feat: allow configurable tokens in nextjs app example #666
Conversation
| export const tokenPermissions: TokenScope = { | ||
| permissions: [ | ||
| { | ||
| role: CacheRole.ReadWrite, |
There was a problem hiding this comment.
This would actually be cool to be part of the api, maybe query params or something. The user could select a cache and a topic, and then we can make a request to get a scoped token for that specific cache and topic
There was a problem hiding this comment.
Would that be similar to this?
Would there need to be a way to stack multiple permissions though?
There was a problem hiding this comment.
Well I was thinking for the demo would be cool for it to just scope it down as low as possible. But we could also just accept a post body of all the permissions that the user wants the token to have
There was a problem hiding this comment.
I think the point of Anita's config file is to show app owners/maintainers how to restrict the scope (at app deploy time) so that the browser can't get tokens that have permissions to unexpected/unwanted caches. If we make it super dynamic then it's not really that different from just giving out an AllDataReadWrite token.
We can discuss this more for follow-up PRs, if there is something dynamic that is cool and worth demo'ing I'm open to talking about it! But for now this is more about showing how to make it secure.
There was a problem hiding this comment.
I think the issue that I see here is that now the demo only works if a user has a cause default-cache already created
There was a problem hiding this comment.
yeah I agree with that Matt, see my other comment and see if that addresses your concern
There was a problem hiding this comment.
tbh i wonder if we should just take the cache chooser out of the app. doesn't have to be in this PR but just thinking.
Addresses the first part of #385 but this time for the NextJS example app. Since we're really just setting two variables, I figured it would be overkill to try to extract the same code into a separate SDK function or library, but open to suggestions!
Similar to #663, I created a new config file where users can specify token permissions and expiry before deploying the token vending machine. Instructions are in the README and examples are in the
src/app/api/momento/token/config.tsfile. (I am also open to moving the config file out of the token directory. My first thought was that keeping them together would make more sense but if it seems too difficult for people to find, definitely open to moving it.)