Implement cleanup job for OAuth2 authorization grants

Add cleanup job that removes authorization grants older than 7 days. Uses ULID cursor-based pagination for efficiency. - Add cleanup method to OAuth2AuthorizationGrantRepository trait - Add CleanupOAuthAuthorizationGrantsJob task - Register handler and schedule to run hourly
2026-01-16 12:30:19 +01:00
parent 1b7fe64165
commit fc07a32a8c
6 changed files with 178 additions and 2 deletions
--- a/crates/storage/src/oauth2/authorization_grant.rs
+++ b/crates/storage/src/oauth2/authorization_grant.rs
@@ -1,3 +1,4 @@
+// Copyright 2025, 2026 Element Creations Ltd.
 // Copyright 2024, 2025 New Vector Ltd.
 // Copyright 2021-2024 The Matrix.org Foundation C.I.C.
 //
@@ -127,6 +128,30 @@ pub trait OAuth2AuthorizationGrantRepository: Send + Sync {
        clock: &dyn Clock,
        authorization_grant: AuthorizationGrant,
    ) -> Result<AuthorizationGrant, Self::Error>;
+
+    /// Cleanup old authorization grants
+    ///
+    /// This will delete authorization grants with IDs up to and including
+    /// `until`. Uses ULID cursor-based pagination for efficiency.
+    ///
+    /// Returns the number of grants deleted and the cursor for the next batch
+    ///
+    /// # Parameters
+    ///
+    /// * `since`: The cursor to start from (exclusive), or `None` to start from
+    ///   the beginning
+    /// * `until`: The maximum ULID to delete (inclusive upper bound)
+    /// * `limit`: The maximum number of grants to delete in this batch
+    ///
+    /// # Errors
+    ///
+    /// Returns [`Self::Error`] if the underlying repository fails
+    async fn cleanup(
+        &mut self,
+        since: Option<Ulid>,
+        until: Ulid,
+        limit: usize,
+    ) -> Result<(usize, Option<Ulid>), Self::Error>;
 }

 repository_impl!(OAuth2AuthorizationGrantRepository:
@@ -163,4 +188,11 @@ repository_impl!(OAuth2AuthorizationGrantRepository:
        clock: &dyn Clock,
        authorization_grant: AuthorizationGrant,
    ) -> Result<AuthorizationGrant, Self::Error>;
+
+    async fn cleanup(
+        &mut self,
+        since: Option<Ulid>,
+        until: Ulid,
+        limit: usize,
+    ) -> Result<(usize, Option<Ulid>), Self::Error>;
 );
--- a/crates/storage/src/queue/tasks.rs
+++ b/crates/storage/src/queue/tasks.rs
@@ -366,6 +366,14 @@ impl InsertableJob for CleanupFinishedCompatSessionsJob {
    const QUEUE_NAME: &'static str = "cleanup-finished-compat-sessions";
 }

+/// Cleanup old OAuth 2.0 authorization grants
+#[derive(Serialize, Deserialize, Debug, Clone, Default)]
+pub struct CleanupOAuthAuthorizationGrantsJob;
+
+impl InsertableJob for CleanupOAuthAuthorizationGrantsJob {
+    const QUEUE_NAME: &'static str = "cleanup-oauth-authorization-grants";
+}
+
 /// Scheduled job to expire inactive sessions
 ///
 /// This job will trigger jobs to expire inactive compat, oauth and user