feat(caldav): add token_hash column and store SHA-256 hashed tokens

server/config/database.js

@@ -679,6 +679,12 @@ export async function initDatabase() {
     `);
   }
 
+  // CalDAV: add token_hash column for SHA-256 hashed token lookup
+  if (!(await db.columnExists('caldav_tokens', 'token_hash'))) {
+    await db.exec('ALTER TABLE caldav_tokens ADD COLUMN token_hash TEXT DEFAULT NULL');
+    await db.exec('CREATE INDEX IF NOT EXISTS idx_caldav_tokens_hash ON caldav_tokens(token_hash)');
+  }
+
   // ── OAuth tables ────────────────────────────────────────────────────────
   if (isPostgres) {
     await db.exec(`

server/routes/calendar.js

@@ -723,9 +723,10 @@ router.post('/caldav-tokens', authenticateToken, async (req, res) => {
       return res.status(400).json({ error: 'Maximum of 10 tokens allowed' });
     }
     const token = crypto.randomBytes(32).toString('hex');
+    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
     const result = await db.run(
-      'INSERT INTO caldav_tokens (user_id, token, name) VALUES (?, ?, ?)',
+      'INSERT INTO caldav_tokens (user_id, token, token_hash, name) VALUES (?, ?, ?, ?)',
-      [req.user.id, token, name.trim()],
+      [req.user.id, token, tokenHash, name.trim()],
     );
     res.status(201).json({
       token: { id: result.lastInsertRowid, name: name.trim() },