Open tronghm88 opened 3 years ago
Agent comment from Zachery Converse in Zendesk ticket #13574:
Hello,
Thanks for reaching out to Stream! I'll look into this and get back to you.
Feel free to let us know if you have any additional information or questions.
Cheers,
-Zachery
Getstream.io
°°°
Agent comment from Zachery Converse in Zendesk ticket #13574:
Hi,
Tokens are unique to each user and not used to control permissions. Permissions are defined at a Feed Group level. invokeUserToken does not exist for the feeds product.
These docs are quite good at explaining these premises.
It is possible to add expiration logic to a token: Token Expiration/Refreshing - Feeds
This article is also quite useful: I'm receiving HTTP 403 Errors in my Feeds App
Feel free to let me know if you have any questions.
Cheers,
-Zachery
Getstream.io
°°°
Thanks so much for your answer. But I'm still confused.
not used to control permissions. Permissions are defined at a Feed Group level.
I read this document
https://getstream.io/activity-feeds/docs/javascript/auth_and_permissions/?language=javascript
and the Authentication section of the REST document
https://getstream.io/docs_rest/
I understand that if we add permission scopes to the JWT token payload, we can control user permissions if the client uses the tokens to call the Stream API directly. Pardon me, but I haven't found a document about "Permissions are defined at a Feed Group level." Can you share a link with me?
{ "resource": "*", "action": "read", "feed_id": "user1, user2" }
At this moment, the client can read the feeds of both user 1 and user 2, right?
Because of our business, one day my backend must deny the above user so that he can't read the feed of user 2 anymore. So we must regenerate a new token with the scope below:
{ "resource": "*", "action": "read", "feed_id": "user1" }
and send it to the client.
But somehow, we want the old token to be invalidated/revoked immediately, because it may take a day until the old token expires. Looking forward to your reply. Thank you so so much.
One more problem: if I use the permission scope as above, the client cannot use tokens with the permission scope to get reactions of activities even if those activities are theirs.
Hi there. I'm facing a problem: I want to invoke a user token to make it unable to call the Stream API from clients. I searched your documents and saw that the Chat Client has an invokeUserToken function but the Activities Feed Client doesn't. My context is:
First, I generate a user token on the server side and make it able to READ 2 feed groups: GROUP_1 and GROUP_2. Then I send the token to the client to let the client connect to the Stream API directly. Then I generate a new token and make it able to feed only one group, group 1. So I need to generate a new token, then send it to the client one more time. As for the old token, I want to force it to expire or block it in some way so that the user cannot use the old token to access group 2. Please tell me how I can implement this logic?
Thanks for super great thing.
gz#13574
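The scoped-token scenario from this thread, as an added example that is not part of the thread and is not Stream's code: it shows why a re-issued narrower token does not disable the older one, and how a short `exp` bounds that window. Assumptions: `mintScopedToken` and `checkRead` are hypothetical helpers, `checkRead` is a local stand-in for the API side, the `user_id` claim and the secret are constructed, and `exp` is the standard JWT expiry claim.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sign = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Mint an HS256 JWT carrying the scope claims quoted in the thread plus `exp`.
// `now` and `ttlSeconds` are in seconds; `user_id` is an assumed claim name.
function mintScopedToken(secret, userId, feedIds, ttlSeconds, now) {
  const header = b64url({ alg: 'HS256', typ: 'JWT' });
  const payload = b64url({
    user_id: userId, resource: '*', action: 'read',
    feed_id: feedIds.join(', '), exp: now + ttlSeconds,
  });
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// Stand-in verifier: signature first, then expiry, then the feed_id scope.
function checkRead(token, secret, feedId, now) {
  const [header, payload, sig] = String(token).split('.');
  if (!header || !payload || !sig) return 'malformed';
  const expected = Buffer.from(sign(`${header}.${payload}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return 'bad-signature';
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (typeof claims.exp !== 'number' || now >= claims.exp) return 'expired';
  const allowed = String(claims.feed_id).split(',').map((s) => s.trim());
  return claims.action === 'read' && allowed.includes(feedId) ? 'allowed' : 'denied';
}

// Constructed sample values.
const SECRET = 'constructed-demo-secret';
const T0 = 1700000000;           // time the first token is issued
const LATER = T0 + 3600;         // backend narrows the scope one hour later

const dayToken = mintScopedToken(SECRET, 'user1', ['user1', 'user2'], 86400, T0);
const narrowed = mintScopedToken(SECRET, 'user1', ['user1'], 86400, LATER);
const fiveMin = mintScopedToken(SECRET, 'user1', ['user1', 'user2'], 300, T0);

// The one-day token still reads user2 after the narrower one is issued;
// the five-minute token has already expired by then.
console.log(checkRead(dayToken, SECRET, 'user2', LATER));
console.log(checkRead(narrowed, SECRET, 'user2', LATER));
console.log(checkRead(fiveMin, SECRET, 'user2', LATER));
```

With a token lifetime of a day, the old scope stays usable for up to a day after the change; with a lifetime of minutes plus a refresh endpoint on the backend, the change takes effect at the next refresh.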