Gabriel Radureau c878619478 ✨ feat(user): magic_link_tokens table + repository (ADR-0028 Phase A.3) ...

Adds the persistence layer for the passwordless-auth flow. The token VALUE is
never stored — only its sha256 hex digest, mirroring ADR-0021 secret retention
via fingerprint. Plaintext is generated server-side, emailed once, and rehashed
on consume.

Repository methods : Create / GetByHash / MarkConsumed / DeleteExpired.
AutoMigrate wired in both PostgresRepository init paths (DSN-built + cfg-built).

Tests :
- 5 unit tests : token generation shape, URL-safety, uniqueness, hash stability
- 5 integration tests (build tag `integration`) : end-to-end against real Postgres,
  cover the happy path, missing-hash, consume idempotency, expired-cleanup,
  and the unique-index defensive check

2026-05-05 11:21:05 +02:00

5.3 KiB

Raw Blame History

View Raw