hazo_auth 4.3.0 → 4.4.1

package/cli-src/lib/already_logged_in_config.server.ts

@@ -1,6 +1,6 @@
 // file_description: server-only helper to read already logged in configuration from hazo_auth_config.ini
 // section: imports
-import { get_config_value, get_config_boolean } from "./config/config_loader.server";
+import { get_config_value, get_config_boolean } from "./config/config_loader.server.js";
 
 // section: types
 export type AlreadyLoggedInConfig = {

package/cli-src/lib/app_logger.ts

@@ -1,24 +1,14 @@
-// file_description: client-accessible wrapper for the main app logging service
+// file_description: client-accessible wrapper for the main app logging service using hazo_logs
 // section: imports
-import { create_logger_service } from "../server/logging/logger_service";
-
-// section: constants
-const APP_NAMESPACE = "hazo_auth_ui";
+import { createLogger } from "hazo_logs";
 
 // section: logger_instance
+// Create a singleton logger for the hazo_auth package
+const logger = createLogger("hazo_auth");
+
 /**
- * Creates a logger service instance for use in UI components
- * This uses the main app logging service and can be extended with an external logger
- * when provided as part of component setup
+ * Returns the hazo_auth logger instance
+ * Uses hazo_logs for consistent logging across hazo packages
  */
-export const create_app_logger = (
-  external_logger?: {
-    info?: (message: string, data?: Record<string, unknown>) => void;
-    error?: (message: string, data?: Record<string, unknown>) => void;
-    warn?: (message: string, data?: Record<string, unknown>) => void;
-    debug?: (message: string, data?: Record<string, unknown>) => void;
-  }
-) => {
-  return create_logger_service(APP_NAMESPACE, external_logger);
-};
+export const create_app_logger = () => logger;
 

package/cli-src/lib/auth/auth_types.ts

@@ -10,6 +10,13 @@ export type HazoAuthUser = {
   email_address: string;
   is_active: boolean;
   profile_picture_url: string | null;
+  // Multi-tenancy fields (only populated when multi-tenancy is enabled)
+  org_id?: string | null;
+  org_name?: string | null;
+  parent_org_id?: string | null;
+  parent_org_name?: string | null;
+  root_org_id?: string | null;
+  root_org_name?: string | null;
 };
 
 /**

package/cli-src/lib/auth/auth_utils.server.ts

@@ -1,9 +1,9 @@
 // file_description: server-side authentication utilities for checking login status in API routes
 // section: imports
 import { NextRequest, NextResponse } from "next/server";
-import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
-import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
+import { map_db_source_to_ui } from "../services/profile_picture_source_mapper.js";
 
 // section: types
 export type AuthUser = {

package/cli-src/lib/auth/dev_lock_validator.edge.ts

@@ -0,0 +1,171 @@
+// file_description: Edge-compatible dev lock cookie validator for Next.js middleware
+// Uses Web Crypto API which works in Edge Runtime (no Node.js crypto module)
+// section: imports
+import type { NextRequest } from "next/server";
+
+// section: constants
+const COOKIE_NAME = "hazo_auth_dev_lock";
+const SEPARATOR = "|";
+
+// section: types
+export type DevLockValidationResult = {
+  valid: boolean;
+  expired?: boolean;
+};
+
+export type DevLockCookieData = {
+  value: string;
+  max_age: number;
+};
+
+// section: helpers
+/**
+ * Creates HMAC-SHA256 signature using Web Crypto API (Edge compatible)
+ * @param data - Data to sign
+ * @param secret - Secret key for signing
+ * @returns Hex string signature
+ */
+async function create_signature(data: string, secret: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const key_data = encoder.encode(secret);
+  const message_data = encoder.encode(data);
+
+  const crypto_key = await crypto.subtle.importKey(
+    "raw",
+    key_data,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+
+  const signature = await crypto.subtle.sign("HMAC", crypto_key, message_data);
+
+  // Convert ArrayBuffer to hex string
+  return Array.from(new Uint8Array(signature))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+/**
+ * Performs constant-time comparison of two strings
+ * Prevents timing attacks
+ * @param a - First string
+ * @param b - Second string
+ * @returns true if strings are equal
+ */
+function constant_time_compare(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+
+  return result === 0;
+}
+
+// section: main_functions
+/**
+ * Creates a signed dev lock cookie value
+ * Cookie format: timestamp|expiry_timestamp|signature
+ * @param password - The dev lock password (used as signing key)
+ * @param expiry_days - Number of days until cookie expires (default: 7)
+ * @returns Cookie value and max_age in seconds
+ */
+export async function create_dev_lock_cookie(
+  password: string,
+  expiry_days: number = 7
+): Promise<DevLockCookieData> {
+  const timestamp = Date.now();
+  const expiry_timestamp = timestamp + expiry_days * 24 * 60 * 60 * 1000;
+  const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+  const signature = await create_signature(data, password);
+
+  return {
+    value: `${data}${SEPARATOR}${signature}`,
+    max_age: expiry_days * 24 * 60 * 60, // in seconds
+  };
+}
+
+/**
+ * Validates dev lock cookie from request (Edge-compatible)
+ * Checks signature validity and expiration
+ * @param request - NextRequest object
+ * @returns Validation result with valid flag and optional expired flag
+ */
+export async function validate_dev_lock_cookie(
+  request: NextRequest
+): Promise<DevLockValidationResult> {
+  const password = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+
+  if (!password) {
+    // No password set - cannot validate
+    return { valid: false };
+  }
+
+  const cookie = request.cookies.get(COOKIE_NAME)?.value;
+
+  if (!cookie) {
+    return { valid: false };
+  }
+
+  try {
+    const parts = cookie.split(SEPARATOR);
+    if (parts.length !== 3) {
+      return { valid: false };
+    }
+
+    const [timestamp_str, expiry_str, signature] = parts;
+    const timestamp = parseInt(timestamp_str, 10);
+    const expiry_timestamp = parseInt(expiry_str, 10);
+
+    if (isNaN(timestamp) || isNaN(expiry_timestamp)) {
+      return { valid: false };
+    }
+
+    // Check expiry
+    if (Date.now() > expiry_timestamp) {
+      return { valid: false, expired: true };
+    }
+
+    // Verify signature
+    const data = `${timestamp}${SEPARATOR}${expiry_timestamp}`;
+    const expected_signature = await create_signature(data, password);
+
+    // Constant-time comparison to prevent timing attacks
+    if (!constant_time_compare(signature, expected_signature)) {
+      return { valid: false };
+    }
+
+    return { valid: true };
+  } catch {
+    return { valid: false };
+  }
+}
+
+/**
+ * Validates password against environment variable (for unlock endpoint)
+ * Uses constant-time comparison to prevent timing attacks
+ * @param password - Password to validate
+ * @returns true if password matches
+ */
+export function validate_dev_lock_password(password: string): boolean {
+  const expected = process.env.HAZO_AUTH_DEV_LOCK_PASSWORD;
+
+  if (!expected || !password) {
+    return false;
+  }
+
+  return constant_time_compare(password, expected);
+}
+
+/**
+ * Gets the dev lock cookie name
+ * Exported for use in API routes when setting the cookie
+ * @returns Cookie name string
+ */
+export function get_dev_lock_cookie_name(): string {
+  return COOKIE_NAME;
+}

package/cli-src/lib/auth/hazo_get_auth.server.ts

@@ -1,20 +1,22 @@
 // file_description: server-side implementation of hazo_get_auth utility for API routes
 // section: imports
 import { NextRequest } from "next/server";
-import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
-import { create_app_logger } from "../app_logger";
-import { get_filename, get_line_number } from "../utils/api_route_helpers";
+import { create_app_logger } from "../app_logger.js";
+import { get_filename, get_line_number } from "../utils/api_route_helpers.js";
 import type { HazoAuthResult, HazoAuthUser, HazoAuthOptions, ScopeAccessInfo } from "./auth_types";
-import { PermissionError, ScopeAccessError } from "./auth_types";
-import { get_auth_cache } from "./auth_cache";
-import { get_scope_cache, type UserScopeEntry } from "./scope_cache";
-import { get_rate_limiter } from "./auth_rate_limiter";
-import { get_auth_utility_config } from "../auth_utility_config.server";
-import { validate_session_token } from "../services/session_token_service";
-import { is_hrbac_enabled, get_scope_hierarchy_config } from "../scope_hierarchy_config.server";
-import { check_user_scope_access, get_user_scopes, type UserScope } from "../services/user_scope_service";
-import { is_valid_scope_level, type ScopeLevel } from "../services/scope_service";
+import { PermissionError, ScopeAccessError } from "./auth_types.js";
+import { get_auth_cache } from "./auth_cache.js";
+import { get_scope_cache, type UserScopeEntry } from "./scope_cache.js";
+import { get_rate_limiter } from "./auth_rate_limiter.js";
+import { get_auth_utility_config } from "../auth_utility_config.server.js";
+import { validate_session_token } from "../services/session_token_service.js";
+import { is_hrbac_enabled, get_scope_hierarchy_config } from "../scope_hierarchy_config.server.js";
+import { check_user_scope_access, get_user_scopes, type UserScope } from "../services/user_scope_service.js";
+import { is_valid_scope_level, type ScopeLevel } from "../services/scope_service.js";
+import { is_multi_tenancy_enabled, get_multi_tenancy_config } from "../multi_tenancy_config.server.js";
+import { get_org_cache, type OrgCacheEntry } from "./org_cache.js";
 
 // section: helpers
 
@@ -70,7 +72,7 @@ async function fetch_user_data_from_db(user_id: string): Promise<{
     throw new Error("User is inactive");
   }
 
-  // Build user object
+  // Build user object with base fields
   const user: HazoAuthUser = {
     id: user_db.id as string,
     name: (user_db.name as string | null) || null,
@@ -80,6 +82,75 @@ async function fetch_user_data_from_db(user_id: string): Promise<{
       (user_db.profile_picture_url as string | null) || null,
   };
 
+  // Fetch org info if multi-tenancy is enabled and user has org_id
+  if (is_multi_tenancy_enabled() && user_db.org_id) {
+    const mt_config = get_multi_tenancy_config();
+    const org_cache = get_org_cache(
+      mt_config.org_cache_max_entries,
+      mt_config.org_cache_ttl_minutes,
+    );
+
+    const user_org_id = user_db.org_id as string;
+
+    // Check org cache first
+    let cached_org = org_cache.get(user_org_id);
+
+    if (!cached_org) {
+      // Fetch org info from database
+      const org_service = createCrudService(hazoConnect, "hazo_org");
+      const orgs = await org_service.findBy({ id: user_org_id });
+
+      if (Array.isArray(orgs) && orgs.length > 0) {
+        const org = orgs[0];
+        const org_entry: OrgCacheEntry = {
+          org_id: org.id as string,
+          org_name: org.name as string,
+          parent_org_id: (org.parent_org_id as string | null) || null,
+          parent_org_name: null,
+          root_org_id: (org.root_org_id as string | null) || null,
+          root_org_name: null,
+        };
+
+        // Fetch parent org name if exists
+        if (org_entry.parent_org_id) {
+          const parent_orgs = await org_service.findBy({ id: org_entry.parent_org_id });
+          if (Array.isArray(parent_orgs) && parent_orgs.length > 0) {
+            org_entry.parent_org_name = parent_orgs[0].name as string;
+          }
+        }
+
+        // Fetch root org name if exists
+        if (org_entry.root_org_id) {
+          const root_orgs = await org_service.findBy({ id: org_entry.root_org_id });
+          if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+            org_entry.root_org_name = root_orgs[0].name as string;
+          }
+        } else if (user_db.root_org_id) {
+          // Fallback to user's root_org_id if org doesn't have one
+          const root_orgs = await org_service.findBy({ id: user_db.root_org_id });
+          if (Array.isArray(root_orgs) && root_orgs.length > 0) {
+            org_entry.root_org_id = root_orgs[0].id as string;
+            org_entry.root_org_name = root_orgs[0].name as string;
+          }
+        }
+
+        // Cache the org info
+        org_cache.set(user_org_id, org_entry);
+        cached_org = org_entry;
+      }
+    }
+
+    // Add org info to user object
+    if (cached_org) {
+      user.org_id = cached_org.org_id;
+      user.org_name = cached_org.org_name;
+      user.parent_org_id = cached_org.parent_org_id;
+      user.parent_org_name = cached_org.parent_org_name;
+      user.root_org_id = cached_org.root_org_id;
+      user.root_org_name = cached_org.root_org_name;
+    }
+  }
+
   // Fetch user roles
   const user_roles = await user_roles_service.findBy({ user_id });
   const role_ids: number[] = [];

package/cli-src/lib/auth/index.ts

@@ -3,21 +3,21 @@
 export * from "./auth_types";
 
 // section: server_exports
-export { hazo_get_auth } from "./hazo_get_auth.server";
+export { hazo_get_auth } from "./hazo_get_auth.server.js";
 export {
   get_authenticated_user,
   require_auth,
   is_authenticated,
-} from "./auth_utils.server";
+} from "./auth_utils.server.js";
 export type { AuthResult, AuthUser } from "./auth_utils.server";
 
 // section: client_exports
-export { get_server_auth_user } from "./server_auth";
+export { get_server_auth_user } from "./server_auth.js";
 export type { ServerAuthResult } from "./server_auth";
 
 // section: cache_exports
-export { get_auth_cache, reset_auth_cache } from "./auth_cache";
+export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
 
 // section: rate_limiter_exports
-export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter";
+export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";
 

package/cli-src/lib/auth/nextauth_config.ts

@@ -3,10 +3,10 @@
 import type { AuthOptions, Session } from "next-auth";
 import type { JWT } from "next-auth/jwt";
 import GoogleProvider from "next-auth/providers/google";
-import { get_oauth_config } from "../oauth_config.server";
-import { handle_google_oauth_login } from "../services/oauth_service";
-import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
-import { create_app_logger } from "../app_logger";
+import { get_oauth_config } from "../oauth_config.server.js";
+import { handle_google_oauth_login } from "../services/oauth_service.js";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { create_app_logger } from "../app_logger.js";
 
 // section: types
 export type NextAuthCallbackUser = {

package/cli-src/lib/auth/org_cache.ts

@@ -0,0 +1,148 @@
+// file_description: LRU cache implementation for organization lookups with TTL and size limits
+// section: types
+
+/**
+ * Cached organization info for hazo_get_auth
+ */
+export type OrgCacheEntry = {
+  org_id: string;
+  org_name: string;
+  parent_org_id: string | null;
+  parent_org_name: string | null;
+  root_org_id: string | null;
+  root_org_name: string | null;
+};
+
+/**
+ * Internal cache entry with metadata
+ */
+type CacheItem = {
+  entry: OrgCacheEntry;
+  timestamp: number; // Unix timestamp in milliseconds
+};
+
+/**
+ * LRU cache implementation for organization lookups
+ * Uses Map to maintain insertion order for LRU eviction
+ */
+class OrgCache {
+  private cache: Map<string, CacheItem>;
+  private max_size: number;
+  private ttl_ms: number;
+
+  constructor(max_size: number, ttl_minutes: number) {
+    this.cache = new Map();
+    this.max_size = max_size;
+    this.ttl_ms = ttl_minutes * 60 * 1000;
+  }
+
+  /**
+   * Gets a cache entry for an organization
+   * Returns undefined if not found or expired
+   * @param org_id - Organization ID to look up
+   * @returns Cache entry or undefined
+   */
+  get(org_id: string): OrgCacheEntry | undefined {
+    const item = this.cache.get(org_id);
+
+    if (!item) {
+      return undefined;
+    }
+
+    const now = Date.now();
+    const age = now - item.timestamp;
+
+    // Check if entry is expired (TTL)
+    if (age > this.ttl_ms) {
+      this.cache.delete(org_id);
+      return undefined;
+    }
+
+    // Move to end (most recently used)
+    this.cache.delete(org_id);
+    this.cache.set(org_id, item);
+
+    return item.entry;
+  }
+
+  /**
+   * Sets a cache entry for an organization
+   * Evicts least recently used entries if cache is full
+   * @param org_id - Organization ID
+   * @param entry - Organization cache entry
+   */
+  set(org_id: string, entry: OrgCacheEntry): void {
+    // Evict LRU entries if cache is full
+    while (this.cache.size >= this.max_size) {
+      const first_key = this.cache.keys().next().value;
+      if (first_key) {
+        this.cache.delete(first_key);
+      } else {
+        break;
+      }
+    }
+
+    const item: CacheItem = {
+      entry,
+      timestamp: Date.now(),
+    };
+
+    this.cache.set(org_id, item);
+  }
+
+  /**
+   * Invalidates cache for a specific organization
+   * @param org_id - Organization ID to invalidate
+   */
+  invalidate(org_id: string): void {
+    this.cache.delete(org_id);
+  }
+
+  /**
+   * Invalidates all cache entries
+   */
+  invalidate_all(): void {
+    this.cache.clear();
+  }
+
+  /**
+   * Gets cache statistics
+   * @returns Object with cache size and max size
+   */
+  get_stats(): {
+    size: number;
+    max_size: number;
+  } {
+    return {
+      size: this.cache.size,
+      max_size: this.max_size,
+    };
+  }
+}
+
+// section: singleton
+// Global org cache instance (initialized with defaults, will be configured on first use)
+let org_cache_instance: OrgCache | null = null;
+
+/**
+ * Gets or creates the global org cache instance
+ * @param max_size - Maximum cache size (default: 1000)
+ * @param ttl_minutes - TTL in minutes (default: 15)
+ * @returns Org cache instance
+ */
+export function get_org_cache(
+  max_size: number = 1000,
+  ttl_minutes: number = 15,
+): OrgCache {
+  if (!org_cache_instance) {
+    org_cache_instance = new OrgCache(max_size, ttl_minutes);
+  }
+  return org_cache_instance;
+}
+
+/**
+ * Resets the global org cache instance (useful for testing)
+ */
+export function reset_org_cache(): void {
+  org_cache_instance = null;
+}

package/cli-src/lib/auth/server_auth.ts

@@ -1,9 +1,9 @@
 // file_description: server-side auth utilities for server components and pages
 // section: imports
 import { cookies } from "next/headers";
-import { get_hazo_connect_instance } from "../hazo_connect_instance.server";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
-import { map_db_source_to_ui } from "../services/profile_picture_source_mapper";
+import { map_db_source_to_ui } from "../services/profile_picture_source_mapper.js";
 
 // section: types
 export type ServerAuthUser = {

package/cli-src/lib/auth/session_token_validator.edge.ts

@@ -89,3 +89,7 @@ export async function validate_session_cookie(
 
 
 
+
+
+
+

package/cli-src/lib/auth_utility_config.server.ts

@@ -5,7 +5,7 @@ import {
   get_config_number,
   get_config_boolean,
   get_config_array,
-} from "./config/config_loader.server";
+} from "./config/config_loader.server.js";
 
 // section: types
 

package/cli-src/lib/config/config_loader.server.ts

@@ -3,7 +3,7 @@
 import { HazoConfig } from "hazo_config/dist/lib";
 import path from "path";
 import fs from "fs";
-import { create_app_logger } from "../app_logger";
+import { create_app_logger } from "../app_logger.js";
 
 // section: constants
 const DEFAULT_CONFIG_FILE = "hazo_auth_config.ini";

package/cli-src/lib/config/default_config.ts

@@ -165,6 +165,48 @@ export const DEFAULT_OAUTH = {
   oauth_divider_text: "or continue with email",
 } as const;
 
+// section: multi_tenancy
+export const DEFAULT_MULTI_TENANCY = {
+  /** Enable multi-tenancy support (default: false) */
+  enable_multi_tenancy: false,
+  /** Cache TTL in minutes for org lookups (default: 15) */
+  org_cache_ttl_minutes: 15,
+  /** Maximum entries in org cache (default: 1000) */
+  org_cache_max_entries: 1000,
+  /** Default user limit per organization (0 = unlimited) */
+  default_user_limit: 0,
+} as const;
+
+// section: dev_lock
+export const DEFAULT_DEV_LOCK = {
+  /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */
+  enable: false,
+  /** Session duration in days */
+  session_duration_days: 7,
+  /** Background color (default: black) */
+  background_color: "#000000",
+  /** Logo image path (default: /logo.png in public folder) */
+  logo_path: "/logo.png",
+  /** Logo width in pixels */
+  logo_width: 120,
+  /** Logo height in pixels */
+  logo_height: 120,
+  /** Application name displayed below logo */
+  application_name: "",
+  /** Limited access text displayed with lock icon */
+  limited_access_text: "Limited Access",
+  /** Password input placeholder text */
+  password_placeholder: "Enter access password",
+  /** Submit button text */
+  submit_button_text: "Unlock",
+  /** Error message for incorrect password */
+  error_message: "Incorrect password",
+  /** Text color for labels (default: white) */
+  text_color: "#ffffff",
+  /** Accent color for button (default: blue) */
+  accent_color: "#3b82f6",
+} as const;
+
 // section: combined_defaults
 /**
  * All default configuration values combined in one object
@@ -190,6 +232,8 @@ export const HAZO_AUTH_DEFAULTS = {
   profilePicMenu: DEFAULT_PROFILE_PIC_MENU,
   apiPaths: DEFAULT_API_PATHS,
   oauth: DEFAULT_OAUTH,
+  devLock: DEFAULT_DEV_LOCK,
+  multiTenancy: DEFAULT_MULTI_TENANCY,
 } as const;
 
 // section: types