Revert "Revert "Allow admins to revoke a user's Personal Access Token""

This reverts commit d8a626f.

Author: amvanbaren

server/build.gradle

@@ -86,6 +86,8 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-actuator"
     implementation "org.springframework.boot:spring-boot-starter-cache"
     implementation "org.springframework.boot:spring-boot-starter-aop"
+    implementation "org.springframework.boot:spring-boot-starter-mail"
+    implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
     implementation "org.springframework.security:spring-security-oauth2-client"
     implementation "org.springframework.security:spring-security-oauth2-jose"
     implementation "org.springframework.session:spring-session-jdbc"

server/src/dev/resources/application.yml

@@ -162,3 +162,8 @@ ovsx:
   storage:
     local:
       directory: /tmp
+  mail:
+    from: [email protected]
+    revoked-access-tokens:
+      subject: 'Open VSX Access Tokens Revoked'
+      template: 'revoked-access-tokens.html'

server/src/main/java/org/eclipse/openvsx/admin/AdminAPI.java

@@ -483,4 +483,18 @@ public ResponseEntity<ResultJson> revokePublisherContributions(@PathVariable Str
             return exc.toResponseEntity();
         }
     }
+
+    @PostMapping(
+            path = "/admin/publisher/{provider}/{loginName}/tokens/revoke",
+            produces = MediaType.APPLICATION_JSON_VALUE
+    )
+    public ResponseEntity<ResultJson> revokePublisherTokens(@PathVariable String loginName, @PathVariable String provider) {
+        try {
+            var adminUser = admins.checkAdminUser();
+            var result = admins.revokePublisherTokens(provider, loginName, adminUser);
+            return ResponseEntity.ok(result);
+        } catch (ErrorResultException exc) {
+            return exc.toResponseEntity();
+        }
+    }
 }

server/src/main/java/org/eclipse/openvsx/admin/AdminService.java

@@ -19,6 +19,7 @@
 import org.eclipse.openvsx.eclipse.EclipseService;
 import org.eclipse.openvsx.entities.*;
 import org.eclipse.openvsx.json.*;
+import org.eclipse.openvsx.mail.MailService;
 import org.eclipse.openvsx.migration.HandlerJobRequest;
 import org.eclipse.openvsx.repositories.RepositoryService;
 import org.eclipse.openvsx.search.SearchUtilService;
@@ -52,6 +53,7 @@ public class AdminService {
     private final StorageUtilService storageUtil;
     private final CacheService cache;
     private final JobRequestScheduler scheduler;
+    private final MailService mail;
 
     public AdminService(
             RepositoryService repositories,
@@ -63,7 +65,8 @@ public AdminService(
             EclipseService eclipse,
             StorageUtilService storageUtil,
             CacheService cache,
-            JobRequestScheduler scheduler
+            JobRequestScheduler scheduler,
+            MailService mail
     ) {
         this.repositories = repositories;
         this.extensions = extensions;
@@ -75,6 +78,7 @@ public AdminService(
         this.storageUtil = storageUtil;
         this.cache = cache;
         this.scheduler = scheduler;
+        this.mail = mail;
     }
 
     @EventListener
@@ -388,6 +392,20 @@ public ResultJson revokePublisherContributions(String provider, String loginName
         return result;
     }
 
+    @Transactional(rollbackOn = ErrorResultException.class)
+    public ResultJson revokePublisherTokens(String provider, String loginName, UserData admin) {
+        var user = repositories.findUserByLoginName(provider, loginName);
+        if (user == null) {
+            throw new ErrorResultException(userNotFoundMessage(loginName), HttpStatus.NOT_FOUND);
+        }
+
+        var deactivatedTokenCount = repositories.deactivateAccessTokens(user);
+        var result = ResultJson.success("Deactivated " + deactivatedTokenCount + " tokens of user " + provider + "/" + loginName + ".");
+        logAdminAction(admin, result);
+        mail.scheduleRevokedAccessTokensMail(user);
+        return result;
+    }
+
     public UserData checkAdminUser() {
         return checkAdminUser(users.findLoggedInUser());
     }

server/src/main/java/org/eclipse/openvsx/mail/MailConfig.java

@@ -0,0 +1,30 @@
+/** ******************************************************************************
+ * Copyright (c) 2025 Precies. Software OU and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ * ****************************************************************************** */
+package org.eclipse.openvsx.mail;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.templatemode.TemplateMode;
+
+@Configuration
+public class MailConfig {
+
+    @Bean
+    public SpringResourceTemplateResolver templateResolver(ApplicationContext applicationContext){
+        var templateResolver = new SpringResourceTemplateResolver();
+        templateResolver.setApplicationContext(applicationContext);
+        templateResolver.setPrefix("classpath:/mail-templates/");
+        templateResolver.setSuffix(".html");
+        templateResolver.setTemplateMode(TemplateMode.HTML);
+        return templateResolver;
+    }
+}

server/src/main/java/org/eclipse/openvsx/mail/MailService.java

@@ -0,0 +1,53 @@
+/** ******************************************************************************
+ * Copyright (c) 2025 Precies. Software OU and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ * ****************************************************************************** */
+package org.eclipse.openvsx.mail;
+
+import org.eclipse.openvsx.entities.UserData;
+import org.jobrunr.scheduling.JobRequestScheduler;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.mail.javamail.JavaMailSender;
+import org.springframework.stereotype.Component;
+
+import java.util.Map;
+
+@Component
+public class MailService {
+
+    private final boolean disabled;
+    private final JobRequestScheduler scheduler;
+
+    @Value("${ovsx.mail.revoked-access-tokens.subject:}")
+    String revokedAccessTokensSubject;
+
+    @Value("${ovsx.mail.revoked-access-tokens.template:}")
+    String revokedAccessTokensTemplate;
+
+    public MailService(@Autowired(required = false) JavaMailSender sender, JobRequestScheduler scheduler) {
+        this.disabled = sender == null;
+        this.scheduler = scheduler;
+    }
+
+    public void scheduleRevokedAccessTokensMail(UserData user) {
+        if(disabled) {
+            return;
+        }
+
+        var variables = Map.<String, Object>of("name", user.getFullName());
+        var jobRequest = new SendMailJobRequest(
+                user.getEmail(),
+                revokedAccessTokensSubject,
+                revokedAccessTokensTemplate,
+                variables
+        );
+
+        scheduler.enqueue(jobRequest);
+    }
+}

server/src/main/java/org/eclipse/openvsx/mail/SendMailJobRequest.java

@@ -0,0 +1,74 @@
+/** ******************************************************************************
+ * Copyright (c) 2025 Precies. Software OU and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ * ****************************************************************************** */
+package org.eclipse.openvsx.mail;
+
+import org.jobrunr.jobs.lambdas.JobRequest;
+import org.jobrunr.jobs.lambdas.JobRequestHandler;
+
+import java.util.Map;
+
+public class SendMailJobRequest implements JobRequest {
+
+    private String to;
+    private String subject;
+    private String template;
+    private Map<String,Object> variables;
+
+    public SendMailJobRequest() {}
+
+    public SendMailJobRequest(
+            String to,
+            String subject,
+            String template,
+            Map<String,Object> variables
+    ) {
+        this.to = to;
+        this.subject = subject;
+        this.template = template;
+        this.variables = variables;
+    }
+
+    public String getTo() {
+        return to;
+    }
+
+    public void setTo(String to) {
+        this.to = to;
+    }
+
+    public String getSubject() {
+        return subject;
+    }
+
+    public void setSubject(String subject) {
+        this.subject = subject;
+    }
+
+    public String getTemplate() {
+        return template;
+    }
+
+    public void setTemplate(String template) {
+        this.template = template;
+    }
+
+    public Map<String, Object> getVariables() {
+        return variables;
+    }
+
+    public void setVariables(Map<String, Object> variables) {
+        this.variables = variables;
+    }
+
+    @Override
+    public Class<? extends JobRequestHandler> getJobRequestHandler() {
+        return SendMailJobRequestHandler.class;
+    }
+}

server/src/main/java/org/eclipse/openvsx/mail/SendMailJobRequestHandler.java

@@ -0,0 +1,51 @@
+/** ******************************************************************************
+ * Copyright (c) 2025 Precies. Software OU and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ * ****************************************************************************** */
+package org.eclipse.openvsx.mail;
+
+import org.jobrunr.jobs.lambdas.JobRequestHandler;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.mail.javamail.JavaMailSender;
+import org.springframework.mail.javamail.MimeMessageHelper;
+import org.springframework.stereotype.Component;
+import org.thymeleaf.TemplateEngine;
+import org.thymeleaf.context.Context;
+
+import java.nio.charset.StandardCharsets;
+
+@Component
+public class SendMailJobRequestHandler implements JobRequestHandler<SendMailJobRequest> {
+
+    private final JavaMailSender sender;
+    private final TemplateEngine templateEngine;
+
+    @Value("${ovsx.mail.from:}")
+    String from;
+
+    public SendMailJobRequestHandler(@Autowired(required = false) JavaMailSender sender, TemplateEngine templateEngine) {
+        this.sender = sender;
+        this.templateEngine = templateEngine;
+    }
+
+    @Override
+    public void run(SendMailJobRequest request) throws Exception {
+        var context = new Context();
+        context.setVariables(request.getVariables());
+        var htmlContent = templateEngine.process(request.getTemplate(), context);
+
+        var message = sender.createMimeMessage();
+        var helper = new MimeMessageHelper(message, StandardCharsets.UTF_8.name());
+        helper.setFrom(from);
+        helper.setTo(request.getTo());
+        helper.setSubject(request.getSubject());
+        helper.setText(htmlContent, true);
+        sender.send(message);
+    }
+}

server/src/main/java/org/eclipse/openvsx/repositories/PersonalAccessTokenRepository.java

@@ -11,6 +11,8 @@
 
 import org.eclipse.openvsx.entities.PersonalAccessToken;
 import org.eclipse.openvsx.entities.UserData;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.Repository;
 import org.springframework.data.util.Streamable;
 
@@ -29,4 +31,8 @@ public interface PersonalAccessTokenRepository extends Repository<PersonalAccess
     PersonalAccessToken findByValue(String value);
 
     PersonalAccessToken findByUserAndDescriptionAndActiveTrue(UserData user, String description);
+
+    @Modifying
+    @Query("update PersonalAccessToken t set t.active = false where t.user = ?1 and t.active = true")
+    int updateActiveSetFalse(UserData user);
 }

server/src/main/java/org/eclipse/openvsx/repositories/RepositoryService.java

@@ -571,6 +571,10 @@ public void deactivateKeyPairs() {
         signatureKeyPairRepo.updateActiveSetFalse();
     }
 
+    public int deactivateAccessTokens(UserData user) {
+        return tokenRepo.updateActiveSetFalse(user);
+    }
+
     public List<String> findActiveExtensionNames(Namespace namespace) {
         return extensionJooqRepo.findActiveExtensionNames(namespace);
     }