authorRoeland Jago Douma <roeland@famdouma.nl>2019-05-17 09:51:47 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2019-05-17 09:52:06 +0200
commit2dcb4cfbd644babf0ee202b4489689d882ae1dd3 (patch)
treeacb0f85eed9cae44dc47af99d243387100651f74 /core/Controller/AppPasswordController.php
parente625164e85b3ab4be3a51b86f909564430cb388b (diff)
downloadnextcloud-server-2dcb4cfbd644babf0ee202b4489689d882ae1dd3.tar.gz
nextcloud-server-2dcb4cfbd644babf0ee202b4489689d882ae1dd3.zip
Allow clients to delete their own apptoken
Fixes #15480 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'core/Controller/AppPasswordController.php')
-rw-r--r--core/Controller/AppPasswordController.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php
index a858bb025d9..01ca1e2597b 100644
--- a/core/Controller/AppPasswordController.php
+++ b/core/Controller/AppPasswordController.php
@@ -24,6 +24,7 @@ declare(strict_types=1);
namespace OC\Core\Controller;
+use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\IProvider;
use OC\Authentication\Token\IToken;
use OCP\AppFramework\Http\DataResponse;
@@ -115,4 +116,26 @@ class AppPasswordController extends \OCP\AppFramework\OCSController {
'apppassword' => $token
]);
}
+
+ /**
+ * @NoAdminRequired
+ *
+ * @return DataResponse
+ */
+ public function deleteAppPassword() {
+ if (!$this->session->exists('app_password')) {
+ throw new OCSForbiddenException('no app password in use');
+ }
+
+ $appPassword = $this->session->get('app_password');
+
+ try {
+ $token = $this->tokenProvider->getToken($appPassword);
+ } catch (InvalidTokenException $e) {
+ throw new OCSForbiddenException('could not remove apptoken');
+ }
+
+ $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
+ return new DataResponse();
+ }
}
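Review bot: deleteAppPassword() revokes the token but leaves the `app_password` key in the session, so whether this session stays usable afterwards depends on per-request token validation that is not visible in this hunk. If that validation is not guaranteed, add `$this->session->remove('app_password');` right after the `invalidateTokenById()` call. The docblock should also state that the token to revoke is read from the session and never from request input, which is what limits a client to deleting its own token, and it should list `@throws OCSForbiddenException`. Since the file declares strict_types, a `: DataResponse` return type on the signature would fit as well. The method is fully inside the hunk; the class body starts outside it.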