v3: added password change/reset feature

api/lib/jwt.ts

@@ -6,6 +6,8 @@ import {
   InvitePayload,
   isAuthPayload,
   isInvitePayload,
+  isPasswordResetPayload,
+  type PasswordResetPayload,
 } from "../model/interfaces.ts";
 import { JWT_SECRET } from "../config.ts";
 
@@ -38,6 +40,32 @@ export async function verifyInviteToken(
   }
 }
 
+// ── Password reset tokens ─────────────────────────────────────────────────────
+
+export async function createPasswordResetToken(
+  userId: string,
+): Promise<string> {
+  return await new SignJWT({ purpose: "password-reset", userId })
+    .setProtectedHeader({ alg: "HS256" })
+    .setJti(crypto.randomUUID())
+    .setExpirationTime("1h")
+    .sign(JWT_KEY);
+}
+
+export async function verifyPasswordResetToken(
+  token: string,
+): Promise<PasswordResetPayload | null> {
+  try {
+    const { payload } = await jwtVerify(token, JWT_KEY);
+    if (!isPasswordResetPayload(payload)) return null;
+    return payload as PasswordResetPayload;
+  } catch {
+    return null;
+  }
+}
+
+// ── Auth tokens ───────────────────────────────────────────────────────────────
+
 export async function createJWT(
   payload: Omit<AuthPayload, "exp">,
 ): Promise<string> {