I’m building [email protected] and can answer any questions. Each app and client handles differently, but for Lemmynade:
- You type in your instance, username/email, and password into Lemmynade and tap “Submit”
- After tapping submit, your username and password is sent to Lemmynade’s backend server to process securely (this is more secure than doing some of the next steps directly in your browser)
- Lemmynade’s backend server immediately verifies that your instance exists and that it’s a valid Lemmy instance (you don’t want to blindly send your password to some random server!)
- If the instance is a valid Lemmy instance, then your username and password is sent directly to your instance over an encrypted connection.
- If your username and password are valid, then your instance sends back a token (a bunch of random letters and numbers) to Lemmynade. This secure token can be used in place of your password so your actual password doesn’t have to be stored anywhere.
- Lemmynade then takes that token and saves it in in an http-only cookie on your own device. When it needs to authenticate or log in again, it uses this secure token to do it so you don’t have to keep typing in your password.
Throughout this process, nothing is stored, logged, or recorded anywhere. The only thing stored is the secure token, and that secure token is only saved on your own device. Lemmynade or anyone else cannot access your account unless they have access to your specific device.
There’s many more layers to this, but hopefully that explains the general idea. The main danger with the current method of authentication is that you are providing your raw password to a third party, meaning if someone wanted to be malicious it’s fairly easy to do.
A much better authentication method is called OAuth. With OAuth, you never give your password directly to the third party, so it’s far safer. A lot of us devs are pushing for this and hoping to see this down the road as it would give much more peace of mind to everyone. It’s only up from here!