• @rylin
    link
    English
    1
    edit-2
    1 year ago

    Does this mean that theoretically you could capture a user’s session token or credentials? Since they are passing through your proxy server and not directly going to a Lemmy instance for auth.

    Edit: By the way, love the app. It is by far the best for browsing Lemmy. I love the Apollo feel to it.

    Edit 2: I saw your comment on Github and I think the answer to my question is “yes, it is theoretically possible to steal the users session token.” I would also assume this security/privacy risk would exist for ALL Lemmy apps where you login.

    To be clear, I am building a web client for Lemmy called wefwef. https://github.com/aeharding/wefwef/ Currently, I have to proxy all requests to an intermediary server I control. This is not just extra work, but has security and privacy ramifications. So please, check out how Mastodon does it (you can inspect requests with Elk) and check out how it can directly connect to any Mastodon server, since they all allow CORS *. TLDR I think it’s actually more secure to have CORS * for all Lemmy instances, because it allows 3rd party web clients to directly connect to a Lemmy instance.

    Edit 3 (last and final): I am self hosting with docker now. At least until CORS * is implemented. I think this is the best solution for now.

    • @aehardingM
      link
      English
      31 year ago

      Yes, wefwef is forced to proxy requests due to Lemmy restrictions.

      I believe native apps don’t have CORS restrictions, so they can directly connect.

      The good news is you can self host if that is a concern. And the even better news is the next version of Lemmy should allow CORS * which should allow web clients like wefwef to directly connect like native apps do, so this problem should eventually go away!

      • @rylin
        link
        English
        21 year ago

        Awesome, thank you for the amazing app!