IBBoard/hotfix/twitter and mastodon session fixes

[IBBoard]

I don't know if this is all how you wanted it to go, but I wanted to start adding features and the newest branch seemed to be incomplete, so I've fixed up some bits.

Key bits to note:

• Twitter and Mastodon auth seems to work (I've set up both accounts - but passed the URL back manually from the command-line, because I'm not installing the app yet)
• There's an ugly "fix" in to avoid a CRITICAL from librest when it tries to check if our non-expiring offline access token has expired
• There's another ugly "fix" where we have a hard-coded app password for the client secret, since librest doesn't like the argument being null - at the very least, we need a strong password generated there
• Client creation didn't want to have a constructor, even though other SingleInstance classes do. I wonder whether it's because it's also split as a partial?
• I've had to change a couple of bits to a less pretty implementation because the nice Vala code (like the find function with a lambda) were giving segfaults and other issues because of how the C code was created
• I wanted to work out why Mastodon has to use the code, but I've not worked it out yet

.

[Edit] Actually... I've not got Twitter working yet. I had it working, but then I tried to fix Mastodon, and now I've only got my Mastodon account and can't add Twitter!

But they have both been independently working as read-only accounts!

[Edit] Working now. Apparently the examples in the Vala docs show behaviour that you can no longer rely on!

[CodedOre]

I don't know if this is all how you wanted it to go, but I wanted to start adding features and the newest branch seemed to be incomplete, so I've fixed up some bits.

I didn't looked at the project for while. IIRC, the ’backend-session‘ should have anything, aside of the rework of the authentication. I had an "finished" branch which added this, but I wasn't really happy with the code, so I wanted to see if I can rework it, but I had to prioritise university then. I'm also not at home currently, so I cant push this branch right now.

I'll look into the PR in detail later on.

[IBBoard]

I did wonder whether you might have some more code that you hadn't committed, but it had been a few months and this seemed like a way for me to get into the code again and work out how you were structuring it 🙂

I started off fixing CRITICALs on the main branch, before realising that this branch had 100+ more commits.

[IBBoard]

I just changed "password123" to "password12" in the Twitter server client secret and it still authenticated. I don't know whether that means I missed something, or whether it means that the client secret isn't used by Twitter and we could put any non-null value in there.

[CodedOre]

Well, for native applications, client secrets should no longer be a thing. To quote OAuth 2 Simplified:

If the developer is creating a “public” app (a mobile or single-page app), then you should not issue a client_secret to the app at all. This is the only way to ensure the developer won’t accidentally include it in their application. If it doesn’t exist, it can’t be leaked!

So, ideally Twitter should ignore it, and we can set it to an empty string.

Edit: It should be noted that Mastodon still needs the client secret though.

[IBBoard]

The bit that confuses me is that the "Client Secret" section suggests that there is still a per-app password (hence why I supplied something) but if I change it and it still works then is it used?

I assumed it was still needed, but defined with the server on a per-app basis rather than supplied within the binary (as we do at the moment).

[CodedOre]

As far as I understand it, Client Secrets are still used when you develop an application that is running only on controlled hardware, like an server. But since you could extract secrets from an binary, it was deprecated for so called native applications in favor of the new authentication mechanism.

So, for our case, Twitter should just ignore the value.

[CodedOre]

Just an status update: I'm not at home until the end of the week, so I will not review it until next week. Want to check how it looks compared to my current code first.

[IBBoard]

I've made some changes and pushed them. The only thing that's not working now is creating a Twitter account. I seem to get a segfault because the timezone on the token's expiry time is null and the date comparison assumes it isn't. Given that it's all managed by librest at that point then I don't have a clue what's going on.

[IBBoard]

Okay. That seems to be working now. Some of the bugs trashed my profiles a couple of times, so I know I can re-add Mastodon accounts. And I fixed #64 in the process.

Also stripped out Twitter because… well, what's the point in supporting it now?

[CodedOre]

If we drop the Twitter platform, we don't really need the structure of the library with Base module and extending platforms anymore, so I think we could restructure this a bit more than just to remove a platform. Unless we have a potential different platform for which we want to leave the possibility open.

[IBBoard]

I was just leaving the possibility open 🙂 Deleting Twitter is quick. Flattening everything just seemed like too much work.

[IBBoard]

I don't see any harm in keeping it for now. You never know, maybe Musk will get bored and Twitter will fix everything he broke. Or some ex-Twitter devs will create a Twitter-like app with a similar API. And it will keep us considering a more generic architecture.

I already saw someone on Mastodon suggesting a Twitter-compatibility layer so that all of those apps can port more easily! (Although I doubt it would work that easily because of some of the different design and architecture decisions).