From 46cfb73e21f42f009393efb900627530a8aac0cd Mon Sep 17 00:00:00 2001
From: Karl Persson
Date: Fri, 31 Mar 2023 16:44:08 +0200
Subject: [PATCH] AuthToken: client token rotation fix (#65709)
* AuthToken: respond with 401 if token is not found
* Set retry to one so we don't retry a failed token rotation
---
 pkg/api/user_token.go | 4 ++--
 pkg/api/user_token_test.go | 4 ++--
 public/app/core/services/backend_srv.ts | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/api/user_token.go b/pkg/api/user_token.go
index 46e79069de5..5366d316388 100644
--- a/pkg/api/user_token.go
+++ b/pkg/api/user_token.go
@@ -86,7 +86,7 @@ func (hs *HTTPServer) RotateUserAuthToken(c *contextmodel.ReqContext) response.R
 }
 
 if errors.Is(err, auth.ErrUserTokenNotFound) {
- return response.ErrOrFallback(http.StatusNotFound, http.StatusText(http.StatusFound), err)
+ return response.ErrOrFallback(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), err)
 }
 
 return response.ErrOrFallback(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError), err)
@@ -234,7 +234,7 @@ func (hs *HTTPServer) revokeUserAuthTokenInternal(c *contextmodel.ReqContext, us
 return response.Error(400, "Cannot revoke active user auth token", nil)
 }
 
- err = hs.AuthTokenService.RevokeToken(c.Req.Context(), token, true)
+ err = hs.AuthTokenService.RevokeToken(c.Req.Context(), token, false)
 if err != nil {
 if errors.Is(err, auth.ErrUserTokenNotFound) {
 return response.Error(404, "User auth token not found", err)
diff --git a/pkg/api/user_token_test.go b/pkg/api/user_token_test.go
index 196d2f20c7f..c520a52fea3 100644
--- a/pkg/api/user_token_test.go
+++ b/pkg/api/user_token_test.go
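Review bot: The switch to 401 for `auth.ErrUserTokenNotFound` in the rotate handler deserves a comment saying it is deliberate, because the revoke handler later in this same file still answers the same error with a 404 and a future cleanup could "harmonise" this branch back. The difference matters: here the caller is unauthenticated and must not be able to tell an unknown session token from an expired one, whereas revoke addresses a token by id from an authenticated session. Suggested line above `if errors.Is(err, auth.ErrUserTokenNotFound) {`: `// Unknown token is answered like an invalid one (401, not 404): an unauthenticated caller must not learn whether the presented token ever existed.` Whether this failure path also clears the stale session cookie is not visible in the hunk; if it does not, the browser keeps presenting the dead token on every following request, which is worth confirming. RotateUserAuthToken begins outside the hunk.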
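Review bot: The third argument of `hs.AuthTokenService.RevokeToken(c.Req.Context(), token, false)` flips from true to false without a word in the commit message, and nothing in the hunk says what the flag means, so the security effect of the change is opaque to the next reader. If it selects a soft (grace-period) versus immediate revocation, as the rotation context suggests, the reason belongs next to the call, e.g. `// Explicit revocation by the user must take effect at once; a soft revoke is only for tokens superseded by rotation.` — presumably so, but confirm against the AuthTokenService signature before committing to that wording. The bare `400` and `404` literals on the neighbouring lines would also read more consistently as `http.StatusBadRequest` and `http.StatusNotFound`, matching the rotate handler above. revokeUserAuthTokenInternal begins outside the hunk.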
@@ -171,10 +171,10 @@ func TestHTTPServer_RotateUserAuthToken(t *testing.T) {
 expectedStatus: http.StatusUnauthorized,
 },
 {
- desc: "Should return 404 and when token s not found",
+ desc: "Should return 401 and when token not found",
 cookie: &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
 rotatedErr: auth.ErrUserTokenNotFound,
- expectedStatus: http.StatusNotFound,
+ expectedStatus: http.StatusUnauthorized,
 },
 {
 desc: "Should return 200 and but not set new cookie if token was not rotated",
diff --git a/public/app/core/services/backend_srv.ts b/public/app/core/services/backend_srv.ts
index b6e41ff9d87..d2e9b6c42f0 100644
--- a/public/app/core/services/backend_srv.ts
+++ b/public/app/core/services/backend_srv.ts
@@ -450,7 +450,7 @@ export class BackendSrv implements BackendService {
 }
 
 rotateToken() {
- return this.request({ url: '/api/user/auth-tokens/rotate', method: 'POST' });
+ return this.request({ url: '/api/user/auth-tokens/rotate', method: 'POST', retry: 1 });
 }
 
 loginPing() {
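Review bot: The reworded case description still carries a stray conjunction, `desc: "Should return 401 and when token not found"`; `desc: "Should return 401 when token not found"` reads as intended. The case pins only the status code; if the handler is meant to drop the dead session cookie on this path, an assertion on the response's Set-Cookie header would make that contract explicit, though whether it does so is not visible here. The test table continues outside the hunk.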
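Review bot: `retry: 1` is a magic value whose name reads like a retry budget, while the commit description says its purpose is to stop retrying; the likely mechanism is that the 401 handling elsewhere in this class treats a non-zero `retry` as "already retried" and skips the rotate-and-replay step, so a 401 from the rotate call itself cannot trigger another rotation. That deserves a comment so nobody later raises it to 3 believing it adds resilience: `// retry: 1 marks this request as already retried, so a 401 from the rotate call does not start another rotation (would loop).` Confirm against the 401 branch of the request pipeline, which is outside this hunk. BackendSrv continues outside the hunk.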