obsidian 1.4.5 supported? - yes #19
Comments
Downloading and testing in a moment |
my obsidian updated to 1.4.5 automatically it seems losing the connection with the remote vault and can not see any error log ... |
Looks like they added mitigations to prevent the requests from being intercepted. It's also not working for me |
They obfuscated the URL a bit... |
is it easy to fix? |
The URL obfuscation is just funny. I'm still trying things out. |
Looks like the main problem is that plugins are now loaded after this line of code runs:
```js
var mn = "obsidian-account"
  , gn = window.fetch;
```
which ensures that even if I override window.fetch, they maintain a copy of it. It's somewhat obvious they are intentionally trying to stop this from working (I guess it is a security issue if plugins can intercept requests) |
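Why a reference saved before plugins load is unaffected by a later override of the global, shown as an added example (not code from Obsidian or from this project). `host` is a constructed stand-in for `window`, the stub `fetch` is synchronous and offline, and all function names and URLs are hypothetical.

```javascript
// Constructed stand-in for the renderer's global object; the stub fetch is
// synchronous and never touches the network.
function makeHost() {
  return { fetch: (url) => ({ servedBy: "original", url }) };
}

// Late binding: resolves host.fetch on every call, so the last assignment wins.
function makeLateBoundClient(host) {
  return { signIn: (url) => host.fetch(url) };
}

// Early binding: same idea as `gn = window.fetch`, taken before plugins load.
function makeEarlyBoundClient(host) {
  const savedFetch = host.fetch;
  return {
    signIn: (url) => savedFetch.call(host, url),
    // Integrity check: has anything replaced the global since startup?
    fetchWasReplaced: () => host.fetch !== savedFetch,
  };
}

// Hypothetical plugin loaded later: wraps the global and rewrites the host name.
function loadPlugin(host) {
  const inner = host.fetch;
  host.fetch = (url) => ({
    ...inner(url.replace("api.example.test", "selfhosted.example.test")),
    servedBy: "plugin-wrapper",
  });
}

function demo() {
  const host = makeHost();
  const late = makeLateBoundClient(host);
  const early = makeEarlyBoundClient(host);
  const cleanAtStartup = !early.fetchWasReplaced();
  loadPlugin(host);
  const url = "https://api.example.test/user/signin";
  return {
    cleanAtStartup,
    late: late.signIn(url),
    early: early.signIn(url),
    replaced: early.fetchWasReplaced(),
  };
}

console.log(demo());
```

The early-bound client keeps reaching the original function, and the identity comparison gives the application a cheap way to notice that the global was swapped after startup.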
Things are complicated now, maybe we just stay at version 1.3.7. 😅 |
seems like the iOS and the jailbreakers. so the current solution is to stay at 1.3.7 if I want to use custom sync. maybe this should be added to the readme. |
CC @CzBiX. They're much more experienced in JavaScript. Maybe there is a way. Until then, you'll need to stay at 1.3.7 |
Is that possible to register or change service worker js? If so, you can intercept fetch from service worker |
I'm not sure. When trying to register a service worker:
Trying |
I haven't found a reliable solution yet, but this recent update shows the official stance on these things. |
For flatpak to downgrade:
|
Note: If you had already signed in & connected to a vault, it stays connected despite upgrading to 1.4.5. It seems the mitigations are only at the login section. |
I lost sync on all my devices that updated to 1.4.5. iOS and MacOS both are unable to connect to the vault that was previously connected. The only thing that changed was Obsidian version, so it seems at least I lost access after upgrade without logging in from scratch. Funny thing for them to do, considering the CEO was so nice and received so much praise. It's not that they did this just as security either, the string obfuscation was clearly aimed at these plugins. Business moves: say one thing, do the other. |
For MacOS, it is still possible to manually patch the obsidian.asar file within Obsidian.app. You can also download the previous DMG from https://github.com/obsidianmd/obsidian-releases/releases/tag/v1.3.7. iOS, I have no idea. |
how about Android and win? is it possible to patch the apk and exe installer? (seems we are going too far away ...) |
You can also patch those since you can sideload rather than being forced through an app store. You can either replace the URL directly (so no need for plugin) or replace their copy of window.fetch with just window.fetch. Or just downgrade the app (get apk/exe from obsidian-releases) |
Found multiple solutions that don't require modifying the official app, but I won't share them here. |
Perhaps most of us will have to buy the official sync service which will make the official side much more confident they make the right choice. |
Obsidian's CEO @kepano stated, days ago:
Emphasis on |
I think that might have been a hint lol |
I'm also planning on moving over to Logseq. I thought I would give Obsidian a try despite it being closed source due to its reputation as community driven & friendly. Since I've only installed Obsidian for a week or so, I'm not too heavily invested yet. |
From Logseq:
Looks like Logseq is also lacking a self-hostable sync option. Well, there's my next project I guess. Since the client is open source, it should be much much easier. Edit: Looks like it's actually possible to reuse this server and just write a compatible plugin |
Very sad to hear. I've been an Obsidian Sync customer and I'm debating on cancelling my subscription now and just using Syncthing. If they're going to pull stuff like this, then I'm going to throw them in the category just as the other ass companies. I wanted this as a secondary solution to back up the vault to a local database and make it easier but also keep Obsidian Sync on another device. Hopefully it gets fixed, for now, I'm not upgrading Obsidian. |
We were able to patch some vulnerabilities with 1.4.5 — but that doesn't mean you can't keep trying! What we're okay with:
What we're not okay with:
For reference here's what I sent to @acheong08 via email on Aug 29
|
I think rev-obsidian-sync or obi-sync are somewhat reasonable. I also make it quite clear that this is unofficial.
I suppose this is valid. Plugins intercepting and modifying requests could be a nightmare if not fully reviewed (causing issues with official features etc)
This is by no means commercial nor have I copied your code.
My initial reason for wanting to self host was for privacy & data integrity reasons. It gives more control over backup & data is only sent to a place I control. |
Thanks for changing it. Previously it was less clear since the repo was called "Obsidian Sync".
I want to note that your solution isn't exactly an "open-source Obsidian Sync alternative". It is a Sync server emulator with a plugin that tricks the Obsidian Sync client to connect to the emulated server, making full use of the Obsidian Sync client in a way that is unintended by us. It takes over the account system in a way that presents the user the identical interface for the official account system. It then also uses the official Sync plugin, including the syncing code and the interfaces to setup and manage the synchronization. This is dangerous because a non-technical user (someone who doesn't understand that this system works by taking over the real account system) using this system could run into data loss due to bugs in the emulated server, and be led to think that Obsidian Sync is buggy. What we did in the update is to prevent plugins from taking over the account system and pretending to be the official Obsidian account, and official Obsidian Sync client. It is indeed a security vulnerability that we felt necessary to address.
Apologies, I didn't mean to imply that your tool has commercial intent — I was trying to be exhaustive about the cases where reverse engineering can be a problem. |
Although I doubt a non-technical user would be able to set up the sync server & manage plugins not in the official list etc, I somewhat recognize the concerns. I won't be working on the plugin anymore & will be moving on to trying to bring compatibility with this API to Logseq so that this project isn't a complete waste. (still feel like users should at least have the choice to do whatever dangerous thing they want, perhaps an option to allow override with big red warnings - not a recommendation, just a dream) |
there is no need to discuss any more, issue closed. |
@acheong08 the work you have done is awesome. https://github.com/t3chguy/rev-obsidian-sync-plugin seems to almost work on 1.4.5. It lets me auth & connect to a vault but the websocket connection fails. Will give it another go sometime soon. |
Switched Aaaaand it works. acheong08/rev-obsidian-sync-plugin@master...t3chguy:rev-obsidian-sync-plugin:master |
As a little cherry on top - Publish works too https://notes.bit.ovh/published/4ff438d1-1dfe-4182-b1d6-cf90022aace5/Vehicles/BMW%20F650GS%20-%20HV58%20KMA.md |
@t3chguy Thank you! |
Verified that everything works perfectly https://github.com/acheong08/rev-obsidian-sync-plugin/releases/tag/1.1.0 |