Making a Beeminder GPTs

I’m looking into this, to do things like talk you through the goals, alternate visualizations, even “gate” goals (as in, you have to paste in a status report to the GPT to be able to increment a goal).
However, I’m having a hard time getting past the (previously discussed) bad decision to only support API auth over a URL parameter.
Can we get the ability to pass it in via the Authorization header? Please?

4 Likes

Well, so the basics of doing this are pretty simple, but because we issue two different types of auth tokens (and look up & verify the owner in different ways based on the type of token), doing the header-based authorization becomes more of a thinker. Currently we do it based on the key name passed with it (e.g. auth_token vs access_token).

Ideas:

  1. try to look up user by both types of token {if (lookup A) else (lookup b)}
  2. only allow one type of token in header auth
  3. invent some new syntax where you have to include “Bearer access:” or “Bearer auth:” or whatever
  4. shunt personal token auth into “basic auth”, where you use username:token concatenated together as if token was a password? and then the bearer token type is only for access tokens?
  5. differentiate token-type based on characteristics of the token (brittle and we probably don’t want to commit to tokens staying the same indefinitely).

3 Likes

This might be silly, but maybe a different base URL?

Adam

1 Like

My favorite solution would be:

  1. Deprecate auth tokens
  2. Give the user the ability to create an arbitrary number of named access tokens (which secretly create single-user oauth apps behind the scenes)
  3. Only support access token in the authorization header.

I accept this is an unreasonable amount of scope creep, though.

3 Likes

What I’m leaning toward is to update v1 auth to accept only access_tokens in the header, with the intention of later deprecating auth_tokens and doing the arbitrary named access token thing. That makes it possible (though slightly more complicated) for @patimen to move on with making the Beeminder GPT, without doing something too egregiously gross/brittle/complex or scope-creepy right now.

4 Likes

Okay, I updated things so that you can send access_tokens (but not your personal auth_token) in the Authorization header.

3 Likes
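The rule the thread settles on (header carries access_tokens only; URL parameters are still told apart by key name), sketched as an added example that is not Beeminder's code. The function and exception names, the sample URLs and tokens, and the choice to reject requests carrying more than one credential are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs


class AuthError(Exception):
    """Credentials are missing, malformed or ambiguous."""


def extract_credential(url, headers):
    """Return (token_type, token, source) for one request (hypothetical helper).

    Header: only 'Authorization: Bearer <token>' is accepted, and the value is
            always treated as an access_token, never as a personal auth_token.
    URL:    the token type comes from the parameter name, as in the thread.
    """
    found = []

    # HTTP header names are case-insensitive.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        value = value.strip()
        if scheme.lower() != "bearer" or not value or " " in value:
            raise AuthError("header must be 'Bearer <access_token>'")
        # No guessing between token types: a personal auth_token sent here
        # would simply fail the access_token lookup downstream.
        found.append(("access_token", value, "header"))

    query = parse_qs(urlsplit(url).query)
    for name in ("auth_token", "access_token"):
        values = query.get(name, [])
        if len(values) > 1:
            raise AuthError(f"repeated {name} parameter")
        if values:
            found.append((name, values[0], "url"))

    if not found:
        raise AuthError("no credential supplied")
    if len(found) > 1:
        # Assumption: refuse ambiguous requests instead of picking a winner.
        raise AuthError("more than one credential supplied")
    return found[0]


if __name__ == "__main__":
    # Constructed sample requests; host and tokens are placeholders.
    print(extract_credential("https://api.example.invalid/v1/goals",
                             {"Authorization": "Bearer sample-access-token"}))
    print(extract_credential("https://api.example.invalid/v1/goals?auth_token=sample-personal",
                             {}))
```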