Oh, one more thing about Sign-in with Mastodon I plan...

Oh, one more thing about Sign-in with Mastodon

I plan to update the code to revoke the oauth token immediately after logging in so it can't be used by admins to access your account.

The whole web works on trust, but I figure its worth mentioning that when you use Sign-in with Mastodon, the Pixelfed server you're doing this on will have a copy of your Mastodon token. If you don't trust this, then hold off until I ship this!

Everything will be publicly auditable as it's open source ✨

Like 18 Jul 2023 at 13:53 | Open on mastodon.social

4 comments

dansup

I'll do this as soon as I'm done work later today, gunna get some sleep before work in a few hours 😅

18 Jul 2023 at 13:54 | Open on mastodon.social

podycust👨‍💻

@dansup is there a way to change the default instances that appear on the sign in with mastodon screen? So I put my own instance others for example.

18 Jul 2023 at 14:07 | Open on mastodon.podycust.co.uk

Dirk Haun

@dansup Hmm, so a malicious admin could remove the code for revocation and keep the token? Is that an attack vector? 🤔

18 Jul 2023 at 19:15 | Open on tinycities.net

Ellie

@dansup Is that token limited to the minimum scope necessary to prove account ownership? Or does it grant full impersonation?

19 Jul 2023 at 2:19 | Open on ellieayla.net