this post was submitted on 12 Mar 2024
12 points (87.5% liked)

Lemmy

12548 readers
26 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

Is there a setting page on the lemmy instance where I can download all my data?

you are viewing a single comment's thread
view the rest of the comments
[–] 7heo@lemmy.ml 2 points 8 months ago* (last edited 8 months ago) (1 children)

One thing to be aware of is that there is ~~currently, AFAIK, no~~ now (since 0.19.3) a way to "disable" a JWT.

Before that, once you had created it, if you leaked it, your account was, as far as I can tell, definitely compromised.

Now, it is possible to logout, to mark the JWT as "invalid".

I will add, ~~as a disclaimer, that I have not checked if~~ that as Nutomic highlighted below, there are conditions (password change, etc) under which ~~any or~~ all JWT (user, ~~instance, etc~~) become invalid. ~~So do audit the code if this is something that concerns you. As far as I am concerned, I treat the JWTs as extra-sensitive information, and store them only on machines I own~~.

Edit: correct information in the light of Nutomic's comments.

[–] nutomic@lemmy.ml 2 points 8 months ago (1 children)

The jwt is invalidated once you logout. You can also change/reset your password to invalidate all login tokens for your account.

[–] 7heo@lemmy.ml 1 points 8 months ago* (last edited 8 months ago) (1 children)

The jwt is invalidated once you logout.

Invalidated how?

You can also change/reset your password to invalidate all login tokens for your account.

OK. I was afraid this would not be the case. Thanks for confirming.

[–] nutomic@lemmy.ml 2 points 8 months ago (1 children)

Invalidated how?

Well it's deleted from the database so you can't authenticate with it anymore.

[–] 7heo@lemmy.ml 3 points 8 months ago

OK there now is a LoginToken class. This was not the case last time I checked. Good. Thanks for your answers.