Was curious about whether someone could extract my password from Jerboa on my phone but didn’t get any response there. Maybe you guys have some idea? Does Lemmy even offer an auth mechanism that could prevent this, is one in the works?
cross-posted from: https://lemmy.ca/post/652328
I noticed that Jerboa didn’t seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jerboa I’m entrusting it with the cleartext password for my lemmy account, which it’s storing on my phone?
I’m sorta okay with that, especially for now (e.g. alpha), so I proceeded with things, but maybe it should be more clear up front that’s what’s happening? And really, any of the other apps could probably have faked that OAuth page anyhow, so it’s dubious whether you were really trusting the app all that much less in that case.
However, one thing OAuth had going for it was that it would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account, whereas they could extract my password from Jerboa and use it to take over my lemmy account?
The session cookie is stored in your app’s data, which is sandboxed by default
Oh nice, it’s not storing the pw then? Is the session just perpetual and doesn’t expire, or has my app been refreshing it along the way? How do I invalidate the session if, e.g., I lose my phone?
That gives me a feature request for mlem and memmy anyway: the option to log in / sign up via passkeys, which should work with iOS but also everything Apple/Microsoft/Google. And it’s the private solution, because you can choose to manage the keypair yourself instead of letting the AMG do it, or for those who don’t grok that, they can just let Apple handle it for them.
Shit, I didn’t even consider this…