Gerhard Scheikl
31 lines
1.4 KiB
SQL
31 lines
1.4 KiB
SQL
-- 0002_mfa_recovery.sql
|
|
-- Additive, idempotent migration for mandatory-MFA recovery codes.
|
|
-- Safe to run multiple times.
|
|
|
|
-- 1. Recovery codes -------------------------------------------------------
|
|
-- One row per single-use recovery code. We only ever store a SHA-256 hash of
|
|
-- the code; the plaintext is shown to the user exactly once at generation.
|
|
create table if not exists public.mfa_recovery_codes (
|
|
id bigint generated always as identity primary key,
|
|
user_id uuid not null,
|
|
code_hash text not null,
|
|
used_at timestamptz,
|
|
created_at timestamptz not null default now()
|
|
);
|
|
|
|
create index if not exists mfa_recovery_codes_user_id_idx
|
|
on public.mfa_recovery_codes (user_id);
|
|
|
|
-- Fast lookup of an unused code by (user, hash) during redemption.
|
|
create unique index if not exists mfa_recovery_codes_user_hash_uidx
|
|
on public.mfa_recovery_codes (user_id, code_hash);
|
|
|
|
-- 2. Lock down with RLS, NO policies ---------------------------------------
|
|
-- RLS enabled with NO policies so anon/authenticated roles cannot read or
|
|
-- write recovery codes at all. The application generates and redeems codes
|
|
-- exclusively through the service-role client, which bypasses RLS.
|
|
alter table public.mfa_recovery_codes enable row level security;
|
|
|
|
comment on table public.mfa_recovery_codes is
|
|
'Single-use MFA recovery codes (SHA-256 hashed). RLS enabled with no policies: service-role only.';
|