tolgee / tolgee-platform

Developer & translator friendly web-based localization platform
https://tolgee.io

delete project via API #2306

Open vetrivelavan opened 3 months ago

vetrivelavan commented 3 months ago

We want to delete projects via API. Currently the DELETE /v2/projects/:projectId endpoint uses @RequiresSuperAuthentication (super admin token) for authentication. Can we use @AllowApiAccess(tokenType = AuthTokenType.ONLY_PAT) instead of superadmin?

If so, should I change it in this file: backend/api/src/main/kotlin/io/tolgee/api/v2/controllers/V2ProjectsController.kt?

JanCizmar commented 3 months ago

Hey! I guess we have to reconsider how the API security works. We wanted to protect this kind of sensitive operation so an attacker cannot perform it when the key leaks, but maybe this is not the way it should be designed.

Maybe we can add some "allow sensitive operations" to PAT? @cyyynthia

cyyynthia commented 3 months ago

If we add such capabilities to PATs, I think the PATs should have a new scope allowing for super operations to be done, and must have an expiry date set (no "super" PAT without an expiry or that expires in a very long time).

Such expiry restrictions may be annoying for some automations, though 🤔

JanCizmar commented 3 months ago

There are no scopes for PATs so far.

vetrivelavan commented 3 months ago

Thanks for the reply. Since there is no scope for PAT here, and it is a very rare use case in our project, we decided to delete it manually.
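The policy sketched in cyyynthia's comment (a PAT may perform a sensitive operation such as project deletion only if it carries a dedicated "super" scope, has an expiry set, and that expiry is not far in the future) as an added, stand-alone Python example; this is not Tolgee code, the token model, the "super" scope name and the 30-day bound are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Assumed policy value: a "super" PAT may be valid for at most this long.
MAX_SUPER_PAT_VALIDITY = timedelta(days=30)

# Constructed reference clock so the checks below are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Token:
    kind: str                           # "super_auth" (admin re-auth) or "pat"
    scopes: frozenset                   # assumed scope set; "super" unlocks sensitive ops
    expires_at: Optional[datetime] = None   # None means the token never expires


def can_delete_project(token: Token, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Denies by default; every branch names why."""
    if token.kind == "super_auth":
        return True, "super authentication"
    if token.kind != "pat":
        return False, "unknown token type"
    if "super" not in token.scopes:
        return False, "PAT lacks 'super' scope"
    if token.expires_at is None:
        return False, "super PAT must have an expiry"
    if token.expires_at <= now:
        return False, "PAT expired"
    if token.expires_at - now > MAX_SUPER_PAT_VALIDITY:
        return False, "super PAT expiry too far in the future"
    return True, "scoped, time-limited PAT"


def evaluate(kind: str, scopes: Iterable[str] = (), expires_in_days: Optional[int] = None,
             now: datetime = NOW) -> Tuple[bool, str]:
    """Convenience wrapper: build a Token whose expiry is `now + expires_in_days`."""
    expires_at = None if expires_in_days is None else now + timedelta(days=expires_in_days)
    return can_delete_project(Token(kind, frozenset(scopes), expires_at), now)


if __name__ == "__main__":
    for case in [("super_auth", (), None), ("pat", ("translations.edit",), 7),
                 ("pat", ("super",), None), ("pat", ("super",), 400), ("pat", ("super",), 7)]:
        print(case, "->", evaluate(*case))
```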