Add API token revocation (#801)

Add first-class revocation for API tokens, distinct from expiration.
A revoked token is rejected at the authentication boundary, so a leaked
JWT stops working immediately rather than waiting for its TTL.

- New migration `token_revoked` adds a nullable `revoked` BIGINT column
  (mirroring the soft-delete pattern on organization/project) with a
  partial `WHERE revoked IS NULL` index for the hot path.
- `AuthUser::from_token` now looks up API-key JWTs in the token table
  and rejects any whose `revoked` column is set (client-audience JWTs
  for browser sessions are not persisted and skip the check).
- New `DELETE /v0/users/{user}/tokens/{token}` endpoint guarded by
  `same_user!`; token list hides revoked entries by default with a
  `?revoked=true` opt-in for audit.
- CLI: `bencher token revoke` and `bencher token list --revoked`.
- Console: Revoke button on the token detail page (terminal - no
  unrevoke) and a Revoked toggle on the list, mirroring the archived
  dimension UX. Revoked tokens show a warning notification with the
  revocation date.
- Integration tests cover revoke-hides-from-list, direct-GET-still-
  visible, auth-breaks-after-revoke, forbidden-for-other-user, and
  double-revoke-rejected. Seed test exercises the end-to-end CLI
  lifecycle.

Author: epompeii

Cargo.lock

@@ -10,11 +10,12 @@ publish = false
 default = []
 plus = ["bencher_endpoint/plus", "bencher_json/plus", "bencher_schema/plus"]
 sentry = ["bencher_schema/sentry"]
-otel = ["bencher_endpoint/otel", "bencher_schema/otel"]
+otel = ["dep:bencher_otel", "bencher_endpoint/otel", "bencher_schema/otel"]
 
 [dependencies]
 bencher_endpoint.workspace = true
 bencher_json = { workspace = true, features = ["server", "schema", "db"] }
+bencher_otel = { workspace = true, optional = true }
 bencher_schema.workspace = true
 diesel.workspace = true
 dropshot.workspace = true

lib/api_users/Cargo.toml

@@ -37,6 +37,7 @@ impl bencher_endpoint::Registrar for Api {
         api_description.register(tokens::user_token_post)?;
         api_description.register(tokens::user_token_get)?;
         api_description.register(tokens::user_token_patch)?;
+        api_description.register(tokens::user_token_delete)?;
 
         Ok(())
     }

lib/api_users/src/lib.rs

@@ -1,5 +1,6 @@
 use bencher_endpoint::{
-    CorsResponse, Endpoint, Get, Patch, Post, ResponseCreated, ResponseOk, TotalCount,
+    CorsResponse, Delete, Endpoint, Get, Patch, Post, ResponseCreated, ResponseDeleted, ResponseOk,
+    TotalCount,
 };
 use bencher_json::{
     JsonDirection, JsonNewToken, JsonPagination, JsonToken, JsonTokens, ResourceName, Search,
@@ -8,14 +9,14 @@ use bencher_json::{
 use bencher_schema::{
     auth_conn,
     context::ApiContext,
-    error::{resource_conflict_err, resource_not_found_err},
+    error::{conflict_error, resource_conflict_err, resource_not_found_err},
     model::user::{
         QueryUser, UserId,
         auth::{AuthUser, BearerToken},
         same_user,
         token::{InsertToken, QueryToken, UpdateToken},
     },
-    schema, write_conn,
+    schema, write_conn, write_transaction,
 };
 use diesel::{
     BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, RunQueryDsl as _,
@@ -48,6 +49,9 @@ pub struct UserTokensQuery {
     pub name: Option<ResourceName>,
     /// Search by token name, slug, or UUID.
     pub search: Option<Search>,
+    /// If set to `true`, only returns revoked tokens.
+    /// If not set or set to `false`, only returns non-revoked tokens.
+    pub revoked: Option<bool>,
 }
 
 #[endpoint {
@@ -139,6 +143,12 @@ fn get_ls_query<'q>(
         .filter(schema::token::user_id.eq(user_id))
         .into_boxed();
 
+    if let Some(true) = query_params.revoked {
+        query = query.filter(schema::token::revoked.is_not_null());
+    } else {
+        query = query.filter(schema::token::revoked.is_null());
+    }
+
     if let Some(name) = query_params.name.as_ref() {
         query = query.filter(schema::token::name.eq(name));
     }
@@ -211,6 +221,9 @@ async fn post_inner(
         .execute(write_conn!(context))
         .map_err(resource_conflict_err!(Token, insert_token))?;
 
+    #[cfg(feature = "otel")]
+    bencher_otel::ApiMeter::increment(bencher_otel::ApiCounter::UserTokenCreate);
+
     auth_conn!(context, |conn| {
         schema::token::table
             .filter(schema::token::uuid.eq(&insert_token.uuid))
@@ -237,7 +250,7 @@ pub async fn user_token_options(
     _rqctx: RequestContext<ApiContext>,
     _path_params: Path<UserTokenParams>,
 ) -> Result<CorsResponse, HttpError> {
-    Ok(Endpoint::cors(&[Get.into(), Patch.into()]))
+    Ok(Endpoint::cors(&[Get.into(), Patch.into(), Delete.into()]))
 }
 
 /// View a token
@@ -328,3 +341,55 @@ async fn patch_inner(
         QueryToken::get(conn, query_token.id)?.into_json(conn)
     })
 }
+
+/// Revoke a token
+///
+/// Revoke an API token for a user.
+/// Revocation is terminal: a revoked token can no longer authenticate any request,
+/// and the revocation cannot be undone (for security — a leaked JWT must not become valid again).
+/// Only the authenticated user themselves and server admins have access to this endpoint.
+#[endpoint {
+    method = DELETE,
+    path =  "/v0/users/{user}/tokens/{token}",
+    tags = ["users", "tokens"]
+}]
+pub async fn user_token_delete(
+    rqctx: RequestContext<ApiContext>,
+    bearer_token: BearerToken,
+    path_params: Path<UserTokenParams>,
+) -> Result<ResponseDeleted, HttpError> {
+    let auth_user = AuthUser::from_token(rqctx.context(), bearer_token).await?;
+    delete_inner(rqctx.context(), path_params.into_inner(), &auth_user).await?;
+    Ok(Delete::auth_response_deleted())
+}
+
+async fn delete_inner(
+    context: &ApiContext,
+    path_params: UserTokenParams,
+    auth_user: &AuthUser,
+) -> Result<(), HttpError> {
+    let query_user = QueryUser::from_resource_id(auth_conn!(context), &path_params.user)?;
+    same_user!(auth_user, context.rbac, query_user.uuid);
+
+    let query_token = QueryToken::get_user_token(
+        auth_conn!(context),
+        query_user.id,
+        &path_params.token.to_string(),
+    )?;
+
+    let now = context.clock.now();
+    let rows = write_transaction!(context, |conn| QueryToken::revoke(
+        conn,
+        query_token.id,
+        now
+    ))
+    .map_err(resource_conflict_err!(Token, (&query_user, &query_token)))?;
+    if rows == 0 {
+        return Err(conflict_error("Token has already been revoked"));
+    }
+
+    #[cfg(feature = "otel")]
+    bencher_otel::ApiMeter::increment(bencher_otel::ApiCounter::UserTokenRevoke);
+
+    Ok(())
+}

lib/api_users/src/tokens.rs

@@ -12,8 +12,9 @@ use bencher_schema::{
         admin::AdminUser,
         auth::{AuthUser, BearerToken},
         same_user,
+        token::QueryToken,
     },
-    schema, write_conn,
+    schema, write_conn, write_transaction,
 };
 use diesel::{
     BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, RunQueryDsl as _,
@@ -234,10 +235,27 @@ async fn patch_inner(
     }
 
     let update_user = UpdateUser::from(json_user.clone());
-    diesel::update(schema::user::table.filter(schema::user::id.eq(query_user.id)))
-        .set(&update_user)
-        .execute(write_conn!(context))
+
+    let email_changed = json_user
+        .email
+        .as_ref()
+        .is_some_and(|new_email| *new_email != query_user.email);
+
+    if email_changed {
+        let now = context.clock.now();
+        write_transaction!(context, |conn| {
+            diesel::update(schema::user::table.filter(schema::user::id.eq(query_user.id)))
+                .set(&update_user)
+                .execute(conn)?;
+            QueryToken::revoke_all(conn, query_user.id, now)
+        })
         .map_err(resource_conflict_err!(User, (&query_user, &json_user)))?;
+    } else {
+        diesel::update(schema::user::table.filter(schema::user::id.eq(query_user.id)))
+            .set(&update_user)
+            .execute(write_conn!(context))
+            .map_err(resource_conflict_err!(User, (&query_user, &json_user)))?;
+    }
 
     Ok(QueryUser::get(auth_conn!(context), query_user.id)?.into_json())
 }