Connecting to the Servers

[CodedOre]

I am currently working on adding the authentication workflow to the backend, and there are a few notes I want to share.

• To my current understanding, Mastodon requires the app registration at the server the user is on.
  This will likely mean that the backend will register an app locally, instead of us providing centralized app keys and secrets.

• We could, to improve the authentication workflow, implement the redirect urls to redirect to the client, automatically fetching the authentication code instead of requiring copy-paste by the user.
  This could work with an url like cawbird://authentication?code=0000000, redirecting to the application.
  To make this viable though we would likely need to open the auth site internally with WebKitGTK.

• I'm probably using only OAuth 1.0 for Twitter, with Mastodon using OAuth 2.0, as Twitter's v1 API don't work with OAuth 2.0.
  While this means one authentication is enough to use both Twitter backends, it will mean an re-do of the authentication should we want the v2 API-backend to switch to OAuth 2.0.

• I'm considering using libsecret to store the tokens. As the database in current Cawbird only stores id, names and tokens anyway, we could store these more secure with libsecret in the local password storage. Though I need to check how broad support for the freedesktop Secrets API is outside of GNOME.

[IBBoard]

libsecret seems like a good idea.

Per-server Mastadon registration seems awkward, but not entirely surprising. I guess the most obvious way to confirm that assumption is to see how Tootle works 🙂

I'm not sure whether a cawbird:// URL would work rather than "out of band". I'd always assumed that the authenticating server might make the request directly. IIRC, that's how Paypal works for online stores - you give it a postback and it sends some confirmation content back without it going through the user's browser (example). If that's the case then the server won't be able to use a custom URI.

[CodedOre]

I'm not sure whether a cawbird:// URL would work rather than "out of band". I'd always assumed that the authenticating server might make the request directly.

Good point.

I know that if you for example open the Zoom website for a meeting it would make Firefox attempt to open an app to handle the url zoom://, and you can in fact register an application to handle a certain url scheme, which brought me to that idea.

But it's just an idea right now.