feat: access tokens user management UI

[SychO9]

Picks up from #2651 and #2074

Changes proposed in this pull request:
Introduces the following:

• UI to manage access tokens (actor only).
  • Revoke developer tokens (only the actor can delete his own and no one else).
  • Create developer tokens (based on permission).
  • View developer token value.
  • See other active sessions (token values are not exposed from the API for sessions/system-created tokens).
    • Terminate a remote active session.
    • Terminate all other sessions (not including the current session, user should log out).

Reviewers should focus on:
After reading the above behavior ^, any opinions if anything should be done differently? such as:

• Should admins/permission-given-users be able to terminate/revoke other users' sessions/dev-tokens?
• Is this large enough to move to a separate bundled extension? (I personally think not).

Checkout integration tests method names for further behavior understanding.

Video
https://user-images.githubusercontent.com/20267363/183262689-0de50d68-91db-48d6-a5f9-c252d789c553.mp4

Screenshot

Necessity

• Has the problem that is being solved here been clearly explained?
• If applicable, have various options for solving this problem been considered?
• For core PRs, does this need to be in core, or could it be in an extension?
• Are we willing to maintain this for years / potentially forever?

Confirmed

• Frontend changes: tested on a local Flarum installation.
• Backend changes: tests are green (run composer test).
• Core developer confirmed locally this works as intended.
• Tests have been added, or are not appropriate here.

[clarkwinkelmann]

It looks really good!

I tried it out locally and didn't find anything major.

I would suggest adding a confirmation popup when Revoking a developer token. Maybe that would be useful for Terminate and Terminate all others as well.

In the developer tokens part I see the text says "on [...]" and then the string ends. Looking at the source it looks like it should describe the device. I did my test with cURL (UA curl/7.68.0). I think there should be some fallback "N/A" value or the raw UA?

I would also suggest replacing the hidden token value by a hard-coded number of stars. Showing **** would probably be enough, no need for such a long string.

And finally I'd suggest wrapping the revealed token value in <code></code> to make it stand out better and potentially make it easier to select in some browsers (?)

PS: video in first post doesn't play in Firefox. But works in Chrome

[SychO9]

Will do! thanks for the review!

[tankerkiller125]

• Should admins/permission-given-users be able to terminate/revoke other users' sessions/dev-tokens?

In my view the answer to this is yes, if the system get's compromised or something it would be good for it to be possible for the admin to revoke all sessions and/or tokens. HOWEVER, whether this should be a individual user view where the admin can close just a single users sessions, or just a button on the admin side that wipes all of the sessions is another matter.

I do think that token removal should be on an individual user level though in terms of admin deletion. As my view of it is that it's a way for admins to moderate tokens (if say someone is abusing them)

• Is this large enough to move to a separate bundled extension? (I personally think not).

It should not be a separate extension, I view it as a critical security feature that should be part of core.

[SychO9]

In my view the answer to this is yes, if the system get's compromised or something it would be good for it to be possible for the admin to revoke all sessions and/or tokens. HOWEVER, whether this should be a individual user view where the admin can close just a single users sessions, or just a button on the admin side that wipes all of the sessions is another matter.

I do think that token removal should be on an individual user level though in terms of admin deletion. As my view of it is that it's a way for admins to moderate tokens (if say someone is abusing them)

Then maybe we should create a moderate other users' sessions/tokens to allow a moderator group access to a user's list of sessions/tokens (but make sure to hide the actual token value of course from non-actors). We'd allow viewing basic information and allow terminating/revoking. Does that sound good?

[tankerkiller125]

That seems like a reasonable idea, I wouldn't want anyone seeing the values other than the users anyway. Most sites only allow the viewing of a token once anyway even for the users.

[davwheat]

This is amazing. Just a couple of things, really.

Also, I think the frontend additions need to be added to their respective compat files?

[davwheat]

I am having concerns about our bundle size nowadays. Could we potentially lazy-load this?

[SychO9]

good point, switched to parsing the UA on the backend side

[davwheat]

Maybe LabelValue-something?

[davwheat]

Overall, I think this is great. DataSegment could be renamed, but it's quite a difficult component to name imo.

[SychO9]

LabelValue is a lot better indeed

stale