Lemmy App Development

693 readers

1 users here now

A place for Lemmy builders to chat about building apps, clients, tools and bots for the Lemmy platform.

On-Topic:

programming questions related to the Lemmy platform
sharing your ideas, WIP, or released Lemmy-related work

Off-Topic:

general programming questions unrelated to Lemmy
feature requests for developers
sharing or promoting work not related to Lemmy

founded 1 year ago

MODERATORS

[email protected]

Lemmy API Security Tip: Verify that the instance is a valid Lemmy instance first before sending your user’s login details (self.lemmydev)

submitted 1 year ago* (last edited 1 year ago) by silas to c/[email protected]

5 comments fedilink hide all child comments

I hope this is obvious, but I wanted to get it out there because of how important it is.

If your client allows user-entered Lemmy instances, ALWAYS verify that the instance is a valid Lemmy instance before sending credentials over. Otherwise, the user may have entered a url to an unknown server or site, and you will be sending their login credentials to a server that may be logging and storing the request or even intentionally trying to capture these credentials.

Instead, call getSite at the very least, or use a public list of verified servers before making the login request.

I would not be surprised if down the road malicious sites with similar domains to popular instances will be created to get login details of users who mis-typed their instance domain. It’s partially our responsibility to make sure our users are safe, so let’s keep this discussion going as we learn new ways to handle security concerns!

top 5 comments

sorted by: hot top controversial new old

[–] canpolat 5 points 1 year ago (1 children)

I think this may also be a problem with malicious clients. Currently the user enters the username and password via the client's login dialog. It's an effective way to collect credentials.

[–] silas 5 points 1 year ago (1 children)

Yes you’re right, implementing OAuth or similar would fix this

[–] [email protected] 4 points 1 year ago

I really hope we get OAuth support soon. Other fediverse apps (ie Mastodon) already implement this so that should help roadmap a path forward for Lemmy.

[–] [email protected] 4 points 1 year ago

Good tip. Wrote this up as a bug against my project. It's not a full-proof solution (malicious attacker could have setup a lemmy instance modified to save off credentials) but it's probably a good idea.

[–] [email protected] 2 points 1 year ago

thanks a lot for this