chore: keep refresh_token table trimmed

We don't need to keep the full family tree of a refresh_token. We only need the current active token and its parent. Delete the oldToken's parent from the refresh_token table when a new token is minted.
supabase · Jan 30, 2025 · 1bb3e9b · 1bb3e9b
1 parent 1f06f58
commit 1bb3e9b
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/internal/models/refresh_token.go b/internal/models/refresh_token.go
@@ -159,6 +159,15 @@ func createRefreshToken(tx *storage.Connection, user *User, oldToken *RefreshTok
 		return nil, errors.Wrap(err, "error creating refresh token")
 	}
 
+	// destroy the parent of the oldToken to keep the token_family tree trimmed
+	// there only ever needs to be two entries, the current token and its parent
+	if oldToken != nil && oldToken.Parent.String() != "" {
+		tablename := (&pop.Model{Value: RefreshToken{}}).TableName()
+		if err := tx.RawQuery(`delete from `+tablename+` where session_id = ? and token = ?;`, token.SessionId, oldToken.Parent.String()).Exec(); err != nil {
+			return nil, errors.Wrap(err, "error removing expired refresh_token parent")
+		}
+	}
+
 	if err := user.UpdateLastSignInAt(tx); err != nil {
 		return nil, errors.Wrap(err, "error update user`s last_sign_in field")
 	}