See PHI304. Requests to cycle/revoke credentials have been rare and we have limited support for automating it, but should improve support.
Currently, we have bin/auth revoke but it supports only Conduit revocations. This should be expanded; specifically:
- Add a temporary token revoker.
- Add a session revoker.
- Add an SSH key revoker.
- Password hashes are stored on the user object. VCS password hashes are stored in RepositoryVCSPassword. These would probably be better if moved to a central password table with a role column.
- Passwords can be removed, but can not be revoked (i.e., forcing users to change passwords). This table should also be able to store revoked passwords.
- Add a password revoker.
- Add a VCS password revoker.
Additionally (see T7148):
- When instances are exported from Phacility, we currently do not strip VCS passwords, but should.
- When instances are exported from Phacility, we currently do not strip Conduit tokens, but should.
- Ideally, this workflow should just use bin/auth revoke to reduce code duplication.
- Is AuthTemporaryToken->userPHID used by anything?
- VCS passwords should respect account.minimum-password-length.
- While I'm here, we could add a rate limit to "Change Password" to stop occasional researcher reports about this.
- When SSH keys are revoked with bin/auth revoke, the email should probably exclude the "your account may have been compromised" warning.
- Write some documentation.
- Carve a pathway forward on the legacy digest algorithms.