Add revokeTokens route to Security Controller #1374
Conversation
I'm thinking that we could have both "revoke all tokens" and "revoke one token" with this route. Also, maybe this route could be useful in the auth controller too, I think, so currently logged-in users can revoke their tokens.
@Aschen That would mean that an administrator would know beforehand which tokens to revoke, and that does not sound practical to me. How do you propose to make that work? 🤔
I was just thinking about it, and you're right: we would need a
@Aschen I'm absolutely and completely against any addition to the API allowing tokens to be leaked to the outside.
@Aschen Check out JIRA KZL-509, where I described how we could let users manage their sessions without ever leaking tokens. I think this is the way to go, and it would be easy to add API routes in the security controller to allow an administrator to manage another user's sessions.
Codecov Report
@@ Coverage Diff @@
## 1-dev #1374 +/- ##
==========================================
+ Coverage 93.88% 93.88% +<.01%
==========================================
Files 106 106
Lines 7291 7298 +7
==========================================
+ Hits 6845 6852 +7
Misses 446 446
Yes, you're right. I have been thinking about it, and it's not possible to have this kind of route. And what do you think about a
Co-Authored-By: Adrien Maret <amaret93@gmail.com>
…kuzzle into KZL-507-add-revokeTokens-route
I'm blocking this PR as long as #1333 is not merged so this code can use the errorManager
if (!user) { | ||
errorsManager.throw('user_not_found', userId); | ||
} | ||
return this.kuzzle.repositories.token.deleteByUserId(userId); |
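Review bot: the action returns whatever `this.kuzzle.repositories.token.deleteByUserId(userId)` resolves to, while the route's documentation says it returns null; either await the deletion and then `return null`, or document the real return value so the response does not expose the repository's internal result to the caller. One naming point to confirm as well: the blocking comment refers to the `errorManager` from #1333, whereas this hunk calls `errorsManager.throw('user_not_found', userId)`, so check that the identifier matches what #1333 actually introduces before this is unblocked.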
The documentation indicates that this route returns null, but here you return the result of deleteByUserId.
Adds a revokeTokens route to the security controller, with tests and documentation page
What does this PR do ?
Add a revokeTokens route to the security controller, with tests and documentation page. This route allows an administrator to revoke all of a user's tokens.
https://jira.kaliop.net/browse/KZL-507
How should this be manually tested?
unit/functional tests