Update the query used for authorizations pruning to exclude all authorizations that still have tokens attached

kevinchalet · kevinchalet · commit 6cb8af00d9ea · 2025-02-12T22:05:19.000+01:00
diff --git a/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs b/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs
@@ -347,12 +347,11 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     ValueTask PopulateAsync(object authorization, OpenIddictAuthorizationDescriptor descriptor, CancellationToken cancellationToken = default);
 
     /// <summary>
-    /// Removes the authorizations that are marked as invalid and the ad-hoc ones that have no token attached.
+    /// Removes the authorizations that are marked as invalid and don't have any token attached.
     /// Only authorizations created before the specified <paramref name="threshold"/> are removed.
     /// </summary>
     /// <remarks>
-    /// To ensure ad-hoc authorizations that no longer have any valid/non-expired token
-    /// attached are correctly removed, the tokens should always be pruned first.
+    /// Since authorizations with tokens still attached are not deleted, tokens should always be pruned first.
     /// </remarks>
     /// <param name="threshold">The date before which authorizations are not pruned.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
diff --git a/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs b/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs
@@ -232,12 +232,11 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
         TState state, CancellationToken cancellationToken);
 
     /// <summary>
-    /// Removes the authorizations that are marked as invalid and the ad-hoc ones that have no token attached.
+    /// Removes the authorizations that are marked as invalid and don't have any token attached.
     /// Only authorizations created before the specified <paramref name="threshold"/> are removed.
     /// </summary>
     /// <remarks>
-    /// To ensure ad-hoc authorizations that no longer have any valid/non-expired token
-    /// attached are correctly removed, the tokens should always be pruned first.
+    /// Since authorizations with tokens still attached are not deleted, tokens should always be pruned first.
     /// </remarks>
     /// <param name="threshold">The date before which authorizations are not pruned.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
@@ -521,8 +521,8 @@ public virtual async ValueTask<long> PruneAsync(DateTimeOffset threshold, Cancel
             var authorizations =
                 await (from authorization in Authorizations.Include(authorization => authorization.Tokens)
                        where authorization.CreationDate < date
-                       where authorization.Status != Statuses.Valid ||
-                            (authorization.Type == AuthorizationTypes.AdHoc && !authorization.Tokens.Any())
+                       where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+                       where !authorization.Tokens.Any()
                        orderby authorization.Id
                        select authorization).Take(1_000).ToListAsync(cancellationToken);
 
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
@@ -605,8 +605,8 @@ public virtual async ValueTask<long> PruneAsync(DateTimeOffset threshold, Cancel
                     var count = await
                         (from authorization in Authorizations
                          where authorization.CreationDate < date
-                         where authorization.Status != Statuses.Valid ||
-                              (authorization.Type == AuthorizationTypes.AdHoc && !authorization.Tokens.Any())
+                         where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+                         where !authorization.Tokens.Any()
                          orderby authorization.Id
                          select authorization).Take(1_000).ExecuteDeleteAsync(cancellationToken);
 
@@ -643,8 +643,8 @@ orderby authorization.Id
                     var authorizations = await
                         (from authorization in Authorizations.Include(authorization => authorization.Tokens).AsTracking()
                          where authorization.CreationDate < date
-                         where authorization.Status != Statuses.Valid ||
-                              (authorization.Type == AuthorizationTypes.AdHoc && !authorization.Tokens.Any())
+                         where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+                         where !authorization.Tokens.Any()
                          orderby authorization.Id
                          select authorization).Take(1_000).ToListAsync(cancellationToken);
 
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs
@@ -422,8 +422,8 @@ public virtual async ValueTask<long> PruneAsync(DateTimeOffset threshold, Cancel
                    join token in database.GetCollection<OpenIddictMongoDbToken>(Options.CurrentValue.TokensCollectionName).AsQueryable()
                               on authorization.Id equals token.AuthorizationId into tokens
                    where authorization.CreationDate < threshold.UtcDateTime
-                   where authorization.Status != Statuses.Valid ||
-                        (authorization.Type == AuthorizationTypes.AdHoc && !tokens.Any())
+                   where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+                   where !tokens.Any()
                    select authorization.Id).ToListAsync(cancellationToken);
 
         // Note: to avoid generating delete requests with very large filters, a buffer is used here and the
diff --git a/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs b/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs
@@ -59,10 +59,8 @@ public async Task Execute(IJobExecutionContext context)
 
         try
         {
-            // Note: this background task is responsible for automatically removing orphaned tokens/authorizations
-            // (i.e tokens that are no longer valid and ad-hoc authorizations that have no valid tokens associated).
-            // Import: since tokens associated to ad-hoc authorizations are not removed as part of the same operation,
-            // the tokens MUST be deleted before removing the ad-hoc authorizations that no longer have any token.
+            // Important: since authorizations that still have tokens attached are never
+            // pruned, the tokens MUST be deleted before deleting the authorizations.
 
             if (!_options.CurrentValue.DisableTokenPruning)
             {

Original file line number	Diff line number	Diff line change
`@@ -59,10 +59,8 @@ public async Task Execute(IJobExecutionContext context)`
`59`	`59`
`60`	`60`	`try`
`61`	`61`	`{`
`62`		`- // Note: this background task is responsible for automatically removing orphaned tokens/authorizations`
`63`		`- // (i.e tokens that are no longer valid and ad-hoc authorizations that have no valid tokens associated).`
`64`		`- // Import: since tokens associated to ad-hoc authorizations are not removed as part of the same operation,`
`65`		`- // the tokens MUST be deleted before removing the ad-hoc authorizations that no longer have any token.`
	`62`	`+ // Important: since authorizations that still have tokens attached are never`
	`63`	`+ // pruned, the tokens MUST be deleted before deleting the authorizations.`
`66`	`64`
`67`	`65`	`if (!_options.CurrentValue.DisableTokenPruning)`
`68`	`66`	`{`