From 2d919cdc673a1613b45a65b005a966639f2d0e97 Mon Sep 17 00:00:00 2001
From: Michelle
Date: Wed, 4 Mar 2026 09:17:31 +0100
Subject: [PATCH] feat(caldav): add token_hash column and store SHA-256 hashed tokens
---
 server/config/database.js | 6 ++++++
 server/routes/calendar.js | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server/config/database.js b/server/config/database.js
index 1cb48b4..e057b9a 100644
--- a/server/config/database.js
+++ b/server/config/database.js
@@ -679,6 +679,12 @@ export async function initDatabase() {
 `);
 }
 
+ // CalDAV: add token_hash column for SHA-256 hashed token lookup
+ if (!(await db.columnExists('caldav_tokens', 'token_hash'))) {
+ await db.exec('ALTER TABLE caldav_tokens ADD COLUMN token_hash TEXT DEFAULT NULL');
+ await db.exec('CREATE INDEX IF NOT EXISTS idx_caldav_tokens_hash ON caldav_tokens(token_hash)');
+ }
+
 // ── OAuth tables ────────────────────────────────────────────────────────
 if (isPostgres) {
 await db.exec(`
diff --git a/server/routes/calendar.js b/server/routes/calendar.js
index 6f6092f..5bbb9a1 100644
--- a/server/routes/calendar.js
+++ b/server/routes/calendar.js
@@ -723,9 +723,10 @@ router.post('/caldav-tokens', authenticateToken, async (req, res) => {
 return res.status(400).json({ error: 'Maximum of 10 tokens allowed' });
 }
 const token = crypto.randomBytes(32).toString('hex');
+ const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
 const result = await db.run(
- 'INSERT INTO caldav_tokens (user_id, token, name) VALUES (?, ?, ?)',
- [req.user.id, token, name.trim()],
+ 'INSERT INTO caldav_tokens (user_id, token, token_hash, name) VALUES (?, ?, ?, ?)',
+ [req.user.id, token, tokenHash, name.trim()],
 );
 res.status(201).json({
 token: { id: result.lastInsertRowid, name: name.trim() },
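Review bot: Rows that already exist in `caldav_tokens` keep `token_hash` NULL after this migration, and nothing in the database.js hunk backfills them, so a lookup that switches to `token_hash` would stop matching tokens issued before the upgrade. If no backfill runs elsewhere (not visible here), hash the existing `token` values in application code right after the `ALTER TABLE`. The `CREATE INDEX IF NOT EXISTS` statement is already idempotent, so it can sit outside the `columnExists` check; as written, a failure between the two statements leaves the column without its index on every later start. initDatabase starts and ends outside the hunk.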
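Review bot: The INSERT in the calendar.js hunk still writes the raw `token` next to `token_hash`, so anyone who can read the table (a leaked backup, an injection elsewhere) still obtains usable CalDAV credentials and the hash adds no protection yet. If this is a transitional step, say so at the insert, e.g. `// Transitional: raw token is still stored until lookups use token_hash; stop writing it after that.`, and follow up by no longer populating `token`. A short comment on the `tokenHash` line would also help the next reader: `// Unsalted SHA-256 is acceptable only because the token is 32 random bytes, not a user-chosen secret.` The route handler starts and ends outside the hunk.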