[bug] scripts/auth-flow.sh does not work as described

[9ssi7]

Describe the bug with a clear and concise description of what the bug is.

In its simplest definition;

• I clone the project
• I go to the examples folder and run the docker compose up -d command
• Then I run the scripts/auth-flow.sh file from the root directory.
• Then an error like the following appears:

{
  "error": "Unauthorized: application not supplied"
}

I tried this in different ways. However, there seems to be an error in the token generation or verification part. I got an error like above in a few different ways and I can't take action.

What's your GoToSocial Version?

v0.12.2 / latest

GoToSocial Arch

arm64 Docker

What happened?

No response

What you expected to happen?

No response

How to reproduce it?

No response

Anything else we need to know?

No response

[tsmethurst]

Oh, I remember discussing this a while back as well, let me scroll back up through the chat and see if I can find what I thought was causing it...

EDIT: Right, I remember. It's a combination of two things:

1. Weird order in which we check for authorized applications/clients giving a misleading error message.
2. Email of the created user is not marked as confirmed yet when the token is created, so the verify_credentials check fails.

I hacked around it on a branch (e7dc1c1) but didn't pull any changes into main yet.

[9ssi7]

Any progress? If the work to be done is clear, I can contribute. Or if you could explain if something different needs to be done to fix it, I would appreciate it.

[tsmethurst]

No progress, but it's pretty low priority since it's just an example script. The way to fix it at least in the example is to use the admin CLI to 'confirm' the account after it's been created, then restart the instance.

We'll probably rejig this entire part of the code when we properly implement self-registration of new accounts. This current endpoint that we have now is essentially just a stub for what will come then.

But it will likely never be the case that people can self-register via the API and then immediately start using a token to post on the instance etc, without at least having to confirm their email address first. I don't think there's any fedi software that does that, and for good reason :P

[NyaaaWhatsUpDoc]

i'm going to remove this from the v0.14.0 milestone as the new authentication workflow doc better handles what this script handled initially re: teaching a user about how to authenticate an application with an account.

though i'll leave this issue open as i think this script should either be removed / improved when working on the registration flow as @tsmethurst previously mentioned. though i don't think there should be any logic changes done to how we always require email confirmation (though useful to note somewhere, if not already, this can be worked around via admin CLI commands), again as @tsmethurst mentions there's good reason for this.

[tsmethurst]

I think we can just remove that script, and close the issue. We now have the auth flow documented anyways, so the script doesn't add that much -- https://docs.gotosocial.org/en/latest/api/authentication/