OAuth 2 flow for imgur in Discourse plugin

Hi,

I’m building a very specific plugin for our discourse instance and had a few questions.

At some point, the plugin will have to send a collection of our discourse topic images to Imgur. The part that gathers those images is already done.

Now I’m trying to authenticate on the Imgur API using their OAuth2 flow. I already created an admin UI for the plugin which allows you to press a button and authorize the plugin on your Imgur account. Once the user logs in, a callback URL (set up as my discourse instance and a specific route I created in the plugin) is called with the access token (see example).

http://localhost:3000/admin/plugins/plugin_name/callback#access_token=<token>&...

My question is how can I get this token back? I have no idea where to begin.

My understanding is that since the token is returned in a hash parameter, it has to be done on the JS side. I tried to set up a controller and a route for my callback URL but cannot figure out how to read the URL (and the hash part in particular) from there. (I haven’t found anything helpful in the Ember.js docs or on Stack Overflow.) I tried to set up different event listeners but they never seem to trigger.

My second question is, where should I store the token and refresh token? Can I save it as a system setting from the plugin? I heard about the PluginStore but it’s accessible only in Ruby (which would mean creating an endpoint for the client to send these tokens to the server). Also, is it safe from a security point of view?

Thanks!

Edit: I had a typo in my route filename, missing an s, that’s why nothing was fired…
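An added example (not code from this thread or from Discourse itself) of the client-side half of what the question describes: read the `#access_token=...` fragment on the callback route, scrub it from the address bar, and hand the tokens to a server endpoint so they end up in PluginStore instead of in browser storage. The endpoint path is a hypothetical placeholder, and the `account_username` field is assumed from Imgur's documented response; the thread only shows `access_token`.

```javascript
// Hypothetical plugin endpoint; the Ruby side would write the tokens to PluginStore.
const TOKEN_ENDPOINT = "/admin/plugins/plugin_name/imgur_token";

// Parse "#access_token=...&expires_in=...&refresh_token=..." into a plain object.
// Returns null when the fragment is not a usable token response (denied access,
// missing fields, malformed expiry), so the caller never stores a partial token.
function parseImgurFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const accessToken = params.get("access_token");
  const refreshToken = params.get("refresh_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || !refreshToken || !Number.isInteger(expiresIn) || expiresIn <= 0) {
    return null;
  }
  return {
    accessToken,
    refreshToken,
    expiresIn, // seconds, as Imgur reports it
    tokenType: params.get("token_type") || "bearer",
    accountUsername: params.get("account_username") || null, // assumed field
  };
}

// Runs on the plugin's callback route. `location`, `history` and `post` are
// injected so the logic can run outside a browser; in the plugin pass
// window.location, window.history and `ajax` from "discourse/lib/ajax".
function handleImgurCallback({ location, history, post }) {
  const token = parseImgurFragment(location.hash);
  if (!token) {
    return { stored: false, reason: "no usable token in fragment" };
  }
  // Drop the fragment right away so the token does not linger in the URL bar,
  // browser history, or anything else that reads location.hash later.
  history.replaceState(null, "", location.pathname + location.search);
  // Same-origin POST over the admin's Discourse session (CSRF-protected);
  // the server stores the tokens and the browser keeps no copy.
  const request = post(TOKEN_ENDPOINT, {
    access_token: token.accessToken,
    refresh_token: token.refreshToken,
    expires_in: token.expiresIn,
  });
  return { stored: true, username: token.accountUsername, request };
}
```

Call `handleImgurCallback` from the route's `activate()` hook (or a `didInsertElement` on the callback component) so it fires once the page for the callback URL is rendered.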

You won’t be able to achieve this over http to localhost. You are going to need to simulate https with a tool like https://ngrok.com/ or run your dev server in the cloud in https mode with a domain.

I thought I’d need that too but I do get redirected properly to my local url and see the token in the url.

Yes, you are right, the client can use http. The issue is that it can be intercepted and the tokens read, so there is no point in using OAuth2 in the first place :). I would personally also feel more comfortable working with the full final protocol in dev so I know my code works.

Oh yeah, I definitely agree, this was only for dev purposes at this point. Of course, in prod I’d use https 🙂
