clawbot 67446b36a1 feat: store auth tokens as SHA-256 hashes instead of plaintext (#69) ...

## Summary

Hash client auth tokens with SHA-256 before storing in the database. When validating tokens, hash the incoming token and compare against the stored hash. This prevents token exposure if the database is compromised.

Existing plaintext tokens are implicitly invalidated since they will not match the new hashed lookups — users will need to create new sessions.

## Changes

- **`internal/db/queries.go`**: Added `hashToken()` helper using `crypto/sha256`. Updated `CreateSession` to store hashed token. Updated `GetSessionByToken` to hash the incoming token before querying.
- **`internal/db/auth.go`**: Updated `RegisterUser` and `LoginUser` to store hashed tokens.

## Migration

No schema changes needed. The `token` column remains `TEXT` but now stores 64-char hex SHA-256 digests instead of 64-char hex random tokens. Existing plaintext tokens are effectively invalidated.

closes #34

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #69
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

2026-03-10 12:44:29 +01:00

..

schema

refactor: replace HTTP error codes with IRC numeric replies (#56)

2026-03-09 22:21:30 +01:00

auth_test.go

Add tests for register and login endpoints

2026-02-27 05:00:51 -08:00

auth.go

feat: store auth tokens as SHA-256 hashes instead of plaintext (#69)

2026-03-10 12:44:29 +01:00

db.go

Rename app from chat to neoirc, binary to neoircd (closes #46) (#47)

2026-03-07 14:43:58 +01:00

errors.go

Replace string-matching error detection with typed SQLite errors (closes #39) (#66)

2026-03-10 11:54:27 +01:00

export_test.go

fix: address all PR #10 review findings

2026-02-26 21:21:49 -08:00

queries_test.go

refactor: replace HTTP error codes with IRC numeric replies (#56)

2026-03-09 22:21:30 +01:00

queries.go

feat: store auth tokens as SHA-256 hashes instead of plaintext (#69)

2026-03-10 12:44:29 +01:00