potiuk commented on PR #321: URL: https://github.com/apache/incubator-ponymail-foal/pull/321#issuecomment-4892216011
Pushed an update (amended the single commit): **Docs — clarified the permission model.** Made explicit in `API.md` that a scope is a *wish, not a stored grant*: the server re-intersects a token's scopes with the owner's **current** account permissions on every request, so a token is never a cached snapshot — lose a permission upstream and all your tokens lose it on their next request, nothing to evict. Also spelled out that tokens are opt-in/disabled by default and that enabling them on a shared instance is a deployment decision (for ASF, coordinate with Infra). **New — two ways to cut off all of a user's tokens** (for the "upstream credentials were reset/compromised" case): - `tokens.revoke_on_identity_change` (config, default **on**): on login, if the user's OAuth identity/permissions differ from what we stored, all their tokens are purged automatically. This is the "if the auth interface supports it, do it automatically" path — we detect it by comparing the stored OAuth payload (minus volatile secrets/timestamps) with the fresh one. - `mgmt.json` `token_purge` admin action (by `cid` or `email`): a manual override for when you can't wait for the next login. Audit-logged as `token_purge`. Both are least-surprise: neither depends on the cache TTL (immediate with the default `cache_ttl: 0`), and a token can never do more than the account currently can regardless. Unit tests added for the identity-fingerprint and purge helpers; `mypy` / `pylint` (10/10) / `pytest` green. Still a single source-only commit — generated build files remain out, as discussed above. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
