hazo_auth 6.0.0 → 7.0.1

package/dist/page_components/login.js

@@ -21,10 +21,6 @@ import { useEffect, useState } from "react";
 import login_layout from "../components/layouts/login/index.js";
 import { createLayoutDataClient } from "../components/layouts/shared/data/layout_data_client.js";
 import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
-// section: constants
-const DEFAULT_IMAGE_SRC = "/hazo_auth/images/login_default.jpg";
-const DEFAULT_IMAGE_ALT = "Illustration of a globe representing secure authentication workflows";
-const DEFAULT_IMAGE_BG = "#f1f5f9";
 // section: component
 /**
  * Zero-config login page component
@@ -32,7 +28,7 @@ const DEFAULT_IMAGE_BG = "#f1f5f9";
  * @param props - Optional configuration overrides
  * @returns Login page component
  */
-export function LoginPage({ redirectRoute, successMessage = "Successfully logged in", alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", forgotPasswordPath = "/hazo_auth/forgot_password", forgotPasswordLabel = "Forgot password?", createAccountPath = "/hazo_auth/register", createAccountLabel = "Create account", urlOnLogon, imageSrc = DEFAULT_IMAGE_SRC, imageAlt = DEFAULT_IMAGE_ALT, imageBackgroundColor = DEFAULT_IMAGE_BG, } = {}) {
+export function LoginPage({ redirectRoute, successMessage = "Successfully logged in", alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", forgotPasswordPath = "/hazo_auth/forgot_password", forgotPasswordLabel = "Forgot password?", createAccountPath = "/hazo_auth/register", createAccountLabel = "Create account", urlOnLogon, } = {}) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -45,6 +41,6 @@ export function LoginPage({ redirectRoute, successMessage = "Successfully logged
         return (_jsx("div", { className: "cls_login_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
     const LoginLayout = login_layout;
-    return (_jsx(LoginLayout, { image_src: imageSrc, image_alt: imageAlt, image_background_color: imageBackgroundColor, data_client: dataClient, redirectRoute: redirectRoute, successMessage: successMessage, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, forgot_password_path: forgotPasswordPath, forgot_password_label: forgotPasswordLabel, create_account_path: createAccountPath, create_account_label: createAccountLabel, urlOnLogon: urlOnLogon }));
+    return (_jsx(LoginLayout, { data_client: dataClient, redirectRoute: redirectRoute, successMessage: successMessage, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, forgot_password_path: forgotPasswordPath, forgot_password_label: forgotPasswordLabel, create_account_path: createAccountPath, create_account_label: createAccountLabel, urlOnLogon: urlOnLogon }));
 }
 export default LoginPage;

package/dist/page_components/otp.d.ts

@@ -0,0 +1,4 @@
+import "server-only";
+export { default, OTPPage } from "../server_pages/otp.js";
+export type { OTPPageProps } from "../server_pages/otp";
+//# sourceMappingURL=otp.d.ts.map

package/dist/page_components/otp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp.d.ts","sourceRoot":"","sources":["../../src/page_components/otp.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACvD,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/page_components/otp.js

@@ -0,0 +1,5 @@
+// file_description: zero-config OTP page component for hazo_auth
+// section: server-only-guard
+import "server-only";
+// section: imports
+export { default, OTPPage } from "../server_pages/otp.js";

package/dist/page_components/register.d.ts

@@ -10,9 +10,6 @@ export type RegisterPageProps = {
     signInPath?: string;
     signInLabel?: string;
     urlOnLogon?: string;
-    imageSrc?: string;
-    imageAlt?: string;
-    imageBackgroundColor?: string;
 };
 /**
  * Zero-config register page component
@@ -20,6 +17,6 @@ export type RegisterPageProps = {
  * @param props - Optional configuration overrides
  * @returns Register page component
  */
-export declare function RegisterPage({ showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, urlOnLogon, imageSrc, imageAlt, imageBackgroundColor, }?: RegisterPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function RegisterPage({ showNameField, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, signInPath, signInLabel, urlOnLogon, }?: RegisterPageProps): import("react/jsx-runtime").JSX.Element;
 export default RegisterPage;
 //# sourceMappingURL=register.d.ts.map

package/dist/page_components/register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/page_components/register.tsx"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,0DAA0D,CAAC;AAgB7G,MAAM,MAAM,iBAAiB,GAAG;IAC9B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,EAC3B,aAAoB,EACpB,oBAAoD,EACpD,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,UAA+B,EAC/B,WAAuB,EACvB,UAAU,EACV,QAA4B,EAC5B,QAA4B,EAC5B,oBAAuC,GACxC,GAAE,iBAAsB,2CAwCxB;AAED,eAAe,YAAY,CAAC"}
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/page_components/register.tsx"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,0DAA0D,CAAC;AAW7G,MAAM,MAAM,iBAAiB,GAAG;IAC9B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,EAC3B,aAAoB,EACpB,oBAAoD,EACpD,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,UAA+B,EAC/B,WAAuB,EACvB,UAAU,GACX,GAAE,iBAAsB,2CAqCxB;AAED,eAAe,YAAY,CAAC"}

package/dist/page_components/register.js

@@ -21,10 +21,6 @@ import { useEffect, useState } from "react";
 import register_layout from "../components/layouts/register/index.js";
 import { createLayoutDataClient } from "../components/layouts/shared/data/layout_data_client.js";
 import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
-// section: constants
-const DEFAULT_IMAGE_SRC = "/hazo_auth/images/register_default.jpg";
-const DEFAULT_IMAGE_ALT = "Illustration of a globe representing secure authentication workflows";
-const DEFAULT_IMAGE_BG = "#e2e8f0";
 const DEFAULT_PASSWORD_REQUIREMENTS = {
     minimum_length: 8,
     require_uppercase: true,
@@ -39,7 +35,7 @@ const DEFAULT_PASSWORD_REQUIREMENTS = {
  * @param props - Optional configuration overrides
  * @returns Register page component
  */
-export function RegisterPage({ showNameField = true, passwordRequirements = DEFAULT_PASSWORD_REQUIREMENTS, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", signInPath = "/hazo_auth/login", signInLabel = "Sign in", urlOnLogon, imageSrc = DEFAULT_IMAGE_SRC, imageAlt = DEFAULT_IMAGE_ALT, imageBackgroundColor = DEFAULT_IMAGE_BG, } = {}) {
+export function RegisterPage({ showNameField = true, passwordRequirements = DEFAULT_PASSWORD_REQUIREMENTS, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", signInPath = "/hazo_auth/login", signInLabel = "Sign in", urlOnLogon, } = {}) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -52,6 +48,6 @@ export function RegisterPage({ showNameField = true, passwordRequirements = DEFA
         return (_jsx("div", { className: "cls_register_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
     const RegisterLayout = register_layout;
-    return (_jsx(RegisterLayout, { image_src: imageSrc, image_alt: imageAlt, image_background_color: imageBackgroundColor, password_requirements: passwordRequirements, show_name_field: showNameField, data_client: dataClient, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, signInPath: signInPath, signInLabel: signInLabel, urlOnLogon: urlOnLogon }));
+    return (_jsx(RegisterLayout, { password_requirements: passwordRequirements, show_name_field: showNameField, data_client: dataClient, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, signInPath: signInPath, signInLabel: signInLabel, urlOnLogon: urlOnLogon }));
 }
 export default RegisterPage;

package/dist/page_components/reset_password.d.ts

@@ -10,9 +10,6 @@ export type ResetPasswordPageProps = {
     showReturnHomeButton?: boolean;
     returnHomeButtonLabel?: string;
     returnHomePath?: string;
-    imageSrc?: string;
-    imageAlt?: string;
-    imageBackgroundColor?: string;
 };
 /**
  * Zero-config reset password page component
@@ -20,6 +17,6 @@ export type ResetPasswordPageProps = {
  * @param props - Optional configuration overrides
  * @returns Reset password page component
  */
-export declare function ResetPasswordPage({ errorMessage, successMessage, loginPath, forgotPasswordPath, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, imageSrc, imageAlt, imageBackgroundColor, }?: ResetPasswordPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function ResetPasswordPage({ errorMessage, successMessage, loginPath, forgotPasswordPath, passwordRequirements, alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, }?: ResetPasswordPageProps): import("react/jsx-runtime").JSX.Element;
 export default ResetPasswordPage;
 //# sourceMappingURL=reset_password.d.ts.map

package/dist/page_components/reset_password.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reset_password.d.ts","sourceRoot":"","sources":["../../src/page_components/reset_password.tsx"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,0DAA0D,CAAC;AAgB7G,MAAM,MAAM,sBAAsB,GAAG;IACnC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,EAChC,YAAmE,EACnE,cAAwF,EACxF,SAA8B,EAC9B,kBAAiD,EACjD,oBAAoD,EACpD,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,QAA4B,EAC5B,QAA4B,EAC5B,oBAAuC,GACxC,GAAE,sBAA2B,2CAsC7B;AAED,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"reset_password.d.ts","sourceRoot":"","sources":["../../src/page_components/reset_password.tsx"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,0DAA0D,CAAC;AAW7G,MAAM,MAAM,sBAAsB,GAAG;IACnC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,EAChC,YAAmE,EACnE,cAAwF,EACxF,SAA8B,EAC9B,kBAAiD,EACjD,oBAAoD,EACpD,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,GACrB,GAAE,sBAA2B,2CAmC7B;AAED,eAAe,iBAAiB,CAAC"}

package/dist/page_components/reset_password.js

@@ -21,10 +21,6 @@ import { useEffect, useState } from "react";
 import reset_password_layout from "../components/layouts/reset_password/index.js";
 import { createLayoutDataClient } from "../components/layouts/shared/data/layout_data_client.js";
 import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
-// section: constants
-const DEFAULT_IMAGE_SRC = "/hazo_auth/images/reset_password_default.jpg";
-const DEFAULT_IMAGE_ALT = "Illustration of a globe representing secure authentication workflows";
-const DEFAULT_IMAGE_BG = "#f1f5f9";
 const DEFAULT_PASSWORD_REQUIREMENTS = {
     minimum_length: 8,
     require_uppercase: true,
@@ -39,7 +35,7 @@ const DEFAULT_PASSWORD_REQUIREMENTS = {
  * @param props - Optional configuration overrides
  * @returns Reset password page component
  */
-export function ResetPasswordPage({ errorMessage = "Your password reset link has expired or is invalid", successMessage = "Password reset successful! You can now log in with your new password.", loginPath = "/hazo_auth/login", forgotPasswordPath = "/hazo_auth/forgot_password", passwordRequirements = DEFAULT_PASSWORD_REQUIREMENTS, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", imageSrc = DEFAULT_IMAGE_SRC, imageAlt = DEFAULT_IMAGE_ALT, imageBackgroundColor = DEFAULT_IMAGE_BG, } = {}) {
+export function ResetPasswordPage({ errorMessage = "Your password reset link has expired or is invalid", successMessage = "Password reset successful! You can now log in with your new password.", loginPath = "/hazo_auth/login", forgotPasswordPath = "/hazo_auth/forgot_password", passwordRequirements = DEFAULT_PASSWORD_REQUIREMENTS, alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", } = {}) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -52,6 +48,6 @@ export function ResetPasswordPage({ errorMessage = "Your password reset link has
         return (_jsx("div", { className: "cls_reset_password_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
     const ResetPasswordLayout = reset_password_layout;
-    return (_jsx(ResetPasswordLayout, { image_src: imageSrc, image_alt: imageAlt, image_background_color: imageBackgroundColor, data_client: dataClient, errorMessage: errorMessage, successMessage: successMessage, password_requirements: passwordRequirements, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath }));
+    return (_jsx(ResetPasswordLayout, { data_client: dataClient, errorMessage: errorMessage, successMessage: successMessage, password_requirements: passwordRequirements, alreadyLoggedInMessage: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath }));
 }
 export default ResetPasswordPage;

package/dist/page_components/verify_email.d.ts

@@ -6,9 +6,6 @@ export type VerifyEmailPageProps = {
     returnHomePath?: string;
     redirectDelay?: number;
     loginPath?: string;
-    imageSrc?: string;
-    imageAlt?: string;
-    imageBackgroundColor?: string;
 };
 /**
  * Zero-config verify email page component
@@ -16,6 +13,6 @@ export type VerifyEmailPageProps = {
  * @param props - Optional configuration overrides
  * @returns Verify email page component
  */
-export declare function VerifyEmailPage({ alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, redirectDelay, loginPath, imageSrc, imageAlt, imageBackgroundColor, }?: VerifyEmailPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function VerifyEmailPage({ alreadyLoggedInMessage, showLogoutButton, showReturnHomeButton, returnHomeButtonLabel, returnHomePath, redirectDelay, loginPath, }?: VerifyEmailPageProps): import("react/jsx-runtime").JSX.Element;
 export default VerifyEmailPage;
 //# sourceMappingURL=verify_email.d.ts.map

package/dist/page_components/verify_email.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify_email.d.ts","sourceRoot":"","sources":["../../src/page_components/verify_email.tsx"],"names":[],"mappings":"AA+BA,MAAM,MAAM,oBAAoB,GAAG;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,EAC9B,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,aAAoB,EACpB,SAA8B,EAC9B,QAA4B,EAC5B,QAA4B,EAC5B,oBAAuC,GACxC,GAAE,oBAAyB,2CAqC3B;AAED,eAAe,eAAe,CAAC"}
+{"version":3,"file":"verify_email.d.ts","sourceRoot":"","sources":["../../src/page_components/verify_email.tsx"],"names":[],"mappings":"AA0BA,MAAM,MAAM,oBAAoB,GAAG;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,EAC9B,sBAAoD,EACpD,gBAAuB,EACvB,oBAA4B,EAC5B,qBAAqC,EACrC,cAAoB,EACpB,aAAoB,EACpB,SAA8B,GAC/B,GAAE,oBAAyB,2CAkC3B;AAED,eAAe,eAAe,CAAC"}

package/dist/page_components/verify_email.js

@@ -21,10 +21,6 @@ import { useEffect, useState } from "react";
 import email_verification_layout from "../components/layouts/email_verification/index.js";
 import { createLayoutDataClient } from "../components/layouts/shared/data/layout_data_client.js";
 import { create_sqlite_hazo_connect } from "../lib/hazo_connect_setup.js";
-// section: constants
-const DEFAULT_IMAGE_SRC = "/hazo_auth/images/verify_email_default.jpg";
-const DEFAULT_IMAGE_ALT = "Illustration of a globe representing secure authentication workflows";
-const DEFAULT_IMAGE_BG = "#f1f5f9";
 // section: component
 /**
  * Zero-config verify email page component
@@ -32,7 +28,7 @@ const DEFAULT_IMAGE_BG = "#f1f5f9";
  * @param props - Optional configuration overrides
  * @returns Verify email page component
  */
-export function VerifyEmailPage({ alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", redirectDelay = 3000, loginPath = "/hazo_auth/login", imageSrc = DEFAULT_IMAGE_SRC, imageAlt = DEFAULT_IMAGE_ALT, imageBackgroundColor = DEFAULT_IMAGE_BG, } = {}) {
+export function VerifyEmailPage({ alreadyLoggedInMessage = "You are already logged in", showLogoutButton = true, showReturnHomeButton = false, returnHomeButtonLabel = "Return home", returnHomePath = "/", redirectDelay = 3000, loginPath = "/hazo_auth/login", } = {}) {
     const [dataClient, setDataClient] = useState(null);
     useEffect(() => {
         // Initialize hazo_connect on client side
@@ -45,6 +41,6 @@ export function VerifyEmailPage({ alreadyLoggedInMessage = "You are already logg
         return (_jsx("div", { className: "cls_verify_email_page_loading flex items-center justify-center min-h-screen", children: _jsx("div", { className: "text-slate-600 animate-pulse", children: "Loading..." }) }));
     }
     const EmailVerificationLayout = email_verification_layout;
-    return (_jsx(EmailVerificationLayout, { image_src: imageSrc, image_alt: imageAlt, image_background_color: imageBackgroundColor, data_client: dataClient, already_logged_in_message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, redirect_delay: redirectDelay, login_path: loginPath }));
+    return (_jsx(EmailVerificationLayout, { data_client: dataClient, already_logged_in_message: alreadyLoggedInMessage, showLogoutButton: showLogoutButton, showReturnHomeButton: showReturnHomeButton, returnHomeButtonLabel: returnHomeButtonLabel, returnHomePath: returnHomePath, redirect_delay: redirectDelay, login_path: loginPath }));
 }
 export default VerifyEmailPage;

package/dist/server/routes/index.d.ts

@@ -8,6 +8,8 @@ export { POST as changePasswordPOST } from "./change_password.js";
 export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";
 export { DELETE as removeProfilePictureDELETE } from "./remove_profile_picture.js";
@@ -26,6 +28,7 @@ export { GET as invitationsGET, POST as invitationsPOST, PATCH as invitationsPAT
 export { POST as createFirmPOST } from "./create_firm.js";
 export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
 export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { facebookCallbackGET } from "./oauth_facebook_callback.js";
 export { POST as setPasswordPOST } from "./set_password.js";
 export { GET as relationshipsGET, POST as relationshipsPOST, PATCH as relationshipsPATCH, DELETE as relationshipsDELETE } from "./relationships.js";
 export { POST as relationshipSelfPOST } from "./relationship_self.js";

package/dist/server/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAC5I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAC5I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/server/routes/index.js

@@ -13,6 +13,9 @@ export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 // Email verification routes
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
+// OTP routes (one-time password via email)
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
 // User profile routes
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";
@@ -38,6 +41,7 @@ export { POST as createFirmPOST } from "./create_firm.js";
 // OAuth routes
 export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
 export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { facebookCallbackGET } from "./oauth_facebook_callback.js";
 export { POST as setPasswordPOST } from "./set_password.js";
 // Relationship routes (managed sub-profiles)
 export { GET as relationshipsGET, POST as relationshipsPOST, PATCH as relationshipsPATCH, DELETE as relationshipsDELETE } from "./relationships.js";

package/dist/server/routes/me.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA+G7C"}
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA+BxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IAqJ7C"}

package/dist/server/routes/me.js

@@ -1,6 +1,7 @@
 // file_description: API route handler to get current authenticated user information with permissions
 // section: imports
 import { NextResponse } from "next/server";
+import { jwtVerify } from "jose";
 import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
@@ -8,6 +9,9 @@ import { map_db_source_to_ui } from "../../lib/services/profile_picture_source_m
 import { create_app_logger } from "../../lib/app_logger.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { is_user_types_enabled, get_user_type_by_key, } from "../../lib/user_types_config.server.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES, } from "../../lib/cookies_config.server.js";
+import { create_session_token } from "../../lib/services/session_token_service.js";
+import { get_otp_config, hazo_auth_otp_session_ttl_seconds, } from "../../lib/otp_config.server.js";
 // section: helpers
 function strip_sentinel_email(email) {
     if (!email)
@@ -24,6 +28,7 @@ function strip_sentinel_email(email) {
  * Always returns the same format to prevent downstream variations.
  */
 export async function GET(request) {
+    var _a, _b, _c, _d, _e, _f;
     const logger = create_app_logger();
     try {
         // Use hazo_get_auth to get user with permissions
@@ -70,7 +75,7 @@ export async function GET(request) {
         }
         // Return unified format with all fields
         const profile_pic = auth_result.user.profile_picture_url;
-        return NextResponse.json({
+        const response = NextResponse.json({
             authenticated: true,
             // Top-level fields for backward compatibility
             user_id: auth_result.user.id,
@@ -100,6 +105,43 @@ export async function GET(request) {
             permission_ok: auth_result.permission_ok,
             missing_permissions: auth_result.missing_permissions,
         }, { status: 200 });
+        // --- OTP sliding-session hook ---
+        const session_kind = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND))) === null || _a === void 0 ? void 0 : _a.value;
+        if (session_kind === "otp") {
+            try {
+                const session_cookie = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))) === null || _b === void 0 ? void 0 : _b.value;
+                if (session_cookie) {
+                    const secret = new TextEncoder().encode((_c = process.env.JWT_SECRET) !== null && _c !== void 0 ? _c : "");
+                    const { payload } = await jwtVerify(session_cookie, secret);
+                    const exp = Number((_d = payload.exp) !== null && _d !== void 0 ? _d : 0);
+                    const now_seconds = Math.floor(Date.now() / 1000);
+                    const otp_cfg = get_otp_config();
+                    const seconds_until_exp = exp - now_seconds;
+                    if (seconds_until_exp > 0 && seconds_until_exp < otp_cfg.slide_when_within_seconds) {
+                        const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
+                        const user_id = String((_e = payload.user_id) !== null && _e !== void 0 ? _e : "");
+                        const user_email = String((_f = payload.email) !== null && _f !== void 0 ? _f : "");
+                        const new_token = await create_session_token(user_id, user_email, undefined, ttl_seconds);
+                        const cookie_options = get_cookie_options({
+                            httpOnly: true,
+                            secure: process.env.NODE_ENV === "production",
+                            sameSite: "lax",
+                            path: "/",
+                            maxAge: ttl_seconds,
+                        });
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), new_token, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), user_email, cookie_options);
+                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "otp", cookie_options);
+                    }
+                }
+            }
+            catch (slide_err) {
+                // Slide is best-effort — never break /me for this
+            }
+        }
+        // --- end OTP sliding-session hook ---
+        return response;
     }
     catch (error) {
         const error_message = error instanceof Error ? error.message : "Unknown error";

package/dist/server/routes/oauth_facebook_callback.d.ts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from "next/server";
+/**
+ * Handles the OAuth callback after Facebook sign-in
+ * The user creation/linking is done in NextAuth signIn callback
+ * This route just sets the hazo_auth session cookies
+ */
+export declare function facebookCallbackGET(original_request: NextRequest): Promise<NextResponse<unknown>>;
+//# sourceMappingURL=oauth_facebook_callback.d.ts.map

package/dist/server/routes/oauth_facebook_callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth_facebook_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_facebook_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,gBAAgB,EAAE,WAAW,kCAoKtE"}

package/dist/server/routes/oauth_facebook_callback.js

@@ -0,0 +1,157 @@
+// file_description: Custom OAuth callback handler that creates hazo_auth session after Facebook sign-in
+// section: imports
+import { NextResponse } from "next/server";
+import { getToken } from "next-auth/jwt";
+import { create_app_logger } from "../../lib/app_logger.js";
+import { create_session_token } from "../../lib/services/session_token_service.js";
+import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
+import { get_login_config } from "../../lib/login_config.server.js";
+import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../lib/cookies_config.server.js";
+import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
+import { get_post_login_redirect } from "../../lib/services/post_verification_service.js";
+import { get_oauth_config } from "../../lib/oauth_config.server.js";
+import { rewrite_request_for_proxy } from "../../lib/utils/proxy_request.js";
+// section: api_handler
+/**
+ * Handles the OAuth callback after Facebook sign-in
+ * The user creation/linking is done in NextAuth signIn callback
+ * This route just sets the hazo_auth session cookies
+ */
+export async function facebookCallbackGET(original_request) {
+    // Rewrite request.url to public origin when behind a reverse proxy.
+    const request = rewrite_request_for_proxy(original_request);
+    const logger = create_app_logger();
+    // Detect if request came through HTTPS proxy (Cloudflare tunnel, etc.)
+    const is_secure = original_request.headers.get("x-forwarded-proto") === "https" ||
+        request.url.startsWith("https://");
+    // Resolve the configured sign-in page up-front so early error redirects
+    // honour [hazo_auth__oauth] sign_in_page just like the success path.
+    const sign_in_page = get_oauth_config().sign_in_page;
+    try {
+        // Get the NextAuth token from the session
+        const token = (await getToken({
+            req: request,
+            secureCookie: is_secure,
+        }));
+        logger.debug("facebook_callback_token_received", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            has_token: !!token,
+            has_email: !!(token === null || token === void 0 ? void 0 : token.email),
+            has_hazo_user_id: !!(token === null || token === void 0 ? void 0 : token.hazo_user_id),
+        });
+        if (!token) {
+            logger.warn("facebook_callback_no_token", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                note: "No NextAuth token found - user may not have completed Facebook sign-in",
+            });
+            const login_url = new URL(sign_in_page, request.url);
+            login_url.searchParams.set("error", "oauth_failed");
+            return NextResponse.redirect(login_url.toString());
+        }
+        // Validate we have the required data
+        if (!token.email || !token.hazo_user_id) {
+            logger.warn("facebook_callback_missing_data", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                has_email: !!token.email,
+                has_hazo_user_id: !!token.hazo_user_id,
+            });
+            const login_url = new URL(sign_in_page, request.url);
+            login_url.searchParams.set("error", "oauth_incomplete");
+            return NextResponse.redirect(login_url.toString());
+        }
+        const user_id = token.hazo_user_id;
+        const email = token.email;
+        logger.debug("facebook_callback_success", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+        });
+        // Get redirect URL based on user's scope/invitation status
+        const loginConfig = get_login_config();
+        const oauthConfig = get_oauth_config();
+        // Per-request override: same `?next=` pattern as Google callback.
+        const raw_next = request.nextUrl.searchParams.get("next");
+        const safe_next = raw_next &&
+            raw_next.startsWith("/") &&
+            !raw_next.startsWith("//") &&
+            !/^[a-z][a-z0-9+.\-]*:/i.test(raw_next)
+            ? raw_next
+            : null;
+        // Check if user needs onboarding
+        const hazoConnect = get_hazo_connect_instance();
+        const { redirect_url: determined_redirect, needs_onboarding, invitation_check_skipped, invitation_table_error, } = await get_post_login_redirect(hazoConnect, user_id, email, {
+            default_redirect: safe_next || oauthConfig.default_redirect || loginConfig.redirectRoute || "/",
+            create_firm_url: oauthConfig.create_firm_url,
+            skip_invitation_check: oauthConfig.skip_invitation_check,
+            no_scope_redirect: safe_next || oauthConfig.no_scope_redirect,
+        });
+        // Log warning if invitation table is missing
+        if (invitation_table_error) {
+            logger.warn("invitation_table_missing", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                email,
+                note: "hazo_invitations table does not exist - run migration or set skip_invitation_check=true in [hazo_auth__oauth]",
+            });
+        }
+        logger.debug("facebook_callback_post_login_redirect", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+            email,
+            redirect_url: determined_redirect,
+            needs_onboarding,
+            invitation_check_skipped,
+            invitation_table_error,
+        });
+        // Create redirect response
+        const redirect_url = new URL(determined_redirect, request.url);
+        const response = NextResponse.redirect(redirect_url.toString());
+        // Set authentication cookies
+        const base_cookie_options = {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === "production" || is_secure,
+            sameSite: "lax",
+            path: "/",
+            maxAge: 60 * 60 * 24 * 30, // 30 days
+        };
+        const cookie_options = get_cookie_options(base_cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), email, cookie_options);
+        // Create and set JWT session token
+        try {
+            const session_token = await create_session_token(user_id, email);
+            response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), session_token, cookie_options);
+        }
+        catch (token_error) {
+            const token_error_message = token_error instanceof Error ? token_error.message : "Unknown error";
+            logger.warn("facebook_callback_session_token_creation_failed", {
+                filename: get_filename(),
+                line_number: get_line_number(),
+                user_id,
+                email,
+                error: token_error_message,
+                note: "OAuth login succeeded but session token creation failed - using legacy cookies",
+            });
+        }
+        return response;
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        const error_stack = error instanceof Error ? error.stack : undefined;
+        logger.error("facebook_callback_error", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error_message,
+            error_stack,
+        });
+        const login_url = new URL(sign_in_page, request.url);
+        login_url.searchParams.set("error", "oauth_error");
+        return NextResponse.redirect(login_url.toString());
+    }
+}

package/dist/server/routes/oauth_google_callback.js

@@ -172,7 +172,7 @@ export async function GET(original_request) {
             error_message,
             error_stack,
         });
-        const login_url = new URL("/hazo_auth/login", request.url);
+        const login_url = new URL(sign_in_page, request.url);
         login_url.searchParams.set("error", "oauth_error");
         return NextResponse.redirect(login_url.toString());
     }

package/dist/server/routes/otp/request.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from "next/server";
+export declare function otpRequestPOST(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=request.d.ts.map

package/dist/server/routes/otp/request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../../../src/server/routes/otp/request.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAYxD,wBAAsB,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAsBhF"}

package/dist/server/routes/otp/request.js

@@ -0,0 +1,33 @@
+// file_description: API route handler for OTP request (sends OTP email to user)
+// section: imports
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { request_email_otp } from "../../../lib/services/otp_service.js";
+import { get_client_ip } from "../../../lib/auth/hazo_get_auth.server.js";
+import { create_app_logger } from "../../../lib/app_logger.js";
+// section: validation
+const RequestSchema = z.object({
+    email: z.string().email().max(254),
+});
+// section: api_handler
+export async function otpRequestPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const body_raw = await request.json().catch(() => ({}));
+        const parsed = RequestSchema.safeParse(body_raw);
+        if (!parsed.success) {
+            return NextResponse.json({ ok: false, error: "invalid_email" }, { status: 400 });
+        }
+        const ip = get_client_ip(request);
+        const result = await request_email_otp({ email: parsed.data.email, ip });
+        if (result.ok === false && result.error === "rate_limited") {
+            return NextResponse.json(result, { status: 429 });
+        }
+        return NextResponse.json({ ok: true }, { status: 200 });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error("otp_request_route_error", { error: msg });
+        return NextResponse.json({ ok: false, error: "server_error" }, { status: 500 });
+    }
+}

package/dist/server/routes/otp/verify.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from "next/server";
+export declare function otpVerifyPOST(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/server/routes/otp/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../../src/server/routes/otp/verify.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAmBxD,wBAAsB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAmD/E"}