Show HN: Login with HN (Unofficially)

(loginwithhn.com)

435 points | by hardwaresofton 7 days ago

35 comments

  • simonw 7 days ago
    This is a smart implementation. I was worried it would be doing something uncouth like asking for your HN password or scraping some kind of unofficial API, but instead it gives you a token to embed in your public profile - so it's still scraping your profile page, but that feels like a very low-impact way of building this.

    Suggestion: on the "Put the token below in your HackerNews Profile" page, rather than polling to see if the token has been added (which is a bit rude) add a button for "I have added this token to my profile" and only check once the user clicks that button.

    • johnkpaul 7 days ago
      I totally agree with you and I was also worried about uncouth behavior. That said, and not to undercut the smartness here, I have memories of this being the main mechanism to authenticate third party services to the SomethingAwful forums.

      I have vague memories of thinking through how scraping could be used for much easier global authentication and then quickly how that was probably a dumb idea.

      • eloisius 6 days ago
        Reminds me of how I got users to verify their ownership of Minecraft accounts[0]. There is no profile to add a token, but they can switch their skin, and you can download a user’s skin without being in-world.

        [0] http://zacstewart.com/2012/12/24/verifying-minecraft-user-ac...

        • timvdalen 6 days ago
          Cool write-up! Wouldn't you need to generate a new random verification skin for everyone that tries to verify?
          • eloisius 5 days ago
            This is long dead, but yes that would be the next step. At least right now, you could only falsely claim someone’s account if they installed my verification skin, but you could wait for someone to do that and then quickly claim their account before they did.
        • tata71 7 days ago
          Instead, the token (a text string) will be an "object" (a non-fungible token) that you prove is in your wallet with zk proofs,

          wallet being on whatever chain(s) decided upon as ubiquitous in the coming year.

        • nvr219 7 days ago
          Yep, I still do this with gbs.fm!
          • johnkpaul 6 days ago
            Ah, the memories and nostalgia of seeing this comment are immense! I miss the good ol' days of the pre-tech-giant internet. I used to go to the in-person NYC charity events and it was an awesome community.

            :wave: other goon, hope you and all are well.

            • Lorin 6 days ago
              Have you considered playing more Journey? :^)
              • tomphoolery 6 days ago
                This site is the last place I thought I'd find a gbs.fm reference
                • Lorin 3 days ago
                  Had to migrate somewhere!
              • dmix 7 days ago
                What is gbs.fm, if you don't mind me asking?
          • rsync 7 days ago
            "... I was worried it would be doing something uncouth like asking for your HN password or scraping some kind of unofficial API, but instead it gives you a token to embed in your public profile ..."

            I have a side project I've been kicking around for a while that required some kind of reputation/login/accountability function and this was exactly what I considered doing: giving people a token to put into a public HN profile.

            So anyway, great job Victor!

            • hardwaresofton 7 days ago
              Hey if you don't mind I'd love to have you kick the tires -- there aren't any client apps (other than the website itself) right now, but I'll be opening that up soon, got some bits to batten down like audience and registration forms.
              • rsync 7 days ago
                So, so pessimistic that I can carve enough time away from rsync.net to start this new initiative ... but we'll see ...
                • hardwaresofton 7 days ago
                  rsync.net is a massively awesome product, I think I can safely say the rest of the internet is hoping you don't get any time away :).
          • dheera 7 days ago
            > doing something uncouth like asking for your HN password

            Yeah I was worried about this too, it's a disturbing trend.

            Venmo was asking for my bank password a couple months ago, I was like fuck no. Who the HELL does that. Should be illegal to even ask.

            • simonw 7 days ago
              I complained about that Venmo thing on Twitter and got an interesting conversation going about it, including comments from the CTO of Plaid, the company that built that integration.

              https://twitter.com/simonw/status/1479174549266526209

              Short version: OAuth for banks is finally starting to happen, but in the meantime the password anti-pattern fills the gap.

              • KoftaBob 7 days ago
                In the case of venmo (and many other of their customers), it was actually Plaid that was asking for your bank login credentials to connect your bank account to Venmo. They've been getting criticism regularly for that, unsurprisingly.
                • floatingatoll 7 days ago
                  (And Plaid noted that they vastly prefer to OAuth to banks, and do with many other banks, but that Venmo won’t accept OAuth and demands credentials.)
                  • Operyl 7 days ago
                    No that’s not correct. Venmo is not forcing password auth, it’s banks not implementing the OAuth flow that causes this. I just went through with OAuth in Venmo with my bank (Capital One). They also offer traditional (deposit 50 cents and validate the amount) work flow too, they’re not forcing the Plaid model at all.
                    • floatingatoll 6 days ago
                      Erm, I don’t think we’re describing the same sides of the flow, but I trust you’re right anyways. Apologies for my confusion.
                  • dheera 7 days ago
                    Yeah so now I need to give my password to not just Venmo but also some startup called Plaid that I need to trust?

                    Doubly fuck no.

                    • zwily 7 days ago
                      Plaid is not some tiny startup... They're almost 10 years old and Visa tried to buy them for $5B a couple years ago.

                      That doesn't mean you should trust them (I don't), but just because you haven't heard of them doesn't mean they're not big.

                      • Operyl 6 days ago
                        Venmo offers the traditional verify-a-deposit-amount validation method too, it just takes a few days. It’s an either/or method.
                        • phoenixy1 7 days ago
                          To clarify -- Venmo doesn't get the credentials at all, only Plaid does. Venmo then uses an API to get the specific bank account data it needs from Plaid.
                          • dheera 6 days ago
                            I still don't trust Plaid.

                            Venmo could also get the credentials if they want to, since they're launching it from within their own app. They could keylog everything in their app if they wanted to, including what happens inside Plaid.

                            Nobody should ask for passwords to anything but their own service. Period.

                            Asking for bank passwords should be made illegal. If I were the president I would have made that a federal law yesterday.

                            • Larrikin 6 days ago
                              The president doesn't make legislation.

                              Plaid provides a useful service that's a stop gap for the poor infrastructure of banks. I honestly doubt that most banks would have even bothered to start the laborious process of OAuth without them being an extremely popular middle layer for services like YNAB. My company actually uses them to process recurring payments.

                              • dheera 6 days ago
                                Yeah well I would have also made it a law for banks to support OAuth and hardware key 2FA, hand out 2 Yubikeys to every citizen and ban SMS, among other things.

                                Plaid is not useful if they need to ask for passwords.

                      • neither_color 6 days ago
                        This recently started happening with PayPal. Bank payments were my default, and recently when I tried to buy something PayPal started demanding my bank login. Nope. Not now. Never. You do not need to know my balance and all my transactions for a $100 purchase, PayPal.
                      • sattoshi 7 days ago
                        For all the obscure examples of prior art being given in this thread, this is also how Keybase did proofs with HN.
                        • tlarkworthy 7 days ago
                          The exact user flow for a third-party auth system in ObservableHQ:

                          https://observablehq.com/@endpointservices/login-with-commen...

                          All code is ISC licensed, and both the server and the client are embedded in a web notebook.

                          • clay-dreidels 7 days ago
                            This is very clever. On a side note, I wish HN offered two-factor authentication.
                            • kogir 6 days ago
                              Just pick a good password and don’t reuse it elsewhere. HN is super aggressive about rate limiting attempts, so brute force isn’t really a risk.
                              • maxwell_xander 6 days ago
                                2FA also protects me in case someone runs https://github.com/unode/firefox_decrypt on my computer, maybe as part of an NPM install script
                                • MajesticHobo2 6 days ago
                                  Do you not stay logged in to HN?
                                  • maxwell_xander 6 days ago
                                    Never! I log out EVERY... nah, you got me haha. I honestly wouldn't even care if someone stole this account. Just having fun nitpicking :)
                                • MajesticHobo2 6 days ago
                                  Phishing is still an issue that could be prevented with security keys. That said, I don't see most HN accounts being very interesting to phishers.
                                • iyn 6 days ago
                                  +1, would be nice to have 2FA
                                • waffle_maniac 6 days ago
                                  What about a cryptographic signature? That might be nice.
                                  • freedomben 7 days ago
                                    Agreed, and it doesn't really matter, but for some reason I felt compelled to mention that this same mechanism (putting a token in the profile page) has been in widespread use for years, so it isn't novel. Keybase is one example.
                                    • tiffanyh 7 days ago
                                      Even before that, this has been common practice with DNS for decades to prove ownership of a domain.
                                • hardwaresofton 7 days ago
                                  Hey HN,

                                  I wanted to be able to make apps that do social login with HN so I hacked it together.

                                  It works like you would expect -- generating a code you can put in your profile. For convenience, you can then use either TOTP or Email (if you specify both, it will default to using TOTP) to login thereafter to make things quicker (it can take up to a minute until profiles update).

                                  I generally wait about 5 seconds between checks of a profile, hopefully this isn't too much additional strain (especially since I expect most people to switch to something faster after the first login).

                                  [EDIT] Also it's night time (well morning I guess) where I am so... spinning up some more instances and I'm going to sleep.

                                  [EDIT2] My email is plastered all over the site, but please feel free to email me any bug reports!

                                  [EDIT3] If you'd like to register an app, please check out https://mailing-list.vadosware.io/subscription/form ! Ignore all the other mailing list stuff and get on the "early adopters" list for LoginWithHN! Or just email me in my HN profile, whichever!

                                  • dang 6 days ago
                                    > I generally wait about 5 seconds between checks of a profile

                                    If you're scraping HN, please wait 30 seconds (https://news.ycombinator.com/robots.txt) - our app server still runs on a single core, so we don't have a lot of performance to spare. (Hopefully that will change this year.)

                                    If you need to check more frequently, https://github.com/HackerNews/API works fine and you can get JSON that way anyhow.

                                    • hardwaresofton 6 days ago
                                      Hey Dang, so actually I DO wait 30 seconds -- what actually happens is that I check on the frontend every 5, but the backend checks every 30 (that's the default) interval. If you can believe it the code looks something like this:

                                          export const DEFAULT_HN_POLL_DELAY_MS = "30000";
                                          export const DEFAULT_HN_POLL_MAX_CHECKS = 10;
                                      
                                      The code isn't F/OSS but I hope you can take my word on this, worst case what happens is that someone launches two intervals (I don't have any locking on that side) due to hitting two different machines.

                                      I'll be switching to the API by the end of today and worst case by the weekend.

                                      [EDIT] Forgot to add this -- hope I didn't cause any disruption on your end. thanks for all the hard work as always.

                                      • dang 6 days ago
                                        That sounds fine!
                                    • will0 7 days ago
                                      > you can then use either TOTP or Email (if you specify both, it will default to using TOTP) to login thereafter to make things quicker (it can take up to a minute until profiles update).

                                      I guess at this point it's more like login with loginwithhn?

                                      • hardwaresofton 7 days ago
                                        Yup! LoginWithHN is the OAuth provider :) so the idea is if you have an app that you want people to use to login with HN, via LoginWithHN then you can use loginwithhn.com to make it happen
                                        • timoteostewart 6 days ago
                                          Nice work! If there was a similar yet less efficient implementation of your idea, I guess we’d call it “nlogn with hn”!
                                        • shreddit 7 days ago
                                          More like register with loginwithhn?
                                        • somishere 6 days ago
                                          Rather than polling you can probably just subscribe (via Firebase[1] and the HN API) to changes to the user's profile, e.g. [2]

                                          [1] https://firebase.google.com/docs/libraries#client-sdks

                                          [2] https://hacker-news.firebaseio.com/v0/user/hardwaresofton/ab...

                                          • hardwaresofton 6 days ago
                                            Hey thanks for the suggestion, I'll check this out as well -- I definitely don't mind having more ways to check so I can spread load and what not.
                                        • Using forums as pseudonymous identity providers is a very powerful idea. It's essentially community federation. There is of course risk that your IDP chucks your account and you lose access to the other ones, but that's solvable with a recovery scheme.

                                          Lightweight, low assurance credentials probably have the biggest growth future, as if universal high assurance credentials were really that commercially desirable, we'd already have them. These are a kind of affinity credential, which has a lot of optionality.

                                          • dougk16 7 days ago
                                            It's a powerful idea but say I'm a website that wants to add "Sign In With HN". Me personally I've lost faith with "Sign In With Facebook/Google/etc.", never mind some random site offering sign ins with random forum identities. As a website owner, I would have to trust that the "Sign In With HN" service would still be there in a month or two, never mind a year or two. If I wanted to create such an SSO service, what kind of reasonable social/technical guarantees could I make to website owners so they'd be confident I'd be around for the long haul?

                                            A better technical solution would be to offer an SDK that does the same thing that websites could integrate themselves, but then you have the explosion of languages and frameworks to support.

                                            • This is the good part. I'd rather avoid the SDK case, as I've run down that road before and it's fraught.

                                              If you affinity federate to HN, (or even a subreddit), and you create a recovery process that enables the user to migrate their local identity on our app to a new IDP, realistically, you could just federate to anything someone can store a key on, if you wanted to. The security of the user's account is up to the user.

                                              If I want to bind my user account on your SaaS app to anything persistent online that I have control of, that should be sufficient for most low assurance purposes.

                                              The lightweight security of it is that if I enroll/register for your app as motohagio@location.public_key, my password for your site becomes just a random string encrypted with my private key, as that proves my possession of the private complement used for registration when you decrypt the string using the contents of the public key location I provided during enrollment. A lot of protocols already essentially look something like this, they're just not described in a casual comment.

                                              The lightweight security of the system isn't based on the secrecy of passwords, but rather, a combination of the secrecy of the user's private key and the integrity of the registration pointer to that public key. It still works with browser passwords, as instead of a password string, you submit {randomstring, (randomstring)^privkey_privkey} and the RP app just looks up its registered public key pointer, and makes sure the random string in the ciphertext matches.

                                              Problem it solves is net-net it shifts risk off your service, onto the user, and removes a single point of user compromise for all users at once. You can federate your service to any document on the internet that persists a public key, and account compromises don't scale the same way.

                                              The most obvious vulnerability is the integrity and availability of the location and directory services of that public key location. But caching and recovery schemes could make it viable. (some people will be apoplectic at the mere mention of it, but it's a use case for the chains made of block)

                                              I've done the high assurance use case design on a variety of other products, but maybe the low assurance case is the one that's actually useful. Irony is it may still require a password manager / authenticator client for most users, but in the majority of logins, you can still save this new token in your browser as a password.

                                          • gruez 7 days ago
                                            >How does it work?

                                            >[...]

                                            >LoginWithHN generates a unique one-time-use code that the user must then put into their profile within 5 minutes

                                            I like the implementation, but shouldn't the code be something more explicit? Otherwise it might be easy to social engineer someone into putting in the code. Currently it's

                                            >Put the token below in your HackerNews Profile ↗

                                            >[random letters]

                                            I think Keybase does something more explicit, with something like "my keybase verification code is xyz"

                                            • colinclerk 7 days ago
                                              I agree this is a concern, though more with phishing than social engineering.

                                              An attacker site pretends to have their own "Login with HN" implementation, but asks users to put in a code generated from LoginWithHN.com itself.

                                              If the user adds the code, then the attacker can impersonate the victim on any service that supports LoginWithHN.com (because of the special second-time login handling)

                                              If the string was more explicit that it's for LoginWithHN.com, the victim is more likely to recognize that something phishy is going on.

                                              • hardwaresofton 7 days ago
                                                Thanks for the suggestion, this is a great idea. The phishing angle is not one I had considered
                                              • hardwaresofton 7 days ago
                                                You're right -- I will make this more explicit to hopefully prevent some phishing attempts
                                              • colinclerk 7 days ago
                                                Wow, awesome! We've had a few startups ask for an HN integration at https://clerk.dev and we'll build this in ASAP.

                                                It would be great if this could somehow verify whether an HN account has been part of a YC cohort. A few requests we've received were with the hope of offering early access to YC founders only before a public release.

                                                Also, I love the OTP solution instead of asking for our HN passwords.

                                                • hardwaresofton 7 days ago
                                                  Hey thanks -- I will definitely be sending you an email soon!
                                                • Visayer 7 days ago
                                                  Victor, congratulations on the launch! I am one of the maintainers at https://github.com/ory/hydra and it makes me super happy to see that Ory Hydra is being used for such innovative projects :)

                                                  If you’re interested to join Ory, we’d be excited to have you! Drop Aeneas a line and he’ll take it from there: aeneas@ory.sh

                                                  Hopefully we’ll talk soon :)

                                                  • hardwaresofton 7 days ago
                                                    Hey I appreciate it! It's a tiny little hack but I'm glad people seem to like it! ORY Hydra was fantastic every step of the way, I originally started with a completely different tool/approach actually then switched to Hydra and rewrote things and it was way smoother. Thanks for the awesome tooling you make.
                                                    • Visayer 7 days ago
                                                      Appreciate the kind words! :)
                                                    • bobberkarl 6 days ago
                                                      Hey, I had to evaluate the ORY suite for multiple projects, and we always had to fall back to Keycloak. The major reason was the completeness of the Keycloak admin GUI vis-à-vis Ory.

                                                      Is there a gui in your plans, or a public repo? I want to contribute.

                                                    • udbhavs 7 days ago
                                                      Great idea. If you need to add a code to your bio, another idea is putting a public key in your HN bio and signing a nonce message using some browser extension like Metamask.
                                                      • dividuum 7 days ago
                                                        Wouldn't it make more sense to store a blob containing the username, signed by loginwithhn in the profile. Something like HMAC(secret_kept_by_loginwithhn, username). Upon authorization, check if the blob is properly signed and matches the requested username. That way you'd only have to place it once and copying it between profiles isn't possible. I'm probably overlooking something.
                                                        • rgovostes 6 days ago
                                                          Suppose you have logged into HN this way and so the token is in your profile. What would prevent me from logging in as dividuum?
                                                          • dividuum 6 days ago
                                                            Nothing. You are correct of course and my suggestion is fatally flawed. Can’t edit my comment unfortunately. Guess that’s a reminder not to do half-assed protocol engineering while watching Netflix :-}
                                                          • jtsiskin 7 days ago
                                                            This trusts loginwithhn. The metamask way can be used by any site and only need to trust hacker news.
                                                          • Anunayj 7 days ago
                                                            Or just storing the key in browser with Web Crypto API (or localStorage cuz safari ffs). Ofc this means the key is only scoped to their domain.
                                                          • This site isn't really intended for high security. It doesn't matter that much since Hackernews login is only for this site and text posts here are not that valuable. If it was expanded in usage it could be disastrous.

                                                            The fact that the admins of this site do manual recovery, for example, is a terrible practice that no serious providers do. In fact the reason I'm 'AnotherGoodName' rather than my old AReallyGoodName is because I suffered account takeover on this site. The last three posts from AReallyGoodName promoting CoinRace are not me. The rest, including posts for my GitHub projects (I still own my GitHub) are. https://news.ycombinator.com/item?id=16460663#16461236

                                                            I do not think for one second that Hackernews is ready to handle sign ins for things that need more security than this site itself.

                                                            • tomhallett 7 days ago
                                                              Question - are you affiliated with HN/YC at all? If not, I would be concerned about the colors/branding on the homepage being the same as HN/YC. I see the word “unofficially”, but it feels like there still might be some confusion of how it relates to YC’s software.
                                                              • hardwaresofton 7 days ago
                                                                Nope not affiliated at all! I thought "unofficially" was enough but I'll make it a bit more clear

                                                                [EDIT] I added another disclaimer

                                                                • tomhallett 7 days ago
                                                                  Very cool! That's what I had in mind.

                                                                  Agreed that you added "unofficially", but you also created a new method to do login (vs cookies/oauth2/etc), so I wasn't sure how to map the "unofficially" word with your novel approach. Your disclaimer makes it very clear. :)

                                                            • zemnmez 7 days ago
                                                              It seems like if this is OAuth2, the protocol is not giving an audience specifier? That would mean that any token is as good as any other, and say, authenticating to evilsite.com, the site could use the token it's granted to itself to log onto another ‘login with HN’ website as the victim. That's the usual issue with OAuth as login.
                                                              • rank0 7 days ago
                                                                Thanks for pointing this out. Reading your comment just connected some dots in my head about the OAuth flow.
                                                                • hardwaresofton 7 days ago
                                                                  Ah yes, this is something I'm going to tighten up once we have OAuth2 clients signed up -- right now the only client is the actual loginwithhn site itself!
                                                                • hirundo 7 days ago
                                                                  I can speak more freely on a forum if my logins are independent. If they are federated I have more to lose by saying the wrong thing. There are scarcely any values I can express without offending someone. For this purpose at least, it looks like a better strategy to have multiple isolated credentials. With a password manager the inconvenience almost disappears.
                                                                  • xtracto 7 days ago
                                                                    Right, in addition to that, I am currently in the process of de-Googlifying and de-Facebookfying all my logins. I prefer the tired and tried method of having a separate login and password for each account, and save them on KeePassXC.

                                                                    There have been plenty of horror stories of people that lose access to their Google or Facebook account, and suddenly cannot access their connected accounts.

                                                                  • kotrunga 7 days ago
                                                                    "I'm a yak shaver by trade"

                                                                    Nice.

                                                                    Do you have any sites that support the flow yet?

                                                                  • Minor49er 7 days ago
                                                                    It didn't appear to be working after a couple of attempts. Opening the console shows a lot of HTTP 500 responses coming from /api/v1/hn/poll/status
                                                                    • hardwaresofton 7 days ago
                                                                      Shit good thing I didn't go to sleep, looking at it now

                                                                      [EDIT] - OK just pushed a new version -- it looks like it was a load issue, were you able to get in?

                                                                      [EDIT2] - Welp, looks like sleep isn't happening, looks like it's load triggered but there are some failures happening... I don't like this hug.

                                                                      [EDIT3] - We got 'em boys. Found the bug, rolling out now.

                                                                      • jmkim 7 days ago
                                                                        +1 Having same issue here
                                                                        • hardwaresofton 7 days ago
                                                                          Hey would you mind trying again?
                                                                          • Minor49er 6 days ago
                                                                            The API is responding that the request completed successfully, but it doesn't appear to authenticate. I even tried replacing my entire About section so that it was only the code and it didn't appear to recognize it
                                                                            • hardwaresofton 6 days ago
                                                                              Hey I'm sorry for the really shit experience, do you mind if I reach out once I'm sure I've fixed it? It works for me but I still see occasional errors so I'm wondering just who it is :).
                                                                    • voussoir 6 days ago
                                                                      Hi, I just wanted to say I have fond memories of using garrysmod.org to download add-ons for gmod back in 2008-2010 or so. They used the same authentication technique by giving the user a token to put on their Steam profile. I'm still wearing mine! As long as the entity in question (HN, Steam) isn't at risk of going bust, I think this is very practical. Best of luck.
                                                                      • hardwaresofton 6 days ago
                                                                        Thanks, appreciate the note! I actually never got into garrysmod (I basically started with CS: Source then went to CS:GO) so I never saw that, but I'm glad it makes sense and there's some historical precedent I'm not afoul of.
                                                                      • todd3834 7 days ago
                                                                        Very cool, I was experimenting with a similar implementation of this a few years back. We were using a browser extension to handle the posting to the profile for you. However, we noticed that the profile was cached on the server so you would end up having to wait a long time to get a new version. I believe we tried appending a random query param to cache bust but the server didn't seem to care about that.

                                                                        Have you run into this? If so, how did you get around it?

                                                                        [Edit] Here is a link to the now dead project :( http://web.archive.org/web/20161225152153/http://www.clap.ch... We briefly mention how it worked but didn't go into full detail

                                                                        • dougk16 7 days ago
                                                                          I'm doing something similar with my service https://aytwit.com/thoughter

                                                                          There is a trick to busting the cache but I almost don't want to say it in case they fix it lol. Feel free to contact me directly.

                                                                        • hardwaresofton 7 days ago
                                                                          Right now I'm actually just waiting a long time and checking somewhat slowly -- there's a note that it might take up to 1 min. I'm more concerned with not causing trouble for the staff, and usually it's about <1min so not the end of the world I think
                                                                        • version_five 7 days ago
                                                                          Congrats on putting this together, it looks really cool.

                                                                          One suggested feature that crossed my mind is to allow a minimum karma or account tenure requirement, in order to screen for throwaway accounts in cases where this mattered.

                                                                          • hardwaresofton 7 days ago
                                                                            That's a fantastic idea, thank you, I'll implement that.
                                                                          • hnarn 7 days ago
                                                                            This is kind of reminiscent of how keybase verifies your ownership of social media accounts, domain names etc.
                                                                            • adamrezich 6 days ago
                                                                              nice! I did a very similar thing many years ago for the video game website giantbomb.com. they have a wiki and you get points for making contributions, but there's nothing to do with the points, they don't do anything. so I made my own website where you could predict review scores they would give upcoming games, and "gamble" (a copy of) your giantbomb.com account's wiki points, which were scraped once you logged in with pretty much the exact same system (putting a generated hash into your account profile).

                                                                              I've always thought that this is a neat idea and similar methods could be used to make all kinds of cross-account connection stuff work on various websites. if you're making any kind of social site like this, allow users to have an editable public bio!

                                                                              • quickthrower2 6 days ago
                                                                                Nice. It's the equivalent of domain name verification using TXT records, but for HN profiles!
                                                                                • nailer 6 days ago
                                                                                  Hah I had the idea to do this but not using OpenID (show a token on an account to prove you own it) - kudos to using standards!

                                                                                  The use case was stealing the userbase from a stagnant competitor allowing everyone to keep their existing usernames on my platform.

                                                                                  • outloudvi 7 days ago
                                                                                    Interesting. However, it requires you to trust the service. So probably the identity user should build and host such a service themselves.

                                                                                    Or a more trustworthy solution is to make the identity verifiable. Oh, did I say Keybase (the former one, not the one acquired by Zoom)?

                                                                                    • lostmsu 6 days ago
                                                                                      I wonder if this concept could (and perhaps should) be extended to be an OAuth provider that lets you in based on the ability to control content under an arbitrary URL. Maybe even standardized somehow by exposing meta tags in the HTML header.
                                                                                    • dougk16 7 days ago
                                                                                      I'm doing something very similar with my service: https://aytwit.com/thoughter

                                                                                      To the author, there is a simple trick you can pull in order to make the confirmation instantaneous and avoid caching. Have you figured it out? Let me know!

                                                                                      I also use a residential proxy service for all my profile requests, regardless of the identity provider. For some sites like Twitter, Facebook, etc. this is required, and for something like Hacker News it's simply future-proofing in case they decide to block scrapers at some point in the future.

                                                                                      Good work!

                                                                                      • diogenesjunior 7 days ago
                                                                                        >for something like Hacker News it's simply future-proofing in case they decide to block scrapers at some point in the future

                                                                                        Why are you scraping? We have an API, it's linked at the bottom of every page[0].

                                                                                        0: https://github.com/HackerNews/API

                                                                                        • dougk16 7 days ago
                                                                                          Good question, and thank you for the question. Both at the time of my initial development several years ago, and including now when I just tested it, scraping has faster response times (cache invalidations) to profile updates than the API. This saves the user of my site being frustrated that they put the code in their profile, but they keep smashing the "Check again" button to no avail.

                                                                                          To be fair the API's cache invalidation does seem to have improved since last time I tested it. It only takes up to 5-10 seconds now, but still this is an eternity to an impatient user.

                                                                                          Also since you imply you work for HN, I'll give you my little secret: If you randomly capitalize the letters in the HN username it invalidates the cache. Otherwise scraping the profile would indeed take as long as the API approach. I'm taking a risk with you fixing it now. :)

                                                                                          I hope that helps clarify and I look forward to your thoughts.

                                                                                          • diogenesjunior 6 days ago
                                                                                            I don't work for HN. I meant "we" as in "we the people of HN"
                                                                                            • dougk16 6 days ago
                                                                                              Ah ok good, that means you won't fix the caching..."feature" that I found. :) Thanks for the discussion!
                                                                                          • hardwaresofton 7 days ago
                                                                                            Honestly I need to use this API as well -- on the list of things to do. I left myself some abstraction to have different ways of checking and the easiest was scraping but honestly hitting the API would have been just as easy. Will fix this
                                                                                          • hardwaresofton 7 days ago
                                                                                            Hey thanks for the helpful suggestion!
                                                                                          • clay-dreidels 7 days ago
                                                                                            This is a smart, safe implementation. On a side note: I wish HN offered 2FA.
                                                                                            • hardwaresofton 6 days ago
                                                                                              SAME. If they were into offering 2FA I could happily retire this little hack :)

                                                                                              I was a bit worried that what I was doing was against the spirit of HN (HN is very much not a social site in that way, and I think they strive not to be), but if they ever choose to add native 2FA I'll be over the moon.

                                                                                            • ulucs 6 days ago
                                                                                              Implementation idea: this method reminds me that we can post our public keys in bio, which means logging in could just mean signing a message that says "sign me in to %service%" and you wouldn't need to update your bio for each service you log in to
                                                                                              • paxys 7 days ago
                                                                                                This is neat. How do you protect against a third party scanning HN profiles for codes and stealing them?
                                                                                                • hardwaresofton 7 days ago
                                                                                                  Ah, so because the login challenge is unique, the person would have to have access to the browser that received the original login challenge -- there's a second secret when you initiate login (that's part of the bit managed by ORY Hydra)
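The two-secret design hardwaresofton describes above, as an added example in Python (not loginwithhn's own code): the display token goes into the public profile, a second secret stays in the browser, and the poll handler needs both, so a scraper that harvests tokens from profiles cannot complete a login. The poll endpoint name comes from the thread; the profile markup, field names and the minimum-karma check (version_five's suggestion) are assumptions.

```python
"""Added example, not code from loginwithhn.com. Models the login challenge:
a public display token pasted into the HN profile plus a browser-held secret.
Endpoint name is from the thread; profile markup and limits are assumptions."""
import hmac
import html
import re
import secrets

MAX_CHECKS = 10  # mirrors "Exceeded max checks [10]" in the thread's logs
TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# In-memory store of pending logins, keyed by display token (assumed design).
_pending: dict[str, dict] = {}


def start_login(username: str, min_karma: int = 0) -> tuple[str, str]:
    """Begin a login. Returns (display_token, browser_secret).

    display_token is shown to the user and goes into their public profile.
    browser_secret is set as an HttpOnly cookie and is never displayed.
    """
    display_token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(10))
    browser_secret = secrets.token_hex(32)
    _pending[display_token] = {
        "username": username,
        "secret": browser_secret,
        "checks": 0,
        "min_karma": min_karma,
    }
    return display_token, browser_secret


def parse_profile(profile_html: str) -> dict:
    """Extract user, karma and about from a profile page.

    The <td>name:</td><td>value</td> layout is a constructed stand-in
    for the real page (assumption), not HN's actual markup.
    """
    def field(name: str) -> str:
        m = re.search(rf"<td>{name}:</td>\s*<td>(.*?)</td>", profile_html, re.S)
        return html.unescape(m.group(1)).strip() if m else ""

    karma_text = field("karma")
    return {
        "user": field("user"),
        "karma": int(karma_text) if karma_text.isdigit() else 0,
        "about": field("about"),
    }


def poll_status(display_token: str, browser_secret: str, profile_html: str) -> dict:
    """Handler behind /api/v1/hn/poll/status (endpoint named in the thread).

    Returns the envelope seen in the thread on a valid poll:
    {"status": "success", "data": {"confirmed": bool}}; errors otherwise.
    """
    pending = _pending.get(display_token)
    if pending is None:
        return {"status": "error", "error": "unknown_challenge"}
    # Constant-time compare: a scraper who knows only the display token stops here.
    if not hmac.compare_digest(pending["secret"], browser_secret):
        return {"status": "error", "error": "forbidden"}
    pending["checks"] += 1
    if pending["checks"] > MAX_CHECKS:
        _pending.pop(display_token, None)  # give up; user must start over
        return {"status": "error", "error": f"Exceeded max checks [{MAX_CHECKS}]"}
    profile = parse_profile(profile_html)
    # The token must be in the profile of the user who started this login.
    if profile["user"] != pending["username"] or display_token not in profile["about"]:
        return {"status": "success", "data": {"confirmed": False}}
    if profile["karma"] < pending["min_karma"]:
        return {"status": "error", "error": "karma_below_minimum"}
    _pending.pop(display_token, None)  # one-shot: a confirmed token cannot be replayed
    return {"status": "success", "data": {"confirmed": True, "user": profile["user"]}}


def fake_profile(user: str, karma: int, about: str) -> str:
    """Constructed stand-in for a profile page (not real HN markup)."""
    return (
        f"<table><tr><td>user:</td><td>{html.escape(user)}</td></tr>"
        f"<tr><td>karma:</td><td>{karma}</td></tr>"
        f"<tr><td>about:</td><td>{html.escape(about)}</td></tr></table>"
    )


if __name__ == "__main__":
    tok, sec = start_login("alice", min_karma=50)
    page = fake_profile("alice", 120, f"hi, my login token: {tok}")
    print(poll_status(tok, "scraped-token-but-no-cookie", page))  # forbidden
    print(poll_status(tok, sec, page))                            # confirmed: True
```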
                                                                                                • zeepzeep 6 days ago
                                                                                                  Hey this is neat. Great work, I really like such weird ideas and it looks so professional!
                                                                                                • jrs235 6 days ago
                                                                                                  This is awesome! I had this same idea just last week! Way to execute!
                                                                                                  • ramon 7 days ago
                                                                                                    Would be interesting to come up with a nice use case now with this.
                                                                                                    • hardwaresofton 7 days ago
                                                                                                      Well it's technically a use case for itself... so there's that?
                                                                                                    • Great idea, I like the concept of using a code in your bio as the auth mechanism. As another poster replied, the api seems to be 500'ing
                                                                                                      • krapp 6 days ago
                                                                                                        As far as I know, IndieAuth[0] is the open source solution for this.

                                                                                                        I've wondered how well it would work on a forum like HN, both for account authentication (making the forum simpler by not requiring passwords) and for identity validation when necessary (for example, highlighting the owner of a project or site.)

                                                                                                        [0] https://indieauth.com/

                                                                                                        • hardwaresofton 7 days ago
                                                                                                          Hey would you mind giving it another shot?
                                                                                                          • Tried again, got a lot of 201s with:

                                                                                                                {"status":"success","data":{"confirmed":false}}

                                                                                                            Then a failure with a 502, I'll check it on a different network tomorrow to see if it's on my end

                                                                                                            • hardwaresofton 6 days ago
                                                                                                              OK one more time! It's working for me right now -- I see the odd out of time error in the logs but the errors are mostly gone now:

                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:01 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:06 AM   ERROR [LoginService] Error occurred while checking for HN profile page update: Error: Exceeded max checks [10] (delayMs: 30000)
                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:11 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:36 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:42 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:46:51 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:47:20 AM   DEBUG [V1HNController] received polling status request for display token [e4DMemS2HG]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:47:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:47:48 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:47:57 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:48:22 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:48:37 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:48:52 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
                                                                                                              
                                                                                                              
                                                                                                                  [Nest] 41  - 01/14/2022, 2:49:15 AM   DEBUG [V1HNController] received polling status request for display token [e4DMemS2HG]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:49:22 AM   DEBUG [V1ConsentController] retrieving data for consent challenge request [<redacted>]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:49:22 AM   DEBUG [V1ConsentController] successful consent denial for user [hardwaresofton]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:50:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:50:50 AM   DEBUG [V1HNController] received polling status request for display token [ZAvILvhGhg]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:50:58 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:51:49 AM   DEBUG [V1HNController] received polling status request for display token [qy4LrME0ny]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:52:24 AM   DEBUG [V1LoginController] received start login request [zzc]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:52:24 AM   DEBUG [V1LoginController] saved login request challenge with ID [<redacted>]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:52:26 AM   DEBUG [V1HNController] received polling status request for display token [lBEUPtqdVF]
                                                                                                                  [Nest] 41  - 01/14/2022, 2:52:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW
                                                                                                              
                                                                                                              Really appreciate you trying again -- I just did it myself and it was a long ~1min but it did work (in fact you can see me deny the consent actually in the logs :).

                                                                                                              And for the keen in here, yeah I'm running NestJS[0] -- this thing is over-engineered and some bugs still snuck through.

                                                                                                              [0]: https://docs.nestjs.com

                                                                                                        • schwede 6 days ago
                                                                                                          I think it’s in poor taste to theme your site to look like HN. Feels a little close to phishing.
                                                                                                          • hardwaresofton 6 days ago
                                                                                                            I did think about it, but I don't think it's too bad -- the site is plastered with "unofficially" and the disclaimer to prevent that.

                                                                                                            I love how minimal HN is and I don't think I've ever seen orange work this well on a site in my life to be honest, so I wanted to pay a little homage and also have people feel at home.

                                                                                                            I'll definitely consider changing the theme, and I've already added a disclaimer.

                                                                                                          • metabagel 7 days ago
                                                                                                            Blocked by both Firefox and my company due to certificate issue.
                                                                                                            • metabagel 7 days ago
                                                                                                              Actually, looks like you are on a malware blacklist.
                                                                                                              • hardwaresofton 7 days ago
                                                                                                                Could you tell me more about the blacklist? Is it IP based? URL based? The servers are in Germany under Hetzner so maybe it's an IP ban that went in
                                                                                                            • maliker 7 days ago
                                                                                                              Awesome documentation!