hazo_auth 4.1.0 → 4.3.0

package/cli-src/lib/auth/nextauth_config.ts

@@ -0,0 +1,227 @@
+// file_description: NextAuth.js configuration for OAuth providers
+// section: imports
+import type { AuthOptions, Session } from "next-auth";
+import type { JWT } from "next-auth/jwt";
+import GoogleProvider from "next-auth/providers/google";
+import { get_oauth_config } from "../oauth_config.server";
+import { handle_google_oauth_login } from "../services/oauth_service";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { create_app_logger } from "../app_logger";
+
+// section: types
+export type NextAuthCallbackUser = {
+  id?: string;
+  email?: string | null;
+  name?: string | null;
+  image?: string | null;
+};
+
+export type NextAuthCallbackAccount = {
+  provider: string;
+  providerAccountId: string;
+  type: string;
+  access_token?: string;
+  id_token?: string;
+  expires_at?: number;
+};
+
+export type NextAuthCallbackProfile = {
+  sub?: string;
+  name?: string;
+  email?: string;
+  picture?: string;
+  email_verified?: boolean;
+};
+
+// section: config
+/**
+ * Gets NextAuth.js configuration with enabled OAuth providers
+ * Providers are dynamically configured based on hazo_auth_config.ini settings
+ * @returns NextAuth configuration object
+ */
+export function get_nextauth_config(): AuthOptions {
+  const oauth_config = get_oauth_config();
+  const providers = [];
+
+  // Add Google provider if enabled
+  if (oauth_config.enable_google) {
+    const client_id = process.env.HAZO_AUTH_GOOGLE_CLIENT_ID;
+    const client_secret = process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET;
+
+    if (client_id && client_secret) {
+      providers.push(
+        GoogleProvider({
+          clientId: client_id,
+          clientSecret: client_secret,
+          authorization: {
+            params: {
+              prompt: "consent",
+              access_type: "offline",
+              response_type: "code",
+            },
+          },
+        })
+      );
+    }
+  }
+
+  return {
+    providers,
+    pages: {
+      // Use hazo_auth login page for sign-in errors
+      signIn: "/hazo_auth/login",
+      error: "/hazo_auth/login",
+    },
+    callbacks: {
+      /**
+       * Redirect callback - controls where users go after authentication
+       * We redirect to our custom callback handler to create hazo_auth session
+       */
+      async redirect({ url, baseUrl }: { url: string; baseUrl: string }) {
+        // Log for debugging
+        console.log("[NextAuth redirect callback]", { url, baseUrl });
+
+        // Always redirect to our custom callback after sign-in to set hazo_auth cookies
+        // The callbackUrl from signIn() comes through as `url`
+        if (url.includes("/api/hazo_auth/oauth/google/callback")) {
+          return url;
+        }
+
+        // If URL is relative or same origin, allow it
+        if (url.startsWith("/")) {
+          return `${baseUrl}${url}`;
+        }
+        if (url.startsWith(baseUrl)) {
+          return url;
+        }
+
+        // Default: redirect to our custom OAuth callback to set cookies
+        return `${baseUrl}/api/hazo_auth/oauth/google/callback`;
+      },
+      /**
+       * Sign-in callback - handle user creation/linking for Google OAuth
+       */
+      async signIn({
+        account,
+        profile,
+        user,
+      }: {
+        account: NextAuthCallbackAccount | null;
+        profile?: NextAuthCallbackProfile;
+        user: NextAuthCallbackUser;
+      }) {
+        const logger = create_app_logger();
+
+        if (account?.provider === "google" && profile) {
+          try {
+            const googleProfile = profile as NextAuthCallbackProfile;
+            const hazoConnect = get_hazo_connect_instance();
+
+            logger.info("nextauth_google_signin_attempt", {
+              email: user.email,
+              google_id: googleProfile.sub,
+              name: user.name,
+            });
+
+            // Handle the Google OAuth login (create user or link account)
+            const result = await handle_google_oauth_login(hazoConnect, {
+              google_id: googleProfile.sub || account.providerAccountId,
+              email: user.email || googleProfile.email || "",
+              name: user.name || googleProfile.name || undefined,
+              profile_picture_url: user.image || googleProfile.picture || undefined,
+              email_verified: googleProfile.email_verified ?? true,
+            });
+
+            if (!result.success) {
+              logger.error("nextauth_google_signin_failed", {
+                email: user.email,
+                error: result.error,
+              });
+              return false;
+            }
+
+            logger.info("nextauth_google_signin_success", {
+              user_id: result.user_id,
+              email: result.email,
+              is_new_user: result.is_new_user,
+              was_linked: result.was_linked,
+            });
+
+            // Store user_id in account for the JWT callback to pick up
+            (account as Record<string, unknown>).hazo_user_id = result.user_id;
+
+            return true;
+          } catch (error) {
+            const errorMessage = error instanceof Error ? error.message : "Unknown error";
+            logger.error("nextauth_google_signin_exception", {
+              email: user.email,
+              error: errorMessage,
+            });
+            return false;
+          }
+        }
+        return true;
+      },
+      /**
+       * JWT callback - add OAuth provider info to the token
+       */
+      async jwt({ token, account, profile }) {
+        if (account && profile) {
+          (token as Record<string, unknown>).provider = account.provider;
+          (token as Record<string, unknown>).providerAccountId = account.providerAccountId;
+
+          // Store hazo_user_id from signIn callback
+          if ((account as Record<string, unknown>).hazo_user_id) {
+            (token as Record<string, unknown>).hazo_user_id = (account as Record<string, unknown>).hazo_user_id;
+          }
+
+          // For Google, store additional profile data
+          if (account.provider === "google") {
+            const googleProfile = profile as NextAuthCallbackProfile;
+            (token as Record<string, unknown>).google_id = googleProfile.sub;
+            (token as Record<string, unknown>).email_verified = googleProfile.email_verified;
+          }
+        }
+        return token;
+      },
+      /**
+       * Session callback - pass provider info to session
+       */
+      async session({ session, token }: { session: Session; token: JWT }) {
+        if (token) {
+          const extSession = session as Session & Record<string, unknown>;
+          const extToken = token as JWT & Record<string, unknown>;
+          extSession.provider = extToken.provider;
+          extSession.providerAccountId = extToken.providerAccountId;
+          extSession.google_id = extToken.google_id;
+          extSession.email_verified = extToken.email_verified;
+        }
+        return session;
+      },
+    },
+    // Use JWT strategy - we don't need a database adapter since we manage users ourselves
+    session: {
+      strategy: "jwt",
+      maxAge: 60 * 10, // 10 minutes - short lived since we create our own session
+    },
+    // Disable debug in production
+    debug: process.env.NODE_ENV === "development",
+  };
+}
+
+/**
+ * Checks if any OAuth providers are configured and enabled
+ * @returns true if at least one OAuth provider is available
+ */
+export function has_oauth_providers(): boolean {
+  const oauth_config = get_oauth_config();
+
+  if (oauth_config.enable_google) {
+    const has_google_credentials =
+      process.env.HAZO_AUTH_GOOGLE_CLIENT_ID &&
+      process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET;
+    if (has_google_credentials) return true;
+  }
+
+  return false;
+}

package/cli-src/lib/auth/scope_cache.ts

@@ -0,0 +1,233 @@
+// file_description: LRU cache implementation for HRBAC scope lookups with TTL and size limits
+// section: imports
+import type { ScopeLevel } from "../services/scope_service";
+
+// section: types
+
+/**
+ * User scope assignment record
+ */
+export type UserScopeEntry = {
+  scope_type: ScopeLevel;
+  scope_id: string;
+  scope_seq: string;
+};
+
+/**
+ * Cache entry structure for user scopes
+ */
+type ScopeCacheEntry = {
+  user_id: string;
+  scopes: UserScopeEntry[];
+  timestamp: number; // Unix timestamp in milliseconds
+  cache_version: number; // Version number for smart invalidation
+};
+
+/**
+ * LRU cache implementation for user scope lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+class ScopeCache {
+  private cache: Map<string, ScopeCacheEntry>;
+  private max_size: number;
+  private ttl_ms: number;
+  private scope_version_map: Map<string, number>; // Track version per scope for smart invalidation
+
+  constructor(max_size: number, ttl_minutes: number) {
+    this.cache = new Map();
+    this.max_size = max_size;
+    this.ttl_ms = ttl_minutes * 60 * 1000;
+    this.scope_version_map = new Map();
+  }
+
+  /**
+   * Gets a cache entry for a user's scopes
+   * Returns undefined if not found or expired
+   * @param user_id - User ID to look up
+   * @returns Cache entry or undefined
+   */
+  get(user_id: string): ScopeCacheEntry | undefined {
+    const entry = this.cache.get(user_id);
+
+    if (!entry) {
+      return undefined;
+    }
+
+    const now = Date.now();
+    const age = now - entry.timestamp;
+
+    // Check if entry is expired (TTL)
+    if (age > this.ttl_ms) {
+      this.cache.delete(user_id);
+      return undefined;
+    }
+
+    // Check if any of user's scopes have been invalidated
+    const max_scope_version = this.get_max_scope_version(entry.scopes);
+    if (max_scope_version > entry.cache_version) {
+      this.cache.delete(user_id);
+      return undefined;
+    }
+
+    // Move to end (most recently used)
+    this.cache.delete(user_id);
+    this.cache.set(user_id, entry);
+
+    return entry;
+  }
+
+  /**
+   * Sets a cache entry for a user's scopes
+   * Evicts least recently used entries if cache is full
+   * @param user_id - User ID
+   * @param scopes - User's scope assignments
+   */
+  set(user_id: string, scopes: UserScopeEntry[]): void {
+    // Evict LRU entries if cache is full
+    while (this.cache.size >= this.max_size) {
+      const first_key = this.cache.keys().next().value;
+      if (first_key) {
+        this.cache.delete(first_key);
+      } else {
+        break;
+      }
+    }
+
+    // Get current cache version for user's scopes
+    const cache_version = this.get_max_scope_version(scopes);
+
+    const entry: ScopeCacheEntry = {
+      user_id,
+      scopes,
+      timestamp: Date.now(),
+      cache_version,
+    };
+
+    this.cache.set(user_id, entry);
+  }
+
+  /**
+   * Invalidates cache for a specific user
+   * @param user_id - User ID to invalidate
+   */
+  invalidate_user(user_id: string): void {
+    this.cache.delete(user_id);
+  }
+
+  /**
+   * Invalidates cache for all users with a specific scope
+   * Uses cache version to determine if invalidation is needed
+   * @param scope_type - Scope level
+   * @param scope_id - Scope ID to invalidate
+   */
+  invalidate_by_scope(scope_type: ScopeLevel, scope_id: string): void {
+    const scope_key = `${scope_type}:${scope_id}`;
+    const current_version = this.scope_version_map.get(scope_key) || 0;
+    this.scope_version_map.set(scope_key, current_version + 1);
+
+    // Remove entries where cache version is older than scope version
+    const entries_to_remove: string[] = [];
+    for (const [user_id, entry] of this.cache.entries()) {
+      // Check if user has this scope
+      const has_scope = entry.scopes.some(
+        (s) => s.scope_type === scope_type && s.scope_id === scope_id
+      );
+      if (has_scope) {
+        entries_to_remove.push(user_id);
+      }
+    }
+
+    for (const user_id of entries_to_remove) {
+      this.cache.delete(user_id);
+    }
+  }
+
+  /**
+   * Invalidates cache for all users with any scope of a specific level
+   * @param scope_type - Scope level to invalidate
+   */
+  invalidate_by_scope_level(scope_type: ScopeLevel): void {
+    const entries_to_remove: string[] = [];
+    for (const [user_id, entry] of this.cache.entries()) {
+      // Check if user has any scope of this level
+      const has_level = entry.scopes.some((s) => s.scope_type === scope_type);
+      if (has_level) {
+        entries_to_remove.push(user_id);
+      }
+    }
+
+    for (const user_id of entries_to_remove) {
+      this.cache.delete(user_id);
+    }
+  }
+
+  /**
+   * Invalidates all cache entries
+   */
+  invalidate_all(): void {
+    this.cache.clear();
+    this.scope_version_map.clear();
+  }
+
+  /**
+   * Gets the maximum cache version for a set of scopes
+   * Used to determine if cache entry is stale
+   * @param scopes - Array of scope entries
+   * @returns Maximum version number
+   */
+  private get_max_scope_version(scopes: UserScopeEntry[]): number {
+    if (scopes.length === 0) {
+      return 0;
+    }
+
+    let max_version = 0;
+    for (const scope of scopes) {
+      const scope_key = `${scope.scope_type}:${scope.scope_id}`;
+      const version = this.scope_version_map.get(scope_key) || 0;
+      max_version = Math.max(max_version, version);
+    }
+
+    return max_version;
+  }
+
+  /**
+   * Gets cache statistics
+   * @returns Object with cache size and max size
+   */
+  get_stats(): {
+    size: number;
+    max_size: number;
+  } {
+    return {
+      size: this.cache.size,
+      max_size: this.max_size,
+    };
+  }
+}
+
+// section: singleton
+// Global scope cache instance (initialized with defaults, will be configured on first use)
+let scope_cache_instance: ScopeCache | null = null;
+
+/**
+ * Gets or creates the global scope cache instance
+ * @param max_size - Maximum cache size (default: 5000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Scope cache instance
+ */
+export function get_scope_cache(
+  max_size: number = 5000,
+  ttl_minutes: number = 15
+): ScopeCache {
+  if (!scope_cache_instance) {
+    scope_cache_instance = new ScopeCache(max_size, ttl_minutes);
+  }
+  return scope_cache_instance;
+}
+
+/**
+ * Resets the global scope cache instance (useful for testing)
+ */
+export function reset_scope_cache(): void {
+  scope_cache_instance = null;
+}

package/cli-src/lib/auth/server_auth.ts

@@ -0,0 +1,88 @@
+// file_description: server-side auth utilities for server components and pages
+// section: imports
+import { cookies } from "next/headers";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
+
+// section: types
+export type ServerAuthUser = {
+  authenticated: true;
+  user_id: string;
+  email: string;
+  name?: string;
+  email_verified: boolean;
+  is_active: boolean;
+  last_logon?: string;
+  profile_picture_url?: string;
+  profile_source?: "upload" | "library" | "gravatar" | "custom";
+};
+
+export type ServerAuthResult = 
+  | ServerAuthUser
+  | { authenticated: false };
+
+// section: functions
+/**
+ * Gets authenticated user in server components/pages
+ * Uses Next.js cookies() function to read authentication cookies
+ * @returns ServerAuthResult with user info or authenticated: false
+ */
+export async function get_server_auth_user(): Promise<ServerAuthResult> {
+  const cookie_store = await cookies();
+  const user_id = cookie_store.get("hazo_auth_user_id")?.value;
+  const user_email = cookie_store.get("hazo_auth_user_email")?.value;
+
+  if (!user_id || !user_email) {
+    return { authenticated: false };
+  }
+
+  try {
+    const hazoConnect = get_hazo_connect_instance();
+    const users_service = createCrudService(hazoConnect, "hazo_users");
+    
+    const users = await users_service.findBy({
+      id: user_id,
+      email_address: user_email,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return { authenticated: false };
+    }
+
+    const user = users[0];
+
+    // Check if user is active
+    if (user.is_active === false) {
+      return { authenticated: false };
+    }
+
+    // Map database profile_source to UI representation
+    const profile_source_db = user.profile_source as string | null | undefined;
+    const profile_source_ui = profile_source_db ? map_db_source_to_ui(profile_source_db) : undefined;
+
+    return {
+      authenticated: true,
+      user_id: user.id as string,
+      email: user.email_address as string,
+      name: (user.name as string | null | undefined) || undefined,
+      email_verified: user.email_verified === true,
+      is_active: user.is_active === true,
+      last_logon: (user.last_logon as string | null | undefined) || undefined,
+      profile_picture_url: (user.profile_picture_url as string | null | undefined) || undefined,
+      profile_source: profile_source_ui,
+    };
+  } catch (error) {
+    return { authenticated: false };
+  }
+}
+
+/**
+ * Checks if user is authenticated in server components/pages (simple boolean check)
+ * @returns true if authenticated, false otherwise
+ */
+export async function is_server_authenticated(): Promise<boolean> {
+  const result = await get_server_auth_user();
+  return result.authenticated;
+}
+

package/cli-src/lib/auth/session_token_validator.edge.ts

@@ -0,0 +1,91 @@
+// file_description: Edge-compatible JWT session token validator for Next.js proxy/middleware
+// Uses jose library which works in Edge Runtime
+// section: imports
+import { jwtVerify } from "jose";
+import type { NextRequest } from "next/server";
+
+// section: types
+export type ValidateSessionCookieResult = {
+  valid: boolean;
+  user_id?: string;
+  email?: string;
+};
+
+// section: helpers
+/**
+ * Gets JWT secret from environment variables
+ * Works in Edge Runtime (no Node.js APIs)
+ * @returns JWT secret as Uint8Array for jose library
+ */
+function get_jwt_secret(): Uint8Array | null {
+  const jwt_secret = process.env.JWT_SECRET;
+  
+  if (!jwt_secret) {
+    // In Edge Runtime, we can't use logger, so we just return null
+    // The validation will fail gracefully
+    return null;
+  }
+  
+  // Convert string secret to Uint8Array for jose
+  return new TextEncoder().encode(jwt_secret);
+}
+
+// section: main_function
+/**
+ * Validates session cookie from NextRequest (Edge-compatible)
+ * Extracts hazo_auth_session cookie and validates JWT signature and expiry
+ * Works in Edge Runtime (Next.js proxy/middleware)
+ * @param request - NextRequest object
+ * @returns Validation result with user_id and email if valid
+ */
+export async function validate_session_cookie(
+  request: NextRequest,
+): Promise<ValidateSessionCookieResult> {
+  try {
+    // Extract session cookie
+    const session_cookie = request.cookies.get("hazo_auth_session")?.value;
+    
+    if (!session_cookie) {
+      return { valid: false };
+    }
+    
+    // Get JWT secret
+    const secret = get_jwt_secret();
+    
+    if (!secret) {
+      // JWT_SECRET not set - cannot validate
+      return { valid: false };
+    }
+    
+    // Verify JWT signature and expiration
+    const { payload } = await jwtVerify(session_cookie, secret, {
+      algorithms: ["HS256"],
+    });
+    
+    // Extract user_id and email from payload
+    const user_id = payload.user_id as string;
+    const email = payload.email as string;
+    
+    if (!user_id || !email) {
+      return { valid: false };
+    }
+    
+    return {
+      valid: true,
+      user_id,
+      email,
+    };
+  } catch (error) {
+    // jose throws JWTExpired, JWTInvalid, etc. - these are expected for invalid tokens
+    // In Edge Runtime, we can't log, so we just return invalid
+    return { valid: false };
+  }
+}
+
+
+
+
+
+
+
+