well ya...email/password login would only work if the platform was registered
mm, I guess will create the github issue
for what?
umm, disallow OAuth from happening if project is not linked
the thing is oauth2 isn't really happening on the mobile device. it's happening on the appwrite server and then they're redirected into the app
yaa mm, I mean it's safe but still from not happening if somehow keys are exposed then someone can use it to do these nasty things
what keys?
client key may I is only needed to trigger OAuth login (of course when Google is enabled)
so, if Client Key exposed and as endpoint is always exposed
what client key?
I mean project Id sorry
these are all non-sensitive
so someone can create Appwrite instance and start OAuth login (assuming OAuth is enabled)
not really because the redirect url is configured to point to your appwrite instance
correct me if I am missing here,
- if someone knows the endpoint
- someone knows the project ID
- if OAuth is enabled, can't someone start creating fake OAUTH login
and worst case if there are Functions set up to trigger then that's another issue
what do you mean by "fake OAUTH login"?
I mean someone can create random Gmail accounts and start doing login attempts
sure...but that has nothing to do with registered platforms
if you let people create accounts, they can create as many as rate limit allows. if you have oauth2 enabled, anyone can use it
umm, so OAUTH is not bound to having the project being registered in the first place mean
right...registered platforms aren't really directly connected
ahh got it mm, anyway till it's not a vulnerability then it's fine