
Cadende [they/them]

Cadende@hexbear.net
Joined
5 posts • 163 comments

Definitely not single-handedly, but I'm not going to pretend they aren't helping quite a bit. All the FOSS parts mostly existed before Valve got involved.


Yeah, I think they are hitting the DB.

https://github.com/LemmyNet/lemmy/pull/1493

If I'm understanding correctly, they are storing the last password change timestamp in the DB (local_user.validator_time), and then when they fetch the logged-in user details for a request they compare the timestamp of the token to that validator_time and reject the JWT if it's greater.

I don't think Lemmy is using JWT because they really needed the low overhead; most of these requests need to hit the DB regardless. They are (IMO) just using it because it was simple to use initially.

This does make me wonder if there are some API requests which don't call check_validator_time() and would still be usable after a password change.


much as I hate to say it: it’s s

After years and years of Microsoft being awful I finally got a few of my techy gamer friends onto Linux in the past ~3 years, and they're running with it!

The EU countries investing in FOSS may also make a dent.


Glad I piped up then.

Yeah, it's a 4chan thing mainly, and right-wing militia types have picked it up.


You must be looking at hexbear.

lemmygrad.ml is running the latest upstream (0.18.2) and it is being sent in the URL for each API call.


The websocket thing is going away when we update to the latest version (soon, I think the rebase is already done). You can look at basically any federated Lemmy instance if you want to see what the network traffic looks like for the HTTP API; it's pretty straightforward iirc, and there is some documentation, though it leaves a lot to be desired lol.

What I mean about the cookie is that they are (or were? haven't checked recently) literally encoding it into the URL iirc: instead of just sending the cookie along in the headers or putting it in the request body somewhere, the URL would be /api/v3/endpoint?auth=<your-JWT-here>

And then some error pages would have the URL in the error message, so you had users posting their whole tokens when they asked for support. Not sure if that's fixed or not.

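The leak the comment above describes (a token carried as `?auth=` in the URL, then echoed back by error pages) is the kind of thing a server should neutralise before a URL ever reaches an error message or a log line. The following is an added example and not Lemmy's code: a Python redaction helper run over a constructed URL. The parameter names in `TOKEN_PARAMS` are an assumption ("auth" is the name quoted above; "jwt" is a plausible alias added here), and the sample token is made up.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: query parameter names that carry a bearer token.
# "auth" is the name seen in the /api/v3/...?auth=<JWT> URLs; "jwt" is an added alias.
TOKEN_PARAMS = {"auth", "jwt"}

# Constructed sample request; the token value is a placeholder, not a real JWT.
SAMPLE_URL = "https://lemmygrad.ml/api/v3/user?person_id=1&auth=eyJhbGciOi.eyJzdWIiOi.sig"


def redact_url(url: str) -> str:
    """Return url with every token-bearing query value replaced, other params untouched."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(key, "REDACTED" if key.lower() in TOKEN_PARAMS else value) for key, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def error_message(status: int, url: str) -> str:
    """What an error page or log line should echo: the redacted URL, never the raw one."""
    return f"{status} while requesting {redact_url(url)}"


if __name__ == "__main__":
    print(error_message(500, SAMPLE_URL))
```

Redacting at the one place the URL is rendered (error page, access log, support bundle) is cheaper than auditing every template; it does not remove the underlying problem that the token sits in the URL at all, which also lands it in browser history and proxy logs.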

These are really funny, and maybe we've already had this struggle session, but can we not call people glowies? You know it's short for "glow n-words", right?


I tested it on hexbear; it does seem to get invalidated on password change. I saw the relevant GitHub commit last night but I didn't read into the exact implementation. They might somehow be adding in a password hash to the mix? Or maintaining a blocklist of invalidated JWTs, but that would be ugly.

But yeah. I kinda get why JWTs are like that now, but Lemmy isn't a massively distributed system and the tokens are valid for a nearly indefinite period lol. And baked into request URLs.

It seems like by the time you implement all the shit people are suggesting in the GitHub you've completely defeated any simplicity JWTs once had and would be better off just tracking it all in the DB.

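The validator_time mechanism discussed in this thread (store the last password change time per user, reject any token whose issue time is older) and the follow-up worry about endpoints that skip that check can be seen in a few dozen lines. The example below is added here and is not Lemmy's own Rust code: it is a Python sketch with a hand-rolled HS256 JWT (standard library only), an in-memory dict standing in for the local_user.validator_time column, and a `check_validator_time` whose accept/reject rule follows the description in the comments above. The secret, user ids and timestamps are constructed; `authenticate` versus `verify_signature` is the added contrast that shows why an endpoint which only checks the signature keeps accepting a token after the password changes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real server loads this from config, never from source.
SECRET = b"constructed-demo-jwt-secret"

# Stand-in for the local_user.validator_time column described in the thread:
# user id -> unix timestamp (seconds) of that user's last password change.
VALIDATOR_TIME = {42: 1_000_000}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: int, issued_at: int) -> str:
    """Mint an HS256 token whose iat claim records when it was issued."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": str(user_id), "iat": issued_at}, separators=(",", ":")).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_signature(token: str) -> Optional[dict]:
    """Signature check only: everything a stateless JWT verifier can know on its own."""
    try:
        header, payload, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg confusion, e.g. "none"
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


def change_password(user_id: int, now: int) -> None:
    """On password change, only validator_time moves; no per-token blocklist is kept."""
    VALIDATOR_TIME[user_id] = now


def check_validator_time(user_id: int, token_iat: int) -> bool:
    """Reject a token minted before the last password change.

    A token issued in the same second as the change is still accepted; that is the
    gap a seconds-granularity timestamp leaves, so bump the clock, not just the row,
    if you need the change to be strictly ordered."""
    return VALIDATOR_TIME.get(user_id, 0) <= token_iat


def authenticate(token: str) -> Optional[int]:
    """The gate every authenticated endpoint should pass through: signature AND validator_time."""
    claims = verify_signature(token)
    if claims is None:
        return None
    user_id = int(claims["sub"])
    if not check_validator_time(user_id, int(claims["iat"])):
        return None
    return user_id


if __name__ == "__main__":
    token = issue_jwt(42, 1_000_500)
    print("before change:", authenticate(token))
    change_password(42, 1_000_600)
    print("after change, full gate:", authenticate(token))
    print("after change, signature only:", verify_signature(token) is not None)
```

The design point the thread lands on shows up in `authenticate`: once every request has to read validator_time from the user row anyway, the token is no longer stateless, and any handler that calls `verify_signature` without going through `authenticate` is exactly the "usable after a password change" hole asked about above. Routing all handlers through one gate (middleware or an extractor) rather than calling the check per endpoint is what prevents that class of omission.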