In between working on FIRES yesterday, I also finished up a rather substantial contribution to @hollo that I'd been working on.

https://github.com/fedify-dev/hollo/pull/130

It's an OAuth thing, which to end users shouldn't really change anything, but internally it helps pave the way for supporting PKCE and Device Code Authorization Grant Flow, the first shipped in Mastodon 4.3, the second I want to land in a future version of Mastodon (it's a low priority on the oauth roadmap but just because of a dependency issue)

This also increases the test coverage of Hollo too, which is neat.

Admittedly we're able to take some shortcuts in Hollo, like only supporting Bearer tokens and not access_token query parameter, because the latter really shouldn't be used.

We do currently only support client_secret_post as a client authentication mechanism, not client_secret_basic and none, so those need to be added too, to be more compatible.