    Marcel Klehr
    @marcelklehr
    yep
    pogobanane
    @pogobanane
    i see
    Marcel Klehr
    @marcelklehr
    and because I think, given the CSRF issues it's unlikely for the cookie-hack to work with the public API
    I'm not sure if/how you can access the internal API from different domains, though
    and you'll definitely need to implement CSRF
    i.e. send the CSRF-token received from the last response for the next request
    Marcel Klehr
    @marcelklehr
    if need be, we can add a @CORS annotation to those internal routes, I'm not sure if that's necessary
    pogobanane
    @pogobanane
    As I understand, auth options on bookmarks/master are:
    1. public token; transmitted in url; for sharing bookmarks with the public
    2. basic Authorization header; big overhead because we log in & passwordVerify for every request; has CSRF issues right now
    3. ? bearer Authorization header
    pogobanane
    @pogobanane
    options for fixing CSRF for 2.:
    • disable cookie auth and require login for every request
    • implement CSRF tokens and require login for every request
    • go insane, implement csrf tokens in cookie-hack and bookmarks while still allowing session cookie auth
    Marcel Klehr
    @marcelklehr
    > implement CSRF tokens and require login for every request

    CSRF tokens are only necessary when cookie auth is possible

    > ? bearer Authorization header

    the bearer auth option is an alternative for passing the public token
    it is worth noting, though that the bookmarks app has two APIs
    an internal one and an external one
    pogobanane
    @pogobanane
    ah ok
    Marcel Klehr
    @marcelklehr
    the external one is where I'm running my own auth
    the internal API was only intended for the bookmarks UI, i.e. it assumes you have valid session cookies and a CSRF token -- I'm not sure if it even allows basic auth, but it might
    so, in order to still make use of the cookie hack, we could try to use the internal API instead
    instead of /apps/bookmarks/public/rest/v2/{endpoint} point requests at /apps/bookmarks/{endpoint} and send session cookies and CSRF-token
    pogobanane
    @pogobanane
    ah now I finally understand
    Marcel Klehr
    @marcelklehr
    :)
    the endpoints are essentially the same just the auth part is different
    pogobanane
    @pogobanane
    :thumbsup:
    pogobanane
    @pogobanane
    cool. Do you have an opinion about it yet?
    Marcel Klehr
    @marcelklehr
    I think I'll replace travis with github,
    much more beautiful
    plus, I don't need saucelabs anymore which was very slow and error-prone
    dockerized selenium ftw
    pogobanane
    @pogobanane
    > much more beautiful

    agreed

    :D
    Marcel Klehr
    @marcelklehr
    I recently read about it, yeah. Would be nice to implement it in floccus. see marcelklehr/floccus#297
    I doubt that will improve performance, though
    as that flow is just a nicer way to get an app password
    Marcel Klehr
    @marcelklehr
    still it's nice for people using 2FA
    pogobanane
    @pogobanane
    true, those obtained app passwords should be stored just as securely as passwords.
    they are longer and more random than passwords though, which means you need less protection against rainbow table creation -> apppasswordVerify may be faster than passwordVerify.
    I will check that some time.
    Marcel Klehr
    @marcelklehr
    Nextcloud doesn't know upfront that it's an app password, though
    so it'll check against the normal password first I guess :/
    Leon
    @crazzzik_twitter
    Hey, I was wondering about syncing bookmarks to kiwi browser. It seems that in order to sync bookmarks to kiwi there need to be root folders already created, but there doesn't seem to be a way to do it. Is there a workaround for this?
    Marcel Klehr
    @marcelklehr
    @crazzzik_twitter Hey :wave:
    I'm not sure what you mean
    A common misconception is that floccus will sync all your bookmarks by default, which it doesn't.
    By default it will create a new folder for you and will sync only that folder.
    Leon
    @crazzzik_twitter
    I set it to root folder on desktop
    Marcel Klehr
    @marcelklehr
    ah, ok
    Leon
    @crazzzik_twitter
    But when I start the sync on kiwi, no new bookmarks appear
    It looks like it is because kiwi only has Mobile Bookmarks as root folder
    Marcel Klehr
    @marcelklehr
    in kiwi there is only one root folder?
    so it's
    > root
        > Mobile bookmarks
           > ....