Ever since the clipper was released, the topic of how to implement the authentication workflows has come up from time to time. For example:
One possible option might be to use e.g. an AES cipher to encrypt the communication (which could then continue working over HTTPS). You would need to pre-share a key, but that could be well automated, I think. It could then work like this: the user installs the web clipper extension and clicks 'connect to Joplin'. Joplin displays a popup, something to the effect of 'attempted connection to Web Clipper endpoint, do you want to allow it?' The user clicks 'yes'. A random encryption key is gene…
Just being curious here. Today, I was a bit baffled being able to write new Joplin notes despite not having passed the authentication token, which led to the source code research. A more consequent (in my eyes better) strategy would be: const whiteList = [['GET', 'ping']]; Though I only use the REST API from an external application, so I cannot say anything about Webclipper.
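The stricter whitelist proposed in the post above, sketched as a default-deny check. This is an added example, not Joplin's code and not from the quoted posters; the `token` query parameter, the function names and the sample token values in the usage are assumptions made for illustration.

```javascript
// Hypothetical default-deny gate for a local REST API (not Joplin's code).
// Only exact (method, path) pairs listed here skip the token check.
const WHITELIST = [['GET', 'ping']];

// Compare tokens without exiting early on the first differing character.
function tokensMatch(supplied, expected) {
  if (typeof supplied !== 'string' || typeof expected !== 'string') return false;
  if (expected.length === 0) return false; // an unset token never authorizes
  let diff = supplied.length ^ expected.length;
  for (let i = 0; i < supplied.length; i++) {
    diff |= supplied.charCodeAt(i) ^ expected.charCodeAt(i % expected.length);
  }
  return diff === 0;
}

// Returns true when the request may proceed.
// Assumption: the token travels in a `token` query parameter.
function isAuthorized(method, url, expectedToken) {
  const parsed = new URL(url, 'http://localhost'); // base is only used for parsing
  const path = parsed.pathname.replace(/^\/+|\/+$/g, ''); // trim leading/trailing slashes
  const verb = String(method).toUpperCase();
  // Exempt only when BOTH the method and the whole path match an entry.
  const exempt = WHITELIST.some(([m, p]) => m === verb && p === path);
  if (exempt) return true;
  // Everything else, including writes such as POST /notes, needs the token.
  return tokensMatch(parsed.searchParams.get('token'), expectedToken);
}
```

Matching on the method and the full path together keeps an unauthenticated `POST` to a write route, or a sub-path under `ping`, from inheriting the exemption meant for `GET ping`.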