Fixes #37936 - Invalidate jwt for any user or users(API) #10397
base: develop
Conversation
```ruby
end
end

api :DELETE, '/users/:id/registration_tokens', N_("Invalidate all JSON Web Tokens (JWTs) for a specific user.")
```
Suggested change:

```ruby
api :DELETE, '/users/:id/registration_tokens', N_("Invalidate all registration tokens for a specific user.")
```
28cdc1b to 85928e7
```ruby
class Api::V2::RegistrationTokensControllerTest < ActionController::TestCase
  test 'user shall invalidate tokens for self' do
    user = User.create :login => "foo", :mail => "[email protected]", :auth_source => auth_sources(:one)
```
You can use `FactoryBot.create(:user)` here.
```ruby
class Api::V2::RegistrationTokensControllerTest < ActionController::TestCase
  test 'user shall invalidate tokens for self' do
    user = User.create :login => "foo", :mail => "[email protected]", :auth_source => auth_sources(:one)
    FactoryBot.build(:jwt_secret, token: 'test_jwt_secret', user: user)
```
You probably want to create the token as part of the user creation, and use the `create` method, to make sure the token is saved before the action.
```ruby
end

def find_resource(permission = :view_users)
  editing_self? ? User.find(User.current.id) : User.authorized(permission).except_hidden.find(params[:id])
```
@ekohl what do you think, should we block changes to hidden accounts here?
```ruby
test 'invalidating jwt should fail without search params' do
  setup_user 'edit', 'users'
  user = users(:two)
  FactoryBot.create(:jwt_secret, token: 'test_jwt_secret', user: user)
  delete :invalidate_tokens
  user.reload
  assert_response :error
end
```
We expect an exception to be raised in this case, correct? If so, the test should be updated to reflect that.
I think using `assert_response :error` is the way to handle that; do you have any specific assertion in mind?
You can check if an exception was raised.
You can inspect the response to check that the error text is correct.

@girijaasoni In the UI PR, we used the term

@nofaralfasi, we can handle that in the documentation. Registration tokens make more sense from the user POV (especially from the API POV), as we are creating a new controller. For the UI, we are trying to use the existing controller, where JWT is used as the phrasing.
```ruby
end

api :DELETE, "/registration_tokens", N_("Invalidate all JSON Web Tokens (JWTs) for multiple users.")
param :search, String, :required => true
```
@girijaasoni could you please share an example for this query? What should the `search` param contain?
```shell
curl --user test-user1:changeme -X DELETE http://localhost:3000/api/registration_tokens/remove_multiple?search=id%20%5E%20%281%2C2%2C3%29 -H 'Content-Type: application/json'
```

This is the command I'm using for the scoped search query `id ^ ( 5 , 2, 3)`. You will need to URL-encode the search params, as curl does not accept brackets and operators.
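An added example (not code from this PR or from Foreman) that builds the percent-encoded scoped-search query and the authenticated DELETE request the curl command above sends. It assumes the dev server at localhost:3000 and the test-user1 credentials from the thread, and takes the paths from the apipie declarations in the diff (`/api/users/:id/registration_tokens` and `/api/registration_tokens?search=...`); the curl above uses `/api/registration_tokens/remove_multiple`, so adjust the path to the final routes. The request is only constructed, not sent.

```python
import base64
import urllib.parse
import urllib.request

# Assumed: a Foreman dev server; API paths follow the apipie declarations in this PR.
BASE_URL = "http://localhost:3000"


def scoped_search_for_ids(user_ids):
    """Build the scoped-search expression 'id ^ (1,2,3)' for an explicit list of user ids.

    Ids are coerced to int so no search operator can sneak in through the list, and an
    empty list is rejected: the bulk endpoint invalidates every token of every matching
    user, so a loose or empty search would hit far more accounts than intended.
    """
    if not user_ids:
        raise ValueError("refusing to build an empty search")
    return "id ^ ({})".format(",".join(str(int(i)) for i in user_ids))


def encoded_search_param(search):
    # curl sends the URL as given, so '^', '(', ')' and ',' must be percent-encoded here;
    # safe="" makes quote() encode everything except unreserved characters.
    return urllib.parse.quote(search, safe="")


def bulk_invalidate_url(user_ids, base_url=BASE_URL):
    """DELETE /api/registration_tokens?search=... invalidates tokens for several users at once."""
    return f"{base_url}/api/registration_tokens?search={encoded_search_param(scoped_search_for_ids(user_ids))}"


def user_invalidate_url(user_id, base_url=BASE_URL):
    """DELETE /api/users/:id/registration_tokens invalidates tokens for one user."""
    return f"{base_url}/api/users/{int(user_id)}/registration_tokens"


def basic_auth_header(username, password):
    # Equivalent of curl's --user flag: HTTP Basic credentials in the Authorization header.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def build_delete_request(url, username, password):
    """Construct (but do not send) the request; hand it to urllib.request.urlopen to execute it."""
    headers = {"Authorization": basic_auth_header(username, password),
               "Content-Type": "application/json"}
    return urllib.request.Request(url, method="DELETE", headers=headers)


if __name__ == "__main__":
    req = build_delete_request(bulk_invalidate_url([1, 2, 3]), "test-user1", "changeme")
    print(req.get_method(), req.full_url)  # DELETE http://localhost:3000/api/registration_tokens?search=id%20%5E%20%281%2C2%2C3%29
```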
Link to UI PR: #10357