
Fixes #37936 - Invalidate jwt for any user or users(API) #10397

Open
wants to merge 1 commit into base: develop

Conversation


@girijaasoni girijaasoni commented Dec 4, 2024

Link to UI PR: #10357

@girijaasoni girijaasoni changed the title from "Fixes #37936 - As a user, I want to invalidate jwt for specific user(…" to "Fixes #37936 - Invalidate jwt for any user or users(API)" on Dec 4, 2024
end
end

api :DELETE, '/users/:id/registration_tokens', N_("Invalidate all JSON Web Tokens (JWTs) for a specific user.")
Member

Suggested change
api :DELETE, '/users/:id/registration_tokens', N_("Invalidate all JSON Web Tokens (JWTs) for a specific user.")
api :DELETE, '/users/:id/registration_tokens', N_("Invalidate all registration tokens for a specific user.")


class Api::V2::RegistrationTokensControllerTest < ActionController::TestCase
test 'user shall invalidate tokens for self' do
user = User.create :login => "foo", :mail => "[email protected]", :auth_source => auth_sources(:one)
Member

You can use FactoryBot.create(:user) here.

class Api::V2::RegistrationTokensControllerTest < ActionController::TestCase
test 'user shall invalidate tokens for self' do
user = User.create :login => "foo", :mail => "[email protected]", :auth_source => auth_sources(:one)
FactoryBot.build(:jwt_secret, token: 'test_jwt_secret', user: user)
Member

You probably want to create the token as part of the user creation, and use the create method - to make sure the token is saved before the action.

end

def find_resource(permission = :view_users)
editing_self? ? User.find(User.current.id) : User.authorized(permission).except_hidden.find(params[:id])
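Review bot: `find_resource` defaults `permission` to `:view_users`, a read permission, while the action it serves deletes a user's tokens; make sure the controller passes an edit-level permission explicitly (the tests elsewhere in this PR grant `edit` on `users`) rather than relying on the default. Note also that the `editing_self?` branch bypasses `except_hidden`, so whatever is decided about hidden accounts applies only to the `params[:id]` branch.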
Member

@ekohl what do you think, should we block changes to hidden accounts here?

Comment on lines +30 to +37
test 'invalidating jwt should fail without search params' do
setup_user 'edit', 'users'
user = users(:two)
FactoryBot.create(:jwt_secret, token: 'test_jwt_secret', user: user)
delete :invalidate_tokens
user.reload
assert_response :error
end
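Review bot: `assert_response :error` in Rails matches 5xx statuses only, so this test would also pass if the missing `search` parameter simply crashed the action; a missing required parameter is a client error, so assert the 4xx status (or the exact error message) the API is meant to return. `user.reload` is also unused here: either follow it with an assertion that the user's jwt_secret still exists after the rejected call, or drop it.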
Contributor

We expect an exception to be raised in this case, correct? If so, the test should be updated to reflect that.

Contributor Author

I think using assert_response :error is the way to handle that. Do you have any specific assertion in mind?

Contributor

You can check if an exception was raised.

Member

You can inspect the response, that the error text is correct.

@nofaralfasi
Contributor

@girijaasoni In the UI PR, we used the term JWT token for the phrasing. Why are we referring to it as a registration token here? Wouldn't that create confusion?

@girijaasoni
Contributor Author

girijaasoni commented Dec 19, 2024

@girijaasoni In the UI PR, we used the term JWT token for the phrasing. Why are we referring to it as a registration token here? Wouldn't that create confusion?

@nofaralfasi, we can handle that in the documentation. Registration tokens make more sense from the user POV (especially from the API POV), as we are creating a new controller. For the UI, we are trying to use the existing controller, where jwt is used as the phrasing.

end

api :DELETE, "/registration_tokens", N_("Invalidate all JSON Web Tokens (JWTs) for multiple users.")
param :search, String, :required => true
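Review bot: the description on the `api :DELETE, "/registration_tokens"` line still says "JSON Web Tokens (JWTs)" while the suggested change for the per-user endpoint renames it to "registration tokens"; keep the two descriptions consistent. Since `:search` is `:required => true` but its syntax is not documented, add a `desc` to the param stating that it is a scoped-search expression over users (the example given in this thread is `id ^ (1,2,3)`) so API consumers do not have to read this thread to find it.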
Contributor

@girijaasoni could you please share an example for this query? What should the search param contain?

Contributor Author

curl --user test-user1:changeme -X DELETE http://localhost:3000/api/registration_tokens/remove_multiple?search=id%20%5E%20%281%2C2%2C3%29 -H 'Content-Type: application/json'

This is the command I'm using for the scoped search query id ^ ( 5 , 2, 3); you will need to URL-encode the search param, as curl does not accept brackets and operators.
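As an added example (not Foreman's code and not part of this PR), the following plain-Ruby model shows the behaviour discussed in this thread end to end: per-user invalidation by deleting the user's JWT secret, multi-user invalidation that rejects a missing search parameter as a client error, the `id ^ (1, 2, 3)` scoped-search form from the curl command, skipping hidden accounts (one possible answer to the hidden-accounts question above, treated here as an assumption), and the percent-encoding the search value needs on the command line. `TokenStore`, `invalidate_multiple`, `encode_search` and `sample_store` are hypothetical names, and the users and tokens are constructed sample data.

```ruby
require 'erb'

# Constructed, Rails-free stand-ins for Foreman's User and JwtSecret records (not Foreman code).
User      = Struct.new(:id, :login, :hidden)
JwtSecret = Struct.new(:user_id, :token)

class TokenStore
  attr_reader :users, :secrets

  def initialize(users, secrets)
    @users   = users
    @secrets = secrets
  end

  # A JWT can only be verified while the per-user secret it was signed with still
  # exists, so deleting that secret is what invalidates every token of that user.
  def token_valid?(token)
    @secrets.any? { |s| s.token == token }
  end

  # DELETE /users/:id/registration_tokens: invalidate all tokens of one user.
  # Returns the number of secrets removed (0 if the user had none).
  def invalidate_for_user(user_id)
    before = @secrets.size
    @secrets.reject! { |s| s.user_id == user_id }
    before - @secrets.size
  end

  # DELETE /registration_tokens?search=...: invalidate tokens of every user matched
  # by the search. The parameter is required; a blank value is rejected as a
  # client error instead of silently matching every user.
  def invalidate_multiple(search)
    raise ArgumentError, 'search parameter is required' if search.nil? || search.strip.empty?

    ids = parse_id_list(search)
    # Assumption: hidden accounts are excluded, mirroring the except_hidden scope.
    targets = @users.reject(&:hidden).select { |u| ids.include?(u.id) }
    targets.sum { |u| invalidate_for_user(u.id) }
  end

  private

  # Accepts only the scoped-search form used in the thread: id ^ (1, 2, 3)
  def parse_id_list(search)
    m = search.match(/\Aid\s*\^\s*\(([\d\s,]+)\)\z/)
    raise ArgumentError, "unsupported search: #{search.inspect}" unless m

    m[1].split(',').map { |x| Integer(x.strip) }
  end
end

# curl will not send brackets and operators raw in the query string, so the search
# value is percent-encoded; this reproduces the encoding used in the curl command.
def encode_search(search)
  ERB::Util.url_encode(search)
end

# Constructed sample data: two visible users and one hidden account, each with a token.
def sample_store
  TokenStore.new(
    [User.new(1, 'alice', false), User.new(2, 'bob', false), User.new(3, 'hidden-svc', true)],
    [JwtSecret.new(1, 'tok-alice'), JwtSecret.new(2, 'tok-bob'), JwtSecret.new(3, 'tok-hidden')]
  )
end

if $PROGRAM_NAME == __FILE__
  store = sample_store
  puts "removed #{store.invalidate_for_user(1)} secret(s) for user 1"
  puts "tok-alice valid? #{store.token_valid?('tok-alice')}"
  puts "removed #{store.invalidate_multiple('id ^ (1, 2, 3)')} secret(s) via search"
  puts "encoded search: #{encode_search('id ^ (1,2,3)')}"
  begin
    store.invalidate_multiple('')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the script on the sample data removes alice's secret, then the search `id ^ (1, 2, 3)` removes only bob's (alice's is already gone and the hidden account is skipped), and `encode_search` yields the same `id%20%5E%20%281%2C2%2C3%29` value as the curl command in this thread.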
