From d2cfe2fed7649721c6d3832da86f06f69e6cb97c Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 23 Jul 2023 02:54:49 +0200
Subject: mod_tokenauth: Fix revoking a single token without revoking whole grant

This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
---
 plugins/mod_tokenauth.lua | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
(limited to 'plugins/mod_tokenauth.lua')
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 89b2a81e..cf34b48c 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -265,19 +265,33 @@ function get_token_session(token, resource)
 end
 
 function revoke_token(token)
- local token_id, token_user, token_host = parse_token(token);
- if not token_id then
+ local grant_id, token_user, token_host, token_secret = parse_token(token);
+ if not grant_id then
 module:log("warn", "Failed to verify access token: %s", token_user);
 return nil, "invalid-token-format";
 end
 if token_host ~= module.host then
 return nil, "invalid-host";
 end
- local ok, err = token_store:set_key(token_user, token_id, nil);
+ local grant, err = _get_validated_grant_info(token_user, grant_id);
+ if not grant then return grant, err; end
+ local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
+ local token_info = grant.tokens[secret_hash];
+ if not grant or not token_info then
+ return nil, "item-not-found";
+ end
+ grant.tokens[secret_hash] = nil;
+ local ok, err = token_store:set_key(token_user, grant_id, grant);
 if not ok then
 return nil, err;
 end
- module:fire_event("token-grant-revoked", { id = token_id, username = token_user, host = token_host });
+ module:fire_event("token-revoked", {
+ grant_id = grant_id;
+ grant = grant;
+ info = token_info;
+ username = token_user;
+ host = token_host;
+ });
 return true;
 end
 
-- cgit v1.2.3
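Review bot: In the new `item-not-found` guard, `if not grant or not token_info then` re-tests `grant` even though the preceding line already returned whenever `_get_validated_grant_info` yielded nil, so the `not grant` half is dead code, and the following `local ok, err = token_store:set_key(...)` declares a second `err` that shadows the one introduced by `local grant, err`, which luacheck will flag. Suggest `if not token_info then return nil, "item-not-found"; end` and reusing the existing variable with `local ok; ok, err = token_store:set_key(token_user, grant_id, grant);`. Once the last token is removed, the grant record is written back with an empty `tokens` table rather than deleted, so unless `_get_validated_grant_info` or another path prunes empty grants (not visible in this hunk), revoked grants accumulate in `token_store`; a comment such as `-- grant is kept even when tokens is empty; pruning happens elsewhere` (or a `next(grant.tokens) == nil` check that drops it) would make the intent explicit. The fired event also changes from `token-grant-revoked` to `token-revoked` with a different payload, so any handler keyed on the old name no longer observes single-token revocations — presumably intended now that the grant survives, but it deserves a line in the commit message. Finally, `hashes.sha256(token_secret, true)` assumes `parse_token` returns a non-nil fourth value whenever `grant_id` is non-nil; if that is not guaranteed, a malformed token would raise here instead of returning `invalid-token-format`.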