make sure we don't break something else

Signed-off-by: Marc 'risson' Schmitt <[email protected]>

authentik/core/models.py

@@ -805,7 +805,17 @@ def expire_action(self, *args, **kwargs):
     def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        return cls.objects.filter(expires__gte=now(), expiring=True).filter(**kwargs)
+        return cls.objects.filter(expires__gt=now(), expiring=True).filter(**kwargs)
+
+    @classmethod
+    def delete_expired(cls) -> int:
+        objects = (
+            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
+        )
+        amount = objects.count()
+        for obj in objects:
+            obj.expire_action()
+        return amount
 
     @property
     def is_expired(self) -> bool:

authentik/core/tasks.py

@@ -30,12 +30,7 @@ def clean_expired_models(self: SystemTask):
     messages = []
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
-        objects = (
-            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
-        )
-        amount = objects.count()
-        for obj in objects:
-            obj.expire_action()
+        amount = cls.delete_expired()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
     # Special case

authentik/stages/consent/stage.py

@@ -96,6 +96,8 @@ def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
             user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
 
+        # Remove expired consents to prevent database unique constraints errors
+        UserConsent.delete_expired()
         consent: UserConsent | None = UserConsent.filter_not_expired(
             user=user, application=application
         ).first()