Remove the unused OAuth `/client-tokens` API

[rfk]

The OAuth server exposes some API endpoints under /client-tokens that can be used for listing and deleting the OAuth clients attached to a user's account. We used to use these as part of the devices-and-apps list, but that has since switched over to using the new /attached_clients endpoint. Ripgrepping the code and inspecting request logs in bigquery, I don't think anything is using the /client-tokens endpoints any more.

We should remove them, which AFAICT would include:

• Deleting the fetchOAuthApps and deleteOAuthApp methods on the content-server's oauth-client.js.
• Removing the code for these routes in auth-server's ./lib/oauth/routes/client-tokens and the plumbing that hooks them up.
• Removing the getActiveClientsByUid method from the auth-server's OAuth DB object, since it is only used by these routes.
• Removing auth-server's lib/oauth/db/helpers.js since it only contains a single function and that function is only used by getActiveClientsByUid above.
• Removing the id property from auth-server's lib/oauth/db/accessToken.js, since it only exists so these objects can be passed to the helper above.

Not a bad potential cleanup overall!

┆Issue is synchronized with this Jira Task
┆Issue Number: FXA-1286

[imskr]

@rfk I would like to work on this! Assign me please.

[rfk]

@imskr great, thanks for your interest!

I suggest working through the items in the list above one-by-one in approximately that order, to make sure no tests unexpectedly break during the process.

[imskr]

@rfk In step 2: in file ./lib/oauth/routes/client-tokens there is only delete.js and list.js and how do i remove code for the fetchOAuthApps and deleteOAuthApp?

[rfk]

and how do i remove code for the fetchOAuthApps and deleteOAuthApp?

For this one, go into ./packages/fxa-content-server/app and search for the strings fetchOAuthApps and deleteOAuthApp. You should find that the only occurrences are the definitions of these methods in scripts/lib/oauth-client.js and their corresponding tests in tests/spec/lib/oauth-client.js, both of which can be deleted. After deleting them, try running the tests as described in README.txt just to check for any unexpected breakage.

In step 2: in file ./lib/oauth/routes/client-tokens there is only delete.js and list.js

Right, so I think both of those files can just be deleted. If you then go into ./packages/fxa-auth-server and search for the string client-tokens, you will find the code in lib/oauth/routes/index.js that connects them up to the app, a lot of tests for the routes, and some documentation that currently says they are deprecated. All of those things can also be removed.

[imskr]

Got it thanks @rfk