Enforce and auto-document "access scopes"

[jankeromnes]

Today, many JSON API endpoints require specific "access scopes" to be associated with the authenticated credential, and otherwise return an error (for example, GitHub's OAuth2 access tokens are associated a list of access scopes)

There is currently no authentication code or scope-verification code in SelfAPI, so both of these features need to be implemented manually (for example, with a server-middleware that authenticates access scopes, and by manually verifying in each API endpoint handler if the required scope is authorized for the current request).

Maybe there is a useful way to integrate "access scopes" (both request-level authentication and handler-level verification) into SelfAPI? This would have the following benefits:

• API implementers don't need to write scope authentication and verification manually,
• The automatically-generated documentation can indicate which access scopes exists, and which API endpoints require them.