Oban cron worker for cleaning up expired tokens.
Runs daily. Deletes tokens older than the maximum TTL for each context:
- "confirm"/"confirm_code": 48 hours
- "reset_password": 1 hour
- "magic_link": 15 minutes
- "session": 60 days
Also callable directly via cleanup_expired_tokens/2 for opportunistic
cleanup during token verification (belt and suspenders).
Threat Mitigation
Uses conservative max TTL values to ensure only truly expired tokens are deleted (T-3-INFRA-02). Never deletes tokens within their TTL.
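The TTL rule described above, as an added example that is not Sigra's own code: a pure-Elixir sketch that splits constructed token rows into delete and keep sets using the per-context maximum TTLs listed on this page. The module name, the `context` and `inserted_at` field names, the strict "older than" boundary, and keeping tokens whose context has no listed TTL are assumptions.

```elixir
# Added illustration; module, function and field names are hypothetical, not Sigra's.
defmodule TokenCleanupSketch do
  # Maximum TTL per context in seconds, taken from the list on this page.
  @max_ttl %{
    "confirm" => 48 * 3600,
    "confirm_code" => 48 * 3600,
    "reset_password" => 3600,
    "magic_link" => 15 * 60,
    "session" => 60 * 86_400
  }

  # Returns {expired, kept}. A token counts as expired only when its age is
  # strictly greater than the max TTL for its context. Contexts without a
  # listed TTL are never selected for deletion (assumption: fail safe).
  def partition(tokens, now) do
    Enum.split_with(tokens, fn %{context: ctx, inserted_at: at} ->
      case Map.fetch(@max_ttl, ctx) do
        {:ok, ttl} -> DateTime.diff(now, at, :second) > ttl
        :error -> false
      end
    end)
  end
end

# Constructed sample rows (not real data).
now = ~U[2024-06-01 12:00:00Z]
ago = fn seconds -> DateTime.add(now, -seconds, :second) end

tokens = [
  %{id: 1, context: "magic_link", inserted_at: ago.(15 * 60)},       # exactly at the TTL
  %{id: 2, context: "magic_link", inserted_at: ago.(15 * 60 + 1)},   # one second past the TTL
  %{id: 3, context: "reset_password", inserted_at: ago.(59 * 60)},   # inside the 1 hour TTL
  %{id: 4, context: "confirm", inserted_at: ago.(49 * 3600)},        # past 48 hours
  %{id: 5, context: "session", inserted_at: ago.(61 * 86_400)},      # past 60 days
  %{id: 6, context: "unlisted_ctx", inserted_at: ago.(365 * 86_400)} # no TTL listed
]

{expired, kept} = TokenCleanupSketch.partition(tokens, now)
IO.inspect(Enum.map(expired, & &1.id), label: "delete")
IO.inspect(Enum.map(kept, & &1.id), label: "keep")
```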
Functions
@spec cleanup_expired_sessions(Sigra.Config.t()) :: :ok
Deletes expired sessions from the database.
Cleans up:
- Standard sessions older than absolute_timeout
- Remember-me sessions older than remember_me_max_age
Parameters
- config - %Sigra.Config{} struct with session configuration
Deletes expired tokens from the database.
Called by the Oban worker on schedule and optionally called opportunistically during token verification.
Parameters
- repo - The Ecto Repo module
- token_schema - The token Ecto schema module
@spec cleanup_mfa_pending_sessions(Sigra.Config.t()) :: :ok
Deletes expired mfa_pending sessions from the database.
Cleans up sessions with type = "mfa_pending" that are older than
the configured pending_timeout (default: 300 seconds / 5 minutes).
Emits [:sigra, :mfa, :pending_expired] telemetry event for each
batch of expired sessions found.
Parameters
- config - %Sigra.Config{} struct with MFA and session configuration
Deletes superseded JWT refresh tokens past retention period.
Cleans up tokens with context "api_refresh" older than 90 days.
Parameters
- repo - The Ecto Repo module
- token_schema - The token Ecto schema module
@spec cleanup_revoked_api_tokens(Sigra.Config.t()) :: :ok
Deletes revoked and expired API tokens past the retention period.
Retention period defaults to 90 days (configurable via api_token[:cleanup_retention]).
Parameters
- config - A %Sigra.Config{} struct with API token configuration