Comment by makach

4 days ago

I got it to save, after fiddling a little bit with the template and saving it.

I am curious though, when you get the token - theoretically can you access all my synchronized files and notes? How do you protect the token?

regards

Theoretically yes - the authorization allows read/write access to articles on the device as unfortunately there's no API with write-only permissions for the reMarkable. I store tokens securely on my VPS that hosts the site in a SQLite DB.

I've made it very easy to both disconnect devices and void tokens, as well as delete your account completely. I'm considering adding logic to automatically disconnect devices after 90 days of inactivity to minimize the number of active tokens.

This is a personal project I made for fun, but I still made sure to follow as many best practices as possible to keep the servers safe (like setting up ufw and disabling logins with passwords).

  • Thank you for the honest answer. It is a definitive show-stopper for me to continue using your service, considering how much access you will accumulate in your database. I am sure your current setup is technically more secure than any enterprise solution - however - considering my notes and reMarkable are sensitive information, and contain (c) documents, I cannot risk it.

    I think reMarkable should consider opening/widening their API.

    Have you investigated using the browser extension/Word/PPT "send to reMarkable" API?

    If you have a Patreon or community I'd love to support, because the idea is great!

    • Thanks for the kind words! I completely understand your concerns about data security - it's exactly the kind of thoughtful consideration I was hoping users would have.

      I'm actually considering open-sourcing the entire project, which would allow security-conscious users like yourself to self-host the service. Alternatively, I could also build a "self-hostable reMarkable gateway" that could issue write-only tokens, though this would require some architectural changes.

      Regarding the browser extensions - unfortunately those wouldn't work for my use case since they require the user's browser to be running to execute any actions. The service needs to be able to run on its own schedule.

      I don't have a Patreon set up, but your offer of support means a lot! The best way to help right now would probably be to support the development of a more privacy-focused integration once I open-source the app sometime over the weekend.