Add OAuth2 or somehow simplify login/getting and differentiating API keys

[rugk]

See Traewelldroid/traewelldroid#334 for backstory.

Ideas

• Best would be to have a real OAuth2 workflow or something similar.
• Another idea would be to have a page for the generation of a specific token, apps can link to. Also, apps should specify, which token they want and not let the user search for the correct one. (Like https://travelynx.de/account/api/travel for the travel API.)

Also:

• Tokens seem to have a fixed (or maybe not so fixed) prefix? Could this be documented? Note here I speculated about the reason.
• Also, if we are using fixed prefixes, could not we also use an additional prefix or so for differentiating between the different prefixes/use cases?
• Also, like GitHub tokens, if you really want to allow secret scanning with them, you may also make them more humanreadable, like TRAVLYX-travel-tokenhere.

[deingithub]

As an API consumer, I much prefer not dealing with the conceptual and implementation overhead of OAuth. But I agree that the UI for creating and revoking tokens could definitely use some polishing and perhaps less technical explanations. For my project interfacing with traxelynx I've written some user guidance with a screenshot that looks like this, maybe something in that direction would be helpful for träwelldroid too in the meantime?

[rugk]

Yeah, Traewelldroid has OAuth already implemented (for Traewelling), but yeah of course UI improvements would be the first step IMHO.

[derf]

I'm not 100% happy with the current API myself, so I might look into improving it at some point. That may or may not include OAuth2 support in addition to the current token system. We'll see :)