This is similar to gdonato's answer, but scopes in doorkeeper are better used for managing which permissions are being given to the authenticated app (i.e. "Give this app permission to read X and write Y on your behalf").

So if I just forward the cookie header (which contains the access-token), wouldn't that be just what I am not supposed to do. I mean what's the point of using 'HttpOnly' flag if I return the token to the client-side js on every request.

I use a mutator and use it's changeValue function to 'change' the value of the relevant field (I supply the same value). This in turn notifies all relevant parties of the change to the form's state, and a validation is triggered.

Use the same value that was submitted, which ensures that a 'change' is triggered even though the value itself doesn't change. Therefore, the same value gets validated again.

  mutateValue([name], state, { changeValue }) {
    // change the value to the same value, thus
    // triggering a revalidation of the same value
    changeValue(state, name, value => value);
  }

I discovered that a solution can be hacked using an {#if}, but a proper one would be nice:

But of course this could be overused.

<p>{(x *= 4)} {(x *= x)} {(x *= x)}</p>

This reactive statement is just used to have the store automatically subscribed and unsubscribed.

One thing I considered was abusing a custom store for this kind of thing.

the code is a bit verbose/convoluted

Using another reactive statement with $effect we have Svelte automatically handle subscribing and unsubscribing to the store

For my point of view, and I've been annoyingly consistent in this for as long as people have been asking for this feature or something like it, style encapsulation is one of the core principles of Svelte's component model and this feature fundamentally breaks that. It would be too easy for people to use this feature and it would definitely get abused removing the style safety that Svelte previously provided.

Besides, this will just end up being reported as a security bug to the security list if left as is, cause docker will eat up all your disk space due to a single call site flooding STDERR forcing logs to grow forever.

Creating and calling a default proc is a waste of time, and Cramming everything into one line using tortured constructs doesn't make the code more efficient--it just makes the code harder to understand.

As serious leaks become more common, surely we can expect tougher laws. But these laws are also making it difficult for those of us who wish to improve security by studying actual data. For years we have fought increasingly restrictive laws but the government’s argument has always been that it would only affect criminals.

Another approach I toyed with (very transiently) was blocking entire countries from accessing the API. I was always really hesitant to do this, but when 90% of the API traffic was suddenly coming from a country in West Africa, for example, that was a pretty quick win.

Well, as a home user, I also belong to an investment club with 10 members. I also have a medium size family who I like to send photo's to, and my son is on a soccer team. all those have greater than 5 people on the list. sooooooooo..... once again, the people with valid use of the internet have to 'deal' with those that abuse it.