
Internal user notes #6

Open
davidism opened this issue Jul 11, 2016 · 2 comments
@davidism
Member

Add comments to each user, possibly referencing a specific message for context.

@kms70847
Contributor

kms70847 commented Aug 3, 2016

Who should have the ability to read these user notes? Who should have the ability to create/edit these user notes?

I'm imagining that the primary method of access here is through a user script that adds these notes to the box that appears when you click on a user's name in the chat room, possibly popping out to a larger panel if there's a lot of data.

But if we do that, then it's not clear to me how we'd restrict access to only trusted users. The source code of both the user script and the server would be accessible to anyone looking at this repository. That allows attackers to thwart simple forms of authentication like "tell the server your user id", since they have full control over their own client's behavior and can easily impersonate others.

@davidism
Member Author

davidism commented Aug 3, 2016

As discussed in chat:

  1. Generate a token: https://pythonhosted.org/itsdangerous/
  2. If the userscript can't find the token, ask the user to enter one
  3. Requests send this token as a header
  4. Server checks if the token is valid
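The token flow in the list above, as an added example that is not the project's code: it reimplements the signed-token idea with the standard library's `hmac` instead of itsdangerous, so the signing secret stays on the server and a client whose source is public still cannot forge a token for another user id. The header name, secret value, token layout and maximum age are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for this example. On a real deployment the key is read
# from the server's environment and never committed to the repository.
SECRET_KEY = b"server-only-secret-not-in-the-repo"
SALT = b"user-notes-token"          # namespaces the signature, like the itsdangerous salt
TOKEN_HEADER = "X-User-Notes-Token"  # assumed header name sent by the userscript

def _sign(payload: bytes) -> bytes:
    # Derive a per-purpose key from (secret, salt), then HMAC the payload.
    key = hmac.new(SECRET_KEY, SALT, hashlib.sha256).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(user_id: int, issued_at: Optional[int] = None) -> str:
    """Step 1, server side: 'user_id.timestamp.signature' handed to one trusted user."""
    ts = int(time.time()) if issued_at is None else issued_at
    payload = f"{user_id}.{ts}"
    sig = base64.urlsafe_b64encode(_sign(payload.encode())).rstrip(b"=").decode()
    return f"{payload}.{sig}"

def verify_token(token: str, max_age: int = 30 * 86400,
                 now: Optional[int] = None) -> Optional[int]:
    """Step 4, server side: the user id if signature and age check out, else None."""
    try:
        user_part, ts_part, sig_part = token.split(".")
        user_id, ts = int(user_part), int(ts_part)
        provided = base64.urlsafe_b64decode(sig_part + "=" * (-len(sig_part) % 4))
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = _sign(f"{user_part}.{ts_part}".encode())
    # Constant-time comparison: a token with an edited user id fails here.
    if not hmac.compare_digest(expected, provided):
        return None
    current = int(time.time()) if now is None else now
    if current - ts > max_age:
        return None
    return user_id

def user_for_request(headers: dict, now: Optional[int] = None) -> Optional[int]:
    """Step 3: pull the token from the request header and validate it."""
    token = headers.get(TOKEN_HEADER)
    return verify_token(token, now=now) if token else None
```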

@kms70847 kms70847 self-assigned this Aug 5, 2016