From ceda71a1f687cdce24796c641ea97acabbd83aff Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Tue, 26 May 2026 15:45:14 +0000
Subject: [PATCH] fix(orgtoken,wsauth): log ignored last_used_at update errors

Best-effort last_used_at bumps in token validation paths were silently
ignoring DB errors. Log them without changing the non-failing behavior.

- orgtoken/tokens.go: log org_api_tokens last_used_at bump error
- wsauth/tokens.go: log workspace_auth_tokens last_used_at bump errors
  (two call sites)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 workspace-server/internal/orgtoken/tokens.go |  7 +++++--
 workspace-server/internal/wsauth/tokens.go   | 13 +++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/workspace-server/internal/orgtoken/tokens.go b/workspace-server/internal/orgtoken/tokens.go
index 48f98a2d7..acef57bec 100644
--- a/workspace-server/internal/orgtoken/tokens.go
+++ b/workspace-server/internal/orgtoken/tokens.go
@@ -24,6 +24,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"time"
 )
 
@@ -130,8 +131,10 @@ func Validate(ctx context.Context, db *sql.DB, plaintext string) (id, prefix, or
 	// Best-effort last_used_at bump. Failure here is acceptable — the
 	// request is already authenticated; we don't want a transient DB
 	// blip to flip a 200 into a 500.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id); err != nil {
+		log.Printf("orgtoken: last_used_at bump failed for %s: %v", id, err)
+	}
 	return id, prefix, orgID, nil
 }
 
diff --git a/workspace-server/internal/wsauth/tokens.go b/workspace-server/internal/wsauth/tokens.go
index b8e86bc7f..cf1829f94 100644
--- a/workspace-server/internal/wsauth/tokens.go
+++ b/workspace-server/internal/wsauth/tokens.go
@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"strings"
 )
 
@@ -124,8 +125,10 @@ func ValidateToken(ctx context.Context, db *sql.DB, expectedWorkspaceID, plainte
 
 	// Best-effort last_used_at update. A failure here (DB hiccup, etc.)
 	// must not cause an otherwise-valid request to 401.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }
 
@@ -250,7 +253,9 @@ func ValidateAnyToken(ctx context.Context, db *sql.DB, plaintext string) error {
 	}
 
 	// Best-effort last_used_at update.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }
-- 
2.52.0