Conversation
@printminion-co printminion-co commented Apr 16, 2025

Summary

Adds an app route that lets an admin invalidate (similar to wipe) the user tokens of a target user.
After the call is made, all of the target user's tokens are removed. That means the user will be logged out from all sessions (browser, apps) without wiping data on the devices that were used.

```bash
# usage example
curl -s -X POST "$NEXTCLOUD_URL/ocs/v2.php/cloud/users/${testUserId}/invalidate?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT"
```

Test

  • create a user
  • add 3 clients to the user
  • log in as the user in a new incognito browser session to NC
  • check the current token count
  • make the invalidate API call (as admin user)
  • Observe
    • User is logged out in the incognito browser window
    • User has no app tokens in the list
    • Observe user is logged out from all devices.
    • Observe data on devices was not wiped.

You can use the following script:

```bash
./test_token_invalidation_api.sh
```

test_token_invalidation_api.sh:
```bash
#!/usr/bin/env bash

# This script tests the creation, authentication, and invalidation of user tokens
# in a Nextcloud instance via its OCS API. It performs the following steps:
# 1. Verifies admin credentials and API access.
# 2. Checks if a test user exists, creates the user if not present.
# 3. Generates three authentication tokens for the test user.
# 4. Prompts the user to manually verify tokens in the browser.
# 5. Invalidates all authentication tokens for the test user via the API.
# 6. Prompts the user to verify that the test user is logged out from all devices.

# Abort on use of an unset variable (a mistyped credential variable would
# otherwise silently send an empty password).
set -u

ADMIN_USERNAME="admin"
ADMIN_PASSWORD="admin"
USER_AGENT="HiDrive Next Test Client"

NEXTCLOUD_URL="http://localhost:8080"

# username to be tested on
testUserId="foo"
testUserPass="foo"

echo "[i] Testing user '${ADMIN_USERNAME}' credentials on API..."
response=$(curl -s -X GET "$NEXTCLOUD_URL/ocs/v2.php/cloud/user?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '$ADMIN_USERNAME' is logged on successfully."
else
	echo "[w] User '$ADMIN_USERNAME' does not exist or API request failed."
	echo "[w] Response: "
	echo "$response" | jq .
	exit 1
fi

echo "[i] Testing user '${testUserId}' existence..."
isUserExists=false
response=$(curl -s -X GET "$NEXTCLOUD_URL/ocs/v1.php/cloud/users/${testUserId}?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '${testUserId}' exists."
	isUserExists=true
else
	echo "[i] User '${testUserId}' does not exist."
fi

if [ "$isUserExists" = false ]; then
	echo "[i] Creating user '${testUserId}'..."
	response=$(curl -s -X POST "$NEXTCLOUD_URL/ocs/v1.php/cloud/users?format=json" \
		-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
		-H "OCS-APIRequest: true" \
		-H "User-Agent: $USER_AGENT" \
		-d "userid=${testUserId}&password=${testUserPass}")

	if echo "$response" | grep -q '"status":"ok"'; then
		echo "[i] User '${testUserId}' created successfully."
	else
		# Without the user the remaining steps cannot be meaningful, so stop here.
		echo "[e] Failed to create user '${testUserId}'."
		echo "[e] Response: "
		echo "$response" | jq .
		exit 1
	fi
fi

echo "[i] Creating 3 auth-tokens for user '${testUserId}'..."
for i in {1..3}; do
	# Each call to getapppassword issues a new app password (token) for the user.
	response=$(curl -s "$NEXTCLOUD_URL/ocs/v2.php/core/getapppassword?format=json" \
		-u "${testUserId}:${testUserPass}" \
		-H "OCS-APIRequest: true" \
		-H "User-Agent: $USER_AGENT")

	if echo "$response" | grep -q '"status":"ok"'; then
		echo "[i] Token ${i} created successfully."
	else
		echo "[e] Failed to create token ${i}."
		echo "[e] Response: "
		echo "$response" | jq .
	fi
done

echo "[!] Open browser at ${NEXTCLOUD_URL} and login as '${testUserId}' with password '${testUserPass}'..."
echo "[!] Check tokens $NEXTCLOUD_URL/index.php/settings/user/security"
read -r -p "[?] Press any key to continue... " -n1 -s
echo

echo "[i] Invalidating user '${testUserId}' auth-tokens via API call..."
response=$(curl -s -X POST "$NEXTCLOUD_URL/ocs/v2.php/cloud/users/${testUserId}/invalidate?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '${testUserId}' token invalidation is successful."
	echo "[i] Response: "
	echo "$response" | jq .
else
	echo "[e] Failed to invalidate user '${testUserId}' tokens."
	echo "[e] Response: "
	echo "$response" | jq .
	exit 1
fi

echo "[!] Reload browser and check if you are logged out."
echo "[!] User has no app tokens in the list"
echo "[!] Observe user is logged out from all devices."
echo "[!] Observe data on devices was *not* wiped."
```

Unit tests

```bash
phpunit --configuration tests/phpunit-autotest-user-invalidate.xml
```

tests/phpunit-autotest-user-invalidate.xml (only the file and directory paths of the configuration survived extraction):

```
./lib/User/SessionTest.php
./lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
./Core/Controller/ClientFlowLoginV2ControllerTest.php
./Core/Service/LoginFlowV2ServiceUnitTest.php
./Core/Controller/AppPasswordControllerTest.php
./Core/Controller/ClientFlowLoginControllerTest.php
./Core/Controller/WipeControllerTest.php
./Core/Controller/UserControllerTest.php
./lib/Authentication/Token/RemoteWipeTest.php
./lib/Authentication/Token/InvalidatorTest.php
../core/*
../lib/private/*
../**/
../3rdparty/**/*
../apps/**/*
../apps-custom/**/*
../apps-external/**
../apps-custom/**
../build
../IONOS/**/*
../lib/composer
../vendor/**/*
../tests
```

```bash
phpunit --configuration tests/phpunit-autotest-external-provisioning_api.xml
```

tests/phpunit-autotest-user-invalidate.xml (only the paths survived extraction):

```
../apps/provisioning_api/tests
../lib/private/Files/Storage/DAV.php
../apps/provisioning_api
../apps/provisioning_api/l10n
../apps/provisioning_api/3rdparty
../apps/provisioning_api/tests
```

Checklist
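The manual test above checks only that the invalidate call returns `"status":"ok"`; it does not prove that a token issued before the call is actually rejected afterwards, which is the property an admin relies on when locking a user out. The following Python script is an added example (not code from this pull request or from Nextcloud) that makes that check explicit: it probes a read-only OCS endpoint with an app password, calls the invalidate route as admin, and probes again, reporting the invalidation as effective only if the token worked before and is refused after. It assumes the route the PR adds, `POST /ocs/v2.php/cloud/users/{userid}/invalidate`, and the standard OCS v2 JSON envelope; `FakeNextcloud`, its error messages and all credentials are constructed so the check runs offline, while `urllib_transport` is the transport to pass against a real instance.

```python
"""Check that admin-side token invalidation actually takes effect.

Added example; not code from the pull request or from Nextcloud. Assumes the
route POST /ocs/v2.php/cloud/users/{userid}/invalidate and the OCS v2 envelope
{"ocs": {"meta": {"status", "statuscode", ...}}}. FakeNextcloud is a constructed
stand-in so the check runs offline.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, bytes]  # (HTTP status, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def ocs_headers(user: str, password: str, user_agent: str = "token-check") -> Dict[str, str]:
    """Headers the OCS API expects: Basic auth plus the OCS-APIRequest marker."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}", "OCS-APIRequest": "true",
            "User-Agent": user_agent, "Accept": "application/json"}


def ocs_meta(body: bytes) -> Tuple[Optional[str], Optional[int]]:
    """(status, statuscode) from an OCS envelope, or (None, None) if the body is not one."""
    try:
        meta = json.loads(body)["ocs"]["meta"]
        return meta["status"], int(meta["statuscode"])
    except (ValueError, KeyError, TypeError):
        return None, None


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     data: Optional[bytes] = None) -> Response:
    """Real transport for use against a live instance (HTTP errors are returned, not raised)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def invalidate_user_tokens(base_url: str, admin: str, admin_pw: str, target: str,
                           send: Transport = urllib_transport) -> Tuple[bool, str]:
    """POST the invalidate route as admin; True only on HTTP 200 with OCS status ok."""
    url = f"{base_url}/ocs/v2.php/cloud/users/{target}/invalidate?format=json"
    http_status, body = send("POST", url, ocs_headers(admin, admin_pw), None)
    status, code = ocs_meta(body)
    ok = http_status == 200 and status == "ok" and code == 200
    return ok, f"HTTP {http_status}, OCS {status}/{code}"


def token_still_authenticates(base_url: str, user: str, app_password: str,
                              send: Transport = urllib_transport) -> bool:
    """Probe a read-only endpoint with the app password; True if it is still accepted."""
    url = f"{base_url}/ocs/v2.php/cloud/user?format=json"
    http_status, body = send("GET", url, ocs_headers(user, app_password), None)
    return http_status == 200 and ocs_meta(body)[0] == "ok"


def verify_invalidation(base_url: str, admin: str, admin_pw: str, target: str,
                        app_password: str, send: Transport = urllib_transport) -> Dict[str, object]:
    """A token that worked before the call must be rejected after it."""
    before = token_still_authenticates(base_url, target, app_password, send)
    ok, detail = invalidate_user_tokens(base_url, admin, admin_pw, target, send)
    after = token_still_authenticates(base_url, target, app_password, send)
    return {"token_valid_before": before, "invalidate_ok": ok, "detail": detail,
            "token_valid_after": after, "effective": before and ok and not after}


def _envelope(status: str, code: int, message: str) -> bytes:
    return json.dumps({"ocs": {"meta": {"status": status, "statuscode": code,
                                        "message": message}, "data": []}}).encode()


class FakeNextcloud:
    """Constructed in-memory server: one admin account plus per-user app passwords."""

    def __init__(self, admin: Tuple[str, str], app_passwords: Dict[str, set]):
        self.admin = admin
        self.app_passwords = {u: set(p) for u, p in app_passwords.items()}

    def _auth_user(self, headers: Dict[str, str]) -> Optional[str]:
        raw = headers.get("Authorization", "")
        if not raw.startswith("Basic "):
            return None
        user, _, pw = base64.b64decode(raw[6:]).decode().partition(":")
        if (user, pw) == self.admin or pw in self.app_passwords.get(user, set()):
            return user
        return None

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 data: Optional[bytes] = None) -> Response:
        user = self._auth_user(headers)
        if user is None:
            return 401, _envelope("failure", 997, "not authenticated")  # constructed message
        path = url.split("?", 1)[0]
        if method == "POST" and path.endswith("/invalidate"):
            if user != self.admin[0]:
                return 403, _envelope("failure", 403, "admin required")
            target = path.rsplit("/", 2)[-2]
            if target not in self.app_passwords:
                return 404, _envelope("failure", 404, "user not found")
            self.app_passwords[target].clear()  # revoke every token of the target user
            return 200, _envelope("ok", 200, "OK")
        if method == "GET" and path.endswith("/cloud/user"):
            return 200, _envelope("ok", 200, "OK")
        return 404, _envelope("failure", 404, "not found")


if __name__ == "__main__":
    fake = FakeNextcloud(("admin", "admin-pw"), {"foo": {"app-pw-1", "app-pw-2"}})
    print(verify_invalidation("http://nc.example", "admin", "admin-pw", "foo", "app-pw-1", send=fake))
```

Against a live instance, keep one of the app passwords returned by `getapppassword` in the manual test and pass it as `app_password` with the default `urllib_transport`; a result with `token_valid_after` still `True` means the route reported success without the token store actually being cleared, which is the failure mode worth catching before shipping the endpoint.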

@printminion-co printminion-co force-pushed the mk/dev/add_rest_for_app_token_invalidation branch 2 times, most recently from 048c508 to f7e6f02 Compare April 16, 2025 15:19
@printminion-co printminion-co changed the title Mk/dev/add rest for app token invalidation add user token invalidation rest api Apr 16, 2025
@printminion-co printminion-co force-pushed the mk/dev/add_rest_for_app_token_invalidation branch 4 times, most recently from cb07f18 to 8040de3 Compare April 17, 2025 08:59
@printminion-co printminion-co force-pushed the mk/dev/add_rest_for_app_token_invalidation branch from 8040de3 to 64c8cd1 Compare April 17, 2025 09:28
@printminion-co printminion-co marked this pull request as ready for review April 17, 2025 12:17