feat: entpoint to delete login session by session id

consent/handler.go

@@ -70,7 +70,8 @@ func (h *Handler) SetRoutes(admin *x.RouterAdmin) {
 	admin.PUT(ConsentPath+"/accept", h.AcceptConsentRequest)
 	admin.PUT(ConsentPath+"/reject", h.RejectConsentRequest)
 
-	admin.DELETE(SessionsPath+"/login", h.DeleteLoginSession)
+	admin.DELETE(SessionsPath+"/login/:id", h.DeleteLoginSession)
+	admin.DELETE(SessionsPath+"/login", h.DeleteSubjectLoginSession)
 	admin.GET(SessionsPath+"/consent", h.GetConsentSessions)
 	admin.DELETE(SessionsPath+"/consent", h.DeleteConsentSession)
 
@@ -189,6 +190,38 @@ func (h *Handler) GetConsentSessions(w http.ResponseWriter, r *http.Request, ps
 	h.r.Writer().Write(w, r, a)
 }
 
+// swagger:route DELETE /oauth2/auth/sessions/login/{id} admin revokeAuthenticationSession
+//
+// Invalidates an Authentication Session
+//
+// This endpoint invalidates an authentication session by session id. After revoking the authentication session, the subject
+// has to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect
+// Front- or Back-channel logout.
+//
+//
+//     Consumes:
+//     - application/json
+//
+//     Produces:
+//     - application/json
+//
+//     Schemes: http, https
+//
+//     Responses:
+//       204: emptyResponse
+//       400: jsonError
+//       500: jsonError
+func (h *Handler) DeleteLoginSession(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+	var loginSessionId = ps.ByName("id")
+
+	if err := h.r.ConsentManager().DeleteLoginSession(r.Context(), loginSessionId); err != nil && !errors.Is(err, x.ErrNotFound) {
+		h.r.Writer().WriteError(w, r, err)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
 // swagger:route DELETE /oauth2/auth/sessions/login admin revokeAuthenticationSession
 //
 // Invalidates All Login Sessions of a Certain User
@@ -211,7 +244,7 @@ func (h *Handler) GetConsentSessions(w http.ResponseWriter, r *http.Request, ps
 //       204: emptyResponse
 //       400: jsonError
 //       500: jsonError
-func (h *Handler) DeleteLoginSession(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+func (h *Handler) DeleteSubjectLoginSession(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	subject := r.URL.Query().Get("subject")
 	if subject == "" {
 		h.r.Writer().WriteError(w, r, errorsx.WithStack(fosite.ErrInvalidRequest.WithHint(`Query parameter 'subject' is not defined but should have been.`)))

consent/handler_test.go

@@ -27,6 +27,11 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
+
+	"github.com/pborman/uuid"
+
+	"github.com/ory/x/sqlxx"
 
 	"github.com/ory/hydra/x"
 
@@ -213,3 +218,32 @@ func TestGetConsentRequest(t *testing.T) {
 		})
 	}
 }
+
+func TestDeleteLoginSession(t *testing.T) {
+	conf := internal.NewConfigurationWithDefaults()
+	reg := internal.NewRegistryMemory(t, conf)
+	loginSessionId := uuid.NewUUID().String()
+	require.NoError(t, reg.ConsentManager().CreateLoginSession(context.Background(), &LoginSession{
+		ID:              loginSessionId,
+		AuthenticatedAt: sqlxx.NullTime(time.Now().Round(time.Second).UTC()),
+		Subject:         fmt.Sprintf("subject-%s", loginSessionId),
+		Remember:        true,
+	}))
+	h := NewHandler(reg, conf)
+	r := x.NewRouterAdmin()
+	h.SetRoutes(r)
+	ts := httptest.NewServer(r)
+	defer ts.Close()
+	_, err := reg.ConsentManager().GetRememberedLoginSession(context.Background(), loginSessionId)
+	require.NoError(t, err)
+	c := &http.Client{}
+
+	req, err := http.NewRequest("DELETE", ts.URL+SessionsPath+"/login/"+loginSessionId, nil)
+
+	require.NoError(t, err)
+	resp, err := c.Do(req)
+	require.NoError(t, err)
+	require.EqualValues(t, http.StatusNoContent, resp.StatusCode)
+	_, err = reg.ConsentManager().GetRememberedLoginSession(context.Background(), loginSessionId)
+	require.EqualError(t, err, x.ErrNotFound.Error())
+}

spec/api.json

@@ -1518,6 +1518,52 @@
         }
       }
     },
+    "/oauth2/auth/sessions/login/{id}": {
+      "delete": {
+        "description": "This endpoint invalidates an authentication session by session id. After revoking the authentication session, the subject\nhas to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect\nFront- or Back-channel logout.",
+        "consumes": [
+          "application/json"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "schemes": [
+          "http",
+          "https"
+        ],
+        "tags": [
+          "admin"
+        ],
+        "summary": "Invalidates an Authentication Session",
+        "operationId": "revokeAuthenticationSessionById",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "The id of the login session",
+            "name": "id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is\ntypically 201."
+          },
+          "400": {
+            "description": "jsonError",
+            "schema": {
+              "$ref": "#/definitions/jsonError"
+            }
+          },
+          "500": {
+            "description": "jsonError",
+            "schema": {
+              "$ref": "#/definitions/jsonError"
+            }
+          }
+        }
+      }
+    },
     "/oauth2/auth/sessions/login": {
       "delete": {
         "description": "This endpoint invalidates a subject's authentication session. After revoking the authentication session, the subject\nhas to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect\nFront- or Back-channel logout.",
@@ -3465,4 +3511,4 @@
   },
   "x-forwarded-proto": "string",
   "x-request-id": "string"
-}
+}