Alt-er / obsidian-sync-share

Sync and share (publish) your notes in your own private service.
https://share.alter.run/share/alter/0798331c-7d63-4fa7-b312-a600ad62aea7
MIT License
80 stars, 1 fork

Plugin removed from Obsidian plugin directory — Remove default server configuration #12

Closed liamcain closed 8 months ago

liamcain commented 9 months ago

Hi, @Alt-er, the Obsidian team received a report that some users might accidentally be using the default server configuration to sync real, private notes. The server does not seem to require any authentication, and users are pressing sync in their private vaults and receiving files from other users using the same default configuration.

As a precaution, we ask that you remove the default configuration from the plugin and add a warning that this server is not to be used with any private data. We can add the plugin back to the plugin list once this issue is resolved. Thanks!

Alt-er commented 9 months ago

> Hi, @Alt-er, the Obsidian team received a report that some users might accidentally be using the default server configuration to sync real, private notes. The server does not seem to require any authentication, and users are pressing sync in their private vaults and receiving files from other users using the same default configuration.
>
> As a precaution, we ask that you remove the default configuration from the plugin and add a warning that this server is not to be used with any private data. We can add the plugin back to the plugin list once this issue is resolved. Thanks!

I don't understand why users can get files uploaded by other users. Although the default value for the service address is , the service has permission verification. If you do not provide the same account and password, you will not be able to obtain files uploaded by others.

Alt-er commented 9 months ago

I am using this default service. Others cannot get the files I uploaded without my account and password, unless the user happens to use someone else's account and password. Under normal usage conditions, the probability of this happening is extremely low.

Alt-er commented 9 months ago

Reasons for setting default service configuration:

  1. Let users experience the effect of the plug-in faster. If they like it, they can build the service themselves. If they don’t like it, they can delete it immediately without having to go through troublesome and time-consuming processes such as back-end deployment.
  2. Provide a sharing service for users who do not have their own servers to share notes.
  3. When submitting the plug-in for the first time, in order to make it easier for the Obsidian official staff to test the plug-in's functions, the default address was written in.

As for what you said about "The server does not seem to require any authentication", I don't know where to start, because I have a complete account and password verification function.

If you feel that the plugin should not provide this default service, please let me know and I will remove the default service configuration immediately.

Alt-er commented 8 months ago

@liamcain

Alt-er commented 8 months ago

@liamcain

liamcain commented 8 months ago

Hi @Alt-er, sorry for not responding last week. I appreciate your patience.

After further investigation of the security report, and additional testing of the plugin, I was not able to reproduce the reported issue. I did uncover 2 things that I think are worth fixing though:

  1. Your user authentication flow combines login and signup, which means that new users without an account could unknowingly sign up using the same username and password and not know whether they were logging in or creating a new account. Likewise, a user who forgets their username/password combo could accidentally create a new account instead of being shown a failed authentication screen. For these reasons, I highly suggest you change this user flow and create dedicated sign-up and sign-in forms.
  2. There is nothing in the plugin code that gates the syncNotesByDiff from hitting the backend without a user token. If there is no auth token present, users should not be able to hit the backend endpoint at all.

I am going to add the plugin back to the plugin directory now, but I advise you to make those fixes to avoid similar issues in the future.
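An added illustration of the two points above (example code, not the plugin's or its server's own): a combined login-or-signup handler shown beside dedicated sign-up and sign-in handlers, and a client-side gate that refuses to call the backend when no token is configured. The in-memory `AuthStore`, the handler names, the `Transport` interface and the `/sync` path are assumptions made for this example; the password hashing uses Node's built-in scrypt.

```typescript
// Added example (not from obsidian-sync-share). AuthStore, loginOrSignup,
// signUp, signIn, Transport and the "/sync" path are assumptions for
// illustration, not the project's real API.
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

interface UserRecord { salt: Buffer; hash: Buffer; }
type AuthStore = Map<string, UserRecord>;

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function verifyPassword(rec: UserRecord, password: string): boolean {
  // Both buffers are 32 bytes, so the constant-time compare is valid.
  return timingSafeEqual(rec.hash, hashPassword(password, rec.salt));
}

function issueToken(username: string): string {
  // Opaque bearer token; a real server would persist or sign this.
  return `${username}:${randomBytes(16).toString("hex")}`;
}

// Hazard: the combined flow. An unknown username silently becomes a new
// account, so a typo creates an account instead of failing, and two
// strangers who pick the same username/password share one account.
function loginOrSignup(store: AuthStore, username: string, password: string)
  : { token: string; created: boolean } | null {
  const rec = store.get(username);
  if (!rec) {
    const salt = randomBytes(16);
    store.set(username, { salt, hash: hashPassword(password, salt) });
    return { token: issueToken(username), created: true };
  }
  return verifyPassword(rec, password)
    ? { token: issueToken(username), created: false }
    : null;
}

// Fix, part 1: dedicated sign-up. Never overwrites an existing account.
function signUp(store: AuthStore, username: string, password: string)
  : { token: string } | null {
  if (store.has(username)) return null; // username taken
  const salt = randomBytes(16);
  store.set(username, { salt, hash: hashPassword(password, salt) });
  return { token: issueToken(username) };
}

// Fix, part 2: dedicated sign-in. Never creates anything; unknown user and
// wrong password both fail closed with the same result.
function signIn(store: AuthStore, username: string, password: string): string | null {
  const rec = store.get(username);
  if (!rec) return null;
  return verifyPassword(rec, password) ? issueToken(username) : null;
}

// Client side: the sync call is gated on a token being present, so an
// unauthenticated vault never reaches the backend at all.
interface Transport { post(path: string, token: string, body: unknown): void; }
interface SyncSettings { serverUrl: string; token: string; }

function syncNotesByDiff(settings: SyncSettings, diff: unknown, transport: Transport): boolean {
  if (!settings.token) return false; // refuse: no auth token configured
  transport.post(`${settings.serverUrl}/sync`, settings.token, diff);
  return true;
}
```

In the combined flow, `loginOrSignup(store, "alicee", pw)` (a typo for "alice") returns `created: true`, and a second person who happens to choose `"alice"`/`pw` is let into the first account with `created: false`; with the split handlers, `signUp` on an existing name and `signIn` on an unknown one both return `null`, and `syncNotesByDiff` returns `false` without touching the transport when `token` is empty.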

Alt-er commented 8 months ago

Thank you very much. I will fix the above problems in a later version.