1. 技术文章
  2. How to logout (ie, revoke, delete, or invalidate the tokens) for a user on an Aqueduct server?

How to logout (ie, revoke, delete, or invalidate the tokens) for a user on an Aqueduct server?

ぃ、小莉子 提交于 2020-05-11 01:51:17

问题


I know how to implement a route to register a user and also how to trade user credentials in for an access token. These are both covered in the official tutorial.

How do you invalidate the access token (and refresh token) for a registered user. This is necessary both for logging out and for limiting damage if a user's account is compromised.

I see there is a method

authServer.revokeAllGrantsForResourceOwner(identifier)

but I am still working on how to get the identifier from the user since the client app knows the username but not the user id in the server database. It would be nice to just pass in the current token and have the server cancel all the tokens for that user.


回答1:


If you want to revoke all tokens given a token, grab the user ID from the authorization token and run a delete query for that user's tokens:

class TokenManagerController extends ResourceController {
  @Operation.delete()
  Future<Response> deleteTokens() async {
    final userId = request.authorization.ownerID;

    final query = Query<ManagedAuthToken>(context)
      ..where((token) => token.resourceOwner).identifiedBy(userId);
    final count = await query.delete();

    return Response.ok({"userId": userId, "tokensDeleted": count});
  }
}

And make sure you link an authorizer:

router.route("/tokens")
      .link(() => Authorizer.bearer(authServer))
      .link(() => TokenManagerController(context));

FWIW, I recommend having a scope specifically for this action that is only granted for this scenario through an additional login. The UX is that the user has to enter their password again.

If you just want to delete one token, just run a delete query where access_token = the token in the authorization header.

class LogoutController extends ResourceController {
  @Operation.delete()
  Future<Response> deleteTokens(@Bind.header('authorization') String authHeader) async {

    final parser = AuthorizationBearerParser();
    final userToken = parser.parse(authHeader);

    final query = Query<ManagedAuthToken>(context)
      ..where((token) => token.accessToken).equalTo(userToken);
    final count = await query.delete();

    final userId = request.authorization.ownerID;
    return Response.ok({"userId": userId, "tokensDeleted": count});
  }
}


来源:https://stackoverflow.com/questions/56247509/how-to-logout-ie-revoke-delete-or-invalidate-the-tokens-for-a-user-on-an-aq

标签
dart
aqueduct
dart-server
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!