npm - hazo_auth - Versions diffs - 4.2.0 → 4.4.0 - Mend

hazo_auth 4.2.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/bin/hazo_auth.mjs +35 -0
package/cli-src/assets/images/forgot_password_default.jpg +0 -0
package/cli-src/assets/images/login_default.jpg +0 -0
package/cli-src/assets/images/register_default.jpg +0 -0
package/cli-src/assets/images/reset_password_default.jpg +0 -0
package/cli-src/assets/images/verify_email_default.jpg +0 -0
package/cli-src/cli/generate.ts +276 -0
package/cli-src/cli/index.ts +207 -0
package/cli-src/cli/init.ts +254 -0
package/cli-src/cli/init_users.ts +376 -0
package/cli-src/cli/validate.ts +581 -0
package/cli-src/lib/already_logged_in_config.server.ts +46 -0
package/cli-src/lib/app_logger.ts +24 -0
package/cli-src/lib/auth/auth_cache.ts +220 -0
package/cli-src/lib/auth/auth_rate_limiter.ts +121 -0
package/cli-src/lib/auth/auth_types.ts +117 -0
package/cli-src/lib/auth/auth_utils.server.ts +196 -0
package/cli-src/lib/auth/dev_lock_validator.edge.ts +171 -0
package/cli-src/lib/auth/hazo_get_auth.server.ts +583 -0
package/cli-src/lib/auth/index.ts +23 -0
package/cli-src/lib/auth/nextauth_config.ts +227 -0
package/cli-src/lib/auth/org_cache.ts +148 -0
package/cli-src/lib/auth/scope_cache.ts +233 -0
package/cli-src/lib/auth/server_auth.ts +88 -0
package/cli-src/lib/auth/session_token_validator.edge.ts +92 -0
package/cli-src/lib/auth_utility_config.server.ts +136 -0
package/cli-src/lib/config/config_loader.server.ts +164 -0
package/cli-src/lib/config/default_config.ts +243 -0
package/cli-src/lib/dev_lock_config.server.ts +148 -0
package/cli-src/lib/email_verification_config.server.ts +63 -0
package/cli-src/lib/file_types_config.server.ts +25 -0
package/cli-src/lib/forgot_password_config.server.ts +63 -0
package/cli-src/lib/hazo_connect_instance.server.ts +101 -0
package/cli-src/lib/hazo_connect_setup.server.ts +194 -0
package/cli-src/lib/hazo_connect_setup.ts +54 -0
package/cli-src/lib/index.ts +46 -0
package/cli-src/lib/login_config.server.ts +106 -0
package/cli-src/lib/messages_config.server.ts +45 -0
package/cli-src/lib/migrations/apply_migration.ts +105 -0
package/cli-src/lib/multi_tenancy_config.server.ts +94 -0
package/cli-src/lib/my_settings_config.server.ts +135 -0
package/cli-src/lib/oauth_config.server.ts +87 -0
package/cli-src/lib/password_requirements_config.server.ts +40 -0
package/cli-src/lib/profile_pic_menu_config.server.ts +138 -0
package/cli-src/lib/profile_picture_config.server.ts +56 -0
package/cli-src/lib/register_config.server.ts +101 -0
package/cli-src/lib/reset_password_config.server.ts +103 -0
package/cli-src/lib/scope_hierarchy_config.server.ts +151 -0
package/cli-src/lib/services/email_service.ts +587 -0
package/cli-src/lib/services/email_verification_service.ts +270 -0
package/cli-src/lib/services/index.ts +16 -0
package/cli-src/lib/services/login_service.ts +150 -0
package/cli-src/lib/services/oauth_service.ts +494 -0
package/cli-src/lib/services/org_service.ts +965 -0
package/cli-src/lib/services/password_change_service.ts +154 -0
package/cli-src/lib/services/password_reset_service.ts +418 -0
package/cli-src/lib/services/profile_picture_remove_service.ts +120 -0
package/cli-src/lib/services/profile_picture_service.ts +451 -0
package/cli-src/lib/services/profile_picture_source_mapper.ts +62 -0
package/cli-src/lib/services/registration_service.ts +185 -0
package/cli-src/lib/services/scope_labels_service.ts +348 -0
package/cli-src/lib/services/scope_service.ts +778 -0
package/cli-src/lib/services/session_token_service.ts +178 -0
package/cli-src/lib/services/token_service.ts +240 -0
package/cli-src/lib/services/user_profiles_cache.ts +189 -0
package/cli-src/lib/services/user_profiles_service.ts +264 -0
package/cli-src/lib/services/user_scope_service.ts +554 -0
package/cli-src/lib/services/user_update_service.ts +141 -0
package/cli-src/lib/ui_shell_config.server.ts +73 -0
package/cli-src/lib/ui_sizes_config.server.ts +37 -0
package/cli-src/lib/user_fields_config.server.ts +31 -0
package/cli-src/lib/user_management_config.server.ts +39 -0
package/cli-src/lib/user_profiles_config.server.ts +55 -0
package/cli-src/lib/utils/api_route_helpers.ts +60 -0
package/cli-src/lib/utils/error_sanitizer.ts +75 -0
package/cli-src/lib/utils/password_validator.ts +65 -0
package/cli-src/lib/utils.ts +11 -0
package/cli-src/server/logging/logger_service.ts +56 -0
package/cli-src/server/types/app_types.ts +74 -0
package/cli-src/server/types/express.d.ts +16 -0
package/dist/cli/index.js +18 -0
package/dist/cli/init_users.d.ts +17 -0
package/dist/cli/init_users.d.ts.map +1 -0
package/dist/cli/init_users.js +307 -0
package/dist/components/layouts/dev_lock/index.d.ts +29 -0
package/dist/components/layouts/dev_lock/index.d.ts.map +1 -0
package/dist/components/layouts/dev_lock/index.js +60 -0
package/dist/components/layouts/index.d.ts +2 -0
package/dist/components/layouts/index.d.ts.map +1 -1
package/dist/components/layouts/index.js +1 -0
package/dist/components/layouts/org_management/index.d.ts +26 -0
package/dist/components/layouts/org_management/index.d.ts.map +1 -0
package/dist/components/layouts/org_management/index.js +75 -0
package/dist/components/layouts/shared/config/layout_customization.d.ts +2 -7
package/dist/components/layouts/shared/config/layout_customization.d.ts.map +1 -1
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts +13 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.d.ts.map +1 -0
package/dist/components/layouts/user_management/components/org_hierarchy_tab.js +276 -0
package/dist/components/layouts/user_management/index.d.ts +3 -1
package/dist/components/layouts/user_management/index.d.ts.map +1 -1
package/dist/components/layouts/user_management/index.js +10 -4
package/dist/lib/auth/auth_types.d.ts +6 -0
package/dist/lib/auth/auth_types.d.ts.map +1 -1
package/dist/lib/auth/dev_lock_validator.edge.d.ts +38 -0
package/dist/lib/auth/dev_lock_validator.edge.d.ts.map +1 -0
package/dist/lib/auth/dev_lock_validator.edge.js +122 -0
package/dist/lib/auth/hazo_get_auth.server.d.ts.map +1 -1
package/dist/lib/auth/hazo_get_auth.server.js +61 -1
package/dist/lib/auth/org_cache.d.ts +65 -0
package/dist/lib/auth/org_cache.d.ts.map +1 -0
package/dist/lib/auth/org_cache.js +103 -0
package/dist/lib/config/default_config.d.ts +76 -0
package/dist/lib/config/default_config.d.ts.map +1 -1
package/dist/lib/config/default_config.js +42 -0
package/dist/lib/dev_lock_config.server.d.ts +41 -0
package/dist/lib/dev_lock_config.server.d.ts.map +1 -0
package/dist/lib/dev_lock_config.server.js +50 -0
package/dist/lib/multi_tenancy_config.server.d.ts +30 -0
package/dist/lib/multi_tenancy_config.server.d.ts.map +1 -0
package/dist/lib/multi_tenancy_config.server.js +41 -0
package/dist/lib/services/org_service.d.ts +191 -0
package/dist/lib/services/org_service.d.ts.map +1 -0
package/dist/lib/services/org_service.js +746 -0
package/dist/lib/utils/password_validator.d.ts +7 -1
package/dist/lib/utils/password_validator.d.ts.map +1 -1
package/dist/page_components/dev_lock.d.ts +11 -0
package/dist/page_components/dev_lock.d.ts.map +1 -0
package/dist/page_components/dev_lock.js +17 -0
package/dist/page_components/index.d.ts +1 -0
package/dist/page_components/index.d.ts.map +1 -1
package/dist/page_components/index.js +1 -0
package/dist/page_components/org_management.d.ts +27 -0
package/dist/page_components/org_management.d.ts.map +1 -0
package/dist/page_components/org_management.js +18 -0
package/hazo_auth_config.example.ini +30 -0
package/package.json +27 -3

package/cli-src/lib/auth/hazo_get_auth.server.ts ADDED Viewed

@@ -0,0 +1,583 @@
+// file_description: server-side implementation of hazo_get_auth utility for API routes
+// section: imports
+import { NextRequest } from "next/server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { createCrudService } from "hazo_connect/server";
+import { create_app_logger } from "../app_logger.js";
+import { get_filename, get_line_number } from "../utils/api_route_helpers.js";
+import type { HazoAuthResult, HazoAuthUser, HazoAuthOptions, ScopeAccessInfo } from "./auth_types";
+import { PermissionError, ScopeAccessError } from "./auth_types.js";
+import { get_auth_cache } from "./auth_cache.js";
+import { get_scope_cache, type UserScopeEntry } from "./scope_cache.js";
+import { get_rate_limiter } from "./auth_rate_limiter.js";
+import { get_auth_utility_config } from "../auth_utility_config.server.js";
+import { validate_session_token } from "../services/session_token_service.js";
+import { is_hrbac_enabled, get_scope_hierarchy_config } from "../scope_hierarchy_config.server.js";
+import { check_user_scope_access, get_user_scopes, type UserScope } from "../services/user_scope_service.js";
+import { is_valid_scope_level, type ScopeLevel } from "../services/scope_service.js";
+import { is_multi_tenancy_enabled, get_multi_tenancy_config } from "../multi_tenancy_config.server.js";
+import { get_org_cache, type OrgCacheEntry } from "./org_cache.js";
+// section: helpers
+/**
+ * Gets client IP address from request
+ * @param request - NextRequest object
+ * @returns IP address string
+ */
+function get_client_ip(request: NextRequest): string {
+  const forwarded = request.headers.get("x-forwarded-for");
+  if (forwarded) {
+    return forwarded.split(",")[0].trim();
+  }
+  const real_ip = request.headers.get("x-real-ip");
+  if (real_ip) {
+    return real_ip;
+  }
+  return "unknown";
+}
+/**
+ * Fetches user data and permissions from database
+ * @param user_id - User ID
+ * @returns Object with user, permissions, and role_ids
+ */
+async function fetch_user_data_from_db(user_id: string): Promise<{
+  user: HazoAuthUser;
+  permissions: string[];
+  role_ids: number[];
+}> {
+  const hazoConnect = get_hazo_connect_instance();
+  const users_service = createCrudService(hazoConnect, "hazo_users");
+  const user_roles_service = createCrudService(hazoConnect, "hazo_user_roles");
+  const role_permissions_service = createCrudService(
+    hazoConnect,
+    "hazo_role_permissions",
+  );
+  const permissions_service = createCrudService(
+    hazoConnect,
+    "hazo_permissions",
+  );
+  // Fetch user
+  const users = await users_service.findBy({ id: user_id });
+  if (!Array.isArray(users) || users.length === 0) {
+    throw new Error("User not found");
+  }
+  const user_db = users[0];
+  // Check if user is active
+  if (user_db.is_active === false) {
+    throw new Error("User is inactive");
+  }
+  // Build user object with base fields
+  const user: HazoAuthUser = {
+    id: user_db.id as string,
+    name: (user_db.name as string | null) || null,
+    email_address: user_db.email_address as string,
+    is_active: user_db.is_active === true,
+    profile_picture_url:
+      (user_db.profile_picture_url as string | null) || null,
+  };
+  // Fetch org info if multi-tenancy is enabled and user has org_id
+  if (is_multi_tenancy_enabled() && user_db.org_id) {
+    const mt_config = get_multi_tenancy_config();
+    const org_cache = get_org_cache(
+      mt_config.org_cache_max_entries,
+      mt_config.org_cache_ttl_minutes,
+    );
+    const user_org_id = user_db.org_id as string;
+    // Check org cache first
+    let cached_org = org_cache.get(user_org_id);
+    if (!cached_org) {
+      // Fetch org info from database
+      const org_service = createCrudService(hazoConnect, "hazo_org");
+      const orgs = await org_service.findBy({ id: user_org_id });
+      if (Array.isArray(orgs) && orgs.length > 0) {
+        const org = orgs[0];
+        const org_entry: OrgCacheEntry = {
+          org_id: org.id as string,
+          org_name: org.name as string,
+          parent_org_id: (org.parent_org_id as string | null) || null,
+          parent_org_name: null,
+          root_org_id: (org.root_org_id as string | null) || null,
+          root_org_name: null,
+        };
+        // Fetch parent org name if exists
+        if (org_entry.parent_org_id) {
+          const parent_orgs = await org_service.findBy({ id: org_entry.parent_org_id });
+          if (Array.isArray(parent_orgs) && parent_orgs.length > 0) {
+            org_entry.parent_org_name = parent_orgs[0].name as string;
+          }
+        }
+        // Fetch root org name if exists
+        if (org_entry.root_org_id) {
+          const root_orgs = await org_service.findBy({ id: org_entry.root_org_id });
+          if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+            org_entry.root_org_name = root_orgs[0].name as string;
+          }
+        } else if (user_db.root_org_id) {
+          // Fallback to user's root_org_id if org doesn't have one
+          const root_orgs = await org_service.findBy({ id: user_db.root_org_id });
+          if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+            org_entry.root_org_id = root_orgs[0].id as string;
+            org_entry.root_org_name = root_orgs[0].name as string;
+          }
+        }
+        // Cache the org info
+        org_cache.set(user_org_id, org_entry);
+        cached_org = org_entry;
+      }
+    }
+    // Add org info to user object
+    if (cached_org) {
+      user.org_id = cached_org.org_id;
+      user.org_name = cached_org.org_name;
+      user.parent_org_id = cached_org.parent_org_id;
+      user.parent_org_name = cached_org.parent_org_name;
+      user.root_org_id = cached_org.root_org_id;
+      user.root_org_name = cached_org.root_org_name;
+    }
+  }
+  // Fetch user roles
+  const user_roles = await user_roles_service.findBy({ user_id });
+  const role_ids: number[] = [];
+  if (Array.isArray(user_roles)) {
+    for (const ur of user_roles) {
+      const role_id = ur.role_id as number | undefined;
+      if (role_id !== undefined) {
+        role_ids.push(role_id);
+      }
+    }
+  }
+  // Fetch role permissions
+  const permissions_set = new Set<string>();
+  if (role_ids.length > 0) {
+    const role_permissions = await role_permissions_service.findBy({});
+    if (Array.isArray(role_permissions)) {
+      // Filter role_permissions for user's roles
+      const user_role_permissions = role_permissions.filter((rp) =>
+        role_ids.includes(rp.role_id as number),
+      );
+      // Get permission IDs
+      const permission_ids = new Set<number>();
+      for (const rp of user_role_permissions) {
+        const perm_id = rp.permission_id as number | undefined;
+        if (perm_id !== undefined) {
+          permission_ids.add(perm_id);
+        }
+      }
+      // Fetch permission names
+      if (permission_ids.size > 0) {
+        const permissions = await permissions_service.findBy({});
+        if (Array.isArray(permissions)) {
+          for (const perm of permissions) {
+            const perm_id = perm.id as number | undefined;
+            if (perm_id !== undefined && permission_ids.has(perm_id)) {
+              const perm_name = perm.permission_name as string | undefined;
+              if (perm_name) {
+                permissions_set.add(perm_name);
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  const permissions = Array.from(permissions_set);
+  return { user, permissions, role_ids };
+}
+/**
+ * Checks if user has required permissions
+ * @param user_permissions - User's permissions
+ * @param required_permissions - Required permissions
+ * @returns Object with permission_ok and missing_permissions
+ */
+function check_permissions(
+  user_permissions: string[],
+  required_permissions: string[],
+): { permission_ok: boolean; missing_permissions: string[] } {
+  const user_perms_set = new Set(user_permissions);
+  const missing = required_permissions.filter(
+    (perm) => !user_perms_set.has(perm),
+  );
+  return {
+    permission_ok: missing.length === 0,
+    missing_permissions: missing,
+  };
+}
+/**
+ * Gets user-friendly error message for missing permissions
+ * @param missing_permissions - Array of missing permission names
+ * @param config - Auth utility config
+ * @returns User-friendly message or undefined
+ */
+function get_friendly_error_message(
+  missing_permissions: string[],
+  config: ReturnType<typeof get_auth_utility_config>,
+): string | undefined {
+  if (!config.enable_friendly_error_messages) {
+    return undefined;
+  }
+  // Try to get messages for each missing permission
+  const messages: string[] = [];
+  for (const perm of missing_permissions) {
+    const message = config.permission_error_messages.get(perm);
+    if (message) {
+      messages.push(message);
+    }
+  }
+  if (messages.length > 0) {
+    return messages.join(". ");
+  }
+  // Default message if no specific mapping
+  return "You don't have the required permissions to perform this action. Please contact your administrator.";
+}
+/**
+ * Gets user scopes with caching
+ * @param user_id - User ID
+ * @returns Array of user scope entries
+ */
+async function get_user_scopes_cached(user_id: string): Promise<UserScopeEntry[]> {
+  const scope_config = get_scope_hierarchy_config();
+  const scope_cache = get_scope_cache(
+    scope_config.scope_cache_max_entries,
+    scope_config.scope_cache_ttl_minutes,
+  );
+  // Check cache
+  const cached = scope_cache.get(user_id);
+  if (cached) {
+    return cached.scopes;
+  }
+  // Fetch from database
+  const hazoConnect = get_hazo_connect_instance();
+  const result = await get_user_scopes(hazoConnect, user_id);
+  if (!result.success || !result.scopes) {
+    return [];
+  }
+  // Convert to cache entry format and cache
+  const scopes: UserScopeEntry[] = result.scopes.map((s: UserScope) => ({
+    scope_type: s.scope_type as ScopeLevel,
+    scope_id: s.scope_id,
+    scope_seq: s.scope_seq,
+  }));
+  scope_cache.set(user_id, scopes);
+  return scopes;
+}
+/**
+ * Checks if user has access to a specific scope
+ * @param user_id - User ID
+ * @param scope_type - Scope level
+ * @param scope_id - Scope ID (optional)
+ * @param scope_seq - Scope seq (optional)
+ * @returns Object with scope_ok and access_via info
+ */
+async function check_scope_access(
+  user_id: string,
+  scope_type: string,
+  scope_id?: string,
+  scope_seq?: string,
+): Promise<{
+  scope_ok: boolean;
+  scope_access_via?: ScopeAccessInfo;
+  user_scopes: Array<{ scope_type: string; scope_id: string; scope_seq: string }>;
+}> {
+  const logger = create_app_logger();
+  // Validate scope_type
+  if (!is_valid_scope_level(scope_type)) {
+    logger.warn("auth_utility_invalid_scope_type", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      scope_type,
+      user_id,
+    });
+    return { scope_ok: false, user_scopes: [] };
+  }
+  const hazoConnect = get_hazo_connect_instance();
+  const result = await check_user_scope_access(
+    hazoConnect,
+    user_id,
+    scope_type as ScopeLevel,
+    scope_id,
+    scope_seq,
+  );
+  const user_scopes = (result.user_scopes || []).map((s) => ({
+    scope_type: s.scope_type,
+    scope_id: s.scope_id,
+    scope_seq: s.scope_seq,
+  }));
+  if (result.has_access && result.access_via) {
+    return {
+      scope_ok: true,
+      scope_access_via: {
+        scope_type: result.access_via.scope_type,
+        scope_id: result.access_via.scope_id,
+        scope_seq: result.access_via.scope_seq,
+      },
+      user_scopes,
+    };
+  }
+  return { scope_ok: false, user_scopes };
+}
+// section: main_function
+/**
+ * Main hazo_get_auth function for server-side use in API routes
+ * Returns user details, permissions, and checks required permissions
+ * Optionally checks HRBAC scope access when scope options are provided
+ * @param request - NextRequest object
+ * @param options - Optional parameters for permission checking and HRBAC scope checking
+ * @returns HazoAuthResult with user data, permissions, and optional scope access info
+ * @throws PermissionError if strict mode and permissions are missing
+ * @throws ScopeAccessError if strict mode and scope access is denied
+ */
+export async function hazo_get_auth(
+  request: NextRequest,
+  options?: HazoAuthOptions,
+): Promise<HazoAuthResult> {
+  const logger = create_app_logger();
+  const config = get_auth_utility_config();
+  const cache = get_auth_cache(
+    config.cache_max_users,
+    config.cache_ttl_minutes,
+    config.cache_max_age_minutes,
+  );
+  const rate_limiter = get_rate_limiter();
+  // Fast path: Check for authentication cookies
+  // Priority: 1. JWT session token (new), 2. Simple cookies (backward compatibility)
+  let user_id: string | undefined;
+  let user_email: string | undefined;
+  // Check for JWT session token first
+  const session_token = request.cookies.get("hazo_auth_session")?.value;
+  if (session_token) {
+    try {
+      const token_result = await validate_session_token(session_token);
+      if (token_result.valid && token_result.user_id && token_result.email) {
+        user_id = token_result.user_id;
+        user_email = token_result.email;
+      }
+    } catch (token_error) {
+      // If token validation fails, fall back to simple cookies
+      const token_error_message = token_error instanceof Error ? token_error.message : "Unknown error";
+      logger.debug("auth_utility_jwt_validation_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        error: token_error_message,
+        note: "Falling back to simple cookie check",
+      });
+    }
+  }
+  // Fall back to simple cookies if JWT not present or invalid (backward compatibility)
+  if (!user_id || !user_email) {
+    user_id = request.cookies.get("hazo_auth_user_id")?.value;
+    user_email = request.cookies.get("hazo_auth_user_email")?.value;
+  }
+  if (!user_id || !user_email) {
+    // Unauthenticated - check rate limit by IP
+    const client_ip = get_client_ip(request);
+    const ip_key = `ip:${client_ip}`;
+    if (!rate_limiter.check(ip_key, config.rate_limit_per_ip)) {
+      logger.warn("auth_utility_rate_limit_exceeded_ip", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        ip: client_ip,
+      });
+      throw new Error("Rate limit exceeded. Please try again later.");
+    }
+    return {
+      authenticated: false,
+      user: null,
+      permissions: [],
+      permission_ok: false,
+    };
+  }
+  // Authenticated - check rate limit by user
+  const user_key = `user:${user_id}`;
+  if (!rate_limiter.check(user_key, config.rate_limit_per_user)) {
+    logger.warn("auth_utility_rate_limit_exceeded_user", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      user_id,
+    });
+    throw new Error("Rate limit exceeded. Please try again later.");
+  }
+  // Check cache
+  let cached_entry = cache.get(user_id);
+  let user: HazoAuthUser;
+  let permissions: string[];
+  let role_ids: number[];
+  if (cached_entry) {
+    // Cache hit
+    user = cached_entry.user;
+    permissions = cached_entry.permissions;
+    role_ids = cached_entry.role_ids;
+  } else {
+    // Cache miss - fetch from database
+    try {
+      const user_data = await fetch_user_data_from_db(user_id);
+      user = user_data.user;
+      permissions = user_data.permissions;
+      role_ids = user_data.role_ids;
+      // Update cache
+      cache.set(user_id, user, permissions, role_ids);
+    } catch (error) {
+      const error_message =
+        error instanceof Error ? error.message : "Unknown error";
+      logger.error("auth_utility_fetch_user_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        error: error_message,
+      });
+      return {
+        authenticated: false,
+        user: null,
+        permissions: [],
+        permission_ok: false,
+      };
+    }
+  }
+  // Check permissions if required
+  let permission_ok = true;
+  let missing_permissions: string[] | undefined;
+  if (options?.required_permissions && options.required_permissions.length > 0) {
+    const check_result = check_permissions(
+      permissions,
+      options.required_permissions,
+    );
+    permission_ok = check_result.permission_ok;
+    missing_permissions = check_result.missing_permissions;
+    // Log permission denial if enabled
+    if (!permission_ok && config.log_permission_denials) {
+      const client_ip = get_client_ip(request);
+      logger.warn("auth_utility_permission_denied", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id,
+        requested_permissions: options.required_permissions,
+        missing_permissions,
+        user_permissions: permissions,
+        ip: client_ip,
+      });
+    }
+    // Throw error if strict mode
+    if (!permission_ok && options.strict) {
+      const friendly_message = get_friendly_error_message(
+        missing_permissions,
+        config,
+      );
+      throw new PermissionError(
+        missing_permissions,
+        permissions,
+        options.required_permissions,
+        friendly_message,
+      );
+    }
+  }
+  // Check HRBAC scope access if enabled and scope options provided
+  let scope_ok: boolean | undefined;
+  let scope_access_via: ScopeAccessInfo | undefined;
+  const hrbac_enabled = is_hrbac_enabled();
+  const has_scope_options = options?.scope_type && (options?.scope_id || options?.scope_seq);
+  if (hrbac_enabled && has_scope_options) {
+    const scope_result = await check_scope_access(
+      user.id,
+      options!.scope_type!,
+      options?.scope_id,
+      options?.scope_seq,
+    );
+    scope_ok = scope_result.scope_ok;
+    scope_access_via = scope_result.scope_access_via;
+    // Log scope denial if permission logging is enabled
+    if (!scope_ok && config.log_permission_denials) {
+      const client_ip = get_client_ip(request);
+      logger.warn("auth_utility_scope_access_denied", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        user_id: user.id,
+        scope_type: options!.scope_type,
+        scope_id: options?.scope_id,
+        scope_seq: options?.scope_seq,
+        user_scopes: scope_result.user_scopes,
+        ip: client_ip,
+      });
+    }
+    // Throw error if strict mode and scope access denied
+    if (!scope_ok && options?.strict) {
+      throw new ScopeAccessError(
+        options!.scope_type!,
+        options?.scope_id || options?.scope_seq || "unknown",
+        scope_result.user_scopes,
+      );
+    }
+  }
+  return {
+    authenticated: true,
+    user,
+    permissions,
+    permission_ok,
+    missing_permissions,
+    scope_ok,
+    scope_access_via,
+  };
+}

package/cli-src/lib/auth/index.ts ADDED Viewed

@@ -0,0 +1,23 @@
+// file_description: barrel export for auth utilities
+// section: type_exports
+export * from "./auth_types";
+// section: server_exports
+export { hazo_get_auth } from "./hazo_get_auth.server.js";
+export {
+  get_authenticated_user,
+  require_auth,
+  is_authenticated,
+} from "./auth_utils.server.js";
+export type { AuthResult, AuthUser } from "./auth_utils.server";
+// section: client_exports
+export { get_server_auth_user } from "./server_auth.js";
+export type { ServerAuthResult } from "./server_auth";
+// section: cache_exports
+export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
+// section: rate_limiter_exports
+export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";