fixes lol

database/init.sql

@@ -1198,4 +1198,28 @@ BEGIN
 END $$;
 
 -- Create index for pending_uberban lookups
-CREATE INDEX IF NOT EXISTS idx_users_pending_uberban ON users(pending_uberban) WHERE pending_uberban = true;
+CREATE INDEX IF NOT EXISTS idx_users_pending_uberban ON users(pending_uberban) WHERE pending_uberban = true;
+
+-- ============================================
+-- REFRESH TOKEN FAMILIES (JWT Token Rotation)
+-- ============================================
+
+-- Refresh token families table for secure token rotation
+-- Each login creates a new "family" - if an old token is reused, the whole family is revoked
+CREATE TABLE IF NOT EXISTS refresh_token_families (
+    id BIGSERIAL PRIMARY KEY,
+    user_id BIGINT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    family_id UUID NOT NULL UNIQUE,
+    current_token_hash VARCHAR(64) NOT NULL,  -- SHA256 of current valid refresh token
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
+    revoked BOOLEAN DEFAULT FALSE,
+    revoked_at TIMESTAMP WITH TIME ZONE,
+    last_used_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Create indexes for refresh_token_families
+CREATE INDEX IF NOT EXISTS idx_refresh_families_user_id ON refresh_token_families(user_id);
+CREATE INDEX IF NOT EXISTS idx_refresh_families_family_id ON refresh_token_families(family_id);
+CREATE INDEX IF NOT EXISTS idx_refresh_families_active ON refresh_token_families(user_id, revoked) WHERE revoked = FALSE;
+CREATE INDEX IF NOT EXISTS idx_refresh_families_expires ON refresh_token_families(expires_at) WHERE revoked = FALSE;