diff --git a/CHANGELOG.md b/CHANGELOG.md
index d46e7a83..5e42d398 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@ This version went through a major refactor, which resulted in a different arcite
- The web server is now decoupled from Playlet specific logic
- When not logged in, authenticated feed (like user Subscriptions and Playlists) show a "Login to view X" message, with a QR Code that redirects to the login screen
- [Breaking change] web apis changed a bit (for example the `/api/command` endpoint is removed) refer to the [Open API spec](docs/playlet-web-api.yml)
+- If the Invidious auth token is missing permissions (A token aquired using a previous version of Playlet) you will be auto logged out.
### Removed
diff --git a/playlet-app/src/components/BootstrapScene/BootstrapScene.bs b/playlet-app/src/components/BootstrapScene/BootstrapScene.bs
index 3639f499..7285c172 100644
--- a/playlet-app/src/components/BootstrapScene/BootstrapScene.bs
+++ b/playlet-app/src/components/BootstrapScene/BootstrapScene.bs
@@ -15,16 +15,16 @@ function Init() as void
end function
function GetPlayletLibUrls() as object
- savedUrls = GetPlayletLibUrlsFromRegistry()
- if savedUrls <> invalid
- m.shouldClearRegistryOnLoadFail = true
- return savedUrls
- end if
-
#if DEBUG
debug = { type: "debug", link: ReadManifestValue("playlet_lib_debug_url") }
return [debug]
#else
+ savedUrls = GetPlayletLibUrlsFromRegistry()
+ if savedUrls <> invalid
+ m.shouldClearRegistryOnLoadFail = true
+ return savedUrls
+ end if
+
github = { type: "github", link: ReadManifestValue("playlet_lib_remote_url") }
embedded = { type: "embedded", link: ReadManifestValue("playlet_lib_embedded_url") }
return [github, embedded]
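Review bot: In release builds the list returned by `GetPlayletLibUrlsFromRegistry()` is used in place of the manifest's github/embedded entries, so whatever is stored in the registry decides where the library is loaded from. Nothing in this hunk shows the saved links being checked, so any validation would have to live in that helper, which is outside the hunk. A comment at the moved block would make the trust assumption and the reason for the move explicit, for example `' Release only: registry URLs override the manifest URLs; debug builds always use playlet_lib_debug_url`. The end of `GetPlayletLibUrls` lies outside the hunk.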
diff --git a/playlet-lib/src/components/Services/Invidious/Invidious.bs b/playlet-lib/src/components/Services/Invidious/Invidious.bs
index 31385bfe..8ceddb99 100644
--- a/playlet-lib/src/components/Services/Invidious/Invidious.bs
+++ b/playlet-lib/src/components/Services/Invidious/Invidious.bs
@@ -14,10 +14,6 @@ function GetAuthorizeTokenLink(unused as dynamic) as dynamic
return m.service.GetAuthorizeTokenLink()
end function
-function Logout(unused as dynamic)
- m.service.Logout()
-end function
-
function SetAuthToken(token as string, instance as string, username as dynamic)
m.service.SetAuthToken(token, instance, username)
end function
diff --git a/playlet-lib/src/components/Services/Invidious/Invidious.xml b/playlet-lib/src/components/Services/Invidious/Invidious.xml
index 77f0a1c8..a8058855 100644
--- a/playlet-lib/src/components/Services/Invidious/Invidious.xml
+++ b/playlet-lib/src/components/Services/Invidious/Invidious.xml
@@ -9,7 +9,6 @@
-
diff --git a/playlet-lib/src/components/Services/Invidious/InvidiousService.bs b/playlet-lib/src/components/Services/Invidious/InvidiousService.bs
index 9fa5876f..2958276e 100644
--- a/playlet-lib/src/components/Services/Invidious/InvidiousService.bs
+++ b/playlet-lib/src/components/Services/Invidious/InvidiousService.bs
@@ -289,13 +289,21 @@ namespace Invidious
if tokenPayload = invalid
return invalid
end if
- authData = ParseJson(tokenPayload)
- ' TODO:P0 delete token if we're missing scope
- if authData = invalid or authData.instance = invalid or authData.token = invalid
+ authToken = ParseJson(tokenPayload)
+ if authToken = invalid or authToken.instance = invalid or authToken.token = invalid
RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)
return invalid
end if
- return authData
+ if not m.VerifyTokenScope(authToken.token)
+ ' TODO:P1 automatically logging out the user is not a good experience
+ ' We can at least show a message to the user on why they are logged out
+ ' TODO:P2 right now we're probably in a UI thread, and we can't unregister the token
+ ' So we're just going to ignore it for now
+ ' m.UnregisterToken(authToken)
+ RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)
+ return invalid
+ end if
+ return authToken
end function
function SetAuthToken(token as string, instance as string, username as dynamic)
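Review bot: `authToken.token` is passed to `VerifyTokenScope(token as string)` after being compared only with `invalid`, so a registry payload whose `token` field parses to a number, boolean or object would reach a typed parameter; in BrightScript that is likely a runtime type mismatch rather than a clean logout. Checking the type first keeps malformed payloads on the existing delete-and-return branch, for example `if authToken = invalid or authToken.instance = invalid or GetInterface(authToken.token, "ifString") = invalid`. Separately, with `m.UnregisterToken(authToken)` commented out the rejected token is only forgotten locally and presumably stays valid on the instance until the TODO is resolved. The enclosing function starts outside the hunk.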
@@ -311,6 +319,19 @@ namespace Invidious
m.node.authToken = obj
end function
+ function VerifyTokenScope(token as string) as boolean
+ tokenObject = ParseJson(token)
+ if tokenObject = invalid
+ return false
+ end if
+ if not IsArray(tokenObject.scopes)
+ return false
+ end if
+
+ scopes = tokenObject.scopes.join(",")
+ return scopes = Invidious.AUTH_SCOPES
+ end function
+
function DeleteAuthToken()
m.node.authToken = invalid
RegistryUtils.Delete(RegistryUtils.INVIDIOUS_TOKEN)
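Review bot: `VerifyTokenScope` compares `tokenObject.scopes.join(",")` with `Invidious.AUTH_SCOPES` as one string, so the result depends on the order of the scopes as well as on which scopes are present. A token carrying the same scopes in a different order, or a superset of them, is rejected and the user is logged out; that fails closed, but it is easy to trip by accident when `AUTH_SCOPES` is edited. If the exact match is intended, say so at the comparison, for example `' Exact, order-sensitive match: any change to AUTH_SCOPES invalidates every stored token`; otherwise check each required scope for membership instead of comparing the joined string.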
diff --git a/playlet-lib/src/source/services/HttpClient.bs b/playlet-lib/src/source/services/HttpClient.bs
index e4eabca9..3498a064 100644
--- a/playlet-lib/src/source/services/HttpClient.bs
+++ b/playlet-lib/src/source/services/HttpClient.bs
@@ -205,6 +205,11 @@ namespace HttpClient
end if
m.urlTransfer = m.CreateRoUrlTransfer()
+ if m.urlTransfer = invalid
+ m.log.error("Failed to create roUrlTransfer. We're probably not in a background thread.")
+ return m
+ end if
+
m.urlTransfer.setUrl(m.BuildUrl())
if m._headers <> invalid
m.urlTransfer.SetHeaders(m._headers)
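Review bot: The new guard returns `m` with `m.urlTransfer` still `invalid`, and the only trace of the failure is the log line, so the caller receives what looks like a sent request. Any later method on this object that dereferences `m.urlTransfer` (none are visible in this hunk) needs its own check, otherwise the failure resurfaces as an invalid-object error further away from the cause. At minimum, document the contract at the guard, for example `' urlTransfer stays invalid on this path; every later use must check it before dereferencing`. The enclosing function starts and ends outside the hunk.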
@@ -321,6 +326,9 @@ namespace HttpClient
private function CreateRoUrlTransfer() as object
urlTransfer = CreateObject("roUrlTransfer")
+ if urlTransfer = invalid
+ return invalid
+ end if
urlTransfer.EnableEncodings(true)
urlTransfer.RetainBodyOnError(true)
if LCase(left(m._url, 6)).StartsWith("https:")