Fixing Libreddit - now Redlib

created on 2024-01-17

Have you heard of Libreddit? It's an awesome front-end for Reddit that is lightweight and respects your privacy by proxying all requests through the backend. I am (was?) a maintainer for it for most of last year.

If you have heard of it, maybe you know it's been subpar lately. All instances have been subject to an oppressive rate limit, meaning many instances (especially the most popular ones) regularly returned an error unless you were very lucky. This is a consequence of the tightening down that Reddit has done - they want to ban Reddit clients, scrapers, etc. Especially given the advent of enormous LLM training datasets that probably source from Reddit-based content... Reddit wants their money from these users.

But, if you know me, I wouldn't let that slide. No one gets between the privacy-preserving front-ends and their content!

See, that's funny, because I did unfortunately let it slide. For six months Libreddit largely didn't work. I made a PR fixing this, which keeps track of OAuth tokens and spoofs the most common clients from iOS and Android, respectively. I used the information from this HN comment and this Gist to create my first proof of concept. I sat on the PR for a while due to a number of factors, including possible legal objections to spoofing a mobile client, and the fact that Libreddit had a possible legal threat hanging over our heads due to the (looking back now, immediately obvious) trademark issue with the name. (Reddit only allows you to use their name if you use "XYZ For Reddit".) Not to mention, my semester was in full swing and my workload didn't ever let up enough for me to have a full day to go through all of the changes necessary.

But it's winter break! I'm relaxing at home with gads of free time, fingers twitching looking for a project to work on. So I patched up Libreddit, merged all of the outstanding PRs, merged my OAuth credential spoofing, and replaced every "Libreddit" with "Redlib". Here's what I did, and some of the interesting things I ran into.

  • I used mitmproxy on iOS and Android to intercept the token grabbing. The sample code was a great starting point, but I really wanted to match behavior as best as possible. I had to sign into my Reddit account, though, as the Reddit app doesn't currently allow account-less browsing. It only offers "anonymous" browsing if you have an account.
    • The good news is, this anonymous browsing mode really is anonymous (or at least, the endpoint doesn't require an account login to create a token).
  • I wrote a bash script that scrapes the most recent iOS and Android app versions, to send along in the header.
  • I then tossed the iOS one, since, much to my chagrin, telling Reddit you're an anonymous iOS user will mean they block all content not deemed appropriate. Sticking to spoofing the Android client for now.
  • I wrote code to refresh the auth token after the 24 hours it lasts, just as the Android app does.
  • I sent as many of the official app's headers as I could along for the ride, too, so there will be less of a chance of Reddit cracking down on Redlib's requests.

Thanks to these changes, Redlib now works as an alternative to Libreddit, and hopefully a viable alternative to visiting Reddit itself. Report any bugs you find, please!

There won't be an official instance, as I can't guarantee uptime, but you can access a list of instances here (and contribute your own if you're interested in supporting the project!).

Anyway, here's the link to the repo!