Admin Token API: Revoke GitLab session cookies
Proposal
The Admin Token API allows revoking arbitrary tokens. It can be used to identify what a token does, e.g. in the context of leaked tokens, and revoke it.
It currently lacks support to revoke session cookies. See the current implementation status. Identification is already supported.
Session cookies are currently deleted when a user calls revoke in the UI (User settings > Active Sessions > Revoke):
ActiveSession.destroy_session(current_user, params[:id])
Therefore, the following request should delete the token and return a 204.
DELETE /api/v4/admin/token
{"token": "_gitlab_session=.."}
Afterwards, retrieving the token should fail, because the token has been deleted.
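The revoke-then-identify contract described above, modelled as an added example that is not GitLab's code. The class `AdminTokenEndpoint`, its method names, the in-memory store, and the 404 and 422 status codes are assumptions for illustration; only the 204 on revoke and the `_gitlab_session=` token form come from the proposal.

```ruby
require "digest"

# Hypothetical model of the proposed behaviour; an in-memory Hash stands in
# for the server-side session store.
class AdminTokenEndpoint
  COOKIE_PREFIX = "_gitlab_session="

  def initialize
    @sessions = {} # digest of session id => session record
  end

  # Helper for the example: register a constructed session.
  def sign_in(session_id, user)
    @sessions[key(session_id)] = { type: "session", user: user }
  end

  # Identification: [200, record], or 404 (assumed) once the session is gone.
  def identify(token)
    id = session_id(token)
    return [422, nil] unless id
    record = @sessions[key(id)]
    record ? [200, record] : [404, nil]
  end

  # Revocation: 204 on success, as the proposal asks; 404 (assumed) if already gone.
  def revoke(token)
    id = session_id(token)
    return [422, nil] unless id
    @sessions.delete(key(id)) ? [204, nil] : [404, nil]
  end

  private

  # Accept only the "_gitlab_session=<value>" form with a non-empty value.
  def session_id(token)
    return nil unless token.is_a?(String) && token.start_with?(COOKIE_PREFIX)
    id = token.delete_prefix(COOKIE_PREFIX)
    id.empty? ? nil : id
  end

  # Key by digest so the raw cookie value is never held as a lookup key.
  def key(session_id)
    Digest::SHA256.hexdigest(session_id)
  end
end
```

A second revoke of the same cookie returns the not-found status in this model, which lets a caller handling a leaked cookie confirm that the session no longer exists.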