hazo_auth 7.0.1 → 7.0.2

package/cli-src/lib/auth/nextauth_config.ts

@@ -8,7 +8,7 @@ const GoogleProvider = (GoogleProviderImport as any).default || GoogleProviderIm
 import FacebookProviderImport from "next-auth/providers/facebook";
 const FacebookProvider = (FacebookProviderImport as any).default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 
@@ -37,13 +37,6 @@ export type NextAuthCallbackProfile = {
   email_verified?: boolean;
 };
 
-export type FacebookCallbackProfile = {
-  id?: string;
-  name?: string;
-  email?: string;
-  picture?: { data?: { url: string } } | string;
-};
-
 // section: config
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
@@ -76,17 +69,12 @@ export function get_nextauth_config(): AuthOptions {
     }
   }
 
-  // Add Facebook provider if enabled and credentials are present
-  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+  // Add Facebook provider if enabled
+  if (oauth_config.enable_facebook_oauth && oauth_config.facebook_app_id) {
     providers.push(
       FacebookProvider({
-        clientId: oauth_config.facebook_client_id,
-        clientSecret: oauth_config.facebook_client_secret,
-        authorization: {
-          params: {
-            scope: "email,public_profile",
-          },
-        },
+        clientId: oauth_config.facebook_app_id,
+        clientSecret: oauth_config.facebook_app_secret,
       })
     );
   }
@@ -109,10 +97,10 @@ export function get_nextauth_config(): AuthOptions {
 
         // Always redirect to our custom callback after sign-in to set hazo_auth cookies
         // The callbackUrl from signIn() comes through as `url`
-        if (url.includes("/api/hazo_auth/oauth/google/callback")) {
-          return url;
-        }
-        if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+        if (
+          url.includes("/api/hazo_auth/oauth/google/callback") ||
+          url.includes("/api/hazo_auth/oauth/facebook/callback")
+        ) {
           return url;
         }
 
@@ -125,6 +113,9 @@ export function get_nextauth_config(): AuthOptions {
         }
 
         // Default: redirect to our custom OAuth callback to set cookies
+        if (url.includes("facebook")) {
+          return `${baseUrl}/api/hazo_auth/oauth/facebook/callback`;
+        }
         return `${baseUrl}/api/hazo_auth/oauth/google/callback`;
       },
       /**
@@ -192,48 +183,27 @@ export function get_nextauth_config(): AuthOptions {
 
         if (account?.provider === "facebook" && profile) {
           try {
-            const fbProfile = profile as FacebookCallbackProfile;
+            const fbProfile = profile as NextAuthCallbackProfile;
             const hazoConnect = get_hazo_connect_instance();
-            const current_oauth_config = get_oauth_config();
-
-            // Resolve profile picture URL from Facebook's nested structure
-            let fb_picture_url: string | undefined;
-            if (fbProfile.picture) {
-              if (typeof fbProfile.picture === "string") {
-                fb_picture_url = fbProfile.picture;
-              } else if (fbProfile.picture?.data?.url) {
-                fb_picture_url = fbProfile.picture.data.url;
-              }
-            }
-            if (!fb_picture_url && user.image) {
-              fb_picture_url = user.image ?? undefined;
-            }
+            const { handle_facebook_oauth_login } = await import("../services/oauth_service");
 
             logger.info("nextauth_facebook_signin_attempt", {
               email: user.email,
-              facebook_id: fbProfile.id,
-              name: user.name,
+              facebook_id: account.providerAccountId,
             });
 
-            const result = await handle_facebook_oauth_login(
-              hazoConnect,
-              {
-                facebook_id: fbProfile.id || account.providerAccountId,
-                email: user.email ?? fbProfile.email ?? null,
-                name: user.name || fbProfile.name || undefined,
-                profile_picture_url: fb_picture_url,
-              },
-              { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook }
-            );
+            const result = await handle_facebook_oauth_login(hazoConnect, {
+              facebook_id: account.providerAccountId,
+              email: user.email || fbProfile.email || "",
+              name: user.name || fbProfile.name || undefined,
+              profile_picture_url: user.image || undefined,
+              // Facebook's email_verified is not exposed in the profile; default to false
+              // for safety — the user will be auto-verified if email matches a verified hazo user.
+              email_verified: false,
+            });
 
             if (!result.success) {
-              logger.error("nextauth_facebook_signin_failed", {
-                email: user.email,
-                error: result.error,
-              });
-              if (result.error === "link_blocked_unverified") {
-                return `/hazo_auth/login?error=link_blocked_unverified`;
-              }
+              logger.error("nextauth_facebook_signin_failed", { email: user.email, error: result.error });
               return false;
             }
 
@@ -244,16 +214,10 @@ export function get_nextauth_config(): AuthOptions {
               was_linked: result.was_linked,
             });
 
-            // Store user_id in account for the JWT callback to pick up
             (account as Record<string, unknown>).hazo_user_id = result.user_id;
-
             return true;
-          } catch (error) {
-            const errorMessage = error instanceof Error ? error.message : "Unknown error";
-            logger.error("nextauth_facebook_signin_exception", {
-              email: user.email,
-              error: errorMessage,
-            });
+          } catch (err) {
+            logger.error("nextauth_facebook_signin_exception", { error: String(err) });
             return false;
           }
         }
@@ -321,9 +285,5 @@ export function has_oauth_providers(): boolean {
     if (has_google_credentials) return true;
   }
 
-  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
-    return true;
-  }
-
   return false;
 }

package/cli-src/lib/auth/with_auth.server.ts

@@ -10,7 +10,7 @@ import {
   PermissionError,
   type TenantAuthOptions,
   type TenantAuthResult,
-  type SelectedScope,
+  type TenantOrganization,
   type HazoAuthUser,
   type ScopeDetails,
   type ScopeAccessInfo,
@@ -27,19 +27,19 @@ export type AuthenticatedTenantAuth = {
   permissions: string[];
   permission_ok: boolean;
   missing_permissions?: string[];
-  selected_scope: SelectedScope | null;
-  selected_scope_id: string | null;
+  organization: TenantOrganization | null;
+  organization_id: string | null;
   user_scopes: ScopeDetails[];
   scope_ok?: boolean;
   scope_access_via?: ScopeAccessInfo;
 };
 
 /**
- * Authenticated branch with guaranteed non-null selected_scope
+ * Authenticated branch with guaranteed non-null organization
  */
-export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth & {
-  selected_scope: SelectedScope;
-  selected_scope_id: string;
+export type AuthenticatedTenantAuthWithOrg = AuthenticatedTenantAuth & {
+  organization: TenantOrganization;
+  organization_id: string;
 };
 
 /**
@@ -48,8 +48,8 @@ export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth &
  */
 export type WithAuthOptions = TenantAuthOptions & {
   /**
-   * If true, requires tenant/scope context (403 if missing)
-   * Narrows auth type to AuthenticatedTenantAuthWithSelectedScope
+   * If true, requires organization context (403 if missing)
+   * Narrows auth type to AuthenticatedTenantAuthWithOrg
    */
   require_tenant?: boolean;
 };
@@ -75,7 +75,7 @@ type AuthenticatedHandler<TParams> = (
  */
 type AuthenticatedTenantHandler<TParams> = (
   request: NextRequest,
-  auth: AuthenticatedTenantAuthWithSelectedScope,
+  auth: AuthenticatedTenantAuthWithOrg,
   params: TParams,
 ) => Promise<NextResponse> | NextResponse;
 
@@ -138,7 +138,7 @@ async function resolve_params<TParams>(
  *
  * - Calls `hazo_get_tenant_auth` and returns 401 if not authenticated
  * - Returns 403 if `required_permissions` are specified and not satisfied
- * - Returns 403 if `require_tenant: true` and no tenant/scope context
+ * - Returns 403 if `require_tenant: true` and no organization context
  * - Resolves `await context.params` (Next.js 15 pattern)
  * - Catches HazoAuthError, PermissionError, and unexpected errors
  *
@@ -161,8 +161,8 @@ async function resolve_params<TParams>(
  * // With tenant requirement
  * export const GET = withAuth<{ id: string }>(
  *   async (request, auth, { id }) => {
- *     // auth.selected_scope is guaranteed non-null
- *     const data = await getData(auth.selected_scope.id, id);
+ *     // auth.organization is guaranteed non-null
+ *     const data = await getData(auth.organization.id, id);
  *     return NextResponse.json(data);
  *   },
  *   { require_tenant: true }
@@ -227,10 +227,10 @@ export function withAuth<TParams = Record<string, never>>(
       }
 
       // Check tenant requirement
-      if (options.require_tenant && !auth.selected_scope) {
+      if (options.require_tenant && !auth.organization) {
         return NextResponse.json(
           {
-            error: "Tenant scope context required",
+            error: "Organization context required",
             code: "TENANT_REQUIRED",
           },
           { status: 403 },

package/cli-src/lib/config/default_config.ts

@@ -177,6 +177,14 @@ export const DEFAULT_OAUTH = {
   skip_invitation_check: false,
   /** Redirect when skip_invitation_check=true and user has no scope */
   no_scope_redirect: "/",
+  /** Enable Facebook OAuth login (requires HAZO_AUTH_FACEBOOK_APP_ID and HAZO_AUTH_FACEBOOK_APP_SECRET env vars) */
+  enable_facebook_oauth: false,
+  /** Facebook App ID — set via env var HAZO_AUTH_FACEBOOK_APP_ID or config */
+  facebook_app_id: "",
+  /** Facebook App Secret — set via env var HAZO_AUTH_FACEBOOK_APP_SECRET or config */
+  facebook_app_secret: "",
+  /** Text displayed on the Facebook sign-in button */
+  facebook_button_text: "Continue with Facebook",
 } as const;
 
 // section: navbar

package/cli-src/lib/cookies_config.server.ts

@@ -27,10 +27,10 @@ export const BASE_COOKIE_NAMES = {
   USER_ID: "hazo_auth_user_id",
   USER_EMAIL: "hazo_auth_user_email",
   SESSION: "hazo_auth_session",
-  SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
   DEV_LOCK: "hazo_auth_dev_lock",
   SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
   ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)
+  SESSION_KIND: "hazo_auth_session_kind", // v5.4: Sign-in method identifier (e.g. "otp", "google", "password")
 } as const;
 
 // section: main_function

package/cli-src/lib/email_verification_config.server.ts

@@ -4,6 +4,12 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.jpg";
 
 // section: types
 export type EmailVerificationConfig = {
@@ -12,6 +18,9 @@ export type EmailVerificationConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -21,15 +30,40 @@ export type EmailVerificationConfig = {
  * @returns Email verification configuration options
  */
 export function get_email_verification_config(): EmailVerificationConfig {
+  const section = "hazo_auth__email_verification_layout";
+
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_VERIFY_EMAIL_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Email verification illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/forgot_password_config.server.ts

@@ -4,6 +4,12 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_FORGOT_PASSWORD_IMAGE_PATH = "/hazo_auth/images/forgot_password_default.jpg";
 
 // section: types
 export type ForgotPasswordConfig = {
@@ -12,6 +18,9 @@ export type ForgotPasswordConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -21,15 +30,40 @@ export type ForgotPasswordConfig = {
  * @returns Forgot password configuration options
  */
 export function get_forgot_password_config(): ForgotPasswordConfig {
+  const section = "hazo_auth__forgot_password_layout";
+
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_FORGOT_PASSWORD_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Password recovery illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/login_config.server.ts

@@ -7,6 +7,9 @@ import { get_config_value, get_config_value_allow_empty } from "./config/config_
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_oauth_config, type OAuthConfig } from "./oauth_config.server.js";
 
+// Assets served via the package's own API route — no manual copy needed.
+const DEFAULT_LOGIN_IMAGE_PATH = "/api/hazo_auth/assets/login_default.jpg";
+
 // section: types
 export type LoginConfig = {
   redirectRoute?: string;
@@ -21,14 +24,11 @@ export type LoginConfig = {
   createAccountPath: string;
   createAccountLabel: string;
   showCreateAccountLink: boolean;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: OAuthConfig;
-  /** Whether the OTP sign-in link is shown below the login form */
-  otpSigninEnabled: boolean;
-  /** Label for the OTP sign-in link */
-  otpSigninLabel: string;
-  /** href for the OTP sign-in link */
-  otpSigninHref: string;
 };
 
 // section: helpers
@@ -69,14 +69,29 @@ export function get_login_config(): LoginConfig {
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_LOGIN_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Secure login illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   // Get OAuth configuration
   const oauth = get_oauth_config();
 
-  // OTP sign-in link
-  const otpSigninEnabled = get_config_value(section, "otp_signin_enabled", "false") === "true";
-  const otpSigninLabel = get_config_value(section, "otp_signin_label", "Sign in with email code");
-  const otpSigninHref = get_config_value(section, "otp_signin_href", "/hazo_auth/otp");
-
   return {
     redirectRoute,
     successMessage,
@@ -90,10 +105,10 @@ export function get_login_config(): LoginConfig {
     createAccountPath,
     createAccountLabel,
     showCreateAccountLink,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
     oauth,
-    otpSigninEnabled,
-    otpSigninLabel,
-    otpSigninHref,
   };
 }
 

package/cli-src/lib/my_settings_config.server.ts

@@ -34,6 +34,7 @@ export type MySettingsConfig = {
     user_photo_default_priority2?: "library" | "gravatar";
     library_photo_path: string;
   };
+  heading?: string;
   subHeading?: string;
   profilePhotoLabel?: string;
   profilePhotoRecommendation?: string;
@@ -94,6 +95,7 @@ export function get_my_settings_config(): MySettingsConfig {
   const fileTypes = get_file_types_config();
 
   // Read optional labels with defaults
+  const heading = get_config_value(section, "heading", "Account Settings");
   const subHeading = get_config_value(section, "sub_heading", "Manage your profile, password, and email preferences.");
   const profilePhotoLabel = get_config_value(section, "profile_photo_label", "Profile Photo");
   const profilePhotoRecommendation = get_config_value(section, "profile_photo_recommendation", "Recommended size: 200x200px. JPG, PNG.");
@@ -113,6 +115,7 @@ export function get_my_settings_config(): MySettingsConfig {
     userFields,
     passwordRequirements,
     profilePicture,
+    heading,
     subHeading,
     profilePhotoLabel,
     profilePhotoRecommendation,

package/cli-src/lib/oauth_config.server.ts

@@ -10,20 +10,12 @@ import { DEFAULT_OAUTH } from "./config/default_config.js";
 export type OAuthConfig = {
   /** Enable Google OAuth login */
   enable_google: boolean;
-  /** Enable Facebook OAuth login */
-  enable_facebook: boolean;
   /** Enable traditional email/password login */
   enable_email_password: boolean;
   /** Auto-link Google login to existing unverified email/password accounts */
   auto_link_unverified_accounts: boolean;
-  /** Auto-link Google login to existing unverified email/password accounts (per-provider override) */
-  auto_link_unverified_accounts_google: boolean;
-  /** Auto-link Facebook login to existing unverified email/password accounts */
-  auto_link_unverified_accounts_facebook: boolean;
   /** Text displayed on the Google sign-in button */
   google_button_text: string;
-  /** Text displayed on the Facebook sign-in button */
-  facebook_button_text: string;
   /** Text displayed on the divider between OAuth and email/password form */
   oauth_divider_text: string;
   /** NextAuth signIn page path */
@@ -38,10 +30,14 @@ export type OAuthConfig = {
   skip_invitation_check: boolean;
   /** Redirect when skip_invitation_check=true and user has no scope */
   no_scope_redirect: string;
-  /** Facebook App ID from env HAZO_AUTH_FACEBOOK_APP_ID */
-  facebook_client_id: string | undefined;
-  /** Facebook App Secret from env HAZO_AUTH_FACEBOOK_APP_SECRET */
-  facebook_client_secret: string | undefined;
+  /** Enable Facebook OAuth login */
+  enable_facebook_oauth: boolean;
+  /** Facebook App ID (env: HAZO_AUTH_FACEBOOK_APP_ID overrides config) */
+  facebook_app_id: string;
+  /** Facebook App Secret (env: HAZO_AUTH_FACEBOOK_APP_SECRET overrides config) */
+  facebook_app_secret: string;
+  /** Text displayed on the Facebook sign-in button */
+  facebook_button_text: string;
 };
 
 // section: constants
@@ -60,51 +56,24 @@ export function get_oauth_config(): OAuthConfig {
     DEFAULT_OAUTH.enable_google
   );
 
-  const enable_facebook = get_config_boolean(
-    SECTION_NAME,
-    "enable_facebook",
-    false
-  );
-
   const enable_email_password = get_config_boolean(
     SECTION_NAME,
     "enable_email_password",
     DEFAULT_OAUTH.enable_email_password
   );
 
-  // Generic key (backward compat)
   const auto_link_unverified_accounts = get_config_boolean(
     SECTION_NAME,
     "auto_link_unverified_accounts",
     DEFAULT_OAUTH.auto_link_unverified_accounts
   );
 
-  // Per-provider Google key (falls back to generic)
-  const auto_link_unverified_accounts_google = get_config_boolean(
-    SECTION_NAME,
-    "auto_link_unverified_accounts_google",
-    auto_link_unverified_accounts
-  );
-
-  // Per-provider Facebook key (defaults to false — don't auto-link Facebook unverified)
-  const auto_link_unverified_accounts_facebook = get_config_boolean(
-    SECTION_NAME,
-    "auto_link_unverified_accounts_facebook",
-    false
-  );
-
   const google_button_text = get_config_value(
     SECTION_NAME,
     "google_button_text",
     DEFAULT_OAUTH.google_button_text
   );
 
-  const facebook_button_text = get_config_value(
-    SECTION_NAME,
-    "facebook_button_text",
-    "Continue with Facebook"
-  );
-
   const oauth_divider_text = get_config_value(
     SECTION_NAME,
     "oauth_divider_text",
@@ -147,18 +116,31 @@ export function get_oauth_config(): OAuthConfig {
     DEFAULT_OAUTH.no_scope_redirect
   );
 
-  const facebook_client_id = process.env.HAZO_AUTH_FACEBOOK_APP_ID;
-  const facebook_client_secret = process.env.HAZO_AUTH_FACEBOOK_APP_SECRET;
+  const enable_facebook_oauth = get_config_boolean(
+    SECTION_NAME,
+    "enable_facebook_oauth",
+    false
+  );
+
+  const facebook_app_id =
+    process.env.HAZO_AUTH_FACEBOOK_APP_ID ||
+    get_config_value(SECTION_NAME, "facebook_app_id", "");
+
+  const facebook_app_secret =
+    process.env.HAZO_AUTH_FACEBOOK_APP_SECRET ||
+    get_config_value(SECTION_NAME, "facebook_app_secret", "");
+
+  const facebook_button_text = get_config_value(
+    SECTION_NAME,
+    "facebook_button_text",
+    "Continue with Facebook"
+  );
 
   return {
     enable_google,
-    enable_facebook,
     enable_email_password,
     auto_link_unverified_accounts,
-    auto_link_unverified_accounts_google,
-    auto_link_unverified_accounts_facebook,
     google_button_text,
-    facebook_button_text,
     oauth_divider_text,
     sign_in_page,
     error_page,
@@ -166,8 +148,10 @@ export function get_oauth_config(): OAuthConfig {
     default_redirect,
     skip_invitation_check,
     no_scope_redirect,
-    facebook_client_id,
-    facebook_client_secret,
+    enable_facebook_oauth,
+    facebook_app_id,
+    facebook_app_secret,
+    facebook_button_text,
   };
 }
 
@@ -190,13 +174,3 @@ export function is_email_password_enabled(): boolean {
     DEFAULT_OAUTH.enable_email_password
   );
 }
-
-/**
- * Helper to check if Facebook OAuth is enabled and credentials are present
- * @returns true if Facebook OAuth is enabled and env vars are set
- */
-export function is_facebook_oauth_enabled(): boolean {
-  const enabled = get_config_boolean(SECTION_NAME, "enable_facebook", false);
-  if (!enabled) return false;
-  return !!(process.env.HAZO_AUTH_FACEBOOK_APP_ID && process.env.HAZO_AUTH_FACEBOOK_APP_SECRET);
-}