[Prisma] Why is token field unique?

[jlalmes]

Question 💬

The @next-auth/prisma-adapter docs show the required models and fields that must be added to your Prisma schema. The following is the VerificationToken model from that example schema:

model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
}

Why is token given an @unique constraint when it is already included in the compound @@unique constraint with identifier?

One of the constraints should be removed, but which one?

How to reproduce ☕️

The setup docs 👉 https://next-auth.js.org/adapters/prisma#setup

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[balazsorban44]

In theory, token doesn't have to be, but it is likely safer. When we query a VerificationToken from the DB, we use the combination of identifier and token.

This constraint was introduced a while ago as part of a security vulnerability patch. GHSA-pg53-56cg-4m8q

If you think it is fine to drop the unique constraint on token itself, you can do so.

But do not remove the @@unique([identifier, token]) constraint!