hazo_auth 6.0.0 → 7.0.1

package/dist/components/ui/input-otp.js

@@ -0,0 +1,44 @@
+"use client";
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import * as React from "react";
+import { OTPInput, OTPInputContext } from "input-otp";
+import { Minus } from "lucide-react";
+import { cn } from "../../lib/utils.js";
+const InputOTP = React.forwardRef((_a, ref) => {
+    var { className, containerClassName } = _a, props = __rest(_a, ["className", "containerClassName"]);
+    return (_jsx(OTPInput, Object.assign({ ref: ref, containerClassName: cn("flex items-center gap-2 has-[:disabled]:opacity-50", containerClassName), className: cn("disabled:cursor-not-allowed", className) }, props)));
+});
+InputOTP.displayName = "InputOTP";
+const InputOTPGroup = React.forwardRef((_a, ref) => {
+    var { className } = _a, props = __rest(_a, ["className"]);
+    return (_jsx("div", Object.assign({ ref: ref, className: cn("flex items-center", className) }, props)));
+});
+InputOTPGroup.displayName = "InputOTPGroup";
+const InputOTPSlot = React.forwardRef((_a, ref) => {
+    var _b;
+    var { index, className } = _a, props = __rest(_a, ["index", "className"]);
+    const inputOTPContext = React.useContext(OTPInputContext);
+    const slot = (_b = inputOTPContext === null || inputOTPContext === void 0 ? void 0 : inputOTPContext.slots) === null || _b === void 0 ? void 0 : _b[index];
+    const char = slot === null || slot === void 0 ? void 0 : slot.char;
+    const hasFakeCaret = slot === null || slot === void 0 ? void 0 : slot.hasFakeCaret;
+    const isActive = slot === null || slot === void 0 ? void 0 : slot.isActive;
+    return (_jsxs("div", Object.assign({ ref: ref, className: cn("relative flex h-10 w-10 items-center justify-center border-y border-r border-input text-sm transition-all first:rounded-l-md first:border-l last:rounded-r-md", isActive && "z-10 ring-2 ring-ring ring-offset-background", className) }, props, { children: [char, hasFakeCaret && (_jsx("div", { className: "pointer-events-none absolute inset-0 flex items-center justify-center", children: _jsx("div", { className: "h-4 w-px animate-caret-blink bg-foreground duration-1000" }) }))] })));
+});
+InputOTPSlot.displayName = "InputOTPSlot";
+const InputOTPSeparator = React.forwardRef((_a, ref) => {
+    var props = __rest(_a, []);
+    return (_jsx("div", Object.assign({ ref: ref, role: "separator" }, props, { children: _jsx(Minus, {}) })));
+});
+InputOTPSeparator.displayName = "InputOTPSeparator";
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };

package/dist/consent/consent_state.d.ts

@@ -0,0 +1,18 @@
+export interface ConsentState {
+    necessary: true;
+    functional: boolean;
+    analytics: boolean;
+    marketing: boolean;
+    version: 1;
+}
+export declare const HAZO_CONSENT_COOKIE_NAME = "hazo_consent_v1";
+/**
+ * Parse a URL-encoded JSON cookie value into a ConsentState.
+ * Returns null if the value is invalid or has an unexpected shape.
+ */
+export declare function parse_consent(value: string): ConsentState | null;
+/**
+ * Serialize a ConsentState to a URL-encoded JSON string suitable for cookie storage.
+ */
+export declare function serialize_consent(state: ConsentState): string;
+//# sourceMappingURL=consent_state.d.ts.map

package/dist/consent/consent_state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent_state.d.ts","sourceRoot":"","sources":["../../src/consent/consent_state.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,CAAC,CAAC;CACZ;AAED,eAAO,MAAM,wBAAwB,oBAAoB,CAAC;AAE1D;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAgBhE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAE7D"}

package/dist/consent/consent_state.js

@@ -0,0 +1,29 @@
+// file_description: isomorphic consent state types, parser, and serializer — no Node.js or browser-specific imports
+export const HAZO_CONSENT_COOKIE_NAME = "hazo_consent_v1";
+/**
+ * Parse a URL-encoded JSON cookie value into a ConsentState.
+ * Returns null if the value is invalid or has an unexpected shape.
+ */
+export function parse_consent(value) {
+    try {
+        const decoded = decodeURIComponent(value);
+        const parsed = JSON.parse(decoded);
+        // Validate shape
+        if (parsed.version !== 1 ||
+            parsed.necessary !== true ||
+            typeof parsed.functional !== "boolean" ||
+            typeof parsed.analytics !== "boolean" ||
+            typeof parsed.marketing !== "boolean")
+            return null;
+        return parsed;
+    }
+    catch (_a) {
+        return null;
+    }
+}
+/**
+ * Serialize a ConsentState to a URL-encoded JSON string suitable for cookie storage.
+ */
+export function serialize_consent(state) {
+    return encodeURIComponent(JSON.stringify(state));
+}

package/dist/consent/cookie_consent_banner.d.ts

@@ -0,0 +1,11 @@
+import { type ConsentState } from "./consent_state.js";
+interface CookieConsentBannerProps {
+    enableGTM?: boolean;
+    gtmContainerId?: string;
+    onChange?: (state: ConsentState) => void;
+    /** Default: "bottom" */
+    position?: "bottom" | "top";
+}
+export declare function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position, }: CookieConsentBannerProps): import("react/jsx-runtime").JSX.Element;
+export {};
+//# sourceMappingURL=cookie_consent_banner.d.ts.map

package/dist/consent/cookie_consent_banner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie_consent_banner.d.ts","sourceRoot":"","sources":["../../src/consent/cookie_consent_banner.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAKpD,UAAU,wBAAwB;IAChC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,wBAAwB;IACxB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;CAC7B;AAED,wBAAgB,mBAAmB,CAAC,EAClC,SAAS,EACT,cAAc,EACd,QAAQ,EACR,QAAmB,GACpB,EAAE,wBAAwB,2CA4E1B"}

package/dist/consent/cookie_consent_banner.js

@@ -0,0 +1,40 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
+// file_description: cookie consent banner — shown until the user makes a consent choice; renders manage modal afterward
+import { useEffect, useRef } from "react";
+import { useConsent } from "./use_consent.js";
+import { ConsentManageModal } from "./manage_modal.js";
+import { to_gtm_signals, gtm_default_payload } from "./gtm_mapping.js";
+export function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position = "bottom", }) {
+    const { consent, set_consent, open_manager } = useConsent();
+    const gtm_default_pushed = useRef(false);
+    // Push consent_default to GTM on first mount (before user has consented)
+    useEffect(() => {
+        if (!enableGTM || !gtmContainerId)
+            return;
+        if (gtm_default_pushed.current)
+            return;
+        gtm_default_pushed.current = true;
+        window.dataLayer = window.dataLayer || [];
+        window.dataLayer.push(Object.assign({ event: "consent_default" }, gtm_default_payload()));
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, []); // only on mount
+    // Push consent_update to GTM whenever the user's consent changes
+    useEffect(() => {
+        if (!consent)
+            return; // no state yet — don't push
+        onChange === null || onChange === void 0 ? void 0 : onChange(consent);
+        if (enableGTM && gtmContainerId) {
+            window.dataLayer = window.dataLayer || [];
+            window.dataLayer.push(Object.assign({ event: "consent_update" }, to_gtm_signals(consent)));
+        }
+        // onChange is intentionally excluded to avoid infinite loops with unstable prop refs
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [consent, enableGTM, gtmContainerId]);
+    // Consent already captured — only render the modal so open_manager() still works
+    if (consent !== null) {
+        return _jsx(ConsentManageModal, {});
+    }
+    const positionClass = position === "top" ? "top-0" : "bottom-0";
+    return (_jsxs(_Fragment, { children: [_jsxs("div", { className: `fixed ${positionClass} left-0 right-0 z-40 bg-primary text-primary-foreground p-4 flex flex-wrap items-center gap-3 justify-between`, children: [_jsx("p", { className: "text-sm flex-1 min-w-[200px]", children: "We use cookies to improve your experience. By continuing, you agree to our use of cookies." }), _jsxs("div", { className: "flex gap-2 flex-wrap", children: [_jsx("button", { onClick: () => set_consent({ functional: false, analytics: false, marketing: false }), className: "px-3 py-1.5 text-xs bg-primary-foreground/20 hover:bg-primary-foreground/30 rounded text-primary-foreground", children: "Decline all" }), _jsx("button", { onClick: () => open_manager(), className: "px-3 py-1.5 text-xs bg-primary-foreground/20 hover:bg-primary-foreground/30 rounded text-primary-foreground", children: "Manage" }), _jsx("button", { onClick: () => set_consent({ functional: true, analytics: true, marketing: true }), className: "px-3 py-1.5 text-xs bg-primary-foreground rounded text-primary font-medium", children: "Accept all" })] })] }), _jsx(ConsentManageModal, {})] }));
+}

package/dist/consent/gtm_mapping.d.ts

@@ -0,0 +1,13 @@
+import type { ConsentState } from "./consent_state";
+export type GtmSignal = "security_storage" | "functionality_storage" | "personalization_storage" | "analytics_storage" | "ad_storage" | "ad_user_data" | "ad_personalization";
+/**
+ * Maps a ConsentState to GTM consent signals.
+ * security_storage is always granted; other signals follow the user's category choices.
+ */
+export declare function to_gtm_signals(state: ConsentState): Record<GtmSignal, "granted" | "denied">;
+/**
+ * Default GTM consent payload before the user has made a choice.
+ * security_storage is granted; all others are denied.
+ */
+export declare function gtm_default_payload(): Record<GtmSignal, "granted" | "denied">;
+//# sourceMappingURL=gtm_mapping.d.ts.map

package/dist/consent/gtm_mapping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gtm_mapping.d.ts","sourceRoot":"","sources":["../../src/consent/gtm_mapping.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,MAAM,MAAM,SAAS,GACjB,kBAAkB,GAClB,uBAAuB,GACvB,yBAAyB,GACzB,mBAAmB,GACnB,YAAY,GACZ,cAAc,GACd,oBAAoB,CAAC;AAEzB;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAAC,SAAS,EAAE,SAAS,GAAG,QAAQ,CAAC,CAU3F;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,GAAG,QAAQ,CAAC,CAU7E"}

package/dist/consent/gtm_mapping.js

@@ -0,0 +1,30 @@
+/**
+ * Maps a ConsentState to GTM consent signals.
+ * security_storage is always granted; other signals follow the user's category choices.
+ */
+export function to_gtm_signals(state) {
+    return {
+        security_storage: "granted", // always granted
+        functionality_storage: state.functional ? "granted" : "denied",
+        personalization_storage: state.functional ? "granted" : "denied",
+        analytics_storage: state.analytics ? "granted" : "denied",
+        ad_storage: state.marketing ? "granted" : "denied",
+        ad_user_data: state.marketing ? "granted" : "denied",
+        ad_personalization: state.marketing ? "granted" : "denied",
+    };
+}
+/**
+ * Default GTM consent payload before the user has made a choice.
+ * security_storage is granted; all others are denied.
+ */
+export function gtm_default_payload() {
+    return {
+        security_storage: "granted",
+        functionality_storage: "denied",
+        personalization_storage: "denied",
+        analytics_storage: "denied",
+        ad_storage: "denied",
+        ad_user_data: "denied",
+        ad_personalization: "denied",
+    };
+}

package/dist/consent/index.d.ts

@@ -0,0 +1,7 @@
+export * from "./consent_state.js";
+export * from "./cookie_consent_banner.js";
+export * from "./use_consent.js";
+export * from "./read_consent.js";
+export * from "./gtm_mapping.js";
+export * from "./manage_modal.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/consent/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/consent/index.ts"],"names":[],"mappings":"AACA,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC"}

package/dist/consent/index.js

@@ -0,0 +1,7 @@
+// file_description: barrel export for the hazo_auth consent module
+export * from "./consent_state.js";
+export * from "./cookie_consent_banner.js";
+export * from "./use_consent.js";
+export * from "./read_consent.js";
+export * from "./gtm_mapping.js";
+export * from "./manage_modal.js";

package/dist/consent/manage_modal.d.ts

@@ -0,0 +1,2 @@
+export declare function ConsentManageModal(): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=manage_modal.d.ts.map

package/dist/consent/manage_modal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manage_modal.d.ts","sourceRoot":"","sources":["../../src/consent/manage_modal.tsx"],"names":[],"mappings":"AAOA,wBAAgB,kBAAkB,4CA0GjC"}

package/dist/consent/manage_modal.js

@@ -0,0 +1,33 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+// file_description: modal dialog for managing individual cookie consent categories
+import { useEffect, useState } from "react";
+import * as Dialog from "@radix-ui/react-dialog";
+import { useConsent } from "./use_consent.js";
+export function ConsentManageModal() {
+    const { consent, set_consent } = useConsent();
+    const [open, setOpen] = useState(false);
+    const [local, setLocal] = useState({
+        functional: false,
+        analytics: false,
+        marketing: false,
+    });
+    // Listen for the open event dispatched by open_manager()
+    useEffect(() => {
+        const handle = () => {
+            setLocal({
+                functional: !!(consent === null || consent === void 0 ? void 0 : consent.functional),
+                analytics: !!(consent === null || consent === void 0 ? void 0 : consent.analytics),
+                marketing: !!(consent === null || consent === void 0 ? void 0 : consent.marketing),
+            });
+            setOpen(true);
+        };
+        window.addEventListener("hazo_auth:open_consent_manager", handle);
+        return () => window.removeEventListener("hazo_auth:open_consent_manager", handle);
+    }, [consent]);
+    const save = () => {
+        set_consent(Object.assign(Object.assign({}, local), { necessary: true, version: 1 }));
+        setOpen(false);
+    };
+    return (_jsx(Dialog.Root, { open: open, onOpenChange: setOpen, children: _jsxs(Dialog.Portal, { children: [_jsx(Dialog.Overlay, { className: "fixed inset-0 bg-black/50 z-50" }), _jsxs(Dialog.Content, { className: "fixed top-1/2 left-1/2 -translate-x-1/2 -translate-y-1/2 bg-background rounded-lg p-6 z-50 w-full max-w-md shadow-lg", children: [_jsx(Dialog.Title, { className: "text-lg font-semibold mb-4", children: "Cookie preferences" }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Necessary" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Required for the site to function" })] }), _jsx("input", { type: "checkbox", checked: true, disabled: true, className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Functional" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Remembers your preferences" })] }), _jsx("input", { type: "checkbox", checked: local.functional, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { functional: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Analytics" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Helps us understand how you use the site" })] }), _jsx("input", { type: "checkbox", checked: local.analytics, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { analytics: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Marketing" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Used for targeted advertising" })] }), _jsx("input", { type: "checkbox", checked: local.marketing, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { marketing: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "mt-6 flex gap-3 justify-end", children: [_jsx("button", { className: "px-4 py-2 text-sm border rounded-md hover:bg-muted", onClick: () => setOpen(false), children: "Cancel" }), _jsx("button", { className: "px-4 py-2 text-sm bg-primary text-primary-foreground rounded-md hover:opacity-90", onClick: save, children: "Save preferences" })] })] })] }) }));
+}

package/dist/consent/read_consent.d.ts

@@ -0,0 +1,15 @@
+import { type ConsentState } from "./consent_state.js";
+/** Structural type covering both `Headers` and Next.js `ReadonlyHeaders`. */
+type AnyHeaders = {
+    get(name: string): string | null;
+};
+/**
+ * Reads the consent state from request headers (server-side).
+ * Returns null if the consent cookie is absent or contains invalid data.
+ *
+ * Prefix support (Phase 7): when cookie_prefix config is set, the cookie name
+ * is `${prefix}hazo_consent_v1`. Currently uses the base name only.
+ */
+export declare function read_consent(headers: AnyHeaders): ConsentState | null;
+export {};
+//# sourceMappingURL=read_consent.d.ts.map

package/dist/consent/read_consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"read_consent.d.ts","sourceRoot":"","sources":["../../src/consent/read_consent.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAA2C,MAAM,iBAAiB,CAAC;AAE7F,6EAA6E;AAC7E,KAAK,UAAU,GAAG;IAAE,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY,GAAG,IAAI,CAcrE"}

package/dist/consent/read_consent.js

@@ -0,0 +1,23 @@
+// file_description: server-side helper that reads consent state from request headers
+import { HAZO_CONSENT_COOKIE_NAME, parse_consent } from "./consent_state.js";
+/**
+ * Reads the consent state from request headers (server-side).
+ * Returns null if the consent cookie is absent or contains invalid data.
+ *
+ * Prefix support (Phase 7): when cookie_prefix config is set, the cookie name
+ * is `${prefix}hazo_consent_v1`. Currently uses the base name only.
+ */
+export function read_consent(headers) {
+    const cookie_header = headers.get("cookie");
+    if (!cookie_header)
+        return null;
+    const cookie_name = HAZO_CONSENT_COOKIE_NAME;
+    const match = cookie_header
+        .split(";")
+        .map((c) => c.trim())
+        .find((c) => c.startsWith(`${cookie_name}=`));
+    if (!match)
+        return null;
+    const value = match.slice(cookie_name.length + 1);
+    return parse_consent(value);
+}

package/dist/consent/use_consent.d.ts

@@ -0,0 +1,7 @@
+import { type ConsentState } from "./consent_state.js";
+export declare function useConsent(): {
+    consent: ConsentState | null;
+    set_consent: (patch: Partial<ConsentState>) => void;
+    open_manager: () => void;
+};
+//# sourceMappingURL=use_consent.d.ts.map

package/dist/consent/use_consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use_consent.d.ts","sourceRoot":"","sources":["../../src/consent/use_consent.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,KAAK,YAAY,EAIlB,MAAM,iBAAiB,CAAC;AAmBzB,wBAAgB,UAAU,IAAI;IAC5B,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC7B,WAAW,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC;IACpD,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAyCA"}

package/dist/consent/use_consent.js

@@ -0,0 +1,55 @@
+"use client";
+// file_description: client hook to read and update the user's cookie consent state
+import { useState, useEffect, useCallback } from "react";
+import { HAZO_CONSENT_COOKIE_NAME, parse_consent, serialize_consent, } from "./consent_state.js";
+function read_from_cookie() {
+    if (typeof document === "undefined")
+        return null;
+    const match = document.cookie
+        .split(";")
+        .map((c) => c.trim())
+        .find((c) => c.startsWith(`${HAZO_CONSENT_COOKIE_NAME}=`));
+    if (!match)
+        return null;
+    return parse_consent(match.slice(HAZO_CONSENT_COOKIE_NAME.length + 1));
+}
+function write_cookie(state) {
+    const value = serialize_consent(state);
+    const maxAge = 13 * 30 * 24 * 60 * 60; // ~13 months in seconds
+    const secure = location.protocol === "https:" ? "; Secure" : "";
+    document.cookie = `${HAZO_CONSENT_COOKIE_NAME}=${value}; Max-Age=${maxAge}; SameSite=Lax; Path=/${secure}`;
+}
+export function useConsent() {
+    const [consent, setConsent] = useState(null);
+    useEffect(() => {
+        // Hydrate from cookie on mount
+        setConsent(read_from_cookie());
+        // Subscribe to cross-component updates dispatched by other useConsent instances.
+        // Read state from event.detail to avoid a redundant cookie parse and prevent
+        // a double re-render when the same hook instance dispatches the event itself.
+        const handle_update = (e) => {
+            const detail = e.detail;
+            setConsent(detail);
+        };
+        window.addEventListener("hazo_auth:consent_update", handle_update);
+        return () => window.removeEventListener("hazo_auth:consent_update", handle_update);
+    }, []);
+    const set_consent = useCallback((patch) => {
+        const base = consent !== null && consent !== void 0 ? consent : {
+            necessary: true,
+            functional: false,
+            analytics: false,
+            marketing: false,
+            version: 1,
+        };
+        // necessary and version are always forced to their fixed values
+        const next = Object.assign(Object.assign(Object.assign({}, base), patch), { necessary: true, version: 1 });
+        write_cookie(next);
+        setConsent(next);
+        window.dispatchEvent(new CustomEvent("hazo_auth:consent_update", { detail: next }));
+    }, [consent]);
+    const open_manager = useCallback(() => {
+        window.dispatchEvent(new CustomEvent("hazo_auth:open_consent_manager"));
+    }, []);
+    return { consent, set_consent, open_manager };
+}

package/dist/lib/auth/nextauth_config.d.ts

@@ -20,6 +20,16 @@ export type NextAuthCallbackProfile = {
     picture?: string;
     email_verified?: boolean;
 };
+export type FacebookCallbackProfile = {
+    id?: string;
+    name?: string;
+    email?: string;
+    picture?: {
+        data?: {
+            url: string;
+        };
+    } | string;
+};
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
  * Providers are dynamically configured based on hazo_auth_config.ini settings

package/dist/lib/auth/nextauth_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nextauth_config.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/nextauth_config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAW,MAAM,WAAW,CAAC;AAWtD,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,WAAW,CAwKjD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAW7C"}
+{"version":3,"file":"nextauth_config.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/nextauth_config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAW,MAAM,WAAW,CAAC;AAatD,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,GAAG,MAAM,CAAC;CAC/C,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,WAAW,CA+PjD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAe7C"}

package/dist/lib/auth/nextauth_config.js

@@ -1,8 +1,10 @@
 // ESM/CJS interop: next-auth providers are CommonJS, handle both export scenarios
 import GoogleProviderImport from "next-auth/providers/google";
 const GoogleProvider = GoogleProviderImport.default || GoogleProviderImport;
+import FacebookProviderImport from "next-auth/providers/facebook";
+const FacebookProvider = FacebookProviderImport.default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 // section: config
@@ -32,6 +34,18 @@ export function get_nextauth_config() {
             }));
         }
     }
+    // Add Facebook provider if enabled and credentials are present
+    if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+        providers.push(FacebookProvider({
+            clientId: oauth_config.facebook_client_id,
+            clientSecret: oauth_config.facebook_client_secret,
+            authorization: {
+                params: {
+                    scope: "email,public_profile",
+                },
+            },
+        }));
+    }
     return {
         providers,
         pages: {
@@ -52,6 +66,9 @@ export function get_nextauth_config() {
                 if (url.includes("/api/hazo_auth/oauth/google/callback")) {
                     return url;
                 }
+                if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+                    return url;
+                }
                 // If URL is relative or same origin, allow it
                 if (url.startsWith("/")) {
                     return `${baseUrl}${url}`;
@@ -66,7 +83,7 @@ export function get_nextauth_config() {
              * Sign-in callback - handle user creation/linking for Google OAuth
              */
             async signIn({ account, profile, user, }) {
-                var _a;
+                var _a, _b, _c, _d, _e, _f;
                 const logger = create_app_logger();
                 if ((account === null || account === void 0 ? void 0 : account.provider) === "google" && profile) {
                     try {
@@ -111,6 +128,64 @@ export function get_nextauth_config() {
                         return false;
                     }
                 }
+                if ((account === null || account === void 0 ? void 0 : account.provider) === "facebook" && profile) {
+                    try {
+                        const fbProfile = profile;
+                        const hazoConnect = get_hazo_connect_instance();
+                        const current_oauth_config = get_oauth_config();
+                        // Resolve profile picture URL from Facebook's nested structure
+                        let fb_picture_url;
+                        if (fbProfile.picture) {
+                            if (typeof fbProfile.picture === "string") {
+                                fb_picture_url = fbProfile.picture;
+                            }
+                            else if ((_c = (_b = fbProfile.picture) === null || _b === void 0 ? void 0 : _b.data) === null || _c === void 0 ? void 0 : _c.url) {
+                                fb_picture_url = fbProfile.picture.data.url;
+                            }
+                        }
+                        if (!fb_picture_url && user.image) {
+                            fb_picture_url = (_d = user.image) !== null && _d !== void 0 ? _d : undefined;
+                        }
+                        logger.info("nextauth_facebook_signin_attempt", {
+                            email: user.email,
+                            facebook_id: fbProfile.id,
+                            name: user.name,
+                        });
+                        const result = await handle_facebook_oauth_login(hazoConnect, {
+                            facebook_id: fbProfile.id || account.providerAccountId,
+                            email: (_f = (_e = user.email) !== null && _e !== void 0 ? _e : fbProfile.email) !== null && _f !== void 0 ? _f : null,
+                            name: user.name || fbProfile.name || undefined,
+                            profile_picture_url: fb_picture_url,
+                        }, { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook });
+                        if (!result.success) {
+                            logger.error("nextauth_facebook_signin_failed", {
+                                email: user.email,
+                                error: result.error,
+                            });
+                            if (result.error === "link_blocked_unverified") {
+                                return `/hazo_auth/login?error=link_blocked_unverified`;
+                            }
+                            return false;
+                        }
+                        logger.info("nextauth_facebook_signin_success", {
+                            user_id: result.user_id,
+                            email: result.email,
+                            is_new_user: result.is_new_user,
+                            was_linked: result.was_linked,
+                        });
+                        // Store user_id in account for the JWT callback to pick up
+                        account.hazo_user_id = result.user_id;
+                        return true;
+                    }
+                    catch (error) {
+                        const errorMessage = error instanceof Error ? error.message : "Unknown error";
+                        logger.error("nextauth_facebook_signin_exception", {
+                            email: user.email,
+                            error: errorMessage,
+                        });
+                        return false;
+                    }
+                }
                 return true;
             },
             /**
@@ -169,5 +244,8 @@ export function has_oauth_providers() {
         if (has_google_credentials)
             return true;
     }
+    if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+        return true;
+    }
     return false;
 }

package/dist/lib/cookies_config.server.d.ts

@@ -9,6 +9,7 @@ export declare const BASE_COOKIE_NAMES: {
     readonly USER_ID: "hazo_auth_user_id";
     readonly USER_EMAIL: "hazo_auth_user_email";
     readonly SESSION: "hazo_auth_session";
+    readonly SESSION_KIND: "hazo_auth_session_kind";
     readonly DEV_LOCK: "hazo_auth_dev_lock";
     readonly SCOPE_ID: "hazo_auth_scope_id";
     readonly ANON_ID: "hazo_auth_anon_id";

package/dist/lib/cookies_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cookies_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,aAAa,GAAG;IAC1B,6FAA6F;IAC7F,aAAa,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAYF,eAAO,MAAM,iBAAiB;;;;;;;CAOpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,aAAa,CAoBlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQzG;AAKD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,aAAa,CAKzD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}
+{"version":3,"file":"cookies_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,aAAa,GAAG;IAC1B,6FAA6F;IAC7F,aAAa,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAYF,eAAO,MAAM,iBAAiB;;;;;;;;CAQpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,aAAa,CAoBlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQzG;AAKD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,aAAa,CAKzD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}

package/dist/lib/cookies_config.server.js

@@ -14,6 +14,7 @@ export const BASE_COOKIE_NAMES = {
     USER_ID: "hazo_auth_user_id",
     USER_EMAIL: "hazo_auth_user_email",
     SESSION: "hazo_auth_session",
+    SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
     DEV_LOCK: "hazo_auth_dev_lock",
     SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
     ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)

package/dist/lib/email_verification_config.server.d.ts

@@ -5,9 +5,6 @@ export type EmailVerificationConfig = {
     showReturnHomeButton: boolean;
     returnHomeButtonLabel: string;
     returnHomePath: string;
-    imageSrc: string;
-    imageAlt: string;
-    imageBackgroundColor: string;
 };
 /**
  * Reads email verification layout configuration from hazo_auth_config.ini file

package/dist/lib/email_verification_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email_verification_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/email_verification_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAYrB,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,6BAA6B,IAAI,uBAAuB,CAoCvE"}
+{"version":3,"file":"email_verification_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/email_verification_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,6BAA6B,IAAI,uBAAuB,CAWvE"}

package/dist/lib/email_verification_config.server.js

@@ -3,11 +3,6 @@
 import "server-only";
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
-import { get_config_value } from "./config/config_loader.server.js";
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.jpg";
 // section: helpers
 /**
  * Reads email verification layout configuration from hazo_auth_config.ini file
@@ -15,23 +10,13 @@ const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.
  * @returns Email verification configuration options
  */
 export function get_email_verification_config() {
-    const section = "hazo_auth__email_verification_layout";
     // Get shared already logged in config
     const alreadyLoggedInConfig = get_already_logged_in_config();
-    // Read image configuration
-    // If not set in config, falls back to default path-based image
-    // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-    const imageSrc = get_config_value(section, "image_src", DEFAULT_VERIFY_EMAIL_IMAGE_PATH);
-    const imageAlt = get_config_value(section, "image_alt", "Email verification illustration");
-    const imageBackgroundColor = get_config_value(section, "image_background_color", "#f1f5f9");
     return {
         alreadyLoggedInMessage: alreadyLoggedInConfig.message,
         showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
         showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
         returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
         returnHomePath: alreadyLoggedInConfig.returnHomePath,
-        imageSrc,
-        imageAlt,
-        imageBackgroundColor,
     };
 }

package/dist/lib/forgot_password_config.server.d.ts

@@ -5,9 +5,6 @@ export type ForgotPasswordConfig = {
     showReturnHomeButton: boolean;
     returnHomeButtonLabel: string;
     returnHomePath: string;
-    imageSrc: string;
-    imageAlt: string;
-    imageBackgroundColor: string;
 };
 /**
  * Reads forgot password layout configuration from hazo_auth_config.ini file

package/dist/lib/forgot_password_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"forgot_password_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/forgot_password_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAYrB,MAAM,MAAM,oBAAoB,GAAG;IACjC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,0BAA0B,IAAI,oBAAoB,CAoCjE"}
+{"version":3,"file":"forgot_password_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/forgot_password_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,oBAAoB,GAAG;IACjC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,0BAA0B,IAAI,oBAAoB,CAWjE"}