feat: better solution for user tokens without cert_id

Author: bitfl0wer

migrations/0007_api_keys.sql

@@ -4,13 +4,12 @@ CREATE TABLE IF NOT EXISTS api_keys (
     CONSTRAINT token_length CHECK (length(token) >= 24 AND length(token) <= 255)
 );
 
--- TODO: This should account for an "initial" token, like after registering successfully/logging in
--- the first time, without having any idcerts. another table could help
 CREATE TABLE IF NOT EXISTS user_tokens (
     token_hash VARCHAR(255) PRIMARY KEY,
-    cert_id BIGINT NOT NULL REFERENCES idcert (idcsr_id),
     uaid UUID NOT NULL REFERENCES actors (uaid) ON DELETE CASCADE,
-    valid_not_after TIMESTAMP NULL
+    valid_not_after TIMESTAMP NULL,
+    cert_id BIGINT NOT NULL REFERENCES idcert (idcsr_id),
+    UNIQUE NULLS NOT DISTINCT (uaid, cert_id)
 );
 
 COMMENT ON TABLE user_tokens IS 'User access token hashes. Cleans up expired tokens on each insert operation of this table. Use view filtering to exclude expired tokens on queries.';