Cleanup revoked tokens instead of expired ones

If we continue deleting expired tokens, we might not record whether the
token was used or not, and not know what to do in case of
a double-refresh.

Revoked tokens are safe to delete.

This also reduces the frequency of the cleanup job to once an hour.

Author: sandhose

crates/storage-pg/.sqlx/query-1a8701f5672de052bb766933f60b93249acc7237b996e8b93cd61b9f69c902ff.json renamed to crates/storage-pg/.sqlx/query-c68b28232b42a62907709403caafe1cc5267780232cd615468d50f5c0af2bedb.json

@@ -250,20 +250,20 @@ impl OAuth2AccessTokenRepository for PgOAuth2AccessTokenRepository<'_> {
     }
 
     #[tracing::instrument(
-        name = "db.oauth2_access_token.cleanup_expired",
+        name = "db.oauth2_access_token.cleanup_revoked",
         skip_all,
         fields(
             db.query.text,
         ),
         err,
     )]
-    async fn cleanup_expired(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error> {
-        // Cleanup token which expired more than 15 minutes ago
-        let threshold = clock.now() - Duration::microseconds(15 * 60 * 1000 * 1000);
+    async fn cleanup_revoked(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error> {
+        // Cleanup token that were revoked more than an hour ago
+        let threshold = clock.now() - Duration::microseconds(60 * 60 * 1000 * 1000);
         let res = sqlx::query!(
             r#"
                 DELETE FROM oauth2_access_tokens
-                WHERE expires_at < $1
+                WHERE revoked_at < $1
             "#,
             threshold,
         )

crates/storage-pg/src/oauth2/access_token.rs

@@ -107,7 +107,7 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
         access_token: AccessToken,
     ) -> Result<AccessToken, Self::Error>;
 
-    /// Cleanup expired access tokens
+    /// Cleanup revoked access tokens
     ///
     /// Returns the number of access tokens that were cleaned up
     ///
@@ -118,7 +118,7 @@ pub trait OAuth2AccessTokenRepository: Send + Sync {
     /// # Errors
     ///
     /// Returns [`Self::Error`] if the underlying repository fails
-    async fn cleanup_expired(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
+    async fn cleanup_revoked(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
 }
 
 repository_impl!(OAuth2AccessTokenRepository:
@@ -150,5 +150,5 @@ repository_impl!(OAuth2AccessTokenRepository:
         access_token: AccessToken,
     ) -> Result<AccessToken, Self::Error>;
 
-    async fn cleanup_expired(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
+    async fn cleanup_revoked(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
 );

crates/storage/src/oauth2/access_token.rs

@@ -24,15 +24,15 @@ impl RunnableJob for CleanupExpiredTokensJob {
 
         let count = repo
             .oauth2_access_token()
-            .cleanup_expired(&clock)
+            .cleanup_revoked(&clock)
             .await
             .map_err(JobError::retry)?;
         repo.save().await.map_err(JobError::retry)?;
 
         if count == 0 {
             debug!("no token to clean up");
         } else {
-            info!(count, "cleaned up expired tokens");
+            info!(count, "cleaned up revoked tokens");
         }
 
         Ok(())

crates/tasks/src/database.rs

@@ -121,7 +121,7 @@ pub async fn init(
         .register_handler::<mas_storage::queue::VerifyEmailJob>()
         .add_schedule(
             "cleanup-expired-tokens",
-            "*/15 * * * * *".parse()?,
+            "0 0 * * * *".parse()?,
             mas_storage::queue::CleanupExpiredTokensJob,
         );