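package models

import (
	"time"

	"gorm.io/gorm"
)

// RefreshToken represents a server-side record of issued refresh tokens
// to support rotation, revocation and reuse detection.
//
// NOTE(review): every field carries a json tag, so marshalling this model
// directly also emits token_hash and token_fingerprint. If rows are ever
// returned by an API or logged as JSON, prefer a separate response type
// (or `json:"-"` on those two fields) so token-derived values stay
// server-side.
type RefreshToken struct {
	// gorm.Model contributes ID, CreatedAt, UpdatedAt and a soft-delete
	// DeletedAt. Default GORM queries skip soft-deleted rows, so a deleted
	// record is invisible to reuse-detection lookups unless they use Unscoped.
	gorm.Model

	// UserID is the owner of the token; indexed, e.g. for per-user lookups.
	UserID uint64 `gorm:"type:bigint unsigned;not null;index" json:"user_id"`

	// TokenID is the unique identifier of this token record.
	TokenID string `gorm:"type:varchar(128);not null;uniqueIndex" json:"token_id"`

	// TokenHash is SHA-256 hex of the refresh token string (64 chars).
	// Stored instead of the raw token for security, while still allowing debug/lookup.
	// An unkeyed hash only resists offline guessing when the token itself is
	// high-entropy random data — TODO confirm against the token issuer.
	// NOTE(review): the column is nullable and its index is not unique;
	// confirm that is intended before relying on it as a lookup key.
	TokenHash string `gorm:"type:char(64);index" json:"token_hash"`

	// TokenFingerprint is a masked representation (e.g. first6...last4) to help operators
	// visually correlate DB rows with logs without storing full token.
	// NOTE(review): with that mask, ten characters of the live token are
	// readable by anyone who can read this table or its JSON form. A prefix
	// of TokenHash would allow the same correlation without storing any
	// token characters.
	TokenFingerprint string `gorm:"type:varchar(32);index" json:"token_fingerprint"`

	// ExpiresAt is the expiry time of this token record.
	ExpiresAt time.Time `gorm:"index" json:"expires_at"`

	// SessionExpiresAt is optional: nil is omitted from JSON.
	// Presumably an absolute session deadline carried across rotations —
	// TODO confirm against the issuing code.
	SessionExpiresAt *time.Time `gorm:"index" json:"session_expires_at,omitempty"`

	// Revoked marks the token as no longer acceptable.
	Revoked bool `gorm:"index" json:"revoked"`

	// ReplacedByTokenID presumably holds the TokenID of the successor issued
	// at rotation; verify against the rotation code.
	ReplacedByTokenID string `gorm:"type:varchar(128)" json:"replaced_by_token_id"`

	// UserAgent and IP are request metadata recorded with the token.
	// UserAgent is client-controlled: bound it to the column width before
	// insert and escape it wherever it is rendered.
	// NOTE(review): how IP is derived is not visible here; if it comes from
	// forwarding headers, accept them only from trusted proxies.
	UserAgent string `gorm:"type:varchar(255)" json:"user_agent"`
	IP        string `gorm:"type:varchar(64)" json:"ip"`
}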