Too eager app and app token creation and no clean up #429

Open
opened 2025-01-28 18:21:19 +00:00 by Oneric · 0 comments
Member

I was wondering about an ever growing amount of null-user oauth_tokens and registrations as well as apps in the database.

As it turns out ever since switching to Mastodon API for registrations, akkoma-fe/pleroma-fe creates an app and requests an app-token on page load even if no login or registration attempt is ever made. This means, each visitor just looking at a post creates a new app, oauth_authorisation token and oauth_token in the database.
Additionally it seems like app tokens aren’t being revoked on logout unlike user-level tokens.
(oauth_authorisations being created at all for this and also never being cleaned up are backend inefficiencies though, but the main issue is in the frontend)

Afaict registration is the only time app tokens actually get used, so imho akkoma-fe should:

  • only create an app on login/registration
  • only create an app token on registration
  • only create a user-level token on login
  • clean up both user-level and app token on logout if present

iceshrimp.NET’s soft-fork happens to include a patch to delay app creation to login, which isn’t a full fix but brings some relief, though this might break registrations (idk if iceshrimp.NET even supports registration via akkoma-fe): https://iceshrimp.dev/iceshrimp/akkoma-fe/commit/0e25b94186436c420fbd55d9316c9c7ed555bcff

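The client behaviour the four bullet points ask for, sketched as an added JavaScript example (this is not akkoma-fe code and not the iceshrimp patch). The endpoints are the Mastodon-API ones the issue is about (`/api/v1/apps`, `/oauth/token`, `/oauth/revoke`, `/api/v1/accounts`); the synchronous `transport` stand-in, the in-memory fake server, the `password` grant for login and the `example-frontend` client name are assumptions made so the flow can be run offline and the leftover database rows counted.

```javascript
// Added example: a lazy OAuth client session for a Mastodon-API backend.
// Not akkoma-fe code. `transport(method, path, body, token)` is an injected,
// synchronous stand-in for HTTP (assumption: a real client wraps fetch/await).

const APP_PARAMS = {
  client_name: "example-frontend", // constructed client name
  redirect_uris: "urn:ietf:wg:oauth:2.0:oob",
  scopes: "read write follow",
};

class OAuthClientSession {
  constructor(transport) {
    this.transport = transport;
    this.app = null;       // { client_id, client_secret } from POST /api/v1/apps
    this.appToken = null;  // client_credentials token, only needed for registration
    this.userToken = null; // user-level token from login or registration
  }

  // Nothing is created on page load: only login/register call this.
  ensureApp() {
    if (!this.app) this.app = this.transport("POST", "/api/v1/apps", APP_PARAMS);
    return this.app;
  }

  // Registration is the one flow that needs an app-scoped token.
  register(username, password, email) {
    const { client_id, client_secret } = this.ensureApp();
    this.appToken = this.transport("POST", "/oauth/token", {
      grant_type: "client_credentials", client_id, client_secret,
    }).access_token;
    // Account creation is authenticated with the app token and hands back a user token.
    this.userToken = this.transport("POST", "/api/v1/accounts",
      { username, password, email, agreement: true }, this.appToken).access_token;
    return this.userToken;
  }

  // Login only needs a user-level token (password grant, as assumed here).
  login(username, password) {
    const { client_id, client_secret } = this.ensureApp();
    this.userToken = this.transport("POST", "/oauth/token", {
      grant_type: "password", username, password, client_id, client_secret,
    }).access_token;
    return this.userToken;
  }

  // Logout revokes *both* tokens if present, so nothing dangles server-side.
  logout() {
    for (const key of ["userToken", "appToken"]) {
      if (!this[key]) continue;
      this.transport("POST", "/oauth/revoke", {
        client_id: this.app.client_id, client_secret: this.app.client_secret, token: this[key],
      });
      this[key] = null;
    }
  }
}

// The reported behaviour, for contrast: app + app token on every page view.
function eagerPageLoad(session) {
  const { client_id, client_secret } = session.ensureApp();
  session.appToken = session.transport("POST", "/oauth/token",
    { grant_type: "client_credentials", client_id, client_secret }).access_token;
}

// Constructed in-memory server that records what each client leaves in the database.
function makeFakeServer() {
  const db = { apps: [], tokens: [] };
  let n = 0;
  const transport = (method, path, body) => {
    if (path === "/api/v1/apps") {
      const app = { client_id: `app${++n}`, client_secret: `secret${n}` };
      db.apps.push(app);
      return app;
    }
    if (path === "/oauth/token" || path === "/api/v1/accounts") {
      // App tokens have no user attached: these are the "null-user" rows.
      const user = path === "/api/v1/accounts" || body.grant_type === "password" ? body.username : null;
      const tok = { access_token: `tok${++n}`, user };
      db.tokens.push(tok);
      return tok;
    }
    if (path === "/oauth/revoke") {
      db.tokens = db.tokens.filter((t) => t.access_token !== body.token);
      return {};
    }
    throw new Error(`unexpected ${method} ${path}`);
  };
  return { db, transport };
}

// Run a scenario against a fresh server and report what is left behind.
function leftoverAfter(scenario) {
  const { db, transport } = makeFakeServer();
  scenario(new OAuthClientSession(transport));
  return {
    apps: db.apps.length,
    tokens: db.tokens.length,
    nullUserTokens: db.tokens.filter((t) => t.user === null).length,
  };
}

console.log(leftoverAfter(eagerPageLoad)); // { apps: 1, tokens: 1, nullUserTokens: 1 }
console.log(leftoverAfter(() => {}));      // { apps: 0, tokens: 0, nullUserTokens: 0 }
```

`leftoverAfter` makes the difference measurable: a visitor who only reads a post leaves zero rows with the lazy session but one app and one null-user token with the eager behaviour, and a login or registration followed by `logout()` leaves only the app row, since both tokens are revoked.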
Oneric changed title from Too eager app and app token creation and never cleans them up to Too eager app and app token creation and no clean up 2025-01-28 19:00:00 +00:00
Reference: AkkomaGang/akkoma-fe#429