Move login to oauth.

This unifies Mastodon and Pleroma logins and makes it easier to implement SSO schemes.

added 1 commit

• 60b3e4f4 - Fix linting.

Compare with previous version

added 1 commit

• 0aa5fe9d - Remove gonsole.logg :DD

Compare with previous version

I moved the state persistence stuff around a bit so that the state will be completely loaded before the app is initialized, so we won't have those late-loading issues anymore.

added 6 commits

• 0aa5fe9d...2f11ec29 - 5 commits from branch develop
• fbe30b49 - Merge remote-tracking branch 'origin/develop' into oauth

Compare with previous version

Except for replacing login form with a button it...

At the very least I'd keep both methods for now, this feels like a downgrade, UX-wise.

I think this probably breaks login after registration, though.

I suppose it could do that.

I think I'll test it around a bit soon enough to see how broken it becomes.

We could always merge it as-is and fix it afterwards, but I don't see it as an improvement that much. SSO only somewhat matters to those who jump to and fro masto/pleromafe, and they usually do that because something is missing from FE, so i guess it's mostly for mastofe users.

Having it external simplifies development process but it really should be internal for UX reasons (it's simply more neat this way and doesn't break the state/flow), as well having it external could lead to losing opened conversation (like, trying to access the DM thread directly by URL gives you an error)

In my opinion we should either add oauth with password login form or keep old login form, with external oauth being a backup, just so if we add 2fa users opted-in to it can use external form for that until pleroma-fe adds that.

typo: should be immediately instead of immedeatly.

SSO in this case is handling scenarios where Pleroma BE brokers an authentication with a third party service (IndieAuth or perhaps some organizational SSO system like active directory). In those cases Pleroma BE isn't managing the 2FA flow, hince why the redirect-based flow is needed.

Overall I agree that such a use case is non-typical so perhaps we can default to password flow.

Either way, serious +1 for killing http basic auth.

(another commonly discussed usecase for this OAuth SSO stuff is enabling setups like pawoo, where you log into your pixiv account to gain access. this is asked about from time to time.)

added 2 commits

• b6cd4ff3 - Fix typo.
• 4d9680e7 - Re-activate registration, use oauth password flow to fetch token.

Compare with previous version

added 1 commit

• bcbaf5d7 - Linting.

Compare with previous version

This reactivates registration, which will then use the password flow to get a token and log you in immediately. With SSO schemes we can't do registration, so it won't matter that the password flow doesn't support SSO.

can we get password form back then?