SimonWoolf
commented
2 months ago I originally had this as adding a new RSA7f and deprecating RSA7e for <=3.0.0. But I've changed my mind, now just editing RSA7e in-place. Having RSA7e claim to be valid for <=3.0.0 ignores the reality that no SDK actually implemented RSA7e as written, so may as well change it to just reflect what they actually do
Previous RSA7e said to only send clientId in the querystring & x-ably-clientid header in rest reqs if using basic auth. Which is just wrong, and not what any sdk does. (ably-js sends it unconditionally, ably-ruby sends it if token auth is used and it can see that the token has a wildcard client -- which is still wrong because the sdk might not know what the token clientId is if it's fed an opaque token string).
internal discussion: https://ably-real-time.slack.com/archives/C8SPU4589/p1720167508719079
(could argue this is a semver breaking change... but given no SDK actually implemented the previous spec as written, in practice it isn't)