letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
NaN Commits 2 Branches 1 Tag
9afb0dd4ce03acdebf0aa6092585d749e190f2af
Commit Graph

2676 Commits

Author SHA1 Message Date
Quentin Gliech
9afb0dd4ce Clean up leftovers in the database schema, part 2 (#5408) 2026-01-23 18:13:29 +01:00
Quentin Gliech
82ba74d34f Clean up unsupported threepids from already deactivated users (#5407) 2026-01-23 17:42:46 +01:00
Quentin Gliech
2425ebda71 Disable cleanup of upstream OAuth sessions 
This job is temporarily disabled due to pending database backfill work.
It will be re-enabled in a future release.
 2026-01-21 12:28:19 +01:00
Quentin Gliech
39e417b461 Only cleanup orphan upstream authorization sessions 
This includes sessions that were never completed, and sessions where
user_session was cleaned up. This is to avoid breaking features like
OIDC Backchannel Logout after 30 days.
 2026-01-21 12:25:42 +01:00
Quentin Gliech
63f02c4dea Track user session authenticated through upstream auth sessions 
This will help us avoid clearing upstream authorization sessions that
might still be useful to keep around for OIDC Backchannel Logouts
 2026-01-21 12:19:05 +01:00
Quentin Gliech
eb76e8d3ae Consume upstream authorization sessions later in the user registration 
flow

The main goal of this is to allow tracking user sessions authed by an
upstream authorization session, but this also has the nice side effect
of allowing 'going back' in browser history within the registration flow
 2026-01-21 12:15:09 +01:00
Quentin Gliech
b9441ba975 Add support for the unstable prefix of MSC3824 (#5434) 2026-01-20 16:32:43 +01:00
Quentin Gliech
7b97321531 Fix foreign key constraint when cleaning up upstream OAuth 2.0 links (#5432) 2026-01-20 16:30:41 +01:00
olivierdelcroix
244ab94e5e add unstable prefix for MSC3824 2026-01-20 15:34:47 +01:00
Quentin Gliech
be00483fb4 Handle deleted and invalid post-auth actions 2026-01-20 14:42:02 +01:00
Quentin Gliech
e7c1f126be Fix foreign key constraint when cleaning up upstream OAuth 2.0 links 
https://sentry.tools.element.io/organizations/element/issues/11222736/
 2026-01-20 14:29:27 +01:00
Quentin Gliech
1254d9f8f0 Mark the next attempt foreign key as initially not valid 2026-01-19 15:44:22 +01:00
Quentin Gliech
1253bbd498 Implement cleanup job for queue jobs 
Add scheduled cleanup job that removes old completed and failed queue
jobs after 30 days. Jobs are kept for debugging purposes.

Includes migration to change the next_attempt_id FK constraint from NO
ACTION to SET NULL, allowing cleanup of retry chains without breaking
foreign key constraints.

One caveat is that cleanup is based on their creation time, *not* when
they got completed/failed. This means that if the job takes a long time
(as in, several days) to get scheduled, it might get cleared as soon as
it runs. This is fine for now, we may want to revisit this if we start
scheduling jobs far in the future
 2026-01-19 12:25:04 +01:00
Quentin Gliech
e7c07a8f88 Implement cleanup jobs for upstream OAuth sessions and links 
Add two cleanup jobs scheduled hourly:

1. Upstream OAuth authorization sessions - removes sessions after 30 days
2. Orphaned upstream OAuth links - removes links after 7 days where user_id IS NULL. These are links created during upstream OAuth 2.0 login but never associated with a user
 2026-01-19 12:24:13 +01:00
Quentin Gliech
f350b94918 Implement cleanup job for email authentications 
Add scheduled cleanup job that removes old user email authentications
after 7 days. Runs every hour.
 2026-01-16 17:56:16 +01:00
Quentin Gliech
e6e793f46f Implement cleanup job for user recovery sessions 
Add scheduled cleanup job that removes old user recovery sessions after
7 days. Runs hourly.

Implementation uses ULID cursor-based pagination with no additional
indexes needed. Child tickets cascade-delete automatically.
 2026-01-16 17:46:01 +01:00
Quentin Gliech
67a0d0e92e Implement cleanup job for OAuth2 device code grants 
Add cleanup job that removes device code grants older than 7 days.
Uses ULID cursor-based pagination for efficiency.

- Add cleanup method to OAuth2DeviceCodeGrantRepository
- Add CleanupOAuthDeviceCodeGrantsJob task
- Register handler and schedule to run hourly
 2026-01-16 17:40:11 +01:00
Quentin Gliech
fc07a32a8c Implement cleanup job for OAuth2 authorization grants 
Add cleanup job that removes authorization grants older than 7 days.
Uses ULID cursor-based pagination for efficiency.

- Add cleanup method to OAuth2AuthorizationGrantRepository trait
- Add CleanupOAuthAuthorizationGrantsJob task
- Register handler and schedule to run hourly
 2026-01-16 17:39:38 +01:00
Quentin Gliech
90a46e2a35 Allow hourly cleanup jobs to run for longer 2026-01-16 11:25:28 +01:00
Quentin Gliech
87f4ec3e80 Cleanup finished compat sessions after 30 days 2026-01-15 12:29:43 +01:00
Quentin Gliech
e8f1ca4038 Adjust the retention period for user registrations to 30 days 2026-01-14 17:51:55 +01:00
Quentin Gliech
3fa53d285e Cleanup old user registrations from the database 2026-01-14 14:01:10 +01:00
Quentin Gliech
d4d4cd7cd1 Remove imported unsupported threepids when deactivating a user (#5406) 2026-01-13 17:30:20 +01:00
Quentin Gliech
186a887125 Hard delete expired, revoked and consumed OAuth 2.0 tokens after some time (#5409) 2026-01-13 17:23:16 +01:00
Quentin Gliech
291accc37d Fix typo in comment 
Co-authored-by: Olivier 'reivilibre' <oliverw@element.io>
 2026-01-13 17:22:48 +01:00
Quentin Gliech
5bfdb4514f Clean up leftovers in the database schema, part 1 (#5405) 2026-01-13 17:22:32 +01:00
Olivier 'reivilibre
74f4e13c61 Support for stable MSC4191 account management actions (#5312) 2026-01-12 12:14:16 +00:00
Olivier 'reivilibre
bb6b5cee93 Support for stable MSC3824 (OAuth 2.0 API aware clients) values (#5321) 2026-01-12 12:08:23 +00:00
Quentin Gliech
5827883979 Apply suggestions from code review 2026-01-12 11:58:19 +01:00
Quentin Gliech
6915878bc6 Apply suggestions from code review 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-01-12 11:57:42 +01:00
Quentin Gliech
f98957617e Cleanup consumed refresh tokens 2026-01-12 11:18:18 +01:00
Quentin Gliech
ab25c23829 Replace the FK constraint on the refresh token chain to nullify the 
field on deletion

This will make garbage collecting refresh tokens easier
 2026-01-12 09:36:52 +01:00
Quentin Gliech
3e521a105d Cleanup revoked refresh tokens 2026-01-09 18:37:09 +01:00
Quentin Gliech
7aad841e04 Handle garbage-collected access tokens in the refresh token logic 
We check if the access token was used when a double-refresh happened,
but can't do that reliably as we started garbage-collecting expired
access tokens
 2026-01-09 18:09:05 +01:00
Quentin Gliech
991c60255e Setup recurring jobs schedules when running in tests 2026-01-09 18:07:44 +01:00
Quentin Gliech
04cbafbc5f Cleanup expired OAuth 2.0 access tokens 2026-01-09 13:38:50 +01:00
Quentin Gliech
73e838ff08 Rename the cleanup revoked access tokens job 
"cleanup-expired-tokens" was not accurate, and since the plan is to have
different jobs for the different kind of tokens, we renamed this job to
use a more accurate description
 2026-01-09 13:36:46 +01:00
Quentin Gliech
ad1910c22e Introduce a way to clear jobs from a deprecated queue 2026-01-09 12:08:20 +01:00
Quentin Gliech
bf2ad55b5c Speed up access token cleanup with an index 2026-01-08 19:03:09 +01:00
Quentin Gliech
fa742bc992 Clean up revoked access tokens in batches 2026-01-08 19:03:09 +01:00
Quentin Gliech
1ac6f9c5ee Allow jobs to declare a timeout and cancel them 2026-01-08 19:03:09 +01:00
Quentin Gliech
1ff44b957b Clean up unused oauth2_consents table 2026-01-08 16:02:07 +01:00
Quentin Gliech
73cfee575d Clean up unsupported threepids from already deactivated users 2026-01-08 15:42:42 +01:00
Quentin Gliech
8c9add00f4 Remove imported unsupported threepids when deactivating a user 2026-01-08 15:33:50 +01:00
Quentin Gliech
215ad75ab2 Cleanup id_token_claims trigger 2026-01-08 15:17:37 +01:00
Quentin Gliech
bc1ca15833 Remove leftovers from OAuth 2.0 consent tracking cleanup 2026-01-08 15:17:37 +01:00
Quentin Gliech
5cdf938129 Remove leftovers from the old email verification system 2026-01-08 15:17:37 +01:00
Quentin Gliech
5067e420c6 Remove leftover in the scheam from apalis 2026-01-08 15:17:25 +01:00
Quentin Gliech
2519f4f229 Don't include integrity attributes on fetch and image preloads 2026-01-05 15:09:41 +01:00
Quentin Gliech
889545fed4 Simplify compat login SSO redirect URI building 2026-01-05 14:44:03 +01:00