authorenahum <nahumhbl@gmail.com>2016-08-23 19:06:17 -0300
committerJoram Wilander <jwawilander@gmail.com>2016-08-23 18:06:17 -0400
commit9ab5a7996247c98ed6267b638e1b313e7c4eb8ff (patch)
tree95579883cd48370ee48259b2bec02b124df2f200 /api/oauth.go
parente406a92fbbfe36765ab66d9879a9c94546c7c281 (diff)
PLT-3745 - Deauthorize OAuth Apps (#3852)
* Deauthorize OAuth APIs * Deauthorize OAuth Apps Account Settings * Fix typo in client method * Fix issues found by PM * Show help text only when there is at least one authorized app
Diffstat (limited to 'api/oauth.go')
-rw-r--r--api/oauth.go69
1 files changed, 69 insertions, 0 deletions
diff --git a/api/oauth.go b/api/oauth.go
index 546b0bdca..6e7649d8d 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -29,7 +29,9 @@ func InitOAuth() {
BaseRoutes.OAuth.Handle("/list", ApiUserRequired(getOAuthApps)).Methods("GET")
BaseRoutes.OAuth.Handle("/app/{client_id}", ApiUserRequired(getOAuthAppInfo)).Methods("GET")
BaseRoutes.OAuth.Handle("/allow", ApiUserRequired(allowOAuth)).Methods("GET")
+ BaseRoutes.OAuth.Handle("/authorized", ApiUserRequired(getAuthorizedApps)).Methods("GET")
BaseRoutes.OAuth.Handle("/delete", ApiUserRequired(deleteOAuthApp)).Methods("POST")
+ BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", AppHandlerIndependent(deauthorizeOAuthApp)).Methods("POST")
BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/complete", AppHandlerIndependent(completeOAuth)).Methods("GET")
BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/login", AppHandlerIndependent(loginWithOAuth)).Methods("GET")
BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/signup", AppHandlerIndependent(signupWithOAuth)).Methods("GET")
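Review bot: The new `/{id}/deauthorize` route is registered with AppHandlerIndependent while its siblings `/authorized` and `/delete` use ApiUserRequired, yet deauthorizeOAuthApp (third hunk below) keys every store call on c.Session.UserId. The other AppHandlerIndependent routes in this block (complete/login/signup) serve flows that run before a user is logged in, so if that wrapper does not enforce a session the handler would execute with an empty user id; a state-changing POST scoped to the current user should carry the same guard as the other user-scoped routes: `BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", ApiUserRequired(deauthorizeOAuthApp)).Methods("POST")`. Whether AppHandlerIndependent tolerates a missing session is not visible in this hunk and should be confirmed in context.go. InitOAuth starts before and continues past this hunk.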
@@ -227,6 +229,28 @@ func allowOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
w.Write([]byte(model.MapToJson(responseData)))
}
+func getAuthorizedApps(c *Context, w http.ResponseWriter, r *http.Request) {
+ if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
+ c.Err = model.NewLocAppError("getAuthorizedApps", "api.oauth.allow_oauth.turn_off.app_error", nil, "")
+ c.Err.StatusCode = http.StatusNotImplemented
+ return
+ }
+
+ ochan := Srv.Store.OAuth().GetAuthorizedApps(c.Session.UserId)
+ if result := <-ochan; result.Err != nil {
+ c.Err = result.Err
+ return
+ } else {
+ apps := result.Data.([]*model.OAuthApp)
+ for k, a := range apps {
+ a.Sanitize()
+ apps[k] = a
+ }
+
+ w.Write([]byte(model.OAuthAppListToJson(apps)))
+ }
+}
+
func RevokeAccessToken(token string) *model.AppError {
schan := Srv.Store.Session().Remove(token)
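Review bot: The sanitize loop in getAuthorizedApps writes `apps[k] = a` back after `a.Sanitize()`, but the slice holds `*model.OAuthApp` pointers, so the write-back is a no-op and the loop reduces to `for _, a := range apps { a.Sanitize() }`. The `else` following the `return` in the error branch can be flattened so the successful path is left-aligned, matching the early-return style used for the feature-flag check just above it. The handler has no doc comment; `// getAuthorizedApps returns the OAuth apps authorized by the requesting user, each passed through Sanitize() before encoding.` would document the contract without overstating what Sanitize strips. The trailing context lines belong to RevokeAccessToken, whose body continues outside the hunk.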
@@ -879,6 +903,51 @@ func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
ReturnStatusOK(w)
}
+func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
+ if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
+ c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.allow_oauth.turn_off.app_error", nil, "")
+ c.Err.StatusCode = http.StatusNotImplemented
+ return
+ }
+
+ params := mux.Vars(r)
+ id := params["id"]
+
+ if len(id) == 0 {
+ c.SetInvalidParam("deauthorizeOAuthApp", "id")
+ return
+ }
+
+ // revoke app sessions
+ if result := <-Srv.Store.OAuth().GetAccessDataByUserForApp(c.Session.UserId, id); result.Err != nil {
+ c.Err = result.Err
+ return
+ } else {
+ accessData := result.Data.([]*model.AccessData)
+
+ for _, a := range accessData {
+ if err := RevokeAccessToken(a.Token); err != nil {
+ c.Err = err
+ return
+ }
+
+ if rad := <-Srv.Store.OAuth().RemoveAccessData(a.Token); rad.Err != nil {
+ c.Err = rad.Err
+ return
+ }
+ }
+ }
+
+ // Deauthorize the app
+ if err := (<-Srv.Store.Preference().Delete(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, id)).Err; err != nil {
+ c.Err = err
+ return
+ }
+
+ c.LogAudit("success")
+ ReturnStatusOK(w)
+}
+
func newSession(appName string, user *model.User) (*model.Session, *model.AppError) {
// set new token an session
session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true}
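Review bot: The feature-flag error in deauthorizeOAuthApp is attributed to the wrong handler — `c.Err = model.NewLocAppError("deleteOAuthApp", ...)` should read `c.Err = model.NewLocAppError("deauthorizeOAuthApp", "api.oauth.allow_oauth.turn_off.app_error", nil, "")`, otherwise logs for this endpoint point at deleteOAuthApp. The revoke loop returns on the first RevokeAccessToken or RemoveAccessData failure, which leaves any later tokens for the app active and the authorization preference still present, and nothing is audited on that path; if this file's handlers record failures with c.LogAudit (only the "success" call is visible here), a `c.LogAudit("fail - revoke")` before those returns would make a half-completed deauthorization visible to an operator. Re-invoking the endpoint does appear to complete the job, since it reads the remaining access data afresh, so the gap is observability rather than a stuck state. The `len(id) == 0` guard is unreachable given the `[A-Za-z0-9]+` route pattern, which is harmless but worth a one-line comment so it is not mistaken for the only input validation. The trailing context lines belong to newSession, whose body continues outside the hunk.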