So... I'm developing this frontend. To set it up to make it work, I used my account to register an application, which gave me a client_id and a secret. I used those to get an access token, which I put into my app.
Then, I used that app to log in as myself with a password grant. So far, so good.
The thing that makes me kind of uncomfortable is the realization that I can see my timeline stuff when I'm logged out...which shouldn't be happening. I put a bullshit piece of login logic up to steer anonymous users from private statuses, but this seems wrong.
So, here's my question: did I accidentally scope my entire application to access everything a single authenticated user should access? If so, what do I need to do to make this properly multi-tenant? I feel like maybe I should somehow save the resulting token a user gets after logging in to localStorage or something, and somehow make the API requests for an authenticated user use that?
#Mastodon #Pleroma #Fediverse
@sean if I'm understanding you right, yes, the localstorage method is how I handle it
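The per-visitor token handling asked about in the post and confirmed in the reply, as an added example (not code from either poster): the token from the visitor's own password-grant login is the only thing attached to requests, there is no app-wide fallback token in the bundle, and a 401 drops the stored token so the UI falls back to anonymous. The storage object, `fetchImpl`, the storage key and the requested scopes are assumptions; the endpoint paths are Mastodon's public API.

```javascript
// Per-user token handling for a browser Mastodon/Pleroma client (added example).
// Assumptions: a Web Storage-like object is passed in, `fetchImpl` is fetch-compatible.
const TOKEN_KEY = 'fedi_user_token'; // constructed key name, not from the post

// Minimal in-memory stand-in for window.localStorage (tests, server-side rendering).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function saveToken(storage, token) { storage.setItem(TOKEN_KEY, token); }
function loadToken(storage) { return storage.getItem(TOKEN_KEY); }
function clearToken(storage) { storage.removeItem(TOKEN_KEY); }

// Build fetch options for the current visitor. Only a token this visitor obtained
// by logging in is attached; an anonymous visitor's requests go out unauthenticated.
function authorizedRequest(storage, init = {}) {
  const token = loadToken(storage);
  const headers = { ...(init.headers || {}) };
  if (token) headers.Authorization = `Bearer ${token}`;
  return { ...init, headers };
}

// Which timeline the UI may show: home needs a user token, public does not.
function timelineEndpoint(storage) {
  return loadToken(storage) ? '/api/v1/timelines/home' : '/api/v1/timelines/public';
}

// Instance rejected the token (expired/revoked): drop it so the client returns to
// anonymous mode instead of retrying with a dead credential. Returns true if cleared.
function handleAuthFailure(storage, status) {
  if (status === 401) { clearToken(storage); return true; }
  return false;
}

// Password grant for the visitor's own account (the flow the post describes). The
// returned access_token is user-scoped and belongs in per-visitor storage, never in
// the shipped bundle. Request only the scopes the UI needs (assumed 'read write').
async function loginWithPassword(instance, clientId, clientSecret, username, password, fetchImpl = fetch) {
  const body = new URLSearchParams({ grant_type: 'password', client_id: clientId,
    client_secret: clientSecret, username, password, scope: 'read write' });
  const res = await fetchImpl(`${instance}/oauth/token`, { method: 'POST', body });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}
```

On a real page, pass `window.localStorage` (or `sessionStorage`, which is dropped when the tab closes) in place of `memoryStorage()`.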