vydd.space/2022/08/openid-connect

OpenID Connect

I've decided to use OAuth 2 and OpenID Connect to restrict access to certain parts of the website. Also, I've started a new section because this won't have much to do with Instagram - it's going to be a general mechanism which I'm hoping to use in a generic way. Here's the flow I have in mind:

  1. Restricted parts of the website can be full pages, or something as granular as a single image or a file.
  2. When a Visitor tries to access such a restricted part of the website, they are presented with the well known "log in with google / facebook / twitter / what have you" form.
  3. After completing the flow, the Visitor is put on the waitlist, of which I'm notified.
  4. I can then decide if I want to let the person in or not. If I do, they get an email notifying them that they are not in the waitlist anymore, and they can see the content.

This should sound familiar to anyone who's ever requested access to a Google Doc.

It seems simplest to start by using a well-maintained auth library such as authlib, so that's what I'm going to do, at least for the prototype. Going forward, I would like to invest in rebuilding that using Common Lisp. I'm also going to use this tutorial to set up everything.

To start, the program is going to be simple. The program will keep a list of ids retrieved from OIDC providers in memory, backed up to a single text file, and cookies will be used to store encrypted session data necessary to decide if access restrictions should apply. I haven't used cookies in a while due to the whole world moving to "stateless", so maybe this is not how it should be done. I am expecting to find some problems with session durations and the opportunity for sessions to be stolen, but that bridge will be crossed later.

Authlib seems really nice. The example they give for integrating OAuth 2.0 login with Flask just works. I've created a page here which I'm going to use for testing. Feel free to take a look while you can!

Sometimes I feel like I understand Git, and then it just knocks me down with its dark magicks. Why is something like git config receive.denyCurrentBranch updateInstead regarded as - sane? Have a look at the documentation, then think about the time your team fought over naming, and be glad none of your teammates suggested anything as ridiculous as this. Why am I talking about Git arcana? I just want to push the auth server code to the server.

In other news, old tricks for quick development cycles still work. Whenever I need to integrate with webhook APIs, or with something like the OAuth 2.0 provider I'm integrating with now, I just make an SSH tunnel using ssh -N -R 8000:127.0.0.1:5000 vydd.space, and let nginx forward the traffic I want to handle to port 8000. Easy.

Not much progress today. I've updated Python on this server to 3.8 - a more recent version needs an update to the operating system itself. I've also written a script for manual user approval. It's nothing spectacular; it outputs emails of people who are in the waiting state, and it approves those whose emails I type in.
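To make the two pieces above concrete (the in-memory id list backed by a text file, and the cookie that decides whether restrictions apply, plus the approval script that lists waiting emails and approves the ones typed in), here is an added sketch in plain Python. It is not authlib's code and not the site's own auth server; the secret, the sample identity and the file layout are constructed for the example. Two choices differ from the post's wording and are deliberate: identities are keyed by issuer plus subject (the OIDC `sub` claim is only unique within one provider, and an email address is neither stable nor necessarily verified), and the cookie is signed with an HMAC and carries an expiry rather than being encrypted, since nothing in it is secret; what a stolen-cookie problem needs first is integrity and a bounded lifetime.

```python
"""Added sketch of the access gate (stdlib only; not authlib's or the site's own code)."""
import base64, binascii, hashlib, hmac, json, os, tempfile, time

SECRET = b"placeholder-load-32-random-bytes-from-the-environment"  # constructed value
SESSION_TTL = 24 * 60 * 60  # seconds a cookie stays valid
WAITING, APPROVED = "waiting", "approved"


class Waitlist:
    """OIDC identity -> (email, state), keyed by issuer+subject: 'sub' is only
    unique per issuer, and an email is neither stable nor always verified."""

    def __init__(self, path):
        self.path, self.users = path, {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                for line in filter(str.strip, fh):
                    key, email, state = line.rstrip("\n").split("\t")
                    self.users[key] = (email, state)

    def _save(self):
        tmp = self.path + ".tmp"  # write then rename, so a crash never leaves a torn file
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.writelines(f"{k}\t{e}\t{s}\n" for k, (e, s) in self.users.items())
        os.replace(tmp, self.path)

    def join(self, issuer, subject, email):
        """Called once the OIDC flow completes; unknown identities start as waiting."""
        if any(c in f for f in (issuer, subject, email) for c in "\t\n|"):
            raise ValueError("unsafe character in identity field")
        key = f"{issuer}|{subject}"
        if key not in self.users:
            self.users[key] = (email, WAITING)
            self._save()
        return self.users[key][1]

    def waiting_emails(self):
        return sorted(e for e, s in self.users.values() if s == WAITING)

    def approve(self, email):
        """Approve every waiting entry with this email; returns how many changed."""
        hits = [k for k, (e, s) in self.users.items() if e == email and s == WAITING]
        for k in hits:
            self.users[k] = (email, APPROVED)
        if hits:
            self._save()
        return len(hits)

    def is_approved(self, issuer, subject):
        return self.users.get(f"{issuer}|{subject}", ("", ""))[1] == APPROVED


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session(issuer, subject, now=None):
    """Cookie = b64(payload).b64(HMAC-SHA256(payload)): nothing secret is stored,
    so integrity plus an expiry is what matters here, not confidentiality."""
    exp = int((time.time() if now is None else now) + SESSION_TTL)
    payload = json.dumps({"iss": issuer, "sub": subject, "exp": exp}, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def read_session(cookie, now=None):
    """Payload dict, or None when the cookie is malformed, forged or expired."""
    try:
        enc_payload, enc_sig = cookie.split(".", 1)
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None  # constant-time check; a tampered or forged cookie stops here
    data = json.loads(payload)
    return None if data.get("exp", 0) <= (time.time() if now is None else now) else data


def may_view(waitlist, cookie, now=None):
    """The check a restricted page or file runs before serving anything."""
    data = read_session(cookie, now)
    return data is not None and waitlist.is_approved(data["iss"], data["sub"])


def run_demo():
    """Full flow against a temp file; returns (waiting before, waiting after, access)."""
    with tempfile.TemporaryDirectory() as tmp:
        wl = Waitlist(os.path.join(tmp, "waitlist.tsv"))
        wl.join("https://accounts.google.com", "1234567890", "visitor@example.com")  # constructed
        before = wl.waiting_emails()
        wl.approve("visitor@example.com")
        restarted = Waitlist(wl.path)  # the auth server coming back up, reloading the file
        cookie = make_session("https://accounts.google.com", "1234567890")
        return before, restarted.waiting_emails(), may_view(restarted, cookie)
```

The approval script from the post maps onto `waiting_emails()` and `approve()`; `run_demo()` walks one visitor through join, approval, a restart that reloads the text file, and finally the cookie check. The cookie must still be set with `Secure`, `HttpOnly` and a `SameSite` attribute by the web framework, and the expiry here is the only thing limiting how long a copied cookie stays useful.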

Following is working! Now I need to set up the auth server service so that it always runs in the background and that it's restarted when it inevitably crashes. Gunicorn has extensive deployment docs, so I'm just going to try to copy that. If it wasn't obvious already, I would completely fail at this without a search engine.

I managed to stop myself from adding a random image depicting success. You are going to get a random code dump though:

    $ service space.vydd.auth status
    ● space.vydd.auth.service - vydd.space auth server

This means that my auth service is happily serving auth logic, supervised by systemd. Remember that page I linked before? If you try accessing it now, you'll be greeted with a rudimentary follow page which will let you use your Google account to get on the waiting list. As there is no notification system set up yet, you will need to notify me that you are on the list manually. While you are waiting to see the page, I'll continue working on migrating photos from Instagram.
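For the "always runs in the background and gets restarted when it crashes" part, here is an added example of a systemd unit for the service named in the status output above. It is not the post's own unit file and is not copied from Gunicorn's deployment docs; the service user, the paths under /srv/auth, the env file and the app module name are assumptions. The bind address matches the port nginx already forwards to, and the hardening directives keep the process from doing more than serving auth logic.

```ini
# /etc/systemd/system/space.vydd.auth.service  (added example; paths are assumptions)
[Unit]
Description=vydd.space auth server
After=network.target

[Service]
# Dedicated unprivileged account and working directory (assumed names).
User=auth
Group=auth
WorkingDirectory=/srv/auth
# Loopback only: nginx is the only thing that should reach the app.
ExecStart=/srv/auth/venv/bin/gunicorn --bind 127.0.0.1:8000 --workers 2 app:app
# Come back after a crash, but not in a tight loop.
Restart=on-failure
RestartSec=5
# OIDC client secret and cookie key live in a root-owned file, not in the unit.
EnvironmentFile=/etc/auth/secrets.env
# Sandboxing: no privilege escalation, read-only OS, hidden /home, private /tmp;
# only the waitlist file's directory stays writable.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/srv/auth/data

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl enable --now space.vydd.auth`, `journalctl -u space.vydd.auth` is where the inevitable crash shows up, and `systemd-analyze security space.vydd.auth` reports which exposure the sandboxing directives still leave open.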