getodk · matthew-white · Jul 20, 2023 · Jul 12, 2023 · Jul 20, 2023 · alxndrsn
diff --git a/docs/api.md b/docs/api.md
@@ -30,6 +30,12 @@ Finally, **system information and configuration** is available via a set of spec
 
 Here major and breaking changes to the API are listed by version.
 
+### ODK Central v2023.4
+
+**Added**:
+
+- [DELETE /sessions/current](/reference/authentication/session-authentication/logging-out-current-session) logs out the current session.
+
 ### ODK Central v2023.3
 
 **Added**:
@@ -392,6 +398,23 @@ Logging out is not strictly necessary for Web Users; all sessions expire 24 hour
 + Parameters
     + token: `lSpAIeksRu1CNZs7!qjAot2T17dPzkrw9B4iTtpj7OoIJBmXvnHM8z8Ka4QPEjR7` (string, required) - The session bearer token, obtained at login time.
 
++ Request
+    + Headers
+
+            Authorization: Bearer lSpAIeksRu1CNZs7!qjAot2T17dPzkrw9B4iTtpj7OoIJBmXvnHM8z8Ka4QPEjR7
+
++ Response 200 (application/json)
+    + Attributes (Success)
+
++ Response 403 (application/json)
+    + Attributes (Error 403)
+
+#### Logging out current session [DELETE /v1/sessions/current]
+
+This endpoint causes the current session to log itself out. Logging out is not strictly necessary for Web Users; all sessions expire 24 hours after they are created. But it can be a good idea, in case someone else manages to steal your token.
+
+Only the session that was used to authenticate the request is logged out. If the Actor associated with the session has other sessions as well, those are not logged out.
+
 + Request
     + Headers
 

diff --git a/lib/resources/sessions.js b/lib/resources/sessions.js
@@ -48,24 +48,30 @@ module.exports = (service, endpoint) => {
   service.get('/sessions/restore', endpoint((_, { auth }) =>
     auth.session.orElse(Problem.user.notFound())));
 
+  const logOut = (Sessions, auth, session) =>
+    auth.canOrReject('session.end', session.actor)
+      .then(() => Sessions.terminate(session))
+      .then(() => (_, response) => {
+        // revoke the cookie associated w the session, if the session was used to
+        // terminate itself.
+        // TODO: repetitive w above.
+        if (session.token === auth.session.map((s) => s.token).orNull())
+          response.cookie('__Host-session', 'null', { path: '/', expires: new Date(0),
+            httpOnly: true, secure: true, sameSite: 'strict' });
+
+        return success;
+      });
+
+  service.delete('/sessions/current', endpoint(({ Sessions }, { auth }) =>
+    auth.session.map(session => logOut(Sessions, auth, session))
+      .orElse(Problem.user.notFound())));
+
   // here we always throw a 403 even if the token doesn't exist to prevent
   // information leakage.
   // TODO: but a timing attack still exists here. :(
   service.delete('/sessions/:token', endpoint(({ Sessions }, { auth, params }) =>
     Sessions.getByBearerToken(params.token)
       .then(getOrReject(Problem.user.insufficientRights()))
-      .then((session) => auth.canOrReject('session.end', session.actor)
-        .then(() => Sessions.terminate(session))
-        .then(() => (_, response) => {
-          // revoke the cookie associated w the session, if the session was used to
-          // terminate itself.
-          // TODO: repetitive w above.
-          if (session.token === auth.session.map((s) => s.token).orNull())
-            response.cookie('__Host-session', 'null', { path: '/', expires: new Date(0),
-              httpOnly: true, secure: true, sameSite: 'strict' });
-
-          return success;
-        }))));
-
+      .then(session => logOut(Sessions, auth, session))));
 };
 
diff --git a/test/integration/api/sessions.js b/test/integration/api/sessions.js
@@ -269,6 +269,35 @@ describe('api: /sessions', () => {
             })))));
   });
 
+  describe('/current DELETE', () => {
+    it('should return a 404 if no token was specified', testService(service =>
+      service.delete('/v1/sessions/current')
+        .expect(404)));
+
+    it('should invalidate the token if successful', testService(async (service) => {
+      const { body: session } = await service.post('/v1/sessions')
+        .send({ email: 'alice@getodk.org', password: 'alice' })
+        .expect(200);
+      const { token } = session;
+      const { body } = await service.delete('/v1/sessions/current')
+        .set('Authorization', `Bearer ${token}`)
+        .expect(200);
+      body.should.eql({ success: true });
+      await service.get('/v1/users/current')
+        .set('Authorization', `Bearer ${token}`)
+        .expect(401);
+    }));
+
+    it('should not allow app users to delete their own sessions', testService(async (service) => {
+      const asBob = await service.login('bob');
+      const { body: appUser } = await asBob.post('/v1/projects/1/app-users')
+        .send({ displayName: 'test app user' })
+        .expect(200);
+      await service.delete(`/v1/key/${appUser.token}/sessions/current`)
+        .expect(403);
+    }));
+  });
+
   // this isn't exactly the right place for this but i just want to check the
   // whole stack in addition to the unit tests.
   describe('cookie CSRF auth', () => {