Group tokens with attach permissions lose broader read/write permissions #1581

notrab opened this issue Jul 22, 2024 · 0 comments
notrab commented Jul 22, 2024

If you create a group token with attach permissions, it loses the broad read/write permissions that a regular group token would have.

  • The roa (read-only attach) permission is granted only for the specified databases.
  • The rw (read-write) permission is still associated with the group, but it doesn't seem to grant full access as a regular group token would.

As a user, I would expect that group tokens (with additional attach perms) work as regular group tokens.

Example 1

turso group tokens create default
{
  "gid": "ac4ad387-f52c-4172-bcf0-10e013fa9932",
  "iat": 1721565683
}

✅ Works as expected. Can read/write to DB great-apocalypse

Example 2

turso group tokens create default --attach turso-notes
{
  "iat": 1721566104,
  "p": {
    "roa": {
      "ns": [
        "396cda00-807a-4fcb-989c-0a715c52c9f9"
      ]
    },
    "rw": {
      "tags": [
        "ac4ad387-f52c-4172-bcf0-10e013fa9932"
      ]
    }
  }
}

{"error":"Namespace ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a doesn't exist"}

Example 3

turso group tokens create default --attach turso-notes,great-apocalypse
{
  "iat": 1721566219,
  "p": {
    "roa": {
      "ns": [
        "396cda00-807a-4fcb-989c-0a715c52c9f9",
        "ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a"
      ]
    },
    "rw": {
      "tags": [
        "ac4ad387-f52c-4172-bcf0-10e013fa9932"
      ]
    }
  }
}

{"error":"Not authorized to execute query: Current session doesn't not have Write permission to namespace ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a"}

notrab added the bug label Jul 22, 2024
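
Added example, not part of the original issue or of Turso's code: a way to diff the decoded claims of the regular group token from Example 1 against the attach token from Example 3 when triaging a report like this. It assumes the tokens are three-part JWTs; the helper names are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Payloads copied from Example 1 and Example 3 of the issue.
REGULAR = {"gid": "ac4ad387-f52c-4172-bcf0-10e013fa9932", "iat": 1721565683}
ATTACH = {"iat": 1721566219, "p": {
    "roa": {"ns": ["396cda00-807a-4fcb-989c-0a715c52c9f9",
                   "ecd40f9d-d3c4-47cc-9f19-30acd8fbef5a"]},
    "rw": {"tags": ["ac4ad387-f52c-4172-bcf0-10e013fa9932"]}}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for a real token (signature is a dummy)."""
    header = b64url(json.dumps({"typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'constructed')}"


def decode_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def describe_scope(claims: dict) -> dict:
    # Claim names (gid, p.rw.tags, p.roa.ns) are the ones shown in the issue.
    perms = claims.get("p") or {}
    return {"gid": claims.get("gid"),
            "rw_tags": perms.get("rw", {}).get("tags", []),
            "roa_ns": perms.get("roa", {}).get("ns", [])}


def compare(regular_token: str, attach_token: str) -> list:
    """List how the attach token's claim shape differs from the regular one."""
    reg = describe_scope(decode_claims(regular_token))
    att = describe_scope(decode_claims(attach_token))
    findings = []
    if reg["gid"] and att["gid"] is None:
        findings.append("attach token has no gid claim")
    if reg["gid"] in att["rw_tags"]:
        findings.append("group id appears only under p.rw.tags")
    if att["roa_ns"]:
        findings.append(f"roa limited to {len(att['roa_ns'])} namespace(s)")
    return findings
```

Calling `compare(make_sample_token(REGULAR), make_sample_token(ATTACH))` reports the three differences visible in the payloads above; it describes claim shape only and says nothing about how the server evaluates those claims.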