From 83a0f40fcc6de44d5fc20d696d4da6afea086d84 Mon Sep 17 00:00:00 2001
From: zhangziqian
Date: Tue, 23 Jun 2026 10:58:20 +0800
Subject: [PATCH] Revert "Fix(oauth2): enforce owner-scoped PAT deletion"
---
 .../app/src/OAuthPersonalAccessTokenController.mjs | 5 +----
 .../app/src/OAuthPersonalAccessTokenManager.mjs | 9 ++-------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
index be94826c1f..06428925cc 100644
--- a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
+++ b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
@@ -61,10 +61,7 @@ const PersonalAccessTokenController = {
 return res.status(400).json({ message: 'Token id is required' })
 }

- const result = await OAuthPersonalAccessTokenManager.removeToken(tokenId, user._id)
- if (!result || result.deletedCount !== 1) {
- return res.status(404).json({ message: 'Token not found' })
- }
+ await OAuthPersonalAccessTokenManager.removeToken(tokenId)

 return res.json({
 message: 'Token deleted',
diff --git a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
index c48104d3d1..d63d17866a 100644
--- a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
+++ b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
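Review bot: The delete handler now calls `removeToken(tokenId)` with no user id and answers 'Token deleted' whatever the outcome, so nothing visible in this hunk ties the token being deleted to the requesting user; the same gap is in the `removeToken` hunk of OAuthPersonalAccessTokenManager.mjs, whose query matches on `_id` alone. Unless ownership is checked in code outside these hunks, any authenticated caller who holds another user's token id can revoke that token, which is a broken object-level authorization. Keep the owner in the call and report a miss, e.g. `const result = await OAuthPersonalAccessTokenManager.removeToken(tokenId, user._id)` followed by `if (result?.deletedCount !== 1) return res.status(404).json({ message: 'Token not found' })`, with the manager filtering on `user_id` as well. The commit message gives no reason for the revert; if the scoped version broke something, that reason belongs in the description. The handler starts and ends outside the hunk.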
@@ -87,15 +87,10 @@ const PersonalAccessTokenManager = {
 return accessToken
 },

- // Delete a personal access token owned by a specific user
- async removeToken(tokenId, userId) {
- if (!ObjectId.isValid(tokenId)) {
- return { deletedCount: 0 }
- }
+ // Delete a personal access token
+ async removeToken(tokenId) {
 const query = {
 _id: new ObjectId(tokenId),
- user_id: userId,
- type: 'personal_access_token',
 }

 // Delete token from database
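Review bot: `new ObjectId(tokenId)` now runs on the raw request value with no `ObjectId.isValid` check in front of it, so a malformed id makes the constructor throw instead of yielding a clean not-found; how that surfaces to the client depends on error handling outside the hunk. Put the guard back ahead of the query, `if (!ObjectId.isValid(tokenId)) return { deletedCount: 0 }`. The query also no longer pins `type: 'personal_access_token'`, so if this collection holds other token kinds (inferred from the removed filter) the method can delete those too; the comment should at least state the contract, e.g. `// Deletes by _id only: caller must verify ownership and token type`. The body of `removeToken` continues past the end of the hunk.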