fix(coderd): ensure that user API keys are deleted when a user is (#7270)

Fixes an issue where API tokens belonging to a deleted user were
not invalidated:
- Adds a trigger to delete rows from the api_keys table when the
  column deleted is set to true in the users table.
- Adds a trigger to the api_keys table to ensure that new rows
  may not be added where user_id corresponds to a deleted user.
- Adds a migration to delete all API keys from deleted users.
- Adds tests + dbfake implementation for the above.
This commit is contained in:
Cian Johnston
2023-04-24 21:48:26 +01:00
committed by GitHub
parent ad82a60806
commit 8fc8559076
7 changed files with 165 additions and 2 deletions


@ -285,7 +285,7 @@ func TestDeleteUser(t *testing.T) {
user := coderdtest.CreateFirstUser(t, client)
authz := coderdtest.AssertRBAC(t, api, client)
_, another := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
anotherClient, another := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
err := client.DeleteUser(context.Background(), another.ID)
require.NoError(t, err)
// Attempt to create a user with the same email and username, and delete them again.
@ -299,6 +299,13 @@ func TestDeleteUser(t *testing.T) {
err = client.DeleteUser(context.Background(), another.ID)
require.NoError(t, err)
// IMPORTANT: assert that the deleted user's session is no longer valid.
_, err = anotherClient.User(context.Background(), codersdk.Me)
require.Error(t, err)
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
// RBAC checks
authz.AssertChecked(t, rbac.ActionCreate, rbac.ResourceUser)
authz.AssertChecked(t, rbac.ActionDelete, another)
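Review bot: The session-invalidation assertion on the `anotherClient.User(...)` line is only made after the account has been re-created with the same email/username and deleted a second time, so it would still pass if the first `client.DeleteUser` left the original key alive and only the second deletion (or the re-creation) invalidated it. Asserting right after the first `require.NoError(t, err)` following the first `DeleteUser` pins the behaviour the commit describes, e.g. `_, err = anotherClient.User(context.Background(), codersdk.Me)` followed by `require.Error(t, err)`; the 401 status check could be factored into a small helper so both call sites share it. It would also be worth asserting, between the re-creation and the second delete, that the stale key cannot act as the newly created user of the same username, since that is the window where a key keyed by a stale user_id would be most dangerous (assuming the re-created user gets a fresh ID, which the diff does not show). The trigger that rejects inserting api_keys rows for a deleted user is described in the commit message but not exercised in this hunk; if it is covered elsewhere in the PR this can be ignored. TestDeleteUser starts before and, as far as the hunk shows, continues past this hunk.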