NicolasConstant
commented
1 year ago Hi!
Indeed it would be a very bad practice to ask for the login/password of the user, that's why Sengi also rely on the OAuth workflow and use the token after that. 😉
What you're seeing in the screen is the login page of your instance, the token is retrieved automatically after that. You can verify it by opening the console (Ctrl + Shift + I) or testing Sengi via its webapp. Also, after login you'll be able to see the issued token in your instance's settings panel. 🙂
nekohayo
Hi there, I downloaded and executed the appimage version of Sengi out of curiosity, and when you try to add an account, after specifying the server, you get this login prompt:
That's quite different from other Mastodon clients I've tested so far, in that it asks for the user's password. Why not open the user's browser with a token request, to let the server handle the authorization of this app, wouldn't it be safer to only have some token that the server can revoke at will (including, for example, if the device is lost/stolen/etc.)?
I'm not technical enough to be able to help with code, but it seems this would be the relevant documentation on this topic: https://docs.joinmastodon.org/client/token/ and https://docs.joinmastodon.org/client/authorized/ and probably pages over there...