this post was submitted on 10 Aug 2023
13 points (81.0% liked)
Lemmy Bots and Tools
449 readers
3 users here now
Welcome to the programming.dev lemmy development community! This is a place to discuss and show off bots, tools, front ends, etc. you're making that relate to lemmy
Theres another version of this community over at lemm.ee if you want to subscribe to that one as well
Icon base by DarkZaitzev under CC BY 3.0 with modifications to add a gradient
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I agree that this is a feature Lemmy lacks and would be great to have in the core. And thank you for taking the time to create it. However, asking for username and password is a security problem. I'm not attributing any ill intent to your work, but something like this can very well be used to harvest account credentials. So I would advise people to not use solutions like this.
Unfortunately Lemmy doesn't provide a better way to implement this kind of add-ons. Hopefully one day it will have a better Auth system. Until then, I think I will stick to the official UI and hope that this will come to core :)
I mean, if you use an app, or alternative Lemmy UI, you give it the same access. The minute Lemmy supports OAuth, I'm switching to it. Until then there's no other way.
It's open source if it's any help.
That's the main reason I don't use any apps. I don't think there is a real need to suspect the official UI. If one doesn't trust the instance admins, then they should rather migrate.
In case of an application running on a server, there is no reliable way to make sure that the source being shared is the source that is deployed. As I said, I don't think you have any ulterior motives. I'm only trying to raise awareness around a specific problem with Lemmy. Perhaps I should create a separate post about this in relevant communities, if it hasn't been done already.
Perhaps. Hopefully OAuth is supported soon. Don't get me wrong, I'm not particularly fond of having access to people's credentials as well because if I make a mistake and accidentally leak anything, a shitstorm awaits me.
Hmm.
You've made a good tool, but perhaps are conducting in the wrong marketing? If this tool were say, an easy-to-use Rasp. Pi and/or docker image that will post at the appropriate times, then it might avoid that issue?
Then again, I see the advantage of your web-centered approach. Eventually OAuth will be a thing for Lemmy, I'm sure, and then the workflow for a web tool like this would be perfect. Username/password is strictly a temporary measure until Lemmy matures and gets OAuth features.
Well, it's possible to self-host. Someone offered they will create a docker image for it.
Note that with OAuth nothing much will change - the app will still have access to the JWT token which is used to impersonate you. And that I don't do anything with the password you can see already in the source code:
The user will have the option to revoke access for your application.
True, forgot about that.