fix: auth token lifecycle — expiry, consumption, and hash fixes (wd-2qc)

1. Verification tokens: add expires_at column, 24h expiry, delete after
   use (single-use), upgrade Hash() from MD5 to SHA-256
2. Remember-me logout: hash cookie value with SHA-256 before DB lookup
   (raw value was compared against stored hash — never matched)
3. RememberToken.createToken(): explicit SHA-256 instead of default MD5

Author: bpamiri

app/controllers/web/AuthController.cfc

@@ -367,8 +367,9 @@ component extends="app.Controllers.Controller" {
 
                 // Clear remember me token if exists
                 if (structKeyExists(cookie, "remember_me")) {
-                    var token = cookie.remember_me;
-                    var rememberToken = model("RememberToken").findOne(where="token = '#token#'");
+                    var rawToken = cookie.remember_me;
+                    var hashedToken = hash(rawToken, "SHA-256");
+                    var rememberToken = model("RememberToken").findOne(where="token = '#hashedToken#'");
                     if (isObject(rememberToken)) {
                         rememberToken.delete();
                     }
@@ -693,13 +694,14 @@ component extends="app.Controllers.Controller" {
             }
 
             // Generate and save verification token
-            var verificationToken = Hash(createUUID());
-            
+            var verificationToken = Hash(createUUID(), "SHA-256");
+
             var newToken = model("UserToken").new();
             newToken.token = verificationToken;
             newToken.user_id = userId; // Now a string, safe
             newToken.status = false;
-            
+            newToken.expiresAt = dateAdd("h", 24, now());
+
             if (!newToken.save()) {
                 model("Log").log(
                     category = "wheels.auth",
@@ -793,11 +795,12 @@ component extends="app.Controllers.Controller" {
 
             if (!isObject(existingToken)) {
                 // Generate a new verification token
-                var verificationToken = Hash(createUUID());
+                var verificationToken = Hash(createUUID(), "SHA-256");
                 var newToken = model("UserToken").new();
                 newToken.token = verificationToken;
                 newToken.user_id = user.id;
                 newToken.status = false; // Not verified
+                newToken.expiresAt = dateAdd("h", 24, now());
                 newToken.save();
             } else {
                 var verificationToken = existingToken.token;
@@ -825,12 +828,21 @@ component extends="app.Controllers.Controller" {
 
     private function verifyToken(required string token) {
         var message="";
-        var token = model("UserToken").findOne(where="token = '#token#'");
+        var tokenRecord = model("UserToken").findOne(where="token = '#token#'");
+
+        if (isObject(tokenRecord)) {
+            // Check if token has expired
+            if (isDate(tokenRecord.expiresAt) && dateCompare(now(), tokenRecord.expiresAt) > 0) {
+                tokenRecord.delete();
+                message = "false";
+                return message;
+            }
 
-        if (isObject(token)) {
-            var user = model("User").findByKey(include="Role", key='#token.user_id#');
+            var user = model("User").findByKey(include="Role", key='#tokenRecord.user_id#');
             if(isObject(user)){
                 user.update(status=SetActive(), roleId=2); // Activate user, set editor role
+                // Consume the token — single use only
+                tokenRecord.delete();
                 return user;
             }else{
                 message="false";

app/migrator/migrations/20260322160000_add_expires_at_to_user_tokens.cfc

@@ -0,0 +1,37 @@
+component extends="wheels.migrator.Migration" hint="add expires_at column to user_tokens for token expiry" {
+
+	function up() {
+		transaction {
+			try {
+				addColumn(table='user_tokens', columnType='datetime', columnName='expires_at', null=true);
+			} catch (any e) {
+				local.exception = e;
+			}
+
+			if (StructKeyExists(local, "exception")) {
+				transaction action="rollback";
+				Throw(errorCode = "1", detail = local.exception.detail, message = local.exception.message, type = "any");
+			} else {
+				transaction action="commit";
+			}
+		}
+	}
+
+	function down() {
+		transaction {
+			try {
+				removeColumn(table='user_tokens', columnName='expires_at');
+			} catch (any e) {
+				local.exception = e;
+			}
+
+			if (StructKeyExists(local, "exception")) {
+				transaction action="rollback";
+				Throw(errorCode = "1", detail = local.exception.detail, message = local.exception.message, type = "any");
+			} else {
+				transaction action="commit";
+			}
+		}
+	}
+
+}

app/models/RememberToken.cfc

@@ -67,15 +67,15 @@ component extends="app.Models.Model" {
     public function createToken(required numeric userId) {
         var token = new();
         token.userId = arguments.userId;
-        token.token = hash(createUUID() & arguments.userId & now());
+        token.token = hash(createUUID() & arguments.userId & now(), "SHA-256");
         token.expiresAt = dateAdd("d", 30, now());
         return token.save();
     }
 
-    // Find token by value
-    public function findByToken(required string token) {
+    // Find token by hashed value (caller must hash raw cookie value with SHA-256 first)
+    public function findByToken(required string hashedToken) {
         return findOne(
-            where="token = '#arguments.token#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#'"
+            where="token = '#arguments.hashedToken#' AND expiresAt > '#dateTimeFormat(now(), "yyyy-MM-dd HH:nn:ss")#'"
         );
     }
 

app/models/UserToken.cfc

@@ -9,7 +9,8 @@ component extends="app.Models.Model" {
         property(name="updatedAt", column="updatedat", dataType ="datetime", defaultValue = "");
         property(name="deletedAt", column="deletedat", dataType ="datetime", defaultValue = "");
         property(name="user_id", column="user_id", dataType ="string");
-        
+        property(name="expiresAt", column="expires_at", dataType ="datetime", defaultValue = "");
+
         belongsTo(name="User", foreignKey="user_id");
     }