vc-authn-oidc
Consider mongo DB auth_session document clean up
For each presentation request that is created an auth_session document is created in the Mongo store. As the page is left open, the refresh of expired requests creates a new one each refresh as well.
If a VC Authn instance gets very high usage (or people leave the page open forever) this collection could get large. While Mongo should be able to handle this, we might have concerns about PVC size blowing up keeping all these records around.
Could consider
- This is not a problem, just let disk space get high (they are small records so it would need lots of usage)
- Instead of keeping the expired proof_status ones around delete them? (might not be accommodated on the frontend...) But then there's still all the verified and other status ones staying around forever
- Some cleanup job?
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I plan to make use of MongoDB's time to live collection feature to ensure that we only keep one for a configurable time interval. For now an hour should be more than enough. We can fine tune this later to better fit our user requirements.
Add TTL to authsession document
https://www.mongodb.com/docs/manual/tutorial/expire-data/
AuthSessionCRUD
diff --git a/oidc-controller/api/authSessions/models.py b/oidc-controller/api/authSessions/models.py
index 65fe13d..72284fd 100644
--- a/oidc-controller/api/authSessions/models.py
+++ b/oidc-controller/api/authSessions/models.py
@@ -29,7 +29,7 @@ class AuthSessionBase(BaseModel):
pyop_auth_code: str
response_url: str
presentation_request_msg: Optional[dict] = None
-
+ created_at: datetime = Field(default=datetime.now())
model_config = ConfigDict(populate_by_name=True)
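Review bot: `Field(default=datetime.now())` on the added `created_at` line calls `datetime.now()` once, when the class is defined, so every auth session created by that process gets the same timestamp. Once the process has been running for longer than the TTL, new sessions would be eligible for deletion almost immediately. Use `Field(default_factory=...)` so the value is computed per document, and prefer `datetime.now(timezone.utc)`, since a naive local time is stored by the driver as if it were UTC and shifts the expiry by the host's offset. No `datetime` import is visible in this hunk; confirm models.py has one.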
diff --git a/oidc-controller/api/db/session.py b/oidc-controller/api/db/session.py
index b7c88d0..2316cd4 100644
--- a/oidc-controller/api/db/session.py
+++ b/oidc-controller/api/db/session.py
@@ -22,6 +22,7 @@ async def init_db():
auth_session = db.get_collection(COLLECTION_NAMES.AUTH_SESSION)
auth_session.create_index([("pres_exch_id", ASCENDING)], unique=True)
auth_session.create_index([("pyop_auth_code", ASCENDING)], unique=True)
+ auth_session.create_index([("created_at", ASCENDING)], expireAfterSeconds=3600)
async def get_db():
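Review bot: `expireAfterSeconds=3600` is hard-coded in the new `create_index` call, although the stated plan was a configurable interval; read it from settings. The index also has no `partialFilterExpression`, so it expires sessions in every `proof_status`, and documents written before this change have no `created_at` field and will never be expired by it. If the value is changed later, `create_index` on an existing index with a different `expireAfterSeconds` raises an options conflict instead of updating it, so plan for `collMod` or a drop and recreate.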
Filtering based on status
We may want to keep the verified proof requests https://www.mongodb.com/docs/manual/tutorial/expire-data/
db.foo.createIndex(
{ F: 1 },
{
name: "Partial-TTL-Index",
partialFilterExpression: { D : 1 },
expireAfterSeconds: 10
}
)
Here we create a filter which matches for when D==1
Here we create the index with a filter. In our case we would filter where proof_status is AuthSessionState.EXPIRED
This way we are only discarding the expired auth sessions.
We could create an additional index that will also match against
partialFilterExpression={ "proof_status": { "$not": { "$eq": AuthSessionState.VERIFIED } } }
My current plan is to expand this to support a json configuration file.
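
One way the JSON-configured TTL indexes mentioned above could be loaded and checked before they reach `create_index`; this is an added example, not code from vc-authn-oidc. The config keys (`name`, `field`, `expire_after_seconds`, `filter`) and the status strings are assumptions, and the operator list is the one MongoDB documents for `partialFilterExpression`, which does not include `$not`.

```python
import json

# Operators MongoDB documents as valid in partialFilterExpression
# ($or and $in need MongoDB 6.0 or later).
ALLOWED_OPS = {"$eq", "$exists", "$gt", "$gte", "$lt", "$lte",
               "$type", "$and", "$or", "$in"}

def check_filter(expr, path="partialFilterExpression"):
    """Raise ValueError if expr uses an operator partial indexes reject."""
    if isinstance(expr, list):
        for i, item in enumerate(expr):
            check_filter(item, f"{path}[{i}]")
    elif isinstance(expr, dict):
        for key, value in expr.items():
            if key.startswith("$") and key not in ALLOWED_OPS:
                raise ValueError(f"{path}: {key} is not supported in a partial index")
            if key == "$exists" and value is not True:
                raise ValueError(f"{path}: only $exists: true is supported")
            check_filter(value, f"{path}.{key}")

def load_ttl_indexes(raw):
    """Return [(keys, kwargs)] suitable for collection.create_index(keys, **kwargs)."""
    specs = []
    for entry in json.loads(raw):
        ttl = entry["expire_after_seconds"]
        if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl < 0:
            raise ValueError(f"{entry['name']}: expire_after_seconds must be an integer >= 0")
        kwargs = {"name": entry["name"], "expireAfterSeconds": ttl}
        if "filter" in entry:
            check_filter(entry["filter"])
            kwargs["partialFilterExpression"] = entry["filter"]
        specs.append(([(entry["field"], 1)], kwargs))  # 1 is pymongo.ASCENDING
    return specs

# Constructed sample config: expire only sessions whose proof_status is "expired"
# (assumed string value of AuthSessionState.EXPIRED).
SAMPLE = '''[
  {"name": "ttl-expired", "field": "created_at", "expire_after_seconds": 3600,
   "filter": {"proof_status": {"$eq": "expired"}}}
]'''

# Constructed config using $not; the loader rejects it before index creation.
REJECTED = '''[
  {"name": "ttl-not-verified", "field": "created_at", "expire_after_seconds": 3600,
   "filter": {"proof_status": {"$not": {"$eq": "verified"}}}}
]'''
```

To expire everything except verified sessions, list the other states explicitly with `$in` rather than negating.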