Create token with restricted permissions

[Sjmarf]

Requirements

• Is this a feature request? For questions or discussions use https://lemmy.ml/c/lemmy_support
• Did you check to see if this issue already exists?
• Is this only a feature request? Do not put multiple feature requests in one issue.
• Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
• Do you agree to follow the rules in our Code of Conduct?

Is your proposal related to a problem?

In order for a mobile client to support push notifications, those notifications need to be sent from an external server. To do this, the server needs to store the user's token so that it can check for any new messages.

Despite only needing to read the user's inbox, the server will be able to perform any operation on behalf of the user (including deleting posts, comments, communities etc), aside from deleting the account itself. This isn't ideal - if there was a data breach, a lot of damage could be done.

Describe the solution you'd like.

Add an API endpoint that creates a read-only token. The Lemmy backend would return an error for any non-GET requests made using this token. When the user enables push notifications, the client could create a read-only token and send it to the server.

Describe alternatives you've considered.

Additional context

No response

[dessalines]

Lemmy currently has no push notif support, and we're going to use ntfy / unified push for that.

#2631

[Sjmarf]

Lemmy currently has no push notif support

I am aware of this. At the moment, Lemmy clients that support push notifications use their own servers - not the Lemmy backend - to send those push notifications. Currently, each one of those servers contains a database of the users' tokens. This isn't ideal.

we're going to use ntfy / unified push for that.

Cool 👍 Lemmy supporting push notifications directly in future would be great for Android clients.

Unfortunately, I don't think this implementation will eliminate the need for a central server for iOS users. This is because iOS requires that all notifications be forwarded through one of Apple's servers, and an authentication token specific to the app needs to be attached to each request.

If the Lemmy backend were to send notifications to an iOS client, it would need to:

1. Know which mobile client the user is using, if any
2. Know the auth token for that client

Implementing this seems infeasible. The end result is that I'd probably still need a central server, and I'd probably still need to store all of the user tokens on it. So I don't think the Lemmy backend using ntfy would solve my issue.

[Nutomic]

Makes sense. How do you think this could be implemented? I suppose a parameter login.read_only and then a form in Lemmy settings which calls this login endpoint, displaying the returned auth token. The token's read only state can be stored either in the db table LoginToken or in the jwt token (or both?)

[Sjmarf]

A read_only parameter in the user/login request sounds perfect!

[aeharding]

Implementing this seems infeasible. The end result is that I'd probably still need a central server, and I'd probably still need to store all of the user tokens on it. So I don't think the Lemmy backend using ntfy would solve my issue.

Have you looked at how the Mastodon iOS apps do it? Something like https://github.com/mastodon/webpush-apn-relay. Yes it is centralized but it is just a dumb relay that doesn't require storing user tokens.

and an authentication token specific to the app needs to be attached to each request.

Looking at how Mastodon apps do it, I don't think that's true.

[Nutomic]

This could probably be part of #1368 (scoped permissions).

[Sjmarf]

@aeharding

Looking at how Mastodon apps do it, I don't think that's true.

As I understand it, there are currently two ways of authenticating push notifications. If you want the server to be able to send notifications to multiple different iOS apps, you need to attach an authentication token to each request. If the Lemmy server was sending notifications directly, it would need to send them to more than one iOS app and so would need to attach this token.

If you are only sending to a single iOS app this isn't necessary - you can instead create a certificate and upload it to Apple through the developer portal. When you do this, you need to tie the certificate to a specific bundle ID. Then, APNS understands that any requests coming from your server are for your specific app. I don't think this authentication method would work for the Lemmy backend because you can only send notifications to one iOS app.

Have you looked at how the Mastodon iOS apps do it? Something like https://github.com/mastodon/webpush-apn-relay. Yes it is centralized but it is just a dumb relay that doesn't require storing user tokens.

I hadn't seen that repository before, thanks! That's super useful. I'd certainly look into doing it that way if Lemmy implements ntfy.

[aeharding]

If you want the server to be able to send notifications to multiple different iOS apps, you need to attach an authentication token to each request. If the Lemmy server was sending notifications directly, it would need to send them to more than one iOS app and so would need to attach this token.

I just tested it with Mastodon, logged into two separate apps (Mastodon iOS app and Ice Cubes iOS app, on same device) with a single Mastodon account, and all push notifications came thru just fine for each app :) Both Ice Cubes and Mastodon use Web Push behind the scenes, with a relay (as linked to before).

More info here: https://docs.joinmastodon.org/methods/push/

(It's worth noting that documentation is a bit outdated since Mastodon 4.4 will allow Android apps to directly push to FCM w/ decryption, pretty cool! LucasGGamerM/moshidon#588 also mastodon/mastodon#33528 and https://unifiedpush.org/news/20250131_push_for_decentralized/)

I hadn't seen that repository before, thanks! That's super useful. I'd certainly look into doing it that way if Lemmy implements ntfy.

It seems like the safest way. Lemmy would implement the standardized WebPush (RFC8030+RFC8291+RFC8292) which lemmy iOS apps would then use with their own relay to push to APN.

To be clear though, Ntfy is just the notification service for FOSS android push notifications. iOS and Google Play Android would not (well really, can't) use it.

Here's an example of what would happen when Lemmy generates a new push noti, for each platform:

lemmy instance -> [webpush protocol] -> user-chosen push server, typically ntfy instance -> my FOSS android app
lemmy instance -> [webpush protocol] -> Google FCM -> my Google Play android app
lemmy instance -> [webpush protocol] -> webpush-apn-relay -> apple APNS -> my iOS app
lemmy instance -> [webpush protocol] -> browser vendor push server -> my browser (chome, firefox etc)

There's some nice diagrams here: https://unifiedpush.org/

[Sjmarf]

Thanks so much, that's super useful! :)