Trakata
@Trakata@lemmy.ca
- Comment on App to schedule posts on Lemmy 1 year ago:
Where the hell did I lie?
Pretending to not store effective passwords and attempting to obfuscate the mechanism to less tech-savvy users.
Stop lying and making stuff up, please.
I haven’t, your code stores effective password access and gives you the ability to control other people’s accounts and you’ve done nothing to secure it in your little php framework and said “just trust me bro, I won’t use your account by proxy even though this is exactly what this app does”.
Literally go fuck yourself.
- Comment on App to schedule posts on Lemmy 1 year ago:
No, thanks.
- Comment on App to schedule posts on Lemmy 1 year ago:
I don’t store your password if that’s what you’re asking! …
The JWT token is not stored on the server, it’s only in a cookie in your browser.
When you schedule a post, the post details, your instance, your username and your JWT token are stored in a job…
You’re simply storing secrets on the server and running it by proxy, nothing prevents you from extracting those JWTs from the job stores and actioning them against an arbitrary Lemmy API with crafted calls.