• aeharding@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Hi there!

    wefwef never stores your password or any other account/credentialed information on wefwef servers. Your password, when submitted, is passed to your instance through wefwef, and then you instance provides a token that verifies your session, and then that token is passed back to your device.

    Your device persists this token locally. Whenever you make a request, this token is included to authenticate you.

    wefwef does not store, inspect or sell user data.

    Ideally, this communication would be directly between your device and Lemmy. Currently, duo to CORS limitations, wefwef is required to proxy data to overcome those limitations. You can read more here (hopefully this will change in a future release of Lemmy): https://github.com/LemmyNet/lemmy/issues/3109

    I hope that helps! 😊

    • rylin@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      Does this mean that theoretically you could capture a user’s session token or credentials? Since they are passing through your proxy server and not directly going to a Lemmy instance for auth.

      Edit: By the way, love the app. It is by far the best for browsing Lemmy. I love the Apollo feel to it.

      Edit 2: I saw your comment on Github and I think the answer to my question is “yes, it is theoretically possible to steal the users session token.” I would also assume this security/privacy risk would exist for ALL Lemmy apps where you login.

      To be clear, I am building a web client for Lemmy called wefwef. https://github.com/aeharding/wefwef/ Currently, I have to proxy all requests to an intermediary server I control. This is not just extra work, but has security and privacy ramifications. So please, check out how Mastodon does it (you can inspect requests with Elk) and check out how it can directly connect to any Mastodon server, since they all allow CORS *. TLDR I think it’s actually more secure to have CORS * for all Lemmy instances, because it allows 3rd party web clients to directly connect to a Lemmy instance.

      • aeharding@lemmy.worldM
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yes, wefwef is forced to proxy requests due to Lemmy restrictions.

        I believe native apps don’t have CORS restrictions, so they can directly connect.

        The good news is you can self host if that is a concern. And the even better news is the next version of Lemmy should allow CORS * which should allow web clients like wefwef to directly connect like native apps do, so this problem should eventually go away!