fix(revocation): avoid revoking expired tokens and fail gracefully (#95)
Fixes #72 If an Actions job is long enough, more than an hour can pass between creating and revoking the App token in the post-job clean up step. Since the token itself is used to authenticate with the revoke API, an expired token will fail to be revoked. This PR saves the token expiration in the actions state and uses that in the post step to determine if the token can be revoked. I've also added error handling to the revoke token API call, as it's unlikely that users would want their job to fail if the token can't be revoked.
This commit is contained in:
@@ -103,6 +103,7 @@ export async function main(
|
||||
// Make token accessible to post function (so we can invalidate it)
|
||||
if (!skipTokenRevoke) {
|
||||
core.saveState("token", authentication.token);
|
||||
core.setOutput("expiresAt", authentication.expiresAt);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
32
lib/post.js
32
lib/post.js
@@ -21,11 +21,31 @@ export async function post(core, request) {
|
||||
return;
|
||||
}
|
||||
|
||||
await request("DELETE /installation/token", {
|
||||
headers: {
|
||||
authorization: `token ${token}`,
|
||||
},
|
||||
});
|
||||
const expiresAt = core.getState("expiresAt");
|
||||
if (expiresAt && tokenExpiresIn(expiresAt) < 0) {
|
||||
core.info("Token expired, skipping token revocation");
|
||||
return;
|
||||
}
|
||||
|
||||
core.info("Token revoked");
|
||||
try {
|
||||
await request("DELETE /installation/token", {
|
||||
headers: {
|
||||
authorization: `token ${token}`,
|
||||
},
|
||||
});
|
||||
core.info("Token revoked");
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Token revocation failed: ${error.message}`)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param {string} expiresAt
|
||||
*/
|
||||
function tokenExpiresIn(expiresAt) {
|
||||
const now = new Date();
|
||||
const expiresAtDate = new Date(expiresAt);
|
||||
|
||||
return Math.round((expiresAtDate.getTime() - now.getTime()) / 1000);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user