hazo_auth 6.0.0 → 7.0.1

package/dist/lib/services/oauth_service.js

@@ -167,6 +167,161 @@ export async function handle_google_oauth_login(adapter, data) {
         };
     }
 }
+/**
+ * Handles Facebook OAuth login/registration flow
+ * 1. Check if user exists with facebook_id -> login
+ * 2. Check if user exists with email -> link Facebook account (respects auto_link_unverified)
+ * 3. Create new user with Facebook data (email_verified always false — never trust Facebook)
+ *
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Facebook OAuth user data
+ * @param opts - Options (auto_link_unverified: whether to link unverified accounts)
+ * @returns OAuth login result with user_id and status flags
+ */
+export async function handle_facebook_oauth_login(adapter, data, opts) {
+    const logger = create_app_logger();
+    try {
+        const { facebook_id, email, name, profile_picture_url } = data;
+        const users_service = createCrudService(adapter, "hazo_users");
+        const now = new Date().toISOString();
+        // Step 1: Check if user exists with this facebook_id
+        const users_by_facebook_id = await users_service.findBy({ facebook_id });
+        if (Array.isArray(users_by_facebook_id) && users_by_facebook_id.length > 0) {
+            const user = users_by_facebook_id[0];
+            await users_service.updateById(user.id, {
+                last_logon: now,
+                changed_at: now,
+            });
+            logger.info("oauth_service_facebook_login_existing_facebook_user", {
+                filename: "oauth_service.ts",
+                line_number: get_line_number(),
+                user_id: user.id,
+                email: user.email_address,
+            });
+            return {
+                success: true,
+                user_id: user.id,
+                is_new_user: false,
+                was_linked: false,
+                email: user.email_address,
+                name: user.name,
+            };
+        }
+        // Step 2: Check if user exists with this email
+        if (email) {
+            const users_by_email = await users_service.findBy({ email_address: email });
+            if (Array.isArray(users_by_email) && users_by_email.length > 0) {
+                const user = users_by_email[0];
+                const user_email_verified = user.email_verified;
+                if (!user_email_verified) {
+                    if (!(opts === null || opts === void 0 ? void 0 : opts.auto_link_unverified)) {
+                        return {
+                            success: false,
+                            error: "link_blocked_unverified",
+                        };
+                    }
+                    // auto_link_unverified=true: link but do NOT change email_verified status
+                }
+                // Link Facebook account to existing user
+                const current_auth_providers = user.auth_providers || "email";
+                const new_auth_providers = current_auth_providers.includes("facebook")
+                    ? current_auth_providers
+                    : `${current_auth_providers},facebook`;
+                const update_data = {
+                    facebook_id,
+                    auth_providers: new_auth_providers,
+                    last_logon: now,
+                    changed_at: now,
+                };
+                // Update name if not set and Facebook provides one
+                if (!user.name && name) {
+                    update_data.name = name;
+                }
+                // Update profile picture if not set and Facebook provides one
+                if (!user.profile_picture_url && profile_picture_url) {
+                    update_data.profile_picture_url = profile_picture_url;
+                    update_data.profile_source = "custom";
+                }
+                await users_service.updateById(user.id, update_data);
+                logger.info("oauth_service_facebook_linked_to_existing", {
+                    filename: "oauth_service.ts",
+                    line_number: get_line_number(),
+                    user_id: user.id,
+                    email,
+                    was_unverified: !user_email_verified,
+                });
+                return {
+                    success: true,
+                    user_id: user.id,
+                    is_new_user: false,
+                    was_linked: true,
+                    email: user.email_address,
+                    name: update_data.name || user.name,
+                };
+            }
+        }
+        // Step 3: Create new user with Facebook data
+        const user_id = randomUUID();
+        const insert_data = {
+            id: user_id,
+            email_address: email,
+            password_hash: "", // Empty string for Facebook-only users
+            email_verified: false, // Never trust Facebook's email_verified claim
+            status: "ACTIVE",
+            login_attempts: 0,
+            facebook_id,
+            auth_providers: "facebook",
+            created_at: now,
+            changed_at: now,
+            last_logon: now,
+        };
+        if (name) {
+            insert_data.name = name;
+        }
+        if (profile_picture_url) {
+            insert_data.profile_picture_url = profile_picture_url;
+            insert_data.profile_source = "custom";
+        }
+        const inserted_users = await users_service.insert(insert_data);
+        if (!Array.isArray(inserted_users) || inserted_users.length === 0) {
+            return {
+                success: false,
+                error: "Failed to create user account",
+            };
+        }
+        logger.info("oauth_service_facebook_new_user_created", {
+            filename: "oauth_service.ts",
+            line_number: get_line_number(),
+            user_id,
+            email,
+        });
+        return {
+            success: true,
+            user_id,
+            is_new_user: true,
+            was_linked: false,
+            email: email !== null && email !== void 0 ? email : undefined,
+            name,
+        };
+    }
+    catch (error) {
+        const user_friendly_error = sanitize_error_for_user(error, {
+            logToConsole: true,
+            logToLogger: true,
+            logger,
+            context: {
+                filename: "oauth_service.ts",
+                line_number: get_line_number(),
+                email: data.email,
+                operation: "handle_facebook_oauth_login",
+            },
+        });
+        return {
+            success: false,
+            error: user_friendly_error,
+        };
+    }
+}
 /**
  * Links a Google account to an existing user
  * @param adapter - The hazo_connect adapter instance

package/dist/lib/services/otp_service.d.ts

@@ -0,0 +1,46 @@
+import "server-only";
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export declare function generate_otp_code(): string;
+export declare function hash_otp_code(code: string): Promise<string>;
+export declare function verify_otp_code(otp_hash: string, code: string): Promise<boolean>;
+export type RequestEmailOTPResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: "rate_limited";
+    retry_after_seconds: number;
+};
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export declare function request_email_otp(args: {
+    email: string;
+    ip: string;
+}): Promise<RequestEmailOTPResult>;
+export type VerifyEmailOTPResult = {
+    ok: true;
+    user_id: string;
+    email: string;
+    session_token: string;
+} | {
+    ok: false;
+    error: "invalid_or_expired";
+};
+export declare function verify_email_otp(args: {
+    email: string;
+    code: string;
+    ip: string;
+}): Promise<VerifyEmailOTPResult>;
+//# sourceMappingURL=otp_service.d.ts.map

package/dist/lib/services/otp_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/otp_service.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAUrB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtF;AAID,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,cAAc,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,CAAC;AAItE;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA8GjC;AAID,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAE/C,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsHhC"}

package/dist/lib/services/otp_service.js

@@ -0,0 +1,238 @@
+import "server-only";
+import crypto from "node:crypto";
+import argon2 from "argon2";
+import { createCrudService } from "hazo_connect/server";
+import { get_otp_config, hazo_auth_otp_session_ttl_seconds } from "../otp_config.server.js";
+import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
+import { send_template_email } from "./email_service.js";
+import { create_app_logger } from "../app_logger.js";
+import { create_session_token } from "./session_token_service.js";
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export function generate_otp_code() {
+    const n = crypto.randomInt(0, 1000000);
+    return String(n).padStart(6, "0");
+}
+export async function hash_otp_code(code) {
+    return argon2.hash(code);
+}
+export async function verify_otp_code(otp_hash, code) {
+    try {
+        return await argon2.verify(otp_hash, code);
+    }
+    catch (_a) {
+        return false;
+    }
+}
+// section: request_email_otp
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export async function request_email_otp(args) {
+    const logger = create_app_logger();
+    const cfg = get_otp_config();
+    const email = args.email.trim().toLowerCase();
+    const ip = args.ip;
+    const adapter = get_hazo_connect_instance();
+    const otp_table = createCrudService(adapter, "hazo_email_otps");
+    const users_table = createCrudService(adapter, "hazo_users");
+    // 1. Per-email rate limit
+    const email_window_ms = cfg.email_rate_limit_window_seconds * 1000;
+    const email_threshold = new Date(Date.now() - email_window_ms).toISOString();
+    const recent_for_email = await otp_table.list((qb) => qb
+        .select(["created_at"])
+        .where("email", "eq", email)
+        .where("created_at", "gte", email_threshold));
+    if (recent_for_email.length >= cfg.email_rate_limit_max) {
+        const oldest = recent_for_email
+            .map((r) => Date.parse(String(r.created_at)))
+            .sort((a, b) => a - b)[0];
+        const retry_after_seconds = Math.max(1, Math.ceil((oldest + email_window_ms - Date.now()) / 1000));
+        logger.warn("otp_request_email_rate_limited", { email, ip, retry_after_seconds });
+        return { ok: false, error: "rate_limited", retry_after_seconds };
+    }
+    // 2. Per-IP rate limit
+    const ip_window_ms = cfg.ip_rate_limit_window_seconds * 1000;
+    const ip_threshold = new Date(Date.now() - ip_window_ms).toISOString();
+    const recent_for_ip = await otp_table.list((qb) => qb
+        .select(["created_at"])
+        .where("requester_ip", "eq", ip)
+        .where("created_at", "gte", ip_threshold));
+    if (recent_for_ip.length >= cfg.ip_rate_limit_max) {
+        const oldest = recent_for_ip
+            .map((r) => Date.parse(String(r.created_at)))
+            .sort((a, b) => a - b)[0];
+        const retry_after_seconds = Math.max(1, Math.ceil((oldest + ip_window_ms - Date.now()) / 1000));
+        logger.warn("otp_request_ip_rate_limited", { email, ip, retry_after_seconds });
+        return { ok: false, error: "rate_limited", retry_after_seconds };
+    }
+    // 3. Lookup user
+    const existing_users = await users_table.findBy({ email_address: email });
+    const existing_user = existing_users.length > 0 ? existing_users[0] : null;
+    // 4. Unknown email + auto_register=false → silent no-op with constant-time padding
+    if (!existing_user && !cfg.auto_register) {
+        await argon2.hash("000000"); // constant-time padding — never stored
+        return { ok: true };
+    }
+    // 5. Mark any unconsumed rows for this email as superseded
+    try {
+        const unconsumed = await otp_table.list((qb) => qb
+            .select(["id"])
+            .where("email", "eq", email)
+            .where("consumed_at", "is", null));
+        for (const row of unconsumed) {
+            await otp_table.updateById(String(row.id), { consumed_at: new Date().toISOString() });
+        }
+    }
+    catch (_a) {
+        // IS NULL filter may not be supported in all adapter versions — not critical
+    }
+    // 6. Generate code + hash + insert row
+    const code = generate_otp_code();
+    const otp_hash = await hash_otp_code(code);
+    const expires_at = new Date(Date.now() + cfg.code_ttl_seconds * 1000).toISOString();
+    const row_id = crypto.randomUUID();
+    await otp_table.insert({
+        id: row_id,
+        user_id: existing_user ? String(existing_user.id) : null,
+        email,
+        otp_hash,
+        expires_at,
+        attempt_count: 0,
+        requester_ip: ip,
+    });
+    // 7. Dispatch email — fire-and-forget; errors are logged but do not surface to caller
+    try {
+        await send_template_email("otp_signin_code", email, {
+            otp_code: code,
+            expires_in_minutes: String(Math.round(cfg.code_ttl_seconds / 60)),
+        });
+    }
+    catch (err) {
+        logger.error("otp_request_email_dispatch_failed", {
+            email,
+            ip,
+            error: err instanceof Error ? err.message : String(err),
+        });
+        // Return ok:true to preserve no-enumeration property — caller cannot distinguish
+        // a missing user from a delivery failure.
+    }
+    return { ok: true };
+}
+export async function verify_email_otp(args) {
+    const logger = create_app_logger();
+    const cfg = get_otp_config();
+    const email = args.email.trim().toLowerCase();
+    const code = args.code.trim();
+    const adapter = get_hazo_connect_instance();
+    const otp_table = createCrudService(adapter, "hazo_email_otps");
+    const users_table = createCrudService(adapter, "hazo_users");
+    const user_scopes_table = createCrudService(adapter, "hazo_user_scopes");
+    const roles_table = createCrudService(adapter, "hazo_roles");
+    // 1. Find most-recent unconsumed row for this email
+    const now_iso = new Date().toISOString();
+    const candidates = await otp_table.list((qb) => qb
+        .select(["id", "user_id", "otp_hash", "expires_at", "attempt_count"])
+        .where("email", "eq", email)
+        .where("consumed_at", "is", null)
+        .order("created_at", "desc")
+        .limit(1));
+    const row = candidates.length > 0 ? candidates[0] : null;
+    if (!row) {
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 2. Check expiry
+    const expires_at_ms = Date.parse(String(row.expires_at));
+    if (Number.isNaN(expires_at_ms) || expires_at_ms < Date.now()) {
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 3. argon2 verify
+    const is_valid = await verify_otp_code(String(row.otp_hash), code);
+    if (!is_valid) {
+        const new_attempt_count = Number(row.attempt_count) + 1;
+        const updates = { attempt_count: new_attempt_count };
+        if (new_attempt_count >= cfg.max_verify_attempts) {
+            updates.consumed_at = now_iso; // poison
+        }
+        await otp_table.updateById(String(row.id), updates);
+        logger.info("otp_verify_invalid_code", {
+            email,
+            attempt_count: new_attempt_count,
+            poisoned: new_attempt_count >= cfg.max_verify_attempts,
+        });
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 4. Mark consumed
+    await otp_table.updateById(String(row.id), { consumed_at: now_iso });
+    // 5. Resolve / create user
+    let user_id = row.user_id ? String(row.user_id) : null;
+    if (user_id) {
+        // Ensure email_verified=true
+        const user = await users_table.findById(user_id);
+        if (user && !user.email_verified) {
+            await users_table.updateById(user_id, { email_verified: true });
+        }
+    }
+    else if (cfg.auto_register) {
+        // Create user + bind scope/role
+        const new_user_id = crypto.randomUUID();
+        await users_table.insert({
+            id: new_user_id,
+            email_address: email,
+            email_verified: true,
+            password_hash: null,
+            name: null,
+        });
+        // Resolve role_id from name — try scope-specific first, then any
+        const scoped_roles = await roles_table.findBy({
+            name: cfg.auto_assign_role_name,
+            scope_id: cfg.auto_assign_scope_id,
+        });
+        let role_id = null;
+        if (scoped_roles.length > 0) {
+            role_id = String(scoped_roles[0].id);
+        }
+        else {
+            const any_roles = await roles_table.findBy({ name: cfg.auto_assign_role_name });
+            if (any_roles.length > 0) {
+                role_id = String(any_roles[0].id);
+            }
+        }
+        if (!role_id) {
+            logger.error("otp_verify_auto_register_role_not_found", {
+                email,
+                scope_id: cfg.auto_assign_scope_id,
+                role_name: cfg.auto_assign_role_name,
+            });
+            return { ok: false, error: "invalid_or_expired" };
+        }
+        await user_scopes_table.insert({
+            user_id: new_user_id,
+            scope_id: cfg.auto_assign_scope_id,
+            root_scope_id: cfg.auto_assign_scope_id,
+            role_id,
+        });
+        user_id = new_user_id;
+    }
+    else {
+        // Row exists but no user and auto_register=false — stale edge case
+        logger.warn("otp_verify_no_user_resolvable", { email });
+        return { ok: false, error: "invalid_or_expired" };
+    }
+    // 6. Issue session JWT with OTP TTL
+    const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+    const session_token = await create_session_token(user_id, email, undefined, ttl_seconds);
+    logger.info("otp_verify_ok", { email, user_id, ttl_seconds });
+    return { ok: true, user_id, email, session_token };
+}

package/dist/lib/services/session_token_service.d.ts

@@ -16,9 +16,11 @@ export type ValidateSessionTokenResult = {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
+ * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
+ * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
-export declare function create_session_token(user_id: string, email: string, managed_by_user_id?: string): Promise<string>;
+export declare function create_session_token(user_id: string, email: string, managed_by_user_id?: string, ttl_seconds?: number): Promise<string>;
 /**
  * Validates a JWT session token
  * Checks signature and expiration

package/dist/lib/services/session_token_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}
+{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,EAC3B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}

package/dist/lib/services/session_token_service.js

@@ -41,14 +41,16 @@ function get_session_token_expiry_seconds() {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
+ * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
+ * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
-export async function create_session_token(user_id, email, managed_by_user_id) {
+export async function create_session_token(user_id, email, managed_by_user_id, ttl_seconds) {
     const logger = create_app_logger();
     try {
         const secret = get_jwt_secret();
         const now = Math.floor(Date.now() / 1000); // Current time in seconds
-        const expiry_seconds = get_session_token_expiry_seconds();
+        const expiry_seconds = ttl_seconds !== null && ttl_seconds !== void 0 ? ttl_seconds : get_session_token_expiry_seconds();
         const exp = now + expiry_seconds;
         const payload = { user_id, email };
         if (managed_by_user_id) {

package/dist/page_components/create_firm.d.ts

@@ -2,7 +2,19 @@ import "server-only";
 export type CreateFirmPageProps = {
     /** Disable the navbar wrapper */
     disableNavbar?: boolean;
+    /**
+     * Optional theme that controls visual appearance and layout mode.
+     * When `theme.layout` is `"split"`, activates the two-column split layout
+     * with the brand panel on the left.
+     */
+    theme?: import("../theme/theme_types").HazoAuthTheme;
+    /** Override the page heading. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
+    title?: string;
+    /** Override the page subtitle. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
+    subtitle?: string;
+    /** Override the submit button label. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
+    ctaText?: string;
 };
-export default function CreateFirmPage({ disableNavbar }?: CreateFirmPageProps): import("react/jsx-runtime").JSX.Element;
+export default function CreateFirmPage({ disableNavbar, theme, title, subtitle, ctaText }?: CreateFirmPageProps): import("react/jsx-runtime").JSX.Element;
 export { CreateFirmPage };
 //# sourceMappingURL=create_firm.d.ts.map

package/dist/page_components/create_firm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create_firm.d.ts","sourceRoot":"","sources":["../../src/page_components/create_firm.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAQrB,MAAM,MAAM,mBAAmB,GAAG;IAChC,iCAAiC;IACjC,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAsDF,MAAM,CAAC,OAAO,UAAU,cAAc,CAAC,EAAE,aAAa,EAAE,GAAE,mBAAwB,2CAsBjF;AAGD,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"create_firm.d.ts","sourceRoot":"","sources":["../../src/page_components/create_firm.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AASrB,MAAM,MAAM,mBAAmB,GAAG;IAChC,iCAAiC;IACjC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,sBAAsB,EAAE,aAAa,CAAC;IACrD,0FAA0F;IAC1F,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2FAA2F;IAC3F,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iGAAiG;IACjG,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAkCF,MAAM,CAAC,OAAO,UAAU,cAAc,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAE,mBAAwB,2CA6BlH;AAGD,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/page_components/create_firm.js

@@ -6,24 +6,28 @@ import "server-only";
 import CreateFirmLayout from "../components/layouts/create_firm/index.js";
 import { AuthPageShell } from "../components/layouts/shared/components/auth_page_shell.js";
 import { get_config_value } from "../lib/config/config_loader.server.js";
+import { DEFAULT_STRINGS, readStrings } from "../strings.js";
 // section: config_loader
 function get_create_firm_config() {
     return {
-        image_src: get_config_value("hazo_auth__create_firm", "image_src", "/hazo_auth/images/new_firm_default.jpg"),
-        heading: get_config_value("hazo_auth__create_firm", "heading", "Create Your Firm"),
-        sub_heading: get_config_value("hazo_auth__create_firm", "sub_heading", "Set up your organisation to get started"),
         firm_name_label: get_config_value("hazo_auth__create_firm", "firm_name_label", "Firm Name"),
         org_structure_label: get_config_value("hazo_auth__create_firm", "org_structure_label", "Organisation Structure"),
         org_structure_default: get_config_value("hazo_auth__create_firm", "org_structure_default", "Headquarters"),
-        submit_button_label: get_config_value("hazo_auth__create_firm", "submit_button_label", "Create Firm"),
         success_message: get_config_value("hazo_auth__create_firm", "success_message", "Your firm has been created successfully!"),
         redirect_route: get_config_value("hazo_auth__create_firm", "redirect_route", "/"),
     };
 }
 // section: component
-export default function CreateFirmPage({ disableNavbar } = {}) {
+export default function CreateFirmPage({ disableNavbar, theme, title, subtitle, ctaText } = {}) {
+    var _a, _b, _c;
+    // Resolve strings: prop > HazoAuthStringsProvider > DEFAULT_STRINGS
+    const strings = readStrings();
+    const cf_strings = strings.create_firm;
+    const resolved_title = (_a = title !== null && title !== void 0 ? title : cf_strings.title) !== null && _a !== void 0 ? _a : DEFAULT_STRINGS.create_firm.title;
+    const resolved_subtitle = (_b = subtitle !== null && subtitle !== void 0 ? subtitle : cf_strings.subtitle) !== null && _b !== void 0 ? _b : DEFAULT_STRINGS.create_firm.subtitle;
+    const resolved_cta = (_c = ctaText !== null && ctaText !== void 0 ? ctaText : cf_strings.ctaText) !== null && _c !== void 0 ? _c : DEFAULT_STRINGS.create_firm.ctaText;
     const config = get_create_firm_config();
-    const layoutContent = (_jsx(CreateFirmLayout, { image_src: config.image_src, heading: config.heading, sub_heading: config.sub_heading, firm_name_label: config.firm_name_label, org_structure_label: config.org_structure_label, default_org_structure: config.org_structure_default, submit_button_label: config.submit_button_label, success_message: config.success_message, redirect_route: config.redirect_route }));
+    const layoutContent = (_jsx(CreateFirmLayout, { heading: resolved_title, sub_heading: resolved_subtitle, firm_name_label: config.firm_name_label, org_structure_label: config.org_structure_label, default_org_structure: config.org_structure_default, submit_button_label: resolved_cta, success_message: config.success_message, redirect_route: config.redirect_route, theme: theme }));
     if (disableNavbar) {
         return layoutContent;
     }

package/dist/page_components/forgot_password.d.ts

@@ -4,9 +4,6 @@ export type ForgotPasswordPageProps = {
     showReturnHomeButton?: boolean;
     returnHomeButtonLabel?: string;
     returnHomePath?: string;
-    imageSrc?: string;
-    imageAlt?: string;
-    imageBackgroundColor?: string;
 };
 /**
  * Zero-config forgot password page component
@@ -14,6 +11,6 @@ export type ForgotPasswordPageProps = {
  * @param props - Optional configuration overrides
  * @returns Forgot password page component
  */
-export declare function ForgotPasswordPage({ alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, imageSrc, imageAlt, imageBackgroundColor, }?: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function ForgotPasswordPage({ alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, }?: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
 export default ForgotPasswordPage;
 //# sourceMappingURL=forgot_password.d.ts.map

package/dist/page_components/forgot_password.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/page_components/forgot_password.tsx"],"names":[],"mappings":"AA+BA,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,QAA4B,EAC5B,QAA4B,EAC5B,oBAAuC,GACxC,GAAE,uBAA4B,2CAmC9B;AAED,eAAe,kBAAkB,CAAC"}
+{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/page_components/forgot_password.tsx"],"names":[],"mappings":"AA0BA,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,GACrB,GAAE,uBAA4B,2CAgC9B;AAED,eAAe,kBAAkB,CAAC"}

package/dist/page_components/forgot_password.js

@@ -21,10 +21,6 @@ import { useEffect, useState } from "react";
 import forgot_password_layout from "../components/layouts/forgot_password/index.js";
 import { createLayoutDataClient } from "../components/layouts/shared/data/layout_data_client.js";
 import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
-// section: constants
-const DEFAULT_IMAGE_SRC = "/hazo_auth/images/forgot_password_default.jpg";
-const DEFAULT_IMAGE_ALT = "Illustration of a globe representing secure authentication workflows";
-const DEFAULT_IMAGE_BG = "#f1f5f9";
 // section: component
 /**
  * Zero-config forgot password page component
@@ -32,7 +28,7 @@ const DEFAULT_IMAGE_BG = "#f1f5f9";
  * @param props - Optional configuration overrides
  * @returns Forgot password page component
  */
-export function ForgotPasswordPage({ alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", imageSrc = DEFAULT_IMAGE_SRC, imageAlt = DEFAULT_IMAGE_ALT, imageBackgroundColor = DEFAULT_IMAGE_BG, } = {}) {
+export function ForgotPasswordPage({ alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", } = {}) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -45,6 +41,6 @@ export function ForgotPasswordPage({ alreadyLoggedInMessage = "You are already l
         return (_jsx("div", { className: "cls_forgot_password_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
     const ForgotPasswordLayout = forgot_password_layout;
-    return (_jsx(ForgotPasswordLayout, { image_src: imageSrc, image_alt: imageAlt, image_background_color: imageBackgroundColor, data_client: dataClient, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath }));
+    return (_jsx(ForgotPasswordLayout, { data_client: dataClient, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath }));
 }
 export default ForgotPasswordPage;

package/dist/page_components/login.d.ts

@@ -15,9 +15,6 @@ export type LoginPageProps = {
     createAccountPath?: string;
     createAccountLabel?: string;
     urlOnLogon?: string;
-    imageSrc?: string;
-    imageAlt?: string;
-    imageBackgroundColor?: string;
 };
 /**
  * Zero-config login page component
@@ -25,6 +22,6 @@ export type LoginPageProps = {
  * @param props - Optional configuration overrides
  * @returns Login page component
  */
-export declare function LoginPage({ redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, urlOnLogon, imageSrc, imageAlt, imageBackgroundColor, }?: LoginPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function LoginPage({ redirectRoute, successMessage, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, forgotPasswordPath, forgotPasswordLabel, createAccountPath, createAccountLabel, urlOnLogon, }?: LoginPageProps): import("react/jsx-runtime").JSX.Element;
 export default LoginPage;
 //# sourceMappingURL=login.d.ts.map

package/dist/page_components/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/page_components/login.tsx"],"names":[],"mappings":"AA+BA;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,EACxB,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,kBAAiD,EACjD,mBAAwC,EACxC,iBAAyC,EACzC,kBAAqC,EACrC,UAAU,EACV,QAA4B,EAC5B,QAA4B,EAC5B,oBAAuC,GACxC,GAAE,cAAmB,2CA0CrB;AAED,eAAe,SAAS,CAAC"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/page_components/login.tsx"],"names":[],"mappings":"AA0BA;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,EACxB,aAAa,EACb,cAAyC,EACzC,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,kBAAiD,EACjD,mBAAwC,EACxC,iBAAyC,EACzC,kBAAqC,EACrC,UAAU,GACX,GAAE,cAAmB,2CAuCrB;AAED,eAAe,SAAS,CAAC"}