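        /// <summary>
        /// Revokes a refresh token. The token is read from the request body when supplied,
        /// otherwise from the "refreshToken" cookie.
        /// </summary>
        /// <param name="model">Request body; its Token may be null to fall back to the cookie.
        /// The model itself may also be null when the request carries no body.</param>
        /// <returns>
        /// 400 when no token is present in body or cookie; 401 when the caller neither owns
        /// the token nor has the Admin role; 200 once the token has been revoked.
        /// </returns>
        public IActionResult RevokeToken(RevokeTokenRequestViewModel model)
        {
            // Body token wins over the cookie. `model` is dereferenced null-safely: without
            // [ApiController]-style automatic 400s, a missing body binds `model` as null and
            // the original `model.Token` would throw a NullReferenceException (500) instead
            // of falling through to the cookie / the 400 below.
            // NOTE(review): the cookie name must match the one set at login — confirm.
            var token = model?.Token ?? Request.Cookies["refreshToken"];

            if (string.IsNullOrEmpty(token))
            {
                return BadRequest(new { message = "Token is required" });
            }

            // Authorization: a user may revoke only tokens they own; an admin may revoke any.
            // The ownership check runs before the token is looked up or revoked, so a
            // non-admin cannot use this endpoint to act on (or probe) someone else's token.
            // NOTE(review): this assumes `Account` is populated for the current caller
            // (presumably by an authorization filter outside this view) — confirm it cannot
            // be null here. 401 is kept for compatibility; 403 (Forbid) would describe an
            // authenticated-but-not-permitted caller more precisely.
            if (!Account.OwnsToken(token) && Account.Role != Role.Admin)
            {
                return Unauthorized(new { message = "Unauthorized" });
            }

            // The caller's IP is passed along with the revocation, presumably for the
            // token's audit trail (RevokedByIp or similar) — verify against the service.
            _accountService.RevokeToken(token, ipAddress());
            return Ok(new { message = "Token revoked" });
        }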