Oh, one more thing about Sign-in with Mastodon

I plan to update the code to revoke the OAuth token immediately after logging in so it can't be used by admins to access your account.

The whole web works on trust, but I figure it's worth mentioning that when you use Sign-in with Mastodon, the Pixelfed server you're doing this on will have a copy of your Mastodon token. If you don't trust this, then hold off until I ship this!

Everything will be publicly auditable as it's open source ✨

4
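The flow the post describes, as an added example that is not Pixelfed's code: exchange the authorization code, read the account identity with the narrowest scope, then call Mastodon's `/oauth/revoke` before returning, so the signing-in server never holds a live token. The client credentials, redirect URI and the `fake_instance` stand-in are assumed placeholders for an offline run.

```python
import json
import urllib.parse
import urllib.request

# Placeholder credentials for this app's OAuth client on the user's Mastodon
# instance (real values come from registering the app); assumed, not Pixelfed's.
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://pixelfed.example/auth/mastodon/callback"
SCOPE = "read:accounts"  # just enough to read the signed-in account's identity

def _post_form(http, url, fields):
    data = urllib.parse.urlencode(fields).encode()
    return json.loads(http(urllib.request.Request(url, data=data, method="POST")).read())

def sign_in_with_mastodon(instance, code, http=urllib.request.urlopen):
    """Exchange the code, read the identity, then revoke the token before returning."""
    base = f"https://{instance}"
    tok = _post_form(http, base + "/oauth/token", {
        "grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI, "scope": SCOPE})
    access_token = tok["access_token"]
    try:
        if tok.get("scope", SCOPE) != SCOPE:
            raise ValueError("instance granted a broader scope than requested")
        req = urllib.request.Request(base + "/api/v1/accounts/verify_credentials",
                                     headers={"Authorization": f"Bearer {access_token}"})
        account = json.loads(http(req).read())
    finally:
        # Revoke even if verification failed, so no live token remains on this server.
        _post_form(http, base + "/oauth/revoke", {
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "token": access_token})
    return {"instance": instance, "acct": account["acct"], "id": account["id"]}

class _Resp:
    def __init__(self, body): self.body = body
    def read(self): return self.body

def fake_instance():
    """Constructed offline stand-in for a Mastodon instance; logs every request."""
    calls = []
    def http(req):
        calls.append((req.full_url.rsplit("/", 1)[1], req.data, req.get_header("Authorization")))
        if req.full_url.endswith("/oauth/token"):
            return _Resp(b'{"access_token":"tok123","scope":"read:accounts"}')
        if req.full_url.endswith("/verify_credentials"):
            return _Resp(b'{"id":"42","acct":"alice"}')
        return _Resp(b"{}")  # /oauth/revoke
    return http, calls

if __name__ == "__main__":
    http, calls = fake_instance()
    print(sign_in_with_mastodon("mastodon.example", "code-abc", http=http))
    print([c[0] for c in calls])  # ['token', 'verify_credentials', 'revoke']
```

The request log is what an auditor would check: the revoke call must be the last request made with the token, whether or not verification succeeded.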
dansup

I'll do this as soon as I'm done work later today, gonna get some sleep before work in a few hours 😅

0
1y
podycust👨‍💻

@dansup is there a way to change the default instances that appear on the Sign-in with Mastodon screen? So I can put my own instance or others, for example.

0
1y
Dirk Haun

@dansup Hmm, so a malicious admin could remove the code for revocation and keep the token? Is that an attack vector? 🤔

0
1y
Ellie

@dansup Is that token limited to the minimum scope necessary to prove account ownership? Or does it grant full impersonation?

0
1y