ChanServ changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm
<ill_logic> So it seems like the purpose of a cookie secret is to add signatures to session ids to make sure nobody can hijack another user.
<ill_logic> Seems like I wouldn't need to worry so much about that if it's packaged by Sandstorm?
<ill_logic> Hmm. Actually maybe not. If the app's session id is in a different cookie than Sandstorm's, a different Sandstorm user might still try to hijack another session in the app?
<isd> Not familiar with etherpad's internals, but often those types of things are also used for CSRF tokens, which sandstorm does not totally obviate currently.
<ocdtrekkie> Yeah, the risk of someone impersonating another in an Etherpad document is probably low, but arguably technically a possibility?
<isd> I think it is prudent to assume the cookie secret is necessary even in Sandstorm.
TMM_ has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
TMM_ has joined #sandstorm
<ill_logic> 👍️
<ill_logic> Does anybody know/remember anything about API access to etherpad-sandstorm?
<ill_logic> There was a change allowing a few API functions, but no apiPath in pkgdef. Something incomplete that was never used?
<ill_logic> It doesn't seem to be called during normal use by the client. I'd assume they'd use sockets for that stuff.
<ill_logic> "there was a change" meaning in the previous version of etherpad-sandstorm
<ill_logic> If it's incomplete and unused, I'll just block API access instead.
<ocdtrekkie> I wasn't aware of any API use.
<ill_logic> Actually it's looking for x-sandstorm-permissions so it's not even assuming it's an API call.
<ill_logic> I'll just axe it with a comment then. Doesn't make any sense to me.
TMM_ has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
TMM_ has joined #sandstorm