🚀[Feature]: Add functions to revoke tokens + remove some functions (#432)

Copilot · MariusStorhaug · web-flow · commit a2e49c237703 · 2025-07-01T11:00:47.000+02:00
This pull request introduces new functionality for revoking GitHub access tokens, enhances the `Disconnect-GitHubAccount` command to revoke tokens, and refactors or removes outdated examples and tests. These changes improve security and streamline token management. - Fixes #414 ### Hiding some functions that were public previously - New-GitHubAppInstallationAccessToken - Get-GitHubAppJSONWebToken ### New Features for Token Revocation * Added `Revoke-GitHubAppInstallationAccessToken` (private) function to revoke installation access tokens for GitHub Apps. This invalidates tokens and ensures they cannot be reused. * Introduced `Revoke-GitHubAccessToken` (public) function to revoke a list of exposed or unused credentials. Supports batch processing for up to 1000 tokens per request. ### Enhancements to Existing Commands * Updated `Disconnect-GitHubAccount` to revoke access tokens during disconnection, improving security by preventing token reuse for Installation Access Tokens. ### Refactoring and Cleanup * Removed outdated examples from `CallingAPIs.ps1` related to JWT and installation access tokens. * Refactored tests in `Apps.Tests.ps1` by removing redundant JWT and installation token tests, and added a test to verify that revoked tokens fail API calls. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com> Co-authored-by: Marius Storhaug <marstor@hotmail.com>
diff --git a/examples/CallingAPIs.ps1 b/examples/CallingAPIs.ps1
@@ -26,12 +26,6 @@ Get-GitHubApp
 # More complex example - output is parts of the web response
 Invoke-GitHubAPI -ApiEndpoint /app
 
-# Most complex example - output is the entire web response
-$context = Get-GitHubContext
-$jwt = Get-GitHubAppJSONWebToken -ClientId $context.ClientID -PrivateKey $context.Token
-Invoke-RestMethod -Uri "$($context.ApiBaseUri)/app" -Token ($jwt.token) -Authentication Bearer
-Invoke-WebRequest -Uri "$($context.ApiBaseUri)/app" -Token ($jwt.token) -Authentication Bearer
-
 #endregion
 
 
diff --git a/src/functions/private/Apps/GitHub Apps/Get-GitHubAppJSONWebToken.ps1 b/src/functions/private/Apps/GitHub Apps/Get-GitHubAppJSONWebToken.ps1
diff --git a/src/functions/private/Apps/GitHub Apps/New-GitHubAppInstallationAccessToken.ps1 b/src/functions/private/Apps/GitHub Apps/New-GitHubAppInstallationAccessToken.ps1
diff --git a/src/functions/private/Apps/GitHub Apps/Revoke-GitHubAppInstallationAccessToken.ps1 b/src/functions/private/Apps/GitHub Apps/Revoke-GitHubAppInstallationAccessToken.ps1
@@ -0,0 +1,46 @@
+function Revoke-GitHubAppInstallationAccessToken {
+    <#
+        .SYNOPSIS
+        Revoke an installation access token.
+
+        .DESCRIPTION
+        Revokes the installation token you're using to authenticate as an installation and access this endpoint.
+        Once an installation token is revoked, the token is invalidated and cannot be used. Other endpoints that require the revoked installation
+        token must have a new installation token to work. You can create a new token using the `Connect-GitHubApp` function.
+
+        .LINK
+        https://psmodule.io/GitHub/Functions/Apps/GitHub%20App/Revoke-GitHubAppInstallationAccessToken
+
+        .NOTES
+        [Revoke an installation access token](https://docs.github.com/rest/apps/installations#revoke-an-installation-access-token)
+    #>
+    [CmdletBinding(SupportsShouldProcess)]
+    param(
+        # The context to run the command in. Used to get the details for the API call.
+        # Can be either a string or a GitHubContext object.
+        [Parameter(Mandatory)]
+        [object] $Context
+    )
+
+    begin {
+        $stackPath = Get-PSCallStackPath
+        Write-Debug "[$stackPath] - Start"
+        Assert-GitHubContext -Context $Context -AuthType IAT
+    }
+
+    process {
+        $InputObject = @{
+            Method      = 'DELETE'
+            APIEndpoint = '/installation/token'
+            Context     = $Context
+        }
+
+        if ($PSCmdlet.ShouldProcess('GitHub App installation access token', 'Revoke')) {
+            Invoke-GitHubAPI @InputObject
+        }
+    }
+
+    end {
+        Write-Debug "[$stackPath] - End"
+    }
+}
diff --git a/src/functions/public/Auth/Disconnect-GitHubAccount.ps1 b/src/functions/public/Auth/Disconnect-GitHubAccount.ps1
@@ -4,7 +4,8 @@
         Disconnects from GitHub and removes the GitHub context.
 
         .DESCRIPTION
-        Disconnects from GitHub and removes the GitHub context.
+        Disconnects from GitHub and removes the GitHub context. Optionally revokes the access token
+        to ensure it cannot be used after disconnection.
 
         .EXAMPLE
         Disconnect-GitHubAccount
@@ -16,6 +17,16 @@
 
         Disconnects from GitHub and removes the context 'github.com/Octocat'.
 
+        .EXAMPLE
+        Disconnect-GitHubAccount -RevokeToken
+
+        Disconnects from GitHub, revokes the access token, and removes the default GitHub context.
+
+        .EXAMPLE
+        Disconnect-GithubAccount -Context 'github.com/Octocat' -RevokeToken
+
+        Disconnects from GitHub, revokes the access token, and removes the context 'github.com/Octocat'.
+
         .LINK
         https://psmodule.io/GitHub/Functions/Auth/Disconnect-GitHubAccount
     #>
@@ -46,6 +57,13 @@
         }
         foreach ($contextItem in $Context) {
             $contextItem = Resolve-GitHubContext -Context $contextItem
+
+            $contextToken = Get-GitHubAccessToken -Context $contextItem -AsPlainText
+            $isGitHubToken = $contextToken -eq (Get-GitHubToken | ConvertFrom-SecureString -AsPlainText)
+            if (-not $isGitHubToken -and $contextItem.AuthType -eq 'IAT') {
+                Revoke-GitHubAppInstallationAccessToken -Context $contextItem
+            }
+
             Remove-GitHubContext -Context $contextItem
             $isDefaultContext = $contextItem.Name -eq $script:GitHub.Config.DefaultContext
             if ($isDefaultContext) {
diff --git a/src/functions/public/Auth/Revoke-GitHubAccessToken.ps1 b/src/functions/public/Auth/Revoke-GitHubAccessToken.ps1
@@ -0,0 +1,53 @@
+﻿function Revoke-GitHubAccessToken {
+    <#
+        .SYNOPSIS
+        Revoke a list of tokens.
+
+        .DESCRIPTION
+        Submit a list of credentials to be revoked. This endpoint is intended to revoke credentials the caller does not own and may have found
+        exposed on GitHub.com or elsewhere. It can also be used for credentials associated with an old user account that you no longer have access to.
+        Credential owners will be notified of the revocation.
+
+        .LINK
+        https://psmodule.io/GitHub/Functions/Auth/Revoke-GitHubAccessToken/
+
+        .NOTES
+        [Revoke a list of credentials](https://docs.github.com/rest/credentials/revoke#revoke-a-list-of-credentials)
+    #>
+    [CmdletBinding(SupportsShouldProcess)]
+    param(
+        # An array of tokens to revoke.
+        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
+        [string[]] $Token
+    )
+
+    begin {
+        $stackPath = Get-PSCallStackPath
+        Write-Debug "[$stackPath] - Start"
+        $tokenList = [System.Collections.ArrayList]::new()
+    }
+
+    process {
+        $Token | ForEach-Object {
+            $tokenList.Add($_)
+        }
+    }
+
+    end {
+        for ($i = 0; $i -lt $tokenList.Count; $i += 1000) {
+            $batch = $tokenList[$i..([Math]::Min($i + 999, $tokenList.Count - 1))]
+            $body = @{ credentials = $batch }
+            $InputObject = @{
+                Method      = 'POST'
+                APIEndpoint = '/credentials/revoke'
+                Body        = $body
+                Anonymous   = $true
+            }
+            if ($PSCmdlet.ShouldProcess('Tokens', 'Revoke')) {
+                Invoke-GitHubAPI @InputObject
+            }
+        }
+        Write-Debug "[$stackPath] - End"
+    }
+}
+#SkipTest:FunctionTest:Will add a test for this function in a future PR
diff --git a/tests/Apps.Tests.ps1 b/tests/Apps.Tests.ps1
@@ -61,14 +61,6 @@ Describe 'Apps' {
                     $app.Installations | Should -Not -BeNullOrEmpty
                 }
 
-                It 'Get-GitHubAppJSONWebToken - Can get a JWT for the app' {
-                    $jwt = Get-GitHubAppJSONWebToken @connectParams
-                    LogGroup 'JWT' {
-                        Write-Host ($jwt | Format-Table | Out-String)
-                    }
-                    $jwt | Should -Not -BeNullOrEmpty
-                }
-
                 It 'Get-GitHubAppInstallationRequest - Can get installation requests' {
                     $installationRequests = Get-GitHubAppInstallationRequest
                     LogGroup 'Installation requests' {
@@ -104,17 +96,6 @@ Describe 'Apps' {
                     }
                 }
 
-                It 'New-GitHubAppInstallationAccessToken - Can get app installation access tokens' {
-                    $installations = Get-GitHubAppInstallation
-                    LogGroup 'Tokens' {
-                        $installations | ForEach-Object {
-                            $token = New-GitHubAppInstallationAccessToken -InstallationID $_.id
-                            Write-Host ($token | Format-List | Out-String)
-                        }
-                        $token | Should -Not -BeNullOrEmpty
-                    }
-                }
-
                 It 'Get-GitHubAppInstallation - <ownerType>' {
                     $githubApp = Get-GitHubApp
                     $installation = Get-GitHubAppInstallation | Where-Object { ($_.Target.Name -eq $owner) -and ($_.Type -eq $ownerType) }
@@ -183,37 +164,53 @@ Describe 'Apps' {
                     }
                 }
             }
-            It 'Connect-GitHubApp - Connects as a GitHub App to <Owner>' {
-                $githubApp = Get-GitHubApp
-                $config = Get-GitHubConfig
-                $context = Connect-GitHubApp @connectAppParams -PassThru -Silent
-                LogGroup 'Context' {
-                    Write-Host ($context | Format-List | Out-String)
+
+            Context 'Installation' {
+                BeforeAll {
+                    $githubApp = Get-GitHubApp
+                    $config = Get-GitHubConfig
+                    $context = Connect-GitHubApp @connectAppParams -PassThru -Silent
+                    LogGroup 'Context' {
+                        Write-Host ($context | Format-List | Out-String)
+                    }
+                }
+
+                It 'Connect-GitHubApp - Connects as a GitHub App to <Owner>' {
+                    $context | Should -BeOfType 'InstallationGitHubContext'
+                    $context.ClientID | Should -Be $githubApp.ClientID
+                    $context.TokenExpirationDate | Should -BeOfType [datetime]
+                    $context.InstallationID | Should -BeOfType [uint64]
+                    $context.InstallationID | Should -BeGreaterThan 0
+                    $context.Permissions | Should -BeOfType [PSCustomObject]
+                    $context.Events | Should -BeOfType 'string'
+                    $context.InstallationType | Should -Be $ownertype
+                    $context.InstallationName | Should -Be $owner
+                    $context.ID | Should -Be "$($config.HostName)/$($githubApp.Slug)/$ownertype/$owner"
+                    $context.Name | Should -Be "$($config.HostName)/$($githubApp.Slug)/$ownertype/$owner"
+                    $context.DisplayName | Should -Be $githubApp.Name
+                    $context.Type | Should -Be 'Installation'
+                    $context.HostName | Should -Be $config.HostName
+                    $context.ApiBaseUri | Should -Be $config.ApiBaseUri
+                    $context.ApiVersion | Should -Be $config.ApiVersion
+                    $context.AuthType | Should -Be 'IAT'
+                    $context.NodeID | Should -Not -BeNullOrEmpty
+                    $context.DatabaseID | Should -Not -BeNullOrEmpty
+                    $context.UserName | Should -Be $githubApp.Slug
+                    $context.Token | Should -BeOfType [System.Security.SecureString]
+                    $context.TokenType | Should -Be 'ghs'
+                    $context.HttpVersion | Should -Be $config.HttpVersion
+                    $context.PerPage | Should -Be $config.PerPage
+                }
+
+                It 'Revoked GitHub App token should fail on API call' -Skip:($TokenType -eq 'GITHUB_TOKEN') {
+                    $org = Get-GitHubOrganization -Name PSModule -Context $context
+                    $org | Should -Not -BeNullOrEmpty
+                    $context | Disconnect-GitHub
+
+                    {
+                        Invoke-RestMethod -Method Get -Uri "$($context.ApiBaseUri)/orgs/PSModule" -Authentication Bearer -Token $context.token
+                    } | Should -Throw
                 }
-                $context | Should -BeOfType 'InstallationGitHubContext'
-                $context.ClientID | Should -Be $githubApp.ClientID
-                $context.TokenExpirationDate | Should -BeOfType [datetime]
-                $context.InstallationID | Should -BeOfType [uint64]
-                $context.InstallationID | Should -BeGreaterThan 0
-                $context.Permissions | Should -BeOfType [PSCustomObject]
-                $context.Events | Should -BeOfType 'string'
-                $context.InstallationType | Should -Be $ownertype
-                $context.InstallationName | Should -Be $owner
-                $context.ID | Should -Be "$($config.HostName)/$($githubApp.Slug)/$ownertype/$owner"
-                $context.Name | Should -Be "$($config.HostName)/$($githubApp.Slug)/$ownertype/$owner"
-                $context.DisplayName | Should -Be $githubApp.Name
-                $context.Type | Should -Be 'Installation'
-                $context.HostName | Should -Be $config.HostName
-                $context.ApiBaseUri | Should -Be $config.ApiBaseUri
-                $context.ApiVersion | Should -Be $config.ApiVersion
-                $context.AuthType | Should -Be 'IAT'
-                $context.NodeID | Should -Not -BeNullOrEmpty
-                $context.DatabaseID | Should -Not -BeNullOrEmpty
-                $context.UserName | Should -Be $githubApp.Slug
-                $context.Token | Should -BeOfType [System.Security.SecureString]
-                $context.TokenType | Should -Be 'ghs'
-                $context.HttpVersion | Should -Be $config.HttpVersion
-                $context.PerPage | Should -Be $config.PerPage
             }
         }
 
