Remove plain text token from everywhere

db/migrate/20251230005248_remove_plaintext_token_from_oidc_access_tokens.rb

@@ -0,0 +1,10 @@
+class RemovePlaintextTokenFromOidcAccessTokens < ActiveRecord::Migration[8.1]
+  def change
+    # Remove the unique index first
+    remove_index :oidc_access_tokens, :token, if_exists: true
+
+    # Remove the plaintext token column - no longer needed
+    # Tokens are now stored as BCrypt-hashed token_digest with HMAC token_prefix
+    remove_column :oidc_access_tokens, :token, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.1].define(version: 2025_12_29_220739) do
+ActiveRecord::Schema[8.1].define(version: 2025_12_30_005248) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.bigint "blob_id", null: false
     t.datetime "created_at", null: false
@@ -100,7 +100,6 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_29_220739) do
     t.datetime "expires_at", null: false
     t.datetime "revoked_at"
     t.string "scope"
-    t.string "token"
     t.string "token_digest"
     t.string "token_prefix", limit: 8
     t.datetime "updated_at", null: false
@@ -109,7 +108,6 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_29_220739) do
     t.index ["application_id"], name: "index_oidc_access_tokens_on_application_id"
     t.index ["expires_at"], name: "index_oidc_access_tokens_on_expires_at"
     t.index ["revoked_at"], name: "index_oidc_access_tokens_on_revoked_at"
-    t.index ["token"], name: "index_oidc_access_tokens_on_token", unique: true
     t.index ["token_digest"], name: "index_oidc_access_tokens_on_token_digest", unique: true
     t.index ["token_prefix"], name: "index_oidc_access_tokens_on_token_prefix"
     t.index ["user_id"], name: "index_oidc_access_tokens_on_user_id"