feat(xo-server/api): split token.delete to token.deleteOwn

So that the behavior is more consistent.

CHANGELOG.unreleased.md

@@ -27,4 +27,6 @@
 
 <!--packages-start-->
 
+- xo-server minor
+
 <!--packages-end-->

packages/xo-server/src/api/token.mjs

@@ -31,13 +31,37 @@ async function delete_({ pattern, tokens }) {
 
 export { delete_ as delete }
 
-delete_.description = 'delete an existing authentication token'
+delete_.description = 'delete matching authentication tokens for all users'
 
 delete_.params = {
   tokens: { type: 'array', optional: true, items: { type: 'string' } },
   pattern: { type: 'object', optional: true },
 }
 
+delete_.permission = 'admin'
+
+// -------------------------------------------------------------------
+
+export async function deleteOwn({ pattern, tokens }) {
+  await this.deleteAuthenticationTokens({
+    filter: {
+      __and: [
+        {
+          user_id: this.apiContext.user.id,
+        },
+        pattern ?? { id: { __or: tokens } },
+      ],
+    },
+  })
+}
+
+deleteOwn.description = 'delete matching authentication tokens for the current user'
+
+deleteOwn.params = {
+  tokens: { type: 'array', optional: true, items: { type: 'string' } },
+  pattern: { type: 'object', optional: true },
+}
+
 // -------------------------------------------------------------------
 
 export async function set({ id, ...props }) {

packages/xo-server/src/xo-mixins/authentication.mjs

@@ -210,14 +210,8 @@ export default class {
   }
 
   async deleteAuthenticationTokens({ filter }) {
-    let predicate
-    const { apiContext } = this._app
-    if (apiContext !== undefined && apiContext.permission !== 'admin') {
-      predicate = { user_id: apiContext.user.id }
-    }
-
     const db = this._tokens
-    return db.remove((await db.get(predicate)).filter(createPredicate(filter)).map(({ id }) => id))
+    await db.remove((await db.get()).filter(createPredicate(filter)).map(({ id }) => id))
   }
 
   async _getAuthenticationToken(id, properties) {