ronilaukkarinen / fedionfire

Watch every Mastodon/Fediverse post in real-time - filter the firehose
https://fedionfire.stream

Security: Better way to use streaming API with access token #1

Closed ronilaukkarinen closed 11 months ago

ronilaukkarinen commented 11 months ago

Right now the token has only read:statuses permissions, so no harm can be done by using it. But it is not a good thing to expose the API code anyway, so I need to figure out a better way to do this.

Ry3yr commented 11 months ago

For AES encryption, this is your friend:


It also salts it, afaics. Regrettably, we can't have the passphrase out in the open like that. (Which is an issue when trying to access the access token from the AES... kind of a catch-22.)

Pagecrypt by Max (AES) requires a de facto password entry, but asking people to enter a password is out of the question.

Maybe if a PHP script could supply the token from outside? Its (non-HTML component) code cannot be viewed.

ronilaukkarinen commented 11 months ago

Thanks for the thoughts. Yes, that doesn't really solve the fact that it's out in the open.

Maybe if a php could supply the token from outside

Thought about this, but don’t know yet how to pass it to the event stream.
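One way to do what the last two comments sketch, as an added example that is not the project's own code: a small PHP relay that keeps the access token on the server and forwards the Mastodon streaming API's events to the browser, so the client JavaScript never sees the token. The instance URL, the `MASTODON_ACCESS_TOKEN` environment variable and the `stream.php` file name are assumptions.

```php
<?php
// stream.php: server-side relay for the Mastodon streaming API.
// Added example, not code from the fedionfire repository.
// Assumption: the token is supplied via an environment variable (or a file
// outside the web root) that only the web server process can read.

declare(strict_types=1);

$instance = 'https://mastodon.social';           // assumed instance
$token    = getenv('MASTODON_ACCESS_TOKEN');      // read:statuses scope only
if ($token === false || $token === '') {
    http_response_code(500);
    exit('streaming token not configured');
}

// No time limit and no output buffering, so events reach the browser
// as soon as they arrive from the instance.
set_time_limit(0);
while (ob_get_level() > 0) {
    ob_end_flush();
}
header('Content-Type: text/event-stream');
header('Cache-Control: no-cache');
header('X-Accel-Buffering: no');                 // nginx: do not buffer this response

$ch = curl_init($instance . '/api/v1/streaming/public');
curl_setopt_array($ch, [
    // The bearer token is sent upstream only; it is never written downstream.
    CURLOPT_HTTPHEADER    => ['Authorization: Bearer ' . $token],
    CURLOPT_FAILONERROR   => true,               // stop on HTTP 4xx/5xx from the instance
    CURLOPT_WRITEFUNCTION => function ($ch, string $chunk): int {
        echo $chunk;                             // pass the SSE chunk straight through
        flush();
        // Returning fewer bytes than received makes curl abort the transfer,
        // so the upstream connection is closed once the browser has gone away.
        return connection_aborted() ? 0 : strlen($chunk);
    },
]);
curl_exec($ch);
curl_close($ch);
```

The browser then opens `new EventSource('/stream.php')` instead of connecting to the instance directly, and the token only ever exists on the server.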