Commit e846215e authored by Eugen Rochko

Update content/posts/2019-10-04_App-sign-up-how-to.md

parent 4bea58cc
Pipeline #849 passed with stages in 20 seconds
...@@ -19,20 +19,20 @@ To proceed, your app must already be registered / self-register with the given s ...@@ -19,20 +19,20 @@ To proceed, your app must already be registered / self-register with the given s
As a refresher, given that you have already registered the app to get a `client_id` and `client_secret`, to obtain a "client credentials" grant, you just have to perform a `POST /oauth/token` request with the params `grant_type=client_credentials`, your `client_id` and `client_secret`, and `scope=write:accounts` (or whatever scopes you need). As a refresher, given that you have already registered the app to get a `client_id` and `client_secret`, to obtain a "client credentials" grant, you just have to perform a `POST /oauth/token` request with the params `grant_type=client_credentials`, your `client_id` and `client_secret`, and `scope=write:accounts` (or whatever scopes you need).
You then need to collect the following information from your user: You then need to collect the following information from the new user:
- `username` - `username`
- `email` - `email`
- `password` - `password`
You must ask the user to agree to the server's terms of use and privacy policy, and record that agreement in the boolean `agreement` param. If you know what the user's language is, you can pass that information in the `locale` param. You must ask the user to agree to the server's terms of use and privacy policy, and record that agreement in the boolean `agreement` param. The URLs for the terms and privacy policy are `/about/more` and `/terms` so you can just let the user open them in a browser, or render them in a web view. If you know what the user's language is, you can pass that information in the `locale` param (but make sure the locale is something Mastodon supports, otherwise the API request will fail with a HTTP 422 error).
If the `GET /api/v1/instance` API has returned a true `approval_required` attribute, there is an additional piece of information you should ask from the user: `reason`. Because the user's sign-up will be reviewed by the server's staff before being allowed, you must give the user an opportunity to describe themselves and why they should be allowed onto the server. If the `GET /api/v1/instance` API has returned a true `approval_required` attribute, there is an additional piece of information you should ask from the user: `reason`. Because the user's sign-up will be reviewed by the server's staff before being allowed, you must give the user an opportunity to describe themselves and why they should be allowed onto the server.
You must then submit those params to `POST /api/v1/accounts` (authenticated with the app's access token). You must then submit those params to `POST /api/v1/accounts` (authenticated with the app's access token). You will need to handle a potential HTTP 422 response from the API in case the user has entered invalid information (like an already taken username).
What you will receive in return will be an access token, identical to what you would get from a standard OAuth authorization procedure. The access token allows your application to use the API of the server on behalf of the registered user. On success, what you will receive in return will be an access token, identical to what you would get from a standard OAuth authorization procedure. The access token allows your application to use the API of the server on behalf of the registered user.
However, the token will be **inactive** until the user confirms their e-mail. The link in the confirmation e-mail will actually redirect them back to your application when possible. Of course, if staff approval is required, the token will remain unusable until the account has been approved. However, the token will be **inactive** until the user confirms their e-mail. The link in the confirmation e-mail will actually redirect them back to your application when possible. Of course, if staff approval is required, the token will remain unusable until the account has been approved.
Trying to use an inactive access token will return a HTTP 403 error. Trying to use an inactive access token will result in a HTTP 403 error.
\ No newline at end of file \ No newline at end of file
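Review bot: the added sentence in the `agreement` paragraph, "The URLs for the terms and privacy policy are `/about/more` and `/terms`", is ambiguous about which path is which, since a reader will pair them positionally; state explicitly which page is the terms of use and which is the privacy policy so a client does not present the wrong document to the user before recording their consent. Related: the same paragraph now says an unsupported `locale` makes `POST /api/v1/accounts` fail with HTTP 422, while the later addition tells readers to handle 422 as "the user has entered invalid information (like an already taken username)"; the two sentences together invite treating every 422 as a user error, so the second should say to inspect the error body to distinguish a client-side bug (bad `locale`, missing `agreement`) from genuinely invalid user input before showing the user a message such as "username taken".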