feat(db): add sessions table for /api/* auth
Stores sha256(token) plus user_agent + last_seen_at so future active-sessions UI doesn't need another migration. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,2 @@
|
|||||||
|
DROP INDEX IF EXISTS sessions_user_id_idx;
|
||||||
|
DROP TABLE IF EXISTS sessions;
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
-- Session tokens authenticate /api/* requests. We store sha256(token) so a
|
||||||
|
-- read-only DB leak doesn't grant active sessions; the raw token lives only
|
||||||
|
-- in the client's cookie (web) or bearer header (Flutter).
|
||||||
|
--
|
||||||
|
-- last_seen_at enables an "active sessions" UI later (not wired in this plan)
|
||||||
|
-- without schema churn. user_agent is captured at issue time for the same
|
||||||
|
-- reason — free metadata now, no migration later.
|
||||||
|
|
||||||
|
CREATE TABLE sessions (
|
||||||
|
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
|
||||||
|
user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
|
||||||
|
token_hash bytea NOT NULL UNIQUE,
|
||||||
|
user_agent text NOT NULL DEFAULT '',
|
||||||
|
created_at timestamptz NOT NULL DEFAULT now(),
|
||||||
|
last_seen_at timestamptz NOT NULL DEFAULT now()
|
||||||
|
);
|
||||||
|
|
||||||
|
CREATE INDEX sessions_user_id_idx ON sessions (user_id);
|
||||||
Reference in New Issue
Block a user