feat: restrict certain endpoints from API tokens and/or read-only tokens

backend/routes/member/create_member.go

@@ -27,6 +27,10 @@ func (s *Server) createMember(w http.ResponseWriter, r *http.Request) (err error
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if !claims.TokenWrite {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This token is read-only"}
+	}
+
 	u, err := s.DB.User(ctx, claims.UserID)
 	if err != nil {
 		return errors.Wrap(err, "getting user")

backend/routes/member/delete_member.go

@@ -17,6 +17,10 @@ func (s *Server) deleteMember(w http.ResponseWriter, r *http.Request) error {
 
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if !claims.TokenWrite {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "this token is read-only"}
+	}
+
 	id, err := xid.FromString(chi.URLParam(r, "memberRef"))
 	if err != nil {
 		return server.APIError{Code: server.ErrMemberNotFound}

backend/routes/member/patch_member.go

@@ -30,6 +30,10 @@ func (s *Server) patchMember(w http.ResponseWriter, r *http.Request) error {
 
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if !claims.TokenWrite {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This token is read-only"}
+	}
+
 	id, err := xid.FromString(chi.URLParam(r, "memberRef"))
 	if err != nil {
 		return server.APIError{Code: server.ErrMemberNotFound}