surreal raven
So, steps is
403"Invalid Origin. Register your new client (com.abc.app) as a new Android platform on your project console dashboard"
I think login should not work for project which have already been removed
half hemlock
So, steps is
1. first register your project
2. And then de-register
3. try to l...
Hmm..I don't think oauth has much to do with this...
Even if you don't register your client platform...i think you can still create an oauth2 session
surreal raven
Even if you don't register your client platform...i think you can still create a...
👀 oh didn't knew that... so what about login I guess then should be allowed too?
oh is possible to disable some-how to completely prevent such behaviour
half hemlock
👀 oh didn't knew that... so what about login I guess then should be allowed to...
login wouldn't be allowed
half hemlock
oh is possible to disable some-how to completely prevent such behaviour
not at the moment i don't think..
surreal raven
login wouldn't be allowed
actully I was able to login ( account was created and then I remeber removed the project)
I mean, OAuth login
half hemlock
actully I was able to login ( account was created and then I remeber removed th...
well ya...email/password login would only work if the platform was registered
surreal raven
mm, I guess will create the github issue
half hemlock
mm, I guess will create the github issue
for what?
surreal raven
umm, disallow OAuth 👀 from happening if project is not linked
half hemlock
umm, disallow OAuth 👀 from happening if project is not linked
the thing is oauth2 isn't really happening on the mobile device. it's happening on the appwrite server and then they're redirected into the app
surreal raven
the thing is oauth2 isn't really happening on the mobile device. it's happening ...
yaa mm, I mean it safe but still from not happening if somehow keys are exposed then some-one can use it to do this nasty things
half hemlock
yaa mm, I mean it safe but still from not happening if somehow keys are exposed ...
what keys?
surreal raven
client key may I is only need to trigger oAuth login ( of couse when google is enabled)
so, if Client Key exposed and as endpoint is always exposed
half hemlock
client key may I is only need to trigger oAuth login ( of couse when google is e...
what client key?
surreal raven
I mean project Id sorry
half hemlock
I mean project Id sorry
these are all non-sensitive
surreal raven
so some-one can create Appwrite instance and start OAuth login ( assuming if OAuth enable)
half hemlock
so some-one can create Appwrite instance and start OAuth login ( assuming if OAu...
not really because the redirect url is configured to point to your appwrite instance
surreal raven
not really because the redirect url is configured to point to your appwrite inst...
correct me if I am missing here,
and worst case if there are Fuction setup to trigger then that's another issue
half hemlock
3. If oauth enable can't some-one start creating fake OAUTH login
what do you mean by "fake OAUTH login"?
surreal raven
what do you mean by "fake OAUTH login"?
I mean some can create random gmail account ans start doing login attempts
half hemlock
I mean some can create random gmail account ans start doing login attempts
sure...but that has nothing to do with registered platforms
if you let people create accounts, they can create as many as rate limit allows. if you have oauth2 enabled, anyone can use it
surreal raven
if you let people create accounts, they can create as many as rate limit allows....
umm, so OAUTH is not bound to having project being register at first place mean
half hemlock
umm, so OAUTH is not bound to having project being register at first place mean
right...registered platforms isn't really directly connected