Summary
The default authuser role definition grants disavow:auth and clear:session, but neither scope gates anything any more:
disavow:auth — the POST /api/auth/disavow route is being changed to authenticated-only (no scope requirement), since logging out is self-authorising.
clear:session — there is no handler registered for /api/session/clear; the scope guarded a route that never existed.
Both are now dead weight in the default role.
Fix
Remove disavow:auth and clear:session from the default authuser role's scopes in conf/config.schema.json.
Note
This only affects freshly-seeded installs; roles already seeded in a database keep the (now harmless, unused) scopes.
Summary
The default
authuserrole definition grantsdisavow:authandclear:session, but neither scope gates anything any more:disavow:auth— thePOST /api/auth/disavowroute is being changed to authenticated-only (no scope requirement), since logging out is self-authorising.clear:session— there is no handler registered for/api/session/clear; the scope guarded a route that never existed.Both are now dead weight in the default role.
Fix
Remove
disavow:authandclear:sessionfrom the defaultauthuserrole's scopes inconf/config.schema.json.Note
This only affects freshly-seeded installs; roles already seeded in a database keep the (now harmless, unused) scopes.