Description
We don't have anything clearing out old password reset or project invite tokens. From #3920 (review):
An issue that should be fixed is to think about how these email tokens are invalidated. Right now a token is only invalidated when it is used and it's still valid. That means if a token is never used, or it's used once it's expired, it will never be deleted. Cleaning up a token when it's used but expired is pretty easy, but cleaning up an expired token which you never hear from is a little more difficult. Basically you need a function like CleanupAllExpiredTokens(), and then this function should be called periodically. The simple solution is to call that function somewhere you're already touching tokens, e.g. when a new token is created also clean up tokens, or maybe when validating/fetching a token from the db. The downside is that if this function is slow it will directly affect the user experience; it will also likely run far more often than needed. The other solution, which I would use, is to create an aspnet HostedService and just run an infinite loop with an n day delay which calls CleanupAllExpiredTokens. I'd also make sure it runs that function at startup.
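One shape the hosted-service option described above could take, as an added example that is not the project's own code: an ASP.NET Core BackgroundService that sweeps expired password reset and project invite tokens once at startup and then once a day. ITokenStore and its two delete methods are hypothetical stand-ins for the project's real repository, and the primary-constructor syntax assumes C# 12.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

// Hypothetical repository abstraction; the project's real token store is assumed to
// offer something equivalent. Deleting every row whose expiry is already in the past
// covers tokens that were never used as well as tokens presented only after expiry.
public interface ITokenStore
{
    Task<int> DeleteExpiredPasswordResetTokensAsync(DateTimeOffset now, CancellationToken ct);
    Task<int> DeleteExpiredProjectInviteTokensAsync(DateTimeOffset now, CancellationToken ct);
}
// Register with services.AddHostedService<ExpiredTokenCleanupService>().
public sealed class ExpiredTokenCleanupService(
    IServiceScopeFactory scopes, ILogger<ExpiredTokenCleanupService> log) : BackgroundService
{
    private static readonly TimeSpan Interval = TimeSpan.FromDays(1); // the "n day delay"
    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        // First sweep runs immediately at startup, then once per Interval until shutdown.
        while (!stoppingToken.IsCancellationRequested)
        {
            try
            {
                await CleanupAllExpiredTokensAsync(stoppingToken);
            }
            catch (Exception ex) when (!stoppingToken.IsCancellationRequested)
            {
                // A failed sweep must not end the loop; the next pass simply retries.
                log.LogError(ex, "Expired token cleanup failed");
            }
            // Throws OperationCanceledException on shutdown, which the host treats as a normal stop.
            await Task.Delay(Interval, stoppingToken);
        }
    }
    private async Task CleanupAllExpiredTokensAsync(CancellationToken ct)
    {
        // The store is scoped (e.g. DbContext-backed) while a hosted service is a singleton, so resolve it per sweep.
        using var scope = scopes.CreateScope();
        var store = scope.ServiceProvider.GetRequiredService<ITokenStore>();
        var now = DateTimeOffset.UtcNow;
        int reset = await store.DeleteExpiredPasswordResetTokensAsync(now, ct);
        int invite = await store.DeleteExpiredProjectInviteTokensAsync(now, ct);
        log.LogInformation("Deleted {Reset} expired reset and {Invite} expired invite tokens", reset, invite);
    }
}
```

Because the sweep keys on expiry time rather than on the token being presented, it also removes tokens that are used only after they expired, which the in-request cleanup path alone would miss if the request never arrives.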