Closed sebsel closed 7 years ago
From https://github.com/Inklings-io/selfauth/pull/16#discussion_r126312408:
the regex should be something like @^[\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*$@.
add the scope to the code when creating the code after successful password.
It should already be there. A code is expiry:hmac:data, in our use case the data is whatever scope value was given. So there are a few more checkboxes you can check 😉
All of this is now in the master branch! 🎉 Thanks for pushing for scope support, @sebsel!
I see no quick way to implement this, so let me list the things that I think need to be done in order to support scopes.
First off: Selfauth is an Auth Endpoint and the Auth Endpoint only lists the scopes the App requests, and if the User agrees to them, they are passed along with the code to the Token Endpoint. People can work with tokens.indieauth.com/token for now. Issuing the tokens is currently out of scope for Selfauth.
Few points to fix before supporting scopes:
@^[\x21\x23-\x5B\x5D-\x7E]+$@ for this, but &scope=create+update will translate to create update and the space is not in that range. Don't know how to go about that, because that regex came out of a spec (@Sknebel?)
me=https://example.com/&scope=create+update in the validating POST request. At this moment there is no way of knowing the scope the user agreed to at that point. I think the best way of doing it is to encode the given scopes in the signed code (that's how IndieAuth.com does it with JWT). Therefore:
After that, we can exchange the current warning about supporting scopes to 'this is not a token endpoint, you can use tokens.indieauth.com for now', or something the like.
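The two pieces discussed in this thread, validating a space-separated scope list and carrying the agreed scope inside a code of the form expiry:hmac:data, shown together as an added PHP example that is not Selfauth's own code. The function names, the key, the 5-minute lifetime and the layout of the HMAC input are assumptions.

```php
<?php
// Added example, not Selfauth's own code. $key, the 5-minute lifetime and the
// HMAC input layout are assumptions; all sample values are constructed.

// The multi-scope regex from the thread, plus the D modifier so that "$"
// cannot match before a trailing newline.
const SCOPE_RE = '@^[\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*$@D';

function valid_scope(string $scope): bool
{
    return preg_match(SCOPE_RE, $scope) === 1;
}

// HMAC over expiry, user and scope. The length prefix on $me keeps bytes from
// shifting between $me and $scope, since both may contain ":".
function code_mac(string $key, string $expiry, string $me, string $scope): string
{
    return hash_hmac('sha256', $expiry . ':' . strlen($me) . ':' . $me . ':' . $scope, $key);
}

function create_code(string $key, string $me, string $scope, int $ttl = 300): string
{
    $expiry = (string) (time() + $ttl);
    return $expiry . ':' . code_mac($key, $expiry, $me, $scope) . ':' . $scope;
}

// Returns the signed scope, or null if the code is malformed, expired or forged.
function verify_code(string $key, string $me, string $code): ?string
{
    // Limit 3: ":" is inside the allowed scope range, so data may contain it.
    $parts = explode(':', $code, 3);
    if (count($parts) !== 3) {
        return null;
    }
    [$expiry, $mac, $scope] = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < time()) {
        return null;
    }
    return hash_equals(code_mac($key, $expiry, $me, $scope), $mac) ? $scope : null;
}

parse_str('me=https://example.com/&scope=create+update', $q); // "+" decodes to a space
$key = 'constructed-demo-key';
$code = create_code($key, $q['me'], $q['scope']);
var_dump(valid_scope($q['scope']));                        // space-separated list
var_dump(valid_scope("create\n"));                         // trailing newline
var_dump(verify_code($key, $q['me'], $code));              // untouched code
var_dump(verify_code($key, $q['me'], $code . ' delete'));  // scope altered after signing
```

Because the scope is covered by the HMAC, the validating POST request can recover the scope the user agreed to from the code itself, without server-side state.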