- Token scopes are a little different than user permissions. They can be used in a couple of ways. If you have both an app and an API, you might want to have a different set of permissions on the API than your users would get as they use the web app on a daily basis. These would be the scopes. If you look at GitHub's Personal Access Token scopes, that will give you an idea of one way to organize them. This would also allow a person - or your app - to provide different limits to the user when using your API than they would get using the web app. If you were doing an SPA you might not need much in the way of scopes and could just rely on the user permissions. You could, if you really wanted to, use the user permissions as the scopes and duplicate the permissions in both the user permissions and the token scopes for consistency, though that's not a setup I would recommend.
- That would be something for @kenjis to answer. I haven't explored JWT with Shield yet. Sorry.
- I read that when generating a token with a scope, the default is *.
But I think $user->tokenCan and $user->can are a little confusing regarding permissions in the application flow.
By default, a user with a token can do everything, right?
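The distinction the first comment draws (token scopes versus user permissions) and the question in the last comment (the `*` default) can be shown side by side in a controller. This is an added example, not code from the Shield project or from anyone in this thread. It assumes Shield's `generateAccessToken(string $name, array $scopes = ['*'])`, `tokenCan(string $scope)` and `can(string ...$permissions)` on the User entity, and the permission and scope names `posts.read` / `posts.write` are made up for the illustration.

```php
<?php
// Added example (not the Shield project's own code). Assumed Shield APIs on the User entity:
//   $user->generateAccessToken(string $name, array $scopes = ['*'])  -- '*' is the default scope
//   $user->tokenCan(string $scope)                                   -- checks the scopes of the token in use
//   $user->can(string ...$permissions)                               -- checks the user's group/permissions
// 'posts.read' / 'posts.write' are hypothetical scope and permission names.

namespace App\Controllers;

use CodeIgniter\RESTful\ResourceController;

class Posts extends ResourceController
{
    // Issue a token that is narrower than the user's own permissions.
    // Passing an explicit scope list is what avoids the '*' default; a '*' token passes every tokenCan() check.
    public function issueReadOnlyToken()
    {
        $user  = auth()->user();
        $token = $user->generateAccessToken('reporting-script', ['posts.read']);

        // raw_token is only available on the entity returned at generation time.
        return $this->respondCreated(['token' => $token->raw_token]);
    }

    // API endpoint authenticated with the 'tokens' authenticator.
    public function update($id = null)
    {
        $user = auth('tokens')->user();

        // Gate 1: the token's scopes. A ['posts.read'] token is rejected here; a '*' token is not.
        if (! $user->tokenCan('posts.write')) {
            return $this->failForbidden('Token lacks the posts.write scope');
        }

        // Gate 2: the user's permissions. Checking both means a token can narrow, but never
        // widen, what its owner may do; this pairing is a design choice, not Shield behaviour.
        if (! $user->can('posts.write')) {
            return $this->failForbidden('User lacks the posts.write permission');
        }

        // ... perform the update ...
        return $this->respondUpdated(['id' => $id]);
    }
}
```

The two gates answer the two different questions in the thread: `tokenCan()` asks what this particular credential was issued for, while `can()` asks what the account behind it is allowed to do at all. A token generated with the default scope list answers "yes" to every `tokenCan()` call, so the second gate is the only thing limiting it.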