tenseleyflow/shithub / 562bd24

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Enable the citext extension. Used by users.username and user_emails.email

+-- so case-insensitive uniqueness is enforced at the type level (no

+-- lower(col) functional indexes, no application-side normalization).

+

+-- +goose Up

+CREATE EXTENSION IF NOT EXISTS citext;

+

+-- +goose Down

+-- Intentionally left empty: dropping citext would cascade across columns

+-- created in later migrations. If a full down-migration is required, drop

+-- the dependent tables first.

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Core users table. username is citext for case-insensitive uniqueness;

+-- display casing is preserved for UI rendering. password_hash stores a

+-- PHC-encoded argon2id string; password_algo identifies the encoding so

+-- we can roll forward later without DB-side migration.

+--

+-- primary_email_id is a forward-reference to user_emails.id (FK added

+-- after that table exists in 0004 to avoid circular DDL).

+

+-- +goose Up

+CREATE TABLE users (

+    id                  bigserial   PRIMARY KEY,

+    username            citext      NOT NULL UNIQUE,

+    display_name        text        NOT NULL DEFAULT '',

+    primary_email_id    bigint,

+    password_hash       text        NOT NULL,

+    password_algo       text        NOT NULL DEFAULT 'argon2id-v1',

+    password_updated_at timestamptz NOT NULL DEFAULT now(),

+    email_verified      boolean     NOT NULL DEFAULT false,

+    last_login_at       timestamptz,

+    suspended_at        timestamptz,

+    suspended_reason    text,

+    deleted_at          timestamptz,

+    created_at          timestamptz NOT NULL DEFAULT now(),

+    updated_at          timestamptz NOT NULL DEFAULT now(),

+

+    CONSTRAINT users_username_length CHECK (char_length(username::text) BETWEEN 1 AND 39),

+    CONSTRAINT users_password_algo CHECK (password_algo IN ('argon2id-v1'))

+);

+

+CREATE INDEX users_deleted_at_idx ON users (deleted_at) WHERE deleted_at IS NOT NULL;

+CREATE INDEX users_suspended_at_idx ON users (suspended_at) WHERE suspended_at IS NOT NULL;

+

+CREATE TRIGGER set_updated_at BEFORE UPDATE ON users

+    FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at();

+

+-- +goose Down

+DROP TABLE IF EXISTS users;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- User email addresses. Users can have multiple emails; exactly one is

+-- the primary at any time (enforced by a partial unique index).

+-- email is citext + globally unique across all users (an email address

+-- can belong to at most one shithub account).

+

+-- +goose Up

+CREATE TABLE user_emails (

+    id                       bigserial   PRIMARY KEY,

+    user_id                  bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    email                    citext      NOT NULL UNIQUE,

+    is_primary               boolean     NOT NULL DEFAULT false,

+    verified                 boolean     NOT NULL DEFAULT false,

+    verification_token_hash  bytea,

+    verification_sent_at     timestamptz,

+    verified_at              timestamptz,

+    created_at               timestamptz NOT NULL DEFAULT now(),

+

+    CONSTRAINT user_emails_email_length CHECK (char_length(email::text) BETWEEN 3 AND 254),

+    CONSTRAINT user_emails_email_shape  CHECK (email::text LIKE '%@%')

+);

+

+-- At most one primary email per user.

+CREATE UNIQUE INDEX user_emails_one_primary_per_user

+    ON user_emails (user_id) WHERE is_primary;

+

+CREATE INDEX user_emails_user_id_idx ON user_emails (user_id);

+

+-- Now that user_emails exists, attach the FK from users.primary_email_id.

+ALTER TABLE users

+    ADD CONSTRAINT users_primary_email_fk

+        FOREIGN KEY (primary_email_id) REFERENCES user_emails(id)

+        ON DELETE SET NULL DEFERRABLE INITIALLY DEFERRED;

+

+-- +goose Down

+ALTER TABLE users DROP CONSTRAINT IF EXISTS users_primary_email_fk;

+DROP TABLE IF EXISTS user_emails;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Password reset tokens. The token itself is high-entropy random; only its

+-- sha256 hash is stored. used_at marks single-use consumption (replay

+-- protection). expires_at is set to created_at + 1 hour at insert time.

+

+-- +goose Up

+CREATE TABLE password_resets (

+    id          bigserial   PRIMARY KEY,

+    user_id     bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    token_hash  bytea       NOT NULL UNIQUE,

+    expires_at  timestamptz NOT NULL,

+    used_at     timestamptz,

+    created_at  timestamptz NOT NULL DEFAULT now()

+);

+

+CREATE INDEX password_resets_user_id_idx ON password_resets (user_id);

+CREATE INDEX password_resets_expires_at_idx ON password_resets (expires_at);

+

+-- +goose Down

+DROP TABLE IF EXISTS password_resets;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Email verification tokens. Same pattern as password_resets but keyed

+-- to a specific user_email row (a user with multiple emails verifies

+-- each one separately). TTL 24h. Single-use via used_at.

+

+-- +goose Up

+CREATE TABLE email_verifications (

+    id            bigserial   PRIMARY KEY,

+    user_email_id bigint      NOT NULL REFERENCES user_emails(id) ON DELETE CASCADE,

+    token_hash    bytea       NOT NULL UNIQUE,

+    expires_at    timestamptz NOT NULL,

+    used_at       timestamptz,

+    created_at    timestamptz NOT NULL DEFAULT now()

+);

+

+CREATE INDEX email_verifications_email_id_idx ON email_verifications (user_email_id);

+CREATE INDEX email_verifications_expires_at_idx ON email_verifications (expires_at);

+

+-- +goose Down

+DROP TABLE IF EXISTS email_verifications;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Generic counter table for auth-related rate limits. The (scope, identifier)

+-- pair is unique. window_started_at is the start of the current window;

+-- callers reset hits to 1 when the window has elapsed.

+--

+-- Examples of (scope, identifier):

+--   ('login',  '1.2.3.4|alice')

+--   ('signup', 'ip:1.2.3.4')

+--   ('signup', 'email:foo@bar')

+--   ('reset',  'email:foo@bar')

+

+-- +goose Up

+CREATE TABLE auth_throttle (

+    id                 bigserial   PRIMARY KEY,

+    scope              text        NOT NULL,

+    identifier         text        NOT NULL,

+    hits               integer     NOT NULL DEFAULT 0,

+    window_started_at  timestamptz NOT NULL DEFAULT now(),

+

+    UNIQUE (scope, identifier)

+);

+

+CREATE INDEX auth_throttle_window_started_idx ON auth_throttle (window_started_at);

+

+-- +goose Down

+DROP TABLE IF EXISTS auth_throttle;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Username change history. When a user changes their username (S10), the

+-- old name is recorded here so:

+--   1. URLs to /<old-username>/* can 301 to the new username.

+--   2. The old name is reserved for a 30-day cooldown — the redirect

+--      record itself acts as the reservation; the signup flow checks

+--      this table in addition to users.username when validating new names.

+

+-- +goose Up

+CREATE TABLE username_redirects (

+    old_username text        PRIMARY KEY,

+    user_id      bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    changed_at   timestamptz NOT NULL DEFAULT now()

+);

+

+CREATE INDEX username_redirects_user_id_idx ON username_redirects (user_id);

+CREATE INDEX username_redirects_changed_at_idx ON username_redirects (changed_at);

+

+-- +goose Down

+DROP TABLE IF EXISTS username_redirects;