hazo_auth 7.0.1 → 8.0.1

package/dist/server/routes/legal_docs_accept.js

@@ -0,0 +1,43 @@
+// file_description: POST /api/hazo_auth/legal_docs/accept — records a user's acceptance of one or more legal docs
+import { NextResponse } from 'next/server';
+import { hazo_get_auth } from '../../lib/auth/hazo_get_auth.server.js';
+import { get_client_ip } from '../../lib/auth/hazo_get_auth.server.js';
+import { get_legal_docs_config } from '../../lib/legal/legal_docs_config.server.js';
+import { read_legal_doc } from '../../lib/legal/legal_docs_reader.server.js';
+import { write_legal_acceptance } from '../../lib/legal/legal_docs_service.js';
+import { get_hazo_connect_instance } from '../../lib/hazo_connect_instance.server.js';
+import { create_app_logger } from '../../lib/app_logger.js';
+export async function legalDocsAcceptPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request);
+        if (!auth.user) {
+            return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 });
+        }
+        const body = await request.json().catch(() => null);
+        const accepted = body === null || body === void 0 ? void 0 : body.accepted;
+        if (!accepted || typeof accepted !== 'object' || Object.keys(accepted).length === 0) {
+            return NextResponse.json({ ok: false, error: 'accepted is required' }, { status: 400 });
+        }
+        const config = get_legal_docs_config();
+        for (const [doc_key, { hash }] of Object.entries(accepted)) {
+            const doc_config = config.docs.find(d => d.key === doc_key);
+            if (!doc_config) {
+                return NextResponse.json({ ok: false, error: `Unknown doc key: ${doc_key}` }, { status: 400 });
+            }
+            const { hash: current_hash } = read_legal_doc(doc_config.path);
+            if (hash !== current_hash) {
+                return NextResponse.json({ ok: false, error: `Hash mismatch for "${doc_key}" — user may have seen a stale version` }, { status: 400 });
+            }
+        }
+        const ip = get_client_ip(request);
+        const user_agent = request.headers.get('user-agent');
+        const adapter = get_hazo_connect_instance();
+        await write_legal_acceptance(adapter, auth.user.id, accepted, ip, user_agent);
+        return NextResponse.json({ ok: true });
+    }
+    catch (err) {
+        logger.error('legal_docs_accept: internal server error', { err });
+        return NextResponse.json({ ok: false, error: 'Internal server error' }, { status: 500 });
+    }
+}

package/dist/server/routes/legal_docs_get.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function legalDocsGET(_request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=legal_docs_get.d.ts.map

package/dist/server/routes/legal_docs_get.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legal_docs_get.d.ts","sourceRoot":"","sources":["../../../src/server/routes/legal_docs_get.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOxD,wBAAsB,YAAY,CAAC,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CA8C/E"}

package/dist/server/routes/legal_docs_get.js

@@ -0,0 +1,49 @@
+// file_description: GET /api/hazo_auth/legal_docs — returns configured legal docs with content and required version info
+import { NextResponse } from 'next/server';
+import { get_legal_docs_config } from '../../lib/legal/legal_docs_config.server.js';
+import { read_legal_doc } from '../../lib/legal/legal_docs_reader.server.js';
+import { get_required_versions } from '../../lib/legal/legal_docs_service.js';
+import { get_hazo_connect_instance } from '../../lib/hazo_connect_instance.server.js';
+import { create_app_logger } from '../../lib/app_logger.js';
+export async function legalDocsGET(_request) {
+    const logger = create_app_logger();
+    try {
+        const config = get_legal_docs_config();
+        if (config.docs.length === 0) {
+            return NextResponse.json({ ok: true, data: { display_mode: config.display_mode, docs: [] } });
+        }
+        const doc_results = config.docs.map((doc_config) => {
+            try {
+                const { content, hash } = read_legal_doc(doc_config.path);
+                return { ok: true, key: doc_config.key, title: doc_config.title, content, hash };
+            }
+            catch (err) {
+                logger.error('legal_docs_get: failed to read legal doc file', { err, key: doc_config.key, path: doc_config.path });
+                return { ok: false, key: doc_config.key, error: `File not found: ${doc_config.path}` };
+            }
+        });
+        const failed = doc_results.find(d => !d.ok);
+        if (failed) {
+            return NextResponse.json({ ok: false, error: `Legal doc "${failed.key}" could not be read. Check hazo_auth_config.ini path.` }, { status: 500 });
+        }
+        const adapter = get_hazo_connect_instance();
+        const keys = config.docs.map(d => d.key);
+        const required_versions = await get_required_versions(adapter, keys);
+        const docs = doc_results.map((d) => {
+            var _a, _b, _c, _d;
+            return ({
+                key: d.key,
+                title: d.title,
+                content: d.content,
+                hash: d.hash,
+                required_hash: (_b = (_a = required_versions[d.key]) === null || _a === void 0 ? void 0 : _a.required_hash) !== null && _b !== void 0 ? _b : null,
+                required_published_at: (_d = (_c = required_versions[d.key]) === null || _c === void 0 ? void 0 : _c.published_at) !== null && _d !== void 0 ? _d : null,
+            });
+        });
+        return NextResponse.json({ ok: true, data: { display_mode: config.display_mode, docs } });
+    }
+    catch (err) {
+        logger.error('legal_docs_get: internal server error', { err });
+        return NextResponse.json({ ok: false, error: 'Internal server error' }, { status: 500 });
+    }
+}

package/dist/server/routes/legal_docs_publish.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function legalDocsPublishPOST(request: NextRequest): Promise<NextResponse>;
+//# sourceMappingURL=legal_docs_publish.d.ts.map

package/dist/server/routes/legal_docs_publish.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legal_docs_publish.d.ts","sourceRoot":"","sources":["../../../src/server/routes/legal_docs_publish.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CA+BtF"}

package/dist/server/routes/legal_docs_publish.js

@@ -0,0 +1,35 @@
+// file_description: POST /api/hazo_auth/legal_docs/publish — admin endpoint to publish a new required version of a legal doc
+import { NextResponse } from 'next/server';
+import { hazo_get_auth } from '../../lib/auth/hazo_get_auth.server.js';
+import { get_legal_docs_config } from '../../lib/legal/legal_docs_config.server.js';
+import { read_legal_doc } from '../../lib/legal/legal_docs_reader.server.js';
+import { publish_doc_version } from '../../lib/legal/legal_docs_service.js';
+import { get_hazo_connect_instance } from '../../lib/hazo_connect_instance.server.js';
+import { create_app_logger } from '../../lib/app_logger.js';
+export async function legalDocsPublishPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request, { required_permissions: ['admin_user_management'] });
+        if (!auth.permission_ok) {
+            return NextResponse.json({ ok: false, error: 'Forbidden' }, { status: 403 });
+        }
+        const body = await request.json().catch(() => null);
+        const doc_key = body === null || body === void 0 ? void 0 : body.doc_key;
+        if (!doc_key || typeof doc_key !== 'string') {
+            return NextResponse.json({ ok: false, error: 'doc_key is required' }, { status: 400 });
+        }
+        const config = get_legal_docs_config();
+        const doc_config = config.docs.find(d => d.key === doc_key);
+        if (!doc_config) {
+            return NextResponse.json({ ok: false, error: `Unknown doc key: ${doc_key}` }, { status: 400 });
+        }
+        const { hash } = read_legal_doc(doc_config.path);
+        const adapter = get_hazo_connect_instance();
+        const { published_at } = await publish_doc_version(adapter, doc_key, hash, auth.user.id);
+        return NextResponse.json({ ok: true, data: { doc_key, required_hash: hash, published_at } });
+    }
+    catch (err) {
+        logger.error('legal_docs_publish: internal server error', { err });
+        return NextResponse.json({ ok: false, error: 'Internal server error' }, { status: 500 });
+    }
+}

package/dist/server/routes/me.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA+BxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IAqJ7C"}
+{"version":3,"file":"me.d.ts","sourceRoot":"","sources":["../../../src/server/routes/me.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBxD;;;;;GAKG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;IA+G7C"}

package/dist/server/routes/me.js

@@ -1,7 +1,6 @@
 // file_description: API route handler to get current authenticated user information with permissions
 // section: imports
 import { NextResponse } from "next/server";
-import { jwtVerify } from "jose";
 import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { createCrudService } from "hazo_connect/server";
@@ -9,9 +8,6 @@ import { map_db_source_to_ui } from "../../lib/services/profile_picture_source_m
 import { create_app_logger } from "../../lib/app_logger.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { is_user_types_enabled, get_user_type_by_key, } from "../../lib/user_types_config.server.js";
-import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES, } from "../../lib/cookies_config.server.js";
-import { create_session_token } from "../../lib/services/session_token_service.js";
-import { get_otp_config, hazo_auth_otp_session_ttl_seconds, } from "../../lib/otp_config.server.js";
 // section: helpers
 function strip_sentinel_email(email) {
     if (!email)
@@ -28,7 +24,6 @@ function strip_sentinel_email(email) {
  * Always returns the same format to prevent downstream variations.
  */
 export async function GET(request) {
-    var _a, _b, _c, _d, _e, _f;
     const logger = create_app_logger();
     try {
         // Use hazo_get_auth to get user with permissions
@@ -75,7 +70,7 @@ export async function GET(request) {
         }
         // Return unified format with all fields
         const profile_pic = auth_result.user.profile_picture_url;
-        const response = NextResponse.json({
+        return NextResponse.json({
             authenticated: true,
             // Top-level fields for backward compatibility
             user_id: auth_result.user.id,
@@ -105,43 +100,6 @@ export async function GET(request) {
             permission_ok: auth_result.permission_ok,
             missing_permissions: auth_result.missing_permissions,
         }, { status: 200 });
-        // --- OTP sliding-session hook ---
-        const session_kind = (_a = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND))) === null || _a === void 0 ? void 0 : _a.value;
-        if (session_kind === "otp") {
-            try {
-                const session_cookie = (_b = request.cookies.get(get_cookie_name(BASE_COOKIE_NAMES.SESSION))) === null || _b === void 0 ? void 0 : _b.value;
-                if (session_cookie) {
-                    const secret = new TextEncoder().encode((_c = process.env.JWT_SECRET) !== null && _c !== void 0 ? _c : "");
-                    const { payload } = await jwtVerify(session_cookie, secret);
-                    const exp = Number((_d = payload.exp) !== null && _d !== void 0 ? _d : 0);
-                    const now_seconds = Math.floor(Date.now() / 1000);
-                    const otp_cfg = get_otp_config();
-                    const seconds_until_exp = exp - now_seconds;
-                    if (seconds_until_exp > 0 && seconds_until_exp < otp_cfg.slide_when_within_seconds) {
-                        const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
-                        const user_id = String((_e = payload.user_id) !== null && _e !== void 0 ? _e : "");
-                        const user_email = String((_f = payload.email) !== null && _f !== void 0 ? _f : "");
-                        const new_token = await create_session_token(user_id, user_email, undefined, ttl_seconds);
-                        const cookie_options = get_cookie_options({
-                            httpOnly: true,
-                            secure: process.env.NODE_ENV === "production",
-                            sameSite: "lax",
-                            path: "/",
-                            maxAge: ttl_seconds,
-                        });
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION), new_token, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_ID), user_id, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.USER_EMAIL), user_email, cookie_options);
-                        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "otp", cookie_options);
-                    }
-                }
-            }
-            catch (slide_err) {
-                // Slide is best-effort — never break /me for this
-            }
-        }
-        // --- end OTP sliding-session hook ---
-        return response;
     }
     catch (error) {
         const error_message = error instanceof Error ? error.message : "Unknown error";

package/dist/server/routes/oauth_facebook_callback.d.ts

@@ -4,5 +4,5 @@ import { NextRequest, NextResponse } from "next/server";
  * The user creation/linking is done in NextAuth signIn callback
  * This route just sets the hazo_auth session cookies
  */
-export declare function facebookCallbackGET(original_request: NextRequest): Promise<NextResponse<unknown>>;
+export declare function GET(original_request: NextRequest): Promise<NextResponse<unknown>>;
 //# sourceMappingURL=oauth_facebook_callback.d.ts.map

package/dist/server/routes/oauth_facebook_callback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_facebook_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_facebook_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,gBAAgB,EAAE,WAAW,kCAoKtE"}
+{"version":3,"file":"oauth_facebook_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_facebook_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,gBAAgB,EAAE,WAAW,kCAiLtD"}

package/dist/server/routes/oauth_facebook_callback.js

@@ -17,7 +17,7 @@ import { rewrite_request_for_proxy } from "../../lib/utils/proxy_request.js";
  * The user creation/linking is done in NextAuth signIn callback
  * This route just sets the hazo_auth session cookies
  */
-export async function facebookCallbackGET(original_request) {
+export async function GET(original_request) {
     // Rewrite request.url to public origin when behind a reverse proxy.
     const request = rewrite_request_for_proxy(original_request);
     const logger = create_app_logger();
@@ -139,6 +139,13 @@ export async function facebookCallbackGET(original_request) {
                 note: "OAuth login succeeded but session token creation failed - using legacy cookies",
             });
         }
+        // Set session kind cookie so downstream can identify sign-in method
+        response.cookies.set(get_cookie_name(BASE_COOKIE_NAMES.SESSION_KIND), "facebook", cookie_options);
+        logger.info("facebook_callback_session_created", {
+            filename: get_filename(),
+            user_id,
+            email,
+        });
         return response;
     }
     catch (error) {

package/dist/server/routes/oauth_google_callback.js

@@ -172,7 +172,7 @@ export async function GET(original_request) {
             error_message,
             error_stack,
         });
-        const login_url = new URL(sign_in_page, request.url);
+        const login_url = new URL("/hazo_auth/login", request.url);
         login_url.searchParams.set("error", "oauth_error");
         return NextResponse.redirect(login_url.toString());
     }

package/dist/server/routes/otp/verify.js

@@ -28,7 +28,7 @@ export async function otpVerifyPOST(request) {
             ip,
         });
         if (result.ok === false) {
-            return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 400 });
+            return NextResponse.json({ ok: false, error: result.error }, { status: 401 });
         }
         const ttl_seconds = hazo_auth_otp_session_ttl_seconds();
         const base_cookie_options = {
@@ -53,6 +53,6 @@ export async function otpVerifyPOST(request) {
     catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error("otp_verify_route_error", { error: msg });
-        return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 400 });
+        return NextResponse.json({ ok: false, error: "invalid_or_expired" }, { status: 401 });
     }
 }

package/dist/server/routes/register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../src/server/routes/register.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;IAiG9C"}
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../src/server/routes/register.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAWxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;IAgI9C"}

package/dist/server/routes/register.js

@@ -6,12 +6,17 @@ import { create_app_logger } from "../../lib/app_logger.js";
 import { register_user } from "../../lib/services/registration_service.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { sanitize_error_for_user } from "../../lib/utils/error_sanitizer.js";
+import { get_legal_docs_config } from "../../lib/legal/legal_docs_config.server.js";
+import { read_legal_doc } from "../../lib/legal/legal_docs_reader.server.js";
+import { get_client_ip } from "../../lib/auth/hazo_get_auth.server.js";
 // section: api_handler
 export async function POST(request) {
+    var _a;
     const logger = create_app_logger();
     try {
         const body = await request.json();
         const { name, email, password, url_on_logon } = body;
+        const legal_accepted = body === null || body === void 0 ? void 0 : body.legal_accepted;
         // Validate input
         if (!email || !password) {
             logger.warn("registration_validation_failed", {
@@ -32,6 +37,24 @@ export async function POST(request) {
             });
             return NextResponse.json({ error: "Invalid email address format" }, { status: 400 });
         }
+        // Validate legal acceptance if docs are configured
+        const legal_config = get_legal_docs_config();
+        if (legal_config.docs.length > 0) {
+            const missing_keys = legal_config.docs
+                .map(d => d.key)
+                .filter(key => !(legal_accepted === null || legal_accepted === void 0 ? void 0 : legal_accepted[key]));
+            if (missing_keys.length > 0) {
+                return NextResponse.json({ ok: false, error: 'legal_acceptance_required', missing_keys }, { status: 400 });
+            }
+            // Validate hashes match current file content
+            for (const doc_config of legal_config.docs) {
+                const submitted_hash = (_a = legal_accepted[doc_config.key]) === null || _a === void 0 ? void 0 : _a.hash;
+                const { hash: current_hash } = read_legal_doc(doc_config.path);
+                if (submitted_hash !== current_hash) {
+                    return NextResponse.json({ ok: false, error: `Hash mismatch for "${doc_config.key}"` }, { status: 400 });
+                }
+            }
+        }
         // Get singleton hazo_connect instance (reuses same connection across all routes)
         const hazoConnect = get_hazo_connect_instance();
         // Register user using the registration service
@@ -40,6 +63,9 @@ export async function POST(request) {
             password,
             name,
             url_on_logon,
+            legal_accepted,
+            ip: get_client_ip(request),
+            user_agent: request.headers.get('user-agent'),
         });
         if (!result.success) {
             const status_code = result.error === "Email address already registered" ? 409 : 500;

package/dist/server/routes/strings_defaults.d.ts

@@ -0,0 +1,4 @@
+import "server-only";
+import { NextResponse } from "next/server";
+export declare function stringsDefaultsGET(): Promise<NextResponse>;
+//# sourceMappingURL=strings_defaults.d.ts.map

package/dist/server/routes/strings_defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strings_defaults.d.ts","sourceRoot":"","sources":["../../../src/server/routes/strings_defaults.ts"],"names":[],"mappings":"AACA,OAAO,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC,CAEhE"}

package/dist/server/routes/strings_defaults.js

@@ -0,0 +1,7 @@
+// file_description: Route handler returning the DEFAULT_STRINGS object for introspection and testing
+import "server-only";
+import { NextResponse } from "next/server";
+import { DEFAULT_STRINGS } from "../../strings/default_strings.js";
+export async function stringsDefaultsGET() {
+    return NextResponse.json(DEFAULT_STRINGS, { status: 200 });
+}

package/dist/server/routes/user_management_users.d.ts

@@ -26,6 +26,7 @@ export declare function GET(request: NextRequest): Promise<NextResponse<{
         profile_source: {} | null;
         user_type: string | null;
         app_user_data: Record<string, unknown> | null;
+        legal_acceptance_status: "current" | "outdated" | "none";
     }[];
 }>>;
 /**
@@ -44,4 +45,14 @@ export declare function POST(request: NextRequest): Promise<NextResponse<{
 }> | NextResponse<{
     success: boolean;
 }>>;
+/**
+ * DELETE - Hard-delete a user from hazo_users (cascades to all related rows).
+ * Body: { user_id: string }
+ * Requires: admin_user_management permission.
+ */
+export declare function DELETE(request: NextRequest): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    success: boolean;
+}>>;
 //# sourceMappingURL=user_management_users.d.ts.map

package/dist/server/routes/user_management_users.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user_management_users.d.ts","sourceRoot":"","sources":["../../../src/server/routes/user_management_users.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAexD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AAGvC;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;;;;;;;;;;;;;;;;;;;IAyF7C;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;IAgI/C;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;IA2E9C"}
+{"version":3,"file":"user_management_users.d.ts","sourceRoot":"","sources":["../../../src/server/routes/user_management_users.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkBxD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AA+BvC;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;;;;;;;;;;;;;;;;;;;;IAsG7C;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;IAgI/C;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;IA2E9C;AAED;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW;;;;IAmEhD"}

package/dist/server/routes/user_management_users.js

@@ -9,8 +9,35 @@ import { request_password_reset } from "../../lib/services/password_reset_servic
 import { get_auth_cache } from "../../lib/auth/auth_cache.js";
 import { get_auth_utility_config } from "../../lib/auth_utility_config.server.js";
 import { is_user_types_enabled, get_all_user_types, get_user_types_config, } from "../../lib/user_types_config.server.js";
+import { get_required_versions } from "../../lib/legal/legal_docs_service.js";
+import { get_legal_docs_config } from "../../lib/legal/legal_docs_config.server.js";
+import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 // section: route_config
 export const dynamic = 'force-dynamic';
+// section: helpers
+/**
+ * Compute a user's legal compliance status given their raw legal_acceptance JSON,
+ * the currently-required hashes, and the configured doc keys.
+ */
+function compute_legal_status(raw, required, docs) {
+    if (docs.length === 0)
+        return 'none';
+    if (Object.keys(required).length === 0)
+        return 'none';
+    let map = {};
+    try {
+        map = typeof raw === 'string' ? JSON.parse(raw) : (raw !== null && raw !== void 0 ? raw : {});
+    }
+    catch ( /* ignore */_a) { /* ignore */ }
+    const all_current = docs.every(doc => {
+        var _a;
+        const req = required[doc.key];
+        if (!req)
+            return true;
+        return ((_a = map[doc.key]) === null || _a === void 0 ? void 0 : _a.hash) === req.required_hash;
+    });
+    return all_current ? 'current' : 'outdated';
+}
 // section: api_handler
 /**
  * GET - Fetch all users with details or a specific user by id
@@ -42,6 +69,13 @@ export async function GET(request) {
                 badge_color: t.badge_color,
             }))
             : [];
+        // Load legal docs required versions for compliance status
+        const legal_config = get_legal_docs_config();
+        let required_versions = {};
+        if (legal_config.docs.length > 0) {
+            const adapter = get_hazo_connect_instance();
+            required_versions = await get_required_versions(adapter, legal_config.docs.map(d => d.key));
+        }
         return NextResponse.json({
             success: true,
             user_types_enabled,
@@ -74,6 +108,7 @@ export async function GET(request) {
                     profile_source: user.profile_source || null,
                     user_type: user.user_type || null,
                     app_user_data,
+                    legal_acceptance_status: compute_legal_status(user.legal_acceptance, required_versions, legal_config.docs),
                 };
             }),
         }, { status: 200 });
@@ -241,3 +276,62 @@ export async function POST(request) {
         return NextResponse.json({ error: "Failed to send password reset email" }, { status: 500 });
     }
 }
+/**
+ * DELETE - Hard-delete a user from hazo_users (cascades to all related rows).
+ * Body: { user_id: string }
+ * Requires: admin_user_management permission.
+ */
+export async function DELETE(request) {
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request, { required_permissions: ['admin_user_management'] });
+        if (!auth.user) {
+            return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+        }
+        if (!auth.permission_ok) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+        }
+        const body = await request.json();
+        const { user_id } = body;
+        if (auth.user.id === user_id) {
+            return NextResponse.json({ error: 'Cannot delete your own account' }, { status: 400 });
+        }
+        if (!user_id) {
+            return NextResponse.json({ error: "user_id is required" }, { status: 400 });
+        }
+        const hazoConnect = get_hazo_connect_instance();
+        const users_service = createCrudService(hazoConnect, "hazo_users");
+        // Verify user exists before deleting
+        const users = await users_service.findBy({ id: user_id });
+        if (!Array.isArray(users) || users.length === 0) {
+            return NextResponse.json({ error: "User not found" }, { status: 404 });
+        }
+        // Invalidate auth cache first
+        try {
+            const auth_config = get_auth_utility_config();
+            const auth_cache = get_auth_cache(auth_config.cache_max_users, auth_config.cache_ttl_minutes, auth_config.cache_max_age_minutes);
+            auth_cache.invalidate_user(user_id);
+        }
+        catch (_a) {
+            // Non-fatal
+        }
+        await users_service.deleteById(user_id);
+        logger.info("user_management_user_deleted", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            user_id,
+        });
+        return NextResponse.json({ success: true }, { status: 200 });
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        const error_stack = error instanceof Error ? error.stack : undefined;
+        logger.error("user_management_user_delete_error", {
+            filename: get_filename(),
+            line_number: get_line_number(),
+            error_message,
+            error_stack,
+        });
+        return NextResponse.json({ error: "Failed to delete user" }, { status: 500 });
+    }
+}

package/dist/server-lib.d.ts

@@ -24,9 +24,6 @@ export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled, }
 export type { OAuthConfig } from "./lib/oauth_config.server";
 export { get_branding_config, is_branding_enabled, is_allowed_logo_format, get_max_logo_size_bytes, } from "./lib/branding_config.server.js";
 export type { FirmBrandingConfig } from "./lib/branding_config.server";
-export { get_otp_config, hazo_auth_otp_session_ttl_seconds, OTP_CONFIG_DEFAULTS } from "./lib/otp_config.server.js";
-export type { OtpConfig } from "./lib/otp_config.server";
-export { request_email_otp, verify_email_otp } from "./lib/services/otp_service.js";
 export { create_sqlite_hazo_connect } from "./lib/hazo_connect_setup.js";
 export { get_hazo_connect_instance } from "./lib/hazo_connect_instance.server.js";
 export { create_app_logger } from "./lib/app_logger.js";

package/dist/server-lib.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAGrF,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,cAAc,EAAE,iCAAiC,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AACjH,YAAY,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAGjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}
+{"version":3,"file":"server-lib.d.ts","sourceRoot":"","sources":["../src/server-lib.ts"],"names":[],"mappings":"AAYA,OAAO,aAAa,CAAC;AAGrB,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAGrF,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,qCAAqC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iCAAiC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAG/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC5E,cAAc,+BAA+B,CAAC"}

package/dist/server-lib.js

@@ -37,8 +37,6 @@ export { get_user_fields_config } from "./lib/user_fields_config.server.js";
 export { get_file_types_config } from "./lib/file_types_config.server.js";
 export { get_oauth_config, is_google_oauth_enabled, is_email_password_enabled, } from "./lib/oauth_config.server.js";
 export { get_branding_config, is_branding_enabled, is_allowed_logo_format, get_max_logo_size_bytes, } from "./lib/branding_config.server.js";
-export { get_otp_config, hazo_auth_otp_session_ttl_seconds, OTP_CONFIG_DEFAULTS } from "./lib/otp_config.server.js";
-export { request_email_otp, verify_email_otp } from "./lib/services/otp_service.js";
 // section: hazo_connect_exports
 export { create_sqlite_hazo_connect } from "./lib/hazo_connect_setup.js";
 export { get_hazo_connect_instance } from "./lib/hazo_connect_instance.server.js";

package/dist/server_pages/forgot_password.d.ts

@@ -1,5 +1,21 @@
 import "server-only";
+import type { StaticImageData } from "next/image";
 export type ForgotPasswordPageProps = {
+    /**
+     * Optional image source for the visual panel
+     * Defaults from hazo_auth_config.ini or package default image
+     */
+    image_src?: string | StaticImageData;
+    /**
+     * Optional image alt text
+     * Defaults to "Password recovery illustration"
+     */
+    image_alt?: string;
+    /**
+     * Optional image background color
+     * Defaults to "#f1f5f9"
+     */
+    image_background_color?: string;
     /**
      * Optional sign in path
      * Defaults from DEFAULT_FORGOT_PASSWORD.loginPath
@@ -10,18 +26,6 @@ export type ForgotPasswordPageProps = {
      * Defaults from DEFAULT_FORGOT_PASSWORD.loginLabel
      */
     sign_in_label?: string;
-    /**
-     * Optional theme that controls visual appearance and layout mode.
-     * When `theme.layout` is `"split"`, activates the two-column split layout
-     * with the brand panel on the left.
-     */
-    theme?: import("../theme/theme_types").HazoAuthTheme;
-    /** Override the page heading. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
-    title?: string;
-    /** Override the page subtitle. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
-    subtitle?: string;
-    /** Override the submit button label. Falls back to HazoAuthStringsProvider → DEFAULT_STRINGS. */
-    ctaText?: string;
 };
 /**
  * Zero-config ForgotPasswordPage server component
@@ -43,9 +47,9 @@ export type ForgotPasswordPageProps = {
  *
  * Zero configuration required - works out of the box!
  *
- * @param props - Optional navigation customization props
+ * @param props - Optional visual and navigation customization props
  * @returns Server-rendered forgot password page
  */
-export default function ForgotPasswordPage(props: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
+export default function ForgotPasswordPage({ image_src, image_alt, image_background_color, sign_in_path, sign_in_label, }?: ForgotPasswordPageProps): import("react/jsx-runtime").JSX.Element;
 export { ForgotPasswordPage };
 //# sourceMappingURL=forgot_password.d.ts.map

package/dist/server_pages/forgot_password.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/server_pages/forgot_password.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAUrB,MAAM,MAAM,uBAAuB,GAAG;IACpC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,sBAAsB,EAAE,aAAa,CAAC;IACrD,0FAA0F;IAC1F,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2FAA2F;IAC3F,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iGAAiG;IACjG,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,kBAAkB,CAAC,KAAK,EAAE,uBAAuB,2CAoCxE;AAGD,OAAO,EAAE,kBAAkB,EAAE,CAAC"}
+{"version":3,"file":"forgot_password.d.ts","sourceRoot":"","sources":["../../src/server_pages/forgot_password.tsx"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AASrB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,uBAAuB,GAAG;IACpC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAAC;IAErC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,OAAO,UAAU,kBAAkB,CAAC,EACzC,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,YAAgD,EAChD,aAAkD,GACnD,GAAE,uBAA4B,2CAkC9B;AAGD,OAAO,EAAE,kBAAkB,EAAE,CAAC"}