Jeremy Evans f0a9f97e2e Add support for using personal access tokens for api authentication
Previously, API authentication used Rodauth's login and jwt
features, which use a session-based approach, storing session
information in a JWT.

This expands API authentication to also support personal access
tokens.  There can be multiple personal access tokens per account.
Personal access tokens are stored in the ApiKey model, using an
owner_table of accounts.  This does not conflict with existing
ApiKey usage.  I thought of using a separate database table and
model for this, but it would have been very similar to ApiKey,
and it seems simpler to expand ApiKey for this purpose than to
introduce a distinct but very similar concept.

I implemented this as a custom Rodauth feature, but the Rodauth
feature is only partially generic currently.  Potentially, it could
be made fully generic and moved into Rodauth in the future. The
feature is stored in rodauth/features/personal_access_token.rb,
because storing it under lib caused issues with loader.rb's
eager loading.

Personal access tokens do not use sessions, though this does have
rodauth.session return an appropriate hash. As active_sessions
requires a session-based approach, this does not call
rodauth.check_active_session if a personal access token is used.
This is not a loss of security, because you can revoke a personal
access token just like you can revoke an active session.

This does not use custom authorization for personal access tokens.
That will come later.
2024-12-04 10:18:55 -08:00
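As an added illustration (not code from this commit or its project) of the design the message describes: several tokens per account kept in an ApiKey-style table with an owner_table of "accounts", a lookup that yields a session-like hash without any session being involved, and revocation standing in for active-session revocation. The column names, digest-only storage and the session hash keys are this example's own assumptions.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for the ApiKey table the commit describes,
# scoped to an owner_table of "accounts". Column names are this example's own.
class PersonalAccessTokens
  Row = Struct.new(:owner_table, :owner_id, :token_digest, :revoked_at)

  def initialize
    @rows = []
  end

  # Issue a token for an account; several tokens per account are allowed.
  # Only a SHA-256 digest is stored (this example's choice, not stated in the
  # commit), so a leaked table does not yield usable tokens.
  def issue(account_id)
    token = SecureRandom.urlsafe_base64(32)
    @rows << Row.new('accounts', account_id, digest(token), nil)
    token
  end

  # Revoking a token is the PAT analogue of removing an active session.
  def revoke(token)
    row = find(token)
    return false unless row
    row.revoked_at = Time.now
    true
  end

  # Stand-in for what the commit has rodauth.session return for a PAT request:
  # a session-like hash built from the token row, with no cookie or JWT session
  # involved, so there is no active session to check.
  def session_for(token)
    row = find(token)
    return nil if row.nil? || row.revoked_at
    { 'account_id' => row.owner_id, 'authenticated_by' => ['personal_access_token'] }
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Digests, not raw tokens, are compared, so == timing reveals nothing invertible.
  def find(token)
    d = digest(token)
    @rows.find { |r| r.owner_table == 'accounts' && r.token_digest == d }
  end
end
```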