openSenseMap-API
Feature request: Implement oauth2 provider for third party access
I'm a little worried about the latest additions to the API – especially the possibility to log in using the username and password, which I think is a huge risk. Sharing your password with a 3rd party app will require a lot of trust in the 3rd party. I would suggest switching to OAuth2 instead so the user is secure and does not have to share the password with 3rd party API users.
Hi @alopix,
could you please enlighten us which use case you have in mind specifically for third party access?
Currently username and password are only used to obtain a JSON web token which is then used to authenticate user routes. Server side, your password is stored as a bcrypt hash. There is no need to share your credentials with someone else.
When using the API as a 3rd party, I can either ask the user to enter the API auth key they received during the sign up process (if those old keys still work) or let him log in via the provided API call, where the user basically has to share the username & password with the 3rd party (=me) as they will not call the POST request themselves. Otherwise creating an access token is not possible.
This is how the plain text password will be shared with 3rd parties, who can then just do whatever they want (if they were malicious).
The old api-keys are not used anymore.
Implementing an oauth2 provider is currently not on the roadmap, but I would be happy to review a pull request implementing such an addition.
I'll change the title of this issue to "Feature request: Implement oauth2 provider for third party access"