Open tienne-B opened 1 year ago
I would be interested in implementing this.
Just to clarify I assume this is to allow Tabbycat to act as an OAuth provider (and not to allow people to log into Tabbycat using OAuth methods)?
> allow Tabbycat to act as an OAuth provider
Correct! Another thing to point out is that we should be able to use the Permission enum in users/permissions.py as scopes, even if they can't be restricted by tournament.
There are plenty of libraries that should help with this project; it'd be good if the one you choose is still actively maintained.
I had a look and django-rest-framework recommends django-oauth-toolkit.
In terms of OAuth scopes, I think there are at least two valid ways to proceed: have a read and write scope, or have a scope for each permission (so that users can grant individual scopes to apps). I think the first is probably simpler (with the individual scope granting I can imagine users running into more errors because a specific scope hasn't been granted, and this might be a bit tricky for some users to work out and edit) but not sure which you think is better?
Looks like a good library!
I'd recommend using the existing list of permissions as scopes. I see OAuth as primarily being for users to use external tools such as Tabtastic, where we'd want to tell them specifically what the integrations will do (and the end-user doesn't have to debug). When devs are working it through, we could add a list "required scopes" to the docs for each endpoint, or (inclusive) in 401 errors.
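An added sketch (not Tabbycat's code, and not django-oauth-toolkit's) of what "one scope per permission" looks like in practice: a scopes backend that exposes every Permission as a scope with a consent-screen description, a parser that rejects unknown scopes in the OAuth scope parameter, and a gate that names the missing scopes in the error body so the integration developer does not have to guess. It mirrors the three-method shape of django-oauth-toolkit's scopes backend (get_all_scopes / get_available_scopes / get_default_scopes) in plain Python so it runs without Django. The Permission members and scope strings are constructed for the example; the real enum lives in users/permissions.py.

```python
"""Per-permission OAuth scopes for a Tabbycat-style API (illustrative only).

Not Tabbycat's or django-oauth-toolkit's own code. The class below follows
the method names of django-oauth-toolkit's scopes backend so the idea maps
onto SCOPES_BACKEND_CLASS, but it imports nothing from Django.
"""
from enum import Enum


class Permission(Enum):
    # Constructed sample members; the real enum is in users/permissions.py.
    VIEW_DRAW = "view.draw"
    EDIT_DRAW = "edit.draw"
    VIEW_RESULTS = "view.results"
    ENTER_RESULTS = "enter.results"


class PermissionScopes:
    """Expose every Permission as an OAuth scope, with a human-readable
    description so the consent screen tells the end-user exactly what an
    integration will be able to do."""

    def get_all_scopes(self):
        return {p.value: f"Permission: {p.name.replace('_', ' ').title()}"
                for p in Permission}

    def get_available_scopes(self, application=None, request=None):
        # Nothing is hidden from applications here; a real backend could
        # narrow the list per application or per request.
        return list(self.get_all_scopes())

    def get_default_scopes(self, application=None, request=None):
        # Least privilege: an app that requests nothing explicit gets nothing.
        return []


def parse_requested_scopes(scope_param, backend):
    """Parse an OAuth 'scope' parameter (space-delimited, RFC 6749 §3.3) and
    reject anything that is not a known scope, so a typo in an integration
    fails loudly at authorization time rather than at the first API call."""
    requested = scope_param.split()
    available = backend.get_available_scopes()
    unknown = [s for s in requested if s not in available]
    if unknown:
        raise ValueError(f"unknown scope(s): {', '.join(unknown)}")
    return set(requested)


def missing_scopes(granted, required):
    """Return, sorted, the required scopes that the token was not granted."""
    return sorted(set(required) - set(granted))


def authorize_request(token_scopes, required):
    """Gate an endpoint on the Permission members it needs.

    Returns (status, body). On failure the body carries the RFC 6750
    'insufficient_scope' error plus the full required list and the subset
    that is missing, which is the "required scopes in the error" idea above.
    """
    needed = [p.value for p in required]
    missing = missing_scopes(token_scopes, needed)
    if missing:
        return 403, {
            "error": "insufficient_scope",
            "required_scopes": needed,
            "missing_scopes": missing,
        }
    return 200, {}


if __name__ == "__main__":
    backend = PermissionScopes()
    granted = parse_requested_scopes("view.draw view.results", backend)
    print(authorize_request(granted, [Permission.VIEW_DRAW]))
    print(authorize_request(granted, [Permission.VIEW_DRAW, Permission.EDIT_DRAW]))
```

The status code is 403 here because that is what RFC 6750 pairs with insufficient_scope; the comment above mentions 401, and either works as long as the body lists the scopes the endpoint needs.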
Unfortunately I kind of got stuck here – I got a bit stuck working out how to get the subclassing to work. I will probably try to pick this up again in the future, but if anyone else is free in the meantime feel free to pick this up instead of me.
Having an OAuth flow for linking Tabbycat instances to add-ons would increase security and UX by not having what is essentially a password being re-used, and can have the apps request the specific permissions that they'd need. It would also be a smoother process for users who'd not need to find / copy their keys, rather being redirected to accept the request.