Tadano (tadano@mt.watamelon.win)'s status on Thursday, 12-Dec-2024 09:11:56 JST Tadano Kinda wondering how to get a forever session token in Mitra
t. Sick of relogging into Husky once in a while
-
silverpill (silverpill@mitra.social)'s status on Thursday, 12-Dec-2024 09:11:55 JST silverpill authentication_token_lifetime in config.yaml
-
silverpill (silverpill@mitra.social)'s status on Saturday, 14-Dec-2024 00:17:58 JST silverpill @tadano There is no such value, but you can just set it to some big number
86400000 = 1000 days
-
Tadano (tadano@mt.watamelon.win)'s status on Saturday, 14-Dec-2024 00:17:59 JST Tadano @silverpill What's the value for no expiry?
-
silverpill (silverpill@mitra.social)'s status on Saturday, 14-Dec-2024 03:19:50 JST silverpill @tadano I think the default token lifetime can be increased, but generally tokens shouldn't be valid forever. I'm not sure why Mastodon and Pleroma don't expire sessions; this is basically like storing your password in local storage as plain text.
-
silverpill (silverpill@mitra.social)'s status on Saturday, 14-Dec-2024 04:14:54 JST silverpill @sapphire @tadano Access token can be stolen from local storage if frontend has XSS vulnerabilities. Also people may log in from someone else's device and then forget to log out.
I don't know what the optimal value is, that's why it is configurable, but I think a session that expires in 1 month or even in 1 year is strictly better than a forever session.
-
sapphire (sapphire@shortstacksran.ch)'s status on Saturday, 14-Dec-2024 04:14:55 JST sapphire @silverpill @tadano >this is basically like storing your password in local storage as plain text
so it removes the security to physical device security and basic avoidance of escalation exploits? I do this already, this is not typically a security concern.
t. tired of having to log into my work shit 3x a day because they don't understand this
-
sapphire (sapphire@shortstacksran.ch)'s status on Saturday, 14-Dec-2024 04:40:15 JST sapphire @silverpill @tadano >access token can be stolen with XSS
read: devs do this to cover their own incompetence
>also people may log in with a public device and forget to sign out
people may write their passwords on sticky notes, ban passwords
-
silverpill (silverpill@mitra.social)'s status on Saturday, 14-Dec-2024 04:40:15 JST silverpill >people may write their passwords on sticky notes, ban passwords
They are coming for your passwords
-