Bug: Expired tokens not being deleted with .where('expires_at', '<=', new Date()) #71

@SOG-web

Description

In the JoseJwtSessionManager class, there's an issue with the cleanup of expired refresh tokens. The query to delete expired tokens is not working properly:

await this.knex(AuthRefreshTokensTable)
  .where('expires_at', '<=', new Date())
  .delete();

This query is not successfully deleting expired tokens, likely due to issues with how JavaScript's Date objects are being converted to the database's date format.

Location

File: libs/auth/src/session/jose-jwt.ts
Lines: 152-158, 248-253, 285-290

Expected Behavior

Expired tokens should be deleted from the database when they expire.

Current Behavior

Expired tokens are not being deleted from the database, causing token accumulation over time.

Possible Fixes

  1. Use a raw SQL query with proper date formatting:
     await this.knex.raw(`DELETE FROM ${AuthRefreshTokensTable} WHERE expires_at <= ?`, [new Date()]);
  2. Use Knex's date formatting functions:
     await this.knex(AuthRefreshTokensTable)
       .where('expires_at', '<=', this.knex.fn.now())
       .delete();
  3. Format the date explicitly before using it in the query:
     const now = new Date();
     await this.knex(AuthRefreshTokensTable)
       .where('expires_at', '<=', now.toISOString())
       .delete();

Impact

This issue can lead to database bloat as expired tokens accumulate over time. It may also impact performance of token-related operations and potentially cause memory issues if the table grows too large.
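
An added example, not code from the issue or the project: it models in plain JavaScript how a `<=` filter on `expires_at` can select the wrong rows when the bound value and the stored value use different representations, and compares that with normalising both sides first. The SQLite-style ordering rule, the three storage formats, the sample rows and all function names are assumptions; the issue does not name the database or the column type.

```javascript
// Added illustration, not code from the issue or the project.
// Assumption: SQLite-style ordering, where every number sorts before every
// text value and text is compared character by character.
function storedLessOrEqual(stored, bound) {
  const rank = (v) => (typeof v === 'number' ? 0 : 1);
  if (rank(stored) !== rank(bound)) return rank(stored) < rank(bound);
  return stored <= bound;
}

// Constructed sample rows: rows 1-3 expired at 2024-01-01T00:00:00Z,
// row 4 is still valid at NOW.
const rows = [
  { id: 1, expires_at: '2024-01-01 00:00:00' },      // SQL datetime text, UTC
  { id: 2, expires_at: '2024-01-01T00:00:00.000Z' }, // ISO 8601 text
  { id: 3, expires_at: 1704067200000 },              // epoch milliseconds
  { id: 4, expires_at: '2024-01-01 23:00:00' },      // not expired at NOW
];
const NOW = new Date('2024-01-01T12:00:00.000Z');

// What "WHERE expires_at <= ?" selects when the bound value is compared as-is.
function naiveExpiredIds(tokenRows, bound) {
  return tokenRows
    .filter((r) => storedLessOrEqual(r.expires_at, bound))
    .map((r) => r.id);
}

// Convert any of the three representations to epoch milliseconds.
// Text without a zone designator is taken as UTC (assumption).
function toEpochMs(value) {
  if (typeof value === 'number') return value;
  let text = String(value).trim().replace(' ', 'T');
  if (!/(Z|[+-]\d{2}:?\d{2})$/i.test(text)) text += 'Z';
  const ms = Date.parse(text);
  if (Number.isNaN(ms)) throw new Error(`unparseable expires_at: ${value}`);
  return ms;
}

// Expiry decided on one representation, independent of how the row was stored.
function expiredIds(tokenRows, now) {
  return tokenRows
    .filter((r) => toEpochMs(r.expires_at) <= now.getTime())
    .map((r) => r.id);
}

console.log(naiveExpiredIds(rows, NOW.getTime()));     // bound as a number
console.log(naiveExpiredIds(rows, NOW.toISOString())); // bound as ISO text
console.log(expiredIds(rows, NOW));                    // normalised comparison
```

Under these assumptions a numeric bound selects only row 3, so the text rows are never cleaned up, while an ISO text bound also selects row 4, which is still valid. The normalised comparison selects rows 1 to 3.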

Labels: auth, bug (Something isn't working)