feat: validate url as a Lemmy instance before making API requests #30
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #14. This checks that a
getSite
call returns without error before allowingApi
queries to the URL. This ensures credentials are only sent to Lemmy instances and prevents simple attempts at stealing credentials by typosquatting.Creation of an
Api
now returns aResult
, as theApi
will fail to be created if the url does not return successfully from agetSite
query.I opted against checking the data returned from the
getSite
query - I figure any malicious actors who would spoof agetSite
query to seem like a Lemmy instance would just spin up a full Lemmy instance so any validation like that wouldn't be useful, let me know if I'm thinking about that the wrong way. I have ideas for providing a dropdown of common Lemmy instances to really try to mitigate typosquatting, but that's a future issue/PR.Let me know if you have alternate solutions in mind or anything else you'd like me to change!