This adds three new scheduled cleanup jobs that clear the last_active_ip
field from sessions that have been inactive for more than 30 days:
- CleanupInactiveOAuth2SessionIpsJob
- CleanupInactiveCompatSessionIpsJob
- CleanupInactiveUserSessionIpsJob
This helps with data minimization by not retaining IP addresses longer
Implements hard deletion of user/browser sessions that have been finished for more than 30 days, but only after all child sessions are cleaned up.
User sessions can only be deleted when no child sessions exist, ensuring backchannel logout propagation continues to work correctly.
Change compat_sessions.user_session_id FK from ON DELETE SET NULL to ON DELETE NO ACTION. This prevents deletion of user_sessions while compat_sessions still reference them, which is critical for backchannel logout propagation.
When an upstream IdP sends a backchannel logout, MAS must trace through:
upstream_oauth_authorization_sessions -> user_sessions -> compat_sessions
If user_session_id links are SET NULL, logout propagation fails.
Uses two-step migration (DROP+ADD NOT VALID, then VALIDATE) to minimize table locking during deployment.
Introduce a new trigger and a backfill migration to populate the
`user_session_id` column in `upstream_oauth_authorization_sessions`
based on `user_session_authentications`. This ensures historical data is
consistent and aids in backward compatibility.
This includes sessions that were never completed, and sessions where
user_session was cleaned up. This is to avoid breaking features like
OIDC Backchannel Logout after 30 days.
flow
The main goal of this is to allow tracking user sessions authed by an
upstream authorization session, but this also has the nice side effect
of allowing 'going back' in browser history within the registration flow
Add scheduled cleanup job that removes old completed and failed queue
jobs after 30 days. Jobs are kept for debugging purposes.
Includes migration to change the next_attempt_id FK constraint from NO
ACTION to SET NULL, allowing cleanup of retry chains without breaking
foreign key constraints.
One caveat is that cleanup is based on their creation time, *not* when
they got completed/failed. This means that if the job takes a long time
(as in, several days) to get scheduled, it might get cleared as soon as
it runs. This is fine for now, we may want to revisit this if we start
scheduling jobs far in the future
