
Automated cleanup of stale Lockout records

As a developer, I would like stale lockout records to be automatically cleared 
after a defined period 
so that the database does not grow indefinitely with obsolete lockout entries.

Background

Currently, the Lockout model retains all failed login attempts indefinitely unless a user successfully authenticates, in which case their record is removed. However, failed attempts that never match a valid account will accumulate over time, leading to unnecessary database growth.

To mitigate this, a scheduled/background task should be implemented to periodically remove Lockout records where lockout_until has expired.

Acceptance Criteria

  • A background task or management command is implemented to clear Lockout records where lockout_until is in the past.
  • Logs are generated for cleanup actions, including the number of records removed.
  • Configuration options allow specifying the retention period for stale lockouts.
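One way to meet these criteria, as an added example rather than the project's own code. It assumes a `lockout` table in SQLite, `lockout_until` stored as Unix seconds, and a retention period counted from the moment the lockout expired; the names `purge_stale_lockouts`, `build_sample_db` and `retention_seconds` are hypothetical.

```python
import logging
import sqlite3
import time

logger = logging.getLogger("lockout.cleanup")

def purge_stale_lockouts(conn, retention_seconds, now=None, batch_size=1000):
    """Delete rows whose lockout_until passed more than retention_seconds ago.

    Returns the number of rows removed. Deletes run in batches so a large
    backlog does not hold one long write lock.
    """
    # A negative retention would move the cutoff into the future and clear
    # lockouts that are still in force, so reject it instead of clamping.
    if retention_seconds < 0 or batch_size < 1:
        raise ValueError("retention_seconds must be >= 0 and batch_size >= 1")
    if now is None:
        now = int(time.time())
    cutoff = now - retention_seconds
    removed = 0
    while True:
        cur = conn.execute(
            "DELETE FROM lockout WHERE id IN ("
            "SELECT id FROM lockout WHERE lockout_until < ? LIMIT ?)",
            (cutoff, batch_size),
        )
        conn.commit()
        removed += cur.rowcount
        if cur.rowcount < batch_size:
            break
    logger.info("lockout cleanup: removed %d records with lockout_until < %d",
                removed, cutoff)
    return removed

def build_sample_db(now):
    """Constructed sample data: one active, one recent, two stale lockouts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lockout (id INTEGER PRIMARY KEY, "
                 "username TEXT, lockout_until INTEGER)")
    day = 86400
    conn.executemany(
        "INSERT INTO lockout (username, lockout_until) VALUES (?, ?)",
        [("alice", now + 600),                 # still locked out: must survive
         ("bob", now - 3600),                  # expired, inside a 7-day retention
         ("no-such-user-1", now - 8 * day),    # stale
         ("no-such-user-2", now - 30 * day)],  # stale
    )
    conn.commit()
    return conn
```

The cutoff comparison is strict, so a record is never removed while its lockout is still active, whatever retention value is configured.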