Add REST API for creating an account #9572
Conversation
| @@ -68,7 +68,7 @@ def current_user | |||
| end | |||
|
|
|||
| def require_user! | |||
| if current_user && !current_user.disabled? | |||
| if current_user && !current_user.disabled? && current_user.confirmed? | |||
There was a problem hiding this comment.
This condition was unneccessary before because unconfirmed users had no way to obtain an access token.
| @@ -16,6 +17,16 @@ def show | |||
| render json: @account, serializer: REST::AccountSerializer | |||
| end | |||
|
|
|||
| def create | |||
| token = AppSignUpService.new.call(doorkeeper_token.application, account_params) | |||
| response = Doorkeeper::OAuth::TokenResponse.new(token) | |||
There was a problem hiding this comment.
This mirrors the usage of this class by Doorkeeper controllers.
|
This looks great. The only downside I can foresee is that (as you pointed out), the username and password are exposed to the app. But I don't see any way around that. Having the app show a temporary screen saying "please go click a link in your inbox" is fine, but it's a bit odd that that link will go to the main Mastodon frontend, and there's no way for the app to intercept it or at least be notified that the user is now verified. Maybe the API could accept a redirect URL as well, and the Mastodon frontend could display some text like, "Thanks for confirming your email. Application FooApp would like you to continue your signup here." |
Hm... So far it was possible to implement this PR without changing data structures or requiring apps to re-register, but I don't think an extra redirect could be made with existing parts... Need to save information that a user was created by an app to be able to do that... Plus add an extra redirect URI to apps... Unless it would be OK to redirect users to the already saved OAuth redirect URI... |
|
Hmmm, redirecting to the already saved OAuth URL would probably be fine. The app can just poke the API at |
Gargron
force-pushed
the
feature-app-sign-up
branch
from
8245896 to
322869a
Compare
|
Done |
|
I think that we need to check the rules and terms and the conditions of it instance before creating an account. What do you think? Also, how about making it possible to switch by setting ON/OFF of this API? |
An app could implement a web view to /about/more. Since rules are HTML, with potentially complex things, images, iframes, you would end up needing to render a web page anyway.
Maybe. Apps must already deal with this API missing from older versions, so there is no consistency to lose. |
Fediverse have also instances for specific topics. I think that it is heavy to let app developers handle all the measures to prevent them. This is one idea:
(I think that it is necessary to delete the registration unique ID expired periodically by cron job etc.) I think it is in vain to send it link (/about, etc.) because it is already known. |
Several servers seem to be adding reCAPTCHA to account registration of WebUI. Therefore, it seems that they want an option to disable this API. (I do not introduce reCAPTCHA, because that is difficult for me to break through.) |
The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes.
Gargron
force-pushed
the
feature-app-sign-up
branch
from
ddb6e5a to
232e3dc
Compare
There is no guarantee that an app will show anything to the user, it could just send the ID back straight away. Likewise, even without the ID an app could make the user read through that page and click "Agree"
I have been thinking about the on/off switch for this feature, and I think the admin settings UI has become too complex. Everything is in one form, that doesn't work well. I wouldn't want to add one more checkbox to it. :( |
|
Could you implement Boolean "confirmed to terms" parameter for creation API? |
I agree with that. However, WebUI has the following notation: I think that if there is no equivalent to this API, if a registered user causes trouble, it will be considered "This response is unjust because you are not showing such a document". I think that this complaint will be directed to the instance administrator, not to the application developer.
I think that there are really many items... |
Gargron
force-pushed
the
feature-app-sign-up
branch
from
b88d7d3 to
2c09d30
Compare
|
Okay, I have added required |
|
Thank you for considering! |
|
thanks a lot! |
Gargron
force-pushed
the
feature-app-sign-up
branch
from
2c09d30 to
fa5f165
Compare
Gargron
force-pushed
the
feature-app-sign-up
branch
from
fa5f165 to
2bf7bb5
Compare
|
I confirmed that I can create an account using this API. I think that it is necessary to carefully write a document, such as handling "agreement" flag later. |
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.
The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.
The method is rate-limited by IP to 5 requests per 30 minutes.
Motivation: Multiple app developers have requested this. Currently an end-user cannot just install a mobile app and start using Mastodon, they must visit the website first. This, on the other hand, would allow a fully immersive sign-up process. The mobile app can implement a server picker, etc...
Risks: The API can be used to create spam bots. However, it is just as easy for a dedicated spammer to use the HTML form to create spam bots, and this API method actually has a higher rate limit (5/30 min here vs 25/30 min). E-mail confirmation is still required, so nothing changes there...