
Add ability to revoke OAuth clients

Add ability to revoke OAuth clients.

When an OAuth client has a revoked: true property, we log them out and redirect to /login/token-revoked

Token was revoked

We're very sorry, but the token you were using was revoked.

You probably need to update your client, https://gitter.im/apps


Keep in mind we still have the same logic behind an invalid token. The following locations are just where we will actually redirect to /login/token-revoked instead of a generic 401.

  • server/web/middlewares/configure-csrf.js for session
  • server/web/middlewares/authenticate-bearer.js for ?access_token=xxx query parameter
  • Any others that should be here? 🤔
    • server/web/middlewares/rememberme-middleware.js doesn't seem to deal directly with access tokens, just "auth token" hashes to match against. Not sure how/when this is applied as req.user was always in place and the logic here was skipped anyways 😕
    • server/web/passport.js is used for the API and we shouldn't do any redirecting, just give the normal 401 status
    • server/web/bayeux/authenticator.js is used for the WS bayeux API and we shouldn't do any redirecting, just give the normal 401 status
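
The split described above (redirect on the web/session surfaces, plain 401 on the API surfaces, invalid tokens unchanged) as an added, framework-free example; this is not the webapp's own middleware code. The in-memory client and token stores, the sample ids and the `surface` parameter are constructed stand-ins for the real Mongo collections and request context.

```javascript
// Added example, not code from the merge request. Stand-in stores mirror the
// oauthclients / oauthaccesstokens collections used in the test steps below.
const oauthclients = new Map([
  ['client-ok', { name: 'Healthy client', revoked: false }],        // constructed
  ['client-revoked', { name: 'Old client', revoked: true }],        // constructed
]);
const oauthaccesstokens = new Map([
  ['token-good', { userId: 'u1', clientId: 'client-ok' }],                  // constructed
  ['token-from-revoked-client', { userId: 'u1', clientId: 'client-revoked' }], // constructed
]);

const REVOKED_REDIRECT = '/login/token-revoked';

// Look up an access token and classify it:
//   { status: 'ok', userId }        token and its client are fine
//   { status: 'invalid' }           unknown token or unknown client (existing generic 401 path)
//   { status: 'revoked', clientId } token belongs to a client with revoked: true
function classifyToken(token) {
  const accessToken = oauthaccesstokens.get(token);
  if (!accessToken) return { status: 'invalid' };
  const client = oauthclients.get(accessToken.clientId);
  if (!client) return { status: 'invalid' };
  if (client.revoked === true) {
    return { status: 'revoked', clientId: accessToken.clientId };
  }
  return { status: 'ok', userId: accessToken.userId };
}

// Decide what a request should get. `surface` is 'web' for the session and
// ?access_token= paths (configure-csrf, authenticate-bearer), where a revoked
// client is logged out and redirected to the explanation page; 'api' for the
// passport / bayeux paths, which only ever answer with a plain 401.
function handleRequest({ token, surface }) {
  const result = classifyToken(token);
  if (result.status === 'ok') {
    return { action: 'next', userId: result.userId };
  }
  if (result.status === 'revoked' && surface === 'web') {
    // Log out first so the dead session cannot be reused, then redirect.
    return { action: 'logout+redirect', location: REVOKED_REDIRECT };
  }
  // Invalid tokens, and revoked tokens on API surfaces, keep the generic 401.
  return { action: 'respond', statusCode: 401 };
}
```

The important property to preserve is that an unknown token and a revoked token are indistinguishable to API callers (both 401), so revocation does not leak client state to anything other than the browser flow that actually needs the explanation page.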

npm run mocha -- test/integration/services/oauth-service-test.js

// 1. Create a throwaway OAuth client
db.oauthclients.insert({
    name: 'Random test client1',
    tag: 'random-test-client1',
    clientKey: 'random-test-client1-key',
    clientSecret: 'xxx',
});
// 2. Mark that client as revoked
db.oauthclients.update({ clientKey: 'random-test-client1-key' }, {
    $set: {
        revoked: true
    }
});
// 3. Issue an access token for the revoked client to the test user;
//    using this token should now trigger the /login/token-revoked flow
db.oauthaccesstokens.insert({
    token: 'xxx',
    userId: db.users.findOne({ username: 'MadLittleMods' })._id,
    clientId: db.oauthclients.findOne({ clientKey: 'random-test-client1-key' })._id,
});