-menu-widget)
 - [User Profile Service](#user-profile-service)
 - [Local Development](#local-development)
@@ -108,6 +113,8 @@ import { hazo_get_auth } from "hazo_auth/lib/auth/hazo_get_auth.server";
 
 ## Required Dependencies
 
+**Note:** The `jose` package is now included as a dependency for Edge-compatible JWT operations. This is automatically installed when you run `npm install hazo_auth`.
+
 hazo_auth uses shadcn/ui components. Install the required dependencies in your project:
 
 ```bash
@@ -252,8 +259,11 @@ cp node_modules/hazo_auth/hazo_notify_config.example.ini ./hazo_notify_config.in
 
 - Create a `.env.local` file in your project root
 - Add `ZEPTOMAIL_API_KEY=your_api_key_here` (if using Zeptomail)
+- Add `JWT_SECRET=your_secure_random_string_at_least_32_characters` (required for JWT session tokens)
 - Add other sensitive configuration values as needed
 
+**Note:** `JWT_SECRET` is required for JWT session token functionality (used for Edge-compatible proxy/middleware authentication). Generate a secure random string at least 32 characters long.
+
 **Important:** The configuration files must be located in your project root directory (where `process.cwd()` points to), not inside `node_modules`. The package reads configuration from `process.cwd()` at runtime, so storing them elsewhere (including `node_modules/hazo_auth`) will break runtime access.
 
 ---
@@ -611,6 +621,9 @@ import { hazo_get_auth } from "hazo_auth/lib/auth/hazo_get_auth.server";
 
 // Server utilities
 import { ... } from "hazo_auth/server";
+
+// Edge-compatible proxy/middleware authentication (v1.6.6+)
+import { validate_session_cookie } from "hazo_auth/server/middleware";
 ```
 
 **Note:** The package uses relative imports internally. Consumers should only import from the exposed entry points listed above. Do not import from internal paths like `hazo_auth/components/ui/*` - these are internal modules.
@@ -795,6 +808,93 @@ if (data.authenticated) {
 
 **Note:** The `use_auth_status` hook automatically uses this endpoint and includes permissions in its return value.
 
+### Proxy/Middleware Authentication
+
+hazo_auth provides Edge-compatible authentication for Next.js proxy/middleware files. **Note:** Next.js is migrating from `middleware.ts` to `proxy.ts` (see [Next.js documentation](https://nextjs.org/docs/messages/middleware-to-proxy)), but the functionality remains the same.
+
+#### Edge Runtime Limitations
+
+Next.js proxy/middleware runs in Edge Runtime, which cannot use Node.js APIs (like SQLite). Therefore, `hazo_get_auth` cannot be used directly in proxy/middleware because it requires database access.
+
+#### JWT Session Tokens
+
+**New in v1.6.6+:** hazo_auth now issues JWT session tokens on login that can be validated in Edge Runtime:
+
+- **Cookie Name:** `hazo_auth_session`
+- **Token Type:** JWT (signed with `JWT_SECRET`)
+- **Expiry:** 30 days (configurable)
+- **Validation:** Signature and expiry checked without database access
+- **Backward Compatible:** Existing `hazo_auth_user_id` and `hazo_auth_user_email` cookies still work
+
+**Requirements:**
+- `JWT_SECRET` environment variable must be set (see [Configuration Setup](#configuration-setup))
+- The `jose` package is included as a dependency (Edge-compatible JWT library)
+
+#### Using in Proxy/Middleware
+
+**Recommended: Use JWT validation (Edge-compatible)**
+
+```typescript
+// proxy.ts (or middleware.ts - both work)
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { validate_session_cookie } from "hazo_auth/server/middleware";
+
+export async function proxy(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+  
+  // Protect routes
+  if (pathname.startsWith("/members")) {
+    const { valid } = await validate_session_cookie(request);
+    
+    if (!valid) {
+      const login_url = new URL("/hazo_auth/login", request.url);
+      login_url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(login_url);
+    }
+  }
+  
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/((?!api|_next/static|_next/image|favicon.ico).*)"],
+};
+```
+
+**Fallback: Simple cookie check (less secure, but works)**
+
+If JWT validation fails or you need a simpler check:
+
+```typescript
+// proxy.ts
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+
+export async function proxy(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+  
+  if (pathname.startsWith("/members")) {
+    const user_id = request.cookies.get("hazo_auth_user_id")?.value;
+    const user_email = request.cookies.get("hazo_auth_user_email")?.value;
+    
+    if (!user_id || !user_email) {
+      const login_url = new URL("/hazo_auth/login", request.url);
+      login_url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(login_url);
+    }
+  }
+  
+  return NextResponse.next();
+}
+```
+
+**Important Notes:**
+- JWT validation provides better security (signature validation, tamper detection)
+- Simple cookie check is faster but doesn't validate token integrity
+- Full user status checks (e.g., deactivated accounts) happen in API routes/layouts
+- Both approaches work - JWT is recommended for production
+
 ### Server-Side Functions
 
 #### `hazo_get_auth` (Recommended)

package/SETUP_CHECKLIST.md

@@ -196,6 +196,7 @@ HAZO_CONNECT_POSTGREST_API_KEY=your_postgrest_api_key_here
 
 # Required for JWT authentication
 JWT_SECRET=your_secure_random_string_at_least_32_characters
+# Note: JWT_SECRET is required for JWT session token functionality (Edge-compatible proxy/middleware authentication)
 ```
 
 **Generate a secure JWT secret:**
@@ -216,7 +217,7 @@ from_name = Your App Name
 **Checklist:**
 - [ ] `.env.local` file created
 - [ ] `ZEPTOMAIL_API_KEY` set (or email will not work)
-- [ ] `JWT_SECRET` set
+- [ ] `JWT_SECRET` set (required for JWT session tokens - Edge-compatible proxy/middleware authentication)
 - [ ] `from_email` configured in `hazo_notify_config.ini`
 
 ---
@@ -678,6 +679,85 @@ export default function CustomLoginPage() {
 
 ---
 
+## Phase 5.1: Proxy/Middleware Setup (Optional)
+
+**Note:** Next.js is migrating from `middleware.ts` to `proxy.ts` (see [Next.js documentation](https://nextjs.org/docs/messages/middleware-to-proxy)). The functionality remains the same - both work, but `proxy.ts` is the new convention.
+
+If you want to protect routes at the Edge Runtime level (before pages load), create a proxy/middleware file:
+
+### Step 5.1.1: Create Proxy File (Recommended)
+
+Create `proxy.ts` in your project root (or `middleware.ts` - both work):
+
+```typescript
+// proxy.ts (or middleware.ts)
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { validate_session_cookie } from "hazo_auth/server/middleware";
+
+export async function proxy(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+  
+  // Protect your routes (e.g., /members, /dashboard, etc.)
+  if (pathname.startsWith("/members")) {
+    const { valid } = await validate_session_cookie(request);
+    
+    if (!valid) {
+      const login_url = new URL("/hazo_auth/login", request.url);
+      login_url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(login_url);
+    }
+  }
+  
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/((?!api|_next/static|_next/image|favicon.ico).*)"],
+};
+```
+
+### Step 5.1.2: Simple Cookie Check (Alternative)
+
+If you prefer a simpler approach without JWT validation:
+
+```typescript
+// proxy.ts
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+
+export async function proxy(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+  
+  if (pathname.startsWith("/members")) {
+    const user_id = request.cookies.get("hazo_auth_user_id")?.value;
+    const user_email = request.cookies.get("hazo_auth_user_email")?.value;
+    
+    if (!user_id || !user_email) {
+      const login_url = new URL("/hazo_auth/login", request.url);
+      login_url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(login_url);
+    }
+  }
+  
+  return NextResponse.next();
+}
+```
+
+**Important Notes:**
+- Proxy/middleware runs in Edge Runtime (cannot use Node.js APIs like SQLite)
+- JWT validation (`validate_session_cookie`) provides better security
+- Simple cookie check is faster but doesn't validate token integrity
+- Full user validation (e.g., deactivated accounts) happens in API routes/layouts
+- Both `proxy.ts` and `middleware.ts` work - Next.js recommends `proxy.ts`
+
+**Checklist:**
+- [ ] Proxy/middleware file created (optional - only if you need route protection)
+- [ ] Protected routes configured
+- [ ] JWT validation used (recommended) or simple cookie check
+
+---
+
 ## Phase 6: Verification Tests
 
 Run these tests to verify your setup is working correctly.

package/dist/app/api/hazo_auth/login/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/login/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AASxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;;;;IAwK9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/login/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;;;;IAgM9C"}

package/dist/app/api/hazo_auth/login/route.js

@@ -7,6 +7,7 @@ import { authenticate_user } from "../../../../lib/services/login_service";
 import { createCrudService } from "hazo_connect/server";
 import { get_filename, get_line_number } from "../../../../lib/utils/api_route_helpers";
 import { get_login_config } from "../../../../lib/login_config.server";
+import { create_session_token } from "../../../../lib/services/session_token_service";
 // section: api_handler
 export async function POST(request) {
     const logger = create_app_logger();
@@ -124,6 +125,30 @@ export async function POST(request) {
             path: "/",
             maxAge: 60 * 60 * 24 * 30, // 30 days
         });
+        // Create and set JWT session token (for Edge-compatible proxy/middleware)
+        try {
+            const session_token = await create_session_token(user_id, email);
+            response.cookies.set("hazo_auth_session", session_token, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+                sameSite: "lax",
+                path: "/",
+                maxAge: 60 * 60 * 24 * 30, // 30 days
+            });
+        }
+        catch (token_error) {
+            // Log error but don't fail login if token creation fails
+            // Backward compatibility: existing cookies still work
+            const token_error_message = token_error instanceof Error ? token_error.message : "Unknown error";
+            logger.warn("login_session_token_creation_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                email,
+                error: token_error_message,
+                note: "Login succeeded but session token creation failed - using legacy cookies",
+            });
+        }
         return response;
     }
     catch (error) {

package/dist/app/api/hazo_auth/logout/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IA8E9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAmF9C"}

package/dist/app/api/hazo_auth/logout/route.js

@@ -27,6 +27,11 @@ export async function POST(request) {
             expires: new Date(0),
             path: "/",
         });
+        // Clear JWT session token cookie
+        response.cookies.set("hazo_auth_session", "", {
+            expires: new Date(0),
+            path: "/",
+        });
         // Invalidate user cache
         if (user_id) {
             try {

package/dist/components/layouts/register/hooks/use_register_form.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"use_register_form.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/register/hooks/use_register_form.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,KAAK,EAAE,0BAA0B,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AACzH,OAAO,EAAsB,KAAK,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAU3F,MAAM,MAAM,kBAAkB,GAAG,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AACjE,MAAM,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,GAAG;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,MAAM,CAC1C,OAAO,CAAC,eAAe,EAAE,UAAU,GAAG,kBAAkB,CAAC,EACzD,OAAO,CACR,CAAC;AAEF,MAAM,MAAM,qBAAqB,CAAC,OAAO,GAAG,OAAO,IAAI;IACrD,aAAa,EAAE,OAAO,CAAC;IACvB,oBAAoB,EAAE,0BAA0B,CAAC;IACjD,4BAA4B,CAAC,EAAE,4BAA4B,CAAC;IAC5D,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,kBAAkB,EAAE,uBAAuB,CAAC;IAC5C,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,CAAC;IACtB,iBAAiB,EAAE,CAAC,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IACrE,eAAe,EAAE,MAAM,IAAI,CAAC;IAC5B,wBAAwB,EAAE,CAAC,OAAO,EAAE,UAAU,GAAG,kBAAkB,KAAK,IAAI,CAAC;IAC7E,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,IAAI,CAAC;IAChE,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAAC;AAYF,eAAO,MAAM,iBAAiB,GAAI,OAAO,EAAG,kEAKzC,qBAAqB,CAAC,OAAO,CAAC,KAAG,qBAmNnC,CAAC"}
+{"version":3,"file":"use_register_form.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/register/hooks/use_register_form.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,KAAK,EAAE,0BAA0B,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AACzH,OAAO,EAAsB,KAAK,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAU3F,MAAM,MAAM,kBAAkB,GAAG,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AACjE,MAAM,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,GAAG;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,MAAM,CAC1C,OAAO,CAAC,eAAe,EAAE,UAAU,GAAG,kBAAkB,CAAC,EACzD,OAAO,CACR,CAAC;AAEF,MAAM,MAAM,qBAAqB,CAAC,OAAO,GAAG,OAAO,IAAI;IACrD,aAAa,EAAE,OAAO,CAAC;IACvB,oBAAoB,EAAE,0BAA0B,CAAC;IACjD,4BAA4B,CAAC,EAAE,4BAA4B,CAAC;IAC5D,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,kBAAkB,EAAE,uBAAuB,CAAC;IAC5C,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,CAAC;IACtB,iBAAiB,EAAE,CAAC,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IACrE,eAAe,EAAE,MAAM,IAAI,CAAC;IAC5B,wBAAwB,EAAE,CAAC,OAAO,EAAE,UAAU,GAAG,kBAAkB,KAAK,IAAI,CAAC;IAC7E,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,IAAI,CAAC;IAChE,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAAC;AAYF,eAAO,MAAM,iBAAiB,GAAI,OAAO,EAAG,kEAKzC,qBAAqB,CAAC,OAAO,CAAC,KAAG,qBAkPnC,CAAC"}

package/dist/components/layouts/register/hooks/use_register_form.js

@@ -18,7 +18,8 @@ const buildInitialValues = () => ({
 });
 // section: hook
 export const use_register_form = ({ showNameField, passwordRequirements, dataClient, urlOnLogon, }) => {
-    const [values, setValues] = useState(buildInitialValues);
+    const initialValues = useMemo(() => buildInitialValues(), []);
+    const [values, setValues] = useState(initialValues);
     const [errors, setErrors] = useState({});
     const [passwordVisibility, setPasswordVisibility] = useState({
         password: false,
@@ -26,19 +27,44 @@ export const use_register_form = ({ showNameField, passwordRequirements, dataCli
     });
     const [emailTouched, setEmailTouched] = useState(false);
     const [isSubmitting, setIsSubmitting] = useState(false);
+    // Check if form has been edited (changed from initial state)
+    const isFormEdited = useMemo(() => {
+        return Object.entries(values).some(([fieldId, fieldValue]) => {
+            if (fieldId === REGISTER_FIELD_IDS.NAME && !showNameField) {
+                return false;
+            }
+            return fieldValue.trim() !== initialValues[fieldId].trim();
+        });
+    }, [values, initialValues, showNameField]);
     const isSubmitDisabled = useMemo(() => {
+        // Disable if submitting
         if (isSubmitting) {
             return true;
         }
+        // Disable if form hasn't been edited
+        if (!isFormEdited) {
+            return true;
+        }
+        // Disable if there are validation errors (excluding submit errors)
+        const validationErrors = Object.assign({}, errors);
+        delete validationErrors.submit;
+        const hasErrors = Object.keys(validationErrors).length > 0;
+        if (hasErrors) {
+            return true;
+        }
+        // Disable if required fields are empty
         const hasEmptyField = Object.entries(values).some(([fieldId, fieldValue]) => {
             if (fieldId === REGISTER_FIELD_IDS.NAME && !showNameField) {
                 return false;
             }
             return fieldValue.trim() === "";
         });
-        const hasErrors = Object.keys(errors).length > 0;
-        return hasEmptyField || hasErrors;
-    }, [errors, showNameField, values, isSubmitting]);
+        if (hasEmptyField) {
+            return true;
+        }
+        // Enable if form is edited, has no errors, and all required fields are filled
+        return false;
+    }, [errors, showNameField, values, isSubmitting, isFormEdited]);
     const togglePasswordVisibility = useCallback((fieldId) => {
         setPasswordVisibility((previous) => (Object.assign(Object.assign({}, previous), { [fieldId]: !previous[fieldId] })));
     }, []);
@@ -136,7 +162,8 @@ export const use_register_form = ({ showNameField, passwordRequirements, dataCli
                 description: "Your account has been created successfully.",
             });
             // Reset form on success
-            setValues(buildInitialValues());
+            const resetValues = buildInitialValues();
+            setValues(resetValues);
             setErrors({});
             setPasswordVisibility({
                 password: false,
@@ -160,7 +187,8 @@ export const use_register_form = ({ showNameField, passwordRequirements, dataCli
         }
     }, [values, passwordRequirements, dataClient, urlOnLogon]);
     const handleCancel = useCallback(() => {
-        setValues(buildInitialValues());
+        const resetValues = buildInitialValues();
+        setValues(resetValues);
         setErrors({});
         setPasswordVisibility({
             password: false,

package/dist/components/layouts/user_management/index.js

@@ -133,7 +133,7 @@ export function UserManagementLayout({ className }) {
             return;
         setUsersActionLoading(true);
         try {
-            const response = await fetch("/api/user_management/users", {
+            const response = await fetch("/api/hazo_auth/user_management/users", {
                 method: "PATCH",
                 headers: {
                     "Content-Type": "application/json",
@@ -149,7 +149,7 @@ export function UserManagementLayout({ className }) {
                 setDeactivateDialogOpen(false);
                 setSelectedUser(null);
                 // Reload users
-                const reload_response = await fetch("/api/user_management/users");
+                const reload_response = await fetch("/api/hazo_auth/user_management/users");
                 const reload_data = await reload_response.json();
                 if (reload_data.success) {
                     setUsers(reload_data.users);
@@ -172,7 +172,7 @@ export function UserManagementLayout({ className }) {
             return;
         setUsersActionLoading(true);
         try {
-            const response = await fetch("/api/user_management/users", {
+            const response = await fetch("/api/hazo_auth/user_management/users", {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/json",
@@ -224,7 +224,7 @@ export function UserManagementLayout({ className }) {
                     toast.info(`Skipped: ${data.skipped.join(", ")}`);
                 }
                 // Reload permissions
-                const reload_response = await fetch("/api/user_management/permissions");
+                const reload_response = await fetch("/api/hazo_auth/user_management/permissions");
                 const reload_data = await reload_response.json();
                 if (reload_data.success) {
                     const db_perms = reload_data.db_permissions.map((p) => ({
@@ -259,7 +259,7 @@ export function UserManagementLayout({ className }) {
             return;
         setPermissionsActionLoading(true);
         try {
-            const response = await fetch("/api/user_management/permissions", {
+            const response = await fetch("/api/hazo_auth/user_management/permissions", {
                 method: "PUT",
                 headers: {
                     "Content-Type": "application/json",
@@ -276,7 +276,7 @@ export function UserManagementLayout({ className }) {
                 setEditingPermission(null);
                 setEditDescription("");
                 // Reload permissions
-                const reload_response = await fetch("/api/user_management/permissions");
+                const reload_response = await fetch("/api/hazo_auth/user_management/permissions");
                 const reload_data = await reload_response.json();
                 if (reload_data.success) {
                     const db_perms = reload_data.db_permissions.map((p) => ({
@@ -313,7 +313,7 @@ export function UserManagementLayout({ className }) {
         }
         setPermissionsActionLoading(true);
         try {
-            const response = await fetch("/api/user_management/permissions", {
+            const response = await fetch("/api/hazo_auth/user_management/permissions", {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/json",
@@ -330,7 +330,7 @@ export function UserManagementLayout({ className }) {
                 setNewPermissionName("");
                 setNewPermissionDescription("");
                 // Reload permissions
-                const reload_response = await fetch("/api/user_management/permissions");
+                const reload_response = await fetch("/api/hazo_auth/user_management/permissions");
                 const reload_data = await reload_response.json();
                 if (reload_data.success) {
                     const db_perms = reload_data.db_permissions.map((p) => ({
@@ -372,7 +372,7 @@ export function UserManagementLayout({ className }) {
             if (data.success) {
                 toast.success("Permission deleted successfully");
                 // Reload permissions
-                const reload_response = await fetch("/api/user_management/permissions");
+                const reload_response = await fetch("/api/hazo_auth/user_management/permissions");
                 const reload_data = await reload_response.json();
                 if (reload_data.success) {
                     const db_perms = reload_data.db_permissions.map((p) => ({

package/dist/lib/auth/hazo_get_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAE,MAAM,cAAc,CAAC;AAkLlF;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAuIzB"}
+{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EAAE,cAAc,EAAgB,eAAe,EAAE,MAAM,cAAc,CAAC;AAmLlF;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAmKzB"}

package/dist/lib/auth/hazo_get_auth.server.js

@@ -6,6 +6,7 @@ import { PermissionError } from "./auth_types";
 import { get_auth_cache } from "./auth_cache";
 import { get_rate_limiter } from "./auth_rate_limiter";
 import { get_auth_utility_config } from "../auth_utility_config.server";
+import { validate_session_token } from "../services/session_token_service";
 // section: helpers
 /**
  * Gets client IP address from request
@@ -146,14 +147,41 @@ function get_friendly_error_message(missing_permissions, config) {
  * @throws PermissionError if strict mode and permissions are missing
  */
 export async function hazo_get_auth(request, options) {
-    var _a, _b;
+    var _a, _b, _c;
     const logger = create_app_logger();
     const config = get_auth_utility_config();
     const cache = get_auth_cache(config.cache_max_users, config.cache_ttl_minutes, config.cache_max_age_minutes);
     const rate_limiter = get_rate_limiter();
     // Fast path: Check for authentication cookies
-    const user_id = (_a = request.cookies.get("hazo_auth_user_id")) === null || _a === void 0 ? void 0 : _a.value;
-    const user_email = (_b = request.cookies.get("hazo_auth_user_email")) === null || _b === void 0 ? void 0 : _b.value;
+    // Priority: 1. JWT session token (new), 2. Simple cookies (backward compatibility)
+    let user_id;
+    let user_email;
+    // Check for JWT session token first
+    const session_token = (_a = request.cookies.get("hazo_auth_session")) === null || _a === void 0 ? void 0 : _a.value;
+    if (session_token) {
+        try {
+            const token_result = await validate_session_token(session_token);
+            if (token_result.valid && token_result.user_id && token_result.email) {
+                user_id = token_result.user_id;
+                user_email = token_result.email;
+            }
+        }
+        catch (token_error) {
+            // If token validation fails, fall back to simple cookies
+            const token_error_message = token_error instanceof Error ? token_error.message : "Unknown error";
+            logger.debug("auth_utility_jwt_validation_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                error: token_error_message,
+                note: "Falling back to simple cookie check",
+            });
+        }
+    }
+    // Fall back to simple cookies if JWT not present or invalid (backward compatibility)
+    if (!user_id || !user_email) {
+        user_id = (_b = request.cookies.get("hazo_auth_user_id")) === null || _b === void 0 ? void 0 : _b.value;
+        user_email = (_c = request.cookies.get("hazo_auth_user_email")) === null || _c === void 0 ? void 0 : _c.value;
+    }
     if (!user_id || !user_email) {
         // Unauthenticated - check rate limit by IP
         const client_ip = get_client_ip(request);

package/dist/lib/auth/session_token_validator.edge.d.ts

@@ -0,0 +1,15 @@
+import type { NextRequest } from "next/server";
+export type ValidateSessionCookieResult = {
+    valid: boolean;
+    user_id?: string;
+    email?: string;
+};
+/**
+ * Validates session cookie from NextRequest (Edge-compatible)
+ * Extracts hazo_auth_session cookie and validates JWT signature and expiry
+ * Works in Edge Runtime (Next.js proxy/middleware)
+ * @param request - NextRequest object
+ * @returns Validation result with user_id and email if valid
+ */
+export declare function validate_session_cookie(request: NextRequest): Promise<ValidateSessionCookieResult>;
+//# sourceMappingURL=session_token_validator.edge.d.ts.map

package/dist/lib/auth/session_token_validator.edge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session_token_validator.edge.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/session_token_validator.edge.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,MAAM,MAAM,2BAA2B,GAAG;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAsBF;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,2BAA2B,CAAC,CAwCtC"}

package/dist/lib/auth/session_token_validator.edge.js

@@ -0,0 +1,64 @@
+// file_description: Edge-compatible JWT session token validator for Next.js proxy/middleware
+// Uses jose library which works in Edge Runtime
+// section: imports
+import { jwtVerify } from "jose";
+// section: helpers
+/**
+ * Gets JWT secret from environment variables
+ * Works in Edge Runtime (no Node.js APIs)
+ * @returns JWT secret as Uint8Array for jose library
+ */
+function get_jwt_secret() {
+    const jwt_secret = process.env.JWT_SECRET;
+    if (!jwt_secret) {
+        // In Edge Runtime, we can't use logger, so we just return null
+        // The validation will fail gracefully
+        return null;
+    }
+    // Convert string secret to Uint8Array for jose
+    return new TextEncoder().encode(jwt_secret);
+}
+// section: main_function
+/**
+ * Validates session cookie from NextRequest (Edge-compatible)
+ * Extracts hazo_auth_session cookie and validates JWT signature and expiry
+ * Works in Edge Runtime (Next.js proxy/middleware)
+ * @param request - NextRequest object
+ * @returns Validation result with user_id and email if valid
+ */
+export async function validate_session_cookie(request) {
+    var _a;
+    try {
+        // Extract session cookie
+        const session_cookie = (_a = request.cookies.get("hazo_auth_session")) === null || _a === void 0 ? void 0 : _a.value;
+        if (!session_cookie) {
+            return { valid: false };
+        }
+        // Get JWT secret
+        const secret = get_jwt_secret();
+        if (!secret) {
+            // JWT_SECRET not set - cannot validate
+            return { valid: false };
+        }
+        // Verify JWT signature and expiration
+        const { payload } = await jwtVerify(session_cookie, secret, {
+            algorithms: ["HS256"],
+        });
+        // Extract user_id and email from payload
+        const user_id = payload.user_id;
+        const email = payload.email;
+        if (!user_id || !email) {
+            return { valid: false };
+        }
+        return {
+            valid: true,
+            user_id,
+            email,
+        };
+    }
+    catch (error) {
+        // jose throws JWTExpired, JWTInvalid, etc. - these are expected for invalid tokens
+        // In Edge Runtime, we can't log, so we just return invalid
+        return { valid: false };
+    }
+}

package/dist/lib/services/session_token_service.d.ts

@@ -0,0 +1,27 @@
+export type SessionTokenPayload = {
+    user_id: string;
+    email: string;
+    iat: number;
+    exp: number;
+};
+export type ValidateSessionTokenResult = {
+    valid: boolean;
+    user_id?: string;
+    email?: string;
+};
+/**
+ * Creates a JWT session token for a user
+ * Token includes user_id, email, issued at time, and expiration
+ * @param user_id - User ID
+ * @param email - User email address
+ * @returns JWT token string
+ */
+export declare function create_session_token(user_id: string, email: string): Promise<string>;
+/**
+ * Validates a JWT session token
+ * Checks signature and expiration
+ * @param token - JWT token string
+ * @returns Validation result with user_id and email if valid
+ */
+export declare function validate_session_token(token: string): Promise<ValidateSessionTokenResult>;
+//# sourceMappingURL=session_token_service.d.ts.map

package/dist/lib/services/session_token_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAuCF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CA0CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAgDrC"}

package/dist/lib/services/session_token_service.js

@@ -0,0 +1,130 @@
+// file_description: service for creating and validating JWT session tokens for authentication
+// Uses jose library for Edge-compatible JWT operations
+// section: imports
+import { SignJWT, jwtVerify } from "jose";
+import { create_app_logger } from "../app_logger";
+import { get_filename, get_line_number } from "../utils/api_route_helpers";
+// section: helpers
+/**
+ * Gets JWT secret from environment variables
+ * @returns JWT secret as Uint8Array for jose library
+ * @throws Error if JWT_SECRET is not set
+ */
+function get_jwt_secret() {
+    const jwt_secret = process.env.JWT_SECRET;
+    if (!jwt_secret) {
+        const logger = create_app_logger();
+        logger.error("session_token_jwt_secret_missing", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error: "JWT_SECRET environment variable is required",
+        });
+        throw new Error("JWT_SECRET environment variable is required");
+    }
+    // Convert string secret to Uint8Array for jose
+    return new TextEncoder().encode(jwt_secret);
+}
+/**
+ * Gets session token expiry in seconds (default: 30 days)
+ * @returns Number of seconds until token expires
+ */
+function get_session_token_expiry_seconds() {
+    // Default: 30 days = 30 * 24 * 60 * 60 = 2,592,000 seconds
+    const default_expiry_seconds = 60 * 60 * 24 * 30;
+    // Could be extended to read from config in the future
+    // For now, use default 30 days to match cookie expiry
+    return default_expiry_seconds;
+}
+// section: main_functions
+/**
+ * Creates a JWT session token for a user
+ * Token includes user_id, email, issued at time, and expiration
+ * @param user_id - User ID
+ * @param email - User email address
+ * @returns JWT token string
+ */
+export async function create_session_token(user_id, email) {
+    const logger = create_app_logger();
+    try {
+        const secret = get_jwt_secret();
+        const now = Math.floor(Date.now() / 1000); // Current time in seconds
+        const expiry_seconds = get_session_token_expiry_seconds();
+        const exp = now + expiry_seconds;
+        const jwt = await new SignJWT({
+            user_id,
+            email,
+        })
+            .setProtectedHeader({ alg: "HS256" })
+            .setIssuedAt(now)
+            .setExpirationTime(exp)
+            .sign(secret);
+        logger.info("session_token_created", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+            expires_in_seconds: expiry_seconds,
+        });
+        return jwt;
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        const error_stack = error instanceof Error ? error.stack : undefined;
+        logger.error("session_token_creation_failed", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+            error_message,
+            error_stack,
+        });
+        throw new Error("Failed to create session token");
+    }
+}
+/**
+ * Validates a JWT session token
+ * Checks signature and expiration
+ * @param token - JWT token string
+ * @returns Validation result with user_id and email if valid
+ */
+export async function validate_session_token(token) {
+    const logger = create_app_logger();
+    try {
+        const secret = get_jwt_secret();
+        const { payload } = await jwtVerify(token, secret, {
+            algorithms: ["HS256"],
+        });
+        // Extract user_id and email from payload
+        const user_id = payload.user_id;
+        const email = payload.email;
+        if (!user_id || !email) {
+            logger.warn("session_token_invalid_payload", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                error: "Token payload missing user_id or email",
+            });
+            return { valid: false };
+        }
+        logger.info("session_token_validated", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+        });
+        return {
+            valid: true,
+            user_id,
+            email,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        // jose throws JWTExpired, JWTInvalid, etc. - these are expected for invalid tokens
+        logger.debug("session_token_validation_failed", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error_message,
+        });
+        return { valid: false };
+    }
+}

package/dist/server/middleware.d.ts

@@ -0,0 +1,3 @@
+export { validate_session_cookie } from "../lib/auth/session_token_validator.edge.js";
+export type { ValidateSessionCookieResult } from "../lib/auth/session_token_validator.edge.js";
+//# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACtF,YAAY,EAAE,2BAA2B,EAAE,MAAM,6CAA6C,CAAC"}

package/dist/server/middleware.js

@@ -0,0 +1,5 @@
+// file_description: utility module for Edge-compatible proxy/middleware authentication
+// This is a utility module, not a Next.js middleware/proxy file
+// Exports functions for use in consuming apps' proxy.ts or middleware.ts files
+// section: imports
+export { validate_session_cookie } from "../lib/auth/session_token_validator.edge.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "1.6.5",
+  "version": "1.6.7",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",
@@ -60,6 +60,10 @@
       "types": "./dist/server/routes/index.d.ts",
       "import": "./dist/server/routes/index.js"
     },
+    "./server/middleware": {
+      "types": "./dist/server/middleware.d.ts",
+      "import": "./dist/server/middleware.js"
+    },
     "./pages": {
       "types": "./dist/page_components/index.d.ts",
       "import": "./dist/page_components/index.js"
@@ -145,6 +149,7 @@
     "hazo_notify": "^1.0.0",
     "helmet": "^8.1.0",
     "ini": "^6.0.0",
+    "jose": "^5.9.6",
     "jsonwebtoken": "^9.0.2",
     "lucide-react": "^0.553.0",
     "mime-types": "^3.0.1",