Admin Token API: Revoke incoming mail tokens
Proposal
The Admin Token API allows revoking arbitrary tokens. It can be used to identify what a token does, e.g. in the context of leaked tokens, and revoke it.
It currently lacks support to revoke incoming mail tokens. See the current implementation status. Identification is already supported.
Incoming mail tokens only support a reset, not a revocation, as they are attached to the User:
Users::UpdateService.new(current_user, user: @user).execute! do |user|
  user.reset_incoming_email_token!
end
Therefore the following request should reset the token.
DELETE /api/v4/admin/token
{"token": "glimt-..."}
Afterwards, retrieving the token should fail, because the token has been deleted.
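The reset-as-revocation behaviour proposed above, as an added example that is not GitLab's code: an in-memory model in which "revoking" a user-attached token means replacing it, so the leaked value stops resolving while the user still holds a fresh token. Only `reset_incoming_email_token!` and the `glimt-` prefix come from this issue; the `User` and `AdminTokenApi` classes, the token length, and plaintext storage are assumptions.

```ruby
require "securerandom"

# Hypothetical in-memory model, not GitLab code.
class User
  PREFIX = "glimt-" # prefix shown in the issue's request body
  attr_reader :name, :incoming_email_token

  def initialize(name)
    @name = name
    reset_incoming_email_token!
  end

  # The token is an attribute of the user, so it can only be replaced.
  def reset_incoming_email_token!
    @incoming_email_token = PREFIX + SecureRandom.alphanumeric(25) # length assumed
  end
end

class AdminTokenApi
  def initialize(users)
    @users = users
  end

  # Identify: return the owner of a token, or nil if it is unknown.
  def identify(token)
    return nil unless token.is_a?(String) && token.start_with?(User::PREFIX)
    @users.find { |u| secure_equal?(u.incoming_email_token, token) }
  end

  # "Revoke" for this token type resets it on the owning user.
  # Returns true if a token was invalidated, false if none matched.
  def revoke(token)
    user = identify(token)
    return false unless user
    user.reset_incoming_email_token!
    true
  end

  private

  # Compare without exiting early on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A second `revoke` call with the same leaked value returns `false`, which is the "retrieving the token should fail" condition from the proposal.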