EDIT: As pointed out by @[email protected] in this comment, communities set to local are not viewable by guests. TIL!
This makes this whole idea redundant, since it solves the issue perfectly.
I wish Lemmy had better documentation 😬
Thanks again to Styrocrow for taking the time to explain this to me!
I’m seriously thinking of creating an API gateway that would drop API requests to privated communities (that we may choose) coming from guest users. This could potentially take me 1-2 weeks of development since i regrettably still have a day job that i need to attend to.
Since Lemmy development is somewhat erratic and we can’t really rely on developers to release lemmy 1.0 in a timely manner, i was thinking of just DIY’ing a custom solution for this instance only.
I would not normally suggest this solution, as it means basically swimming “against the current” of how lemmy works internally and potentially delivering a bad user experience to lurkers, but since the consensus in our userbase seems to be that privacy and opsec should be our number one priority, i think that beating around the bush with this problem is only going to generate pain and discomfort for everyone down the line.
Please vote on the strawpoll if this focus seems reasonable to you, even if it means pushing other features / fixes back for the meantime (Self ban feature, auto purge posts by request, web ui fixes)…
Thanks for your participation!
So basically making it impossible for guests to see or participate in communities we declare as “private”. We would have a list of communities, and i would create a program that reads every request that the server receives and checks the request against the list of private communities. If the request comes from a guest user and it is addressed to a community whose name is on the private list, the program will simply drop the request.
We’ll be basically programming a “bouncer” that sits between users and the lemmy service. The problem is that lemmy us supposed to be “open for all” and such, so it’s very likely that the ui could freak out and show weird errors to guest users because no lemmy ui is used to this “bouncer” guy existing in between the user and the lemmy service.
Oh, I see. That sounds great!
how would that program be able to tell if the user is a guest tho? looking at it seems lemmy uses jwt so i guess if you could copy the secret key into the program?
Yes, it would decode the jwt with the secret and then check if it’s a valid one.
should be very easy then tbh
in theory yes, but i would need to see how well it interacts with various clients etc… could slightly grow in complexity depending on that
ok no its not easy what is this disgusting code and api
are you talking about the lemmy source code? 🤣
i was just looking at fetch requests this page makes, its a mess
ok it seems requests to the actual api like /list and /post do send a “authorization” header so like
Yep, basically. Thing is, some request would successfully pass and some would fail. Some frontends will 100% display errored stated for guests whenever they try to navigate to private communities.