Skip to content

Add DELETE /api/v1/trusted_publishing/tokens API endpoint #11234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 24 commits into
base: main
Choose a base branch
from
Draft

Add DELETE /api/v1/trusted_publishing/tokens API endpoint #11234

wants to merge 24 commits into from

Conversation

Turbo87
Copy link
Member

@Turbo87 Turbo87 commented May 24, 2025
edited
Loading

This PR adds an endpoint to revoke a temporary access token from the Trusted Publishing flow.

The DELETE /api/v1/trusted_publishing/tokens endpoint expects the token to be handed over in the Authorization header as a Bearer token, similar to how it will be used in the publish endpoint.

This PR is based upon (and currently includes the changes of) #11131, which implements the API endpoint to create a temporary access token (from a JWT).

Related:

Turbo87 added 24 commits May 23, 2025 17:00
@Turbo87
database: Add NewUsedJti data access object
1bd578a
@Turbo87
database: Add NewToken data access object
1d78c55
@Turbo87
diesel_helpers: Adjust lower() fn to also accept NULL
6d45fba
@Turbo87
trustpub: Implement load_jwks() fn
f5f4f8f
@Turbo87
trustpub: Add GITHUB_ISSUER_URL constant
e30464d
@Turbo87
trustpub: Add OidcKeyStore trait
f616378
@Turbo87
trustpub: Implement OidcKeyStore trait
6aa902b
@Turbo87
trustpub: Add mock OidcKeyStore implementation
18620db
@Turbo87
trustpub: Add RSA keys for testing purposes
ad807dd
@Turbo87
trustpub: Add MockOidcKeyStore::with_test_key() fn
e564382
@Turbo87
trustpub: Implement extract_workflow_filename() fn
442b044
@Turbo87
trustpub: Implement UnverifiedClaims::decode() fn
b250ad3 
This fn can be used to decode a JSON web token without verifying it's signature or claims. Only the `iss` claim will actually be decoded, since we use that to find the correct decoding key for the JWT issuer.
@Turbo87
trustpub: Implement GitHubClaims struct
2cee44f
@Turbo87
trustpub: Implement FullGitHubClaims struct for testing purposes
6bdddd0
@Turbo87
trustpub: Implement AccessToken struct
4f023de
@Turbo87
config: Add TRUSTPUB_AUDIENCE setting
c616048 
This defaults to the domain name (crates.io / staging.crates.io) and controls the expected `aud` claim of the OIDC JWT in the Trusted Publishing token exchange.
@Turbo87
App: Add oidc_key_stores hashmap
155dd4a
@Turbo87
AppBuilder: Add trustpub_providers() fn
452ea96
@Turbo87
bin/server: Use TRUSTPUB_PROVIDERS env var to configure Trusted Pub…
706bfbc 
…lishing providers
@Turbo87
tests/TestAppBuilder: Add with_oidc_keystore() fn
4075594
@Turbo87
Implement PUT /api/v1/trusted_publishing/tokens API endpoint
e77f9af
@Turbo87
tests/util: Change MockTokenUser::token to be optional
e672882
@Turbo87
tests/util: Add MockTokenUser::with_auth_header() fn
6eea728 
This makes it possible to construct `MockTokenUser` instances from an existing plaintext token or other random header value.
@Turbo87
Add DELETE /api/v1/trusted_publishing/tokens API endpoint
5699949
@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels May 24, 2025
@Turbo87 Turbo87 mentioned this pull request May 23, 2025
Open
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
A-backend ⚙️ C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Turbo87