workspace-server/internal/orgtoken/tokens.go

@@ -24,6 +24,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"time"
 )
 
@@ -130,8 +131,10 @@ func Validate(ctx context.Context, db *sql.DB, plaintext string) (id, prefix, or
 	// Best-effort last_used_at bump. Failure here is acceptable — the
 	// request is already authenticated; we don't want a transient DB
 	// blip to flip a 200 into a 500.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id); err != nil {
+		log.Printf("orgtoken: last_used_at bump failed for %s: %v", id, err)
+	}
 	return id, prefix, orgID, nil
 }
 

workspace-server/internal/wsauth/tokens.go

@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"strings"
 )
 
@@ -124,8 +125,10 @@ func ValidateToken(ctx context.Context, db *sql.DB, expectedWorkspaceID, plainte
 
 	// Best-effort last_used_at update. A failure here (DB hiccup, etc.)
 	// must not cause an otherwise-valid request to 401.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }
 
@@ -250,7 +253,9 @@ func ValidateAnyToken(ctx context.Context, db *sql.DB, plaintext string) error {
 	}
 
 	// Best-effort last_used_at update.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }