Has no one here heard of bitchute, odysee, rumble, brighteon? Come on man!

submitted by rubberbiscuit from i.imgur.com

sorted by:
top
newinsightfulfun
you are viewing a single comment's thread.

view the rest of the comments →

[–]Chipit 11 insightful - 4 fun11 insightful - 3 fun12 insightful - 4 fun -  (4 children)

Really went off the rails with that last point against Odysee. You also contradict yourself.

Your password manager should have a "generate password" option, which gives you a 16 digit password full of all the symbols, capital letters, and digits you need. And if you don't have a password manager? Well sheesh you should really have one.

[–]fschmidt 7 insightful - 4 fun7 insightful - 3 fun8 insightful - 4 fun -  (3 children)

Why should I have a password manager when Chrome already remembers my passwords? All the scum running Odysee would have to do is generate a password for me.

Actually the whole idea of passwords is retarded. On my sites one just enters one's email and gets a link with a hash that sets a persistent cookie. No need for annoying passwords.

[–]L_X_A 5 insightful - 4 fun5 insightful - 3 fun6 insightful - 4 fun -  (2 children)

On my sites one just enters one's email and gets a link with a hash that sets a persistent cookie. No need for annoying passwords.

That's a cool concept.

If I understood you correctly:

  1. The user first enters his email address on your site to login/register.
  2. Your server then generates a nonce (say, 128-bit, Base64 encoded) and associates it with that email address.
  3. The nonce is then sent to the user's email as the parameter of a hyperlinked URL (e.g. fschmidt.cool.site/authn/ZnNjaG1pZHQncyBzaXRl)
  4. Your server checks the nonce for a) an associated email, and b) the time elapsed since generating the nonce and the endpoint call (say, less than 10mins)
  5. If all checks pass, you produce a long(er) lived cookie to be used as a bearer token by the user agent (browser, app, etc.)

Which means that the user's email service is the de-facto (albeit indirect) authentication provider.

Cookies should not be valid indeterminately. You'd just be spreading that attack vector wide open. With that in mind, how would you deal with a user who has been inactive past the cookie's expiration date? Do you just send them a new URL containing a new nonce? How do you prevent an attack where nonces are requested repeatedly? Heuristically through API management or do you simply cap-and-throttle?

[–]JasonCarswell 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (1 child)

> That's a cool concept.

/u/d3rr, is this something that can be done on other platforms? Projex, Federated PeerTube, Lemmy, etc?

[–][deleted] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

Sure, you could hack an alternate account/login system into anything open source.