Automatically Destroy IndieAuth Tokens
If you’re running WordPress and use the wonderful IndieAuth plugin to issue tokens for all of your IndieWeb services, here’s how you can automatically invalidate—destroy, in fact—these tokens.
Why? Some applications will automatically log you out after an hour or so and ask you to authorize the app again, resulting in a freshly issued token, and another one, and so on. Tokens never expire, and the list grows quite long really fast.
While bulk removing them is possible, WP Admin may have a hard time deleting a very long list of tokens—because of query string limits, or simply because doing so consumes a lot of memory.
Anyway, the function below runs daily and will destroy both unused tokens and any tokens issued over a month ago. (Make sure to replace username with, well, your username. The code goes into functions.php, or into a new plugin, of course.)
    // Schedule the daily cleanup event if it isn't scheduled yet.
    if ( false === wp_next_scheduled( 'clear_old_tokens' ) ) {
        wp_schedule_event( time(), 'daily', 'clear_old_tokens' );
    }

    add_action( 'clear_old_tokens', function() {
        // Do nothing if the IndieAuth plugin's Token_User class isn't loaded.
        if ( ! class_exists( 'Token_User' ) ) {
            return;
        }

        $user = get_user_by( 'login', 'username' );

        if ( false === $user ) {
            return;
        }

        // Maximum time since a token was last accessed.
        $diff = MONTH_IN_SECONDS;

        $t      = new Token_User( '_indieauth_token_', $user->ID );
        $tokens = $t->get_all();

        if ( ! is_array( $tokens ) || empty( $tokens ) ) {
            return;
        }

        foreach ( $tokens as $key => $token ) {
            if ( ! isset( $token['last_accessed'] ) ) {
                // Token was never used.
                $t->destroy( $key );
            } else {
                $time      = (int) $token['last_accessed'];
                $time_diff = time() - $time;

                // Token was last accessed more than a month ago.
                if ( $time_diff > 0 && $time_diff > $diff ) {
                    $t->destroy( $key );
                }
            }
        }
    } );
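An added example, not part of the original post or the IndieAuth plugin: a standalone dry run of the same selection rules, so you can see which tokens the daily job would remove before letting it delete anything. It goes one step further than the code above by sparing never-used tokens issued within the last day; the `issued_at` field name and the one-day grace period are assumptions, and the token data is constructed.

```php
<?php
// Added example: runs without WordPress. All token data below is constructed.
const MONTH = 30 * 86400; // same value as WordPress's MONTH_IN_SECONDS

/**
 * Decide what the cleanup would do with one token.
 * 'last_accessed' is the field the post's code reads; 'issued_at' is an assumed field name.
 */
function classify_token( array $token, int $now, int $max_idle = MONTH, int $grace = 86400 ): string {
	if ( ! isset( $token['last_accessed'] ) ) {
		// Never used. Keep it only while it is inside the grace period, so a
		// token handed out shortly before the daily run is not removed.
		$issued = isset( $token['issued_at'] ) ? (int) $token['issued_at'] : 0;
		return ( $now - $issued <= $grace ) ? 'keep: new, not used yet' : 'destroy: never used';
	}
	$idle = $now - (int) $token['last_accessed'];
	if ( $idle < 0 ) {
		return 'keep: last_accessed is in the future'; // clock skew or bad data
	}
	return ( $idle > $max_idle ) ? 'destroy: idle over a month' : 'keep: recently used';
}

/** Dry run: map each token key to a decision without deleting anything. */
function plan_cleanup( array $tokens, int $now ): array {
	$plan = array();
	foreach ( $tokens as $key => $token ) {
		$plan[ $key ] = classify_token( $token, $now );
	}
	return $plan;
}

// Constructed sample tokens (keys are made up).
$now    = 1700000000;
$tokens = array(
	'aaa' => array( 'issued_at' => $now - 3600 ),
	'bbb' => array( 'issued_at' => $now - 5 * 86400 ),
	'ccc' => array( 'issued_at' => $now - 90 * 86400, 'last_accessed' => $now - 45 * 86400 ),
	'ddd' => array( 'issued_at' => $now - 90 * 86400, 'last_accessed' => $now - 2 * 86400 ),
	'eee' => array( 'last_accessed' => $now + 600 ),
);

foreach ( plan_cleanup( $tokens, $now ) as $key => $decision ) {
	printf( "%s  %s\n", $key, $decision );
}
```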