Feature/6222 - Endpoint /api/v1/users/sign_out revokes access token and refresh token on request

[xihai01]

What github issue is this PR for, if any?

Resolves #6222

What changed, and why?

Added /api/v1/users/sign_out endpoint so both the access and refresh tokens for that user is cleared from the api_credentials table and set to nil.

• Added request and model specs for the sign out route
• Generated and updated swagger file
• Added helper function to api credential model to clear tokens
• Added sign out to routes and session controller
• Added seed data for populating tokens in api credential table in dev environment

Why?: for added security - tokens should be removed from api_credentials table because user is no longer signed in.

How is this tested? (please write tests!) 💖💪

Token Destroyer Helper Function tests (2 in total) → spec/models/api_credential_spec.rb
Sign Out Request Test for 200 and 401 Response Cases → spec/requests/api/v1/users/sessions_spec.rb

Screenshots please :)

Testing sign out with postman on localhost

Steps:
First we sign in to fetch the refresh token
Lastly we sign out and pass in refresh token in the request authorization header

Feelings gif (optional)

[compwron]

👀

[7riumph]

Er, is this regenerating a refresh token a 2nd time?

[xihai01]

I think when you create the api credential table for the first time, the token digest fields are nil - at least in dev environment and so that is why I created the seed file to populate them.

I also need the plain text refresh token to be passed in the authorization header for the sign out.

[7riumph]

Looks good so far, as mentioned on the issues acceptance criteria and in our discussions. Still need to...

1. Add the sign_in route to routes.rb ( session#destroy )
2. Add a destroy function to the sessions_controller.rb using the revocation function(s) helper you made
3. Address comments, test route with whatever you'd like to use though my preference is curl, then should lgtm 😎

[7riumph]

Consider how we are structuring the response from the iOS app. If we're using the header, it's the access token or "api_token" that would go there, while the refresh token is in the body.

You'll need both in order to check whose tokens to revoke or set to nil on sign_out.

[7riumph]

api_credential = ApiCredential searches user based on only one token, instead do.

 user_credentials = ApiCredential.find_by(
    api_token_digest: Digest::SHA256.hexdigest(access_token),
    refresh_token_digest: Digest::SHA256.hexdigest(refresh_token)
  )
  
if user_credentials
  user_credentials.revoke_api_token
  user_credentials.revoke_refresh_token
  render json: {message: "Signed out successfully."}, status: 200
else
  ...

[xihai01]

I'm not sure if we should use the api_token for checking because it expires every 7 hours. Using the refresh token is more reliable because it has a longer lifespan. If we want an additional check, we can pass along the user id in the request body as well.
So we would have something like .find_by(user_id, refresh_token_digest). Let me know what you think.

[7riumph]

I see, traditionally though, it's the access token/our api_token that goes in the header on every response. Having it expire frequently is the point.

This goes beyond just sign-out and will reflect the shape of our responses from the client past sign-in for every request so should scope this.

But if we're going to sign the user out based on just one token value it should be the access token because that value is valid for less time/more secure.

[xihai01]

Ah I see. That makes sense now.
Then let's put the access token in the header and use that for sign out.

[7riumph]

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here

Implementing it should remove any confusion.

[xihai01]

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here

Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

[7riumph]

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.

Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

[xihai01]

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.

Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

ok I got it. I can work on this issue. Let me know if you havn't already and I will create an issue for it.

[7riumph]

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.
Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

ok I got it. I can work on this issue. Let me know if you havn't already and I will create an issue for it.

Thanks, all good, here's the issue for end-to-end implementation.