Add revokeTokens route to Security Controller

[Yoann-Abbes]

What does this PR do ?

Add a revokeTokens route to the security controller, with tests and documentation page.

This route allows an administrator to revoke all of a user's tokens.

https://jira.kaliop.net/browse/KZL-507

How should this be manually tested?

unit/functional tests

[Aschen]

I'm thinking that we could both have revoke all tokens and revoke one token with this route.
User could provide an array of token that need to be revoked to revoke specific token.
If no array if provided, this route revoke all user tokens.

Also maybe this route could be useful in the auth controller to I think, so currently logued users can revoke their tokens

[scottinet]

@Aschen That would mean that an administrator would know what tokens to revoke beforehand and that does not sound practical to me. How do you propose to make that work? 🤔

[Aschen]

@Aschen That would mean that an administrator would know what tokens to revoke beforehand and that does not sound practical to me. How do you propose to make that work? thinking

I just thinking about and you're right, we would need a security:listToken before

[scottinet]

@Aschen I'm absolutely and completely against any addition to the API allowing tokens to be leaked to the outside.

[scottinet]

@Aschen > check out JIRA KZL-509, I described how we could let users manage their sessions, without ever leaking tokens. I think this is the way to go, and it would be easy to add API routes in the security controller to allow an administrator to manage another user's sessions.

[codecov]

Codecov Report

Merging #1374 into 1-dev will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##            1-dev    #1374      +/-   ##
==========================================
+ Coverage   93.88%   93.88%   +<.01%     
==========================================
  Files         106      106              
  Lines        7291     7298       +7     
==========================================
+ Hits         6845     6852       +7     
  Misses        446      446

Impacted Files	Coverage Δ
lib/config/httpRoutes.js	100% <ø> (ø)	⬆️
lib/api/controllers/securityController.js	98.34% <100%> (+0.03%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ff651b3...2797a9a. Read the comment docs.

[codecov]

Codecov Report

Merging #1374 into 1-dev will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##            1-dev    #1374      +/-   ##
==========================================
+ Coverage   93.92%   93.93%   +<.01%     
==========================================
  Files         106      106              
  Lines        7330     7337       +7     
==========================================
+ Hits         6885     6892       +7     
  Misses        445      445

Impacted Files	Coverage Δ
lib/config/httpRoutes.js	100% <ø> (ø)	⬆️
lib/api/controllers/securityController.js	98.38% <100%> (+0.03%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3a69c80...ce5da7f. Read the comment docs.

[Aschen]

@Aschen > check out JIRA KZL-509, I described how we could let users manage their sessions, without ever leaking tokens. I think this is the way to go, and it would be easy to add API routes in the security controller to allow an administrator to manage another user's sessions.

Yes you're right, I have been thinking about it and it's not possible to have this kind of route.
Eventually the route could list token by another identifier but we would need to add metadata (like ip adress) to allow users to identify legitimate sessions.

And what do you think about a auth:revokeTokens to allow currently logged user to revoke his token ?

[Aschen]

I'm blocking this PR as long as #1333 is not merged so this code can use the errorManager

[Aschen]

The documentation indicate that this route return null but here you return the result of deleteByUserId