Posts: 37 · Comments: 239 · Joined: 2 yr. ago

  • Syncthing is so great, I don't have to deal with things like an FTP server, sending files to a cloud drive, connecting via USB, or similar. I just point Syncthing to the folder I want to replicate and my PC has it immediately and receives new files as soon as I connect to WiFi (because of my configuration), and then at the PC I can easily back up the files.

  • Probably the federation is still trying to access matrix.example.com instead of just example.com to get the .well-known configuration.
    I'm not sure how to make this work in general; you need a way for the federated instances to ask your instance for the configuration on the host you want.

  • Thanks for all the information and advice!

    So in theory basic auth is enough when sent through HTTPS, right?
    If this is the case then the user would need to handle their password and my API can keep storing just the hash.

    In another comment JWT was suggested, maybe this could also be a solution?
    I'm thinking the user can worry about generating and signing the token and we could only be storing the public key, which requires less strictness when handling it. This way we can validate that the token has been signed by whom we expect, and the user will worry about the private key.

  • Oh, I've only used JWTs with OIDC so I didn't think about using them directly.
    It could be a good solution since the user can generate them on their own and we can validate them with the correct information (secret or public key).

    About the issue of long-lived or non-expiring JWTs, maybe a custom restriction where valid tokens with lifespans of more than X minutes are rejected?
    Yeah, the token could be a valid one but we could say the payload is invalid for our API.
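The scheme discussed in this comment thread, a client-minted JWT that the API checks for signature, expiry and a maximum allowed lifespan, as an added example that is not part of the original comments or of any project mentioned here. It uses only the Python standard library, so it signs with HS256 (a shared secret) rather than a public key; with an RSA/ECDSA key you would swap the HMAC for a signature verify from a JWT library and keep the same policy checks. `MAX_LIFETIME_SECONDS`, the secret and the timestamps are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Policy chosen for this example: a token whose exp - iat exceeds this is rejected
# even if its signature is valid (the "custom restriction" idea from the thread).
MAX_LIFETIME_SECONDS = 10 * 60
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def client_make_token(secret: bytes, subject: str, lifetime_seconds: int, now: int) -> str:
    """What the client does on its side: build and sign a compact JWT (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def api_validate_token(token: str, secret: bytes, now: int) -> dict:
    """What the API does: return the payload if acceptable, else raise ValueError with the reason."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose it (prevents alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat and exp are required")
    # The extra policy check from the thread: a valid signature is not enough,
    # the payload must also describe a short-lived token.
    if exp - iat > MAX_LIFETIME_SECONDS:
        raise ValueError("token lifespan exceeds policy")
    if now >= exp:
        raise ValueError("token expired")
    if iat > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    return payload


def classify(token: str, secret: bytes, now: int) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        api_validate_token(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo values.
    secret, now = b"client-shared-secret", 1_700_000_000
    print(classify(client_make_token(secret, "svc", 300, now), secret, now + 10))
    print(classify(client_make_token(secret, "svc", 3600, now), secret, now + 10))
```

The lifespan rule is enforced on `exp - iat`, not on `exp` alone, so a client cannot sidestep it by issuing a token with `iat` far in the past; the skew allowance is the only slack given.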

  • I agree, the token has a lifespan of some hours so it could be generated after that amount of time, which for a ~400ms call is not that much, but I was overruled .-.

    The only thing I control is the API; the client's implementation is outside of my control (although I know it is a backend service).

  • Someone wants me to implement a way to access a resource without having to make the extra HTTP calls required by OAuth. WSSE is a possibility since I saw it had some standards to send the credentials in a secure way.
    I have been reading about WSSE for less than a week '-

    Yeah, the idea would be the tokens used to generate the digest WSSE requires will live in our secure environment, and that's the question: how is a secure environment created to store tokens/API keys of users which will be used to authenticate them into my API?
    I haven't implemented this kind of stuff so I don't know what the best practices are for storing this kind of sensitive data.
    So, I'd need to research password vaults to store my user's secrets so I can use them to authenticate them?

    I went into WSSE since sending a client id + secret seems like just a rewording of basic authentication and, well, sending the credentials in plain text seems more insecure than sending a hash.
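The WSSE UsernameToken exchange this comment is considering, with both the client side (building the X-WSSE header) and the API side (recomputing the digest, bounding the Created timestamp and rejecting nonce replay), as an added example that is not part of the original comments or of any project mentioned here. It assumes the common convention that the Nonce attribute is base64-encoded and the digest is computed over the raw nonce bytes; the window size, usernames, passwords, nonces and timestamps are constructed values. Note what the verifier needs to recompute SHA1(nonce + created + password): the password itself, not a password hash, which is exactly the storage question raised in the comment.

```python
import base64
import calendar
import hashlib
import hmac
import re
import secrets
import time

WSSE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def iso_to_epoch(created: str) -> int:
    """Parse the WSSE Created timestamp (UTC, second precision) into Unix time."""
    return calendar.timegm(time.strptime(created, WSSE_TIME_FMT))


def fresh_nonce() -> bytes:
    return secrets.token_bytes(16)


def client_make_wsse_header(username: str, password: str, created: str, nonce: bytes) -> str:
    """Client side: PasswordDigest = Base64(SHA1(nonce + created + password)).
    The Nonce attribute carries the same nonce base64-encoded (assumed convention)."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return 'UsernameToken Username="{u}", PasswordDigest="{d}", Nonce="{n}", Created="{c}"'.format(
        u=username,
        d=base64.b64encode(digest).decode(),
        n=base64.b64encode(nonce).decode(),
        c=created,
    )


class WsseVerifier:
    """API side. secrets_by_user maps username -> plaintext password; the digest cannot be
    recomputed from a password hash, so this mapping must be kept in protected storage."""

    def __init__(self, secrets_by_user: dict, window_seconds: int = 300):
        self._secrets = secrets_by_user
        self._window = window_seconds
        self._seen = {}  # nonce bytes -> created epoch, for replay detection

    def verify(self, header_value: str, now: int) -> str:
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', header_value))
        try:
            username = attrs["Username"]
            digest_b64 = attrs["PasswordDigest"]
            nonce_b64 = attrs["Nonce"]
            created = attrs["Created"]
        except KeyError:
            return "malformed header"
        try:
            created_epoch = iso_to_epoch(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
            sent_digest = base64.b64decode(digest_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed header"
        # Bound the timestamp first so the replay cache only has to remember one window.
        if abs(now - created_epoch) > self._window:
            return "stale timestamp"
        password = self._secrets.get(username)
        if password is None:
            return "unknown user"
        expected = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        if not hmac.compare_digest(expected, sent_digest):
            return "bad digest"
        self._expire_nonces(now)
        if nonce in self._seen:
            return "nonce reused"
        self._seen[nonce] = created_epoch
        return "ok"

    def _expire_nonces(self, now: int) -> None:
        for nonce, created_epoch in list(self._seen.items()):
            if now - created_epoch > self._window:
                del self._seen[nonce]


if __name__ == "__main__":
    # Constructed demo values.
    verifier = WsseVerifier({"svc-account": "correct horse battery staple"})
    header = client_make_wsse_header("svc-account", "correct horse battery staple",
                                     "2024-01-01T00:00:00Z", fresh_nonce())
    print(verifier.verify(header, iso_to_epoch("2024-01-01T00:00:10Z")))
```

Without the Created window and the nonce cache, a captured header could be replayed indefinitely; with them, the replay cache only needs to hold nonces seen inside the window, which is what makes it affordable to keep in memory.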

  • Well, an "extra HTTP call" is any call besides the one required for the client to access my API; in this case it is an extra call to generate an access token.
    Why does it matter? In words of the client: "making a call to generate a token is slow"

  • Based on the title you're right, I asked about how to do X when probably I need to do Y, but the first and last paragraphs mention what my requirement is: a form of authentication which doesn't require making an extra HTTP call to generate a token.

    And what I mean by this is OAuth specifies the client needs to request an access token and an optional refresh token from the authorization server; afterwards the access token can be sent to the resource server (in this case my API), and if the token expires the client can make another request to the authorization server with the refresh token.
    Each call to the authorization server is that "extra http call" I mentioned.

    Currently the only solution I found which seemed somewhat secure was WSSE, but again, I've only worked with OAuth2 and hashing passwords (or even better, using a dedicated service like keycloak), so I'm not sure what's the best option to store the data it requires or if there's a better solution.

    I don't know how to be more clear, is there a way to authenticate a client to the resource server (my API) without making the client call endpoints to generate the tokens? Is there a way for the client to generate their own tokens and for me to validate them?

  • I remember there was an update to the [redacted]'s one to avoid spam. I don't know how it worked but it was along the lines of: after some "here's your reminder" comments it stopped itself from commenting and only sent PMs to the people commenting.
    Just mentioning it in case it's also a desired improvement for this one.

  • Thanks for reminding me these exist, I also tried them some time ago and couldn't make them work, but somehow now I was able to deploy my own server to work with them!

    I'll clean up my code and publish it later :D

  • I never understood this, it's your selfhosted server but you kind of don't own it and depend on them, so you just have an application which depends on their service, which means Plex isn't 100% selfhostable, correct?

  • Damn, I wanted to answer with that joke...

    I'd say I still procrastinate, but less. The main factor is it makes me feel anxious about not finishing stuff, so I wanted a solution.
    The way I'm improving is to break big tasks into smaller steps which are easier and quicker to accomplish. This way I feel better since there's something I finished even when the big task might still be a long way from being finished.

    I remember something about 2-minute tasks or something like that, but I also saw this at my job: splitting projects into epics and each epic into tasks, and even then you could split them into sub-tasks (taken from the Jira types at my job).

  • I'm not sure how Nextcloud handles it, but as long as you can resolve the domain then you can put whatever you want.
    You usually purchase a domain so it appears on the internet with the major DNS servers, but if you only have the site in your internal network then you can put whatever you want as long as you update your internal DNS.

    Usually you can do this by manually updating the hosts file in your machines.
    But a better way is to have something like PiHole, in which you can set your local DNS to resolve to your own IP.
    After that the only annoyance is the SSL certificates, which will be self-signed, so browsers show a warning and some services don't have a way to work with them.

  • Yeah, most people buy whatever product they see first or smells nice, but they most probably are buying a deodorant.
    When I noticed this and started looking for antiperspirants, it was a game changer, my days were more comfortable.

  • hashtags as they can be seen on mastodon.

    I haven't seen the federation content exchanged, in the UI I've only seen hashtags from mastodon as links inside the content of the post.
    For the implementation in Lemmy I'd guess they need to be included in the metadata (as in one of the examples in the RFC). Does Mastodon already do this so Lemmy can properly display them in a separate section in the UI?
    Also, how would mastodon handle not having the hashtag in the content but only in the metadata?