Mastodon: preserve scopes or update features during re-auth from user page

[MegaKeegMan]

Articles published on site have failed to post via bridgy for about the past month. In the error log, it appears that bridgy is somehow constructing a url based on the text in our photo caption, but it is not apparent why this would be happening. Here is the error:

404 Client Error: Not Found for url: https://portside.org/2023-07-11/The%20Trinity%20test%20of%20the%20Manhattan%20Project,%20the%20first%20detonation%20of%20a%20nuclear%20device,%20that%20later%20caused%20Oppenheimer%20to%20quote%20the%20Bhagavad%20Gita:%20%E2%80%9CNow%20I%20am%20become%20Death,%20the%20destroyer%20of%20worlds.%E2%80%9D%20,U.S.%20Department%20of%20Energy

That above is absolutely not the source link for my post.

However, this is the actual link of the post, and what is in the href of the u-url anchor: https://portside.org/2023-07-11/j-robert-oppenheimers-tragedy-and-ours-0

Furthermore, indiewebify seems to be validating the markup of this post: https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fportside.org%2F2023-07-11%2Fj-robert-oppenheimers-tragedy-and-ours-0

And I can verify that our markup has not changed since January. This leads me to suspect that maybe there is an issue with bridgy's parser, or there have been changes that I am unaware of that would require me to update my markup.

[snarfed]

Hi! Looks like the issue in that post is the u-photo, which Bridgy fetches in order to attach it to your Mastodon post. You have it on a div that includes both the img and the caption, so they both end up in the parsed photo property. You can see that here: https://pin13.net/mf2/?url=https://portside.org/2023-07-11/j-robert-oppenheimers-tragedy-and-ours-0

A u-* property should generally be directly on an element with href or src. More background: https://indieweb.org/photo#How_to_markup . If you move u-photo here to the img, it should work.

[MegaKeegMan]

I will try it out and report back here by the end of the day. Thanks for the quick reply.

[MegaKeegMan]

This looks to have fixed our 404 issues, but unfortunately I have unlocked a new error (or an old one) that appears to have been the topic of this other issue: #894

W 2023-08-04 17:00:08.306322+00:00 Error 403, response body: '{"error":"This action is outside the authorized scopes"}'

I am not sure if you want to re-open this other issue or if I should open a new one.

[snarfed]

Looks like your Mastodon account is disconnected: https://brid.gy/mastodon/@portside@mastodon.social . Try clicking the button to re-enable publishing?

[MegaKeegMan]

I had reconnected it just before trying this. Not sure if it did not connect properly or if it disconnected while or after this attempt?

[snarfed]

Looks like this one is a bug. Thanks for reporting! Will fix.

[snarfed]

@MegaKeegMan in the meantime, if you click on the right button on https://brid.gy/mastodon/@portside@portside.social instead of the left, that one should get you the right Mastodon permissions you need to upload pictures and post.

[snarfed]

Note to myself: the bug here is that we don't clear features when we re-auth with Mastodon. We need to do that because every time we auth with Mastodon and get an access token, it resets the approved OAuth scopes to just the ones in that latest request, ignoring any previously authed scopes. We handle this when we get a micropub token, below, but not in normal auth.

(Specifically here, this account had both listen and publish, then got disconnected, then re-authed with just listen, but features stayed the same.)

https://github.com/snarfed/bridgy/blob/b26c8859c6db927a7a30fe1fa1a8f7d4123aa06b/micropub.py#L222-L233

[snarfed]

This may have also hit https://brid.gy/mastodon/@pablo@social.lifeofpablo.com , https://console.cloud.google.com/errors/detail/CJevo86yq8qpxAE;time=P30D?project=brid-gy

[snarfed]

OK, this one was tricky, I tried a number of different paths that didn't pan out, but I think it's finally squashed now:

• when adding backfeed to an existing user, include publish feature if it's already on. this makes sure we request scopes for both.
• if SCOPES_RESET is True, when re-authing, only turn on the feature we added. don't merge in any of the others since we didn't request scopes for them.
• warn in util.maybe_add_or_delete_source that it redirects, so any code after it won't run.
• c4cff766146a0eb103cf5ebdd38c7b0ed0a4070e: show already logged in accounts on Mastodon login "choose instance" page. this should minimize unnecessary re-auths when someone's just trying to find their existing user page.

Thanks for your patience, all!