hazo_auth 4.0.0 → 4.2.0

package/dist/lib/auth/nextauth_config.js

@@ -0,0 +1,171 @@
+import GoogleProvider from "next-auth/providers/google";
+import { get_oauth_config } from "../oauth_config.server";
+import { handle_google_oauth_login } from "../services/oauth_service";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { create_app_logger } from "../app_logger";
+// section: config
+/**
+ * Gets NextAuth.js configuration with enabled OAuth providers
+ * Providers are dynamically configured based on hazo_auth_config.ini settings
+ * @returns NextAuth configuration object
+ */
+export function get_nextauth_config() {
+    const oauth_config = get_oauth_config();
+    const providers = [];
+    // Add Google provider if enabled
+    if (oauth_config.enable_google) {
+        const client_id = process.env.HAZO_AUTH_GOOGLE_CLIENT_ID;
+        const client_secret = process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET;
+        if (client_id && client_secret) {
+            providers.push(GoogleProvider({
+                clientId: client_id,
+                clientSecret: client_secret,
+                authorization: {
+                    params: {
+                        prompt: "consent",
+                        access_type: "offline",
+                        response_type: "code",
+                    },
+                },
+            }));
+        }
+    }
+    return {
+        providers,
+        pages: {
+            // Use hazo_auth login page for sign-in errors
+            signIn: "/hazo_auth/login",
+            error: "/hazo_auth/login",
+        },
+        callbacks: {
+            /**
+             * Redirect callback - controls where users go after authentication
+             * We redirect to our custom callback handler to create hazo_auth session
+             */
+            async redirect({ url, baseUrl }) {
+                // Log for debugging
+                console.log("[NextAuth redirect callback]", { url, baseUrl });
+                // Always redirect to our custom callback after sign-in to set hazo_auth cookies
+                // The callbackUrl from signIn() comes through as `url`
+                if (url.includes("/api/hazo_auth/oauth/google/callback")) {
+                    return url;
+                }
+                // If URL is relative or same origin, allow it
+                if (url.startsWith("/")) {
+                    return `${baseUrl}${url}`;
+                }
+                if (url.startsWith(baseUrl)) {
+                    return url;
+                }
+                // Default: redirect to our custom OAuth callback to set cookies
+                return `${baseUrl}/api/hazo_auth/oauth/google/callback`;
+            },
+            /**
+             * Sign-in callback - handle user creation/linking for Google OAuth
+             */
+            async signIn({ account, profile, user, }) {
+                var _a;
+                const logger = create_app_logger();
+                if ((account === null || account === void 0 ? void 0 : account.provider) === "google" && profile) {
+                    try {
+                        const googleProfile = profile;
+                        const hazoConnect = get_hazo_connect_instance();
+                        logger.info("nextauth_google_signin_attempt", {
+                            email: user.email,
+                            google_id: googleProfile.sub,
+                            name: user.name,
+                        });
+                        // Handle the Google OAuth login (create user or link account)
+                        const result = await handle_google_oauth_login(hazoConnect, {
+                            google_id: googleProfile.sub || account.providerAccountId,
+                            email: user.email || googleProfile.email || "",
+                            name: user.name || googleProfile.name || undefined,
+                            profile_picture_url: user.image || googleProfile.picture || undefined,
+                            email_verified: (_a = googleProfile.email_verified) !== null && _a !== void 0 ? _a : true,
+                        });
+                        if (!result.success) {
+                            logger.error("nextauth_google_signin_failed", {
+                                email: user.email,
+                                error: result.error,
+                            });
+                            return false;
+                        }
+                        logger.info("nextauth_google_signin_success", {
+                            user_id: result.user_id,
+                            email: result.email,
+                            is_new_user: result.is_new_user,
+                            was_linked: result.was_linked,
+                        });
+                        // Store user_id in account for the JWT callback to pick up
+                        account.hazo_user_id = result.user_id;
+                        return true;
+                    }
+                    catch (error) {
+                        const errorMessage = error instanceof Error ? error.message : "Unknown error";
+                        logger.error("nextauth_google_signin_exception", {
+                            email: user.email,
+                            error: errorMessage,
+                        });
+                        return false;
+                    }
+                }
+                return true;
+            },
+            /**
+             * JWT callback - add OAuth provider info to the token
+             */
+            async jwt({ token, account, profile }) {
+                if (account && profile) {
+                    token.provider = account.provider;
+                    token.providerAccountId = account.providerAccountId;
+                    // Store hazo_user_id from signIn callback
+                    if (account.hazo_user_id) {
+                        token.hazo_user_id = account.hazo_user_id;
+                    }
+                    // For Google, store additional profile data
+                    if (account.provider === "google") {
+                        const googleProfile = profile;
+                        token.google_id = googleProfile.sub;
+                        token.email_verified = googleProfile.email_verified;
+                    }
+                }
+                return token;
+            },
+            /**
+             * Session callback - pass provider info to session
+             */
+            async session({ session, token }) {
+                if (token) {
+                    const extSession = session;
+                    const extToken = token;
+                    extSession.provider = extToken.provider;
+                    extSession.providerAccountId = extToken.providerAccountId;
+                    extSession.google_id = extToken.google_id;
+                    extSession.email_verified = extToken.email_verified;
+                }
+                return session;
+            },
+        },
+        // Use JWT strategy - we don't need a database adapter since we manage users ourselves
+        session: {
+            strategy: "jwt",
+            maxAge: 60 * 10, // 10 minutes - short lived since we create our own session
+        },
+        // Disable debug in production
+        debug: process.env.NODE_ENV === "development",
+    };
+}
+/**
+ * Checks if any OAuth providers are configured and enabled
+ * @returns true if at least one OAuth provider is available
+ */
+export function has_oauth_providers() {
+    const oauth_config = get_oauth_config();
+    if (oauth_config.enable_google) {
+        const has_google_credentials = process.env.HAZO_AUTH_GOOGLE_CLIENT_ID &&
+            process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET;
+        if (has_google_credentials)
+            return true;
+    }
+    return false;
+}

package/dist/lib/config/default_config.d.ts

@@ -111,6 +111,18 @@ export declare const DEFAULT_PROFILE_PIC_MENU: {
 export declare const DEFAULT_API_PATHS: {
     readonly apiBasePath: "/api/hazo_auth";
 };
+export declare const DEFAULT_OAUTH: {
+    /** Enable Google OAuth login (requires HAZO_AUTH_GOOGLE_CLIENT_ID and HAZO_AUTH_GOOGLE_CLIENT_SECRET env vars) */
+    readonly enable_google: true;
+    /** Enable traditional email/password login */
+    readonly enable_email_password: true;
+    /** Auto-link Google login to existing unverified email/password accounts and mark as verified */
+    readonly auto_link_unverified_accounts: true;
+    /** Text displayed on the Google sign-in button */
+    readonly google_button_text: "Continue with Google";
+    /** Text displayed on the divider between OAuth and email/password form */
+    readonly oauth_divider_text: "or continue with email";
+};
 /**
  * All default configuration values combined in one object
  * This makes it easy to see all defaults at a glance and export them as needed
@@ -229,6 +241,18 @@ export declare const HAZO_AUTH_DEFAULTS: {
     readonly apiPaths: {
         readonly apiBasePath: "/api/hazo_auth";
     };
+    readonly oauth: {
+        /** Enable Google OAuth login (requires HAZO_AUTH_GOOGLE_CLIENT_ID and HAZO_AUTH_GOOGLE_CLIENT_SECRET env vars) */
+        readonly enable_google: true;
+        /** Enable traditional email/password login */
+        readonly enable_email_password: true;
+        /** Auto-link Google login to existing unverified email/password accounts and mark as verified */
+        readonly auto_link_unverified_accounts: true;
+        /** Text displayed on the Google sign-in button */
+        readonly google_button_text: "Continue with Google";
+        /** Text displayed on the divider between OAuth and email/password form */
+        readonly oauth_divider_text: "or continue with email";
+    };
 };
 /**
  * Type representing the complete default configuration structure

package/dist/lib/config/default_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;CAKlD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA3FD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;;;;;;;;;;;;;;CA+ClD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}
+{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;CAKlD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;CAElE,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAzGD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;;;;;;;;;;;;;;;QAyB1D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;;CA6BlE,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}

package/dist/lib/config/default_config.js

@@ -132,6 +132,19 @@ export const DEFAULT_PROFILE_PIC_MENU = {
 export const DEFAULT_API_PATHS = {
     apiBasePath: "/api/hazo_auth",
 };
+// section: oauth
+export const DEFAULT_OAUTH = {
+    /** Enable Google OAuth login (requires HAZO_AUTH_GOOGLE_CLIENT_ID and HAZO_AUTH_GOOGLE_CLIENT_SECRET env vars) */
+    enable_google: true,
+    /** Enable traditional email/password login */
+    enable_email_password: true,
+    /** Auto-link Google login to existing unverified email/password accounts and mark as verified */
+    auto_link_unverified_accounts: true,
+    /** Text displayed on the Google sign-in button */
+    google_button_text: "Continue with Google",
+    /** Text displayed on the divider between OAuth and email/password form */
+    oauth_divider_text: "or continue with email",
+};
 // section: combined_defaults
 /**
  * All default configuration values combined in one object
@@ -156,4 +169,5 @@ export const HAZO_AUTH_DEFAULTS = {
     uiShell: DEFAULT_UI_SHELL,
     profilePicMenu: DEFAULT_PROFILE_PIC_MENU,
     apiPaths: DEFAULT_API_PATHS,
+    oauth: DEFAULT_OAUTH,
 };

package/dist/lib/index.d.ts

@@ -22,6 +22,8 @@ export { get_password_requirements_config } from "./password_requirements_config
 export { get_messages_config } from "./messages_config.server";
 export { get_user_fields_config } from "./user_fields_config.server";
 export { get_file_types_config } from "./file_types_config.server";
+export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled } from "./oauth_config.server";
+export type { OAuthConfig } from "./oauth_config.server";
 export { sanitize_error_for_user } from "./utils/error_sanitizer";
 export type { ErrorSanitizationOptions } from "./utils/error_sanitizer";
 export * from "./utils/api_route_helpers";

package/dist/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAGhD,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAG/I,OAAO,EAAE,0BAA0B,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAG3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACxE,cAAc,2BAA2B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAGhD,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AAG/I,OAAO,EAAE,0BAA0B,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAG3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAC7G,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAGzD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACxE,cAAc,2BAA2B,CAAC"}

package/dist/lib/index.js

@@ -30,6 +30,7 @@ export { get_password_requirements_config } from "./password_requirements_config
 export { get_messages_config } from "./messages_config.server";
 export { get_user_fields_config } from "./user_fields_config.server";
 export { get_file_types_config } from "./file_types_config.server";
+export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled } from "./oauth_config.server";
 // section: util_exports
 export { sanitize_error_for_user } from "./utils/error_sanitizer";
 export * from "./utils/api_route_helpers";

package/dist/lib/login_config.server.d.ts

@@ -1,3 +1,4 @@
+import { type OAuthConfig } from "./oauth_config.server";
 import type { StaticImageData } from "next/image";
 export type LoginConfig = {
     redirectRoute?: string;
@@ -14,6 +15,8 @@ export type LoginConfig = {
     imageSrc: string | StaticImageData;
     imageAlt: string;
     imageBackgroundColor: string;
+    /** OAuth configuration */
+    oauth: OAuthConfig;
 };
 /**
  * Reads login layout configuration from hazo_auth_config.ini file

package/dist/lib/login_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,GAAG,eAAe,CAAC;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAiE9C"}
+{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAIA,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAI3E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,MAAM,GAAG,eAAe,CAAC;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAqE9C"}

package/dist/lib/login_config.server.js

@@ -2,6 +2,7 @@
 // section: imports
 import { get_config_value } from "./config/config_loader.server";
 import { get_already_logged_in_config } from "./already_logged_in_config.server";
+import { get_oauth_config } from "./oauth_config.server";
 import loginDefaultImage from "../assets/images/login_default.jpg";
 // section: helpers
 /**
@@ -28,6 +29,8 @@ export function get_login_config() {
     ) || loginDefaultImage;
     const imageAlt = get_config_value(section, "image_alt", "Secure login illustration");
     const imageBackgroundColor = get_config_value(section, "image_background_color", "#f1f5f9");
+    // Get OAuth configuration
+    const oauth = get_oauth_config();
     return {
         redirectRoute,
         successMessage,
@@ -43,5 +46,6 @@ export function get_login_config() {
         imageSrc,
         imageAlt,
         imageBackgroundColor,
+        oauth,
     };
 }

package/dist/lib/oauth_config.server.d.ts

@@ -0,0 +1,29 @@
+export type OAuthConfig = {
+    /** Enable Google OAuth login */
+    enable_google: boolean;
+    /** Enable traditional email/password login */
+    enable_email_password: boolean;
+    /** Auto-link Google login to existing unverified email/password accounts */
+    auto_link_unverified_accounts: boolean;
+    /** Text displayed on the Google sign-in button */
+    google_button_text: string;
+    /** Text displayed on the divider between OAuth and email/password form */
+    oauth_divider_text: string;
+};
+/**
+ * Reads OAuth configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns OAuth configuration options
+ */
+export declare function get_oauth_config(): OAuthConfig;
+/**
+ * Helper to check if Google OAuth is enabled
+ * @returns true if Google OAuth is enabled in config
+ */
+export declare function is_google_oauth_enabled(): boolean;
+/**
+ * Helper to check if email/password login is enabled
+ * @returns true if email/password login is enabled in config
+ */
+export declare function is_email_password_enabled(): boolean;
+//# sourceMappingURL=oauth_config.server.d.ts.map

package/dist/lib/oauth_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/oauth_config.server.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,WAAW,GAAG;IACxB,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,4EAA4E;IAC5E,6BAA6B,EAAE,OAAO,CAAC;IACvC,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAsC9C;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,OAAO,CAEjD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAMnD"}

package/dist/lib/oauth_config.server.js

@@ -0,0 +1,40 @@
+// file_description: server-only helper to read OAuth configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value, get_config_boolean } from "./config/config_loader.server";
+import { DEFAULT_OAUTH } from "./config/default_config";
+// section: constants
+const SECTION_NAME = "hazo_auth__oauth";
+// section: helpers
+/**
+ * Reads OAuth configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns OAuth configuration options
+ */
+export function get_oauth_config() {
+    const enable_google = get_config_boolean(SECTION_NAME, "enable_google", DEFAULT_OAUTH.enable_google);
+    const enable_email_password = get_config_boolean(SECTION_NAME, "enable_email_password", DEFAULT_OAUTH.enable_email_password);
+    const auto_link_unverified_accounts = get_config_boolean(SECTION_NAME, "auto_link_unverified_accounts", DEFAULT_OAUTH.auto_link_unverified_accounts);
+    const google_button_text = get_config_value(SECTION_NAME, "google_button_text", DEFAULT_OAUTH.google_button_text);
+    const oauth_divider_text = get_config_value(SECTION_NAME, "oauth_divider_text", DEFAULT_OAUTH.oauth_divider_text);
+    return {
+        enable_google,
+        enable_email_password,
+        auto_link_unverified_accounts,
+        google_button_text,
+        oauth_divider_text,
+    };
+}
+/**
+ * Helper to check if Google OAuth is enabled
+ * @returns true if Google OAuth is enabled in config
+ */
+export function is_google_oauth_enabled() {
+    return get_config_boolean(SECTION_NAME, "enable_google", DEFAULT_OAUTH.enable_google);
+}
+/**
+ * Helper to check if email/password login is enabled
+ * @returns true if email/password login is enabled in config
+ */
+export function is_email_password_enabled() {
+    return get_config_boolean(SECTION_NAME, "enable_email_password", DEFAULT_OAUTH.enable_email_password);
+}

package/dist/lib/services/login_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/login_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAQvD,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC,CAAC;AAGF;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,WAAW,CAAC,CAmGtB"}
+{"version":3,"file":"login_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/login_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAQvD,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC,CAAC;AAGF;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,WAAW,CAAC,CAmHtB"}

package/dist/lib/services/login_service.js

@@ -34,8 +34,23 @@ export async function authenticate_user(adapter, data) {
                 error: "Account is inactive. Please contact support.",
             };
         }
-        // Verify password using argon2
+        // Check if user has a password set (Google-only users have empty password_hash)
         const password_hash = user.password_hash;
+        if (!password_hash || password_hash === "") {
+            // Check if user has Google linked
+            const auth_providers = user.auth_providers || "";
+            if (auth_providers.includes("google")) {
+                return {
+                    success: false,
+                    error: "This account uses Google Sign-In. Please log in with Google instead.",
+                };
+            }
+            return {
+                success: false,
+                error: "Invalid email or password",
+            };
+        }
+        // Verify password using argon2
         const is_password_valid = await argon2.verify(password_hash, password);
         if (!is_password_valid) {
             // Increment login attempts on failed password

package/dist/lib/services/oauth_service.d.ts

@@ -0,0 +1,88 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export type GoogleOAuthData = {
+    /** Google's unique user ID (sub claim from JWT) */
+    google_id: string;
+    /** User's email address from Google */
+    email: string;
+    /** User's full name from Google profile */
+    name?: string;
+    /** User's profile picture URL from Google */
+    profile_picture_url?: string;
+    /** Whether Google has verified this email */
+    email_verified: boolean;
+};
+export type OAuthLoginResult = {
+    success: boolean;
+    user_id?: string;
+    /** True if this was a newly created account */
+    is_new_user?: boolean;
+    /** True if Google was linked to an existing account */
+    was_linked?: boolean;
+    /** The user's email address */
+    email?: string;
+    /** The user's name */
+    name?: string;
+    error?: string;
+};
+export type LinkGoogleResult = {
+    success: boolean;
+    error?: string;
+};
+export type AuthProvidersResult = {
+    success: boolean;
+    auth_providers?: string[];
+    has_password?: boolean;
+    error?: string;
+};
+/**
+ * Handles Google OAuth login/registration flow
+ * 1. Check if user exists with google_id -> login
+ * 2. Check if user exists with email -> link Google account
+ * 3. Create new user with Google data
+ *
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Google OAuth user data
+ * @returns OAuth login result with user_id and status flags
+ */
+export declare function handle_google_oauth_login(adapter: HazoConnectAdapter, data: GoogleOAuthData): Promise<OAuthLoginResult>;
+/**
+ * Links a Google account to an existing user
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @param google_id - Google's unique user ID
+ * @returns Result indicating success or failure
+ */
+export declare function link_google_account(adapter: HazoConnectAdapter, user_id: string, google_id: string): Promise<LinkGoogleResult>;
+/**
+ * Checks if a user has a password set (non-empty password_hash)
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @returns True if user has a password set
+ */
+export declare function user_has_password(adapter: HazoConnectAdapter, user_id: string): Promise<boolean>;
+/**
+ * Checks if a user has a password set by email
+ * @param adapter - The hazo_connect adapter instance
+ * @param email - The user's email address
+ * @returns True if user has a password set
+ */
+export declare function user_has_password_by_email(adapter: HazoConnectAdapter, email: string): Promise<boolean>;
+/**
+ * Gets a user's authentication providers and password status
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @returns Auth providers array and has_password flag
+ */
+export declare function get_user_auth_providers(adapter: HazoConnectAdapter, user_id: string): Promise<AuthProvidersResult>;
+/**
+ * Sets a password for a user who doesn't have one (e.g., Google-only users)
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @param password_hash - The hashed password to set
+ * @returns Result indicating success or failure
+ */
+export declare function set_user_password(adapter: HazoConnectAdapter, user_id: string, password_hash: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+//# sourceMappingURL=oauth_service.d.ts.map

package/dist/lib/services/oauth_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/oauth_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,eAAe,GAAG;IAC5B,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6CAA6C;IAC7C,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6CAA6C;IAC7C,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uDAAuD;IACvD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;;;GASG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,gBAAgB,CAAC,CAiL3B;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAgE3B;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,kBAAkB,EAC3B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA2C9B;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0D/C"}