pub async fn revoke(
    pool: Data<PgPool>,
    __arg1: OAuthValidated<RevokeQuery>,
    app_conf: Data<ApplicationConfiguration>,
) -> ControllerResult<HttpResponse>

Handles the /revoke endpoint for OAuth 2.0 token revocation (RFC 7009).

This endpoint allows clients to revoke access tokens or refresh tokens.

Security Features

  • Client authentication is required (client_id and client_secret)
  • Always returns 200 OK even for invalid/expired/already-revoked tokens to prevent token enumeration attacks
  • Validates that the token belongs to the authenticated client before revoking

Request Parameters

  • token (required): The token to be revoked
  • token_type_hint (optional): Hint about token type (“access_token” or “refresh_token”)

Follows RFC 7009 — OAuth 2.0 Token Revocation.

Example

POST /api/v0/main-frontend/oauth/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=ACCESS_TOKEN_TO_REVOKE&token_type_hint=access_token&client_id=test-client-id&client_secret=test-secret

Response (always 200 OK):

HTTP/1.1 200 OK
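The control flow described under Security Features and Request Parameters, as an added model that is not the project's code: a hypothetical in-memory `Store` stands in for the database behind `PgPool`, the client and token tables are constructed sample data, and the hint handling follows RFC 7009 section 2.1 (search the hinted token kind first, then extend to the other).

```rust
use std::collections::HashMap;
/// One issued token: the client it was issued to and whether it is revoked.
pub struct StoredToken { pub client_id: String, pub revoked: bool }
/// Hypothetical in-memory stand-in for the database behind `PgPool`.
pub struct Store {
    pub clients: HashMap<String, String>, // client_id -> client_secret
    pub access_tokens: HashMap<String, StoredToken>,
    pub refresh_tokens: HashMap<String, StoredToken>,
}
/// token_type_hint only picks which table to try first; if the token is not
/// there the search is extended to the other kind (RFC 7009 section 2.1).
fn find<'a>(store: &'a mut Store, token: &str, hint: Option<&str>) -> Option<&'a mut StoredToken> {
    let (first, second) = match hint {
        Some("refresh_token") => (&mut store.refresh_tokens, &mut store.access_tokens),
        _ => (&mut store.access_tokens, &mut store.refresh_tokens),
    };
    if first.contains_key(token) { first.get_mut(token) } else { second.get_mut(token) }
}
/// Returns the HTTP status the endpoint answers with. Only a failed client
/// authentication is observable to the caller; nothing about the token is.
pub fn revoke(store: &mut Store, client_id: &str, client_secret: &str, token: &str, hint: Option<&str>) -> u16 {
    // Client authentication is required (client_id and client_secret).
    match store.clients.get(client_id) {
        Some(secret) if secret.as_str() == client_secret => {}
        _ => return 401,
    }
    // Revoke only if the token belongs to the authenticated client; an unknown,
    // foreign or already-revoked token is left untouched and not reported.
    if let Some(rec) = find(store, token, hint) {
        if rec.client_id == client_id { rec.revoked = true; }
    }
    // Always 200 OK, so the response cannot be used to enumerate valid tokens.
    200
}
/// Helper for inspecting the store after a call (both token kinds).
pub fn is_revoked(store: &Store, token: &str) -> bool {
    store.access_tokens.get(token).or_else(|| store.refresh_tokens.get(token)).map_or(false, |t| t.revoked)
}
/// Constructed sample data: two clients, two access tokens and one refresh token.
pub fn sample_store() -> Store {
    let tok = |c: &str| StoredToken { client_id: c.to_string(), revoked: false };
    Store {
        clients: [("test-client-id", "test-secret"), ("other-client", "other-secret")]
            .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect(),
        access_tokens: [("at-1", "test-client-id"), ("at-other", "other-client")]
            .iter().map(|(t, c)| (t.to_string(), tok(*c))).collect(),
        refresh_tokens: [("rt-1", "test-client-id")].iter().map(|(t, c)| (t.to_string(), tok(*c))).collect(),
    }
}
```

A wrong `token_type_hint` still revokes the token, and a token issued to another client is left alone while the caller still receives 200.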