Also remove Web Push subscription on token revocation by origin for

julien4215 · julien4215 · commit e58cd54dd5e2 · 2025-07-12T14:27:22.000+02:00
mobile scope. This is because the mobile app can use Unified Push.
diff --git a/app/controllers/OAuth.scala b/app/controllers/OAuth.scala
@@ -111,7 +111,12 @@ final class OAuth(env: Env, apiC: => Api) extends LilaController(env):
   def revokeClient = AuthBody { ctx ?=> _ ?=>
     bindForm(lila.oauth.AccessTokenRequest.revokeClientForm)(
       _ => BadRequest,
-      origin => env.oAuth.tokenApi.revokeByClientOrigin(origin).inject(NoContent)
+      origin =>
+        for
+          tokens <- env.oAuth.tokenApi.revokeByClientOrigin(origin)
+          _      <- ctx.isMobileOauth.soFu:
+            tokens.traverse(token => env.push.webSubscriptionApi.unsubscribeBySession(token.value))
+        yield NoContent
     )
   }
 
diff --git a/modules/oauth/src/main/AccessTokenApi.scala b/modules/oauth/src/main/AccessTokenApi.scala
@@ -176,26 +176,29 @@ final class AccessTokenApi(
       .runWith(Sink.ignore)
       .void
 
-  def revokeByClientOrigin(clientOrigin: String)(using me: MyId): Funit =
-    coll
-      .find(
-        $doc(
-          F.userId       -> me,
-          F.clientOrigin -> clientOrigin
-        ),
-        $doc(F.id -> 1).some
-      )
-      .sort($sort.desc(F.usedAt))
-      .cursor[Bdoc]()
-      .list(100)
-      .flatMap: invalidate =>
-        coll.delete
-          .one:
-            $doc(
-              F.userId       -> me,
-              F.clientOrigin -> clientOrigin
-            )
-          .map(_ => invalidate.flatMap(_.getAsOpt[AccessToken.Id](F.id)).foreach(onRevoke))
+  def revokeByClientOrigin(clientOrigin: String)(using me: MyId): Fu[List[AccessToken.Id]] =
+    for
+      tokens <- coll
+        .find(
+          $doc(
+            F.userId       -> me,
+            F.clientOrigin -> clientOrigin
+          ),
+          $doc(F.id -> 1).some
+        )
+        .sort($sort.desc(F.usedAt))
+        .cursor[Bdoc]()
+        .list(100)
+        .flatMap: invalidate =>
+          coll.delete
+            .one:
+              $doc(
+                F.userId       -> me,
+                F.clientOrigin -> clientOrigin
+              )
+            .map(_ => invalidate.flatMap(_.getAsOpt[AccessToken.Id](F.id)))
+      _ = tokens.foreach(onRevoke(_))
+    yield tokens
 
   def revoke(bearer: Bearer) =
     val id = AccessToken.Id.from(bearer)

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,12 @@ final class OAuth(env: Env, apiC: => Api) extends LilaController(env):`
`111`	`111`	`def revokeClient = AuthBody { ctx ?=> _ ?=>`
`112`	`112`	`bindForm(lila.oauth.AccessTokenRequest.revokeClientForm)(`
`113`	`113`	`_ => BadRequest,`
`114`		`- origin => env.oAuth.tokenApi.revokeByClientOrigin(origin).inject(NoContent)`
	`114`	`+ origin =>`
	`115`	`+ for`
	`116`	`+ tokens <- env.oAuth.tokenApi.revokeByClientOrigin(origin)`
	`117`	`+ _ <- ctx.isMobileOauth.soFu:`
	`118`	`+ tokens.traverse(token => env.push.webSubscriptionApi.unsubscribeBySession(token.value))`
	`119`	`+ yield NoContent`
`115`	`120`	`)`
`116`	`121`	`}`
`117`	`122`