tenseleyflow/shithub / 3baee64

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+

+-- name: InsertDeviceAuthorization :one

+INSERT INTO device_authorizations (

+    device_code_hash, user_code, client_id, scopes,

+    interval_seconds, expires_at

+) VALUES ($1, $2, $3, $4, $5, $6)

+RETURNING id, device_code_hash, user_code, client_id, scopes, user_id,

+          approved_at, denied_at, issued_token_id, interval_seconds,

+          expires_at, last_polled_at, created_at;

+

+-- name: GetDeviceAuthorizationByCodeHash :one

+-- Hot path for the polling /access_token endpoint. The middleware

+-- enforces interval_seconds via last_polled_at downstream.

+SELECT id, device_code_hash, user_code, client_id, scopes, user_id,

+       approved_at, denied_at, issued_token_id, interval_seconds,

+       expires_at, last_polled_at, created_at

+FROM device_authorizations

+WHERE device_code_hash = $1;

+

+-- name: GetDeviceAuthorizationByUserCode :one

+-- Lookup path for the verification page. Returns even non-pending rows

+-- so the handler can render a clean "already approved" / "expired" page

+-- instead of a generic 404.

+SELECT id, device_code_hash, user_code, client_id, scopes, user_id,

+       approved_at, denied_at, issued_token_id, interval_seconds,

+       expires_at, last_polled_at, created_at

+FROM device_authorizations

+WHERE user_code = $1;

+

+-- name: ApproveDeviceAuthorization :exec

+-- Records the user's approval and links the freshly minted PAT.

+-- Idempotency is preserved by the caller — the orchestrator only

+-- calls this once per row.

+UPDATE device_authorizations

+SET user_id = $2,

+    approved_at = now(),

+    issued_token_id = $3

+WHERE id = $1

+  AND approved_at IS NULL

+  AND denied_at IS NULL

+  AND expires_at > now();

+

+-- name: DenyDeviceAuthorization :exec

+UPDATE device_authorizations

+SET denied_at = now()

+WHERE id = $1

+  AND approved_at IS NULL

+  AND denied_at IS NULL;

+

+-- name: TouchDeviceAuthorizationPoll :exec

+UPDATE device_authorizations

+SET last_polled_at = now()

+WHERE id = $1;

+

+-- name: DeleteExpiredDeviceAuthorizations :exec

+-- Janitor invocation: a small forensics window past expiry is fine,

+-- but eventually drop the row so the user_code index stays small.

+DELETE FROM device_authorizations

+WHERE expires_at < now() - interval '24 hours';

+// Code generated by sqlc. DO NOT EDIT.

+// versions:

+//   sqlc v1.31.1

+// source: device_authorizations.sql

+

+package usersdb

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5/pgtype"

+)

+

+const approveDeviceAuthorization = `-- name: ApproveDeviceAuthorization :exec

+UPDATE device_authorizations

+SET user_id = $2,

+    approved_at = now(),

+    issued_token_id = $3

+WHERE id = $1

+  AND approved_at IS NULL

+  AND denied_at IS NULL

+  AND expires_at > now()

+`

+

+type ApproveDeviceAuthorizationParams struct {

+	ID            int64

+	UserID        pgtype.Int8

+	IssuedTokenID pgtype.Int8

+}

+

+// Records the user's approval and links the freshly minted PAT.

+// Idempotency is preserved by the caller — the orchestrator only

+// calls this once per row.

+func (q *Queries) ApproveDeviceAuthorization(ctx context.Context, db DBTX, arg ApproveDeviceAuthorizationParams) error {

+	_, err := db.Exec(ctx, approveDeviceAuthorization, arg.ID, arg.UserID, arg.IssuedTokenID)

+	return err

+}

+

+const deleteExpiredDeviceAuthorizations = `-- name: DeleteExpiredDeviceAuthorizations :exec

+DELETE FROM device_authorizations

+WHERE expires_at < now() - interval '24 hours'

+`

+

+// Janitor invocation: a small forensics window past expiry is fine,

+// but eventually drop the row so the user_code index stays small.

+func (q *Queries) DeleteExpiredDeviceAuthorizations(ctx context.Context, db DBTX) error {

+	_, err := db.Exec(ctx, deleteExpiredDeviceAuthorizations)

+	return err

+}

+

+const denyDeviceAuthorization = `-- name: DenyDeviceAuthorization :exec

+UPDATE device_authorizations

+SET denied_at = now()

+WHERE id = $1

+  AND approved_at IS NULL

+  AND denied_at IS NULL

+`

+

+func (q *Queries) DenyDeviceAuthorization(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, denyDeviceAuthorization, id)

+	return err

+}

+

+const getDeviceAuthorizationByCodeHash = `-- name: GetDeviceAuthorizationByCodeHash :one

+SELECT id, device_code_hash, user_code, client_id, scopes, user_id,

+       approved_at, denied_at, issued_token_id, interval_seconds,

+       expires_at, last_polled_at, created_at

+FROM device_authorizations

+WHERE device_code_hash = $1

+`

+

+// Hot path for the polling /access_token endpoint. The middleware

+// enforces interval_seconds via last_polled_at downstream.

+func (q *Queries) GetDeviceAuthorizationByCodeHash(ctx context.Context, db DBTX, deviceCodeHash []byte) (DeviceAuthorization, error) {

+	row := db.QueryRow(ctx, getDeviceAuthorizationByCodeHash, deviceCodeHash)

+	var i DeviceAuthorization

+	err := row.Scan(

+		&i.ID,

+		&i.DeviceCodeHash,

+		&i.UserCode,

+		&i.ClientID,

+		&i.Scopes,

+		&i.UserID,

+		&i.ApprovedAt,

+		&i.DeniedAt,

+		&i.IssuedTokenID,

+		&i.IntervalSeconds,

+		&i.ExpiresAt,

+		&i.LastPolledAt,

+		&i.CreatedAt,

+	)

+	return i, err

+}

+

+const getDeviceAuthorizationByUserCode = `-- name: GetDeviceAuthorizationByUserCode :one

+SELECT id, device_code_hash, user_code, client_id, scopes, user_id,

+       approved_at, denied_at, issued_token_id, interval_seconds,

+       expires_at, last_polled_at, created_at

+FROM device_authorizations

+WHERE user_code = $1

+`

+

+// Lookup path for the verification page. Returns even non-pending rows

+// so the handler can render a clean "already approved" / "expired" page

+// instead of a generic 404.

+func (q *Queries) GetDeviceAuthorizationByUserCode(ctx context.Context, db DBTX, userCode string) (DeviceAuthorization, error) {

+	row := db.QueryRow(ctx, getDeviceAuthorizationByUserCode, userCode)

+	var i DeviceAuthorization

+	err := row.Scan(

+		&i.ID,

+		&i.DeviceCodeHash,

+		&i.UserCode,

+		&i.ClientID,

+		&i.Scopes,

+		&i.UserID,

+		&i.ApprovedAt,

+		&i.DeniedAt,

+		&i.IssuedTokenID,

+		&i.IntervalSeconds,

+		&i.ExpiresAt,

+		&i.LastPolledAt,

+		&i.CreatedAt,

+	)

+	return i, err

+}

+

+const insertDeviceAuthorization = `-- name: InsertDeviceAuthorization :one

+

+INSERT INTO device_authorizations (

+    device_code_hash, user_code, client_id, scopes,

+    interval_seconds, expires_at

+) VALUES ($1, $2, $3, $4, $5, $6)

+RETURNING id, device_code_hash, user_code, client_id, scopes, user_id,

+          approved_at, denied_at, issued_token_id, interval_seconds,

+          expires_at, last_polled_at, created_at

+`

+

+type InsertDeviceAuthorizationParams struct {

+	DeviceCodeHash  []byte

+	UserCode        string

+	ClientID        string

+	Scopes          []string

+	IntervalSeconds int32

+	ExpiresAt       pgtype.Timestamptz

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+func (q *Queries) InsertDeviceAuthorization(ctx context.Context, db DBTX, arg InsertDeviceAuthorizationParams) (DeviceAuthorization, error) {

+	row := db.QueryRow(ctx, insertDeviceAuthorization,

+		arg.DeviceCodeHash,

+		arg.UserCode,

+		arg.ClientID,

+		arg.Scopes,

+		arg.IntervalSeconds,

+		arg.ExpiresAt,

+	)

+	var i DeviceAuthorization

+	err := row.Scan(

+		&i.ID,

+		&i.DeviceCodeHash,

+		&i.UserCode,

+		&i.ClientID,

+		&i.Scopes,

+		&i.UserID,

+		&i.ApprovedAt,

+		&i.DeniedAt,

+		&i.IssuedTokenID,

+		&i.IntervalSeconds,

+		&i.ExpiresAt,

+		&i.LastPolledAt,

+		&i.CreatedAt,

+	)

+	return i, err

+}

+

+const touchDeviceAuthorizationPoll = `-- name: TouchDeviceAuthorizationPoll :exec

+UPDATE device_authorizations

+SET last_polled_at = now()

+WHERE id = $1

+`

+

+func (q *Queries) TouchDeviceAuthorizationPoll(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, touchDeviceAuthorizationPoll, id)

+	return err

+}

+type DeviceAuthorization struct {

+	ID              int64

+	DeviceCodeHash  []byte

+	UserCode        string

+	ClientID        string

+	Scopes          []string

+	UserID          pgtype.Int8

+	ApprovedAt      pgtype.Timestamptz

+	DeniedAt        pgtype.Timestamptz

+	IssuedTokenID   pgtype.Int8

+	IntervalSeconds int32

+	ExpiresAt       pgtype.Timestamptz

+	LastPolledAt    pgtype.Timestamptz

+	CreatedAt       pgtype.Timestamptz

+}

+

+	// Records the user's approval and links the freshly minted PAT.

+	// Idempotency is preserved by the caller — the orchestrator only

+	// calls this once per row.

+	ApproveDeviceAuthorization(ctx context.Context, db DBTX, arg ApproveDeviceAuthorizationParams) error

+	// Janitor invocation: a small forensics window past expiry is fine,

+	// but eventually drop the row so the user_code index stays small.

+	DeleteExpiredDeviceAuthorizations(ctx context.Context, db DBTX) error

+	DenyDeviceAuthorization(ctx context.Context, db DBTX, id int64) error

+	// Hot path for the polling /access_token endpoint. The middleware

+	// enforces interval_seconds via last_polled_at downstream.

+	GetDeviceAuthorizationByCodeHash(ctx context.Context, db DBTX, deviceCodeHash []byte) (DeviceAuthorization, error)

+	// Lookup path for the verification page. Returns even non-pending rows

+	// so the handler can render a clean "already approved" / "expired" page

+	// instead of a generic 404.

+	GetDeviceAuthorizationByUserCode(ctx context.Context, db DBTX, userCode string) (DeviceAuthorization, error)

+	InsertDeviceAuthorization(ctx context.Context, db DBTX, arg InsertDeviceAuthorizationParams) (DeviceAuthorization, error)

+	// SPDX-License-Identifier: AGPL-3.0-or-later

+	TouchDeviceAuthorizationPoll(ctx context.Context, db DBTX, id int64) error