this post was submitted on 06 Apr 2025

Can somebody please tell me how Lemmy implements auth? If I sign up to an instance, who manages the login credentials for my account to validate login attempts? If it's the instance manager, am I at the mercy of the instance to keep my login credentials safe? What about when logging in with 3rd-party apps like Voyager or Alexandrite: are my login credentials passed to those 3rd-party apps in clear text to validate with the instance that hosts my account?

Ideally, I would want the auth to be handled by one centralized authority that I can trust to keep my credentials safe, instead of trusting instance managers or 3rd-party apps not only to store my credentials but to validate auth as well. Is that something that can be implemented for each ActivityPub software? As in, auth for all instances of Lemmy is handled by Lemmy, Mastodon by Mastodon, Misskey by Misskey, etc.

E: I'm talking about user authentication, in case that wasn't clear.

E2: This discussion would be more suited to each software's development platform. But I will leave it here to get other people's perspectives.

[–] [email protected] 9 points 1 day ago* (last edited 1 day ago) (2 children)

There is currently no OAuth, which sounds like what you're asking for.

Currently you need to trust the app and your instance. Most instances are running off-the-shelf Lemmy, but there is no way to confirm that.

Lemmy apps could steal your password if they wanted to, but if you use an open-source app through, say, F-Droid, which compiles the apps from source, you can check the code if you have that skillset.

Ultimately the answer here though is not to trust your instance or app, but to instead not need to. Your account should be treated as disposable and (like every other site) you should be using a unique password not used anywhere else.

This way it doesn't matter if your instance steals your password, since they already know everything you've given them. Lemmy is all public anyway so there isn't much risk involved.

I'd argue the biggest risk is if your instance requires email validation, and it's easy enough to use a relay email (Firefox Relay, SimpleLogin, Addy.io, etc.) so that's unique as well.

[–] [email protected] 2 points 1 day ago (1 children)

Currently you need to trust the app and your instance. Most instances are running off-the-shelf Lemmy, but there is no way to confirm that.

Yes, that is what I wanted to know. My question was more directed towards other fedi software where you might want to secure/recover your account instead of using completely disposable accounts. So providing an e-mail address to an instance manager is what I was worried about, in case the instance manager decides to doxx their users. It's just a possibility that needs to be taken into account when signing up on the fediverse, which is not what most people are used to.

Honestly, I didn't think about relay addresses, which is a handy tip. But I asked because I wanted to use the Alexandrite front end in my desktop browser and was wondering how safe it is to hand over my login credentials to Lemmy skins. Since those are hosted on closed-source servers, you can't really verify what's happening on the server side, or how safe it is to hand over your login credentials to them if you're not using a disposable account and a unique password.

[–] [email protected] 3 points 23 hours ago

Whoever is running the Alexandrite frontend you are accessing definitely could modify it to steal your password, so it's another point of trust. To help reduce this risk, many instances will run their own Alexandrite (and other third party frontends). With a quick search I didn't find lemm.ee hosting any though.

I believe OAuth support is planned for Lemmy, but I'm not sure on the timeline or the exact implementation.

On the relay emails, I believe some instances block their use, but the benefit of having many instances is you can find one that aligns to your values.