hazo_auth 10.2.0 → 10.2.1

package/README.md

@@ -54,6 +54,16 @@ HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
 npm install hazo_secure
 ```
 
+```js
+// 4. Add hazo_secure to serverExternalPackages in next.config.mjs / next.config.js
+//    so the bundler leaves the literal import("hazo_secure/crypto") as a native
+//    external import. Without this, Google sign-in fails with
+//    GoogleTokenStorageUnconfigured even when hazo_secure is installed.
+const nextConfig = {
+  serverExternalPackages: ["hazo_secure", /* ...existing entries */],
+};
+```
+
 **Client Usage:**
 ```tsx
 import { requestGoogleScopes } from "hazo_auth/client";
@@ -1340,6 +1350,10 @@ Google OAuth adds one new dependency:
    HAZO_AUTH_OAUTH_KEY_V1=$(openssl rand -base64 32)
    ```
 3. Install the optional peer: `npm install hazo_secure`
+4. Add `hazo_secure` to `serverExternalPackages` in `next.config.mjs` / `next.config.js`. The
+   service loads encryption via a literal `import("hazo_secure/crypto")`; if the bundler inlines
+   `hazo_secure` instead of treating it as an external import, Google sign-in fails with
+   `GoogleTokenStorageUnconfigured` even when the peer is installed and keys are set.
 
 **Usage:**
 

package/SETUP_CHECKLIST.md

@@ -13,6 +13,7 @@ const nextConfig = {
   serverExternalPackages: [
     "hazo_notify", "argon2",
     "hazo_core", "hazo_config",  // required for Next 16 + Turbopack
+    "hazo_secure",               // required if using Google API token storage (getGoogleToken)
   ],
 };
 ```
@@ -1138,13 +1139,17 @@ ls app/api/hazo_auth/set_password/route.ts
 Only needed if you use `requestGoogleScopes` / `getGoogleToken` for Google API access beyond sign-in:
 
 1. Install optional peer: `npm install hazo_secure`
-2. Run migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
-3. Set env vars:
+2. Add `hazo_secure` to `serverExternalPackages` in `next.config.mjs` / `next.config.js`. The
+   service loads encryption via a literal `import("hazo_secure/crypto")`; if the bundler inlines
+   `hazo_secure` rather than leaving it as a native external import, Google sign-in fails with
+   `GoogleTokenStorageUnconfigured` even when the peer is installed and keys are configured.
+3. Run migration: `npm run migrate -- migrations/021_hazo_google_oauth_tokens.sql`
+4. Set env vars:
    ```env
    HAZO_AUTH_OAUTH_KEY_CURRENT=v1
    HAZO_AUTH_OAUTH_KEY_V1=<base64-32-bytes from: openssl rand -base64 32>
    ```
-4. Wire the new routes in your Next.js app (same pattern as other hazo_auth routes):
+5. Wire the new routes in your Next.js app (same pattern as other hazo_auth routes):
    ```ts
    // app/api/hazo_auth/google/token/route.ts
    export { GET as googleTokenGET, DELETE as googleTokenDELETE } from "hazo_auth/server/routes";

package/cli-src/lib/services/google_token_service.ts

@@ -3,7 +3,6 @@
 import { createCrudService } from "hazo_connect/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
-import { optional_import } from "hazo_core";
 import { randomUUID } from "crypto";
 
 // section: errors
@@ -70,10 +69,32 @@ function makeKeyProvider(
   });
 }
 
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export const _cryptoLoader = {
+  load: (): Promise<typeof import("hazo_secure/crypto")> => import("hazo_secure/crypto"),
+};
+
 async function load_crypto_module() {
-  const cryptoModule = await optional_import<typeof import("hazo_secure/crypto")>(
-    "hazo_secure/crypto"
-  );
+  let cryptoModule: typeof import("hazo_secure/crypto") | null;
+  try {
+    cryptoModule = await _cryptoLoader.load();
+  } catch {
+    cryptoModule = null;
+  }
   if (!cryptoModule) throw new GoogleTokenStorageUnconfigured();
   return cryptoModule;
 }

package/dist/lib/services/google_token_service.d.ts

@@ -21,6 +21,24 @@ export type GoogleTokenStatus = {
     scopes: string;
     expires_at: string | null;
 };
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export declare const _cryptoLoader: {
+    load: () => Promise<typeof import("hazo_secure/crypto")>;
+};
 /**
  * Stores (inserts or updates) Google OAuth tokens for a user, encrypting sensitive fields.
  * Throws GoogleTokenStorageUnconfigured if hazo_secure/crypto is unavailable or keys are missing.

package/dist/lib/services/google_token_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/google_token_service.ts"],"names":[],"mappings":"AAUA,qBAAa,8BAA+B,SAAQ,KAAK;;CAOxD;AAID,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,eAAe,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,cAAc,CAAA;CAAE,CAAC;AAErG,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AA6CF;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,IAAI,CAAC,CA0Ef;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CA6I5B;AAID;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6D1C;AAID;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAexF"}
+{"version":3,"file":"google_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/google_token_service.ts"],"names":[],"mappings":"AASA,qBAAa,8BAA+B,SAAQ,KAAK;;CAOxD;AAID,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,eAAe,GAAG,oBAAoB,GAAG,gBAAgB,GAAG,cAAc,CAAA;CAAE,CAAC;AAErG,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAmCF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,aAAa;gBACd,OAAO,CAAC,cAAc,oBAAoB,CAAC,CAAC;CACvD,CAAC;AAeF;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,IAAI,CAAC,CA0Ef;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CA6I5B;AAID;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6D1C;AAID;;;GAGG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAexF"}

package/dist/lib/services/google_token_service.js

@@ -3,7 +3,6 @@
 import { createCrudService } from "hazo_connect/server";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
-import { optional_import } from "hazo_core";
 import { randomUUID } from "crypto";
 // section: errors
 export class GoogleTokenStorageUnconfigured extends Error {
@@ -26,8 +25,32 @@ function makeKeyProvider(LookupKeyProvider) {
         return undefined;
     });
 }
+/**
+ * Indirection around the hazo_secure/crypto dynamic import.
+ *
+ * The import specifier MUST be a string literal. hazo_secure is an optional
+ * peer dep, so this used to go through hazo_core's `optional_import(pkg)` — but
+ * that performs a dynamic `import(variable)`, which Turbopack/webpack cannot
+ * statically resolve when consumers bundle their server. The import then fails
+ * unconditionally and sign-in dies on GoogleTokenStorageUnconfigured even when
+ * hazo_secure is installed. A literal `import("hazo_secure/crypto")` is left as
+ * a native external import and resolves at runtime (consumers must list
+ * hazo_secure in serverExternalPackages so it isn't bundled).
+ *
+ * Wrapped in an object so tests can stub `_cryptoLoader.load` without touching
+ * the literal specifier. Not part of the public API (underscore-prefixed).
+ */
+export const _cryptoLoader = {
+    load: () => import("hazo_secure/crypto"),
+};
 async function load_crypto_module() {
-    const cryptoModule = await optional_import("hazo_secure/crypto");
+    let cryptoModule;
+    try {
+        cryptoModule = await _cryptoLoader.load();
+    }
+    catch (_a) {
+        cryptoModule = null;
+    }
     if (!cryptoModule)
         throw new GoogleTokenStorageUnconfigured();
     return cryptoModule;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "10.2.0",
+  "version": "10.2.1",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -253,9 +253,9 @@
     "@radix-ui/react-tabs": "^1.1.0",
     "@radix-ui/react-tooltip": "^1.2.0",
     "hazo_api": "^2.4.0",
-    "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.6.0",
-    "hazo_core": "^1.1.0",
+    "hazo_config": "^2.1.11",
+    "hazo_connect": "^3.7.0",
+    "hazo_core": "^1.2.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
     "hazo_secure": "^1.1.0",
@@ -393,9 +393,9 @@
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
     "hazo_api": "^2.4.0",
-    "hazo_config": "^2.1.10",
-    "hazo_connect": "^3.6.0",
-    "hazo_core": "^1.1.0",
+    "hazo_config": "^2.1.11",
+    "hazo_connect": "^3.7.0",
+    "hazo_core": "^1.2.0",
     "hazo_logs": "^2.0.3",
     "hazo_notify": "^6.1.3",
     "hazo_ui": "^4.0.0",