-- name: CreatePasswordReset :exec INSERT INTO password_resets (token, user_id, expires_at) VALUES ($1, $2, $3); -- name: GetPasswordReset :one SELECT * FROM password_resets WHERE token = $1; -- name: UsePasswordReset :execrows -- Atomic claim: marks the token used only if currently unused -- and not expired. Returns rows-affected so the caller can -- distinguish "successful claim" (rows=1) from "already used / -- expired / nonexistent" (rows=0). UPDATE password_resets SET used_at = now() WHERE token = $1 AND used_at IS NULL AND expires_at > now(); -- name: DeleteExpiredPasswordResets :exec -- Cleanup: drop tokens that have been expired more than 7 days. -- Not wired in U3; useful to have for a future cron sweep. DELETE FROM password_resets WHERE expires_at < now() - interval '7 days';