OAuth2: Add ability to revoke all tokens
This commit is contained in:
parent
e0553d0a50
commit
8b03ca6c63
@ -18,8 +18,8 @@ import urllib.parse as urlparse
|
||||
from typing import Optional
|
||||
from urllib.parse import urlencode
|
||||
|
||||
from flask import Blueprint, render_template, redirect, url_for, request, jsonify, abort, make_response
|
||||
from flask_babel import lazy_gettext
|
||||
from flask import Blueprint, render_template, redirect, url_for, request, jsonify, abort, make_response, flash
|
||||
from flask_babel import lazy_gettext, gettext
|
||||
from flask_login import current_user, login_required
|
||||
from flask_wtf import FlaskForm
|
||||
from wtforms import StringField, SubmitField, URLField
|
||||
@ -178,6 +178,8 @@ def create_edit_client(username, id_=None):
|
||||
client = None
|
||||
if id_ is not None:
|
||||
client = OAuthClient.query.get_or_404(id_)
|
||||
if client.owner != user:
|
||||
abort(403)
|
||||
|
||||
form = OAuthClientForm(formdata=request.form, obj=client)
|
||||
if form.validate_on_submit():
|
||||
@ -223,3 +225,28 @@ def delete_client(username, id_):
|
||||
db.session.commit()
|
||||
|
||||
return redirect(url_for("oauth.list_clients", username=username))
|
||||
|
||||
|
||||
@bp.route("/users/<username>/apps/<id_>/revoke-all/", methods=["POST"])
|
||||
@login_required
|
||||
def revoke_all(username, id_):
|
||||
user = User.query.filter_by(username=username).first_or_404()
|
||||
if not user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
|
||||
abort(403)
|
||||
|
||||
client = OAuthClient.query.get(id_)
|
||||
if client is None:
|
||||
abort(404)
|
||||
elif client.owner != user:
|
||||
abort(403)
|
||||
|
||||
add_audit_log(AuditSeverity.NORMAL, current_user,
|
||||
f"Revoked all user tokens for OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
|
||||
url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
|
||||
|
||||
client.tokens = []
|
||||
db.session.commit()
|
||||
|
||||
flash(gettext("Revoked all user tokens"), "success")
|
||||
|
||||
return redirect(url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
|
||||
|
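Review bot: `client.tokens = []` in revoke_all only detaches the token rows from the client through the ORM; unless the relationship is declared with delete-orphan cascade, which this hunk does not show, the rows survive with their client reference cleared, and a token that is still looked up by its own value could remain usable after the "revocation". Deleting the rows explicitly through the token model's query, filtered by this client's id, before `db.session.commit()` makes the revocation independent of how the relationship is configured and is worth a comment stating that intent. A smaller consistency point: `create_edit_client` in the hunk above resolves the client with `OAuthClient.query.get_or_404(id_)`, while revoke_all hand-rolls `get` plus `abort(404)`; `client = OAuthClient.query.get_or_404(id_)` followed by the owner check would match the sibling. The tail of delete_client at the top of this hunk starts outside the hunk.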
@ -21,11 +21,15 @@
|
||||
<h1 class="mt-0">{{ self.title() }}</h1>
|
||||
|
||||
{% if client %}
|
||||
<form class="card my-5" method="POST" action="{{ url_for("oauth.revoke_all", username=client.owner.username, id_=client.id) }}">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
|
||||
<div class="card-body d-flex flex-row align-items-center">
|
||||
<p class="col my-0">{{ _("Your application has %(count)d users", count=client.tokens.count()) }}</p>
|
||||
<input type="submit" class="btn btn-danger col-auto" value="{{ _('Revoke all user tokens') }}">
|
||||
</div>
|
||||
</form>
|
||||
<div class="card my-5">
|
||||
<div class="card-body">
|
||||
<p>
|
||||
{{ _("Your client has %(count)d users", count=client.tokens.count()) }}
|
||||
</p>
|
||||
<div class="form-group mb-3">
|
||||
<label class="form-label" for="client_id">client_id</label>
|
||||
<input class="form-control" type="text" id="client_id" name="client_id" value="{{ client.id }}" readonly>
|
||||
|
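Review bot: The new form's message `Your application has %(count)d users` is fed `client.tokens.count()`, which is the number of token rows rather than of distinct users; if one user can hold more than one token for the same client, which this hunk cannot settle, the figure overstates the user count, so either count distinct user ids on the token query or word the label in terms of tokens. The submit button triggers an irreversible revocation in a single click; consider a confirmation prompt on it, e.g. `onclick="return confirm('{{ _('Revoke all user tokens?') }}')"`, in line with how other destructive actions in the project are handled. The CSRF hidden field and POST-only route are in place, which is the right shape for this action.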