Mastodon handler about authl HOT 5 CLOSED

Some problems to deal with:

• The callback URI is, at present, only known at the time of login. There is no way to provide a callback URI that allows additional redirection parameters. This is intentional.
• At least in manual testing I don't seem to able to successfully do a full OAuth flow; even if I specify a fixed callback URL I only get a "The redirect uri included is not valid" error.
• why can't mastodon just heckin' support OIDC/IndieAuth/whatever argh

from authl.

once again I find myself wishing mastodon/mastodon#4800 to be resolved

from authl.

probably what I'll have to do is regsiter a new app with the full callback URL at the time of initiate_auth and mastodon can just deal with it

from authl.

got a working session:

>>> client_id,client_secret=Mastodon.create_app('asdf',scopes=['read'],redirect_uris=['https://mew.lvh.me/wibble'])
>>> client=Mastodon(client_id=client_id,client_secret=client_secret)
>>> client.auth_request_url(redirect_uris='https://mew.lvh.me/wibble',scopes=['read'])
'https://mastodon.social/oauth/authorize?client_id=xxx&response_type=code&redirect_uri=https%3A%2F%2Fmew.lvh.me%2Fwibble&scope=&force_login=False'

This resulted in a client redirect to https://mew.lvh.me/wibble?code=xxx. Passing that code into client.log_in(code='xxx',scopes=['read'],redirect_uri='https://mew.lvh.me/wibble') returned an OAuth token, and after that point, client.account_verify_credentials()` returns a dict that includes the URL.

Phew.

TBD: is there a scope which ONLY gives me account info?

from authl.

Okay so it looks like the scope read:accounts gives the minimal information necessary, and then after getting that information it's possible to revoke the token as well.

However, mastodon.py does not provide built-in revocation/logout.

The actual core parts of Mastodon login don't really seem to need the entirety of Mastodon.py anyway - this could probably be handled much more simply. For example, we can probably just determine if the server is Mastodon-compatible by doing a GET on /api/v1/instance and see if it returns a JSON blob with uri and version fields. If so, we know this is Mastodon-esque-enough.

Then, in initiate_auth we register an application with our callback URL, and then follow the authorization flow with a scope of read:accounts. Finally, we get the account information with GET /api/v1/accounts/verify_credentials and then POST /oauth/revoke now that we have the info we need.

from authl.