hazo_auth 7.0.1 → 8.0.1

package/cli-src/lib/auth/nextauth_config.ts

@@ -8,7 +8,7 @@ const GoogleProvider = (GoogleProviderImport as any).default || GoogleProviderIm
 import FacebookProviderImport from "next-auth/providers/facebook";
 const FacebookProvider = (FacebookProviderImport as any).default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 
@@ -37,13 +37,6 @@ export type NextAuthCallbackProfile = {
   email_verified?: boolean;
 };
 
-export type FacebookCallbackProfile = {
-  id?: string;
-  name?: string;
-  email?: string;
-  picture?: { data?: { url: string } } | string;
-};
-
 // section: config
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
@@ -76,17 +69,12 @@ export function get_nextauth_config(): AuthOptions {
     }
   }
 
-  // Add Facebook provider if enabled and credentials are present
-  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+  // Add Facebook provider if enabled
+  if (oauth_config.enable_facebook_oauth && oauth_config.facebook_app_id) {
     providers.push(
       FacebookProvider({
-        clientId: oauth_config.facebook_client_id,
-        clientSecret: oauth_config.facebook_client_secret,
-        authorization: {
-          params: {
-            scope: "email,public_profile",
-          },
-        },
+        clientId: oauth_config.facebook_app_id,
+        clientSecret: oauth_config.facebook_app_secret,
       })
     );
   }
@@ -109,10 +97,10 @@ export function get_nextauth_config(): AuthOptions {
 
         // Always redirect to our custom callback after sign-in to set hazo_auth cookies
         // The callbackUrl from signIn() comes through as `url`
-        if (url.includes("/api/hazo_auth/oauth/google/callback")) {
-          return url;
-        }
-        if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+        if (
+          url.includes("/api/hazo_auth/oauth/google/callback") ||
+          url.includes("/api/hazo_auth/oauth/facebook/callback")
+        ) {
           return url;
         }
 
@@ -125,6 +113,9 @@ export function get_nextauth_config(): AuthOptions {
         }
 
         // Default: redirect to our custom OAuth callback to set cookies
+        if (url.includes("facebook")) {
+          return `${baseUrl}/api/hazo_auth/oauth/facebook/callback`;
+        }
         return `${baseUrl}/api/hazo_auth/oauth/google/callback`;
       },
       /**
@@ -192,48 +183,27 @@ export function get_nextauth_config(): AuthOptions {
 
         if (account?.provider === "facebook" && profile) {
           try {
-            const fbProfile = profile as FacebookCallbackProfile;
+            const fbProfile = profile as NextAuthCallbackProfile;
             const hazoConnect = get_hazo_connect_instance();
-            const current_oauth_config = get_oauth_config();
-
-            // Resolve profile picture URL from Facebook's nested structure
-            let fb_picture_url: string | undefined;
-            if (fbProfile.picture) {
-              if (typeof fbProfile.picture === "string") {
-                fb_picture_url = fbProfile.picture;
-              } else if (fbProfile.picture?.data?.url) {
-                fb_picture_url = fbProfile.picture.data.url;
-              }
-            }
-            if (!fb_picture_url && user.image) {
-              fb_picture_url = user.image ?? undefined;
-            }
+            const { handle_facebook_oauth_login } = await import("../services/oauth_service");
 
             logger.info("nextauth_facebook_signin_attempt", {
               email: user.email,
-              facebook_id: fbProfile.id,
-              name: user.name,
+              facebook_id: account.providerAccountId,
             });
 
-            const result = await handle_facebook_oauth_login(
-              hazoConnect,
-              {
-                facebook_id: fbProfile.id || account.providerAccountId,
-                email: user.email ?? fbProfile.email ?? null,
-                name: user.name || fbProfile.name || undefined,
-                profile_picture_url: fb_picture_url,
-              },
-              { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook }
-            );
+            const result = await handle_facebook_oauth_login(hazoConnect, {
+              facebook_id: account.providerAccountId,
+              email: user.email || fbProfile.email || "",
+              name: user.name || fbProfile.name || undefined,
+              profile_picture_url: user.image || undefined,
+              // Facebook's email_verified is not exposed in the profile; default to false
+              // for safety — the user will be auto-verified if email matches a verified hazo user.
+              email_verified: false,
+            });
 
             if (!result.success) {
-              logger.error("nextauth_facebook_signin_failed", {
-                email: user.email,
-                error: result.error,
-              });
-              if (result.error === "link_blocked_unverified") {
-                return `/hazo_auth/login?error=link_blocked_unverified`;
-              }
+              logger.error("nextauth_facebook_signin_failed", { email: user.email, error: result.error });
               return false;
             }
 
@@ -244,16 +214,10 @@ export function get_nextauth_config(): AuthOptions {
               was_linked: result.was_linked,
             });
 
-            // Store user_id in account for the JWT callback to pick up
             (account as Record<string, unknown>).hazo_user_id = result.user_id;
-
             return true;
-          } catch (error) {
-            const errorMessage = error instanceof Error ? error.message : "Unknown error";
-            logger.error("nextauth_facebook_signin_exception", {
-              email: user.email,
-              error: errorMessage,
-            });
+          } catch (err) {
+            logger.error("nextauth_facebook_signin_exception", { error: String(err) });
             return false;
           }
         }
@@ -321,9 +285,5 @@ export function has_oauth_providers(): boolean {
     if (has_google_credentials) return true;
   }
 
-  if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
-    return true;
-  }
-
   return false;
 }

package/cli-src/lib/auth/with_auth.server.ts

@@ -10,7 +10,7 @@ import {
   PermissionError,
   type TenantAuthOptions,
   type TenantAuthResult,
-  type SelectedScope,
+  type TenantOrganization,
   type HazoAuthUser,
   type ScopeDetails,
   type ScopeAccessInfo,
@@ -27,19 +27,19 @@ export type AuthenticatedTenantAuth = {
   permissions: string[];
   permission_ok: boolean;
   missing_permissions?: string[];
-  selected_scope: SelectedScope | null;
-  selected_scope_id: string | null;
+  organization: TenantOrganization | null;
+  organization_id: string | null;
   user_scopes: ScopeDetails[];
   scope_ok?: boolean;
   scope_access_via?: ScopeAccessInfo;
 };
 
 /**
- * Authenticated branch with guaranteed non-null selected_scope
+ * Authenticated branch with guaranteed non-null organization
  */
-export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth & {
-  selected_scope: SelectedScope;
-  selected_scope_id: string;
+export type AuthenticatedTenantAuthWithOrg = AuthenticatedTenantAuth & {
+  organization: TenantOrganization;
+  organization_id: string;
 };
 
 /**
@@ -48,8 +48,8 @@ export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth &
  */
 export type WithAuthOptions = TenantAuthOptions & {
   /**
-   * If true, requires tenant/scope context (403 if missing)
-   * Narrows auth type to AuthenticatedTenantAuthWithSelectedScope
+   * If true, requires organization context (403 if missing)
+   * Narrows auth type to AuthenticatedTenantAuthWithOrg
    */
   require_tenant?: boolean;
 };
@@ -75,7 +75,7 @@ type AuthenticatedHandler<TParams> = (
  */
 type AuthenticatedTenantHandler<TParams> = (
   request: NextRequest,
-  auth: AuthenticatedTenantAuthWithSelectedScope,
+  auth: AuthenticatedTenantAuthWithOrg,
   params: TParams,
 ) => Promise<NextResponse> | NextResponse;
 
@@ -138,7 +138,7 @@ async function resolve_params<TParams>(
  *
  * - Calls `hazo_get_tenant_auth` and returns 401 if not authenticated
  * - Returns 403 if `required_permissions` are specified and not satisfied
- * - Returns 403 if `require_tenant: true` and no tenant/scope context
+ * - Returns 403 if `require_tenant: true` and no organization context
  * - Resolves `await context.params` (Next.js 15 pattern)
  * - Catches HazoAuthError, PermissionError, and unexpected errors
  *
@@ -161,8 +161,8 @@ async function resolve_params<TParams>(
  * // With tenant requirement
  * export const GET = withAuth<{ id: string }>(
  *   async (request, auth, { id }) => {
- *     // auth.selected_scope is guaranteed non-null
- *     const data = await getData(auth.selected_scope.id, id);
+ *     // auth.organization is guaranteed non-null
+ *     const data = await getData(auth.organization.id, id);
  *     return NextResponse.json(data);
  *   },
  *   { require_tenant: true }
@@ -227,10 +227,10 @@ export function withAuth<TParams = Record<string, never>>(
       }
 
       // Check tenant requirement
-      if (options.require_tenant && !auth.selected_scope) {
+      if (options.require_tenant && !auth.organization) {
         return NextResponse.json(
           {
-            error: "Tenant scope context required",
+            error: "Organization context required",
             code: "TENANT_REQUIRED",
           },
           { status: 403 },

package/cli-src/lib/config/default_config.ts

@@ -177,6 +177,14 @@ export const DEFAULT_OAUTH = {
   skip_invitation_check: false,
   /** Redirect when skip_invitation_check=true and user has no scope */
   no_scope_redirect: "/",
+  /** Enable Facebook OAuth login (requires HAZO_AUTH_FACEBOOK_APP_ID and HAZO_AUTH_FACEBOOK_APP_SECRET env vars) */
+  enable_facebook_oauth: false,
+  /** Facebook App ID — set via env var HAZO_AUTH_FACEBOOK_APP_ID or config */
+  facebook_app_id: "",
+  /** Facebook App Secret — set via env var HAZO_AUTH_FACEBOOK_APP_SECRET or config */
+  facebook_app_secret: "",
+  /** Text displayed on the Facebook sign-in button */
+  facebook_button_text: "Continue with Facebook",
 } as const;
 
 // section: navbar

package/cli-src/lib/cookies_config.server.ts

@@ -27,10 +27,10 @@ export const BASE_COOKIE_NAMES = {
   USER_ID: "hazo_auth_user_id",
   USER_EMAIL: "hazo_auth_user_email",
   SESSION: "hazo_auth_session",
-  SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
   DEV_LOCK: "hazo_auth_dev_lock",
   SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
   ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)
+  SESSION_KIND: "hazo_auth_session_kind", // v5.4: Sign-in method identifier (e.g. "otp", "google", "password")
 } as const;
 
 // section: main_function

package/cli-src/lib/email_verification_config.server.ts

@@ -4,6 +4,12 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_VERIFY_EMAIL_IMAGE_PATH = "/hazo_auth/images/verify_email_default.jpg";
 
 // section: types
 export type EmailVerificationConfig = {
@@ -12,6 +18,9 @@ export type EmailVerificationConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -21,15 +30,40 @@ export type EmailVerificationConfig = {
  * @returns Email verification configuration options
  */
 export function get_email_verification_config(): EmailVerificationConfig {
+  const section = "hazo_auth__email_verification_layout";
+
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_VERIFY_EMAIL_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Email verification illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/forgot_password_config.server.ts

@@ -4,6 +4,12 @@ import "server-only";
 
 // section: imports
 import { get_already_logged_in_config } from "./already_logged_in_config.server.js";
+import { get_config_value } from "./config/config_loader.server.js";
+
+// Default image path - consuming apps should either:
+// 1. Configure their own image_src in hazo_auth_config.ini
+// 2. Copy the default images from node_modules/hazo_auth/public/hazo_auth/images/ to their public folder
+const DEFAULT_FORGOT_PASSWORD_IMAGE_PATH = "/hazo_auth/images/forgot_password_default.jpg";
 
 // section: types
 export type ForgotPasswordConfig = {
@@ -12,6 +18,9 @@ export type ForgotPasswordConfig = {
   showReturnHomeButton: boolean;
   returnHomeButtonLabel: string;
   returnHomePath: string;
+  imageSrc: string;
+  imageAlt: string;
+  imageBackgroundColor: string;
 };
 
 // section: helpers
@@ -21,15 +30,40 @@ export type ForgotPasswordConfig = {
  * @returns Forgot password configuration options
  */
 export function get_forgot_password_config(): ForgotPasswordConfig {
+  const section = "hazo_auth__forgot_password_layout";
+
   // Get shared already logged in config
   const alreadyLoggedInConfig = get_already_logged_in_config();
 
+  // Read image configuration
+  // If not set in config, falls back to default path-based image
+  // Consuming apps should copy images to public/hazo_auth/images/ or configure their own image_src
+  const imageSrc = get_config_value(
+    section,
+    "image_src",
+    DEFAULT_FORGOT_PASSWORD_IMAGE_PATH
+  );
+
+  const imageAlt = get_config_value(
+    section,
+    "image_alt",
+    "Password recovery illustration"
+  );
+  const imageBackgroundColor = get_config_value(
+    section,
+    "image_background_color",
+    "#f1f5f9"
+  );
+
   return {
     alreadyLoggedInMessage: alreadyLoggedInConfig.message,
     showLogoutButton: alreadyLoggedInConfig.showLogoutButton,
     showReturnHomeButton: alreadyLoggedInConfig.showReturnHomeButton,
     returnHomeButtonLabel: alreadyLoggedInConfig.returnHomeButtonLabel,
     returnHomePath: alreadyLoggedInConfig.returnHomePath,
+    imageSrc,
+    imageAlt,
+    imageBackgroundColor,
   };
 }
 

package/cli-src/lib/legal/legal_docs_config.server.ts

@@ -0,0 +1,61 @@
+// file_description: server-only helper to read legal docs configuration from hazo_auth_config.ini
+// section: server-only-guard
+import 'server-only';
+
+// section: imports
+import { read_config_section } from '../config/config_loader.server.js';
+import type { LegalDocConfig, LegalDocsConfig } from './legal_docs_types';
+
+// section: constants
+const SECTION_NAME = 'hazo_auth__legal_docs';
+
+// section: cache
+// Cached after first load — INI changes require server restart anyway
+let _cached: LegalDocsConfig | null = null;
+
+// section: exports
+
+/**
+ * Reads legal docs configuration from hazo_auth_config.ini.
+ * Returns an empty docs array if the section is absent (legal docs disabled).
+ *
+ * Expected INI shape:
+ *   [hazo_auth__legal_docs]
+ *   display_mode = separate   ; or: combined
+ *   doc_1_key   = terms
+ *   doc_1_title = Terms of Service
+ *   doc_1_path  = legal/terms.md
+ *   doc_2_key   = privacy
+ *   doc_2_title = Privacy Policy
+ *   doc_2_path  = legal/privacy.md
+ */
+export function get_legal_docs_config(): LegalDocsConfig {
+  if (_cached) return _cached;
+
+  const section = read_config_section(SECTION_NAME) ?? {};
+
+  const docs: LegalDocConfig[] = [];
+  let i = 1;
+  while (section[`doc_${i}_key`]) {
+    docs.push({
+      key: section[`doc_${i}_key`],
+      title: section[`doc_${i}_title`] ?? section[`doc_${i}_key`],
+      path: section[`doc_${i}_path`],
+    });
+    i++;
+  }
+
+  _cached = {
+    docs,
+    display_mode: section['display_mode'] === 'combined' ? 'combined' : 'separate',
+  };
+
+  return _cached;
+}
+
+/**
+ * Call this in tests to clear the cache between runs.
+ */
+export function _reset_legal_docs_config_cache(): void {
+  _cached = null;
+}

package/cli-src/lib/legal/legal_docs_reader.server.ts

@@ -0,0 +1,36 @@
+// file_description: server-only utility that reads a legal document from disk and returns its content + SHA-256 hash
+// section: server-only-guard
+import 'server-only';
+
+// section: imports
+import * as fs from 'fs';
+import * as path from 'path';
+import { createHash } from 'crypto';
+
+// section: types
+
+export interface ReadDocResult {
+  content: string;
+  hash: string; // "sha256:<hex>"
+}
+
+// section: exports
+
+/**
+ * Reads a legal document from the filesystem and returns its text content
+ * together with a deterministic SHA-256 hash of that content.
+ *
+ * @param doc_path - Absolute path, or a path relative to process.cwd().
+ * @returns { content, hash } where hash is formatted as "sha256:<hex>".
+ * @throws If the file cannot be read.
+ */
+export function read_legal_doc(doc_path: string): ReadDocResult {
+  const abs_path = path.isAbsolute(doc_path)
+    ? doc_path
+    : path.join(process.cwd(), doc_path);
+
+  const content = fs.readFileSync(abs_path, 'utf-8');
+  const hex = createHash('sha256').update(content).digest('hex');
+
+  return { content, hash: `sha256:${hex}` };
+}