hazo_auth 7.0.2 → 8.0.1

package/dist/server/routes/legal_docs_publish.js

@@ -0,0 +1,35 @@
+// file_description: POST /api/hazo_auth/legal_docs/publish — admin endpoint to publish a new required version of a legal doc
+import { NextResponse } from 'next/server';
+import { hazo_get_auth } from '../../lib/auth/hazo_get_auth.server.js';
+import { get_legal_docs_config } from '../../lib/legal/legal_docs_config.server.js';
+import { read_legal_doc } from '../../lib/legal/legal_docs_reader.server.js';
+import { publish_doc_version } from '../../lib/legal/legal_docs_service.js';
+import { get_hazo_connect_instance } from '../../lib/hazo_connect_instance.server.js';
+import { create_app_logger } from '../../lib/app_logger.js';
+export async function legalDocsPublishPOST(request) {
+    const logger = create_app_logger();
+    try {
+        const auth = await hazo_get_auth(request, { required_permissions: ['admin_user_management'] });
+        if (!auth.permission_ok) {
+            return NextResponse.json({ ok: false, error: 'Forbidden' }, { status: 403 });
+        }
+        const body = await request.json().catch(() => null);
+        const doc_key = body === null || body === void 0 ? void 0 : body.doc_key;
+        if (!doc_key || typeof doc_key !== 'string') {
+            return NextResponse.json({ ok: false, error: 'doc_key is required' }, { status: 400 });
+        }
+        const config = get_legal_docs_config();
+        const doc_config = config.docs.find(d => d.key === doc_key);
+        if (!doc_config) {
+            return NextResponse.json({ ok: false, error: `Unknown doc key: ${doc_key}` }, { status: 400 });
+        }
+        const { hash } = read_legal_doc(doc_config.path);
+        const adapter = get_hazo_connect_instance();
+        const { published_at } = await publish_doc_version(adapter, doc_key, hash, auth.user.id);
+        return NextResponse.json({ ok: true, data: { doc_key, required_hash: hash, published_at } });
+    }
+    catch (err) {
+        logger.error('legal_docs_publish: internal server error', { err });
+        return NextResponse.json({ ok: false, error: 'Internal server error' }, { status: 500 });
+    }
+}

package/dist/server/routes/register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../src/server/routes/register.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;IAiG9C"}
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../src/server/routes/register.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAWxD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;;;IAgI9C"}

package/dist/server/routes/register.js

@@ -6,12 +6,17 @@ import { create_app_logger } from "../../lib/app_logger.js";
 import { register_user } from "../../lib/services/registration_service.js";
 import { get_filename, get_line_number } from "../../lib/utils/api_route_helpers.js";
 import { sanitize_error_for_user } from "../../lib/utils/error_sanitizer.js";
+import { get_legal_docs_config } from "../../lib/legal/legal_docs_config.server.js";
+import { read_legal_doc } from "../../lib/legal/legal_docs_reader.server.js";
+import { get_client_ip } from "../../lib/auth/hazo_get_auth.server.js";
 // section: api_handler
 export async function POST(request) {
+    var _a;
     const logger = create_app_logger();
     try {
         const body = await request.json();
         const { name, email, password, url_on_logon } = body;
+        const legal_accepted = body === null || body === void 0 ? void 0 : body.legal_accepted;
         // Validate input
         if (!email || !password) {
             logger.warn("registration_validation_failed", {
@@ -32,6 +37,24 @@ export async function POST(request) {
             });
             return NextResponse.json({ error: "Invalid email address format" }, { status: 400 });
         }
+        // Validate legal acceptance if docs are configured
+        const legal_config = get_legal_docs_config();
+        if (legal_config.docs.length > 0) {
+            const missing_keys = legal_config.docs
+                .map(d => d.key)
+                .filter(key => !(legal_accepted === null || legal_accepted === void 0 ? void 0 : legal_accepted[key]));
+            if (missing_keys.length > 0) {
+                return NextResponse.json({ ok: false, error: 'legal_acceptance_required', missing_keys }, { status: 400 });
+            }
+            // Validate hashes match current file content
+            for (const doc_config of legal_config.docs) {
+                const submitted_hash = (_a = legal_accepted[doc_config.key]) === null || _a === void 0 ? void 0 : _a.hash;
+                const { hash: current_hash } = read_legal_doc(doc_config.path);
+                if (submitted_hash !== current_hash) {
+                    return NextResponse.json({ ok: false, error: `Hash mismatch for "${doc_config.key}"` }, { status: 400 });
+                }
+            }
+        }
         // Get singleton hazo_connect instance (reuses same connection across all routes)
         const hazoConnect = get_hazo_connect_instance();
         // Register user using the registration service
@@ -40,6 +63,9 @@ export async function POST(request) {
             password,
             name,
             url_on_logon,
+            legal_accepted,
+            ip: get_client_ip(request),
+            user_agent: request.headers.get('user-agent'),
         });
         if (!result.success) {
             const status_code = result.error === "Email address already registered" ? 409 : 500;

package/dist/server/routes/user_management_users.d.ts

@@ -26,6 +26,7 @@ export declare function GET(request: NextRequest): Promise<NextResponse<{
         profile_source: {} | null;
         user_type: string | null;
         app_user_data: Record<string, unknown> | null;
+        legal_acceptance_status: "current" | "outdated" | "none";
     }[];
 }>>;
 /**
@@ -47,8 +48,7 @@ export declare function POST(request: NextRequest): Promise<NextResponse<{
 /**
  * DELETE - Hard-delete a user from hazo_users (cascades to all related rows).
  * Body: { user_id: string }
- * Requires: admin_user_management permission (enforced by UI, not here — same
- * pattern as PATCH/POST in this file which also don't re-auth).
+ * Requires: admin_user_management permission.
  */
 export declare function DELETE(request: NextRequest): Promise<NextResponse<{
     error: string;

package/dist/server/routes/user_management_users.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user_management_users.d.ts","sourceRoot":"","sources":["../../../src/server/routes/user_management_users.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAexD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AAGvC;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;;;;;;;;;;;;;;;;;;;IAyF7C;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;IAgI/C;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;IA2E9C;AAED;;;;;GAKG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW;;;;IAuDhD"}
+{"version":3,"file":"user_management_users.d.ts","sourceRoot":"","sources":["../../../src/server/routes/user_management_users.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkBxD,eAAO,MAAM,OAAO,kBAAkB,CAAC;AA+BvC;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW;;;;;;;;;;;;;;;;;;;;;;;;IAsG7C;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,WAAW;;;;IAgI/C;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW;;;;IA2E9C;AAED;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,WAAW;;;;IAmEhD"}

package/dist/server/routes/user_management_users.js

@@ -9,8 +9,35 @@ import { request_password_reset } from "../../lib/services/password_reset_servic
 import { get_auth_cache } from "../../lib/auth/auth_cache.js";
 import { get_auth_utility_config } from "../../lib/auth_utility_config.server.js";
 import { is_user_types_enabled, get_all_user_types, get_user_types_config, } from "../../lib/user_types_config.server.js";
+import { get_required_versions } from "../../lib/legal/legal_docs_service.js";
+import { get_legal_docs_config } from "../../lib/legal/legal_docs_config.server.js";
+import { hazo_get_auth } from "../../lib/auth/hazo_get_auth.server.js";
 // section: route_config
 export const dynamic = 'force-dynamic';
+// section: helpers
+/**
+ * Compute a user's legal compliance status given their raw legal_acceptance JSON,
+ * the currently-required hashes, and the configured doc keys.
+ */
+function compute_legal_status(raw, required, docs) {
+    if (docs.length === 0)
+        return 'none';
+    if (Object.keys(required).length === 0)
+        return 'none';
+    let map = {};
+    try {
+        map = typeof raw === 'string' ? JSON.parse(raw) : (raw !== null && raw !== void 0 ? raw : {});
+    }
+    catch ( /* ignore */_a) { /* ignore */ }
+    const all_current = docs.every(doc => {
+        var _a;
+        const req = required[doc.key];
+        if (!req)
+            return true;
+        return ((_a = map[doc.key]) === null || _a === void 0 ? void 0 : _a.hash) === req.required_hash;
+    });
+    return all_current ? 'current' : 'outdated';
+}
 // section: api_handler
 /**
  * GET - Fetch all users with details or a specific user by id
@@ -42,6 +69,13 @@ export async function GET(request) {
                 badge_color: t.badge_color,
             }))
             : [];
+        // Load legal docs required versions for compliance status
+        const legal_config = get_legal_docs_config();
+        let required_versions = {};
+        if (legal_config.docs.length > 0) {
+            const adapter = get_hazo_connect_instance();
+            required_versions = await get_required_versions(adapter, legal_config.docs.map(d => d.key));
+        }
         return NextResponse.json({
             success: true,
             user_types_enabled,
@@ -74,6 +108,7 @@ export async function GET(request) {
                     profile_source: user.profile_source || null,
                     user_type: user.user_type || null,
                     app_user_data,
+                    legal_acceptance_status: compute_legal_status(user.legal_acceptance, required_versions, legal_config.docs),
                 };
             }),
         }, { status: 200 });
@@ -244,14 +279,23 @@ export async function POST(request) {
 /**
  * DELETE - Hard-delete a user from hazo_users (cascades to all related rows).
  * Body: { user_id: string }
- * Requires: admin_user_management permission (enforced by UI, not here — same
- * pattern as PATCH/POST in this file which also don't re-auth).
+ * Requires: admin_user_management permission.
  */
 export async function DELETE(request) {
     const logger = create_app_logger();
     try {
+        const auth = await hazo_get_auth(request, { required_permissions: ['admin_user_management'] });
+        if (!auth.user) {
+            return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+        }
+        if (!auth.permission_ok) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+        }
         const body = await request.json();
         const { user_id } = body;
+        if (auth.user.id === user_id) {
+            return NextResponse.json({ error: 'Cannot delete your own account' }, { status: 400 });
+        }
         if (!user_id) {
             return NextResponse.json({ error: "user_id is required" }, { status: 400 });
         }

package/dist/strings.d.ts

@@ -0,0 +1,2 @@
+export * from "./strings/index.js";
+//# sourceMappingURL=strings.d.ts.map

package/dist/strings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strings.d.ts","sourceRoot":"","sources":["../src/strings.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC"}

package/dist/strings.js

@@ -0,0 +1,3 @@
+// Barrel — gives ESM consumers a flat `../strings.js` import path
+// that resolves correctly at runtime (the directory `strings/` does not).
+export * from "./strings/index.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "7.0.2",
+  "version": "8.0.1",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",
@@ -157,26 +157,6 @@
       "types": "./dist/page_components/index.d.ts",
       "import": "./dist/page_components/index.js"
     },
-    "./page_components/login": {
-      "types": "./dist/page_components/login.d.ts",
-      "import": "./dist/page_components/login.js"
-    },
-    "./page_components/register": {
-      "types": "./dist/page_components/register.d.ts",
-      "import": "./dist/page_components/register.js"
-    },
-    "./page_components/forgot_password": {
-      "types": "./dist/page_components/forgot_password.d.ts",
-      "import": "./dist/page_components/forgot_password.js"
-    },
-    "./page_components/reset_password": {
-      "types": "./dist/page_components/reset_password.d.ts",
-      "import": "./dist/page_components/reset_password.js"
-    },
-    "./page_components/verify_email": {
-      "types": "./dist/page_components/verify_email.d.ts",
-      "import": "./dist/page_components/verify_email.js"
-    },
     "./page_components/dev_lock": {
       "types": "./dist/page_components/dev_lock.d.ts",
       "import": "./dist/page_components/dev_lock.js"
@@ -198,6 +178,8 @@
     "!dist/components/layouts/rbac_test/**/*",
     "!dist/components/layouts/auto_test/**/*",
     "!dist/components/layouts/test_scenarios/**/*",
+    "!dist/components/layouts/legal_docs_test/**/*",
+    "!dist/components/layouts/legal_register_test/**/*",
     "!dist/lib/auto_test/**/*",
     "bin/**/*",
     "cli-src/**/*",
@@ -238,6 +220,7 @@
     "jose": "^5.9.6",
     "jsonwebtoken": "^9.0.2",
     "mime-types": "^3.0.1",
+    "react-markdown": "^10.1.0",
     "server-only": "^0.0.1",
     "tailwind-merge": "^3.5.0",
     "tw-animate-css": "^1.4.0",
@@ -371,6 +354,7 @@
     "@storybook/addon-onboarding": "^10.0.6",
     "@storybook/addon-vitest": "^10.0.6",
     "@storybook/nextjs": "^10.0.6",
+    "@tailwindcss/postcss": "^4.2.4",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/react": "^16.0.1",
@@ -392,7 +376,6 @@
     "eslint": "^9.39.1",
     "eslint-config-next": "^16.0.4",
     "eslint-plugin-storybook": "^10.0.6",
-    "@tailwindcss/postcss": "^4.2.4",
     "hazo_config": "^2.1.0",
     "hazo_connect": "^2.4.0",
     "hazo_logs": "^1.0.13",