Kim Alvefur <zash@zash.se> [Tue, 28 Mar 2023 11:42:09 +0200] rev 13008
teal-src/README: Tweak markdown syntax
Matthew Wild <mwild1@gmail.com> [Tue, 28 Mar 2023 10:43:09 +0100] rev 13007
mod_tokenauth: Fire events on grant creation and revocation
Kim Alvefur <zash@zash.se> [Tue, 28 Mar 2023 11:27:05 +0200] rev 13006
teal-src: Add a README with a few pointers to get started
Matthew Wild <mwild1@gmail.com> [Tue, 28 Mar 2023 10:22:55 +0100] rev 13005
teal-src: Add keyval+ store type
Kim Alvefur <zash@zash.se> [Tue, 28 Mar 2023 00:30:18 +0200] rev 13004
mod_tokenauth: Fix storage API mistake in revocation
Matthew Wild <mwild1@gmail.com> [Mon, 27 Mar 2023 20:51:07 +0100] rev 13003
mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
Matthew Wild <mwild1@gmail.com> [Mon, 27 Mar 2023 18:35:57 +0100] rev 13002
mod_tokenauth: Refactor API to separate tokens and grants
This is another iteration on top of the previous sub-tokens work. Essentially,
the concept of a "parent token" has been replaced with the concept of a
"grant" to which all tokens now belong. The grant does not have any tokens
when first created, but the create_token() call can add them.
Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 16:46:48 +0100] rev 13001
mod_tokenauth: Support for creating sub-tokens
Properties of sub-tokens:
- They share the same id as their parent token
- Sub-tokens may not have their own sub-tokens (but may have sibling tokens)
- They always have the same or shorter lifetime compared to their parent token
- Revoking a parent token revokes all sub-tokens
- Sub-tokens always have the same JID as the parent token
- They do not have their own 'accessed' property - accessing a sub-token
updates the parent token's accessed time
Although this is a generic API, it is designed to at least fill the needs of
OAuth2 refresh + access tokens (where the parent token is the refresh token
and the sub-tokens are access tokens).
Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 15:53:27 +0100] rev 13000
mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 14:06:04 +0100] rev 12999
moduleapi: Add 'peek' to :may() and new :could() helper to suppress logging
The current method logs scary "access denied" messages on failure - this is
generally very useful when debugging access control stuff, but in some cases
the call is simply a check to see if someone *could* perform an action, even
if they haven't requested it yet. One example is determining whether to show
the user as an admin in disco.
The 'peek' parameter, if true, will suppress such logging.
The :could() method is just a simple helper that can make the calling code a
bit more readable (suggested by Zash).