hazo_auth 5.1.40 → 5.3.0

package/dist/server/routes/oauth_google_callback.js

@@ -25,10 +25,18 @@ export async function GET(original_request) {
     // Detect if request came through HTTPS proxy (Cloudflare tunnel, etc.)
     const is_secure = original_request.headers.get("x-forwarded-proto") === "https" ||
         request.url.startsWith("https://");
+    // Resolve the configured sign-in page up-front so the early error redirects
+    // (no token / missing data) honour [hazo_auth__oauth] sign_in_page just like
+    // the success path. Defaults to `/hazo_auth/login` for back-compat.
+    const sign_in_page = get_oauth_config().sign_in_page;
     try {
         // Get the NextAuth token from the session
         // When behind HTTPS proxy, next-auth uses __Secure- cookie prefix
         const token = (await getToken({
+            // next-auth@4 was typed against an older next/server NextRequest that
+            // still carried `geo`, `ip`, and the `[INTERNALS]` symbol. Next 16
+            // dropped those, leaving the two NextRequest types structurally
+            // incompatible at the type level even though the runtime shape is fine.
             req: request,
             secureCookie: is_secure,
         }));
@@ -47,7 +55,7 @@ export async function GET(original_request) {
                 note: "No NextAuth token found - user may not have completed Google sign-in",
             });
             // Redirect to login with error — use .toString() to ensure absolute URL
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = new URL(sign_in_page, request.url);
             login_url.searchParams.set("error", "oauth_failed");
             return NextResponse.redirect(login_url.toString());
         }
@@ -60,13 +68,13 @@ export async function GET(original_request) {
                 has_hazo_user_id: !!token.hazo_user_id,
                 has_google_id: !!token.google_id,
             });
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = new URL(sign_in_page, request.url);
             login_url.searchParams.set("error", "oauth_incomplete");
             return NextResponse.redirect(login_url.toString());
         }
         const user_id = token.hazo_user_id;
         const email = token.email;
-        logger.info("google_callback_success", {
+        logger.debug("google_callback_success", {
             filename: get_filename(),
             line_number: get_line_number(),
             user_id,
@@ -75,13 +83,32 @@ export async function GET(original_request) {
         // Get redirect URL based on user's scope/invitation status
         const loginConfig = get_login_config();
         const oauthConfig = get_oauth_config();
+        // Per-request override: the login/register layouts can encode a
+        // `?next=<path>` query param into the GoogleSignInButton callback URL,
+        // letting consumer flows (e.g. invite-link landings) keep the user on
+        // their original target after the OAuth round-trip rather than
+        // bouncing through the static `oauthConfig.default_redirect`.
+        //
+        // Validation: must be a same-origin path (starts with `/`, not `//`,
+        // no protocol). Anything else is dropped — prevents an open-redirect
+        // attack where a hostile referrer crafts a `next=//evil.com` URL.
+        const raw_next = request.nextUrl.searchParams.get("next");
+        const safe_next = raw_next &&
+            raw_next.startsWith("/") &&
+            !raw_next.startsWith("//") &&
+            !/^[a-z][a-z0-9+.\-]*:/i.test(raw_next)
+            ? raw_next
+            : null;
         // Check if user needs onboarding (no scope, no invitation = create firm)
         const hazoConnect = get_hazo_connect_instance();
         const { redirect_url: determined_redirect, needs_onboarding, invitation_check_skipped, invitation_table_error, } = await get_post_login_redirect(hazoConnect, user_id, email, {
-            default_redirect: oauthConfig.default_redirect || loginConfig.redirectRoute || "/",
+            default_redirect: safe_next || oauthConfig.default_redirect || loginConfig.redirectRoute || "/",
             create_firm_url: oauthConfig.create_firm_url,
             skip_invitation_check: oauthConfig.skip_invitation_check,
-            no_scope_redirect: oauthConfig.no_scope_redirect,
+            // When a per-request next= is set, override no_scope_redirect too.
+            // Otherwise an invite recipient (no scope yet) would still get
+            // bounced to /onboarding instead of back to the invite landing.
+            no_scope_redirect: safe_next || oauthConfig.no_scope_redirect,
         });
         // Log warning if invitation table is missing
         if (invitation_table_error) {
@@ -93,7 +120,7 @@ export async function GET(original_request) {
                 note: "hazo_invitations table does not exist - run migration or set skip_invitation_check=true in [hazo_auth__oauth]",
             });
         }
-        logger.info("google_callback_post_login_redirect", {
+        logger.debug("google_callback_post_login_redirect", {
             filename: get_filename(),
             line_number: get_line_number(),
             user_id,

package/dist/server-lib.d.ts

@@ -1,6 +1,7 @@
 import "server-only";
 export * from "./lib/auth/index.js";
 export * from "./lib/services/index.js";
+export { hazo_auth_template_manifest } from "./lib/services/email_template_manifest.js";
 export { get_config_value, get_config_number, get_config_boolean, get_config_array, read_config_section, } from "./lib/config/config_loader.server.js";
 export { get_login_config } from "./lib/login_config.server.js";
 export { get_register_config } from "./lib/register_config.server.js";

package/dist/server-lib.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AAGrC,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}
+{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAGrF,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}

package/dist/server-lib.js

@@ -14,6 +14,7 @@ import "server-only";
 export * from "./lib/auth/index.js";
 // section: service_exports
 export * from "./lib/services/index.js";
+export { hazo_auth_template_manifest } from "./lib/services/email_template_manifest.js";
 // section: config_exports
 export { get_config_value, get_config_number, get_config_boolean, get_config_array, read_config_section, } from "./lib/config/config_loader.server.js";
 // section: config_server_exports

package/dist/server_pages/login.d.ts

@@ -16,6 +16,18 @@ export type LoginPageProps = {
      * Defaults to "#f1f5f9"
      */
     image_background_color?: string;
+    /**
+     * Layout mode (default: `"two_column"`).
+     * - `"two_column"` — full server-rendered page with the package's
+     *   TwoColumnAuthLayout (image on the left, form on the right) wrapped in
+     *   the standalone AuthPageShell. Backwards-compatible.
+     * - `"form_only"` — emits just the form content (no AuthPageShell, no
+     *   TwoColumnAuthLayout). Use when wrapping the form in your own brand
+     *   chrome (e.g. a custom split-panel layout or an existing app shell).
+     *   `image_src` / `image_alt` / `image_background_color` are ignored in
+     *   this mode.
+     */
+    layout?: "two_column" | "form_only";
 };
 /**
  * Zero-config LoginPage server component
@@ -40,6 +52,6 @@ export type LoginPageProps = {
  * @param props - Optional visual customization props
  * @returns Server-rendered login page
  */
-export default function LoginPage({ image_src, image_alt, image_background_color, }?: LoginPageProps): import("react/jsx-runtime").JSX.Element;
+export default function LoginPage({ image_src, image_alt, image_background_color, layout, }?: LoginPageProps): import("react/jsx-runtime").JSX.Element;
 export { LoginPage };
 //# sourceMappingURL=login.d.ts.map

package/dist/server_pages/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/server_pages/login.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAOrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,SAAS,CAAC,EAChC,SAAS,EACT,SAAS,EACT,sBAAsB,GACvB,GAAE,cAAmB,2CAqCrB;AAGD,OAAO,EAAE,SAAS,EAAE,CAAC"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/server_pages/login.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AASrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;;;;;;;;OAUG;IACH,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,SAAS,CAAC,EAChC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,MAAqB,GACtB,GAAE,cAAmB,2CA2DrB;AAGD,OAAO,EAAE,SAAS,EAAE,CAAC"}

package/dist/server_pages/login.js

@@ -1,11 +1,13 @@
-import { jsx as _jsx } from "react/jsx-runtime";
+import { jsx as _jsx, Fragment as _Fragment, jsxs as _jsxs } from "react/jsx-runtime";
 // file_description: Zero-config LoginPage server component - drop in and use with no configuration required
 // section: server-only-guard
 import "server-only";
 // section: imports
 import { get_login_config } from "../lib/login_config.server.js";
+import { get_navbar_config } from "../lib/navbar_config.server.js";
 import { LoginClientWrapper } from "./login_client_wrapper.js";
 import { AuthPageShell } from "../components/layouts/shared/components/auth_page_shell.js";
+import { FloatingHomeLink } from "../components/layouts/shared/components/floating_home_link.js";
 // section: component
 /**
  * Zero-config LoginPage server component
@@ -30,20 +32,34 @@ import { AuthPageShell } from "../components/layouts/shared/components/auth_page
  * @param props - Optional visual customization props
  * @returns Server-rendered login page
  */
-export default function LoginPage({ image_src, image_alt, image_background_color, } = {}) {
+export default function LoginPage({ image_src, image_alt, image_background_color, layout = "two_column", } = {}) {
     // Load configuration from INI file (with defaults including asset images)
     const config = get_login_config();
     // Use props if provided, otherwise fall back to config (which includes default asset image)
     const finalImageSrc = image_src || config.imageSrc;
     const finalImageAlt = image_alt || config.imageAlt;
     const finalImageBackgroundColor = image_background_color || config.imageBackgroundColor;
-    // Pass serializable config to client wrapper, wrapped in AuthPageShell for navbar support
-    return (_jsx(AuthPageShell, { children: _jsx(LoginClientWrapper, { image_src: finalImageSrc, image_alt: finalImageAlt, image_background_color: finalImageBackgroundColor, redirectRoute: config.redirectRoute, successMessage: config.successMessage, alreadyLoggedInMessage: config.alreadyLoggedInMessage, showLogoutButton: config.showLogoutButton, showReturnHomeButton: config.showReturnHomeButton, returnHomeButtonLabel: config.returnHomeButtonLabel, returnHomePath: config.returnHomePath, forgotPasswordPath: config.forgotPasswordPath, forgotPasswordLabel: config.forgotPasswordLabel, createAccountPath: config.createAccountPath, createAccountLabel: config.createAccountLabel, showCreateAccountLink: config.showCreateAccountLink, oauth: {
-                enable_google: config.oauth.enable_google,
-                enable_email_password: config.oauth.enable_email_password,
-                google_button_text: config.oauth.google_button_text,
-                oauth_divider_text: config.oauth.oauth_divider_text,
-            } }) }));
+    const wrapper = (_jsx(LoginClientWrapper, { image_src: finalImageSrc, image_alt: finalImageAlt, image_background_color: finalImageBackgroundColor, redirectRoute: config.redirectRoute, successMessage: config.successMessage, alreadyLoggedInMessage: config.alreadyLoggedInMessage, showLogoutButton: config.showLogoutButton, showReturnHomeButton: config.showReturnHomeButton, returnHomeButtonLabel: config.returnHomeButtonLabel, returnHomePath: config.returnHomePath, forgotPasswordPath: config.forgotPasswordPath, forgotPasswordLabel: config.forgotPasswordLabel, createAccountPath: config.createAccountPath, createAccountLabel: config.createAccountLabel, showCreateAccountLink: config.showCreateAccountLink, oauth: {
+            enable_google: config.oauth.enable_google,
+            enable_email_password: config.oauth.enable_email_password,
+            google_button_text: config.oauth.google_button_text,
+            oauth_divider_text: config.oauth.oauth_divider_text,
+        }, layout: layout }));
+    // form_only mode: skip AuthPageShell so the consumer's own page chrome
+    // (e.g. a split-panel AuthLayout) hosts the form without our standalone
+    // wrapper interfering. Two-column mode keeps the existing AuthPageShell
+    // wrap for navbar/centering support.
+    //
+    // The navbar config's home_link is also surfaced here in form_only mode
+    // so users mid-auth-flow always have a way out — without this, the only
+    // exit is the browser back button. Rendered as a fixed-position "Back to
+    // home" pill (top-left). Disabled by setting `[hazo_auth__navbar]
+    // show_home_link = false` or by hiding it CSS-side at the consumer.
+    if (layout === "form_only") {
+        const navbar = get_navbar_config();
+        return (_jsxs(_Fragment, { children: [navbar.show_home_link && (_jsx(FloatingHomeLink, { path: navbar.home_path, label: navbar.home_label })), wrapper] }));
+    }
+    return _jsx(AuthPageShell, { children: wrapper });
 }
 // Named export for direct imports
 export { LoginPage };

package/dist/server_pages/login_client_wrapper.d.ts

@@ -2,17 +2,19 @@ import type { LoginConfig } from "../lib/login_config.server";
 import type { OAuthLayoutConfig } from "../components/layouts/login/index";
 import type { StaticImageData } from "next/image";
 export type LoginClientWrapperProps = Omit<LoginConfig, 'imageSrc' | 'imageAlt' | 'imageBackgroundColor' | 'oauth' | 'showCreateAccountLink'> & {
-    image_src: string | StaticImageData;
-    image_alt: string;
-    image_background_color: string;
+    image_src?: string | StaticImageData;
+    image_alt?: string;
+    image_background_color?: string;
     /** Show/hide "Create account" link (default: true) */
     showCreateAccountLink?: boolean;
     /** OAuth configuration */
     oauth?: OAuthLayoutConfig;
+    /** Layout mode — see LoginLayoutProps.layout. Default `"two_column"`. */
+    layout?: "two_column" | "form_only";
 };
 /**
  * Client wrapper for LoginLayout
  * Initializes hazo_connect data client on client side and passes config from server
  */
-export declare function LoginClientWrapper({ image_src, image_alt, image_background_color, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, showCreateAccountLink, oauth, }: LoginClientWrapperProps): import("react/jsx-runtime").JSX.Element;
+export declare function LoginClientWrapper({ image_src, image_alt, image_background_color, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, showCreateAccountLink, oauth, layout, }: LoginClientWrapperProps): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=login_client_wrapper.d.ts.map

package/dist/server_pages/login_client_wrapper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login_client_wrapper.d.ts","sourceRoot":"","sources":["../../src/server_pages/login_client_wrapper.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAG3E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,WAAW,EAAE,UAAU,GAAG,UAAU,GAAG,sBAAsB,GAAG,OAAO,GAAG,uBAAuB,CAAC,GAAG;IAC9I,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,sDAAsD;IACtD,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAGF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,aAAa,EACb,cAAc,EACd,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,qBAA4B,EAC5B,KAAK,GACN,EAAE,uBAAuB,2CAyCzB"}
+{"version":3,"file":"login_client_wrapper.d.ts","sourceRoot":"","sources":["../../src/server_pages/login_client_wrapper.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAG3E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,WAAW,EAAE,UAAU,GAAG,UAAU,GAAG,sBAAsB,GAAG,OAAO,GAAG,uBAAuB,CAAC,GAAG;IAC9I,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,sDAAsD;IACtD,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,yEAAyE;IACzE,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAGF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,aAAa,EACb,cAAc,EACd,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,qBAA4B,EAC5B,KAAK,EACL,MAAqB,GACtB,EAAE,uBAAuB,2CA0CzB"}

package/dist/server_pages/login_client_wrapper.js

@@ -11,7 +11,7 @@ import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
  * Client wrapper for LoginLayout
  * Initializes hazo_connect data client on client side and passes config from server
  */
-export function LoginClientWrapper({ image_src, image_alt, image_background_color, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, showCreateAccountLink = true, oauth, }) {
+export function LoginClientWrapper({ image_src, image_alt, image_background_color, redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, showCreateAccountLink = true, oauth, layout = "two_column", }) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -23,5 +23,5 @@ export function LoginClientWrapper({ image_src, image_alt, image_background_colo
     if (!dataClient) {
         return (_jsx("div", { className: "cls_login_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
-    return (_jsx(LoginLayout, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, data_client: dataClient, redirectRoute: redirectRoute, successMessage: successMessage, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, forgot_password_path: forgotPasswordPath, forgot_password_label: forgotPasswordLabel, create_account_path: createAccountPath, create_account_label: createAccountLabel, show_create_account_link: showCreateAccountLink, oauth: oauth }));
+    return (_jsx(LoginLayout, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, data_client: dataClient, redirectRoute: redirectRoute, successMessage: successMessage, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, forgot_password_path: forgotPasswordPath, forgot_password_label: forgotPasswordLabel, create_account_path: createAccountPath, create_account_label: createAccountLabel, show_create_account_link: showCreateAccountLink, oauth: oauth, layout: layout }));
 }

package/dist/server_pages/register.d.ts

@@ -16,6 +16,12 @@ export type RegisterPageProps = {
      * Defaults from hazo_auth_config.ini or "#e2e8f0"
      */
     image_background_color?: string;
+    /**
+     * Layout mode (default: `"two_column"`). See `LoginPageProps.layout` for the
+     * full description. `"form_only"` skips both AuthPageShell and
+     * TwoColumnAuthLayout so the consumer's brand chrome can wrap the form.
+     */
+    layout?: "two_column" | "form_only";
 };
 /**
  * Zero-config RegisterPage server component
@@ -42,6 +48,6 @@ export type RegisterPageProps = {
  * @param props - Optional visual customization props
  * @returns Server-rendered register page
  */
-export default function RegisterPage({ image_src, image_alt, image_background_color, }?: RegisterPageProps): import("react/jsx-runtime").JSX.Element;
+export default function RegisterPage({ image_src, image_alt, image_background_color, layout, }?: RegisterPageProps): import("react/jsx-runtime").JSX.Element;
 export { RegisterPage };
 //# sourceMappingURL=register.d.ts.map

package/dist/server_pages/register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/server_pages/register.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAOrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC,CAAC;AAIF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,EACnC,SAAS,EACT,SAAS,EACT,sBAAsB,GACvB,GAAE,iBAAsB,2CAkCxB;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/server_pages/register.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AASrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;;OAIG;IACH,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAIF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,OAAO,UAAU,YAAY,CAAC,EACnC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,MAAqB,GACtB,GAAE,iBAAsB,2CAiDxB;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/server_pages/register.js

@@ -1,11 +1,13 @@
-import { jsx as _jsx } from "react/jsx-runtime";
+import { jsx as _jsx, Fragment as _Fragment, jsxs as _jsxs } from "react/jsx-runtime";
 // file_description: Zero-config RegisterPage server component - drop in and use with no configuration required
 // section: server-only-guard
 import "server-only";
 // section: imports
 import { get_register_config } from "../lib/register_config.server.js";
+import { get_navbar_config } from "../lib/navbar_config.server.js";
 import { RegisterClientWrapper } from "./register_client_wrapper.js";
 import { AuthPageShell } from "../components/layouts/shared/components/auth_page_shell.js";
+import { FloatingHomeLink } from "../components/layouts/shared/components/floating_home_link.js";
 // section: component
 /**
  * Zero-config RegisterPage server component
@@ -32,20 +34,27 @@ import { AuthPageShell } from "../components/layouts/shared/components/auth_page
  * @param props - Optional visual customization props
  * @returns Server-rendered register page
  */
-export default function RegisterPage({ image_src, image_alt, image_background_color, } = {}) {
+export default function RegisterPage({ image_src, image_alt, image_background_color, layout = "two_column", } = {}) {
     // Load configuration from INI file (with defaults including asset images)
     const config = get_register_config();
     // Use props if provided, otherwise fall back to config (which includes default asset image)
     const finalImageSrc = image_src || config.imageSrc;
     const finalImageAlt = image_alt || config.imageAlt;
     const finalImageBackgroundColor = image_background_color || config.imageBackgroundColor;
-    // Pass serializable config to client wrapper, wrapped in AuthPageShell for navbar support
-    return (_jsx(AuthPageShell, { children: _jsx(RegisterClientWrapper, { image_src: finalImageSrc, image_alt: finalImageAlt, image_background_color: finalImageBackgroundColor, showNameField: config.showNameField, passwordRequirements: config.passwordRequirements, alreadyLoggedInMessage: config.alreadyLoggedInMessage, showLogoutButton: config.showLogoutButton, showReturnHomeButton: config.showReturnHomeButton, returnHomeButtonLabel: config.returnHomeButtonLabel, returnHomePath: config.returnHomePath, signInPath: config.signInPath, signInLabel: config.signInLabel, oauth: {
-                enable_google: config.oauth.enable_google,
-                enable_email_password: config.oauth.enable_email_password,
-                google_button_text: config.oauth.google_button_text,
-                oauth_divider_text: config.oauth.oauth_divider_text,
-            } }) }));
+    const wrapper = (_jsx(RegisterClientWrapper, { image_src: finalImageSrc, image_alt: finalImageAlt, image_background_color: finalImageBackgroundColor, showNameField: config.showNameField, passwordRequirements: config.passwordRequirements, alreadyLoggedInMessage: config.alreadyLoggedInMessage, showLogoutButton: config.showLogoutButton, showReturnHomeButton: config.showReturnHomeButton, returnHomeButtonLabel: config.returnHomeButtonLabel, returnHomePath: config.returnHomePath, signInPath: config.signInPath, signInLabel: config.signInLabel, oauth: {
+            enable_google: config.oauth.enable_google,
+            enable_email_password: config.oauth.enable_email_password,
+            google_button_text: config.oauth.google_button_text,
+            oauth_divider_text: config.oauth.oauth_divider_text,
+        }, layout: layout }));
+    // form_only mode: skip AuthPageShell so the consumer's own page chrome
+    // hosts the form. See LoginPage for the full rationale, including the
+    // FloatingHomeLink rendering rule below.
+    if (layout === "form_only") {
+        const navbar = get_navbar_config();
+        return (_jsxs(_Fragment, { children: [navbar.show_home_link && (_jsx(FloatingHomeLink, { path: navbar.home_path, label: navbar.home_label })), wrapper] }));
+    }
+    return _jsx(AuthPageShell, { children: wrapper });
 }
 // Named export for direct imports
 export { RegisterPage };

package/dist/server_pages/register_client_wrapper.d.ts

@@ -2,15 +2,17 @@ import type { RegisterConfig } from "../lib/register_config.server";
 import type { OAuthLayoutConfig } from "../components/layouts/register/index";
 import type { StaticImageData } from "next/image";
 export type RegisterClientWrapperProps = Omit<RegisterConfig, 'imageSrc' | 'imageAlt' | 'imageBackgroundColor' | 'oauth'> & {
-    image_src: string | StaticImageData;
-    image_alt: string;
-    image_background_color: string;
+    image_src?: string | StaticImageData;
+    image_alt?: string;
+    image_background_color?: string;
     /** OAuth configuration */
     oauth?: OAuthLayoutConfig;
+    /** Layout mode — see RegisterLayoutProps.layout. Default `"two_column"`. */
+    layout?: "two_column" | "form_only";
 };
 /**
  * Client wrapper for RegisterLayout
  * Initializes hazo_connect data client on client side and passes config from server
  */
-export declare function RegisterClientWrapper({ image_src, image_alt, image_background_color, showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, oauth, }: RegisterClientWrapperProps): import("react/jsx-runtime").JSX.Element;
+export declare function RegisterClientWrapper({ image_src, image_alt, image_background_color, showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, oauth, layout, }: RegisterClientWrapperProps): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=register_client_wrapper.d.ts.map

package/dist/server_pages/register_client_wrapper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_client_wrapper.d.ts","sourceRoot":"","sources":["../../src/server_pages/register_client_wrapper.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AAG9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,0BAA0B,GAAG,IAAI,CAAC,cAAc,EAAE,UAAU,GAAG,UAAU,GAAG,sBAAsB,GAAG,OAAO,CAAC,GAAG;IAC1H,SAAS,EAAE,MAAM,GAAG,eAAe,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAGF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,EACpC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,aAAa,EACb,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,EACd,UAAU,EACV,WAAW,EACX,KAAK,GACN,EAAE,0BAA0B,2CAsC5B"}
+{"version":3,"file":"register_client_wrapper.d.ts","sourceRoot":"","sources":["../../src/server_pages/register_client_wrapper.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AAG9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,0BAA0B,GAAG,IAAI,CAAC,cAAc,EAAE,UAAU,GAAG,UAAU,GAAG,sBAAsB,GAAG,OAAO,CAAC,GAAG;IAC1H,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,0BAA0B;IAC1B,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,4EAA4E;IAC5E,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAAC;CACrC,CAAC;AAGF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,EACpC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,aAAa,EACb,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,EACd,UAAU,EACV,WAAW,EACX,KAAK,EACL,MAAqB,GACtB,EAAE,0BAA0B,2CAuC5B"}

package/dist/server_pages/register_client_wrapper.js

@@ -11,7 +11,7 @@ import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
  * Client wrapper for RegisterLayout
  * Initializes hazo_connect data client on client side and passes config from server
  */
-export function RegisterClientWrapper({ image_src, image_alt, image_background_color, showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, oauth, }) {
+export function RegisterClientWrapper({ image_src, image_alt, image_background_color, showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, oauth, layout = "two_column", }) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -23,5 +23,5 @@ export function RegisterClientWrapper({ image_src, image_alt, image_background_c
     if (!dataClient) {
         return (_jsx("div", { className: "cls_register_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
-    return (_jsx(RegisterLayout, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, data_client: dataClient, show_name_field: showNameField, password_requirements: passwordRequirements, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, signInPath: signInPath, signInLabel: signInLabel, oauth: oauth }));
+    return (_jsx(RegisterLayout, { image_src: image_src, image_alt: image_alt, image_background_color: image_background_color, data_client: dataClient, show_name_field: showNameField, password_requirements: passwordRequirements, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, signInPath: signInPath, signInLabel: signInLabel, oauth: oauth, layout: layout }));
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.40",
+  "version": "5.3.0",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -89,6 +89,10 @@
       "types": "./dist/lib/auth/hazo_get_auth.server.d.ts",
       "import": "./dist/lib/auth/hazo_get_auth.server.js"
     },
+    "./lib/auth/ensure_anon_id.server": {
+      "types": "./dist/lib/auth/ensure_anon_id.server.d.ts",
+      "import": "./dist/lib/auth/ensure_anon_id.server.js"
+    },
     "./server": {
       "types": "./dist/server/index.d.ts",
       "import": "./dist/server/index.js"
@@ -189,6 +193,7 @@
     "dev": "next dev",
     "build": "next build",
     "build:pkg": "tsc --jsx react-jsx --skipLibCheck -p tsconfig.build.json && tsx scripts/copy_assets.ts",
+    "prepare": "npm run build:pkg",
     "prepublishOnly": "npm run build:pkg",
     "validate": "tsx scripts/validate_setup.ts",
     "generate-routes": "tsx scripts/generate_routes.ts",
@@ -214,8 +219,8 @@
     "jsonwebtoken": "^9.0.2",
     "mime-types": "^3.0.1",
     "server-only": "^0.0.1",
-    "tailwind-merge": "^3.4.0",
-    "tailwindcss-animate": "^1.0.7",
+    "tailwind-merge": "^3.5.0",
+    "tw-animate-css": "^1.4.0",
     "zod": "^4.1.12"
   },
   "optionalDependencies": {
@@ -244,18 +249,18 @@
     "@radix-ui/react-switch": "^1.2.0",
     "@radix-ui/react-tabs": "^1.1.0",
     "@radix-ui/react-tooltip": "^1.2.0",
-    "hazo_config": "^1.4.0 || ^2.0.0",
+    "hazo_config": "^2.1.0",
     "hazo_connect": "^2.4.0",
-    "hazo_logs": "^1.0.10",
-    "hazo_notify": "^1.0.0",
-    "hazo_ui": "^2.0.0",
-    "lucide-react": ">=0.400.0",
+    "hazo_logs": "^1.0.13",
+    "hazo_notify": "^3.0.0",
+    "hazo_ui": "^2.7.0",
+    "lucide-react": "^0.553.0",
     "next": ">=14.0.0",
     "next-auth": "^4.24.0",
     "next-themes": "^0.4.0",
     "react": "^18.0.0 || ^19.0.0",
     "react-dom": "^18.0.0 || ^19.0.0",
-    "sonner": "^2.0.0"
+    "sonner": "^2.0.7"
   },
   "peerDependenciesMeta": {
     "hazo_config": {
@@ -359,36 +364,37 @@
     "@types/jsonwebtoken": "^9.0.10",
     "@types/multer": "^2.0.0",
     "@types/node": "^20.19.24",
-    "@types/react": "^18",
-    "@types/react-dom": "^18",
+    "@types/react": "^18.3.3",
+    "@types/react-dom": "^18.3.0",
     "better-sqlite3": "^12.4.1",
     "cross-env": "^10.1.0",
     "dotenv": "^17.4.2",
     "eslint": "^9.39.1",
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
-    "hazo_config": "^1.4.2",
-    "hazo_connect": "^2.4.2",
-    "hazo_logs": "^1.0.10",
-    "hazo_notify": "^1.0.0",
-    "hazo_ui": "^2.0.0",
+    "@tailwindcss/postcss": "^4.2.4",
+    "hazo_config": "^2.1.0",
+    "hazo_connect": "^2.4.0",
+    "hazo_logs": "^1.0.13",
+    "hazo_notify": "^3.0.0",
+    "hazo_ui": "^2.7.0",
     "jest": "^30.2.0",
-    "jest-environment-jsdom": "^29.7.0",
+    "jest-environment-jsdom": "^30.0.0",
     "lucide-react": "^0.553.0",
     "next": "^16.0.7",
     "next-auth": "^4.24.13",
     "next-themes": "^0.4.6",
     "patch-package": "^8.0.1",
     "playwright": "^1.57.0",
-    "postcss": "^8",
+    "postcss": "^8.4.49",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "sonner": "^2.0.7",
     "storybook": "^10.0.6",
     "supertest": "^7.1.4",
-    "tailwindcss": "^3.4.1",
+    "tailwindcss": "^4.2.4",
     "ts-jest": "^29.4.5",
     "tsx": "^4.20.6",
-    "typescript": "^5"
+    "typescript": "^5.7.2"
   }
 }