Allow registering (POST /api/v1/accounts) without an app token
To register an account on Pleroma, one must POST `/api/v1/accounts`. However, this endpoint requires an `Authorization` header containing an app access token. To get that token and support registrations, the frontend must follow these steps:

- POST `/api/v1/apps` to create an app.
- POST `/oauth/token` with the app to get a token.

Finally, we have the ability to register an account:

- POST `/api/v1/accounts` with the token to register.
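The three-request flow above, side by side with the proposed single unauthenticated POST, as an added example (not code from pleroma-fe, soapbox-fe or Pleroma itself). It runs against a constructed in-memory stand-in for the three endpoints, so it works offline; the transport is a synchronous `send(method, path, {headers, body})` function that a real frontend would replace with a wrapper around `fetch()`. The `client_name`, scopes, form fields and response shapes are assumptions chosen to look like the Mastodon-style API, and captcha fields are omitted.

```javascript
// Added example: current three-request registration vs. proposed one-request
// registration, measured against a constructed fake of the Pleroma endpoints.
// Transport contract (assumption): send(method, path, {headers, body}) -> {status, body}.

// Constructed stand-in for /api/v1/apps, /oauth/token and /api/v1/accounts.
// Only faithful enough to show the request sequence; `requireAppToken`
// switches between today's behaviour and the proposed one.
function makeFakePleroma({ requireAppToken }) {
  const apps = new Map();     // client_id -> client_secret
  const tokens = new Set();   // app access tokens issued by /oauth/token
  const accounts = [];        // registered usernames
  const send = (method, path, { headers = {}, body = {} } = {}) => {
    if (method !== 'POST') return { status: 404, body: { error: 'Not found' } };
    if (path === '/api/v1/apps') {
      // App creation is unauthenticated (as the issue notes), so the app
      // table grows by one for every caller that runs this step.
      const n = apps.size + 1;
      const app = { client_id: `client-${n}`, client_secret: `secret-${n}` };
      apps.set(app.client_id, app.client_secret);
      return { status: 200, body: { ...app, name: body.client_name } };
    }
    if (path === '/oauth/token') {
      const ok = body.grant_type === 'client_credentials'
        && apps.get(body.client_id) === body.client_secret;
      if (!ok) return { status: 400, body: { error: 'invalid_client' } };
      const token = `app-token-${tokens.size + 1}`;
      tokens.add(token);
      return { status: 200, body: { access_token: token, token_type: 'Bearer' } };
    }
    if (path === '/api/v1/accounts') {
      const bearer = (headers.Authorization || '').replace(/^Bearer /, '');
      if (requireAppToken && !tokens.has(bearer)) {
        return { status: 403, body: { error: 'Invalid credentials.' } };
      }
      if (!body.username || !body.password || !body.agreement) {
        return { status: 400, body: { error: 'Missing field' } };
      }
      accounts.push(body.username);
      // Success response shape is an assumption of this model.
      return { status: 200, body: { access_token: `user-token-${accounts.length}`, token_type: 'Bearer' } };
    }
    return { status: 404, body: { error: 'Not found' } };
  };
  return { send, appCount: () => apps.size, accounts };
}

// Today's flow: create an app, exchange it for an app token, register with it.
function registerWithAppToken(send, form) {
  const app = send('POST', '/api/v1/apps', { body: {
    client_name: 'example-frontend',            // assumed name
    redirect_uris: 'urn:ietf:wg:oauth:2.0:oob',
    scopes: 'read write follow push' } });
  if (app.status !== 200) throw new Error(`app creation failed: ${app.status}`);
  const tok = send('POST', '/oauth/token', { body: {
    grant_type: 'client_credentials',
    client_id: app.body.client_id,
    client_secret: app.body.client_secret } });
  if (tok.status !== 200) throw new Error(`token request failed: ${tok.status}`);
  return send('POST', '/api/v1/accounts', {
    headers: { Authorization: `Bearer ${tok.body.access_token}` }, body: form });
}

// Proposed flow: a single POST with no Authorization header at all.
function registerUnauthenticated(send, form) {
  return send('POST', '/api/v1/accounts', { body: form });
}

// Constructed registration form; captcha fields would accompany it when enabled.
const FORM = { username: 'alice', email: 'alice@example.com', password: 'correct horse', agreement: true };

// Run both flows against both server modes and report the cost of each.
function compareFlows() {
  const today = makeFakePleroma({ requireAppToken: true });
  const a = registerWithAppToken(today.send, FORM);
  const b = registerWithAppToken(today.send, { ...FORM, username: 'bob' });
  const denied = registerUnauthenticated(today.send, { ...FORM, username: 'carol' });
  const proposed = makeFakePleroma({ requireAppToken: false });
  const c = registerUnauthenticated(proposed.send, FORM);
  return {
    todayStatuses: [a.status, b.status, denied.status], // [200, 200, 403]
    todayApps: today.appCount(),        // one throwaway app per run of the flow
    proposedStatus: c.status,           // 200
    proposedApps: proposed.appCount(),  // 0: nothing left behind in the app table
  };
}
```

`compareFlows()` shows the point the issue makes: every run of the current flow leaves a new row in the app table while adding nothing the registration step checks beyond "some app token exists", and the unauthenticated variant only works once the server stops demanding that token.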
This has a number of problems. If you repeat these steps on every pageload like pleroma-fe does, you'll end up with 100Ks of apps in your database. If you store the app in localStorage like soapbox-fe, you'll have to handle failures of expired app credentials by writing code to deal with all kinds of cases.
I contend that the `Authorization` field on POST `/api/v1/accounts` brings no additional value to this endpoint. It's just extraneous HTTP requests that make the frontend slower to load. The main concern with POSTing accounts is spam, but the new captcha-by-default feature mitigates that, and creating an app was never a solution anyway since you can create apps unauthenticated.
With !2430 (merged) returning the vapid key in `/api/v1/instance`, there's now even less of a reason to create an app.
So what I'm proposing is this: allow POSTing to `/api/v1/accounts` unauthenticated, without an `Authorization` header or app token.