
Made member token scope authoritative #28346

Merged: 9larsons merged 1 commit into main from member-identity-token-scope on Jun 4, 2026

Conversation

@9larsons 9larsons commented Jun 3, 2026

Summary

Member identity and entitlement tokens are issued by the same service with the same signature, issuer, and audience, and were only differentiated by a descriptive scope claim that nothing enforced.

This makes scope the source of truth for a token's purpose:

  • identity tokens now declare scope: members:identity
  • the identity decode path (decodeToken) requires that scope and rejects anything else

The change is additive to the entitlement token payload, so anything verifying it via the JWKS is unaffected. This feels like a more correct pattern than assuming tokens can act as members, which was the prior behavior.

Tests

Updated the token-service unit tests to cover the identity/entitlement scopes and the decode-path enforcement.

Commit message:

Member identity and entitlement tokens are issued by the same service with the same signature, issuer, and audience, and were only differentiated by a descriptive scope claim that nothing enforced. This makes scope the source of truth for a token's purpose: identity tokens now declare members:identity and the identity decode path requires it, so read-only entitlement tokens are not silently accepted in its place. The change is additive to the entitlement token payload, so consumers verifying it via the JWKS are unaffected.
coderabbitai Bot commented Jun 3, 2026


Walkthrough

This PR introduces standardized JWT scope handling in TokenService. Two module-level constants define the allowed scopes: members:identity for identity tokens and members:entitlements:read for entitlement tokens. Token encoding methods now use these constants instead of hardcoded strings. The decodeToken method was updated with documentation describing scope-based token differentiation and validation logic that rejects any token lacking the required identity scope by throwing a jwt.JsonWebTokenError. Tests were enhanced to verify exact JWT claim values and add comprehensive decoding validation scenarios.

Pre-merge checks: 5 passed

Title check: Passed. The title 'Made member token scope authoritative' directly captures the main change: introducing scope enforcement for member tokens.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Description check: Passed. The pull request description clearly explains the changes made to member token scope, the enforcement mechanism, and the backward compatibility considerations.


@9larsons 9larsons merged commit 1fffc21 into main Jun 4, 2026
50 checks passed
@9larsons 9larsons deleted the member-identity-token-scope branch June 4, 2026 00:20