@fluffy I'm fuzzy on your Fediverse login option. I like the OpenID feel, but it asks if I want to grant YOU access to my account, which sounds like a giant security risk. I'm sure you're a really nice person, but I barely trust myself to log in to my account 😉

@mcrocker I only request the 'profile' scope (basically the bare minimum to see that you've logged in), and don't get any access to reading or writing your timeline. It also drops the permissions immediately. Unfortunately the Mastodon OAuth thing isn't terribly informative about that.

@mcrocker I don't know what it shows on your instance but on mine it shows that it's only requesting read-only access to "account" which is poorly-named.

I recognize that people are putting trust in it by authorizing the transaction and I can't do anything about how little information the permission request screen shows.

If only everyone supported IndieAuth this wouldn't be an issue.

@mcrocker Oh, my bad, actually it looks like I *am* requesting the 'account' scope instead of just 'profile.' I wonder if the scope names changed since I wrote the code. I'll work on fixing that, hopefully it'll seem friendlier!

@mcrocker Ah yeah the 'profile' scope is new to Mastodon 4.3. Unfortunately that means that it might not work for folks who haven't upgraded their instances yet. But the 'profile' scope is definitely the right one to request regardless.

@fluffy Agreed. It's not very clear. The text in mine is the same:

> Authorization required
> busybee would like permission to access your account. Only approve this request if you recognize and trust this source.

> Review permissions
> Accounts
> Read-only access

@mcrocker I just updated Authl to only request `profile` scope and it seems to work with my Mastodon instance. So now this is what it looks like. Hopefully that clears up any confusion!

@fluffy Wow! Real time bug fixing 😎

I see it now, but it's very subtle. The only difference is one extra line before the last:

> Your Mastodon profile

So instead of blanket read-only access, which is basically the default even with no login, it's read-only access to the profile. So good job! 💚

@mcrocker It was a pretty simple change in code I wrote to begin with, so not a big deal. Thanks for letting me know about the UX issue!
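The scope choice discussed in this thread, as an added example that is not part of the conversation and not Authl's own code: request `profile` where the instance advertises it, fall back to a read-only accounts scope on older instances, and refuse a token that carries more than was asked for. Assumptions: the instance publishes its scopes in a `/.well-known/oauth-authorization-server` metadata document, an instance without one is treated as pre-4.3, the fallback scope is `read:accounts`, and the host names, client ID and sample metadata are constructed.

```python
import secrets
from urllib.parse import urlencode

# Narrowest first: 'profile' (Mastodon 4.3+), then the assumed fallback
# 'read:accounts' for instances that have not upgraded yet.
PREFERRED_SCOPES = ("profile", "read:accounts")

# Constructed sample metadata documents (not captured from real servers).
SAMPLE_NEW = {"scopes_supported": ["read", "write", "read:accounts", "profile"]}
SAMPLE_OLD = None  # older instance: no metadata document available


def choose_scope(metadata):
    """Return the narrowest login scope the instance advertises."""
    supported = set((metadata or {}).get("scopes_supported", []))
    for scope in PREFERRED_SCOPES:
        if scope in supported:
            return scope
    return PREFERRED_SCOPES[-1]  # nothing advertised: assume pre-4.3


def build_authorize_url(instance, client_id, redirect_uri, scope):
    """Return (url, state) for the authorization-code request."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value, compare on callback
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"https://{instance}/oauth/authorize?{query}", state


def granted_scope_ok(token_response, requested):
    """Accept a token only if it carries no more than was requested."""
    granted = set(token_response.get("scope", "").split())
    return bool(granted) and granted <= set(requested.split())


if __name__ == "__main__":
    scope = choose_scope(SAMPLE_NEW)
    url, state = build_authorize_url(
        "mastodon.example", "CLIENT_ID_PLACEHOLDER",
        "https://login.example/callback", scope)
    print(scope, url)
```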