by dxld 1672 days ago
Crazy idea: what if you use a random room ID as an OTP and recognize the user as signed-in as soon as they join that room via an invite or matrix.to link? I'm not sure if this fits within your constraints since it would need a backend but I think it'd be pretty neat :)
2 comments

That sounds like it would be dangerously MITM-able. Then any invite or link in matrix is equivalent to "let me log in as you" on some other random service.
Ah you're right that would be pretty dangerous. I was hoping it'd be possible to avoid sending an OTP token the user has to paste but I suppose that's necessary to bind the two contexts together.

Then I guess I'd have the backend send the user a link with an auth token after joining, that way at least no pasting needs to happen.

I was considering a somewhat similar approach, where if the user accepts a room invite I would authenticate them

but this doesn’t work, because there is only one standard method of authentication, which is by sending username/password

...Why?

A matrix bot could send the user a short-lived token they can paste to the site to authenticate. Optional QR for mobile.

No need for homeserver changes, changing protocols or touching any user credentials.

Since you’d rely on an existing matrix session, the bot could send the token e2ee, meaning after TOFU you could even protect against malicious homeserver operators.

You could also do the inverse, having the user send the token to the bot.
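The two token flows sketched in the comment above (bot sends a short-lived code the user pastes into the site, and the inverse where the site shows a code the user sends to the bot), as an added example that is not code from the thread or from any Matrix project. It assumes a hypothetical `send_dm(mxid, text)` callback standing in for the bot's Matrix session, a 120-second lifetime, and an injectable clock; the Matrix transport itself is out of scope. The point it makes concrete is the one raised earlier in the thread: the secret must be unguessable (unlike a room ID in an invite link), single-use, short-lived, and bound to the browser session that started the login, so that a code leaked or forwarded elsewhere cannot be redeemed by a different session.

```python
"""Matrix-bot token login, two directions (added example, not from the thread).

1. bot -> user: the site generates a token bound to the browser session and the
   Matrix ID the user typed in; the bot DMs it; the user pastes it into the site.
2. user -> bot: the site shows a token; the user DMs it to the bot; the sender
   MXID the homeserver attaches to that message is what the site trusts.
`send_dm` is a hypothetical stand-in for the bot's Matrix client.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 120  # assumption: short enough that a leaked code goes stale fast


@dataclass
class Pending:
    session_id: str             # browser session that started the login
    mxid: Optional[str]         # user the code was DMed to (direction 1); None for direction 2
    expires_at: float


class MatrixTokenLogin:
    def __init__(self, send_dm: Callable[[str, str], None], clock=time.time):
        self.send_dm = send_dm                      # hypothetical: DM `text` to `mxid` via the bot
        self.clock = clock
        self.pending: Dict[str, Pending] = {}       # token -> Pending; entries are single-use
        self.sessions: Dict[str, str] = {}          # session_id -> authenticated MXID

    def _new_token(self, session_id: str, mxid: Optional[str]) -> str:
        token = secrets.token_urlsafe(16)           # 128 bits of entropy, unlike a guessable room ID
        self.pending[token] = Pending(session_id, mxid, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def _take(self, submitted: str) -> Optional[Pending]:
        """Constant-time match against pending tokens; the match is removed so it cannot be replayed."""
        match = None
        for token in list(self.pending):
            if hmac.compare_digest(token, submitted):
                match = token
        if match is None:
            return None
        entry = self.pending.pop(match)
        if entry.expires_at < self.clock():
            return None                             # expired: burned, never honoured
        return entry

    # ---- direction 1: bot DMs the code, user pastes it into the site ----
    def request_token(self, session_id: str, mxid: str) -> None:
        token = self._new_token(session_id, mxid)
        self.send_dm(mxid, f"Your login code is {token} (valid {TOKEN_TTL_SECONDS}s)")
        # the code is never returned to the browser; only the Matrix user sees it

    def redeem_token(self, session_id: str, submitted: str) -> bool:
        entry = self._take(submitted)
        if entry is None or entry.session_id != session_id:
            return False    # wrong, expired or reused code, or pasted into a different browser session
        self.sessions[session_id] = entry.mxid
        return True

    # ---- direction 2: site shows the code, user DMs it to the bot ----
    def issue_challenge(self, session_id: str) -> str:
        return self._new_token(session_id, None)    # displayed to the user as text or QR

    def on_bot_message(self, sender_mxid: str, body: str) -> bool:
        """Called by the bot for each DM it receives; sender_mxid is asserted by the homeserver."""
        entry = self._take(body.strip())
        if entry is None:
            return False
        self.sessions[entry.session_id] = sender_mxid
        return True

    def whoami(self, session_id: str) -> Optional[str]:
        return self.sessions.get(session_id)


if __name__ == "__main__":
    outbox = []                                     # constructed stand-in for the bot's DMs
    login = MatrixTokenLogin(send_dm=lambda mxid, text: outbox.append((mxid, text)))
    login.request_token("sess-A", "@alice:example.org")
    code = outbox[0][1].split()[4]
    print("redeem from another session:", login.redeem_token("sess-B", code))   # False, code burned
    login.request_token("sess-A", "@alice:example.org")
    print("redeem from own session:", login.redeem_token("sess-A", outbox[1][1].split()[4]))
    print("sess-A is", login.whoami("sess-A"))
```

Note that a code submitted from the wrong session is burned rather than left pending, so an attacker who obtains a forwarded code gets one failed guess and nothing else; the legitimate user simply requests a fresh one.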

This is neat and I have thought of that

but it does not authenticate you against the homeserver and does not grant you the access token, meaning the application would not be able to access Matrix APIs on the user's behalf

Why does a federated sign-in solution for a third-party web app need to authenticate to the homeserver or access Matrix APIs on the user's behalf?!

That’s exactly what you want to avoid.

The bot can still get things shared by the user like username, avatar, 3pids and pubkeys.

Can you give me a use-case that my proposed solution is insufficient for due to inability to impersonate the user to the Matrix homeserver?