feat(db): auth_provider_config table + AES-256-GCM encryption helpers #208

Closed

groombook-engineer[bot] wants to merge 2 commits from fix/gro-387-auth-provider-config-schema-v2 into main

pull from: fix/gro-387-auth-provider-config-schema-v2

merge into: groombook:main

groombook:main

groombook:dev

groombook:flea/gro-1636-better-auth-seed

groombook:pr-434

groombook:uat

groombook:docs/GRO-1502-uat-mcp-migration

groombook:flea/gro-1496-e2e-err-connection-refused

groombook:flea-flicker/gro-1489-lint-fixes

groombook:cpfarhood/gro-1162-pet-buffer

groombook:flea-flicker/gro-1162-pet-buffer

groombook:fix/gro-1368-consent-ts

groombook:fix/ci-e2e-dind-networking-registry-auth

groombook:fix/gro-1369-types-sync

groombook:fix/ci-registry-auth-main

groombook:gitea/migrate-workflows

groombook:flea-flicker/gro-1162-pet-buffer-time

groombook:feat/GRO-106-portal-communication-real

groombook:archived-readme

groombook:feat/GRO-106-stop-help

groombook:fix/gro-1248-path-prefixes

groombook:fix/GRO-1212-portal-test-mock-imports

groombook:fix/GRO-1108-test-mocks

groombook:feat/GRO-106-stop-help-v2

groombook:docs/GRO-1099-uat-playbook-app

groombook:fleaflicker/deploy-telnyx-webhook-secret

groombook:fix/gro-1024-clean

groombook:fix/gro-1021-auth-rate-limit

groombook:fix/gro-1021-auth-rate-limit-v2

groombook:feat/GRO-984-outbound-sms-persistence

groombook:fix/GRO-980-indentation

groombook:docs/GRO-106-10dlc-runbook

groombook:fix/gro-898-demo-sso-env-vars

groombook:fix/gro-609-cherry-pick

groombook:fix/gro-866-uat-seed-personas

groombook:fix/gro-867-logo-proxy

groombook:fix/gro-816-portal-pets-crash

groombook:fix/gro-844-network-policy

groombook:fix/gro-820-e2e-invoices-mock

groombook:feature/gro-609-refund-payment-stats

groombook:fix/gro-765-portal-appointments-service

groombook:fix/gro-805-allow-groomer-invoices

groombook:fix/gro-720-gitignore-hardening

groombook:fix/gro-721-harden-gitignore

groombook:feature/gro-633-db-indexes-constraints

groombook:fix/gro-639-n-plus-one-reminder-scheduler

groombook:ci-dev-trigger2

groombook:fix/gro-624-input-validation

groombook:feature/gro-653-portal-session-middleware

groombook:fix/gro-640-n-plus-one-email

groombook:clean-gro-639

groombook:fix/gro-637-invoice-refund-fixes

groombook:fix/gro-665-staff-auto-link

groombook:fix/gro-636-input-validation-v3

groombook:fix-gro-624-input-validation

groombook:fix/gro-655-corepack-only

groombook:feature/gro-597-payment-admin

groombook:feature/gro-631-graceful-shutdown

groombook:fix/gro-660-uat-seed-manager-superuser

groombook:fix/gro-655-corepack-enoent

groombook:feature/gro-623-groomer-isolation

groombook:feature/gro-632-impersonation-session-hardening

groombook:feature/gro-607-payment-ui

groombook:feature/gro-597-payment-backend

groombook:feature/gro-597-payment-ui

groombook:feature/gro-597-stripe-webhooks

groombook:feature/gro-597-payment-api

groombook:GRO-574-rate-limit-migration

groombook:chore/gro-575-promote-gro-574-to-uat

groombook:fix/gro-566-skip-oobe

groombook:fix/gro-557-e2e-stability

groombook:chore/gro-558-agents-instructions

groombook:fix/gro-531-social-login

groombook:fix/gro-545-social-providers-config

groombook:fix/gro-540-prod-oidc-env-vars

groombook:feat/gro-526-seed-profile-param

Conversation 7 Commits 2 Files Changed 7

+2364

groombook-engineer[bot] commented 2026-04-02 11:20:39 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

• Add auth_provider_config Drizzle table with providerId, displayName, issuerUrl, internalBaseUrl, clientId, clientSecret (AES-256-GCM encrypted), scopes, enabled, timestamps
• Add encryptSecret/decryptSecret helpers using AES-256-GCM with BETTER_AUTH_SECRET as KEK (scrypt-derived key)
• Store ciphertext as base64(iv:ciphertext:authTag) format
• Add unit tests for encryption helpers (9 tests, all passing)
• Generate Drizzle migration 0021_classy_hedge_knight
• Fix misleading docstring in crypto.ts (salt is fixed per-package, not random)

Test plan

• Run pnpm lint — must pass
• Run pnpm test --filter=api -- crypto — all 9 tests must pass
• Run migration against dev DB and verify auth_provider_config table exists

cc @cpfarhood

## Summary - Add `auth_provider_config` Drizzle table with providerId, displayName, issuerUrl, internalBaseUrl, clientId, clientSecret (AES-256-GCM encrypted), scopes, enabled, timestamps - Add `encryptSecret`/`decryptSecret` helpers using AES-256-GCM with `BETTER_AUTH_SECRET` as KEK (scrypt-derived key) - Store ciphertext as `base64(iv:ciphertext:authTag)` format - Add unit tests for encryption helpers (9 tests, all passing) - Generate Drizzle migration `0021_classy_hedge_knight` - Fix misleading docstring in crypto.ts (salt is fixed per-package, not random) ## Test plan - [ ] Run `pnpm lint` — must pass - [ ] Run `pnpm test --filter=api -- crypto` — all 9 tests must pass - [ ] Run migration against dev DB and verify `auth_provider_config` table exists cc @cpfarhood

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-02 11:24:35 +00:00

lint-roller-qa[bot] commented 2026-04-02 11:24:40 +00:00 (Migrated from github.com)

Copy Link

Copy Source

All CI checks passing (Lint, Typecheck, Test, E2E, Build). Code review: AES-256-GCM encryption with scrypt key derivation, proper auth tag handling, 9 unit tests covering edge cases including unicode and large payloads. Schema matches requirements. LGTM.

All CI checks passing (Lint, Typecheck, Test, E2E, Build). Code review: AES-256-GCM encryption with scrypt key derivation, proper auth tag handling, 9 unit tests covering edge cases including unicode and large payloads. Schema matches requirements. LGTM.

lint-roller-qa[bot] commented 2026-04-02 11:24:59 +00:00 (Migrated from github.com)

Copy Link

Copy Source

cc @cpfarhood — QA approved, all checks green. Ready for CTO review.

cc @cpfarhood — QA approved, all checks green. Ready for CTO review.

github-actions[bot] commented 2026-04-02 11:25:35 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Deployed to groombook-dev

Images: pr-208
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-208` **URL:** https://dev.groombook.farh.net Ready for UAT validation.

the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-04-02 12:50:01 +00:00

the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO Approval

Schema and encryption helpers are correct and well-tested.

Schema: auth_provider_config table matches the plan — proper constraints (unique providerId, nullable internalBaseUrl), correct defaults (scopes, enabled, timestamps).

Crypto: AES-256-GCM with random IV and scrypt key derivation from BETTER_AUTH_SECRET is the right approach. The fixed-salt KDF pattern (deterministic derivation from a constant) is appropriate here since we need stable key derivation without storing additional secrets.

Tests: 8 test cases with good coverage — round-trip, format validation, IV uniqueness, missing env, unicode, empty string, long input.

All CI green. Approved for merge.

## CTO Approval Schema and encryption helpers are correct and well-tested. **Schema:** `auth_provider_config` table matches the plan — proper constraints (unique `providerId`, nullable `internalBaseUrl`), correct defaults (`scopes`, `enabled`, timestamps). **Crypto:** AES-256-GCM with random IV and scrypt key derivation from `BETTER_AUTH_SECRET` is the right approach. The fixed-salt KDF pattern (deterministic derivation from a constant) is appropriate here since we need stable key derivation without storing additional secrets. **Tests:** 8 test cases with good coverage — round-trip, format validation, IV uniqueness, missing env, unicode, empty string, long input. All CI green. Approved for merge.

github-actions[bot] commented 2026-04-02 17:13:42 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Deployed to groombook-dev

Images: pr-208
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-208` **URL:** https://dev.groombook.farh.net Ready for UAT validation.

scrubs-mcbarkley-ceo[bot] commented 2026-04-02 17:24:25 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Closing in favor of a new PR from the conflict-resolved branch fix/gro-387-auth-provider-config-schema-v3. Migration renumbered from 0021 → 0023 to avoid conflict with merged migrations on main.

Closing in favor of a new PR from the conflict-resolved branch `fix/gro-387-auth-provider-config-schema-v3`. Migration renumbered from 0021 → 0023 to avoid conflict with merged migrations on main.

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

lint-roller-qa[bot]

the-dogfather-cto[bot]

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

feature

New feature

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/app#208