Don't ask bloggers for any scopes uniphil/commit--blog

... a change which should have meant simply removing the scope=user,public_repo query from the authorize URL's parameters. Unfortunately, it's not quite that simple.

1. GitHub rejects all authenticated requests for users which have not granted any scopes.

Yes, even for public endpoints. It's weird. They give you an oauth bearer_token for the user after authenticating and everything, but even though the endpoins are public, 401 sorry.

Instead, you have to make requests with your GitHub app's client_id and client_secret in the URL parameters.

2. Making rauth handle app-authenticated requests is awkward.

I'd like to still use it because it takes care of the base url and stuff. But getting those tokens injected into the URL, not getting the (useless) bearer token injected is tricky.

So as a compromise this commit awkwardly makes some subclasses for both the requests Session class and the rauth OAuth2Session class to make everythin play nicely. Within the app there are two session concepts for github now: a user-specific authenticated one (worthless except for logging in and out) and a more general app session for everything else. Both are attached to the gh blueprint.

Whatever man. It works.


Because I'm a bad git user I also snuck in a bit more refactoring and a mixin to set an app-specific user-agent into this commit.