pub enum LexeScope {
All,
GatewayProxy,
}Expand description
An infra-level scope which gates a bearer auth token’s access to Lexe-run services and resources.
This is distinct from the application-level authorization that determines
which node endpoints a given client credential may call; that lives with the
revocable client machinery, not here. A LexeScope answers “what may this
token do against Lexe’s infrastructure”, e.g. the backend or the gateway
CONNECT proxy.
Scopes form a lattice: a token granted a broader scope is accepted wherever
a narrower scope is required (see LexeScope::has_permission_for).
Variants§
All
Full access to all Lexe-run services. Short-lived (max 1 hour).
GatewayProxy
Authorizes the gateway to act as the user’s proxy, in either of two ways:
- a CONNECT tunnel to the user’s own node, or
- a request the gateway makes to the backend (
UserBackendApi) on the user’s behalf, using its own backend credentials.
This grants neither direct backend access nor forwarding of this token
to the backend; that’s LexeScope::All. May be long-lived (max 20
years), so it can back a long-lived client credential.