potiuk commented on PR #23: URL: https://github.com/apache/comdev/pull/23#issuecomment-4893531680
Thanks @dave2wave — I dug into both `infrastructure-asfquart` and `tooling-trusted-releases` to see what's reusable, and wanted to share what I found so the discussion is grounded in the actual code. **What's in asfquart today** is the auth *seam*, not token management: - a bearer hook — `session.py` recognises `Authorization: Bearer <token>` and calls a pluggable `app.token_handler(token)` callback that returns a session dict; - a session model (`uid`, committees/projects, `isMember/isChair/isRoot`, `mfa`, `roleaccount`, plus a free-form `metadata` dict where scope lives by convention); - the `@asfquart.auth.require(...)` decorators with `Requirements` (committer/member/pmc_member/chair/root/mfa/roleacct). The one PAT example (`examples/snippets/personal_access_tokens.py`) is a static-YAML role-account lookup — no generation, hashing, storage, expiry, revocation, scope-intersection, caps or audit. So the token *lifecycle* PR #321 implements isn't in asfquart; it's the plumbing where such a subsystem would plug in. **The richer machinery you described lives in ATR**, not asfquart — `atr/shared/tokens.py`, `storage/readers|writers/tokens.py`, `get|post/tokens.py`, `jwtoken.py`, the admin revoke templates and `api_auth` blueprint, on top of asfquart. That matches your "we're considering pushing more of this to `infrastructure-asfquart`" — i.e. it's not there yet, it's ATR-specific for now. One design difference worth flagging: ATR uses a long-lived PAT exchanged for a short-lived HS256 JWT per request, whereas #321 uses an opaque token directly and re-intersects its scope with the owner's *current* permissions on every request. Both are valid; they make different revocation/latency trade-offs. **Practical catch for PonyMail:** asfquart is a Quart framework, and ponymail-foal's server is a hand-rolled aiohttp async app — so "use asfquart" isn't a drop-in; it'd mean reframing the server or just mirroring the pattern (which `session.py` already does in spirit). Given that, I don't think there's an asfquart token library to adopt today. The cheap, high-value alignment I'd suggest is matching asfquart's session/scope *shape* (`metadata["scope"]`, the roleaccount flag, `Requirements` semantics) so that if a shared asfquart token layer ever materialises — or PonyMail ever moves onto asfquart — the tokens are already compatible, without taking a Quart dependency now. Happy to do that in this PR if the PMC agrees it's worth it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
