Hi Alex Beckert,
Thanks for the report and the suggestions. I'm a developer for Minigalaxy
and your concerns make sense.
To address the suggested solutions: using an external browser for
authentication is unfortunately not possible with Minigalaxy, because
after the login Minigalaxy takes the page URL to get the code which is
used to authenticate with the API. With an external browser, retrieving
this would not be possible. Showing the URL of the browser window could
be implemented.
Some additional information about how the system works at the moment:
- It uses the girl1.2-webkit2-4.0 package for the webkit engine.
- It uses HTTPS for all API calls and for the login screens. In the code
you can see HTTPS is used here:
https://github.com/sharkwouter/minigalaxy/blob/1.0.1/minigalaxy/api.py
Having said all that, this does not seem like a security issue to me.
Authentication happens using the same page the official GOG client for
Windows does. The user could be concerned, but there does not seem to be
an actual security risk.
Hopefully this helps you understand how Minigalaxy does authentication a
bit better and makes you feel less worried. An issue has been created in
our issue tracker to address the visibility of the URL in the browser window.
Kind regards,
Wouter Wijsman
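The message above describes a flow in which the client reads the browser's page URL after login and pulls an authentication code out of it. The following is an added illustration of that pattern, written for this page; it is not Minigalaxy's code and does not use its API. The function name, the expected host, and the shape of the post-login URL (a `code` query parameter) are assumptions. It also adds the check a practitioner would want on such a step: the code is only accepted if the URL is HTTPS and the host is the one the client expects, so a navigation to some other page cannot hand the client a bogus code.

```python
from urllib.parse import urlparse, parse_qs


class LoginUrlError(ValueError):
    """Raised when a URL does not look like the expected post-login page."""


def extract_login_code(page_url: str, expected_host: str) -> str:
    """Return the `code` parameter from a post-login URL, after validation.

    Assumptions (hypothetical, not taken from Minigalaxy): the login
    provider redirects to an HTTPS page on `expected_host` and carries
    the one-time code as a `code` query parameter.
    """
    parts = urlparse(page_url)

    # Only trust a code that arrived over TLS: an http:// URL could have
    # been observed or injected by anyone on the path.
    if parts.scheme != "https":
        raise LoginUrlError(f"refusing non-HTTPS login URL: {page_url}")

    # Only trust the host we expect. urlparse().hostname is lower-cased and
    # strips any userinfo/port, which defeats tricks like
    # https://expected.example@evil.example/.
    if parts.hostname != expected_host:
        raise LoginUrlError(f"unexpected host {parts.hostname!r}")

    params = parse_qs(parts.query)
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise LoginUrlError("login URL does not carry exactly one code")
    return codes[0]


def try_extract(page_url: str, expected_host: str):
    """Convenience wrapper: return the code, or None if the URL is rejected."""
    try:
        return extract_login_code(page_url, expected_host)
    except LoginUrlError:
        return None


if __name__ == "__main__":
    # Constructed sample URLs; the host and code values are made up.
    good = "https://login.example.test/on_login_success?code=abc123"
    print(try_extract(good, "login.example.test"))  # abc123
    print(try_extract("http://login.example.test/?code=abc123", "login.example.test"))
    print(try_extract("https://login.example.test@evil.test/?code=abc123", "login.example.test"))
```

Surfacing the URL to the user, as the message proposes, and validating it in code are complementary: the first lets a person see where the embedded browser went, the second stops the client from acting on a page it should not be on.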