feat(root): move email auth flow into api

Add API-owned email registration and login with bcrypt hashing,
issue backend JWE tokens directly, and update the web app to use
backend auth state for email sessions while keeping social auth
bridging in place.

Co-Authored-By: First Fluke <our.first.fluke@gmail.com>

Author: gracefullight

apps/api/alembic/env.py

@@ -8,9 +8,7 @@
 from alembic import context
 from src.lib.config import settings
 from src.lib.database import Base
-
-# Import all models here for autogenerate
-# from src.users.models import User
+from src.users import model as users_model  # noqa: F401
 
 config = context.config
 

apps/api/alembic/versions/20260405_000001_add_password_hash_to_users.py

@@ -0,0 +1,26 @@
+"""add password hash column to users
+
+Revision ID: 20260405_000001
+Revises:
+Create Date: 2026-04-05 01:00:01
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "20260405_000001"
+down_revision: str | None = None
+branch_labels: Sequence[str] | None = None
+depends_on: Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.add_column("users", sa.Column("password_hash", sa.String(length=255), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column("users", "password_hash")

apps/api/openapi.json

@@ -70,19 +70,111 @@
         }
       }
     },
+    "/api/auth/register": {
+      "post": {
+        "tags": [
+          "authentication"
+        ],
+        "summary": "Register",
+        "description": "Register with email/password and issue backend tokens.",
+        "operationId": "register_api_auth_register_post",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/RegisterRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": "Successful Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TokenResponse"
+                }
+              }
+            }
+          },
+          "422": {
+            "description": "Validation Error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/HTTPValidationError"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/auth/login": {
       "post": {
         "tags": [
           "authentication"
         ],
         "summary": "Login",
-        "description": "OAuth login endpoint.\n\nVerify OAuth token, create/update user, and issue JWE tokens.",
+        "description": "Login with OAuth or email/password and issue backend tokens.\n\nVerify OAuth token, create/update user, and issue JWE tokens.",
         "operationId": "login_api_auth_login_post",
         "requestBody": {
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/OAuthLoginRequest"
+                "anyOf": [
+                  {
+                    "$ref": "#/components/schemas/OAuthLoginRequest"
+                  },
+                  {
+                    "$ref": "#/components/schemas/EmailLoginRequest"
+                  }
+                ],
+                "title": "Request"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Successful Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TokenResponse"
+                }
+              }
+            }
+          },
+          "422": {
+            "description": "Validation Error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/HTTPValidationError"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/auth/session-exchange": {
+      "post": {
+        "tags": [
+          "authentication"
+        ],
+        "summary": "Session Exchange",
+        "description": "Exchange better-auth session token for backend JWE tokens.\n\nUsed by email/password auth users who have no OAuth provider token.\nVerifies session with better-auth server, then issues backend tokens.",
+        "operationId": "session_exchange_api_auth_session_exchange_post",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SessionExchangeRequest"
               }
             }
           },
@@ -168,10 +260,51 @@
           }
         }
       }
+    },
+    "/api/auth/me": {
+      "get": {
+        "tags": [
+          "authentication"
+        ],
+        "summary": "Get Me",
+        "description": "Return the current authenticated user.",
+        "operationId": "get_me_api_auth_me_get",
+        "responses": {
+          "200": {
+            "description": "Successful Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/UserResponse"
+                }
+              }
+            }
+          }
+        }
+      }
     }
   },
   "components": {
     "schemas": {
+      "EmailLoginRequest": {
+        "properties": {
+          "email": {
+            "type": "string",
+            "title": "Email"
+          },
+          "password": {
+            "type": "string",
+            "title": "Password"
+          }
+        },
+        "type": "object",
+        "required": [
+          "email",
+          "password"
+        ],
+        "title": "EmailLoginRequest",
+        "description": "Email/password login request."
+      },
       "HTTPValidationError": {
         "properties": {
           "detail": {
@@ -271,6 +404,36 @@
         "title": "RefreshTokenRequest",
         "description": "Refresh token request."
       },
+      "RegisterRequest": {
+        "properties": {
+          "email": {
+            "type": "string",
+            "title": "Email"
+          },
+          "password": {
+            "type": "string",
+            "title": "Password"
+          },
+          "name": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Name"
+          }
+        },
+        "type": "object",
+        "required": [
+          "email",
+          "password"
+        ],
+        "title": "RegisterRequest",
+        "description": "Email/password registration request."
+      },
       "ServiceStatus": {
         "properties": {
           "status": {
@@ -311,6 +474,20 @@
         "title": "ServiceStatus",
         "description": "Individual service health status."
       },
+      "SessionExchangeRequest": {
+        "properties": {
+          "session_token": {
+            "type": "string",
+            "title": "Session Token"
+          }
+        },
+        "type": "object",
+        "required": [
+          "session_token"
+        ],
+        "title": "SessionExchangeRequest",
+        "description": "Exchange better-auth session token for backend JWE tokens."
+      },
       "TokenResponse": {
         "properties": {
           "access_token": {
@@ -335,6 +512,64 @@
         "title": "TokenResponse",
         "description": "Token response."
       },
+      "UserResponse": {
+        "properties": {
+          "id": {
+            "type": "string",
+            "title": "Id"
+          },
+          "email": {
+            "type": "string",
+            "title": "Email"
+          },
+          "name": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Name"
+          },
+          "image": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Image"
+          },
+          "email_verified": {
+            "type": "boolean",
+            "title": "Email Verified",
+            "default": false
+          },
+          "created_at": {
+            "type": "string",
+            "format": "date-time",
+            "title": "Created At"
+          },
+          "updated_at": {
+            "type": "string",
+            "format": "date-time",
+            "title": "Updated At"
+          }
+        },
+        "type": "object",
+        "required": [
+          "id",
+          "email",
+          "created_at",
+          "updated_at"
+        ],
+        "title": "UserResponse",
+        "description": "User response model."
+      },
       "ValidationError": {
         "properties": {
           "loc": {

apps/api/pyproject.toml

@@ -24,6 +24,7 @@ dependencies = [
     "opentelemetry-exporter-otlp>=1.28.0",
     "jwcrypto>=1.5.6",
     "psycopg2-binary>=2.9.9",
+    "bcrypt>=5.0.0",
 ]
 
 [dependency-groups]
@@ -35,7 +36,7 @@ dev = [
     "pytest-asyncio>=0.26.0",
     "pytest-cov>=6.1.1",
     "factory-boy>=3.3.3",
-
+    "aiosqlite>=0.22.1",
 ]
 
 [tool.uv]