What is Repl Identity?
Could you elaborate more on this question?
I have no idea what it is. The only reason I know it’s a thing is because Qwerty said
Repl Identity is a *BROKEN* Replit-provided CLI auth solution which is like replit auth in the web, but is a token which is signed by replit and can be hacked.
it’s nothing like replit auth in the web unless your saying that it’s trying to accomplish similar goals for different target audiences
repl identity in cli is essientally a way of creating anti-forwarding tokens that give 0 click auth for console repls. Futher, this means in more basic terms that it attempts to create a token that can be given to a server. The server can then decrypt your key (keep in mind that the vuln doesn’t happen here – it has like <0.1% chance of being hacked externally) and get the replId & the username. With this, you can supposedly verify the user. However, while some people will tell you that this is all it is, replit did itself market it was authenticification, which it fails to do due to some glaring issues that allow console repls to
- run code after the fact
- access env vars
both of which should IMO not happen? like just get your own repl to run, why are you running it on this repl//why do they need top secret env vars?