From 363d4edfed8361ba3121278eb5d7f5e5779e964c Mon Sep 17 00:00:00 2001 From: wikiapiserver Date: Thu, 25 Jun 2026 12:47:38 +0200 Subject: refactor: store tokens in plaintext Remove SHA-256 hashing of refresh_token and access_token. Tokens are now stored and looked up as-is, matching the Wikimedia API format. --- db/db.go | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/db/db.go b/db/db.go index 7c26c8c..50b1f17 100644 --- a/db/db.go +++ b/db/db.go @@ -3,7 +3,6 @@ package db import ( "context" "crypto/rand" - "crypto/sha256" "database/sql" "encoding/hex" "encoding/json" @@ -73,11 +72,6 @@ func randomHex(n int) (string, error) { return hex.EncodeToString(b), nil } -func sha256hex(s string) string { - h := sha256.Sum256([]byte(s)) - return hex.EncodeToString(h[:]) -} - // WikimediaTokens holds the tokens returned by the Wikimedia auth API. type WikimediaTokens struct { RefreshToken string `json:"refresh_token"` @@ -139,8 +133,8 @@ func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (* `INSERT INTO account (username, password, refresh_token, access_token, access_token_created) VALUES (?, ?, ?, ?, NOW())`, username, plaintextPW, - sha256hex(tokens.RefreshToken), - sha256hex(tokens.AccessToken), + tokens.RefreshToken, + tokens.AccessToken, ) if err != nil { if isDupKeyError(err) { @@ -205,7 +199,7 @@ func (d *DB) RotateTokens(ctx context.Context, id int64) (*Account, error) { } res, err := d.conn.ExecContext(ctx, - `UPDATE account SET refresh_token = SHA2(?, 256), access_token = SHA2(?, 256), access_token_created = NOW() + `UPDATE account SET refresh_token = ?, access_token = ?, access_token_created = NOW() WHERE id = ?`, rt, at, id) if err != nil { return nil, fmt.Errorf("rotate tokens: %w", err) 
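Review bot: The two added lines in the `CreateAccount` hunk write `tokens.RefreshToken` and `tokens.AccessToken` into the `account` row verbatim, so anyone who can read that table (a SQL injection elsewhere, a leaked dump or backup, an over-privileged database user) obtains bearer credentials that work as-is, whereas the hashed column only ever gave them a lookup key. If the hashing was removed because these tokens must later be presented to Wikimedia — which a digest does break — the replacement should be encryption at rest with a key held outside the database, not plaintext; a value that is only ever compared, as the `refresh_token` equality lookup in `RefreshByToken` suggests for the refresh token, can keep the SHA-256 digest. The same INSERT already takes `plaintextPW` for the `password` column on a context line; that predates this commit, but it is worth confirming the value is hashed before it reaches this function. `CreateAccount` starts and ends outside this hunk.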
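Review bot: The new UPDATE in the `RotateTokens` hunk stores `rt` and `at` as received, and the only Go-side hashing helper (`sha256hex`) is deleted in the same commit, so no code path keeps a digest instead of the credential itself. Dropping the SQL-side `SHA2(?, 256)` was reasonable on its own — it shipped the plaintext token to the database server, where it can land in the general or slow query log — but the fix for that is hashing (or encrypting, if the value must be replayed to Wikimedia) in Go before the statement runs, i.e. keeping `sha256hex` and passing `sha256hex(rt)` rather than `rt`, not removing the protection entirely. Where `rt` and `at` come from is outside the hunk; if `randomHex` produces them they are server-issued and never need to exist in plaintext once returned to the caller. `RotateTokens` starts and ends outside this hunk.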
@@ -236,7 +230,7 @@ func (d *DB) RotateTokens(ctx context.Context, id int64) (*Account, error) {
 func (d *DB) RefreshByToken(ctx context.Context, refreshToken string) (*Account, error) {
 	var id int64
 	err := d.conn.QueryRowContext(ctx,
-		`SELECT id FROM account WHERE refresh_token = SHA2(?, 256)`, refreshToken,
+		`SELECT id FROM account WHERE refresh_token = ?`, refreshToken,
 	).Scan(&id)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
-- cgit v1.2.3
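Review bot: With the digest gone, `WHERE refresh_token = ?` compares the raw token under whatever collation the column carries, and the default MySQL/MariaDB collations are case- and accent-insensitive, so a presented token that differs from the stored one only in letter case would now match; the old lowercase hex digest never exposed that. The column definition is not visible here, so confirm it is `VARBINARY` or uses a `_bin` collation, or compare with `WHERE refresh_token = BINARY ?`. Also check the column width: a column sized for a 64-character digest may be narrower than a raw token, and with strict mode off the INSERT would silently store a truncated prefix that this lookup then never finds. `RefreshByToken` continues past the end of this hunk.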