hazo_auth 5.1.40 → 5.3.0

package/cli-src/lib/services/email_template_manifest.ts

@@ -0,0 +1,104 @@
+// file_description: manifest of system email templates shipped by hazo_auth
+// section: server_only_guard
+import "server-only";
+
+// section: imports
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+import type { SystemTemplateManifest } from "hazo_notify/template_manager";
+
+// section: constants
+const TEMPLATE_DIR = path.resolve(
+  path.dirname(fileURLToPath(import.meta.url)),
+  "email_templates"
+);
+
+const SYSTEM_CATEGORY = "Auth";
+
+// section: helpers
+function read_template(template_name: string, extension: "html" | "txt"): string {
+  const file_path = path.join(TEMPLATE_DIR, `${template_name}.${extension}`);
+  return fs.readFileSync(file_path, "utf-8");
+}
+
+// section: manifest
+/**
+ * System email templates shipped by hazo_auth.
+ *
+ * Consumers feed this into `init_template_manager({ manifests: [...hazo_auth_template_manifest] })`
+ * at boot. hazo_notify seeds/syncs the templates into its scope-aware database.
+ * Per-scope overrides are managed through the hazo_notify admin UI.
+ */
+export const hazo_auth_template_manifest: SystemTemplateManifest[] = [
+  {
+    template_name: "email_verification",
+    template_label: "Email verification",
+    category: SYSTEM_CATEGORY,
+    html: read_template("email_verification", "html"),
+    text: read_template("email_verification", "txt"),
+    variables: [
+      {
+        variable_name: "user_name",
+        variable_description: "Recipient display name",
+        default_value: "",
+      },
+      {
+        variable_name: "user_email",
+        variable_description: "Recipient email",
+      },
+      {
+        variable_name: "verification_url",
+        variable_description: "Verification link with embedded token",
+      },
+      {
+        variable_name: "token",
+        variable_description: "Raw verification token",
+      },
+    ],
+  },
+  {
+    template_name: "forgot_password",
+    template_label: "Forgot password",
+    category: SYSTEM_CATEGORY,
+    html: read_template("forgot_password", "html"),
+    text: read_template("forgot_password", "txt"),
+    variables: [
+      {
+        variable_name: "user_name",
+        variable_description: "Recipient display name",
+        default_value: "",
+      },
+      {
+        variable_name: "user_email",
+        variable_description: "Recipient email",
+      },
+      {
+        variable_name: "reset_url",
+        variable_description: "Password reset link",
+      },
+      {
+        variable_name: "token",
+        variable_description: "Raw reset token",
+      },
+    ],
+  },
+  {
+    template_name: "password_changed",
+    template_label: "Password changed",
+    category: SYSTEM_CATEGORY,
+    html: read_template("password_changed", "html"),
+    text: read_template("password_changed", "txt"),
+    variables: [
+      {
+        variable_name: "user_name",
+        variable_description: "Recipient display name",
+        default_value: "",
+      },
+      {
+        variable_name: "user_email",
+        variable_description: "Recipient email",
+      },
+    ],
+  },
+];

package/cli-src/lib/services/email_templates/email_verification.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Verify Your Email</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <h1 style="color: #0f172a;">Verify Your Email Address</h1>
+  <p>Thank you for registering! Please click the link below to verify your email address:</p>
+  <p style="margin: 20px 0;">
+    <a href="{{verification_url}}" style="display: inline-block; padding: 12px 24px; background-color: #0f172a; color: #ffffff; text-decoration: none; border-radius: 4px;">Verify Email Address</a>
+  </p>
+  <p>Or copy and paste this link into your browser:</p>
+  <p style="word-break: break-all; color: #666;">{{verification_url}}</p>
+  <p>This link will expire in 48 hours.</p>
+  <p style="margin-top: 30px; color: #666; font-size: 12px;">If you didn't create an account, you can safely ignore this email.</p>
+</body>
+</html>

package/cli-src/lib/services/email_templates/email_verification.txt

@@ -0,0 +1,9 @@
+Verify Your Email Address
+
+Thank you for registering! Please click the link below to verify your email address:
+
+{{verification_url}}
+
+This link will expire in 48 hours.
+
+If you didn't create an account, you can safely ignore this email.

package/cli-src/lib/services/email_templates/forgot_password.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Reset Your Password</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <h1 style="color: #0f172a;">Reset Your Password</h1>
+  <p>We received a request to reset your password. Click the link below to reset it:</p>
+  <p style="margin: 20px 0;">
+    <a href="{{reset_url}}" style="display: inline-block; padding: 12px 24px; background-color: #0f172a; color: #ffffff; text-decoration: none; border-radius: 4px;">Reset Password</a>
+  </p>
+  <p>Or copy and paste this link into your browser:</p>
+  <p style="word-break: break-all; color: #666;">{{reset_url}}</p>
+  <p>This link will expire in 10 minutes.</p>
+  <p style="margin-top: 30px; color: #666; font-size: 12px;">If you didn't request a password reset, you can safely ignore this email.</p>
+</body>
+</html>

package/cli-src/lib/services/email_templates/forgot_password.txt

@@ -0,0 +1,9 @@
+Reset Your Password
+
+We received a request to reset your password. Click the link below to reset it:
+
+{{reset_url}}
+
+This link will expire in 10 minutes.
+
+If you didn't request a password reset, you can safely ignore this email.

package/cli-src/lib/services/email_templates/password_changed.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Password Changed</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <h1 style="color: #0f172a;">Password Changed Successfully</h1>
+  <p>Hello {{user_name}},</p>
+  <p>This email confirms that your password has been changed successfully.</p>
+  <p>If you did not make this change, please contact support immediately to secure your account.</p>
+  <p style="margin-top: 30px; color: #666; font-size: 12px;">This is an automated notification. Please do not reply to this email.</p>
+</body>
+</html>

package/cli-src/lib/services/email_templates/password_changed.txt

@@ -0,0 +1,9 @@
+Password Changed Successfully
+
+Hello {{user_name}},
+
+This email confirms that your password has been changed successfully.
+
+If you did not make this change, please contact support immediately to secure your account.
+
+This is an automated notification. Please do not reply to this email.

package/cli-src/lib/services/session_token_service.ts

@@ -89,7 +89,7 @@ export async function create_session_token(
       .setExpirationTime(exp)
       .sign(secret);
     
-    logger.info("session_token_created", {
+    logger.debug("session_token_created", {
       filename: get_filename(),
       line_number: get_line_number(),
       user_id,
@@ -148,7 +148,7 @@ export async function validate_session_token(
       return { valid: false };
     }
     
-    logger.info("session_token_validated", {
+    logger.debug("session_token_validated", {
       filename: get_filename(),
       line_number: get_line_number(),
       user_id,

package/cli-src/lib/ui_shell_config.server.ts

@@ -55,15 +55,19 @@ export function get_ui_shell_config(): UiShellConfig {
     "standalone_content_class",
     "cls_standalone_shell_content w-full max-w-5xl shadow-xl rounded-2xl border bg-card"
   );
+  // Default to false: the package-default copy ("Welcome to hazo auth" /
+  // "Reuse the packaged authentication flows...") is dev/test placeholder
+  // text, not production-suitable. Consumers who want their own heading set
+  // standalone_heading + standalone_show_heading=true explicitly.
   const standalone_show_heading = get_config_value(
     section,
     "standalone_show_heading",
-    "true"
+    "false"
   ).toLowerCase() === "true";
   const standalone_show_description = get_config_value(
     section,
     "standalone_show_description",
-    "true"
+    "false"
   ).toLowerCase() === "true";
 
   const vertical_center = get_config_value(

package/dist/components/layouts/login/index.d.ts

@@ -12,8 +12,10 @@ export type OAuthLayoutConfig = {
     oauth_divider_text: string;
 };
 export type LoginLayoutProps<TClient = unknown> = {
-    image_src: string | StaticImageData;
-    image_alt: string;
+    /** Image source for the visual panel. Required when `layout` is `"two_column"` (the default); ignored when `"form_only"`. */
+    image_src?: string | StaticImageData;
+    /** Image alt text. Required when `layout` is `"two_column"` (the default); ignored when `"form_only"`. */
+    image_alt?: string;
     image_background_color?: string;
     field_overrides?: LayoutFieldMapOverrides;
     labels?: LayoutLabelOverrides;
@@ -41,6 +43,17 @@ export type LoginLayoutProps<TClient = unknown> = {
     urlOnLogon?: string;
     /** OAuth configuration */
     oauth?: OAuthLayoutConfig;
+    /**
+     * Layout mode (default: `"two_column"`).
+     * - `"two_column"` — renders the form inside the package's TwoColumnAuthLayout
+     *   with an image visual on the left. Backwards-compatible default.
+     * - `"form_only"` — renders just the form content (header, OAuth button,
+     *   divider, fields, action buttons, support links). For consumers who want
+     *   to wrap the form in their own brand chrome. The "already logged in"
+     *   guard is also skipped in this mode — handle that UX yourself if needed
+     *   (e.g. via `use_auth_status` from `hazo_auth/components/layouts/shared`).
+     */
+    layout?: "two_column" | "form_only";
 };
-export default function login_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, data_client, logger, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgot_password_path, forgot_password_label, create_account_path, create_account_label, show_create_account_link, urlOnLogon, oauth, }: LoginLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
+export default function login_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, data_client, logger, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgot_password_path, forgot_password_label, create_account_path, create_account_label, show_create_account_link, urlOnLogon, oauth, layout, }: LoginLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/login/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/login/index.tsx"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAWlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAG1E,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,OAAO,GAAG,OAAO,IAAI;IAChD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QACjE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;KAClE,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sDAAsD;IACtD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,OAAO,EAAE,EAC5C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,MAAM,EACN,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,oBAAmD,EACnD,qBAA0C,EAC1C,mBAA2C,EAC3C,oBAAuC,EACvC,wBAA+B,EAC/B,UAAU,EACV,KAAK,GACN,EAAE,gBAAgB,CAAC,OAAO,CAAC,2CAuO3B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/login/index.tsx"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAWlD,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EAC1B,MAAM,uCAAuC,CAAC;AAW/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAG1E,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,gBAAgB,CAAC,OAAO,GAAG,OAAO,IAAI;IAChD,6HAA6H;IAC7H,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IACrC,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QACjE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;QAChE,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;KAClE,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sDAAsD;IACtD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B;;;;;;;;;OASG;IACH,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAUF,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,OAAO,EAAE,EAC5C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,WAAW,EACX,MAAM,EACN,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,oBAAmD,EACnD,qBAA0C,EAC1C,mBAA2C,EAC3C,oBAAuC,EACvC,wBAA+B,EAC/B,UAAU,EACV,KAAK,EACL,MAAqB,GACtB,EAAE,gBAAgB,CAAC,OAAO,CAAC,2CAqQ3B"}

package/dist/components/layouts/login/index.js

@@ -22,7 +22,8 @@ const ORDERED_FIELDS = [
     LOGIN_FIELD_IDS.PASSWORD,
 ];
 // section: component
-export default function login_layout({ image_src, image_alt, image_background_color = "#f1f5f9", field_overrides, labels, button_colors, data_client, logger, redirectRoute, successMessage = "Successfully logged in", alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", forgot_password_path = "/hazo_auth/forgot_password", forgot_password_label = "Forgot password?", create_account_path = "/hazo_auth/register", create_account_label = "Create account", show_create_account_link = true, urlOnLogon, oauth, }) {
+export default function login_layout({ image_src, image_alt, image_background_color = "#f1f5f9", field_overrides, labels, button_colors, data_client, logger, redirectRoute, successMessage = "Successfully logged in", alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", forgot_password_path = "/hazo_auth/forgot_password", forgot_password_label = "Forgot password?", create_account_path = "/hazo_auth/register", create_account_label = "Create account", show_create_account_link = true, urlOnLogon, oauth, layout = "two_column", }) {
+    var _a;
     // Default OAuth config: both enabled
     const oauthConfig = oauth || {
         enable_google: true,
@@ -33,6 +34,21 @@ export default function login_layout({ image_src, image_alt, image_background_co
     // Read OAuth error from URL query params (e.g., ?error=AccessDenied)
     const searchParams = useSearchParams();
     const oauthError = searchParams.get("error");
+    // Read post-auth redirect target from `?redirect=`. Used by both:
+    //   - Email/password form: `redirectRoute` prop falls back to this when the
+    //     parent didn't supply one.
+    //   - Google OAuth: appended to the GoogleSignInButton callback URL as
+    //     `?next=` so the OAuth callback handler can override its
+    //     default_redirect with the per-request value.
+    // Validation: must be a same-origin path (starts with `/`, not `//`, no
+    // protocol). Anything else is dropped — prevents open-redirect attacks
+    // via crafted invite links.
+    const rawRedirect = searchParams.get("redirect");
+    const safeRedirect = isSafeRedirectPath(rawRedirect) ? rawRedirect : null;
+    const oauthCallbackUrl = safeRedirect
+        ? `/api/hazo_auth/oauth/google/callback?next=${encodeURIComponent(safeRedirect)}`
+        : "/api/hazo_auth/oauth/google/callback";
+    const effectiveRedirectRoute = (_a = redirectRoute !== null && redirectRoute !== void 0 ? redirectRoute : safeRedirect) !== null && _a !== void 0 ? _a : undefined;
     const getOAuthErrorMessage = (error) => {
         switch (error) {
             case "AccessDenied":
@@ -51,7 +67,7 @@ export default function login_layout({ image_src, image_alt, image_background_co
     const form = use_login_form({
         dataClient: data_client,
         logger,
-        redirectRoute,
+        redirectRoute: effectiveRedirectRoute,
         successMessage,
         urlOnLogon: urlOnLogon,
     });
@@ -75,9 +91,37 @@ export default function login_layout({ image_src, image_alt, image_background_co
             return (_jsx(FormFieldWrapper, { fieldId: fieldDefinition.id, label: fieldDefinition.label, input: inputElement, errorMessage: shouldShowError }, fieldId));
         });
     };
-    // Show success message if login was successful and no redirect route is provided
+    // Form content — used in both layout modes. In "two_column" mode it's slotted
+    // into TwoColumnAuthLayout's `formContent`; in "form_only" mode it's returned
+    // as the entire output for the consumer to compose into their own chrome.
+    const successContent = (_jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), _jsxs("div", { className: "cls_login_layout_success flex flex-col items-center justify-center gap-4 p-8 text-center", children: [_jsx(CheckCircle, { className: "cls_login_layout_success_icon h-16 w-16 text-green-600", "aria-hidden": "true" }), _jsx("p", { className: "cls_login_layout_success_message text-lg font-medium text-slate-900", children: successMessage })] })] }));
+    const mainContent = (_jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_login_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text, callbackUrl: oauthCallbackUrl }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_login_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Login form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit login form", cancelAriaLabel: "Cancel login form" }), ((forgot_password_path && forgot_password_label) || (show_create_account_link && create_account_path && create_account_label)) && (_jsxs("div", { className: "cls_login_layout_support_links flex flex-col gap-1 text-sm text-muted-foreground", children: [forgot_password_path && forgot_password_label && (_jsx(Link, { href: forgot_password_path, className: "cls_login_layout_forgot_password_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to forgot password page", children: forgot_password_label })), show_create_account_link && create_account_path && create_account_label && (_jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }))] }))] })), show_create_account_link && create_account_path && create_account_label && !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_support_links mt-4 text-center text-sm text-muted-foreground", children: _jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }) }))] }));
+    // Form-only mode: return the content directly. Consumer is expected to wrap
+    // it in their own page/brand chrome. We deliberately skip AlreadyLoggedInGuard
+    // here — its 2-col fallback would defeat the purpose of form_only. Consumer
+    // can wire `use_auth_status` themselves if they want that UX.
+    if (layout === "form_only") {
+        return form.isSuccess ? successContent : mainContent;
+    }
+    // Two-column mode (default): success state.
     if (form.isSuccess) {
-        return (_jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), _jsxs("div", { className: "cls_login_layout_success flex flex-col items-center justify-center gap-4 p-8 text-center", children: [_jsx(CheckCircle, { className: "cls_login_layout_success_icon h-16 w-16 text-green-600", "aria-hidden": "true" }), _jsx("p", { className: "cls_login_layout_success_message text-lg font-medium text-slate-900", children: successMessage })] })] }) }));
+        return (_jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: successContent }));
     }
-    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_login_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_login_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Login form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit login form", cancelAriaLabel: "Cancel login form" }), ((forgot_password_path && forgot_password_label) || (show_create_account_link && create_account_path && create_account_label)) && (_jsxs("div", { className: "cls_login_layout_support_links flex flex-col gap-1 text-sm text-muted-foreground", children: [forgot_password_path && forgot_password_label && (_jsx(Link, { href: forgot_password_path, className: "cls_login_layout_forgot_password_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to forgot password page", children: forgot_password_label })), show_create_account_link && create_account_path && create_account_label && (_jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }))] }))] })), show_create_account_link && create_account_path && create_account_label && !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsx("div", { className: "cls_login_layout_support_links mt-4 text-center text-sm text-muted-foreground", children: _jsx(Link, { href: create_account_path, className: "cls_login_layout_create_account_link text-primary underline-offset-4 hover:underline", "aria-label": "Go to create account page", children: create_account_label }) }))] }) }) }));
+    // Two-column mode (default): main flow with already-logged-in guard.
+    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: mainContent }) }));
+}
+// Same-origin path validator for the `?redirect=` query param. Accepts
+// values like "/foo" or "/foo?bar". Rejects anything that could redirect
+// off-origin (`//`, schemes, javascript: URIs, fragments without leading
+// slash). Used by both login and register layouts.
+function isSafeRedirectPath(value) {
+    if (!value)
+        return false;
+    if (!value.startsWith("/"))
+        return false;
+    if (value.startsWith("//"))
+        return false;
+    if (/^[a-z][a-z0-9+.\-]*:/i.test(value))
+        return false;
+    return true;
 }

package/dist/components/layouts/register/index.d.ts

@@ -12,8 +12,10 @@ export type OAuthLayoutConfig = {
     oauth_divider_text: string;
 };
 export type RegisterLayoutProps<TClient = unknown> = {
-    image_src: string | StaticImageData;
-    image_alt: string;
+    /** Image source for the visual panel. Required when `layout` is `"two_column"` (the default); ignored when `"form_only"`. */
+    image_src?: string | StaticImageData;
+    /** Image alt text. Required when `layout` is `"two_column"` (the default); ignored when `"form_only"`. */
+    image_alt?: string;
     image_background_color?: string;
     field_overrides?: LayoutFieldMapOverrides;
     labels?: LayoutLabelOverrides;
@@ -31,6 +33,8 @@ export type RegisterLayoutProps<TClient = unknown> = {
     urlOnLogon?: string;
     /** OAuth configuration */
     oauth?: OAuthLayoutConfig;
+    /** Layout mode (default: `"two_column"`). See `LoginLayoutProps.layout` for the full description. */
+    layout?: "two_column" | "form_only";
 };
-export default function register_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, password_requirements, show_name_field, data_client, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, urlOnLogon, oauth, }: RegisterLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
+export default function register_layout<TClient>({ image_src, image_alt, image_background_color, field_overrides, labels, button_colors, password_requirements, show_name_field, data_client, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, urlOnLogon, oauth, layout, }: RegisterLayoutProps<TClient>): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=index.d.ts.map

package/dist/components/layouts/register/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/register/index.tsx"],"names":[],"mappings":"AAiBA,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,4BAA4B,EAClC,MAAM,uCAAuC,CAAC;AAY/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAGlD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,mBAAmB,CAAC,OAAO,GAAG,OAAO,IAAI;IACnD,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,qBAAqB,CAAC,EAAE,4BAA4B,CAAC;IACrD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAYF,MAAM,CAAC,OAAO,UAAU,eAAe,CAAC,OAAO,EAAE,EAC/C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,qBAAqB,EACrB,eAAsB,EACtB,WAAW,EACX,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,UAA+B,EAC/B,WAAuB,EACvB,UAAU,EACV,KAAK,GACN,EAAE,mBAAmB,CAAC,OAAO,CAAC,2CAgN9B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/components/layouts/register/index.tsx"],"names":[],"mappings":"AAiBA,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,4BAA4B,EAClC,MAAM,uCAAuC,CAAC;AAY/C,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAGlD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gCAAgC;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,qBAAqB,EAAE,OAAO,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,mBAAmB,CAAC,OAAO,GAAG,OAAO,IAAI;IACnD,6HAA6H;IAC7H,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IACrC,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,qBAAqB,CAAC,EAAE,4BAA4B,CAAC;IACrD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,qGAAqG;IACrG,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAYF,MAAM,CAAC,OAAO,UAAU,eAAe,CAAC,OAAO,EAAE,EAC/C,SAAS,EACT,SAAS,EACT,sBAAkC,EAClC,eAAe,EACf,MAAM,EACN,aAAa,EACb,qBAAqB,EACrB,eAAsB,EACtB,WAAW,EACX,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,UAA+B,EAC/B,WAAuB,EACvB,UAAU,EACV,KAAK,EACL,MAAqB,GACtB,EAAE,mBAAmB,CAAC,OAAO,CAAC,2CAqO9B"}

package/dist/components/layouts/register/index.js

@@ -24,7 +24,8 @@ const ORDERED_FIELDS = [
     REGISTER_FIELD_IDS.CONFIRM_PASSWORD,
 ];
 // section: component
-export default function register_layout({ image_src, image_alt, image_background_color = "#f1f5f9", field_overrides, labels, button_colors, password_requirements, show_name_field = true, data_client, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", signInPath = "/hazo_auth/login", signInLabel = "Sign in", urlOnLogon, oauth, }) {
+export default function register_layout({ image_src, image_alt, image_background_color = "#f1f5f9", field_overrides, labels, button_colors, password_requirements, show_name_field = true, data_client, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", signInPath = "/hazo_auth/login", signInLabel = "Sign in", urlOnLogon, oauth, layout = "two_column", }) {
+    var _a;
     // Default OAuth config: both enabled
     const oauthConfig = oauth || {
         enable_google: true,
@@ -35,6 +36,17 @@ export default function register_layout({ image_src, image_alt, image_background
     // Read OAuth error from URL query params (e.g., ?error=AccessDenied)
     const searchParams = useSearchParams();
     const oauthError = searchParams.get("error");
+    // `?redirect=` survives through both the email/password registration form
+    // (via `use_register_form`'s urlOnLogon flow) and the Google OAuth round-
+    // trip (encoded into the GoogleSignInButton callback URL as `?next=`).
+    // Same safety check as the login layout — must be a same-origin path so
+    // a hostile invite link can't pivot the user off-domain.
+    const rawRedirect = searchParams.get("redirect");
+    const safeRedirect = isSafeRedirectPath(rawRedirect) ? rawRedirect : null;
+    const oauthCallbackUrl = safeRedirect
+        ? `/api/hazo_auth/oauth/google/callback?next=${encodeURIComponent(safeRedirect)}`
+        : "/api/hazo_auth/oauth/google/callback";
+    const effectiveUrlOnLogon = (_a = urlOnLogon !== null && urlOnLogon !== void 0 ? urlOnLogon : safeRedirect) !== null && _a !== void 0 ? _a : undefined;
     const getOAuthErrorMessage = (error) => {
         switch (error) {
             case "AccessDenied":
@@ -55,7 +67,7 @@ export default function register_layout({ image_src, image_alt, image_background
         showNameField: show_name_field,
         passwordRequirements: resolvedPasswordRequirements,
         dataClient: data_client,
-        urlOnLogon: urlOnLogon,
+        urlOnLogon: effectiveUrlOnLogon,
     });
     const renderFields = (formState) => {
         const renderOrder = ORDERED_FIELDS.filter((fieldId) => show_name_field || fieldId !== REGISTER_FIELD_IDS.NAME);
@@ -80,5 +92,26 @@ export default function register_layout({ image_src, image_alt, image_background
             return (_jsx(FormFieldWrapper, { fieldId: fieldDefinition.id, label: fieldDefinition.label, input: inputElement, errorMessage: shouldShowError }, fieldId));
         });
     };
-    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: _jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_register_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_register_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_register_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Registration form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit registration form", cancelAriaLabel: "Cancel registration form" }), _jsxs("div", { className: "cls_register_layout_sign_in_link flex items-center justify-center gap-1 text-sm text-muted-foreground", children: [_jsx("span", { children: "Already have an account?" }), _jsx(Link, { href: signInPath, className: "cls_register_layout_sign_in_link_text text-primary underline-offset-4 hover:underline", "aria-label": "Go to sign in page", children: signInLabel })] }), form.isSubmitting && (_jsx("div", { className: "cls_register_submitting_indicator text-sm text-slate-600 text-center", children: "Registering..." }))] })), !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsxs("div", { className: "cls_register_layout_sign_in_link mt-4 flex items-center justify-center gap-1 text-sm text-muted-foreground", children: [_jsx("span", { children: "Already have an account?" }), _jsx(Link, { href: signInPath, className: "cls_register_layout_sign_in_link_text text-primary underline-offset-4 hover:underline", "aria-label": "Go to sign in page", children: signInLabel })] }))] }) }) }));
+    // Form content — used in both layout modes. See `login_layout` for the
+    // rationale: keeps the form independent of TwoColumnAuthLayout / AuthPageShell
+    // so consumers can compose it into their own brand chrome.
+    const mainContent = (_jsxs(_Fragment, { children: [_jsx(FormHeader, { heading: resolvedLabels.heading, subHeading: resolvedLabels.subHeading }), oauthError && (_jsxs("div", { className: "cls_register_layout_oauth_error flex items-center gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700", children: [_jsx(AlertCircle, { className: "h-4 w-4 shrink-0", "aria-hidden": "true" }), _jsx("span", { children: getOAuthErrorMessage(oauthError) })] })), oauthConfig.enable_google && (_jsx("div", { className: "cls_register_layout_oauth_section", children: _jsx(GoogleSignInButton, { label: oauthConfig.google_button_text, callbackUrl: oauthCallbackUrl }) })), oauthConfig.enable_google && oauthConfig.enable_email_password && (_jsx(OAuthDivider, { text: oauthConfig.oauth_divider_text })), oauthConfig.enable_email_password && (_jsxs("form", { className: "cls_register_layout_form_fields flex flex-col gap-5", onSubmit: form.handleSubmit, "aria-label": "Registration form", children: [renderFields(form), _jsx(FormActionButtons, { submitLabel: resolvedLabels.submitButton, cancelLabel: resolvedLabels.cancelButton, buttonPalette: resolvedButtonPalette, isSubmitDisabled: form.isSubmitDisabled, onCancel: form.handleCancel, submitAriaLabel: "Submit registration form", cancelAriaLabel: "Cancel registration form" }), _jsxs("div", { className: "cls_register_layout_sign_in_link flex items-center justify-center gap-1 text-sm text-muted-foreground", children: [_jsx("span", { children: "Already have an account?" }), _jsx(Link, { href: signInPath, className: "cls_register_layout_sign_in_link_text text-primary underline-offset-4 hover:underline", "aria-label": "Go to sign in page", children: signInLabel })] }), form.isSubmitting && (_jsx("div", { className: "cls_register_submitting_indicator text-sm text-slate-600 text-center", children: "Registering..." }))] })), !oauthConfig.enable_email_password && oauthConfig.enable_google && (_jsxs("div", { className: "cls_register_layout_sign_in_link mt-4 flex items-center justify-center gap-1 text-sm text-muted-foreground", children: [_jsx("span", { children: "Already have an account?" }), _jsx(Link, { href: signInPath, className: "cls_register_layout_sign_in_link_text text-primary underline-offset-4 hover:underline", "aria-label": "Go to sign in page", children: signInLabel })] }))] }));
+    // form_only mode: emit just the form content. See login_layout for the
+    // rationale; AlreadyLoggedInGuard is intentionally skipped here.
+    if (layout === "form_only") {
+        return mainContent;
+    }
+    return (_jsx(AlreadyLoggedInGuard, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, children: _jsx(TwoColumnAuthLayout, { imageSrc: image_src, imageAlt: image_alt, imageBackgroundColor: image_background_color, formContent: mainContent }) }));
+}
+// Same-origin path validator. See login/index.tsx for the rationale.
+function isSafeRedirectPath(value) {
+    if (!value)
+        return false;
+    if (!value.startsWith("/"))
+        return false;
+    if (value.startsWith("//"))
+        return false;
+    if (/^[a-z][a-z0-9+.\-]*:/i.test(value))
+        return false;
+    return true;
 }

package/dist/components/layouts/shared/components/floating_home_link.d.ts

@@ -0,0 +1,20 @@
+export type FloatingHomeLinkProps = {
+    /** Path to navigate to. Defaults to "/" — the consuming app's root. */
+    path?: string;
+    /** Label shown next to the back arrow. */
+    label?: string;
+    /** Override classes on the anchor (positioning, colours, etc.). */
+    className?: string;
+};
+/**
+ * Floating "← Back to home" link. Renders fixed top-left of the viewport so
+ * users mid-auth-flow always have a way out. Use on auth pages that don't
+ * include the full `<AuthNavbar>` (e.g. when consumer wraps `LoginPage` or
+ * `RegisterPage` with `layout="form_only"` and their own brand chrome).
+ *
+ * Reads label/path from props so consumers can localise — the navbar config
+ * helper `get_navbar_config()` is the typical source on the server side.
+ */
+export declare function FloatingHomeLink({ path, label, className, }: FloatingHomeLinkProps): import("react/jsx-runtime").JSX.Element;
+export default FloatingHomeLink;
+//# sourceMappingURL=floating_home_link.d.ts.map

package/dist/components/layouts/shared/components/floating_home_link.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"floating_home_link.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/floating_home_link.tsx"],"names":[],"mappings":"AAUA,MAAM,MAAM,qBAAqB,GAAG;IAClC,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,EAC/B,IAAU,EACV,KAAsB,EACtB,SAAS,GACV,EAAE,qBAAqB,2CAoBvB;AAED,eAAe,gBAAgB,CAAC"}

package/dist/components/layouts/shared/components/floating_home_link.js

@@ -0,0 +1,29 @@
+// file_description: small "back to home" affordance pinned to the top-left of auth pages
+// section: client_directive
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+// section: imports
+import Link from "next/link";
+import { ArrowLeft } from "lucide-react";
+import { cn } from "../../../../lib/utils.js";
+// section: component
+/**
+ * Floating "← Back to home" link. Renders fixed top-left of the viewport so
+ * users mid-auth-flow always have a way out. Use on auth pages that don't
+ * include the full `<AuthNavbar>` (e.g. when consumer wraps `LoginPage` or
+ * `RegisterPage` with `layout="form_only"` and their own brand chrome).
+ *
+ * Reads label/path from props so consumers can localise — the navbar config
+ * helper `get_navbar_config()` is the typical source on the server side.
+ */
+export function FloatingHomeLink({ path = "/", label = "Back to home", className, }) {
+    return (_jsxs(Link, { href: path, "aria-label": label, className: cn(
+        // Positioning: fixed top-left, above auth content, with a healthy
+        // safe-area margin so it never collides with brand-panel chrome.
+        "cls_floating_home_link fixed left-4 top-4 z-50 inline-flex items-center gap-1.5 rounded-md px-2.5 py-1.5 text-sm font-medium", 
+        // Visuals: subtle pill that adapts to whatever brand backdrop the
+        // consumer has rendered. Uses neutral text so it works on both light
+        // brand panels and dark ones.
+        "bg-background/70 text-foreground/80 shadow-sm backdrop-blur-sm transition-colors hover:bg-background hover:text-foreground", className), children: [_jsx(ArrowLeft, { className: "h-4 w-4", "aria-hidden": "true" }), _jsx("span", { children: label })] }));
+}
+export default FloatingHomeLink;

package/dist/components/layouts/shared/components/profile_pic_menu.d.ts

@@ -6,6 +6,14 @@ export type ProfilePicMenuProps = {
     register_path?: string;
     login_path?: string;
     settings_path?: string;
+    /**
+     * Where to navigate AFTER a successful logout (matches the navigation
+     * semantic of `login_path`/`register_path`/`settings_path`). Defaults to
+     * `router.refresh()` so the current page re-renders unauthenticated.
+     *
+     * Note: the logout API endpoint itself is always `${apiBasePath}/logout`
+     * — `logout_path` is purely a post-logout destination.
+     */
     logout_path?: string;
     custom_menu_items?: ProfilePicMenuMenuItem[];
     className?: string;

package/dist/components/layouts/shared/components/profile_pic_menu.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CA6erB"}
+{"version":3,"file":"profile_pic_menu.d.ts","sourceRoot":"","sources":["../../../../../src/components/layouts/shared/components/profile_pic_menu.tsx"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AAI7F,MAAM,MAAM,mBAAmB,GAAG;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,EAC7B,kBAA0B,EAC1B,aAAyB,EACzB,aAAyB,EACzB,aAAqC,EACrC,UAA+B,EAC/B,aAAwC,EACxC,WAAW,EACX,iBAAsB,EACtB,SAAS,EACT,WAAuB,EACvB,OAAoB,EACpB,mBAA+B,GAChC,EAAE,mBAAmB,2CAsfrB"}