Job to clean up old challenges

tonkku107 · tonkku107 · commit ac9cf37196fd · 2025-03-15T15:40:10.000+02:00
diff --git a/crates/storage-pg/.sqlx/query-8977b2a7dfb1de2cdb917be1a07b3f660e90d610aa74813ac0fdd2a3439a2e99.json b/crates/storage-pg/.sqlx/query-8977b2a7dfb1de2cdb917be1a07b3f660e90d610aa74813ac0fdd2a3439a2e99.json
diff --git a/crates/storage-pg/src/user/passkey.rs b/crates/storage-pg/src/user/passkey.rs
@@ -4,7 +4,7 @@
 // Please see LICENSE in the repository root for full details.
 
 use async_trait::async_trait;
-use chrono::{DateTime, Utc};
+use chrono::{DateTime, Duration, Utc};
 use mas_data_model::{BrowserSession, User, UserPasskey, UserPasskeyChallenge};
 use mas_storage::{
     Clock, Page, Pagination,
@@ -600,4 +600,29 @@ impl UserPasskeyRepository for PgUserPasskeyRepository<'_> {
         user_passkey_challenge.completed_at = Some(completed_at);
         Ok(user_passkey_challenge)
     }
+
+    #[tracing::instrument(
+        name = "db.user_passkey.cleanup_challenges",
+        skip_all,
+        fields(
+            db.query.text,
+        ),
+        err,
+    )]
+    async fn cleanup_challenges(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error> {
+        // Cleanup challenges that were created more than an hour ago
+        let threshold = clock.now() - Duration::microseconds(60 * 60 * 1000 * 1000);
+        let res = sqlx::query!(
+            r#"
+                DELETE FROM user_passkey_challenges
+                WHERE created_at < $1
+            "#,
+            threshold,
+        )
+        .traced()
+        .execute(&mut *self.conn)
+        .await?;
+
+        Ok(res.rows_affected().try_into().unwrap_or(usize::MAX))
+    }
 }
diff --git a/crates/storage/src/queue/tasks.rs b/crates/storage/src/queue/tasks.rs
@@ -325,6 +325,14 @@ impl InsertableJob for CleanupExpiredTokensJob {
     const QUEUE_NAME: &'static str = "cleanup-expired-tokens";
 }
 
+/// Cleanup old passkey challenges
+#[derive(Serialize, Deserialize, Debug, Clone, Default)]
+pub struct CleanupOldPasskeyChallenges;
+
+impl InsertableJob for CleanupOldPasskeyChallenges {
+    const QUEUE_NAME: &'static str = "cleanup-old-passkey-challenges";
+}
+
 /// Scheduled job to expire inactive sessions
 ///
 /// This job will trigger jobs to expire inactive compat, oauth and user
diff --git a/crates/storage/src/user/passkey.rs b/crates/storage/src/user/passkey.rs
@@ -254,6 +254,19 @@ pub trait UserPasskeyRepository: Send + Sync {
         clock: &dyn Clock,
         user_passkey_challenge: UserPasskeyChallenge,
     ) -> Result<UserPasskeyChallenge, Self::Error>;
+
+    /// Cleanup old challenges
+    ///
+    /// Returns the number of challenges that were cleaned up
+    ///
+    /// # Parameters
+    ///
+    /// * `clock`: The clock used to get the current time
+    ///
+    /// # Errors
+    ///
+    /// Returns [`Self::Error`] if the underlying repository fails
+    async fn cleanup_challenges(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
 }
 
 repository_impl!(UserPasskeyRepository:
@@ -314,4 +327,6 @@ repository_impl!(UserPasskeyRepository:
         clock: &dyn Clock,
         user_passkey_challenge: UserPasskeyChallenge,
     ) -> Result<UserPasskeyChallenge, Self::Error>;
+
+    async fn cleanup_challenges(&mut self, clock: &dyn Clock) -> Result<usize, Self::Error>;
 );
diff --git a/crates/tasks/src/database.rs b/crates/tasks/src/database.rs
@@ -7,7 +7,9 @@
 //! Database-related tasks
 
 use async_trait::async_trait;
-use mas_storage::queue::{CleanupExpiredTokensJob, PruneStalePolicyDataJob};
+use mas_storage::queue::{
+    CleanupExpiredTokensJob, CleanupOldPasskeyChallenges, PruneStalePolicyDataJob,
+};
 use tracing::{debug, info};
 
 use crate::{
@@ -63,3 +65,27 @@ impl RunnableJob for PruneStalePolicyDataJob {
         Ok(())
     }
 }
+
+#[async_trait]
+impl RunnableJob for CleanupOldPasskeyChallenges {
+    #[tracing::instrument(name = "job.cleanup_old_passkey_challenges", skip_all, err)]
+    async fn run(&self, state: &State, _context: JobContext) -> Result<(), JobError> {
+        let clock = state.clock();
+        let mut repo = state.repository().await.map_err(JobError::retry)?;
+
+        let count = repo
+            .user_passkey()
+            .cleanup_challenges(&clock)
+            .await
+            .map_err(JobError::retry)?;
+        repo.save().await.map_err(JobError::retry)?;
+
+        if count == 0 {
+            debug!("no challenges to clean up");
+        } else {
+            info!(count, "cleaned up old challenges");
+        }
+
+        Ok(())
+    }
+}
diff --git a/crates/tasks/src/lib.rs b/crates/tasks/src/lib.rs
@@ -144,6 +144,7 @@ pub async fn init(
         .register_handler::<mas_storage::queue::ExpireInactiveOAuthSessionsJob>()
         .register_handler::<mas_storage::queue::ExpireInactiveUserSessionsJob>()
         .register_handler::<mas_storage::queue::PruneStalePolicyDataJob>()
+        .register_handler::<mas_storage::queue::CleanupOldPasskeyChallenges>()
         .add_schedule(
             "cleanup-expired-tokens",
             "0 0 * * * *".parse()?,
@@ -160,6 +161,11 @@ pub async fn init(
             // Run once a day
             "0 0 2 * * *".parse()?,
             mas_storage::queue::PruneStalePolicyDataJob,
+        )
+        .add_schedule(
+            "cleanup-old-passkey-challenges",
+            "0 0 * * * *".parse()?,
+            mas_storage::queue::CleanupOldPasskeyChallenges,
         );
 
     task_tracker.spawn(worker.run());
