Password expiry management in Couchbase collection

I am not sure if this a right place to ask but want see if anyone else had this use case before. I am storing my app users info in one of the collections ( such as name, id, encrypted password, create date, is_enabled, password expire date etc). I just want to see if there is any way to have a Couchbase job that runs every night, looks at password expire date for each user account, and if it’s past the date on that field, it changes the enabled field on that account from true to false

What you’re asking for sounds like a job for the Eventing service’s timers. This example:
may guide you to achieve what you’re after.

There isn’t a user job scheduler in the Query service.

Alternatively you could look to write a standard application that your server systems’ job scheduler could run (e.g. cronjob on Linux).


1 Like

Hi @kshetty1990

Let’s say you have a doc with a key: user:808780298

{  "name": "Ted Smith", 
   "id": 808780298, 
   "encrypted_password": "ugj%%ufg&*&Hk", 
   "create date": "2022-10-19T21:03:21.364Z",
   "is_enabled": true,
   "password_expire_date": "2022-12-19T21:03:21.364Z"

You can indeed use Eventing to create and manage a timer refer to the example: Function: Advanced Document Controlled Expiry | Couchbase Docs

Now there is another method that should also work without timers an Eventing function litens to a source keyspace and when the document saye user:808780298 mutates (update or delete) it takes an action.

  • OnUpdate you upsert a “shadow” document with a TTL set. Make the key of this shadow doc based on the primary document like shadow:808780298
  • OnDelete you also delete the “shadow” document with a TTL set. Make the key of this shadow doc based on the primary document like shadow:808780298

The Eventing function also sees the shadow:* docs when they mutate

  • OnDelete (in this case an expire) you might see shadow:808780298 create a string for the key user:808780298 and set “enabled”: false via a bucket accessor.


Jon Strabala
Principal Product Manager - Server‌

If you want keep two entity separate you can also do this.

WHERE is_enabled = true AND password_expire_date <= NOW_STR();

If you are just looking for a means to make the password unavailable after a certain date-time, you could set the expiration on the document.

Thank you all! I haven’t explored much around Eventing space and it sounds like that’s way to go in this case.
@mreiche I want to also be able to send off a notification based on is_enabled flag to user when it’s false

I just needed a clarification on this point. do we need a second shadow:808780298?
we already have shadow:808780298 created during OnUpdate with a TTL (which is equal to user:808780298.password_expire_date). We can just update the is_enabled flag of user:808780298 using Bucket accessor when shadow:808780298 expires?

Yes, the OnDelete handler will receive a mutation you can tell it it is a true delete or an expiry.

function OnDelete(meta,options) {
    if (options.expired) {
        log("Document expired",;
    } else {
        log("Document deleted",;

So your shadow document shadow:808780298 expiresyou take (which is the key) and build up a string user:808780298 by looking a as follows:

    var shadow_key =;
    var user_key = shadow_key.replace('shadow', 'user');
    var usr_doc = src_keyspace_alias[user_key];
    usr_doc.is_enabled = false;
    src_keyspace_alias[user_key] = usr_doc;


Jon Strabala
Principal Product Manager - Server‌

Thanks! Is there a way I could trigger an email without any custom methods/scripts once the doc is updated ?
usr_doc.is_enabled = false;
src_keyspace_alias[user_key] = usr_doc;

Follow Up …

Triggering Email form Eventing does require some scripting and then perhaps a retry if your target mailer is down. Refer to Couchbase Eventing Handling Errors and Retries - The Couchbase Blog ignore the name it is all about high pewrfomance reliable email from Eventing.


Jon Strabala
Principal Product Manager - Server‌