feat(sdk): support token revoke in java sdk#17

Merged
IgorHorta merged 6 commits into main from ENG-4562 on Feb 19, 2026

@IgorHorta
Contributor

ENG-4562 – Add token revocation support

Adds support for revoking machine identity access tokens:

  • AuthClient: RevokeToken(accessToken) (Universal Auth) and RevokeTokenById(tokenId) (Token Auth)
  • Models: RevokeTokenInput, RevokeTokenResponse
  • Tests: RevokeTokenInputTest, AuthClientTest (unit tests with Mockito; no real credentials)
  • Docker: test service in docker-compose to run the above unit tests

Existing tests and files (e.g. InfisicalSdkTest, EnvironmentVariables) are unchanged.

@linear

linear bot commented Feb 16, 2026

@greptile-apps

greptile-apps bot commented Feb 16, 2026

Greptile Summary

Adds token revocation support to the Java SDK with two new methods on AuthClient: RevokeToken(accessToken) for Universal Auth and RevokeTokenById(tokenId) for Token Auth. Includes new model classes (RevokeTokenInput, RevokeTokenResponse), a no-body post overload on ApiClient, Mockito test dependencies, unit tests, and a Docker Compose test service.

  • Security concern: RevokeTokenById interpolates tokenId directly into the URL path without URL-encoding or format validation. A malicious or malformed tokenId (e.g., containing / or ../) could alter the target endpoint. This pattern exists elsewhere in the codebase but is worth addressing for security-sensitive operations.
  • Documentation: No /docs folder or README updates were found. How will customers discover the new RevokeToken and RevokeTokenById methods?

Confidence Score: 3/5

  • This PR is generally safe but has an input sanitization gap in RevokeTokenById that should be addressed before merge.
  • The changes are well-structured and follow existing SDK conventions, with good test coverage for the new methods. However, the tokenId parameter is used directly in URL path construction without encoding or validation, which is a security concern for a token revocation endpoint. The code is otherwise correct and the new ApiClient.post overload is consistent with the existing codebase.
  • Pay close attention to src/main/java/com/infisical/sdk/resources/AuthClient.java — the RevokeTokenById method needs input sanitization for the tokenId parameter used in URL path construction.

Important Files Changed

| Filename | Overview |
|---|---|
| src/main/java/com/infisical/sdk/resources/AuthClient.java | Adds RevokeToken and RevokeTokenById methods. tokenId is interpolated into the URL path without encoding/validation, posing a path manipulation risk. |
| src/main/java/com/infisical/sdk/api/ApiClient.java | Adds a no-body post overload that sends an empty JSON object. Implementation is consistent with the existing post method, with added handling for empty response bodies. |
| src/main/java/com/infisical/sdk/models/RevokeTokenInput.java | New model class with accessToken field and validation. Follows existing patterns (@Data, @Builder, validate()). |
| src/main/java/com/infisical/sdk/models/RevokeTokenResponse.java | Simple response model with a message field. No issues. |
| src/test/java/com/infisical/sdk/resources/AuthClientTest.java | Unit tests for RevokeToken and RevokeTokenById covering null/empty validation and correct API call verification using Mockito. |
| src/test/java/com/infisical/sdk/models/RevokeTokenInputTest.java | Unit tests for RevokeTokenInput.validate() covering valid, null, empty, and whitespace cases. |
| pom.xml | Adds Mockito 5.8.0 test dependencies. Compatible with CI (Java 21) and docker-compose (Java 11) environments. |
| docker-compose.yaml | Adds a test service using Java 11 to run the new unit tests. No issues. |

Last reviewed commit: 717b6fb

@greptile-apps greptile-apps bot left a comment

8 files reviewed, 2 comments
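
Added example, not part of this PR or of the SDK's code: one way to close the path-interpolation gap raised in the review above, by checking tokenId against an allowlist and percent-encoding it as a single path segment. The base URL, route, class and method names are hypothetical, and the UUID format for token IDs is an assumption.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class TokenIdPathDemo {
    // Hypothetical base URL and route, used only for this illustration.
    static final String BASE = "https://sdk.example.test/api/tokens/";

    // Assumption: token IDs are UUIDs. Adjust the allowlist to the real format.
    static final Pattern TOKEN_ID =
        Pattern.compile("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$");

    // The pattern flagged in the review: raw interpolation into the path.
    static String naiveUrl(String tokenId) {
        return BASE + tokenId + "/revoke";
    }

    // Hardened: reject anything outside the expected format, then percent-encode
    // the value as a single path segment as defence in depth.
    static String safeUrl(String tokenId) {
        if (tokenId == null || !TOKEN_ID.matcher(tokenId).matches()) {
            throw new IllegalArgumentException("tokenId is not a valid identifier");
        }
        return BASE + encodeSegment(tokenId) + "/revoke";
    }

    // URLEncoder targets form encoding, so "+" (space) is mapped to "%20".
    static String encodeSegment(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) {
        String[] samples = {                        // constructed inputs
            "3f2c9a1e-5b7d-4c1a-9e0f-1a2b3c4d5e6f", // well-formed
            "../other",                             // dot segment
            "a/b"                                   // extra path separator
        };
        for (String id : samples) {
            // normalize() resolves dot segments the way many HTTP clients do.
            System.out.println("naive -> " + URI.create(naiveUrl(id)).normalize());
            try {
                System.out.println("safe  -> " + safeUrl(id));
            } catch (IllegalArgumentException e) {
                System.out.println("safe  -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting the value before building the URL keeps a malformed tokenId from ever reaching the HTTP layer; the encoding step only matters if the allowlist is later loosened.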


@IgorHorta IgorHorta requested a review from varonix0 February 18, 2026 17:30
IgorHorta and others added 6 commits February 18, 2026 21:10
Removes `RevokeTokenResponse` and updates `AuthClient` and related tests to use `Void` for token revocation. This streamlines the API calls and simplifies the overall process, as no specific response data is required.
Removes an unused, duplicated `post` method in `ApiClient`. Introduces a convenience overload that calls `post(String url, Object body, Class<R> responseType)` with an empty Map as the body. This cleans up the API and provides a simple way to make POST requests with an empty JSON body.
@IgorHorta IgorHorta merged commit 284c040 into main Feb 19, 2026
2 checks passed