not-an-aardvark/reddit-oauth-helper

Add support for all three app types

not-an-aardvark opened this issue · 0 comments

At the moment, only the "personal use script" app type is supported.

  • There should probably be a question at the beginning asking which script type is being used.
  • "installed app" app types are pretty much the same as "personal use", except that the client secret is always blank, so that question can be skipped.
  • "web app" app types are a bit trickier. The process itself is exactly the same as the "personal use script" process. However, it's possible that the app is already in use on a production server, in which case telling the user to change the redirect URI to a localhost address might not be a good idea.
    • Option 1: Prompt the user for a username/password, use cookie-based authentication to click the "accept" button, and then capture the code without going to the redirect URI.
      • Pros:
        • Simple for the user
        • No need to risk breaking a running webapp
      • Cons:
        • User might not want to enter their password into a command-line prompt
        • Using cookie-based authentication is technically against the reddit API rules, even if it's used in the process of getting an OAuth token
        • Making the user press the button on reddit ensures that they know exactly what they're granting access to
    • Option 2: Open the browser page as usual, but prompt the user for the access code rather than listening for it on a local server
      • Pros:
        • The user is able to consciously grant access on the reddit site
        • No need to ask for a password
      • Cons:
        • Getting the one-time use code can be kind of a difficult process for the user -- it's passed as a querystring parameter to the redirect URI, but the server at the redirect URI might immediately redirect the user again and remove the querystring parameter.
    • Option 3: Don't change anything, require people to change the redirect URI on the web app
      • Pros:
        • Consistent process for everything, no unnecessary complications
      • Cons:
        • If the web app authenticates end-users through OAuth, this functionality will break for a short period of time while the redirect URI is different. (Granted, the entire process of using reddit-oauth-helper probably takes a maximum of 5 minutes, but the downtime is still undesirable.)
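A sketch of Option 2 as an added example (not code from reddit-oauth-helper): build the authorize URL for the app's existing redirect URI, then pull the one-time code out of the URL the user pastes back, reporting the stripped-querystring case named in the cons. The function names, the `example.com` redirect URI in the test values and the error messages are hypothetical; the authorize endpoint and its parameters are reddit's OAuth2 ones.

```javascript
// Added example; function names and error messages are hypothetical.
const AUTHORIZE_ENDPOINT = 'https://www.reddit.com/api/v1/authorize';

// `state` must be unpredictable; the caller generates it, e.g. with
// require('crypto').randomBytes(16).toString('hex').
function buildAuthorizeUrl({ clientId, redirectUri, scope, state, duration = 'permanent' }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    state,
    redirect_uri: redirectUri, // must match the URI registered for the app
    duration,
    scope: scope.join(' '),
  });
  return `${AUTHORIZE_ENDPOINT}?${params}`;
}

// Option 2: the user pastes the URL the browser was sent to after clicking "accept".
function extractCode(pastedUrl, { redirectUri, state }) {
  let url;
  try {
    url = new URL(pastedUrl.trim());
  } catch {
    throw new Error('not a URL: paste the full address, including the query string');
  }
  const expected = new URL(redirectUri);
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    throw new Error('URL does not match the redirect URI registered for the app');
  }
  const q = url.searchParams;
  if (q.has('error')) throw new Error(`authorization failed: ${q.get('error')}`);
  if (!q.has('code')) {
    // The con listed under Option 2: the web app redirected again and
    // dropped the query string before the user could copy it.
    throw new Error('no code in URL: the site may have redirected and removed the query string');
  }
  // Reject a response that does not belong to the request this process started.
  if (q.get('state') !== state) throw new Error('state mismatch');
  return q.get('code');
}
```

The returned code is then exchanged for a token exactly as in the "personal use script" flow; nothing about the app's registered redirect URI has to change.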