this post was submitted on 06 Dec 2023
19 points (95.2% liked)

Lemmy Apps

4992 readers
1 users here now

A home for discussion of Lemmy apps and tools for all platforms.

RULES:

An extensive list of Lemmy apps is available here:

LemmyApps.com

or lemmyapps.netlify.app

Visit our partner Communities!

Lemmy Plugins and Userscripts is a great place to enhance the Lemmy browsing experience. [email protected]

Lemmy Integrations is a community about all integrations with the lemmy API. Bots, Scripts, New Apps, etc. [email protected]

Lemmy Bots and Tools is a place to discuss and show off bots, tools, front ends, etc. you’re making that relate to lemmy. [email protected]

Lemmy App Development is a place for Lemmy builders to chat about building apps, clients, tools and bots for the Lemmy platform. [email protected]

founded 1 year ago
MODERATORS
[email protected]
19
How do the different Lemmy apps/frontends process login info? (lemm.ee)
submitted 11 months ago by [email protected] to c/[email protected]
6 comments fedilink hide all child comments
 

Have been wondering about this in terms of how safe/secure it may be to use them. Not that a Lemmy account is exactly something to fret a ton over, but I always appreciate a little more peace of mind.

Searching through here I found where Alexandrite's dev gives a rundown to someone asking in regards to their work, but I didn't surface similar for others. I've tried running some broader searches but haven't had a ton of luck, so thought I'd ask.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 11 months ago (1 children)

Thanks! Appreciate this for Lemmynade's specific process.

The main danger with the current method of authentication is that you are providing your raw password to a third party, meaning if someone wanted to be malicious it’s fairly easy to do.

I was thinking that might be the case, but wasn't sure if it might be some slight tech-paranoia on my part. Was particularly surprised when the apps I've looked into didn't have a redirect to your chosen instance to sign in via browser or something and do a sort of hand off back to the app, but I'm guessing that may have something to do with the current state of Lemmy's development.

[–] silas 6 points 11 months ago* (last edited 11 months ago)

Yep, that’s OAuth you’re talking about! It needs to be implemented into Lemmy directly first before any apps or clients can upgrade to it. I’m not too clear where we are in the conversation, but I know one point discussed is that OAuth (and especially another method called OIDC) lean towards something centralized for authentication, and that goes against the decentralized nature of Lemmy.

For now, the best things you can do as a user is:

  1. Decide which apps, clients, and developers you trust. Inspect privacy policies, ask questions, and review code if possible
  2. Enable 2-factor authentication
  3. Use a throwaway or aliased email (through SimpleLogin or similar)
  4. Use a unique password—one that isn’t used for any other accounts you have