Add cleanup job for finished OAuth2 sessions

Implements hard deletion of OAuth2 sessions that have been finished for more than 30 days, including their associated access and refresh tokens.
2026-01-22 11:11:17 +01:00
parent 755268ba79
commit 3b0937ca8e
7 changed files with 201 additions and 5 deletions
--- a/crates/storage/src/oauth2/session.rs
+++ b/crates/storage/src/oauth2/session.rs
@@ -1,3 +1,4 @@
+// Copyright 2025, 2026 Element Creations Ltd.
 // Copyright 2024, 2025 New Vector Ltd.
 // Copyright 2022-2024 The Matrix.org Foundation C.I.C.
 //
@@ -461,6 +462,29 @@ pub trait OAuth2SessionRepository: Send + Sync {
        session: Session,
        human_name: Option<String>,
    ) -> Result<Session, Self::Error>;
+
+    /// Cleanup finished [`Session`]s
+    ///
+    /// Deletes sessions finished between `since` and `until`. Returns the
+    /// number of deleted sessions and the timestamp of the last deleted
+    /// session for pagination.
+    ///
+    /// # Parameters
+    ///
+    /// * `since`: The earliest finish time to delete (exclusive). If `None`,
+    ///   starts from the beginning.
+    /// * `until`: The latest finish time to delete (exclusive)
+    /// * `limit`: Maximum number of sessions to delete in this batch
+    ///
+    /// # Errors
+    ///
+    /// Returns [`Self::Error`] if the underlying repository fails
+    async fn cleanup_finished(
+        &mut self,
+        since: Option<DateTime<Utc>>,
+        until: DateTime<Utc>,
+        limit: usize,
+    ) -> Result<(usize, Option<DateTime<Utc>>), Self::Error>;
 }

 repository_impl!(OAuth2SessionRepository:
@@ -526,4 +550,11 @@ repository_impl!(OAuth2SessionRepository:
        session: Session,
        human_name: Option<String>,
    ) -> Result<Session, Self::Error>;
+
+    async fn cleanup_finished(
+        &mut self,
+        since: Option<DateTime<Utc>>,
+        until: DateTime<Utc>,
+        limit: usize,
+    ) -> Result<(usize, Option<DateTime<Utc>>), Self::Error>;
 );
--- a/crates/storage/src/queue/tasks.rs
+++ b/crates/storage/src/queue/tasks.rs
@@ -366,6 +366,14 @@ impl InsertableJob for CleanupFinishedCompatSessionsJob {
    const QUEUE_NAME: &'static str = "cleanup-finished-compat-sessions";
 }

+/// Cleanup finished OAuth 2.0 sessions
+#[derive(Serialize, Deserialize, Debug, Clone, Default)]
+pub struct CleanupFinishedOAuth2SessionsJob;
+
+impl InsertableJob for CleanupFinishedOAuth2SessionsJob {
+    const QUEUE_NAME: &'static str = "cleanup-finished-oauth2-sessions";
+}
+
 /// Cleanup old OAuth 2.0 authorization grants
 #[derive(Serialize, Deserialize, Debug, Clone, Default)]
 pub struct CleanupOAuthAuthorizationGrantsJob;