# `Sigra.Workers.TokenCleanup`
[🔗](https://github.com/sztheory/sigra/blob/v1.20.0/lib/sigra/workers/token_cleanup.ex#L2)

Oban cron worker for cleaning up expired tokens.

Runs daily. Deletes tokens older than the maximum TTL for each context:

- `"confirm"` / `"confirm_code"`: 48 hours
- `"reset_password"`: 1 hour
- `"magic_link"`: 15 minutes
- `"session"`: 60 days

Also callable directly via `cleanup_expired_tokens/2` for opportunistic
cleanup during token verification (belt and suspenders).

## Threat Mitigation

Uses conservative max TTL values to ensure only truly expired tokens
are deleted (T-3-INFRA-02). Never deletes tokens within their TTL.
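
The per-context rule above, as an added example that is not Sigra's own code: a token is selected for deletion only when its age is strictly greater than the maximum TTL listed for its context. The `context` and `inserted_at` field names, the `CleanupSketch` module, and the choice to keep rows whose context is not in the table are assumptions of this sketch.

```elixir
defmodule CleanupSketch do
  # Max TTL per context in seconds, copied from the list in this page.
  @max_ttl %{
    "confirm" => 48 * 3600,
    "confirm_code" => 48 * 3600,
    "reset_password" => 3600,
    "magic_link" => 15 * 60,
    "session" => 60 * 24 * 3600
  }

  @doc "True only when the token is strictly older than its context's max TTL."
  def expired?(%{context: context, inserted_at: inserted_at}, now) do
    case Map.fetch(@max_ttl, context) do
      {:ok, ttl} -> DateTime.diff(now, inserted_at, :second) > ttl
      # Assumption: a context without a listed TTL is never deleted here.
      :error -> false
    end
  end

  @doc "Splits tokens into {to_delete, to_keep} relative to `now`."
  def partition(tokens, now), do: Enum.split_with(tokens, &expired?(&1, now))
end

# Fixed clock so the run is reproducible.
now = ~U[2024-06-01 12:00:00Z]
ago = fn seconds -> DateTime.add(now, -seconds, :second) end

# Constructed sample rows (hypothetical field names, not Sigra's schema).
tokens = [
  %{id: 1, context: "magic_link", inserted_at: ago.(16 * 60)},
  # Age equals the TTL exactly, so it is not "older than" the TTL.
  %{id: 2, context: "magic_link", inserted_at: ago.(15 * 60)},
  %{id: 3, context: "reset_password", inserted_at: ago.(2 * 3600)},
  %{id: 4, context: "session", inserted_at: ago.(59 * 24 * 3600)},
  %{id: 5, context: "confirm", inserted_at: ago.(49 * 3600)},
  # Context outside the table above: left for its own cleanup path.
  %{id: 6, context: "api_refresh", inserted_at: ago.(365 * 24 * 3600)}
]

{to_delete, to_keep} = CleanupSketch.partition(tokens, now)
IO.inspect(Enum.map(to_delete, & &1.id), label: "delete")
IO.inspect(Enum.map(to_keep, & &1.id), label: "keep")
```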

# `cleanup_expired_sessions`

```elixir
@spec cleanup_expired_sessions(Sigra.Config.t()) :: :ok
```

Deletes expired sessions from the database.

Cleans up:
- Standard sessions older than `absolute_timeout`
- Remember-me sessions older than `remember_me_max_age`

## Parameters

- `config` - `%Sigra.Config{}` struct with session configuration

# `cleanup_expired_tokens`

```elixir
@spec cleanup_expired_tokens(module(), module()) :: :ok
```

Deletes expired tokens from the database.

Called by the Oban worker on schedule and optionally called
opportunistically during token verification.

## Parameters

- `repo` - The Ecto Repo module
- `token_schema` - The token Ecto schema module

# `cleanup_mfa_pending_sessions`

```elixir
@spec cleanup_mfa_pending_sessions(Sigra.Config.t()) :: :ok
```

Deletes expired `mfa_pending` sessions from the database.

Cleans up sessions with `type = "mfa_pending"` that are older than
the configured `pending_timeout` (default: 300 seconds / 5 minutes).

Emits a `[:sigra, :mfa, :pending_expired]` telemetry event for each
batch of expired sessions found.

## Parameters

- `config` - `%Sigra.Config{}` struct with MFA and session configuration

# `cleanup_refresh_tokens`
*since 0.7.0* 

```elixir
@spec cleanup_refresh_tokens(module(), module()) :: :ok
```

Deletes superseded JWT refresh tokens past the retention period.

Cleans up tokens with context `"api_refresh"` older than 90 days.

## Parameters

- `repo` - The Ecto Repo module
- `token_schema` - The token Ecto schema module

# `cleanup_revoked_api_tokens`
*since 0.7.0* 

```elixir
@spec cleanup_revoked_api_tokens(Sigra.Config.t()) :: :ok
```

Deletes revoked and expired API tokens past the retention period.

Retention period defaults to 90 days (configurable via `api_token[:cleanup_retention]`).

## Parameters

- `config` - A `%Sigra.Config{}` struct with API token configuration

---

*Consult [api-reference.md](api-reference.md) for complete listing*
