From ad6b1f3138cd3cd953f9caa6ab5483f0d1ac03eb Mon Sep 17 00:00:00 2001
From: wikiapiserver
Date: Thu, 25 Jun 2026 12:36:15 +0200
Subject: refactor: remove token generation from register

Register only saves username and plaintext password. Token fields are left empty until set by the Wikimedia API.
---
 db/db.go | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/db/db.go b/db/db.go
index acb4437..4439be4 100644
--- a/db/db.go
+++ b/db/db.go
@@ -82,21 +82,13 @@ func isDupKeyError(err error) bool {

 // --- queries ---

-// CreateAccount inserts a new row with plaintext password and fresh tokens.
+// CreateAccount inserts a new account with username and plaintext password.
+// Tokens are not generated here; they are set later via the Wikimedia API.
 func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (*Account, error) {
- rt, err := randomHex(tokenLength)
- if err != nil {
- return nil, err
- }
- at, err := randomHex(tokenLength)
- if err != nil {
- return nil, err
- }
-
 res, err := d.conn.ExecContext(ctx,
 `INSERT INTO account (username, password, refresh_token, access_token, access_token_created)
- VALUES (?, ?, SHA2(?, 256), SHA2(?, 256), NOW())`,
- username, plaintextPW, rt, at,
+ VALUES (?, ?, '', '', NOW())`,
+ username, plaintextPW,
 )
 if err != nil {
 if isDupKeyError(err) {
@@ -114,9 +106,9 @@ func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (*
 return &Account{
 ID: id,
 Username: username,
- RefreshToken: rt,
- AccessToken: at,
- AccessTokenExpiry: now.Add(accessTokenTTL),
+ RefreshToken: "",
+ AccessToken: "",
+ AccessTokenExpiry: now,
 CreatedAt: now,
 }, nil
 }
--
cgit v1.2.3
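Review bot: The `''` placeholders written to `refresh_token` and `access_token` in the INSERT give every newly registered account the same stored token value while `access_token_created` is still `NOW()`, so the row looks like it holds a freshly issued token. If either token column has a UNIQUE index the second registration would fail and `isDupKeyError` could misreport it as a duplicate username, and any lookup that does not reject an empty stored value would treat all unprovisioned accounts alike; the schema and lookup queries are outside this diff, so both need confirming. NULL is a safer "not issued" marker: `VALUES (?, ?, NULL, NULL, NULL)`, provided the columns are nullable and readers scan them accordingly. Separately, the password still goes into the table as plaintext; if the service never needs to recover it, store a salted password hash (bcrypt or Argon2id) instead, and if it does, encrypt it at rest and say why in the doc comment. CreateAccount's body continues between the two hunks, outside what is shown.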
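Review bot: The returned `Account` literal now carries `RefreshToken: ""` and `AccessToken: ""` with nothing telling a caller that no token was issued, so a register handler that still serialises these fields would hand the client empty credentials. `AccessTokenExpiry: now` also disagrees with the row just inserted, where `access_token_created` is `NOW()` and any expiry derived from it plus the TTL would lie in the future. I would add a comment above the literal, e.g. `// No tokens yet: fields stay empty until the Wikimedia API flow sets them; callers must not treat this Account as authenticated.`, and consider the zero `time.Time{}` for the expiry if callers handle it. The start of CreateAccount and the code that computes `now` are outside this hunk.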