How do to bearer token authentication with token refresh?

[ncot-tech]

I'm trying to make a shortcut that lets me send a URL to Wallabag (a self hosted place to store web pages for reading later, kind of like Pocket). I'm stuck on how to authenticate with the server. It uses quite short lived bearer tokens (if that's the correct name for them, I'm literally learning about this while writing this out...)

They have an API documented here https://app.wallabag.it/api/doc/ but I don't understand how to authenticate.

The instructions lead me through creating a client ID and secret, which I then need to...

Now, create your token (replace client_id, client_secret, username and password with the good values):

http POST https://wallabag.server.foo/oauth/v2/token \
    grant_type=password \
    client_id=12_5um6nz50ceg4088c0840wwc0kgg44g00kk84og044ggkscso0k \
    client_secret=3qd12zpeaxes8cwg8c0404g888co4wo8kc4gcw0occww8cgw4k \
    username=yourUsername \
    password=yourPassw0rd
The API will return a response like this:

HTTP/1.1 200 OK
Cache-Control: no-store, private
Connection: close
Content-Type: application/json
Date: Tue, 06 Oct 2015 18:24:03 GMT
Host: localhost:8000
Pragma: no-cache
X-Debug-Token: be00a1
X-Debug-Token-Link: /profiler/be00a1
X-Powered-By: PHP/5.5.9-1ubuntu4.13
{
    "access_token": "ZWFjNjA3ZWMwYWVmYzRkYTBlMmQ3NTllYmVhOGJiZDE0ZTg1NjE4MjczOTVlNzM0ZTRlMWQ0MmRlMmYwNTk5Mw",
    "expires_in": 3600,
    "refresh_token": "ODBjODU1NWUwNmUzZTBkNDQ5YWVlZTVlMjQ2Y2I0OWM2NTM1ZGM2M2Y3MDhjMTViM2U2MzYxYzRkMDk5ODRlZg",
    "scope": null,
    "token_type": "bearer"
}
The access_token is useful to do a call to the API endpoint. For example:

http GET https://wallabag.server.foo/api/entries.json \
    "Authorization:Bearer ZWFjNjA3ZWMwYWVmYzRkYTBlMmQ3NTllYmVhOGJiZDE0ZTg1NjE4MjczOTVlNzM0ZTRlMWQ0MmRlMmYwNTk5Mw"
This call will return all the entries for your user.

The bit I don't understand is how to get the tokens in the first place, and then how to get a new token when the current one expires (and how to work out it has expired). The actual process of using a token and the API I can probably figure out myself.

[Waboodoo]

I'm not familiar with Wallabag, but here's what I'd try given this documentation:

1. Create a static variable to store the token, let's call it "myToken". You can do this from the Variables screen found in the app's main menu.
2. Create a shortcut for the actual endpoint that you want to use, let's call it "myShortcut". In the shortcut editor, go to the Authentication screen, set the Authentication Method to "Bearer Authentication" and use the {} button to insert your "myToken" into the field. Save all changes.
3. Create another shortcut which will call the token endpoint, let's call it "tokenShortcut". The easiest way to do this is by using the cURL import feature and the following cURL command: curl "https://localhost:8000/oauth/v2/token?grant_type=password&client_id=...&client_secret=...&username=...&password=...". Make sure to fill in the client id, client secret, username and password.
4. Go to the Scripting section in the shortcut editor for the tokenShortcut and add the following code into the "Run on Success" block:

const token = JSON.parse(response.body).access_token;
setVariable("myToken", token);

This will extract the token from the response and store it into our variable from earlier.

Now if you run the tokenShortcut, it should fetch a token and store it. After that, you should be able to run the myShortcut that you created. It will keep working until the token expires (which seems to be after 1 hour). I'm not sure how the token-refresh is supposed to work either, but you can probably just re-run the token request and get a new token.

Not sure what the proper way would be to detect that the token has expired, but it can probably be detected by checking the response status code, which is likely going to be a 403 or 401 in this case. You could try to do the following:
In your shortcut (not the token one), go to the Scripting screen and add the following code into the "Run on Failure" block:

if (response && (response.code == 401 || response.code == 403)) {
    executeShortcut("tokenShortcut");
    enqueueShortcut();
}

This will check the HTTP status code for an auth failure, and if it detects one it immediately runs the "tokenShortcut" and then schedules the current shortcut (i.e. myShortcut) to run again afterwards.

This is largely just some educated guesses from my side, but I hope it will help you figure out the rest. Some tweaks might be required, in particular to the expiration detection.

You can find more details about the Scripting feature of the app here: https://http-shortcuts.rmy.ch/scripting