funman300
b129664344
Adds a `refresh_tokens` table (migration 003) with one row per live refresh token, keyed by UUID jti. On every POST /api/auth/refresh the old jti row is deleted and a new token pair is issued and stored. Using a consumed token returns 401. Expired rows are pruned inline on each successful rotation. Server: Claims gains an optional `jti` field; make_refresh_token now returns (jwt, jti); register/login insert the jti row; RefreshResponse now carries both tokens. Client: stores the rotated refresh token from the response. ARCHITECTURE.md: API table + Security Model updated. Three new integration tests cover rotation, consumed-token rejection, and chained rotations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Database Migrations
Migrations are run automatically at server startup via sqlx::migrate!("./migrations").
Naming convention
NNN_description.sql
NNN— zero-padded three-digit sequence number (001,002, …)description— snake_case description of what the migration does
Examples:
001_initial.sql
002_add_user_display_name.sql
003_weekly_goals_table.sql
sqlx tracks which migrations have run in the _sqlx_migrations table and only applies new ones. Never edit or delete an existing migration file after it has been applied to any database — add a new migration instead.
Adding a migration
- Create
migrations/NNN_description.sqlwhereNNNis the next available number. - Write idempotent SQL (
CREATE TABLE IF NOT EXISTS,ALTER TABLE … ADD COLUMN IF NOT EXISTS, etc.) where possible. - Update the sqlx offline query cache so the server builds without a live DB:
export DATABASE_URL=sqlite://solitaire.db sqlx database create sqlx migrate run --source solitaire_server/migrations cargo sqlx prepare --workspace - Commit both the migration file and the updated
.sqlx/query cache together.
Current schema
See 001_initial.sql for the full initial schema: users, sync_state, daily_challenges, leaderboard.