  • 0 Posts · 81 Comments
  • Joined 2 years ago · Cake day: December 14th, 2023

  • BakedCatboy@lemmy.ml to memes@lemmy.world, on “My babies” · 5 points · 8 days ago

    Hmm, yeah, I’ve never seen anything from fedinsfw on my home feed; I assumed they were defederated or filtered from feeds by default. I do have NSFW enabled (but blurred), but I just don’t typically see anything from dedicated NSFW communities for some reason.



  • BakedCatboy@lemmy.ml to Privacy@lemmy.ml, on “Passkeys” · 20 points · 8 days ago

    I don’t, which is why I use my self-hosted Vaultwarden instance to store mine. I refuse to add passkeys to any service if they don’t properly invoke the standard passkey prompt in a way that’s compatible with Bitwarden; otherwise I love passkeys and use them everywhere possible, as long as I have complete control over them.


  • Yes, that’s what I would like to advocate for. I did something similar with LunaSea, but often people suggest doing that with Jellyfin and are not aware that almost no apps support it, and that adding exceptions for the API makes you basically as secure as not having it. But people tend to get very defensive when you try to tell them that something won’t work, so I try to phrase it as a question to see if I can get them to understand what the limitations are in a way that’s less confrontational.


  • Yeah, that’s fair, and I think that’s a good move; my point is just that people are acting like this is not feasible to exploit. I’m at the point in my exploit testing excursion where I have a script that can generate a stream of potential IDs based on real torrent names being parsed and reformatted using Radarr’s default naming pattern, as well as the commonly used Trash Guides ones, permuted with some common library paths used in the default Docker Compose examples, and it’s turning up actual ID matches with my Jellyfin instance. All I have left to do is make it create API requests to test the IDs against the unauthenticated API instead of checking an exported list, and there’s a proof of concept. 5 years is a long time for someone to figure that out.



  • What do you mean, viable? The web UI is just an app that is delivered to your browser; it makes more or less the same API requests as an app would make, so IDK why the risk would be lower with an app.

    If an attacker can access the login endpoint, for example to brute force or dictionary attack, it doesn’t matter if the web UI is or isn’t accessible if the login endpoint it uses is exposed for an app. The attacker could serve their own copy of the web UI and proxy requests to the API your app connects to. Blocking the HTML from being served doesn’t make a difference.


  • Do you not do any renaming? That probably would make it even easier, as you can just brute force with a database of filenames scraped from torrents. I already have a proof of concept that generates valid Jellyfin IDs from any given file path; it only takes a few more steps before you can plug in a Shodan scan of Jellyfin instances and just shotgun a bunch of IDs generated from torrents.csv at them and find stuff you can stream without authentication.

    People not bothering to rename, using the default Radarr naming scheme, or everyone using the same naming pattern from Trash Guides just makes it easier.

    Probably the only way to guarantee nobody can probe your media and stream it without authentication is to make sure to rename everything using a format that only you use, or to mount all your media under a path inside Docker that contains a long, randomly generated folder prefix.