@dansup
What's going to stop a man-in-the-middle style attack and allow someone to grab email / password pairs?
Unattributed 👤 ☑ (unatributed@mastodon.social)'s status on Monday, 29-Apr-2024 17:28:57 JST Unattributed 👤 ☑ -
dansup (dansup@mastodon.social)'s status on Monday, 29-Apr-2024 17:37:27 JST dansup @cairobraga Eventually, yes, but for now we are focused on our open source mobile app!
Cairo Braga (cairobraga@toot.cairobraga.com)'s status on Monday, 29-Apr-2024 17:37:28 JST Cairo Braga @dansup will Loops work as a Web app/PWA?
dansup (dansup@mastodon.social)'s status on Monday, 29-Apr-2024 17:41:28 JST dansup @Unatributed Good point, perhaps we could just do a two-step form where the user enters the email, then we open a web browser to the instance where they enter their password (with pre-filled email using URL params).
Wdyt?
Evan Prodromou (evan@cosocial.ca)'s status on Monday, 29-Apr-2024 21:20:44 JST Evan Prodromou @dansup hey, Dan! The minor difficulty for users in entering their server name is vastly outweighed by having a SPOF in the central auth server. I'd say, don't do this.
Unattributed 👤 ☑ (unatributed@mastodon.social)'s status on Tuesday, 30-Apr-2024 03:36:49 JST Unattributed 👤 ☑ @dansup definitely better, but as has been pointed out, might be a GDPR issue.
Unattributed 👤 ☑ (unatributed@mastodon.social)'s status on Tuesday, 30-Apr-2024 03:57:56 JST Unattributed 👤 ☑ @dansup second thought... What if you just asked for the user ID, then have an API that broadcasts to all registered servers; if one of them acknowledges having the ID, redirect to that server for the password prompt.
Could also shortcut this by seeing a cookie with the URL of the server the user is registered on as well.