
Comments (5)

rhin0cer0s commented on June 2, 2024

We can't protect users from malicious server owners storing a user's password

Like any other web service. The other problem would be "how to know that a server is really the one it announces?" and the best solution today remains PKI based, even if it is far from enough. Anyway, this introduction is clearly acceptable.

We could use sqlite but it seems overkill

I agree. If you managed to avoid the use of a DBMS so far, let's keep it that way.

The global server password will be re-purposed ...

Yep, a password just to access the server is definitely a great idea. I will be glad to offer a PR regarding the password storage and verification (as discussed in #52).

QUESTION: The primary key for the user account would then be its username. ...

I have absolutely no idea for this one. Fixing something is generally not a good thing, but here it doesn't seem really serious. If someone really wants to change their name, why not just add a field "nickname" which can be modified freely?

No access to anything (not even the list of projects)

? So no access to the server?

This list makes me think: is there an activity log somewhere?

from superpowers-core.

elisee commented on June 2, 2024

Thanks for the feedback!

? So no access to the server?

Ah right, I had something in mind but didn't explain it. The idea would be that the person was invited to sign up, and once they've done it, the server owner defines which project they can access after the fact. It's useful if you want to let a user join a single project and nothing else.

(... We might want to have a more elaborate invite link system that comes with predefined access rights for a particular project at some point.)

This list makes me think: is there an activity log somewhere?

There is not. We might want to build one though, it seems useful. At the very least it could log connections, maybe high-level changes like project creation, or even more detailed things like asset tree changes, etc.


Xstoudi commented on June 2, 2024

QUESTION: The primary key for the user account would then be its username. Is that a bad thing? Do we care about renaming accounts on servers? If so, where will we reference user accounts in Superpowers? do we need to have a never-changing user ID instead?

I think the primary key should never be concrete information. Creating a unique user ID can prevent many problems.


elisee commented on June 2, 2024

@Xstoudi yeah alright, let's do that. It's probably for the best.


elisee commented on June 2, 2024

A much simpler version of this spec has been implemented:

  • We now use passport-local for managing user sessions. The server password is no longer stored in a cookie for each user, which was a terrible temporary hack that stayed around for way too long.
  • We're sticking to just a global server password for now, since it has proven good enough. We might do access rights some day, but for now it's not a priority for anyone AFAICT.
  • Per-server user settings have been implemented using localStorage. It's good enough and much simpler than trying to synchronize them across all servers. We can improve on that later if needed.

So I think we can close this!

