Allow revoking personal access tokens.

app/assets/stylesheets/pages/profile.scss

@@ -205,3 +205,6 @@
     text-align: center;
   }
 }
+.personal-access-tokens-revoked-label {
+  color: #bbb;
+}

app/controllers/profiles/personal_access_tokens_controller.rb

@@ -1,7 +1,11 @@
 class Profiles::PersonalAccessTokensController < ApplicationController
   def index
     @user = current_user
-    @personal_access_token = current_user.personal_access_tokens.new
+
+    # Prefer this to `@user.personal_access_tokens.new`, because it
+    # litters the view's call to `@user.personal_access_tokens` with
+    # this stub personal access token.
+    @personal_access_token = PersonalAccessToken.new(user: @user)
   end
 
   def create
@@ -14,6 +18,16 @@ class Profiles::PersonalAccessTokensController < ApplicationController
     end
   end
 
+  def revoke
+    @personal_access_token = current_user.personal_access_tokens.find(params[:id])
+
+    if @personal_access_token.revoke!
+      redirect_to profile_personal_access_tokens_path, notice: "Revoked personal access token #{@personal_access_token.name}!"
+    else
+      render :index
+    end
+  end
+
   private
 
   def personal_access_token_params

app/models/personal_access_token.rb

@@ -1,9 +1,16 @@
 class PersonalAccessToken < ActiveRecord::Base
   belongs_to :user
 
+  scope :active, -> { where.not(revoked: true) }
+
   def self.generate(params)
     personal_access_token = self.new(params)
     personal_access_token.token = Devise.friendly_token(50)
     personal_access_token
   end
+
+  def revoke!
+    self.revoked = true
+    self.save
+  end
 end

app/views/profiles/personal_access_tokens/index.html.haml

@@ -34,11 +34,18 @@
               %th Name
               %th Token
               %th Created At
+              %th Actions
           %tbody
-            - @user.personal_access_tokens.each do |token|
+            - @user.personal_access_tokens.order(:revoked).each do |token|
               %tr
                 %td= token.name
                 %td= token.token
                 %td= token.created_at
+                - if token.revoked?
+                  %td
+                    %span.personal-access-tokens-revoked-label Revoked
+                - else
+                  %td= link_to "Revoke", revoke_profile_personal_access_token_path(token), method: :put, class: "btn btn-danger", data: {confirm: t('profile.personal_access_tokens.revoke.confirmation')}
+
     - else
       %span You don't have any tokens yet.

config/locales/en.yml

@@ -12,3 +12,7 @@ en:
     pagination:
       previous: "Prev"
       next: "Next"
+  profile:
+    personal_access_tokens:
+      revoke:
+        confirmation: "Are you sure? This cannot be undone."

config/routes.rb

@@ -333,7 +333,11 @@ Rails.application.routes.draw do
       resources :keys
       resources :emails, only: [:index, :create, :destroy]
       resource :avatar, only: [:destroy]
-      resources :personal_access_tokens, only: [:index, :create]
+      resources :personal_access_tokens, only: [:index, :create] do
+        member do
+          put :revoke
+        end
+      end
       resource :two_factor_auth, only: [:new, :create, :destroy] do
         member do
           post :codes

db/migrate/20160415144643_add_column_revoked_to_personal_access_tokens.rb

@@ -0,0 +1,5 @@
+class AddColumnRevokedToPersonalAccessTokens < ActiveRecord::Migration
+  def change
+    add_column :personal_access_tokens, :revoked, :boolean, default: false
+  end
+end

lib/api/helpers/authentication.rb

@@ -15,7 +15,7 @@ module API
 
       def find_user_by_personal_access_token
         personal_access_token_string = (params[PERSONAL_ACCESS_TOKEN_PARAM] || env[PERSONAL_ACCESS_TOKEN_HEADER]).to_s
-        personal_access_token = PersonalAccessToken.find_by_token(personal_access_token_string)
+        personal_access_token = PersonalAccessToken.active.find_by_token(personal_access_token_string)
         personal_access_token.user if personal_access_token
       end