Migrating to OAuth Authentication

[Silarn]

This supplants #2302

This replaces the old API key authorization loop in favor of the newer OAuth authentication system.

For backwards compatibility, it is still able to load and use the old API key if set but will prefer any stored OAuth credentials.

It is still possible to manually enter an API key if desired.

So far as I can tell, all the v1 endpoints are functional with the OAuth token (with the exception of the 'validation' endpoint that requires an API key).

This is also a stepping stone to being able to use the GraphQL and v3 REST APIs which should allow us to implement collections fetching as well...

[Al12rs]

Should we not still have the equivalent of these methods for the API key?
I think these are currently doing a mix for both?

[Al12rs]

I think this was probably meant to be an OR

Suggested change

	return !m_accessToken.isEmpty() && !m_apiKey.isEmpty();
	return !m_accessToken.isEmpty() || !m_apiKey.isEmpty();

[Al12rs]

We should add a m_refreshing guard to avoid having multiple API calls refreshing the token simultaneously, we could end up saving the wrong token or weird shenanigans.

[Al12rs]

if (m_tokens.accessToken.isEmpty()) was already checked a few lines above, unless it can have changed in the mentime?

[Silarn]

This can probably be folded into an 'else'. We can only reach this point assuming at least one access token or api key is available. So some of these checks are to determine which flow we're using. Of course, if we separate these flows further that isn't needed.

[Al12rs]

Should we revoke the tokens as well?

[Silarn]

Well, they will also expire after a while but I suppose that's probably a good idea.

[Silarn]

@Al12rs A couple questions. The original code (as well as Vortex when I checked it) indicated there would be a 'token_type' attribute, but when I was getting the values from the response I didn't see that anywhere. Does this still get sent?

Also, are there API limits with OAuth / GraphQL? I didn't see any headers like the V1 API includes. But if they do still exist it would be good to make sure we're accounting for them.

[Silarn]

From @Al12rs on discord:

The refresh POST in refreshTokensBlocking, the PKCE injection in the login, and some of the expiry/token tracking duplicate stuff that QOAuth2AuthorizationCodeFlow already does for us out of the box (especially on Qt 6.11, PKCE is automatic and the flow can add the bearer header to outbound requests itself).

My preference would be to lean on QOAuth2AuthorizationCodeFlow as the source of truth, keep a single long lived flow instance, seed it from storage on startup, and let it handle refresh and header injection. We'd still need some custom code for the legacy APIKEY fallback and single flight guard, but a lot of the manual HTTP would just go away.

@aglowinthefield 's original PR was based on 2.5.2 and old Qt so was probably mostly accurate for the time. I'll admit I didn't look that much into how those classes had changed over the past several Qt versions. That being said, there's certainly some Qt version checking we don't need to maintain, and I'll take a look at the QOAuth2AuthorizationCodeFlow stuff when I have time.

[Silarn]

I wasn't sure how long the token would last but it looks like it expired now and I ran into issues on startup so let me look at this and fix it up. I'll try to clean up the 'login' class considering the above.

[Silarn]

We're still doing CI on 6.7.3 - I'm using functions added in 6.9.0, so mob will need to be updated to 6.11.0.

[Pickysaurus]

Noting original ticket here: #2276
I am in the process of getting an OAuth client ID added for MO2 on the Nexus Mods side.

You will need to add PKCE if you haven't already: https://modding.wiki/en/api/oauth2-guide

[Silarn]

@Pickysaurus Well the original PR implemented it manually, but implementing PKCE is the default behavior in Qt as of 6.8.

This PR functions, I've been using it.

As of now the applicaition ID is set to default to 'modorganizer2' though it can be set by an environment variable. If you want to use something else let us know.

modorganizer/src/nexusoauthconfig.cpp

Line 40 in 72bce4c

return envOrDefault("MO2_NEXUS_CLIENT_ID", QStringLiteral("modorganizer2"));

[Al12rs]

This function is very confusing. From the name I would have no idea it is doing something with the API key.

We should definitely not use OAuth if we are also talking about API key.

I would suggest using nexusAuthCredentials if we have to refer to both OAuth token and API key.

But to be honest, I don't know why we would not have two separate methods. I would have one for API key and one for the token. We can leave the API key where it was before, why migrate it. Unless I'm missing something.

[Silarn]

I don't know. You end up just requiring multiple credential calls or separate storage either way, so you're adding complexity in one direction or the other. But at the end of the day I think I just rolled with the original PR removing the API key altogether initially, and then thought we might need to fetch / generate the key to call the old validate function. So they ended up tied together.

But with the separate users API to validate with, now it functions mostly as a fallback / backwards compatibility measure.

I suppose I can roll back those particular changes and keep both storage methods.

[Pickysaurus]

Your OAuth client data has now been set up on the Nexus Mods side.

• Client ID: modorganizer2
• Callback URI : http://127.0.0.1:28635/callback (Note, we had a previous entry registered with port 5000, but I don't know who requested that or when, so this overwrites it)

As previously mentioned, you'll need to use PKCE, which protects the login session from being hijacked.

[Silarn]

@Pickysaurus As I've stated I believe Qt versions since 6.8 automatically use a PKCE flow, but just to be sure I set it manually here:

modorganizer/src/nxmaccessmanager.cpp

Line 939 in a404cee

m_NexusOAuth->setPkceMethod(QOAuth2AuthorizationCodeFlow::PkceMethod::S256);

I'm already using this OAuth login locally. @Al12rs did give us some of this info on Discord. It wasn't clear to me if the secret key was actually being used anywhere. I don't know if you have any info on that.

[Silarn]

I'm going to separate the credentials tonight and I think the PR will be ready.

I suppose my only personal critique would be that it might be nice to serve a slightly more visually appealing HTML page on success. It's pretty plain at the moment.

[Pickysaurus]

@Pickysaurus As I've stated I believe Qt versions since 6.8 automatically use a PKCE flow, but just to be sure I set it manually here:

modorganizer/src/nxmaccessmanager.cpp

Line 939 in a404cee

m_NexusOAuth->setPkceMethod(QOAuth2AuthorizationCodeFlow::PkceMethod::S256);

I'm already using this OAuth login locally. @Al12rs did give us some of this info on Discord. It wasn't clear to me if the secret key was actually being used anywhere. I don't know if you have any info on that.

The secret is only used for private applications (i.e. a web server that makes requests on behalf of a user). Mod managers are public apps as they make API requests directly.

Essentially for public apps you use PKCE to verify, whereas private apps don't need that and just send their client secret.

[Silarn]

@Pickysaurus I suddenly find I don't seem to be receiving an expiration time for my OAuth tokens. Is this something that changed when you registered MO2?

Nevermind. I changed around how various functions triggered, and it turns out the tokenChanged signal fires before all of the response data is parsed. It's working if I wait until the 'granted' signal fires.