Revoke token

[wd15]

Can an existing token be revoked with the Surge CLI? surge token --help doesn't give any indications of possible sub-commands.

[danielfdsilva]

In light of Circle CI's security incident this would be really needed.

[brint]

I was digging through the code and found this:

surge/lib/middleware/util/helpers.js

Line 234 in 32eaaa2

'url': url.resolve(req.endpoint, "/token/reset/" + req.email),

By doing a password reset on my account, I was able to get a new token after the password reset.

[danielfdsilva]

@brint Unfortunately this does not revoke the old token.
Here's how I tested it:

Got a token with surge token, logged out and reset the password. Tried the previously issued token by doing surge list --token <token> and it was still working.

[alexgleason]

Bump

[mauricioklein]

I confirm that /token/reset doesn't reset the token.

curl -vvv -XPOST https://surge.surge.sh/token/reset/[my email here]

Got a 201 back (with no authentication whatsoever 🤯), but token remains the same.

If at least we got access to their API documentation, we would have a workaround until the CLI is fixed