auth/cleanup.ts

Periodic auth cleanup — sweeps expired sessions and permit offers.

Single entry point for consumers scheduling auth maintenance. Internally runs every known sweep and emits the corresponding audit events so consumer code only manages cadence, not per-task wiring.

The per-task primitives remain exported from their home modules (query_session_cleanup_expired, query_permit_offer_sweep_expired); cleanup_expired_permit_offers here wraps the latter with the required permit_offer_expire audit emission and is the piece most likely to be reused in a consumer's bespoke scheduler.

Idempotency: the audit log has no tombstone on permit_offer_expire, so concurrent sweep runs double-audit. The expected deployment pattern is a single scheduled invocation per instance — matching query_session_cleanup_expired.

Declarations

4 declarations


AuthCleanupDeps

Dependencies for the cleanup helpers.

inheritance

extends:

log

type Logger

on_audit_event

Called after each audit event INSERT succeeds. Typically the same callback wired into AppDeps.on_audit_event (SSE broadcast). Omit to skip broadcast — the audit rows still land in the DB.

type ((event: AuditLogEvent) => void) | null

audit_log_config

Audit-log config. Only the builtin permit_offer_expire event type is emitted here, so omitting this is safe — the field exists so consumers threading the same AppDeps bundle to scheduled cleanup keep using their registered config (and consumer extensions to the permit_offer_expire metadata schema get validated).

AuthCleanupResult

Result of run_auth_cleanup.

expired_sessions

Number of expired session rows deleted.

type number

expired_offers

Number of expired permit offer rows audit-stamped.

type number

cleanup_expired_permit_offers

(deps: AuthCleanupDeps): Promise<number>

Sweep expired permit offers and emit one permit_offer_expire audit event per row.

Returns the count of offers audit-stamped. The offer rows themselves are preserved — offers carry audit value for the history view even after expiry, and accepted rows are the provenance for the resulting permit (deleting expired rows would not threaten that, but keeping them uniform with the retention policy for terminal rows is simpler).

deps

returns

Promise<number>

run_auth_cleanup

(deps: AuthCleanupDeps): Promise<AuthCleanupResult>

Run every auth cleanup sweep — expired sessions and expired permit offers — and return the counts.

Consumers call this from a scheduled task (setInterval, cron, etc.) alongside their own domain cleanup. Errors from individual sweeps are re-thrown so the caller's scheduler can log/alert; use the per-task helpers (query_session_cleanup_expired, cleanup_expired_permit_offers) directly if you need finer error isolation.

deps

returns

Promise<AuthCleanupResult>

throws

  • Error - re-thrown from any sweep that fails (no per-sweep isolation here)
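
The page notes that concurrent sweep runs double-audit and that run_auth_cleanup re-throws sweep errors; the following added example (not code from auth/cleanup.ts or its project) shows an in-process guard a consumer's scheduler could put around the call so a slow sweep is never overlapped by the next tick. The names create_single_flight_cleanup, report_failure and interval_ms are hypothetical.

```typescript
// AuthCleanupResult mirrors the two fields documented on this page.
interface AuthCleanupResult {
	expired_sessions: number;
	expired_offers: number;
}

type Sweep = () => Promise<AuthCleanupResult>;

interface SingleFlightCleanup {
	tick: () => Promise<AuthCleanupResult | null>;
	stats: () => {runs: number; skipped: number; failed: number};
}

// Hypothetical helper: allows at most one sweep in flight in this process.
// It does not coordinate across processes or instances.
const create_single_flight_cleanup = (
	sweep: Sweep,
	report_failure: (err: unknown) => void,
): SingleFlightCleanup => {
	let in_flight = false;
	let runs = 0;
	let skipped = 0;
	let failed = 0;
	const tick = async (): Promise<AuthCleanupResult | null> => {
		if (in_flight) {
			skipped++; // previous sweep still running; a second one would double-audit
			return null;
		}
		in_flight = true; // set before the first await, so back-to-back ticks see it
		runs++;
		try {
			return await sweep();
		} catch (err) {
			failed++;
			report_failure(err); // surface the re-thrown error without killing the schedule
			return null;
		} finally {
			in_flight = false; // release on success and on failure
		}
	};
	return {tick, stats: () => ({runs, skipped, failed})};
};

// Assumed wiring in consumer code (deps is an AuthCleanupDeps value):
//   const cleanup = create_single_flight_cleanup(() => run_auth_cleanup(deps), report_failure);
//   setInterval(() => void cleanup.tick(), interval_ms);
```

A rising skipped count in stats() means the interval is shorter than the sweep duration and the cadence should be lengthened.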

Depends on