2026-05-05 11:01:44 +01:00
1 changed files with 16 additions and 0 deletions
@@ -0,0 +1,16 @@
+-- 0018_user_setup_tokens.sql
+--
+-- One outstanding setup token per user (PRIMARY KEY on user_id).
+-- Regenerating a link is INSERT OR REPLACE — old token immediately
+-- invalid. Token is stored as sha256(raw) hex, never the raw token,
+-- so a DB leak doesn't leak active links.
+
+CREATE TABLE user_setup_tokens (
+  user_id     TEXT PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
+  token_hash  TEXT NOT NULL,
+  expires_at  TEXT NOT NULL,
+  created_at  TEXT NOT NULL,
+  created_by  TEXT REFERENCES users(id) ON DELETE SET NULL
+);
+
+CREATE INDEX user_setup_tokens_expires ON user_setup_tokens(expires_at);