[4.x] Clean up expired impersonation tokens instead of just aborting, add command for cleaning up expired tokens (#1387)

This PR makes the expired/invalid tenant impersonation tokens get deleted instead of just aborting with 403. The PR also adds a command (ClearExpiredImpersonationTokens) used like `php artisan tenants:purge-impersonation-tokens`. As the name suggests, it clears all expired impersonation tokens (= tokens older than `UserImpersonation::$ttl`). Resolves #1348 --------- Co-authored-by: Samuel Štancl <samuel@archte.ch>
2025-12-12 20:34:03 +00:00 · 2025-10-28 14:14:52 +01:00 · 2025-10-28 14:14:52 +01:00 · 0dc187510b
commit 0dc187510b
parent 469595534e
4 changed files with 161 additions and 2 deletions
--- a/src/Commands/PurgeImpersonationTokens.php
+++ b/src/Commands/PurgeImpersonationTokens.php
@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Stancl\Tenancy\Commands;
+
+use Illuminate\Console\Command;
+use Stancl\Tenancy\Features\UserImpersonation;
+
+/**
+ * Clears expired impersonation tokens.
+ *
+ * Tokens older than UserImpersonation::$ttl are considered expired.
+ *
+ * @see Stancl\Tenancy\Features\UserImpersonation
+ */
+class PurgeImpersonationTokens extends Command
+{
+    protected $signature = 'tenants:purge-impersonation-tokens';
+
+    protected $description = 'Clear expired impersonation tokens.';
+
+    public function handle(): int
+    {
+        $this->components->info('Deleting expired impersonation tokens.');
+
+        $expirationDate = now()->subSeconds(UserImpersonation::$ttl);
+
+        $impersonationTokenModel = UserImpersonation::modelClass();
+
+        $deletedTokenCount = $impersonationTokenModel::where('created_at', '<', $expirationDate)
+            ->delete();
+
+        $this->components->info($deletedTokenCount . ' expired impersonation ' . str('token')->plural($deletedTokenCount) . ' deleted.');
+
+        return 0;
+    }
+}
--- a/src/Features/UserImpersonation.php
+++ b/src/Features/UserImpersonation.php
@ -44,12 +44,20 @@ class UserImpersonation implements Feature

        $tokenExpired = $token->created_at->diffInSeconds(now()) > $ttl;

-        abort_if($tokenExpired, 403);
+        if ($tokenExpired) {
+            $token->delete();
+
+            abort(403);
+        }

        $tokenTenantId = (string) $token->getAttribute(Tenancy::tenantKeyColumn());
        $currentTenantId = (string) tenant()->getTenantKey();

-        abort_unless($tokenTenantId === $currentTenantId, 403);
+        if ($tokenTenantId !== $currentTenantId) {
+            $token->delete();
+
+            abort(403);
+        }

        Auth::guard($token->auth_guard)->loginUsingId($token->user_id, $token->remember);

--- a/src/TenancyServiceProvider.php
+++ b/src/TenancyServiceProvider.php
@ -119,6 +119,7 @@ class TenancyServiceProvider extends ServiceProvider
            Commands\MigrateFresh::class,
            Commands\ClearPendingTenants::class,
            Commands\CreatePendingTenants::class,
+            Commands\PurgeImpersonationTokens::class,
            Commands\CreateUserWithRLSPolicies::class,
        ]);