[ ] allow role: facility-operators to add / remove users from per project long-lived token COU
[ ] add new endpoint /projects/{uuid}/extended-token-holders - details TBD ...
[ ] add logging event when a user is added / removed from long-lived token COU
[ ] TODO: figure out mechanism to remove user from COU {project_uuid}-tk if their token is revoked - requires facility-operators role, but could find alternative for CM if needed
Regarding long-lived tokens:
Max token lifetime to be set at 9 weeks until we try it for a bit - may set longer after a while
Long-lived token role should be within a project - like project member or project owner. Granting long-lived token role irrespective of a project is too open. The role should be granted by a facility operator. This way this role goes away when a project goes away.
Logging for user actions should include the hash of the token whenever a token is used in an API call (in addition to their email, etc., that we have defined in the log format)
Revoking a token should be available to the token owner but also to a facility operator
replaced by #41
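The rules listed above (9-week cap, project-scoped COU, revocation by owner or facility operator, token hash in every log event) can be sketched as follows. This is an added example, not the project's code; SHA-256, the JSON log fields, the function names, and modelling COU membership as strings in a set are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(weeks=9)      # cap stated in the issue
OPERATOR_ROLE = "facility-operators"   # role name from the issue


def token_hash(token: str) -> str:
    """Hex digest used in logs (SHA-256 is an assumption); the raw token is never logged."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_cou(project_uuid: str) -> str:
    """Per-project long-lived token COU name, {project_uuid}-tk."""
    return f"{project_uuid}-tk"


def may_issue(roles: set, project_uuid: str, lifetime: timedelta) -> bool:
    """Issue only to members of the project's -tk COU, within the lifetime cap."""
    in_cou = token_cou(project_uuid) in roles
    return in_cou and timedelta(0) < lifetime <= MAX_LIFETIME


def may_revoke(actor_email: str, actor_roles: set, owner_email: str) -> bool:
    """Revocation is open to the token owner and to facility operators."""
    return actor_email == owner_email or OPERATOR_ROLE in actor_roles


def log_event(action: str, email: str, token: str, now: datetime) -> str:
    """One JSON line per API call; field names are hypothetical."""
    return json.dumps({
        "ts": now.isoformat(),
        "action": action,
        "email": email,
        "token_hash": token_hash(token),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(log_event("GET /projects", "user@example.org", "constructed-token",
                    datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

Because the COU name embeds the project UUID, deleting the project's COU removes the long-lived token role with it, which matches the scoping argument in the issue.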
Long-lived tokens