fix(coderd): ensure that user API keys are deleted when a user is (#7270)

Fixes an issue where API tokens belonging to a deleted user were
not invalidated:
- Adds a trigger to delete rows from the api_key stable when the
  column deleted is set to true in the users table.
- Adds a trigger to the api_keys table to ensure that new rows
  may not be added where user_id corresponds to a deleted user.
- Adds a migration to delete all API keys from deleted users.
- Adds tests + dbfake implementation for the above.

coderd/apikey_test.go

@@ -195,7 +195,7 @@ func TestSessionExpiry(t *testing.T) {
 	}
 }
 
-func TestAPIKey(t *testing.T) {
+func TestAPIKey_OK(t *testing.T) {
 	t.Parallel()
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancel()
@@ -206,3 +206,20 @@ func TestAPIKey(t *testing.T) {
 	require.NoError(t, err)
 	require.Greater(t, len(res.Key), 2)
 }
+
+func TestAPIKey_Deleted(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	user := coderdtest.CreateFirstUser(t, client)
+	_, anotherUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+	require.NoError(t, client.DeleteUser(context.Background(), anotherUser.ID))
+
+	// Attempt to create an API key for the deleted user. This should fail.
+	_, err := client.CreateAPIKey(ctx, anotherUser.Username)
+	require.Error(t, err)
+	var apiErr *codersdk.Error
+	require.ErrorAs(t, err, &apiErr)
+	require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+}