feat(backend): change DELETE /auth/tokens to invalidate *all* tokens

2023-03-30 16:05:10 +02:00 · 2023-03-30 16:05:10 +02:00 · abc78f3a9a
commit abc78f3a9a
parent 92243d58ac
2 changed files with 16 additions and 22 deletions
--- a/backend/routes/auth/routes.go
+++ b/backend/routes/auth/routes.go
@ -104,7 +104,7 @@ func Mount(srv *server.Server, r chi.Router) {
 		// tokens
 		r.With(server.MustAuth).Get("/tokens", server.WrapHandler(s.getTokens))
 		r.With(server.MustAuth).Post("/tokens", server.WrapHandler(s.createToken))
-		r.With(server.MustAuth).Delete("/tokens/{id}", server.WrapHandler(s.deleteToken))
+		r.With(server.MustAuth).Delete("/tokens", server.WrapHandler(s.deleteToken))

 		// cancel user delete
 		// uses a special token, so handled in the function itself
--- a/backend/routes/auth/tokens.go
+++ b/backend/routes/auth/tokens.go
@ -7,9 +7,7 @@ import (
 	"codeberg.org/u1f320/pronouns.cc/backend/db"
 	"codeberg.org/u1f320/pronouns.cc/backend/server"
 	"emperror.dev/errors"
-	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
-	"github.com/jackc/pgx/v4"
 	"github.com/rs/xid"
 )

@ -45,35 +43,31 @@ func (s *Server) getTokens(w http.ResponseWriter, r *http.Request) error {
 	return nil
 }

-type deleteTokenResponse struct {
-	TokenID     xid.ID    `json:"id"`
-	Invalidated bool      `json:"invalidated"`
-	Created     time.Time `json:"time"`
-}
-
 func (s *Server) deleteToken(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)

-	tokenID, err := xid.FromString(chi.URLParam(r, "id"))
-	if err != nil {
-		return server.APIError{Code: server.ErrBadRequest}
+	if !claims.TokenWrite || claims.APIToken {
+		return server.APIError{Code: server.ErrInvalidToken}
 	}

-	t, err := s.DB.InvalidateToken(ctx, claims.UserID, tokenID)
+	tx, err := s.DB.Begin(ctx)
 	if err != nil {
-		if errors.Cause(err) == pgx.ErrNoRows {
-			return server.APIError{Code: server.ErrNotFound}
-		}
+		return errors.Wrap(err, "beginning transaction")
+	}
+	defer tx.Rollback(ctx)

-		return errors.Wrap(err, "invalidating token")
+	err = s.DB.InvalidateAllTokens(ctx, tx, claims.UserID)
+	if err != nil {
+		return errors.Wrap(err, "invalidating tokens")
 	}

-	render.JSON(w, r, deleteTokenResponse{
-		TokenID:     t.TokenID,
-		Invalidated: t.Invalidated,
-		Created:     t.Created,
-	})
+	err = tx.Commit(ctx)
+	if err != nil {
+		return errors.Wrap(err, "committing transaction")
+	}
+
+	render.NoContent(w, r)
 	return nil
 }