Operator API for disabling/removing device tokens

[askfongjojo]

The issue of device token not being expired has been discussed in #2302 and #2587. While the work tracked there will tighten up system access security, we still need a way to immediately invalidate tokens similar to what operator can do for local user passwords.

The API request payload will probably be similar to that for set/invalidate password API.

[davepacheco]

This makes senses. I'm wondering how best to express it. These are not what I think of as API-managed tokens, so I wouldn't expect endpoints to list and remove them individually. (We've talked about implementing such API-managed tokens too, though.) We could have an endpoint to expire all of a user's tokens? Or maybe we do let you list "sessions" and report them as either web console or devices and let you expire them individually? I'm curious what established patterns exist for revoking these OAuth device tokens.

[askfongjojo]

Sorry I missed mentioning the expectation of which tokens to expire. Since the token create process doesn't capture a human-readable device id or name for user to easily identify the device involved, it may be necessary to expire all tokens associated with the user (hence the payload would only ask for silo and user_id).

Browser tokens aren't tracked in the device access token table AFAICT so there is still a small loophole where a user can exploit an active console session until it expires.

[david-crespo]

This has rolled over a bunch of times but we are not working on it, so I removed it from milestone 6 and the project board.