Let the OAuth form remember you
Mastodon has something like this:
Because Pleroma only deals with auth tokens and not sessions cookies, you have to log into the OAuth form every time, even if you're already logged into Pleroma FE or Soapbox FE:
The way I can imagine solving it is like this:
- When the user authenticates through the API, from any frontend, the server sends back a session cookie with the JSON response.
- The OAuth form reads the session to determine the user.
I don't have the specifics of this nailed down quite yet. I think it makes sense to set cookie the alongside a successful json response from POST /oauth/token
. Haven't decided whether it makes sense to set the user ID or the auth token in the cookie.