PAT (personal access token) lifecycle leaves some authorization data behind on certain paths. Splitting these out from the broader cleanup so they can be fixed independently.
1. User delete doesn't remove the user's PATs
deleter.DeleteUser cleans the user's org/group memberships and platform relations, but does not delete the personal access tokens the user owns. Their policies rows and SpiceDB rolebinding tuples persist after the user is gone.
Fix: cascade user delete to the user's PATs (each PAT delete already cleans its own policies/relations via policy.Delete).
2. Expired PATs are never cleaned up
PAT expiry is enforced at auth time, but expired PAT rows and their policies/rolebinding tuples are never removed (no background sweep). They accumulate indefinitely.
Fix: a periodic cleanup that removes expired PATs through the existing PAT delete path.
Checklist
PAT (personal access token) lifecycle leaves some authorization data behind on certain paths. Splitting these out from the broader cleanup so they can be fixed independently.
1. User delete doesn't remove the user's PATs
deleter.DeleteUsercleans the user's org/group memberships and platform relations, but does not delete the personal access tokens the user owns. Theirpoliciesrows and SpiceDB rolebinding tuples persist after the user is gone.Fix: cascade user delete to the user's PATs (each PAT delete already cleans its own policies/relations via
policy.Delete).2. Expired PATs are never cleaned up
PAT expiry is enforced at auth time, but expired PAT rows and their policies/rolebinding tuples are never removed (no background sweep). They accumulate indefinitely.
Fix: a periodic cleanup that removes expired PATs through the existing PAT delete path.
Checklist