Allow logging in with lobste.rs #365
Comments
CSRF token extraction has been implemented c1f1d67

I think the session cookie gets updated every successful request, so the month expiry only occurs if you've not made a request to lobsters with the existing cookie for a month. Keeps you logged in perpetually. You'll probably want to check the response headers for a new

Oh, that shouldn't be too hard to implement. Thank you so much!
Thinking about this some more, the session contains the CSRF token for Rails to compare it against what's sent in the current request. I think your flow to submit a POST (well, non-GET) request will need to be something like:

This will ensure the CSRF token value in the session cookie matches the one in the form you're submitting. (The reason this is considered secure is you can't tamper with the session cookie value without knowing the secret key that's held server-side. All you can do is request it & submit later.)
After doing some digging into how lobste.rs makes requests from the web frontend, I believe it is wholly possible to execute authenticated operations from within Claw.

Authentication

A `lobsters_trap` cookie is set that appears to be what is used to authenticate the user.

Obtaining credentials

The cookie should be trivial to extract through a WebView, and there is an Accompanist WebView component to make it easy to deal with in Compose.

Extracting the CSRF token is more challenging, since it is sent as part of the webpage by Rails. One way to do that could be to load a fixed number of bytes of the lobste.rs front page when the app is launched and extract the `meta` tag that contains the CSRF token.

Dealing with cookie expiry

I have no idea what to do about this. The `lobsters_trap` cookie is set to expire after 1 month, which is fairly decent, but I don't have a way to refresh it without making the user log in again, which is probably fine?
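The flow discussed in this thread (read the CSRF token from the `meta` tag in the first bytes of a page, and pick up the refreshed `lobsters_trap` cookie from the same response), as an added Kotlin example that is not part of the issue or of Claw's code. `SessionState`, `refresh` and the other function names are hypothetical; the `csrf-token` meta name and the `X-CSRF-Token` request header are Rails defaults assumed here, and all sample values are constructed.

```kotlin
// Hypothetical holder: the cookie and the token are always stored as a pair,
// so a non-GET request never mixes values from two different responses.
data class SessionState(val cookie: String, val csrfToken: String)

// Assumption: Rails' default csrf_meta_tags output, name attribute before content.
private val csrfMeta = Regex("""<meta\s+name="csrf-token"\s+content="([^"]+)"\s*/?>""")

// Picks the value of the named cookie out of the response's Set-Cookie headers.
fun cookieFrom(setCookieHeaders: List<String>, name: String = "lobsters_trap"): String? =
    setCookieHeaders
        .map { it.substringBefore(';').trim() }   // drop Path, Expires, HttpOnly, ...
        .firstOrNull { it.startsWith("$name=") }
        ?.substringAfter('=')

// Builds the state to use for the next request from one GET response.
// bodyPrefix is the fixed number of leading bytes of the page, decoded as text.
fun refresh(previous: SessionState?, setCookieHeaders: List<String>, bodyPrefix: String): SessionState? {
    // If the server sent no new cookie, the page was rendered for the cookie we sent.
    val cookie = cookieFrom(setCookieHeaders) ?: previous?.cookie ?: return null
    // No meta tag in the prefix (e.g. cut too short): return null so the caller
    // can read more of the body.
    val token = csrfMeta.find(bodyPrefix)?.groupValues?.get(1) ?: return null
    return SessionState(cookie, token)
}

// Headers for a POST (or other non-GET) request made with that state.
fun postHeaders(state: SessionState): Map<String, String> = mapOf(
    "Cookie" to "lobsters_trap=${state.cookie}",
    "X-CSRF-Token" to state.csrfToken,
)

fun main() {
    // Constructed sample data, not real cookies or tokens.
    val headers = listOf("lobsters_trap=EXAMPLE-COOKIE-2; path=/; HttpOnly; Secure")
    val html = """<html><head><meta name="csrf-token" content="EXAMPLE-TOKEN" /><title>"""

    val state = refresh(SessionState("EXAMPLE-COOKIE-1", "OLD-TOKEN"), headers, html)
    println(state)
    println(state?.let(::postHeaders))

    // Prefix that ends before the meta tag: no state is produced.
    println(refresh(state, emptyList(), "<html><head><title>Lobsters"))
}
```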