feat(db): auth_provider_config table + AES-256-GCM encryption helpers

Renumbered migration 0021 → 0023 to resolve conflict with pet_image and
logo_key migrations that landed on main after this branch was created.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

packages/db/src/crypto.ts

@@ -0,0 +1,82 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12; // 96-bit IV for GCM
+const AUTH_TAG_LENGTH = 16; // 128-bit auth tag
+const SALT_LENGTH = 16;
+
+/**
+ * Derives a 32-byte key from BETTER_AUTH_SECRET using scrypt.
+ * BETTER_AUTH_SECRET is used as the password, with a fixed salt derived from the package name.
+ */
+function deriveKey(secret: string): Buffer {
+  // Use a fixed salt derived from the package name for key derivation
+  // This gives us stable key derivation without storing an extra salt
+  const packageSalt = scryptSync("groombook-auth-provider-config", "", SALT_LENGTH);
+  return scryptSync(secret, packageSalt, 32);
+}
+
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Returns a base64-encoded string in the format: iv:ciphertext:authTag
+ */
+export function encryptSecret(plaintext: string): string {
+  const secret = process.env.BETTER_AUTH_SECRET;
+  if (!secret) {
+    throw new Error("BETTER_AUTH_SECRET environment variable is required");
+  }
+
+  const key = deriveKey(secret);
+  const iv = randomBytes(IV_LENGTH);
+
+  const cipher = createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  let ciphertext = cipher.update(plaintext, "utf8");
+  ciphertext = Buffer.concat([ciphertext, cipher.final()]);
+
+  const authTag = cipher.getAuthTag();
+
+  // Format: base64(iv):base64(ciphertext):base64(authTag)
+  return [
+    iv.toString("base64"),
+    ciphertext.toString("base64"),
+    authTag.toString("base64"),
+  ].join(":");
+}
+
+/**
+ * Decrypts a ciphertext string produced by encryptSecret.
+ * Expects the format: iv:ciphertext:authTag (all base64-encoded)
+ */
+export function decryptSecret(encrypted: string): string {
+  const secret = process.env.BETTER_AUTH_SECRET;
+  if (!secret) {
+    throw new Error("BETTER_AUTH_SECRET environment variable is required");
+  }
+
+  const parts = encrypted.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted value format: expected iv:ciphertext:authTag");
+  }
+
+  const ivBase64 = parts[0]!;
+  const ciphertextBase64 = parts[1]!;
+  const authTagBase64 = parts[2]!;
+  const iv = Buffer.from(ivBase64, "base64");
+  const ciphertext = Buffer.from(ciphertextBase64, "base64");
+  const authTag = Buffer.from(authTagBase64, "base64");
+
+  const key = deriveKey(secret);
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+
+  let plaintext = decipher.update(ciphertext);
+  plaintext = Buffer.concat([plaintext, decipher.final()]);
+
+  return plaintext.toString("utf8");
+}

packages/db/src/index.ts

@@ -4,6 +4,7 @@ import * as schema from "./schema.js";
 
 export * from "./schema.js";
 export { and, asc, desc, eq, exists, gte, gt, ilike, inArray, lt, lte, ne, or, sql } from "drizzle-orm";
+export { encryptSecret, decryptSecret } from "./crypto.js";
 
 let _db: ReturnType<typeof drizzle> | null = null;
 

packages/db/src/schema.ts

@@ -135,7 +135,6 @@ export const pets = pgTable("pets", {
   customFields: jsonb("custom_fields").$type<Record<string, string>>().notNull().default({}),
   photoKey: text("photo_key"),
   photoUploadedAt: timestamp("photo_uploaded_at"),
-  image: text("image"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });
@@ -348,7 +347,6 @@ export const businessSettings = pgTable("business_settings", {
   businessName: text("business_name").notNull().default("GroomBook"),
   logoBase64: text("logo_base64"),
   logoMimeType: text("logo_mime_type"),
-  logoKey: text("logo_key"),
   primaryColor: text("primary_color").notNull().default("#4f8a6f"),
   accentColor: text("accent_color").notNull().default("#8b7355"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
@@ -407,3 +405,19 @@ export const waitlistEntries = pgTable(
     index("idx_waitlist_status").on(t.status),
   ]
 );
+
+// ─── Auth Provider Config ──────────────────────────────────────────────────
+
+export const authProviderConfig = pgTable("auth_provider_config", {
+  id: uuid("id").primaryKey().defaultRandom(),
+  providerId: text("provider_id").notNull().unique(), // e.g. "authentik", "okta", "entra-id"
+  displayName: text("display_name").notNull(), // shown on login button
+  issuerUrl: text("issuer_url").notNull(), // OIDC issuer/discovery URL
+  internalBaseUrl: text("internal_base_url"), // for hairpin NAT / K8s internal routing
+  clientId: text("client_id").notNull(),
+  clientSecret: text("client_secret").notNull(), // AES-256-GCM encrypted using BETTER_AUTH_SECRET
+  scopes: text("scopes").notNull().default("openid profile email"),
+  enabled: boolean("enabled").notNull().default(true),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});