From b4d3f2e648db3c768cd07cdd42812cbafa7ae59f Mon Sep 17 00:00:00 2001
From: Toby Zerner <toby.zerner@gmail.com>
Date: Sat, 5 Dec 2015 15:24:05 +1030
Subject: [PATCH] Garbage-collect email/password/auth tokens. closes #217

---
 framework/core/src/Http/AbstractServer.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/framework/core/src/Http/AbstractServer.php b/framework/core/src/Http/AbstractServer.php
index e85f93d61..a2d5cd5d8 100644
--- a/framework/core/src/Http/AbstractServer.php
+++ b/framework/core/src/Http/AbstractServer.php
@@ -10,6 +10,9 @@
 
 namespace Flarum\Http;
 
+use Flarum\Core\AuthToken;
+use Flarum\Core\EmailToken;
+use Flarum\Core\PasswordToken;
 use Flarum\Foundation\Application;
 use Zend\Diactoros\Server;
 use Flarum\Foundation\AbstractServer as BaseAbstractServer;
@@ -45,6 +48,12 @@ abstract class AbstractServer extends BaseAbstractServer
     {
         if ($this->hitsLottery()) {
             AccessToken::whereRaw('last_activity <= ? - lifetime', [time()])->delete();
+
+            $earliestToKeep = date('Y-m-d H:i:s', time() - 24 * 60 * 60);
+
+            EmailToken::where('created_at', '<=', $earliestToKeep)->delete();
+            PasswordToken::where('created_at', '<=', $earliestToKeep)->delete();
+            AuthToken::where('created_at', '<=', $earliestToKeep)->delete();
         }
     }