1. [SQL] Fix username uniqueness constraint
- Changed from global unique to composite unique(tenant_id, username)
- Multi-tenant apps need same usernames across tenants (e.g., each tenant can have 'admin')
2. [Go] Fix inconsistent error handling in scanSession
- Now returns pgx.ErrNoRows when session not found (like scanUser)
- Allows proper 404 vs 500 error distinction in handlers
3. [Go] Add missing VerifyPassword function
- Implements bcrypt.CompareHashAndPassword for password verification
- Enables login flow with proper error handling for missing users
- Paired with existing GenerateFromPassword for secure password hashing
Security checks:
- SQL injection: All queries parameterized (no string interpolation)
- bcrypt: Cost factor 12 (production-recommended)
- Session tokens: PostgreSQL gen_random_uuid() (cryptographically secure)
- Password hashes: Protected with json:"-" tag (never exposed in responses)
- Error handling: Comprehensive, no silent failures
Build & Vet: All checks pass (go build ./..., go vet ./...)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
