hazo_auth 7.0.1 → 7.0.2

package/cli-src/lib/register_config.server.ts

@@ -9,6 +9,11 @@ import { get_already_logged_in_config } from "./already_logged_in_config.server.
 import { get_user_fields_config } from "./user_fields_config.server.js";
 import { get_oauth_config } from "./oauth_config.server.js";
 
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_REGISTER_IMAGE_PATH = "/hazo_auth/images/register_default.jpg";
+
 // section: types
 export type RegisterConfig = {
   showNameField: boolean;
@@ -26,14 +31,17 @@ export type RegisterConfig = {
   returnHomePath: string;
   signInPath: string;
   signInLabel: string;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
   /** OAuth configuration */
   oauth: {
     enable_google: boolean;
-    enable_facebook: boolean;
     enable_email_password: boolean;
     google_button_text: string;
-    facebook_button_text: string;
     oauth_divider_text: string;
+    enable_facebook_oauth: boolean;
+    facebook_button_text: string;
   };
 };
 
@@ -71,6 +79,26 @@ export function get_register_config(): RegisterConfig {
     "Sign in"
   );
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    "hazo_auth__register_layout",
+    "image_src",
+    DEFAULT_REGISTER_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    "hazo_auth__register_layout",
+    "image_alt",
+    "Modern building representing user registration"
+  );
+  const imageBackgroundColor = get_config_value(
+    "hazo_auth__register_layout",
+    "image_background_color",
+    "#e2e8f0"
+  );
+
   // Get OAuth configuration (shared with login)
   const oauthConfig = get_oauth_config();
 
@@ -81,13 +109,6 @@ export function get_register_config(): RegisterConfig {
     "Sign up with Google"
   );
 
-  // For the register page, default Facebook button text to "Sign up with Facebook" unless overridden
-  const registerFacebookButtonText = get_config_value(
-    "hazo_auth__oauth",
-    "facebook_button_text_register",
-    "Sign up with Facebook"
-  );
-
   return {
     showNameField,
     passwordRequirements,
@@ -98,13 +119,16 @@ export function get_register_config(): RegisterConfig {
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
     signInPath,
     signInLabel,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
     oauth: {
       enable_google: oauthConfig.enable_google,
-      enable_facebook: oauthConfig.enable_facebook,
       enable_email_password: oauthConfig.enable_email_password,
       google_button_text: registerGoogleButtonText,
-      facebook_button_text: registerFacebookButtonText,
       oauth_divider_text: oauthConfig.oauth_divider_text,
+      enable_facebook_oauth: oauthConfig.enable_facebook_oauth,
+      facebook_button_text: oauthConfig.facebook_button_text,
     },
   };
 }

package/cli-src/lib/reset_password_config.server.ts

@@ -7,6 +7,11 @@ import { get_config_value } from "./config/config_loader.server.js";
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
 import { get_password_requirements_config } from "./password_requirements_config.server.js";
 
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_RESET_PASSWORD_IMAGE_PATH = "/hazo_auth/images/reset_password_default.jpg";
+
 // section: types
 export type ResetPasswordConfig = {
   errorMessage: string;
@@ -25,6 +30,9 @@ export type ResetPasswordConfig = {
     require_number: boolean;
     require_special: boolean;
   };
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -62,6 +70,26 @@ export function get_reset_password_config(): ResetPasswordConfig {
   // Get shared password requirements
   const passwordRequirements = get_password_requirements_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_RESET_PASSWORD_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Reset password illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   return {
     errorMessage,
     successMessage,
@@ -73,6 +101,9 @@ export function get_reset_password_config(): ResetPasswordConfig {
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
     passwordRequirements,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/services/email_template_manifest.ts

@@ -101,21 +101,4 @@ export const hazo_auth_template_manifest: SystemTemplateManifest[] = [
       },
     ],
   },
-  {
-    template_name: "otp_signin_code",
-    template_label: "OTP sign-in code",
-    category: SYSTEM_CATEGORY,
-    html: read_template("otp_signin_code", "html"),
-    text: read_template("otp_signin_code", "txt"),
-    variables: [
-      {
-        variable_name: "otp_code",
-        variable_description: "6-digit OTP code for email sign-in (v6.1.0+)",
-      },
-      {
-        variable_name: "expires_in_minutes",
-        variable_description: "Number of minutes until the OTP code expires",
-      },
-    ],
-  },
 ];

package/cli-src/lib/services/index.ts

@@ -20,11 +20,5 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
-export {
-  request_email_otp,
-  verify_email_otp,
-  generate_otp_code,
-  hash_otp_code,
-  verify_otp_code,
-} from "./otp_service.js";
-export type { RequestEmailOTPResult, VerifyEmailOTPResult } from "./otp_service";
+
+

package/cli-src/lib/services/oauth_service.ts

@@ -22,6 +22,15 @@ export type GoogleOAuthData = {
   email_verified: boolean;
 };
 
+export type FacebookOAuthData = {
+  facebook_id: string;
+  email: string;
+  name?: string;
+  profile_picture_url?: string;
+  /** Facebook does not always verify emails — only link when hazo user is verified */
+  email_verified: boolean;
+};
+
 export type OAuthLoginResult = {
   success: boolean;
   user_id?: string;
@@ -36,18 +45,6 @@ export type OAuthLoginResult = {
   error?: string;
 };
 
-export type FacebookOAuthData = {
-  /** Facebook's unique user ID */
-  facebook_id: string;
-  /** User's email address from Facebook (may be null if user denied email permission) */
-  email: string | null;
-  /** User's full name from Facebook profile */
-  name?: string;
-  /** User's profile picture URL from Facebook */
-  profile_picture_url?: string;
-  // NOTE: no email_verified — we never trust Facebook's email_verified claim
-};
-
 export type LinkGoogleResult = {
   success: boolean;
   error?: string;
@@ -254,47 +251,31 @@ export async function handle_google_oauth_login(
 }
 
 /**
- * Handles Facebook OAuth login/registration flow
- * 1. Check if user exists with facebook_id -> login
- * 2. Check if user exists with email -> link Facebook account (respects auto_link_unverified)
- * 3. Create new user with Facebook data (email_verified always false — never trust Facebook)
- *
- * @param adapter - The hazo_connect adapter instance
- * @param data - Facebook OAuth user data
- * @param opts - Options (auto_link_unverified: whether to link unverified accounts)
- * @returns OAuth login result with user_id and status flags
+ * Handles Facebook OAuth login: find-by-facebook_id → find-by-email+link → create new.
+ * Mirrors handle_google_oauth_login exactly. Uses auto_link_unverified_accounts gate.
  */
 export async function handle_facebook_oauth_login(
   adapter: HazoConnectAdapter,
-  data: FacebookOAuthData,
-  opts?: { auto_link_unverified?: boolean }
+  data: FacebookOAuthData
 ): Promise<OAuthLoginResult> {
   const logger = create_app_logger();
 
   try {
-    const { facebook_id, email, name, profile_picture_url } = data;
-
+    const { facebook_id, email, name, profile_picture_url, email_verified } = data;
+    const oauth_config = get_oauth_config();
     const users_service = createCrudService(adapter, "hazo_users");
     const now = new Date().toISOString();
 
-    // Step 1: Check if user exists with this facebook_id
-    const users_by_facebook_id = await users_service.findBy({ facebook_id });
-
-    if (Array.isArray(users_by_facebook_id) && users_by_facebook_id.length > 0) {
-      const user = users_by_facebook_id[0];
-
-      await users_service.updateById(user.id, {
-        last_logon: now,
-        changed_at: now,
-      });
-
-      logger.info("oauth_service_facebook_login_existing_facebook_user", {
+    // Step 1: existing user with this facebook_id
+    const users_by_fb_id = await users_service.findBy({ facebook_id });
+    if (Array.isArray(users_by_fb_id) && users_by_fb_id.length > 0) {
+      const user = users_by_fb_id[0];
+      await users_service.updateById(user.id, { last_logon: now, changed_at: now });
+      logger.info("oauth_service_facebook_login_existing_fb_user", {
         filename: "oauth_service.ts",
-        line_number: get_line_number(),
         user_id: user.id,
         email: user.email_address,
       });
-
       return {
         success: true,
         user_id: user.id as string,
@@ -305,117 +286,91 @@ export async function handle_facebook_oauth_login(
       };
     }
 
-    // Step 2: Check if user exists with this email
-    if (email) {
-      const users_by_email = await users_service.findBy({ email_address: email });
-
-      if (Array.isArray(users_by_email) && users_by_email.length > 0) {
-        const user = users_by_email[0];
-        const user_email_verified = user.email_verified as boolean;
-
-        if (!user_email_verified) {
-          if (!opts?.auto_link_unverified) {
-            return {
-              success: false,
-              error: "link_blocked_unverified",
-            };
-          }
-          // auto_link_unverified=true: link but do NOT change email_verified status
-        }
-
-        // Link Facebook account to existing user
-        const current_auth_providers = (user.auth_providers as string) || "email";
-        const new_auth_providers = current_auth_providers.includes("facebook")
-          ? current_auth_providers
-          : `${current_auth_providers},facebook`;
-
-        const update_data: Record<string, unknown> = {
-          facebook_id,
-          auth_providers: new_auth_providers,
-          last_logon: now,
-          changed_at: now,
-        };
-
-        // Update name if not set and Facebook provides one
-        if (!user.name && name) {
-          update_data.name = name;
-        }
+    // Step 2: existing user with matching email
+    const users_by_email = await users_service.findBy({ email_address: email });
+    if (Array.isArray(users_by_email) && users_by_email.length > 0) {
+      const user = users_by_email[0];
+      const user_email_verified = user.email_verified as boolean;
 
-        // Update profile picture if not set and Facebook provides one
-        if (!user.profile_picture_url && profile_picture_url) {
-          update_data.profile_picture_url = profile_picture_url;
-          update_data.profile_source = "custom";
-        }
+      if (!user_email_verified && !oauth_config.auto_link_unverified_accounts) {
+        return {
+          success: false,
+          error: "An account with this email exists but is not verified. Please verify your email first.",
+        };
+      }
 
-        await users_service.updateById(user.id, update_data);
+      const current_auth_providers = (user.auth_providers as string) || "email";
+      const new_auth_providers = current_auth_providers.includes("facebook")
+        ? current_auth_providers
+        : `${current_auth_providers},facebook`;
 
-        logger.info("oauth_service_facebook_linked_to_existing", {
-          filename: "oauth_service.ts",
-          line_number: get_line_number(),
-          user_id: user.id,
-          email,
-          was_unverified: !user_email_verified,
-        });
+      const update_data: Record<string, unknown> = {
+        facebook_id,
+        auth_providers: new_auth_providers,
+        last_logon: now,
+        changed_at: now,
+      };
 
-        return {
-          success: true,
-          user_id: user.id as string,
-          is_new_user: false,
-          was_linked: true,
-          email: user.email_address as string,
-          name: (update_data.name as string) || (user.name as string | undefined),
-        };
+      if (!user_email_verified && email_verified) {
+        update_data.email_verified = true;
+      }
+      if (!user.name && name) update_data.name = name;
+      if (!user.profile_picture_url && profile_picture_url) {
+        update_data.profile_picture_url = profile_picture_url;
+        update_data.profile_source = "custom";
       }
+
+      await users_service.updateById(user.id, update_data);
+      logger.info("oauth_service_facebook_linked_to_existing", {
+        filename: "oauth_service.ts",
+        user_id: user.id,
+        email,
+        was_unverified: !user_email_verified,
+      });
+      return {
+        success: true,
+        user_id: user.id as string,
+        is_new_user: false,
+        was_linked: true,
+        email: user.email_address as string,
+        name: user.name as string | undefined,
+      };
     }
 
-    // Step 3: Create new user with Facebook data
+    // Step 3: create new user
     const user_id = randomUUID();
-
     const insert_data: Record<string, unknown> = {
       id: user_id,
       email_address: email,
-      password_hash: "", // Empty string for Facebook-only users
-      email_verified: false, // Never trust Facebook's email_verified claim
-      status: "ACTIVE",
-      login_attempts: 0,
       facebook_id,
       auth_providers: "facebook",
+      email_verified: email_verified,
+      last_logon: now,
       created_at: now,
       changed_at: now,
-      last_logon: now,
     };
-
-    if (name) {
-      insert_data.name = name;
-    }
-
+    if (name) insert_data.name = name;
     if (profile_picture_url) {
       insert_data.profile_picture_url = profile_picture_url;
       insert_data.profile_source = "custom";
     }
 
-    const inserted_users = await users_service.insert(insert_data);
-
-    if (!Array.isArray(inserted_users) || inserted_users.length === 0) {
-      return {
-        success: false,
-        error: "Failed to create user account",
-      };
+    const inserted = await users_service.insert(insert_data);
+    if (!Array.isArray(inserted) || inserted.length === 0) {
+      return { success: false, error: "Failed to create user account" };
     }
 
     logger.info("oauth_service_facebook_new_user_created", {
       filename: "oauth_service.ts",
-      line_number: get_line_number(),
       user_id,
       email,
     });
-
     return {
       success: true,
       user_id,
       is_new_user: true,
       was_linked: false,
-      email: email ?? undefined,
+      email,
       name,
     };
   } catch (error) {
@@ -423,18 +378,9 @@ export async function handle_facebook_oauth_login(
       logToConsole: true,
       logToLogger: true,
       logger,
-      context: {
-        filename: "oauth_service.ts",
-        line_number: get_line_number(),
-        email: data.email,
-        operation: "handle_facebook_oauth_login",
-      },
+      context: { filename: "oauth_service.ts", email: data.email, operation: "handle_facebook_oauth_login" },
     });
-
-    return {
-      success: false,
-      error: user_friendly_error,
-    };
+    return { success: false, error: user_friendly_error };
   }
 }
 

package/cli-src/lib/services/otp_service.ts

@@ -143,6 +143,11 @@ export async function request_email_otp(args: {
     expires_at,
     attempt_count: 0,
     requester_ip: ip,
+    // Explicitly pass created_at in JS ISO format ("2024-01-01T00:00:00.000Z") rather
+    // than relying on SQLite's DEFAULT (datetime('now') = "2024-01-01 00:00:00").
+    // The space-separated SQLite format compares as less-than the T-separated JS ISO
+    // threshold used in rate-limit WHERE clauses, causing the counter to always read 0.
+    created_at: new Date().toISOString(),
   });
 
   // 7. Dispatch email — fire-and-forget; errors are logged but do not surface to caller
@@ -168,7 +173,7 @@ export async function request_email_otp(args: {
 
 export type VerifyEmailOTPResult =
   | { ok: true; user_id: string; email: string; session_token: string }
-  | { ok: false; error: "invalid_or_expired" };
+  | { ok: false; error: "invalid_or_expired" | "expired" };
 
 export async function verify_email_otp(args: {
   email: string;
@@ -205,7 +210,7 @@ export async function verify_email_otp(args: {
   // 2. Check expiry
   const expires_at_ms = Date.parse(String(row.expires_at));
   if (Number.isNaN(expires_at_ms) || expires_at_ms < Date.now()) {
-    return { ok: false, error: "invalid_or_expired" };
+    return { ok: false, error: "expired" };
   }
 
   // 3. argon2 verify

package/cli-src/lib/services/session_token_service.ts

@@ -63,8 +63,6 @@ function get_session_token_expiry_seconds(): number {
  * Token includes user_id, email, issued at time, and expiration
  * @param user_id - User ID
  * @param email - User email address
- * @param managed_by_user_id - Optional: ID of the managing user (for impersonation)
- * @param ttl_seconds - Optional: token lifetime in seconds (default: 30 days). Use 604800 for 7-day OTP sessions.
  * @returns JWT token string
  */
 export async function create_session_token(

package/config/hazo_auth_config.example.ini

@@ -74,9 +74,11 @@ enable_admin_ui = true
 # image_alt = Illustration of a globe representing secure authentication workflows
 # image_background_color = #e2e8f0
 
-; Page text is no longer configured via INI.
-; Use HazoAuthStringsProvider or per-page props instead.
-; See MIGRATION.md for details.
+# Labels
+# heading = Create your hazo account
+# sub_heading = Secure your access with editable fields powered by shadcn components.
+# submit_button = Register
+# cancel_button = Cancel
 
 # Field labels (defaults shown, uncomment to override)
 # name_label = Full name
@@ -127,9 +129,11 @@ enable_admin_ui = true
 # image_alt = Illustration of a globe representing secure authentication workflows
 # image_background_color = #e2e8f0
 
-; Page text is no longer configured via INI.
-; Use HazoAuthStringsProvider or per-page props instead.
-; See MIGRATION.md for details.
+# Labels
+# heading = Sign in to your account
+# sub_heading = Enter your credentials to access your secure workspace.
+# submit_button = Login
+# cancel_button = Cancel
 
 # Field labels (defaults shown, uncomment to override)
 # email_label = Email address
@@ -155,20 +159,17 @@ enable_admin_ui = true
 # Success message (shown when no redirect route is provided)
 # success_message = Successfully logged in
 
-; OTP sign-in link in the login layout.
-otp_signin_enabled = false
-otp_signin_label = Sign in with email code
-otp_signin_href = /hazo_auth/otp
-
 [hazo_auth__forgot_password_layout]
 # Image configuration
 # image_src = /globe.svg
 # image_alt = Illustration of a globe representing secure authentication workflows
 # image_background_color = #e2e8f0
 
-; Page text is no longer configured via INI.
-; Use HazoAuthStringsProvider or per-page props instead.
-; See MIGRATION.md for details.
+# Labels
+# heading = Forgot your password?
+# sub_heading = Enter your email address and we'll send you a link to reset your password.
+# submit_button = Send reset link
+# cancel_button = Cancel
 
 [hazo_auth__reset_password_layout]
 # Image configuration
@@ -176,9 +177,11 @@ otp_signin_href = /hazo_auth/otp
 # image_alt = Illustration of a globe representing secure authentication workflows
 # image_background_color = #e2e8f0
 
-; Page text is no longer configured via INI.
-; Use HazoAuthStringsProvider or per-page props instead.
-; See MIGRATION.md for details.
+# Labels
+# heading = Reset your password
+# sub_heading = Enter your new password below.
+# submit_button = Reset password
+# cancel_button = Cancel
 
 # Field labels (defaults shown, uncomment to override)
 # password_label = New password
@@ -210,9 +213,22 @@ otp_signin_href = /hazo_auth/otp
 # image_alt = Illustration of a globe representing secure authentication workflows
 # image_background_color = #e2e8f0
 
-; Page text is no longer configured via INI.
-; Use HazoAuthStringsProvider or per-page props instead.
-; See MIGRATION.md for details.
+# Labels (verifying state)
+# heading = Email verification
+# sub_heading = Verifying your email address...
+# submit_button = Resend verification email
+# cancel_button = Cancel
+
+# Success labels
+# success_heading = Email verified successfully
+# success_message = Your email address has been verified. You can now log in to your account.
+# success_redirect_message = Redirecting to login page in
+# success_go_to_login_button = Go to login
+
+# Error labels
+# error_heading = Verification failed
+# error_message = The verification link is invalid or has expired.
+# error_resend_form_heading = Resend verification email
 
 # Field labels (defaults shown, uncomment to override)
 # email_label = Email address
@@ -254,9 +270,11 @@ otp_signin_href = /hazo_auth/otp
 # - [hazo_auth__password_requirements] for password validation rules
 # - [hazo_auth__profile_picture] for profile picture settings and prioritization
 
-; Page heading text is no longer configured via INI.
-; Use HazoAuthStringsProvider or the title prop on MySettingsPage instead.
-; See MIGRATION.md for details.
+# Heading
+# heading = Account Settings
+
+# Sub heading
+# sub_heading = Manage your profile, password, and email preferences.
 
 # Profile Photo section
 # profile_photo_label = Profile Photo
@@ -579,26 +597,6 @@ application_permission_list_defaults = admin_user_management,admin_role_manageme
 # Redirect when skip_invitation_check=true and user has no scope
 # no_scope_redirect = /
 
-[hazo_auth__create_firm]
-; heading, sub_heading, and submit_button_label are no longer configured via INI in v7.0.0.
-; Use HazoAuthStringsProvider or the title/subtitle/ctaText props on CreateFirmPage instead.
-; See MIGRATION.md for details.
-
-; Firm name field label
-# firm_name_label = Firm Name
-
-; Organisation structure field label
-# org_structure_label = Organisation Structure
-
-; Default organisation structure value
-# org_structure_default = Headquarters
-
-; Success message shown after firm creation
-# success_message = Your firm has been created successfully!
-
-; Route to redirect to after firm creation
-# redirect_route = /
-
 [hazo_auth__multi_tenancy]
 # Multi-tenancy configuration for organization hierarchy
 # Enables hierarchical organization structures for company-wide access control
@@ -731,36 +729,3 @@ company_name = My Company
 #   [hazo_auth__login_layout]
 #   image_src = /your-custom-image.jpg
 
-[hazo_auth__otp]
-; Email-OTP sign-in configuration (v6.1.0+).
-;
-; Whether /otp/verify may create new hazo_users rows for unknown emails.
-;   false (default): /otp/request silently no-ops for unknown emails.
-;   true:            /otp/verify creates a user row on first successful code match.
-otp_auto_register = false
-
-; OTP code lifetime in seconds (default 600 = 10 minutes).
-otp_code_ttl_seconds = 600
-
-; OTP session lifetime in seconds (default 604800 = 7 days).
-otp_session_ttl_seconds = 604800
-
-; Sliding-session threshold: if a /me call lands and the JWT exp is within
-; this many seconds, re-issue the session for another otp_session_ttl_seconds.
-otp_slide_when_within_seconds = 86400
-
-; Per-email rate limit for /otp/request.
-otp_email_rate_limit_max = 3
-otp_email_rate_limit_window_seconds = 900
-
-; Per-IP rate limit for /otp/request.
-otp_ip_rate_limit_max = 20
-otp_ip_rate_limit_window_seconds = 3600
-
-; Wrong-guess limit per code; row is poisoned after this many failures.
-otp_max_verify_attempts = 5
-
-; Scope binding for newly auto-registered users (only used when otp_auto_register=true).
-otp_auto_assign_scope_id = 00000000-0000-0000-0000-000000000001
-otp_auto_assign_role_name = member
-