chore: extract token generation logic to its own package (#2135)

## Summary

Extracted common token operations from the existing `/token` endpoint to
a new `internal/tokens` package to enable code reuse for the upcoming
`/oauth/token` endpoint implementation.

## Backward Compatibility
- Type aliases: AccessTokenClaims = tokens.AccessTokenClaims in
`internal/api/token.go` to keep the changes low
- Method preservation: All existing API methods work unchanged
- Feature parity: AsRedirectURL(), hooks, validation - everything
preserved

Note on request object dependency: The service requires the HTTP
`request` object for audit log entries (`models.NewAuditLogEntry`).
While ideally the service would extract only needed context, the current
audit logging implementation requires the full request object.

Author: cemalkilic

internal/api/api.go

@@ -18,6 +18,7 @@ import (
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
+	"github.com/supabase/auth/internal/tokens"
 	"github.com/supabase/auth/internal/utilities"
 	"github.com/supabase/hibp"
 )
@@ -36,9 +37,10 @@ type API struct {
 	config  *conf.GlobalConfiguration
 	version string
 
-	hooksMgr    *v0hooks.Manager
-	hibpClient  *hibp.PwnedClient
-	oauthServer *oauthserver.Server
+	hooksMgr     *v0hooks.Manager
+	hibpClient   *hibp.PwnedClient
+	oauthServer  *oauthserver.Server
+	tokenService *tokens.Service
 
 	// overrideTime can be used to override the clock used by handlers. Should only be used in tests!
 	overrideTime func() time.Time
@@ -48,6 +50,7 @@ type API struct {
 
 func (a *API) GetConfig() *conf.GlobalConfiguration { return a.config }
 func (a *API) GetDB() *storage.Connection           { return a.db }
+func (a *API) GetTokenService() *tokens.Service     { return a.tokenService }
 
 func (a *API) Version() string {
 	return a.version
@@ -100,6 +103,15 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		pgfuncDr := hookspgfunc.New(db)
 		api.hooksMgr = v0hooks.NewManager(globalConfig, httpDr, pgfuncDr)
 	}
+
+	// Initialize token service if not provided via options
+	if api.tokenService == nil {
+		api.tokenService = tokens.NewService(globalConfig, api.hooksMgr)
+	}
+
+	// Connect token service to API's time function (supports test overrides)
+	api.tokenService.SetTimeFunc(api.Now)
+
 	if api.config.Password.HIBP.Enabled {
 		httpClient := &http.Client{
 			// all HIBP API requests should finish quickly to avoid

internal/api/external.go

@@ -19,6 +19,7 @@ import (
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
+	"github.com/supabase/auth/internal/tokens"
 	"github.com/supabase/auth/internal/utilities"
 	"golang.org/x/oauth2"
 )
@@ -109,7 +110,7 @@ func (a *API) GetExternalProviderRedirectURL(w http.ResponseWriter, r *http.Requ
 		claims.LinkingTargetID = linkingTargetUser.ID.String()
 	}
 
-	tokenString, err := signJwt(&config.JWT, claims)
+	tokenString, err := tokens.SignJWT(&config.JWT, claims)
 	if err != nil {
 		return "", apierrors.NewInternalServerError("Error creating state").WithInternalError(err)
 	}

internal/api/jwks.go

@@ -3,10 +3,8 @@ package api
 import (
 	"net/http"
 
-	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	jwk "github.com/lestrrat-go/jwx/v2/jwk"
-	"github.com/supabase/auth/internal/conf"
 )
 
 type JwksResponse struct {
@@ -30,32 +28,3 @@ func (a *API) Jwks(w http.ResponseWriter, r *http.Request) error {
 	w.Header().Set("Cache-Control", "public, max-age=600")
 	return sendJSON(w, http.StatusOK, resp)
 }
-
-func signJwt(config *conf.JWTConfiguration, claims jwt.Claims) (string, error) {
-	signingJwk, err := conf.GetSigningJwk(config)
-	if err != nil {
-		return "", err
-	}
-	signingMethod := conf.GetSigningAlg(signingJwk)
-	token := jwt.NewWithClaims(signingMethod, claims)
-	if token.Header == nil {
-		token.Header = make(map[string]interface{})
-	}
-
-	if _, ok := token.Header["kid"]; !ok {
-		if kid := signingJwk.KeyID(); kid != "" {
-			token.Header["kid"] = kid
-		}
-	}
-	// this serializes the aud claim to a string
-	jwt.MarshalSingleStringAsArray = false
-	signingKey, err := conf.GetSigningKey(signingJwk)
-	if err != nil {
-		return "", err
-	}
-	signed, err := token.SignedString(signingKey)
-	if err != nil {
-		return "", err
-	}
-	return signed, nil
-}

internal/api/options.go

@@ -7,6 +7,7 @@ import (
 	"github.com/didip/tollbooth/v5/limiter"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/ratelimit"
+	"github.com/supabase/auth/internal/tokens"
 )
 
 type Option interface {
@@ -36,6 +37,19 @@ type LimiterOptions struct {
 
 func (lo *LimiterOptions) apply(a *API) { a.limiterOpts = lo }
 
+// TokenServiceOption allows injecting a custom token service
+type TokenServiceOption struct {
+	service *tokens.Service
+}
+
+func WithTokenService(service *tokens.Service) *TokenServiceOption {
+	return &TokenServiceOption{service: service}
+}
+
+func (tso *TokenServiceOption) apply(a *API) {
+	a.tokenService = tso.service
+}
+
 func NewLimiterOptions(gc *conf.GlobalConfiguration) *LimiterOptions {
 	o := &LimiterOptions{}
 

internal/api/ssoadmin_test.go

@@ -55,22 +55,22 @@ func TestE2EAdmin(t *testing.T) {
 			}
 			getTestAttributes := func() map[string]models.SAMLAttribute {
 				return map[string]models.SAMLAttribute{
-					"TestE2EAdmin": models.SAMLAttribute{
+					"TestE2EAdmin": {
 						Default: true,
 					},
-					"customAttr": models.SAMLAttribute{
+					"customAttr": {
 						Default: "somevalue",
 					},
-					"email": models.SAMLAttribute{
+					"email": {
 						Name: "user.email",
 					},
-					"first_name": models.SAMLAttribute{
+					"first_name": {
 						Name: "user.firstName",
 					},
-					"last_name": models.SAMLAttribute{
+					"last_name": {
 						Name: "user.lastName",
 					},
-					"user_name": models.SAMLAttribute{
+					"user_name": {
 						Name: "user.login",
 					},
 				}