hazo_auth 6.1.1 → 7.0.1

package/README.md

@@ -2,6 +2,28 @@
 
 A reusable authentication UI component package powered by Next.js, TailwindCSS, and shadcn. It integrates `hazo_config` for configuration management and `hazo_connect` for data access, enabling future components to stay aligned with platform conventions.
 
+## What's New in v7.0.0
+
+**Themes, cookie consent, text overrides, and Facebook OAuth.**
+
+### Highlights
+
+- **Pluggable theme system** — `createTheme` + `<HazoAuthThemeProvider>` (zero FOUC, compiles to shadcn CSS variables). Use a preset or build from scratch.
+- **Facebook OAuth** — `<FacebookSignInButton>` and `handle_facebook_oauth_login` service. Strict linking by default (verified accounts only).
+- **Cookie consent banner** — `<CookieConsentBanner>` from `hazo_auth/consent`. GTM optional, 4 categories, theme-driven.
+- **Text override system** — `<HazoAuthStringsProvider>` and per-page `title`/`subtitle`/`ctaText`/`legalText` props. INI text keys removed.
+- **Preset themes** — `preset_neutral` (default look, no config needed) and `preset_indigo_sunset` from `hazo_auth/themes`.
+
+### Breaking Changes Summary
+
+- Per-page `imageSrc`/`imageAlt`/`imageBackgroundColor` props removed — use `theme.brandPanel`.
+- INI text keys (`title`, `subtitle`, `cta_text`, `legal_text`) removed from layout sections — use `HazoAuthStringsProvider` or per-page props.
+- Facebook OAuth requires new env vars (`HAZO_AUTH_FACEBOOK_APP_ID`, `HAZO_AUTH_FACEBOOK_APP_SECRET`).
+
+> Full upgrade guide: [MIGRATION.md](./MIGRATION.md)
+
+---
+
 ## What's New in v6.1.0
 
 **Email-OTP sign-in** — a passwordless, OAuth-free way to sign in via a 6-digit code emailed to the user. Targeted at single-operator deployments that don't want to wire Google OAuth or manage passwords.
@@ -450,23 +472,30 @@ export default function Page() {
 }
 ```
 
-**Customizing Visual Appearance (Optional):**
+**Customizing Visual Appearance (v7.0+):**
 
-```typescript
-// All pages accept optional visual props
+Use `HazoAuthThemeProvider` instead of per-page image props (which were removed in v7.0):
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
 import { LoginPage } from "hazo_auth/pages/login";
 
+const theme = createTheme({
+  layout: "split",
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome.", backgroundGradient: "linear-gradient(135deg, #3730A3, #F59E0B)" },
+});
+
 export default function Page() {
   return (
-    <LoginPage
-      image_src="/custom-login-image.jpg"
-      image_alt="My company logo"
-      image_background_color="#f0f0f0"
-    />
+    <HazoAuthThemeProvider theme={theme}>
+      <LoginPage theme={theme} />
+    </HazoAuthThemeProvider>
   );
 }
 ```
 
+See the [Theming](#theming-v700) section for all options.
+
 **Embedding MySettings in Your Dashboard:**
 
 ```typescript
@@ -656,6 +685,132 @@ The dark class is typically added by next-themes or similar theme providers.
 
 ---
 
+## Theming (v7.0.0+)
+
+hazo_auth v7 ships a pluggable theme system. `<HazoAuthThemeProvider>` is a Server Component that injects CSS variables at `:root` with zero FOUC.
+
+### Option 1: Use a preset directly
+
+```tsx
+import { HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_indigo_sunset } from "hazo_auth/themes";
+
+// app/layout.tsx
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_indigo_sunset}>
+          {children}
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+`preset_neutral` is the default look (slate-700 palette, centered layout). Auth pages render acceptably with no theme configuration at all.
+
+### Option 2: Customize a preset
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_indigo_sunset } from "hazo_auth/themes";
+
+const theme = createTheme({
+  ...preset_indigo_sunset,
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome." },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+### Option 3: Build from scratch
+
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+
+const theme = createTheme({
+  colors: { primary: "#2563EB", primaryForeground: "#ffffff" },
+  layout: "split",
+  brandPanel: {
+    logoSrc: "/logo.svg",
+    tagline: "Welcome to MyApp.",
+    backgroundGradient: "linear-gradient(135deg, #2563EB, #7C3AED)",
+  },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+**Note:** `preset_indigo_sunset` uses `var(--font-display)` and `var(--font-body)`. Wire these in `app/layout.tsx` using `next/font`. See [MIGRATION.md §3](./MIGRATION.md).
+
+---
+
+## Cookie Consent (v7.0.0+)
+
+```tsx
+import { CookieConsentBanner } from "hazo_auth/consent";
+
+// In your root layout or a page:
+<CookieConsentBanner />
+
+// With GTM:
+<CookieConsentBanner enableGTM gtmContainerId="GTM-XXXX" />
+```
+
+Read consent server-side:
+
+```tsx
+import { read_consent } from "hazo_auth/consent";
+
+export async function GET(request: NextRequest) {
+  const consent = read_consent(request.headers);
+  if (consent.analytics) {
+    // Track event
+  }
+}
+```
+
+Use the `useConsent` hook client-side:
+
+```tsx
+"use client";
+import { useConsent } from "hazo_auth/consent";
+
+export function MyComponent() {
+  const { analytics, marketing } = useConsent();
+  // Syncs across tabs via custom event
+}
+```
+
+---
+
+## Strings & Text Overrides (v7.0.0+)
+
+INI text keys (`title`, `subtitle`, `cta_text`, `legal_text`) are removed in v7. Use `<HazoAuthStringsProvider>` or per-page props instead.
+
+### Global overrides (app/layout.tsx)
+
+```tsx
+import { HazoAuthStringsProvider } from "hazo_auth/strings";
+
+<HazoAuthStringsProvider strings={{ login: { title: "Sign in to MyApp" } }}>
+  {children}
+</HazoAuthStringsProvider>
+```
+
+### Per-page overrides
+
+```tsx
+<LoginPage title="Sign in to MyApp" subtitle="Access your workspace" />
+<RegisterPage title="Create your account" ctaText="Get started" />
+```
+
+`DEFAULT_STRINGS` is exported from `hazo_auth/strings` for reference.
+
+---
+
 ## Configuration Setup
 
 After installing the package, you need to set up configuration files in your project root:

package/SETUP_CHECKLIST.md

@@ -1535,6 +1535,154 @@ npm install input-otp
 
 ---
 
+## Phase 5.4: Theme Setup (v7.0.0+)
+
+### Step 5.4.1: Mount HazoAuthThemeProvider (Required for themed auth pages)
+
+Mount `<HazoAuthThemeProvider>` in `app/layout.tsx`. Use `preset_neutral` for the default look, or configure a custom theme.
+
+**Option A: Default look (no config needed)**
+```tsx
+import { HazoAuthThemeProvider } from "hazo_auth/theme";
+import { preset_neutral } from "hazo_auth/themes";
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_neutral}>
+          {children}
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+**Option B: Custom theme**
+```tsx
+import { createTheme, HazoAuthThemeProvider } from "hazo_auth/theme";
+
+const theme = createTheme({
+  colors: { primary: "#2563EB" },
+  layout: "split",
+  brandPanel: { logoSrc: "/logo.svg", tagline: "Welcome." },
+});
+
+<HazoAuthThemeProvider theme={theme}>{children}</HazoAuthThemeProvider>
+```
+
+**If using `preset_indigo_sunset` (custom fonts required):**
+
+Wire `next/font` in `app/layout.tsx` to expose `--font-display` and `--font-body` CSS variables. See [MIGRATION.md §3](./MIGRATION.md).
+
+```tsx
+import { Crimson_Pro, DM_Sans } from "next/font/google";
+const display = Crimson_Pro({ subsets: ["latin"], variable: "--font-display" });
+const body = DM_Sans({ subsets: ["latin"], variable: "--font-body" });
+
+export default function Layout({ children }) {
+  return <html className={`${display.variable} ${body.variable}`}>{children}</html>;
+}
+```
+
+**Checklist:**
+- [ ] `<HazoAuthThemeProvider>` mounted in `app/layout.tsx`
+- [ ] Preset or custom theme configured
+- [ ] If using `preset_indigo_sunset`: `next/font` wired for `--font-display` and `--font-body`
+
+---
+
+## Phase 5.5: Facebook OAuth Setup (Optional, v7.0.0+)
+
+### Step 5.5.1: Get Facebook App credentials
+
+1. Go to [Meta Developers](https://developers.facebook.com/)
+2. Create or select an app
+3. Add the **Facebook Login** product
+4. Set authorized redirect URIs: `http://localhost:3000/api/auth/callback/facebook` (dev) and your production URL
+5. Copy **App ID** and **App Secret**
+
+### Step 5.5.2: Add Facebook OAuth environment variables
+
+Add to your `.env.local`:
+```env
+HAZO_AUTH_FACEBOOK_APP_ID=your_app_id
+HAZO_AUTH_FACEBOOK_APP_SECRET=your_app_secret
+```
+
+The Facebook sign-in button is hidden when these vars are not set.
+
+### Step 5.5.3: Enable Facebook in config
+
+Add to `config/hazo_auth_config.ini`:
+```ini
+[hazo_auth__oauth]
+enable_facebook = true
+
+; Facebook: default false — stricter security posture
+; Set true only if you want to auto-link to unverified email accounts
+auto_link_unverified_accounts_facebook = false
+```
+
+### Step 5.5.4: Apply Facebook migration
+
+```bash
+npm run migrate migrations/016_facebook_oauth.sql
+```
+
+### Step 5.5.5: Create Facebook OAuth callback route
+
+```typescript
+// app/api/hazo_auth/oauth/facebook/callback/route.ts
+export { GET } from "hazo_auth/server/routes/oauth_facebook_callback";
+```
+
+**Facebook OAuth Checklist:**
+- [ ] Facebook App credentials obtained
+- [ ] `HAZO_AUTH_FACEBOOK_APP_ID` and `HAZO_AUTH_FACEBOOK_APP_SECRET` set in `.env.local`
+- [ ] `enable_facebook = true` in `[hazo_auth__oauth]`
+- [ ] Migration `016_facebook_oauth.sql` applied
+- [ ] Facebook callback route created
+
+---
+
+## Phase 5.6: Cookie Consent Setup (Optional, v7.0.0+)
+
+### Step 5.6.1: Mount CookieConsentBanner
+
+Mount `<CookieConsentBanner>` in your root layout:
+
+```tsx
+import { CookieConsentBanner } from "hazo_auth/consent";
+
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <body>
+        <HazoAuthThemeProvider theme={preset_neutral}>
+          {children}
+          <CookieConsentBanner />
+        </HazoAuthThemeProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+**With GTM (optional):**
+```tsx
+<CookieConsentBanner enableGTM gtmContainerId="GTM-XXXX" />
+```
+
+See the README [Cookie Consent](#cookie-consent-v700) section for server-side `read_consent` usage.
+
+**Checklist:**
+- [ ] `<CookieConsentBanner>` mounted in root layout
+- [ ] GTM container ID configured (if using GTM)
+
+---
+
 ## Phase 6: Verification Tests
 
 Run these tests to verify your setup is working correctly.

package/cli-src/lib/auth/nextauth_config.ts

@@ -5,8 +5,10 @@ import type { JWT } from "next-auth/jwt";
 // ESM/CJS interop: next-auth providers are CommonJS, handle both export scenarios
 import GoogleProviderImport from "next-auth/providers/google";
 const GoogleProvider = (GoogleProviderImport as any).default || GoogleProviderImport;
+import FacebookProviderImport from "next-auth/providers/facebook";
+const FacebookProvider = (FacebookProviderImport as any).default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 
@@ -35,6 +37,13 @@ export type NextAuthCallbackProfile = {
   email_verified?: boolean;
 };
 
+export type FacebookCallbackProfile = {
+  id?: string;
+  name?: string;
+  email?: string;
+  picture?: { data?: { url: string } } | string;
+};
+
 // section: config
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
@@ -67,6 +76,21 @@ export function get_nextauth_config(): AuthOptions {
     }
   }
 
+  // Add Facebook provider if enabled and credentials are present
+  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+    providers.push(
+      FacebookProvider({
+        clientId: oauth_config.facebook_client_id,
+        clientSecret: oauth_config.facebook_client_secret,
+        authorization: {
+          params: {
+            scope: "email,public_profile",
+          },
+        },
+      })
+    );
+  }
+
   return {
     providers,
     pages: {
@@ -88,6 +112,9 @@ export function get_nextauth_config(): AuthOptions {
         if (url.includes("/api/hazo_auth/oauth/google/callback")) {
           return url;
         }
+        if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+          return url;
+        }
 
         // If URL is relative or same origin, allow it
         if (url.startsWith("/")) {
@@ -162,6 +189,75 @@ export function get_nextauth_config(): AuthOptions {
             return false;
           }
         }
+
+        if (account?.provider === "facebook" && profile) {
+          try {
+            const fbProfile = profile as FacebookCallbackProfile;
+            const hazoConnect = get_hazo_connect_instance();
+            const current_oauth_config = get_oauth_config();
+
+            // Resolve profile picture URL from Facebook's nested structure
+            let fb_picture_url: string | undefined;
+            if (fbProfile.picture) {
+              if (typeof fbProfile.picture === "string") {
+                fb_picture_url = fbProfile.picture;
+              } else if (fbProfile.picture?.data?.url) {
+                fb_picture_url = fbProfile.picture.data.url;
+              }
+            }
+            if (!fb_picture_url && user.image) {
+              fb_picture_url = user.image ?? undefined;
+            }
+
+            logger.info("nextauth_facebook_signin_attempt", {
+              email: user.email,
+              facebook_id: fbProfile.id,
+              name: user.name,
+            });
+
+            const result = await handle_facebook_oauth_login(
+              hazoConnect,
+              {
+                facebook_id: fbProfile.id || account.providerAccountId,
+                email: user.email ?? fbProfile.email ?? null,
+                name: user.name || fbProfile.name || undefined,
+                profile_picture_url: fb_picture_url,
+              },
+              { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook }
+            );
+
+            if (!result.success) {
+              logger.error("nextauth_facebook_signin_failed", {
+                email: user.email,
+                error: result.error,
+              });
+              if (result.error === "link_blocked_unverified") {
+                return `/hazo_auth/login?error=link_blocked_unverified`;
+              }
+              return false;
+            }
+
+            logger.info("nextauth_facebook_signin_success", {
+              user_id: result.user_id,
+              email: result.email,
+              is_new_user: result.is_new_user,
+              was_linked: result.was_linked,
+            });
+
+            // Store user_id in account for the JWT callback to pick up
+            (account as Record<string, unknown>).hazo_user_id = result.user_id;
+
+            return true;
+          } catch (error) {
+            const errorMessage = error instanceof Error ? error.message : "Unknown error";
+            logger.error("nextauth_facebook_signin_exception", {
+              email: user.email,
+              error: errorMessage,
+            });
+            return false;
+          }
+        }
+
         return true;
       },
       /**
@@ -225,5 +321,9 @@ export function has_oauth_providers(): boolean {
     if (has_google_credentials) return true;
   }
 
+  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+    return true;
+  }
+
   return false;
 }

package/cli-src/lib/email_verification_config.server.ts

@@ -4,12 +4,6 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
-import { get_config_value } from "./config/config_loader.server.js";
-
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.jpg";
 
 // section: types
 export type EmailVerificationConfig = {
@@ -18,9 +12,6 @@ export type EmailVerificationConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -30,40 +21,15 @@ export type EmailVerificationConfig = {
  * @returns Email verification configuration options
  */
 export function get_email_verification_config(): EmailVerificationConfig {
-  const section = "hazo_auth__email_verification_layout";
-
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_VERIFY_EMAIL_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Email verification illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/forgot_password_config.server.ts

@@ -4,12 +4,6 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
-import { get_config_value } from "./config/config_loader.server.js";
-
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_FORGOT_PASSWORD_IMAGE_PATH = "/hazo_auth/images/forgot_password_default.jpg";
 
 // section: types
 export type ForgotPasswordConfig = {
@@ -18,9 +12,6 @@ export type ForgotPasswordConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -30,40 +21,15 @@ export type ForgotPasswordConfig = {
  * @returns Forgot password configuration options
  */
 export function get_forgot_password_config(): ForgotPasswordConfig {
-  const section = "hazo_auth__forgot_password_layout";
-
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_FORGOT_PASSWORD_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Password recovery illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/login_config.server.ts

@@ -7,11 +7,6 @@ import { get_config_value, get_config_value_allow_empty } from "./config/config_
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_oauth_config, type OAuthConfig } from "./oauth_config.server.js";
 
-// Default image path - consuming apps should either:
-// 1. Configure their own image_src in hazo_auth_config.ini
-// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
-const DEFAULT_LOGIN_IMAGE_PATH = "/hazo_auth/images/login_default.jpg";
-
 // section: types
 export type LoginConfig = {
   redirectRoute?: string;
@@ -26,9 +21,6 @@ export type LoginConfig = {
   createAccountPath: string;
   createAccountLabel: string;
   showCreateAccountLink: boolean;
-  imageSrc: string;
-  imageAlt: string;
-  imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: OAuthConfig;
   /** Whether the OTP sign-in link is shown below the login form */
@@ -77,26 +69,6 @@ export function get_login_config(): LoginConfig {
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
-  // Read image configuration
-  // If not set in config, falls back to default path-based image
-  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
-  const imageSrc = get_config_value(
-    section,
-    "image_src",
-    DEFAULT_LOGIN_IMAGE_PATH
-  );
-
-  const imageAlt = get_config_value(
-    section,
-    "image_alt",
-    "Secure login illustration"
-  );
-  const imageBackgroundColor = get_config_value(
-    section,
-    "image_background_color",
-    "#f1f5f9"
-  );
-
   // Get OAuth configuration
   const oauth = get_oauth_config();
 
@@ -118,9 +90,6 @@ export function get_login_config(): LoginConfig {
     createAccountPath,
     createAccountLabel,
     showCreateAccountLink,
-    imageSrc,
-    imageAlt,
-    imageBackgroundColor,
     oauth,
     otpSigninEnabled,
     otpSigninLabel,