Allow cross-origin requests #3301
Conversation
|
I don't know the lemmy codebase, or how it works internally super well, but I do have a couple recommendations, if they make sense for lemmy.
|
|
@mollthecoder I'll test it when I'm back at a computer. It may be wanted to disable cors on the /user/register endpoint (so a random website can't register a new account and use it to post from your IP without your consent) and eventually /user/login if oauth gets implemented. I did not add a config option because I don't think it makes sense - why would an instance want to disable it? If an instance really doesn't want to support external clients, they'll have to add their own code to filter and block mobile apps as well. I believe it should be possible to block cross-origin requests by editing the nginx config, I can add an example of that somewhere. |
Yeah, I'd agree that sites shouldn't be allowed to register accounts. If the user lacks an account but requires one for the service, the site can simply redirect to the instance's official sign-up page. |
|
Couldnt this also be abused by other websites to make posts in the name of a user while he is logged in, or to request private data? Seems risky to change this and makes cors entirely useless. Although Im not familiar with cors so I might be wrong. |
I believe not. Doing so would require accessing the user's JWT, which should be stored in Lemmy's frontend local storage (not sure if this is actually the case). It would allow other websites to make requests to Lemmy on the user's browser, but it would still need the identifying token to actually act on their behalf. Disabling CORS should not affect this. I could be wrong, though. I'm no CORS expert and have a hard time with it myself. But without this change, my web client cannot work with Lemmy instances running v0.18 and later. |
|
The jwt is stored in a cookie, so I believe it will be sent automatically with any request to the Lemmy domain (even if triggered by another site). |
| .allow_any_origin() | ||
| .allow_any_method() | ||
| .allow_any_header() | ||
| .max_age(3600); |
There was a problem hiding this comment.
Why did you remove the debug section?
There was a problem hiding this comment.
The debug section isn't needed if cross-origin requests are always allowed - the only extra thing it enables is allowing credentials:true which lemmy-js-client doesn't use
The server should set a I believe the default behavior (
I think the main problem with this is that realistically, not many instances will actually do that, since it requires awareness of the issue (CORS is disabled--web clients won't work) and where to go to disable it. It simply doesn't make sense that Lemmy in particular doesn't work with web clients even though Mastodon does just fine. |
|
I'm marking this as a draft until I can test it properly and disable access to /auth/signup. I don't believe lemmy is vulnerable to csrf attacks right now, so allowing cors shouldn't have any security implications. |
|
Quick heads up: Beehaw currently uses 0.17.4, and checking its
In order for this PR to be ready, I think it should also change the Edit: I've also confirmed this with a v0.18.0 instance. |
|
It also might be best to leave the If we want to go ahead with allowing credentials, it's worth thinking about what would happen to existing cookies. Those might not get updated until the user accesses the main website, so they might have a chance of leaking(?). |
|
FYI the cookie is being saved here so thats the place to fix it: https://github.com/LemmyNet/lemmy-ui/blob/773176084cd380541bbe041de39a4a572554d1a3/src/shared/services/UserService.ts#L36 |
|
This isomorphic-cookie library seems very outdated. It doesn't allow adding a |
|
@Nutomic If |
This comment was marked as outdated.
This comment was marked as outdated.
|
I've made PR #3421 that replaces this PR. |
See: #3109
This enables cross-origin access to support external web clients without requiring a proxy. No oauth support yet, so you have to give clients your username and password unfortunately. This does not add any config option to disable cross-origin access, I don't think one is needed but if it's important I can add an environment variable to turn it off.
I haven't tested this yet because I'm on a phone