chore: Revoke Long-Lived Tokens when a User is Deactivated

determined-ai · Oct 3, 2024 · e27e580 · e27e580
1 parent 784e69d
commit e27e580
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/master/internal/user/postgres_users.go b/master/internal/user/postgres_users.go
@@ -131,6 +131,13 @@ func Update(
 				Where("id = ?", updated.ID).Exec(ctx); err != nil {
 				return fmt.Errorf("error setting active status of %q: %s", updated.Username, err)
 			}
+			// Revoke all access tokens of a user when it is deactivated.
+			if !updated.Active {
+				err := revokeUserAccessTokens(ctx, tx, updated.ID)
+				if err != nil {
+					return fmt.Errorf("error revoking active access token of %q: %s", updated.Username, err)
+				}
+			}
 		}
 
 		if slices.Contains(toUpdate, "password_hash") {
@@ -155,6 +162,19 @@ func Update(
 	})
 }
 
+// Revoke all access tokens of a user when it is deactivated.
+func revokeUserAccessTokens(ctx context.Context, tx bun.Tx, userID model.UserID) error {
+	_, err := tx.NewUpdate().
+		Table("user_sessions").
+		Set("revoked = ?", true).
+		Where("user_id = ?", userID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // SetActive changes multiple users' activation status.
 func SetActive(
 	ctx context.Context,