What is Repl Identity?

SnakeyKing · August 6, 2023, 3:41am

Question:
What is Repl Identity?

NateDhaliwal · August 6, 2023, 3:42am

Could you elaborate more on this question?

SnakeyKing · August 6, 2023, 3:46am

I have no idea what it is. The only reason I know it’s a thing is because Qwerty said

python660 · August 6, 2023, 5:00am

Repl Identity is a *BROKEN* Replit-provided CLI auth solution which is like replit auth in the web, but is a token which is signed by replit and can be hacked.

bigminiboss · August 6, 2023, 3:41pm

it’s nothing like replit auth in the web unless your saying that it’s trying to accomplish similar goals for different target audiences

bigminiboss · August 6, 2023, 3:58pm

repl identity in cli is essientally a way of creating anti-forwarding tokens that give 0 click auth for console repls. Futher, this means in more basic terms that it attempts to create a token that can be given to a server. The server can then decrypt your key (keep in mind that the vuln doesn’t happen here – it has like <0.1% chance of being hacked externally) and get the replId & the username. With this, you can supposedly verify the user. However, while some people will tell you that this is all it is, replit did itself market it was authenticification, which it fails to do due to some glaring issues that allow console repls to

run code after the fact
access env vars

both of which should IMO not happen? like just get your own repl to run, why are you running it on this repl//why do they need top secret env vars?