Closed dxenes1 closed 1 year ago
This view isn't used by the management console?
No, the management console uses a separate token implementation that differs slightly in how the GET and POST functions are written.
https://github.com/jhuapl-boss/boss/blob/master/django/mgmt/views.py#L199
In the view I remove in this PR, you're able to revoke a token with a GET request through an HTML page (check out api.bossdb.io/token). This was going through a separate route from /v1/mgmt/token, which renders the correct console page and protects against the public token being reset.
This Token view is separate from the one present in the management console hidden inside the Boss API views page. It allowed users to access tokens on api.bossdb.io/token and revoke them through a GET request.
The following PR removes the ability for tokens to be revoked if the username is public-access. If this route is not used for anything critical, however, I recommend we remove it entirely.
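The two behaviours discussed above, as an added example that is not code from the jhuapl-boss repository or from this PR: a framework-free model of a Django-style token view in which a GET request revokes the caller's token, beside a hardened version that only revokes on POST, requires a CSRF token, and refuses to reset the shared public-access token. The view names, the `Request`/`Response` shapes, the `TokenStore`, and the exact `public-access` username string are assumptions made for the example.

```python
"""Added example, not code from the jhuapl-boss project: a framework-free
model of a Django-style token view. vulnerable_token_view reproduces the
GET-revocation behaviour described in the PR discussion; hardened_token_view
shows the checks a reviewer would expect. All names here are assumptions."""
import secrets
from dataclasses import dataclass, field

# The shared anonymous account named in the PR discussion; the exact
# string is assumed for this example.
PUBLIC_USER = "public-access"


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (assumption)."""
    method: str
    user: str
    GET: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    session_csrf: str = ""  # value the CSRF middleware would bind to the session


@dataclass
class Response:
    status: int
    body: str


class TokenStore:
    """Constructed in-memory replacement for the token table."""

    def __init__(self):
        self._tokens = {}

    def get_or_create(self, user):
        return self._tokens.setdefault(user, secrets.token_hex(20))

    def revoke(self, user):
        self._tokens.pop(user, None)

    def has(self, user):
        return user in self._tokens


def vulnerable_token_view(store, request):
    """Before: a GET with ?revoke=1 deletes the caller's token.

    Any page that makes the browser fetch this URL (an <img> or a plain link)
    revokes the token without a POST body or CSRF token, and nothing stops the
    shared public-access token from being reset for every anonymous client.
    """
    if request.method == "GET":
        if request.GET.get("revoke"):
            store.revoke(request.user)          # state change on GET
            return Response(200, "token revoked")
        return Response(200, store.get_or_create(request.user))
    return Response(405, "method not allowed")


def hardened_token_view(store, request):
    """After: GET is read-only; revocation needs POST, a CSRF token and a
    non-public user."""
    if request.method == "GET":
        return Response(200, store.get_or_create(request.user))
    if request.method != "POST":
        return Response(405, "method not allowed")
    # CSRF: the form field must match the value bound to the session,
    # compared in constant time.
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not request.session_csrf or not secrets.compare_digest(supplied, request.session_csrf):
        return Response(403, "CSRF check failed")
    if request.user == PUBLIC_USER:
        # The public token is shared; never let an anonymous caller reset it.
        return Response(403, "the public-access token cannot be revoked here")
    if request.POST.get("action") != "revoke":
        return Response(400, "unknown action")
    store.revoke(request.user)
    return Response(200, "token revoked")


if __name__ == "__main__":
    store = TokenStore()
    store.get_or_create("alice")
    vulnerable_token_view(store, Request("GET", "alice", GET={"revoke": "1"}))
    print("vulnerable view, GET ?revoke=1, token still present:", store.has("alice"))
    store.get_or_create("alice")
    hardened_token_view(store, Request("GET", "alice", GET={"revoke": "1"}))
    print("hardened view, GET ?revoke=1, token still present:", store.has("alice"))
```

The hardened view mirrors what the console route described above already does: the page renders on GET, the state change is confined to POST, and the public-access username is rejected before any revocation happens.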