Avoiding all or nothing on “short-lived” partials

A sort of common trope I encounter in pbta games is moves with a partial that has you succeed but with the effect “lasting only a moment” (or some similar phrasing). The example I am going to work with is Zuko Style from Dungeon World. The text from that move reads:

When you bend a flame to your will, roll+WIS. On a 10+ it does as you command, taking the shape and movement you desire for as long as it has fuel on which to burn. On a 7-9 the effect is short-lived, lasting only a moment.

From the Dungeon World SRD

Some of these moves (all that I am aware of) tend to have a problem where this partial is sort of all or nothing. That is depending on what you are trying to do it either means a partial is indistinguishable from a success or it serves to do nothing (essentially a silent failure). For an example of an “all” case (in my experience most cases of ZS tend to fall into this category):

The players have a plan of attack, their comrades are in wait on a nearby hill and the party is finally in their place. The agreed upon signal is a burst of flame in the sky. When the time comes they pull a fire starter from their adventuring gear, set of a spark to bend it into a skyward burst. The dice hit the table and come up an 8.

Here we have an issue since the effect was only meant to last a moment the partial is no different than a success. There are plenty of interesting things that could happen here that would certainly make good partials but none that seem to fit the wording of the move.

Here is an example of a “nothing” case:

While the players were distracted fighting off the occultists the library of esoterica was caught in the blaze. Scorch-Skin jumps into action swiping their hand to extinguish the flames. The die are cast, and come up 8.

Here extinguishing the flames for a moment is about as useful as not extinguishing the flames at all. And to make matters worse what is almost certainly going to happen next is that Scorch-Skin is going to just try again. It amounts to pretty much just a silent failure.

What ways should a GM handle a partial on Zuko Style that exemplify the principles of Dungeon World? My goal i a solution I can use in any pbta game, but I have chosen to ground the question specifically in Zuko Style and the rules of Dungeon World, so anything beyond that is extra. I’m looking for answers that don’t involve modifying the move itself or breaking the rules of Dungeon World.

Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?