hazo_auth 10.0.0 → 10.1.0

package/dist/lib/services/google_token_service.js

@@ -0,0 +1,319 @@
+// file_description: stores, retrieves, refreshes, and revokes Google OAuth tokens with encrypted persistence
+// section: imports
+import { createCrudService } from "hazo_connect/server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { create_app_logger } from "../app_logger.js";
+import { optional_import } from "hazo_core";
+import { randomUUID } from "crypto";
+// section: errors
+export class GoogleTokenStorageUnconfigured extends Error {
+    constructor() {
+        super("Google token storage is not configured. Set HAZO_AUTH_OAUTH_KEY_CURRENT and HAZO_AUTH_OAUTH_KEY_<ID> env vars.");
+        this.name = "GoogleTokenStorageUnconfigured";
+    }
+}
+// section: cache
+const access_token_cache = new Map();
+// section: helpers
+function makeKeyProvider(LookupKeyProvider) {
+    return new LookupKeyProvider((name) => {
+        if (name === "current")
+            return process.env.HAZO_AUTH_OAUTH_KEY_CURRENT;
+        if (name.startsWith("key_")) {
+            const keyId = name.slice(4).toUpperCase();
+            return process.env[`HAZO_AUTH_OAUTH_KEY_${keyId}`];
+        }
+        return undefined;
+    });
+}
+async function load_crypto_module() {
+    const cryptoModule = await optional_import("hazo_secure/crypto");
+    if (!cryptoModule)
+        throw new GoogleTokenStorageUnconfigured();
+    return cryptoModule;
+}
+// section: store
+/**
+ * Stores (inserts or updates) Google OAuth tokens for a user, encrypting sensitive fields.
+ * Throws GoogleTokenStorageUnconfigured if hazo_secure/crypto is unavailable or keys are missing.
+ */
+export async function store_google_oauth_token(params) {
+    var _a, _b;
+    const logger = create_app_logger();
+    const { encryptField, decryptField: _decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+    const keys = makeKeyProvider(LookupKeyProvider);
+    // Force-fail early if no key is configured
+    try {
+        await keys.current();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_key_provider_failed", {
+            filename: "google_token_service.ts",
+            error: msg,
+        });
+        throw new GoogleTokenStorageUnconfigured();
+    }
+    const refresh_enc = await encryptField(params.refresh_token, {
+        keys,
+        aad: aadFor("hazo_google_oauth_tokens", params.user_id, "refresh_token"),
+    });
+    const refresh_token_enc = JSON.stringify(refresh_enc);
+    let access_token_enc = null;
+    if (params.access_token) {
+        const access_enc = await encryptField(params.access_token, {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", params.user_id, "access_token"),
+        });
+        access_token_enc = JSON.stringify(access_enc);
+    }
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const existing_rows = (await service.findBy({
+        user_id: params.user_id,
+        provider: "google",
+    }));
+    const now = new Date().toISOString();
+    if (existing_rows.length > 0) {
+        const existing = existing_rows[0];
+        await service.updateById(existing.id, {
+            refresh_token_enc,
+            access_token_enc,
+            scopes: params.scopes,
+            expires_at: (_a = params.expires_at) !== null && _a !== void 0 ? _a : null,
+            changed_at: now,
+        });
+        logger.info("google_token_service_token_updated", {
+            filename: "google_token_service.ts",
+            user_id: params.user_id,
+        });
+    }
+    else {
+        await service.insert({
+            id: randomUUID(),
+            user_id: params.user_id,
+            provider: "google",
+            refresh_token_enc,
+            access_token_enc,
+            scopes: params.scopes,
+            expires_at: (_b = params.expires_at) !== null && _b !== void 0 ? _b : null,
+            created_at: now,
+            changed_at: now,
+        });
+        logger.info("google_token_service_token_stored", {
+            filename: "google_token_service.ts",
+            user_id: params.user_id,
+        });
+    }
+}
+// section: get
+/**
+ * Returns a valid access token for the user, refreshing via Google if needed.
+ * Returns a typed error result instead of throwing for expected failure modes.
+ */
+export async function getGoogleToken(userId, opts) {
+    var _a, _b;
+    const logger = create_app_logger();
+    // Check in-memory cache first
+    const cached = access_token_cache.get(userId);
+    if (cached) {
+        const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+        if (still_valid) {
+            logger.info("google_token_service_cache_hit", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+            });
+            // We need scopes from DB even on cache hit when scope check is requested
+            if (!((_a = opts === null || opts === void 0 ? void 0 : opts.scopes) === null || _a === void 0 ? void 0 : _a.length)) {
+                // No scope check needed — return cached token (scopes unknown from cache alone)
+                // Fall through to DB to get scopes for the result shape
+            }
+        }
+    }
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { ok: false, error: "not_connected" };
+    }
+    const row = rows[0];
+    // Scope check
+    if ((_b = opts === null || opts === void 0 ? void 0 : opts.scopes) === null || _b === void 0 ? void 0 : _b.length) {
+        const stored_scopes = row.scopes.split(" ").filter(Boolean);
+        const missing = opts.scopes.some((s) => !stored_scopes.includes(s));
+        if (missing) {
+            return { ok: false, error: "reconsent_required" };
+        }
+    }
+    // Return cached token now that we have the row (scope check passed)
+    if (cached) {
+        const still_valid = new Date(cached.expires_at).getTime() - 60000 > Date.now();
+        if (still_valid) {
+            return { ok: true, access_token: cached.token, scopes: row.scopes };
+        }
+    }
+    // Need to refresh — load crypto
+    let cryptoModule;
+    try {
+        cryptoModule = await load_crypto_module();
+    }
+    catch (_c) {
+        return { ok: false, error: "unconfigured" };
+    }
+    const { decryptField, aadFor, LookupKeyProvider } = cryptoModule;
+    const keys = makeKeyProvider(LookupKeyProvider);
+    let decrypted_refresh;
+    try {
+        decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_decrypt_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    // Call Google token refresh endpoint
+    let resp;
+    try {
+        resp = await fetch("https://oauth2.googleapis.com/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: decrypted_refresh,
+                client_id: process.env.HAZO_AUTH_GOOGLE_CLIENT_ID,
+                client_secret: process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET,
+            }),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("google_token_service_refresh_fetch_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    if (!resp.ok) {
+        logger.warn("google_token_service_refresh_rejected", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            status: resp.status,
+        });
+        return { ok: false, error: "refresh_failed" };
+    }
+    const data = await resp.json();
+    // Persist new access token (encrypted)
+    const new_expires_at = new Date(Date.now() + data.expires_in * 1000).toISOString();
+    try {
+        const { encryptField } = cryptoModule;
+        const access_enc = await encryptField(data.access_token, {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "access_token"),
+        });
+        const access_token_enc = JSON.stringify(access_enc);
+        await service.updateById(row.id, {
+            access_token_enc,
+            expires_at: new_expires_at,
+            changed_at: new Date().toISOString(),
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.warn("google_token_service_persist_access_token_failed", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+            note: "Access token refreshed successfully but could not be persisted",
+        });
+    }
+    // Update in-memory cache
+    access_token_cache.set(userId, { token: data.access_token, expires_at: new_expires_at });
+    logger.info("google_token_service_token_refreshed", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+    });
+    return { ok: true, access_token: data.access_token, scopes: row.scopes };
+}
+// section: revoke
+/**
+ * Revokes the user's Google OAuth tokens — best-effort remote revocation, then deletes DB row.
+ */
+export async function revoke_google_oauth_token(userId) {
+    const logger = create_app_logger();
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { ok: false, error: "not_connected" };
+    }
+    const row = rows[0];
+    // Attempt remote revocation — best effort
+    try {
+        const { decryptField, aadFor, LookupKeyProvider } = await load_crypto_module();
+        const keys = makeKeyProvider(LookupKeyProvider);
+        const decrypted_refresh = await decryptField(JSON.parse(row.refresh_token_enc), {
+            keys,
+            aad: aadFor("hazo_google_oauth_tokens", userId, "refresh_token"),
+        });
+        const revoke_resp = await fetch(`https://oauth2.googleapis.com/revoke?token=${encodeURIComponent(decrypted_refresh)}`, { method: "POST" });
+        if (!revoke_resp.ok) {
+            logger.warn("google_token_service_revoke_remote_failed", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+                status: revoke_resp.status,
+                note: "Google revocation returned non-OK status; proceeding to delete local record",
+            });
+        }
+        else {
+            logger.info("google_token_service_revoke_remote_ok", {
+                filename: "google_token_service.ts",
+                user_id: userId,
+            });
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.warn("google_token_service_revoke_remote_error", {
+            filename: "google_token_service.ts",
+            user_id: userId,
+            error: msg,
+            note: "Remote revocation failed; proceeding to delete local record",
+        });
+    }
+    // Always delete the local row
+    await service.deleteById(row.id);
+    access_token_cache.delete(userId);
+    logger.info("google_token_service_revoked", {
+        filename: "google_token_service.ts",
+        user_id: userId,
+    });
+    return { ok: true };
+}
+// section: status
+/**
+ * Returns connection status and scope information for a user's Google OAuth connection.
+ * Does not decrypt or refresh tokens.
+ */
+export async function get_google_token_status(userId) {
+    var _a;
+    const adapter = get_hazo_connect_instance();
+    const service = createCrudService(adapter, "hazo_google_oauth_tokens");
+    const rows = (await service.findBy({ user_id: userId, provider: "google" }));
+    if (rows.length === 0) {
+        return { connected: false, scopes: "", expires_at: null };
+    }
+    const row = rows[0];
+    return {
+        connected: true,
+        scopes: row.scopes,
+        expires_at: (_a = row.expires_at) !== null && _a !== void 0 ? _a : null,
+    };
+}

package/dist/lib/services/index.d.ts

@@ -18,4 +18,5 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export * from "./google_token_service.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC"}

package/dist/lib/services/index.js

@@ -20,3 +20,4 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export * from "./google_token_service.js";

package/dist/server/routes/google_token.d.ts

@@ -0,0 +1,13 @@
+import type { NextRequest } from "next/server";
+/**
+ * GET /api/hazo_auth/google/token
+ * Returns the current Google OAuth token status for the authenticated user.
+ */
+export declare function GET(request: NextRequest): Promise<Response>;
+/**
+ * DELETE /api/hazo_auth/google/token
+ * Revokes the stored Google OAuth token for the authenticated user.
+ * Does NOT sign the user out.
+ */
+export declare function DELETE(request: NextRequest): Promise<Response>;
+//# sourceMappingURL=google_token.d.ts.map

package/dist/server/routes/google_token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google_token.d.ts","sourceRoot":"","sources":["../../../src/server/routes/google_token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAS/C;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,qBAuB7C;AAGD;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW,qBAuBhD"}

package/dist/server/routes/google_token.js

@@ -0,0 +1,66 @@
+import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
+import { get_google_token_status, revoke_google_oauth_token, } from "../../lib/services/google_token_service.js";
+import { create_app_logger } from "../../lib/app_logger.js";
+// section: get_handler
+/**
+ * GET /api/hazo_auth/google/token
+ * Returns the current Google OAuth token status for the authenticated user.
+ */
+export async function GET(request) {
+    var _a;
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request);
+        if (!((_a = auth.user) === null || _a === void 0 ? void 0 : _a.id)) {
+            return new Response(JSON.stringify({ ok: false, error: "unauthenticated" }), {
+                status: 401,
+                headers: { "Content-Type": "application/json" },
+            });
+        }
+        const status = await get_google_token_status(auth.user.id);
+        return new Response(JSON.stringify({ ok: true, data: status }), {
+            status: 200,
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        logger.error("google_token_get_error", { error: msg });
+        return new Response(JSON.stringify({ ok: false, error: "internal_error" }), {
+            status: 500,
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+}
+// section: delete_handler
+/**
+ * DELETE /api/hazo_auth/google/token
+ * Revokes the stored Google OAuth token for the authenticated user.
+ * Does NOT sign the user out.
+ */
+export async function DELETE(request) {
+    var _a;
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request);
+        if (!((_a = auth.user) === null || _a === void 0 ? void 0 : _a.id)) {
+            return new Response(JSON.stringify({ ok: false, error: "unauthenticated" }), {
+                status: 401,
+                headers: { "Content-Type": "application/json" },
+            });
+        }
+        const result = await revoke_google_oauth_token(auth.user.id);
+        return new Response(JSON.stringify(result), {
+            status: result.ok ? 200 : 400,
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        logger.error("google_token_delete_error", { error: msg });
+        return new Response(JSON.stringify({ ok: false, error: "internal_error" }), {
+            status: 500,
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+}

package/dist/server/routes/index.d.ts

@@ -39,4 +39,5 @@ export { legalDocsAcceptPOST } from './legal_docs_accept.js';
 export { legalDocsPublishPOST } from './legal_docs_publish.js';
 export { consentMeGET } from "./consent_me.js";
 export { stringsDefaultsGET } from "./strings_defaults.js";
+export { GET as googleTokenGET, DELETE as googleTokenDELETE } from "./google_token.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/server/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,IAAI,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACjL,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,GAAG,IAAI,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG5D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,IAAI,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACjL,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,GAAG,IAAI,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG5D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/server/routes/index.js

@@ -56,3 +56,5 @@ export { legalDocsPublishPOST } from './legal_docs_publish.js';
 export { consentMeGET } from "./consent_me.js";
 // Strings routes
 export { stringsDefaultsGET } from "./strings_defaults.js";
+// Google OAuth token routes (status + revoke)
+export { GET as googleTokenGET, DELETE as googleTokenDELETE } from "./google_token.js";

package/dist/server/routes/user_management_users.d.ts

@@ -26,7 +26,7 @@ export declare function GET(request: NextRequest): Promise<NextResponse<{
         profile_source: {} | null;
         user_type: string | null;
         app_user_data: Record<string, unknown> | null;
-        legal_acceptance_status: "none" | "current" | "outdated";
+        legal_acceptance_status: "current" | "none" | "outdated";
     }[];
 }>>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "10.0.0",
+  "version": "10.1.0",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -254,11 +254,12 @@
     "@radix-ui/react-tooltip": "^1.2.0",
     "hazo_api": "^2.3.1",
     "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.4.1",
+    "hazo_connect": "^3.5.1",
     "hazo_core": "^1.1.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
-    "hazo_ui": "^3.2.1",
+    "hazo_secure": "^1.1.0",
+    "hazo_ui": "^3.4.1",
     "input-otp": "^1.4.0",
     "lucide-react": "^0.553.0",
     "next": "^14.0.0",
@@ -287,6 +288,9 @@
     "hazo_notify": {
       "optional": true
     },
+    "hazo_secure": {
+      "optional": true
+    },
     "hazo_ui": {
       "optional": true
     },
@@ -390,11 +394,11 @@
     "eslint-plugin-storybook": "^10.0.6",
     "hazo_api": "^2.3.1",
     "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.4.1",
+    "hazo_connect": "^3.5.1",
     "hazo_core": "^1.1.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
-    "hazo_ui": "^3.2.1",
+    "hazo_ui": "^3.4.1",
     "input-otp": "^1.4.0",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^30.0.0",