fix(auth): cascade-delete MFA recovery codes on user removal

2026-05-31 22:00:52 +02:00
parent e14e909700
commit f68fd22d2b
1 changed files with 15 additions and 0 deletions
@@ -16,6 +16,21 @@ create table if not exists public.mfa_recovery_codes (
 create index if not exists mfa_recovery_codes_user_id_idx
  on public.mfa_recovery_codes (user_id);

+-- Cascade-delete recovery codes when the owning auth user is removed, so no
+-- orphaned rows are left behind (e.g. on account deletion or MFA reset).
+do $$
+begin
+  if not exists (
+    select 1 from pg_constraint
+    where conname = 'mfa_recovery_codes_user_id_fkey'
+      and conrelid = 'public.mfa_recovery_codes'::regclass
+  ) then
+    alter table public.mfa_recovery_codes
+      add constraint mfa_recovery_codes_user_id_fkey
+      foreign key (user_id) references auth.users (id) on delete cascade;
+  end if;
+end $$;
+
 -- Fast lookup of an unused code by (user, hash) during redemption.
 create unique index if not exists mfa_recovery_codes_user_hash_uidx
  on public.mfa_recovery_codes (user_id, code_hash);