feat(auth): add password_hash column + bcrypt helper for Auth.js Credentials provider

- Migration 0002 adds nullable password_hash to users (idempotent)
- src/lib/passwords.ts: encode/verify with self-describing format
  (algo$N$salt$hash) so we can migrate to a stronger KDF later
- Schema adds passwordHash column; OAuth-only users leave it null
This commit is contained in:
2026-06-07 01:36:27 +00:00
parent 7cd0603cfb
commit 720ffe5262
3 changed files with 95 additions and 0 deletions
+21
View File
@@ -0,0 +1,21 @@
-- 0002_admin_password.sql
--
-- Adds a `password_hash` column to `users` so the Auth.js Credentials
-- provider can verify email + password against the database.
--
-- Idempotent: uses `ADD COLUMN IF NOT EXISTS`. The column is nullable
-- because OAuth-only users (Google) never set a password.
--
-- The Credentials provider's `authorize` function is documented in
-- `src/lib/auth.ts` — it queries this column and runs `verifyPassword`
-- (see `src/lib/passwords.ts`) before returning the user.
BEGIN;
ALTER TABLE users
ADD COLUMN IF NOT EXISTS password_hash TEXT;
-- Update the updated_at trigger tracking — no new triggers needed since
-- `users` already has `set_updated_at` from migration 0001.
COMMIT;
+7
View File
@@ -35,6 +35,13 @@ export const users = pgTable(
email: text("email").unique(),
name: text("name"),
image: text("image"),
/**
* Bcrypt / scrypt / argon2 hash, or null for OAuth-only users.
* Format is self-describing (algorithm$N$salt$hash) so we can
* migrate to a stronger KDF later without losing existing hashes.
* See `src/lib/passwords.ts` for the encoder/decoder.
*/
passwordHash: text("password_hash"),
authProvider: text("auth_provider", { enum: authProviderEnum })
.notNull()
.default("dev"),