Skip to content

use pk instead of id in clear expired tokens #1593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sahama wants to merge 2 commits into
base: master
Choose a base branch
from
Open

use pk instead of id in clear expired tokens #1593

sahama wants to merge 2 commits into from

Conversation

@sahama
Copy link
Contributor

@sahama sahama commented Sep 2, 2025
edited
Loading

Fixes #

Fixing error in clearing expired tokens when custom pk used.

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@codecov
Copy link

codecov bot commented Sep 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@dopry
Copy link
Member

dopry commented Oct 3, 2025

Thanks for creating this PR. To help me review this can you please describe the bug this fixes and provide a test demonstrating the scenario? Also don't forget to add your self to the Authors and update the changelog.

merito
merito reviewed Oct 25, 2025
View reviewed changes
oauth2_provider/models.py

with suppress(access_token_model.DoesNotExist):
access_token_model.objects.get(id=self.access_token_id).revoke()
access_token_model.objects.get(pk=self.access_token_id).revoke()
Copy link
Contributor

@merito merito Oct 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it will work

@dopry
Copy link
Member

dopry commented Oct 31, 2025

@sahama are you willing to complete the work on this PR or should we close it?

@dopry dopry force-pushed the BUGFIX/pk-instead-of-id branch from 4a82f7b to 7217311 Compare January 10, 2026 14:07
@dopry dopry requested a review from Copilot January 10, 2026 14:07
Copilot AI reviewed Jan 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes a bug where the token clearing functionality fails when custom primary keys are used instead of the default id field. The fix changes hardcoded id references to use Django's pk shortcut, which works with any primary key field name.

Changes:

  • Updated AbstractRefreshToken.revoke() to use pk instead of id when revoking related access tokens
  • Updated clear_expired() batch_delete helper to use pk instead of id for token deletion queries

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

oauth2_provider/models.py
Comment on lines +818 to +820
flat_queryset = queryset.values_list("pk", flat=True)[:CLEAR_EXPIRED_TOKENS_BATCH_SIZE]
batch_length = flat_queryset.count()
queryset.model.objects.filter(id__in=list(flat_queryset)).delete()
queryset.model.objects.filter(pk__in=list(flat_queryset)).delete()
Copy link

Copilot AI Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes from id to pk in the batch_delete function are correct for supporting custom primary keys. However, this functionality lacks test coverage for the specific case of custom primary keys. Consider adding a test that verifies the clear_expired function works correctly when models use custom primary key fields (not named 'id'). The existing tests in tests/test_models.py only test with the default BigAutoField primary key.

Copilot uses AI. Check for mistakes.
oauth2_provider/models.py

with suppress(access_token_model.DoesNotExist):
access_token_model.objects.get(id=self.access_token_id).revoke()
access_token_model.objects.get(pk=self.access_token_id).revoke()
Copy link

Copilot AI Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change from id to pk in the revoke method is correct for supporting custom primary keys. However, similar to the clear_expired function, there's no test coverage for the case where AccessToken uses a custom primary key field. Consider adding a test that verifies the refresh token revocation works correctly when the AccessToken model uses a custom primary key.

Copilot uses AI. Check for mistakes.
@dopry dopry force-pushed the BUGFIX/pk-instead-of-id branch from 7217311 to 071ec3b Compare January 10, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@merito merito merito left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sahama @dopry @merito