pstuifzand / ekster

microsub server
GNU General Public License v3.0

Hardcoded client_id breaks authentication #29

Closed Jickelsen closed 5 years ago

Jickelsen commented 5 years ago

When trying to authenticate with a domain that uses Micro.blog as an IndieAuth provider I get the error "The redirect URL and client URL must use the same hostname." from Micro.blog instead of being redirected back to my own domain.

The url-encoded params are

client_id=https%3A%2F%2Fp83.nl%2Fmicrosub-client
me=https%3A%2F%2Fmichelsen.se
redirect_uri=https%3A%2F%2Fmicrosub.michelsen.se%2Fsession%2Fcallback

According to the spec the client_id and redirect_uri must indeed use the same hostname, unless the client_id url maintains a list of whitelisted domains. However, I see that client_id is hardcoded to https://p83.nl/microsub-client. I'm assuming this was done for a reason as there is a specific commit dealing with this but I am not familiar enough with the IndieAuth authentication flow to be sure why.
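The rule described in the report (redirect_uri must share the client_id's origin unless the client_id page publishes a list of allowed redirect URLs) as an added Go example; this is not ekster's or Micro.blog's code. The `registered` slice stands in for the redirect URLs a client_id page would publish (fetching that page is assumed to happen elsewhere), and a registered URL is accepted only on exact string match, which is an assumption of this example rather than something the issue states.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sameOrigin reports whether two parsed URLs share scheme, host and port.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Hostname(), b.Hostname()) &&
		a.Port() == b.Port()
}

// RedirectURIAllowed decides whether redirectURI may be used with clientID.
// registered holds the redirect URLs the client_id page is assumed to publish
// (hypothetical input; discovery of that list is not shown here).
func RedirectURIAllowed(clientID, redirectURI string, registered []string) (bool, error) {
	cu, err := url.Parse(clientID)
	if err != nil || cu.Scheme == "" || cu.Host == "" {
		return false, fmt.Errorf("invalid client_id %q", clientID)
	}
	ru, err := url.Parse(redirectURI)
	if err != nil || ru.Scheme == "" || ru.Host == "" {
		return false, fmt.Errorf("invalid redirect_uri %q", redirectURI)
	}
	// Same origin: the client is vouching for its own redirect target.
	if sameOrigin(cu, ru) {
		return true, nil
	}
	// Different origin: accept only a redirect URL the client pre-registered.
	for _, r := range registered {
		if r == redirectURI {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed values mirroring the parameters quoted in the report.
	ok, _ := RedirectURIAllowed("https://p83.nl/microsub-client",
		"https://microsub.michelsen.se/session/callback", nil)
	fmt.Println("hardcoded client_id:", ok) // false: origins differ, nothing registered

	ok, _ = RedirectURIAllowed("https://microsub.michelsen.se/",
		"https://microsub.michelsen.se/session/callback", nil)
	fmt.Println("client_id set to the server's own base URL:", ok) // true
}
```

The first call reproduces the rejection seen in the report: the hardcoded client_id lives on p83.nl while the callback lives on microsub.michelsen.se, and no redirect URL has been published for that client. The second call shows why deriving client_id from the server's own base URL resolves it without any registration step.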

pstuifzand commented 5 years ago

Thanks for the report. This makes sense. I will make the client_id equal to the EKSTER_BASEURL. That should do it.

It should be possible to use the microsub server without logging in on the frontend. It should be possible to use the server with something like Monocle or Together. Together has a way to preview and follow feeds in the frontend.

pstuifzand commented 5 years ago

I released a new version of the image to Docker Hub. It uses the specified baseurl as the clientID in the requests.

Jickelsen commented 5 years ago

That did it! Thanks for fixing this so quickly ✨