Revoke viewer session

docker-compose.yaml

@@ -199,7 +199,7 @@ services:
     restart: "on-failure"
 
   admin-portal:
-    image: boxyhq/jackson:1.11.0
+    image: boxyhq/jackson:1.13.0
     ports:
       - "5225:5225"
     networks:

integration/test/viewer/createsavedexport.ts

@@ -138,6 +138,7 @@ describe("Viewer API", function () {
                 const desc = {
                   environmentId: Env.EnvironmentID,
                   groupId: groupID,
+                  id: token,
                 };
                 const tkn = jwt.sign(desc, process.env.HMAC_SECRET_VIEWER);
                 chai

src/handlers/revokeViewerSessions.ts

@@ -0,0 +1,31 @@
+import Authenticator from "../security/Authenticator";
+import modelDeleteViewerDescriptors from "../models/viewer_descriptor/delete";
+import { RawResponse } from "../router";
+
+export default async function handlerRaw(req): Promise<RawResponse> {
+  const auth = req.get("Authorization");
+  const projectId = req.params.projectId;
+  const groupId = req.params.groupId;
+  const actorId = req.params.actorId;
+  await revokeViewerSessions(auth, projectId, actorId, groupId);
+  return {
+    status: 200,
+    body: "",
+  };
+}
+
+export async function revokeViewerSessions(
+  auth: string,
+  projectId: string,
+  actorId: string,
+  groupId: string
+): Promise<void> {
+  const apiToken = await Authenticator.default().getApiTokenOr401(auth, projectId);
+
+  await modelDeleteViewerDescriptors({
+    projectId,
+    environmentId: apiToken.environmentId,
+    groupId,
+    actorId,
+  });
+}

src/models/viewer_descriptor/delete.ts

@@ -0,0 +1,22 @@
+import getPgPool from "../../persistence/pg";
+
+const pgPool = getPgPool();
+
+export interface Options {
+  projectId: string;
+  environmentId: string;
+  groupId: string;
+  actorId: string;
+}
+
+export default async function modelDeleteViewerDescriptors(opts: Options): Promise<void> {
+  const q = `
+        DELETE FROM viewer_descriptors
+        WHERE project_id = $1 AND
+            environment_id = $2 AND
+            group_id = $3 AND
+            actor_id = $4`;
+  const values = [opts.projectId, opts.environmentId, opts.groupId, opts.actorId];
+
+  await pgPool.query(q, values);
+}

src/routes.ts

@@ -1,6 +1,7 @@
 // core
 import createViewerSession from "./handlers/createViewerSession";
 import getInvite from "./handlers/getInvite";
+import revokeViewerSessions from "./handlers/revokeViewerSessions";
 import graphQL from "./handlers/graphql";
 
 // admin
@@ -179,6 +180,11 @@ export default {
     method: "post",
     handler: createViewerSession,
   },
+  revokeViewerSessions: {
+    path: "/viewer/v1/project/:projectId/group/:groupId/actor/:actorId/viewersessions",
+    method: "delete",
+    handler: revokeViewerSessions,
+  },
   viewerCreateEitapiToken: {
     path: "/viewer/v1/project/:projectId/eitapi_token",
     method: "post",

src/security/vouchers.ts

@@ -2,6 +2,7 @@ import jwt from "jsonwebtoken";
 import config from "../config";
 
 import ViewerDescriptor from "../models/viewer_descriptor/def";
+import getViewerToken from "../models/viewer_descriptor/get";
 
 export interface AdminClaims {
   userId: string;
@@ -31,13 +32,23 @@ export async function validateAdminVoucher(voucher: string): Promise<AdminClaims
 }
 
 export async function validateViewerDescriptorVoucher(voucher: string): Promise<ViewerDescriptor> {
-  return new Promise<ViewerDescriptor>((resolve, reject) => {
-    jwt.verify(voucher, config.HMAC_SECRET_VIEWER, (err, claims) => {
+  const claims = await new Promise<ViewerDescriptor>((resolve, reject) => {
+    jwt.verify(voucher, config.HMAC_SECRET_VIEWER, (err, claimsObj) => {
       if (err) {
         reject(err);
         return;
       }
-      resolve(claims);
+      resolve(claimsObj);
     });
   });
+
+  const token = await getViewerToken({
+    id: claims.id,
+  });
+
+  if (!token) {
+    throw new Error("Invalid token");
+  }
+
+  return claims;
 }