From b1a0bb16dbfdb782fc9c6f974c2fe3e602070451 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann <jakob.ackermann@overleaf.com>
Date: Mon, 18 May 2026 10:28:35 +0200
Subject: [PATCH] [migrations] delete expired oauth access tokens after 24h
 (#33575)

Co-authored-by: Brian Gough <brian.gough@overleaf.com>
GitOrigin-RevId: 7f67a7e6949472c66f5f75a6053161d8e359f5df
---
 ...0260511104500_expire_oauthAccessTokens.mjs | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 tools/migrations/20260511104500_expire_oauthAccessTokens.mjs

diff --git a/tools/migrations/20260511104500_expire_oauthAccessTokens.mjs b/tools/migrations/20260511104500_expire_oauthAccessTokens.mjs
new file mode 100644
index 0000000000..103d9e9f96
--- /dev/null
+++ b/tools/migrations/20260511104500_expire_oauthAccessTokens.mjs
@@ -0,0 +1,29 @@
+import Helpers from './lib/helpers.mjs'
+
+const tags = ['server-ce', 'server-pro', 'saas']
+
+// Distinguish between access token not found and access token expired for 24h after expiry.
+const oneDayInSeconds = 24 * 60 * 60
+
+const indexes = [
+  {
+    name: 'accessTokenExpiresAt_1',
+    key: { accessTokenExpiresAt: 1 },
+    partialFilterExpression: { accessTokenExpiresAt: { $exists: true } },
+    expireAfterSeconds: oneDayInSeconds,
+  },
+]
+
+const migrate = async ({ db }) => {
+  await Helpers.addIndexesToCollection(db.oauthAccessTokens, indexes)
+}
+
+const rollback = async ({ db }) => {
+  await Helpers.dropIndexesFromCollection(db.oauthAccessTokens, indexes)
+}
+
+export default {
+  tags,
+  migrate,
+  rollback,
+}