Feature/6222 - Endpoint /api/v1/users/sign_out revokes access token and refresh token on request by xihai01 · Pull Request #6241 · rubyforgood/casa

xihai01 · 2025-02-24T20:47:28Z

What github issue is this PR for, if any?

Resolves #6222

What changed, and why?

Added /api/v1/users/sign_out endpoint so both the access and refresh tokens for that user is cleared from the api_credentials table and set to nil.

Added request and model specs for the sign out route
Generated and updated swagger file
Added helper function to api credential model to clear tokens
Added sign out to routes and session controller
Added seed data for populating tokens in api credential table in dev environment

Why?: for added security - tokens should be removed from api_credentials table because user is no longer signed in.

How is this tested? (please write tests!) 💖💪

Token Destroyer Helper Function tests (2 in total) → spec/models/api_credential_spec.rb
Sign Out Request Test for 200 and 401 Response Cases → spec/requests/api/v1/users/sessions_spec.rb

Screenshots please :)

Testing sign out with postman on localhost

Steps:
First we sign in to fetch the refresh token
Lastly we sign out and pass in refresh token in the request authorization header

Feelings gif (optional)

compwron · 2025-02-26T04:50:20Z

👀

app/models/api_credential.rb

spec/models/api_credential_spec.rb

spec/swagger_helper.rb

swagger/v1/swagger.yaml

7riumph · 2025-02-26T18:54:42Z

spec/requests/api/v1/users/sessions_spec.rb

+      let(:casa_org) { create(:casa_org) }
+      let(:volunteer) { create(:volunteer, casa_org: casa_org) }
+      let(:api_credential) { create(:api_credential, user: volunteer) }
+      let(:refresh_token) { api_credential.return_new_refresh_token![:refresh_token] }


Er, is this regenerating a refresh token a 2nd time?

I think when you create the api credential table for the first time, the token digest fields are nil - at least in dev environment and so that is why I created the seed file to populate them.

I also need the plain text refresh token to be passed in the authorization header for the sign out.

Sure thing, will make note this for future issues (Keep unresolved for now)

7riumph

Looks good so far, as mentioned on the issues acceptance criteria and in our discussions. Still need to...

Add the sign_in route to routes.rb ( session#destroy )
Add a destroy function to the sessions_controller.rb using the revocation function(s) helper you made
Address comments, test route with whatever you'd like to use though my preference is curl, then should lgtm 😎

app/models/api_credential.rb

db/seeds/api_credential_data.rb

spec/models/api_credential_spec.rb

app/controllers/api/v1/users/sessions_controller.rb

7riumph · 2025-03-01T18:50:12Z

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here

Implementing it should remove any confusion.

xihai01 · 2025-03-04T20:32:58Z

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here

Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

7riumph · 2025-03-04T21:11:17Z

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.

Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

xihai01 · 2025-03-04T22:09:13Z

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.

Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

ok I got it. I can work on this issue. Let me know if you havn't already and I will create an issue for it.

7riumph · 2025-03-04T22:34:38Z

@xihai01 Additionally, can you make edits to the app's sign out button itself, especially utilizing the dual token additions here
Implementing it should remove any confusion.

Do we have a separate issue for the sign out button?

No but can defiantly make one. This is the current AccountScreen with a Sign-out button.
Current behaviour is just a console log onPress={console.log('For Sign out')} would make a function using the auth base.

ok I got it. I can work on this issue. Let me know if you havn't already and I will create an issue for it.

Thanks, all good, here's the issue for end-to-end implementation.

7riumph

Fantastic, and thank you for the iOS side implementation here

add rspec tests and generate new swagger file

8e03865

xihai01 added the codethechange for codethechange developers label Feb 24, 2025

xihai01 requested a review from 7riumph February 24, 2025 20:47

xihai01 self-assigned this Feb 24, 2025

github-actions bot added ruby Pull requests that update Ruby code Tests! 🎉💖👏 labels Feb 24, 2025

add helper function in api_credential table to clear tokens

c787435

xihai01 added 2 commits February 26, 2025 11:43

add sign out route to controller

bf2d43d

seed api credential with token data in dev

bb13f87