@edge-base/server 0.1.4 → 0.2.0

package/src/durable-objects/rooms-do.ts

@@ -115,6 +115,7 @@ const DEFAULT_MEMBER_RECONNECT_TIMEOUT_MS = 30000;
 const SIGNAL_DENIED = Symbol('rooms.signal.denied');
 const MEDIA_DENIED = Symbol('rooms.media.denied');
 const WEBSOCKET_OPEN = 1;
+const CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY = 'cloudflareRealtimeKitMeetingId';
 
 function computeStateDelta(
   previous: Record<string, unknown>,
@@ -146,10 +147,16 @@ export class RoomsDO extends RoomRuntimeBaseDO {
   private readonly memberRoles = new Map<string, string>();
   private readonly memberMediaStates = new Map<string, RoomMemberMediaState>();
   private readonly memberRealtimeSessions = new Map<string, RoomMemberRealtimeSession>();
+  private cloudflareRealtimeKitMeetingId: string | null = null;
+  private cloudflareRealtimeKitMeetingIdPromise: Promise<string> | null = null;
 
   override async fetch(request: Request): Promise<Response> {
     const url = new URL(request.url);
 
+    if (url.pathname === '/media/cloudflare_realtimekit/session' && request.method === 'POST') {
+      return this.handleCloudflareRealtimeKitSessionCreate(request, url);
+    }
+
     if (url.pathname === '/media/realtime/session') {
       if (request.method === 'POST') return this.handleRealtimeSessionCreate(request, url);
       if (request.method === 'GET') return this.handleRealtimeSessionGet(request, url);
@@ -175,6 +182,53 @@ export class RoomsDO extends RoomRuntimeBaseDO {
     return super.fetch(request);
   }
 
+  private async handleCloudflareRealtimeKitSessionCreate(request: Request, url: URL): Promise<Response> {
+    try {
+      const body = await this.readJsonBody<{
+        connectionId?: string;
+        customParticipantId?: string;
+        name?: string;
+        picture?: string;
+      }>(request);
+      const { memberId, connectionId, meta } = await this.authenticateRealtimeRequest(
+        request,
+        url,
+        typeof body.connectionId === 'string' ? body.connectionId : undefined,
+      );
+      if (this.hasPublishedTracks(memberId)) {
+        return this.jsonResponse(409, {
+          code: 409,
+          message: 'Unpublish existing room media before creating a new Cloudflare RealtimeKit session',
+        });
+      }
+
+      const config = this.getCloudflareRealtimeKitConfig();
+      const meetingId = await this.ensureCloudflareRealtimeKitMeetingId(config);
+      const participant = await this.createCloudflareRealtimeKitParticipant(config, meetingId, {
+        customParticipantId: this.buildCloudflareRealtimeKitParticipantId(memberId, body.customParticipantId),
+        name: typeof body.name === 'string' && body.name.trim()
+          ? body.name.trim()
+          : meta.auth?.email ?? meta.userId ?? memberId,
+        picture: typeof body.picture === 'string' && body.picture.trim() ? body.picture.trim() : undefined,
+      });
+
+      return this.jsonResponse(200, {
+        sessionId: participant.id,
+        meetingId,
+        participantId: participant.id,
+        authToken: participant.token,
+        presetName: participant.presetName ?? config.presetName,
+        connectionId,
+        reused: false,
+      });
+    } catch (err) {
+      return this.jsonResponse(400, {
+        code: 400,
+        message: err instanceof Error ? err.message : 'Failed to create Cloudflare RealtimeKit session',
+      });
+    }
+  }
+
   private async handleRealtimeSessionCreate(request: Request, url: URL): Promise<Response> {
     try {
       const body = await this.readJsonBody<{
@@ -422,6 +476,154 @@ export class RoomsDO extends RoomRuntimeBaseDO {
     return createCloudflareRealtimeClient(this.env as unknown as Env);
   }
 
+  private getCloudflareRealtimeKitConfig(): {
+    accountId: string;
+    apiToken: string;
+    appId: string;
+    presetName: string;
+  } {
+    const env = this.env as unknown as Env;
+    const accountId = env.CF_ACCOUNT_ID?.trim();
+    const apiToken = env.CF_API_TOKEN?.trim();
+    const appId = env.CF_REALTIME_APP_ID?.trim();
+    const presetName = env.CF_REALTIME_PRESET_NAME?.trim() || 'group_call_participant';
+
+    if (!accountId || !apiToken || !appId) {
+      throw new Error(
+        'Cloudflare Realtime is not configured. Set CF_ACCOUNT_ID, CF_API_TOKEN, and CF_REALTIME_APP_ID.',
+      );
+    }
+
+    return { accountId, apiToken, appId, presetName };
+  }
+
+  private buildCloudflareRealtimeKitParticipantId(memberId: string, provided?: string): string {
+    const trimmed = typeof provided === 'string' ? provided.trim() : '';
+    if (trimmed) {
+      return trimmed;
+    }
+
+    return [
+      this.namespace ?? 'room',
+      this.roomId ?? 'unknown',
+      memberId,
+      Date.now().toString(36),
+    ].join(':');
+  }
+
+  private async ensureCloudflareRealtimeKitMeetingId(config: {
+    accountId: string;
+    apiToken: string;
+    appId: string;
+  }): Promise<string> {
+    if (this.cloudflareRealtimeKitMeetingId) {
+      return this.cloudflareRealtimeKitMeetingId;
+    }
+
+    if (this.cloudflareRealtimeKitMeetingIdPromise) {
+      return this.cloudflareRealtimeKitMeetingIdPromise;
+    }
+
+    this.cloudflareRealtimeKitMeetingIdPromise = (async () => {
+      const storedMeetingId = await this.ctx.storage.get<string>(CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY);
+      if (storedMeetingId) {
+        this.cloudflareRealtimeKitMeetingId = storedMeetingId;
+        return storedMeetingId;
+      }
+
+      const response = await fetch(
+        `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(config.accountId)}`
+          + `/realtime/kit/${encodeURIComponent(config.appId)}/meetings`,
+        {
+          method: 'POST',
+          headers: {
+            Authorization: `Bearer ${config.apiToken}`,
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            title: `${this.namespace ?? 'room'}::${this.roomId ?? 'unknown'}`,
+          }),
+        },
+      );
+      const data = await this.parseCloudflareApiEnvelope<{ id: string }>(response);
+      this.cloudflareRealtimeKitMeetingId = data.id;
+      await this.ctx.storage.put(CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY, data.id);
+      return data.id;
+    })();
+
+    try {
+      return await this.cloudflareRealtimeKitMeetingIdPromise;
+    } finally {
+      this.cloudflareRealtimeKitMeetingIdPromise = null;
+    }
+  }
+
+  private async createCloudflareRealtimeKitParticipant(
+    config: {
+      accountId: string;
+      apiToken: string;
+      appId: string;
+      presetName: string;
+    },
+    meetingId: string,
+    payload: {
+      customParticipantId: string;
+      name?: string;
+      picture?: string;
+    },
+  ): Promise<{ id: string; token: string; presetName?: string }> {
+    const response = await fetch(
+      `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(config.accountId)}`
+        + `/realtime/kit/${encodeURIComponent(config.appId)}`
+        + `/meetings/${encodeURIComponent(meetingId)}/participants`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${config.apiToken}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          custom_participant_id: payload.customParticipantId,
+          preset_name: config.presetName,
+          name: payload.name,
+          picture: payload.picture,
+        }),
+      },
+    );
+
+    const data = await this.parseCloudflareApiEnvelope<{
+      id: string;
+      token: string;
+      preset_name?: string;
+    }>(response);
+
+    return {
+      id: data.id,
+      token: data.token,
+      presetName: data.preset_name,
+    };
+  }
+
+  private async parseCloudflareApiEnvelope<T>(response: Response): Promise<T> {
+    const payload = (await response.json().catch(() => ({}))) as {
+      success?: boolean;
+      errors?: Array<{ message?: string }>;
+      messages?: Array<{ message?: string }>;
+      result?: T;
+      data?: T;
+    };
+
+    if (!response.ok || payload.success === false) {
+      const message =
+        payload.errors?.find((entry) => typeof entry.message === 'string')?.message
+        ?? payload.messages?.find((entry) => typeof entry.message === 'string')?.message
+        ?? `Cloudflare API request failed (${response.status})`;
+      throw new Error(message);
+    }
+
+    return (payload.data ?? payload.result ?? {}) as T;
+  }
+
   private async authenticateRealtimeRequest(
     request: Request,
     url: URL,

package/src/lib/internal-request.ts

@@ -2,17 +2,14 @@ import type { Context } from 'hono';
 import type { HonoEnv } from './hono.js';
 import type { Env } from '../types.js';
 
-export function isTrustedInternalRequestUrl(url: string): boolean {
-  try {
-    const host = new URL(url).host;
-    return host === 'internal' || host === 'do';
-  } catch {
-    return false;
-  }
+export function isTrustedInternalRequestUrl(_url: string): boolean {
+  // Requests are only trusted when the runtime marks them internal via context.
+  // URL hosts (including 'do' / 'internal') can be spoofed in self-hosted or proxy setups.
+  return false;
 }
 
 export function isTrustedInternalContext(c: Pick<Context<HonoEnv>, 'get' | 'req'>): boolean {
-  return c.get('isInternalRequest' as never) === true || isTrustedInternalRequestUrl(c.req.url);
+  return c.get('isInternalRequest' as never) === true;
 }
 
 export function buildInternalHandlerContext(options: {

package/src/lib/openapi.ts

@@ -49,6 +49,7 @@ const USER_BEARER_PATHS = new Set([
 
 const USER_BEARER_PREFIXES = [
   '/api/room/media/realtime/',
+  '/api/room/media/cloudflare_realtimekit/',
 ];
 
 const SERVICE_KEY_ONLY_PATHS = new Set([

package/src/routes/admin.ts

@@ -119,6 +119,15 @@ function quoteSqlIdentifier(identifier: string): string {
   return `"${identifier}"`;
 }
 
+function isPublicAdminSetupAllowed(env: Env): boolean {
+  try {
+    const config = parseConfig(env);
+    return config.release !== true;
+  } catch {
+    return false;
+  }
+}
+
 interface MonitoringStats {
   subsystem?: string;
   activeConnections: number;
@@ -361,7 +370,16 @@ const adminSetupStatus = createRoute({
 adminRoute.openapi(adminSetupStatus, async (c) => {
   await ensureAuthSchema(getAuthDb(c));
   const exists = await adminExists(getAuthDb(c));
-  return c.json({ needsSetup: !exists });
+  const needsSetup = !exists;
+  const publicSetupAllowed = needsSetup ? isPublicAdminSetupAllowed(c.env) : false;
+  return c.json({
+    needsSetup,
+    publicSetupAllowed,
+    setupMethod: needsSetup ? (publicSetupAllowed ? 'browser' : 'cli') : 'login',
+    message: needsSetup && !publicSetupAllowed
+      ? 'Public admin setup is disabled for this deployment. Run `npx edgebase admin bootstrap` with a Service Key, or use the deploy/docker bootstrap flow instead.'
+      : undefined,
+  });
 });
 
 // POST /admin/api/setup — create the first admin account
@@ -387,6 +405,7 @@ const adminSetup = createRoute({
   responses: {
     201: { description: 'Admin created', content: { 'application/json': { schema: jsonResponseSchema } } },
     400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
   },
 });
 
@@ -394,6 +413,14 @@ adminRoute.openapi(adminSetup, async (c) => {
   await ensureAuthSchema(getAuthDb(c));
   const exists = await adminExists(getAuthDb(c));
   if (exists) throw new EdgeBaseError(400, 'Admin account already exists. Use login instead.', undefined, 'already-exists');
+  if (!isPublicAdminSetupAllowed(c.env)) {
+    throw new EdgeBaseError(
+      403,
+      'Public admin setup is disabled for this deployment. Run `npx edgebase admin bootstrap` with a Service Key, or use the deploy/docker bootstrap flow instead.',
+      undefined,
+      'forbidden',
+    );
+  }
 
   const body = await c.req.json<{ email: string; password: string }>();
   if (!body.email || !body.password) throw new EdgeBaseError(400, 'Email and password are required.', undefined, 'validation-failed');

package/src/routes/auth.ts

@@ -29,7 +29,7 @@ import {
 } from '../lib/auth-redirect.js';
 import {
   signAccessToken, signRefreshToken, verifyRefreshTokenWithFallback,
-  parseDuration, decodeTokenUnsafe, TokenExpiredError,
+  parseDuration, TokenExpiredError,
 } from '../lib/jwt.js';
 import { generateId } from '../lib/uuid.js';
 import { captchaMiddleware } from '../middleware/captcha-verify.js';
@@ -108,6 +108,15 @@ authRoute.onError((err, c) => {
 
 // ─── Helpers ───
 
+function isReleaseMode(env: Env): boolean {
+  return parseConfig(env)?.release ?? false;
+}
+
+function shouldExposeAuthTestSecrets(env: Env): boolean {
+  return env.EDGEBASE_TEST === '1'
+    || env.EDGEBASE_TEST === 'true';
+}
+
 function requireAuth(auth: AuthContext | null): string {
   if (!auth) {
     throw new EdgeBaseError(401, 'Authentication required.', undefined, 'unauthenticated');
@@ -1288,6 +1297,7 @@ authRoute.openapi(signinMagicLink, async (c) => {
   const record = await lookupEmail(getAuthDb(c), body.email);
 
   const db = getAuthDb(c);
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let debugToken: string | undefined;
   let debugActionUrl: string | undefined;
 
@@ -1327,9 +1337,12 @@ authRoute.openapi(signinMagicLink, async (c) => {
       type: 'magic-link',
       state: redirect.state,
     });
+    if (exposeTestSecrets) {
+      debugToken = token;
+      debugActionUrl = magicLinkUrl;
+    }
     if (!provider) {
-      const release = config?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[MagicLink] Email provider not configured. Token:', token);
         debugToken = token;
         debugActionUrl = magicLinkUrl;
@@ -1417,6 +1430,10 @@ authRoute.openapi(signinMagicLink, async (c) => {
         type: 'magic-link',
         state: redirect.state,
       });
+      if (exposeTestSecrets) {
+        debugToken = token;
+        debugActionUrl = magicLinkUrl;
+      }
       if (provider) {
         const locale = resolveEmailLocale(c.env, reqLocale);
         const html = renderMagicLink({
@@ -1431,8 +1448,7 @@ authRoute.openapi(signinMagicLink, async (c) => {
           resolveSubject(c.env, 'magicLink', defaultSubject, locale), html, locale,
         ).catch(() => {});
       } else {
-        const release = config?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           debugToken = token;
           debugActionUrl = magicLinkUrl;
         }
@@ -1591,6 +1607,7 @@ authRoute.openapi(signinPhone, async (c) => {
   // Look up phone in D1
   const record = await lookupPhone(getAuthDb(c), phone);
 
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let devCode: string | undefined;
 
   const db = getAuthDb(c);
@@ -1602,6 +1619,7 @@ authRoute.openapi(signinPhone, async (c) => {
     if (!user) return c.json({ ok: true });
 
     const code = generateOTP();
+    if (exposeTestSecrets) devCode = code;
 
     // Store OTP in KV with 5 min TTL
     await c.env.KV.put(
@@ -1623,8 +1641,7 @@ authRoute.openapi(signinPhone, async (c) => {
         `Your ${appName} verification code is: ${code}. Valid for 5 minutes.`,
       );
     } else {
-      const release = parseConfig(c.env)?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[Phone] SMS provider not configured. OTP:', code);
         devCode = code;
       }
@@ -1654,6 +1671,7 @@ authRoute.openapi(signinPhone, async (c) => {
       await authService.updateUser(db, userId, { phone, phoneVerified: false });
 
       const code = generateOTP();
+      if (exposeTestSecrets) devCode = code;
 
       // Store OTP in KV
       await c.env.KV.put(
@@ -1675,8 +1693,7 @@ authRoute.openapi(signinPhone, async (c) => {
           `Your ${appName} verification code is: ${code}. Valid for 5 minutes.`,
         );
       } else {
-        const release = parseConfig(c.env)?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           console.warn('[Phone] SMS provider not configured. OTP:', code);
           devCode = code;
         }
@@ -1690,8 +1707,7 @@ authRoute.openapi(signinPhone, async (c) => {
   }
 
   // Return OTP code only in dev mode (SMS provider not configured) for testing
-  const release = parseConfig(c.env)?.release ?? false;
-  return c.json(devCode && !release ? { ok: true, code: devCode } : { ok: true });
+  return c.json(devCode ? { ok: true, code: devCode } : { ok: true });
 });
 
 // POST /verify-phone — verify OTP → create session
@@ -1871,6 +1887,7 @@ authRoute.openapi(linkPhone, async (c) => {
   }
 
   const code = generateOTP();
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
 
   // Store link OTP in KV (separate key pattern)
   await c.env.KV.put(
@@ -1891,14 +1908,13 @@ authRoute.openapi(linkPhone, async (c) => {
       phone,
       `Your ${appName} phone linking code is: ${code}. Valid for 5 minutes.`,
     );
-    return c.json({ ok: true });
+    return c.json(exposeTestSecrets ? { ok: true, code } : { ok: true });
   } else {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (!isReleaseMode(c.env)) {
       console.warn('[Phone] SMS provider not configured. Link OTP:', code);
       return c.json({ ok: true, code });
     }
-    return c.json({ ok: true });
+    return c.json(exposeTestSecrets ? { ok: true, code } : { ok: true });
   }
 });
 
@@ -2048,6 +2064,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
   // Look up email in D1
   const record = await lookupEmail(getAuthDb(c), email);
 
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
   let devCode: string | undefined;
 
   const db = getAuthDb(c);
@@ -2059,6 +2076,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
     if (!user) return c.json({ ok: true });
 
     const code = generateOTP();
+    if (exposeTestSecrets) devCode = code;
 
     // Store OTP in KV with 5 min TTL
     await c.env.KV.put(
@@ -2079,8 +2097,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
         resolveSubject(c.env, 'emailOtp', defaultSubject, locale), html, locale,
       );
     } else {
-      const release = parseConfig(c.env)?.release ?? false;
-      if (!release) {
+      if (!isReleaseMode(c.env)) {
         console.warn('[EmailOTP] Email provider not configured. OTP:', code);
         devCode = code;
       }
@@ -2117,6 +2134,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
       });
 
       const code = generateOTP();
+      if (exposeTestSecrets) devCode = code;
 
       // Store OTP in KV
       await c.env.KV.put(
@@ -2137,8 +2155,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
           resolveSubject(c.env, 'emailOtp', defaultSubject, locale), html, locale,
         );
       } else {
-        const release = parseConfig(c.env)?.release ?? false;
-        if (!release) {
+        if (!isReleaseMode(c.env)) {
           console.warn('[EmailOTP] Email provider not configured. OTP:', code);
           devCode = code;
         }
@@ -2152,8 +2169,7 @@ authRoute.openapi(signinEmailOtp, async (c) => {
   }
 
   // Return OTP code only in dev mode (email provider not configured) for testing
-  const release = parseConfig(c.env)?.release ?? false;
-  return c.json(devCode && !release ? { ok: true, code: devCode } : { ok: true });
+  return c.json(devCode ? { ok: true, code: devCode } : { ok: true });
 });
 
 // POST /verify-email-otp — verify OTP → create session
@@ -2754,11 +2770,27 @@ authRoute.openapi(signout, async (c) => {
     refreshToken: body.refreshToken,
   });
 
-  const payload = decodeTokenUnsafe(body.refreshToken);
-  if (!payload?.sub) throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
-
   const db = getAuthDb(c);
-  const userId = payload.sub as string;
+  let tokenPayload;
+  try {
+    tokenPayload = await verifyRefreshTokenWithFallback(
+      body.refreshToken,
+      getUserSecret(c.env),
+      c.env.JWT_USER_SECRET_OLD,
+      c.env.JWT_USER_SECRET_OLD_AT,
+    );
+  } catch (err) {
+    if (err instanceof TokenExpiredError) {
+      throw new EdgeBaseError(401, 'Refresh token expired.', undefined, 'refresh-token-expired');
+    }
+    throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
+  }
+
+  const userId = tokenPayload.sub;
+  const sessionResult = await authService.getSessionByRefreshToken(db, body.refreshToken, userId);
+  if (!sessionResult) {
+    throw new EdgeBaseError(401, 'Invalid refresh token.', undefined, 'invalid-refresh-token');
+  }
 
   // beforeSignOut hook — blocking
   await executeAuthHook(c.env, c.executionCtx, 'beforeSignOut', { userId }, { blocking: true, workerUrl: getWorkerUrl(c.req.url, c.env) });
@@ -2991,8 +3023,8 @@ authRoute.openapi(changeEmail, async (c) => {
     }
   }
 
-  const release = parseConfig(c.env)?.release ?? false;
-  if (!release) {
+  const exposeTestSecrets = shouldExposeAuthTestSecrets(c.env);
+  if (exposeTestSecrets || !isReleaseMode(c.env)) {
     const emailCfg = getEmailConfig(c.env);
     const fallbackVerifyUrl = emailCfg?.emailChangeUrl
       ? emailCfg.emailChangeUrl.replace('{token}', token)
@@ -3970,8 +4002,7 @@ authRoute.openapi(requestEmailVerification, async (c) => {
 
   const provider = createEmailProvider(getEmailConfig(c.env), c.env);
   if (!provider) {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (shouldExposeAuthTestSecrets(c.env) || !isReleaseMode(c.env)) {
       console.warn('[VerifyEmail] Email provider not configured. Verification email not sent. Token:', token);
       return c.json({ ok: true, message: 'Email provider not configured.', token, actionUrl: verifyUrl });
     }
@@ -3992,7 +4023,9 @@ authRoute.openapi(requestEmailVerification, async (c) => {
     resolveSubject(c.env, 'verification', defaultSubject, locale), html, locale,
   );
 
-  return c.json({ ok: result.success, messageId: result.messageId });
+  return c.json(shouldExposeAuthTestSecrets(c.env)
+    ? { ok: result.success, messageId: result.messageId, token, actionUrl: verifyUrl }
+    : { ok: result.success, messageId: result.messageId });
 });
 
 // POST /verify-email — KV token→shardId lookup → direct Shard call
@@ -4123,8 +4156,7 @@ authRoute.openapi(requestPasswordReset, async (c) => {
 
   const provider = createEmailProvider(getEmailConfig(c.env), c.env);
   if (!provider) {
-    const release = parseConfig(c.env)?.release ?? false;
-    if (!release) {
+    if (shouldExposeAuthTestSecrets(c.env) || !isReleaseMode(c.env)) {
       console.warn('[Auth] Email provider not configured. Reset email not sent. Token:', token);
       return c.json({ ok: true, message: 'Email provider not configured.', token, actionUrl: resetUrl });
     }
@@ -4145,7 +4177,9 @@ authRoute.openapi(requestPasswordReset, async (c) => {
     resolveSubject(c.env, 'passwordReset', defaultSubject, locale), html, locale,
   );
 
-  return c.json({ ok: result.success, messageId: result.messageId });
+  return c.json(shouldExposeAuthTestSecrets(c.env)
+    ? { ok: result.success, messageId: result.messageId, token, actionUrl: resetUrl }
+    : { ok: result.success, messageId: result.messageId });
 });
 
 // POST /reset-password — KV token→shardId lookup → direct Shard call

package/src/routes/room.ts

@@ -70,6 +70,12 @@ const roomRealtimeCreateSessionBodySchema = z.object({
   thirdparty: z.boolean().optional().openapi({ description: 'Forward Cloudflare Realtime thirdparty mode' }),
   sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
 });
+const roomCloudflareRealtimeKitCreateSessionBodySchema = z.object({
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the Cloudflare RealtimeKit participant to' }),
+  customParticipantId: z.string().optional().openapi({ description: 'Optional custom participant identifier for the provisioned RealtimeKit participant' }),
+  name: z.string().optional().openapi({ description: 'Optional display name for the provisioned RealtimeKit participant' }),
+  picture: z.string().optional().openapi({ description: 'Optional avatar URL for the provisioned RealtimeKit participant' }),
+});
 const roomRealtimeCreateSessionResponseSchema = z.object({
   sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
   sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
@@ -78,6 +84,15 @@ const roomRealtimeCreateSessionResponseSchema = z.object({
   connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
   reused: z.boolean().optional().openapi({ description: 'Whether an existing provider session was reused' }),
 });
+const roomCloudflareRealtimeKitCreateSessionResponseSchema = z.object({
+  sessionId: z.string().openapi({ description: 'Cloudflare RealtimeKit participant ID' }),
+  meetingId: z.string().openapi({ description: 'Cloudflare RealtimeKit meeting ID backing the room session' }),
+  participantId: z.string().openapi({ description: 'Cloudflare RealtimeKit participant ID' }),
+  authToken: z.string().openapi({ description: 'RealtimeKit auth token for the provisioned participant' }),
+  presetName: z.string().optional().openapi({ description: 'RealtimeKit preset used for the provisioned participant' }),
+  connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
+  reused: z.boolean().optional().openapi({ description: 'Whether an existing provider participant was reused' }),
+});
 const roomRealtimeSessionStateSchema = z.object({
   sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
   connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
@@ -525,6 +540,27 @@ const createRoomRealtimeSession = createRoute({
   },
 });
 
+const createRoomCloudflareRealtimeKitSession = createRoute({
+  operationId: 'createRoomCloudflareRealtimeKitSession',
+  method: 'post',
+  path: '/media/cloudflare_realtimekit/session',
+  tags: ['client'],
+  summary: 'Create a room Cloudflare RealtimeKit session',
+  description: 'Creates a Cloudflare RealtimeKit session for the authenticated room member.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomCloudflareRealtimeKitCreateSessionBodySchema } }, required: false },
+  },
+  responses: {
+    200: { description: 'Cloudflare RealtimeKit session created', content: { 'application/json': { schema: roomCloudflareRealtimeKitCreateSessionResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+    409: { description: 'Conflicting existing published media', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+
 const createRoomRealtimeIceServers = createRoute({
   operationId: 'createRoomRealtimeIceServers',
   method: 'post',
@@ -637,3 +673,9 @@ roomRoute.openapi(closeRoomRealtimeTracks, async (c) =>
     requireAuth: true,
     validatedJson: c.req.valid('json'),
   }));
+
+roomRoute.openapi(createRoomCloudflareRealtimeKitSession, async (c) =>
+  proxyRoomDoRequest(c, '/media/cloudflare_realtimekit/session', 'POST', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));