This repository was archived by the owner on Jan 16, 2018. It is now read-only.

Make sure Auth Delegation POST requests match the spec #298

@dylanwh


The current code won't work with the new POST requests. I haven't updated the docs yet, but here's the preview:

The callback will receive two requests. The first is from the Bugzilla server and is a POST with the API key and login name. These have the same names as they did before.

Bugzilla will expect you to return a JSON object literal with a single key:
{ "result": "UNIQUE VALUE" }

Afterwards, Bugzilla will redirect the client (the browser) to the callback with query string parameters client_api_login and callback_result. BzDeck will need to check the value of callback_result. This will ensure that the GET request is coming from whoever sent the POST.

Generating a good "UNIQUE VALUE" will require some plumbing... At least a BzDeck-side secret hashed with client_api_login, and at best some server-side token to prevent replay attacks.
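
One way to generate and check the "UNIQUE VALUE" described in this issue, as an added example that is not BzDeck or Bugzilla code: an HMAC over the login plus a single-use, expiring server-side nonce. The names `SECRET`, `pending`, `issueResult` and `verifyCallback`, the 5-minute lifetime and the in-memory store are all assumptions.

```javascript
// Added example (hypothetical names); Node.js, standard library only.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // callback-side secret (assumed per-process)
const TTL_MS = 5 * 60 * 1000;          // assumed lifetime of an unredeemed result
const pending = new Map();             // nonce -> { apiKey, expiry }: server-side token store

// HMAC binds the nonce to the login so a result cannot be reused for another account.
function sign(login, nonce) {
  return crypto.createHmac('sha256', SECRET).update(`${nonce}\n${login}`).digest('hex');
}

// Request 1: the server-to-server POST carrying the API key and login name.
// The returned object is serialized as the JSON response body.
function issueResult(login, apiKey, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, { apiKey, expiry: now + TTL_MS });
  return { result: `${nonce}.${sign(login, nonce)}` };
}

// Request 2: the browser GET with client_api_login and callback_result.
// Returns the stored API key on success, null on any failure.
function verifyCallback(clientApiLogin, callbackResult, now = Date.now()) {
  const [nonce, mac] = String(callbackResult).split('.');
  if (!nonce || !mac) return null;
  const entry = pending.get(nonce);
  pending.delete(nonce);               // single use: a replayed value finds nothing
  if (!entry || now > entry.expiry) return null;
  const expected = Buffer.from(sign(clientApiLogin, nonce), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? entry.apiKey : null;
}
```

With more than one callback process, the secret and the `pending` store would have to be shared between them.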
