Skip to content

feat: anonymous fall-through for JWT-mode public access (KYTE-#229)#37

Merged
kennethphough merged 1 commit into
masterfrom
feature/jwt-anonymous-fallthrough
Jun 11, 2026
Merged

feat: anonymous fall-through for JWT-mode public access (KYTE-#229)#37
kennethphough merged 1 commit into
masterfrom
feature/jwt-anonymous-fallthrough

Conversation

@kennethphough

Copy link
Copy Markdown
Member

Client half of #229. When a JWT-mode client has no access token AND no refresh token (never logged in), _jwtEnsureFreshAccessToken now issues the request anonymously (x-kyte-appid only) instead of failing closed — enabling public browsing of requireAuth=false controllers via the server's AppContextStrategy. Present-but-stale token w/ no refresh still fails to login (unchanged). Pairs with kyte-php v4.11.0.

🤖 Generated with Claude Code

When a JWT-mode client has no access token AND no refresh token (a visitor
who never logged in), _jwtEnsureFreshAccessToken now issues the request
anonymously (x-kyte-appid only, no Authorization header) instead of failing
closed. This enables public/anonymous browsing of requireAuth=false
controllers served by the server's new AppContextStrategy.

A present-but-stale access token with no refresh token still fails so the
caller destroys state + bounces to login (unchanged). issueRequest already
omits the Authorization header when no token is present and always sends
x-kyte-appid, so the anonymous request shape was already supported — it was
just unreachable. Pairs with kyte-php v4.11.0 (KYTE-#229).
@kennethphough
kennethphough merged commit 620d0fe into master Jun 11, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant