Micropub token button breaks Mastodon auth #1342

Closed
snarfed opened this issue Nov 6, 2022 · 11 comments

@snarfed
Owner

snarfed commented Nov 6, 2022

The Micropub "Get token" button on user pages uses silo auth to check that you're the account owner before giving you a token. It only uses the minimal OAuth scopes it needs to confirm your account. That's fine, but for Mastodon, each auth gets a new token with the requested scopes, and oauth-dropins overwrites the existing token with the new one each time. So, when an existing user clicks that button, they lose all the permissions Bridgy needs. Ugh.

It'd take work to refactor oauth-dropins to not do that, so the quick fix is to have Bridgy include all the current scopes in that auth check.

cc @jonnybarnes, background:

@snarfed
Owner Author

snarfed commented Nov 6, 2022

Fwiw, Pleroma has the same problem: #1015

@snarfed
Owner Author

snarfed commented Nov 7, 2022

Hopefully fixed! @jonnybarnes @iamwebrocker if you disable and then re-enable publish on your Bridgy Mastodon user pages, they should hopefully work again. @jonnybarnes the Get token button now requests the same scopes you already have, so clicking it shouldn't drop them any more.
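The scope loss described at the top of this thread and the fix reported above, as an added example that is not part of the original comments and is not Bridgy's or oauth-dropins' code. The `TokenStore` class, the helper names, the `mastodon.example` host and the choice of `read:accounts` as the minimal check scope are assumptions; the full scope list is the one in the authorize URL quoted later in the thread.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Scopes copied from the authorize URL quoted in this thread.
FULL_SCOPES = ["read:accounts", "read:blocks", "read:notifications", "read:search",
               "read:statuses", "write:statuses", "write:favourites", "write:media"]
# Assumption: the ownership check only needs to read the account.
VERIFY_SCOPES = ["read:accounts"]

class TokenStore:
    """Hypothetical store: one token per account, a new grant replaces the old."""
    def __init__(self):
        self._tokens = {}

    def save(self, account, token, scopes):
        self._tokens[account] = (token, frozenset(scopes))

    def scopes(self, account):
        return self._tokens.get(account, (None, frozenset()))[1]

def scopes_for_reauth(store, account, needed):
    """Request what the check needs plus everything already granted,
    so that overwriting the stored token cannot narrow its permissions."""
    return sorted(set(needed) | store.scopes(account))

def authorize_url(instance, client_id, redirect_uri, scopes):
    """Build an OAuth authorization-code request with space-separated scopes."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": " ".join(scopes)},
                      quote_via=quote)
    return f"https://{instance}/oauth/authorize?{query}"

def scopes_lost_by_reauth(preserve):
    """Simulate an existing user clicking "Get token"; return the scopes lost."""
    store = TokenStore()
    account = "@user@mastodon.example"            # constructed account
    store.save(account, "token-1", FULL_SCOPES)   # original sign-up grant
    requested = (scopes_for_reauth(store, account, VERIFY_SCOPES)
                 if preserve else VERIFY_SCOPES)
    url = authorize_url("mastodon.example", "CLIENT_ID_PLACEHOLDER",
                        "https://app.example/callback", requested)
    # Assumption: the server grants exactly the scopes that were requested.
    granted = parse_qs(urlparse(url).query)["scope"][0].split()
    store.save(account, "token-2", granted)       # overwrite, as in the issue
    return sorted(set(FULL_SCOPES) - store.scopes(account))
```

With `preserve=False` the re-auth drops every scope except `read:accounts`, including `write:statuses`; with `preserve=True` nothing is lost.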

@iamwebrocker

Hi, thanks for looking into this. 🤗

Sadly doesn't work for me, I ran into the same problem as before.

Before that I logged into Mastodon via Bridgy (since on the user page there was this "paused" icon next to the handle) and then logged out via the Bridgy user page.
Then sent the webmention/publish again from my blog, which failed. Here is the log:

https://brid.gy/log?start_time=1667802816&key=agdicmlkLWd5cmgLEg1QdWJsaXNoZWRQYWdlIkFodHRwczovL3d3dy53ZWJyb2NrZXIuZGUvMjAyMi8xMS8wNi9zeW5kaWNhdGlvbi12aWEtYnJpZC1neS10ZXN0LwwLEgdQdWJsaXNoGICAmP63s60KDA&module=default

In other tests before, I disabled the image (because the error mentioned "api/media"), but that made no difference.

@iamwebrocker

iamwebrocker commented Nov 7, 2022

I just re-read what you wrote and logged into Mastodon and then on Bridgy's user page disabled publishing (it was enabled as soon as I was logged into Mastodon). Now when I click 'enable publishing', I end up on a Mastodon error page "We're sorry, but something went wrong on our end", repeatedly.
Disable publishing worked, where I ended up on a Mastodon page with the access settings (read things etc).
I read in another issue that making sure not to be logged into Mastodon could make a difference, so I logged out even in the app. Then, after clicking 'enable publishing', I had to log into Mastodon, only to end up on that same "We're sorry, but something went wrong" page. So maybe something is wrong on Mastodon's end, not Bridgy.

@iamwebrocker

this is the url that returns the 'we're sorry' page (I redacted the ids and keys):

https://mastodon.social/oauth/authorize?response_type=code&client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX&client_secret=XXXXXXXXXXXXXXXXXXXXX&scope=read:accounts%20read:blocks%20read:notifications%20read:search%20read:statuses%20write:statuses%20write:favourites%20write:media&redirect_uri=https%3A%2F%2Fbrid.gy%2Fmastodon%2Fcallback&state=%7B%22app_key%22:%22XXXXXXXXXXXXXXXXXXXXXXX%22,%22state%22:%22%257B%2522feature%2522%253A%2522listen%252Cpublish%2522%252C%2522operation%2522%253A%2522add%2522%257D%22%7D

@snarfed
Owner Author

snarfed commented Nov 7, 2022

Sigh, yeah, that's #911, which is indeed a Mastodon/doorkeeper bug. One workaround is to log out of your Mastodon instance (mastodon/mastodon#12915 (comment)) before you click the enable publish button in Bridgy. Mind trying that?

@iamwebrocker

> Sigh, yeah, that's #911, which is indeed a Mastodon/doorkeeper bug. One workaround is to log out of your Mastodon instance (mastodon/mastodon#12915 (comment)) before you click the enable publish button in Bridgy. Mind trying that?

Just tried it, but makes no difference. I don't know if Mastodon "remembers" that I'm currently logged into the app on another device, but logging out from the web and then enabling "publishing" on bridgy returns that "we're sorry…" page, still.

@snarfed
Owner Author

snarfed commented Nov 7, 2022

Evidently that workaround isn't 100% effective. Sorry for the difficulties here. I wish the doorkeeper and/or Mastodon people would decide how they want to fix that problem!

@iamwebrocker

> Evidently that workaround isn't 100% effective. Sorry for the difficulties here. I wish the doorkeeper and/or Mastodon people would decide how they want to fix that problem!

I'll try to recreate the situation 6 days ago, when posting to both Twitter and Mastodon worked. I think the difference (not taking into account what may have been changed on Mastodon's end) is that back then I wasn't logged into Mastodon at all, since I hadn't installed their app(s) yet, and "just" logged in via brid.gy to get the publish auth.
Anyways, there's absolutely no reason for you to be sorry. The work you do with Bridgy and the IndieWeb in general is amazing, and I'm very very thankful for that. (blows kisses) :-)

@jonnybarnes
Contributor

This post https://jonnybarnes.uk/notes/NR got posted here https://mastodon.thebeeches.house/@jonny/109303734152437320 🎉🎉🎉

@snarfed
Owner Author

snarfed commented Nov 7, 2022

Woo, great news! And @iamwebrocker thanks for the kind words and behavior details on your end. Definitely feel free to follow up on #911, or better on mastodon/mastodon#12915 / doorkeeper-gem/doorkeeper#1554.
