coolify/app/Jobs/ApiTokenExpirationWarningJob.php

<?php

namespace App\Jobs;

use App\Models\PersonalAccessToken;
use App\Models\Team;
use App\Models\User;
use App\Notifications\ApiTokenExpiringNotification;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldBeEncrypted;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Laravel\Horizon\Contracts\Silenced;

class ApiTokenExpirationWarningJob implements ShouldBeEncrypted, ShouldQueue, Silenced
{
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

    public $tries = 1;

    public $timeout = 120;

    public function handle(): void
    {
        PersonalAccessToken::query()
            ->whereNotNull('expires_at')
            ->where('expires_at', '>', now())
            ->where('expires_at', '<=', now()->addDay())
            ->whereNull('api_token_expiration_warning_sent_at')
            ->where('tokenable_type', User::class)
            ->chunkById(100, function ($tokens) {
                foreach ($tokens as $token) {
                    if (! $token->team_id) {
                        continue;
                    }

                    $team = Team::find($token->team_id);
                    if (! $team) {
                        continue;
                    }

                    $warningSentAt = now();

                    $team->notify(new ApiTokenExpiringNotification($token));

                    $markedAsSent = PersonalAccessToken::query()
                        ->whereKey($token->getKey())
                        ->whereNotNull('expires_at')
                        ->where('expires_at', '>', now())
                        ->where('expires_at', '<=', now()->addDay())
                        ->whereNull('api_token_expiration_warning_sent_at')
                        ->update(['api_token_expiration_warning_sent_at' => $warningSentAt]);

                    if ($markedAsSent !== 1) {
                        continue;
                    }

                    $token->forceFill(['api_token_expiration_warning_sent_at' => $warningSentAt]);
                }
            });
    }
}
feat(security): support expiration on API tokens with warning notifications Add optional expiration to personal API tokens. Users pick a duration (1/7/30/60/90 days or Never) at creation time. Expired tokens are rejected by Sanctum, pruned hourly by sanctum:prune-expired, and a team notification fires ~24h before expiry so owners can rotate before API calls start failing. - ApiTokens Livewire component stores expires_at from expiresInDays - Rework issued-tokens UI from card grid to table (matches other views) - New ApiTokenExpirationWarningJob scheduled hourly (idempotent via RateLimiter) - New ApiTokenExpiringNotification (email/discord/telegram/slack/pushover) - api_token_expiring added to alwaysSendEvents so users cannot silence expiry warnings from the per-event notification toggle UI - sanctum:prune-expired cadence moved from daily to hourly Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-20 12:28:38 +00:00			`<?php`

			`namespace App\Jobs;`

			`use App\Models\PersonalAccessToken;`
			`use App\Models\Team;`
			`use App\Models\User;`
			`use App\Notifications\ApiTokenExpiringNotification;`
			`use Illuminate\Bus\Queueable;`
			`use Illuminate\Contracts\Queue\ShouldBeEncrypted;`
			`use Illuminate\Contracts\Queue\ShouldQueue;`
			`use Illuminate\Foundation\Bus\Dispatchable;`
			`use Illuminate\Queue\InteractsWithQueue;`
			`use Illuminate\Queue\SerializesModels;`
			`use Laravel\Horizon\Contracts\Silenced;`

			`class ApiTokenExpirationWarningJob implements ShouldBeEncrypted, ShouldQueue, Silenced`
			`{`
			`use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;`

			`public $tries = 1;`

			`public $timeout = 120;`

			`public function handle(): void`
			`{`
			`PersonalAccessToken::query()`
			`->whereNotNull('expires_at')`
			`->where('expires_at', '>', now())`
			`->where('expires_at', '<=', now()->addDay())`
fix(api-tokens): persist expiration warning state Track when expiration warnings are sent on personal access tokens so repeated job runs or cache flushes do not send duplicate notifications. 2026-05-13 08:11:40 +00:00			`->whereNull('api_token_expiration_warning_sent_at')`
feat(security): support expiration on API tokens with warning notifications Add optional expiration to personal API tokens. Users pick a duration (1/7/30/60/90 days or Never) at creation time. Expired tokens are rejected by Sanctum, pruned hourly by sanctum:prune-expired, and a team notification fires ~24h before expiry so owners can rotate before API calls start failing. - ApiTokens Livewire component stores expires_at from expiresInDays - Rework issued-tokens UI from card grid to table (matches other views) - New ApiTokenExpirationWarningJob scheduled hourly (idempotent via RateLimiter) - New ApiTokenExpiringNotification (email/discord/telegram/slack/pushover) - api_token_expiring added to alwaysSendEvents so users cannot silence expiry warnings from the per-event notification toggle UI - sanctum:prune-expired cadence moved from daily to hourly Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-20 12:28:38 +00:00			`->where('tokenable_type', User::class)`
			`->chunkById(100, function ($tokens) {`
			`foreach ($tokens as $token) {`
			`if (! $token->team_id) {`
			`continue;`
			`}`
fix(api-tokens): persist expiration warning state Track when expiration warnings are sent on personal access tokens so repeated job runs or cache flushes do not send duplicate notifications. 2026-05-13 08:11:40 +00:00
			`$team = Team::find($token->team_id);`
			`if (! $team) {`
			`continue;`
			`}`

			`$warningSentAt = now();`
fix(api-tokens): mark expiration warning after notification Ensure failed token expiration warning notifications do not persist the warning marker, allowing the job to retry later. 2026-05-13 08:28:32 +00:00
			`$team->notify(new ApiTokenExpiringNotification($token));`

fix(api-tokens): persist expiration warning state Track when expiration warnings are sent on personal access tokens so repeated job runs or cache flushes do not send duplicate notifications. 2026-05-13 08:11:40 +00:00			`$markedAsSent = PersonalAccessToken::query()`
			`->whereKey($token->getKey())`
			`->whereNotNull('expires_at')`
			`->where('expires_at', '>', now())`
			`->where('expires_at', '<=', now()->addDay())`
			`->whereNull('api_token_expiration_warning_sent_at')`
			`->update(['api_token_expiration_warning_sent_at' => $warningSentAt]);`

			`if ($markedAsSent !== 1) {`
			`continue;`
			`}`

			`$token->forceFill(['api_token_expiration_warning_sent_at' => $warningSentAt]);`
feat(security): support expiration on API tokens with warning notifications Add optional expiration to personal API tokens. Users pick a duration (1/7/30/60/90 days or Never) at creation time. Expired tokens are rejected by Sanctum, pruned hourly by sanctum:prune-expired, and a team notification fires ~24h before expiry so owners can rotate before API calls start failing. - ApiTokens Livewire component stores expires_at from expiresInDays - Rework issued-tokens UI from card grid to table (matches other views) - New ApiTokenExpirationWarningJob scheduled hourly (idempotent via RateLimiter) - New ApiTokenExpiringNotification (email/discord/telegram/slack/pushover) - api_token_expiring added to alwaysSendEvents so users cannot silence expiry warnings from the per-event notification toggle UI - sanctum:prune-expired cadence moved from daily to hourly Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-20 12:28:38 +00:00			`}`
			`});`
			`}`
			`}`