Revoking one oauth token revokes all oauth tokens for that client

2025-10-17 15:03:02 +00:00 · 2018-04-16 11:28:11 +02:00
parent 33cb62c2ee
commit ce535b55bc
3 changed files with 21 additions and 12 deletions
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -283,7 +283,17 @@ class UserTokenAPIHandler(APIHandler):
        if not user:
            raise web.HTTPError(404, "No such user: %s" % name)
        token = self.find_token_by_id(user, token_id)
-        self.db.delete(token)
+        # deleting an oauth token deletes *all* oauth tokens for that client
+        if isinstance(token, orm.OAuthAccessToken):
+            client_id = token.client_id
+            tokens = [
+                token for token in user.oauth_tokens
+                if token.client_id == client_id
+            ]
+        else:
+            tokens = [token]
+        for token in tokens:
+            self.db.delete(token)
        self.db.commit()
        self.set_header('Content-Type', 'text/plain')
        self.set_status(204)