Pinafore - Alternative web client for Mastodon
-
@timconsidine nice!
It looks like this is just a static app. Do you know if the upstream already provides a built "bundle"? If so, I wonder if it's worth publishing this as an app or should we try to ask people to just download the bundle and upload it to surfer?
Thoughts?
-
@robi said in Pinafore - Alternative web client for Mastodon:
@girish that won't help with updates and app store availability.
yes, that's true.
Also, it seems there is no way to lock down this app - https://github.com/nolanlawson/pinafore/issues/35 . This essentially makes it available for public use. We should probably wait till that is fixed.
-
@girish it seems that won't happen without a PR to get this going.
There are many ways to "lock it down" if necessary.
We can always set up basic/realm auth via the webserver it runs on, or use a small LDAP front end to gate access.
Not sure this is a big concern though as most apps we have run on subdomains (CNAMEs) and those don't get a lot of traffic from bots/scanners etc.
Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.
-
@robi said in Pinafore - Alternative web client for Mastodon:
Besides, you still have to log into the social network, the client is just the app UI. Hence minimal risk.
yeah, you actually log in to a masto instance, can't do anything on pinafore without doing that, so nothing really to lock down
-
@girish said in Pinafore - Alternative web client for Mastodon:
it seems there is no way to lock down this app
I was a bit concerned too at first.
But as you have to log into a Mastodon instance, I concluded that there is not much security risk about someone else reading my feed.
As it's federated content, I think the only real issue is the privacy aspect of who I am following (maybe who is following me). And we're relying on Mastodon security to manage these aspects.
There is however a risk of a personal Pinafore instance being used by anyone for their feed, effectively increasing the traffic and resources needed by the instance. Is this a concern? I'm not sure.
Security by obscurity (nobody finding the instance) is usually a poor approach. But often it's sufficient.
Is it enough to add some basic HTTP auth to the instance as an improvement on relying on obscurity?
-
@timconsidine seems like my custom package is copying unnecessary files into the deployment. Just FYI to anyone bothered. I will look at fixing this.
-
@Staff It'd be great to see the package @timconsidine put together polished up and in the app store.
-
Haven't looked at it in a while and I'm sure there are improvements to be made.
Was done a long time ago.
But would be a good addition to the official App Store ... IMHO