From 729eae08d1e06166b6c1d5fc39cff91b4a6f919f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?=
Date: Wed, 15 Feb 2023 08:31:30 +0100
Subject: [PATCH] feature/Add endpoint selfRevokeConsent v5.1.0
---
 .../main/scala/code/api/util/APIUtil.scala | 11 +++++
 .../scala/code/api/v5_1_0/APIMethods510.scala | 48 +++++++++++++++++++
 2 files changed, 59 insertions(+)
diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
index d9091a2ee..4e2b4b389 100644
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@@ -244,6 +244,17 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 }
 }
 }
+
+ /**
+ * Purpose of this helper function is to get the Consent-JWT value from a Request Headers.
+ * @return the Consent-JWT value from a Request Header as a String
+ */
+ def getConsentIdRequestHeaderValue(requestHeaders: List[HTTPParam]): Option[String] = {
+ requestHeaders.toSet.filter(_.name == RequestHeader.`Consent-Id`).toList match {
+ case x :: Nil => Some(x.values.mkString(", "))
+ case _ => None
+ }
+ }
 /**
 * Purpose of this helper function is to get the PSD2-CERT value from a Request Headers.
 * @return the PSD2-CERT value from a Request Header as a String
diff --git a/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala b/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala
index de159c2c4..0901f9c1f 100644
--- a/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala
+++ b/obp-api/src/main/scala/code/api/v5_1_0/APIMethods510.scala
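Review bot: The Scaladoc on `getConsentIdRequestHeaderValue` is copied from the JWT helper and claims to return the Consent-JWT value, while the filter reads `RequestHeader.`Consent-Id``; suggest `* Purpose of this helper function is to get the Consent-Id value from the Request Headers.` and `* @return the Consent-Id header value, or None when the header is absent or repeated`. The arm `case x :: Nil => Some(x.values.mkString(", "))` also accepts a single header entry carrying several values and joins them with ", " into one composite string, so a multi-valued header is passed downstream as a lookup key instead of being rejected. Because this value is client-controlled and the endpoint added in the same patch uses it directly as a database key, the helper should yield Some only for exactly one value, e.g. `case x :: Nil => x.values.toList match { case v :: Nil => Some(v); case _ => None }` (assuming `values` is a collection of strings, as the `mkString` suggests). Trimming or format-checking the id is left to callers, which should treat None as a client error rather than substituting an empty string.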
@@ -160,6 +160,54 @@ trait APIMethods510 {
 }
 }
 }
+
+ staticResourceDocs += ResourceDoc(
+ selfRevokeConsent,
+ implementedInApiVersion,
+ nameOf(selfRevokeConsent),
+ "DELETE",
+ "/my/consent/revoke",
+ "Revoke Consent at Current Call",
+ s"""
+ |Revoke Consent specified by Consent-Id at Request Header
+ |
+ |There are a few reasons you might need to revoke an application’s access to a user’s account:
+ | - The user explicitly wishes to revoke the application’s access
+ | - You as the service provider have determined an application is compromised or malicious, and want to disable it
+ | - etc.
+ ||
+ |OBP as a resource server stores access tokens in a database, then it is relatively easy to revoke some token that belongs to a particular user.
+ |The status of the token is changed to "REVOKED" so the next time the revoked client makes a request, their token will fail to validate.
+ |
+ |${authenticationRequiredMessage(true)}
+ |
+ """.stripMargin,
+ EmptyBody,
+ revokedConsentJsonV310,
+ List(
+ UserNotLoggedIn,
+ BankNotFound,
+ UnknownError
+ ),
+ List(apiTagConsent, apiTagPSD2AIS, apiTagPsd2, apiTagNewStyle)
+ )
+ lazy val selfRevokeConsent: OBPEndpoint = {
+ case "my" :: "consent" :: "revoke" :: Nil JsonDelete _ => {
+ cc =>
+ for {
+ (Full(user), callContext) <- authenticatedAccess(cc)
+ consentId = getConsentIdRequestHeaderValue(cc.requestHeaders).getOrElse("")
+ _ <- Future(Consents.consentProvider.vend.getConsentByConsentId(consentId)) map {
+ unboxFullOrFail(_, callContext, ConsentNotFound)
+ }
+ consent <- Future(Consents.consentProvider.vend.revoke(consentId)) map {
+ i => connectorEmptyResponse(i, callContext)
+ }
+ } yield {
+ (ConsentJsonV310(consent.consentId, consent.jsonWebToken, consent.status), HttpCode.`200`(callContext))
+ }
+ }
+ }
 staticResourceDocs += ResourceDoc(
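Review bot: The new `selfRevokeConsent` endpoint revokes whatever consent the client names in the Consent-Id header without checking that it belongs to the caller: `user` is bound from `authenticatedAccess(cc)` but never used, the fetched consent is thrown away (`_ <- Future(...getConsentByConsentId(consentId))`), and `revoke(consentId)` is keyed on the id alone, so unless `revoke` enforces ownership internally (not visible here) any authenticated user who learns or guesses a consent id can revoke another user's consent. Filter the looked-up consent to the current user before unboxing, so a foreign id fails as ConsentNotFound (which also avoids confirming that the id exists), and only then call revoke; the owner field on the Consent model needs confirming. `getOrElse("")` on the header lookup turns a missing or repeated header into a lookup for consent id "" instead of an explicit client error, and the ResourceDoc error list names `BankNotFound` (no bank is involved) while omitting the `ConsentNotFound` the body actually raises. The `||` line inside the stripMargin description also leaves a literal `|` in the rendered text. The enclosing trait APIMethods510 continues outside the hunk.
```scala
lazy val selfRevokeConsent: OBPEndpoint = {
  case "my" :: "consent" :: "revoke" :: Nil JsonDelete _ => {
    cc =>
      for {
        (Full(user), callContext) <- authenticatedAccess(cc)
        consentId = getConsentIdRequestHeaderValue(cc.requestHeaders).getOrElse("")
        // Only the owner may revoke; a foreign id is reported as ConsentNotFound so ids cannot be probed.
        // TODO confirm the owner field name on the Consent model (userId assumed).
        _ <- Future(Consents.consentProvider.vend.getConsentByConsentId(consentId).filter(_.userId == user.userId)) map {
          unboxFullOrFail(_, callContext, ConsentNotFound)
        }
        // … unchanged: revoke call and yield …
```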