me-box / zestdb

ZestDB
MIT License

Tokens not checked on observe ? #1

Closed Toshbrown closed 6 years ago

Toshbrown commented 6 years ago

@jptmoore

I might be missing something, but are you verifying the token on the observe endpoint?

https://github.com/jptmoore/zest/blob/master/src/server.re#L493

jptmoore commented 6 years ago

An observe request is just a GET with special options so it is just verified the same as a normal GET, being you are able to read anything from this path once verified. It does not take into account the source of the data being via the store database or the store router. I think it would be good to extend the verification process to take into account this difference and also have knowledge of when operations expire. Macaroon expiry I think would be useful for all operations not just an observe. What do you think?

Toshbrown commented 6 years ago

I think expiry is supported as a caveat in the macaroon, but we're not using them yet.

ACK, I said I might be missing something ;-) Only if the token check passes does it get into the `elseif`.
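The thread above turns on two points: the token must be verified on every request, observe included, and a macaroon expiry caveat could bound how long any operation stays valid. As an added illustration (not Zest's code in server.re and not the macaroon library it uses), here is a minimal HMAC-chained token with method, path and expiry caveats; the caveat syntax, key names and sample values are constructed for the example. It shows why a holder can attenuate a token (add an expiry) but cannot widen it by dropping a caveat.

```python
import hashlib
import hmac


def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str, caveats=()) -> dict:
    """Signature = HMAC chain from the root key over the id and each caveat."""
    sig = _chain(root_key, identifier)
    for c in caveats:
        sig = _chain(sig, c)
    return {"id": identifier, "caveats": list(caveats), "sig": sig}


def attenuate(token: dict, caveat: str) -> dict:
    """Holder adds a caveat without the root key; the chain is one-way, so
    caveats can only ever be added, never removed."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat)}


def verify(root_key: bytes, token: dict, method: str, path: str, now: int):
    """Re-derive the signature, then check every caveat against the request.
    Any malformed or unknown caveat is rejected (fail closed)."""
    sig = _chain(root_key, token["id"])
    for c in token["caveats"]:
        sig = _chain(sig, c)
    if not hmac.compare_digest(sig, token["sig"]):
        return False, "bad signature"
    for c in token["caveats"]:
        parts = c.split(" ", 2)
        if len(parts) != 3:
            return False, f"malformed caveat: {c}"
        key, op, value = parts
        if (key, op) == ("method", "="):
            if value != method:  # observe is checked as the GET it is
                return False, f"method {method} not permitted"
        elif (key, op) == ("path", "="):
            if path != value and not path.startswith(value.rstrip("/") + "/"):
                return False, f"path {path} not permitted"
        elif (key, op) == ("time", "<"):
            if now >= int(value):
                return False, "token expired"
        else:
            return False, f"unknown caveat: {c}"
    return True, "ok"


ROOT_KEY = b"constructed-root-key"  # constructed sample, never a real key
TOKEN = attenuate(mint(ROOT_KEY, "observer-1", ["method = GET", "path = /kv/sensor"]),
                  "time < 2000")  # holder-added expiry (constructed timestamp)
```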