missing route DELETE /users/{username}/tokens

[markuman]

• Gitea version (or commit ref): 1.4.2
• Git version: 2.7.4
• Operating system: CentOS release 6.9 (Final)
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

There are two API routes for the user auth token in the current swagger docs: https://try.gitea.io/api/swagger

GET /users/{username}/tokens 
    List the authenticated user's access tokens

POST /users/{username}/tokens 
    Create an access token

but DELETE a token for a user is missing.
See https://github.com/go-gitea/gitea/blob/908e8942ccae5b7966c7084780b3441e2190d9c1/routers/api/v1/user/app.go

So, what it needs (next to the swagger definitions) is, that the function
func DeleteAccessToken(ctx *context.APIContext)
in
gitea/routers/api/v1/user/app.go
is added, which calls models.DeleteAccessTokenByID(token_id, user_id), right?

Or is this route for some reason an unwanted feature?

[techknowlogick]

@markuman I've just opened up PR #4235 to resolve this

Please test to ensure it works for your use-case.

[markuman]

@techknowlogick I'm not sure what I did wrong.
I simply do git checkout pr-4235 and run TAGS="bindata" make generate build.

So the swagger docs display the delete route now. But when I try to list the tokens before delete, I got an unauthorized response.

I tried http://127.0.0.1:3000/api/v1/users/m/tokens?token=2062451fcf99a33eba0a2a0a6cc6b2877901b929 and also with bearer auth token.
See the screenshot

hm even on my running 1.4.2 gitea, listing tokens doesn't work.
Any ideas?

[markuman]

@techknowlogick here #3842 (comment) @bkcsoft pointed out, that basic auth is required for listing tokens.

$ curl --request GET --url https://m:mypassword@git.osuv.de/api/v1/users/m/tokens
[{"name":"test","sha1":"..."},{"name":"dev","sha1":"..."}]

I also noticed that the {username} in the url specification /users/{username}/tokens is completely irrelevant.

$ curl --request GET --url https://m:mypassword@git.osuv.de/api/v1/users/fasgdjfhgdsf/tokens
[{"name":"test","sha1":"..."},{"name":"dev","sha1":"..."}]

So the swagger specs should also be adjust (maybe with this merge request.