hazo_auth 10.0.0 → 10.1.0

package/README.md

@@ -2,6 +2,64 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+### What's New in v10.1.0 🚀
+
+**Incremental Google OAuth Scopes & Server-Side Token Access** — Grant additional Google API scopes (Analytics, Sheets, Drive, etc.) without creating a separate OAuth app. Store encrypted tokens server-side and access them programmatically.
+
+**New Features:**
+- **`hazo_google_oauth_tokens` table** (migration 021) — Encrypted AES-256-GCM storage for Google OAuth tokens with scope tracking
+- **Token Service Exports** from `hazo_auth/server-lib`:
+  - `store_google_oauth_token(user_id, tokens, scopes)` — Save OAuth tokens after user grants new scopes
+  - `getGoogleToken(user_id, opts?)` — Get a fresh access token (refreshes if expired)
+  - `revoke_google_oauth_token(user_id)` — Permanently revoke stored token and forget scopes
+  - `get_google_token_status(user_id)` — Check connection status, scopes, and expiry
+- **Client Helper** — `requestGoogleScopes(scopes, opts?)` from `hazo_auth/client` triggers Google consent prompt for incremental scopes
+- **HTTP Routes:**
+  - `GET /api/hazo_auth/google/token` — Returns `{ connected, scopes, expires_at }`
+  - `DELETE /api/hazo_auth/google/token` — Revoke stored token without signing user out
+- **NextAuth Config Updates** — Captures `refresh_token` and adds `include_granted_scopes: true` parameter for incremental scope flow
+- **Route Handler Exports** from `hazo_auth/server/routes`:
+  - `googleTokenGET` — implements GET status endpoint
+  - `googleTokenDELETE` — implements DELETE revoke endpoint
+
+**Setup:**
+```bash
+# 1. Run the migration
+npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql
+
+# 2. Set encryption environment variables
+HAZO_AUTH_OAUTH_KEY_CURRENT=v1
+HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
+
+# 3. Install optional peer (for token encryption)
+npm install hazo_secure
+```
+
+**Client Usage:**
+```tsx
+import { requestGoogleScopes } from "hazo_auth/client";
+
+<button onClick={() => requestGoogleScopes([
+  "https://www.googleapis.com/auth/analytics.readonly"
+])}>
+  Connect Google Analytics
+</button>
+```
+
+**Server Usage:**
+```ts
+import { getGoogleToken } from "hazo_auth/server-lib";
+
+const result = await getGoogleToken(userId, {
+  scopes: ["https://www.googleapis.com/auth/analytics.readonly"]
+});
+if (result.ok) {
+  // use result.access_token to call Google APIs
+}
+```
+
+See [Google API Access (Incremental Scopes)](#google-api-access-incremental-scopes) below for full details.
+
 ### What's New in v9.1.1 🔧
 
 **Dev-server noise fixes for Next.js 16 + Turbopack**
@@ -1251,6 +1309,48 @@ Google OAuth adds one new dependency:
 - Check logs for `invitation_table_missing` warnings
 - If using custom paths, set `create_firm_url` to your app's create firm page URL
 
+### Google API Access (Incremental Scopes)
+
+`hazo_auth` v10.1+ supports granting additional Google API scopes (Analytics, Sheets, etc.) without a separate OAuth app.
+
+**Setup:**
+1. Run the migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
+2. Set encryption env vars:
+   ```bash
+   HAZO_AUTH_OAUTH_KEY_CURRENT=v1
+   HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
+   ```
+3. Install the optional peer: `npm install hazo_secure`
+
+**Usage:**
+
+```tsx
+// Client component — triggers Google consent for extra scopes
+import { requestGoogleScopes } from "hazo_auth/client";
+
+<button onClick={() => requestGoogleScopes([
+  "https://www.googleapis.com/auth/analytics.readonly"
+])}>
+  Connect Analytics
+</button>
+```
+
+```ts
+// Server action / API route — get a fresh access token
+import { getGoogleToken } from "hazo_auth/server-lib";
+
+const result = await getGoogleToken(userId, {
+  scopes: ["https://www.googleapis.com/auth/analytics.readonly"]
+});
+if (result.ok) {
+  // use result.access_token to call Google APIs
+}
+```
+
+The incremental scope token is stored and revoked independently of the user's sign-in session. `DELETE /api/hazo_auth/google/token` removes the stored token without signing the user out.
+
+**Status endpoint:** `GET /api/hazo_auth/google/token` returns `{ connected, scopes, expires_at }`.
+
 ---
 
 ## Using Components

package/SETUP_CHECKLIST.md

@@ -1133,6 +1133,24 @@ ls app/api/hazo_auth/set_password/route.ts
 - [ ] OAuth API routes created (`[...nextauth]`, `oauth/google/callback`, `set_password`)
 - [ ] Post-login redirect configured (if not using invitations, set `skip_invitation_check = true`)
 
+#### Google API Token Storage (optional — required for `getGoogleToken`)
+
+Only needed if you use `requestGoogleScopes` / `getGoogleToken` for Google API access beyond sign-in:
+
+1. Install optional peer: `npm install hazo_secure`
+2. Run migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
+3. Set env vars:
+   ```env
+   HAZO_AUTH_OAUTH_KEY_CURRENT=v1
+   HAZO_AUTH_OAUTH_KEY_V1=<base64-32-bytes from: openssl rand -base64 32>
+   ```
+4. Wire the new routes in your Next.js app (same pattern as other hazo_auth routes):
+   ```ts
+   // app/api/hazo_auth/google/token/route.ts
+   export { GET as googleTokenGET, DELETE as googleTokenDELETE } from "hazo_auth/server/routes";
+   export const dynamic = "force-dynamic";
+   ```
+
 ---
 
 ## Phase 4: API Routes

package/cli-src/lib/auth/nextauth_config.ts

@@ -11,6 +11,7 @@ import { get_oauth_config } from "../oauth_config.server.js";
 import { handle_google_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
+import { store_google_oauth_token, GoogleTokenStorageUnconfigured } from "../services/google_token_service.js";
 
 // section: types
 export type NextAuthCallbackUser = {
@@ -27,6 +28,8 @@ export type NextAuthCallbackAccount = {
   access_token?: string;
   id_token?: string;
   expires_at?: number;
+  refresh_token?: string;
+  scope?: string;
 };
 
 export type NextAuthCallbackProfile = {
@@ -62,6 +65,7 @@ export function get_nextauth_config(): AuthOptions {
               prompt: "consent",
               access_type: "offline",
               response_type: "code",
+              include_granted_scopes: "true",
             },
           },
         })
@@ -170,6 +174,43 @@ export function get_nextauth_config(): AuthOptions {
             // Store user_id in account for the JWT callback to pick up
             (account as Record<string, unknown>).hazo_user_id = result.user_id;
 
+            // Capture refresh token when extra scopes were granted
+            const BASE_SCOPES = ["openid", "email", "profile"];
+            const granted_scopes = (account.scope ?? "").split(" ").filter(Boolean);
+            const has_extra_scopes = granted_scopes.some(s => !BASE_SCOPES.includes(s));
+
+            if (account.refresh_token && has_extra_scopes) {
+              try {
+                await store_google_oauth_token({
+                  user_id: result.user_id!,
+                  refresh_token: account.refresh_token,
+                  access_token: account.access_token,
+                  scopes: account.scope ?? "",
+                  expires_at: account.expires_at
+                    ? new Date(account.expires_at * 1000).toISOString()
+                    : undefined,
+                });
+                logger.info("nextauth_google_token_stored", {
+                  user_id: result.user_id,
+                  scopes: account.scope,
+                });
+              } catch (tokenError) {
+                if (tokenError instanceof GoogleTokenStorageUnconfigured) {
+                  logger.error("nextauth_google_token_storage_unconfigured", {
+                    user_id: result.user_id,
+                    error: tokenError.message,
+                  });
+                  return "/api/auth/error?error=GoogleTokenStorageUnconfigured";
+                }
+                const errorMsg = tokenError instanceof Error ? tokenError.message : String(tokenError);
+                logger.error("nextauth_google_token_store_failed", {
+                  user_id: result.user_id,
+                  error: errorMsg,
+                });
+                // Non-fatal: continue sign-in even if token storage fails
+              }
+            }
+
             return true;
           } catch (error) {
             const errorMessage = error instanceof Error ? error.message : "Unknown error";

package/cli-src/lib/auth/request_google_scopes.ts

@@ -0,0 +1,23 @@
+// file_description: client helper to trigger incremental Google OAuth scope consent
+"use client";
+
+import { signIn } from "next-auth/react";
+
+/**
+ * Triggers an incremental Google OAuth consent flow to grant additional scopes.
+ * Call from a client component when the user needs to grant extra Google API access
+ * (e.g. analytics, sheets). On completion, hazo_auth stores the refresh token.
+ */
+export function requestGoogleScopes(
+  scopes: string[],
+  opts?: { callbackUrl?: string }
+): ReturnType<typeof signIn> {
+  const scope = Array.from(
+    new Set(["openid", "email", "profile", ...scopes])
+  ).join(" ");
+  return signIn(
+    "google",
+    { callbackUrl: opts?.callbackUrl ?? "/" },
+    { scope, access_type: "offline", include_granted_scopes: "true", prompt: "consent" }
+  );
+}

package/cli-src/lib/schema/sqlite_schema.ts

@@ -161,4 +161,20 @@ CREATE INDEX IF NOT EXISTS idx_hazo_user_relationships_child ON hazo_user_relati
 -- Firm admin role (for firm creators)
 INSERT OR IGNORE INTO hazo_roles (id, role_name, created_at, changed_at)
 VALUES (lower(hex(randomblob(4)) || '-' || hex(randomblob(2)) || '-4' || substr(hex(randomblob(2)),2) || '-' || substr('89ab',abs(random()) % 4 + 1, 1) || substr(hex(randomblob(2)),2) || '-' || hex(randomblob(6))), 'firm_admin', datetime('now'), datetime('now'));
+
+-- Google OAuth tokens (encrypted refresh/access tokens for extra-scope API access)
+CREATE TABLE IF NOT EXISTS hazo_google_oauth_tokens (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES hazo_users(id) ON DELETE CASCADE,
+  provider TEXT NOT NULL DEFAULT 'google',
+  refresh_token_enc TEXT NOT NULL,
+  access_token_enc TEXT,
+  scopes TEXT NOT NULL DEFAULT '',
+  expires_at TEXT,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  changed_at TEXT NOT NULL DEFAULT (datetime('now')),
+  UNIQUE(user_id, provider)
+);
+
+CREATE INDEX IF NOT EXISTS idx_hazo_google_oauth_tokens_user ON hazo_google_oauth_tokens(user_id);
 `;

package/cli-src/lib/services/google_token_service.ts

@@ -0,0 +1,408 @@
+// file_description: stores, retrieves, refreshes, and revokes Google OAuth tokens with encrypted persistence
+// section: imports
+import { createCrudService } from "hazo_connect/server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { create_app_logger } from "../app_logger.js";
+import { optional_import } from "hazo_core";
+import { randomUUID } from "crypto";
+
+// section: errors
+
+export class GoogleTokenStorageUnconfigured extends Error {
+  constructor() {
+    super(
+      "Google token storage is not configured. Set HAZO_AUTH_OAUTH_KEY_CURRENT and HAZO_AUTH_OAUTH_KEY_<ID> env vars."
+    );
+    this.name = "GoogleTokenStorageUnconfigured";
+  }
+}
+
+// section: types
+
+export type StoreGoogleOAuthTokenParams = {
+  user_id: string;
+  refresh_token: string;
+  access_token?: string;
+  scopes: string; // space-delimited
+  expires_at?: string; // ISO string for access token expiry
+};
+
+export type GoogleTokenResult =
+  | { ok: true; access_token: string; scopes: string }
+  | { ok: false; error: "not_connected" | "reconsent_required" | "refresh_failed" | "unconfigured" };
+
+export type GoogleTokenStatus = {
+  connected: boolean;
+  scopes: string;
+  expires_at: string | null;
+};
+
+// section: internal-types
+
+type GoogleOAuthRow = {
+  id: string;
+  user_id: string;
+  provider: string;
+  refresh_token_enc: string;
+  access_token_enc: string | null;
+  scopes: string;
+  expires_at: string | null;
+  created_at: string;
+  changed_at: string;
+};
+
+// section: cache
+
+const access_token_cache = new Map<string, { token: string; expires_at: string }>();
+
+// section: helpers
+
+function makeKeyProvider(
+  LookupKeyProvider: new (lookup: (name: string) => string | undefined) => unknown
+) {
+  return new LookupKeyProvider((name: string) => {
+    if (name === "current") return process.env.HAZO_AUTH_OAUTH_KEY_CURRENT;
+    if (name.startsWith("key_")) {
+      const keyId = name.slice(4).toUpperCase();
+      return process.env[`HAZO_AUTH_OAUTH_KEY_${keyId}`];
+    }
+    return undefined;
+  });
+}
+
+async function load_crypto_module() {
+  const cryptoModule = await optional_import<typeof import("hazo_secure/crypto")>(
+    "hazo_secure/crypto"
+  );
+  if (!cryptoModule) throw new GoogleTokenStorageUnconfigured();
+  return cryptoModule;
+}
+
+// section: store
+
+/**
+ * Stores (inserts or updates) Google OAuth tokens for a user, encrypting sensitive fields.
+ * Throws GoogleTokenStorageUnconfigured if hazo_secure/crypto is unavailable or keys are missing.
+ */
+export async function store_google_oauth_token(
+  params: StoreGoogleOAuthTokenParams
+): Promise<void> {
+  const logger = create_app_logger();
+
+  const { encryptField, decryptField: _decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+
+  const keys = makeKeyProvider(LookupKeyProvider as new (lookup: (name: string) => string | undefined) => unknown) as Parameters<typeof encryptField>[1]["keys"];
+
+  // Force-fail early if no key is configured
+  try {
+    await (keys as unknown as { current(): Promise<unknown> }).current();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.error("google_token_service_key_provider_failed", {
+      filename: "google_token_service.ts",
+      error: msg,
+    });
+    throw new GoogleTokenStorageUnconfigured();
+  }
+
+  const refresh_enc = await encryptField(params.refresh_token, {
+    keys,
+    aad: aadFor("hazo_google_oauth_tokens", params.user_id, "refresh_token"),
+  });
+  const refresh_token_enc = JSON.stringify(refresh_enc);
+
+  let access_token_enc: string | null = null;
+  if (params.access_token) {
+    const access_enc = await encryptField(params.access_token, {
+      keys,
+      aad: aadFor("hazo_google_oauth_tokens", params.user_id, "access_token"),
+    });
+    access_token_enc = JSON.stringify(access_enc);
+  }
+
+  const adapter = get_hazo_connect_instance();
+  const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+
+  const existing_rows = (await service.findBy({
+    user_id: params.user_id,
+    provider: "google",
+  })) as GoogleOAuthRow[];
+
+  const now = new Date().toISOString();
+
+  if (existing_rows.length > 0) {
+    const existing = existing_rows[0];
+    await service.updateById(existing.id, {
+      refresh_token_enc,
+      access_token_enc,
+      scopes: params.scopes,
+      expires_at: params.expires_at ?? null,
+      changed_at: now,
+    });
+    logger.info("google_token_service_token_updated", {
+      filename: "google_token_service.ts",
+      user_id: params.user_id,
+    });
+  } else {
+    await service.insert({
+      id: randomUUID(),
+      user_id: params.user_id,
+      provider: "google",
+      refresh_token_enc,
+      access_token_enc,
+      scopes: params.scopes,
+      expires_at: params.expires_at ?? null,
+      created_at: now,
+      changed_at: now,
+    });
+    logger.info("google_token_service_token_stored", {
+      filename: "google_token_service.ts",
+      user_id: params.user_id,
+    });
+  }
+}
+
+// section: get
+
+/**
+ * Returns a valid access token for the user, refreshing via Google if needed.
+ * Returns a typed error result instead of throwing for expected failure modes.
+ */
+export async function getGoogleToken(
+  userId: string,
+  opts?: { scopes?: string[] }
+): Promise<GoogleTokenResult> {
+  const logger = create_app_logger();
+
+  // Check in-memory cache first
+  const cached = access_token_cache.get(userId);
+  if (cached) {
+    const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+    if (still_valid) {
+      logger.info("google_token_service_cache_hit", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+      });
+      // We need scopes from DB even on cache hit when scope check is requested
+      if (!opts?.scopes?.length) {
+        // No scope check needed — return cached token (scopes unknown from cache alone)
+        // Fall through to DB to get scopes for the result shape
+      }
+    }
+  }
+
+  const adapter = get_hazo_connect_instance();
+  const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+
+  const rows = (await service.findBy({ user_id: userId, provider: "google" })) as GoogleOAuthRow[];
+  if (rows.length === 0) {
+    return { ok: false, error: "not_connected" };
+  }
+
+  const row = rows[0];
+
+  // Scope check
+  if (opts?.scopes?.length) {
+    const stored_scopes = row.scopes.split(" ").filter(Boolean);
+    const missing = opts.scopes.some((s) => !stored_scopes.includes(s));
+    if (missing) {
+      return { ok: false, error: "reconsent_required" };
+    }
+  }
+
+  // Return cached token now that we have the row (scope check passed)
+  if (cached) {
+    const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+    if (still_valid) {
+      return { ok: true, access_token: cached.token, scopes: row.scopes };
+    }
+  }
+
+  // Need to refresh — load crypto
+  let cryptoModule: Awaited<ReturnType<typeof load_crypto_module>>;
+  try {
+    cryptoModule = await load_crypto_module();
+  } catch {
+    return { ok: false, error: "unconfigured" };
+  }
+
+  const { decryptField, aadFor, LookupKeyProvider } = cryptoModule;
+  const keys = makeKeyProvider(LookupKeyProvider as new (lookup: (name: string) => string | undefined) => unknown) as Parameters<typeof cryptoModule.encryptField>[1]["keys"];
+
+  let decrypted_refresh: string;
+  try {
+    decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+      keys,
+      aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.error("google_token_service_decrypt_failed", {
+      filename: "google_token_service.ts",
+      user_id: userId,
+      error: msg,
+    });
+    return { ok: false, error: "refresh_failed" };
+  }
+
+  // Call Google token refresh endpoint
+  let resp: Response;
+  try {
+    resp = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: decrypted_refresh,
+        client_id: process.env.HAZO_AUTH_GOOGLE_CLIENT_ID!,
+        client_secret: process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET!,
+      }),
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.error("google_token_service_refresh_fetch_failed", {
+      filename: "google_token_service.ts",
+      user_id: userId,
+      error: msg,
+    });
+    return { ok: false, error: "refresh_failed" };
+  }
+
+  if (!resp.ok) {
+    logger.warn("google_token_service_refresh_rejected", {
+      filename: "google_token_service.ts",
+      user_id: userId,
+      status: resp.status,
+    });
+    return { ok: false, error: "refresh_failed" };
+  }
+
+  const data = await resp.json() as { access_token: string; expires_in: number };
+
+  // Persist new access token (encrypted)
+  const new_expires_at = new Date(Date.now() + data.expires_in * 1000).toISOString();
+  try {
+    const { encryptField } = cryptoModule;
+    const access_enc = await encryptField(data.access_token, {
+      keys,
+      aad: aadFor("hazo_google_oauth_tokens", userId, "access_token"),
+    });
+    const access_token_enc = JSON.stringify(access_enc);
+    await service.updateById(row.id, {
+      access_token_enc,
+      expires_at: new_expires_at,
+      changed_at: new Date().toISOString(),
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.warn("google_token_service_persist_access_token_failed", {
+      filename: "google_token_service.ts",
+      user_id: userId,
+      error: msg,
+      note: "Access token refreshed successfully but could not be persisted",
+    });
+  }
+
+  // Update in-memory cache
+  access_token_cache.set(userId, { token: data.access_token, expires_at: new_expires_at });
+
+  logger.info("google_token_service_token_refreshed", {
+    filename: "google_token_service.ts",
+    user_id: userId,
+  });
+
+  return { ok: true, access_token: data.access_token, scopes: row.scopes };
+}
+
+// section: revoke
+
+/**
+ * Revokes the user's Google OAuth tokens — best-effort remote revocation, then deletes DB row.
+ */
+export async function revoke_google_oauth_token(
+  userId: string
+): Promise<{ ok: boolean; error?: string }> {
+  const logger = create_app_logger();
+
+  const adapter = get_hazo_connect_instance();
+  const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+
+  const rows = (await service.findBy({ user_id: userId, provider: "google" })) as GoogleOAuthRow[];
+  if (rows.length === 0) {
+    return { ok: false, error: "not_connected" };
+  }
+
+  const row = rows[0];
+
+  // Attempt remote revocation — best effort
+  try {
+    const { decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+    const keys = makeKeyProvider(LookupKeyProvider as new (lookup: (name: string) => string | undefined) => unknown) as Parameters<typeof decryptField>[1]["keys"];
+
+    const decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+      keys,
+      aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+    });
+
+    const revoke_resp = await fetch(
+      `https://oauth2.googleapis.com/revoke?token=${encodeURIComponent(decrypted_refresh)}`,
+      { method: "POST" }
+    );
+
+    if (!revoke_resp.ok) {
+      logger.warn("google_token_service_revoke_remote_failed", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+        status: revoke_resp.status,
+        note: "Google revocation returned non-OK status; proceeding to delete local record",
+      });
+    } else {
+      logger.info("google_token_service_revoke_remote_ok", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+      });
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.warn("google_token_service_revoke_remote_error", {
+      filename: "google_token_service.ts",
+      user_id: userId,
+      error: msg,
+      note: "Remote revocation failed; proceeding to delete local record",
+    });
+  }
+
+  // Always delete the local row
+  await service.deleteById(row.id);
+  access_token_cache.delete(userId);
+
+  logger.info("google_token_service_revoked", {
+    filename: "google_token_service.ts",
+    user_id: userId,
+  });
+
+  return { ok: true };
+}
+
+// section: status
+
+/**
+ * Returns connection status and scope information for a user's Google OAuth connection.
+ * Does not decrypt or refresh tokens.
+ */
+export async function get_google_token_status(userId: string): Promise<GoogleTokenStatus> {
+  const adapter = get_hazo_connect_instance();
+  const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+
+  const rows = (await service.findBy({ user_id: userId, provider: "google" })) as GoogleOAuthRow[];
+  if (rows.length === 0) {
+    return { connected: false, scopes: "", expires_at: null };
+  }
+
+  const row = rows[0];
+  return {
+    connected: true,
+    scopes: row.scopes,
+    expires_at: row.expires_at ?? null,
+  };
+}

package/cli-src/lib/services/index.ts

@@ -20,5 +20,5 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
-
+export * from "./google_token_service.js";
 

package/dist/client.d.ts

@@ -9,4 +9,5 @@ export { use_firm_branding, use_current_user_branding } from "./components/layou
 export type { FirmBranding, UseFirmBrandingOptions, UseFirmBrandingResult } from "./components/layouts/shared/hooks/use_firm_branding";
 export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION } from "./lib/constants.js";
 export * from "./components/layouts/shared/utils/validation.js";
+export { requestGoogleScopes } from "./lib/auth/request_google_scopes.js";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAIxG,cAAc,8CAA8C,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAYA,cAAc,oBAAoB,CAAC;AAInC,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAInI,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAIpD,cAAc,uBAAuB,CAAC;AAItC,OAAO,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,mDAAmD,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC3G,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,iDAAiD,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,qDAAqD,CAAC;AACnH,YAAY,EAAE,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,qDAAqD,CAAC;AAGvI,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAIxG,cAAc,8CAA8C,CAAC;AAG7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC"}

package/dist/client.js

@@ -29,3 +29,5 @@ export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS, GLOBAL_ADMIN_PERMISSION }
 // section: validation_exports
 // Client-side validation utilities
 export * from "./components/layouts/shared/utils/validation.js";
+// section: google_oauth_exports
+export { requestGoogleScopes } from "./lib/auth/request_google_scopes.js";