bump reva to fix app token delete in UI

go.mod

@@ -63,7 +63,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.23.1
 	github.com/onsi/gomega v1.36.2
 	github.com/open-policy-agent/opa v1.2.0
-	github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320105919-be91238e6b11
+	github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320135948-a946c0d6d289
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea
 	github.com/pkg/errors v0.9.1

go.sum

@@ -861,8 +861,8 @@ github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
 github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
 github.com/open-policy-agent/opa v1.2.0 h1:88NDVCM0of1eO6Z4AFeL3utTEtMuwloFmWWU7dRV1z0=
 github.com/open-policy-agent/opa v1.2.0/go.mod h1:30euUmOvuBoebRCcJ7DMF42bRBOPznvt0ACUMYDUGVY=
-github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320105919-be91238e6b11 h1:MjfgrhEs73BezOXQZUgEtNTZsmXDVixFpGzZljR5lrk=
-github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320105919-be91238e6b11/go.mod h1:iK0tNdLgqK0zBi0l7Q4uWSn9GPUbYtNxz3YAMfYvYNg=
+github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320135948-a946c0d6d289 h1:gg37XG4j3Y7yWLrD+B+2uNQ72g4YasdvpzOKJnuQH1Y=
+github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320135948-a946c0d6d289/go.mod h1:iK0tNdLgqK0zBi0l7Q4uWSn9GPUbYtNxz3YAMfYvYNg=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=

vendor/github.com/opencloud-eu/reva/v2/pkg/appauth/manager/jsoncs3/jsoncs3.go

@@ -226,6 +226,15 @@ func (m *manager) InvalidateAppPassword(ctx context.Context, secret string) erro
 
 	updater := func(a map[string]*apppb.AppPassword) (map[string]*apppb.AppPassword, error) {
 		for key, pw := range a {
+			// Allow deleting a token using the password hash. This is needed because of
+			// some shortcomings of the CS3 APIs. On the API level tokens don't have IDs
+			// ListAppPasswords only returns the hashed password. So allowing to delete
+			// using the hashed password as the key is the only way to delete tokens for
+			// which the user does not remember the password.
+			if secret == pw.Password {
+				delete(a, key)
+				return a, nil
+			}
 			ok, err := argon2id.ComparePasswordAndHash(secret, pw.Password)
 			switch {
 			case err != nil:

vendor/modules.txt

@@ -1191,7 +1191,7 @@ github.com/open-policy-agent/opa/v1/types
 github.com/open-policy-agent/opa/v1/util
 github.com/open-policy-agent/opa/v1/util/decoding
 github.com/open-policy-agent/opa/v1/version
-# github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320105919-be91238e6b11
+# github.com/opencloud-eu/reva/v2 v2.28.1-0.20250320135948-a946c0d6d289
 ## explicit; go 1.24.1
 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace
 github.com/opencloud-eu/reva/v2/cmd/revad/runtime