[x] allow role: facility-operators to add / remove users from COU {uuid}-tk on a per project basis
[x] new endpoints
[x] PATCH /projects/{uuid}/token-holders?operation=add - add a single user to the long-lived token holders role (return 204 or error)
[x] PATCH /projects/{uuid}/token-holders?operation=remove - remove a single user from the long-lived token holders role (return 204 or error)
[x] PATCH /projects/{uuid}/token-holders?operation=batch - batch update a set of users in the long-lived token holders role (return 204 or error)
[x] add logging event when a user is added / removed from long-lived token COU
[x] if a user is no longer in -pc, -pm, or -po then they cannot remain in the COU -tk
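Added illustrative example (not the project's own code) of the checklist above: an in-memory stand-in for the per-project COUs, a handler for the three PATCH operations that is restricted to facility-operators, returns 204 or an error, logs every add/remove, and refuses to add anyone who is not already -pc, -pm or -po, plus a reconcile step that drops -tk members who have lost those roles. The body shapes (a list of e-mails for add/remove, `{"add": [...], "remove": [...]}` for batch), the role name `facility-operators` and the `Project`/`ApiError` classes are assumptions made for the example.

```python
# Added illustrative example, not the project's own code: an in-memory model of
# the per-project COUs and a handler implementing the three PATCH operations.
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("token-holders")

# Assumption: COU names are "{project uuid}{suffix}"; a user must already be in
# one of the -pc/-pm/-po COUs of the project to be eligible for its -tk COU.
ELIGIBLE_SUFFIXES = ("-pc", "-pm", "-po")
TOKEN_COU = "-tk"
OPERATOR_ROLE = "facility-operators"  # assumed role name


class ApiError(Exception):
    """Error response: the HTTP status and a short detail string."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


@dataclass
class Project:
    uuid: str
    # suffix -> set of member e-mails (constructed stand-in for the COU backend)
    cous: Dict[str, Set[str]] = field(default_factory=dict)

    def members(self, suffix: str) -> Set[str]:
        return self.cous.setdefault(suffix, set())

    def eligible_for_tk(self, user: str) -> bool:
        return any(user in self.members(s) for s in ELIGIBLE_SUFFIXES)


def _log_event(project: Project, actor: str, action: str, user: str) -> None:
    # Logging event for every add / remove on the long-lived token COU.
    log.info("event=%s cou=%s%s user=%s actor=%s",
             action, project.uuid, TOKEN_COU, user, actor)


def patch_token_holders(project: Project, caller_roles: Set[str], operation: str,
                        body: Union[List[str], Dict[str, List[str]]], actor: str) -> int:
    """Handler for PATCH /projects/{uuid}/token-holders?operation=add|remove|batch.

    Returns 204 on success; raises ApiError for the error cases.
    Assumed body shapes: a list of e-mails for add/remove, and
    {"add": [...], "remove": [...]} for batch.
    """
    if OPERATOR_ROLE not in caller_roles:
        raise ApiError(403, "only facility-operators may change token holders")
    if operation == "add":
        adds, removes = list(body), []
    elif operation == "remove":
        adds, removes = [], list(body)
    elif operation == "batch":
        adds, removes = list(body.get("add", [])), list(body.get("remove", []))
    else:
        raise ApiError(400, f"unknown operation {operation!r}")

    # Validate everything before mutating so a batch is all-or-nothing.
    ineligible = [u for u in adds if not project.eligible_for_tk(u)]
    if ineligible:
        raise ApiError(422, f"not a -pc/-pm/-po member of {project.uuid}: {ineligible}")

    tk = project.members(TOKEN_COU)
    for u in adds:
        if u not in tk:
            tk.add(u)
            _log_event(project, actor, "add-token-holder", u)
    for u in removes:
        if u in tk:
            tk.remove(u)
            _log_event(project, actor, "remove-token-holder", u)
    return 204


def reconcile_token_holders(project: Project, actor: str = "system") -> List[str]:
    """Drop -tk members who are no longer -pc, -pm or -po; returns who was dropped."""
    stale = sorted(u for u in project.members(TOKEN_COU) if not project.eligible_for_tk(u))
    for u in stale:
        project.members(TOKEN_COU).remove(u)
        _log_event(project, actor, "remove-token-holder", u)
    return stale
```

Validating the whole batch before touching the COU keeps a partially applied batch from leaving the project in a state the 204 response would misrepresent; `reconcile_token_holders` is the hook to run whenever someone is removed from -pc, -pm or -po.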
Regarding long-lived tokens:
Max token lifetime to be set at 9 weeks until we have tried it for a bit; may be set longer after a while
Long-lived token role should be within a project - like project member or project owner. Granting long-lived token role irrespective of a project is too open. The role should be granted by a facility operator. This way this role goes away when a project goes away.
Logging for user actions should include the hash of the token whenever a token is used in an API call (in addition to their email etc we have defined in the log format)
Revoking a token should be available to the token owner but also to a facility operator
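Added illustrative example (not the project's own code) of the notes above: a token store that keeps only the SHA-256 hash of each long-lived token, caps the lifetime at 9 weeks, writes the token hash (never the raw token) alongside the user e-mail into every log line for issue, use and revocation, and allows revocation by the token owner or a facility operator. The `TokenStore` API, the log line format and the role name `facility-operators` are assumptions made for the example; the hash is SHA-256 because the notes do not name one.

```python
# Added illustrative example, not the project's own code: long-lived token
# records keyed by token hash, the 9-week lifetime cap, hashed-token logging and
# revocation by the owner or a facility operator.
import hashlib
import logging
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("tokens")

MAX_LIFETIME = timedelta(weeks=9)     # the initial cap from the notes above
OPERATOR_ROLE = "facility-operators"  # assumed role name, as in the checklist


def token_hash(raw_token: str) -> str:
    """SHA-256 of the bearer token; this is what goes into logs and storage."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    hash: str
    owner: str          # e-mail of the token holder
    project_uuid: str   # the role is scoped to a project
    expires_at: datetime
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, TokenRecord] = {}

    def issue(self, owner: str, project_uuid: str, lifetime: timedelta,
              now: Optional[datetime] = None) -> str:
        """Issue a token; the raw value is returned once and only its hash is kept."""
        if lifetime > MAX_LIFETIME:
            raise ValueError(f"lifetime {lifetime} exceeds cap of {MAX_LIFETIME}")
        now = now or datetime.now(timezone.utc)
        raw = secrets.token_urlsafe(32)
        rec = TokenRecord(token_hash(raw), owner, project_uuid, now + lifetime)
        self._by_hash[rec.hash] = rec
        log.info("event=token-issued user=%s project=%s token_sha256=%s expires=%s",
                 owner, project_uuid, rec.hash, rec.expires_at.isoformat())
        return raw

    def validate(self, raw: str, now: Optional[datetime] = None) -> Optional[TokenRecord]:
        """Check a presented token; every attempt is logged with the token hash."""
        now = now or datetime.now(timezone.utc)
        h = token_hash(raw)
        rec = self._by_hash.get(h)
        if rec is None:
            result = "unknown"
        elif rec.revoked:
            result = "revoked"
        elif now >= rec.expires_at:
            result = "expired"
        else:
            result = "ok"
        log.info("event=api-call user=%s project=%s token_sha256=%s result=%s",
                 rec.owner if rec else "-", rec.project_uuid if rec else "-", h, result)
        return rec if result == "ok" else None

    def revoke(self, h: str, caller: str, caller_roles: Set[str]) -> bool:
        """Revoke by hash; allowed for the owner or a facility operator."""
        rec = self._by_hash.get(h)
        if rec is None:
            raise KeyError("unknown token hash")
        if caller != rec.owner and OPERATOR_ROLE not in caller_roles:
            raise PermissionError(f"{caller} may not revoke a token owned by {rec.owner}")
        rec.revoked = True
        log.info("event=token-revoked user=%s project=%s token_sha256=%s actor=%s",
                 rec.owner, rec.project_uuid, h, caller)
        return True
```

Because the store and the logs only ever see the hash, a leaked log or database dump does not hand out usable bearer tokens, while the hash is still a stable identifier for correlating an incident with the revoke call that ends it.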
Long Lived Tokens
replaces #35