web dev and digital artist making !lemmynade@lemm.ee

  • 4 Posts
  • 22 Comments
Joined 1 year ago
Cake day: June 15th, 2023
  • silas@programming.devtoLemmy Apps@lemmy.worldHow do the different Lemmy apps/frontends process login info?English
    6·
    10 months ago

    Yep, that’s OAuth you’re talking about! It needs to be implemented into Lemmy directly first before any apps or clients can upgrade to it. I’m not too clear where we are in the conversation, but I know one point discussed is that OAuth (and especially another method called OIDC) lean towards something centralized for authentication, and that goes against the decentralized nature of Lemmy.

    For now, the best things you can do as a user is:

    1. Decide which apps, clients, and developers you trust. Inspect privacy policies, ask questions, and review code if possible
    2. Enable 2-factor authentication
    3. Use a throwaway or aliased email (through SimpleLogin or similar)
    4. Use a unique password—one that isn’t used for any other accounts you have
  • silas@programming.devtoLemmy Apps@lemmy.worldHow do the different Lemmy apps/frontends process login info?English
    13·
    10 months ago

    I’m building !lemmynade@lemm.ee and can answer any questions. Each app and client handles differently, but for Lemmynade:

    1. You type in your instance, username/email, and password into Lemmynade and tap “Submit”
    2. After tapping submit, your username and password is sent to Lemmynade’s backend server to process securely (this is more secure than doing some of the next steps directly in your browser)
    3. Lemmynade’s backend server immediately verifies that your instance exists and that it’s a valid Lemmy instance (you don’t want to blindly send your password to some random server!)
    4. If the instance is a valid Lemmy instance, then your username and password is sent directly to your instance over an encrypted connection.
    5. If your username and password are valid, then your instance sends back a token (a bunch of random letters and numbers) to Lemmynade. This secure token can be used in place of your password so your actual password doesn’t have to be stored anywhere.
    6. Lemmynade then takes that token and saves it in in an http-only cookie on your own device. When it needs to authenticate or log in again, it uses this secure token to do it so you don’t have to keep typing in your password.

    Throughout this process, nothing is stored, logged, or recorded anywhere. The only thing stored is the secure token, and that secure token is only saved on your own device. Lemmynade or anyone else cannot access your account unless they have access to your specific device.

    There’s many more layers to this, but hopefully that explains the general idea. The main danger with the current method of authentication is that you are providing your raw password to a third party, meaning if someone wanted to be malicious it’s fairly easy to do.

    A much better authentication method is called OAuth. With OAuth, you never give your password directly to the third party, so it’s far safer. A lot of us devs are pushing for this and hoping to see this down the road as it would give much more peace of mind to everyone. It’s only up from here!

  • silas@programming.devtoFree and Open Source Software@beehaw.orgDoes a FOSS App need TOS and Privacy Policy?English
    25·
    10 months ago

    Definitely take this all with a grain of salt—I am by no means a legal expert, this is just my advice.

    Privacy Policy

    Required by law in Germany if you are collecting any sort of data about your users (even if it is being collected by a third party through your app, or if it is entirely anonymous data).

    Data Processing Agreement

    Required by law in Germany for the same reasons as the Privacy Policy. This agreement makes it clear how your users’ data is used.

    Cookie Policy

    Required by law in Germany if your application uses cookies of any kind (mostly applies to web app and web technologies)

    Terms of Service

    Highly recommended. This may protect you immensely if and when you end up in a legal situation down the road.

    Other

    Otherwise, you should look into these as well if applicable:

    • EULA (if distributing your app to be run on someone else’s device)
    • DCMA Policy (if you host and share any user-generated content)
    • Return Policy (if you are selling anything)

    These documents matter most if (1) there is money involved or (2) when you are receiving, processing, storing, or sharing user-submitted content or any data about your users. This is because you are less likely to end up in a legal mess if you’re not taking people’s money or data.

    Starting out, you can find templates for these online. A template will be better than nothing at all. Then, if you are able down the road, you can hire a legal professional to write and review your documents for you. A legal professional might recommend more specific documents or different versions of the same document as well.

    Not sure about Germany, but in the United States it’s fairly inexpensive to start an LLC. You can then put legal documents under that new entity instead of your own personal name. This can protect you and your own belongings from any unfortunate financial or legal situations.

    Again, if you’re not receiving money or any user data, you don’t have to worry quite as much. However, it never hurts to play it safe. Mistakes happen and anyone can get sued.