Publ: Development Blog

Authl v0.2.0, now in beta status!

Posted (3 months ago)

I’ve released Authl v0.2.0. Changes since v0.1.8:

  • Added support for Twitter
  • Big ol' refactor to support Twitter (see the fuller discussion below the cut!)
  • Released to beta!

And changes from v0.1.7 to v0.1.8 (which I didn’t bother to post an announcement about):

  • Fixed an incredibly minor security issue in the Mastodon client (the client_secret was leaking but in the context of Mastodon that couldn’t really be used for anything anyway)
  • Centralize/refactor the login token management, allowing for future flexibility in the service stack
  • Make callback IDs protocol-stable, which helps with some stricter services (e.g. Twitter)

So, the big ol' refactor: Previously the redirection target wasn’t part of the actual auth flow; the intention was that the site would just encode the redirection target into the callback_url parameter. This was an artifact of how the original Authl prototype was using signed URLs for the email handler, and based on a common mechanism that’s used in a lot of newer APIs in general.

However, it has a few problems:

  • Twitter (and probably other OAuth providers) require a strict match on the callback URL
  • It leaks information about what people are logging in to see
  • It assumes that the app is built in a Flasky way

So, as part of this refactor, the handler.initiate_auth() method now takes an additional parameter, redir, and it’s up to the handler to keep track of that value as part of its flow. And then that value is passed back to the app when an identity is verified, and it’s up to the application to use that value. Which ends up actually being a lot cleaner anyway, and it simplified a bunch of stuff in the default Flask handlers.

This does mean that the API has now changed in an incompatible way, thus the minor version bump, although it only affects anyone who was using Authl outside of Flask, and if anyone was using Authl outside of Flask I’d be pretty surprised. (For that matter I doubt if anyone’s been using Authl inside Flask except me!)

Anyway, another facet of the Twitter handler is that it provides the URL as https://twitter.com/username#id; for example, mine is https://twitter.com/fluffy#993171. The reason for this is that if someone changes their username, someone else could set their username to be able to log in as you. Unfortunately this does mean that if someone changes their Twitter username, their Authl user ID will also change, meaning that they will lose access to whatever access is granted to the old username. I have some ideas on how to make this work a bit better, although that’ll be part of normalizing how user profiles work (and currently user profiles aren’t actually consumed by Publ, for whatever it’s worth).

Of course in a Publ context it’s easy enough to just see that the user ID hasn’t changed and update the ACLs accordingly. It’s annoying but it’s possible (and straightforward and secure).

Anyway, I’d like to thank Kyle Mahan for having written silo.pub, as I used its Twitter handler as a reference for this implementation. And also Kevin Marks for pointing me towards it as a reference in the first place. Because holy heck it’s hard to find useful information on providing web-based Twitter login in Python!