Make mod-authtoken accept an override token.
The token will come in via a header (X-Okapi-Override?). It should be an encrypted token, potentially with an unencrypted header. All sensitive information should be opaque, to allow the token to be transmitted via chat, email, etc if desired.
The token should contain the following pieces of information:
- The user that is being granted the permissions
- The supervisor that has given the permissions
- The timestamp for when the permissions were granted
- The timestamp for when the permissions expire
- A list of permissions granted, or an indication that all of the supervisor's permissions should be granted
If the token is included in the request and found to be valid, the permissions (or all of the supervisor's permissions) are added to the current user's request. In addition, these permissions need to be passed on for any module tokens that are generated for the request.