
plugins/mod_tokenauth.lua @ 13246:2e04d54fb013

mod_tokenauth: Fix revoking a single token without revoking whole grant This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:54:49 +0200
parent 13209:c8d949cf6b09
child 13271:56c1d2498d66
--- a/plugins/mod_tokenauth.lua	Sat Jul 22 16:31:05 2023 +0200
+++ b/plugins/mod_tokenauth.lua	Sun Jul 23 02:54:49 2023 +0200
@@ -265,19 +265,33 @@
 end
 
 function revoke_token(token)
-	local token_id, token_user, token_host = parse_token(token);
-	if not token_id then
+	local grant_id, token_user, token_host, token_secret = parse_token(token);
+	if not grant_id then
 		module:log("warn", "Failed to verify access token: %s", token_user);
 		return nil, "invalid-token-format";
 	end
 	if token_host ~= module.host then
 		return nil, "invalid-host";
 	end
-	local ok, err = token_store:set_key(token_user, token_id, nil);
+	local grant, err = _get_validated_grant_info(token_user, grant_id);
+	if not grant then return grant, err; end
+	local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
+	local token_info = grant.tokens[secret_hash];
+	if not grant or not token_info then
+		return nil, "item-not-found";
+	end
+	grant.tokens[secret_hash] = nil;
+	local ok, err = token_store:set_key(token_user, grant_id, grant);
 	if not ok then
 		return nil, err;
 	end
-	module:fire_event("token-grant-revoked", { id = token_id, username = token_user, host = token_host });
+	module:fire_event("token-revoked", {
+		grant_id = grant_id;
+		grant = grant;
+		info = token_info;
+		username = token_user;
+		host = token_host;
+	});
 	return true;
 end
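Review bot: The `not grant` half of `if not grant or not token_info then` (the line after the `grant.tokens[secret_hash]` lookup) is dead, because `if not grant then return grant, err; end` already returned a few lines earlier; it can be reduced to `if not token_info then`. The second `local ok, err = token_store:set_key(...)` redeclares `err` from the `_get_validated_grant_info` line in the same scope, which luacheck reports as shadowing; `local ok, store_err = token_store:set_key(token_user, grant_id, grant);` with `return nil, store_err;` keeps the two failure paths distinct. Revoking the last token leaves the grant stored with an empty `tokens` table; if a grant with no remaining tokens serves no further purpose, the entry could be cleared when `next(grant.tokens) == nil`, though whether other code (the grant-revocation path or event handlers, not visible in this hunk) relies on the record surviving cannot be told from here.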