From 6d6b53270d8c5f1b23a4efbbd73d0b1801d33922 Mon Sep 17 00:00:00 2001
From: Scott McKendry <me@scottmckendry.tech>
Date: Sun, 17 May 2026 18:42:07 +1200
Subject: [PATCH] token cleanup consistency

---
 internal/repository/memory/memory_test.go  | 12 +++---------
 internal/repository/memory/oidc_queries.go |  2 +-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/internal/repository/memory/memory_test.go b/internal/repository/memory/memory_test.go
index 59c802fb..16f20b13 100644
--- a/internal/repository/memory/memory_test.go
+++ b/internal/repository/memory/memory_test.go
@@ -402,16 +402,10 @@ func TestMemoryStore(t *testing.T) {
 		{
 			description: "Delete expired OIDC tokens",
 			run: func(t *testing.T, s repository.Store) {
-				// expired by TokenExpiresAt
+				// both expiries past
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub: "sub-1", AccessTokenHash: "at-1",
-					TokenExpiresAt: 10, RefreshTokenExpiresAt: 100,
-				})
-				require.NoError(t, err)
-				// expired by RefreshTokenExpiresAt
-				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub: "sub-2", AccessTokenHash: "at-2",
-					TokenExpiresAt: 100, RefreshTokenExpiresAt: 10,
+					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
 				})
 				require.NoError(t, err)
 				// valid
@@ -426,7 +420,7 @@ func TestMemoryStore(t *testing.T) {
 					RefreshTokenExpiresAt: 50,
 				})
 				require.NoError(t, err)
-				assert.Len(t, deleted, 2)
+				assert.Len(t, deleted, 1)
 
 				_, err = s.GetOidcToken(ctx, "at-3")
 				assert.NoError(t, err)
diff --git a/internal/repository/memory/oidc_queries.go b/internal/repository/memory/oidc_queries.go
index 80305fc0..d2798c3e 100644
--- a/internal/repository/memory/oidc_queries.go
+++ b/internal/repository/memory/oidc_queries.go
@@ -207,7 +207,7 @@ func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.Delete
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
-		if t.TokenExpiresAt < arg.TokenExpiresAt || t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
+		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}