These are chat archives for codexa/firetext

29th May 2015
Joshua Smith
@joshua-s
May 29 2015 03:44
So, it doesn't look like dropbox passes the token to the redirect url
On to the origin idea
I wish packaged hosted apps would be implemented soon :)
Daniel Huigens
@twiss
May 29 2015 10:20
Dropbox has two modes of OAuth2, one where it passes it in the query arguments and one where it passes it in the url fragment
http://tools.ietf.org/html/rfc6749#section-1.3 ("Authorization Code" and "Implicit")
Daniel Huigens
@twiss
May 29 2015 11:05
So, I sort of changed my mind and kept "Use Dropbox" for now, since it looks so much better on the button (Connect to Dropbox is just far too long).
Looks > functionality wasn't really the point of that PR, but oh well
Joshua Smith
@joshua-s
May 29 2015 15:00
I merged it!
Daniel Huigens
@twiss
May 29 2015 15:00
Cool!
Joshua Smith
@joshua-s
May 29 2015 15:03
We use implicit mode
(I don't think dropbox.js supports anything else)
Joshua Smith
@joshua-s
May 29 2015 15:16
We could use the "code" method if we implemented our own auth driver
Daniel Huigens
@twiss
May 29 2015 16:33
As a workaround you could redirect from a server-hosted page #a=1 to a virtual domain ?a=1; using origin sounds cleaner though
Joshua Smith
@joshua-s
May 29 2015 22:33
So, do you think it would be safe if I allow the following origins:
  • app://codexa.github.io/
  • localhost
  • file:///
Daniel Huigens
@twiss
May 29 2015 23:12
I think so, yes
Joshua Smith
@joshua-s
May 29 2015 23:15
Ok, I'll try that out
Daniel Huigens
@twiss
May 29 2015 23:18
Rip my dreams of using Firetext in a sandboxed iframe though
Joshua Smith
@joshua-s
May 29 2015 23:19
Why?
Daniel Huigens
@twiss
May 29 2015 23:19
I'll try to figure something out, but I might need to maintain a fork with OAuth1
It doesn't have an origin
Joshua Smith
@joshua-s
May 29 2015 23:19
Hmm, if we implement the auth code version, this issue would be moot
Daniel Huigens
@twiss
May 29 2015 23:20
How so?
Joshua Smith
@joshua-s
May 29 2015 23:21
IIRC in that mode, the user is given a code which they then input into the app
Daniel Huigens
@twiss
May 29 2015 23:21
Oh, yes, that's one possible way to implement it, and that would work
Joshua Smith
@joshua-s
May 29 2015 23:21
So we'd just launch the auth window and then present a text box
Daniel Huigens
@twiss
May 29 2015 23:21
But it's not very user friendly, and nobody else really does it that way AFAIK
Joshua Smith
@joshua-s
May 29 2015 23:22
Only issue: dropbox.js does not have a built in driver for it
That too. Although, I think the code is good for life
Daniel Huigens
@twiss
May 29 2015 23:24
Right
So do you know why in OAuth2 the origin is important and in OAuth1 it's not?
Or is that just a bug in OAuth1
Joshua Smith
@joshua-s
May 29 2015 23:28
Well, it is just for token transport security
But, we already send the token to a safe server (https://codexa.github.io/)
In the dropbox app dashboard, I have to manually whitelist redirect origins
And they are either localhost or https
Daniel Huigens
@twiss
May 29 2015 23:30
Well, I just don't understand enough about OAuth* currently, but can't we fix the problems we have with OAuth1?
Specifically, that we don't have a url to open a popup to
Can't we open a popup and redirect it once we have a url?
Daniel Huigens
@twiss
May 29 2015 23:41
Different question. So currently, with OAuth1, any app/website can request a url from our server and show a "Firetext wants to access Dropbox" popup, right?
But that isn't really a problem since the user can see it's not Firetext (by the url of the website)
So, it should be an equal amount of a problem with OAuth2
Anyway, I'll think about it more tomorrow, you probably should just merge the thing with origin