Authenticate iNat import

[JoeCohen]

Authenticate iNat imports with iNat API Key and user handshake. For details and documentation see https://github.com/MushroomObserver/mushroom-observer/issues/1955#issuecomment-2016029239

Tasks

• [x] Review Authentication (How to get authentication to retrieve iNat private data.)
• [x] Create CallBack route/Redirect URI for local testing -- an MO uri to which iNat redirects when the user authorizes MO. Id.
• [x] Create iNat application
• [x] Split import workflow into pre-authentication, authentication
• [x] Revise forms: new button name => Submit or Continue
• [x] Test redirecting to iNat authorize url
• [x] Add skeleton iNatImport model
• [x] Confirm that iNat won't allow changes to the callback url
• [x] Fix saving and recovery of inat_id_array
• [x] create iNatImport instance
• [x] update its status appropriately
• [x] Unit test authorization
• [x] Deal with authorization denied.
• [x] Proceed with import flow once authenticated
• [x] Add token to iNat API requests
• [ ] Manual test of request in Httparty command line interface httparty https://api.stackexchange.com/2.2/questions?site=stackoverflow
• [ ] Flash when done with imports
• [ ] #2240
• [ ] Consider: Don't authorize/authenticate if user has an unexpired token

[JoeCohen]

Pulk's Mirror. https://github.com/JacobPulk/mirror

[JoeCohen]

rough outline:

1. you redirect your user to iNat,
2. the user is offered the choice to authorize your app with access to their iNat data, and
3. If they agree, they are redirected to the redirect_uri you specified with an access_token in the params.

https://www.inaturalist.org/pages/api+reference#authorization_code_flow

[JoeCohen]

Questions:

• How can I make my personal iNat credentials available to other MO admins and to the MO app? The problem is that I am the owner of the iNat MushroomObserver application.
• Am I doing the right thing with, do I really need Rails.application.credentials.inat.inat_secret? Can/Must I use Rails.application.credentials.secret_key_base
• How can MO associate the authentication with a particular iNatImport request?
• Could I use the same uri & iNat "app" for imports and exports?
• What about require rest_client see https://www.inaturalist.org/pages/api+reference#authorization_code_flow

[JoeCohen]

Created iNat application https://www.inaturalist.org/oauth/applications/851

[JoeCohen]

params in the callback action If iNat user approves the request:

(rdbg) params
#<ActionController::Parameters {"code"=>"NtX2QvCzQuwXAyKL0uDtvZLcWDLQpo4i5QWkAtTMT1g", "controller"=>"observations/inat_imports", "action"=>"auth"} permitted: false>

If iNat user denies the request:

(rdbg) params
#<ActionController::Parameters {"error"=>"access_denied", "error_description"=>"The resource owner or authorization server denied the request.", "controller"=>"observations/inat_imports", "action"=>"auth"} permitted: false>

[JoeCohen]

How to proceed after receiving code from iNat at the callback url? @nwilson-eol's suggestion:

• (earlier) in InatImport#create create an InatImport model object with a status attribute
  • status would be things like requesting_authorization request_token, etc.
• When iNat hits the redirect url, User.current should be the same. So we can figure out which MO user it is (and other stuff, e.g., iNat Observation ids that are stored with the InatImport object for that user.
• update the status,
• get the token, store it with the InatImport object
• proceed with the import, making the iNat API requests as shown in https://www.inaturalist.org/pages/api+reference#authorization_code_flow

[JoeCohen]

httparty readme

[JoeCohen]

20240719 0720 Pacific Not working as expected as of #29809c667b67d86d13445496aa4d59333f8f2a2

Update API request to === iNat docs

- fixes headers
- uses RestClient instead of Httparty
See https://www.inaturalist.org/pages/api+reference#authorization_code_flow

The response does not include private location. Probably because authentication isn't working. But there's a slim chance that iNat doesn't include private location even if the request is authenticated. But I tried setting a breakpoint in inat_search_observations right after ::Inat.new ... then manually

RestClient.get("#{API_BASE}/users/me", headers)
RestClient::Unauthorized: 401 Unauthorized
    from /Users/joe/mushroom-observer/app/classes/inat.rb:15:in `initialize'

I don't understand this. But I've been stuck on this a while. So I'll put it aside for the moment, and work on things that depend on authentication.

[JoeCohen]

Link to an old iNat app that imported MO Observations: https://www.inaturalist.org/posts/20053-18-mushroom-observer-api-key