Using Permissions on individual Sanctum Tokens

[nilskretschmer]

Hello,

I have a use case in my application that requires individual permissions on Laravel Sanctum tokens. The tokens belong to the same user (service account), but each token has different permissions.

As I already integrated this package I am thinking about how to solve the problem using roles and permissions on individual tokens. I have a lot of fine-grained permissions based on the wildcard permissions feature (permissions on model instances). Laravel Sanctum already includes a database field abilities for each Sanctum token. But this is a text-column and I am not sure if it is suited for fine-grained permissions.

I think the following approach would be nice, but I am not sure if this is possible using this package:

1. Associate permissions with Sanctum tokens
   These permissions can be already existing permissions that are shared with the default web guard/routes
2. Check against permissions on the token using Laravel defaults like model policies, gates and can-methods

Some problems I already found on investigating this package and Laravel Sanctum:

1. The Sanctum token class' signature is this:
   class PersonalAccessToken extends Model implements HasAbilities
   This already enforces the implementation of a can-method that is a bit different from the can--method of Laravel's Authorizable-Trait.
2. The Sanctum token can't use the Authorizable-Trait, because it distinguishes from the HasAbilities-Interface
3. This package requires models that can be associated with permissions to use the Authorizable-Trait

So the question is:
How could I integrate Spatie Permissions on individual Sanctum tokens?