Alex on Nostr: Mastodon's Web Push API sends back your own OAuth access token on every single ...
Mastodon's Web Push API sends back your own OAuth access token on every single push... that's insanity.
>The access_token is included because that's the only way to make API requests from the service worker in JS.
(Narrator: it isn't)
https://github.com/mastodon/mastodon/pull/7521

Published at
2024-10-02 17:59:19

Event JSON
{
  "id": "0c68010d10b0af86b291bc388166ca6613b7a85d42cd8956fb60fd9c0ae9dbe5",
  "pubkey": "0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd",
  "created_at": 1727891959,
  "kind": 1,
  "tags": [
    [
      "r",
      "https://github.com/mastodon/mastodon/pull/7521"
    ]
  ],
  "content": "Mastodon's Web Push API sends back your own OAuth access token on every single push... that's insanity.\n\n\u003eThe access_token is included because that's the only way to make API requests from the service worker in JS.\n\n(Narrator: it isn't)\n\nhttps://github.com/mastodon/mastodon/pull/7521",
  "sig": "60a648f6d330473e425858fa9e5e69881f46a5985a98080ff93e22d874528ab7c4386443d240a8d3e61fdc30f5a6520118e6fa827e9f28a353893be38f11dcd7"
}