Purge or prevent OAuth tokens with no user id
Following the recent security update, I deleted all OAuth tokens, but I noticed there was a huge number (a bit more than 300k) of tokens where user_id is NULL.
In comparison, I had slightly more than 3k valid OAuth tokens (with user_id set).
You can find the count on your instance with the following SQL: select count(id) from oauth_tokens where user_id is null;
I’ve yet to understand why these tokens without user_id exist.
@lanodan told me those exist because of Mastodon applications that don’t work with our MastoAPI implementation (citation needed).
Ideally we should prevent those from existing in the first place, but in case we can’t, having a purge would be good. I’m not sure if this is a security issue, but it is still concerning.
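Added example, not from the original issue or the project it concerns, showing how an admin could inspect and purge these rows in psql before a proper fix lands. The table and column names oauth_tokens and user_id are taken from the post; app_id, inserted_at and valid_until are assumed columns, so check the real schema (\d oauth_tokens) before running any of this.

```sql
-- Added example; not code from the original issue. oauth_tokens / user_id are
-- from the post; app_id, inserted_at and valid_until are ASSUMED column names.

-- 1. Reproduce the count from the post.
SELECT count(id) FROM oauth_tokens WHERE user_id IS NULL;

-- 2. Break the user-less tokens down by client application and age, to see
--    which app is creating them and how many are still inside their validity window.
SELECT app_id,
       count(*)                                    AS tokens,
       min(inserted_at)                            AS oldest,
       max(inserted_at)                            AS newest,
       count(*) FILTER (WHERE valid_until > now()) AS still_valid
FROM oauth_tokens
WHERE user_id IS NULL
GROUP BY app_id
ORDER BY tokens DESC;

-- 3. Purge inside a transaction so the affected row count can be checked against
--    step 1 before committing. Tokens inserted in the last hour are kept, in case a
--    client is mid-flow and about to attach a user to a freshly issued token.
BEGIN;
DELETE FROM oauth_tokens
WHERE user_id IS NULL
  AND inserted_at < now() - interval '1 hour';
-- psql prints "DELETE n"; if n is far from the expected count, ROLLBACK instead.
COMMIT;

-- 4. Optional prevention (assumption: no legitimate flow on this deployment needs
--    a token without a user). If some app-only flow does rely on user-less tokens,
--    skip this and keep the periodic purge from step 3 instead.
ALTER TABLE oauth_tokens ALTER COLUMN user_id SET NOT NULL;
```

Step 2 is the part worth running before deleting anything: if nearly all of the rows come from one app_id, that points at the client behaviour the post suspects, and the still_valid column tells you whether the rows are merely clutter or tokens that could still be presented to the API.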