Trammell Hudson

Results 166 comments of Trammell Hudson

now I'm at a loss as to how the tests are working... by moving the `import` statements for the mozilla oidc modules above `class User` in `models/user.py`, it created a...

when the token times out, the notification API endpoint gets redirected to the OIDC refresh endpoint, except that the XHR doesn't honor the redirect. ``` web_1 | id token is...

Looks like this might be the way to handle it: https://mozilla-django-oidc.readthedocs.io/en/stable/xhr.html Unfortunately the code in `bookwyrm/static/js/bookwyrm.js` that fetches `/api/updates/notifications` gets the 302 and then errors since there is a CORS...

I thought the client secret was for bookwyrm to authenticate to the SSO system and is never revealed to the users, so I'm not sure where the threat of leaking...

allauth looks like it is much more general purpose and maybe more useful for some sites that want more flexibility in allowing external logins. One downside is that it requires...

Looks like the `fetch()` should get a 403, rather than a 302. The OIDC middleware is expecting the `"X-Requested-With": "XMLHttpRequest"` headers, which aren't sent anymore? https://github.com/mozilla/mozilla-django-oidc/blob/10a279a1421948b2a8dd95f7ac4910c9a081f4ea/mozilla_django_oidc/middleware.py#L161