2 files changed, 19 insertions, 1 deletions

diff --git a/src/token/app.rs b/src/token/app.rs
index 332473d..4a08877 100644
--- a/src/token/app.rs
+++ b/src/token/app.rs
@@ -10,7 +10,7 @@ use super::{
     extract::Identity,
     repo::{self, Provider as _},
 };
-use crate::{clock::DateTime, db::NotFound as _, name};
+use crate::{clock::DateTime, db::NotFound as _, name, push::repo::Provider as _};
 
 pub struct Tokens {
     db: SqlitePool,
@@ -112,6 +112,7 @@ impl Tokens {
 
     pub async fn logout(&self, token: &Token) -> Result<(), ValidateError> {
         let mut tx = self.db.begin().await?;
+        tx.push().unsubscribe_token(token).await?;
         tx.tokens().revoke(token).await?;
         tx.commit().await?;
 
diff --git a/src/token/repo/token.rs b/src/token/repo/token.rs
index 52a3987..33c33af 100644
--- a/src/token/repo/token.rs
+++ b/src/token/repo/token.rs
@@ -89,6 +89,23 @@ impl Tokens<'_> {
     // Expire and delete all tokens that haven't been used more recently than
     // `expire_at`.
     pub async fn expire(&mut self, expire_at: &DateTime) -> Result<Vec<Id>, sqlx::Error> {
+        // This lives here, rather than in the `push` repository, to ensure that the criteria for
+        // stale tokens don't drift apart between the two queries. That would be a larger risk if
+        // the queries lived in very separate parts of the codebase.
+        sqlx::query!(
+            r#"
+                with stale_tokens as (
+                    select id from token
+                    where last_used_at < $1
+                )
+                delete from push_subscription
+                where token in stale_tokens
+            "#,
+            expire_at,
+        )
+        .execute(&mut *self.0)
+        .await?;
+
         let tokens = sqlx::query_scalar!(
             r#"
                 delete