hazo_auth 5.1.12 → 5.1.14

package/cli-src/cli/generate.ts

@@ -59,6 +59,11 @@ const ROUTES: RouteDefinition[] = [
   { name: "user_management_users_roles", path: "api/hazo_auth/user_management/users/roles", method: "GET", export_name: "userManagementUsersRolesGET" },
   { name: "user_management_users_roles_post", path: "api/hazo_auth/user_management/users/roles", method: "POST", export_name: "userManagementUsersRolesPOST" },
   { name: "user_management_users_roles_put", path: "api/hazo_auth/user_management/users/roles", method: "PUT", export_name: "userManagementUsersRolesPUT" },
+  // OAuth routes
+  { name: "nextauth", path: "api/auth/[...nextauth]", method: "GET", export_name: "nextauthGET" },
+  { name: "nextauth_post", path: "api/auth/[...nextauth]", method: "POST", export_name: "nextauthPOST" },
+  { name: "oauth_google_callback", path: "api/hazo_auth/oauth/google/callback", method: "GET", export_name: "oauthGoogleCallbackGET" },
+  { name: "set_password", path: "api/hazo_auth/set_password", method: "POST", export_name: "setPasswordPOST" },
 ];
 
 const PAGES: PageDefinition[] = [

package/cli-src/lib/auth/auth_types.ts

@@ -167,6 +167,8 @@ export type TenantAuthResult =
       permission_ok: boolean;
       missing_permissions?: string[];
       organization: TenantOrganization | null;
+      /** Shorthand for organization?.id - commonly used for DB query filters */
+      organization_id: string | null;
       user_scopes: ScopeDetails[];
       scope_ok?: boolean;
       scope_access_via?: ScopeAccessInfo;
@@ -177,6 +179,8 @@ export type TenantAuthResult =
       permissions: [];
       permission_ok: false;
       organization: null;
+      /** Shorthand for organization?.id - commonly used for DB query filters */
+      organization_id: null;
       user_scopes: [];
       scope_ok?: false;
     };

package/cli-src/lib/auth/hazo_get_tenant_auth.server.ts

@@ -134,6 +134,7 @@ export async function hazo_get_tenant_auth(
       permissions: [],
       permission_ok: false,
       organization: null,
+      organization_id: null,
       user_scopes: [],
       scope_ok: false,
     };
@@ -197,6 +198,7 @@ export async function hazo_get_tenant_auth(
     permission_ok: auth_result.permission_ok,
     missing_permissions: auth_result.missing_permissions,
     organization,
+    organization_id: organization?.id || null,
     user_scopes,
     scope_ok: auth_result.scope_ok,
     scope_access_via: auth_result.scope_access_via,

package/dist/cli/generate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generate.d.ts","sourceRoot":"","sources":["../../src/cli/generate.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AA4LF,wBAAgB,eAAe,CAAC,OAAO,GAAE,eAAoB,GAAG,IAAI,CA8DnE"}
+{"version":3,"file":"generate.d.ts","sourceRoot":"","sources":["../../src/cli/generate.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAiMF,wBAAgB,eAAe,CAAC,OAAO,GAAE,eAAoB,GAAG,IAAI,CA8DnE"}

package/dist/cli/generate.js

@@ -36,6 +36,11 @@ const ROUTES = [
     { name: "user_management_users_roles", path: "api/hazo_auth/user_management/users/roles", method: "GET", export_name: "userManagementUsersRolesGET" },
     { name: "user_management_users_roles_post", path: "api/hazo_auth/user_management/users/roles", method: "POST", export_name: "userManagementUsersRolesPOST" },
     { name: "user_management_users_roles_put", path: "api/hazo_auth/user_management/users/roles", method: "PUT", export_name: "userManagementUsersRolesPUT" },
+    // OAuth routes
+    { name: "nextauth", path: "api/auth/[...nextauth]", method: "GET", export_name: "nextauthGET" },
+    { name: "nextauth_post", path: "api/auth/[...nextauth]", method: "POST", export_name: "nextauthPOST" },
+    { name: "oauth_google_callback", path: "api/hazo_auth/oauth/google/callback", method: "GET", export_name: "oauthGoogleCallbackGET" },
+    { name: "set_password", path: "api/hazo_auth/set_password", method: "POST", export_name: "setPasswordPOST" },
 ];
 const PAGES = [
     { name: "login", path: "hazo_auth/login", component_name: "LoginPage", import_path: "hazo_auth/pages/login" },

package/dist/lib/auth/auth_types.d.ts

@@ -144,6 +144,8 @@ export type TenantAuthResult = {
     permission_ok: boolean;
     missing_permissions?: string[];
     organization: TenantOrganization | null;
+    /** Shorthand for organization?.id - commonly used for DB query filters */
+    organization_id: string | null;
     user_scopes: ScopeDetails[];
     scope_ok?: boolean;
     scope_access_via?: ScopeAccessInfo;
@@ -153,6 +155,8 @@ export type TenantAuthResult = {
     permissions: [];
     permission_ok: false;
     organization: null;
+    /** Shorthand for organization?.id - commonly used for DB query filters */
+    organization_id: null;
     user_scopes: [];
     scope_ok?: false;
 };

package/dist/lib/auth/auth_types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;IAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJ7C,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA,EAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;gBAD7D,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAKvE;AAID;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAEhB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,CAAC;CACH,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,eAAe,GAAG;IAChD;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GACxB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACxC,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,YAAY,EAAE,IAAI,CAAC;IACnB,WAAW,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,gBAAgB,GAAG;IACxD,aAAa,EAAE,IAAI,CAAC;IACpB,YAAY,EAAE,kBAAkB,CAAC;CAClC,CAAC;AAIF;;;GAGG;AACH,qBAAa,aAAc,SAAQ,KAAK;aAGpB,IAAI,EAAE,MAAM;aACZ,WAAW,EAAE,MAAM;gBAFnC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM;CAKtC;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,aAAa;gBAChD,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;aAGlC,WAAW,EAAE,YAAY,EAAE;gBAD3C,OAAO,GAAE,MAAkC,EAC3B,WAAW,GAAE,YAAY,EAAO;CAKnD;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,aAAa;aAEtC,QAAQ,EAAE,MAAM;aAChB,WAAW,EAAE,YAAY,EAAE;gBAD3B,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,YAAY,EAAO;CAKnD"}
+{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;IAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJ7C,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA,EAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;gBAD7D,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAKvE;AAID;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAEhB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,CAAC;CACH,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,eAAe,GAAG;IAChD;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GACxB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACxC,0EAA0E;IAC1E,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,YAAY,EAAE,IAAI,CAAC;IACnB,0EAA0E;IAC1E,eAAe,EAAE,IAAI,CAAC;IACtB,WAAW,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,gBAAgB,GAAG;IACxD,aAAa,EAAE,IAAI,CAAC;IACpB,YAAY,EAAE,kBAAkB,CAAC;CAClC,CAAC;AAIF;;;GAGG;AACH,qBAAa,aAAc,SAAQ,KAAK;aAGpB,IAAI,EAAE,MAAM;aACZ,WAAW,EAAE,MAAM;gBAFnC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM;CAKtC;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,aAAa;gBAChD,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;aAGlC,WAAW,EAAE,YAAY,EAAE;gBAD3C,OAAO,GAAE,MAAkC,EAC3B,WAAW,GAAE,YAAY,EAAO;CAKnD;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,aAAa;aAEtC,QAAQ,EAAE,MAAM;aAChB,WAAW,EAAE,YAAY,EAAE;gBAD3B,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,YAAY,EAAO;CAKnD"}

package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAwF3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}
+{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0F3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}

package/dist/lib/auth/hazo_get_tenant_auth.server.js

@@ -96,6 +96,7 @@ export async function hazo_get_tenant_auth(request, options = {}) {
             permissions: [],
             permission_ok: false,
             organization: null,
+            organization_id: null,
             user_scopes: [],
             scope_ok: false,
         };
@@ -145,6 +146,7 @@ export async function hazo_get_tenant_auth(request, options = {}) {
         permission_ok: auth_result.permission_ok,
         missing_permissions: auth_result.missing_permissions,
         organization,
+        organization_id: (organization === null || organization === void 0 ? void 0 : organization.id) || null,
         user_scopes,
         scope_ok: auth_result.scope_ok,
         scope_access_via: auth_result.scope_access_via,

package/dist/server/routes/index.d.ts

@@ -24,4 +24,7 @@ export { GET as appUserDataGET, PATCH as appUserDataPATCH, PUT as appUserDataPUT
 export { GET as appUserDataSchemaGET } from "./app_user_data_schema.js";
 export { GET as invitationsGET, POST as invitationsPOST, PATCH as invitationsPATCH, DELETE as invitationsDELETE } from "./invitations.js";
 export { POST as createFirmPOST } from "./create_firm.js";
+export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
+export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { POST as setPasswordPOST } from "./set_password.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/server/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGzE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAG1E,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACnF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAGjF,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAGpE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAC/I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,kCAAkC,CAAC;AAC9M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAC3I,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAGhK,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1I,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAGxE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAG1I,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGzE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAG1E,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACnF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAGjF,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAGpE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAC/I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,kCAAkC,CAAC;AAC9M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAC3I,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAGhK,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1I,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAGxE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAG1I,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAG1D,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAC3E,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/server/routes/index.js

@@ -35,3 +35,7 @@ export { GET as appUserDataSchemaGET } from "./app_user_data_schema.js";
 export { GET as invitationsGET, POST as invitationsPOST, PATCH as invitationsPATCH, DELETE as invitationsDELETE } from "./invitations.js";
 // Create firm routes (for new users creating their firm)
 export { POST as createFirmPOST } from "./create_firm.js";
+// OAuth routes
+export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
+export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { POST as setPasswordPOST } from "./set_password.js";

package/dist/server/routes/nextauth.d.ts

@@ -0,0 +1,9 @@
+type NextAuthContext = {
+    params: Promise<{
+        nextauth: string[];
+    }>;
+};
+export declare function GET(request: Request, context: NextAuthContext): Promise<any>;
+export declare function POST(request: Request, context: NextAuthContext): Promise<any>;
+export {};
+//# sourceMappingURL=nextauth.d.ts.map

package/dist/server/routes/nextauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextauth.d.ts","sourceRoot":"","sources":["../../../src/server/routes/nextauth.ts"],"names":[],"mappings":"AAMA,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CACzC,CAAC;AA8BF,wBAAsB,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,gBAGnE;AAED,wBAAsB,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,gBAGpE"}

package/dist/server/routes/nextauth.js

@@ -0,0 +1,36 @@
+// file_description: NextAuth.js route handler for OAuth authentication (for re-export by consuming apps)
+// section: imports
+import NextAuth from "next-auth";
+import { get_nextauth_config } from "../../lib/auth/nextauth_config.js";
+// section: handler
+// Get config lazily to ensure environment variables are available
+function getHandler() {
+    var _a;
+    const config = get_nextauth_config();
+    // Debug logging (remove in production)
+    if (process.env.NODE_ENV === "development") {
+        console.log("[NextAuth] Creating handler with providers:", ((_a = config.providers) === null || _a === void 0 ? void 0 : _a.length) || 0);
+        console.log("[NextAuth] Google Client ID set:", !!process.env.HAZO_AUTH_GOOGLE_CLIENT_ID);
+        console.log("[NextAuth] Google Client Secret set:", !!process.env.HAZO_AUTH_GOOGLE_CLIENT_SECRET);
+        console.log("[NextAuth] NEXTAUTH_SECRET set:", !!process.env.NEXTAUTH_SECRET);
+        console.log("[NextAuth] NEXTAUTH_URL:", process.env.NEXTAUTH_URL);
+    }
+    return NextAuth(config);
+}
+// Create handler lazily
+let cachedHandler = null;
+function getOrCreateHandler() {
+    if (!cachedHandler) {
+        cachedHandler = getHandler();
+    }
+    return cachedHandler;
+}
+// section: exports
+export async function GET(request, context) {
+    const handler = getOrCreateHandler();
+    return handler(request, context);
+}
+export async function POST(request, context) {
+    const handler = getOrCreateHandler();
+    return handler(request, context);
+}

package/dist/server/routes/oauth_google_callback.d.ts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from "next/server";
+/**
+ * Handles the OAuth callback after Google sign-in
+ * The user creation/linking is done in NextAuth signIn callback
+ * This route just sets the hazo_auth session cookies
+ */
+export declare function GET(request: NextRequest): Promise<NextResponse<unknown>>;
+//# sourceMappingURL=oauth_google_callback.d.ts.map

package/dist/server/routes/oauth_google_callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAsBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCA8H7C"}

package/dist/server/routes/oauth_google_callback.js

@@ -0,0 +1,122 @@
+// file_description: Custom OAuth callback handler that creates hazo_auth session after Google sign-in
+// section: imports
+import { NextResponse } from "next/server";
+import { getToken } from "next-auth/jwt";
+import { create_app_logger } from "../../lib/app_logger.js";
+import { create_session_token } from "../../lib/services/session_token_service.js";
+import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
+import { get_login_config } from "../../lib/login_config.server.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../lib/cookies_config.server.js";
+import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
+import { get_post_login_redirect } from "../../lib/services/post_verification_service.js";
+// section: api_handler
+/**
+ * Handles the OAuth callback after Google sign-in
+ * The user creation/linking is done in NextAuth signIn callback
+ * This route just sets the hazo_auth session cookies
+ */
+export async function GET(request) {
+    const logger = create_app_logger();
+    try {
+        // Get the NextAuth token from the session
+        const token = (await getToken({ req: request }));
+        logger.debug("google_callback_token_received", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            has_token: !!token,
+            has_email: !!(token === null || token === void 0 ? void 0 : token.email),
+            has_hazo_user_id: !!(token === null || token === void 0 ? void 0 : token.hazo_user_id),
+            has_google_id: !!(token === null || token === void 0 ? void 0 : token.google_id),
+        });
+        if (!token) {
+            logger.warn("google_callback_no_token", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                note: "No NextAuth token found - user may not have completed Google sign-in",
+            });
+            // Redirect to login with error
+            const login_url = new URL("/hazo_auth/login", request.url);
+            login_url.searchParams.set("error", "oauth_failed");
+            return NextResponse.redirect(login_url);
+        }
+        // Validate we have the required data
+        if (!token.email || !token.hazo_user_id) {
+            logger.warn("google_callback_missing_data", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                has_email: !!token.email,
+                has_hazo_user_id: !!token.hazo_user_id,
+                has_google_id: !!token.google_id,
+            });
+            const login_url = new URL("/hazo_auth/login", request.url);
+            login_url.searchParams.set("error", "oauth_incomplete");
+            return NextResponse.redirect(login_url);
+        }
+        const user_id = token.hazo_user_id;
+        const email = token.email;
+        logger.info("google_callback_success", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+        });
+        // Get redirect URL based on user's scope/invitation status
+        const loginConfig = get_login_config();
+        const default_redirect = loginConfig.redirectRoute || "/";
+        // Check if user needs onboarding (no scope, no invitation = create firm)
+        const hazoConnect = get_hazo_connect_instance();
+        const { redirect_url: determined_redirect, needs_onboarding } = await get_post_login_redirect(hazoConnect, user_id, email, default_redirect);
+        logger.info("google_callback_post_login_redirect", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+            redirect_url: determined_redirect,
+            needs_onboarding,
+        });
+        // Create redirect response
+        const redirect_url = new URL(determined_redirect, request.url);
+        const response = NextResponse.redirect(redirect_url);
+        // Set authentication cookies (same as login route, with configurable prefix and domain)
+        const base_cookie_options = {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === "production",
+            sameSite: "lax",
+            path: "/",
+            maxAge: 60 * 60 * 24 * 30, // 30 days
+        };
+        const cookie_options = get_cookie_options(base_cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), email, cookie_options);
+        // Create and set JWT session token
+        try {
+            const session_token = await create_session_token(user_id, email);
+            response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), session_token, cookie_options);
+        }
+        catch (token_error) {
+            const token_error_message = token_error instanceof Error ? token_error.message : "Unknown error";
+            logger.warn("google_callback_session_token_creation_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                email,
+                error: token_error_message,
+                note: "OAuth login succeeded but session token creation failed - using legacy cookies",
+            });
+        }
+        return response;
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        const error_stack = error instanceof Error ? error.stack : undefined;
+        logger.error("google_callback_error", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error_message,
+            error_stack,
+        });
+        const login_url = new URL("/hazo_auth/login", request.url);
+        login_url.searchParams.set("error", "oauth_error");
+        return NextResponse.redirect(login_url);
+    }
+}

package/dist/server/routes/set_password.d.ts

@@ -0,0 +1,13 @@
+import { NextRequest, NextResponse } from "next/server";
+/**
+ * POST /api/hazo_auth/set_password
+ * Allows OAuth-only users (e.g., Google sign-in users) to set a password
+ * This enables them to use email/password login in addition to OAuth
+ */
+export declare function POST(request: NextRequest): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    success: boolean;
+    message: string;
+}>>;
+//# sourceMappingURL=set_password.d.ts.map

package/dist/server/routes/set_password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set_password.d.ts","sourceRoot":"","sources":["../../../src/server/routes/set_password.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAYxD;;;;GAIG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;IA4G9C"}

package/dist/server/routes/set_password.js

@@ -0,0 +1,88 @@
+// file_description: API route for setting password for OAuth-only users
+// section: imports
+import { NextResponse } from "next/server";
+import argon2 from "argon2";
+import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
+import { create_app_logger } from "../../lib/app_logger.js";
+import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
+import { user_has_password, set_user_password } from "../../lib/services/oauth_service.js";
+import { get_password_requirements_config } from "../../lib/password_requirements_config.server.js";
+import { validate_password } from "../../lib/utils/password_validator.js";
+import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
+import { get_auth_cache } from "../../lib/auth/auth_cache.js";
+// section: api_handler
+/**
+ * POST /api/hazo_auth/set_password
+ * Allows OAuth-only users (e.g., Google sign-in users) to set a password
+ * This enables them to use email/password login in addition to OAuth
+ */
+export async function POST(request) {
+    const logger = create_app_logger();
+    try {
+        // Require authentication using hazo_get_auth
+        const auth_result = await hazo_get_auth(request);
+        if (!auth_result.authenticated) {
+            return NextResponse.json({ error: "Authentication required" }, { status: 401 });
+        }
+        const user_id = auth_result.user.id;
+        // Parse request body
+        const body = await request.json();
+        const { new_password } = body;
+        // Validate input
+        if (!new_password) {
+            return NextResponse.json({ error: "New password is required" }, { status: 400 });
+        }
+        // Get hazo_connect instance
+        const hazoConnect = get_hazo_connect_instance();
+        // Check if user already has a password set
+        const has_password = await user_has_password(hazoConnect, user_id);
+        if (has_password) {
+            return NextResponse.json({
+                error: "Password already set. Use Change Password instead.",
+                has_password: true,
+            }, { status: 400 });
+        }
+        // Validate password against requirements
+        const password_config = get_password_requirements_config();
+        const validation_result = validate_password(new_password, password_config);
+        if (!validation_result.valid) {
+            return NextResponse.json({ error: validation_result.errors.join(". ") }, { status: 400 });
+        }
+        // Hash the new password
+        const password_hash = await argon2.hash(new_password);
+        // Set the password
+        const result = await set_user_password(hazoConnect, user_id, password_hash);
+        if (!result.success) {
+            logger.error("set_password_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                error: result.error,
+            });
+            return NextResponse.json({ error: result.error || "Failed to set password" }, { status: 500 });
+        }
+        // Invalidate auth cache for this user
+        const auth_cache = get_auth_cache();
+        auth_cache.invalidate_user(user_id);
+        logger.info("set_password_success", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+        });
+        return NextResponse.json({
+            success: true,
+            message: "Password set successfully. You can now sign in with email and password.",
+        }, { status: 200 });
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        const error_stack = error instanceof Error ? error.stack : undefined;
+        logger.error("set_password_error", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error_message,
+            error_stack,
+        });
+        return NextResponse.json({ error: "Failed to set password. Please try again." }, { status: 500 });
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.12",
+  "version": "5.1.14",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",