[weasyl] api-key authentication #1057

Merged
merged 3 commits into from
Oct 15, 2020

@Korvox Korvox commented Oct 11, 2020

Fixes this comment

Required to download NSFW images.

Korvox commented Oct 11, 2020

Now I'm getting into it to actually see how usernames behave and I'm finding a whole lot of... edge cases? I just went down the front page looking for usernames with weird glyphs in them. Here's one with an underscore: https://www.weasyl.com/~anubiswerewolf. It's cut from every URL, which is good and what we would hope would happen because we don't match on underscore. But here's one with dashes: https://www.weasyl.com/~thezombiecat. They get removed too, but we are matching on dashes. The API docs say a login name is:

"A user’s username, lowercase, and omitting all non-alphanumeric, non-ASCII characters."

Which doesn't actually hold as Importaste reported, the URL names can contain tildes. Specifically ONLY on the userpages suffixed with a tilde. Everywhere else they are removed. It looks like pattern matching on dashes isn't necessary because Weasyl is formatting them out, as it does with underscores, but not with tildes.

What you can do, however, is add underscores and tildes. https://www.weasyl.com/~anubis_wer_ewo_lf is valid and won't redirect or update its URL. You can get pretty wild with this: https://www.weasyl.com/~the-z@~o_!m-$.b%60|i(&e-*,c$a%5Et and it will STILL resolve. So Weasyl is back-end filtering out non-alphanumerics from its requests when routing, probably using the same sanitizer they use to generate owner_logins.

That seems to mean that we should be matching on anything but HTTP control characters in the username; the only characters that seem to not work are #, %, /, and \.

@mikf mikf merged commit 3ec60e8 into mikf:master Oct 15, 2020
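
The normalization described in the comment above, as an added example that is not part of the pull request or the project's code: it reduces any accepted profile URL to one canonical login name so that URL variants of the same account can be deduplicated. The pattern, the function names and the handling of `%` (percent-escapes are decoded first, and a `%` that survives decoding is rejected) are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote

# Assumption taken from the comment above: these characters do not work in a
# profile URL; everything else is accepted and filtered out by the site.
REJECTED = set("#%/\\")

# Hypothetical pattern for this example, not the project's own.
PROFILE_URL = re.compile(r"(?:https?://)?(?:www\.)?weasyl\.com/~([^/?#\\\s]+)$")


def login_name(url):
    """Return the canonical login name for a profile URL, or None."""
    match = PROFILE_URL.match(url)
    if not match:
        return None
    segment = unquote(match.group(1))  # e.g. %60 -> `, %5E -> ^
    if REJECTED & set(segment):
        return None
    # API docs wording: lowercase, only ASCII alphanumerics survive.
    # Filter before lowercasing so no non-ASCII letter folds into ASCII.
    name = re.sub(r"[^A-Za-z0-9]", "", segment).lower()
    return name or None


def group_by_account(urls):
    """Group URLs by the account they resolve to; unusable URLs are skipped."""
    accounts = {}
    for url in urls:
        name = login_name(url)
        if name is not None:
            accounts.setdefault(name, []).append(url)
    return accounts


if __name__ == "__main__":
    # URLs quoted in the comment above.
    sample = [
        "https://www.weasyl.com/~anubiswerewolf",
        "https://www.weasyl.com/~anubis_wer_ewo_lf",
        "https://www.weasyl.com/~thezombiecat",
        "https://www.weasyl.com/~the-z@~o_!m-$.b%60|i(&e-*,c$a%5Et",
    ]
    for name, variants in group_by_account(sample).items():
        print(name, len(variants))
```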