it sends two kinds of WebFinger responses to stay compatible with
remotestorage.js.
The app-provided client_id is ignored; the Origin of the redirect_uri is used
for app identification.
Mysteryshack is set up to be tested against the official API test
suite automatically (in Travis).
Mysteryshack's approach to concurrency is very simplistic. Only storage
operations are safe to perform concurrently. User creation and deletion, app
authorization and de-authorization are not, because it is assumed that the
user performing those operations is a single human with only two hands and
one keyboard.
Web admin sessions are stored inside signed cookies. The key is generated at
server startup. To log everybody out, restart the server.
OAuth tokens are JSON signed with a per-user key. The server stores a list
of client_ids the user has authorized, and checks if the token's
client_id claim is found in that list.
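The two mechanisms described above, app identification by the Origin of redirect_uri and per-user-keyed tokens checked against the authorized client_id list, as an added example in Python that is not Mysteryshack's own code. HMAC-SHA256 and the `payload.mac` base64url token layout are assumptions made here; the page does not say which signature scheme or encoding the server uses.

```python
import base64, binascii, hashlib, hmac, json, secrets
from urllib.parse import urlsplit

def origin_of(redirect_uri):
    """Derive the app identity from redirect_uri's origin; the client_id parameter is ignored."""
    u = urlsplit(redirect_uri)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError("redirect_uri must be an absolute http(s) URL")
    return f"{u.scheme}://{u.netloc}"

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class User:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-user signing key (assumed HMAC-SHA256)
        self.authorized = set()             # origins this user has approved

    def authorize(self, redirect_uri):
        client_id = origin_of(redirect_uri)
        self.authorized.add(client_id)
        return self.issue_token(client_id)

    def deauthorize(self, client_id):
        # Revocation needs no key rotation: the list check below rejects the token.
        self.authorized.discard(client_id)

    def issue_token(self, client_id):
        payload = json.dumps({"client_id": client_id}).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64(payload) + "." + b64(mac)  # constructed token layout

    def verify_token(self, token):
        """Return the client_id if the signature is valid AND still authorized, else None."""
        try:
            p, m = token.split(".")
            payload, mac = unb64(p), unb64(m)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        client_id = json.loads(payload).get("client_id")
        return client_id if client_id in self.authorized else None
```

A token signed under one user's key fails for every other user, and a validly signed token for a client_id the user has since de-authorized is also rejected.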
Mysteryshack violates the WebFinger RFC by returning bogus information for
nonexistent accounts. This is done to prevent account enumeration.