potiuk commented on PR #23:
URL: https://github.com/apache/comdev/pull/23#issuecomment-4893531680

   Thanks @dave2wave — I dug into both `infrastructure-asfquart` and 
`tooling-trusted-releases` to see what's reusable, and wanted to share what I 
found so the discussion is grounded in the actual code.
   
   **What's in asfquart today** is the auth *seam*, not token management:
   
   - a bearer hook — `session.py` recognises `Authorization: Bearer <token>` 
and calls a pluggable `app.token_handler(token)` callback that returns a 
session dict;
   - a session model (`uid`, committees/projects, `isMember/isChair/isRoot`, 
`mfa`, `roleaccount`, plus a free-form `metadata` dict where scope lives by 
convention);
   - the `@asfquart.auth.require(...)` decorators with `Requirements` 
(committer/member/pmc_member/chair/root/mfa/roleacct).
   
   The one PAT example (`examples/snippets/personal_access_tokens.py`) is a 
static-YAML role-account lookup — no generation, hashing, storage, expiry, 
revocation, scope-intersection, caps or audit. So the token *lifecycle* PR #321 
implements isn't in asfquart; it's the plumbing where such a subsystem would 
plug in.
   
   **The richer machinery you described lives in ATR**, not asfquart — 
`atr/shared/tokens.py`, `storage/readers|writers/tokens.py`, 
`get|post/tokens.py`, `jwtoken.py`, the admin revoke templates and `api_auth` 
blueprint, on top of asfquart. That matches your "we're considering pushing 
more of this to `infrastructure-asfquart`" — i.e. it's not there yet, it's 
ATR-specific for now. One design difference worth flagging: ATR uses a 
long-lived PAT exchanged for a short-lived HS256 JWT per request, whereas #321 
uses an opaque token directly and re-intersects its scope with the owner's 
*current* permissions on every request. Both are valid; they make different 
revocation/latency trade-offs.
   
   **Practical catch for PonyMail:** asfquart is a Quart framework, and 
ponymail-foal's server is a hand-rolled aiohttp async app — so "use asfquart" 
isn't a drop-in; it'd mean reframing the server or just mirroring the pattern 
(which `session.py` already does in spirit).
   
   Given that, I don't think there's an asfquart token library to adopt today. 
The cheap, high-value alignment I'd suggest is matching asfquart's 
session/scope *shape* (`metadata["scope"]`, the roleaccount flag, 
`Requirements` semantics) so that if a shared asfquart token layer ever 
materialises — or PonyMail ever moves onto asfquart — the tokens are already 
compatible, without taking a Quart dependency now. Happy to do that in this PR 
if the PMC agrees it's worth it.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to