hazo_auth 5.3.1 → 6.1.1

package/dist/lib/services/otp_service.d.ts

@@ -0,0 +1,46 @@
+import "server-only";
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export declare function generate_otp_code(): string;
+export declare function hash_otp_code(code: string): Promise<string>;
+export declare function verify_otp_code(otp_hash: string, code: string): Promise<boolean>;
+export type RequestEmailOTPResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: "rate_limited";
+    retry_after_seconds: number;
+};
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export declare function request_email_otp(args: {
+    email: string;
+    ip: string;
+}): Promise<RequestEmailOTPResult>;
+export type VerifyEmailOTPResult = {
+    ok: true;
+    user_id: string;
+    email: string;
+    session_token: string;
+} | {
+    ok: false;
+    error: "invalid_or_expired";
+};
+export declare function verify_email_otp(args: {
+    email: string;
+    code: string;
+    ip: string;
+}): Promise<VerifyEmailOTPResult>;
+//# sourceMappingURL=otp_service.d.ts.map

package/dist/lib/services/otp_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/otp_service.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAUrB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtF;AAID,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,cAAc,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,CAAC;AAItE;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA8GjC;AAID,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAE/C,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsHhC"}

package/dist/lib/services/otp_service.js

@@ -0,0 +1,238 @@
+import "server-only";
+import crypto from "node:crypto";
+import argon2 from "argon2";
+import { createCrudService } from "hazo_connect/server";
+import { get_otp_config, hazo_auth_otp_session_ttl_seconds } from "../otp_config.server.js";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { send_template_email } from "./email_service.js";
+import { create_app_logger } from "../app_logger.js";
+import { create_session_token } from "./session_token_service.js";
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export function generate_otp_code() {
+    const n = crypto.randomInt(0, 1000000);
+    return String(n).padStart(6, "0");
+}
+export async function hash_otp_code(code) {
+    return argon2.hash(code);
+}
+export async function verify_otp_code(otp_hash, code) {
+    try {
+        return await argon2.verify(otp_hash, code);
+    }
+    catch (_a) {
+        return false;
+    }
+}
+// section: request_email_otp
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export async function request_email_otp(args) {
+    const logger = create_app_logger();
+    const cfg = get_otp_config();
+    const email = args.email.trim().toLowerCase();
+    const ip = args.ip;
+    const adapter = get_hazo_connect_instance();
+    const otp_table = createCrudService(adapter, "hazo_email_otps");
+    const users_table = createCrudService(adapter, "hazo_users");
+    // 1. Per-email rate limit
+    const email_window_ms = cfg.email_rate_limit_window_seconds * 1000;
+    const email_threshold = new Date(Date.now() - email_window_ms).toISOString();
+    const recent_for_email = await otp_table.list((qb) => qb
+        .select(["created_at"])
+        .where("email", "eq", email)
+        .where("created_at", "gte", email_threshold));
+    if (recent_for_email.length >= cfg.email_rate_limit_max) {
+        const oldest = recent_for_email
+            .map((r) => Date.parse(String(r.created_at)))
+            .sort((a, b) => a - b)[0];
+        const retry_after_seconds = Math.max(1, Math.ceil((oldest + email_window_ms - Date.now()) / 1000));
+        logger.warn("otp_request_email_rate_limited", { email, ip, retry_after_seconds });
+        return { ok: false, error: "rate_limited", retry_after_seconds };
+    }
+    // 2. Per-IP rate limit
+    const ip_window_ms = cfg.ip_rate_limit_window_seconds * 1000;
+    const ip_threshold = new Date(Date.now() - ip_window_ms).toISOString();
+    const recent_for_ip = await otp_table.list((qb) => qb
+        .select(["created_at"])
+        .where("requester_ip", "eq", ip)
+        .where("created_at", "gte", ip_threshold));
+    if (recent_for_ip.length >= cfg.ip_rate_limit_max) {
+        const oldest = recent_for_ip
+            .map((r) => Date.parse(String(r.created_at)))
+            .sort((a, b) => a - b)[0];
+        const retry_after_seconds = Math.max(1, Math.ceil((oldest + ip_window_ms - Date.now()) / 1000));
+        logger.warn("otp_request_ip_rate_limited", { email, ip, retry_after_seconds });
+        return { ok: false, error: "rate_limited", retry_after_seconds };
+    }
+    // 3. Lookup user
+    const existing_users = await users_table.findBy({ email_address: email });
+    const existing_user = existing_users.length > 0 ? existing_users[0] : null;
+    // 4. Unknown email + auto_register=false → silent no-op with constant-time padding
+    if (!existing_user && !cfg.auto_register) {
+        await argon2.hash("000000"); // constant-time padding — never stored
+        return { ok: true };
+    }
+    // 5. Mark any unconsumed rows for this email as superseded
+    try {
+        const unconsumed = await otp_table.list((qb) => qb
+            .select(["id"])
+            .where("email", "eq", email)
+            .where("consumed_at", "is", null));
+        for (const row of unconsumed) {
+            await otp_table.updateById(String(row.id), { consumed_at: new Date().toISOString() });
+        }
+    }
+    catch (_a) {
+        // IS NULL filter may not be supported in all adapter versions — not critical
+    }
+    // 6. Generate code + hash + insert row
+    const code = generate_otp_code();
+    const otp_hash = await hash_otp_code(code);
+    const expires_at = new Date(Date.now() + cfg.code_ttl_seconds * 1000).toISOString();
+    const row_id = crypto.randomUUID();
+    await otp_table.insert({
+        id: row_id,
+        user_id: existing_user ? String(existing_user.id) : null,
+        email,
+        otp_hash,
+        expires_at,
+        attempt_count: 0,
+        requester_ip: ip,
+    });
+    // 7. Dispatch email — fire-and-forget; errors are logged but do not surface to caller
+    try {
+        await send_template_email("otp_signin_code", email, {
+            otp_code: code,
+            expires_in_minutes: String(Math.round(cfg.code_ttl_seconds / 60)),
+        });
+    }
+    catch (err) {
+        logger.error("otp_request_email_dispatch_failed", {
+            email,
+            ip,
+            error: err instanceof Error ? err.message : String(err),
+        });
+        // Return ok:true to preserve no-enumeration property — caller cannot distinguish
+        // a missing user from a delivery failure.
+    }
+    return { ok: true };
+}
+export async function verify_email_otp(args) {
+    const logger = create_app_logger();
+    const cfg = get_otp_config();
+    const email = args.email.trim().toLowerCase();
+    const code = args.code.trim();
+    const adapter = get_hazo_connect_instance();
+    const otp_table = createCrudService(adapter, "hazo_email_otps");
+    const users_table = createCrudService(adapter, "hazo_users");
+    const user_scopes_table = createCrudService(adapter, "hazo_user_scopes");
+    const roles_table = createCrudService(adapter, "hazo_roles");
+    // 1. Find most-recent unconsumed row for this email
+    const now_iso = new Date().toISOString();
+    const candidates = await otp_table.list((qb) => qb
+        .select(["id", "user_id", "otp_hash", "expires_at", "attempt_count"])
+        .where("email", "eq", email)
+        .where("consumed_at", "is", null)
+        .order("created_at", "desc")
+        .limit(1));
+    const row = candidates.length > 0 ? candidates[0] : null;
+    if (!row) {
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 2. Check expiry
+    const expires_at_ms = Date.parse(String(row.expires_at));
+    if (Number.isNaN(expires_at_ms) || expires_at_ms < Date.now()) {
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 3. argon2 verify
+    const is_valid = await verify_otp_code(String(row.otp_hash), code);
+    if (!is_valid) {
+        const new_attempt_count = Number(row.attempt_count) + 1;
+        const updates = { attempt_count: new_attempt_count };
+        if (new_attempt_count >= cfg.max_verify_attempts) {
+            updates.consumed_at = now_iso; // poison
+        }
+        await otp_table.updateById(String(row.id), updates);
+        logger.info("otp_verify_invalid_code", {
+            email,
+            attempt_count: new_attempt_count,
+            poisoned: new_attempt_count >= cfg.max_verify_attempts,
+        });
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 4. Mark consumed
+    await otp_table.updateById(String(row.id), { consumed_at: now_iso });
+    // 5. Resolve / create user
+    let user_id = row.user_id ? String(row.user_id) : null;
+    if (user_id) {
+        // Ensure email_verified=true
+        const user = await users_table.findById(user_id);
+        if (user && !user.email_verified) {
+            await users_table.updateById(user_id, { email_verified: true });
+        }
+    }
+    else if (cfg.auto_register) {
+        // Create user + bind scope/role
+        const new_user_id = crypto.randomUUID();
+        await users_table.insert({
+            id: new_user_id,
+            email_address: email,
+            email_verified: true,
+            password_hash: null,
+            name: null,
+        });
+        // Resolve role_id from name — try scope-specific first, then any
+        const scoped_roles = await roles_table.findBy({
+            name: cfg.auto_assign_role_name,
+            scope_id: cfg.auto_assign_scope_id,
+        });
+        let role_id = null;
+        if (scoped_roles.length > 0) {
+            role_id = String(scoped_roles[0].id);
+        }
+        else {
+            const any_roles = await roles_table.findBy({ name: cfg.auto_assign_role_name });
+            if (any_roles.length > 0) {
+                role_id = String(any_roles[0].id);
+            }
+        }
+        if (!role_id) {
+            logger.error("otp_verify_auto_register_role_not_found", {
+                email,
+                scope_id: cfg.auto_assign_scope_id,
+                role_name: cfg.auto_assign_role_name,
+            });
+            return { ok: false, error: "invalid_or_expired" };
+        }
+        await user_scopes_table.insert({
+            user_id: new_user_id,
+            scope_id: cfg.auto_assign_scope_id,
+            root_scope_id: cfg.auto_assign_scope_id,
+            role_id,
+        });
+        user_id = new_user_id;
+    }
+    else {
+        // Row exists but no user and auto_register=false — stale edge case
+        logger.warn("otp_verify_no_user_resolvable", { email });
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 6. Issue session JWT with OTP TTL
+    const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+    const session_token = await create_session_token(user_id, email, undefined, ttl_seconds);
+    logger.info("otp_verify_ok", { email, user_id, ttl_seconds });
+    return { ok: true, user_id, email, session_token };
+}

package/dist/lib/services/session_token_service.d.ts

@@ -16,9 +16,11 @@ export type ValidateSessionTokenResult = {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
+ * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
+ * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
-export declare function create_session_token(user_id: string, email: string, managed_by_user_id?: string): Promise<string>;
+export declare function create_session_token(user_id: string, email: string, managed_by_user_id?: string, ttl_seconds?: number): Promise<string>;
 /**
  * Validates a JWT session token
  * Checks signature and expiration

package/dist/lib/services/session_token_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}
+{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,EAC3B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}

package/dist/lib/services/session_token_service.js

@@ -41,14 +41,16 @@ function get_session_token_expiry_seconds() {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
+ * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
+ * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
-export async function create_session_token(user_id, email, managed_by_user_id) {
+export async function create_session_token(user_id, email, managed_by_user_id, ttl_seconds) {
     const logger = create_app_logger();
     try {
         const secret = get_jwt_secret();
         const now = Math.floor(Date.now() / 1000); // Current time in seconds
-        const expiry_seconds = get_session_token_expiry_seconds();
+        const expiry_seconds = ttl_seconds !== null && ttl_seconds !== void 0 ? ttl_seconds : get_session_token_expiry_seconds();
         const exp = now + expiry_seconds;
         const payload = { user_id, email };
         if (managed_by_user_id) {

package/dist/page_components/otp.d.ts

@@ -0,0 +1,4 @@
+import "server-only";
+export { default, OTPPage } from "../server_pages/otp.js";
+export type { OTPPageProps } from "../server_pages/otp";
+//# sourceMappingURL=otp.d.ts.map

package/dist/page_components/otp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp.d.ts","sourceRoot":"","sources":["../../src/page_components/otp.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACvD,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/page_components/otp.js

@@ -0,0 +1,5 @@
+// file_description: zero-config OTP page component for hazo_auth
+// section: server-only-guard
+import "server-only";
+// section: imports
+export { default, OTPPage } from "../server_pages/otp.js";

package/dist/server/routes/index.d.ts

@@ -8,6 +8,8 @@ export { POST as changePasswordPOST } from "./change_password.js";
 export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";
 export { DELETE as removeProfilePictureDELETE } from "./remove_profile_picture.js";

package/dist/server/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAC5I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAC5I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/server/routes/index.js

@@ -13,6 +13,9 @@ export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 // Email verification routes
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
+// OTP routes (one-time password via email)
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
 // User profile routes
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";

package/dist/server/routes/me.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA+G7C"}
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA+BxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IAqJ7C"}

package/dist/server/routes/me.js

@@ -1,6 +1,7 @@
 // file_description: API route handler to get current authenticated user information with permissions
 // section: imports
 import { NextResponse } from "next/server";
+import { jwtVerify } from "jose";
 import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
@@ -8,6 +9,9 @@ import { map_db_source_to_ui } from "../../lib/services/profile_picture_source_m
 import { create_app_logger } from "../../lib/app_logger.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { is_user_types_enabled, get_user_type_by_key, } from "../../lib/user_types_config.server.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES, } from "../../lib/cookies_config.server.js";
+import { create_session_token } from "../../lib/services/session_token_service.js";
+import { get_otp_config, hazo_auth_otp_session_ttl_seconds, } from "../../lib/otp_config.server.js";
 // section: helpers
 function strip_sentinel_email(email) {
     if (!email)
@@ -24,6 +28,7 @@ function strip_sentinel_email(email) {
  * Always returns the same format to prevent downstream variations.
  */
 export async function GET(request) {
+    var _a, _b, _c, _d, _e, _f;
     const logger = create_app_logger();
     try {
         // Use hazo_get_auth to get user with permissions
@@ -70,7 +75,7 @@ export async function GET(request) {
         }
         // Return unified format with all fields
         const profile_pic = auth_result.user.profile_picture_url;
-        return NextResponse.json({
+        const response = NextResponse.json({
             authenticated: true,
             // Top-level fields for backward compatibility
             user_id: auth_result.user.id,
@@ -100,6 +105,43 @@ export async function GET(request) {
             permission_ok: auth_result.permission_ok,
             missing_permissions: auth_result.missing_permissions,
         }, { status: 200 });
+        // --- OTP sliding-session hook ---
+        const session_kind = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND))) === null || _a === void 0 ? void 0 : _a.value;
+        if (session_kind === "otp") {
+            try {
+                const session_cookie = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))) === null || _b === void 0 ? void 0 : _b.value;
+                if (session_cookie) {
+                    const secret = new TextEncoder().encode((_c = process.env.JWT_SECRET) !== null && _c !== void 0 ? _c : "");
+                    const { payload } = await jwtVerify(session_cookie, secret);
+                    const exp = Number((_d = payload.exp) !== null && _d !== void 0 ? _d : 0);
+                    const now_seconds = Math.floor(Date.now() / 1000);
+                    const otp_cfg = get_otp_config();
+                    const seconds_until_exp = exp - now_seconds;
+                    if (seconds_until_exp > 0 && seconds_until_exp < otp_cfg.slide_when_within_seconds) {
+                        const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+                        const user_id = String((_e = payload.user_id) !== null && _e !== void 0 ? _e : "");
+                        const user_email = String((_f = payload.email) !== null && _f !== void 0 ? _f : "");
+                        const new_token = await create_session_token(user_id, user_email, undefined, ttl_seconds);
+                        const cookie_options = get_cookie_options({
+                            httpOnly: true,
+                            secure: process.env.NODE_ENV === "production",
+                            sameSite: "lax",
+                            path: "/",
+                            maxAge: ttl_seconds,
+                        });
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), new_token, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), user_email, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "otp", cookie_options);
+                    }
+                }
+            }
+            catch (slide_err) {
+                // Slide is best-effort — never break /me for this
+            }
+        }
+        // --- end OTP sliding-session hook ---
+        return response;
     }
     catch (error) {
         const error_message = error instanceof Error ? error.message : "Unknown error";

package/dist/server/routes/otp/request.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from "next/server";
+export declare function otpRequestPOST(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=request.d.ts.map

package/dist/server/routes/otp/request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../../../src/server/routes/otp/request.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAYxD,wBAAsB,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAsBhF"}

package/dist/server/routes/otp/request.js

@@ -0,0 +1,33 @@
+// file_description: API route handler for OTP request (sends OTP email to user)
+// section: imports
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { request_email_otp } from "../../../lib/services/otp_service.js";
+import { get_client_ip } from "../../../lib/auth/hazo_get_auth.server.js";
+import { create_app_logger } from "../../../lib/app_logger.js";
+// section: validation
+const RequestSchema = z.object({
+    email: z.string().email().max(254),
+});
+// section: api_handler
+export async function otpRequestPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const body_raw = await request.json().catch(() => ({}));
+        const parsed = RequestSchema.safeParse(body_raw);
+        if (!parsed.success) {
+            return NextResponse.json({ ok: false, error: "invalid_email" }, { status: 400 });
+        }
+        const ip = get_client_ip(request);
+        const result = await request_email_otp({ email: parsed.data.email, ip });
+        if (result.ok === false && result.error === "rate_limited") {
+            return NextResponse.json(result, { status: 429 });
+        }
+        return NextResponse.json({ ok: true }, { status: 200 });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("otp_request_route_error", { error: msg });
+        return NextResponse.json({ ok: false, error: "server_error" }, { status: 500 });
+    }
+}

package/dist/server/routes/otp/verify.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from "next/server";
+export declare function otpVerifyPOST(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/server/routes/otp/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../../src/server/routes/otp/verify.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAmBxD,wBAAsB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAmD/E"}

package/dist/server/routes/otp/verify.js

@@ -0,0 +1,58 @@
+// file_description: API route handler for OTP verify (validates code and issues session cookies)
+// section: imports
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { verify_email_otp } from "../../../lib/services/otp_service.js";
+import { hazo_auth_otp_session_ttl_seconds } from "../../../lib/otp_config.server.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES, } from "../../../lib/cookies_config.server.js";
+import { get_client_ip } from "../../../lib/auth/hazo_get_auth.server.js";
+import { create_app_logger } from "../../../lib/app_logger.js";
+// section: validation
+const VerifySchema = z.object({
+    email: z.string().email().max(254),
+    code: z.string().regex(/^\d{6}$/),
+});
+// section: api_handler
+export async function otpVerifyPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const body_raw = await request.json().catch(() => ({}));
+        const parsed = VerifySchema.safeParse(body_raw);
+        if (!parsed.success) {
+            return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 400 });
+        }
+        const ip = get_client_ip(request);
+        const result = await verify_email_otp({
+            email: parsed.data.email,
+            code: parsed.data.code,
+            ip,
+        });
+        if (result.ok === false) {
+            return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 400 });
+        }
+        const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+        const base_cookie_options = {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === "production",
+            sameSite: "lax",
+            path: "/",
+            maxAge: ttl_seconds,
+        };
+        const cookie_options = get_cookie_options(base_cookie_options);
+        const response = NextResponse.json({
+            ok: true,
+            user_id: result.user_id,
+            email: result.email,
+        });
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), result.session_token, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), result.user_id, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), result.email, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "otp", cookie_options);
+        return response;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("otp_verify_route_error", { error: msg });
+        return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 400 });
+    }
+}

package/dist/server-lib.d.ts

@@ -24,6 +24,9 @@ export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled, }
 export type { OAuthConfig } from "./lib/oauth_config.server";
 export { get_branding_config, is_branding_enabled, is_allowed_logo_format, get_max_logo_size_bytes, } from "./lib/branding_config.server.js";
 export type { FirmBrandingConfig } from "./lib/branding_config.server";
+export { get_otp_config, hazo_auth_otp_session_ttl_seconds, OTP_CONFIG_DEFAULTS } from "./lib/otp_config.server.js";
+export type { OtpConfig } from "./lib/otp_config.server";
+export { request_email_otp, verify_email_otp } from "./lib/services/otp_service.js";
 export { create_sqlite_hazo_connect } from "./lib/hazo_connect_setup.js";
 export { get_hazo_connect_instance } from "./lib/hazo_connect_instance.server.js";
 export { create_app_logger } from "./lib/app_logger.js";

package/dist/server-lib.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAGrF,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}
+{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAGrF,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,cAAc,EAAE,iCAAiC,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AACjH,YAAY,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAGjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}

package/dist/server-lib.js

@@ -37,6 +37,8 @@ export { get_user_fields_config } from "./lib/user_fields_config.server.js";
 export { get_file_types_config } from "./lib/file_types_config.server.js";
 export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled, } from "./lib/oauth_config.server.js";
 export { get_branding_config, is_branding_enabled, is_allowed_logo_format, get_max_logo_size_bytes, } from "./lib/branding_config.server.js";
+export { get_otp_config, hazo_auth_otp_session_ttl_seconds, OTP_CONFIG_DEFAULTS } from "./lib/otp_config.server.js";
+export { request_email_otp, verify_email_otp } from "./lib/services/otp_service.js";
 // section: hazo_connect_exports
 export { create_sqlite_hazo_connect } from "./lib/hazo_connect_setup.js";
 export { get_hazo_connect_instance } from "./lib/hazo_connect_instance.server.js";

package/dist/server_pages/forgot_password.d.ts

@@ -50,6 +50,6 @@ export type ForgotPasswordPageProps = {
  * @param props - Optional visual and navigation customization props
  * @returns Server-rendered forgot password page
  */
-export default function ForgotPasswordPage({ image_src, image_alt, image_background_color, sign_in_path, sign_in_label, }?: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
+export default function ForgotPasswordPage(props: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
 export { ForgotPasswordPage };
 //# sourceMappingURL=forgot_password.d.ts.map

package/dist/server_pages/forgot_password.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/server_pages/forgot_password.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAQrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,uBAAuB,GAAG;IACpC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,kBAAkB,CAAC,EACzC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,YAAgD,EAChD,aAAkD,GACnD,GAAE,uBAA4B,2CA0B9B;AAGD,OAAO,EAAE,kBAAkB,EAAE,CAAC"}
+{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/server_pages/forgot_password.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAQrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,uBAAuB,GAAG;IACpC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,kBAAkB,CAAC,KAAK,EAAE,uBAAuB,2CAiCxE;AAGD,OAAO,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/server_pages/forgot_password.js

@@ -31,7 +31,8 @@ import { DEFAULT_FORGOT_PASSWORD } from "../lib/config/default_config.js";
  * @param props - Optional visual and navigation customization props
  * @returns Server-rendered forgot password page
  */
-export default function ForgotPasswordPage({ image_src, image_alt, image_background_color, sign_in_path = DEFAULT_FORGOT_PASSWORD.loginPath, sign_in_label = DEFAULT_FORGOT_PASSWORD.loginLabel, } = {}) {
+export default function ForgotPasswordPage(props) {
+    const { image_src, image_alt, image_background_color, sign_in_path = DEFAULT_FORGOT_PASSWORD.loginPath, sign_in_label = DEFAULT_FORGOT_PASSWORD.loginLabel, } = props !== null && props !== void 0 ? props : {};
     // Load configuration from INI file (with defaults including asset images)
     const config = get_forgot_password_config();
     // Use props if provided, otherwise fall back to config (which includes default asset image)