garbage collect expired tfa tokens, fixes #2399

Closes #2399

Merge request studip/studip!1592

lib/cronjobs/garbage_collector.class.php

@@ -176,5 +176,11 @@ class GarbageCollectorJob extends CronJob
         if ($removed > 0 && $parameters['verbose']) {
             printf(_('Gelöschte Terminblöcke: %u') . "\n", $removed);
         }
+
+        // Remove expired tfa tokens
+        TFAToken::deleteBySQL(
+            'mkdate < UNIX_TIMESTAMP() - ?',
+            [TFASecret::getGreatestValidityDuration()]
+        );
     }
 }

lib/models/TFASecret.php

@@ -58,6 +58,24 @@ class TFASecret extends SimpleORMap
         $t = self::TYPES[$type];
         return $t['window'] * $t['period'];
     }
+
+    /**
+     * Returns the greatest validity duration for all defined types.
+     *
+     * @return int
+     */
+    public static function getGreatestValidityDuration(): int
+    {
+        $validity_duration = 0;
+        foreach (self::TYPES as $type) {
+            $duration = $type['window'] * $type['period'];
+            if ($duration > $validity_duration) {
+                $validity_duration = $duration;
+            }
+        }
+        return $validity_duration;
+    }
+
     /**
      * Overwrites the SORM setNew() method. This will create the secret string.
      *