Commit 9620b75

Add task to clean up old OAuth credentials
This is a helper task to clean up old OAuth tokens. There are potentially two types of tokens:

- expired tokens
- legacy tokens (those without an expiration; these are not personal tokens)

We are phasing out the legacy tokens for security reasons. In the future all OAuth tokens will have fixed expiration windows. This simply means we'll expect OAuth apps to have the user re-authenticate every so often.

Looking at other companies' policies:

- [Facebook uses 90 days](https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing)
- [Google uses 6 months](https://developers.google.com/identity/protocols/OAuth2#expiration)

At this time we feel 90 days is a good default. The task is configurable depending on the app's requirements.
1 parent 2c68039 commit 9620b75

2 files changed

+28
-6
lines changed

lib/tasks/kracken.rake

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
# frozen_string_literal: true
2+
3+
namespace :kracken do
4+
namespace :sweep do
5+
desc "Remove expired credentials after threshold days " \
6+
"(default threshold is 90 days)"
7+
task :credentials, %i[threshold] => :environment do |_t, args|
8+
threshold = args.fetch(:threshold) { 90 }.to_i.days
9+
timestamp = threshold.ago
10+
Rails.logger.info "Clearing expired `Credentials` older than " \
11+
"#{threshold.inspect} (#{timestamp})"
12+
expired = Credentials.where(expires: true)
13+
.where("expires_at < ?", timestamp)
14+
.destroy_all
15+
.size
16+
Rails.logger.info "Removed: #{expired} credentials"
17+
threshold *= 2
18+
timestamp = threshold.ago
19+
Rails.logger.info "Clearing legacy `Credentials` older than " \
20+
"#{threshold.inspect} (#{timestamp})"
21+
legacy = Credentials.where(expires: [nil, false])
22+
.where("updated_at < ?", timestamp)
23+
.destroy_all
24+
.size
25+
Rails.logger.info "Removed: #{legacy} credentials"
26+
end
27+
end
28+
end
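
Review bot: On line 8, `args.fetch(:threshold) { 90 }.to_i.days` turns any non-numeric argument into 0, so `threshold.ago` is the current time, and the doubling on line 17 (`threshold *= 2`) is still 0. The legacy query on lines 21-24 would then destroy every credential with `expires: [nil, false]` that was updated before now, and a negative value pushes the cutoff into the future for both queries. Parse the argument strictly, for example with `Integer(...)`, and abort when the result is less than 1. The `desc` on lines 5-6 also mentions only expired credentials and the 90-day default; it should say that legacy credentials are swept as well, at twice the threshold. Because both queries end in `.destroy_all.size`, every matching record is loaded and instantiated in one pass; consider batching if the table can be large.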

lib/tasks/kracken_tasks.rake

Lines changed: 0 additions & 6 deletions
This file was deleted.
