Hi everyone, I was toying with the idea of writing an open source client for Lemmy in React Native.

However, using lemmy-js-client, I’m getting CORS issue when trying to hit the APIs for lemmy.world (and also lemmy.ml) from the browser.

I could write a proxy server or a full backend, but that feels contrary to the fediverse philosophy of not being dependant on one instance etc. Not to mention users would have to trust me, some random person, with their logins / passwords for Lemmy.

Is there a way we can have CORS enabled from * for the APIs of lemmy.world?

  • laszlok@infosec.pub
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    That’s not a good idea, because that would allow any website a logged in user visits to impersonate them (e.g. link to a malicious site posted somewhere, users click on it, JS on the site starts posting the same link in their name, more users click on it, …).

    But react native doesn’t restrict cross-domain access like browsers do, so it shouldn’t be an issue in your case: https://reactnative.dev/docs/network#using-other-networking-libraries

    • iraldir@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      I planned on exporting a web version as well and I was testing there first hence the issue.

      How would this allow any website to impersonate you though? The login is made via a jwt which would not be accessible if you go in another website. If I login on mysuperlemmyclient.com and then visit maliciouswebsite.com, how can maliciouswebsite access the jwt that is stored likely in a cookie of mysuperlemmyclient.com?

      • laszlok@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The user’s browser will send it along with the request depending on the samesite cookie settings.

        The best solution would be if lemmy used federated identity (e.g. OIDC), not sure why they aren’t doing that.