this post was submitted on 16 Jun 2023
12 points (100.0% liked)

Lemmy.World Announcements

29150 readers
201 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to [email protected] e-mail.

Report contact

Donations ๐Ÿ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

Hi everyone, I was toying with the idea of writing an open source client for Lemmy in React Native.

However, using lemmy-js-client, I'm getting CORS issue when trying to hit the APIs for lemmy.world (and also lemmy.ml) from the browser.

I could write a proxy server or a full backend, but that feels contrary to the fediverse philosophy of not being dependant on one instance etc. Not to mention users would have to trust me, some random person, with their logins / passwords for Lemmy.

Is there a way we can have CORS enabled from * for the APIs of lemmy.world?

top 7 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 7 points 2 years ago (1 children)

That's not a good idea, because that would allow any website a logged in user visits to impersonate them (e.g. link to a malicious site posted somewhere, users click on it, JS on the site starts posting the same link in their name, more users click on it, ...).

But react native doesn't restrict cross-domain access like browsers do, so it shouldn't be an issue in your case: https://reactnative.dev/docs/network#using-other-networking-libraries

[โ€“] iraldir 1 points 2 years ago (1 children)

I planned on exporting a web version as well and I was testing there first hence the issue.

How would this allow any website to impersonate you though? The login is made via a jwt which would not be accessible if you go in another website. If I login on mysuperlemmyclient.com and then visit maliciouswebsite.com, how can maliciouswebsite access the jwt that is stored likely in a cookie of mysuperlemmyclient.com?

[โ€“] [email protected] 1 points 2 years ago

The user's browser will send it along with the request depending on the samesite cookie settings.

The best solution would be if lemmy used federated identity (e.g. OIDC), not sure why they aren't doing that.

[โ€“] MomentsInTruth 4 points 2 years ago

Hey, looks like someone has the same idea - unless this is also you. :)

https://github.com/LemmyNet/lemmy/issues/3109

[โ€“] [email protected] 3 points 2 years ago (1 children)

The headers are set inside the Lemmy binary/docker image. So unless lemmy.world would use its own build, this has to be fixed inside the LemmyNet source code. This would probably make Lemmy vulnerable to cross-site scripting, so the security aspects should probably be discussed in on the Github project.

[โ€“] [email protected] 2 points 2 years ago* (last edited 2 years ago)

I just did some more research into this:

When a client tries to log in, the server sends a response back with a JWT token inside the body. The client then stores this token inside an isomorphic cookie. This cookie is then used to identify the user by adding it to all requests after that.

I haven't really checked post requests, but if it is the same So let's say you visit website X, that has nothing to do with Lemmy, they could do a Fetch request in the background to lemmy.world to post spam on your behalf. Even a CSRF token could no longer protect you, as the website could just do a fetch request first to get a CSRF token.

I hope I'm wrong in some way, but to me this feels like a huge security risk.

[โ€“] saucyloggins 2 points 2 years ago

Wouldn't the real process here to just make your own instance with a different front end? Either that or make it an electron app etc.

There's a lot of security issues by disabling CORS.

load more comments
view more: next โ€บ