@valentinkolb/cloud 0.3.1 → 0.5.0

package/src/services/ipa/profile.ts

@@ -1,8 +1,9 @@
 /**
  * Centralized profile calculation for IPA-backed users.
  *
- * The calculation uses the local mirrored IPA group tree only and treats
- * `auth.groups.id` as the canonical group identity.
+ * Full sync writes `auth.ipa_user_effective_groups` from FreeIPA group_find.
+ * Local group mutations keep that projection as source of truth; the local
+ * display mirror is only a bootstrap fallback before the first full sync.
  */
 
 import { sql } from "bun";
@@ -37,6 +38,17 @@ export const getAllUserGroups = async (userId: string): Promise<string[]> => {
   return rows.map((row) => row.name as string);
 };
 
+export const getEffectiveUserGroups = async (userId: string): Promise<string[]> => {
+  const rows: DbRow[] = await sql`
+    SELECT group_name
+    FROM auth.ipa_user_effective_groups
+    WHERE user_id = ${userId}::uuid
+    ORDER BY group_name
+  `;
+
+  return rows.map((row) => row.group_name as string);
+};
+
 /**
  * Calculate canonical IPA profile from effective group names. Reads
  * `freeipa.groups.base_ipa_realm` from settings (cache-aside).
@@ -54,11 +66,41 @@ export const calculateIpaProfileFromLocalDb = async (userId: string): Promise<"u
   return calculateIpaProfile(groups);
 };
 
+export const calculateIpaProfileFromEffectiveProjection = async (userId: string): Promise<"user" | "guest"> => {
+  const groups = await getEffectiveUserGroups(userId);
+  return calculateIpaProfile(groups);
+};
+
+const rebuildEffectiveProjectionFromLocalMirror = async (userId: string): Promise<string[]> => {
+  const groups = await getAllUserGroups(userId);
+  await sql`
+    DELETE FROM auth.ipa_user_effective_groups
+    WHERE user_id = ${userId}::uuid
+  `;
+
+  for (const group of groups) {
+    await sql`
+      INSERT INTO auth.ipa_user_effective_groups (user_id, group_name)
+      VALUES (${userId}::uuid, ${group})
+      ON CONFLICT DO NOTHING
+    `;
+  }
+
+  return groups;
+};
+
+const getEffectiveUserGroupsWithMirrorFallback = async (userId: string): Promise<string[]> => {
+  const projectedGroups = await getEffectiveUserGroups(userId);
+  if (projectedGroups.length > 0) return projectedGroups;
+  return rebuildEffectiveProjectionFromLocalMirror(userId);
+};
+
 /**
  * Update one IPA-backed user's canonical profile projection.
  */
 export const updateUserIpaProfile = async (userId: string): Promise<void> => {
-  const profile = await calculateIpaProfileFromLocalDb(userId);
+  const groups = await getEffectiveUserGroupsWithMirrorFallback(userId);
+  const profile = await calculateIpaProfile(groups);
   await sql`
     UPDATE auth.users
     SET provider = 'ipa',

package/src/services/ipa/search.ts

@@ -63,11 +63,9 @@ export const search = async (query: string, options: SearchOptions): Promise<{ u
       SELECT u.id, u.uid, u.provider, u.profile, u.given_name, u.sn, u.display_name, u.mail,
         EXISTS(
           SELECT 1
-          FROM auth.user_groups_v2 ug_admin
-          JOIN auth.groups g_admin ON g_admin.id = ug_admin.group_id
-          WHERE ug_admin.user_id = u.id
-            AND g_admin.provider = 'ipa'
-            AND g_admin.name = ANY(${toPgTextArray(groupsAdmin)}::text[])
+          FROM auth.ipa_user_effective_groups eg
+          WHERE eg.user_id = u.id
+            AND eg.group_name = ANY(${toPgTextArray(groupsAdmin)}::text[])
         ) AS effective_admin
       FROM auth.users u
       WHERE u.provider = 'ipa'

package/src/services/ipa/service-account.ts

@@ -0,0 +1,15 @@
+import type { MutationResult } from "../../contracts/shared";
+import { providers } from "../providers";
+import { getFreeIpaConfig } from "../freeipa-config";
+
+export const getServiceIpaSession = async (): Promise<MutationResult<string>> => {
+  if (!(await getFreeIpaConfig()).enabled) {
+    return { ok: false, error: "FreeIPA is disabled.", status: 400 };
+  }
+
+  try {
+    return { ok: true, data: await providers.ipa.auth.getServiceSession() };
+  } catch {
+    return { ok: false, error: "Internal FreeIPA service session unavailable.", status: 500 };
+  }
+};

package/src/services/ipa/sync-planning.test.ts

@@ -0,0 +1,32 @@
+import { describe, expect, test } from "bun:test";
+import { selectStaleLocalIpaRows } from "./sync-planning";
+
+describe("selectStaleLocalIpaRows", () => {
+  test("keeps unchanged active IPA users out of stale transitions", () => {
+    const stale = selectStaleLocalIpaRows({
+      localRows: [{ uid: "eva", mail: "eva@example.test" }],
+      activeRemoteUsers: [{ uid: "eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([]);
+  });
+
+  test("keeps UID-renamed IPA users out of stale transitions when mail still matches", () => {
+    const stale = selectStaleLocalIpaRows({
+      localRows: [{ uid: "old-eva", mail: "eva@example.test" }],
+      activeRemoteUsers: [{ uid: "new-eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([]);
+  });
+
+  test("returns IPA users with no active UID or mail match as stale", () => {
+    const local = { uid: "old-eva", mail: "old-eva@example.test" };
+    const stale = selectStaleLocalIpaRows({
+      localRows: [local],
+      activeRemoteUsers: [{ uid: "new-eva", mail: "eva@example.test" }],
+    });
+
+    expect(stale).toEqual([local]);
+  });
+});

package/src/services/ipa/sync-planning.ts

@@ -0,0 +1,22 @@
+export type IpaIdentity = {
+  uid: string;
+  mail: string | null;
+};
+
+export const selectStaleLocalIpaRows = <T extends IpaIdentity>(params: {
+  localRows: T[];
+  activeRemoteUsers: IpaIdentity[];
+}): T[] => {
+  const activeUids = new Set(params.activeRemoteUsers.map((user) => user.uid));
+  const activeMails = new Set(
+    params.activeRemoteUsers
+      .map((user) => user.mail)
+      .filter((mail): mail is string => Boolean(mail)),
+  );
+
+  return params.localRows.filter((row) => {
+    if (activeUids.has(row.uid)) return false;
+    if (row.mail && activeMails.has(row.mail)) return false;
+    return true;
+  });
+};

package/src/services/ipa/sync.ts

@@ -1,6 +1,7 @@
 import { sql } from "bun";
 import { applyIpaAccountTransitionPolicy } from "../accounts/switching";
 import {
+  calculateIpaProfileFromGroupNames,
   parseIpaAccountTransitionPolicy,
   parseIpaMatchMode,
 } from "../account-model";
@@ -10,9 +11,12 @@ import * as settings from "../settings";
 import { session } from "../session";
 import { freeipa } from "../../server/services";
 import { getFreeIpaConfig } from "../freeipa-config";
-import { calculateIpaProfile, calculateIpaProfileFromLocalDb } from "./profile";
+import { buildEffectiveIpaGroupsByUid } from "./effective-groups";
+import { calculateIpaProfileFromEffectiveProjection, getEffectiveUserGroups } from "./profile";
+import { selectStaleLocalIpaRows } from "./sync-planning";
 
 type DbRow = Record<string, unknown>;
+type LocalIpaRow = DbRow & { uid: string; mail: string | null };
 
 const log = logger("auth:ipa:sync");
 
@@ -148,7 +152,7 @@ const transformSyncUser = (raw: Record<string, unknown>): SyncUser => {
  * `excludedGroupsSet` is hoisted to the caller so we don't re-read settings
  * once per group.
  */
-const transformSyncGroup = (raw: Record<string, unknown>, excludedGroupsSet: Set<string>): SyncGroup => ({
+const transformSyncGroup = (raw: Record<string, unknown>, excludedGroupsSet: Set<string> = new Set()): SyncGroup => ({
   cn: freeipa.util.str(raw.cn),
   description: freeipa.util.str(raw.description) || null,
   gidnumber: freeipa.util.num(raw.gidnumber),
@@ -224,15 +228,13 @@ export const syncFromIpa = async (): Promise<void> => {
   ]);
 
   const allRawUsers = readIpaList({ response: usersRes, entity: "users" });
-
-  const users = allRawUsers
-    .filter((raw) => {
-      const groups = (raw.memberof_group as string[]) ?? [];
-      return config.groupsBaseSync.some((g) => groups.includes(g));
-    })
-    .map(transformSyncUser);
-
+  const allUsers = allRawUsers.map(transformSyncUser);
   const allRawGroups = readIpaList({ response: groupsRes, entity: "groups" });
+  const effectiveGroupsByUid = buildEffectiveIpaGroupsByUid(allRawGroups.map((raw) => transformSyncGroup(raw)));
+  const users = allUsers.filter((user) => {
+    const effectiveGroups = effectiveGroupsByUid.get(user.uid) ?? [];
+    return config.groupsBaseSync.some((group) => effectiveGroups.includes(group));
+  });
   const groups = allRawGroups.map((raw) => transformSyncGroup(raw, excludedGroupsSet)).filter((g) => !excludedGroupsSet.has(g.cn));
 
   const activeUsers = users.filter((u) => !isExpired(u));
@@ -241,7 +243,7 @@ export const syncFromIpa = async (): Promise<void> => {
   // stale/transition branch so their local mirror is either demoted or deleted per policy,
   // and their sessions are revoked. Treating expired users as in-scope would leave a stale
   // unexpired local row plus live sessions.
-  const inScopeUids = new Set(activeUsers.map((u) => u.uid));
+  const remoteGroupCns = new Set(allRawGroups.map((raw) => freeipa.util.str(raw.cn)).filter(Boolean));
   const groupCns = new Set(groups.map((g) => g.cn));
   const matchMode = parseIpaMatchMode(await settings.get<string | null>("freeipa.user_match_mode"));
   const transitionPolicy = parseIpaAccountTransitionPolicy(
@@ -269,7 +271,7 @@ export const syncFromIpa = async (): Promise<void> => {
   if (activeUsers.length === 0 && localIpaUsers > 0) {
     throw new Error(`Refusing IPA sync: remote active users list is empty while local has ${localIpaUsers} IPA users`);
   }
-  if (groupCns.size === 0 && localGroups > 0) {
+  if (remoteGroupCns.size === 0 && localGroups > 0) {
     throw new Error(`Refusing IPA sync: remote groups list is empty while local has ${localGroups} groups`);
   }
 
@@ -279,20 +281,65 @@ export const syncFromIpa = async (): Promise<void> => {
     WHERE provider = 'ipa'
     ORDER BY uid
   `;
-  const staleLocalUsers = localIpaRows.filter((row) => !inScopeUids.has(row.uid as string));
+  const currentProfileByUid = new Map(
+    localIpaRows.map((row) => [row.uid as string, row.profile as "user" | "guest"]),
+  );
+  let profileDriftCount = 0;
+  const profileDriftSamples: string[] = [];
+  let profilesPromoted = 0;
+  let profilesDemoted = 0;
+  for (const user of activeUsers) {
+    const effectiveGroups = effectiveGroupsByUid.get(user.uid) ?? [];
+    const graphProfile = calculateIpaProfileFromGroupNames(effectiveGroups, config.groupsBaseIpaRealm);
+    const userSideProfile = calculateIpaProfileFromGroupNames(user.memberofGroup, config.groupsBaseIpaRealm);
+    if (graphProfile !== userSideProfile) {
+      profileDriftCount += 1;
+      if (profileDriftSamples.length < 10) profileDriftSamples.push(user.uid);
+    }
+
+    const previousProfile = currentProfileByUid.get(user.uid);
+    if (previousProfile === "guest" && graphProfile === "user") profilesPromoted += 1;
+    if (previousProfile === "user" && graphProfile === "guest") profilesDemoted += 1;
+  }
+
+  const localIpaIdentityRows: LocalIpaRow[] = localIpaRows.map((row) => ({
+    ...row,
+    uid: row.uid as string,
+    mail: (row.mail as string | null) ?? null,
+  }));
+  const staleLocalUsers = selectStaleLocalIpaRows({
+    localRows: localIpaIdentityRows,
+    activeRemoteUsers: activeUsers.map((user) => ({ uid: user.uid, mail: user.mail })),
+  });
   const staleLimit = Math.max(10, Math.ceil(Math.max(localIpaUsers, 1) * 0.2));
   if (staleLocalUsers.length > staleLimit) {
     throw new Error(
       `Refusing IPA sync: ${staleLocalUsers.length} local IPA users disappeared from sync scope (limit ${staleLimit})`,
     );
   }
+  if (profilesDemoted > staleLimit) {
+    throw new Error(
+      `Refusing IPA sync: ${profilesDemoted} IPA users would be downgraded from user to guest (limit ${staleLimit})`,
+    );
+  }
+  if (profilesDemoted > 0) {
+    log.warn("IPA sync will downgrade user profiles", { profilesDemoted, limit: staleLimit });
+  }
+  if (profileDriftCount > 0) {
+    log.warn("IPA user memberOf drift detected; using group graph projection", {
+      profileDriftCount,
+      sampleUids: profileDriftSamples,
+    });
+  }
 
   const staleDemotedUsers: Array<{ id: string; uid: string }> = [];
+  let effectiveGroupsRebuilt = 0;
   await sql.begin(async (tx) => {
     // 1. Upsert active IPA users
     //    Match order: mail (existing IPA user, handles UID renames) → mail (guest promotion) → uid (new or unchanged)
     for (const u of activeUsers) {
-      const profile = await calculateIpaProfile(u.memberofGroup);
+      const effectiveGroups = effectiveGroupsByUid.get(u.uid) ?? [];
+      const profile = calculateIpaProfileFromGroupNames(effectiveGroups, config.groupsBaseIpaRealm);
       const provider = "ipa";
 
       if (u.mail) {
@@ -473,6 +520,23 @@ export const syncFromIpa = async (): Promise<void> => {
     const userIdRows: DbRow[] = await tx`SELECT id, uid FROM auth.users WHERE provider = 'ipa'`;
     const uidToId = new Map<string, string>(userIdRows.map((r) => [r.uid as string, r.id as string]));
 
+    await tx`
+      DELETE FROM auth.ipa_user_effective_groups
+      WHERE user_id IN (SELECT id FROM auth.users WHERE provider = 'ipa')
+    `;
+    const effectiveGroupRows: { user_id: string; group_name: string }[] = [];
+    for (const [uid, groupNames] of effectiveGroupsByUid) {
+      const userId = uidToId.get(uid);
+      if (!userId) continue;
+      for (const groupName of groupNames) {
+        effectiveGroupRows.push({ user_id: userId, group_name: groupName });
+      }
+    }
+    if (effectiveGroupRows.length > 0) {
+      await tx`INSERT INTO auth.ipa_user_effective_groups ${sql(effectiveGroupRows, "user_id", "group_name")} ON CONFLICT DO NOTHING`;
+    }
+    effectiveGroupsRebuilt = effectiveGroupRows.length;
+
     // Bulk INSERT helper. Bun's `sql(rows)` only generates valid VALUES
     // syntax when fed an array of OBJECTS (it derives the column list from
     // object keys). Passing array-of-arrays produces broken SQL like
@@ -541,6 +605,11 @@ export const syncFromIpa = async (): Promise<void> => {
     skippedLocalMailConflicts,
     skippedLocalUidConflicts,
     staleUsersDemoted: staleDemotedUsers.length,
+    scopeTransitions: staleDemotedUsers.length,
+    profileDriftCount,
+    profilesPromoted,
+    profilesDemoted,
+    effectiveGroupsRebuilt,
     upsertedUsersByUid,
     insertedUsersByUid,
     updatedUsersByUid,
@@ -566,8 +635,9 @@ export type SyncUserOutcome =
 
 /**
  * Reconcile a local IPA mirror row after discovering the remote user is no
- * longer in sync scope (expired or removed from base-sync groups). Applies the
- * configured account-transition policy and revokes all sessions for the user.
+ * longer valid because the IPA account is expired. Full sync also uses this
+ * transition policy for graph-derived out-of-scope users; single-user sync does
+ * not demote based on FreeIPA user-side memberOf data.
  */
 const reconcileOutOfScopeUser = async (params: {
   userId: string;
@@ -632,12 +702,13 @@ const reconcileOutOfScopeUser = async (params: {
  * Called on login to ensure time-sensitive data is up-to-date.
  *
  * IMPORTANT: Only syncs user attributes (name, mail, expiry, aliases).
- * Does NOT sync group memberships - those are only synced via periodic syncFromIpa().
- * Realm is calculated from LOCAL DB group memberships (optimistically updated by mutations).
+ * Does NOT sync group memberships. Scope/profile come from the last full-sync
+ * effective group projection; user-side memberOf drift is logged but never used
+ * for destructive transitions here.
  *
  * Returns a typed outcome so callers (notably `authFlows.ipa.login`) can decide
- * whether to grant a session. Non-`synced` outcomes reconcile local mirror state
- * where possible (expired / out_of_scope → transition policy + session revocation).
+ * whether to grant a session. Expired users are reconciled immediately; group
+ * scope changes are handled by full sync.
  */
 export const syncUser = async (username: string): Promise<SyncUserOutcome> => {
   const config = await getFreeIpaConfig();
@@ -697,29 +768,30 @@ export const syncUser = async (username: string): Promise<SyncUserOutcome> => {
     return { status: "expired", userId: existingUserId };
   }
 
-  const inSyncGroups = config.groupsBaseSync.some((g) => user.memberofGroup.includes(g));
-  if (!inSyncGroups) {
-    log.warn("User not in sync groups during single-user sync", { username });
-    if (existingUserId) {
-      await reconcileOutOfScopeUser({
-        userId: existingUserId,
-        uid: user.uid,
-        mail: (existingRow?.mail as string | null) ?? user.mail,
-        displayName: (existingRow?.display_name as string | null) ?? user.displayName,
-        previousProfile,
-        reason: "sync_out_of_scope_demoted",
-        meta: { reason: "missing_from_ipa_sync_scope" },
-      });
-    }
-    return { status: "out_of_scope", userId: existingUserId };
-  }
-
   if (!existingUserId) {
     log.warn("User not found in local DB during single-user sync", { username });
     return { status: "not_found_local" };
   }
 
-  const profile = await calculateIpaProfileFromLocalDb(existingUserId);
+  const effectiveGroups = await getEffectiveUserGroups(existingUserId);
+  const inSyncGroups = config.groupsBaseSync.some((g) => effectiveGroups.includes(g));
+  if (!inSyncGroups) {
+    log.warn("User not in projected sync groups during single-user sync", {
+      username,
+      reason: "missing_from_last_full_sync_projection",
+    });
+    return { status: "out_of_scope", userId: existingUserId };
+  }
+
+  const profile = await calculateIpaProfileFromEffectiveProjection(existingUserId);
+  const userSideProfile = calculateIpaProfileFromGroupNames(user.memberofGroup, config.groupsBaseIpaRealm);
+  if (profile !== userSideProfile) {
+    log.warn("IPA user memberOf drift detected during single-user sync", {
+      username,
+      projectedProfile: profile,
+      userSideProfile,
+    });
+  }
   const provider = "ipa";
 
   // Update user attributes only (no group sync!)

package/src/services/oauth-tokens.ts

@@ -0,0 +1,104 @@
+import { sql } from "bun";
+import * as jose from "jose";
+import { accounts } from "./accounts";
+import * as settings from "./settings";
+import { serviceAccounts, type ServiceAccount } from "./service-accounts";
+import type { User } from "../contracts/shared";
+
+type DbKey = {
+  public_key: string;
+  kid: string;
+};
+
+const parseScopeClaim = (payload: jose.JWTPayload): string[] => {
+  const value = payload.scope;
+  if (typeof value !== "string") return [];
+  return value
+    .split(/\s+/)
+    .map((scope) => scope.trim())
+    .filter(Boolean);
+};
+
+export type AuthenticatedOAuthToken =
+  | {
+      kind: "user";
+      payload: jose.JWTPayload;
+      user: User;
+    }
+  | {
+      kind: "service_account";
+      payload: jose.JWTPayload;
+      serviceAccount: ServiceAccount;
+      delegatedUser: User | null;
+      scopes: string[];
+    };
+
+const getIssuer = async (): Promise<string> => {
+  const appUrl = await settings.get<string>("app.url");
+  return appUrl.startsWith("http") ? appUrl : `https://${appUrl}`;
+};
+
+const getCurrentPublicKey = async (): Promise<CryptoKey | null> => {
+  const [row] = await sql<DbKey[]>`
+    SELECT public_key, kid
+    FROM oauth.keys
+    WHERE id = 'current'
+  `;
+  if (!row) return null;
+  return jose.importSPKI(row.public_key, "RS256");
+};
+
+const getStringClaim = (payload: jose.JWTPayload, key: string): string | null => {
+  const value = payload[key];
+  return typeof value === "string" && value.length > 0 ? value : null;
+};
+
+export const verifyAccessToken = async (token: string): Promise<AuthenticatedOAuthToken | null> => {
+  const publicKey = await getCurrentPublicKey();
+  if (!publicKey) return null;
+
+  let payload: jose.JWTPayload;
+  try {
+    const result = await jose.jwtVerify(token, publicKey, {
+      issuer: await getIssuer(),
+      audience: "cloud",
+    });
+    payload = result.payload;
+  } catch {
+    return null;
+  }
+
+  if (payload.token_use !== "access") return null;
+
+  const serviceAccountId = getStringClaim(payload, "service_account_id");
+  if (serviceAccountId) {
+    const serviceAccount = await serviceAccounts.get({ id: serviceAccountId });
+    if (!serviceAccount || serviceAccount.status !== "active") return null;
+
+    const delegatedUser = serviceAccount.delegatedUserId ? await accounts.users.get({ id: serviceAccount.delegatedUserId }) : null;
+    if (serviceAccount.kind === "user_delegated" && !delegatedUser) return null;
+
+    return {
+      kind: "service_account",
+      payload,
+      serviceAccount,
+      delegatedUser,
+      scopes: parseScopeClaim(payload),
+    };
+  }
+
+  const userId = getStringClaim(payload, "id");
+  const uid = getStringClaim(payload, "uid") ?? (typeof payload.sub === "string" ? payload.sub : null);
+  const user = userId ? await accounts.users.get({ id: userId }) : uid ? await accounts.users.get({ uid }) : null;
+  if (!user) return null;
+
+  return {
+    kind: "user",
+    payload,
+    user,
+  };
+};
+
+export const oauthTokens = {
+  verifyAccessToken,
+};

package/src/services/postgres.ts

@@ -35,17 +35,32 @@ export const parsePgJsonRecord = (value: unknown): Record<string, unknown> | nul
 };
 
 /**
- * Classify a thrown Postgres error. Bun's sql driver surfaces the canonical
- * SQLSTATE on `.code`. Use this at service boundaries to turn
- * unique-constraint violations into typed 409 results instead of bubbling up
- * raw DB errors to API clients.
+ * Classify a thrown Postgres error. Use at service boundaries to turn
+ * unique-constraint violations into typed 409 results instead of bubbling
+ * up raw DB errors to API clients.
+ *
+ * Two driver shapes coexist in this repo:
+ *   - postgres.js: `e.code = "23505"` (the SQLSTATE directly)
+ *   - bun.sql:     `e.code = "ERR_POSTGRES_SERVER_ERROR"`, SQLSTATE on `e.errno`
+ *
+ * Checking only `e.code` silently fails on Bun (the Wave-1.1 migration
+ * idempotence bug had the same root cause). Treat either field carrying
+ * "23505" as a unique violation so the helper works regardless of which
+ * driver instantiated the error.
  */
-export type PgError = { code?: string; constraint_name?: string; detail?: string; message?: string };
+export type PgError = {
+  code?: string;
+  errno?: string;
+  constraint_name?: string;
+  detail?: string;
+  message?: string;
+};
 
 export const isUniqueViolation = (error: unknown, constraintName?: string): boolean => {
   if (!error || typeof error !== "object") return false;
   const e = error as PgError;
-  if (e.code !== "23505") return false;
+  const sqlstate = e.code === "23505" || e.errno === "23505";
+  if (!sqlstate) return false;
   if (!constraintName) return true;
   return e.constraint_name === constraintName;
 };

package/src/services/providers/local/auth.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import {
+  consumePasswordResetToken,
+  createPasswordResetToken,
+} from "./auth";
+
+describe("local auth password reset tokens", () => {
+  test("consumes password reset tokens only once", async () => {
+    const payload = {
+      userId: crypto.randomUUID(),
+      uid: `reset-${crypto.randomUUID()}`,
+      email: `reset-${crypto.randomUUID()}@example.test`,
+    };
+    const token = await createPasswordResetToken({
+      ...payload,
+      ttlSeconds: 30,
+    });
+
+    expect(await consumePasswordResetToken(token)).toEqual(payload);
+    expect(await consumePasswordResetToken(token)).toBeNull();
+  });
+});

package/src/services/providers/local/auth.ts

@@ -1,13 +1,56 @@
 import { redis } from "bun";
 
-export const createMagicLinkToken = async (params: { email: string; ttlSeconds?: number }): Promise<string> => {
+export const createMagicLinkToken = async (params: {
+  email: string;
+  ttlSeconds?: number;
+}): Promise<string> => {
   const token = crypto.randomUUID();
-  await redis.set(`email-login:${token}`, JSON.stringify({ email: params.email }), "EX", params.ttlSeconds ?? 300);
+  await redis.set(
+    `email-login:${token}`,
+    JSON.stringify({ email: params.email }),
+    "EX",
+    params.ttlSeconds ?? 300
+  );
   return token;
 };
 
-export const consumeMagicLinkToken = async (token: string): Promise<{ email: string } | null> => {
+export const consumeMagicLinkToken = async (
+  token: string
+): Promise<{ email: string } | null> => {
   const raw = await redis.getdel(`email-login:${token}`);
   if (!raw) return null;
   return JSON.parse(raw) as { email: string };
 };
+
+type PasswordResetPayload = {
+  userId: string;
+  uid: string;
+  email: string;
+};
+
+const passwordResetTokenKey = (token: string) => `password-reset:${token}`;
+
+export const createPasswordResetToken = async (
+  params: PasswordResetPayload & { ttlSeconds?: number }
+): Promise<string> => {
+  const token = crypto.randomUUID();
+  await redis.set(
+    passwordResetTokenKey(token),
+    JSON.stringify({
+      userId: params.userId,
+      uid: params.uid,
+      email: params.email,
+    }),
+    "EX",
+    params.ttlSeconds ?? 900
+  );
+  return token;
+};
+
+export const consumePasswordResetToken = async (
+  token: string
+): Promise<PasswordResetPayload | null> => {
+  const raw = await redis.getdel(passwordResetTokenKey(token));
+  if (!raw) return null;
+  return JSON.parse(raw) as PasswordResetPayload;
+};

package/src/services/secrets.ts

@@ -0,0 +1,10 @@
+import { decryptValue, encryptValue } from "./settings/crypto";
+
+export const encryptSecret = async (value: unknown): Promise<string> => encryptValue(value);
+
+export const decryptSecret = async <T = unknown>(value: string): Promise<T> => (await decryptValue(value)) as T;
+
+export const secrets = {
+  encrypt: encryptSecret,
+  decrypt: decryptSecret,
+};