Just witnessed the new authentication flow on matrix.org in Element and it's so bad it managed to scare me that I somehow got phished, doesn't handle multiple profiles and doesn't work at all when there's no handler registered in the user's browser (there's no fallback!). I'm also amazed at how it launches the auth flow in an external browser (causing all these issues) despite Electron being... a browser.
@dos Eh, that's just SSO/OAuth2, I don't really see the problem with it?
@bart And that's just the beginning - just clicking on the button that initiated the passing of the token was enough for it to consider it consumed, so it errored out on retry - but that did not stop it from considering the session active and listing it in the panel, with "last activity" suggesting that the authentication actually succeeded somewhere else 😱
@bart Compare it to, for example, the flow in Tuba and Mastodon, which tries to do the same thing by default, but recognizes that it may not work and gives you the option to copy the authorization token back to the app manually. No such thing in Element.
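Added example, not code from Element, Tuba or Mastodon: a toy OAuth 2.0 authorization-code client (with PKCE) and a mock authorization server that show the two behaviours the posts above ask for. A code is single-use, so a retry is rejected by the server and the client leaves the session inactive instead of listing it as logged in; and when no browser handler is available the client falls back to letting the user paste the code (or the whole redirect URL) back by hand. The server, the loopback redirect URI and every other name here are constructed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class MockAuthServer:
    """Stand-in for the identity provider (constructed). Codes are deleted on
    first redemption, so replaying a redirect fails with invalid_grant."""

    def __init__(self):
        self.pending = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, challenge: str, redirect_uri: str, state: str) -> str:
        code = secrets.token_urlsafe(16)
        self.pending[code] = (challenge, redirect_uri)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, code: str, verifier: str, redirect_uri: str) -> dict:
        entry = self.pending.pop(code, None)  # single use: gone after first attempt
        if entry is None:
            raise PermissionError("invalid_grant: code unknown or already consumed")
        challenge, uri = entry
        if challenge != pkce_challenge(verifier) or uri != redirect_uri:
            raise PermissionError("invalid_grant: PKCE or redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class DesktopClient:
    """Hypothetical desktop client. The session becomes active only after the
    token exchange succeeds, and a missing browser handler degrades to a
    manual paste box instead of a dead end."""

    REDIRECT_URI = "http://127.0.0.1:8080/callback"  # constructed loopback redirect

    def __init__(self, server: MockAuthServer, browser_available: bool = True):
        self.server = server
        self.browser_available = browser_available
        self.session_active = False
        self.access_token = None
        self.last_error = None
        self._verifier = None
        self._state = None

    def start_login(self) -> tuple:
        """Returns ('browser', url) to open externally, or ('manual', url) to
        display next to a paste box when no URL handler is registered."""
        self._verifier = secrets.token_urlsafe(32)
        self._state = secrets.token_urlsafe(12)
        url = self.server.authorize(pkce_challenge(self._verifier),
                                    self.REDIRECT_URI, self._state)
        return ("browser" if self.browser_available else "manual", url)

    def finish_login(self, redirect_or_code: str) -> bool:
        """Accepts the full redirect URL (browser path) or a bare pasted code
        (manual path). Returns True only when a token was actually issued."""
        if self._verifier is None:
            self.last_error = "login not started"
            return False
        parsed = urlparse(redirect_or_code)
        if parsed.query:
            params = parse_qs(parsed.query)
            code = params.get("code", [None])[0]
            state = params.get("state", [None])[0]
            if state != self._state:  # redirect not bound to this login attempt
                self.last_error = "state mismatch"
                return False
        else:
            code = redirect_or_code.strip()  # user pasted the code by hand
        if not code:
            self.last_error = "no code"
            return False
        try:
            token = self.server.token(code, self._verifier, self.REDIRECT_URI)
        except PermissionError as exc:
            self.last_error = str(exc)  # session stays inactive; UI must say so
            return False
        self.access_token = token["access_token"]
        self.session_active = True
        return True
```

The important detail is that `session_active` is set in exactly one place, after `token()` returns: a consumed code produces a visible error and no phantom "active" entry in a sessions list. The manual path skips the `state` check because the user, not a redirect, carried the code back; the PKCE verifier still binds the code to this client instance.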
@bart It turned out to be just a careless OAuth implementation, but it did manage to scare me for a moment.