potiuk commented on PR #23: URL: https://github.com/apache/comdev/pull/23#issuecomment-4892216158
Rebased onto the latest `main` (picked up the `.json` endpoint changes from #21/#22; resolved the `apiFetch` / `auth_status` conflicts so bearer-token auth composes with the new `.json` POST vs `.lua` GET handling) and updated the README docs. Added an explicit clarification of the token permission model to the README: a scope is a *wish, not a stored grant*. The server re-intersects a token's scopes with the owner's **current** permissions on every request, so a token is never a cached snapshot of permissions — lose access upstream and every token loses it on its next request, with nothing to cache-evict. Also noted that tokens are disabled by default and that enabling them on an ASF instance is a per-deployment, Infra-coordinated decision (an instance may leave them off or cap their lifetime). This mirrors the docs clarification (and the new server-side admin/auto token-revocation) in the counterpart server PR apache/incubator-ponymail-foal#321. `npm test` green (65 tests). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
