
feat(auth): implement token revocation and purge mechanism#106

Merged
allisson merged 1 commit into main from revoke-auth-token on Mar 5, 2026

Conversation

@allisson (Owner) commented Mar 5, 2026

Adds support for individual and client-wide authentication token revocation with state management and audit logging. Includes a new CLI command for database maintenance.

API Changes:

  • DELETE /v1/token: Allows a client to revoke its current bearer token.
  • DELETE /v1/clients/:id/tokens: Allows an administrator (with delete capability) to revoke all tokens for a specific client.

Logic & Persistence:

  • Updated internal/auth/usecase interfaces (ClientUseCase, TokenUseCase) to include revocation and purge methods.
  • Added 'revoked_at' column and performance indexes (idx_tokens_expires_at, idx_tokens_revoked_at) to 'tokens' table in PostgreSQL and MySQL.
  • Implemented transaction-aware revocation and purge logic in repository layer.
  • Updated authentication middleware to reject revoked tokens.
  • Added HMAC-signed audit logs for all revocation events.

CLI:

  • Added 'purge-auth-tokens' command to permanently delete expired or revoked tokens older than a specified number of days (default 30).

Testing & Quality:

  • Added comprehensive unit tests for usecases and HTTP handlers using official mocks.
  • Refactored usecase tests to resolve import cycles.
  • Updated integration tests to verify end-to-end revocation flows on both databases.
  • Ensured 100% compliance with 'make lint' and 'make test-all'.

Documentation:

  • Updated CLI reference (docs/cli-commands.md).
  • Updated OpenAPI specification (docs/openapi.yaml).
  • Updated Policy Cookbook (docs/auth/policies.md) with revocation personas and examples.
  • Synchronized project definition (conductor/product.md).
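Added example, not the project's own code, sketching in Go the three mechanisms the description lists: the middleware-side check that rejects a token once `revoked_at` is set, the purge selection behind a retention window like the command's 30-day default, and an HMAC-SHA256 audit line with its verifier. The type and function names (`Token`, `Usable`, `PurgeEligible`, `AuditLine`, `SignAudit`, `VerifyAudit`) and the audit line format are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"time"
)

// Token mirrors the columns the PR describes: an expiry plus a nullable revoked_at.
type Token struct {
	ID, ClientID string
	ExpiresAt    time.Time
	RevokedAt    *time.Time // nil until revoked
}

// Usable is the middleware check: reject once expired or once revoked_at is set.
func (t Token) Usable(now time.Time) bool {
	return t.RevokedAt == nil && now.Before(t.ExpiresAt)
}

// PurgeEligible returns the IDs a purge run would delete: tokens expired or revoked
// for longer than the retention window. Recently revoked tokens stay visible.
func PurgeEligible(tokens []Token, now time.Time, retentionDays int) []string {
	cutoff := now.AddDate(0, 0, -retentionDays)
	var ids []string
	for _, t := range tokens {
		if t.ExpiresAt.Before(cutoff) || (t.RevokedAt != nil && t.RevokedAt.Before(cutoff)) {
			ids = append(ids, t.ID)
		}
	}
	return ids
}

// AuditLine formats a revocation event as an append-only audit log would store it (assumed format).
func AuditLine(event, tokenID, clientID string, at time.Time) string {
	return fmt.Sprintf("%s token=%s client=%s at=%s", event, tokenID, clientID, at.UTC().Format(time.RFC3339))
}

// SignAudit tags one line with HMAC-SHA256 under a server-side key so later edits are detectable.
func SignAudit(key []byte, line string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(line))
	return mac.Sum(nil)
}

// VerifyAudit recomputes the tag and compares it in constant time.
func VerifyAudit(key []byte, line string, tag []byte) bool {
	return hmac.Equal(SignAudit(key, line), tag)
}
```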

@allisson allisson merged commit d0b208b into main Mar 5, 2026
3 checks passed
@allisson allisson deleted the revoke-auth-token branch March 5, 2026 19:57