Make WordPress Core

Opened 3 weeks ago

Last modified 3 weeks ago

#61644 new feature request

Invalidate application password

Reported by: senna765 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.6
Component: Application Passwords Keywords:
Focuses: rest-api Cc:

Description

Currently application passwords do not have any expiration. Due to a security issue, as the password is returned in the query string and all GET requests are logged in webserver logs, we need to invalidate those tokens programmatically.

To revoke a token we need to get its uuid because it is not possible to delete a token by appId. Currently there is an endpoint GET /wp-json/wp/v2/users/me/application-passwords/introspect, but because this is a GET request it is cached by the litespeed cache plugin and returns cached results.

So my proposal would be to:

  1. Add the ability to revoke a token based on appId, as this is a known value to the application
  2. Change the request method to POST for wp-json/wp/v2/users/me/application-passwords/introspect, as the litespeed cache plugin is not caching POST requests

Change History (1)

#1 @TimothyBlynJacobs
3 weeks ago

  • Focuses rest-api added
  • Severity changed from major to normal
  • Version changed from 6.5.5 to 5.6

Hi @senna765,

Thanks for the ticket and welcome to Trac!

Add the ability to revoke a token based on appId, as this is a known value to the application

I could see us adding this. Probably as a DELETE /wp/v2/users/me/application-passwords?app_id=blah.

Change the request method to POST for wp-json/wp/v2/users/me/application-passwords/introspect, as the litespeed cache plugin is not caching POST requests

We wouldn't be making this change. This is a read action, it should not have POST semantics. If the Litespeed plugin is caching an authenticated route, that's incorrect. The REST API sends nocache headers on authenticated requests.
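What the first proposal would look like in practice, as an added example that is not WordPress core code and not part of this ticket: a helper that revokes every application password of a user matching a given app_id, using the existing WP_Application_Passwords class (WordPress 5.6+), exposed on a hypothetical `example/v1` route rather than the core `wp/v2` namespace. The function and route names are assumptions.

```php
<?php
/**
 * Added example (not core code): revoke all application passwords of a user
 * whose app_id matches. Assumes WordPress >= 5.6 (WP_Application_Passwords).
 * Returns the list of revoked UUIDs.
 */
function example_revoke_app_passwords_by_app_id( $user_id, $app_id ) {
    $revoked = array();
    // Each stored item carries 'uuid', 'app_id', 'name', 'created', 'last_used', 'last_ip'.
    foreach ( WP_Application_Passwords::get_user_application_passwords( $user_id ) as $item ) {
        // app_id is optional at creation time, so guard against an empty value.
        if ( ! empty( $item['app_id'] ) && $item['app_id'] === $app_id ) {
            $result = WP_Application_Passwords::delete_application_password( $user_id, $item['uuid'] );
            if ( true === $result ) {
                $revoked[] = $item['uuid'];
            }
        }
    }
    return $revoked;
}

// Hypothetical route: DELETE /wp-json/example/v1/users/me/application-passwords?app_id=<uuid>
// Only the authenticated user may revoke their own credentials.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users/me/application-passwords', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'edit_user', get_current_user_id() );
        },
        'args'                => array(
            'app_id' => array(
                'required'          => true,
                'type'              => 'string',
                'format'            => 'uuid',
                'validate_callback' => 'rest_validate_request_arg',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $revoked = example_revoke_app_passwords_by_app_id( get_current_user_id(), $request['app_id'] );
            if ( empty( $revoked ) ) {
                return new WP_Error( 'rest_not_found', 'No application password with that app_id.', array( 'status' => 404 ) );
            }
            return rest_ensure_response( array( 'revoked' => $revoked ) );
        },
    ) );
} );
```

Because the route is authenticated and uses DELETE, the REST API's nocache headers apply and no page cache should serve it.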
