Collection project user filter management webapp with PKCE OAuth flow

Before I go attempt to write something like this, has anyone developed the idea to batch add users in the collection project filters any further? See @pisum’s suggestion (and example code for the OAuth stuff) to make a single-page app with PKCE OAuth flow here: https://forum.inaturalist.org/t/batch-add-users-to-collection-project-filters/8086/4

The iNat Discord has several projects managed by the Discord mod team. Whether or not the users actually follow the projects, if they indicated to us that they wanted to be included, we add them to our rules so their observations are included. Each year, we prune enrollment so it continues to reflect who is actively still participating on Discord.

Given that as background, “Project Members Only option” that @tiwane suggested wouldn’t work for our use case:

  • Our user rules are based on Discord activity, not project membership.
  • Our team would like to do periodic reviews of the iNat Discord server membership and handle changes to the Discord iNat project user rules based on their current status effortlessly.
  • I’d rather not have my iNaturalist Discord bot do any authenticated requests, but it could easily produce the list of iNat user_ids for the SPA to consider.

Therefore, I’m considering actually writing something like this, but don’t want to duplicate work already done. Any suggestions for existing code I could look at that resembles (even vaguely) a solution to this problem in any fashion?

a few thoughts:

  1. in that earlier thread, i mentioned that i didn’t think there was an endpoint that would allow you to modify project rules. i still don’t see a documented endpoint that would allow you to do this, but when i set some breakpoints on the collection project edit page to see what’s happening when i click the save button, i can see the changes to the rules are included in a PUT request to https://api.inaturalist.org/v1/projects/{id}. so i guess that’s the endpoint that would be used for what you’re describing… but, again, the endpoint is not documented (unless i’m just totally missing it). i’m not sure if the lack of documentation is on purpose (to indicate that we shouldn’t use that endpoint) or whether it’s just an oversight…
  2. the original reason i suggested the PKCE flow in that other conversation is that the original poster there seemed to be saying he wanted to make a single-page type of application (because that’s the kind of development he was comfortable with, i think). i don’t think you’re necessarily limited to this approach. so if you wanted to make another kind of application, you could employ other flows (or maybe even other ways to make authenticated requests).
  3. i personally haven’t made anything to mess with project setups.

Ideally I don’t want to write any (or very much) code outside of the bot, and the bot code would do most of the work. It’s just when it comes time to handle the auth, I don’t want the bot to actually store any credentials for the user.

It would be great if, apart from authenticating on the web and having the web page do the final authenticated submit of the request, I write very little JS at all. Are you suggesting there could some other way to do this without ever leaving my python bot code to do that last bit, the authenticated submit to the API (even if it is unofficial)?

But if JS code needs to be involved, it’s not like I haven’t written any before. In dayjob I do some Vue.js development. Also, visual presentation of a huge number of records at once really isn’t Discord’s strong suit. It tends to be done in a slow/klunky fashion. So maybe a web page that shows them all, perhaps with just a column of checkboxes to include/exclude individuals from the operation before the final review/submit, might not be a bad way to work around the klunkiness.

hmmm…

so just to make sure we’re on the same page, the only user that will be authenticated will be a project admin, right?

i’m not 100% sure how your bot works, but i assume that since it’s written in Python, you have a server for it that you can control (to securely store your app secret). if that’s true, then you can employ a more typical authorization flow, i think. my understanding is that PKCE is sort of a least bad option if you don’t have a means to securely store an app secret.

… but maybe this is horse before wagon stuff. first, if this is to work at all, you need confirmation / verification that you will be able to PUT to that endpoint.

True. I do need to sort out the PUT stuff first.

Yes, the only user to auth is a project admin. However, there are multiple project admins to share the workload (and more importantly, cover making changes that occur at different times of day in different timezones, as we are an international community). That’s why I was a bit concerned about handling credentials for all of them.

As for secure storage, no, I don’t have that. I do have a server that is under my administrative control that the bot runs on. The bot framework has this: https://docs.discord.red/en/latest/framework_apikeys.html . Any keys saved via this method are stored in plaintext in a json config file. If I wanted anything more secure than that, I’d have to store it some other way.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.