rprospero
commented
8 years ago I've put this issue in partially because I've already started work on this project, but I wanted to get other people's opinions before I went to far down the rabbit hole.
1) Do we expire the oauth tokens?
By default, the access tokens only last for an hour. This is a security feature, as a leaked token only has a short lifespan from which it can be used to compromise an account. On the other hand, it's also a bit of a usability nightmare. While an emacs session could conceivable have a timer to continue renewing the token, having emacs closed for over an hour would mean performing the sign in process again, which is a bit clunky, despite my efforts. Plus, I'm not sure how happy I am about setting up a timed renewal within emacs.
2) How do we store tokens?
If we are using the permanent tokens, how do we store them? The simple solution there would be using the customize framework. However, this means that getting access to a user's .emacs file would also grant you access to their reddit account. Considering how common it is to put .emacs files under version control on public servers, that seems like a bad idea.
The second idea would be to store the token in the netrc file somehow. These are usually kept secret and commonly encrypted, so it would be more secure. Plus, it's at least trying to follow standard processes.
alphapapa
K0HAX
Being able to log in to the users reddit account has obvious advantages
Obviously, these are all going to be feature requests for the future, but none of them can proceed until we can log in.