hazo_auth 4.2.0 → 4.4.0

package/cli-src/lib/dev_lock_config.server.ts

@@ -0,0 +1,148 @@
+// file_description: server-only helper to read dev lock configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_value, get_config_boolean, get_config_number } from "./config/config_loader.server.js";
+import { DEFAULT_DEV_LOCK } from "./config/default_config.js";
+
+// section: types
+export type DevLockConfig = {
+  /** Enable the development lock screen */
+  enable: boolean;
+  /** Session duration in days */
+  session_duration_days: number;
+  /** Background color */
+  background_color: string;
+  /** Logo image path */
+  logo_path: string;
+  /** Logo width in pixels */
+  logo_width: number;
+  /** Logo height in pixels */
+  logo_height: number;
+  /** Application name displayed below logo */
+  application_name: string;
+  /** Limited access text displayed with lock icon */
+  limited_access_text: string;
+  /** Password input placeholder text */
+  password_placeholder: string;
+  /** Submit button text */
+  submit_button_text: string;
+  /** Error message for incorrect password */
+  error_message: string;
+  /** Text color for labels */
+  text_color: string;
+  /** Accent color for button */
+  accent_color: string;
+};
+
+// section: constants
+const SECTION_NAME = "hazo_auth__dev_lock";
+
+// section: helpers
+/**
+ * Reads dev lock configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Dev lock configuration options
+ */
+export function get_dev_lock_config(): DevLockConfig {
+  const enable = get_config_boolean(
+    SECTION_NAME,
+    "enable",
+    DEFAULT_DEV_LOCK.enable
+  );
+
+  const session_duration_days = get_config_number(
+    SECTION_NAME,
+    "session_duration_days",
+    DEFAULT_DEV_LOCK.session_duration_days
+  );
+
+  const background_color = get_config_value(
+    SECTION_NAME,
+    "background_color",
+    DEFAULT_DEV_LOCK.background_color
+  );
+
+  const logo_path = get_config_value(
+    SECTION_NAME,
+    "logo_path",
+    DEFAULT_DEV_LOCK.logo_path
+  );
+
+  const logo_width = get_config_number(
+    SECTION_NAME,
+    "logo_width",
+    DEFAULT_DEV_LOCK.logo_width
+  );
+
+  const logo_height = get_config_number(
+    SECTION_NAME,
+    "logo_height",
+    DEFAULT_DEV_LOCK.logo_height
+  );
+
+  const application_name = get_config_value(
+    SECTION_NAME,
+    "application_name",
+    DEFAULT_DEV_LOCK.application_name
+  );
+
+  const limited_access_text = get_config_value(
+    SECTION_NAME,
+    "limited_access_text",
+    DEFAULT_DEV_LOCK.limited_access_text
+  );
+
+  const password_placeholder = get_config_value(
+    SECTION_NAME,
+    "password_placeholder",
+    DEFAULT_DEV_LOCK.password_placeholder
+  );
+
+  const submit_button_text = get_config_value(
+    SECTION_NAME,
+    "submit_button_text",
+    DEFAULT_DEV_LOCK.submit_button_text
+  );
+
+  const error_message = get_config_value(
+    SECTION_NAME,
+    "error_message",
+    DEFAULT_DEV_LOCK.error_message
+  );
+
+  const text_color = get_config_value(
+    SECTION_NAME,
+    "text_color",
+    DEFAULT_DEV_LOCK.text_color
+  );
+
+  const accent_color = get_config_value(
+    SECTION_NAME,
+    "accent_color",
+    DEFAULT_DEV_LOCK.accent_color
+  );
+
+  return {
+    enable,
+    session_duration_days,
+    background_color,
+    logo_path,
+    logo_width,
+    logo_height,
+    application_name,
+    limited_access_text,
+    password_placeholder,
+    submit_button_text,
+    error_message,
+    text_color,
+    accent_color,
+  };
+}
+
+/**
+ * Helper to check if dev lock is enabled in config
+ * Note: Also requires HAZO_AUTH_DEV_LOCK_ENABLED env var for actual enforcement
+ * @returns true if dev lock is enabled in config
+ */
+export function is_dev_lock_enabled(): boolean {
+  return get_config_boolean(SECTION_NAME, "enable", DEFAULT_DEV_LOCK.enable);
+}

package/cli-src/lib/email_verification_config.server.ts

@@ -0,0 +1,63 @@
+// file_description: server-only helper to read email verification layout configuration from hazo_auth_config.ini
+// section: imports
+import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+import verifyEmailDefaultImage from "../assets/images/verify_email_default.jpg.js";
+
+// section: types
+import type { StaticImageData } from "next/image";
+
+export type EmailVerificationConfig = {
+  alreadyLoggedInMessage: string;
+  showLogoutButton: boolean;
+  showReturnHomeButton: boolean;
+  returnHomeButtonLabel: string;
+  returnHomePath: string;
+  imageSrc: string | StaticImageData;
+  imageAlt: string;
+  imageBackgroundColor: string;
+};
+
+// section: helpers
+/**
+ * Reads email verification layout configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Email verification configuration options
+ */
+export function get_email_verification_config(): EmailVerificationConfig {
+  const section = "hazo_auth__email_verification_layout";
+
+  // Get shared already logged in config
+  const alreadyLoggedInConfig = get_already_logged_in_config();
+
+  // Read image configuration
+  // If not set in config, falls back to default image from assets
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    "" // Empty string means not set in config
+  ) || verifyEmailDefaultImage;
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Email verification illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
+  return {
+    alreadyLoggedInMessage: alreadyLoggedInConfig.message,
+    showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
+    showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
+    returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
+    returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
+  };
+}
+

package/cli-src/lib/file_types_config.server.ts

@@ -0,0 +1,25 @@
+// file_description: server-only helper to read file type configuration from hazo_auth_config.ini
+// section: imports
+import { get_config_array } from "./config/config_loader.server.js";
+
+// section: types
+export type FileTypesConfig = {
+  allowed_image_extensions: string[];
+  allowed_image_mime_types: string[];
+};
+
+// section: helpers
+/**
+ * Reads file type configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns File types configuration options
+ */
+export function get_file_types_config(): FileTypesConfig {
+  const section = "hazo_auth__file_types";
+
+  return {
+    allowed_image_extensions: get_config_array(section, "allowed_image_extensions", ["jpg", "jpeg", "png"]),
+    allowed_image_mime_types: get_config_array(section, "allowed_image_mime_types", ["image/jpeg", "image/jpg", "image/png"]),
+  };
+}
+

package/cli-src/lib/forgot_password_config.server.ts

@@ -0,0 +1,63 @@
+// file_description: server-only helper to read forgot password layout configuration from hazo_auth_config.ini
+// section: imports
+import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+import forgotPasswordDefaultImage from "../assets/images/forgot_password_default.jpg.js";
+
+// section: types
+import type { StaticImageData } from "next/image";
+
+export type ForgotPasswordConfig = {
+  alreadyLoggedInMessage: string;
+  showLogoutButton: boolean;
+  showReturnHomeButton: boolean;
+  returnHomeButtonLabel: string;
+  returnHomePath: string;
+  imageSrc: string | StaticImageData;
+  imageAlt: string;
+  imageBackgroundColor: string;
+};
+
+// section: helpers
+/**
+ * Reads forgot password layout configuration from hazo_auth_config.ini file
+ * Falls back to defaults if hazo_auth_config.ini is not found or section is missing
+ * @returns Forgot password configuration options
+ */
+export function get_forgot_password_config(): ForgotPasswordConfig {
+  const section = "hazo_auth__forgot_password_layout";
+
+  // Get shared already logged in config
+  const alreadyLoggedInConfig = get_already_logged_in_config();
+
+  // Read image configuration
+  // If not set in config, falls back to default image from assets
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    "" // Empty string means not set in config
+  ) || forgotPasswordDefaultImage;
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Password recovery illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
+  return {
+    alreadyLoggedInMessage: alreadyLoggedInConfig.message,
+    showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
+    showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
+    returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
+    returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
+  };
+}
+

package/cli-src/lib/hazo_connect_instance.server.ts

@@ -0,0 +1,101 @@
+// file_description: singleton instance of hazo_connect adapter - initialized once and reused across all routes
+// This ensures all routes/components use the same database connection
+// Uses the new hazo_connect singleton API from hazo_connect/nextjs/setup
+// Reads configuration from hazo_auth_config.ini using hazo_config
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { getHazoConnectSingleton } from "hazo_connect/nextjs/setup";
+import { create_sqlite_hazo_connect_server, get_hazo_connect_config_options } from "./hazo_connect_setup.server.js";
+import { initializeAdminService, getSqliteAdminService } from "hazo_connect/server";
+import { create_app_logger } from "./app_logger.js";
+
+// section: singleton_state
+let hazoConnectInstance: HazoConnectAdapter | null = null;
+let isInitialized = false;
+
+// section: helpers
+/**
+ * Gets or creates the singleton hazo_connect adapter instance
+ * This ensures all routes/components use the same database connection
+ * 
+ * Uses the new hazo_connect singleton API which:
+ * - Automatically reuses the adapter instance
+ * - Automatically registers SQLite adapters with the admin service
+ * - Is thread-safe for Next.js serverless environments
+ * - Reads configuration from hazo_auth_config.ini using hazo_config (falls back to environment variables)
+ * 
+ * Falls back to manual singleton if the new API is not available
+ * 
+ * @returns The singleton HazoConnectAdapter instance
+ */
+export function get_hazo_connect_instance(): HazoConnectAdapter {
+  // Use the new singleton API from hazo_connect
+  // This automatically handles:
+  // - Instance reuse
+  // - Admin service registration (via registerSqliteAdapter)
+  // - Thread-safety for Next.js serverless
+  // - Configuration from hazo_auth_config.ini (via hazo_config) or environment variables
+  try {
+    // Get configuration from hazo_auth_config.ini (falls back to environment variables)
+    const config_options = get_hazo_connect_config_options();
+    const logger = create_app_logger();
+    logger.debug("hazo_connect_singleton_attempt", {
+      filename: "hazo_connect_instance.server.ts",
+      line_number: 38,
+      config_options,
+      note: "Attempting to get singleton with these options",
+    });
+    return getHazoConnectSingleton(config_options);
+  } catch (error) {
+    const logger = create_app_logger();
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    logger.error("hazo_connect_singleton_failed", {
+      filename: "hazo_connect_instance.server.ts",
+      line_number: 45,
+      error: error_message,
+      error_stack: error instanceof Error ? error.stack : undefined,
+      note: "Falling back to manual singleton implementation",
+    });
+    
+    // Fallback: Manual singleton implementation if new API fails
+    // This should not happen with the updated package, but kept for safety
+    if (!hazoConnectInstance) {
+      // Get config options to determine database type
+      const config_options = get_hazo_connect_config_options();
+      const db_type = config_options.type;
+      
+      // Only initialize SQLite admin service for SQLite databases
+      if (db_type === "sqlite" && !isInitialized) {
+        initializeAdminService({ enable_admin_ui: true });
+        isInitialized = true;
+      }
+      
+      // Create the adapter instance (reads from hazo_auth_config.ini)
+      // Note: Despite the name, this function supports both SQLite and PostgREST
+      hazoConnectInstance = create_sqlite_hazo_connect_server();
+
+      // Note: Database migrations should be applied manually via SQLite Admin UI
+      // or through a separate migration script. The token_service has fallback
+      // logic to work without the token_type column if migration hasn't been applied.
+
+      // Finalize initialization by getting the admin service (only for SQLite)
+      if (db_type === "sqlite") {
+        try {
+          getSqliteAdminService();
+        } catch (adminError) {
+          const logger = create_app_logger();
+          const error_message = adminError instanceof Error ? adminError.message : "Unknown error";
+          logger.warn("hazo_connect_instance_admin_service_init_failed", {
+            filename: "hazo_connect_instance.server.ts",
+            line_number: 0,
+            error: error_message,
+            note: "Could not get SqliteAdminService during initialization, continuing...",
+          });
+        }
+      }
+    }
+    
+    return hazoConnectInstance;
+  }
+}
+

package/cli-src/lib/hazo_connect_setup.server.ts

@@ -0,0 +1,194 @@
+// file_description: server-only helper to create hazo_connect instance (imports server-side code)
+// This file should only be imported in server contexts (API routes, server components)
+// Reads configuration from hazo_auth_config.ini using hazo_config
+// section: imports
+import { createHazoConnect } from "hazo_connect/server";
+import { HazoConfig } from "hazo_config/dist/lib";
+import path from "path";
+import fs from "fs";
+import { create_app_logger } from "./app_logger.js";
+import { read_config_section } from "./config/config_loader.server.js";
+
+// section: helpers
+/**
+ * Reads hazo_connect configuration from hazo_auth_config.ini file
+ * Falls back to environment variables if hazo_auth_config.ini is not found or section is missing
+ * @returns Configuration options for hazo_connect
+ */
+function get_hazo_connect_config(): {
+  type: "sqlite" | "postgrest";
+  sqlitePath?: string;
+  enableAdminUi: boolean;
+  readOnly?: boolean;
+  postgrestUrl?: string;
+  postgrestApiKey?: string;
+} {
+  const default_config_path = path.resolve(process.cwd(), "hazo_auth_config.ini");
+  let hazo_connect_section: Record<string, string> | undefined;
+
+  // Try to read from hazo_auth_config.ini
+  const logger = create_app_logger();
+  hazo_connect_section = read_config_section("hazo_connect");
+
+  // Read type (defaults to sqlite)
+  const type = (
+    hazo_connect_section?.type ||
+    process.env.HAZO_CONNECT_TYPE ||
+    "sqlite"
+  ).toLowerCase() as "sqlite" | "postgrest";
+
+  // Read enable_admin_ui (defaults to true)
+  const enable_admin_ui_str =
+    hazo_connect_section?.enable_admin_ui ||
+    process.env.HAZO_CONNECT_ENABLE_ADMIN_UI ||
+    "true";
+  const enableAdminUi = enable_admin_ui_str.toLowerCase() === "true";
+
+  // Read read_only (defaults to false)
+  const read_only_str =
+    hazo_connect_section?.read_only ||
+    process.env.HAZO_CONNECT_SQLITE_READONLY ||
+    "false";
+  const readOnly = read_only_str.toLowerCase() === "true";
+
+  // SQLite configuration
+  if (type === "sqlite") {
+    const sqlite_path_config =
+      hazo_connect_section?.sqlite_path || process.env.HAZO_CONNECT_SQLITE_PATH;
+
+    let sqlite_path: string | undefined;
+
+    if (sqlite_path_config) {
+      // If path is absolute, use as-is; otherwise resolve relative to process.cwd()
+      sqlite_path = path.isAbsolute(sqlite_path_config)
+        ? sqlite_path_config
+        : path.resolve(process.cwd(), sqlite_path_config);
+
+      // Normalize the path to ensure consistency (resolves .., ., etc.)
+      sqlite_path = path.normalize(sqlite_path);
+    } else {
+      // Fallback to test fixture database
+      const fallback_sqlite_path = path.resolve(
+        process.cwd(),
+        "__tests__",
+        "fixtures",
+        "hazo_auth.sqlite"
+      );
+      sqlite_path = path.normalize(fallback_sqlite_path);
+    }
+
+    // Log the resolved path for debugging
+    logger.debug("hazo_connect_sqlite_path_resolved", {
+      filename: "hazo_connect_setup.server.ts",
+      line_number: 0,
+      sqlite_path,
+      process_cwd: process.cwd(),
+      config_source: hazo_connect_section ? "hazo_auth_config.ini" : "environment variables",
+    });
+
+    return {
+      type: "sqlite",
+      sqlitePath: sqlite_path,
+      enableAdminUi,
+      readOnly,
+    };
+  }
+
+  // PostgREST configuration
+  if (type === "postgrest") {
+    const postgrest_url =
+      hazo_connect_section?.postgrest_url ||
+      process.env.HAZO_CONNECT_POSTGREST_URL ||
+      process.env.POSTGREST_URL;
+    // API key must only come from environment variables for security
+    // Check multiple possible env var names for compatibility
+    const postgrest_api_key =
+      process.env.postgrest_api_key ||  // hazo_connect package expects this
+      process.env.HAZO_CONNECT_POSTGREST_API_KEY ||
+      process.env.POSTGREST_API_KEY;
+
+    if (!postgrest_url) {
+      throw new Error(
+        "PostgREST URL is required. Set postgrest_url in [hazo_connect] section of hazo_auth_config.ini or HAZO_CONNECT_POSTGREST_URL environment variable."
+      );
+    }
+
+    return {
+      type: "postgrest",
+      postgrestUrl: postgrest_url,
+      postgrestApiKey: postgrest_api_key,
+      enableAdminUi,
+    };
+  }
+
+  throw new Error(
+    `Unsupported HAZO_CONNECT_TYPE: ${type}. Supported types: sqlite, postgrest`
+  );
+}
+
+/**
+ * Server-only function to create hazo_connect adapter
+ * Reads configuration from hazo_auth_config.ini using hazo_config, falls back to environment variables
+ * This should only be called from server-side code (API routes, server components)
+ */
+export function create_sqlite_hazo_connect_server() {
+  const config = get_hazo_connect_config();
+
+  if (config.type === "sqlite") {
+    return createHazoConnect({
+      type: "sqlite",
+      database: config.sqlitePath!,
+      enable_admin_ui: config.enableAdminUi,
+    });
+  }
+
+  if (config.type === "postgrest") {
+    // Ensure we have a value (empty string if not set, for PostgREST instances without auth)
+    const apiKey = config.postgrestApiKey || "";
+    
+    return createHazoConnect({
+      type: "postgrest",
+      baseUrl: config.postgrestUrl!,
+      apiKey: apiKey, // Pass empty string if not set
+    });
+  }
+
+  throw new Error(`Unsupported database type: ${config.type}`);
+}
+
+/**
+ * Gets hazo_connect configuration options for use with singleton API
+ * Reads from hazo_auth_config.ini using hazo_config, falls back to environment variables
+ * @returns Configuration options compatible with getHazoConnectSingleton
+ */
+export function get_hazo_connect_config_options(): {
+  type?: "sqlite" | "postgrest";
+  sqlitePath?: string;
+  enableAdminUi?: boolean;
+  readOnly?: boolean;
+  baseUrl?: string;
+  apiKey?: string;
+} {
+  const config = get_hazo_connect_config();
+
+  if (config.type === "sqlite") {
+    return {
+      type: "sqlite",
+      sqlitePath: config.sqlitePath,
+      enableAdminUi: config.enableAdminUi,
+      readOnly: config.readOnly,
+    };
+  }
+
+  if (config.type === "postgrest") {
+    return {
+      type: "postgrest",
+      baseUrl: config.postgrestUrl, // Corrected from postgrestUrl
+      apiKey: config.postgrestApiKey || "", // Corrected from postgrestApiKey and ensured string value
+    };
+  }
+
+  // Fallback: return empty object to let it use environment variables
+  return {};
+}
+

package/cli-src/lib/hazo_connect_setup.ts

@@ -0,0 +1,54 @@
+// file_description: helper function to create hazo_connect instance with configuration from environment variables
+// This file provides a client-safe wrapper that returns a mock on client-side
+// section: imports
+// Note: We don't import server-side code here to avoid client-side bundling issues
+
+// section: helpers
+/**
+ * Creates a hazo_connect instance configured from environment variables
+ * 
+ * Environment variables:
+ * - HAZO_CONNECT_TYPE: Database type ("sqlite" | "postgrest") - defaults to "sqlite"
+ * - HAZO_CONNECT_SQLITE_PATH: Path to SQLite database file (relative to process.cwd() or absolute)
+ * - HAZO_CONNECT_POSTGREST_URL: PostgREST API URL (for postgrest type)
+ * - HAZO_CONNECT_POSTGREST_API_KEY: PostgREST API key (for postgrest type)
+ * 
+ * Falls back to test fixture database if HAZO_CONNECT_SQLITE_PATH is not set
+ * 
+ * Note: For client-side usage (Next.js pages), this returns a mock adapter
+ * since SQLite cannot run in browser environments. Use PostgREST for client-side database access.
+ */
+// Lazy loader for server module - prevents webpack from statically analyzing the require
+function loadServerModule() {
+  // Use Function constructor to create a dynamic require that webpack can't analyze
+  // eslint-disable-next-line no-new-func
+  const requireFunc = new Function('modulePath', 'return require(modulePath)');
+  return requireFunc('./hazo_connect_setup.server');
+}
+
+export function create_sqlite_hazo_connect() {
+  // Check if we're in a browser/client environment
+  if (typeof window !== "undefined") {
+    // Return a mock adapter for client-side usage
+    return create_client_mock_hazo_connect();
+  }
+
+  // Server-side: dynamically load server module
+  // Using Function constructor prevents webpack from statically analyzing the require
+  const serverModule = loadServerModule();
+  return serverModule.create_sqlite_hazo_connect_server();
+}
+
+/**
+ * Creates a mock hazo_connect adapter for client-side usage
+ * This satisfies the LayoutDataClient interface without requiring SQLite
+ */
+function create_client_mock_hazo_connect() {
+  return {
+    healthCheck: async () => {
+      // Mock health check for client-side - no-op
+      return Promise.resolve();
+    },
+  };
+}
+