hazo_auth 6.1.1 → 7.0.2

package/dist/lib/services/oauth_service.d.ts

@@ -11,6 +11,14 @@ export type GoogleOAuthData = {
     /** Whether Google has verified this email */
     email_verified: boolean;
 };
+export type FacebookOAuthData = {
+    facebook_id: string;
+    email: string;
+    name?: string;
+    profile_picture_url?: string;
+    /** Facebook does not always verify emails — only link when hazo user is verified */
+    email_verified: boolean;
+};
 export type OAuthLoginResult = {
     success: boolean;
     user_id?: string;
@@ -45,6 +53,11 @@ export type AuthProvidersResult = {
  * @returns OAuth login result with user_id and status flags
  */
 export declare function handle_google_oauth_login(adapter: HazoConnectAdapter, data: GoogleOAuthData): Promise<OAuthLoginResult>;
+/**
+ * Handles Facebook OAuth login: find-by-facebook_id → find-by-email+link → create new.
+ * Mirrors handle_google_oauth_login exactly. Uses auto_link_unverified_accounts gate.
+ */
+export declare function handle_facebook_oauth_login(adapter: HazoConnectAdapter, data: FacebookOAuthData): Promise<OAuthLoginResult>;
 /**
  * Links a Google account to an existing user
  * @param adapter - The hazo_connect adapter instance

package/dist/lib/services/oauth_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/oauth_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,eAAe,GAAG;IAC5B,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6CAA6C;IAC7C,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6CAA6C;IAC7C,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uDAAuD;IACvD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;;;GASG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,gBAAgB,CAAC,CAiL3B;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAgE3B;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,kBAAkB,EAC3B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA2C9B;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0D/C"}
+{"version":3,"file":"oauth_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/oauth_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,eAAe,GAAG;IAC5B,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6CAA6C;IAC7C,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6CAA6C;IAC7C,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oFAAoF;IACpF,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uDAAuD;IACvD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;;;GASG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,gBAAgB,CAAC,CAiL3B;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,gBAAgB,CAAC,CA6H3B;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAgE3B;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,kBAAkB,EAC3B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA2C9B;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0D/C"}

package/dist/lib/services/oauth_service.js

@@ -167,6 +167,128 @@ export async function handle_google_oauth_login(adapter, data) {
         };
     }
 }
+/**
+ * Handles Facebook OAuth login: find-by-facebook_id → find-by-email+link → create new.
+ * Mirrors handle_google_oauth_login exactly. Uses auto_link_unverified_accounts gate.
+ */
+export async function handle_facebook_oauth_login(adapter, data) {
+    const logger = create_app_logger();
+    try {
+        const { facebook_id, email, name, profile_picture_url, email_verified } = data;
+        const oauth_config = get_oauth_config();
+        const users_service = createCrudService(adapter, "hazo_users");
+        const now = new Date().toISOString();
+        // Step 1: existing user with this facebook_id
+        const users_by_fb_id = await users_service.findBy({ facebook_id });
+        if (Array.isArray(users_by_fb_id) && users_by_fb_id.length > 0) {
+            const user = users_by_fb_id[0];
+            await users_service.updateById(user.id, { last_logon: now, changed_at: now });
+            logger.info("oauth_service_facebook_login_existing_fb_user", {
+                filename: "oauth_service.ts",
+                user_id: user.id,
+                email: user.email_address,
+            });
+            return {
+                success: true,
+                user_id: user.id,
+                is_new_user: false,
+                was_linked: false,
+                email: user.email_address,
+                name: user.name,
+            };
+        }
+        // Step 2: existing user with matching email
+        const users_by_email = await users_service.findBy({ email_address: email });
+        if (Array.isArray(users_by_email) && users_by_email.length > 0) {
+            const user = users_by_email[0];
+            const user_email_verified = user.email_verified;
+            if (!user_email_verified && !oauth_config.auto_link_unverified_accounts) {
+                return {
+                    success: false,
+                    error: "An account with this email exists but is not verified. Please verify your email first.",
+                };
+            }
+            const current_auth_providers = user.auth_providers || "email";
+            const new_auth_providers = current_auth_providers.includes("facebook")
+                ? current_auth_providers
+                : `${current_auth_providers},facebook`;
+            const update_data = {
+                facebook_id,
+                auth_providers: new_auth_providers,
+                last_logon: now,
+                changed_at: now,
+            };
+            if (!user_email_verified && email_verified) {
+                update_data.email_verified = true;
+            }
+            if (!user.name && name)
+                update_data.name = name;
+            if (!user.profile_picture_url && profile_picture_url) {
+                update_data.profile_picture_url = profile_picture_url;
+                update_data.profile_source = "custom";
+            }
+            await users_service.updateById(user.id, update_data);
+            logger.info("oauth_service_facebook_linked_to_existing", {
+                filename: "oauth_service.ts",
+                user_id: user.id,
+                email,
+                was_unverified: !user_email_verified,
+            });
+            return {
+                success: true,
+                user_id: user.id,
+                is_new_user: false,
+                was_linked: true,
+                email: user.email_address,
+                name: user.name,
+            };
+        }
+        // Step 3: create new user
+        const user_id = randomUUID();
+        const insert_data = {
+            id: user_id,
+            email_address: email,
+            facebook_id,
+            auth_providers: "facebook",
+            email_verified: email_verified,
+            last_logon: now,
+            created_at: now,
+            changed_at: now,
+        };
+        if (name)
+            insert_data.name = name;
+        if (profile_picture_url) {
+            insert_data.profile_picture_url = profile_picture_url;
+            insert_data.profile_source = "custom";
+        }
+        const inserted = await users_service.insert(insert_data);
+        if (!Array.isArray(inserted) || inserted.length === 0) {
+            return { success: false, error: "Failed to create user account" };
+        }
+        logger.info("oauth_service_facebook_new_user_created", {
+            filename: "oauth_service.ts",
+            user_id,
+            email,
+        });
+        return {
+            success: true,
+            user_id,
+            is_new_user: true,
+            was_linked: false,
+            email,
+            name,
+        };
+    }
+    catch (error) {
+        const user_friendly_error = sanitize_error_for_user(error, {
+            logToConsole: true,
+            logToLogger: true,
+            logger,
+            context: { filename: "oauth_service.ts", email: data.email, operation: "handle_facebook_oauth_login" },
+        });
+        return { success: false, error: user_friendly_error };
+    }
+}
 /**
  * Links a Google account to an existing user
  * @param adapter - The hazo_connect adapter instance

package/dist/lib/services/otp_service.d.ts

@@ -36,7 +36,7 @@ export type VerifyEmailOTPResult = {
     session_token: string;
 } | {
     ok: false;
-    error: "invalid_or_expired";
+    error: "invalid_or_expired" | "expired";
 };
 export declare function verify_email_otp(args: {
     email: string;

package/dist/lib/services/otp_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"otp_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/otp_service.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAUrB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtF;AAID,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,cAAc,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,CAAC;AAItE;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA8GjC;AAID,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAE/C,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsHhC"}
+{"version":3,"file":"otp_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/otp_service.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAUrB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtF;AAID,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,cAAc,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,CAAC;AAItE;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAmHjC;AAID,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,GAAG,SAAS,CAAA;CAAE,CAAC;AAE3D,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsHhC"}

package/dist/lib/services/otp_service.js

@@ -111,6 +111,11 @@ export async function request_email_otp(args) {
         expires_at,
         attempt_count: 0,
         requester_ip: ip,
+        // Explicitly pass created_at in JS ISO format ("2024-01-01T00:00:00.000Z") rather
+        // than relying on SQLite's DEFAULT (datetime('now') = "2024-01-01 00:00:00").
+        // The space-separated SQLite format compares as less-than the T-separated JS ISO
+        // threshold used in rate-limit WHERE clauses, causing the counter to always read 0.
+        created_at: new Date().toISOString(),
     });
     // 7. Dispatch email — fire-and-forget; errors are logged but do not surface to caller
     try {
@@ -155,7 +160,7 @@ export async function verify_email_otp(args) {
     // 2. Check expiry
     const expires_at_ms = Date.parse(String(row.expires_at));
     if (Number.isNaN(expires_at_ms) || expires_at_ms < Date.now()) {
-        return { ok: false, error: "invalid_or_expired" };
+        return { ok: false, error: "expired" };
     }
     // 3. argon2 verify
     const is_valid = await verify_otp_code(String(row.otp_hash), code);

package/dist/lib/services/session_token_service.d.ts

@@ -16,8 +16,6 @@ export type ValidateSessionTokenResult = {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
- * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
- * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
 export declare function create_session_token(user_id: string, email: string, managed_by_user_id?: string, ttl_seconds?: number): Promise<string>;

package/dist/lib/services/session_token_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,EAC3B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}
+{"version":3,"file":"session_token_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/session_token_service.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAuCF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,kBAAkB,CAAC,EAAE,MAAM,EAC3B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CA4CjB;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,CAAC,CAkDrC"}

package/dist/lib/services/session_token_service.js

@@ -41,8 +41,6 @@ function get_session_token_expiry_seconds() {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
- * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
- * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
 export async function create_session_token(user_id, email, managed_by_user_id, ttl_seconds) {

package/dist/server/routes/assets.d.ts

@@ -0,0 +1,8 @@
+import "server-only";
+import { NextRequest, NextResponse } from "next/server";
+export declare function assetGET(_request: NextRequest, { params }: {
+    params: {
+        name: string;
+    };
+}): Promise<NextResponse>;
+//# sourceMappingURL=assets.d.ts.map

package/dist/server/routes/assets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../../../src/server/routes/assets.ts"],"names":[],"mappings":"AACA,OAAO,aAAa,CAAC;AACrB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBxD,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,WAAW,EACrB,EAAE,MAAM,EAAE,EAAE;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACvC,OAAO,CAAC,YAAY,CAAC,CAuBvB"}

package/dist/server/routes/assets.js

@@ -0,0 +1,38 @@
+// file_description: Route handler serving static assets from the package dist directory
+import "server-only";
+import { NextResponse } from "next/server";
+import path from "path";
+import fs from "fs";
+const ASSETS_DIR = path.join(path.dirname(require.resolve("hazo_auth/package.json")), "dist", "assets", "images");
+const MIME = {
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".png": "image/png",
+    ".webp": "image/webp",
+    ".svg": "image/svg+xml",
+    ".gif": "image/gif",
+};
+export async function assetGET(_request, { params }) {
+    const name = params.name;
+    // Reject path traversal
+    if (name.includes("..") || name.includes("/") || name.includes("\\")) {
+        return new NextResponse("Not found", { status: 404 });
+    }
+    const ext = path.extname(name).toLowerCase();
+    const mime = MIME[ext];
+    if (!mime) {
+        return new NextResponse("Not found", { status: 404 });
+    }
+    const file_path = path.join(ASSETS_DIR, name);
+    if (!fs.existsSync(file_path)) {
+        return new NextResponse("Not found", { status: 404 });
+    }
+    const buffer = fs.readFileSync(file_path);
+    return new NextResponse(buffer, {
+        status: 200,
+        headers: {
+            "Content-Type": mime,
+            "Cache-Control": "public, max-age=31536000, immutable",
+        },
+    });
+}

package/dist/server/routes/consent_me.d.ts

@@ -0,0 +1,4 @@
+import "server-only";
+import { NextRequest, NextResponse } from "next/server";
+export declare function consentMeGET(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=consent_me.d.ts.map

package/dist/server/routes/consent_me.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent_me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/consent_me.ts"],"names":[],"mappings":"AACA,OAAO,aAAa,CAAC;AACrB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAYxD,wBAAsB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAG9E"}

package/dist/server/routes/consent_me.js

@@ -0,0 +1,15 @@
+// file_description: Route handler returning the current user's parsed consent state
+import "server-only";
+import { NextResponse } from "next/server";
+import { read_consent } from "../../consent/read_consent.js";
+const DEFAULT_CONSENT = {
+    necessary: true,
+    functional: false,
+    analytics: false,
+    marketing: false,
+    version: 1,
+};
+export async function consentMeGET(request) {
+    const consent = read_consent(request.headers);
+    return NextResponse.json(consent !== null && consent !== void 0 ? consent : DEFAULT_CONSENT, { status: 200 });
+}

package/dist/server/routes/index.d.ts

@@ -8,8 +8,6 @@ export { POST as changePasswordPOST } from "./change_password.js";
 export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
-export { otpRequestPOST } from "./otp/request.js";
-export { otpVerifyPOST } from "./otp/verify.js";
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";
 export { DELETE as removeProfilePictureDELETE } from "./remove_profile_picture.js";
@@ -18,7 +16,7 @@ export { GET as libraryPhotoGET } from "./library_photo.js";
 export { GET as profilePictureFilenameGET } from "./profile_picture_filename.js";
 export { POST as getAuthPOST } from "./get_auth.js";
 export { POST as invalidateCachePOST } from "./invalidate_cache.js";
-export { GET as userManagementUsersGET, PATCH as userManagementUsersPATCH, POST as userManagementUsersPOST } from "./user_management_users.js";
+export { GET as userManagementUsersGET, PATCH as userManagementUsersPATCH, POST as userManagementUsersPOST, DELETE as userManagementUsersDELETE } from "./user_management_users.js";
 export { GET as userManagementPermissionsGET, POST as userManagementPermissionsPOST, PUT as userManagementPermissionsPUT, DELETE as userManagementPermissionsDELETE } from "./user_management_permissions.js";
 export { GET as userManagementRolesGET, POST as userManagementRolesPOST, PUT as userManagementRolesPUT } from "./user_management_roles.js";
 export { GET as userManagementUsersRolesGET, POST as userManagementUsersRolesPOST, PUT as userManagementUsersRolesPUT } from "./user_management_users_roles.js";
@@ -28,9 +26,14 @@ export { GET as invitationsGET, POST as invitationsPOST, PATCH as invitationsPAT
 export { POST as createFirmPOST } from "./create_firm.js";
 export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
 export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { GET as oauthFacebookCallbackGET } from "./oauth_facebook_callback.js";
 export { POST as setPasswordPOST } from "./set_password.js";
 export { GET as relationshipsGET, POST as relationshipsPOST, PATCH as relationshipsPATCH, DELETE as relationshipsDELETE } from "./relationships.js";
 export { POST as relationshipSelfPOST } from "./relationship_self.js";
 export { POST as relationshipUpgradePOST } from "./relationship_upgrade.js";
 export { POST as pinLoginPOST } from "./pin_login.js";
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
+export { consentMeGET } from "./consent_me.js";
+export { stringsDefaultsGET } from "./strings_defaults.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/server/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAC5I,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,GAAG,IAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,IAAI,IAAI,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,IAAI,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,GAAG,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGtE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,IAAI,IAAI,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAGvE,OAAO,EAAE,KAAK,IAAI,eAAe,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,IAAI,IAAI,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,MAAM,IAAI,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,GAAG,IAAI,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,GAAG,IAAI,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9E,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,IAAI,IAAI,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,KAAK,IAAI,wBAAwB,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,IAAI,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACjL,OAAO,EAAE,GAAG,IAAI,4BAA4B,EAAE,IAAI,IAAI,6BAA6B,EAAE,GAAG,IAAI,4BAA4B,EAAE,MAAM,IAAI,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAC3M,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,IAAI,IAAI,uBAAuB,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxI,OAAO,EAAE,GAAG,IAAI,2BAA2B,EAAE,IAAI,IAAI,4BAA4B,EAAE,GAAG,IAAI,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAG7J,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,KAAK,IAAI,gBAAgB,EAAE,GAAG,IAAI,cAAc,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACvI,OAAO,EAAE,GAAG,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGrE,OAAO,EAAE,GAAG,IAAI,cAAc,EAAE,IAAI,IAAI,eAAe,EAAE,KAAK,IAAI,gBAAgB,EAAE,MAAM,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvI,OAAO,EAAE,IAAI,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAGvD,OAAO,EAAE,GAAG,IAAI,WAAW,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,GAAG,IAAI,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,GAAG,IAAI,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC5E,OAAO,EAAE,IAAI,IAAI,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzD,OAAO,EAAE,GAAG,IAAI,gBAAgB,EAAE,IAAI,IAAI,iBAAiB,EAAE,KAAK,IAAI,kBAAkB,EAAE,MAAM,IAAI,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACjJ,OAAO,EAAE,IAAI,IAAI,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,IAAI,IAAI,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,IAAI,IAAI,YAAY,EAAE,MAAM,aAAa,CAAC;AAGnD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/server/routes/index.js

@@ -13,9 +13,6 @@ export { GET as validateResetTokenGET } from "./validate_reset_token.js";
 // Email verification routes
 export { GET as verifyEmailGET } from "./verify_email.js";
 export { POST as resendVerificationPOST } from "./resend_verification.js";
-// OTP routes (one-time password via email)
-export { otpRequestPOST } from "./otp/request.js";
-export { otpVerifyPOST } from "./otp/verify.js";
 // User profile routes
 export { PATCH as updateUserPATCH } from "./update_user.js";
 export { POST as uploadProfilePicturePOST } from "./upload_profile_picture.js";
@@ -27,7 +24,7 @@ export { GET as profilePictureFilenameGET } from "./profile_picture_filename.js"
 export { POST as getAuthPOST } from "./get_auth.js";
 export { POST as invalidateCachePOST } from "./invalidate_cache.js";
 // User management routes
-export { GET as userManagementUsersGET, PATCH as userManagementUsersPATCH, POST as userManagementUsersPOST } from "./user_management_users.js";
+export { GET as userManagementUsersGET, PATCH as userManagementUsersPATCH, POST as userManagementUsersPOST, DELETE as userManagementUsersDELETE } from "./user_management_users.js";
 export { GET as userManagementPermissionsGET, POST as userManagementPermissionsPOST, PUT as userManagementPermissionsPUT, DELETE as userManagementPermissionsDELETE } from "./user_management_permissions.js";
 export { GET as userManagementRolesGET, POST as userManagementRolesPOST, PUT as userManagementRolesPUT } from "./user_management_roles.js";
 export { GET as userManagementUsersRolesGET, POST as userManagementUsersRolesPOST, PUT as userManagementUsersRolesPUT } from "./user_management_users_roles.js";
@@ -41,9 +38,17 @@ export { POST as createFirmPOST } from "./create_firm.js";
 // OAuth routes
 export { GET as nextauthGET, POST as nextauthPOST } from "./nextauth.js";
 export { GET as oauthGoogleCallbackGET } from "./oauth_google_callback.js";
+export { GET as oauthFacebookCallbackGET } from "./oauth_facebook_callback.js";
 export { POST as setPasswordPOST } from "./set_password.js";
 // Relationship routes (managed sub-profiles)
 export { GET as relationshipsGET, POST as relationshipsPOST, PATCH as relationshipsPATCH, DELETE as relationshipsDELETE } from "./relationships.js";
 export { POST as relationshipSelfPOST } from "./relationship_self.js";
 export { POST as relationshipUpgradePOST } from "./relationship_upgrade.js";
 export { POST as pinLoginPOST } from "./pin_login.js";
+// OTP sign-in routes
+export { otpRequestPOST } from "./otp/request.js";
+export { otpVerifyPOST } from "./otp/verify.js";
+// Consent routes
+export { consentMeGET } from "./consent_me.js";
+// Strings routes
+export { stringsDefaultsGET } from "./strings_defaults.js";

package/dist/server/routes/me.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA+BxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IAqJ7C"}
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA+G7C"}

package/dist/server/routes/me.js

@@ -1,7 +1,6 @@
 // file_description: API route handler to get current authenticated user information with permissions
 // section: imports
 import { NextResponse } from "next/server";
-import { jwtVerify } from "jose";
 import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
@@ -9,9 +8,6 @@ import { map_db_source_to_ui } from "../../lib/services/profile_picture_source_m
 import { create_app_logger } from "../../lib/app_logger.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { is_user_types_enabled, get_user_type_by_key, } from "../../lib/user_types_config.server.js";
-import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES, } from "../../lib/cookies_config.server.js";
-import { create_session_token } from "../../lib/services/session_token_service.js";
-import { get_otp_config, hazo_auth_otp_session_ttl_seconds, } from "../../lib/otp_config.server.js";
 // section: helpers
 function strip_sentinel_email(email) {
     if (!email)
@@ -28,7 +24,6 @@ function strip_sentinel_email(email) {
  * Always returns the same format to prevent downstream variations.
  */
 export async function GET(request) {
-    var _a, _b, _c, _d, _e, _f;
     const logger = create_app_logger();
     try {
         // Use hazo_get_auth to get user with permissions
@@ -75,7 +70,7 @@ export async function GET(request) {
         }
         // Return unified format with all fields
         const profile_pic = auth_result.user.profile_picture_url;
-        const response = NextResponse.json({
+        return NextResponse.json({
             authenticated: true,
             // Top-level fields for backward compatibility
             user_id: auth_result.user.id,
@@ -105,43 +100,6 @@ export async function GET(request) {
             permission_ok: auth_result.permission_ok,
             missing_permissions: auth_result.missing_permissions,
         }, { status: 200 });
-        // --- OTP sliding-session hook ---
-        const session_kind = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND))) === null || _a === void 0 ? void 0 : _a.value;
-        if (session_kind === "otp") {
-            try {
-                const session_cookie = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))) === null || _b === void 0 ? void 0 : _b.value;
-                if (session_cookie) {
-                    const secret = new TextEncoder().encode((_c = process.env.JWT_SECRET) !== null && _c !== void 0 ? _c : "");
-                    const { payload } = await jwtVerify(session_cookie, secret);
-                    const exp = Number((_d = payload.exp) !== null && _d !== void 0 ? _d : 0);
-                    const now_seconds = Math.floor(Date.now() / 1000);
-                    const otp_cfg = get_otp_config();
-                    const seconds_until_exp = exp - now_seconds;
-                    if (seconds_until_exp > 0 && seconds_until_exp < otp_cfg.slide_when_within_seconds) {
-                        const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
-                        const user_id = String((_e = payload.user_id) !== null && _e !== void 0 ? _e : "");
-                        const user_email = String((_f = payload.email) !== null && _f !== void 0 ? _f : "");
-                        const new_token = await create_session_token(user_id, user_email, undefined, ttl_seconds);
-                        const cookie_options = get_cookie_options({
-                            httpOnly: true,
-                            secure: process.env.NODE_ENV === "production",
-                            sameSite: "lax",
-                            path: "/",
-                            maxAge: ttl_seconds,
-                        });
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), new_token, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), user_email, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "otp", cookie_options);
-                    }
-                }
-            }
-            catch (slide_err) {
-                // Slide is best-effort — never break /me for this
-            }
-        }
-        // --- end OTP sliding-session hook ---
-        return response;
     }
     catch (error) {
         const error_message = error instanceof Error ? error.message : "Unknown error";

package/dist/server/routes/oauth_facebook_callback.d.ts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from "next/server";
+/**
+ * Handles the OAuth callback after Facebook sign-in
+ * The user creation/linking is done in NextAuth signIn callback
+ * This route just sets the hazo_auth session cookies
+ */
+export declare function GET(original_request: NextRequest): Promise<NextResponse<unknown>>;
+//# sourceMappingURL=oauth_facebook_callback.d.ts.map

package/dist/server/routes/oauth_facebook_callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth_facebook_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_facebook_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,gBAAgB,EAAE,WAAW,kCAiLtD"}