See PHI304. Requests to cycle/revoke credentials have been rare and we have limited support for automating it, but should improve support.
Currently, we have `bin/auth revoke` but it supports only Conduit revocations. This should be expanded; specifically:
- Add a temporary token revoker.
- Add a session revoker.
- Add an SSH key revoker.
Then:
- Password hashes are stored on the user object. VCS password hashes are stored in `RepositoryVCSPassword`. These would probably be better if moved to a central password table with a `role` column.
- Passwords can be removed, but can not be //revoked// (i.e., forcing users to change passwords). This table should also be able to store revoked passwords.
- Add a password revoker.
- Add a VCS password revoker.
Additionally (see T7148):
- When instances are exported from Phacility, we currently do not strip VCS passwords, but should.
- When instances are exported from Phacility, we currently do not strip Conduit tokens, but should.
- Ideally, this workflow should just use `bin/auth revoke` to reduce code duplication.
Errata:
- Is `AuthTemporaryToken->userPHID` used by anything?
- VCS passwords should respect `account.minimum-password-length`.
- While I'm here, we could add a rate limit to "Change Password" to stop occasional researcher reports about this.
- When SSH keys are revoked with `bin/auth revoke`, the email should probably exclude the "your account may have been compromised" warning.
- Write some documentation.