praw.login() being deprecated #11

Open
andrewalexander opened this issue Jul 7, 2015 · 7 comments

@andrewalexander

When you set up this bot, you get the following deprecation warning:

/Library/Python/2.7/site-packages/praw/decorators.py:87: DeprecationWarning: Password-based authentication will stop working on 2015/08/03 and as a result will be removed in PRAW4.
For more information please see: https://www.reddit.com/comments/2ujhkr/
Pass `disable_warning=True` to `login` to disable this warning.
  warn(msg, DeprecationWarning)

As per the link contained in this warning, the answer seems to be to transition to using OAuth tokens. There does not appear to be any tracking of this development in this repo, and so I was planning on forking and adding in the necessary OAuth piece.

However, that would mean that out of the box, there will be a couple extra steps for the end user to configure their application to use OAuth tokens (they need to register an application and get the client id and secret key as described here). The README.md should be updated accordingly.

@Andygmb
Owner

Andygmb commented Jul 7, 2015

Thanks - I was hoping to leave the oauth stuff for a while until I could get some time to do it with some other improvements, but any PRs with the required oauth changes would be accepted.

Regardless of any PRs though, the Oauth stuff will definitely be finished (and readme updated) before password auth is fully removed from PRAW/reddit.

@andrewalexander
Author

Okay. I have something working, but it will require an additional step in either the setup.py or an entirely new companion script. The problems are:

  1. You have to authenticate through a web browser during initial setup, which can be a pain for something that is supposed to be automated.
  2. The praw.ini must be created/updated with client id, secret access key, and a redirect_uri (which can be anything really since all we want is the code that is generated).
  3. After you authenticate and get a refresh token, you must hard-code the refresh token somewhere (not sure where best to put it quite yet).

My solution at the moment is to have it open the browser and then prompt for the authentication code that you get from the redirect. Then it will print the refresh token to the terminal so you can do whatever you want with it. I would like some suggestions for how best to do this part, as there are lots of variables to consider (access can be revoked to bot, what host the bot is running on, and which level of praw.ini to write to are the ones that are sticking out right now).

@Andygmb
Owner

Andygmb commented Jul 7, 2015

I've yet to look into reddit's specific implementation of oauth, but is there anything stopping the automation of getting the secret keys? If not, it might just be easiest for any future users to do that in setup.py. I'll look into this more tonight when I'm home.

Andygmb self-assigned this Jul 8, 2015

@Andygmb
Owner

Andygmb commented Jul 10, 2015

Will be working on this today or Saturday.

@Andygmb
Owner

Andygmb commented Jul 11, 2015

@andrewalexander - have you made any changes that you could push to your fork of the bot that I could check out? I'm working on the bot at the moment.

@andrewalexander
Author

I do, but I wanted to consult with you about how to proceed. I have two possible solutions in place - one is having a refresh token hard coded into the config.py; the other is to have it hard coded in the praw.ini (located at ~/.config/praw.ini, or overridden by using a praw.ini in the local directory).

The latter is more secure, but it varies based on platform, and is an additional step that the user must take. However, I am looking at writing something similar to this: https://github.com/x89/Shreddit/blob/master/get_secret.py to get the token and write to the praw.ini (one of the things in his todo). The trouble would be testing on all platforms.

The former solution would be easy to implement; it would just mean changing the import statements to `from config import refresh_token, subreddit`. But that would make it easier for people to accidentally commit their tokens.

Thoughts?
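
The praw.ini option discussed in the comment above, sketched as an added example that is not part of the thread or of the bot's code: it writes the refresh token into an owner-only praw.ini outside the repository and refuses to load it if other users can read the file. It is written for Python 3; the section name `bot` and the key name `oauth_refresh_token` are assumptions, and the token value is constructed.

```python
import configparser
import os
import stat
import tempfile

TOKEN_KEY = "oauth_refresh_token"  # assumed key name, not taken from the thread


def _parser():
    # interpolation=None so a '%' inside a token is stored literally
    return configparser.ConfigParser(interpolation=None)


def save_refresh_token(ini_path, section, token):
    """Merge the token into ini_path and leave the file readable by its owner only."""
    cfg = _parser()
    cfg.read(ini_path)  # keep settings that are already there (client id, etc.)
    if not cfg.has_section(section):
        cfg.add_section(section)
    cfg.set(section, TOKEN_KEY, token)
    directory = os.path.dirname(os.path.abspath(ini_path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    # mkstemp creates the file with mode 0600 regardless of umask; replacing the
    # old file atomically means the token is never on disk with wider permissions.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".praw-")
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.replace(tmp, ini_path)
    except BaseException:
        os.unlink(tmp)
        raise


def load_refresh_token(ini_path, section):
    """Return the token, refusing a file that group or other users can access."""
    if os.name == "posix":  # POSIX mode bits carry no meaning on Windows
        mode = stat.S_IMODE(os.stat(ini_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                "%s has mode %o; run chmod 600 on it" % (ini_path, mode))
    cfg = _parser()
    cfg.read(ini_path)
    return cfg.get(section, TOKEN_KEY)


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "praw.ini")  # stand-in for ~/.config/praw.ini
    save_refresh_token(path, "bot", "constructed-refresh-token")
    print(load_refresh_token(path, "bot"))
```

Because the token lives outside the working tree, it cannot be picked up by a commit of config.py.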

@andrewalexander
Author

I just submitted the PR. Let us continue this discussion there.
