potiuk commented on PR #23:
URL: https://github.com/apache/comdev/pull/23#issuecomment-4892216158

   Rebased onto the latest `main` (picked up the `.json` endpoint changes from 
#21/#22; resolved the `apiFetch` / `auth_status` conflicts so bearer-token auth 
composes with the new `.json` POST vs `.lua` GET handling) and updated the 
README docs.
   
   Added an explicit clarification of the token permission model to the README: 
a scope is a *wish, not a stored grant*. The server re-intersects a token's 
scopes with the owner's **current** permissions on every request, so a token is 
never a cached snapshot of permissions — lose access upstream and every token 
loses it on its next request, with nothing to cache-evict. Also noted that 
tokens are disabled by default and that enabling them on an ASF instance is a 
per-deployment, Infra-coordinated decision (an instance may leave them off or 
cap their lifetime).
   
   This mirrors the docs clarification (and the new server-side admin/auto 
token-revocation) in the counterpart server PR 
apache/incubator-ponymail-foal#321. `npm test` green (65 tests).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to