From 4e84bc251a4b6ae298050dc0483d9cb58d0bfe48 Mon Sep 17 00:00:00 2001
From: "Daniel J. Summers" <daniel@bitbadger.solutions>
Date: Wed, 1 Sep 2021 22:23:18 -0400
Subject: [PATCH] WIP on multi-instance login (#22)

Something isn't lining up between the client and server (need to debug the URLs they're both using)
---
 src/JobsJobsJobs/Api/App.fs                   |   6 +-
 src/JobsJobsJobs/Api/Auth.fs                  |  48 +++----
 src/JobsJobsJobs/Api/Handlers.fs              | 128 ++++++++++++------
 src/JobsJobsJobs/Api/appsettings.json         |  22 ++-
 src/JobsJobsJobs/App/src/api/index.ts         |  29 +++-
 src/JobsJobsJobs/App/src/api/types.ts         |  12 ++
 src/JobsJobsJobs/App/src/router/index.ts      |   2 +-
 src/JobsJobsJobs/App/src/store/index.ts       |   4 +-
 .../App/src/views/citizen/Authorized.vue      |  46 ++++---
 .../App/src/views/citizen/LogOn.vue           |  64 +++++++--
 src/JobsJobsJobs/Domain/Domain.fsproj         |   1 +
 src/JobsJobsJobs/Domain/SharedTypes.fs        |  40 ++++++
 12 files changed, 291 insertions(+), 111 deletions(-)

diff --git a/src/JobsJobsJobs/Api/App.fs b/src/JobsJobsJobs/Api/App.fs
index ccf4b63..af8bd6e 100644
--- a/src/JobsJobsJobs/Api/App.fs
+++ b/src/JobsJobsJobs/Api/App.fs
@@ -30,6 +30,7 @@ open Microsoft.Extensions.Configuration
 open Microsoft.Extensions.Logging
 open Microsoft.IdentityModel.Tokens
 open System.Text
+open JobsJobsJobs.Domain.SharedTypes
 
 /// Configure dependency injection
 let configureServices (svc : IServiceCollection) =
@@ -57,10 +58,11 @@ let configureServices (svc : IServiceCollection) =
           ValidAudience    = "https://noagendacareers.com",
           ValidIssuer      = "https://noagendacareers.com",
           IssuerSigningKey = SymmetricSecurityKey (
-            Encoding.UTF8.GetBytes (cfg.GetSection("Auth").["ServerSecret"]))))
+            Encoding.UTF8.GetBytes (cfg.GetSection "Auth").["ServerSecret"])))
     |> ignore
   svc.AddAuthorization () |> ignore
-
+  svc.Configure<AuthOptions> (cfg.GetSection "Auth") |> ignore
+  
   let dbCfg = cfg.GetSection "Rethink"
   let log   = svcs.GetRequiredService<ILoggerFactory>().CreateLogger (nameof Data.Startup)
   let conn  = Data.Startup.createConnection dbCfg log
diff --git a/src/JobsJobsJobs/Api/Auth.fs b/src/JobsJobsJobs/Api/Auth.fs
index 376d3bc..d1a0a74 100644
--- a/src/JobsJobsJobs/Api/Auth.fs
+++ b/src/JobsJobsJobs/Api/Auth.fs
@@ -3,16 +3,16 @@ module JobsJobsJobs.Api.Auth
 
 open System.Text.Json.Serialization
 
-/// The variables we need from the account information we get from No Agenda Social
+/// The variables we need from the account information we get from Mastodon
 [<NoComparison; NoEquality; AllowNullLiteral>]
 type MastodonAccount () =
   /// The user name (what we store as naUser)
   [<JsonPropertyName "username">]
   member val Username = "" with get, set
-  /// The account name; will be the same as username for local (non-federated) accounts
+  /// The account name; will generally be the same as username for local accounts, which is all we can verify
   [<JsonPropertyName "acct">]
   member val AccountName = "" with get, set
-  /// The user's display name as it currently shows on No Agenda Social
+  /// The user's display name as it currently shows on Mastodon
   [<JsonPropertyName "display_name">]
   member val DisplayName = "" with get, set
   /// The user's profile URL
@@ -21,25 +21,29 @@ type MastodonAccount () =
 
 
 open FSharp.Control.Tasks
-open Microsoft.Extensions.Configuration
 open Microsoft.Extensions.Logging
 open System
 open System.Net.Http
 open System.Net.Http.Headers
 open System.Net.Http.Json
 open System.Text.Json
+open JobsJobsJobs.Domain.SharedTypes
+
+/// HTTP client to use to communication with Mastodon
+let private http = new HttpClient()
 
 /// Verify the authorization code with Mastodon and get the user's profile
-let verifyWithMastodon (authCode : string) (cfg : IConfigurationSection) (log : ILogger) = task {
+let verifyWithMastodon (authCode : string) (inst : MastodonInstance) rtnHost (log : ILogger) = task {
 
-  use http = new HttpClient()
+  // Function to create a URL for the given instance
+  let apiUrl = sprintf "%s/api/v1/%s" inst.Url
 
-  // Use authorization code to get an access token from NAS
+  // Use authorization code to get an access token from Mastodon
   use! codeResult =
-    http.PostAsJsonAsync("https://noagendasocial.com/oauth/token",
-      {|  client_id     = cfg.["ClientId"]
-          client_secret = cfg.["Secret"]
-          redirect_uri  = sprintf "%s/citizen/authorized" cfg.["ReturnHost"]
+    http.PostAsJsonAsync($"{inst.Url}/oauth/token",
+      {|  client_id     = inst.ClientId
+          client_secret = inst.Secret
+          redirect_uri  = $"{rtnHost}/citizen/{inst.Abbr}/authorized"
           grant_type    = "authorization_code"
           code          = authCode
           scope         = "read"
@@ -49,11 +53,10 @@ let verifyWithMastodon (authCode : string) (cfg : IConfigurationSection) (log :
       let! responseBytes = codeResult.Content.ReadAsByteArrayAsync ()
       use  tokenResponse = JsonSerializer.Deserialize<JsonDocument> (ReadOnlySpan<byte> responseBytes)
       match tokenResponse with
-      | null ->
-          return Error "Could not parse authorization code result"
+      | null -> return Error "Could not parse authorization code result"
       | _ ->
           // Use access token to get profile from NAS
-          use req = new HttpRequestMessage (HttpMethod.Get, sprintf "%saccounts/verify_credentials" cfg.["ApiUrl"])
+          use req = new HttpRequestMessage (HttpMethod.Get, apiUrl "accounts/verify_credentials")
           req.Headers.Authorization <- AuthenticationHeaderValue
             ("Bearer", tokenResponse.RootElement.GetProperty("access_token").GetString ())
           use! profileResult = http.SendAsync req
@@ -62,19 +65,13 @@ let verifyWithMastodon (authCode : string) (cfg : IConfigurationSection) (log :
           | true ->
               let! profileBytes = profileResult.Content.ReadAsByteArrayAsync ()
               match JsonSerializer.Deserialize<MastodonAccount>(ReadOnlySpan<byte> profileBytes) with
-              | null ->
-                  return Error "Could not parse profile result"
-              | x when x.Username <> x.AccountName ->
-                  return Error $"Profiles must be from noagendasocial.com; yours is {x.AccountName}"
-              | profile ->
-                  return Ok profile
-          | false ->
-              return Error $"Could not get profile ({profileResult.StatusCode:D}: {profileResult.ReasonPhrase})"
+              | null -> return Error "Could not parse profile result"
+              | profile -> return Ok profile
+          | false -> return Error $"Could not get profile ({profileResult.StatusCode:D}: {profileResult.ReasonPhrase})"
   | false ->
       let! err = codeResult.Content.ReadAsStringAsync ()
       log.LogError $"Could not get token result from Mastodon:\n  {err}"
       return Error $"Could not get token ({codeResult.StatusCode:D}: {codeResult.ReasonPhrase})"
-
   }
 
 
@@ -86,7 +83,7 @@ open System.Security.Claims
 open System.Text
 
 /// Create a JSON Web Token for this citizen to use for further requests to this API
-let createJwt (citizen : Citizen) (cfg : IConfigurationSection) =
+let createJwt (citizen : Citizen) (cfg : AuthOptions) =
 
   let tokenHandler = JwtSecurityTokenHandler ()
   let token =
@@ -100,8 +97,7 @@ let createJwt (citizen : Citizen) (cfg : IConfigurationSection) =
         Issuer   = "https://noagendacareers.com",
         Audience = "https://noagendacareers.com",
         SigningCredentials = SigningCredentials (
-          SymmetricSecurityKey (Encoding.UTF8.GetBytes cfg.["ServerSecret"]),
-          SecurityAlgorithms.HmacSha256Signature)
+          SymmetricSecurityKey (Encoding.UTF8.GetBytes cfg.ServerSecret), SecurityAlgorithms.HmacSha256Signature)
         )
       )
   tokenHandler.WriteToken token
diff --git a/src/JobsJobsJobs/Api/Handlers.fs b/src/JobsJobsJobs/Api/Handlers.fs
index bc24dd4..c2f7de3 100644
--- a/src/JobsJobsJobs/Api/Handlers.fs
+++ b/src/JobsJobsJobs/Api/Handlers.fs
@@ -23,23 +23,23 @@ module Error =
 
   /// URL prefixes for the Vue app
   let vueUrls = [
-    "/"; "/how-it-works"; "/privacy-policy"; "/terms-of-service"; "/citizen"; "/help-wanted"; "/listing"; "/profile"
+    "/how-it-works"; "/privacy-policy"; "/terms-of-service"; "/citizen"; "/help-wanted"; "/listing"; "/profile"
     "/so-long"; "/success-story"
     ]
 
   /// Handler that will return a status code 404 and the text "Not Found"
   let notFound : HttpHandler =
     fun next ctx -> task {
-      let fac = ctx.GetService<ILoggerFactory>()
-      let log = fac.CreateLogger("Handler")
+      let fac  = ctx.GetService<ILoggerFactory> ()
+      let log  = fac.CreateLogger "Handler"
+      let path = string ctx.Request.Path
       match [ "GET"; "HEAD" ] |> List.contains ctx.Request.Method with
-      | true when vueUrls |> List.exists (fun url -> ctx.Request.Path.ToString().StartsWith url) ->
+      | true when path = "/" || vueUrls |> List.exists path.StartsWith ->
           log.LogInformation "Returning Vue app"
           return! Vue.app next ctx
       | _ ->
           log.LogInformation "Returning 404"
-          return! RequestErrors.NOT_FOUND $"The URL {string ctx.Request.Path} was not recognized as a valid URL" next
-                    ctx
+          return! RequestErrors.NOT_FOUND $"The URL {path} was not recognized as a valid URL" next ctx
       }
   
   /// Handler that returns a 403 NOT AUTHORIZED response
@@ -58,6 +58,7 @@ module Helpers =
 
   open NodaTime
   open Microsoft.Extensions.Configuration
+  open Microsoft.Extensions.Options
   open RethinkDb.Driver.Net
   open System.Security.Claims
 
@@ -67,6 +68,9 @@ module Helpers =
   /// Get the application configuration from the request context
   let config (ctx : HttpContext) = ctx.GetService<IConfiguration> ()
 
+  /// Get the authorization configuration from the request context
+  let authConfig (ctx : HttpContext) = (ctx.GetService<IOptions<AuthOptions>> ()).Value
+
   /// Get the logger factory from the request context
   let logger (ctx : HttpContext) = ctx.GetService<ILoggerFactory> ()
 
@@ -104,46 +108,49 @@ module Helpers =
 module Citizen =
 
   // GET: /api/citizen/log-on/[code]
-  let logOn authCode : HttpHandler =
+  let logOn (abbr, authCode) : HttpHandler =
     fun next ctx -> task {
       // Step 1 - Verify with Mastodon
-      let cfg = (config ctx).GetSection "Auth"
-      let log = (logger ctx).CreateLogger (nameof JobsJobsJobs.Api.Auth)
+      let cfg = authConfig ctx
       
-      match! Auth.verifyWithMastodon authCode cfg log with
-      | Ok account ->
-          // Step 2 - Find / establish Jobs, Jobs, Jobs account
-          let  now     = (clock ctx).GetCurrentInstant ()
-          let  dbConn  = conn ctx
-          let! citizen = task {
-            match! Data.Citizen.findByNaUser account.Username dbConn with
-            | None ->
-                let it : Citizen =
-                  { id          = CitizenId.create ()
-                    naUser      = account.Username
-                    displayName = noneIfEmpty account.DisplayName
-                    realName    = None
-                    profileUrl  = account.Url
-                    joinedOn    = now
-                    lastSeenOn  = now
-                    }
-                do! Data.Citizen.add it dbConn
-                return it
-            | Some citizen ->
-                let it = { citizen with displayName = noneIfEmpty account.DisplayName; lastSeenOn = now }
-                do! Data.Citizen.logOnUpdate it dbConn
-                return it
-          }
+      match cfg.Instances |> Array.tryFind (fun it -> it.Abbr = abbr) with
+      | Some instance ->
+          let log = (logger ctx).CreateLogger (nameof JobsJobsJobs.Api.Auth)
           
-          // Step 3 - Generate JWT
-          return!
-            json
-              { jwt       = Auth.createJwt citizen cfg
-                citizenId = CitizenId.toString citizen.id
-                name      = Citizen.name citizen
-                } next ctx
-      | Error err ->
-          return! RequestErrors.BAD_REQUEST err next ctx
+          match! Auth.verifyWithMastodon authCode instance cfg.ReturnUrl log with
+          | Ok account ->
+              // Step 2 - Find / establish Jobs, Jobs, Jobs account
+              let  now     = (clock ctx).GetCurrentInstant ()
+              let  dbConn  = conn ctx
+              let! citizen = task {
+                match! Data.Citizen.findByNaUser account.Username dbConn with
+                | None ->
+                    let it : Citizen =
+                      { id          = CitizenId.create ()
+                        naUser      = account.Username
+                        displayName = noneIfEmpty account.DisplayName
+                        realName    = None
+                        profileUrl  = account.Url
+                        joinedOn    = now
+                        lastSeenOn  = now
+                        }
+                    do! Data.Citizen.add it dbConn
+                    return it
+                | Some citizen ->
+                    let it = { citizen with displayName = noneIfEmpty account.DisplayName; lastSeenOn = now }
+                    do! Data.Citizen.logOnUpdate it dbConn
+                    return it
+              }
+              
+              // Step 3 - Generate JWT
+              return!
+                json
+                  { jwt       = Auth.createJwt citizen cfg
+                    citizenId = CitizenId.toString citizen.id
+                    name      = Citizen.name citizen
+                    } next ctx
+          | Error err -> return! RequestErrors.BAD_REQUEST err next ctx
+      | None -> return! Error.notFound next ctx
       }
   
   // GET: /api/citizen/[id]
@@ -176,6 +183,33 @@ module Continent =
       }
 
 
+/// Handlers for /api/instances routes
+[<RequireQualifiedAccess>]
+module Instances =
+
+  /// Convert a Masotodon instance to the one we use in the API
+  let private toInstance (inst : MastodonInstance) =
+    { name     = inst.Name
+      url      = inst.Url
+      abbr     = inst.Abbr
+      clientId = inst.ClientId
+      }
+
+  // GET: /api/instances
+  let all : HttpHandler =
+    fun next ctx -> task {
+      return! json ((authConfig ctx).Instances |> Array.map toInstance) next ctx
+      }
+  
+  // GET: /api/instance/[abbr]
+  let byAbbr abbr : HttpHandler =
+    fun next ctx -> task {
+      match (authConfig ctx).Instances |> Array.tryFind (fun it -> it.Abbr = abbr) with
+      | Some inst -> return! json (toInstance inst) next ctx
+      | None -> return! Error.notFound next ctx
+      }
+
+
 /// Handlers for /api/listing[s] routes
 [<RequireQualifiedAccess>]
 module Listing =
@@ -489,12 +523,18 @@ let allEndpoints = [
   subRoute "/api" [
     subRoute "/citizen" [
       GET_HEAD [
-        routef "/log-on/%s" Citizen.logOn
-        routef "/%O"        Citizen.get
+        routef "/log-on/%s/%s" Citizen.logOn
+        routef "/%O"           Citizen.get
         ]
       DELETE [ route "" Citizen.delete ]
       ]
     GET_HEAD [ route "/continents" Continent.all ]
+    subRoute "/instance" [
+      GET_HEAD [
+        route  "s"   Instances.all
+        routef "/%s" Instances.byAbbr
+        ]
+      ]
     subRoute "/listing" [
       GET_HEAD [
         routef "/%O"      Listing.get
diff --git a/src/JobsJobsJobs/Api/appsettings.json b/src/JobsJobsJobs/Api/appsettings.json
index cbdb783..cb388fe 100644
--- a/src/JobsJobsJobs/Api/appsettings.json
+++ b/src/JobsJobsJobs/Api/appsettings.json
@@ -1,6 +1,24 @@
 {
   "Rethink": {
-    "Hostname": "localhost",
-    "Db": "jobsjobsjobs"
+  },
+  "Auth": {
+    "ReturnHost": "http://localhost:5000",
+    "Instances": {
+      "0": {
+        "Name": "No Agenda Social",
+        "Url": "https://noagendasocial.com",
+        "Abbr": "nas"
+      },
+      "1": {
+        "Name": "ITM Slaves!",
+        "Url": "https://itmslaves.com",
+        "Abbr": "itm"
+      },
+      "2": {
+        "Name": "Liberty Woof",
+        "Url": "https://libertywoof.com",
+        "Abbr": "lw"
+      }
+    }
   }
 }
\ No newline at end of file
diff --git a/src/JobsJobsJobs/App/src/api/index.ts b/src/JobsJobsJobs/App/src/api/index.ts
index 5b2c297..a0374da 100644
--- a/src/JobsJobsJobs/App/src/api/index.ts
+++ b/src/JobsJobsJobs/App/src/api/index.ts
@@ -2,6 +2,7 @@ import {
   Citizen,
   Continent,
   Count,
+  Instance,
   Listing,
   ListingExpireForm,
   ListingForm,
@@ -100,11 +101,12 @@ export default {
     /**
      * Log a citizen on
      *
-     * @param code The authorization code from No Agenda Social
+     * @param abbr The abbreviation of the Mastodon instance that issued the code
+     * @param code The authorization code from Mastodon
      * @returns The user result, or an error
      */
-    logOn: async (code : string) : Promise<LogOnSuccess | string> => {
-      const resp = await fetch(apiUrl(`citizen/log-on/${code}`), { method: "GET", mode: "cors" })
+    logOn: async (abbr : string, code : string) : Promise<LogOnSuccess | string> => {
+      const resp = await fetch(apiUrl(`citizen/log-on/${abbr}/${code}`), { method: "GET", mode: "cors" })
       if (resp.status === 200) return await resp.json() as LogOnSuccess
       return `Error logging on - ${await resp.text()}`
     },
@@ -141,6 +143,27 @@ export default {
       apiResult<Continent[]>(await fetch(apiUrl("continents"), { method: "GET" }), "retrieving continents")
   },
 
+  /** API functions for instances */
+  instances: {
+
+    /**
+     * Get all Mastodon instances we support
+     *
+     * @returns All instances, or an error
+     */
+    all: async () : Promise<Instance[] | string | undefined> =>
+      apiResult<Instance[]>(await fetch(apiUrl("instances"), { method: "GET" }), "retrieving Mastodon instances"),
+
+    /**
+     * Retrieve a Mastodon instance by its abbreviation
+     *
+     * @param abbr The abbreviation of the Mastodon instance to retrieve
+     * @returns The Mastodon instance (if found), undefined (if not found), or an error string
+     */
+    byAbbr: async (abbr : string) : Promise<Instance | string | undefined> =>
+      apiResult<Instance>(await fetch(apiUrl(`instance/${abbr}`), { method: "GET" }), "retrieving Mastodon instance")
+  },
+
   /** API functions for job listings */
   listings: {
 
diff --git a/src/JobsJobsJobs/App/src/api/types.ts b/src/JobsJobsJobs/App/src/api/types.ts
index b9cbd87..ea2ca27 100644
--- a/src/JobsJobsJobs/App/src/api/types.ts
+++ b/src/JobsJobsJobs/App/src/api/types.ts
@@ -31,6 +31,18 @@ export interface Count {
   count : number
 }
 
+/** The Mastodon instance data provided via the Jobs, Jobs, Jobs API */
+export interface Instance {
+  /** The name of the instance */
+  name : string
+  /** The URL for this instance */
+  url : string
+  /** The abbreviation used in the URL to distinguish this instance's return codes */
+  abbr : string
+  /** The client ID (assigned by the Mastodon server) */
+  clientId : string
+}
+
 /** A job listing */
 export interface Listing {
   /** The ID of the job listing */
diff --git a/src/JobsJobsJobs/App/src/router/index.ts b/src/JobsJobsJobs/App/src/router/index.ts
index 77f39c2..31c6418 100644
--- a/src/JobsJobsJobs/App/src/router/index.ts
+++ b/src/JobsJobsJobs/App/src/router/index.ts
@@ -53,7 +53,7 @@ const routes: Array<RouteRecordRaw> = [
     component: LogOn
   },
   {
-    path: "/citizen/authorized",
+    path: "/citizen/:abbr/authorized",
     name: "CitizenAuthorized",
     component: () => import(/* webpackChunkName: "dashboard" */ "../views/citizen/Authorized.vue")
   },
diff --git a/src/JobsJobsJobs/App/src/store/index.ts b/src/JobsJobsJobs/App/src/store/index.ts
index 7e1cda6..379110a 100644
--- a/src/JobsJobsJobs/App/src/store/index.ts
+++ b/src/JobsJobsJobs/App/src/store/index.ts
@@ -43,8 +43,8 @@ export default createStore({
     }
   },
   actions: {
-    async logOn ({ commit }, code: string) {
-      const logOnResult = await api.citizen.logOn(code)
+    async logOn ({ commit }, { abbr, code }) {
+      const logOnResult = await api.citizen.logOn(abbr, code)
       if (typeof logOnResult === "string") {
         commit("setLogOnState", logOnResult)
       } else {
diff --git a/src/JobsJobsJobs/App/src/views/citizen/Authorized.vue b/src/JobsJobsJobs/App/src/views/citizen/Authorized.vue
index e355163..9bd05f0 100644
--- a/src/JobsJobsJobs/App/src/views/citizen/Authorized.vue
+++ b/src/JobsJobsJobs/App/src/views/citizen/Authorized.vue
@@ -7,30 +7,44 @@ article
 
 <script setup lang="ts">
 import { computed, onMounted } from "vue"
-import { useRouter } from "vue-router"
+import { useRoute, useRouter } from "vue-router"
+import api from "@/api"
 import { useStore } from "@/store"
 import { AFTER_LOG_ON_URL } from "@/router"
 
-const router = useRouter()
 const store = useStore()
+const route = useRoute()
+const router = useRouter()
+
+/** The abbreviation of the instance from which we received the code */
+const abbr = route.params.abbr as string
+
+/** Set the message for this component */
+const setMessage = (msg : string) => store.commit("setLogOnState", msg)
 
 /** Pass the code to the API and exchange it for a user and a JWT */
 const logOn = async () => {
-  const code = router.currentRoute.value.query.code
-  if (code) {
-    await store.dispatch("logOn", code)
-    if (store.state.user !== undefined) {
-      const afterLogOnUrl = window.localStorage.getItem(AFTER_LOG_ON_URL)
-      if (afterLogOnUrl) {
-        window.localStorage.removeItem(AFTER_LOG_ON_URL)
-        router.push(afterLogOnUrl)
-      } else {
-        router.push("/citizen/dashboard")
-      }
-    }
+  const instance = await api.instances.byAbbr(abbr)
+  if (typeof instance === "string") {
+    setMessage(instance)
+  } else if (typeof instance === "undefined") {
+    setMessage(`Mastodon instance ${abbr} not found`)
   } else {
-    store.commit("setLogOnState",
-      "Did not receive a token from No Agenda Social (perhaps you clicked &ldquo;Cancel&rdquo;?)")
+    const code = route.query.code
+    if (code) {
+      await store.dispatch("logOn", { abbr, code })
+      if (store.state.user !== undefined) {
+        const afterLogOnUrl = window.localStorage.getItem(AFTER_LOG_ON_URL)
+        if (afterLogOnUrl) {
+          window.localStorage.removeItem(AFTER_LOG_ON_URL)
+          router.push(afterLogOnUrl)
+        } else {
+          router.push("/citizen/dashboard")
+        }
+      }
+    } else {
+      setMessage(`Did not receive a token from ${instance.name} (perhaps you clicked &ldquo;Cancel&rdquo;?)`)
+    }
   }
 }
 
diff --git a/src/JobsJobsJobs/App/src/views/citizen/LogOn.vue b/src/JobsJobsJobs/App/src/views/citizen/LogOn.vue
index 729905b..38b43c3 100644
--- a/src/JobsJobsJobs/App/src/views/citizen/LogOn.vue
+++ b/src/JobsJobsJobs/App/src/views/citizen/LogOn.vue
@@ -1,24 +1,58 @@
 <template lang="pug">
 article
   p &nbsp;
-  p.fst-italic Sending you over to No Agenda Social to log on; see you back in just a second&hellip;
+  load-data(:load="retrieveInstances")
+    p.fst-italic(v-if="selected") Sending you over to {{selected.name}} to log on; see you back in just a second&hellip;
+    template(v-else)
+      p.text-center Please select your No Agenda-affiliated Mastodon instance
+      p.text-center(v-for="it in instances" :key="it.abbr")
+        button.btn.btn-primary(@click.prevent="select(it.abbr)") {{it.name}}
 </template>
 
 <script setup lang="ts">
-/**
- * This component simply redirects the user to the No Agenda Social authorization page; it is separate here so that it
- * can be called from two different places, and allow the app to support direct links to authorized content.
- */
+import { computed, Ref, ref } from "vue"
+import api, { Instance } from "@/api"
+
+import LoadData from "@/components/LoadData.vue"
+
+/** The instances configured for Jobs, Jobs, Jobs */
+const instances : Ref<Instance[]> = ref([])
+
+/** Whether authorization is in progress */
+const selected : Ref<Instance | undefined> = ref(undefined)
 
 /** The authorization URL to which the user should be directed */
-const authUrl = (() => {
-  /** The client ID for Jobs, Jobs, Jobs at No Agenda Social */
-  const id = "k_06zlMy0N451meL4AqlwMQzs5PYr6g3d2Q_dCT-OjU"
-  const client = `client_id=${id}`
-  const scope = "scope=read:accounts"
-  const redirect = `redirect_uri=${document.location.origin}/citizen/authorized`
-  const respType = "response_type=code"
-  return `https://noagendasocial.com/oauth/authorize?${client}&${scope}&${redirect}&${respType}`
-})()
-document.location.assign(authUrl)
+const authUrl = computed(() => {
+  if (selected.value) {
+    /** The client ID for Jobs, Jobs, Jobs at No Agenda Social */
+    const client = `client_id=${selected.value.clientId}`
+    const scope = "scope=read:accounts"
+    const redirect = `redirect_uri=${document.location.origin}/citizen/${selected.value.abbr}/authorized`
+    const respType = "response_type=code"
+    return `${selected.value.url}/oauth/authorize?${client}&${scope}&${redirect}&${respType}`
+  }
+  return ""
+})
+
+/**
+ * Select a given Mastadon instance
+ *
+ * @param abbr The abbreviation of the instance being selected
+ */
+const select = (abbr : string) => {
+  selected.value = instances.value.find(it => it.abbr === abbr)
+  document.location.assign(authUrl.value)
+}
+
+/** Load the instances we have configured */
+const retrieveInstances = async (errors : string[]) => {
+  const instancesResp = await api.instances.all()
+  if (typeof instancesResp === "string") {
+    errors.push(instancesResp)
+  } else if (typeof instancesResp === "undefined") {
+    errors.push("No instances found (this should not happen)")
+  } else {
+    instances.value = instancesResp
+  }
+}
 </script>
diff --git a/src/JobsJobsJobs/Domain/Domain.fsproj b/src/JobsJobsJobs/Domain/Domain.fsproj
index 48c3782..dbac946 100644
--- a/src/JobsJobsJobs/Domain/Domain.fsproj
+++ b/src/JobsJobsJobs/Domain/Domain.fsproj
@@ -14,6 +14,7 @@
 
   <ItemGroup>
     <PackageReference Include="Markdig" Version="0.25.0" />
+    <PackageReference Include="Microsoft.Extensions.Options" Version="5.0.0" />
     <PackageReference Include="NodaTime" Version="3.0.5" />
   </ItemGroup>
 
diff --git a/src/JobsJobsJobs/Domain/SharedTypes.fs b/src/JobsJobsJobs/Domain/SharedTypes.fs
index 30acf2a..cf485f6 100644
--- a/src/JobsJobsJobs/Domain/SharedTypes.fs
+++ b/src/JobsJobsJobs/Domain/SharedTypes.fs
@@ -2,6 +2,7 @@
 module JobsJobsJobs.Domain.SharedTypes
 
 open JobsJobsJobs.Domain.Types
+open Microsoft.Extensions.Options
 open NodaTime
 
 // fsharplint:disable FieldNames
@@ -75,6 +76,45 @@ type Count = {
   }
 
 
+/// An instance of a Mastodon server which is configured to work with Jobs, Jobs, Jobs
+type MastodonInstance () =
+  /// The name of the instance
+  member val Name     = "" with get, set
+  /// The URL for this instance
+  member val Url      = "" with get, set
+  /// The abbreviation used in the URL to distinguish this instance's return codes
+  member val Abbr     = "" with get, set
+  /// The client ID (assigned by the Mastodon server)
+  member val ClientId = "" with get, set
+  /// The cryptographic secret (provided by the Mastodon server)
+  member val Secret   = "" with get, set
+
+
+/// The authorization options for Jobs, Jobs, Jobs
+type AuthOptions () =
+  /// The return URL for Mastodoon verification
+  member val ReturnUrl    = "" with get, set
+  /// The secret with which the server signs the JWTs for auth once we've verified with Mastodon
+  member val ServerSecret = "" with get, set
+  /// The instances configured for use
+  member val Instances    = Array.empty<MastodonInstance> with get, set
+  interface IOptions<AuthOptions> with
+    override this.Value = this
+
+
+/// The Mastodon instance data provided via the Jobs, Jobs, Jobs API
+type Instance = {
+  /// The name of the instance
+  name     : string
+  /// The URL for this instance
+  url      : string
+  /// The abbreviation used in the URL to distinguish this instance's return codes
+  abbr     : string
+  /// The client ID (assigned by the Mastodon server)
+  clientId : string
+  }
+
+
 /// The fields required for a skill
 type SkillForm = {
   /// The ID of this skill