Micropub token button breaks Mastodon auth #1342
Comments
Fwiw, Pleroma has the same problem: #1015
Hopefully fixed! @jonnybarnes @iamwebrocker if you disable and then re-enable publish on your Bridgy Mastodon user pages, they should hopefully work again. @jonnybarnes the Get token button now requests the same scopes you already have, so clicking it shouldn't drop them any more.
Hi, thanks for looking into this. 🤗 Sadly doesn't work for me, I ran into the same problem as before. Before that I logged into Mastodon via Bridgy (since on the user page there was this "paused" icon next to the handle) and then logged out via the Bridgy user page. In other tests before I disabled the image (because the error mentioned "api/media"), but that made no difference.
I just re-read what you wrote and logged into Mastodon and then on Bridgy's user page disabled publishing (it was enabled as soon as I was logged into Mastodon). Now when I click 'enable publishing', I end up on a Mastodon error page "We're sorry, but something went wrong on our end", repeatedly.
This is the URL that returns the 'we're sorry' page (I redacted the ids and keys):
Sigh, yeah, that's #911, which is indeed a Mastodon/doorkeeper bug. One workaround is to log out of your Mastodon instance (mastodon/mastodon#12915 (comment)) before you click the enable publish button in Bridgy. Mind trying that?
Just tried it, but makes no difference. I don't know if Mastodon "remembers" that I'm currently logged into the app on another device, but logging out from the web and then enabling "publishing" on Bridgy returns that "we're sorry…" page, still.
Evidently that workaround isn't 100% effective. Sorry for the difficulties here. I wish the doorkeeper and/or Mastodon people would decide how they want to fix that problem!
I'll try to recreate the situation 6 days ago, when posting to both Twitter and Mastodon worked. I think the difference (not taking into account what may have been changed on Mastodon's end) is that back then I wasn't logged into Mastodon at all, since I hadn't installed their app(s) yet, and "just" logged in via brid.gy to get the publish auth.
This post https://jonnybarnes.uk/notes/NR got posted here https://mastodon.thebeeches.house/@jonny/109303734152437320 🎉🎉🎉
Woo, great news! And @iamwebrocker thanks for the kind words and behavior details on your end. Definitely feel free to follow up on #911, or better on mastodon/mastodon#12915 / doorkeeper-gem/doorkeeper#1554.
The Micropub "Get token" button on user pages uses silo auth to check that you're the account owner before giving you a token. It only uses the minimal OAuth scopes it needs to confirm your account. That's fine, but for Mastodon, each auth gets a new token with the requested scopes, and oauth-dropins overwrites the existing token with the new one each time. So, when an existing user clicks that button, they lose all the permissions Bridgy needs. Ugh.
It'd take work to refactor oauth-dropins to not do that, so the quick fix is to have Bridgy include all the current scopes in that auth check.
cc @jonnybarnes, background:
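
The scope loss described in this issue, and the quick fix of including the current scopes in the ownership check, modeled as an added example; this is not part of the original issue and is not Bridgy's or oauth-dropins' code. `FakeAuthServer`, `TokenStore`, `ownership_check_scopes`, the account handle and the scope lists are all hypothetical stand-ins constructed for illustration.

```python
import secrets

# Constructed sample scopes; the scope lists Bridgy really requests are not on this page.
MINIMAL_SCOPES = frozenset({"read:accounts"})
PUBLISH_SCOPES = frozenset({"read:accounts", "write:statuses", "write:media"})

class FakeAuthServer:
    """Stand-in for the instance: each grant issues a new token with only the requested scopes."""
    def __init__(self):
        self.granted = {}  # token -> scopes it carries

    def authorize(self, scopes):
        token = secrets.token_hex(8)
        self.granted[token] = frozenset(scopes)
        return token

    def allows(self, token, scope):
        return scope in self.granted.get(token, frozenset())

class TokenStore:
    """Stand-in for the client side: one stored token per account, overwritten on every auth."""
    def __init__(self, server):
        self.server = server
        self.tokens = {}  # account -> (token, scopes)

    def auth(self, account, scopes):
        self.tokens[account] = (self.server.authorize(scopes), frozenset(scopes))

    def can(self, account, scope):
        token, _ = self.tokens[account]
        return self.server.allows(token, scope)

def ownership_check_scopes(store, account, minimal=MINIMAL_SCOPES):
    """The quick fix: ask for the minimal scopes plus everything the account already holds."""
    _, current = store.tokens.get(account, (None, frozenset()))
    return minimal | current

def run(fixed):
    """Enable publish, then click "Get token"; report whether publishing still works."""
    account = "@user@example.social"  # constructed handle
    store = TokenStore(FakeAuthServer())
    store.auth(account, PUBLISH_SCOPES)
    scopes = ownership_check_scopes(store, account) if fixed else MINIMAL_SCOPES
    store.auth(account, scopes)  # overwrites the stored token either way
    return store.can(account, "write:statuses")

if __name__ == "__main__":
    print("before fix:", run(fixed=False), "| after fix:", run(fixed=True))
```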