PlaidWeb/Pushl

Support bearer authentication

Opened this issue · 2 comments

Pushl should be able to support private webmentions by supporting AutoAuth or some other bearer token mechanism.

For the actual implementation it probably makes the most sense to be able to provide a bearer token, and have a separate helper app that can fetch one. (Which is also nice for my use case because it's trivial for me to just generate a bearer token locally instead of having to go through my IndieAuth endpoint.)

Some thoughts on this: maybe add a --bearer parameter which specifies a script to call. When pushl gets a WWW-Authenticate header in a response, it does token_endpoint discovery (via <link> tag and/or Link: header) and calls the script with e.g.

bearerScript attemptedUrl scope endpoint

where scope and/or endpoint could be empty strings. Then the script can return status 0 and a bearer token to use, or status non-zero and an error message to propagate to the user. If the script provides a token, Pushl retries the content retrieval with it. Pushl should also cache the token on a per-domain basis, and provide that in the initial request.
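A sketch of the helper call and per-domain cache proposed above, as an added example that is not Pushl's own code. The names `BearerCache`, `BearerError` and `DEMO_HELPER` are hypothetical, the cache is keyed by scheme and host as an assumption, and `WWW-Authenticate` handling and token_endpoint discovery are left out:

```python
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed stand-in for the user's bearer script (argv: attemptedUrl scope endpoint).
DEMO_HELPER = [sys.executable, "-c",
               "import sys; u, scope, ep = sys.argv[1:4]\n"
               "if 'private' not in u: sys.exit('no token for ' + u)\n"
               "print('tok-' + scope)"]

class BearerError(Exception):
    """The helper exited non-zero; the message is what it printed."""

class BearerCache:
    """Per-domain token cache filled by an external helper (hypothetical API)."""
    def __init__(self, helper_argv, timeout=30):
        self.helper_argv = list(helper_argv)
        self.timeout = timeout
        self._tokens = {}

    @staticmethod
    def _key(url):
        parts = urlsplit(url)
        return (parts.scheme, parts.netloc.lower())

    def headers_for(self, url):
        """Headers for the initial request; a token is only sent to the origin it was issued for."""
        token = self._tokens.get(self._key(url))
        return {"Authorization": "Bearer " + token} if token else {}

    def fetch_token(self, attempted_url, scope="", endpoint=""):
        """Run the helper; exit status 0 plus a token on stdout means success."""
        # argv list, never a shell string: URL, scope and endpoint come from a remote response.
        proc = subprocess.run(self.helper_argv + [attempted_url, scope, endpoint],
                              capture_output=True, text=True,
                              timeout=self.timeout, check=False)
        if proc.returncode != 0:
            raise BearerError((proc.stderr or proc.stdout).strip())
        token = proc.stdout.strip()
        if not token or any(c.isspace() for c in token):
            raise BearerError("helper returned an empty or malformed token")
        self._tokens[self._key(attempted_url)] = token
        return token
```
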