From a1d307fafabc8d69a97f7c5406546fe61605e122 Mon Sep 17 00:00:00 2001
From: Steve Cliff <steve@devcloud.guru>
Date: Tue, 5 May 2026 09:00:35 +0100
Subject: [PATCH] =?UTF-8?q?store:=20migration=200018=20=E2=80=94=20user=5F?=
 =?UTF-8?q?setup=5Ftokens?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../store/migrations/0018_user_setup_tokens.sql  | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 internal/store/migrations/0018_user_setup_tokens.sql

diff --git a/internal/store/migrations/0018_user_setup_tokens.sql b/internal/store/migrations/0018_user_setup_tokens.sql
new file mode 100644
index 0000000..a308cfb
--- /dev/null
+++ b/internal/store/migrations/0018_user_setup_tokens.sql
@@ -0,0 +1,16 @@
+-- 0018_user_setup_tokens.sql
+--
+-- One outstanding setup token per user (PRIMARY KEY on user_id).
+-- Regenerating a link is INSERT OR REPLACE — old token immediately
+-- invalid. Token is stored as sha256(raw) hex, never the raw token,
+-- so a DB leak doesn't leak active links.
+
+CREATE TABLE user_setup_tokens (
+  user_id     TEXT PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
+  token_hash  TEXT NOT NULL,
+  expires_at  TEXT NOT NULL,
+  created_at  TEXT NOT NULL,
+  created_by  TEXT REFERENCES users(id) ON DELETE SET NULL
+);
+
+CREATE INDEX user_setup_tokens_expires ON user_setup_tokens(expires_at);