Add support for revoking Feed Tokens to Group Token Revocation Endpoint
Feed Tokens could leak. This issue is to add support for revocation to the `Groups::AgnosticTokenRevocationService`.
https://docs.gitlab.com/ee/user/profile/contributions_calendar.html#reset-the-user-activity-feed-token
% curl -XPOST --header "PRIVATE-TOKEN: OWNER_PAT" https://gdk.test:3443/api/v4/groups/ID/tokens/revoke -H "Content-Type: application/json" --data '{"token":"FEED_TOKEN"}'
{"id":22,"username":"nm","name":"Nick Malcolm"}
- The feed token must NOT be a path-dependent feed token (https://docs.gitlab.com/ee/security/token_overview.html#feed-token)
- The caller must be an Owner of the affected group.
- The new token should not be returned in the API response (they can use the dedicated reset API if they want that: https://docs.gitlab.com/ee/user/profile/contributions_calendar.html#reset-the-user-activity-feed-token)
Solution Design
- A feed token belongs to a user; it's not a standalone model, so we can't return it in quite the same way. The `UserSafe` presenter seems like an OK fit?
- A feed token can't be revoked, only rotated. So I guess we rotate it but don't return the value.
- A feed token can also be path dependent. I don't think we can support rotating these at the moment :/
- To validate the token you need to know the path for which it was generated. The token format is `PREFIX-#{hash(path, token)}-USERID`.
- If we just looked at user ID, someone could rotate an arbitrary user's feed token without actually knowing the token.
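As an added example (not code from the issue or from GitLab), a Ruby sketch of the rule the bullets above describe: a plain feed token is matched against the stored values and rotated without the new value being returned, while a path-dependent token is refused because its hash binds it to a path the group endpoint doesn't know. `PREFIX`, the in-memory `USERS` table and the use of SHA-256 are assumptions modelled on the `PREFIX-#{hash(path, token)}-USERID` format.

```ruby
require "digest"
require "openssl"
require "securerandom"

PREFIX = "glft-" # assumption: the PREFIX from the token format in the issue

# Constructed in-memory stand-in for the users table (id 22 as in the curl example).
USERS = {
  22 => { id: 22, username: "nm", feed_token: PREFIX + "0123456789abcdef0123" }
}

# Path-dependent form, modelled on PREFIX-#{hash(path, token)}-USERID (assumption: SHA-256).
def path_dependent_token(path, user)
  "#{PREFIX}#{Digest::SHA256.hexdigest(path + user[:feed_token])}-#{user[:id]}"
end

# Shape of a path-dependent token: prefix, 64 hex chars, "-", user id.
PATH_DEPENDENT_RE = /\A#{Regexp.escape(PREFIX)}\h{64}-\d+\z/

# Handles a token submitted to the group revocation endpoint.
# Returns [status, payload]; the rotated token value is never part of the payload.
def revoke_feed_token(token, caller_is_owner:)
  return [:forbidden, nil] unless caller_is_owner

  if PATH_DEPENDENT_RE.match?(token)
    # The hash binds the token to a path we don't know, so the trailing user id
    # alone would let anyone rotate that user's token without possessing it.
    return [:unsupported_path_dependent, nil]
  end

  # Constant-time comparison against each stored token; no lookup by user id.
  user = USERS.values.find { |u| OpenSSL.secure_compare(u[:feed_token], token) }
  return [:not_found, nil] unless user

  user[:feed_token] = PREFIX + SecureRandom.hex(10) # rotate in place
  [:revoked, { id: user[:id], username: user[:username] }]
end

if $PROGRAM_NAME == __FILE__
  p revoke_feed_token(path_dependent_token("/nm.atom", USERS[22]), caller_is_owner: true)
  p revoke_feed_token(USERS[22][:feed_token], caller_is_owner: true)
end
```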