hazo_auth 5.3.1 → 6.1.1

package/cli-src/lib/auth/with_auth.server.ts

@@ -10,7 +10,7 @@ import {
   PermissionError,
   type TenantAuthOptions,
   type TenantAuthResult,
-  type TenantOrganization,
+  type SelectedScope,
   type HazoAuthUser,
   type ScopeDetails,
   type ScopeAccessInfo,
@@ -27,19 +27,19 @@ export type AuthenticatedTenantAuth = {
   permissions: string[];
   permission_ok: boolean;
   missing_permissions?: string[];
-  organization: TenantOrganization | null;
-  organization_id: string | null;
+  selected_scope: SelectedScope | null;
+  selected_scope_id: string | null;
   user_scopes: ScopeDetails[];
   scope_ok?: boolean;
   scope_access_via?: ScopeAccessInfo;
 };
 
 /**
- * Authenticated branch with guaranteed non-null organization
+ * Authenticated branch with guaranteed non-null selected_scope
  */
-export type AuthenticatedTenantAuthWithOrg = AuthenticatedTenantAuth & {
-  organization: TenantOrganization;
-  organization_id: string;
+export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth & {
+  selected_scope: SelectedScope;
+  selected_scope_id: string;
 };
 
 /**
@@ -48,8 +48,8 @@ export type AuthenticatedTenantAuthWithOrg = AuthenticatedTenantAuth & {
  */
 export type WithAuthOptions = TenantAuthOptions & {
   /**
-   * If true, requires organization context (403 if missing)
-   * Narrows auth type to AuthenticatedTenantAuthWithOrg
+   * If true, requires tenant/scope context (403 if missing)
+   * Narrows auth type to AuthenticatedTenantAuthWithSelectedScope
    */
   require_tenant?: boolean;
 };
@@ -75,7 +75,7 @@ type AuthenticatedHandler<TParams> = (
  */
 type AuthenticatedTenantHandler<TParams> = (
   request: NextRequest,
-  auth: AuthenticatedTenantAuthWithOrg,
+  auth: AuthenticatedTenantAuthWithSelectedScope,
   params: TParams,
 ) => Promise<NextResponse> | NextResponse;
 
@@ -138,7 +138,7 @@ async function resolve_params<TParams>(
  *
  * - Calls `hazo_get_tenant_auth` and returns 401 if not authenticated
  * - Returns 403 if `required_permissions` are specified and not satisfied
- * - Returns 403 if `require_tenant: true` and no organization context
+ * - Returns 403 if `require_tenant: true` and no tenant/scope context
  * - Resolves `await context.params` (Next.js 15 pattern)
  * - Catches HazoAuthError, PermissionError, and unexpected errors
  *
@@ -161,8 +161,8 @@ async function resolve_params<TParams>(
  * // With tenant requirement
  * export const GET = withAuth<{ id: string }>(
  *   async (request, auth, { id }) => {
- *     // auth.organization is guaranteed non-null
- *     const data = await getData(auth.organization.id, id);
+ *     // auth.selected_scope is guaranteed non-null
+ *     const data = await getData(auth.selected_scope.id, id);
  *     return NextResponse.json(data);
  *   },
  *   { require_tenant: true }
@@ -227,10 +227,10 @@ export function withAuth<TParams = Record<string, never>>(
       }
 
       // Check tenant requirement
-      if (options.require_tenant && !auth.organization) {
+      if (options.require_tenant && !auth.selected_scope) {
         return NextResponse.json(
           {
-            error: "Organization context required",
+            error: "Tenant scope context required",
             code: "TENANT_REQUIRED",
           },
           { status: 403 },

package/cli-src/lib/cookies_config.server.ts

@@ -27,6 +27,7 @@ export const BASE_COOKIE_NAMES = {
   USER_ID: "hazo_auth_user_id",
   USER_EMAIL: "hazo_auth_user_email",
   SESSION: "hazo_auth_session",
+  SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
   DEV_LOCK: "hazo_auth_dev_lock",
   SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
   ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)

package/cli-src/lib/login_config.server.ts

@@ -31,6 +31,12 @@ export type LoginConfig = {
   imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: OAuthConfig;
+  /** Whether the OTP sign-in link is shown below the login form */
+  otpSigninEnabled: boolean;
+  /** Label for the OTP sign-in link */
+  otpSigninLabel: string;
+  /** href for the OTP sign-in link */
+  otpSigninHref: string;
 };
 
 // section: helpers
@@ -94,6 +100,11 @@ export function get_login_config(): LoginConfig {
   // Get OAuth configuration
   const oauth = get_oauth_config();
 
+  // OTP sign-in link
+  const otpSigninEnabled = get_config_value(section, "otp_signin_enabled", "false") === "true";
+  const otpSigninLabel = get_config_value(section, "otp_signin_label", "Sign in with email code");
+  const otpSigninHref = get_config_value(section, "otp_signin_href", "/hazo_auth/otp");
+
   return {
     redirectRoute,
     successMessage,
@@ -111,6 +122,9 @@ export function get_login_config(): LoginConfig {
     imageAlt,
     imageBackgroundColor,
     oauth,
+    otpSigninEnabled,
+    otpSigninLabel,
+    otpSigninHref,
   };
 }
 

package/cli-src/lib/otp_config.server.ts

@@ -0,0 +1,91 @@
+// file_description: server-only helper to read OTP sign-in configuration from hazo_auth_config.ini
+// section: server-only-guard
+import "server-only";
+
+// section: imports
+import { get_config_value, get_config_boolean, get_config_number } from "./config/config_loader.server.js";
+
+// section: defaults
+export const OTP_CONFIG_DEFAULTS = {
+  auto_register: false,
+  code_ttl_seconds: 600,
+  session_ttl_seconds: 604800,
+  slide_when_within_seconds: 86400,
+  email_rate_limit_max: 3,
+  email_rate_limit_window_seconds: 900,
+  ip_rate_limit_max: 20,
+  ip_rate_limit_window_seconds: 3600,
+  max_verify_attempts: 5,
+  auto_assign_scope_id: "00000000-0000-0000-0000-000000000001",
+  auto_assign_role_name: "member",
+} as const;
+
+// section: types
+export type OtpConfig = {
+  /** Whether to automatically register a new user when an unrecognised email requests an OTP */
+  auto_register: boolean;
+  /** How long (seconds) a generated OTP code is valid */
+  code_ttl_seconds: number;
+  /** How long (seconds) the session created after successful OTP verification lasts */
+  session_ttl_seconds: number;
+  /** Slide the session expiry when the remaining TTL falls below this many seconds */
+  slide_when_within_seconds: number;
+  /** Maximum OTP requests allowed per email address within the rate-limit window */
+  email_rate_limit_max: number;
+  /** Rate-limit window (seconds) for per-email OTP requests */
+  email_rate_limit_window_seconds: number;
+  /** Maximum OTP requests allowed per IP address within the rate-limit window */
+  ip_rate_limit_max: number;
+  /** Rate-limit window (seconds) for per-IP OTP requests */
+  ip_rate_limit_window_seconds: number;
+  /** Maximum failed verify attempts before the OTP code is invalidated */
+  max_verify_attempts: number;
+  /** Scope ID to auto-assign a newly registered OTP user to */
+  auto_assign_scope_id: string;
+  /** Role name to assign within the auto-assign scope */
+  auto_assign_role_name: string;
+};
+
+// section: helpers
+/**
+ * Reads OTP configuration from hazo_auth_config.ini [hazo_auth__otp] section.
+ * Falls back to defaults if the config file or section is missing.
+ */
+export function get_otp_config(): OtpConfig {
+  const section = "hazo_auth__otp";
+  const d = OTP_CONFIG_DEFAULTS;
+
+  return {
+    auto_register: get_config_boolean(section, "otp_auto_register", d.auto_register),
+    code_ttl_seconds: get_config_number(section, "otp_code_ttl_seconds", d.code_ttl_seconds),
+    session_ttl_seconds: get_config_number(section, "otp_session_ttl_seconds", d.session_ttl_seconds),
+    slide_when_within_seconds: get_config_number(
+      section,
+      "otp_slide_when_within_seconds",
+      d.slide_when_within_seconds
+    ),
+    email_rate_limit_max: get_config_number(section, "otp_email_rate_limit_max", d.email_rate_limit_max),
+    email_rate_limit_window_seconds: get_config_number(
+      section,
+      "otp_email_rate_limit_window_seconds",
+      d.email_rate_limit_window_seconds
+    ),
+    ip_rate_limit_max: get_config_number(section, "otp_ip_rate_limit_max", d.ip_rate_limit_max),
+    ip_rate_limit_window_seconds: get_config_number(
+      section,
+      "otp_ip_rate_limit_window_seconds",
+      d.ip_rate_limit_window_seconds
+    ),
+    max_verify_attempts: get_config_number(section, "otp_max_verify_attempts", d.max_verify_attempts),
+    auto_assign_scope_id: get_config_value(section, "otp_auto_assign_scope_id", d.auto_assign_scope_id),
+    auto_assign_role_name: get_config_value(section, "otp_auto_assign_role_name", d.auto_assign_role_name),
+  };
+}
+
+/**
+ * Convenience accessor — returns just the session TTL seconds from OTP config.
+ * Suitable for passing to token-creation utilities.
+ */
+export function hazo_auth_otp_session_ttl_seconds(): number {
+  return get_otp_config().session_ttl_seconds;
+}

package/cli-src/lib/services/email_service.ts

@@ -14,7 +14,7 @@ export type EmailOptions = {
   text_body?: string;
 };
 
-export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed";
+export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed" | "otp_signin_code";
 
 export type EmailTemplateData = {
   token?: string;
@@ -243,6 +243,8 @@ function get_email_subject(template_type: EmailTemplateType): string {
       return "Reset Your Password";
     case "password_changed":
       return "Password Changed Successfully";
+    case "otp_signin_code":
+      return "Your sign-in code";
     default:
       return "Email from hazo_auth";
   }

package/cli-src/lib/services/email_template_manifest.ts

@@ -101,4 +101,21 @@ export const hazo_auth_template_manifest: SystemTemplateManifest[] = [
       },
     ],
   },
+  {
+    template_name: "otp_signin_code",
+    template_label: "OTP sign-in code",
+    category: SYSTEM_CATEGORY,
+    html: read_template("otp_signin_code", "html"),
+    text: read_template("otp_signin_code", "txt"),
+    variables: [
+      {
+        variable_name: "otp_code",
+        variable_description: "6-digit OTP code for email sign-in (v6.1.0+)",
+      },
+      {
+        variable_name: "expires_in_minutes",
+        variable_description: "Number of minutes until the OTP code expires",
+      },
+    ],
+  },
 ];

package/cli-src/lib/services/email_templates/otp_signin_code.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Your sign-in code</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <p>Your sign-in code is:</p>
+  <p style="font-size: 28px; font-weight: bold; letter-spacing: 0.2em; font-family: monospace; margin: 16px 0;">{{otp_code}}</p>
+  <p>This code expires in {{expires_in_minutes}} minutes.</p>
+  <p style="color: #666; font-size: 12px;">If you didn't request this code, you can safely ignore this email.</p>
+</body>
+</html>

package/cli-src/lib/services/email_templates/otp_signin_code.txt

@@ -0,0 +1,5 @@
+Your sign-in code is: {{otp_code}}
+
+This code expires in {{expires_in_minutes}} minutes.
+
+If you didn't request this code, you can safely ignore this email.

package/cli-src/lib/services/index.ts

@@ -20,5 +20,11 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
-
-
+export {
+  request_email_otp,
+  verify_email_otp,
+  generate_otp_code,
+  hash_otp_code,
+  verify_otp_code,
+} from "./otp_service.js";
+export type { RequestEmailOTPResult, VerifyEmailOTPResult } from "./otp_service";

package/cli-src/lib/services/otp_service.ts

@@ -0,0 +1,295 @@
+import "server-only";
+import crypto from "node:crypto";
+import argon2 from "argon2";
+import { createCrudService } from "hazo_connect/server";
+import { get_otp_config, hazo_auth_otp_session_ttl_seconds } from "../otp_config.server.js";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { send_template_email } from "./email_service.js";
+import { create_app_logger } from "../app_logger.js";
+import { create_session_token } from "./session_token_service.js";
+
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export function generate_otp_code(): string {
+  const n = crypto.randomInt(0, 1_000_000);
+  return String(n).padStart(6, "0");
+}
+
+export async function hash_otp_code(code: string): Promise<string> {
+  return argon2.hash(code);
+}
+
+export async function verify_otp_code(otp_hash: string, code: string): Promise<boolean> {
+  try {
+    return await argon2.verify(otp_hash, code);
+  } catch {
+    return false;
+  }
+}
+
+// section: types
+
+export type RequestEmailOTPResult =
+  | { ok: true }
+  | { ok: false; error: "rate_limited"; retry_after_seconds: number };
+
+// section: request_email_otp
+
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export async function request_email_otp(args: {
+  email: string;
+  ip: string;
+}): Promise<RequestEmailOTPResult> {
+  const logger = create_app_logger();
+  const cfg = get_otp_config();
+  const email = args.email.trim().toLowerCase();
+  const ip = args.ip;
+
+  const adapter = get_hazo_connect_instance();
+  const otp_table = createCrudService(adapter, "hazo_email_otps");
+  const users_table = createCrudService(adapter, "hazo_users");
+
+  // 1. Per-email rate limit
+  const email_window_ms = cfg.email_rate_limit_window_seconds * 1000;
+  const email_threshold = new Date(Date.now() - email_window_ms).toISOString();
+  const recent_for_email = await otp_table.list((qb) =>
+    qb
+      .select(["created_at"])
+      .where("email", "eq", email)
+      .where("created_at", "gte", email_threshold)
+  );
+  if (recent_for_email.length >= cfg.email_rate_limit_max) {
+    const oldest = recent_for_email
+      .map((r) => Date.parse(String(r.created_at)))
+      .sort((a, b) => a - b)[0];
+    const retry_after_seconds = Math.max(
+      1,
+      Math.ceil((oldest + email_window_ms - Date.now()) / 1000),
+    );
+    logger.warn("otp_request_email_rate_limited", { email, ip, retry_after_seconds });
+    return { ok: false, error: "rate_limited", retry_after_seconds };
+  }
+
+  // 2. Per-IP rate limit
+  const ip_window_ms = cfg.ip_rate_limit_window_seconds * 1000;
+  const ip_threshold = new Date(Date.now() - ip_window_ms).toISOString();
+  const recent_for_ip = await otp_table.list((qb) =>
+    qb
+      .select(["created_at"])
+      .where("requester_ip", "eq", ip)
+      .where("created_at", "gte", ip_threshold)
+  );
+  if (recent_for_ip.length >= cfg.ip_rate_limit_max) {
+    const oldest = recent_for_ip
+      .map((r) => Date.parse(String(r.created_at)))
+      .sort((a, b) => a - b)[0];
+    const retry_after_seconds = Math.max(
+      1,
+      Math.ceil((oldest + ip_window_ms - Date.now()) / 1000),
+    );
+    logger.warn("otp_request_ip_rate_limited", { email, ip, retry_after_seconds });
+    return { ok: false, error: "rate_limited", retry_after_seconds };
+  }
+
+  // 3. Lookup user
+  const existing_users = await users_table.findBy({ email_address: email });
+  const existing_user = existing_users.length > 0 ? existing_users[0] : null;
+
+  // 4. Unknown email + auto_register=false → silent no-op with constant-time padding
+  if (!existing_user && !cfg.auto_register) {
+    await argon2.hash("000000"); // constant-time padding — never stored
+    return { ok: true };
+  }
+
+  // 5. Mark any unconsumed rows for this email as superseded
+  try {
+    const unconsumed = await otp_table.list((qb) =>
+      qb
+        .select(["id"])
+        .where("email", "eq", email)
+        .where("consumed_at", "is", null)
+    );
+    for (const row of unconsumed) {
+      await otp_table.updateById(String(row.id), { consumed_at: new Date().toISOString() });
+    }
+  } catch {
+    // IS NULL filter may not be supported in all adapter versions — not critical
+  }
+
+  // 6. Generate code + hash + insert row
+  const code = generate_otp_code();
+  const otp_hash = await hash_otp_code(code);
+  const expires_at = new Date(Date.now() + cfg.code_ttl_seconds * 1000).toISOString();
+  const row_id = crypto.randomUUID();
+
+  await otp_table.insert({
+    id: row_id,
+    user_id: existing_user ? String(existing_user.id) : null,
+    email,
+    otp_hash,
+    expires_at,
+    attempt_count: 0,
+    requester_ip: ip,
+  });
+
+  // 7. Dispatch email — fire-and-forget; errors are logged but do not surface to caller
+  try {
+    await send_template_email("otp_signin_code", email, {
+      otp_code: code,
+      expires_in_minutes: String(Math.round(cfg.code_ttl_seconds / 60)),
+    });
+  } catch (err) {
+    logger.error("otp_request_email_dispatch_failed", {
+      email,
+      ip,
+      error: err instanceof Error ? err.message : String(err),
+    });
+    // Return ok:true to preserve no-enumeration property — caller cannot distinguish
+    // a missing user from a delivery failure.
+  }
+
+  return { ok: true };
+}
+
+// section: verify_email_otp
+
+export type VerifyEmailOTPResult =
+  | { ok: true; user_id: string; email: string; session_token: string }
+  | { ok: false; error: "invalid_or_expired" };
+
+export async function verify_email_otp(args: {
+  email: string;
+  code: string;
+  ip: string;
+}): Promise<VerifyEmailOTPResult> {
+  const logger = create_app_logger();
+  const cfg = get_otp_config();
+  const email = args.email.trim().toLowerCase();
+  const code = args.code.trim();
+
+  const adapter = get_hazo_connect_instance();
+  const otp_table = createCrudService(adapter, "hazo_email_otps");
+  const users_table = createCrudService(adapter, "hazo_users");
+  const user_scopes_table = createCrudService(adapter, "hazo_user_scopes");
+  const roles_table = createCrudService(adapter, "hazo_roles");
+
+  // 1. Find most-recent unconsumed row for this email
+  const now_iso = new Date().toISOString();
+  const candidates = await otp_table.list((qb) =>
+    qb
+      .select(["id", "user_id", "otp_hash", "expires_at", "attempt_count"])
+      .where("email", "eq", email)
+      .where("consumed_at", "is", null)
+      .order("created_at", "desc")
+      .limit(1)
+  );
+  const row = candidates.length > 0 ? candidates[0] : null;
+
+  if (!row) {
+    return { ok: false, error: "invalid_or_expired" };
+  }
+
+  // 2. Check expiry
+  const expires_at_ms = Date.parse(String(row.expires_at));
+  if (Number.isNaN(expires_at_ms) || expires_at_ms < Date.now()) {
+    return { ok: false, error: "invalid_or_expired" };
+  }
+
+  // 3. argon2 verify
+  const is_valid = await verify_otp_code(String(row.otp_hash), code);
+  if (!is_valid) {
+    const new_attempt_count = Number(row.attempt_count) + 1;
+    const updates: Record<string, unknown> = { attempt_count: new_attempt_count };
+    if (new_attempt_count >= cfg.max_verify_attempts) {
+      updates.consumed_at = now_iso; // poison
+    }
+    await otp_table.updateById(String(row.id), updates);
+    logger.info("otp_verify_invalid_code", {
+      email,
+      attempt_count: new_attempt_count,
+      poisoned: new_attempt_count >= cfg.max_verify_attempts,
+    });
+    return { ok: false, error: "invalid_or_expired" };
+  }
+
+  // 4. Mark consumed
+  await otp_table.updateById(String(row.id), { consumed_at: now_iso });
+
+  // 5. Resolve / create user
+  let user_id: string | null = row.user_id ? String(row.user_id) : null;
+
+  if (user_id) {
+    // Ensure email_verified=true
+    const user = await users_table.findById(user_id);
+    if (user && !user.email_verified) {
+      await users_table.updateById(user_id, { email_verified: true });
+    }
+  } else if (cfg.auto_register) {
+    // Create user + bind scope/role
+    const new_user_id = crypto.randomUUID();
+    await users_table.insert({
+      id: new_user_id,
+      email_address: email,
+      email_verified: true,
+      password_hash: null,
+      name: null,
+    });
+
+    // Resolve role_id from name — try scope-specific first, then any
+    const scoped_roles = await roles_table.findBy({
+      name: cfg.auto_assign_role_name,
+      scope_id: cfg.auto_assign_scope_id,
+    });
+    let role_id: string | null = null;
+    if (scoped_roles.length > 0) {
+      role_id = String(scoped_roles[0].id);
+    } else {
+      const any_roles = await roles_table.findBy({ name: cfg.auto_assign_role_name });
+      if (any_roles.length > 0) {
+        role_id = String(any_roles[0].id);
+      }
+    }
+
+    if (!role_id) {
+      logger.error("otp_verify_auto_register_role_not_found", {
+        email,
+        scope_id: cfg.auto_assign_scope_id,
+        role_name: cfg.auto_assign_role_name,
+      });
+      return { ok: false, error: "invalid_or_expired" };
+    }
+
+    await user_scopes_table.insert({
+      user_id: new_user_id,
+      scope_id: cfg.auto_assign_scope_id,
+      root_scope_id: cfg.auto_assign_scope_id,
+      role_id,
+    });
+
+    user_id = new_user_id;
+  } else {
+    // Row exists but no user and auto_register=false — stale edge case
+    logger.warn("otp_verify_no_user_resolvable", { email });
+    return { ok: false, error: "invalid_or_expired" };
+  }
+
+  // 6. Issue session JWT with OTP TTL
+  const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+  const session_token = await create_session_token(user_id, email, undefined, ttl_seconds);
+
+  logger.info("otp_verify_ok", { email, user_id, ttl_seconds });
+  return { ok: true, user_id, email, session_token };
+}

package/cli-src/lib/services/session_token_service.ts

@@ -63,19 +63,22 @@ function get_session_token_expiry_seconds(): number {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
+ * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
+ * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
 export async function create_session_token(
   user_id: string,
   email: string,
   managed_by_user_id?: string,
+  ttl_seconds?: number,
 ): Promise<string> {
   const logger = create_app_logger();
 
   try {
     const secret = get_jwt_secret();
     const now = Math.floor(Date.now() / 1000); // Current time in seconds
-    const expiry_seconds = get_session_token_expiry_seconds();
+    const expiry_seconds = ttl_seconds ?? get_session_token_expiry_seconds();
     const exp = now + expiry_seconds;
 
     const payload: Record<string, unknown> = { user_id, email };

package/config/hazo_auth_config.example.ini

@@ -159,6 +159,11 @@ enable_admin_ui = true
 # Success message (shown when no redirect route is provided)
 # success_message = Successfully logged in
 
+; OTP sign-in link in the login layout.
+otp_signin_enabled = false
+otp_signin_label = Sign in with email code
+otp_signin_href = /hazo_auth/otp
+
 [hazo_auth__forgot_password_layout]
 # Image configuration
 # image_src = /globe.svg
@@ -729,3 +734,36 @@ company_name = My Company
 #   [hazo_auth__login_layout]
 #   image_src = /your-custom-image.jpg
 
+[hazo_auth__otp]
+; Email-OTP sign-in configuration (v6.1.0+).
+;
+; Whether /otp/verify may create new hazo_users rows for unknown emails.
+;   false (default): /otp/request silently no-ops for unknown emails.
+;   true:            /otp/verify creates a user row on first successful code match.
+otp_auto_register = false
+
+; OTP code lifetime in seconds (default 600 = 10 minutes).
+otp_code_ttl_seconds = 600
+
+; OTP session lifetime in seconds (default 604800 = 7 days).
+otp_session_ttl_seconds = 604800
+
+; Sliding-session threshold: if a /me call lands and the JWT exp is within
+; this many seconds, re-issue the session for another otp_session_ttl_seconds.
+otp_slide_when_within_seconds = 86400
+
+; Per-email rate limit for /otp/request.
+otp_email_rate_limit_max = 3
+otp_email_rate_limit_window_seconds = 900
+
+; Per-IP rate limit for /otp/request.
+otp_ip_rate_limit_max = 20
+otp_ip_rate_limit_window_seconds = 3600
+
+; Wrong-guess limit per code; row is poisoned after this many failures.
+otp_max_verify_attempts = 5
+
+; Scope binding for newly auto-registered users (only used when otp_auto_register=true).
+otp_auto_assign_scope_id = 00000000-0000-0000-0000-000000000001
+otp_auto_assign_role_name = member
+

package/dist/cli/generate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generate.d.ts","sourceRoot":"","sources":["../../src/cli/generate.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAiMF,wBAAgB,eAAe,CAAC,OAAO,GAAE,eAAoB,GAAG,IAAI,CA8DnE"}
+{"version":3,"file":"generate.d.ts","sourceRoot":"","sources":["../../src/cli/generate.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AA0MF,wBAAgB,eAAe,CAAC,OAAO,GAAE,eAAoB,GAAG,IAAI,CA8DnE"}