Closed rjrudman closed 6 years ago
double-fault
commented
6 years ago Wouldn't it be better if you made users sign up with a username, email and password and then do SE auth? Splitting it out into two different models would make it a lot more simpler.
You can always store both the chat id and the main site id. The main site id is available from the SE API. For the chat id, just use something like this.
rjrudman
commented
6 years ago @Fortunate-MAN I'd like to avoid storing any credentials of users on the server unless absolutely necessary. Currently, we get them to login via SE, make one api call on their behalf (/users/me to identify them), and throw away their token.
The problem we've got here is that:
Planning on storing chat id & main id separately. That was more of a note to myself (as I was also thinking about situations where this may run on different chat servers, etc).
double-fault
commented
6 years ago Hmm, it does make sense not to store SE auth tokens if you are not gonna use them, but, what is wrong with a simple username and password? You'll need some sort of user management and admins otherwise people can abuse the system. Creation of bots and usage of api should be restricted, preferably through keys, which users with the admin role can generate. You can always ask the user creating the key to put the name of the bot, which could be used to display the bot name.
double-fault
commented
6 years ago Not storing creds makes sense and would make users trust the system even more, but IMHO, it is unavoidable.
rjrudman
commented
6 years ago Yeah - the abuse part of it is primary reason for not managing users ourself. By relying on SE accounts - and taking advantage of their spamram, we can reduce the amount of throwaway/abusive accounts being created. We could also implement a policy of requiring an account on SE for x amount of days, if we find it to be a problem. Or, we could require an admin to approve the account once it's registered.
If people would prefer to have a username/password setup, that can be implemented, but for now it makes things more complicated, and I think relying on SE will be more beneficial in the long run.
For now, every user is granted permission to everything, while we're still in development. Bot creation will most definitely only be available to admins :)
double-fault
commented
6 years ago Oh, okay! Thanks for the clarification! I thought there would be no admins/regulars, and all users would be given privs for everything. If that is only for dev, I guess I'm fine.
The best solution for account creation IMO is to provide users both options. But the SE auth solution for account creation should suffice, and I do agree it'll be simpler and more efficient in the long run.
jdd-software
commented
6 years ago Related to unkown users, maybe the bot could also send the current display name in feedback call, hence you could have "backup" name by bot.
rjrudman
commented
6 years ago @jdd-software That's one of the approaches I thought about. It's definitely a way we can do it. Ideally, though, I'd want to investigate if we can have Higgs manage it all, to make it as simple as possible for bots to integrate
jdd-software
commented
6 years ago You could query SE api https://api.stackexchange.com/docs/users-by-ids, with 1 query you can get 100 users passing id's of interest, maybe a function executing 1 query per day would be enough
rjrudman
commented
6 years ago Conversation related to Petter's suggestion for using the API:
https://chat.stackoverflow.com/transcript/111347?m=42121419#42121419
If a user hasn't ever logged into Higgs, should we still try to grab their display name?
Also, how are we going to handle differing IDs between chat and the main site?