Allow tokens to delete themselves (#165)

OpenShock · Mar 9, 2025 · e083e12 · e083e12
1 parent 486f061
commit e083e12
Show file tree

Hide file tree

Showing 4 changed files with 83 additions and 30 deletions.
diff --git a/API/Controller/Tokens/TokenController.cs b/API/Controller/Tokens/TokenController.cs
@@ -1,14 +1,8 @@
 using System.ComponentModel.DataAnnotations;
-using System.Net;
 using System.Net.Mime;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using OpenShock.API.Models.Response;
-using OpenShock.API.Utils;
-using OpenShock.Common;
-using OpenShock.Common.Authentication;
-using OpenShock.Common.Authentication.Attributes;
 using OpenShock.Common.Constants;
 using OpenShock.Common.Errors;
 using OpenShock.Common.Models;
@@ -72,30 +66,6 @@ public async Task<IActionResult> GetTokenById([FromRoute] Guid tokenId)
         return Ok(apiToken);
     }
 
-    /// <summary>
-    /// Revoke a token from the current user
-    /// </summary>
-    /// <param name="tokenId"></param>
-    /// <response code="200">Successfully deleted token</response>
-    /// <response code="404">The token does not exist or you do not have access to it.</response>
-    [HttpDelete("{tokenId}")]
-    [ProducesResponseType(StatusCodes.Status200OK)]
-    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound, MediaTypeNames.Application.ProblemJson)] // ApiTokenNotFound    
-    public async Task<IActionResult> DeleteToken([FromRoute] Guid tokenId)
-    {
-        var apiToken = await _db.ApiTokens
-            .Where(x => x.Id == tokenId)
-            .WhereIsUserOrPrivileged(x => x.User, CurrentUser)
-            .ExecuteDeleteAsync();
-
-        if (apiToken <= 0)
-        {
-            return Problem(ApiTokenError.ApiTokenNotFound);
-        }
-
-        return Ok();
-    }
-
     /// <summary>
     /// Create a new token
     /// </summary>

diff --git a/API/Controller/Tokens/TokenDeleteController.cs b/API/Controller/Tokens/TokenDeleteController.cs
@@ -0,0 +1,70 @@
+using System.Net.Mime;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using OpenShock.Common;
+using OpenShock.Common.Authentication;
+using OpenShock.Common.Authentication.ControllerBase;
+using OpenShock.Common.Errors;
+using OpenShock.Common.OpenShockDb;
+using OpenShock.Common.Problems;
+using OpenShock.Common.Utils;
+
+namespace OpenShock.API.Controller.Tokens;
+
+[ApiController]
+[Route("/{version:apiVersion}/tokens")]
+[Authorize(AuthenticationSchemes = OpenShockAuthSchemas.UserSessionApiTokenCombo)]
+public sealed class TokenDeleteController : AuthenticatedSessionControllerBase
+{
+    private readonly OpenShockContext _db;
+    private readonly ILogger<TokensController> _logger;
+
+    public TokenDeleteController(OpenShockContext db, ILogger<TokensController> logger)
+    {
+        _db = db;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Revoke a token
+    /// </summary>
+    /// <param name="tokenId"></param>
+    /// <response code="200">Successfully deleted token</response>
+    /// <response code="404">The token does not exist or you do not have access to it.</response>
+    [HttpDelete("{tokenId}")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status404NotFound,
+        MediaTypeNames.Application.ProblemJson)] // ApiTokenNotFound    
+    public async Task<IActionResult> DeleteToken([FromRoute] Guid tokenId)
+    {
+        var auth = HttpContext.GetAuthenticationMethod();
+
+        var query = _db.ApiTokens.Where(x => x.Id == tokenId);
+
+
+        switch (auth)
+        {
+            case OpenShockAuthSchemas.UserSessionCookie:
+                query = query.WhereIsUserOrPrivileged(x => x.User, CurrentUser);
+                break;
+            case OpenShockAuthSchemas.ApiToken:
+            {
+                var requestTokenId = Guid.Parse(HttpContext.User.Claims.First(x => x.Type == OpenShockAuthClaims.ApiTokenId).Value);
+                if (requestTokenId != tokenId) return Problem(ApiTokenError.ApiTokenCanOnlyDelete);
+                break;
+            }
+            default:
+                throw new Exception("Unknown auth method");
+        }
+
+        var apiToken = await query.ExecuteDeleteAsync();
+
+        if (apiToken <= 0)
+        {
+            return Problem(ApiTokenError.ApiTokenNotFound);
+        }
+
+        return Ok();
+    }
+}
diff --git a/Common/Errors/ApiTokenError.cs b/Common/Errors/ApiTokenError.cs
@@ -6,4 +6,5 @@ namespace OpenShock.Common.Errors;
 public static class ApiTokenError
 {
     public static OpenShockProblem ApiTokenNotFound => new("ApiToken.NotFound", "Api token not found", HttpStatusCode.NotFound);
+    public static OpenShockProblem ApiTokenCanOnlyDelete => new("ApiToken.CanOnlyDelete own", "You can only delete your own api token in token authentication scope", HttpStatusCode.Forbidden);
 }
diff --git a/Common/Utils/AuthUtils.cs b/Common/Utils/AuthUtils.cs
@@ -1,5 +1,6 @@
 using OpenShock.Common.Constants;
 using System.Diagnostics.CodeAnalysis;
+using System.Security.Claims;
 
 namespace OpenShock.Common.Utils;
 
@@ -89,4 +90,15 @@ public static bool TryGetDeviceTokenFromHeader(this HttpContext context, [NotNul
         return false;
     }
 
+    public static string GetAuthenticationMethod(this HttpContext context)
+    {
+        var authMethodClaim = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.AuthenticationMethod);
+        if (authMethodClaim == null)
+        {
+            throw new Exception("No authentication method claim found, this should not happen and is a bug!");
+        }
+
+        return authMethodClaim.Value;
+    }
+
 }