potiuk commented on PR #321:
URL: 
https://github.com/apache/incubator-ponymail-foal/pull/321#issuecomment-4892216011

   Pushed an update (amended the single commit):
   
   **Docs — clarified the permission model.** Made explicit in `API.md` that a 
scope is a *wish, not a stored grant*: the server re-intersects a token's 
scopes with the owner's **current** account permissions on every request, so a 
token is never a cached snapshot — lose a permission upstream and all your 
tokens lose it on their next request, nothing to evict. Also spelled out that 
tokens are opt-in/disabled by default and that enabling them on a shared 
instance is a deployment decision (for ASF, coordinate with Infra).
   
   **New — two ways to cut off all of a user's tokens** (for the "upstream 
credentials were reset/compromised" case):
   - `tokens.revoke_on_identity_change` (config, default **on**): on login, if 
the user's OAuth identity/permissions differ from what we stored, all their 
tokens are purged automatically. This is the "if the auth interface supports 
it, do it automatically" path — we detect it by comparing the stored OAuth 
payload (minus volatile secrets/timestamps) with the fresh one.
   - `mgmt.json` `token_purge` admin action (by `cid` or `email`): a manual 
override for when you can't wait for the next login. Audit-logged as 
`token_purge`.
   
   Both are least-surprise: neither depends on the cache TTL (immediate with 
the default `cache_ttl: 0`), and a token can never do more than the account 
currently can regardless. Unit tests added for the identity-fingerprint and 
purge helpers; `mypy` / `pylint` (10/10) / `pytest` green.
   
   Still a single source-only commit — generated build files remain out, as 
discussed above.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to