Native clients (Android/Flatpak) can't manage Personal Access Tokens #386
### Problem

The PAT management endpoints — `GET`/`POST /api/account/tokens` and `DELETE /api/account/tokens/{id}` — gate on a cookie session (`getSession(req)`, session-only by ADR-0021). Native clients (Android, Linux Flatpak) authenticate with the native bearer access token (`cat_…`, ADR-0027) and have no cookie, so the account → tokens screen 401s on those platforms. The client UI (`apps/client/app/(app)/account.tsx`) exists and works on web; it's simply locked out natively.

### Why session-only was chosen, and why it's now too strict

ADR-0021's threat model is "a stolen PAT shouldn't infinitely re-provision itself" — so PAT auth is refused on token-management. That carve-out predates native access tokens (ADR-0027). The `cat_` access token is the interactive-sign-in equivalent of a cookie session: short-lived (15-min TTL), minted only by the `password` or OAuth `authorization_code` grant on `POST /api/auth/token`. Admitting it preserves the threat model exactly — a stolen PAT still can't mint or revoke PATs.

### Fix

Accept interactive credentials (cookie session or native access token) on the three token-management handlers; keep rejecting PATs.

- `apps/api/lib/auth/identity.ts`: add `getInteractiveIdentity(req)` — returns the identity for `session`/`access_token`, null for `pat` and unauthenticated.
- `getSession` → `getInteractiveIdentity`.
- `accessTokenAuth` scheme so the three routes advertise cookie or native access token, not PAT, accurately; regenerate `openapi.json` + `@carol/api-client`.
- (`tests/api/account-tokens.test.ts`): access token can list/create/revoke; PAT bearer is rejected 401 on all three.

No client change needed — the screen starts working natively once the endpoints accept the access token.
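An added example (not the project's code) of the gate the Fix describes: one classifier that resolves a request to a `session`, `access_token` or `pat` identity, and `getInteractiveIdentity` on top of it that admits only the first two. The request shape, the in-memory credential stores, the cookie name, the `pat_` prefix and the expiry timestamps are assumptions for illustration; the `cat_` prefix and 15-minute TTL come from the issue.

```typescript
// Added example, not the project's code: an interactive-only auth gate for
// the token-management handlers. Stores and request shape are constructed.
type Kind = "session" | "access_token" | "pat";
interface Identity { userId: string; kind: Kind; }
interface Req {
  headers: Record<string, string>; // lowercase header names
  now?: number;                    // assumed injectable clock (ms) for testing
}

// Constructed stand-ins for the session/token tables.
const SESSIONS: Record<string, string> = { sess_abc: "u1" };
// Access tokens are short-lived (15-min TTL per the issue); expiry is checked here.
const ACCESS_TOKENS: Record<string, { userId: string; expiresAt: number }> = {
  cat_live1: { userId: "u1", expiresAt: 2000000 },
  cat_old:   { userId: "u1", expiresAt: 1000 },
};
const PATS: Record<string, string> = { pat_placeholder: "u1" }; // assumed prefix

function getCookie(req: Req, name: string): string | null {
  for (const part of (req.headers["cookie"] ?? "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Resolve any credential to an identity, tagging how it authenticated.
function authenticate(req: Req): Identity | null {
  const sid = getCookie(req, "session");
  if (sid && SESSIONS[sid]) return { userId: SESSIONS[sid], kind: "session" };
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers["authorization"] ?? "");
  if (!m) return null;
  const tok = m[1];
  if (tok.startsWith("cat_")) {
    const rec = ACCESS_TOKENS[tok];
    if (!rec || rec.expiresAt <= (req.now ?? Date.now())) return null; // expired
    return { userId: rec.userId, kind: "access_token" };
  }
  return PATS[tok] ? { userId: PATS[tok], kind: "pat" } : null;
}

// The gate proposed in the issue: identity for session/access_token,
// null for pat and for unauthenticated requests.
function getInteractiveIdentity(req: Req): Identity | null {
  const id = authenticate(req);
  return !id || id.kind === "pat" ? null : id;
}

// Handler skeleton for the three token-management routes: 401 unless interactive.
function listTokensHandler(req: Req): { status: number; body?: unknown } {
  const id = getInteractiveIdentity(req);
  return id ? { status: 200, body: { userId: id.userId } } : { status: 401 };
}
```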