npm - hazo_auth - Versions diffs - 4.2.0 → 4.4.0 - Mend

hazo_auth 4.2.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/bin/hazo_auth.mjs +35 -0
package/cli-src/assets/images/forgot_password_default.jpg +0 -0
package/cli-src/assets/images/login_default.jpg +0 -0
package/cli-src/assets/images/register_default.jpg +0 -0
package/cli-src/assets/images/reset_password_default.jpg +0 -0
package/cli-src/assets/images/verify_email_default.jpg +0 -0
package/cli-src/cli/generate.ts +276 -0
package/cli-src/cli/index.ts +207 -0
package/cli-src/cli/init.ts +254 -0
package/cli-src/cli/init_users.ts +376 -0
package/cli-src/cli/validate.ts +581 -0
package/cli-src/lib/already_logged_in_config.server.ts +46 -0
package/cli-src/lib/app_logger.ts +24 -0
package/cli-src/lib/auth/auth_cache.ts +220 -0
package/cli-src/lib/auth/auth_rate_limiter.ts +121 -0
package/cli-src/lib/auth/auth_types.ts +117 -0
package/cli-src/lib/auth/auth_utils.server.ts +196 -0
package/cli-src/lib/auth/dev_lock_validator.edge.ts +171 -0
package/cli-src/lib/auth/hazo_get_auth.server.ts +583 -0
package/cli-src/lib/auth/index.ts +23 -0
package/cli-src/lib/auth/nextauth_config.ts +227 -0
package/cli-src/lib/auth/org_cache.ts +148 -0
package/cli-src/lib/auth/scope_cache.ts +233 -0
package/cli-src/lib/auth/server_auth.ts +88 -0
package/cli-src/lib/auth/session_token_validator.edge.ts +92 -0
package/cli-src/lib/auth_utility_config.server.ts +136 -0
package/cli-src/lib/config/config_loader.server.ts +164 -0
package/cli-src/lib/config/default_config.ts +243 -0
package/cli-src/lib/dev_lock_config.server.ts +148 -0
package/cli-src/lib/email_verification_config.server.ts +63 -0
package/cli-src/lib/file_types_config.server.ts +25 -0
package/cli-src/lib/forgot_password_config.server.ts +63 -0
package/cli-src/lib/hazo_connect_instance.server.ts +101 -0
package/cli-src/lib/hazo_connect_setup.server.ts +194 -0
package/cli-src/lib/hazo_connect_setup.ts +54 -0
package/cli-src/lib/index.ts +46 -0
package/cli-src/lib/login_config.server.ts +106 -0
package/cli-src/lib/messages_config.server.ts +45 -0
package/cli-src/lib/migrations/apply_migration.ts +105 -0
package/cli-src/lib/multi_tenancy_config.server.ts +94 -0
package/cli-src/lib/my_settings_config.server.ts +135 -0
package/cli-src/lib/oauth_config.server.ts +87 -0
package/cli-src/lib/password_requirements_config.server.ts +40 -0
package/cli-src/lib/profile_pic_menu_config.server.ts +138 -0
package/cli-src/lib/profile_picture_config.server.ts +56 -0
package/cli-src/lib/register_config.server.ts +101 -0
package/cli-src/lib/reset_password_config.server.ts +103 -0
package/cli-src/lib/scope_hierarchy_config.server.ts +151 -0
package/cli-src/lib/services/email_service.ts +587 -0
package/cli-src/lib/services/email_verification_service.ts +270 -0
package/cli-src/lib/services/index.ts +16 -0
package/cli-src/lib/services/login_service.ts +150 -0
package/cli-src/lib/services/oauth_service.ts +494 -0
package/cli-src/lib/services/org_service.ts +965 -0
package/cli-src/lib/services/password_change_service.ts +154 -0
package/cli-src/lib/services/password_reset_service.ts +418 -0
package/cli-src/lib/services/profile_picture_remove_service.ts +120 -0
package/cli-src/lib/services/profile_picture_service.ts +451 -0
package/cli-src/lib/services/profile_picture_source_mapper.ts +62 -0
package/cli-src/lib/services/registration_service.ts +185 -0
package/cli-src/lib/services/scope_labels_service.ts +348 -0
package/cli-src/lib/services/scope_service.ts +778 -0
package/cli-src/lib/services/session_token_service.ts +178 -0
package/cli-src/lib/services/token_service.ts +240 -0
package/cli-src/lib/services/user_profiles_cache.ts +189 -0
package/cli-src/lib/services/user_profiles_service.ts +264 -0
package/cli-src/lib/services/user_scope_service.ts +554 -0
package/cli-src/lib/services/user_update_service.ts +141 -0
package/cli-src/lib/ui_shell_config.server.ts +73 -0
package/cli-src/lib/ui_sizes_config.server.ts +37 -0
package/cli-src/lib/user_fields_config.server.ts +31 -0
package/cli-src/lib/user_management_config.server.ts +39 -0
package/cli-src/lib/user_profiles_config.server.ts +55 -0
package/cli-src/lib/utils/api_route_helpers.ts +60 -0
package/cli-src/lib/utils/error_sanitizer.ts +75 -0
package/cli-src/lib/utils/password_validator.ts +65 -0
package/cli-src/lib/utils.ts +11 -0
package/cli-src/server/logging/logger_service.ts +56 -0
package/cli-src/server/types/app_types.ts +74 -0
package/cli-src/server/types/express.d.ts +16 -0
package/dist/cli/index.js +18 -0
package/dist/cli/init_users.d.ts +17 -0
package/dist/cli/init_users.d.ts.map +1 -0
package/dist/cli/init_users.js +307 -0
package/dist/components/layouts/dev_lock/index.d.ts +29 -0
package/dist/components/layouts/dev_lock/index.d.ts.map +1 -0
package/dist/components/layouts/dev_lock/index.js +60 -0
package/dist/components/layouts/index.d.ts +2 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +1 -0
package/dist/components/layouts/org_management/index.d.ts +26 -0
package/dist/components/layouts/org_management/index.d.ts.map +1 -0
package/dist/components/layouts/org_management/index.js +75 -0
package/dist/components/layouts/shared/config/layout_customization.d.ts +2 -7
package/dist/components/layouts/shared/config/layout_customization.d.ts.map +1 -1
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts +13 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts.map +1 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.js +276 -0
package/dist/components/layouts/user_management/index.d.ts +3 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +10 -4
package/dist/lib/auth/auth_types.d.ts +6 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/dev_lock_validator.edge.d.ts +38 -0
package/dist/lib/auth/dev_lock_validator.edge.d.ts.map +1 -0
package/dist/lib/auth/dev_lock_validator.edge.js +122 -0
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +61 -1
package/dist/lib/auth/org_cache.d.ts +65 -0
package/dist/lib/auth/org_cache.d.ts.map +1 -0
package/dist/lib/auth/org_cache.js +103 -0
package/dist/lib/config/default_config.d.ts +76 -0
package/dist/lib/config/default_config.d.ts.map +1 -1
package/dist/lib/config/default_config.js +42 -0
package/dist/lib/dev_lock_config.server.d.ts +41 -0
package/dist/lib/dev_lock_config.server.d.ts.map +1 -0
package/dist/lib/dev_lock_config.server.js +50 -0
package/dist/lib/multi_tenancy_config.server.d.ts +30 -0
package/dist/lib/multi_tenancy_config.server.d.ts.map +1 -0
package/dist/lib/multi_tenancy_config.server.js +41 -0
package/dist/lib/services/org_service.d.ts +191 -0
package/dist/lib/services/org_service.d.ts.map +1 -0
package/dist/lib/services/org_service.js +746 -0
package/dist/lib/utils/password_validator.d.ts +7 -1
package/dist/lib/utils/password_validator.d.ts.map +1 -1
package/dist/page_components/dev_lock.d.ts +11 -0
package/dist/page_components/dev_lock.d.ts.map +1 -0
package/dist/page_components/dev_lock.js +17 -0
package/dist/page_components/index.d.ts +1 -0
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +1 -0
package/dist/page_components/org_management.d.ts +27 -0
package/dist/page_components/org_management.d.ts.map +1 -0
package/dist/page_components/org_management.js +18 -0
package/hazo_auth_config.example.ini +30 -0
package/package.json +27 -3

package/cli-src/lib/services/oauth_service.ts ADDED Viewed

@@ -0,0 +1,494 @@
+// file_description: service for OAuth authentication operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import { randomUUID } from "crypto";
+import { create_app_logger } from "../app_logger.js";
+import { sanitize_error_for_user } from "../utils/error_sanitizer.js";
+import { get_line_number } from "../utils/api_route_helpers.js";
+import { get_oauth_config } from "../oauth_config.server.js";
+// section: types
+export type GoogleOAuthData = {
+  /** Google's unique user ID (sub claim from JWT) */
+  google_id: string;
+  /** User's email address from Google */
+  email: string;
+  /** User's full name from Google profile */
+  name?: string;
+  /** User's profile picture URL from Google */
+  profile_picture_url?: string;
+  /** Whether Google has verified this email */
+  email_verified: boolean;
+};
+export type OAuthLoginResult = {
+  success: boolean;
+  user_id?: string;
+  /** True if this was a newly created account */
+  is_new_user?: boolean;
+  /** True if Google was linked to an existing account */
+  was_linked?: boolean;
+  /** The user's email address */
+  email?: string;
+  /** The user's name */
+  name?: string;
+  error?: string;
+};
+export type LinkGoogleResult = {
+  success: boolean;
+  error?: string;
+};
+export type AuthProvidersResult = {
+  success: boolean;
+  auth_providers?: string[];
+  has_password?: boolean;
+  error?: string;
+};
+// section: helpers
+/**
+ * Handles Google OAuth login/registration flow
+ * 1. Check if user exists with google_id -> login
+ * 2. Check if user exists with email -> link Google account
+ * 3. Create new user with Google data
+ *
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Google OAuth user data
+ * @returns OAuth login result with user_id and status flags
+ */
+export async function handle_google_oauth_login(
+  adapter: HazoConnectAdapter,
+  data: GoogleOAuthData
+): Promise<OAuthLoginResult> {
+  const logger = create_app_logger();
+  try {
+    const { google_id, email, name, profile_picture_url, email_verified } = data;
+    const oauth_config = get_oauth_config();
+    const users_service = createCrudService(adapter, "hazo_users");
+    const now = new Date().toISOString();
+    // Step 1: Check if user exists with this google_id
+    const users_by_google_id = await users_service.findBy({ google_id });
+    if (Array.isArray(users_by_google_id) && users_by_google_id.length > 0) {
+      const user = users_by_google_id[0];
+      // Update last_logon timestamp
+      await users_service.updateById(user.id, {
+        last_logon: now,
+        changed_at: now,
+      });
+      logger.info("oauth_service_google_login_existing_google_user", {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        user_id: user.id,
+        email: user.email_address,
+      });
+      return {
+        success: true,
+        user_id: user.id as string,
+        is_new_user: false,
+        was_linked: false,
+        email: user.email_address as string,
+        name: user.name as string | undefined,
+      };
+    }
+    // Step 2: Check if user exists with this email
+    const users_by_email = await users_service.findBy({ email_address: email });
+    if (Array.isArray(users_by_email) && users_by_email.length > 0) {
+      const user = users_by_email[0];
+      const user_email_verified = user.email_verified as boolean;
+      // Check if auto-linking is enabled for unverified accounts
+      if (!user_email_verified && !oauth_config.auto_link_unverified_accounts) {
+        return {
+          success: false,
+          error: "An account with this email exists but is not verified. Please verify your email first.",
+        };
+      }
+      // Link Google account to existing user
+      const current_auth_providers = (user.auth_providers as string) || "email";
+      const new_auth_providers = current_auth_providers.includes("google")
+        ? current_auth_providers
+        : `${current_auth_providers},google`;
+      const update_data: Record<string, unknown> = {
+        google_id,
+        auth_providers: new_auth_providers,
+        last_logon: now,
+        changed_at: now,
+      };
+      // If user was unverified and Google verified the email, mark as verified
+      if (!user_email_verified && email_verified) {
+        update_data.email_verified = true;
+        logger.info("oauth_service_auto_verified_email", {
+          filename: "oauth_service.ts",
+          line_number: get_line_number(),
+          user_id: user.id,
+          email,
+        });
+      }
+      // Update name if not set and Google provides one
+      if (!user.name && name) {
+        update_data.name = name;
+      }
+      // Update profile picture if not set and Google provides one
+      if (!user.profile_picture_url && profile_picture_url) {
+        update_data.profile_picture_url = profile_picture_url;
+        update_data.profile_source = "custom"; // Use 'custom' for external URLs (Google profile pics)
+      }
+      await users_service.updateById(user.id, update_data);
+      logger.info("oauth_service_google_linked_to_existing", {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        user_id: user.id,
+        email,
+        was_unverified: !user_email_verified,
+      });
+      return {
+        success: true,
+        user_id: user.id as string,
+        is_new_user: false,
+        was_linked: true,
+        email: user.email_address as string,
+        name: (update_data.name as string) || (user.name as string | undefined),
+      };
+    }
+    // Step 3: Create new user with Google data
+    const user_id = randomUUID();
+    const insert_data: Record<string, unknown> = {
+      id: user_id,
+      email_address: email,
+      password_hash: "", // Empty string for Google-only users
+      email_verified: email_verified, // Trust Google's verification
+      is_active: true,
+      login_attempts: 0,
+      google_id,
+      auth_providers: "google",
+      created_at: now,
+      changed_at: now,
+      last_logon: now,
+    };
+    if (name) {
+      insert_data.name = name;
+    }
+    if (profile_picture_url) {
+      insert_data.profile_picture_url = profile_picture_url;
+      insert_data.profile_source = "custom"; // Use 'custom' for external URLs (Google profile pics)
+    }
+    const inserted_users = await users_service.insert(insert_data);
+    if (!Array.isArray(inserted_users) || inserted_users.length === 0) {
+      return {
+        success: false,
+        error: "Failed to create user account",
+      };
+    }
+    logger.info("oauth_service_google_new_user_created", {
+      filename: "oauth_service.ts",
+      line_number: get_line_number(),
+      user_id,
+      email,
+    });
+    return {
+      success: true,
+      user_id,
+      is_new_user: true,
+      was_linked: false,
+      email,
+      name,
+    };
+  } catch (error) {
+    const user_friendly_error = sanitize_error_for_user(error, {
+      logToConsole: true,
+      logToLogger: true,
+      logger,
+      context: {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        email: data.email,
+        operation: "handle_google_oauth_login",
+      },
+    });
+    return {
+      success: false,
+      error: user_friendly_error,
+    };
+  }
+}
+/**
+ * Links a Google account to an existing user
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @param google_id - Google's unique user ID
+ * @returns Result indicating success or failure
+ */
+export async function link_google_account(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+  google_id: string
+): Promise<LinkGoogleResult> {
+  const logger = create_app_logger();
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const now = new Date().toISOString();
+    // Get current user
+    const users = await users_service.findBy({ id: user_id });
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+    const user = users[0];
+    // Check if Google is already linked
+    if (user.google_id) {
+      return {
+        success: false,
+        error: "Google account is already linked",
+      };
+    }
+    // Update auth_providers
+    const current_auth_providers = (user.auth_providers as string) || "email";
+    const new_auth_providers = current_auth_providers.includes("google")
+      ? current_auth_providers
+      : `${current_auth_providers},google`;
+    await users_service.updateById(user_id, {
+      google_id,
+      auth_providers: new_auth_providers,
+      changed_at: now,
+    });
+    logger.info("oauth_service_google_account_linked", {
+      filename: "oauth_service.ts",
+      line_number: get_line_number(),
+      user_id,
+    });
+    return { success: true };
+  } catch (error) {
+    const user_friendly_error = sanitize_error_for_user(error, {
+      logToConsole: true,
+      logToLogger: true,
+      logger,
+      context: {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        user_id,
+        operation: "link_google_account",
+      },
+    });
+    return {
+      success: false,
+      error: user_friendly_error,
+    };
+  }
+}
+/**
+ * Checks if a user has a password set (non-empty password_hash)
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @returns True if user has a password set
+ */
+export async function user_has_password(
+  adapter: HazoConnectAdapter,
+  user_id: string
+): Promise<boolean> {
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({ id: user_id });
+    if (!Array.isArray(users) || users.length === 0) {
+      return false;
+    }
+    const password_hash = users[0].password_hash as string;
+    return password_hash !== null && password_hash !== undefined && password_hash !== "";
+  } catch {
+    return false;
+  }
+}
+/**
+ * Checks if a user has a password set by email
+ * @param adapter - The hazo_connect adapter instance
+ * @param email - The user's email address
+ * @returns True if user has a password set
+ */
+export async function user_has_password_by_email(
+  adapter: HazoConnectAdapter,
+  email: string
+): Promise<boolean> {
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({ email_address: email });
+    if (!Array.isArray(users) || users.length === 0) {
+      return false;
+    }
+    const password_hash = users[0].password_hash as string;
+    return password_hash !== null && password_hash !== undefined && password_hash !== "";
+  } catch {
+    return false;
+  }
+}
+/**
+ * Gets a user's authentication providers and password status
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @returns Auth providers array and has_password flag
+ */
+export async function get_user_auth_providers(
+  adapter: HazoConnectAdapter,
+  user_id: string
+): Promise<AuthProvidersResult> {
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({ id: user_id });
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+    const user = users[0];
+    const auth_providers_str = (user.auth_providers as string) || "email";
+    const auth_providers = auth_providers_str.split(",").map((p) => p.trim());
+    const password_hash = user.password_hash as string;
+    const has_password = password_hash !== null && password_hash !== undefined && password_hash !== "";
+    return {
+      success: true,
+      auth_providers,
+      has_password,
+    };
+  } catch (error) {
+    const logger = create_app_logger();
+    const user_friendly_error = sanitize_error_for_user(error, {
+      logToConsole: true,
+      logToLogger: true,
+      logger,
+      context: {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        user_id,
+        operation: "get_user_auth_providers",
+      },
+    });
+    return {
+      success: false,
+      error: user_friendly_error,
+    };
+  }
+}
+/**
+ * Sets a password for a user who doesn't have one (e.g., Google-only users)
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user's ID
+ * @param password_hash - The hashed password to set
+ * @returns Result indicating success or failure
+ */
+export async function set_user_password(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+  password_hash: string
+): Promise<{ success: boolean; error?: string }> {
+  const logger = create_app_logger();
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const now = new Date().toISOString();
+    // Get current user
+    const users = await users_service.findBy({ id: user_id });
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+    const user = users[0];
+    // Update password and auth_providers
+    const current_auth_providers = (user.auth_providers as string) || "";
+    const new_auth_providers = current_auth_providers.includes("email")
+      ? current_auth_providers
+      : current_auth_providers
+        ? `${current_auth_providers},email`
+        : "email";
+    await users_service.updateById(user_id, {
+      password_hash,
+      auth_providers: new_auth_providers,
+      changed_at: now,
+    });
+    logger.info("oauth_service_password_set", {
+      filename: "oauth_service.ts",
+      line_number: get_line_number(),
+      user_id,
+    });
+    return { success: true };
+  } catch (error) {
+    const user_friendly_error = sanitize_error_for_user(error, {
+      logToConsole: true,
+      logToLogger: true,
+      logger,
+      context: {
+        filename: "oauth_service.ts",
+        line_number: get_line_number(),
+        user_id,
+        operation: "set_user_password",
+      },
+    });
+    return {
+      success: false,
+      error: user_friendly_error,
+    };
+  }
+}