Fixes #37936 - As a user, I want to invalidate jwt for specific user

app/controllers/api/v2/users_controller.rb

@@ -96,7 +96,7 @@ def create
       api :PUT, "/users/:id/", N_("Update a user")
       description <<-DOC
         Adds role 'Default role' to the user if it is not already present.
-        Only another admin can change the admin account attribute.
+      Only another admin can change the admin account attribute.
       DOC
       param :id, String, :required => true
       param_group :user_update
@@ -111,6 +111,23 @@ def update
         end
       end
 
+      api :PATCH, "/users/:id/invalidate_jwt", N_("Get vm attributes of host")
+      param :id, String, :required => true
+      description <<~EOS
+        Invalidate JWT for a specific user
+      EOS
+
+      def invalidate_jwt
+        @user = User.find(params[:id])
+        if !@user 
+          render :json => { :error => _("User %s does not exist.") % @user.login}
+        elsif  !@user.can?(:edit_users)
+          deny_access N_("User %s does not have permissions to invalidate" % @user.login)
+        else @user.can?(:edit_users) && @user.invalidate_jwt.blank?
+          process_success _('Successfully invalidated the tokens.')
+        end
+      end
+
       api :DELETE, "/users/:id/", N_("Delete a user")
       param :id, String, :required => true
 

app/controllers/users_controller.rb

@@ -92,6 +92,15 @@ def impersonate
       redirect_to users_path
     end
   end
+
+  def invalidate_jwt   
+    @user = find_resource(:edit_users)
+    if @user.invalidate_jwt.blank?
+      process_success(
+          :success_msg => _('Successfully invalidated JWT for %s.') % @user.login,
+        )
+    end
+  end
 
   def stop_impersonation
     if session[:impersonated_by].present?

app/helpers/users_helper.rb

@@ -33,14 +33,22 @@ def user_action_buttons(user, additional_actions = [])
         :method => :post,
         :data => { :no_turbolink => true })
     end
+
+    if user != User.current
+      additional_actions <<  display_link_if_authorized(_("Invalidate JWT"),
+      hash_for_invalidate_jwt_user_path(:id => user).merge(:auth_object => user,:permission => 'edit_users'),
+      :method => :patch, :id => user.id,
+      :data => { :confirm => _("Invalidate tokens for %s?") % user.name })
+    end
 
     delete_btn = display_delete_if_authorized(
       hash_for_user_path(:id => user).merge(:auth_object => user, :authorizer => authorizer),
       :data => { :confirm => _("Delete %s?") % user.name })
 
-    action_buttons(*([display_delete_unless_impersonator(delete_btn, user)] + additional_actions))
+    action_buttons(*([display_delete_unless_impersonator(delete_btn, user)] + additional_actions ))
   end
 
+
   def display_delete_unless_impersonator(link, user)
     (user.id == session[:impersonated_by]) ? "" : link
   end

app/models/concerns/jwt_auth.rb

@@ -7,7 +7,10 @@ module JwtAuth
     def jwt_secret!
       jwt_secret || create_jwt_secret!
     end
-
+
+    def invalidate_jwt
+      User.find_by(id: id).jwt_secret&.destroy
+    end
     # expiration:  integer, eg: 4.hours.to_i
     # scope:       example: [{ controller: :registration, actions: [:global, :host] }]
     def jwt_token!(expiration: nil, scope: [])

config/routes.rb

@@ -256,6 +256,7 @@
     end
     member do
       post 'impersonate'
+      patch 'invalidate_jwt'
     end
     resources :ssh_keys, only: [:new, :create, :destroy]
   end

config/routes/api/v2.rb

@@ -218,6 +218,7 @@
           resources :mail_notifications, :only => [:create, :destroy, :update]
           get 'mail_notifications', :to => 'mail_notifications#user_mail_notifications', :on => :member
           get 'extlogin', :to => 'users#extlogin', :on => :collection
+          patch 'invalidate_jwt', :to => 'users#invalidate_jwt', :on => :member
         end
       end