
I'm not sure how that would work for third party projects that are just front ends hosted on a github page, like reddit as outlook (https://one-loop.github.io/redlookit/). The requests are made by the users themselves there, we can't give them an api key.

We can do a "login with reddit" button approach, show them an iFrame so they can enter their user/password safely and grant us the rights to use their premium to make requests on our web page and such. The iFrame would need to be passed a nonce so we can ask reddit for updates on the user's login process and get a session token at the end. But even then, although we've offloaded all the user data handling to reddit, at a minimum we can leak the session token to some server we own, and get to use their account's session to do whatever the permissions we asked for allow us to do, including scrape reddit on their dime.

We used to just be able to get the read-only stuff for free and we never needed to ask users to log in or to have an account... I wish they could just load ads in their API responses and kindly ask us to load them in the middle of the posts. We would. But I have a feeling that no advertiser would be OK having their product displayed on third party pages.



Wouldn't this be mitigated by having a generous cap on the requests a Premium user could conceivably consume for typical usage? Per your leaked session scenario, Reddit could build some protections if the cap is exceeded. If credentials are compromised, a user could request they be cycled and prudent decisions made at Reddit to provide them.


The user still gets shafted for that month because I used all of their data for myself.

User could choose "per app" how much data it can use too.

They already have something implemented in their API to have permissions granted in your account for third party apps. "Now for reddit" has permissions for reading my dms, upvoting, posting, ... basically anything you can do.



