feat(provisioning-api): Add endpoint to invalidate user tokens

[printminion-co]

Summary

Introduce a core API endpoint for external user management systems to invalidate user tokens.
This action removes all tokens of the target user, effectively logging them out from all sessions (browser, apps) without wiping data on their devices.

# usage example
curl -s -X DELETE "$NEXTCLOUD_URL/ocs/v2.php/cloud/users/${testUserId}/sessions?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT"

Test

• create user
• add 3 clients to the user
• log with user via new incognito browser session to NC
• check current token count
• make invalidate API call (as admin user)
• Observe
  • User is logged out in incognito browser window
  • User has no app tokens in the list
  • Observe user is logged out from all devices.
  • Observe data on devices was not wiped."

You can use following script

./test_token_invalidation_api.sh

test_token_invalidation_api.sh

#!/usr/bin/env bash

# This script tests the creation, authentication, and invalidation of user tokens
# in a Nextcloud instance via its OCS API. It performs the following steps:
# 1. Verifies admin credentials and API access.
# 2. Checks if a test user exists, creates the user if not present.
# 3. Generates three authentication tokens for the test user.
# 4. Prompts the user to manually verify tokens in the browser.
# 5. Invalidates all authentication tokens for the test user via the API.
# 6. Prompts the user to verify that the test user is logged out from all devices.


ADMIN_USERNAME="admin"
ADMIN_PASSWORD="admin"
USER_AGENT="HiDrive Next Test Client"

NEXTCLOUD_URL="http://localhost:8080"

# username to be tested on
testUserId="foo"
testUserPass="foo"

echo "[i] Testing user 'admin' credentials on API..."
response=$(curl -s -X GET "$NEXTCLOUD_URL/ocs/v2.php/cloud/user?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '$ADMIN_USERNAME' is logged on successfully."
else
	echo "[w] User '$ADMIN_USERNAME' does not exist or API request failed."
	echo "[w] Response: "
	echo "$response" | jq
	exit 1
fi

echo "[i] Testing user '${testUserId}' existence..."
isUserExists=false
response=$(curl -s -X GET "$NEXTCLOUD_URL/ocs/v1.php/cloud/users/${testUserId}?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '${testUserId}' exists."
	isUserExists=true
else
	echo "[i] User '${testUserId}' does not exist."
fi

if [ "$isUserExists" = false ]; then
	echo "[i] Creating user '${testUserId}'..."
	response=$(curl -s -X POST "$NEXTCLOUD_URL/ocs/v1.php/cloud/users?format=json" \
		-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
		-H "OCS-APIRequest: true" \
		-H "User-Agent: $USER_AGENT" \
		-d "userid=${testUserId}&password=${testUserPass}")

	if echo "$response" | grep -q '"status":"ok"'; then
		echo "[i] User '${testUserId}' created successfully."
	else
		echo "[e] Failed to create user '${testUserId}'."
		echo "[e] Response: "
		echo "$response" | jq
	fi
fi

echo "[i] Creating user '${testUserId}' 3 auth-tokens..."
for i in {1..3}; do
	response=$(curl -s "$NEXTCLOUD_URL/ocs/v2.php/core/getapppassword?format=json" \
		-u "${testUserId}:${testUserPass}" \
		-H "OCS-APIRequest: true" \
		-H "User-Agent: $USER_AGENT")

	if echo "$response" | grep -q '"status":"ok"'; then
		echo "[i] Token ${i} created successfully."
	else
		echo "[e] Failed to create token ${i}."
		echo "[e] Response: "
		echo "$response" | jq
	fi
done

echo "[!] Open browser at ${NEXTCLOUD_URL} and login as '${testUserId}' with password '${testUserPass}'..."
echo "[!] Check tokens $NEXTCLOUD_URL/index.php/settings/user/security"
read -r -p "[?] Press any key to continue... " -n1 -s
echo

echo "[i] Invalidating user '${testUserId}' auth-tokens via API call..."
response=$(curl -s -X DELETE "$NEXTCLOUD_URL/ocs/v2.php/cloud/users/${testUserId}/sessions?format=json" \
	-u "$ADMIN_USERNAME:$ADMIN_PASSWORD" \
	-H "OCS-APIRequest: true" \
	-H "User-Agent: $USER_AGENT")

if echo "$response" | grep -q '"status":"ok"'; then
	echo "[i] User '${testUserId}' token invalidation is successful."
	echo "[i] Response: "
	echo "$response" | jq
else
	echo "[e] Failed to invalidate user '${testUserId}' tokens."
	echo "[e] Response: "
	echo "$response" | jq
fi

echo "[!] Reload browser and check if you are logged out."
echo "[!] User has no app tokens in the list"
echo "[!] Observe user is logged out from all devices."
echo "[!] Observe data on devices was *not* wiped."

Unitests

phpunit --configuration tests/phpunit-autotest-user-invalidate.xml

tests/phpunit-autotest-user-invalidate.xml

```xml ./lib/User/SessionTest.php ./lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php ./Core/Controller/ClientFlowLoginV2ControllerTest.php ./Core/Service/LoginFlowV2ServiceUnitTest.php ./Core/Controller/AppPasswordControllerTest.php ./Core/Controller/ClientFlowLoginControllerTest.php ./Core/Controller/WipeControllerTest.php ./Core/Controller/UserControllerTest.php ./lib/Authentication/Token/RemoteWipeTest.php ./lib/Authentication/Token/InvalidatorTest.php ../core/* ../lib/private/* ../**/ ../3rdparty/**/* ../apps/**/* ../apps-custom/**/* ../apps-external/** ../apps-custom/** ../build ../IONOS/**/* ../lib/composer ../vendor/**/* ../tests ```

phpunit --configuration tests/phpunit-autotest-external-provisioning_api.xml

tests/phpunit-autotest-user-invalidate.xml

```xml ../apps/provisioning_api/tests ../lib/private/Files/Storage/DAV.php ../apps/provisioning_api ../apps/provisioning_api/l10n ../apps/provisioning_api/3rdparty ../apps/provisioning_api/tests ```

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[provokateurin]

Big no no if anyone can do this to any user!

[provokateurin]

Ok I see you still have a user check in place, but from the description it really sounds like you only want admins to do this.
That will not work with this PR, because you only allow every user to delete their own tokens and not the admin user as well.

[artonge]

Why not add that method to PublicKeyTokenProvider?

[printminion-co]

The PublicKeyTokenProvider has no imported IEventDispatcher.
We would like to be able to log events via the admin_audit app

[artonge]

Feel free to add it to the constructor arguments.

[come-nc]

Why?

[printminion-co]

Inspired by \OCA\Provisioning_API\Controller\UsersController::wipeUserDevices

server/apps/provisioning_api/lib/Controller/UsersController.php

Line 1255 in 826559d

throw new OCSException('', 101);

[come-nc]

I know we have the same kind of code in other places, but it’s inefficient, because it will try to see if the user is a subadmin even if he’s an admin, which may be expensive if groups are through a backend with subgroups and stuff.
So, please try to write this in a way where it only computes needed information.

[artonge]

In the context of this PR, I won't mind the copy past. If we want a better way of doing it, let's do it in another PR.

[come-nc]

Are these events listened to by anyone?
If the intent is that applications may listen to them, they should be part of OCP.

[printminion-co]

The idea was to consume it via admin_audit app

[come-nc]

Then it needs to be part of public API in OCP.

[artonge]

@printminion-co please move those events to the lib/public/Authentication/Events directory. And set their namespace to OCP\Authentication\Events;

[github-actions]

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

[printminion-co]

Our team has decided to deprioritize the approach outlined in that pull request.

If Nextcloud is interested in pursuing this feature, please feel free to maintain the PR. Otherwise, I will proceed to close it in the near future.