feat: make regular api tokens revocable

.env.example

@@ -63,3 +63,6 @@ S3_ACCESS_KEY_ID=your_s3_access_key_id_here
 S3_SECRET_ACCESS_KEY=your_s3_secret_access_key_here
 S3_BUCKET=your_s3_bucket_name_here
 S3_ENDPOINT=https://<ACCOUNT_ID>.r2.cloudflarestorage.com
+
+# Revocation key for token revocation
+HKA_REVOCATION_KEY=your_hka_revocation_key_here

app/controllers/api/internal/revocations_controller.rb

@@ -1,26 +1,58 @@
 module Api
   module Internal
     class RevocationsController < Api::Internal::ApplicationController
+      REGULAR_KEY_REGEX = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i
+      ADMIN_KEY_REGEX = /\Ahka_[0-9a-f]{64}\z/
+
       def create
         token = params[:token]
 
         return head 400 unless token.present?
 
-        admin_api_key = AdminApiKey.active.find_by(token:)
-
-        return render json: { success: false } unless admin_api_key.present?
+        key, user = revocable_key_and_owner(token)
 
-        admin_api_key.revoke!
-
-        user = admin_api_key.user
+        return render json: { success: false } unless key.present?
+        return render json: { success: false } unless revoke_key!(key)
 
         render json: {
           success: true,
           owner_email: user.email_addresses.first&.email,
-          key_name: admin_api_key.name
+          key_name: key.name
         }.compact_blank
       end
 
+      private
+
+      def revocable_key_and_owner(token)
+        if token.match?(ADMIN_KEY_REGEX)
+          key = AdminApiKey.active.find_by(token:)
+          return [ key, key&.user ]
+        end
+
+        if token.match?(REGULAR_KEY_REGEX)
+          # TODO: ApiKey currently has no active/revoked scope.
+          # If one is added, prefer ApiKey.active here for consistency.
+          key = ApiKey.find_by(token:)
+          return [ key, key&.user ]
+        end
+
+        [ nil, nil ]
+      end
+
+      def revoke_key!(key)
+        if key.is_a?(AdminApiKey)
+          key.revoke!
+        else
+          key.update(
+            token: SecureRandom.uuid_v4,
+            name: "#{key.name}_revoked_#{SecureRandom.hex(8)}"
+          )
+        end
+      rescue ActiveRecord::ActiveRecordError => e
+        Rails.logger.error("Revocation failed for #{key.class}##{key.id}: #{e.class} #{e.message}")
+        false
+      end
+
       private def authenticate!
         res = authenticate_with_http_token do |token, _|
           ActiveSupport::SecurityUtils.secure_compare(token, ENV["HKA_REVOCATION_KEY"])

test/controllers/api/internal/revocations_controller_test.rb

@@ -0,0 +1,97 @@
+require "test_helper"
+
+class Api::Internal::RevocationsControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @previous_revocation_key = ENV["HKA_REVOCATION_KEY"]
+    ENV["HKA_REVOCATION_KEY"] = "test-revocation-key"
+  end
+
+  teardown do
+    ENV["HKA_REVOCATION_KEY"] = @previous_revocation_key
+  end
+
+  test "revokes regular ApiKey by rolling token" do
+    user = User.create!(timezone: "UTC")
+    original_token = SecureRandom.uuid_v4
+    key = user.api_keys.create!(name: "Desktop", token: original_token)
+
+    post "/api/internal/revoke", params: { token: original_token }, headers: auth_headers, as: :json
+
+    assert_response :success
+    assert_equal true, response.parsed_body["success"]
+
+    key.reload
+    assert_not_equal original_token, key.token
+    assert_nil ApiKey.find_by(token: original_token)
+
+    post "/api/internal/revoke", params: { token: original_token }, headers: auth_headers, as: :json
+
+    assert_response :success
+    assert_equal({ "success" => false }, response.parsed_body)
+  end
+
+  test "returns success false for valid regular UUID token that does not exist" do
+    token = SecureRandom.uuid_v4
+
+    post "/api/internal/revoke", params: { token: token }, headers: auth_headers, as: :json
+
+    assert_response :success
+    assert_equal({ "success" => false }, response.parsed_body)
+  end
+
+  test "returns success false for token that matches neither regex" do
+    post "/api/internal/revoke", params: { token: "not-a-valid-token" }, headers: auth_headers, as: :json
+
+    assert_response :success
+    assert_equal({ "success" => false }, response.parsed_body)
+  end
+
+  test "returns success false when regular key revoke update fails" do
+    user = User.create!(timezone: "UTC")
+    colliding_token = SecureRandom.uuid_v4
+    user.api_keys.create!(name: "Existing", token: colliding_token)
+
+    key = user.api_keys.create!(name: "Desktop")
+    original_token = key.token
+
+    with_stubbed_uuid_v4(colliding_token) do
+      post "/api/internal/revoke", params: { token: original_token }, headers: auth_headers, as: :json
+    end
+
+    assert_response :success
+    assert_equal({ "success" => false }, response.parsed_body)
+
+    key.reload
+    assert_equal original_token, key.token
+  end
+
+  test "revokes admin key" do
+    user = User.create!(timezone: "UTC")
+    admin_key = user.admin_api_keys.create!(name: "Infra", token: "hka_#{SecureRandom.hex(32)}")
+
+    post "/api/internal/revoke", params: { token: admin_key.token }, headers: auth_headers, as: :json
+
+    assert_response :success
+    assert_equal true, response.parsed_body["success"]
+
+    admin_key.reload
+    assert_not_nil admin_key.revoked_at
+    assert_includes admin_key.name, "_revoked_"
+  end
+
+  private
+
+  def with_stubbed_uuid_v4(value)
+    original_uuid_v4 = SecureRandom.method(:uuid_v4)
+    SecureRandom.define_singleton_method(:uuid_v4) { value }
+    yield
+  ensure
+    SecureRandom.define_singleton_method(:uuid_v4, original_uuid_v4)
+  end
+
+  def auth_headers
+    {
+      "Authorization" => ActionController::HttpAuthentication::Token.encode_credentials(ENV.fetch("HKA_REVOCATION_KEY"))
+    }
+  end
+end