store: user_setup_tokens CRUD + cleanup-expired

internal/store/setup_tokens.go

@@ -0,0 +1,93 @@
+package store
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"time"
+)
+
+// SetSetupToken inserts a row, replacing any existing token for
+// this user (single-outstanding invariant). Caller passes a hash —
+// raw tokens are never persisted.
+func (s *Store) SetSetupToken(ctx context.Context, t SetupToken) error {
+	_, err := s.db.ExecContext(ctx,
+		`INSERT OR REPLACE INTO user_setup_tokens
+		   (user_id, token_hash, expires_at, created_at, created_by)
+		 VALUES (?, ?, ?, ?, ?)`,
+		t.UserID, t.TokenHash,
+		t.ExpiresAt.UTC().Format(time.RFC3339Nano),
+		t.CreatedAt.UTC().Format(time.RFC3339Nano),
+		nullable(t.CreatedBy))
+	if err != nil {
+		return fmt.Errorf("store: set setup token: %w", err)
+	}
+	return nil
+}
+
+// LookupSetupToken resolves a token hash to its row. Returns
+// ErrNotFound for missing tokens. Expiry is NOT checked here —
+// callers must compare ExpiresAt themselves so they can record
+// 'expired' as a distinct outcome (audit-able) from 'never existed'.
+func (s *Store) LookupSetupToken(ctx context.Context, tokenHash string) (*SetupToken, error) {
+	row := s.db.QueryRowContext(ctx,
+		`SELECT user_id, token_hash, expires_at, created_at, created_by
+		 FROM user_setup_tokens WHERE token_hash = ?`, tokenHash)
+	return scanSetupToken(row.Scan)
+}
+
+// GetSetupTokenByUserID returns the row for one user. Used by the
+// edit page to know whether a 'Regenerate setup link' button should
+// show as 'Generate' or 'Regenerate'. Returns ErrNotFound when no
+// outstanding token exists.
+func (s *Store) GetSetupTokenByUserID(ctx context.Context, userID string) (*SetupToken, error) {
+	row := s.db.QueryRowContext(ctx,
+		`SELECT user_id, token_hash, expires_at, created_at, created_by
+		 FROM user_setup_tokens WHERE user_id = ?`, userID)
+	return scanSetupToken(row.Scan)
+}
+
+// DeleteSetupToken removes the row for a user (single-use cleanup
+// after /setup completes successfully).
+func (s *Store) DeleteSetupToken(ctx context.Context, userID string) error {
+	_, err := s.db.ExecContext(ctx,
+		`DELETE FROM user_setup_tokens WHERE user_id = ?`, userID)
+	if err != nil {
+		return fmt.Errorf("store: delete setup token: %w", err)
+	}
+	return nil
+}
+
+// CleanupExpiredSetupTokens removes rows whose expires_at has passed.
+// Returns the number of rows deleted. Called from the maintenance
+// ticker every minute.
+func (s *Store) CleanupExpiredSetupTokens(ctx context.Context, now time.Time) (int64, error) {
+	res, err := s.db.ExecContext(ctx,
+		`DELETE FROM user_setup_tokens WHERE expires_at < ?`,
+		now.UTC().Format(time.RFC3339Nano))
+	if err != nil {
+		return 0, fmt.Errorf("store: cleanup setup tokens: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	return n, nil
+}
+
+func scanSetupToken(scan func(...any) error) (*SetupToken, error) {
+	var t SetupToken
+	var createdBy sql.NullString
+	var expiresAt, createdAt string
+	if err := scan(&t.UserID, &t.TokenHash, &expiresAt, &createdAt, &createdBy); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, fmt.Errorf("store: scan setup token: %w", err)
+	}
+	t.ExpiresAt, _ = time.Parse(time.RFC3339Nano, expiresAt)
+	t.CreatedAt, _ = time.Parse(time.RFC3339Nano, createdAt)
+	if createdBy.Valid {
+		v := createdBy.String
+		t.CreatedBy = &v
+	}
+	return &t, nil
+}