tenseleyflow/shithub / cf0e239

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- TOTP (time-based one-time password) secrets, one per user. The secret

+-- is encrypted at rest with chacha20poly1305 (key from config: secrets.totp_key).

+-- secret_nonce is the per-row 12-byte AEAD nonce; never reused for the same key.

+--

+-- last_used_counter is the highest TOTP step counter we've accepted; codes

+-- whose counter is <= this value are rejected to prevent replay (RFC 6238 §5.2).

+-- confirmed_at is NULL during enrollment until the user proves possession of

+-- the authenticator with a fresh code.

+

+-- +goose Up

+CREATE TABLE user_totp (

+    id                bigserial   PRIMARY KEY,

+    user_id           bigint      NOT NULL UNIQUE REFERENCES users(id) ON DELETE CASCADE,

+    secret_encrypted  bytea       NOT NULL,

+    secret_nonce      bytea       NOT NULL,

+    confirmed_at      timestamptz,

+    last_used_counter bigint      NOT NULL DEFAULT 0,

+    created_at        timestamptz NOT NULL DEFAULT now(),

+    updated_at        timestamptz NOT NULL DEFAULT now(),

+

+    CONSTRAINT user_totp_nonce_size CHECK (octet_length(secret_nonce) = 12)

+);

+

+CREATE TRIGGER set_updated_at BEFORE UPDATE ON user_totp

+    FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at();

+

+-- +goose Down

+DROP TABLE IF EXISTS user_totp;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Recovery codes. Generated when the user enrolls TOTP, regenerated on

+-- demand. Stored as sha256 hashes — the plaintext is shown to the user

+-- exactly once at generation time. Single-use via used_at.

+

+-- +goose Up

+CREATE TABLE user_recovery_codes (

+    id           bigserial   PRIMARY KEY,

+    user_id      bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    code_hash    bytea       NOT NULL,

+    used_at      timestamptz,

+    generated_at timestamptz NOT NULL DEFAULT now(),

+    created_at   timestamptz NOT NULL DEFAULT now()

+);

+

+CREATE INDEX user_recovery_codes_user_id_idx ON user_recovery_codes (user_id);

+CREATE UNIQUE INDEX user_recovery_codes_hash_uidx ON user_recovery_codes (code_hash);

+

+-- +goose Down

+DROP TABLE IF EXISTS user_recovery_codes;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- Generic audit log for security-relevant events. Schema is intentionally

+-- broad so future sprints can reuse it (S15 permissions, S30 org changes,

+-- S34 admin actions, S07 SSH key changes).

+--

+-- - actor_id: the user performing the action (NULL for unauthenticated /

+--   admin-CLI actions; admin actions populate meta->>'admin' instead).

+-- - action: short snake_case verb (e.g. '2fa_enabled', 'recovery_regenerated',

+--   'admin_cleared_2fa').

+-- - target_type, target_id: the entity affected (e.g. 'user', user.id).

+-- - meta: free-form JSON for action-specific detail (no secrets here).

+

+-- +goose Up

+CREATE TABLE auth_audit_log (

+    id          bigserial   PRIMARY KEY,

+    actor_id    bigint      REFERENCES users(id) ON DELETE SET NULL,

+    action      text        NOT NULL,

+    target_type text        NOT NULL,

+    target_id   bigint,

+    meta        jsonb       NOT NULL DEFAULT '{}'::jsonb,

+    created_at  timestamptz NOT NULL DEFAULT now()

+);

+

+CREATE INDEX auth_audit_log_actor_id_idx   ON auth_audit_log (actor_id);

+CREATE INDEX auth_audit_log_target_idx     ON auth_audit_log (target_type, target_id);

+CREATE INDEX auth_audit_log_action_idx     ON auth_audit_log (action);

+CREATE INDEX auth_audit_log_created_at_idx ON auth_audit_log (created_at DESC);

+

+-- +goose Down

+DROP TABLE IF EXISTS auth_audit_log;