hazo_auth 5.1.29 → 5.1.31

package/README.md

@@ -1097,6 +1097,18 @@ enable_email_password = false
 show_create_account_link = false
 ```
 
+**Hide links by setting path/label to empty (v5.1.30+):**
+```ini
+[hazo_auth__login_layout]
+; Hide "Forgot password?" link
+forgot_password_path =
+forgot_password_label =
+
+; Hide "Create account" link (alternative to show_create_account_link = false)
+create_account_path =
+create_account_label =
+```
+
 **Disable Google OAuth (email/password only):**
 ```ini
 [hazo_auth__oauth]

package/cli-src/lib/config/config_loader.server.ts

@@ -82,6 +82,30 @@ export function get_config_value(
   return section[key].trim() || default_value;
 }
 
+/**
+ * Gets a single config value from a section, preserving empty strings.
+ * Unlike get_config_value, this returns "" when the INI key exists with an empty value,
+ * rather than falling back to the default. Useful for config keys where "" means
+ * "intentionally empty" (e.g., hiding a link by setting its path to empty).
+ * @param section_name - Name of the section
+ * @param key - Key name within the section
+ * @param default_value - Default value if key is not found in config
+ * @param file_path - Optional custom config file path
+ * @returns Config value as string, or "" if key exists but empty, or default_value if key missing
+ */
+export function get_config_value_allow_empty(
+  section_name: string,
+  key: string,
+  default_value: string,
+  file_path?: string,
+): string {
+  const section = read_config_section(section_name, file_path);
+  if (!section || section[key] === undefined) {
+    return default_value;
+  }
+  return section[key].trim();
+}
+
 /**
  * Gets a boolean config value from a section
  * @param section_name - Name of the section

package/cli-src/lib/login_config.server.ts

@@ -3,7 +3,7 @@
 import "server-only";
 
 // section: imports
-import { get_config_value } from "./config/config_loader.server.js";
+import { get_config_value, get_config_value_allow_empty } from "./config/config_loader.server.js";
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_oauth_config, type OAuthConfig } from "./oauth_config.server.js";
 
@@ -49,18 +49,19 @@ export function get_login_config(): LoginConfig {
   // Read success message (defaults to "Successfully logged in")
   const successMessage = get_config_value(section, "success_message", "Successfully logged in");
 
-  const forgotPasswordPath = get_config_value(
+  // Use allow_empty variant so that setting path/label to "" in config hides the link
+  const forgotPasswordPath = get_config_value_allow_empty(
     section,
     "forgot_password_path",
     "/hazo_auth/forgot_password"
   );
-  const forgotPasswordLabel = get_config_value(
+  const forgotPasswordLabel = get_config_value_allow_empty(
     section,
     "forgot_password_label",
     "Forgot password?"
   );
-  const createAccountPath = get_config_value(section, "create_account_path", "/hazo_auth/register");
-  const createAccountLabel = get_config_value(
+  const createAccountPath = get_config_value_allow_empty(section, "create_account_path", "/hazo_auth/register");
+  const createAccountLabel = get_config_value_allow_empty(
     section,
     "create_account_label",
     "Create account"

package/cli-src/lib/utils/get_origin_url.ts

@@ -0,0 +1,61 @@
+// file_description: Resolves the public-facing origin URL for constructing redirects
+// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
+// the internal address (e.g. http://localhost:3000). This utility returns the correct
+// public origin using NEXTAUTH_URL, falling back to request.url.
+
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export function get_origin_url(request_url: string): string {
+  // NEXTAUTH_URL is the standard for NextAuth.js apps
+  const nextauth_url = process.env.NEXTAUTH_URL;
+  if (nextauth_url) {
+    return nextauth_url.replace(/\/$/, "");
+  }
+
+  // APP_DOMAIN_NAME (with protocol handling)
+  const app_domain = process.env.APP_DOMAIN_NAME;
+  if (app_domain) {
+    const domain = app_domain.trim();
+    if (domain.startsWith("http://") || domain.startsWith("https://")) {
+      return domain.replace(/\/$/, "");
+    }
+    return `https://${domain}`;
+  }
+
+  // Other common env vars
+  const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
+  if (env_url) {
+    return env_url.replace(/\/$/, "");
+  }
+
+  // Fallback to request.url (works in development without a proxy)
+  try {
+    const url = new URL(request_url);
+    return url.origin;
+  } catch {
+    return request_url;
+  }
+}
+
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export function create_redirect_url(path: string, request_url: string): URL {
+  const origin = get_origin_url(request_url);
+  return new URL(path, origin);
+}

package/dist/components/layouts/login/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/login/index.tsx"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAWlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAG1E,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,OAAO,GAAG,OAAO,IAAI;IAChD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QACjE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;KAClE,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sDAAsD;IACtD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,OAAO,EAAE,EAC5C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,MAAM,EACN,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,oBAAmD,EACnD,qBAA0C,EAC1C,mBAA2C,EAC3C,oBAAuC,EACvC,wBAA+B,EAC/B,UAAU,EACV,KAAK,GACN,EAAE,gBAAgB,CAAC,OAAO,CAAC,2CAmO3B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/login/index.tsx"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAWlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAG1E,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,OAAO,GAAG,OAAO,IAAI;IAChD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QACjE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;KAClE,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sDAAsD;IACtD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,OAAO,EAAE,EAC5C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,MAAM,EACN,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,oBAAmD,EACnD,qBAA0C,EAC1C,mBAA2C,EAC3C,oBAAuC,EACvC,wBAA+B,EAC/B,UAAU,EACV,KAAK,GACN,EAAE,gBAAgB,CAAC,OAAO,CAAC,2CAuO3B"}

package/dist/components/layouts/login/index.js

@@ -79,5 +79,5 @@ export default function login_layout({ image_src, image_alt, image_background_co
     if (form.isSuccess) {
         return (_jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), _jsxs("div", { className: "cls_login_layout_success flex flex-col items-center justify-center gap-4 p-8 text-center", children: [_jsx(CheckCircle, { className: "cls_login_layout_success_icon h-16 w-16 text-green-600", "aria-hidden": "true" }), _jsx("p", { className: "cls_login_layout_success_message text-lg font-medium text-slate-900", children: successMessage })] })] }) }));
     }
-    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_login_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_login_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Login form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit login form", cancelAriaLabel: "Cancel login form" }), _jsxs("div", { className: "cls_login_layout_support_links flex flex-col gap-1 text-sm text-muted-foreground", children: [_jsx(Link, { href: forgot_password_path, className: "cls_login_layout_forgot_password_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to forgot password page", children: forgot_password_label }), show_create_account_link && (_jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }))] })] })), show_create_account_link && !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_support_links mt-4 text-center text-sm text-muted-foreground", children: _jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }) }))] }) }) }));
+    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_login_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_login_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Login form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit login form", cancelAriaLabel: "Cancel login form" }), ((forgot_password_path && forgot_password_label) || (show_create_account_link && create_account_path && create_account_label)) && (_jsxs("div", { className: "cls_login_layout_support_links flex flex-col gap-1 text-sm text-muted-foreground", children: [forgot_password_path && forgot_password_label && (_jsx(Link, { href: forgot_password_path, className: "cls_login_layout_forgot_password_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to forgot password page", children: forgot_password_label })), show_create_account_link && create_account_path && create_account_label && (_jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }))] }))] })), show_create_account_link && create_account_path && create_account_label && !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_support_links mt-4 text-center text-sm text-muted-foreground", children: _jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }) }))] }) }) }));
 }

package/dist/lib/config/config_loader.server.d.ts

@@ -15,6 +15,18 @@ export declare function read_config_section(section_name: string, file_path?: st
  * @returns Config value as string or default value
  */
 export declare function get_config_value(section_name: string, key: string, default_value: string, file_path?: string): string;
+/**
+ * Gets a single config value from a section, preserving empty strings.
+ * Unlike get_config_value, this returns "" when the INI key exists with an empty value,
+ * rather than falling back to the default. Useful for config keys where "" means
+ * "intentionally empty" (e.g., hiding a link by setting its path to empty).
+ * @param section_name - Name of the section
+ * @param key - Key name within the section
+ * @param default_value - Default value if key is not found in config
+ * @param file_path - Optional custom config file path
+ * @returns Config value as string, or "" if key exists but empty, or default_value if key missing
+ */
+export declare function get_config_value_allow_empty(section_name: string, key: string, default_value: string, file_path?: string): string;
 /**
  * Gets a boolean config value from a section
  * @param section_name - Name of the section

package/dist/lib/config/config_loader.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config_loader.server.d.ts","sourceRoot":"","sources":["../../../src/lib/config/config_loader.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAwBrB;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAwBpC;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAQR;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,OAAO,EACtB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAST;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAeR;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EAAE,EACvB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,EAAE,CAcV"}
+{"version":3,"file":"config_loader.server.d.ts","sourceRoot":"","sources":["../../../src/lib/config/config_loader.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAwBrB;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAwBpC;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAQR;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,4BAA4B,CAC1C,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAMR;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,OAAO,EACtB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAST;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CAeR;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,MAAM,EACX,aAAa,EAAE,MAAM,EAAE,EACvB,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,EAAE,CAcV"}

package/dist/lib/config/config_loader.server.js

@@ -67,6 +67,24 @@ export function get_config_value(section_name, key, default_value, file_path) {
     }
     return section[key].trim() || default_value;
 }
+/**
+ * Gets a single config value from a section, preserving empty strings.
+ * Unlike get_config_value, this returns "" when the INI key exists with an empty value,
+ * rather than falling back to the default. Useful for config keys where "" means
+ * "intentionally empty" (e.g., hiding a link by setting its path to empty).
+ * @param section_name - Name of the section
+ * @param key - Key name within the section
+ * @param default_value - Default value if key is not found in config
+ * @param file_path - Optional custom config file path
+ * @returns Config value as string, or "" if key exists but empty, or default_value if key missing
+ */
+export function get_config_value_allow_empty(section_name, key, default_value, file_path) {
+    const section = read_config_section(section_name, file_path);
+    if (!section || section[key] === undefined) {
+        return default_value;
+    }
+    return section[key].trim();
+}
 /**
  * Gets a boolean config value from a section
  * @param section_name - Name of the section

package/dist/lib/login_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAKrB,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAQ3E,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,OAAO,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAwE9C"}
+{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAKrB,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAQ3E,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,OAAO,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAyE9C"}

package/dist/lib/login_config.server.js

@@ -2,7 +2,7 @@
 // section: server-only-guard
 import "server-only";
 // section: imports
-import { get_config_value } from "./config/config_loader.server.js";
+import { get_config_value, get_config_value_allow_empty } from "./config/config_loader.server.js";
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_oauth_config } from "./oauth_config.server.js";
 // Default image path - consuming apps should either:
@@ -22,10 +22,11 @@ export function get_login_config() {
     const redirectRoute = redirectRouteValue || undefined;
     // Read success message (defaults to "Successfully logged in")
     const successMessage = get_config_value(section, "success_message", "Successfully logged in");
-    const forgotPasswordPath = get_config_value(section, "forgot_password_path", "/hazo_auth/forgot_password");
-    const forgotPasswordLabel = get_config_value(section, "forgot_password_label", "Forgot password?");
-    const createAccountPath = get_config_value(section, "create_account_path", "/hazo_auth/register");
-    const createAccountLabel = get_config_value(section, "create_account_label", "Create account");
+    // Use allow_empty variant so that setting path/label to "" in config hides the link
+    const forgotPasswordPath = get_config_value_allow_empty(section, "forgot_password_path", "/hazo_auth/forgot_password");
+    const forgotPasswordLabel = get_config_value_allow_empty(section, "forgot_password_label", "Forgot password?");
+    const createAccountPath = get_config_value_allow_empty(section, "create_account_path", "/hazo_auth/register");
+    const createAccountLabel = get_config_value_allow_empty(section, "create_account_label", "Create account");
     const showCreateAccountLink = get_config_value(section, "show_create_account_link", "true") === "true";
     // Get shared already logged in config
     const alreadyLoggedInConfig = get_already_logged_in_config();

package/dist/lib/utils/get_origin_url.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export declare function get_origin_url(request_url: string): string;
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export declare function create_redirect_url(path: string, request_url: string): URL;
+//# sourceMappingURL=get_origin_url.d.ts.map

package/dist/lib/utils/get_origin_url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_origin_url.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/get_origin_url.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CA8B1D;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,CAG1E"}

package/dist/lib/utils/get_origin_url.js

@@ -0,0 +1,57 @@
+// file_description: Resolves the public-facing origin URL for constructing redirects
+// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
+// the internal address (e.g. http://localhost:3000). This utility returns the correct
+// public origin using NEXTAUTH_URL, falling back to request.url.
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export function get_origin_url(request_url) {
+    // NEXTAUTH_URL is the standard for NextAuth.js apps
+    const nextauth_url = process.env.NEXTAUTH_URL;
+    if (nextauth_url) {
+        return nextauth_url.replace(/\/$/, "");
+    }
+    // APP_DOMAIN_NAME (with protocol handling)
+    const app_domain = process.env.APP_DOMAIN_NAME;
+    if (app_domain) {
+        const domain = app_domain.trim();
+        if (domain.startsWith("http://") || domain.startsWith("https://")) {
+            return domain.replace(/\/$/, "");
+        }
+        return `https://${domain}`;
+    }
+    // Other common env vars
+    const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
+    if (env_url) {
+        return env_url.replace(/\/$/, "");
+    }
+    // Fallback to request.url (works in development without a proxy)
+    try {
+        const url = new URL(request_url);
+        return url.origin;
+    }
+    catch (_a) {
+        return request_url;
+    }
+}
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export function create_redirect_url(path, request_url) {
+    const origin = get_origin_url(request_url);
+    return new URL(path, origin);
+}

package/dist/server/routes/oauth_google_callback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCAgJ7C"}
+{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCAgJ7C"}

package/dist/server/routes/oauth_google_callback.js

@@ -10,6 +10,7 @@ import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../li
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { get_post_login_redirect } from "../../lib/services/post_verification_service.js";
 import { get_oauth_config } from "../../lib/oauth_config.server.js";
+import { create_redirect_url } from "../../lib/utils/get_origin_url.js";
 // section: api_handler
 /**
  * Handles the OAuth callback after Google sign-in
@@ -36,7 +37,7 @@ export async function GET(request) {
                 note: "No NextAuth token found - user may not have completed Google sign-in",
             });
             // Redirect to login with error
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = create_redirect_url("/hazo_auth/login", request.url);
             login_url.searchParams.set("error", "oauth_failed");
             return NextResponse.redirect(login_url);
         }
@@ -49,7 +50,7 @@ export async function GET(request) {
                 has_hazo_user_id: !!token.hazo_user_id,
                 has_google_id: !!token.google_id,
             });
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = create_redirect_url("/hazo_auth/login", request.url);
             login_url.searchParams.set("error", "oauth_incomplete");
             return NextResponse.redirect(login_url);
         }
@@ -93,7 +94,7 @@ export async function GET(request) {
             invitation_table_error,
         });
         // Create redirect response
-        const redirect_url = new URL(determined_redirect, request.url);
+        const redirect_url = create_redirect_url(determined_redirect, request.url);
         const response = NextResponse.redirect(redirect_url);
         // Set authentication cookies (same as login route, with configurable prefix and domain)
         const base_cookie_options = {
@@ -133,7 +134,7 @@ export async function GET(request) {
             error_message,
             error_stack,
         });
-        const login_url = new URL("/hazo_auth/login", request.url);
+        const login_url = create_redirect_url("/hazo_auth/login", request.url);
         login_url.searchParams.set("error", "oauth_error");
         return NextResponse.redirect(login_url);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.29",
+  "version": "5.1.31",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",