hazo_auth 7.0.1 → 8.0.1

package/dist/lib/auth/auth_types.js

@@ -1,13 +1,3 @@
-// file_description: Type definitions and error classes for hazo_get_auth utility
-//
-// Naming note (v6.0.0): the field previously called `organization` (and
-// `organization_id`) on `TenantAuthResult` was renamed to `selected_scope`
-// (and `selected_scope_id`), and the type `TenantOrganization` was renamed
-// to `SelectedScope`. The multi-tenancy model is scopes throughout; the
-// old name was a legacy synonym for "the currently selected scope" derived
-// from the scope-selection cookie/header. No deprecation shim is provided.
-//
-// section: types
 /**
  * Custom error class for permission denials
  * Includes technical and user-friendly error messages

package/dist/lib/auth/hazo_get_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAGhB,MAAM,cAAc,CAAC;AA6CtB;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAU1D;AA4SD;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAmNzB"}
+{"version":3,"file":"hazo_get_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK1C,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAGhB,MAAM,cAAc,CAAC;AA+DtB;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAU1D;AA6SD;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC,CAmNzB"}

package/dist/lib/auth/hazo_get_auth.server.js

@@ -39,6 +39,24 @@ function parse_app_user_data(json_string) {
         return null;
     }
 }
+/**
+ * Parse raw legal_acceptance field from DB to LegalAcceptanceMap
+ * @param raw - Raw value from database (string or object)
+ * @returns Parsed LegalAcceptanceMap or null
+ */
+function parse_legal_acceptance(raw) {
+    if (!raw)
+        return null;
+    try {
+        const parsed = typeof raw === 'string' ? JSON.parse(raw) : raw;
+        if (typeof parsed !== 'object' || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch (_a) {
+        return null;
+    }
+}
 /**
  * Gets client IP address from request
  * @param request - NextRequest object
@@ -132,6 +150,7 @@ async function fetch_user_data_from_db(user_id) {
         profile_picture_url: user_db.profile_picture_url || null,
         managed_by_user_id: user_db.managed_by_user_id || null,
         app_user_data: parse_app_user_data(user_db.app_user_data),
+        legal_acceptance: parse_legal_acceptance(user_db.legal_acceptance),
     };
     // v5.x: Fetch user's roles from hazo_user_scopes (scope-based role assignments)
     // Each scope assignment has a role_id (string UUID)

package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts

@@ -13,21 +13,20 @@ export declare function extract_scope_id_from_request(request: NextRequest, opti
  * Tenant-aware authentication function
  *
  * Extracts tenant/scope context from request headers or cookies,
- * validates access, and returns enriched result including the currently
- * selected scope.
+ * validates access, and returns enriched result with organization info.
  *
  * Header priority: X-Hazo-Scope-Id > Cookie
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns TenantAuthResult with user, permissions, selected_scope, and user_scopes
+ * @returns TenantAuthResult with user, permissions, organization, and user_scopes
  *
  * @example
  * ```typescript
  * const auth = await hazo_get_tenant_auth(request);
- * if (auth.authenticated && auth.selected_scope) {
+ * if (auth.authenticated && auth.organization) {
  *   // Access tenant-specific data
- *   const data = await getData(auth.selected_scope.id);
+ *   const data = await getData(auth.organization.id);
  * }
  * ```
  */
@@ -42,15 +41,15 @@ export declare function hazo_get_tenant_auth(request: NextRequest, options?: Ten
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns RequiredTenantAuthResult with guaranteed non-null selected_scope
+ * @returns RequiredTenantAuthResult with guaranteed non-null organization
  * @throws AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError
  *
  * @example
  * ```typescript
  * try {
  *   const auth = await require_tenant_auth(request);
- *   // auth.selected_scope is guaranteed non-null here
- *   const data = await getData(auth.selected_scope.id);
+ *   // auth.organization is guaranteed non-null here
+ *   const data = await getData(auth.organization.id);
  * } catch (error) {
  *   if (error instanceof HazoAuthError) {
  *     return NextResponse.json(

package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0F3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}
+{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0F3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}

package/dist/lib/auth/hazo_get_tenant_auth.server.js

@@ -39,12 +39,12 @@ export function extract_scope_id_from_request(request, options) {
     return cookie_value;
 }
 /**
- * Builds SelectedScope from scope details and access info.
+ * Builds TenantOrganization from scope details and access info
  * @param scope_details - Full scope details from cache
  * @param is_super_admin - Whether user is accessing as super admin
- * @returns SelectedScope object
+ * @returns TenantOrganization object
  */
-function build_selected_scope(scope_details, is_super_admin) {
+function build_tenant_organization(scope_details, is_super_admin) {
     return {
         id: scope_details.id,
         name: scope_details.name,
@@ -67,21 +67,20 @@ function build_selected_scope(scope_details, is_super_admin) {
  * Tenant-aware authentication function
  *
  * Extracts tenant/scope context from request headers or cookies,
- * validates access, and returns enriched result including the currently
- * selected scope.
+ * validates access, and returns enriched result with organization info.
  *
  * Header priority: X-Hazo-Scope-Id > Cookie
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns TenantAuthResult with user, permissions, selected_scope, and user_scopes
+ * @returns TenantAuthResult with user, permissions, organization, and user_scopes
  *
  * @example
  * ```typescript
  * const auth = await hazo_get_tenant_auth(request);
- * if (auth.authenticated && auth.selected_scope) {
+ * if (auth.authenticated && auth.organization) {
  *   // Access tenant-specific data
- *   const data = await getData(auth.selected_scope.id);
+ *   const data = await getData(auth.organization.id);
  * }
  * ```
  */
@@ -99,8 +98,8 @@ export async function hazo_get_tenant_auth(request, options = {}) {
             user: null,
             permissions: [],
             permission_ok: false,
-            selected_scope: null,
-            selected_scope_id: null,
+            organization: null,
+            organization_id: null,
             user_scopes: [],
             scope_ok: false,
         };
@@ -111,20 +110,20 @@ export async function hazo_get_tenant_auth(request, options = {}) {
     const cached = cache.get(auth_result.user.id);
     // User scopes from cache or empty array
     const user_scopes = (cached === null || cached === void 0 ? void 0 : cached.scopes) || [];
-    // Build selected_scope info if scope access was successful
-    let selected_scope = null;
+    // Build organization info if scope access was successful
+    let organization = null;
     if (scope_id && auth_result.scope_ok && auth_result.scope_access_via) {
         // Find the scope in user's scopes that matches the access_via scope
         const access_scope = user_scopes.find((s) => { var _a; return s.id === ((_a = auth_result.scope_access_via) === null || _a === void 0 ? void 0 : _a.scope_id); });
         if (access_scope) {
-            selected_scope = build_selected_scope(access_scope, auth_result.scope_access_via.is_super_admin || false);
+            organization = build_tenant_organization(access_scope, auth_result.scope_access_via.is_super_admin || false);
         }
         else if (auth_result.scope_access_via.is_super_admin) {
             // Super admin accessing scope they're not assigned to - fetch scope details
             const hazoConnect = get_hazo_connect_instance();
             const scope_result = await get_scope_by_id(hazoConnect, scope_id);
             if (scope_result.success && scope_result.scope) {
-                selected_scope = {
+                organization = {
                     id: scope_result.scope.id,
                     name: scope_result.scope.name,
                     slug: null, // Could fetch from scope if slug column exists
@@ -149,8 +148,8 @@ export async function hazo_get_tenant_auth(request, options = {}) {
         permissions: auth_result.permissions,
         permission_ok: auth_result.permission_ok,
         missing_permissions: auth_result.missing_permissions,
-        selected_scope,
-        selected_scope_id: (selected_scope === null || selected_scope === void 0 ? void 0 : selected_scope.id) || null,
+        organization,
+        organization_id: (organization === null || organization === void 0 ? void 0 : organization.id) || null,
         user_scopes,
         scope_ok: auth_result.scope_ok,
         scope_access_via: auth_result.scope_access_via,
@@ -166,15 +165,15 @@ export async function hazo_get_tenant_auth(request, options = {}) {
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns RequiredTenantAuthResult with guaranteed non-null selected_scope
+ * @returns RequiredTenantAuthResult with guaranteed non-null organization
  * @throws AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError
  *
  * @example
  * ```typescript
  * try {
  *   const auth = await require_tenant_auth(request);
- *   // auth.selected_scope is guaranteed non-null here
- *   const data = await getData(auth.selected_scope.id);
+ *   // auth.organization is guaranteed non-null here
+ *   const data = await getData(auth.organization.id);
  * } catch (error) {
  *   if (error instanceof HazoAuthError) {
  *     return NextResponse.json(
@@ -198,10 +197,10 @@ export async function require_tenant_auth(request, options = {}) {
     if (scope_id && !result.scope_ok) {
         throw new TenantAccessDeniedError(scope_id, result.user_scopes);
     }
-    // Check if scope context is required but missing
-    if (!result.selected_scope) {
-        throw new TenantRequiredError("No tenant scope context provided. Include X-Hazo-Scope-Id header or scope cookie.", result.user_scopes);
+    // Check if organization context is required but missing
+    if (!result.organization) {
+        throw new TenantRequiredError("No organization context provided. Include X-Hazo-Scope-Id header or scope cookie.", result.user_scopes);
     }
-    // Type assertion: at this point we know selected_scope is non-null
+    // Type assertion: at this point we know organization is non-null
     return result;
 }

package/dist/lib/auth/index.d.ts

@@ -4,12 +4,12 @@ export { get_authenticated_user, require_auth, is_authenticated, } from "./auth_
 export type { AuthResult, AuthUser } from "./auth_utils.server";
 export { ensure_anon_id } from "./ensure_anon_id.server.js";
 export { hazo_get_tenant_auth, require_tenant_auth, extract_scope_id_from_request, } from "./hazo_get_tenant_auth.server.js";
-export type { ScopeDetails, SelectedScope, TenantAuthOptions, TenantAuthResult, RequiredTenantAuthResult, } from "./auth_types";
+export type { ScopeDetails, TenantOrganization, TenantAuthOptions, TenantAuthResult, RequiredTenantAuthResult, } from "./auth_types";
 export { HazoAuthError, AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError, } from "./auth_types.js";
 export { get_server_auth_user } from "./server_auth.js";
 export type { ServerAuthResult } from "./server_auth";
 export { withAuth, withOptionalAuth, hasPermission, hasAllPermissions, hasAnyPermission, requirePermission, requireAllPermissions, } from "./with_auth.server.js";
-export type { AuthenticatedTenantAuth, AuthenticatedTenantAuthWithSelectedScope, WithAuthOptions, } from "./with_auth.server";
+export type { AuthenticatedTenantAuth, AuthenticatedTenantAuthWithOrg, WithAuthOptions, } from "./with_auth.server";
 export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
 export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAGhE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,YAAY,EACZ,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,aAAa,EACb,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EACL,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,uBAAuB,EACvB,wCAAwC,EACxC,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAGhE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,aAAa,EACb,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EACL,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,uBAAuB,EACvB,8BAA8B,EAC9B,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/lib/auth/nextauth_config.d.ts

@@ -20,16 +20,6 @@ export type NextAuthCallbackProfile = {
     picture?: string;
     email_verified?: boolean;
 };
-export type FacebookCallbackProfile = {
-    id?: string;
-    name?: string;
-    email?: string;
-    picture?: {
-        data?: {
-            url: string;
-        };
-    } | string;
-};
 /**
  * Gets NextAuth.js configuration with enabled OAuth providers
  * Providers are dynamically configured based on hazo_auth_config.ini settings

package/dist/lib/auth/nextauth_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nextauth_config.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/nextauth_config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAW,MAAM,WAAW,CAAC;AAatD,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,GAAG,MAAM,CAAC;CAC/C,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,WAAW,CA+PjD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAe7C"}
+{"version":3,"file":"nextauth_config.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/nextauth_config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAW,MAAM,WAAW,CAAC;AAatD,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,WAAW,CAkOjD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAW7C"}

package/dist/lib/auth/nextauth_config.js

@@ -4,7 +4,7 @@ const GoogleProvider = GoogleProviderImport.default || GoogleProviderImport;
 import FacebookProviderImport from "next-auth/providers/facebook";
 const FacebookProvider = FacebookProviderImport.default || FacebookProviderImport;
 import { get_oauth_config } from "../oauth_config.server.js";
-import { handle_google_oauth_login, handle_facebook_oauth_login } from "../services/oauth_service.js";
+import { handle_google_oauth_login } from "../services/oauth_service.js";
 import { get_hazo_connect_instance } from "../hazo_connect_instance.server.js";
 import { create_app_logger } from "../app_logger.js";
 // section: config
@@ -34,16 +34,11 @@ export function get_nextauth_config() {
             }));
         }
     }
-    // Add Facebook provider if enabled and credentials are present
-    if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
+    // Add Facebook provider if enabled
+    if (oauth_config.enable_facebook_oauth && oauth_config.facebook_app_id) {
         providers.push(FacebookProvider({
-            clientId: oauth_config.facebook_client_id,
-            clientSecret: oauth_config.facebook_client_secret,
-            authorization: {
-                params: {
-                    scope: "email,public_profile",
-                },
-            },
+            clientId: oauth_config.facebook_app_id,
+            clientSecret: oauth_config.facebook_app_secret,
         }));
     }
     return {
@@ -63,10 +58,8 @@ export function get_nextauth_config() {
                 console.log("[NextAuth redirect callback]", { url, baseUrl });
                 // Always redirect to our custom callback after sign-in to set hazo_auth cookies
                 // The callbackUrl from signIn() comes through as `url`
-                if (url.includes("/api/hazo_auth/oauth/google/callback")) {
-                    return url;
-                }
-                if (url.includes("/api/hazo_auth/oauth/facebook/callback")) {
+                if (url.includes("/api/hazo_auth/oauth/google/callback") ||
+                    url.includes("/api/hazo_auth/oauth/facebook/callback")) {
                     return url;
                 }
                 // If URL is relative or same origin, allow it
@@ -77,13 +70,16 @@ export function get_nextauth_config() {
                     return url;
                 }
                 // Default: redirect to our custom OAuth callback to set cookies
+                if (url.includes("facebook")) {
+                    return `${baseUrl}/api/hazo_auth/oauth/facebook/callback`;
+                }
                 return `${baseUrl}/api/hazo_auth/oauth/google/callback`;
             },
             /**
              * Sign-in callback - handle user creation/linking for Google OAuth
              */
             async signIn({ account, profile, user, }) {
-                var _a, _b, _c, _d, _e, _f;
+                var _a;
                 const logger = create_app_logger();
                 if ((account === null || account === void 0 ? void 0 : account.provider) === "google" && profile) {
                     try {
@@ -132,39 +128,22 @@ export function get_nextauth_config() {
                     try {
                         const fbProfile = profile;
                         const hazoConnect = get_hazo_connect_instance();
-                        const current_oauth_config = get_oauth_config();
-                        // Resolve profile picture URL from Facebook's nested structure
-                        let fb_picture_url;
-                        if (fbProfile.picture) {
-                            if (typeof fbProfile.picture === "string") {
-                                fb_picture_url = fbProfile.picture;
-                            }
-                            else if ((_c = (_b = fbProfile.picture) === null || _b === void 0 ? void 0 : _b.data) === null || _c === void 0 ? void 0 : _c.url) {
-                                fb_picture_url = fbProfile.picture.data.url;
-                            }
-                        }
-                        if (!fb_picture_url && user.image) {
-                            fb_picture_url = (_d = user.image) !== null && _d !== void 0 ? _d : undefined;
-                        }
+                        const { handle_facebook_oauth_login } = await import("../services/oauth_service");
                         logger.info("nextauth_facebook_signin_attempt", {
                             email: user.email,
-                            facebook_id: fbProfile.id,
-                            name: user.name,
+                            facebook_id: account.providerAccountId,
                         });
                         const result = await handle_facebook_oauth_login(hazoConnect, {
-                            facebook_id: fbProfile.id || account.providerAccountId,
-                            email: (_f = (_e = user.email) !== null && _e !== void 0 ? _e : fbProfile.email) !== null && _f !== void 0 ? _f : null,
+                            facebook_id: account.providerAccountId,
+                            email: user.email || fbProfile.email || "",
                             name: user.name || fbProfile.name || undefined,
-                            profile_picture_url: fb_picture_url,
-                        }, { auto_link_unverified: current_oauth_config.auto_link_unverified_accounts_facebook });
+                            profile_picture_url: user.image || undefined,
+                            // Facebook's email_verified is not exposed in the profile; default to false
+                            // for safety — the user will be auto-verified if email matches a verified hazo user.
+                            email_verified: false,
+                        });
                         if (!result.success) {
-                            logger.error("nextauth_facebook_signin_failed", {
-                                email: user.email,
-                                error: result.error,
-                            });
-                            if (result.error === "link_blocked_unverified") {
-                                return `/hazo_auth/login?error=link_blocked_unverified`;
-                            }
+                            logger.error("nextauth_facebook_signin_failed", { email: user.email, error: result.error });
                             return false;
                         }
                         logger.info("nextauth_facebook_signin_success", {
@@ -173,16 +152,11 @@ export function get_nextauth_config() {
                             is_new_user: result.is_new_user,
                             was_linked: result.was_linked,
                         });
-                        // Store user_id in account for the JWT callback to pick up
                         account.hazo_user_id = result.user_id;
                         return true;
                     }
-                    catch (error) {
-                        const errorMessage = error instanceof Error ? error.message : "Unknown error";
-                        logger.error("nextauth_facebook_signin_exception", {
-                            email: user.email,
-                            error: errorMessage,
-                        });
+                    catch (err) {
+                        logger.error("nextauth_facebook_signin_exception", { error: String(err) });
                         return false;
                     }
                 }
@@ -244,8 +218,5 @@ export function has_oauth_providers() {
         if (has_google_credentials)
             return true;
     }
-    if (oauth_config.enable_facebook && oauth_config.facebook_client_id && oauth_config.facebook_client_secret) {
-        return true;
-    }
     return false;
 }

package/dist/lib/auth/with_auth.server.d.ts

@@ -1,6 +1,6 @@
 import "server-only";
 import { NextRequest, NextResponse } from "next/server";
-import { type TenantAuthOptions, type TenantAuthResult, type SelectedScope, type HazoAuthUser, type ScopeDetails, type ScopeAccessInfo } from "./auth_types.js";
+import { type TenantAuthOptions, type TenantAuthResult, type TenantOrganization, type HazoAuthUser, type ScopeDetails, type ScopeAccessInfo } from "./auth_types.js";
 /**
  * Authenticated branch of TenantAuthResult - guaranteed authenticated: true
  */
@@ -10,18 +10,18 @@ export type AuthenticatedTenantAuth = {
     permissions: string[];
     permission_ok: boolean;
     missing_permissions?: string[];
-    selected_scope: SelectedScope | null;
-    selected_scope_id: string | null;
+    organization: TenantOrganization | null;
+    organization_id: string | null;
     user_scopes: ScopeDetails[];
     scope_ok?: boolean;
     scope_access_via?: ScopeAccessInfo;
 };
 /**
- * Authenticated branch with guaranteed non-null selected_scope
+ * Authenticated branch with guaranteed non-null organization
  */
-export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth & {
-    selected_scope: SelectedScope;
-    selected_scope_id: string;
+export type AuthenticatedTenantAuthWithOrg = AuthenticatedTenantAuth & {
+    organization: TenantOrganization;
+    organization_id: string;
 };
 /**
  * Options for withAuth/withOptionalAuth wrappers
@@ -29,8 +29,8 @@ export type AuthenticatedTenantAuthWithSelectedScope = AuthenticatedTenantAuth &
  */
 export type WithAuthOptions = TenantAuthOptions & {
     /**
-     * If true, requires tenant/scope context (403 if missing)
-     * Narrows auth type to AuthenticatedTenantAuthWithSelectedScope
+     * If true, requires organization context (403 if missing)
+     * Narrows auth type to AuthenticatedTenantAuthWithOrg
      */
     require_tenant?: boolean;
 };
@@ -47,7 +47,7 @@ type AuthenticatedHandler<TParams> = (request: NextRequest, auth: AuthenticatedT
 /**
  * Handler function signature for withAuth with require_tenant
  */
-type AuthenticatedTenantHandler<TParams> = (request: NextRequest, auth: AuthenticatedTenantAuthWithSelectedScope, params: TParams) => Promise<NextResponse> | NextResponse;
+type AuthenticatedTenantHandler<TParams> = (request: NextRequest, auth: AuthenticatedTenantAuthWithOrg, params: TParams) => Promise<NextResponse> | NextResponse;
 /**
  * Handler function signature for withOptionalAuth
  */
@@ -57,7 +57,7 @@ type OptionalAuthHandler<TParams> = (request: NextRequest, auth: TenantAuthResul
  *
  * - Calls `hazo_get_tenant_auth` and returns 401 if not authenticated
  * - Returns 403 if `required_permissions` are specified and not satisfied
- * - Returns 403 if `require_tenant: true` and no tenant/scope context
+ * - Returns 403 if `require_tenant: true` and no organization context
  * - Resolves `await context.params` (Next.js 15 pattern)
  * - Catches HazoAuthError, PermissionError, and unexpected errors
  *
@@ -80,8 +80,8 @@ type OptionalAuthHandler<TParams> = (request: NextRequest, auth: TenantAuthResul
  * // With tenant requirement
  * export const GET = withAuth<{ id: string }>(
  *   async (request, auth, { id }) => {
- *     // auth.selected_scope is guaranteed non-null
- *     const data = await getData(auth.selected_scope.id, id);
+ *     // auth.organization is guaranteed non-null
+ *     const data = await getData(auth.organization.id, id);
  *     return NextResponse.json(data);
  *   },
  *   { require_tenant: true }

package/dist/lib/auth/with_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/with_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAExD,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,eAAe,EACrB,MAAM,cAAc,CAAC;AAItB;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,EAAE,aAAa,GAAG,IAAI,CAAC;IACrC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,wCAAwC,GAAG,uBAAuB,GAAG;IAC/E,cAAc,EAAE,aAAa,CAAC;IAC9B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG;IAChD;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,KAAK,YAAY,CAAC,OAAO,IAAI;IAC3B,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,KAAK,oBAAoB,CAAC,OAAO,IAAI,CACnC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;GAEG;AACH,KAAK,0BAA0B,CAAC,OAAO,IAAI,CACzC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,wCAAwC,EAC9C,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;GAEG;AACH,KAAK,mBAAmB,CAAC,OAAO,IAAI,CAClC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,gBAAgB,EACtB,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AA+C1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACtD,OAAO,EAAE,0BAA0B,CAAC,OAAO,CAAC,EAC5C,OAAO,EAAE,eAAe,GAAG;IAAE,cAAc,EAAE,IAAI,CAAA;CAAE,GAClD,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAAC;AAE3B,wBAAgB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACtD,OAAO,EAAE,oBAAoB,CAAC,OAAO,CAAC,EACtC,OAAO,CAAC,EAAE,eAAe,GACxB,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAAC;AAsE3B;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAC9D,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC,EACrC,OAAO,GAAE,iBAAsB,GAC9B,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAazB;AAID;;GAEG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,uBAAuB,EAC7B,UAAU,EAAE,MAAM,GACjB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAET;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,uBAAuB,EAC7B,UAAU,EAAE,MAAM,GACjB,IAAI,CAQN;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,IAAI,CASN"}
+{"version":3,"file":"with_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/with_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAExD,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,eAAe,EACrB,MAAM,cAAc,CAAC;AAItB;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACxC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG,uBAAuB,GAAG;IACrE,YAAY,EAAE,kBAAkB,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG;IAChD;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,KAAK,YAAY,CAAC,OAAO,IAAI;IAC3B,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,KAAK,oBAAoB,CAAC,OAAO,IAAI,CACnC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;GAEG;AACH,KAAK,0BAA0B,CAAC,OAAO,IAAI,CACzC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,8BAA8B,EACpC,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;GAEG;AACH,KAAK,mBAAmB,CAAC,OAAO,IAAI,CAClC,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,gBAAgB,EACtB,MAAM,EAAE,OAAO,KACZ,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AA+C1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACtD,OAAO,EAAE,0BAA0B,CAAC,OAAO,CAAC,EAC5C,OAAO,EAAE,eAAe,GAAG;IAAE,cAAc,EAAE,IAAI,CAAA;CAAE,GAClD,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAAC;AAE3B,wBAAgB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACtD,OAAO,EAAE,oBAAoB,CAAC,OAAO,CAAC,EACtC,OAAO,CAAC,EAAE,eAAe,GACxB,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAAC;AAsE3B;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAC9D,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC,EACrC,OAAO,GAAE,iBAAsB,GAC9B,CACD,OAAO,EAAE,WAAW,EACpB,OAAO,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,KAC5B,OAAO,CAAC,YAAY,CAAC,CAazB;AAID;;GAEG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,uBAAuB,EAC7B,UAAU,EAAE,MAAM,GACjB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAET;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,uBAAuB,EAC7B,UAAU,EAAE,MAAM,GACjB,IAAI,CAQN;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,uBAAuB,EAC7B,WAAW,EAAE,MAAM,EAAE,GACpB,IAAI,CASN"}

package/dist/lib/auth/with_auth.server.js

@@ -50,9 +50,9 @@ export function withAuth(handler, options = {}) {
                 })), { status: 403 });
             }
             // Check tenant requirement
-            if (options.require_tenant && !auth.selected_scope) {
+            if (options.require_tenant && !auth.organization) {
                 return NextResponse.json({
-                    error: "Tenant scope context required",
+                    error: "Organization context required",
                     code: "TENANT_REQUIRED",
                 }, { status: 403 });
             }

package/dist/lib/config/default_config.d.ts

@@ -136,6 +136,14 @@ export declare const DEFAULT_OAUTH: {
     readonly skip_invitation_check: false;
     /** Redirect when skip_invitation_check=true and user has no scope */
     readonly no_scope_redirect: "/";
+    /** Enable Facebook OAuth login (requires HAZO_AUTH_FACEBOOK_APP_ID and HAZO_AUTH_FACEBOOK_APP_SECRET env vars) */
+    readonly enable_facebook_oauth: false;
+    /** Facebook App ID — set via env var HAZO_AUTH_FACEBOOK_APP_ID or config */
+    readonly facebook_app_id: "";
+    /** Facebook App Secret — set via env var HAZO_AUTH_FACEBOOK_APP_SECRET or config */
+    readonly facebook_app_secret: "";
+    /** Text displayed on the Facebook sign-in button */
+    readonly facebook_button_text: "Continue with Facebook";
 };
 export declare const DEFAULT_NAVBAR: {
     /** Enable navbar on auth pages */
@@ -362,6 +370,14 @@ export declare const HAZO_AUTH_DEFAULTS: {
         readonly skip_invitation_check: false;
         /** Redirect when skip_invitation_check=true and user has no scope */
         readonly no_scope_redirect: "/";
+        /** Enable Facebook OAuth login (requires HAZO_AUTH_FACEBOOK_APP_ID and HAZO_AUTH_FACEBOOK_APP_SECRET env vars) */
+        readonly enable_facebook_oauth: false;
+        /** Facebook App ID — set via env var HAZO_AUTH_FACEBOOK_APP_ID or config */
+        readonly facebook_app_id: "";
+        /** Facebook App Secret — set via env var HAZO_AUTH_FACEBOOK_APP_SECRET or config */
+        readonly facebook_app_secret: "";
+        /** Text displayed on the Facebook sign-in button */
+        readonly facebook_button_text: "Continue with Facebook";
     };
     readonly devLock: {
         /** Enable the development lock screen (also requires HAZO_AUTH_DEV_LOCK_ENABLED env var) */

package/dist/lib/config/default_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;IAK1D,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;IAE1E,4DAA4D;;IAE5D,2DAA2D;;IAE3D,gFAAgF;;IAEhF,+DAA+D;;IAE/D,sEAAsE;;IAEtE,qEAAqE;;CAE7D,CAAC;AAGX,eAAO,MAAM,cAAc;IACzB,kCAAkC;;IAElC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,sDAAsD;;IAEtD,qBAAqB;;IAErB,sBAAsB;;IAEtB,qBAAqB;;IAErB,4DAA4D;;IAE5D,0CAA0C;;IAE1C,kEAAkE;;CAE1D,CAAC;AAGX,eAAO,MAAM,kBAAkB;IAC7B,iDAAiD;;IAEjD,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAExD,yDAAyD;;IAEzD,mDAAmD;;IAEnD,0DAA0D;;CAElD,CAAC;AAGX,eAAO,MAAM,qBAAqB;IAChC,qFAAqF;;IAErF,mEAAmE;;IAEnE,qEAAqE;;IAErE,gEAAgE;;IAEhE,+DAA+D;;IAE/D,+DAA+D;;CAEvD,CAAC;AAGX,eAAO,MAAM,gBAAgB;IAC3B,4FAA4F;;IAE5F,+BAA+B;;IAE/B,wCAAwC;;IAExC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,4CAA4C;;IAE5C,mDAAmD;;IAEnD,sCAAsC;;IAEtC,yBAAyB;;IAEzB,2CAA2C;;IAE3C,6CAA6C;;IAE7C,8CAA8C;;CAEtC,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAnND,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;QAK1D,2DAA2D;;;;;;;;;;;;;;;;QAsB3D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;QAE1E,4DAA4D;;QAE5D,2DAA2D;;QAE3D,gFAAgF;;QAEhF,+DAA+D;;QAE/D,sEAAsE;;QAEtE,qEAAqE;;;;QAoErE,4FAA4F;;QAE5F,+BAA+B;;QAE/B,wCAAwC;;QAExC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,4CAA4C;;QAE5C,mDAAmD;;QAEnD,sCAAsC;;QAEtC,yBAAyB;;QAEzB,2CAA2C;;QAE3C,6CAA6C;;QAE7C,8CAA8C;;;;QAtF9C,kCAAkC;;QAElC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,sDAAsD;;QAEtD,qBAAqB;;QAErB,sBAAsB;;QAEtB,qBAAqB;;QAErB,4DAA4D;;QAE5D,0CAA0C;;QAE1C,kEAAkE;;;;QAMlE,iDAAiD;;QAEjD,2DAA2D;;;;QAM3D,wDAAwD;;QAExD,yDAAyD;;QAEzD,mDAAmD;;QAEnD,0DAA0D;;;;QAM1D,qFAAqF;;QAErF,mEAAmE;;QAEnE,qEAAqE;;QAErE,gEAAgE;;QAEhE,+DAA+D;;QAE/D,+DAA+D;;;CAgEvD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}
+{"version":3,"file":"default_config.d.ts","sourceRoot":"","sources":["../../../src/lib/config/default_config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,6BAA6B;;;;;;CAMhC,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;CAItB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;;;;CAO1B,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAGX,eAAO,MAAM,kBAAkB;;;CAGrB,CAAC;AAGX,eAAO,MAAM,gBAAgB;;;;;CAKnB,CAAC;AAGX,eAAO,MAAM,yBAAyB;;;;;;CAM5B,CAAC;AAGX,eAAO,MAAM,aAAa;4BACI,MAAM,GAAG,SAAS;;;;;;CAMtC,CAAC;AAGX,eAAO,MAAM,gBAAgB;4BACC,MAAM,GAAG,SAAS;;;;;CAKtC,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,sBAAsB;;;;CAIzB,CAAC;AAGX,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAGX,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAGX,eAAO,MAAM,uBAAuB;;;;CAI1B,CAAC;AAGX,eAAO,MAAM,oBAAoB;;;;CAIvB,CAAC;AAGX,eAAO,MAAM,gBAAgB;0BACE,YAAY,GAAG,cAAc;;;;;IAK1D,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;CAQ3B,CAAC;AAGX,eAAO,MAAM,iBAAiB;;CAEpB,CAAC;AAGX,eAAO,MAAM,aAAa;IACxB,kHAAkH;;IAElH,8CAA8C;;IAE9C,iGAAiG;;IAEjG,kDAAkD;;IAElD,0EAA0E;;IAE1E,4DAA4D;;IAE5D,2DAA2D;;IAE3D,gFAAgF;;IAEhF,+DAA+D;;IAE/D,sEAAsE;;IAEtE,qEAAqE;;IAErE,kHAAkH;;IAElH,4EAA4E;;IAE5E,oFAAoF;;IAEpF,oDAAoD;;CAE5C,CAAC;AAGX,eAAO,MAAM,cAAc;IACzB,kCAAkC;;IAElC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,sDAAsD;;IAEtD,qBAAqB;;IAErB,sBAAsB;;IAEtB,qBAAqB;;IAErB,4DAA4D;;IAE5D,0CAA0C;;IAE1C,kEAAkE;;CAE1D,CAAC;AAGX,eAAO,MAAM,kBAAkB;IAC7B,iDAAiD;;IAEjD,2DAA2D;;CAEnD,CAAC;AAGX,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAExD,yDAAyD;;IAEzD,mDAAmD;;IAEnD,0DAA0D;;CAElD,CAAC;AAGX,eAAO,MAAM,qBAAqB;IAChC,qFAAqF;;IAErF,mEAAmE;;IAEnE,qEAAqE;;IAErE,gEAAgE;;IAEhE,+DAA+D;;IAE/D,+DAA+D;;CAEvD,CAAC;AAGX,eAAO,MAAM,gBAAgB;IAC3B,4FAA4F;;IAE5F,+BAA+B;;IAE/B,wCAAwC;;IAExC,iEAAiE;;IAEjE,2BAA2B;;IAE3B,4BAA4B;;IAE5B,4CAA4C;;IAE5C,mDAAmD;;IAEnD,sCAAsC;;IAEtC,yBAAyB;;IAEzB,2CAA2C;;IAE3C,6CAA6C;;IAE7C,8CAA8C;;CAEtC,CAAC;AAGX;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA3ND,MAAM,GAAG,SAAS;;;;;;;;gCAUlB,MAAM,GAAG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqDjB,YAAY,GAAG,cAAc;;;;;QAK1D,2DAA2D;;;;;;;;;;;;;;;;QAsB3D,kHAAkH;;QAElH,8CAA8C;;QAE9C,iGAAiG;;QAEjG,kDAAkD;;QAElD,0EAA0E;;QAE1E,4DAA4D;;QAE5D,2DAA2D;;QAE3D,gFAAgF;;QAEhF,+DAA+D;;QAE/D,sEAAsE;;QAEtE,qEAAqE;;QAErE,kHAAkH;;QAElH,4EAA4E;;QAE5E,oFAAoF;;QAEpF,oDAAoD;;;;QAoEpD,4FAA4F;;QAE5F,+BAA+B;;QAE/B,wCAAwC;;QAExC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,4CAA4C;;QAE5C,mDAAmD;;QAEnD,sCAAsC;;QAEtC,yBAAyB;;QAEzB,2CAA2C;;QAE3C,6CAA6C;;QAE7C,8CAA8C;;;;QAtF9C,kCAAkC;;QAElC,iEAAiE;;QAEjE,2BAA2B;;QAE3B,4BAA4B;;QAE5B,sDAAsD;;QAEtD,qBAAqB;;QAErB,sBAAsB;;QAEtB,qBAAqB;;QAErB,4DAA4D;;QAE5D,0CAA0C;;QAE1C,kEAAkE;;;;QAMlE,iDAAiD;;QAEjD,2DAA2D;;;;QAM3D,wDAAwD;;QAExD,yDAAyD;;QAEzD,mDAAmD;;QAEnD,0DAA0D;;;;QAM1D,qFAAqF;;QAErF,mEAAmE;;QAEnE,qEAAqE;;QAErE,gEAAgE;;QAEhE,+DAA+D;;QAE/D,+DAA+D;;;CAgEvD,CAAC;AAGX;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,OAAO,kBAAkB,CAAC"}

package/dist/lib/config/default_config.js

@@ -158,6 +158,14 @@ export const DEFAULT_OAUTH = {
     skip_invitation_check: false,
     /** Redirect when skip_invitation_check=true and user has no scope */
     no_scope_redirect: "/",
+    /** Enable Facebook OAuth login (requires HAZO_AUTH_FACEBOOK_APP_ID and HAZO_AUTH_FACEBOOK_APP_SECRET env vars) */
+    enable_facebook_oauth: false,
+    /** Facebook App ID — set via env var HAZO_AUTH_FACEBOOK_APP_ID or config */
+    facebook_app_id: "",
+    /** Facebook App Secret — set via env var HAZO_AUTH_FACEBOOK_APP_SECRET or config */
+    facebook_app_secret: "",
+    /** Text displayed on the Facebook sign-in button */
+    facebook_button_text: "Continue with Facebook",
 };
 // section: navbar
 export const DEFAULT_NAVBAR = {

package/dist/lib/cookies_config.server.d.ts

@@ -9,10 +9,10 @@ export declare const BASE_COOKIE_NAMES: {
     readonly USER_ID: "hazo_auth_user_id";
     readonly USER_EMAIL: "hazo_auth_user_email";
     readonly SESSION: "hazo_auth_session";
-    readonly SESSION_KIND: "hazo_auth_session_kind";
     readonly DEV_LOCK: "hazo_auth_dev_lock";
     readonly SCOPE_ID: "hazo_auth_scope_id";
     readonly ANON_ID: "hazo_auth_anon_id";
+    readonly SESSION_KIND: "hazo_auth_session_kind";
 };
 /**
  * Reads cookie configuration from hazo_auth_config.ini file

package/dist/lib/cookies_config.server.js

@@ -14,10 +14,10 @@ export const BASE_COOKIE_NAMES = {
     USER_ID: "hazo_auth_user_id",
     USER_EMAIL: "hazo_auth_user_email",
     SESSION: "hazo_auth_session",
-    SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
     DEV_LOCK: "hazo_auth_dev_lock",
     SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
     ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)
+    SESSION_KIND: "hazo_auth_session_kind", // v5.4: Sign-in method identifier (e.g. "otp", "google", "password")
 };
 // section: main_function
 /**

package/dist/lib/email_verification_config.server.d.ts

@@ -5,6 +5,9 @@ export type EmailVerificationConfig = {
     showReturnHomeButton: boolean;
     returnHomeButtonLabel: string;
     returnHomePath: string;
+    imageSrc: string;
+    imageAlt: string;
+    imageBackgroundColor: string;
 };
 /**
  * Reads email verification layout configuration from hazo_auth_config.ini file

package/dist/lib/email_verification_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email_verification_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/email_verification_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,6BAA6B,IAAI,uBAAuB,CAWvE"}
+{"version":3,"file":"email_verification_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/email_verification_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAYrB,MAAM,MAAM,uBAAuB,GAAG;IACpC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;CAC9B,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,6BAA6B,IAAI,uBAAuB,CAoCvE"}