hazo_auth 5.1.16 → 5.1.17

package/README.md

@@ -921,6 +921,19 @@ auto_link_unverified_accounts = true
 # Customize button text (optional)
 google_button_text = Continue with Google
 oauth_divider_text = or
+
+# Post-Login Redirect Configuration (v5.1.16+)
+# URL for users who need to create a firm (default: /hazo_auth/create_firm)
+# create_firm_url = /hazo_auth/create_firm
+
+# Default redirect after OAuth login for users with scopes (default: /)
+# default_redirect = /
+
+# Skip invitation table check (set true if not using invitations)
+# skip_invitation_check = false
+
+# Redirect when skip_invitation_check=true and user has no scope (default: /)
+# no_scope_redirect = /
 ```
 
 ### Step 5: Create NextAuth API Routes
@@ -1034,6 +1047,13 @@ Google OAuth adds one new dependency:
 - Verify `/api/hazo_auth/oauth/google/callback` route exists
 - Check server logs for errors during session creation
 
+**404 after Google OAuth login (v5.1.16+ fix):**
+- If users get 404 after Google OAuth, the `hazo_invitations` table may be missing
+- **Option 1:** Run migration `009_scope_consolidation.sql` to create the table
+- **Option 2:** Set `skip_invitation_check = true` in `[hazo_auth__oauth]` if not using invitations
+- Check logs for `invitation_table_missing` warnings
+- If using custom paths, set `create_firm_url` to your app's create firm page URL
+
 ---
 
 ## Using Components

package/SETUP_CHECKLIST.md

@@ -723,6 +723,19 @@ auto_link_unverified_accounts = true
 # Customize button text (optional)
 google_button_text = Continue with Google
 oauth_divider_text = or
+
+# Post-Login Redirect Configuration (v5.1.16+)
+# URL for users who need to create a firm (default: /hazo_auth/create_firm)
+# create_firm_url = /hazo_auth/create_firm
+
+# Default redirect after OAuth login for users with scopes (default: /)
+# default_redirect = /
+
+# Skip invitation table check (set true if not using invitations)
+# skip_invitation_check = false
+
+# Redirect when skip_invitation_check=true and user has no scope (default: /)
+# no_scope_redirect = /
 ```
 
 **Configuration Options:**
@@ -785,6 +798,7 @@ ls app/api/hazo_auth/set_password/route.ts
 - [ ] OAuth migration applied (google_id and auth_providers columns added)
 - [ ] `[hazo_auth__oauth]` section configured in `hazo_auth_config.ini`
 - [ ] OAuth API routes created (`[...nextauth]`, `oauth/google/callback`, `set_password`)
+- [ ] Post-login redirect configured (if not using invitations, set `skip_invitation_check = true`)
 
 ---
 
@@ -1957,6 +1971,31 @@ curl -H "Cookie: hazo_auth_session=YOUR_TOKEN; hazo_auth_scope_id=SCOPE_UUID" \
 2. Check cookies are being set (inspect browser devtools > Application > Cookies)
 3. Ensure API routes are on same domain (no CORS issues)
 
+### Issue: 404 after Google OAuth login
+
+**Symptoms:** User completes Google sign-in but gets redirected to 404 page (typically `/hazo_auth/create_firm`).
+
+**Solutions:**
+1. **If not using invitations system:** Set `skip_invitation_check = true` in `[hazo_auth__oauth]`:
+   ```ini
+   [hazo_auth__oauth]
+   skip_invitation_check = true
+   no_scope_redirect = /
+   ```
+
+2. **If using invitations system:** Run the migration to create `hazo_invitations` table:
+   ```bash
+   npm run migrate migrations/009_scope_consolidation.sql
+   ```
+
+3. **If using custom paths:** Set `create_firm_url` to your app's create firm page:
+   ```ini
+   [hazo_auth__oauth]
+   create_firm_url = /my-app/create-organization
+   ```
+
+4. **Check logs** for `invitation_table_missing` warnings - this indicates the table doesn't exist
+
 ### Issue: Navbar logo or company name not showing
 
 **Symptoms:** Navbar appears but logo and/or company name are missing.

package/cli-src/lib/config/default_config.ts

@@ -165,6 +165,14 @@ export const DEFAULT_OAUTH = {
   google_button_text: "Continue with Google",
   /** Text displayed on the divider between OAuth and email/password form */
   oauth_divider_text: "or continue with email",
+  /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+  create_firm_url: "/hazo_auth/create_firm",
+  /** Default redirect after OAuth login for users with scopes */
+  default_redirect: "/",
+  /** Skip invitation table check (set true if not using invitations) */
+  skip_invitation_check: false,
+  /** Redirect when skip_invitation_check=true and user has no scope */
+  no_scope_redirect: "/",
 } as const;
 
 // section: navbar

package/cli-src/lib/oauth_config.server.ts

@@ -15,6 +15,14 @@ export type OAuthConfig = {
   google_button_text: string;
   /** Text displayed on the divider between OAuth and email/password form */
   oauth_divider_text: string;
+  /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+  create_firm_url: string;
+  /** Default redirect after OAuth login for users with scopes */
+  default_redirect: string;
+  /** Skip invitation table check (set true if not using invitations) */
+  skip_invitation_check: boolean;
+  /** Redirect when skip_invitation_check=true and user has no scope */
+  no_scope_redirect: string;
 };
 
 // section: constants
@@ -57,12 +65,40 @@ export function get_oauth_config(): OAuthConfig {
     DEFAULT_OAUTH.oauth_divider_text
   );
 
+  const create_firm_url = get_config_value(
+    SECTION_NAME,
+    "create_firm_url",
+    DEFAULT_OAUTH.create_firm_url
+  );
+
+  const default_redirect = get_config_value(
+    SECTION_NAME,
+    "default_redirect",
+    DEFAULT_OAUTH.default_redirect
+  );
+
+  const skip_invitation_check = get_config_boolean(
+    SECTION_NAME,
+    "skip_invitation_check",
+    DEFAULT_OAUTH.skip_invitation_check
+  );
+
+  const no_scope_redirect = get_config_value(
+    SECTION_NAME,
+    "no_scope_redirect",
+    DEFAULT_OAUTH.no_scope_redirect
+  );
+
   return {
     enable_google,
     enable_email_password,
     auto_link_unverified_accounts,
     google_button_text,
     oauth_divider_text,
+    create_firm_url,
+    default_redirect,
+    skip_invitation_check,
+    no_scope_redirect,
   };
 }
 

package/cli-src/lib/services/invitation_service.ts

@@ -29,6 +29,8 @@ export type InvitationServiceResult = {
   invitation?: InvitationRecord;
   invitations?: InvitationRecord[];
   error?: string;
+  /** Set to true when the hazo_invitations table doesn't exist */
+  table_missing?: boolean;
 };
 
 export type CreateInvitationData = {
@@ -172,6 +174,33 @@ export async function get_pending_invitation_by_email(
     };
   } catch (error) {
     const logger = create_app_logger();
+
+    // Check if the error indicates the table doesn't exist
+    const error_string = error instanceof Error ? error.message : String(error);
+    const is_table_missing =
+      // SQLite: "no such table: hazo_invitations"
+      error_string.toLowerCase().includes("no such table") ||
+      // PostgreSQL: 'relation "hazo_invitations" does not exist'
+      (error_string.toLowerCase().includes("relation") && error_string.toLowerCase().includes("does not exist")) ||
+      // PostgREST: 404 response for missing table
+      (error_string.includes("404") && error_string.includes("hazo_invitations"));
+
+    if (is_table_missing) {
+      logger.warn("invitation_table_missing", {
+        filename: "invitation_service.ts",
+        line_number: 0,
+        operation: "get_pending_invitation_by_email",
+        email_address,
+        note: "hazo_invitations table does not exist - run migration or set skip_invitation_check=true",
+      });
+
+      return {
+        success: false,
+        error: "Invitation table not found",
+        table_missing: true,
+      };
+    }
+
     const error_message = sanitize_error_for_user(error, {
       logToConsole: true,
       logToLogger: true,

package/cli-src/lib/services/post_verification_service.ts

@@ -27,6 +27,28 @@ export type PostVerificationOptions = {
   create_firm_url?: string; // Default: "/hazo_auth/create_firm"
 };
 
+export type PostLoginRedirectOptions = {
+  /** Default redirect for users with scopes (default: "/") */
+  default_redirect?: string;
+  /** URL for users who need to create a firm (default: "/hazo_auth/create_firm") */
+  create_firm_url?: string;
+  /** Skip invitation table check (set true if not using invitations) */
+  skip_invitation_check?: boolean;
+  /** Redirect when skip_invitation_check=true and user has no scope */
+  no_scope_redirect?: string;
+};
+
+export type PostLoginRedirectResult = {
+  /** The URL to redirect the user to */
+  redirect_url: string;
+  /** True if user needs onboarding (no scope, create firm, etc.) */
+  needs_onboarding: boolean;
+  /** True if invitation check was skipped due to config */
+  invitation_check_skipped?: boolean;
+  /** True if invitation table query failed (table missing) */
+  invitation_table_error?: boolean;
+};
+
 // section: constants
 
 const DEFAULT_REDIRECT_URL = "/";
@@ -181,36 +203,71 @@ export async function needs_onboarding(
 
 /**
  * Gets the appropriate redirect URL for a user after login
- * Takes into account scope status and url_on_logon
+ * Takes into account scope status, invitations, and url_on_logon
+ *
+ * @param adapter - HazoConnect adapter
+ * @param user_id - User ID
+ * @param user_email - User email (for invitation lookup)
+ * @param options - Configuration options (or string for backwards compatibility)
  */
 export async function get_post_login_redirect(
   adapter: HazoConnectAdapter,
   user_id: string,
   user_email: string,
-  default_redirect: string = DEFAULT_REDIRECT_URL,
-): Promise<{ redirect_url: string; needs_onboarding: boolean }> {
+  options?: PostLoginRedirectOptions | string,
+): Promise<PostLoginRedirectResult> {
+  // Handle backwards compatibility: if options is a string, treat it as default_redirect
+  const opts: PostLoginRedirectOptions = typeof options === "string"
+    ? { default_redirect: options }
+    : options || {};
+
+  const default_redirect = opts.default_redirect || DEFAULT_REDIRECT_URL;
+  const create_firm_url = opts.create_firm_url || CREATE_FIRM_URL;
+  const skip_invitation_check = opts.skip_invitation_check || false;
+  const no_scope_redirect = opts.no_scope_redirect || DEFAULT_REDIRECT_URL;
+
   try {
     // Check if user has scope
     const has_scope = await user_has_any_scope(adapter, user_id);
 
     if (!has_scope) {
+      // User has no scope - check invitations (unless skipped)
+      if (skip_invitation_check) {
+        // Invitation check skipped via config - redirect to no_scope_redirect
+        return {
+          redirect_url: no_scope_redirect,
+          needs_onboarding: true,
+          invitation_check_skipped: true,
+        };
+      }
+
       // Check for invitation
       const invitation_result = await get_pending_invitation_by_email(
         adapter,
         user_email,
       );
 
+      // Check if invitation table is missing
+      if (invitation_result.table_missing) {
+        // Table doesn't exist - redirect to create_firm_url but flag the error
+        return {
+          redirect_url: create_firm_url,
+          needs_onboarding: true,
+          invitation_table_error: true,
+        };
+      }
+
       if (invitation_result.success && invitation_result.invitation) {
         // Has invitation - they need to complete the flow
         return {
-          redirect_url: CREATE_FIRM_URL,
+          redirect_url: create_firm_url,
           needs_onboarding: true,
         };
       }
 
       // No scope, no invitation - needs to create firm
       return {
-        redirect_url: CREATE_FIRM_URL,
+        redirect_url: create_firm_url,
         needs_onboarding: true,
       };
     }

package/config/hazo_auth_config.ini

@@ -158,6 +158,20 @@ auto_link_unverified_accounts = true
 # Text displayed on the divider between OAuth and email/password form
 # oauth_divider_text = or continue with email
 
+# Post-Login Redirect Configuration
+# URL for users who need to create a firm/organization (default: /hazo_auth/create_firm)
+# create_firm_url = /hazo_auth/create_firm
+
+# Default redirect after OAuth login for users with scopes (default: /)
+# default_redirect = /
+
+# Skip invitation table check (set true if not using invitations)
+# When enabled, users without scopes will redirect to no_scope_redirect instead of checking invitations
+# skip_invitation_check = false
+
+# Redirect when skip_invitation_check=true and user has no scope (default: /)
+# no_scope_redirect = /
+
 [hazo_auth__login_layout]
 # Image configuration
 # If image_src is commented out or empty, the default image from package assets will be used

package/dist/lib/config/default_config.d.ts

@@ -124,6 +124,14 @@ export declare const DEFAULT_OAUTH: {
     readonly google_button_text: "Continue with Google";
     /** Text displayed on the divider between OAuth and email/password form */
     readonly oauth_divider_text: "or continue with email";
+    /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+    readonly create_firm_url: "/hazo_auth/create_firm";
+    /** Default redirect after OAuth login for users with scopes */
+    readonly default_redirect: "/";
+    /** Skip invitation table check (set true if not using invitations) */
+    readonly skip_invitation_check: false;
+    /** Redirect when skip_invitation_check=true and user has no scope */
+    readonly no_scope_redirect: "/";
 };
 export declare const DEFAULT_NAVBAR: {
     /** Enable navbar on auth pages */
@@ -314,6 +322,14 @@ export declare const HAZO_AUTH_DEFAULTS: {
         readonly google_button_text: "Continue with Google";
         /** Text displayed on the divider between OAuth and email/password form */
         readonly oauth_divider_text: "or continue with email";
+        /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+        readonly create_firm_url: "/hazo_auth/create_firm";
+        /** Default redirect after OAuth login for users with scopes */
+        readonly default_redirect: "/";
+        /** Skip invitation table check (set true if not using invitations) */
+        readonly skip_invitation_check: false;
+        /** Redirect when skip_invitation_check=true and user has no scope */
+        readonly no_scope_redirect: "/";
     };
     readonly devLock: {
         /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */

package/dist/lib/config/default_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;IAK1D,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;CAElE,CAAC;AAGX,eAAO,MAAM,cAAc;IACzB,kCAAkC;;IAElC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,sDAAsD;;IAEtD,qBAAqB;;IAErB,sBAAsB;;IAEtB,qBAAqB;;IAErB,4DAA4D;;IAE5D,0CAA0C;;IAE1C,kEAAkE;;CAE1D,CAAC;AAGX,eAAO,MAAM,kBAAkB;IAC7B,iDAAiD;;IAEjD,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,gBAAgB;IAC3B,4FAA4F;;IAE5F,+BAA+B;;IAE/B,wCAAwC;;IAExC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,4CAA4C;;IAE5C,mDAAmD;;IAEnD,sCAAsC;;IAEtC,yBAAyB;;IAEzB,2CAA2C;;IAE3C,6CAA6C;;IAE7C,8CAA8C;;CAEtC,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA3KD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;QAK1D,2DAA2D;;;;;;;;;;;;;;;;QAsB3D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;;;QAwC1E,4FAA4F;;QAE5F,+BAA+B;;QAE/B,wCAAwC;;QAExC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,4CAA4C;;QAE5C,mDAAmD;;QAEnD,sCAAsC;;QAEtC,yBAAyB;;QAEzB,2CAA2C;;QAE3C,6CAA6C;;QAE7C,8CAA8C;;;;QA1D9C,kCAAkC;;QAElC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,sDAAsD;;QAEtD,qBAAqB;;QAErB,sBAAsB;;QAEtB,qBAAqB;;QAErB,4DAA4D;;QAE5D,0CAA0C;;QAE1C,kEAAkE;;;;QAMlE,iDAAiD;;QAEjD,2DAA2D;;;CA8DnD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}
+{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;IAK1D,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;IAE1E,gFAAgF;;IAEhF,+DAA+D;;IAE/D,sEAAsE;;IAEtE,qEAAqE;;CAE7D,CAAC;AAGX,eAAO,MAAM,cAAc;IACzB,kCAAkC;;IAElC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,sDAAsD;;IAEtD,qBAAqB;;IAErB,sBAAsB;;IAEtB,qBAAqB;;IAErB,4DAA4D;;IAE5D,0CAA0C;;IAE1C,kEAAkE;;CAE1D,CAAC;AAGX,eAAO,MAAM,kBAAkB;IAC7B,iDAAiD;;IAEjD,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,gBAAgB;IAC3B,4FAA4F;;IAE5F,+BAA+B;;IAE/B,wCAAwC;;IAExC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,4CAA4C;;IAE5C,mDAAmD;;IAEnD,sCAAsC;;IAEtC,yBAAyB;;IAEzB,2CAA2C;;IAE3C,6CAA6C;;IAE7C,8CAA8C;;CAEtC,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAnLD,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;QAK1D,2DAA2D;;;;;;;;;;;;;;;;QAsB3D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;QAE1E,gFAAgF;;QAEhF,+DAA+D;;QAE/D,sEAAsE;;QAEtE,qEAAqE;;;;QAwCrE,4FAA4F;;QAE5F,+BAA+B;;QAE/B,wCAAwC;;QAExC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,4CAA4C;;QAE5C,mDAAmD;;QAEnD,sCAAsC;;QAEtC,yBAAyB;;QAEzB,2CAA2C;;QAE3C,6CAA6C;;QAE7C,8CAA8C;;;;QA1D9C,kCAAkC;;QAElC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,sDAAsD;;QAEtD,qBAAqB;;QAErB,sBAAsB;;QAEtB,qBAAqB;;QAErB,4DAA4D;;QAE5D,0CAA0C;;QAE1C,kEAAkE;;;;QAMlE,iDAAiD;;QAEjD,2DAA2D;;;CA8DnD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}

package/dist/lib/config/default_config.js

@@ -146,6 +146,14 @@ export const DEFAULT_OAUTH = {
     google_button_text: "Continue with Google",
     /** Text displayed on the divider between OAuth and email/password form */
     oauth_divider_text: "or continue with email",
+    /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+    create_firm_url: "/hazo_auth/create_firm",
+    /** Default redirect after OAuth login for users with scopes */
+    default_redirect: "/",
+    /** Skip invitation table check (set true if not using invitations) */
+    skip_invitation_check: false,
+    /** Redirect when skip_invitation_check=true and user has no scope */
+    no_scope_redirect: "/",
 };
 // section: navbar
 export const DEFAULT_NAVBAR = {

package/dist/lib/oauth_config.server.d.ts

@@ -9,6 +9,14 @@ export type OAuthConfig = {
     google_button_text: string;
     /** Text displayed on the divider between OAuth and email/password form */
     oauth_divider_text: string;
+    /** URL for users who need to create a firm (default: /hazo_auth/create_firm) */
+    create_firm_url: string;
+    /** Default redirect after OAuth login for users with scopes */
+    default_redirect: string;
+    /** Skip invitation table check (set true if not using invitations) */
+    skip_invitation_check: boolean;
+    /** Redirect when skip_invitation_check=true and user has no scope */
+    no_scope_redirect: string;
 };
 /**
  * Reads OAuth configuration from hazo_auth_config.ini file

package/dist/lib/oauth_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/oauth_config.server.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,WAAW,GAAG;IACxB,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,4EAA4E;IAC5E,6BAA6B,EAAE,OAAO,CAAC;IACvC,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAsC9C;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,OAAO,CAEjD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAMnD"}
+{"version":3,"file":"oauth_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/oauth_config.server.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,WAAW,GAAG;IACxB,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,4EAA4E;IAC5E,6BAA6B,EAAE,OAAO,CAAC;IACvC,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,eAAe,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,qBAAqB,EAAE,OAAO,CAAC;IAC/B,qEAAqE;IACrE,iBAAiB,EAAE,MAAM,CAAC;CAC3B,CAAC;AAMF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAkE9C;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,OAAO,CAEjD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAMnD"}

package/dist/lib/oauth_config.server.js

@@ -16,12 +16,20 @@ export function get_oauth_config() {
     const auto_link_unverified_accounts = get_config_boolean(SECTION_NAME, "auto_link_unverified_accounts", DEFAULT_OAUTH.auto_link_unverified_accounts);
     const google_button_text = get_config_value(SECTION_NAME, "google_button_text", DEFAULT_OAUTH.google_button_text);
     const oauth_divider_text = get_config_value(SECTION_NAME, "oauth_divider_text", DEFAULT_OAUTH.oauth_divider_text);
+    const create_firm_url = get_config_value(SECTION_NAME, "create_firm_url", DEFAULT_OAUTH.create_firm_url);
+    const default_redirect = get_config_value(SECTION_NAME, "default_redirect", DEFAULT_OAUTH.default_redirect);
+    const skip_invitation_check = get_config_boolean(SECTION_NAME, "skip_invitation_check", DEFAULT_OAUTH.skip_invitation_check);
+    const no_scope_redirect = get_config_value(SECTION_NAME, "no_scope_redirect", DEFAULT_OAUTH.no_scope_redirect);
     return {
         enable_google,
         enable_email_password,
         auto_link_unverified_accounts,
         google_button_text,
         oauth_divider_text,
+        create_firm_url,
+        default_redirect,
+        skip_invitation_check,
+        no_scope_redirect,
     };
 }
 /**

package/dist/lib/services/invitation_service.d.ts

@@ -17,6 +17,8 @@ export type InvitationServiceResult = {
     invitation?: InvitationRecord;
     invitations?: InvitationRecord[];
     error?: string;
+    /** Set to true when the hazo_invitations table doesn't exist */
+    table_missing?: boolean;
 };
 export type CreateInvitationData = {
     email_address: string;

package/dist/lib/services/invitation_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"invitation_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/invitation_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE9E,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AASF;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,uBAAuB,CAAC,CAyElC;AAED;;;GAGG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CAuDlC;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CAmClC;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,uBAAuB,CAAC,CA8FlC;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CA0DlC;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,uBAAuB,CAAC,CAoClC;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,kBAAkB,EAC3B,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,uBAAuB,CAAC,CAmClC;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0CvE"}
+{"version":3,"file":"invitation_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/invitation_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE9E,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AASF;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,uBAAuB,CAAC,CAyElC;AAED;;;GAGG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CAkFlC;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CAmClC;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,uBAAuB,CAAC,CA8FlC;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,uBAAuB,CAAC,CA0DlC;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,uBAAuB,CAAC,CAoClC;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,kBAAkB,EAC3B,MAAM,CAAC,EAAE,gBAAgB,GACxB,OAAO,CAAC,uBAAuB,CAAC,CAmClC;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0CvE"}

package/dist/lib/services/invitation_service.js

@@ -112,6 +112,29 @@ export async function get_pending_invitation_by_email(adapter, email_address) {
     }
     catch (error) {
         const logger = create_app_logger();
+        // Check if the error indicates the table doesn't exist
+        const error_string = error instanceof Error ? error.message : String(error);
+        const is_table_missing = 
+        // SQLite: "no such table: hazo_invitations"
+        error_string.toLowerCase().includes("no such table") ||
+            // PostgreSQL: 'relation "hazo_invitations" does not exist'
+            (error_string.toLowerCase().includes("relation") && error_string.toLowerCase().includes("does not exist")) ||
+            // PostgREST: 404 response for missing table
+            (error_string.includes("404") && error_string.includes("hazo_invitations"));
+        if (is_table_missing) {
+            logger.warn("invitation_table_missing", {
+                filename: "invitation_service.ts",
+                line_number: 0,
+                operation: "get_pending_invitation_by_email",
+                email_address,
+                note: "hazo_invitations table does not exist - run migration or set skip_invitation_check=true",
+            });
+            return {
+                success: false,
+                error: "Invitation table not found",
+                table_missing: true,
+            };
+        }
         const error_message = sanitize_error_for_user(error, {
             logToConsole: true,
             logToLogger: true,

package/dist/lib/services/post_verification_service.d.ts

@@ -11,6 +11,26 @@ export type PostVerificationOptions = {
     default_redirect_url?: string;
     create_firm_url?: string;
 };
+export type PostLoginRedirectOptions = {
+    /** Default redirect for users with scopes (default: "/") */
+    default_redirect?: string;
+    /** URL for users who need to create a firm (default: "/hazo_auth/create_firm") */
+    create_firm_url?: string;
+    /** Skip invitation table check (set true if not using invitations) */
+    skip_invitation_check?: boolean;
+    /** Redirect when skip_invitation_check=true and user has no scope */
+    no_scope_redirect?: string;
+};
+export type PostLoginRedirectResult = {
+    /** The URL to redirect the user to */
+    redirect_url: string;
+    /** True if user needs onboarding (no scope, create firm, etc.) */
+    needs_onboarding: boolean;
+    /** True if invitation check was skipped due to config */
+    invitation_check_skipped?: boolean;
+    /** True if invitation table query failed (table missing) */
+    invitation_table_error?: boolean;
+};
 /**
  * Handles the post-email-verification flow
  *
@@ -36,10 +56,12 @@ export declare function handle_post_verification(adapter: HazoConnectAdapter, us
 export declare function needs_onboarding(adapter: HazoConnectAdapter, user_id: string): Promise<boolean>;
 /**
  * Gets the appropriate redirect URL for a user after login
- * Takes into account scope status and url_on_logon
+ * Takes into account scope status, invitations, and url_on_logon
+ *
+ * @param adapter - HazoConnect adapter
+ * @param user_id - User ID
+ * @param user_email - User email (for invitation lookup)
+ * @param options - Configuration options (or string for backwards compatibility)
  */
-export declare function get_post_login_redirect(adapter: HazoConnectAdapter, user_id: string, user_email: string, default_redirect?: string): Promise<{
-    redirect_url: string;
-    needs_onboarding: boolean;
-}>;
+export declare function get_post_login_redirect(adapter: HazoConnectAdapter, user_id: string, user_email: string, options?: PostLoginRedirectOptions | string): Promise<PostLoginRedirectResult>;
 //# sourceMappingURL=post_verification_service.d.ts.map

package/dist/lib/services/post_verification_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"post_verification_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/post_verification_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAYvD,MAAM,MAAM,sBAAsB,GAAG,UAAU,GAAG,aAAa,CAAC;AAEhE,MAAM,MAAM,sBAAsB,GAAG;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,sBAAsB,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AA8BF;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,uBAAuB,GAChC,OAAO,CAAC,sBAAsB,CAAC,CAqFjC;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,gBAAgB,GAAE,MAA6B,GAC9C,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,OAAO,CAAA;CAAE,CAAC,CAwC9D"}
+{"version":3,"file":"post_verification_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/post_verification_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAYvD,MAAM,MAAM,sBAAsB,GAAG,UAAU,GAAG,aAAa,CAAC;AAEhE,MAAM,MAAM,sBAAsB,GAAG;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,sBAAsB,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,4DAA4D;IAC5D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kFAAkF;IAClF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,qEAAqE;IACrE,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,yDAAyD;IACzD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,4DAA4D;IAC5D,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC,CAAC;AA8BF;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,uBAAuB,GAChC,OAAO,CAAC,sBAAsB,CAAC,CAqFjC;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,wBAAwB,GAAG,MAAM,GAC1C,OAAO,CAAC,uBAAuB,CAAC,CAsElC"}

package/dist/lib/services/post_verification_service.js

@@ -126,25 +126,56 @@ export async function needs_onboarding(adapter, user_id) {
 }
 /**
  * Gets the appropriate redirect URL for a user after login
- * Takes into account scope status and url_on_logon
+ * Takes into account scope status, invitations, and url_on_logon
+ *
+ * @param adapter - HazoConnect adapter
+ * @param user_id - User ID
+ * @param user_email - User email (for invitation lookup)
+ * @param options - Configuration options (or string for backwards compatibility)
  */
-export async function get_post_login_redirect(adapter, user_id, user_email, default_redirect = DEFAULT_REDIRECT_URL) {
+export async function get_post_login_redirect(adapter, user_id, user_email, options) {
+    // Handle backwards compatibility: if options is a string, treat it as default_redirect
+    const opts = typeof options === "string"
+        ? { default_redirect: options }
+        : options || {};
+    const default_redirect = opts.default_redirect || DEFAULT_REDIRECT_URL;
+    const create_firm_url = opts.create_firm_url || CREATE_FIRM_URL;
+    const skip_invitation_check = opts.skip_invitation_check || false;
+    const no_scope_redirect = opts.no_scope_redirect || DEFAULT_REDIRECT_URL;
     try {
         // Check if user has scope
         const has_scope = await user_has_any_scope(adapter, user_id);
         if (!has_scope) {
+            // User has no scope - check invitations (unless skipped)
+            if (skip_invitation_check) {
+                // Invitation check skipped via config - redirect to no_scope_redirect
+                return {
+                    redirect_url: no_scope_redirect,
+                    needs_onboarding: true,
+                    invitation_check_skipped: true,
+                };
+            }
             // Check for invitation
             const invitation_result = await get_pending_invitation_by_email(adapter, user_email);
+            // Check if invitation table is missing
+            if (invitation_result.table_missing) {
+                // Table doesn't exist - redirect to create_firm_url but flag the error
+                return {
+                    redirect_url: create_firm_url,
+                    needs_onboarding: true,
+                    invitation_table_error: true,
+                };
+            }
             if (invitation_result.success && invitation_result.invitation) {
                 // Has invitation - they need to complete the flow
                 return {
-                    redirect_url: CREATE_FIRM_URL,
+                    redirect_url: create_firm_url,
                     needs_onboarding: true,
                 };
             }
             // No scope, no invitation - needs to create firm
             return {
-                redirect_url: CREATE_FIRM_URL,
+                redirect_url: create_firm_url,
                 needs_onboarding: true,
             };
         }

package/dist/server/routes/oauth_google_callback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAsBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCA8H7C"}
+{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCAgJ7C"}

package/dist/server/routes/oauth_google_callback.js

@@ -9,6 +9,7 @@ import { get_login_config } from "../../lib/login_config.server.js";
 import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../lib/cookies_config.server.js";
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { get_post_login_redirect } from "../../lib/services/post_verification_service.js";
+import { get_oauth_config } from "../../lib/oauth_config.server.js";
 // section: api_handler
 /**
  * Handles the OAuth callback after Google sign-in
@@ -62,10 +63,25 @@ export async function GET(request) {
         });
         // Get redirect URL based on user's scope/invitation status
         const loginConfig = get_login_config();
-        const default_redirect = loginConfig.redirectRoute || "/";
+        const oauthConfig = get_oauth_config();
         // Check if user needs onboarding (no scope, no invitation = create firm)
         const hazoConnect = get_hazo_connect_instance();
-        const { redirect_url: determined_redirect, needs_onboarding } = await get_post_login_redirect(hazoConnect, user_id, email, default_redirect);
+        const { redirect_url: determined_redirect, needs_onboarding, invitation_check_skipped, invitation_table_error, } = await get_post_login_redirect(hazoConnect, user_id, email, {
+            default_redirect: oauthConfig.default_redirect || loginConfig.redirectRoute || "/",
+            create_firm_url: oauthConfig.create_firm_url,
+            skip_invitation_check: oauthConfig.skip_invitation_check,
+            no_scope_redirect: oauthConfig.no_scope_redirect,
+        });
+        // Log warning if invitation table is missing
+        if (invitation_table_error) {
+            logger.warn("invitation_table_missing", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                email,
+                note: "hazo_invitations table does not exist - run migration or set skip_invitation_check=true in [hazo_auth__oauth]",
+            });
+        }
         logger.info("google_callback_post_login_redirect", {
             filename: get_filename(),
             line_number: get_line_number(),
@@ -73,6 +89,8 @@ export async function GET(request) {
             email,
             redirect_url: determined_redirect,
             needs_onboarding,
+            invitation_check_skipped,
+            invitation_table_error,
         });
         // Create redirect response
         const redirect_url = new URL(determined_redirect, request.url);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.16",
+  "version": "5.1.17",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",