tuskyapp / Tusky

An Android client for the microblogging server Mastodon
https://tusky.app
GNU General Public License v3.0

Revert to using browser redirects for auth (or at least provide the option) #2767

Closed virtualdxs closed 1 year ago

virtualdxs commented 2 years ago

Asking users to enter third-party credentials inside a webview is bad practice for a few reasons:

The first two were mentioned in the commit message for 4d8289b2. Providing the option to use a browser redirect would resolve some of these, but ideally the webview auth feature is removed entirely as it is considered bad practice for security and UX reasons.

It has also been mentioned that reverting this would help work around issues such as #2462.

Related: PR #2371 which introduced the change


connyduck commented 1 year ago

Yes, we need to do something; logging in with the WebView seems to cause all kinds of problems. Logging in with the browser was also not perfect, mainly because it only worked with Chrome or Firefox. So we will probably need some kind of option or automatic detection.

virtualdxs commented 1 year ago

Interesting, do you know why it doesn't work with other browsers?

As a stopgap, I'd suggest adding a menu option to the current webview that redirects to the browser.

connyduck commented 1 year ago

They did not redirect back to Tusky

virtualdxs commented 1 year ago

Looks like the official app uses Custom Tabs. Seems like a good solution - wide browser support, callback whenever a navigation event happens, and shares cookies etc. with the user's browser.

connyduck commented 1 year ago

We had that as well https://github.com/tuskyapp/Tusky/blob/841373e94700a65594b5f194a550e22949cb8380/app/src/main/java/com/keylesspalace/tusky/LoginActivity.kt#L339-L363

virtualdxs commented 1 year ago

If you were using custom tabs, why did you need the browser to redirect back to you? From my understanding as long as they stay in the custom tab you should be able to capture the final redirect event, grab the token from it, and close the custom tab. (Apologies if I'm going off an incorrect assumption; I've never worked with this myself)

charlag commented 1 year ago

I think we can actually get the navigation event, which is nice

https://developer.android.com/reference/androidx/browser/customtabs/CustomTabsCallback#onNavigationEvent(int,android.os.Bundle)

Tak commented 1 year ago

Implemented in #3165
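
The browser-based login discussed in this thread, sketched as an added example (not part of the thread and not Tusky's code): the authorization page opens in a Custom Tab and the redirect comes back to the app through an intent filter, where it is checked before the code is used. The class name `BrowserLogin`, the redirect URI and the `read` scope are hypothetical, and the server is assumed to echo the standard OAuth 2.0 `state` parameter.

```kotlin
import android.app.Activity
import android.content.Intent
import android.net.Uri
import androidx.browser.customtabs.CustomTabsIntent
import java.security.SecureRandom

// Hypothetical helper. redirectUri (e.g. "exampleapp://oauth-callback/", a
// placeholder) must match an intent filter on a singleTask activity, which
// passes the Intent from onNewIntent() to handleRedirect().
class BrowserLogin(private val redirectUri: Uri) {
    // Keep this across process death (e.g. saved instance state) in a real app.
    private var pendingState: String? = null

    // Open the authorization page in the user's browser via a Custom Tab, so the
    // app never handles the password and the browser's existing session is reused.
    fun start(activity: Activity, instanceDomain: String, clientId: String) {
        val state = ByteArray(16).also { SecureRandom().nextBytes(it) }
            .joinToString("") { "%02x".format(it) }
        pendingState = state
        val authorizeUrl = Uri.Builder()
            .scheme("https").authority(instanceDomain).path("/oauth/authorize")
            .appendQueryParameter("client_id", clientId)
            .appendQueryParameter("redirect_uri", redirectUri.toString())
            .appendQueryParameter("response_type", "code")
            .appendQueryParameter("scope", "read")
            .appendQueryParameter("state", state)
            .build()
        CustomTabsIntent.Builder().build().launchUrl(activity, authorizeUrl)
    }

    // Returns the authorization code, or null when the intent is not the
    // callback this login is waiting for. The caller exchanges the code for a token.
    fun handleRedirect(intent: Intent): String? {
        val uri = intent.data ?: return null
        if (uri.scheme != redirectUri.scheme || uri.host != redirectUri.host) return null
        val expected = pendingState ?: return null
        pendingState = null // one-shot: a replayed callback is rejected
        if (uri.getQueryParameter("state") != expected) return null
        return uri.getQueryParameter("code")
    }
}
```

`CustomTabsCallback.onNavigationEvent` reports event codes such as navigation started or finished rather than the URL being loaded, which is why the redirect is received through the intent filter here.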