hazo_auth 4.1.0 → 4.2.0

package/README.md

@@ -24,6 +24,7 @@ A reusable authentication UI component package powered by Next.js, TailwindCSS,
 - [Quick Start](#quick-start)
 - [Configuration Setup](#configuration-setup)
 - [Database Setup](#database-setup)
+- [Google OAuth Setup](#google-oauth-setup)
 - [Using Components](#using-components)
 - [Authentication Service](#authentication-service)
 - [Proxy/Middleware Authentication](#proxymiddleware-authentication)
@@ -366,6 +367,19 @@ cp node_modules/hazo_auth/hazo_notify_config.example.ini ./hazo_notify_config.in
 
 **Note:** `JWT_SECRET` is required for JWT session token functionality (used for Edge-compatible proxy/middleware authentication). Generate a secure random string at least 32 characters long.
 
+**For Google OAuth (optional):**
+```env
+# NextAuth.js configuration (required for OAuth)
+NEXTAUTH_SECRET=your_secure_random_string_at_least_32_characters
+NEXTAUTH_URL=http://localhost:3000  # Change to production URL in production
+
+# Google OAuth credentials (from Google Cloud Console)
+HAZO_AUTH_GOOGLE_CLIENT_ID=your_google_client_id
+HAZO_AUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret
+```
+
+See [Google OAuth Setup](#google-oauth-setup) for detailed instructions.
+
 **Important:** The configuration files must be located in your project root directory (where `process.cwd()` points to), not inside `node_modules`. The package reads configuration from `process.cwd()` at runtime, so storing them elsewhere (including `node_modules/hazo_auth`) will break runtime access.
 
 ---
@@ -672,6 +686,222 @@ npx tsx scripts/apply_migration.ts
 
 ---
 
+## Google OAuth Setup
+
+hazo_auth supports Google Sign-In via NextAuth.js v4, allowing users to authenticate with their Google accounts.
+
+### Features
+
+- **Dual authentication**: Users can have BOTH Google OAuth and email/password login
+- **Auto-linking**: Automatically links Google login to existing unverified email/password accounts
+- **Graceful degradation**: Login page adapts based on enabled authentication methods
+- **Set password feature**: Google-only users can add a password later via My Settings
+- **Profile data**: Full name and profile picture automatically populated from Google
+
+### Step 1: Get Google OAuth Credentials
+
+1. Go to [Google Cloud Console](https://console.cloud.google.com/)
+2. Create a project or select an existing project
+3. Enable Google+ API (or Google Identity Services)
+4. Navigate to **Credentials** → **Create Credentials** → **OAuth 2.0 Client ID**
+5. Configure OAuth consent screen if prompted
+6. Set **Application type** to "Web application"
+7. Add **Authorized JavaScript origins**:
+   - Development: `http://localhost:3000`
+   - Production: `https://yourdomain.com`
+8. Add **Authorized redirect URIs**:
+   - Development: `http://localhost:3000/api/auth/callback/google`
+   - Production: `https://yourdomain.com/api/auth/callback/google`
+9. Copy the **Client ID** and **Client Secret**
+
+### Step 2: Add Environment Variables
+
+Add to your `.env.local`:
+
+```env
+# NextAuth.js configuration (REQUIRED for OAuth)
+NEXTAUTH_SECRET=your_secure_random_string_at_least_32_characters
+NEXTAUTH_URL=http://localhost:3000  # Change to production URL in production
+
+# Google OAuth credentials (from Google Cloud Console)
+HAZO_AUTH_GOOGLE_CLIENT_ID=your_google_client_id_from_step_1
+HAZO_AUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret_from_step_1
+```
+
+**Generate NEXTAUTH_SECRET:**
+```bash
+openssl rand -base64 32
+```
+
+### Step 3: Run Database Migration
+
+Add OAuth fields to the `hazo_users` table:
+
+```bash
+npm run migrate migrations/005_add_oauth_fields_to_hazo_users.sql
+```
+
+This migration adds:
+- `google_id` - Google's unique user ID (TEXT, UNIQUE)
+- `auth_providers` - Tracks authentication methods: 'email', 'google', or 'email,google'
+- Index on `google_id` for fast OAuth lookups
+
+**Manual migration (if needed):**
+
+**PostgreSQL:**
+```sql
+ALTER TABLE hazo_users
+ADD COLUMN google_id TEXT UNIQUE;
+
+ALTER TABLE hazo_users
+ADD COLUMN auth_providers TEXT DEFAULT 'email';
+
+CREATE INDEX IF NOT EXISTS idx_hazo_users_google_id ON hazo_users(google_id);
+```
+
+**SQLite:**
+```sql
+ALTER TABLE hazo_users
+ADD COLUMN google_id TEXT;
+
+ALTER TABLE hazo_users
+ADD COLUMN auth_providers TEXT DEFAULT 'email';
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_hazo_users_google_id_unique ON hazo_users(google_id);
+CREATE INDEX IF NOT EXISTS idx_hazo_users_google_id ON hazo_users(google_id);
+```
+
+### Step 4: Configure OAuth in hazo_auth_config.ini
+
+```ini
+[hazo_auth__oauth]
+# Enable Google OAuth login (default: true)
+enable_google = true
+
+# Enable traditional email/password login (default: true)
+enable_email_password = true
+
+# Auto-link Google login to existing unverified email/password accounts (default: true)
+auto_link_unverified_accounts = true
+
+# Customize button text (optional)
+google_button_text = Continue with Google
+oauth_divider_text = or
+```
+
+### Step 5: Create NextAuth API Routes
+
+Create `app/api/auth/[...nextauth]/route.ts`:
+
+```typescript
+export { GET, POST } from "hazo_auth/server/routes/nextauth";
+```
+
+Create `app/api/hazo_auth/oauth/google/callback/route.ts`:
+
+```typescript
+export { GET } from "hazo_auth/server/routes/oauth_google_callback";
+```
+
+Create `app/api/hazo_auth/set_password/route.ts`:
+
+```typescript
+export { POST } from "hazo_auth/server/routes/set_password";
+```
+
+**Or use the CLI generator:**
+```bash
+npx hazo_auth generate-routes --oauth
+```
+
+### Step 6: Test Google OAuth
+
+1. Start your dev server: `npm run dev`
+2. Visit `http://localhost:3000/hazo_auth/login`
+3. You should see the "Sign in with Google" button
+4. Click it and authenticate with your Google account
+5. You'll be redirected back and logged in
+
+### User Flows
+
+**New User - Google Sign-In:**
+- User clicks "Sign in with Google"
+- Authenticates with Google
+- Account created with Google profile data (email, name, profile picture)
+- Email is automatically verified
+- User can log in with Google anytime
+
+**Existing Unverified User - Google Sign-In:**
+- User has email/password account but hasn't verified email
+- Clicks "Sign in with Google" with same email
+- System auto-links Google account (if `auto_link_unverified_accounts = true`)
+- Email becomes verified
+- User can now log in with EITHER Google OR email/password
+
+**Google-Only User Adds Password:**
+- Google-only user visits My Settings
+- "Set Password" section appears
+- User sets a password
+- User can now log in with EITHER method
+
+**Google-Only User Tries Forgot Password:**
+- User registered with Google tries "Forgot Password"
+- System shows: "You registered with Google. Please sign in with Google instead."
+
+### Configuration Options
+
+**Disable email/password login (Google-only):**
+```ini
+[hazo_auth__oauth]
+enable_google = true
+enable_email_password = false
+```
+
+**Disable Google OAuth (email/password only):**
+```ini
+[hazo_auth__oauth]
+enable_google = false
+enable_email_password = true
+```
+
+### API Response Changes
+
+The `/api/hazo_auth/me` endpoint now includes OAuth status:
+
+```typescript
+{
+  authenticated: true,
+  // ... existing fields
+  auth_providers: "email,google",  // NEW: Tracks authentication methods
+  has_password: true,              // NEW: Whether user has password set
+  google_connected: true,          // NEW: Whether Google account is linked
+}
+```
+
+### Dependencies
+
+Google OAuth adds one new dependency:
+- `next-auth@^4.24.11` - NextAuth.js for OAuth handling (automatically installed with hazo_auth)
+
+### Troubleshooting
+
+**"Sign in with Google" button not showing:**
+- Verify `enable_google = true` in `[hazo_auth__oauth]` section
+- Check `HAZO_AUTH_GOOGLE_CLIENT_ID` and `HAZO_AUTH_GOOGLE_CLIENT_SECRET` are set
+- Check `NEXTAUTH_URL` matches your current URL
+
+**OAuth callback error:**
+- Verify redirect URI in Google Cloud Console matches exactly: `http://localhost:3000/api/auth/callback/google`
+- Check `NEXTAUTH_SECRET` is set and at least 32 characters
+- Verify API routes are created: `/api/auth/[...nextauth]/route.ts` and `/api/hazo_auth/oauth/google/callback/route.ts`
+
+**User created but not logged in:**
+- Check browser console for errors
+- Verify `/api/hazo_auth/oauth/google/callback` route exists
+- Check server logs for errors during session creation
+
+---
+
 ## Using Components
 
 ### Package Exports

package/SETUP_CHECKLIST.md

@@ -492,6 +492,169 @@ This script will:
 
 ---
 
+## Phase 3.2: Google OAuth Setup (Optional)
+
+Google OAuth Sign-In allows users to authenticate with their Google accounts. This section is optional - skip if you don't need OAuth.
+
+### Step 3.2.1: Get Google OAuth Credentials
+
+1. Go to [Google Cloud Console](https://console.cloud.google.com/)
+2. Create a project or select an existing project
+3. Enable **Google+ API** (or Google Identity Services)
+4. Navigate to **Credentials** → **Create Credentials** → **OAuth 2.0 Client ID**
+5. Configure OAuth consent screen if prompted
+6. Set **Application type** to "Web application"
+7. Add **Authorized JavaScript origins**:
+   - Development: `http://localhost:3000`
+   - Production: `https://yourdomain.com`
+8. Add **Authorized redirect URIs**:
+   - Development: `http://localhost:3000/api/auth/callback/google`
+   - Production: `https://yourdomain.com/api/auth/callback/google`
+9. Copy the **Client ID** and **Client Secret**
+
+### Step 3.2.2: Add OAuth Environment Variables
+
+Add to your `.env.local`:
+
+```env
+# NextAuth.js configuration (REQUIRED for OAuth)
+NEXTAUTH_SECRET=your_secure_random_string_at_least_32_characters
+NEXTAUTH_URL=http://localhost:3000  # Change to production URL in production
+
+# Google OAuth credentials (from Google Cloud Console)
+HAZO_AUTH_GOOGLE_CLIENT_ID=your_google_client_id_from_step_1
+HAZO_AUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret_from_step_1
+```
+
+**Generate NEXTAUTH_SECRET:**
+```bash
+openssl rand -base64 32
+```
+
+### Step 3.2.3: Run OAuth Database Migration
+
+Add OAuth fields to the `hazo_users` table:
+
+```bash
+npm run migrate migrations/005_add_oauth_fields_to_hazo_users.sql
+```
+
+**Verify migration applied:**
+
+**PostgreSQL:**
+```sql
+SELECT column_name FROM information_schema.columns
+WHERE table_name = 'hazo_users'
+  AND column_name IN ('google_id', 'auth_providers');
+-- Expected: 2 rows returned
+```
+
+**SQLite:**
+```bash
+sqlite3 data/hazo_auth.sqlite ".schema hazo_users" | grep -E "google_id|auth_providers"
+# Expected: google_id TEXT UNIQUE, auth_providers TEXT DEFAULT 'email'
+```
+
+**Manual migration (if needed):**
+
+**PostgreSQL:**
+```sql
+ALTER TABLE hazo_users ADD COLUMN google_id TEXT UNIQUE;
+ALTER TABLE hazo_users ADD COLUMN auth_providers TEXT DEFAULT 'email';
+CREATE INDEX IF NOT EXISTS idx_hazo_users_google_id ON hazo_users(google_id);
+```
+
+**SQLite:**
+```sql
+ALTER TABLE hazo_users ADD COLUMN google_id TEXT;
+ALTER TABLE hazo_users ADD COLUMN auth_providers TEXT DEFAULT 'email';
+CREATE UNIQUE INDEX IF NOT EXISTS idx_hazo_users_google_id_unique ON hazo_users(google_id);
+CREATE INDEX IF NOT EXISTS idx_hazo_users_google_id ON hazo_users(google_id);
+```
+
+### Step 3.2.4: Configure OAuth in hazo_auth_config.ini
+
+Add (or modify) the OAuth section:
+
+```ini
+[hazo_auth__oauth]
+# Enable Google OAuth login (default: true)
+enable_google = true
+
+# Enable traditional email/password login (default: true)
+enable_email_password = true
+
+# Auto-link Google login to existing unverified email/password accounts (default: true)
+auto_link_unverified_accounts = true
+
+# Customize button text (optional)
+google_button_text = Continue with Google
+oauth_divider_text = or
+```
+
+**Configuration Options:**
+
+- **Google-only authentication** (no email/password):
+  ```ini
+  enable_google = true
+  enable_email_password = false
+  ```
+
+- **Email/password only** (no OAuth):
+  ```ini
+  enable_google = false
+  enable_email_password = true
+  ```
+
+- **Both methods** (recommended):
+  ```ini
+  enable_google = true
+  enable_email_password = true
+  ```
+
+### Step 3.2.5: Create OAuth API Routes
+
+**Option A: Use CLI generator (Recommended):**
+```bash
+npx hazo_auth generate-routes --oauth
+```
+
+**Option B: Create manually:**
+
+Create `app/api/auth/[...nextauth]/route.ts`:
+```typescript
+export { GET, POST } from "hazo_auth/server/routes/nextauth";
+```
+
+Create `app/api/hazo_auth/oauth/google/callback/route.ts`:
+```typescript
+export { GET } from "hazo_auth/server/routes/oauth_google_callback";
+```
+
+Create `app/api/hazo_auth/set_password/route.ts`:
+```typescript
+export { POST } from "hazo_auth/server/routes/set_password";
+```
+
+### Step 3.2.6: Verify OAuth API Routes
+
+```bash
+ls app/api/auth/\[...nextauth\]/route.ts
+ls app/api/hazo_auth/oauth/google/callback/route.ts
+ls app/api/hazo_auth/set_password/route.ts
+# All files should exist
+```
+
+**OAuth Setup Checklist:**
+- [ ] Google OAuth credentials obtained
+- [ ] `NEXTAUTH_SECRET` and `NEXTAUTH_URL` set in `.env.local`
+- [ ] `HAZO_AUTH_GOOGLE_CLIENT_ID` and `HAZO_AUTH_GOOGLE_CLIENT_SECRET` set
+- [ ] OAuth migration applied (google_id and auth_providers columns added)
+- [ ] `[hazo_auth__oauth]` section configured in `hazo_auth_config.ini`
+- [ ] OAuth API routes created (`[...nextauth]`, `oauth/google/callback`, `set_password`)
+
+---
+
 ## Phase 4: API Routes
 
 Create API route files in your project. Each file re-exports handlers from hazo_auth.
@@ -956,6 +1119,45 @@ Visit each page and verify it loads:
 - [ ] `http://localhost:3000/hazo_auth/my_settings` - Settings page displays (after login)
 - [ ] `http://localhost:3000/hazo_auth/profile_stamp_test` - ProfileStamp component examples display
 
+### Test 7: Google OAuth (if configured)
+
+If you completed Phase 3.2 (Google OAuth Setup):
+
+**Check login page:**
+1. Visit `http://localhost:3000/hazo_auth/login`
+2. Verify "Sign in with Google" button appears
+3. Verify divider with "or" text (if email/password is also enabled)
+
+**Test Google sign-in:**
+1. Click "Sign in with Google" button
+2. You should be redirected to Google's login page
+3. Sign in with your Google account
+4. You should be redirected back to your app and logged in
+5. Visit `/hazo_auth/my_settings`
+6. Verify "Connected Accounts" section shows Google as connected
+
+**Test Google-only user features:**
+1. If you signed in with Google (and didn't have a password account first):
+2. Visit `/hazo_auth/my_settings`
+3. Verify "Set Password" section appears
+4. Set a password
+5. Log out and try logging in with email/password (should work)
+
+**Test forgot password with Google-only user:**
+1. Create a new user with Google OAuth only
+2. Try visiting `/hazo_auth/forgot_password`
+3. Enter the Google user's email
+4. Should show message: "You registered with Google. Please sign in with Google instead."
+
+**OAuth Test Checklist:**
+- [ ] "Sign in with Google" button appears on login page
+- [ ] OAuth divider appears (if both auth methods enabled)
+- [ ] Google OAuth flow completes successfully
+- [ ] User is logged in after OAuth callback
+- [ ] Connected Accounts section shows Google in My Settings
+- [ ] Set Password feature works for Google-only users
+- [ ] Forgot password shows appropriate message for Google-only users
+
 ---
 
 ## Phase 7: HRBAC Setup (Optional)

package/dist/app/api/hazo_auth/forgot_password/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/forgot_password/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAgG9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/forgot_password/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAoH9C"}

package/dist/app/api/hazo_auth/forgot_password/route.js

@@ -49,6 +49,21 @@ export async function POST(request) {
                 message: "If an account with that email exists, a password reset link has been sent.",
             }, { status: 200 });
         }
+        // Check if this is a Google-only user (no password set)
+        if (result.no_password_set) {
+            logger.info("password_reset_no_password_set", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                email,
+                note: "User does not have a password set (OAuth-only account)",
+            });
+            // Return success to prevent email enumeration, but include flag for UI handling
+            return NextResponse.json({
+                success: true,
+                no_password_set: true,
+                message: "If an account with that email exists, a password reset link has been sent.",
+            }, { status: 200 });
+        }
         logger.info("password_reset_requested", {
             filename: get_filename(),
             line_number: get_line_number(),

package/dist/app/api/hazo_auth/logout/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAmF9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/logout/route.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IAkH9C"}

package/dist/app/api/hazo_auth/logout/route.js

@@ -32,6 +32,37 @@ export async function POST(request) {
             expires: new Date(0),
             path: "/",
         });
+        // Clear NextAuth session cookies (for OAuth users)
+        response.cookies.set("next-auth.session-token", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        response.cookies.set("next-auth.csrf-token", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        response.cookies.set("next-auth.callback-url", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        // Also clear secure cookie variants (used in production with HTTPS)
+        response.cookies.set("__Secure-next-auth.session-token", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        response.cookies.set("__Secure-next-auth.csrf-token", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        response.cookies.set("__Secure-next-auth.callback-url", "", {
+            expires: new Date(0),
+            path: "/",
+        });
+        // Host-prefixed variants (for some NextAuth configurations)
+        response.cookies.set("__Host-next-auth.csrf-token", "", {
+            expires: new Date(0),
+            path: "/",
+        });
         // Invalidate user cache
         if (user_id) {
             try {

package/dist/app/api/hazo_auth/me/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/me/route.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AASxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA+E7C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../src/app/api/hazo_auth/me/route.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AASxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA2F7C"}

package/dist/app/api/hazo_auth/me/route.js

@@ -65,6 +65,12 @@ export async function GET(request) {
         // Map database profile_source to UI representation
         const profile_source_db = user_db.profile_source;
         const profile_source_ui = profile_source_db ? map_db_source_to_ui(profile_source_db) : undefined;
+        // Parse auth_providers (comma-separated string to array)
+        const auth_providers_str = user_db.auth_providers || "email";
+        const auth_providers = auth_providers_str.split(",").map((p) => p.trim());
+        // Check if user has a password set
+        const password_hash = user_db.password_hash;
+        const has_password = password_hash !== null && password_hash !== undefined && password_hash !== "";
         // Return unified format with all fields
         const profile_pic = auth_result.user.profile_picture_url;
         return NextResponse.json({
@@ -81,6 +87,10 @@ export async function GET(request) {
             avatar_url: profile_pic,
             image: profile_pic,
             profile_source: profile_source_ui,
+            // OAuth-related fields
+            auth_providers,
+            has_password,
+            google_connected: auth_providers.includes("google"),
             // Permissions and user object (always included)
             user: auth_result.user,
             permissions: auth_result.permissions,

package/dist/components/layouts/forgot_password/hooks/use_forgot_password_form.d.ts

@@ -13,6 +13,8 @@ export type UseForgotPasswordFormResult = {
     isSubmitDisabled: boolean;
     isSubmitting: boolean;
     emailTouched: boolean;
+    /** True if the submitted email is for a Google-only account (no password set) */
+    isGoogleOnlyAccount: boolean;
     handleFieldChange: (fieldId: ForgotPasswordFieldId, value: string) => void;
     handleEmailBlur: () => void;
     handleSubmit: (event: React.FormEvent<HTMLFormElement>) => void;

package/dist/components/layouts/forgot_password/hooks/use_forgot_password_form.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"use_forgot_password_form.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/forgot_password/hooks/use_forgot_password_form.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,EAA6B,KAAK,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAK/G,MAAM,MAAM,wBAAwB,GAAG,MAAM,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAC7E,MAAM,MAAM,wBAAwB,GAAG,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,GAAG;IACtF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,2BAA2B,CAAC,OAAO,GAAG,OAAO,IAAI;IAC3D,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,MAAM,EAAE,wBAAwB,CAAC;IACjC,MAAM,EAAE,wBAAwB,CAAC;IACjC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,CAAC;IACtB,iBAAiB,EAAE,CAAC,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3E,eAAe,EAAE,MAAM,IAAI,CAAC;IAC5B,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,IAAI,CAAC;IAChE,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAAC;AAQF,eAAO,MAAM,wBAAwB,GAAI,OAAO,EAAG,iBAEhD,2BAA2B,CAAC,OAAO,CAAC,KAAG,2BA4IzC,CAAC"}
+{"version":3,"file":"use_forgot_password_form.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/forgot_password/hooks/use_forgot_password_form.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,EAA6B,KAAK,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAK/G,MAAM,MAAM,wBAAwB,GAAG,MAAM,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAC7E,MAAM,MAAM,wBAAwB,GAAG,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,GAAG;IACtF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,2BAA2B,CAAC,OAAO,GAAG,OAAO,IAAI;IAC3D,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,MAAM,EAAE,wBAAwB,CAAC;IACjC,MAAM,EAAE,wBAAwB,CAAC;IACjC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,CAAC;IACtB,iFAAiF;IACjF,mBAAmB,EAAE,OAAO,CAAC;IAC7B,iBAAiB,EAAE,CAAC,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC3E,eAAe,EAAE,MAAM,IAAI,CAAC;IAC5B,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,IAAI,CAAC;IAChE,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAAC;AAQF,eAAO,MAAM,wBAAwB,GAAI,OAAO,EAAG,iBAEhD,2BAA2B,CAAC,OAAO,CAAC,KAAG,2BAqJzC,CAAC"}

package/dist/components/layouts/forgot_password/hooks/use_forgot_password_form.js

@@ -16,6 +16,7 @@ export const use_forgot_password_form = ({ dataClient, }) => {
     const [errors, setErrors] = useState({});
     const [emailTouched, setEmailTouched] = useState(false);
     const [isSubmitting, setIsSubmitting] = useState(false);
+    const [isGoogleOnlyAccount, setIsGoogleOnlyAccount] = useState(false);
     const isSubmitDisabled = useMemo(() => {
         if (isSubmitting) {
             return true;
@@ -72,6 +73,7 @@ export const use_forgot_password_form = ({ dataClient, }) => {
         }
         setIsSubmitting(true);
         setErrors({});
+        setIsGoogleOnlyAccount(false);
         try {
             const response = await fetch(`${apiBasePath}/forgot_password`, {
                 method: "POST",
@@ -86,6 +88,11 @@ export const use_forgot_password_form = ({ dataClient, }) => {
             if (!response.ok) {
                 throw new Error(data.error || "Password reset request failed");
             }
+            // Check if user is a Google-only account (no password set)
+            if (data.no_password_set) {
+                setIsGoogleOnlyAccount(true);
+                return;
+            }
             // Show success notification
             toast.success("Password reset link sent", {
                 description: "If an account with that email exists, a password reset link has been sent.",
@@ -121,6 +128,7 @@ export const use_forgot_password_form = ({ dataClient, }) => {
         isSubmitDisabled,
         isSubmitting,
         emailTouched,
+        isGoogleOnlyAccount,
         handleFieldChange,
         handleEmailBlur,
         handleSubmit,

package/dist/components/layouts/forgot_password/index.d.ts

@@ -16,6 +16,12 @@ export type ForgotPasswordLayoutProps<TClient = unknown> = {
     showReturnHomeButton?: boolean;
     returnHomeButtonLabel?: string;
     returnHomePath?: string;
+    /** Message shown when user's account is Google-only (no password set) */
+    googleOnlyAccountHeading?: string;
+    googleOnlyAccountMessage?: string;
+    googleOnlyAccountHelpText?: string;
+    mySettingsPath?: string;
+    mySettingsLabel?: string;
 };
-export default function forgot_password_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, data_client, sign_in_path, sign_in_label, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, }: ForgotPasswordLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
+export default function forgot_password_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, data_client, sign_in_path, sign_in_label, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, googleOnlyAccountHeading, googleOnlyAccountMessage, googleOnlyAccountHelpText, mySettingsPath, mySettingsLabel, }: ForgotPasswordLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/forgot_password/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/forgot_password/index.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAMlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAI1E,MAAM,MAAM,yBAAyB,CAAC,OAAO,GAAG,OAAO,IAAI;IACzD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AASF,MAAM,CAAC,OAAO,UAAU,sBAAsB,CAAC,OAAO,EAAE,EACtD,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,YAAiC,EACjC,aAAyB,EACzB,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,GACrB,EAAE,yBAAyB,CAAC,OAAO,CAAC,2CA+GpC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/forgot_password/index.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAOlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAI1E,MAAM,MAAM,yBAAyB,CAAC,OAAO,GAAG,OAAO,IAAI;IACzD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,yEAAyE;IACzE,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AASF,MAAM,CAAC,OAAO,UAAU,sBAAsB,CAAC,OAAO,EAAE,EACtD,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,YAAiC,EACjC,aAAyB,EACzB,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,wBAAoD,EACpD,wBAA2G,EAC3G,yBAA0I,EAC1I,cAAyC,EACzC,eAAkC,GACnC,EAAE,yBAAyB,CAAC,OAAO,CAAC,2CAgJpC"}