feat: withdraw all QR codes when one is withdrawn

This is a preparation for expiring authentication tokens. If we make authentication token expire, we need to generate new authentication tokens each time QR code screen is opened in the UI, so authentication token is fresh. We however don't want to completely invalidate old authentication codes at the same time, e.g. they should still be valid for joining groups, just not result in a verification on the inviter side. Since a group now can have a lot of authentication tokens, it is easy to lose track of them without any way to remove them as they are not displayed anywhere in the UI. As a solution, we now remove all tokens corresponding to a group ID when one token is withdrawn, or all non-group tokens when a single non-group token is withdrawn. "Reset QR code" option already present in the UI which works by resetting current QR code will work without any UI changes, but will now result in invalidation of all previously created QR codes and invite links.
2026-04-29 11:26:29 +03:00 · 2025-09-03 03:56:33 +00:00
parent ab8aedf06e
commit 307a2eb6ec
4 changed files with 92 additions and 14 deletions
--- a/src/token.rs
+++ b/src/token.rs
@@ -104,13 +104,14 @@ pub async fn auth_foreign_key(context: &Context, token: &str) -> Result<Option<S
        .await
 }

-pub async fn delete(context: &Context, namespace: Namespace, token: &str) -> Result<()> {
+/// Resets all tokens corresponding to the `foreign_key`.
+///
+/// `foreign_key` is a group ID to reset all group tokens
+/// or empty string to reset all setup contact tokens.
+pub async fn delete(context: &Context, foreign_key: &str) -> Result<()> {
    context
        .sql
-        .execute(
-            "DELETE FROM tokens WHERE namespc=? AND token=?;",
-            (namespace, token),
-        )
+        .execute("DELETE FROM tokens WHERE foreign_key=?", (foreign_key,))
        .await?;
    Ok(())
 }