Based on the Mercure specification:

If `mercure.publish`:
- is not defined, then the publisher MUST NOT be authorized to dispatch any update
- contains an empty array, the publisher MUST NOT be authorized to publish private updates, but can publish public updates for all topics.

The current implementation of Token Factory makes every token contain an array under the `publish` key. In other words, the most restrictive token possible still allows publishing public updates for all topics.

We need a possibility to set `publish` to either null (and remove the `publish` key from the token) or an empty array.
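
The difference between the two quoted cases, as an added Python sketch that is not the Token Factory's code: `build_mercure_claim`, `may_publish` and the `always_array` switch are hypothetical names, and matching against a non-empty array is simplified to exact topic strings.

```python
from typing import List, Optional


def build_mercure_claim(publish: Optional[List[str]], always_array: bool) -> dict:
    """Build the 'mercure' claim of a publisher token (hypothetical helper).

    always_array=True models the behaviour described above: the 'publish'
    key is always present and always an array.
    always_array=False models the requested behaviour: None removes the key,
    while an empty list is kept as an empty array.
    """
    claim: dict = {}
    if always_array:
        claim["publish"] = list(publish or [])
    elif publish is not None:
        claim["publish"] = list(publish)
    return claim


def may_publish(claim: dict, topic: str, private: bool) -> bool:
    """Hub-side decision following the two rules quoted from the specification."""
    if claim.get("publish") is None:
        # Rule 1: 'publish' not defined, so no update may be dispatched at all.
        return False
    if not private:
        # Rule 2: with 'publish' present (even empty), public updates are
        # allowed for all topics.
        return True
    # Assumption, not stated on the page: a private update needs its topic
    # listed verbatim in 'publish'. An empty array therefore never matches.
    return topic in claim["publish"]


if __name__ == "__main__":
    topic = "https://example.com/books/1"  # constructed sample topic
    for label, always_array in (("current", True), ("requested", False)):
        claim = build_mercure_claim(None, always_array)
        print(label, claim,
              "public:", may_publish(claim, topic, private=False),
              "private:", may_publish(claim, topic, private=True))
```

With `always_array=True` the most restrictive claim is `{"publish": []}`, which still passes the public check; only the variant that drops the key denies every update.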