Move authorization flow to external browser #87
access token is received using deep link to application
Very cool! Thanks a lot. A minor security comment though: please include a nonce in the callback url so noti can verify it generated the URL itself rather than a different application.
I added secure nonce generation which will prevent reusing callback URIs.
Just FYI, any (unsandboxed) app can write to another app's defaults.
```
defaults write io.jari.Noti nonce 1337
open "noti://redirect?nonce=1337#access_token=evil"
```
I was more thinking about just keeping it in memory. About the codestyle, it's fine really. This is not exactly a great example on how to do swift development correctly as it was my first swift project as well 😛
You're right - storing nonce in memory would suffice. I'm happy with current solution - I'm able to log in and notification mirroring is working again for my phone.
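An added example, not code from this PR or from Noti: one way to keep the callback nonce in process memory and check it when the `noti://redirect` deep link arrives. The type and method names (`CallbackNonce`, `issue`, `accept`) are hypothetical; the `nonce` query parameter and `access_token` fragment follow the URL shape quoted in the comment above.

```swift
import Foundation
import Security

/// Keeps the pending login nonce in process memory only, never in UserDefaults,
/// so another local app cannot preset it with `defaults write`.
final class CallbackNonce {            // hypothetical name
    private var pending: [UInt8]?

    /// Creates 32 random bytes and returns them hex-encoded for the redirect URI.
    func issue() -> String? {
        var bytes = [UInt8](repeating: 0, count: 32)
        guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess
        else { return nil }
        let hex = bytes.map { String(format: "%02x", $0) }.joined()
        pending = Array(hex.utf8)
        return hex
    }

    /// Returns the access token only when the callback carries the pending nonce.
    /// The nonce is dropped after every attempt, so a callback URL cannot be replayed.
    func accept(_ callback: URL) -> String? {
        defer { pending = nil }
        guard let expected = pending,
              let parts = URLComponents(url: callback, resolvingAgainstBaseURL: false),
              parts.scheme == "noti", parts.host == "redirect",
              let got = parts.queryItems?.first(where: { $0.name == "nonce" })?.value,
              constantTimeEqual(expected, Array(got.utf8))
        else { return nil }
        // The token travels in the fragment ("#access_token=..."); parse it like a query.
        var fragment = URLComponents()
        fragment.percentEncodedQuery = parts.percentEncodedFragment
        return fragment.queryItems?.first(where: { $0.name == "access_token" })?.value
    }

    private func constantTimeEqual(_ a: [UInt8], _ b: [UInt8]) -> Bool {
        guard a.count == b.count else { return false }
        var diff: UInt8 = 0
        for i in 0..<a.count { diff |= a[i] ^ b[i] }
        return diff == 0
    }
}

// Constructed demo: the forged callback quoted in the thread, then a genuine one.
let login = CallbackNonce()
_ = login.issue()
print(login.accept(URL(string: "noti://redirect?nonce=1337#access_token=evil")!) ?? "rejected")
let nonce = login.issue()!
print(login.accept(URL(string: "noti://redirect?nonce=\(nonce)#access_token=sample")!) ?? "rejected")
```

Because the nonce is cleared on every attempt, a rejected callback also ends the pending login and the user has to start the flow again.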
ca4c6d7 to 534980d
Sorry for the lack of activity - I completely forgot about this PR.
58a6d99 to 0fb8a33
Where's this stand now? Seems like a great change to me!
@jariz Is the project no longer maintained? I can fork and merge the pull request.
Problem
The original flow of authentication using an embedded WebView doesn't work for Google accounts that are secured using a U2F key like a YubiKey.
![Screenshot 2019-08-22 at 14 00 25](https://user-images.githubusercontent.com/3662990/63513033-791cdb80-c4e5-11e9-8b55-aca3f89593ba.png)
comment: WebKit does not support U2F api
Solution
Move authorization flow to the default browser, which will allow the user to sign in to U2F secured accounts. Noti will receive the access token using a deep link to schema `noti://redirect`. To use a different redirect_uri, a separate client_id for Pushbullet had to be generated.
Screenshots