Skip to content

First-class API tokens and SPA authentication #35

Description

@eaguad1337

Problem

API authentication is limited to a single JWT guard. There are no token abilities/scopes, no token lifecycle management, and no stateful guard for first-party single-page apps.

Proposal

First-class API tokens and SPA authentication:

  • Personal access tokens with scopes/abilities, stored and hashed, with issue / revoke / expire.
  • A token guard that authorizes requests by ability.
  • A stateful guard for first-party SPAs (session cookie + CSRF) so a same-domain frontend authenticates without bearer tokens.
  • Documented refresh patterns.

Scope

Token model + migration, guards, scope checks, management commands/API.

Definition of Done

  • Implementation building on the existing API guard and authentication layer.
  • pytest covers token issue/revoke/expiry, ability checks, and the stateful SPA guard (suite green).
  • Docs page + nav entry; security considerations documented.
  • Release notes entry.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:authAuthentication & authorizationenhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions