EDIT: As pointed out by @[email protected] in this comment, communities set to local are not viewable by guests. TIL!

This makes this whole idea redundant, since it solves the issue perfectly.

I wish Lemmy had better documentation 😬

Thanks again to Styrocrow for taking the time to explain this to me!

I’m seriously thinking of creating an API gateway that would drop API requests to privated communities (that we may choose) coming from guest users. This could potentially take me 1-2 weeks of development since I regrettably still have a day job that I need to attend to.

Since Lemmy development is somewhat erratic and we can’t really rely on developers to release Lemmy 1.0 in a timely manner, I was thinking of just DIY’ing a custom solution for this instance only.

I would not normally suggest this solution, as it means basically swimming “against the current” of how Lemmy works internally and potentially delivering a bad user experience to lurkers, but since the consensus in our userbase seems to be that privacy and opsec should be our number one priority, I think that beating around the bush with this problem is only going to generate pain and discomfort for everyone down the line.

Please vote on the strawpoll if this focus seems reasonable to you, even if it means pushing other features / fixes back for the meantime (Self ban feature, auto purge posts by request, web ui fixes)…

Thanks for your participation!

  • paula (1 upvote, 1 month ago)

    how would that program be able to tell if the user is a guest tho? looking at it seems lemmy uses jwt so i guess if you could copy the secret key into the program?

    • chemOPMA (1 upvote, 1 month ago)

      Yes, it would decode the jwt with the secret and then check if it’s a valid one.

        • chemOPMA (1 upvote, 1 month ago)

          in theory yes, but i would need to see how well it interacts with various clients etc… could slightly grow in complexity depending on that

          • paula (2 upvotes, 1 month ago)

            ok no its not easy what is this disgusting code and api

            • chemOPMA (1 upvote, 1 month ago)

              are you talking about the lemmy source code? 🤣

              • paula (1 upvote, 1 month ago)

                i was just looking at fetch requests this page makes, it’s a mess

                ok it seems requests to the actual api like /list and /post do send an “authorization” header so like

                • parse request
                • check if url is for the api
                • check the community and verify if it should be private (seems non trivial from what i’m looking at)
                • validate the auth with jwt secret key
                • forward the request if it’s valid
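
The steps listed in the comment above, sketched as a gateway decision function. This is an added example, not part of the thread and not Lemmy code. It assumes HS256-signed tokens sent as `Authorization: Bearer <jwt>`, API routes under `/api/`, and the community named in a `community_name` query parameter; requests that reference a community any other way (for example by post id) are not caught, and a signature check alone cannot see tokens the server has revoked.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit, parse_qs

PRIVATE_COMMUNITIES = {"opsec"}   # hypothetical: names the admins choose
API_PREFIX = "/api/"              # assumption: API routes live under this prefix

def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a token for the demo; stands in for the server's issuer."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, head + b"." + body, hashlib.sha256).digest()
    return b".".join([head, body, _b64url(sig)]).decode()

def valid_jwt(token: str, secret: bytes, now=None) -> bool:
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        if header.get("alg") != "HS256":   # pin the algorithm; rejects "none"
            return False
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False
        claims = json.loads(_unb64url(body))
        exp = claims.get("exp")            # optional; enforced when present
        return exp is None or exp > (now if now is not None else time.time())
    except (ValueError, TypeError, AttributeError):
        return False                       # malformed token: treat as guest

def gateway_decision(url: str, headers: dict, secret: bytes) -> int:
    """Return 200 to forward upstream, 404 to drop. Header keys are lowercase."""
    parts = urlsplit(url)
    if not parts.path.startswith(API_PREFIX):
        return 200                         # not an API call
    names = parse_qs(parts.query).get("community_name", [])
    if not any(n.lower() in PRIVATE_COMMUNITIES for n in names):
        return 200                         # public community
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return 200 if scheme.lower() == "bearer" and valid_jwt(token, secret) else 404
```
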
                • chemOPMA (1 upvote, 1 month ago)

                  Yep, basically. Thing is, some requests would successfully pass and some would fail. Some frontends will 100% display errored states for guests whenever they try to navigate to private communities.

                  • paula (2 upvotes, 1 month ago)

                    surely frontend can handle failed requests, idk just return 404 and is good

                  • paula (1 upvote, 1 month ago)

                    i’m trying to find docs for the api but can’t find a list of endpoints, i did find that although the requests this page makes use the v3 api, the most up to date lemmy code has an api v4, always annoying