-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remoteStorage as sync backend #87
Comments
There are two issues here:
Either way, any particular WebDAV server you had in mind? I don't think that speaking about all of them at the same time makes sense here, despite the standardized protocol. |
Thanks for the explanations. Maybe this should be another issue, but do you think to other non proprietary, self hostable backends? |
It seems that sabre is the prevalent WebDAV implementation, both Owncloud and Nextcloud are based on it. By itself, sabre supports In fact, WebDAV is way overdimensioned for this use case. So one consideration would be a simple PfP-specific server. A Python-based implementation wouldn't be a big deal, anybody could install it on their server then. |
I fully agree. However, I wonder if we cannot adopt an already existing storage backend to avoid having to install something specific to pfp. What do you think? |
Looks good. Clean spec, everything necessary seems to be present. I morphed this issue into a request to support remoteStorage, should be easy to implement. |
👍 |
For reference: according to remotestorage/design#3 (comment), there is no logo+text combination for remoteStorage. The recommendation is to use the page's own font. I'll need to see whether it makes sense to do the same for Dropbox and Google Drive, to have things look consistently. |
Supporting remoteStorage in the web client is problematic, a flow that would involve copying and pasting the token manually is not supported. I created remotestorage/spec#174 to ask for this possibility to be added. In the meantime, I solved this by redirecting to https://pfp.works/oauth-endpoint/. This is not optimal as it adds one more place which could be compromised. But at least this webpage will only see the token but not the user address it belongs to. |
Also, at least 5apps.com made quite a mess with the OAuth authentication. Once you authorize an app, |
I do the same for rs-backup (source), which is a terminal client for backing up and restoring RS accounts. The web server actually doesn't see the token at all, because with OAuth it is sent in a URL fragment and not in a query parameter. This also prevents it from appearing in access logs and such. |
Sure, the web server won't see anything - as long as this page isn't modified. If the server is compromised, the web page could be modified to log the token. Meaning an unnecessary point of failure. |
The spec says:
Looking at how this is implemented in various servers:
|
That's the very security model of OAuth redirect flow, RS, origins, Web Storage, and so on. Of course you want the trusted origin, which is authorized to acquire tokens on behalf of the user, to not be compromised. When there's no client registration, this is also the only way for storage providers to direct the user to a place that can tell them what the app and who the app provider is, of course. |
IIRC that is exactly what the OAuth specs require. The redirect URI is the entire URI btw, so it's very easy to use multiple different ones for different clients (which is also recommended for RS, because of the missing client registration). |
The authentication behavior of 5apps.com is problematic because:
Note how none of this would be an issue if 5apps.com used the origin of |
I think I'm done. As things are now, it should work with any remoteStorage servers. It has only really been tested against 5apps.com however, and there are significant differences between implementations. |
I understand the issue now, and it's actually quite surprising to me, because I do not remember it working this way. Looks like a fairly recent change in preparation for the new dashboard caused this bug. We will fix it asap and require client ID to be the same as redirect URI again. (For historic context: we were actually one of the first projects doing just that, and arguing for it to be a reasonable choice for open web apps. In the meantime, others have validated this opinion.) |
... by the way, be sure to add this app to the list on the RS wiki, whenever RS support is released: https://wiki.remotestorage.io/Apps Looks promising! Looking forward to trying it out myself. |
Done (release came out two days ago). Filed #104 on an outstanding issue here but otherwise everything seems to be working fine. |
current sync server are all proprietary.
Sync over a standardized protocol could be interesting.
Actually, I read #85, and I deduce that the way webdav manage authentication is not acceptable for pfp? (why it is?)
The text was updated successfully, but these errors were encountered: