# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1697493112 -7200
# Node ID a1c927323f06d71d9e33d06c83d4a967b025f9d6
# Parent  8535a6105919110c78161a49be396b875239881d
mod_tokenauth: Delete grants without tokens after period

Generally it is expected that a grant would have at least one token as
long as the grant is in active use.

Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by
default, so the idea here is that if that refresh token expired and
another week goes by without the grant being used, then the whole grant
can be removed.

diff -r 8535a6105919 -r a1c927323f06 plugins/mod_tokenauth.lua
--- a/plugins/mod_tokenauth.lua	Mon Oct 09 20:28:37 2023 +0200
+++ b/plugins/mod_tokenauth.lua	Mon Oct 16 23:51:52 2023 +0200
@@ -9,6 +9,7 @@
 local token_store = module:open_store("auth_tokens", "keyval+");
 
 local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60);
+local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w");
 
 local function select_role(username, host, role_name)
 	if not role_name then return end
@@ -171,6 +172,13 @@
 			grant.tokens[secret_hash] = nil;
 		end
 	end
+
+	if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime < now then
+		module:log("debug", "Token grant has no tokens, discarding");
+		token_store:set_key(username, grant.id, nil);
+		return nil, "expired";
+	end
+
 	return grant;
 end