this post was submitted on 06 Dec 2023
19 points (95.2% liked)

Lemmy Apps

5485 readers
6 users here now

A home for discussion of Lemmy apps and tools for all platforms.

RULES:


An extensive list of Lemmy apps is available here:

LemmyApps.com

or lemmyapps.netlify.app


Visit our partner Communities!

Lemmy Plugins and Userscripts is a great place to enhance the Lemmy browsing experience. [email protected]

Lemmy Integrations is a community about all integrations with the lemmy API. Bots, Scripts, New Apps, etc. [email protected]

Lemmy Bots and Tools is a place to discuss and show off bots, tools, front ends, etc. you’re making that relate to lemmy. [email protected]

Lemmy App Development is a place for Lemmy builders to chat about building apps, clients, tools and bots for the Lemmy platform. [email protected]

founded 1 year ago
MODERATORS
 

Have been wondering about this in terms of how safe/secure it may be to use them. Not that a Lemmy account is exactly something to fret a ton over, but I always appreciate a little more peace of mind.

Searching through here I found where Alexandrite's dev gives a rundown to someone asking in regards to their work, but I didn't surface similar for others. I've tried running some broader searches but haven't had a ton of luck, so thought I'd ask.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 11 months ago

I'm the developer of a (still beta) mobile app for Lemmy and I don't have a backend, the credentials are inserted by the user in the app and are sent to the Lemmy instance they are using directly with no steps in between.

Instance name verification is done by just calling a public (non authenticated) API like the community list and seeing if this healthcheck passes, whereas authentication is done by the Lemmy instance itself which returns an error if the user does not exist or the password is wrong.

The login API provides a token, as explained by other devs in this thread, which is saved in the app database (but the database is encrypted with a key randomly generated on a per-install base on the device and local to that device only). This token is appended to the body (where specified) or auth header of the subsequent authenticated API calls, which are in turn encrypted too since it's HTTPS.