npm - hazo_auth - Versions diffs - 4.2.0 → 4.4.0 - Mend

hazo_auth 4.2.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/bin/hazo_auth.mjs +35 -0
package/cli-src/assets/images/forgot_password_default.jpg +0 -0
package/cli-src/assets/images/login_default.jpg +0 -0
package/cli-src/assets/images/register_default.jpg +0 -0
package/cli-src/assets/images/reset_password_default.jpg +0 -0
package/cli-src/assets/images/verify_email_default.jpg +0 -0
package/cli-src/cli/generate.ts +276 -0
package/cli-src/cli/index.ts +207 -0
package/cli-src/cli/init.ts +254 -0
package/cli-src/cli/init_users.ts +376 -0
package/cli-src/cli/validate.ts +581 -0
package/cli-src/lib/already_logged_in_config.server.ts +46 -0
package/cli-src/lib/app_logger.ts +24 -0
package/cli-src/lib/auth/auth_cache.ts +220 -0
package/cli-src/lib/auth/auth_rate_limiter.ts +121 -0
package/cli-src/lib/auth/auth_types.ts +117 -0
package/cli-src/lib/auth/auth_utils.server.ts +196 -0
package/cli-src/lib/auth/dev_lock_validator.edge.ts +171 -0
package/cli-src/lib/auth/hazo_get_auth.server.ts +583 -0
package/cli-src/lib/auth/index.ts +23 -0
package/cli-src/lib/auth/nextauth_config.ts +227 -0
package/cli-src/lib/auth/org_cache.ts +148 -0
package/cli-src/lib/auth/scope_cache.ts +233 -0
package/cli-src/lib/auth/server_auth.ts +88 -0
package/cli-src/lib/auth/session_token_validator.edge.ts +92 -0
package/cli-src/lib/auth_utility_config.server.ts +136 -0
package/cli-src/lib/config/config_loader.server.ts +164 -0
package/cli-src/lib/config/default_config.ts +243 -0
package/cli-src/lib/dev_lock_config.server.ts +148 -0
package/cli-src/lib/email_verification_config.server.ts +63 -0
package/cli-src/lib/file_types_config.server.ts +25 -0
package/cli-src/lib/forgot_password_config.server.ts +63 -0
package/cli-src/lib/hazo_connect_instance.server.ts +101 -0
package/cli-src/lib/hazo_connect_setup.server.ts +194 -0
package/cli-src/lib/hazo_connect_setup.ts +54 -0
package/cli-src/lib/index.ts +46 -0
package/cli-src/lib/login_config.server.ts +106 -0
package/cli-src/lib/messages_config.server.ts +45 -0
package/cli-src/lib/migrations/apply_migration.ts +105 -0
package/cli-src/lib/multi_tenancy_config.server.ts +94 -0
package/cli-src/lib/my_settings_config.server.ts +135 -0
package/cli-src/lib/oauth_config.server.ts +87 -0
package/cli-src/lib/password_requirements_config.server.ts +40 -0
package/cli-src/lib/profile_pic_menu_config.server.ts +138 -0
package/cli-src/lib/profile_picture_config.server.ts +56 -0
package/cli-src/lib/register_config.server.ts +101 -0
package/cli-src/lib/reset_password_config.server.ts +103 -0
package/cli-src/lib/scope_hierarchy_config.server.ts +151 -0
package/cli-src/lib/services/email_service.ts +587 -0
package/cli-src/lib/services/email_verification_service.ts +270 -0
package/cli-src/lib/services/index.ts +16 -0
package/cli-src/lib/services/login_service.ts +150 -0
package/cli-src/lib/services/oauth_service.ts +494 -0
package/cli-src/lib/services/org_service.ts +965 -0
package/cli-src/lib/services/password_change_service.ts +154 -0
package/cli-src/lib/services/password_reset_service.ts +418 -0
package/cli-src/lib/services/profile_picture_remove_service.ts +120 -0
package/cli-src/lib/services/profile_picture_service.ts +451 -0
package/cli-src/lib/services/profile_picture_source_mapper.ts +62 -0
package/cli-src/lib/services/registration_service.ts +185 -0
package/cli-src/lib/services/scope_labels_service.ts +348 -0
package/cli-src/lib/services/scope_service.ts +778 -0
package/cli-src/lib/services/session_token_service.ts +178 -0
package/cli-src/lib/services/token_service.ts +240 -0
package/cli-src/lib/services/user_profiles_cache.ts +189 -0
package/cli-src/lib/services/user_profiles_service.ts +264 -0
package/cli-src/lib/services/user_scope_service.ts +554 -0
package/cli-src/lib/services/user_update_service.ts +141 -0
package/cli-src/lib/ui_shell_config.server.ts +73 -0
package/cli-src/lib/ui_sizes_config.server.ts +37 -0
package/cli-src/lib/user_fields_config.server.ts +31 -0
package/cli-src/lib/user_management_config.server.ts +39 -0
package/cli-src/lib/user_profiles_config.server.ts +55 -0
package/cli-src/lib/utils/api_route_helpers.ts +60 -0
package/cli-src/lib/utils/error_sanitizer.ts +75 -0
package/cli-src/lib/utils/password_validator.ts +65 -0
package/cli-src/lib/utils.ts +11 -0
package/cli-src/server/logging/logger_service.ts +56 -0
package/cli-src/server/types/app_types.ts +74 -0
package/cli-src/server/types/express.d.ts +16 -0
package/dist/cli/index.js +18 -0
package/dist/cli/init_users.d.ts +17 -0
package/dist/cli/init_users.d.ts.map +1 -0
package/dist/cli/init_users.js +307 -0
package/dist/components/layouts/dev_lock/index.d.ts +29 -0
package/dist/components/layouts/dev_lock/index.d.ts.map +1 -0
package/dist/components/layouts/dev_lock/index.js +60 -0
package/dist/components/layouts/index.d.ts +2 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +1 -0
package/dist/components/layouts/org_management/index.d.ts +26 -0
package/dist/components/layouts/org_management/index.d.ts.map +1 -0
package/dist/components/layouts/org_management/index.js +75 -0
package/dist/components/layouts/shared/config/layout_customization.d.ts +2 -7
package/dist/components/layouts/shared/config/layout_customization.d.ts.map +1 -1
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts +13 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts.map +1 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.js +276 -0
package/dist/components/layouts/user_management/index.d.ts +3 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +10 -4
package/dist/lib/auth/auth_types.d.ts +6 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/dev_lock_validator.edge.d.ts +38 -0
package/dist/lib/auth/dev_lock_validator.edge.d.ts.map +1 -0
package/dist/lib/auth/dev_lock_validator.edge.js +122 -0
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +61 -1
package/dist/lib/auth/org_cache.d.ts +65 -0
package/dist/lib/auth/org_cache.d.ts.map +1 -0
package/dist/lib/auth/org_cache.js +103 -0
package/dist/lib/config/default_config.d.ts +76 -0
package/dist/lib/config/default_config.d.ts.map +1 -1
package/dist/lib/config/default_config.js +42 -0
package/dist/lib/dev_lock_config.server.d.ts +41 -0
package/dist/lib/dev_lock_config.server.d.ts.map +1 -0
package/dist/lib/dev_lock_config.server.js +50 -0
package/dist/lib/multi_tenancy_config.server.d.ts +30 -0
package/dist/lib/multi_tenancy_config.server.d.ts.map +1 -0
package/dist/lib/multi_tenancy_config.server.js +41 -0
package/dist/lib/services/org_service.d.ts +191 -0
package/dist/lib/services/org_service.d.ts.map +1 -0
package/dist/lib/services/org_service.js +746 -0
package/dist/lib/utils/password_validator.d.ts +7 -1
package/dist/lib/utils/password_validator.d.ts.map +1 -1
package/dist/page_components/dev_lock.d.ts +11 -0
package/dist/page_components/dev_lock.d.ts.map +1 -0
package/dist/page_components/dev_lock.js +17 -0
package/dist/page_components/index.d.ts +1 -0
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +1 -0
package/dist/page_components/org_management.d.ts +27 -0
package/dist/page_components/org_management.d.ts.map +1 -0
package/dist/page_components/org_management.js +18 -0
package/hazo_auth_config.example.ini +30 -0
package/package.json +27 -3

package/cli-src/lib/auth/dev_lock_validator.edge.ts ADDED Viewed

@@ -0,0 +1,171 @@
+// file_description: Edge-compatible dev lock cookie validator for Next.js middleware
+// Uses Web Crypto API which works in Edge Runtime (no Node.js crypto module)
+// section: imports
+import type { NextRequest } from "next/server";
+// section: constants
+const COOKIE_NAME = "hazo_auth_dev_lock";
+const SEPARATOR = "|";
+// section: types
+export type DevLockValidationResult = {
+  valid: boolean;
+  expired?: boolean;
+};
+export type DevLockCookieData = {
+  value: string;
+  max_age: number;
+};
+// section: helpers
+/**
+ * Creates HMAC-SHA256 signature using Web Crypto API (Edge compatible)
+ * @param data - Data to sign
+ * @param secret - Secret key for signing
+ * @returns Hex string signature
+ */
+async function create_signature(data: string, secret: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const key_data = encoder.encode(secret);
+  const message_data = encoder.encode(data);
+  const crypto_key = await crypto.subtle.importKey(
+    "raw",
+    key_data,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", crypto_key, message_data);
+  // Convert ArrayBuffer to hex string
+  return Array.from(new Uint8Array(signature))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+/**
+ * Performs constant-time comparison of two strings
+ * Prevents timing attacks
+ * @param a - First string
+ * @param b - Second string
+ * @returns true if strings are equal
+ */
+function constant_time_compare(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+// section: main_functions
+/**
+ * Creates a signed dev lock cookie value
+ * Cookie format: timestamp|expiry_timestamp|signature
+ * @param password - The dev lock password (used as signing key)
+ * @param expiry_days - Number of days until cookie expires (default: 7)
+ * @returns Cookie value and max_age in seconds
+ */
+export async function create_dev_lock_cookie(
+  password: string,
+  expiry_days: number = 7
+): Promise<DevLockCookieData> {
+  const timestamp = Date.now();
+  const expiry_timestamp = timestamp + expiry_days * 24 * 60 * 60 * 1000;
+  const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+  const signature = await create_signature(data, password);
+  return {
+    value: `${data}${SEPARATOR}${signature}`,
+    max_age: expiry_days * 24 * 60 * 60, // in seconds
+  };
+}
+/**
+ * Validates dev lock cookie from request (Edge-compatible)
+ * Checks signature validity and expiration
+ * @param request - NextRequest object
+ * @returns Validation result with valid flag and optional expired flag
+ */
+export async function validate_dev_lock_cookie(
+  request: NextRequest
+): Promise<DevLockValidationResult> {
+  const password = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+  if (!password) {
+    // No password set - cannot validate
+    return { valid: false };
+  }
+  const cookie = request.cookies.get(COOKIE_NAME)?.value;
+  if (!cookie) {
+    return { valid: false };
+  }
+  try {
+    const parts = cookie.split(SEPARATOR);
+    if (parts.length !== 3) {
+      return { valid: false };
+    }
+    const [timestamp_str, expiry_str, signature] = parts;
+    const timestamp = parseInt(timestamp_str, 10);
+    const expiry_timestamp = parseInt(expiry_str, 10);
+    if (isNaN(timestamp) || isNaN(expiry_timestamp)) {
+      return { valid: false };
+    }
+    // Check expiry
+    if (Date.now() > expiry_timestamp) {
+      return { valid: false, expired: true };
+    }
+    // Verify signature
+    const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+    const expected_signature = await create_signature(data, password);
+    // Constant-time comparison to prevent timing attacks
+    if (!constant_time_compare(signature, expected_signature)) {
+      return { valid: false };
+    }
+    return { valid: true };
+  } catch {
+    return { valid: false };
+  }
+}
+/**
+ * Validates password against environment variable (for unlock endpoint)
+ * Uses constant-time comparison to prevent timing attacks
+ * @param password - Password to validate
+ * @returns true if password matches
+ */
+export function validate_dev_lock_password(password: string): boolean {
+  const expected = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+  if (!expected || !password) {
+    return false;
+  }
+  return constant_time_compare(password, expected);
+}
+/**
+ * Gets the dev lock cookie name
+ * Exported for use in API routes when setting the cookie
+ * @returns Cookie name string
+ */
+export function get_dev_lock_cookie_name(): string {
+  return COOKIE_NAME;
+}