CodeMyst/pastemyst

[feature] scope based auth tokens

ANF-Studios opened this issue · 8 comments

Is your feature request related to a problem? Please describe.
I've been wondering: what if the user wants to only provide specific permissions through their authorization token? For example, say I want the auth token not to have permission to delete pastes, for security reasons; the user would simply untick that permission from their auth key.

Describe the solution you'd like
A specific set of permissions defining what the user token is allowed to do. Maybe even with multiple different tokens.

Describe alternatives you've considered
I'm also wondering how you would go about implementing a password-based auth system. There would be a base token like the current one with every permission, and you could make new permission-based passwords, which are the same thing as tokens except they are a password with specific permissions, including max.

Additional context
Some inspiration can be gained from GitHub's user auth system.

I don't really have any experience with that GitHub user auth system thing, but what exactly would one benefit? I mean, isn't the key supposed to be kept a secret anyway? So only you would know it, and why would you want to limit yourself like that? Not sure if I misunderstood or missed something, so sorry if I did.

Please see that example I mentioned initially. The main advantage for this would be security, nothing more. I personally think this issue should be implemented in v3.X.0 though.

Yeah, I read that, but I was asking which benefits it would have. I can't seem to think of a use case for that, so that's why I was asking.

If you had an application that got all your user pastes in order of most stars to least using tokens, all it would need is access to paste data. Now, if the application is closed source, it could pose a security risk: what if the application did something malicious with the ability to access all aspects of your account? But if you generated a token which only allowed access to a user's paste data, that eliminates that security risk. I think that's what ANF was trying to get at, and to be frank, I agree with this being added in the v3 API.

This is an issue of what an API token actually is, and it's implemented in a "poor" way currently.

API tokens usually just identify the user/program who wants to call the API, and not the user of your application.

The way this should have been done is with OAuth for apps, so your custom app that uses pastemyst will open the browser, through which the user will authenticate and allow the app to access the user's profile (with specific permissions). And this is probably how it will be done in v3.

For now the API token will continue being all powerful.
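The scoped-token idea from the thread (a read-only "list my pastes" token next to today's all-powerful one) as an added example, not code from the pastemyst project. Scope names, routes and the store are assumptions for illustration; only a hash of each issued token is kept server-side, so a leaked database does not leak usable tokens.

```python
import hashlib
import secrets

# Assumed scope names, not the project's own.
ALL_SCOPES = frozenset({"paste:read", "paste:write", "paste:delete", "user:read"})

# Constructed endpoint table: which scope each (method, route) requires.
# Routes are illustrative, not the real pastemyst API.
ENDPOINT_SCOPES = {
    ("GET", "/api/user/pastes"): "paste:read",
    ("POST", "/api/paste"): "paste:write",
    ("DELETE", "/api/paste"): "paste:delete",
}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Issues tokens with a fixed scope set; stores only the SHA-256 of each token."""
    def __init__(self):
        self._tokens = {}  # sha256 hex digest -> frozenset of scopes

    def issue(self, scopes):
        unknown = set(scopes) - ALL_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = frozenset(scopes)
        return token  # shown to the user once; never stored in clear

    def scopes_for(self, token):
        return self._tokens.get(_digest(token))  # None if the token is unknown

def handle(store, token, method, route):
    """HTTP-style status for a request made with `token`."""
    required = ENDPOINT_SCOPES.get((method, route))
    if required is None:
        return 404
    scopes = store.scopes_for(token)
    if scopes is None:
        return 401  # unknown token
    if required not in scopes:
        return 403  # valid token, but it was not granted this scope
    return 200

def demo():
    store = TokenStore()
    full = store.issue(ALL_SCOPES)           # today's all-powerful token
    readonly = store.issue({"paste:read"})   # the "list my pastes" app from the thread
    return {
        "full_delete": handle(store, full, "DELETE", "/api/paste"),
        "readonly_list": handle(store, readonly, "GET", "/api/user/pastes"),
        "readonly_delete": handle(store, readonly, "DELETE", "/api/paste"),
        "unknown_token": handle(store, "not-a-token", "GET", "/api/user/pastes"),
    }
```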

Yes, but wouldn't it be better to just be able to add applications then, with a token, so you don't limit your personal token? And perhaps just remove the personal token completely then.

Yes, that's how it's gonna work.