Open notrab opened 2 months ago
If you create a group token with attach permissions, it loses the broad read/write permissions that a regular group token would have.

- `roa` (read-only attach) permission is granted only for the specified databases.
- `rw` (read-write) permission is still associated with the group, but it doesn't seem to grant full access as a regular group token would.

As a user, I would expect that group tokens (with additional attach perms) work as regular group tokens.

Example 1

```
turso group tokens create default
```

```json
{ "gid": "ac4ad387-f52c-4172-bcf0-10e013fa9932", "iat": 1721565683 }
```

✅ Works as expected. Can read/write to DB great-apocalypse

Example 2

```
turso group tokens create default --attach turso-notes
```

```json
{ "iat": 1721566104, "p": { "roa": { "ns": [ "396cda00-807a-4fcb-989c-0a715c52c9f9" ] }, "rw": { "tags": [ "ac4ad387-f52c-4172-bcf0-10e013fa9932" ] } } }
```

❌

```
{"error":"Namespace ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a doesn't exist"}
```

Example 3

```
turso group tokens create default --attach turso-notes,great-apocalypse
```

```json
{ "iat": 1721566219, "p": { "roa": { "ns": [ "396cda00-807a-4fcb-989c-0a715c52c9f9", "ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a" ] }, "rw": { "tags": [ "ac4ad387-f52c-4172-bcf0-10e013fa9932" ] } } }
```

❌

```
{"error":"Not authorized to execute query: Current session doesn't not have Write permission to namespace ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a"}
```
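
Added example, not part of the original issue and not Turso's code: a small claims inspector for checking what scope a token carries before it is deployed, comparing the Example 1 and Example 2 payloads shown above. It assumes the token is a three-part JWT; the helper names and the unsigned sample tokens are constructed for illustration, and only the claim names visible in the issue (`gid`, `p.roa.ns`, `p.rw.tags`) are used.

```python
import base64
import json


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def summarize(claims: dict) -> dict:
    """Describe the scope a payload carries, using only claim names from the issue."""
    p = claims.get("p") or {}
    shape = "group (gid)" if "gid" in claims else "fine-grained (p)" if p else "unknown"
    return {
        "shape": shape,
        "gid": claims.get("gid"),
        "attach_read_only_ns": p.get("roa", {}).get("ns", []),
        "read_write_tags": p.get("rw", {}).get("tags", []),
    }


def lost_group_claim(plain: dict, attach: dict) -> bool:
    """True when the attach token has no top-level gid and carries the
    group id only as an rw tag, the difference visible in the issue."""
    gid = plain.get("gid")
    tags = attach.get("p", {}).get("rw", {}).get("tags", [])
    return gid is not None and "gid" not in attach and gid in tags


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token; header and signature are dummies.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"typ":"JWT"}'), enc(json.dumps(payload).encode()), "sig"])


# Payloads copied from Example 1 and Example 2 of the issue.
PLAIN = {"gid": "ac4ad387-f52c-4172-bcf0-10e013fa9932", "iat": 1721565683}
ATTACH = {"iat": 1721566104,
          "p": {"roa": {"ns": ["396cda00-807a-4fcb-989c-0a715c52c9f9"]},
                "rw": {"tags": ["ac4ad387-f52c-4172-bcf0-10e013fa9932"]}}}

if __name__ == "__main__":
    for name, claims in (("plain", PLAIN), ("attach", ATTACH)):
        print(name, summarize(decode_payload(_fake_jwt(claims))))
    print("gid dropped:", lost_group_claim(PLAIN, ATTACH))
```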