Problem
API authentication is limited to a single JWT guard. There are no token abilities/scopes, no token lifecycle management, and no stateful guard for first-party single-page apps.
Proposal
First-class API tokens and SPA authentication:
- Personal access tokens with scopes/abilities, stored and hashed, with issue / revoke / expire.
- A token guard that authorizes requests by ability.
- A stateful guard for first-party SPAs (session cookie + CSRF) so a same-domain frontend authenticates without bearer tokens.
- Documented refresh patterns.
Scope
Token model + migration, guards, scope checks, management commands/API.
Definition of Done
Problem
API authentication is limited to a single JWT guard. There are no token abilities/scopes, no token lifecycle management, and no stateful guard for first-party single-page apps.
Proposal
First-class API tokens and SPA authentication:
Scope
Token model + migration, guards, scope checks, management commands/API.
Definition of Done
pytestcovers token issue/revoke/expiry, ability checks, and the stateful SPA guard (suite green).