Clean up user_auth_token_logs?

RGJ · September 13, 2024, 5:30pm

We have a forum where user_auth_token_logs has 61 million rows (and growing).

There are only 25k user_auth_tokens.

Of the 61 million rows, 54 million rows refer to an user_auth_token that does not exist anymore (i.e. a database integrity issue). And of the 61 million rows, around 58 million are older than 2 months (i.e. seemingly useless?)

Questions:

Could we just clean this up without risking further integrity issues?
Would it be an idea to have a job clean this up automatically?

db=# select count(*) from user_auth_tokens;
 count 
-------
 25648

db=# select count(*) from user_auth_token_logs;
  count   
----------
 61415352

db=# select count(*) from user_auth_token_logs where user_auth_token_id not in (select id from user_auth_tokens);
  count   
----------
 54558442

db=# select count(*) from user_auth_token_logs where created_at < '2024-07-13';
  count   
----------
 58565943

pmusaraj · September 13, 2024, 6:22pm

Yes, user_auth_token_logs are there only for debugging purposes. All rows can be emptied, the only consequence will be that you won’t have any logs to debug.

This should be covered by:

github.com

discourse/discourse/blob/main/app/jobs/scheduled/weekly.rb#L13


      
          module Jobs
            # This job will run on a regular basis to update statistics and denormalized data.
            # If it does not run, the site will not function properly.
            class Weekly < ::Jobs::Scheduled
              every 1.week
          
              def execute(args)
                ScoreCalculator.new.calculate
                MiniScheduler::Stat.purge_old
                Draft.cleanup!
                UserAuthToken.cleanup!
                Email::Cleaner.delete_rejected!
                Notification.purge_old!
                Bookmark.cleanup!
              end
            end
          end

RGJ · September 13, 2024, 7:07pm

Thank you for that, I did not realize that was there.

So… the cleanup only runs when verbose_auth_token_logging is true (which is not the case on this instance)

but non-verbose logging always happens regardless of the setting

github.com

discourse/discourse/blob/main/app/models/user_auth_token.rb#L29-L35


      
          def self.log(info)
            UserAuthTokenLog.create!(info)
          end
          
          def self.log_verbose(info)
            log(info) if SiteSetting.verbose_auth_token_logging
          end

per 8fb823c

Moving this to bug

pmusaraj · September 13, 2024, 7:45pm

Ah yes, good catch. Looks like lines 214 to 217 need fixing as well.

I would be comfortable with a global cleanup after a certain timeframe. @osama (since you’re the author of the commit linked above), do you think we can clean up all of these logs after some time (and if so, after how long)? It sounds like we need to keep some of them for detecting suspicious logins.

RGJ · September 13, 2024, 10:16pm

Why does it need fixing? That piece of code is about cleaning up rotated UserAuthTokens, not about the log records?

Update: after enabling SiteSetting.verbose_auth_token_logging, triggering the weekly job and running VACUUM FULL user_auth_token_logs the table went from 16GB to 687MB

Saved some trees today

Osama · September 16, 2024, 8:15pm

Yes, I think we can clean up most of the logs, but some of them have to stay. Specifically, I think any records that have suspicious, generate, or rotate for action will need to be kept around because they’re used for detecting and generating reports for suspicious logins.

github.com

discourse/discourse/blob/501f07ab1fceafcfa56bbfc074951d03d7d30d22/app/models/concerns/reports/suspicious_logins.rb#L38


      
              title: I18n.t("reports.suspicious_logins.labels.login_time"),
            },
          ]
          
          report.data = []
          
          sql = <<~SQL
            SELECT u.id user_id, u.username, u.uploaded_avatar_id, t.client_ip, t.user_agent, t.created_at login_time
            FROM user_auth_token_logs t
            JOIN users u ON u.id = t.user_id
            WHERE t.action = 'suspicious'
              AND t.created_at >= :start_date
              AND t.created_at <= :end_date
            ORDER BY t.created_at DESC
          SQL
          
          DB
            .query(sql, start_date: report.start_date, end_date: report.end_date)
            .each do |row|
              data = {}

github.com

discourse/discourse/blob/501f07ab1fceafcfa56bbfc074951d03d7d30d22/app/models/user_auth_token.rb#L61


      
              Math.sin((lat2_rad - lat1_rad) / 2)**2 +
                Math.cos(lat1_rad) * Math.cos(lat2_rad) * Math.sin((lon2_rad - lon1_rad) / 2)**2
            c = 2 * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a))
          
            c * EARTH_RADIUS_KM
          end
          
          def self.is_suspicious(user_id, user_ip)
            return false unless User.find_by(id: user_id)&.staff?
          
            ips = UserAuthTokenLog.where(user_id: user_id).pluck(:client_ip)
            ips.delete_at(ips.index(user_ip) || ips.length) # delete one occurrence (current)
            ips.uniq!
            return false if ips.empty? # first login is never suspicious
          
            if user_location = login_location(user_ip)
              ips.none? do |ip|
                if location = login_location(ip)
                  distance(user_location, location) < SiteSetting.max_suspicious_distance_km
                end
              end

JonahAragon1 · August 8, 2025, 4:11pm

I’m seeing on my forum this bug was never fixed

The suspicious logins report seems to only apply to staff members, is there a reason these logs need to be kept for non-admins?

For the report to work, does it need data from the beginning of the account’s history? Can the log be shortened to something like the past 6 months?

Right now there is no cleanup whatsoever, which is a privacy concern.

RGJ · August 8, 2025, 4:31pm

I don’t understand the above discussion either.

The bug is very simple: if the mode is not verbose, then no cleanup of UserAuthTokenLog is performed at all, ever. The if must go.

The original implementation only logged when SiteSetting.verbose_auth_token_logging is true. Which still had the problem that after disabling it, the most recent remaining logs would stay, but that’s a small thing.

But this change made the logging unconditional (“The generate, rotate and suspicious auth token logs are now always logged regardless of the verbose_auth_token_logging setting”).

TLDR; That change forgot to make the removal unconditional as well.

sam · August 11, 2025, 2:47am

Sure we will get it sorted over the next few weeks, if there is a rush feel free to shoot through a pr (that is tested and confirm this works as expected)

RGJ · August 13, 2025, 10:05am

I’ve made a PR Fix: cleanup UserAuthTokenLog unconditionally by communiteq · Pull Request #34288 · discourse/discourse · GitHub, would be cool if this made the cut for 3.5

RGJ · August 14, 2025, 5:23am

And it seems I was beaten to it

github.com/discourse/discourse

FIX: Automatically clean up user_auth_token_logs

main ← jonaharagon:patch-1

opened 04:11PM - 10 Aug 25 UTC

jonaharagon

+45 -25

Fixes: https://meta.discourse.org/t/clean-up-user-auth-token-logs/326397?u=jonah…aragon1 Currently (since 2021 when this logging was [made unconditional](https://github.com/discourse/discourse/commit/8fb823c30f7fd3086f4370c2dc6e4e3737ae6acf)) all user IP addresses and user agent strings for all forum users are continuously logged and never cleared. Keeping unnecessary PII is a massive liability for us, so I hope this can be merged ASAP. I observe (in my user archive download) this indefinite logging does not happen on Meta, presumably because you have _verbose_ logging enabled, but it does happen on virtually all Discourse-hosted and self-hosted sites, which indicates to me this is unintended behavior. I should not have to enable verbose logging to _decrease_ the amount of logging here, but that is what I had to do as a temporary solution. This change will keep the logs for a few months by default. I can find no reason the logs should be kept longer, _especially_ as they only seem to be used for a feature (suspicious login reporting) which currently only applies to staff accounts and not regular users. cc: @OsamaSayegh

pmusaraj · August 14, 2025, 5:13pm

Indeed, that PR is now merged thanks to @Osama. It addresses most types of user_auth_token_logs, but not all of them, we will follow up with a fix for the generate entries shortly. (See the discussion in the PR link above for more context).

I’m going to keep this topic open while we address the follow up.

Topic		Replies	Views
User anonymization and staff_action_logs Support	7	687	September 8, 2021
Logging checked_for_custom_avatar Bug	8	1081	January 2, 2015
How to remove admin logs Support	15	2455	November 15, 2023
Is there a limit to user_auth_token? Support	4	538	July 9, 2021
Reset all login tokens Feature	7	2153	May 20, 2016

Clean up user_auth_token_logs?

Related topics