codeigniter4 · WaaaghNL · Sep 16, 2023 · Sep 19, 2023
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -220,6 +220,12 @@ Typically, the plain text token is retrieved from the request's headers as part
 process. If you need to revoke the token for another user as an admin, and don't have access to the
 token, you would need to get the user's access tokens and delete them manually.
 
+If you dont have the raw token usable to remove the token there is the possibility to remove it using the tokens secret thats stored in the database. It's possible to get a list of all tokens with there secret using the `accessTokens()` function.
+
+```php
+$user->revokeAccessTokenBySecret($secret);
+```
+
 You can revoke all access tokens with the `revokeAllAccessTokens()` method.
 
 ```php

diff --git a/docs/guides/api_tokens.md b/docs/guides/api_tokens.md
@@ -46,10 +46,11 @@ if ($user->tokenCan('users-read')) {
 
 ### Revoking Tokens
 
-Tokens can be revoked by deleting them from the database with the `revokeAccessToken($rawToken)` or `revokeAllAccessTokens()` methods.
+Tokens can be revoked by deleting them from the database with the `revokeAccessToken($rawToken)`, `revokeAccessTokenBySecret($secret)` or `revokeAllAccessTokens()` methods.
 
 ```php
 $user->revokeAccessToken($rawToken);
+$user->revokeAccessTokenBySecret($secret);
 $user->revokeAllAccessTokens();
 ```
 

diff --git a/src/Authentication/Traits/HasAccessTokens.php b/src/Authentication/Traits/HasAccessTokens.php
@@ -47,6 +47,17 @@ public function revokeAccessToken(string $rawToken): void
         $identityModel->revokeAccessToken($this, $rawToken);
     }
 
+    /**
+     * Delete any access tokens for the given secret token.
+     */
+    public function revokeAccessTokenBySecret(string $secretToken): void
+    {
+        /** @var UserIdentityModel $identityModel */
+        $identityModel = model(UserIdentityModel::class);
+
+        $identityModel->revokeAccessTokenBySecret($this, $secretToken);
+    }
+
     /**
      * Revokes all access tokens for this user.
      */

diff --git a/src/Models/UserIdentityModel.php b/src/Models/UserIdentityModel.php
@@ -456,6 +456,21 @@ public function revokeAccessToken(User $user, string $rawToken): void
         $this->checkQueryReturn($return);
     }
 
+    /**
+     * Delete any access tokens for the given secret token.
+     */
+    public function revokeAccessTokenBySecret(User $user, string $secretToken): void
+    {
+        $this->checkUserId($user);
+
+        $return = $this->where('user_id', $user->id)
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
+            ->where('secret', $secretToken)
+            ->delete();
+
+        $this->checkQueryReturn($return);
+    }
+
     /**
      * Revokes all access tokens for this user.
      */

diff --git a/tests/Authentication/HasAccessTokensTest.php b/tests/Authentication/HasAccessTokensTest.php
@@ -101,6 +101,17 @@ public function testRevokeAccessToken(): void
         $this->assertCount(0, $this->user->accessTokens());
     }
 
+    public function testRevokeAccessTokenBySecret(): void
+    {
+        $token = $this->user->generateAccessToken('foo');
+
+        $this->assertCount(1, $this->user->accessTokens());
+
+        $this->user->revokeAccessTokenBySecret($token->secret);
+
+        $this->assertCount(0, $this->user->accessTokens());
+    }
+
     public function testRevokeAllAccessTokens(): void
     {
         $this->user->generateAccessToken('foo');