hazo_auth 6.0.0 → 7.0.1

package/cli-src/lib/email_verification_config.server.ts

@@ -4,12 +4,6 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
-import { get_config_value } from "./config/config_loader.server.js";
-
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.jpg";
 
 // section: types
 export type EmailVerificationConfig = {
@@ -18,9 +12,6 @@ export type EmailVerificationConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -30,40 +21,15 @@ export type EmailVerificationConfig = {
  * @returns Email verification configuration options
  */
 export function get_email_verification_config(): EmailVerificationConfig {
-  const section = "hazo_auth__email_verification_layout";
-
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_VERIFY_EMAIL_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Email verification illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/forgot_password_config.server.ts

@@ -4,12 +4,6 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
-import { get_config_value } from "./config/config_loader.server.js";
-
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_FORGOT_PASSWORD_IMAGE_PATH = "/hazo_auth/images/forgot_password_default.jpg";
 
 // section: types
 export type ForgotPasswordConfig = {
@@ -18,9 +12,6 @@ export type ForgotPasswordConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -30,40 +21,15 @@ export type ForgotPasswordConfig = {
  * @returns Forgot password configuration options
  */
 export function get_forgot_password_config(): ForgotPasswordConfig {
-  const section = "hazo_auth__forgot_password_layout";
-
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_FORGOT_PASSWORD_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Password recovery illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/login_config.server.ts

@@ -7,11 +7,6 @@ import { get_config_value, get_config_value_allow_empty } from "./config/config_
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_oauth_config, type OAuthConfig } from "./oauth_config.server.js";
 
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_LOGIN_IMAGE_PATH = "/hazo_auth/images/login_default.jpg";
-
 // section: types
 export type LoginConfig = {
   redirectRoute?: string;
@@ -26,11 +21,14 @@ export type LoginConfig = {
   createAccountPath: string;
   createAccountLabel: string;
   showCreateAccountLink: boolean;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: OAuthConfig;
+  /** Whether the OTP sign-in link is shown below the login form */
+  otpSigninEnabled: boolean;
+  /** Label for the OTP sign-in link */
+  otpSigninLabel: string;
+  /** href for the OTP sign-in link */
+  otpSigninHref: string;
 };
 
 // section: helpers
@@ -71,29 +69,14 @@ export function get_login_config(): LoginConfig {
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_LOGIN_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Secure login illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   // Get OAuth configuration
   const oauth = get_oauth_config();
 
+  // OTP sign-in link
+  const otpSigninEnabled = get_config_value(section, "otp_signin_enabled", "false") === "true";
+  const otpSigninLabel = get_config_value(section, "otp_signin_label", "Sign in with email code");
+  const otpSigninHref = get_config_value(section, "otp_signin_href", "/hazo_auth/otp");
+
   return {
     redirectRoute,
     successMessage,
@@ -107,10 +90,10 @@ export function get_login_config(): LoginConfig {
     createAccountPath,
     createAccountLabel,
     showCreateAccountLink,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
     oauth,
+    otpSigninEnabled,
+    otpSigninLabel,
+    otpSigninHref,
   };
 }
 

package/cli-src/lib/my_settings_config.server.ts

@@ -34,7 +34,6 @@ export type MySettingsConfig = {
     user_photo_default_priority2?: "library" | "gravatar";
     library_photo_path: string;
   };
-  heading?: string;
   subHeading?: string;
   profilePhotoLabel?: string;
   profilePhotoRecommendation?: string;
@@ -95,7 +94,6 @@ export function get_my_settings_config(): MySettingsConfig {
   const fileTypes = get_file_types_config();
 
   // Read optional labels with defaults
-  const heading = get_config_value(section, "heading", "Account Settings");
   const subHeading = get_config_value(section, "sub_heading", "Manage your profile, password, and email preferences.");
   const profilePhotoLabel = get_config_value(section, "profile_photo_label", "Profile Photo");
   const profilePhotoRecommendation = get_config_value(section, "profile_photo_recommendation", "Recommended size: 200x200px. JPG, PNG.");
@@ -115,7 +113,6 @@ export function get_my_settings_config(): MySettingsConfig {
     userFields,
     passwordRequirements,
     profilePicture,
-    heading,
     subHeading,
     profilePhotoLabel,
     profilePhotoRecommendation,

package/cli-src/lib/oauth_config.server.ts

@@ -10,12 +10,20 @@ import { DEFAULT_OAUTH } from "./config/default_config.js";
 export type OAuthConfig = {
   /** Enable Google OAuth login */
   enable_google: boolean;
+  /** Enable Facebook OAuth login */
+  enable_facebook: boolean;
   /** Enable traditional email/password login */
   enable_email_password: boolean;
   /** Auto-link Google login to existing unverified email/password accounts */
   auto_link_unverified_accounts: boolean;
+  /** Auto-link Google login to existing unverified email/password accounts (per-provider override) */
+  auto_link_unverified_accounts_google: boolean;
+  /** Auto-link Facebook login to existing unverified email/password accounts */
+  auto_link_unverified_accounts_facebook: boolean;
   /** Text displayed on the Google sign-in button */
   google_button_text: string;
+  /** Text displayed on the Facebook sign-in button */
+  facebook_button_text: string;
   /** Text displayed on the divider between OAuth and email/password form */
   oauth_divider_text: string;
   /** NextAuth signIn page path */
@@ -30,6 +38,10 @@ export type OAuthConfig = {
   skip_invitation_check: boolean;
   /** Redirect when skip_invitation_check=true and user has no scope */
   no_scope_redirect: string;
+  /** Facebook App ID from env HAZO_AUTH_FACEBOOK_APP_ID */
+  facebook_client_id: string | undefined;
+  /** Facebook App Secret from env HAZO_AUTH_FACEBOOK_APP_SECRET */
+  facebook_client_secret: string | undefined;
 };
 
 // section: constants
@@ -48,24 +60,51 @@ export function get_oauth_config(): OAuthConfig {
     DEFAULT_OAUTH.enable_google
   );
 
+  const enable_facebook = get_config_boolean(
+    SECTION_NAME,
+    "enable_facebook",
+    false
+  );
+
   const enable_email_password = get_config_boolean(
     SECTION_NAME,
     "enable_email_password",
     DEFAULT_OAUTH.enable_email_password
   );
 
+  // Generic key (backward compat)
   const auto_link_unverified_accounts = get_config_boolean(
     SECTION_NAME,
     "auto_link_unverified_accounts",
     DEFAULT_OAUTH.auto_link_unverified_accounts
   );
 
+  // Per-provider Google key (falls back to generic)
+  const auto_link_unverified_accounts_google = get_config_boolean(
+    SECTION_NAME,
+    "auto_link_unverified_accounts_google",
+    auto_link_unverified_accounts
+  );
+
+  // Per-provider Facebook key (defaults to false — don't auto-link Facebook unverified)
+  const auto_link_unverified_accounts_facebook = get_config_boolean(
+    SECTION_NAME,
+    "auto_link_unverified_accounts_facebook",
+    false
+  );
+
   const google_button_text = get_config_value(
     SECTION_NAME,
     "google_button_text",
     DEFAULT_OAUTH.google_button_text
   );
 
+  const facebook_button_text = get_config_value(
+    SECTION_NAME,
+    "facebook_button_text",
+    "Continue with Facebook"
+  );
+
   const oauth_divider_text = get_config_value(
     SECTION_NAME,
     "oauth_divider_text",
@@ -108,11 +147,18 @@ export function get_oauth_config(): OAuthConfig {
     DEFAULT_OAUTH.no_scope_redirect
   );
 
+  const facebook_client_id = process.env.HAZO_AUTH_FACEBOOK_APP_ID;
+  const facebook_client_secret = process.env.HAZO_AUTH_FACEBOOK_APP_SECRET;
+
   return {
     enable_google,
+    enable_facebook,
     enable_email_password,
     auto_link_unverified_accounts,
+    auto_link_unverified_accounts_google,
+    auto_link_unverified_accounts_facebook,
     google_button_text,
+    facebook_button_text,
     oauth_divider_text,
     sign_in_page,
     error_page,
@@ -120,6 +166,8 @@ export function get_oauth_config(): OAuthConfig {
     default_redirect,
     skip_invitation_check,
     no_scope_redirect,
+    facebook_client_id,
+    facebook_client_secret,
   };
 }
 
@@ -142,3 +190,13 @@ export function is_email_password_enabled(): boolean {
     DEFAULT_OAUTH.enable_email_password
   );
 }
+
+/**
+ * Helper to check if Facebook OAuth is enabled and credentials are present
+ * @returns true if Facebook OAuth is enabled and env vars are set
+ */
+export function is_facebook_oauth_enabled(): boolean {
+  const enabled = get_config_boolean(SECTION_NAME, "enable_facebook", false);
+  if (!enabled) return false;
+  return !!(process.env.HAZO_AUTH_FACEBOOK_APP_ID && process.env.HAZO_AUTH_FACEBOOK_APP_SECRET);
+}

package/cli-src/lib/otp_config.server.ts

@@ -0,0 +1,91 @@
+// file_description: server-only helper to read OTP sign-in configuration from hazo_auth_config.ini
+// section: server-only-guard
+import "server-only";
+
+// section: imports
+import { get_config_value, get_config_boolean, get_config_number } from "./config/config_loader.server.js";
+
+// section: defaults
+export const OTP_CONFIG_DEFAULTS = {
+  auto_register: false,
+  code_ttl_seconds: 600,
+  session_ttl_seconds: 604800,
+  slide_when_within_seconds: 86400,
+  email_rate_limit_max: 3,
+  email_rate_limit_window_seconds: 900,
+  ip_rate_limit_max: 20,
+  ip_rate_limit_window_seconds: 3600,
+  max_verify_attempts: 5,
+  auto_assign_scope_id: "00000000-0000-0000-0000-000000000001",
+  auto_assign_role_name: "member",
+} as const;
+
+// section: types
+export type OtpConfig = {
+  /** Whether to automatically register a new user when an unrecognised email requests an OTP */
+  auto_register: boolean;
+  /** How long (seconds) a generated OTP code is valid */
+  code_ttl_seconds: number;
+  /** How long (seconds) the session created after successful OTP verification lasts */
+  session_ttl_seconds: number;
+  /** Slide the session expiry when the remaining TTL falls below this many seconds */
+  slide_when_within_seconds: number;
+  /** Maximum OTP requests allowed per email address within the rate-limit window */
+  email_rate_limit_max: number;
+  /** Rate-limit window (seconds) for per-email OTP requests */
+  email_rate_limit_window_seconds: number;
+  /** Maximum OTP requests allowed per IP address within the rate-limit window */
+  ip_rate_limit_max: number;
+  /** Rate-limit window (seconds) for per-IP OTP requests */
+  ip_rate_limit_window_seconds: number;
+  /** Maximum failed verify attempts before the OTP code is invalidated */
+  max_verify_attempts: number;
+  /** Scope ID to auto-assign a newly registered OTP user to */
+  auto_assign_scope_id: string;
+  /** Role name to assign within the auto-assign scope */
+  auto_assign_role_name: string;
+};
+
+// section: helpers
+/**
+ * Reads OTP configuration from hazo_auth_config.ini [hazo_auth__otp] section.
+ * Falls back to defaults if the config file or section is missing.
+ */
+export function get_otp_config(): OtpConfig {
+  const section = "hazo_auth__otp";
+  const d = OTP_CONFIG_DEFAULTS;
+
+  return {
+    auto_register: get_config_boolean(section, "otp_auto_register", d.auto_register),
+    code_ttl_seconds: get_config_number(section, "otp_code_ttl_seconds", d.code_ttl_seconds),
+    session_ttl_seconds: get_config_number(section, "otp_session_ttl_seconds", d.session_ttl_seconds),
+    slide_when_within_seconds: get_config_number(
+      section,
+      "otp_slide_when_within_seconds",
+      d.slide_when_within_seconds
+    ),
+    email_rate_limit_max: get_config_number(section, "otp_email_rate_limit_max", d.email_rate_limit_max),
+    email_rate_limit_window_seconds: get_config_number(
+      section,
+      "otp_email_rate_limit_window_seconds",
+      d.email_rate_limit_window_seconds
+    ),
+    ip_rate_limit_max: get_config_number(section, "otp_ip_rate_limit_max", d.ip_rate_limit_max),
+    ip_rate_limit_window_seconds: get_config_number(
+      section,
+      "otp_ip_rate_limit_window_seconds",
+      d.ip_rate_limit_window_seconds
+    ),
+    max_verify_attempts: get_config_number(section, "otp_max_verify_attempts", d.max_verify_attempts),
+    auto_assign_scope_id: get_config_value(section, "otp_auto_assign_scope_id", d.auto_assign_scope_id),
+    auto_assign_role_name: get_config_value(section, "otp_auto_assign_role_name", d.auto_assign_role_name),
+  };
+}
+
+/**
+ * Convenience accessor — returns just the session TTL seconds from OTP config.
+ * Suitable for passing to token-creation utilities.
+ */
+export function hazo_auth_otp_session_ttl_seconds(): number {
+  return get_otp_config().session_ttl_seconds;
+}

package/cli-src/lib/register_config.server.ts

@@ -9,11 +9,6 @@ import { get_already_logged_in_config } from "./already_logged_in_config.server.
 import { get_user_fields_config } from "./user_fields_config.server.js";
 import { get_oauth_config } from "./oauth_config.server.js";
 
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_REGISTER_IMAGE_PATH = "/hazo_auth/images/register_default.jpg";
-
 // section: types
 export type RegisterConfig = {
   showNameField: boolean;
@@ -31,14 +26,13 @@ export type RegisterConfig = {
   returnHomePath: string;
   signInPath: string;
   signInLabel: string;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: {
     enable_google: boolean;
+    enable_facebook: boolean;
     enable_email_password: boolean;
     google_button_text: string;
+    facebook_button_text: string;
     oauth_divider_text: string;
   };
 };
@@ -77,26 +71,6 @@ export function get_register_config(): RegisterConfig {
     "Sign in"
   );
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    "hazo_auth__register_layout",
-    "image_src",
-    DEFAULT_REGISTER_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    "hazo_auth__register_layout",
-    "image_alt",
-    "Modern building representing user registration"
-  );
-  const imageBackgroundColor = get_config_value(
-    "hazo_auth__register_layout",
-    "image_background_color",
-    "#e2e8f0"
-  );
-
   // Get OAuth configuration (shared with login)
   const oauthConfig = get_oauth_config();
 
@@ -107,6 +81,13 @@ export function get_register_config(): RegisterConfig {
     "Sign up with Google"
   );
 
+  // For the register page, default Facebook button text to "Sign up with Facebook" unless overridden
+  const registerFacebookButtonText = get_config_value(
+    "hazo_auth__oauth",
+    "facebook_button_text_register",
+    "Sign up with Facebook"
+  );
+
   return {
     showNameField,
     passwordRequirements,
@@ -117,13 +98,12 @@ export function get_register_config(): RegisterConfig {
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
     signInPath,
     signInLabel,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
     oauth: {
       enable_google: oauthConfig.enable_google,
+      enable_facebook: oauthConfig.enable_facebook,
       enable_email_password: oauthConfig.enable_email_password,
       google_button_text: registerGoogleButtonText,
+      facebook_button_text: registerFacebookButtonText,
       oauth_divider_text: oauthConfig.oauth_divider_text,
     },
   };

package/cli-src/lib/reset_password_config.server.ts

@@ -7,11 +7,6 @@ import { get_config_value } from "./config/config_loader.server.js";
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_password_requirements_config } from "./password_requirements_config.server.js";
 
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_RESET_PASSWORD_IMAGE_PATH = "/hazo_auth/images/reset_password_default.jpg";
-
 // section: types
 export type ResetPasswordConfig = {
   errorMessage: string;
@@ -30,9 +25,6 @@ export type ResetPasswordConfig = {
     require_number: boolean;
     require_special: boolean;
   };
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -70,26 +62,6 @@ export function get_reset_password_config(): ResetPasswordConfig {
   // Get shared password requirements
   const passwordRequirements = get_password_requirements_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_RESET_PASSWORD_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Reset password illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   return {
     errorMessage,
     successMessage,
@@ -101,9 +73,6 @@ export function get_reset_password_config(): ResetPasswordConfig {
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
     passwordRequirements,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/services/email_service.ts

@@ -14,7 +14,7 @@ export type EmailOptions = {
   text_body?: string;
 };
 
-export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed";
+export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed" | "otp_signin_code";
 
 export type EmailTemplateData = {
   token?: string;
@@ -243,6 +243,8 @@ function get_email_subject(template_type: EmailTemplateType): string {
       return "Reset Your Password";
     case "password_changed":
       return "Password Changed Successfully";
+    case "otp_signin_code":
+      return "Your sign-in code";
     default:
       return "Email from hazo_auth";
   }

package/cli-src/lib/services/email_template_manifest.ts

@@ -101,4 +101,21 @@ export const hazo_auth_template_manifest: SystemTemplateManifest[] = [
       },
     ],
   },
+  {
+    template_name: "otp_signin_code",
+    template_label: "OTP sign-in code",
+    category: SYSTEM_CATEGORY,
+    html: read_template("otp_signin_code", "html"),
+    text: read_template("otp_signin_code", "txt"),
+    variables: [
+      {
+        variable_name: "otp_code",
+        variable_description: "6-digit OTP code for email sign-in (v6.1.0+)",
+      },
+      {
+        variable_name: "expires_in_minutes",
+        variable_description: "Number of minutes until the OTP code expires",
+      },
+    ],
+  },
 ];

package/cli-src/lib/services/email_templates/otp_signin_code.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Your sign-in code</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <p>Your sign-in code is:</p>
+  <p style="font-size: 28px; font-weight: bold; letter-spacing: 0.2em; font-family: monospace; margin: 16px 0;">{{otp_code}}</p>
+  <p>This code expires in {{expires_in_minutes}} minutes.</p>
+  <p style="color: #666; font-size: 12px;">If you didn't request this code, you can safely ignore this email.</p>
+</body>
+</html>

package/cli-src/lib/services/email_templates/otp_signin_code.txt

@@ -0,0 +1,5 @@
+Your sign-in code is: {{otp_code}}
+
+This code expires in {{expires_in_minutes}} minutes.
+
+If you didn't request this code, you can safely ignore this email.

package/cli-src/lib/services/index.ts

@@ -20,5 +20,11 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
-
-
+export {
+  request_email_otp,
+  verify_email_otp,
+  generate_otp_code,
+  hash_otp_code,
+  verify_otp_code,
+} from "./otp_service.js";
+export type { RequestEmailOTPResult, VerifyEmailOTPResult } from "./otp_service";