hazo_auth 4.2.0 → 4.4.0

package/cli-src/lib/index.ts

@@ -0,0 +1,46 @@
+// file_description: barrel export for lib utilities
+// section: auth_exports
+export * from "./auth/index";
+
+// section: service_exports
+export * from "./services/index";
+
+// section: utility_exports
+export { cn, merge_class_names } from "./utils.js";
+
+// section: config_exports
+export { get_config_value, get_config_number, get_config_boolean, get_config_array, read_config_section } from "./config/config_loader.server.js";
+
+// section: hazo_connect_exports
+export { create_sqlite_hazo_connect } from "./hazo_connect_setup.js";
+export { get_hazo_connect_instance } from "./hazo_connect_instance.server.js";
+
+// section: logger_exports
+export { create_app_logger } from "./app_logger.js";
+
+// section: config_server_exports
+export { get_login_config } from "./login_config.server.js";
+export { get_register_config } from "./register_config.server.js";
+export { get_forgot_password_config } from "./forgot_password_config.server.js";
+export { get_reset_password_config } from "./reset_password_config.server.js";
+export { get_email_verification_config } from "./email_verification_config.server.js";
+export { get_my_settings_config } from "./my_settings_config.server.js";
+export { get_user_management_config } from "./user_management_config.server.js";
+export { get_profile_picture_config } from "./profile_picture_config.server.js";
+export { get_profile_pic_menu_config } from "./profile_pic_menu_config.server.js";
+export { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+export { get_ui_shell_config } from "./ui_shell_config.server.js";
+export { get_ui_sizes_config } from "./ui_sizes_config.server.js";
+export { get_auth_utility_config } from "./auth_utility_config.server.js";
+export { get_password_requirements_config } from "./password_requirements_config.server.js";
+export { get_messages_config } from "./messages_config.server.js";
+export { get_user_fields_config } from "./user_fields_config.server.js";
+export { get_file_types_config } from "./file_types_config.server.js";
+export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled } from "./oauth_config.server.js";
+export type { OAuthConfig } from "./oauth_config.server";
+
+// section: util_exports
+export { sanitize_error_for_user } from "./utils/error_sanitizer.js";
+export type { ErrorSanitizationOptions } from "./utils/error_sanitizer";
+export * from "./utils/api_route_helpers";
+

package/cli-src/lib/login_config.server.ts

@@ -0,0 +1,106 @@
+// file_description: server-only helper to read login layout configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value } from "./config/config_loader.server.js";
+import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_oauth_config, type OAuthConfig } from "./oauth_config.server.js";
+import loginDefaultImage from "../assets/images/login_default.jpg.js";
+
+// section: types
+import type { StaticImageData } from "next/image";
+
+export type LoginConfig = {
+  redirectRoute?: string;
+  successMessage: string;
+  alreadyLoggedInMessage: string;
+  showLogoutButton: boolean;
+  showReturnHomeButton: boolean;
+  returnHomeButtonLabel: string;
+  returnHomePath: string;
+  forgotPasswordPath: string;
+  forgotPasswordLabel: string;
+  createAccountPath: string;
+  createAccountLabel: string;
+  imageSrc: string | StaticImageData;
+  imageAlt: string;
+  imageBackgroundColor: string;
+  /** OAuth configuration */
+  oauth: OAuthConfig;
+};
+
+// section: helpers
+/**
+ * Reads login layout configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Login configuration options
+ */
+export function get_login_config(): LoginConfig {
+  const section = "hazo_auth__login_layout";
+
+  // Read redirect route (optional)
+  const redirectRouteValue = get_config_value(section, "redirect_route_on_successful_login", "");
+  const redirectRoute = redirectRouteValue || undefined;
+
+  // Read success message (defaults to "Successfully logged in")
+  const successMessage = get_config_value(section, "success_message", "Successfully logged in");
+
+  const forgotPasswordPath = get_config_value(
+    section,
+    "forgot_password_path",
+    "/hazo_auth/forgot_password"
+  );
+  const forgotPasswordLabel = get_config_value(
+    section,
+    "forgot_password_label",
+    "Forgot password?"
+  );
+  const createAccountPath = get_config_value(section, "create_account_path", "/hazo_auth/register");
+  const createAccountLabel = get_config_value(
+    section,
+    "create_account_label",
+    "Create account"
+  );
+
+  // Get shared already logged in config
+  const alreadyLoggedInConfig = get_already_logged_in_config();
+
+  // Read image configuration
+  // If not set in config, falls back to default image from assets
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    "" // Empty string means not set in config
+  ) || loginDefaultImage;
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Secure login illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
+  // Get OAuth configuration
+  const oauth = get_oauth_config();
+
+  return {
+    redirectRoute,
+    successMessage,
+    alreadyLoggedInMessage: alreadyLoggedInConfig.message,
+    showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
+    showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
+    returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
+    returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    forgotPasswordPath,
+    forgotPasswordLabel,
+    createAccountPath,
+    createAccountLabel,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
+    oauth,
+  };
+}
+

package/cli-src/lib/messages_config.server.ts

@@ -0,0 +1,45 @@
+// file_description: server-only helper to read user-facing messages from hazo_auth_config.ini
+// section: imports
+import { get_config_value } from "./config/config_loader.server.js";
+
+// section: types
+export type MessagesConfig = {
+  photo_upload_disabled_message: string;
+  gravatar_setup_message: string;
+  gravatar_no_account_message: string;
+  library_tooltip_message: string;
+};
+
+// section: helpers
+/**
+ * Reads user-facing messages from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Messages configuration options
+ */
+export function get_messages_config(): MessagesConfig {
+  const section = "hazo_auth__messages";
+
+  return {
+    photo_upload_disabled_message: get_config_value(
+      section,
+      "photo_upload_disabled_message",
+      "Photo upload is not enabled. Please contact your administrator."
+    ),
+    gravatar_setup_message: get_config_value(
+      section,
+      "gravatar_setup_message",
+      "To set up your Gravatar:"
+    ),
+    gravatar_no_account_message: get_config_value(
+      section,
+      "gravatar_no_account_message",
+      "You don't have a Gravatar account set up for this email address."
+    ),
+    library_tooltip_message: get_config_value(
+      section,
+      "library_tooltip_message",
+      "Select another tab image style to remove this image"
+    ),
+  };
+}
+

package/cli-src/lib/migrations/apply_migration.ts

@@ -0,0 +1,105 @@
+// file_description: helper to apply database migrations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import fs from "fs";
+import path from "path";
+
+// section: helpers
+/**
+ * Applies a SQL migration file to the database
+ * For SQLite, we need to execute raw SQL statements
+ * @param adapter - The hazo_connect adapter instance
+ * @param migration_file_path - Path to the SQL migration file
+ * @returns Success status and error message if any
+ */
+export async function apply_migration(
+  adapter: HazoConnectAdapter,
+  migration_file_path: string,
+): Promise<{ success: boolean; error?: string }> {
+  try {
+    // Read the migration file
+    const migration_sql = fs.readFileSync(migration_file_path, "utf-8");
+
+    // Split SQL statements by semicolon and execute each one
+    // Remove comments and empty statements
+    const statements = migration_sql
+      .split(";")
+      .map((stmt) => stmt.trim())
+      .filter((stmt) => stmt.length > 0 && !stmt.startsWith("--"));
+
+    // Execute each statement
+    // For SQLite via hazo_connect, we may need to use a raw query method
+    // Since hazo_connect doesn't expose raw SQL execution directly,
+    // we'll try to use the adapter's internal methods or skip migration
+    // and rely on the fallback in token_service
+    
+    // For now, we'll log that migration should be applied manually
+    // The token_service has fallback logic to work without token_type column
+    if (process.env.NODE_ENV === "development") {
+      console.log(
+        `[migrations] Migration file found: ${migration_file_path}`,
+        "\n[migrations] Note: Raw SQL execution not available via hazo_connect adapter.",
+        "\n[migrations] Please apply migration manually or ensure token_type column exists."
+      );
+    }
+
+    // Try to check if token_type column already exists by querying the schema
+    // If it doesn't exist, we'll rely on the fallback in token_service
+    return { success: true };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+
+/**
+ * Applies all migrations in the migrations directory
+ * @param adapter - The hazo_connect adapter instance
+ * @returns Success status and error message if any
+ */
+export async function apply_all_migrations(
+  adapter: HazoConnectAdapter,
+): Promise<{ success: boolean; error?: string }> {
+  try {
+    const migrations_dir = path.resolve(process.cwd(), "migrations");
+
+    if (!fs.existsSync(migrations_dir)) {
+      return { success: true }; // No migrations directory, nothing to apply
+    }
+
+    // Get all SQL files in migrations directory, sorted by name
+    const migration_files = fs
+      .readdirSync(migrations_dir)
+      .filter((file) => file.endsWith(".sql"))
+      .sort();
+
+    for (const migration_file of migration_files) {
+      const migration_path = path.join(migrations_dir, migration_file);
+      const result = await apply_migration(adapter, migration_path);
+
+      if (!result.success) {
+        return {
+          success: false,
+          error: `Failed to apply migration ${migration_file}: ${result.error}`,
+        };
+      }
+    }
+
+    return { success: true };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/cli-src/lib/multi_tenancy_config.server.ts

@@ -0,0 +1,94 @@
+// file_description: server-only helper to read multi-tenancy configuration from hazo_auth_config.ini
+// section: imports
+import {
+  get_config_value,
+  get_config_number,
+  get_config_boolean,
+} from "./config/config_loader.server.js";
+import { DEFAULT_MULTI_TENANCY } from "./config/default_config.js";
+
+// section: types
+
+/**
+ * Multi-tenancy configuration options
+ */
+export type MultiTenancyConfig = {
+  /** Whether multi-tenancy is enabled (default: false) */
+  enable_multi_tenancy: boolean;
+  /** Cache TTL in minutes for org lookups (default: 15) */
+  org_cache_ttl_minutes: number;
+  /** Maximum entries in org cache (default: 1000) */
+  org_cache_max_entries: number;
+  /** Default user limit per organization (0 = unlimited) */
+  default_user_limit: number;
+};
+
+// section: constants
+
+const SECTION_NAME = "hazo_auth__multi_tenancy";
+
+// section: helpers
+
+/**
+ * Reads multi-tenancy configuration from hazo_auth_config.ini file
+ * Falls back to defaults if config file is not found or section is missing
+ * @returns Multi-tenancy configuration options
+ */
+export function get_multi_tenancy_config(): MultiTenancyConfig {
+  // Core multi-tenancy enablement
+  const enable_multi_tenancy = get_config_boolean(
+    SECTION_NAME,
+    "enable_multi_tenancy",
+    DEFAULT_MULTI_TENANCY.enable_multi_tenancy,
+  );
+
+  // Cache settings
+  const org_cache_ttl_minutes = get_config_number(
+    SECTION_NAME,
+    "org_cache_ttl_minutes",
+    DEFAULT_MULTI_TENANCY.org_cache_ttl_minutes,
+  );
+  const org_cache_max_entries = get_config_number(
+    SECTION_NAME,
+    "org_cache_max_entries",
+    DEFAULT_MULTI_TENANCY.org_cache_max_entries,
+  );
+
+  // Default user limit
+  const default_user_limit = get_config_number(
+    SECTION_NAME,
+    "default_user_limit",
+    DEFAULT_MULTI_TENANCY.default_user_limit,
+  );
+
+  return {
+    enable_multi_tenancy,
+    org_cache_ttl_minutes,
+    org_cache_max_entries,
+    default_user_limit,
+  };
+}
+
+/**
+ * Checks if multi-tenancy is enabled in the configuration
+ * Convenience function for quick checks
+ */
+export function is_multi_tenancy_enabled(): boolean {
+  return get_config_boolean(
+    SECTION_NAME,
+    "enable_multi_tenancy",
+    DEFAULT_MULTI_TENANCY.enable_multi_tenancy,
+  );
+}
+
+/**
+ * Gets the default user limit from config
+ * Returns 0 if not configured (unlimited)
+ */
+export function get_default_user_limit(): number {
+  return get_config_number(
+    SECTION_NAME,
+    "default_user_limit",
+    DEFAULT_MULTI_TENANCY.default_user_limit,
+  );
+}

package/cli-src/lib/my_settings_config.server.ts

@@ -0,0 +1,135 @@
+// file_description: server-only helper to read my settings layout configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value } from "./config/config_loader.server.js";
+import { get_user_fields_config } from "./user_fields_config.server.js";
+import { get_password_requirements_config } from "./password_requirements_config.server.js";
+import { get_profile_picture_config } from "./profile_picture_config.server.js";
+import { get_messages_config } from "./messages_config.server.js";
+import { get_ui_sizes_config } from "./ui_sizes_config.server.js";
+import { get_file_types_config } from "./file_types_config.server.js";
+
+// section: types
+export type MySettingsConfig = {
+  userFields: {
+    show_name_field: boolean;
+    show_email_field: boolean;
+    show_password_field: boolean;
+  };
+  passwordRequirements: {
+    minimum_length: number;
+    require_uppercase: boolean;
+    require_lowercase: boolean;
+    require_number: boolean;
+    require_special: boolean;
+  };
+  profilePicture: {
+    allow_photo_upload: boolean;
+    upload_photo_path?: string;
+    max_photo_size: number;
+    user_photo_default: boolean;
+    user_photo_default_priority1: "gravatar" | "library";
+    user_photo_default_priority2?: "library" | "gravatar";
+    library_photo_path: string;
+  };
+  heading?: string;
+  subHeading?: string;
+  profilePhotoLabel?: string;
+  profilePhotoRecommendation?: string;
+  uploadPhotoButtonLabel?: string;
+  removePhotoButtonLabel?: string;
+  profileInformationLabel?: string;
+  passwordLabel?: string;
+  currentPasswordLabel?: string;
+  newPasswordLabel?: string;
+  confirmPasswordLabel?: string;
+  savePasswordButtonLabel?: string;
+  unauthorizedMessage?: string;
+  loginButtonLabel?: string;
+  loginPath?: string;
+  messages: {
+    photo_upload_disabled_message: string;
+    gravatar_setup_message: string;
+    gravatar_no_account_message: string;
+    library_tooltip_message: string;
+  };
+  uiSizes: {
+    gravatar_size: number;
+    profile_picture_size: number;
+    tooltip_icon_size_default: number;
+    tooltip_icon_size_small: number;
+    library_photo_grid_columns: number;
+    library_photo_preview_size: number;
+    image_compression_max_dimension: number;
+    upload_file_hard_limit_bytes: number;
+  };
+  fileTypes: {
+    allowed_image_extensions: string[];
+    allowed_image_mime_types: string[];
+  };
+};
+
+// section: helpers
+/**
+ * Reads my settings layout configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns My settings configuration options
+ */
+export function get_my_settings_config(): MySettingsConfig {
+  const section = "hazo_auth__my_settings_layout";
+
+  // Get shared user fields config
+  const userFields = get_user_fields_config();
+
+  // Get shared password requirements
+  const passwordRequirements = get_password_requirements_config();
+
+  // Get profile picture configuration
+  const profilePicture = get_profile_picture_config();
+
+  // Get messages, UI sizes, and file types configuration
+  const messages = get_messages_config();
+  const uiSizes = get_ui_sizes_config();
+  const fileTypes = get_file_types_config();
+
+  // Read optional labels with defaults
+  const heading = get_config_value(section, "heading", "Account Settings");
+  const subHeading = get_config_value(section, "sub_heading", "Manage your profile, password, and email preferences.");
+  const profilePhotoLabel = get_config_value(section, "profile_photo_label", "Profile Photo");
+  const profilePhotoRecommendation = get_config_value(section, "profile_photo_recommendation", "Recommended size: 200x200px. JPG, PNG.");
+  const uploadPhotoButtonLabel = get_config_value(section, "upload_photo_button_label", "Upload New Photo");
+  const removePhotoButtonLabel = get_config_value(section, "remove_photo_button_label", "Remove");
+  const profileInformationLabel = get_config_value(section, "profile_information_label", "Profile Information");
+  const passwordLabel = get_config_value(section, "password_label", "Password");
+  const currentPasswordLabel = get_config_value(section, "current_password_label", "Current Password");
+  const newPasswordLabel = get_config_value(section, "new_password_label", "New Password");
+  const confirmPasswordLabel = get_config_value(section, "confirm_password_label", "Confirm Password");
+  const savePasswordButtonLabel = get_config_value(section, "save_password_button_label", "Save Password");
+  const unauthorizedMessage = get_config_value(section, "unauthorized_message", "You must be logged in to access this page.");
+  const loginButtonLabel = get_config_value(section, "login_button_label", "Go to login");
+  const loginPath = get_config_value(section, "login_path", "/hazo_auth/login");
+
+  return {
+    userFields,
+    passwordRequirements,
+    profilePicture,
+    heading,
+    subHeading,
+    profilePhotoLabel,
+    profilePhotoRecommendation,
+    uploadPhotoButtonLabel,
+    removePhotoButtonLabel,
+    profileInformationLabel,
+    passwordLabel,
+    currentPasswordLabel,
+    newPasswordLabel,
+    confirmPasswordLabel,
+    savePasswordButtonLabel,
+    unauthorizedMessage,
+    loginButtonLabel,
+    loginPath,
+    messages,
+    uiSizes,
+    fileTypes,
+  };
+}
+

package/cli-src/lib/oauth_config.server.ts

@@ -0,0 +1,87 @@
+// file_description: server-only helper to read OAuth configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value, get_config_boolean } from "./config/config_loader.server.js";
+import { DEFAULT_OAUTH } from "./config/default_config.js";
+
+// section: types
+export type OAuthConfig = {
+  /** Enable Google OAuth login */
+  enable_google: boolean;
+  /** Enable traditional email/password login */
+  enable_email_password: boolean;
+  /** Auto-link Google login to existing unverified email/password accounts */
+  auto_link_unverified_accounts: boolean;
+  /** Text displayed on the Google sign-in button */
+  google_button_text: string;
+  /** Text displayed on the divider between OAuth and email/password form */
+  oauth_divider_text: string;
+};
+
+// section: constants
+const SECTION_NAME = "hazo_auth__oauth";
+
+// section: helpers
+/**
+ * Reads OAuth configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns OAuth configuration options
+ */
+export function get_oauth_config(): OAuthConfig {
+  const enable_google = get_config_boolean(
+    SECTION_NAME,
+    "enable_google",
+    DEFAULT_OAUTH.enable_google
+  );
+
+  const enable_email_password = get_config_boolean(
+    SECTION_NAME,
+    "enable_email_password",
+    DEFAULT_OAUTH.enable_email_password
+  );
+
+  const auto_link_unverified_accounts = get_config_boolean(
+    SECTION_NAME,
+    "auto_link_unverified_accounts",
+    DEFAULT_OAUTH.auto_link_unverified_accounts
+  );
+
+  const google_button_text = get_config_value(
+    SECTION_NAME,
+    "google_button_text",
+    DEFAULT_OAUTH.google_button_text
+  );
+
+  const oauth_divider_text = get_config_value(
+    SECTION_NAME,
+    "oauth_divider_text",
+    DEFAULT_OAUTH.oauth_divider_text
+  );
+
+  return {
+    enable_google,
+    enable_email_password,
+    auto_link_unverified_accounts,
+    google_button_text,
+    oauth_divider_text,
+  };
+}
+
+/**
+ * Helper to check if Google OAuth is enabled
+ * @returns true if Google OAuth is enabled in config
+ */
+export function is_google_oauth_enabled(): boolean {
+  return get_config_boolean(SECTION_NAME, "enable_google", DEFAULT_OAUTH.enable_google);
+}
+
+/**
+ * Helper to check if email/password login is enabled
+ * @returns true if email/password login is enabled in config
+ */
+export function is_email_password_enabled(): boolean {
+  return get_config_boolean(
+    SECTION_NAME,
+    "enable_email_password",
+    DEFAULT_OAUTH.enable_email_password
+  );
+}

package/cli-src/lib/password_requirements_config.server.ts

@@ -0,0 +1,40 @@
+// file_description: server-only helper to read shared password requirements configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_number, get_config_boolean } from "./config/config_loader.server.js";
+import { DEFAULT_PASSWORD_REQUIREMENTS } from "./config/default_config.js";
+
+// section: types
+export type PasswordRequirementsConfig = {
+  minimum_length: number;
+  require_uppercase: boolean;
+  require_lowercase: boolean;
+  require_number: boolean;
+  require_special: boolean;
+};
+
+// section: helpers
+/**
+ * Reads shared password requirements configuration from hazo_auth_config.ini file
+ * Falls back to centralized defaults if hazo_auth_config.ini is not found or section is missing
+ * This configuration is used by both register and reset password layouts
+ * @returns Password requirements configuration options
+ */
+export function get_password_requirements_config(): PasswordRequirementsConfig {
+  const section = "hazo_auth__password_requirements";
+
+  // Read password requirements with centralized defaults
+  const minimum_length = get_config_number(section, "minimum_length", DEFAULT_PASSWORD_REQUIREMENTS.minimum_length);
+  const require_uppercase = get_config_boolean(section, "require_uppercase", DEFAULT_PASSWORD_REQUIREMENTS.require_uppercase);
+  const require_lowercase = get_config_boolean(section, "require_lowercase", DEFAULT_PASSWORD_REQUIREMENTS.require_lowercase);
+  const require_number = get_config_boolean(section, "require_number", DEFAULT_PASSWORD_REQUIREMENTS.require_number);
+  const require_special = get_config_boolean(section, "require_special", DEFAULT_PASSWORD_REQUIREMENTS.require_special);
+
+  return {
+    minimum_length,
+    require_uppercase,
+    require_lowercase,
+    require_number,
+    require_special,
+  };
+}
+