npm - hazo_auth - Versions diffs - 4.2.0 → 4.4.0 - Mend

hazo_auth 4.2.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/bin/hazo_auth.mjs +35 -0
package/cli-src/assets/images/forgot_password_default.jpg +0 -0
package/cli-src/assets/images/login_default.jpg +0 -0
package/cli-src/assets/images/register_default.jpg +0 -0
package/cli-src/assets/images/reset_password_default.jpg +0 -0
package/cli-src/assets/images/verify_email_default.jpg +0 -0
package/cli-src/cli/generate.ts +276 -0
package/cli-src/cli/index.ts +207 -0
package/cli-src/cli/init.ts +254 -0
package/cli-src/cli/init_users.ts +376 -0
package/cli-src/cli/validate.ts +581 -0
package/cli-src/lib/already_logged_in_config.server.ts +46 -0
package/cli-src/lib/app_logger.ts +24 -0
package/cli-src/lib/auth/auth_cache.ts +220 -0
package/cli-src/lib/auth/auth_rate_limiter.ts +121 -0
package/cli-src/lib/auth/auth_types.ts +117 -0
package/cli-src/lib/auth/auth_utils.server.ts +196 -0
package/cli-src/lib/auth/dev_lock_validator.edge.ts +171 -0
package/cli-src/lib/auth/hazo_get_auth.server.ts +583 -0
package/cli-src/lib/auth/index.ts +23 -0
package/cli-src/lib/auth/nextauth_config.ts +227 -0
package/cli-src/lib/auth/org_cache.ts +148 -0
package/cli-src/lib/auth/scope_cache.ts +233 -0
package/cli-src/lib/auth/server_auth.ts +88 -0
package/cli-src/lib/auth/session_token_validator.edge.ts +92 -0
package/cli-src/lib/auth_utility_config.server.ts +136 -0
package/cli-src/lib/config/config_loader.server.ts +164 -0
package/cli-src/lib/config/default_config.ts +243 -0
package/cli-src/lib/dev_lock_config.server.ts +148 -0
package/cli-src/lib/email_verification_config.server.ts +63 -0
package/cli-src/lib/file_types_config.server.ts +25 -0
package/cli-src/lib/forgot_password_config.server.ts +63 -0
package/cli-src/lib/hazo_connect_instance.server.ts +101 -0
package/cli-src/lib/hazo_connect_setup.server.ts +194 -0
package/cli-src/lib/hazo_connect_setup.ts +54 -0
package/cli-src/lib/index.ts +46 -0
package/cli-src/lib/login_config.server.ts +106 -0
package/cli-src/lib/messages_config.server.ts +45 -0
package/cli-src/lib/migrations/apply_migration.ts +105 -0
package/cli-src/lib/multi_tenancy_config.server.ts +94 -0
package/cli-src/lib/my_settings_config.server.ts +135 -0
package/cli-src/lib/oauth_config.server.ts +87 -0
package/cli-src/lib/password_requirements_config.server.ts +40 -0
package/cli-src/lib/profile_pic_menu_config.server.ts +138 -0
package/cli-src/lib/profile_picture_config.server.ts +56 -0
package/cli-src/lib/register_config.server.ts +101 -0
package/cli-src/lib/reset_password_config.server.ts +103 -0
package/cli-src/lib/scope_hierarchy_config.server.ts +151 -0
package/cli-src/lib/services/email_service.ts +587 -0
package/cli-src/lib/services/email_verification_service.ts +270 -0
package/cli-src/lib/services/index.ts +16 -0
package/cli-src/lib/services/login_service.ts +150 -0
package/cli-src/lib/services/oauth_service.ts +494 -0
package/cli-src/lib/services/org_service.ts +965 -0
package/cli-src/lib/services/password_change_service.ts +154 -0
package/cli-src/lib/services/password_reset_service.ts +418 -0
package/cli-src/lib/services/profile_picture_remove_service.ts +120 -0
package/cli-src/lib/services/profile_picture_service.ts +451 -0
package/cli-src/lib/services/profile_picture_source_mapper.ts +62 -0
package/cli-src/lib/services/registration_service.ts +185 -0
package/cli-src/lib/services/scope_labels_service.ts +348 -0
package/cli-src/lib/services/scope_service.ts +778 -0
package/cli-src/lib/services/session_token_service.ts +178 -0
package/cli-src/lib/services/token_service.ts +240 -0
package/cli-src/lib/services/user_profiles_cache.ts +189 -0
package/cli-src/lib/services/user_profiles_service.ts +264 -0
package/cli-src/lib/services/user_scope_service.ts +554 -0
package/cli-src/lib/services/user_update_service.ts +141 -0
package/cli-src/lib/ui_shell_config.server.ts +73 -0
package/cli-src/lib/ui_sizes_config.server.ts +37 -0
package/cli-src/lib/user_fields_config.server.ts +31 -0
package/cli-src/lib/user_management_config.server.ts +39 -0
package/cli-src/lib/user_profiles_config.server.ts +55 -0
package/cli-src/lib/utils/api_route_helpers.ts +60 -0
package/cli-src/lib/utils/error_sanitizer.ts +75 -0
package/cli-src/lib/utils/password_validator.ts +65 -0
package/cli-src/lib/utils.ts +11 -0
package/cli-src/server/logging/logger_service.ts +56 -0
package/cli-src/server/types/app_types.ts +74 -0
package/cli-src/server/types/express.d.ts +16 -0
package/dist/cli/index.js +18 -0
package/dist/cli/init_users.d.ts +17 -0
package/dist/cli/init_users.d.ts.map +1 -0
package/dist/cli/init_users.js +307 -0
package/dist/components/layouts/dev_lock/index.d.ts +29 -0
package/dist/components/layouts/dev_lock/index.d.ts.map +1 -0
package/dist/components/layouts/dev_lock/index.js +60 -0
package/dist/components/layouts/index.d.ts +2 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +1 -0
package/dist/components/layouts/org_management/index.d.ts +26 -0
package/dist/components/layouts/org_management/index.d.ts.map +1 -0
package/dist/components/layouts/org_management/index.js +75 -0
package/dist/components/layouts/shared/config/layout_customization.d.ts +2 -7
package/dist/components/layouts/shared/config/layout_customization.d.ts.map +1 -1
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts +13 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts.map +1 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.js +276 -0
package/dist/components/layouts/user_management/index.d.ts +3 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +10 -4
package/dist/lib/auth/auth_types.d.ts +6 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/dev_lock_validator.edge.d.ts +38 -0
package/dist/lib/auth/dev_lock_validator.edge.d.ts.map +1 -0
package/dist/lib/auth/dev_lock_validator.edge.js +122 -0
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +61 -1
package/dist/lib/auth/org_cache.d.ts +65 -0
package/dist/lib/auth/org_cache.d.ts.map +1 -0
package/dist/lib/auth/org_cache.js +103 -0
package/dist/lib/config/default_config.d.ts +76 -0
package/dist/lib/config/default_config.d.ts.map +1 -1
package/dist/lib/config/default_config.js +42 -0
package/dist/lib/dev_lock_config.server.d.ts +41 -0
package/dist/lib/dev_lock_config.server.d.ts.map +1 -0
package/dist/lib/dev_lock_config.server.js +50 -0
package/dist/lib/multi_tenancy_config.server.d.ts +30 -0
package/dist/lib/multi_tenancy_config.server.d.ts.map +1 -0
package/dist/lib/multi_tenancy_config.server.js +41 -0
package/dist/lib/services/org_service.d.ts +191 -0
package/dist/lib/services/org_service.d.ts.map +1 -0
package/dist/lib/services/org_service.js +746 -0
package/dist/lib/utils/password_validator.d.ts +7 -1
package/dist/lib/utils/password_validator.d.ts.map +1 -1
package/dist/page_components/dev_lock.d.ts +11 -0
package/dist/page_components/dev_lock.d.ts.map +1 -0
package/dist/page_components/dev_lock.js +17 -0
package/dist/page_components/index.d.ts +1 -0
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +1 -0
package/dist/page_components/org_management.d.ts +27 -0
package/dist/page_components/org_management.d.ts.map +1 -0
package/dist/page_components/org_management.js +18 -0
package/hazo_auth_config.example.ini +30 -0
package/package.json +27 -3

package/cli-src/lib/services/email_verification_service.ts ADDED Viewed

@@ -0,0 +1,270 @@
+// file_description: service for email verification operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { create_token } from "./token_service.js";
+import { send_template_email } from "./email_service.js";
+import { create_app_logger } from "../app_logger.js";
+// section: types
+export type EmailVerificationTokenData = {
+  token: string;
+};
+export type EmailVerificationResult = {
+  success: boolean;
+  user_id?: string;
+  email?: string;
+  error?: string;
+};
+export type ResendVerificationData = {
+  email: string;
+};
+export type ResendVerificationResult = {
+  success: boolean;
+  error?: string;
+};
+// section: helpers
+/**
+ * Verifies an email verification token
+ * Updates email_verified to true in hazo_users and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Email verification token data (token)
+ * @returns Email verification result with success status, user_id, email, or error
+ */
+export async function verify_email_token(
+  adapter: HazoConnectAdapter,
+  data: EmailVerificationTokenData,
+): Promise<EmailVerificationResult> {
+  try {
+    const { token } = data;
+    // Create CRUD service for hazo_refresh_tokens table
+    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+    // Find all email verification tokens
+    // If token_type column doesn't exist, query all tokens and filter manually
+    let all_tokens: unknown[] = [];
+    try {
+      all_tokens = (await tokens_service.findBy({
+        token_type: "email_verification",
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, get all tokens and we'll verify each one
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("email_verification_service_token_type_column_missing", {
+        filename: "email_verification_service.ts",
+        line_number: 0,
+        error: error_message,
+        note: "token_type column may not exist, querying all tokens",
+      });
+      try {
+        // Query all tokens (will need to verify each one)
+        all_tokens = (await tokens_service.findBy({})) as unknown[];
+      } catch (fallbackError) {
+        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+        logger.error("email_verification_service_query_tokens_failed", {
+          filename: "email_verification_service.ts",
+          line_number: 0,
+          error: fallback_error_message,
+        });
+        return {
+          success: false,
+          error: "Invalid or expired verification token",
+        };
+      }
+    }
+    if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+      return {
+        success: false,
+        error: "Invalid or expired verification token",
+      };
+    }
+    // Find the matching token by verifying the hash
+    let matching_token = null;
+    let user_id: string | null = null;
+    for (const stored_token of all_tokens) {
+      try {
+        const token_hash = (stored_token as { token_hash: string }).token_hash;
+        const is_valid = await argon2.verify(token_hash, token);
+        if (is_valid) {
+          matching_token = stored_token;
+          user_id = (stored_token as { user_id: string }).user_id;
+          break;
+        }
+      } catch {
+        // Continue to next token if verification fails
+        continue;
+      }
+    }
+    if (!matching_token || !user_id) {
+      return {
+        success: false,
+        error: "Invalid or expired verification token",
+      };
+    }
+    // Check if token has expired
+    const expires_at = new Date((matching_token as { expires_at: string }).expires_at);
+    const now = new Date();
+    if (expires_at < now) {
+      // Delete expired token
+      await tokens_service.deleteById((matching_token as { id: string }).id);
+      return {
+        success: false,
+        error: "Verification token has expired",
+      };
+    }
+    // Get user email before updating
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+    const user = users[0];
+    const email = user.email_address as string;
+    // Update user's email_verified status
+    const now_iso = new Date().toISOString();
+    await users_service.updateById(
+      user_id,
+      {
+        email_verified: true,
+        changed_at: now_iso,
+      },
+    );
+    // Delete the used token
+    await tokens_service.deleteById((matching_token as { id: string }).id);
+    return {
+      success: true,
+      user_id,
+      email,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+/**
+ * Resends an email verification token for a user
+ * Creates a new email verification token and stores it in hazo_refresh_tokens
+ * Invalidates any existing email verification tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Resend verification data (email)
+ * @returns Resend verification result with success status or error
+ */
+export async function resend_verification_email(
+  adapter: HazoConnectAdapter,
+  data: ResendVerificationData,
+): Promise<ResendVerificationResult> {
+  try {
+    const { email } = data;
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+    // Find user by email
+    const users = await users_service.findBy({
+      email_address: email,
+    });
+    // If user not found, return success anyway (to prevent email enumeration)
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: true,
+      };
+    }
+    const user = users[0];
+    const user_id = user.id as string;
+    // Check if email is already verified
+    if (user.email_verified === true) {
+      return {
+        success: true,
+      };
+    }
+    // Create email verification token using shared token service
+    const token_result = await create_token({
+      adapter,
+      user_id,
+      token_type: "email_verification",
+    });
+    if (!token_result.success) {
+      return {
+        success: false,
+        error: token_result.error || "Failed to create email verification token",
+      };
+    }
+    // Send verification email if token was created successfully
+    if (token_result.raw_token) {
+      const email_result = await send_template_email("email_verification", email, {
+        token: token_result.raw_token,
+        user_email: email,
+        user_name: user.name as string | undefined,
+      });
+      if (!email_result.success) {
+        const logger = create_app_logger();
+        logger.error("email_verification_service_email_send_failed", {
+          filename: "email_verification_service.ts",
+          line_number: 0,
+          user_id,
+          email,
+          error: email_result.error,
+          note: "Verification token created but email failed to send",
+        });
+        // Return error if email sending failed (this is a technical error, not a security issue)
+        return {
+          success: false,
+          error: email_result.error || "Failed to send verification email",
+        };
+      }
+    }
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}

package/cli-src/lib/services/index.ts ADDED Viewed

@@ -0,0 +1,16 @@
+// file_description: barrel export for all services
+// section: service_exports
+export * from "./email_service";
+export * from "./email_verification_service";
+export * from "./login_service";
+export * from "./password_change_service";
+export * from "./password_reset_service";
+export * from "./profile_picture_remove_service";
+export * from "./profile_picture_service";
+export * from "./profile_picture_source_mapper";
+export * from "./registration_service";
+export * from "./token_service";
+export * from "./user_profiles_service";
+export * from "./user_update_service";

package/cli-src/lib/services/login_service.ts ADDED Viewed

@@ -0,0 +1,150 @@
+// file_description: service for user login operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { create_app_logger } from "../app_logger.js";
+import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
+import { get_filename, get_line_number } from "../utils/api_route_helpers.js";
+// section: types
+export type LoginData = {
+  email: string;
+  password: string;
+};
+export type LoginResult = {
+  success: boolean;
+  user_id?: string;
+  error?: string;
+  email_not_verified?: boolean;
+  stored_url_on_logon?: string | null;
+};
+// section: helpers
+/**
+ * Authenticates a user by verifying email and password against hazo_users table
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Login data (email, password)
+ * @returns Login result with success status and user_id or error
+ */
+export async function authenticate_user(
+  adapter: HazoConnectAdapter,
+  data: LoginData,
+): Promise<LoginResult> {
+  try {
+    const { email, password } = data;
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+    // Find user by email
+    const users = await users_service.findBy({
+      email_address: email,
+    });
+    // Check if user exists
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "Invalid email or password",
+      };
+    }
+    const user = users[0];
+    // Check if user is active
+    if (user.is_active === false) {
+      return {
+        success: false,
+        error: "Account is inactive. Please contact support.",
+      };
+    }
+    // Check if user has a password set (Google-only users have empty password_hash)
+    const password_hash = user.password_hash as string;
+    if (!password_hash || password_hash === "") {
+      // Check if user has Google linked
+      const auth_providers = (user.auth_providers as string) || "";
+      if (auth_providers.includes("google")) {
+        return {
+          success: false,
+          error: "This account uses Google Sign-In. Please log in with Google instead.",
+        };
+      }
+      return {
+        success: false,
+        error: "Invalid email or password",
+      };
+    }
+    // Verify password using argon2
+    const is_password_valid = await argon2.verify(password_hash, password);
+    if (!is_password_valid) {
+      // Increment login attempts on failed password
+      const current_attempts = (user.login_attempts as number) || 0;
+      const now = new Date().toISOString();
+      await users_service.updateById(
+        user.id,
+        {
+          login_attempts: current_attempts + 1,
+          changed_at: now,
+        }
+      );
+      return {
+        success: false,
+        error: "Invalid email or password",
+      };
+    }
+    // Check if email is verified
+    const email_verified = user.email_verified as boolean;
+    if (!email_verified) {
+      return {
+        success: false,
+        error: "Email address not verified. Please verify your email before logging in.",
+        email_not_verified: true,
+      };
+    }
+    // Password is valid and email is verified - update last_logon and reset login_attempts
+    const now = new Date().toISOString();
+    await users_service.updateById(
+      user.id,
+      {
+        last_logon: now,
+        login_attempts: 0,
+        changed_at: now,
+        url_on_logon: null, // Clear the stored redirect URL after successful login
+      }
+    );
+    return {
+      success: true,
+      user_id: user.id as string,
+      stored_url_on_logon: user.url_on_logon as string | null | undefined,
+    };
+  } catch (error) {
+    const logger = create_app_logger();
+    const user_friendly_error = sanitize_error_for_user(error, {
+      logToConsole: true,
+      logToLogger: true,
+      logger,
+      context: {
+        filename: "login_service.ts",
+        line_number: get_line_number(),
+        email: data.email,
+        operation: "authenticate_user",
+      },
+    });
+    return {
+      success: false,
+      error: user_friendly_error,
+    };
+  }
+}