Closed authz: clean up rows that have broken `auth_data` in `user_external_accounts`
  • Closed Issue created by Warren Gifford

    Created by: unknwon

    We're experiencing the error `fetch user permissions: ... 401 Bad Credentials` on Sourcegraph Cloud for many users on GitHub.com. My hunch is that those users once authorized the Sourcegraph GitHub app for sign-in and revoked us later on (needs a local reproduction to verify my hypothesis).

    Historically, we never did clean up broken OAuth credentials.

    The problem only appears now because:

    1. Repository permissions were never enforced on Sourcegraph Cloud as we only host public repositories.
    2. People can now add external services freely with private repos. Someone did, which made Sourcegraph Cloud start enforcing repository permissions.

    For the solution, the repo-updater's `PermsSyncer` seems a good fit at first thought, but I feel it is too coupled with repository permissions syncing: broken OAuth credentials should be cleaned up in an independent routine, as repository permissions syncing won't be the only consumer of it (e.g. campaigns might use it at some point).

    TODO

    • Add `expired_at` and `last_valid_at` columns to the `user_external_accounts` table. #15789
    • `PermsSyncer` should take `expired_at` into consideration when reading, and mutate these columns when the OAuth token is still valid or has expired. #16067
    • Have a background routine to periodically check OAuth tokens.
    2 of 3 checklist items completed
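
The three TODO items above, sketched as one pass of a periodic check (an added example, not Sourcegraph's code). Only `expired_at` and `last_valid_at` come from the issue; `Account`, `CheckAccounts`, `Usable`, `ErrBadCredentials` and the `validate` hook are hypothetical names, and the in-memory slice stands in for the `user_external_accounts` table.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Account holds the two columns proposed in the issue; all other names are hypothetical.
type Account struct {
	Token       string
	ExpiredAt   *time.Time // set when the code host rejects the token
	LastValidAt *time.Time // set when the code host accepts the token
}

// ErrBadCredentials stands in for a "401 Bad Credentials" response (assumed sentinel).
var ErrBadCredentials = errors.New("401 Bad Credentials")

// CheckAccounts is one pass of the check; validate (hypothetical) calls the code host.
func CheckAccounts(accts []*Account, validate func(token string) error, now time.Time) int {
	expired := 0
	for _, a := range accts {
		switch err := validate(a.Token); {
		case err == nil:
			a.LastValidAt = &now
		case errors.Is(err, ErrBadCredentials):
			a.ExpiredAt = &now
			expired++
		default:
			// Timeout, rate limit or 5xx: change nothing, an outage must not expire every credential.
		}
	}
	return expired // number of accounts marked expired in this pass
}

// Usable is the read-side filter a consumer such as PermsSyncer would apply.
func Usable(a *Account) bool { return a.ExpiredAt == nil }

func main() {
	// Constructed sample: one valid token, one revoked token.
	accts := []*Account{{Token: "good"}, {Token: "revoked"}}
	n := CheckAccounts(accts, func(tok string) error {
		if tok == "revoked" {
			return ErrBadCredentials
		}
		return nil
	}, time.Now())
	fmt.Println(n, Usable(accts[0]), Usable(accts[1]))
}
```

Treating only an explicit credential rejection as expiry keeps a transient code host failure from locking every user out of their private repositories.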
