apple / password-manager-resources

A place for creators and users of password managers to collaborate on resources to make password management better.
MIT License
4.2k stars 452 forks

[Feature] Web interface for new websites #131

Open Juulsn opened 4 years ago

Juulsn commented 4 years ago

Hey guys!

I was thinking about a web interface which can be used to submit additional websites. This could be something like a form, where you have to give a source (screenshot and/or link) for your password rules, the website URL, the password rule "generator" itself (similar to the generator on https://developer.apple.com/password-rules/) and, if needed, a list of shared-credentials sites. This form could create a PR on a second branch, e.g. website-suggestions.

This has the advantage of actually splitting suggestions from actual code changes, because I think it's kinda confused right now. Furthermore, this is also a solution for alphabetical order (I'm aware of the GitHub Action in PR #130). In addition, people who don't know how to use the JSON syntax can actually contribute to this Open-Source Project.

Give me some feedback on this!

rmondello commented 4 years ago

I’m open to such a thing, if it’s possible!

Juulsn commented 4 years ago

Awesome! I'll try to implement this via GitHub Pages. Would you mind opening the gh-pages branch so as not to mix this up with the master branch? I already have something in mind; I will try it locally next week and let you know if it works :)

cljazouli commented 4 years ago

@DerJuulsn I am interested in helping you doing that. Please let me know how I can assist.

Juulsn commented 4 years ago

@cljazouli That would be great! I've already programmed almost all of the back-end stuff over the last few days. But if you would like to help me on the front-end side, like with the website, it would be amazing!

cljazouli commented 4 years ago

That sounds good! Are you working on a separate branch? Feel free to tag me on any issue you need help with on the FE.

Juulsn commented 4 years ago

@cljazouli I've tagged you on an issue on my fork :)

Juulsn commented 4 years ago

Hey @all! I just want to give an update on the web interface progress and explain how it will work.

Project Structure

First of all, we have 3 parts. The client side (website), the server side (Node.js) and a GitHub "Bot" (password-manager-resources-bot), which acts as a replacement for the normal user who would otherwise create a Pull Request.

A user visits the website and types in some rules via a rule generator, similar to the one on https://developer.apple.com/password-rules/ but more detailed. You can select which character classes you want to be "required" / "allowed". We could also integrate a function like the one discussed in #80. The user also has to add a screenshot, which verifies the password rules they typed in.

After filling out the form, the user submits this information. The client sends it to the server, which creates a new branch on the GitHub Bot's repo, commits this information (added, in sorted order, to the latest password-rules.json from the apple repo's master branch) and also creates a PR on the original repo. Then, as soon as the PR gets closed / merged, the branch on the GitHub Bot will be deleted.

Of course, the web interface is also easily extendable to other functions like shared-credentials and all the cool stuff this repo gains in the future!

Questions

1. The Server

Where can we host the server?

2. Standalone

Should this interface stay "standalone" (leaving the code just on the GitHub "Bot") or should it get merged into the apple/password-manager-resources repo?

Progress

This project is already pretty much finished except for the website itself; however, if you want to get involved, just reply in this conversation. I'm a noob at front-end :D

I'm sorry if there are some grammatical mistakes in this text :)

Thanks for reading this!
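The flow described in the comment above (form submission, validation, merge into a sorted password-rules.json, then a bot-authored PR) and the abuse concern raised later in the thread both come down to what the Node.js server does before it touches GitHub. The following is an added example, written for this page and not code from the issue thread, the bot's repo or apple/password-manager-resources. It assumes password-rules.json is an object keyed by domain whose values carry a "password-rules" string (the shape the quirks file uses), parses a simplified subset of Apple's published password-rules grammar (minlength, maxlength, max-consecutive, required/allowed with comma-separated character classes or a custom [..] class), refuses anything outside it, rejects duplicate or non-host domains, and applies a per-IP fixed-window limit of the kind cljazouli suggests further down. All function and variable names are the example's own.

```javascript
'use strict';

// Added example, not code from the issue thread or from either repository.
// Assumptions: password-rules.json is an object keyed by domain, each value
// holding a "password-rules" string; the grammar below is a simplified subset
// of Apple's password-rules syntax.

const CHARACTER_CLASSES = new Set([
  'lower', 'upper', 'digit', 'special', 'ascii-printable', 'unicode',
]);

// Parse a password-rules string, throwing on anything the grammar does not
// permit, so malformed or junk submissions never reach a pull request.
function parsePasswordRules(text) {
  const rules = { required: [], allowed: [] };
  const props = String(text).split(';').map((s) => s.trim()).filter(Boolean);
  if (props.length === 0) throw new Error('empty rule');
  for (const prop of props) {
    const idx = prop.indexOf(':');
    if (idx < 0) throw new Error(`missing ':' in "${prop}"`);
    const name = prop.slice(0, idx).trim().toLowerCase();
    const value = prop.slice(idx + 1).trim();
    if (name === 'minlength' || name === 'maxlength' || name === 'max-consecutive') {
      if (!/^\d+$/.test(value)) throw new Error(`${name} must be a non-negative integer`);
      rules[name] = Number(value);
    } else if (name === 'required' || name === 'allowed') {
      for (const cls of value.split(',').map((s) => s.trim())) {
        const custom = /^\[[^\[\]]+\]$/.test(cls); // custom class such as [-_.]
        if (!custom && !CHARACTER_CLASSES.has(cls)) {
          throw new Error(`unknown character class "${cls}"`);
        }
        rules[name].push(cls);
      }
    } else {
      throw new Error(`unknown property "${name}"`);
    }
  }
  if (rules.minlength !== undefined && rules.maxlength !== undefined
      && rules.minlength > rules.maxlength) {
    throw new Error('minlength exceeds maxlength');
  }
  return rules;
}

// Accept only a bare host name: no scheme, port, path or userinfo, lower-cased
// so that "Example.com" and "example.com" cannot become two entries.
function normalizeDomain(input) {
  const host = String(input).trim().toLowerCase();
  const label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
  const hostRe = new RegExp(`^(?=.{1,253}$)(?:${label}\\.)+[a-z]{2,63}$`);
  if (!hostRe.test(host)) throw new Error(`invalid domain "${input}"`);
  return host;
}

// Fixed-window limiter keyed by client IP. The injected clock keeps it testable.
class RateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map();
  }

  allow(ip) {
    const t = this.now();
    let bucket = this.buckets.get(ip);
    if (!bucket || t - bucket.start >= this.windowMs) {
      bucket = { start: t, count: 0 };
      this.buckets.set(ip, bucket);
    }
    if (bucket.count >= this.limit) return false;
    bucket.count += 1;
    return true;
  }
}

// Return a new rules object with the submission added and keys sorted, so the
// commit the bot produces is a minimal, reviewable diff. Existing entries are
// not silently overwritten; changing one should be a deliberate PR.
function mergeRule(existing, domain, ruleText) {
  parsePasswordRules(ruleText);
  const host = normalizeDomain(domain);
  if (Object.prototype.hasOwnProperty.call(existing, host)) {
    throw new Error(`${host} already has a rule`);
  }
  const merged = { ...existing, [host]: { 'password-rules': String(ruleText).trim() } };
  return Object.fromEntries(Object.keys(merged).sort().map((k) => [k, merged[k]]));
}

// The single entry point a form handler would call before touching GitHub.
function handleSubmission(limiter, existing, { ip, domain, rule }) {
  if (!limiter.allow(ip)) return { ok: false, error: 'rate limited' };
  try {
    return { ok: true, json: mergeRule(existing, domain, rule) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample data: a two-entry stand-in for password-rules.json.
const SAMPLE_RULES = {
  'zed.example': { 'password-rules': 'minlength: 6;' },
  'mid.example': { 'password-rules': 'minlength: 8; required: digit;' },
};

if (typeof require !== 'undefined' && require.main === module) {
  const limiter = new RateLimiter(3, 60 * 60 * 1000);
  const result = handleSubmission(limiter, SAMPLE_RULES, {
    ip: '198.51.100.7',
    domain: 'Alpha.Example',
    rule: 'minlength: 8; required: lower, upper; allowed: [-_];',
  });
  console.log(JSON.stringify(result, null, 2));
}
```

The limiter counts attempts rather than accepted submissions, so a client that keeps sending malformed rules is throttled as well; the window size and limit are policy knobs, and a legitimate bulk contributor (the case raised later in the thread) is better served by the GitHub sign-in path than by a looser anonymous limit.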

igor-makarov commented 4 years ago

I'm thinking that letting a bot account open the PRs may leave the repo open for abuse.

Right now, there's no shortage of PRs and I think the maintainers would prefer it be kept to a trickle.

Perhaps the website needs to authenticate the GitHub user and open the PR in their name?

Juulsn commented 4 years ago

@igor-makarov Well, if someone wants to spam Pull Requests, he can do this with any account.

Furthermore, the goal of this website was to provide a place where people can submit new website rules, even if they can't code. Therefore they probably don't have a GitHub account.

But sure, if there is abuse, we can talk about forcing the user to sign in via GitHub.

igor-makarov commented 4 years ago

@DerJuulsn Spamming using a GitHub account is one thing, spamming using an unauthenticated website is way bigger.

Also, I think that non-developer users would have a hard time formulating the quirks correctly.

@rmondello I think it's critical to use GH auth to reduce the chance of abuse, what do you think?

Juulsn commented 4 years ago

@igor-makarov well, I still don't really agree :/

Hm, that's what the website is for. You just have to "select" whether e.g. upper-case letters are required in the password.

igor-makarov commented 4 years ago

@DerJuulsn could you please post the website preview link possibly? Or DM it to me on Twitter? I wanna see what the UI looks like.

The reason I'm asking is that most password managers already use upper/lower mix anyway.
A non-dev user adding a rule without understanding the purpose of the rule list would be spamming the PRs, even though they might have good intentions.

Juulsn commented 4 years ago

@igor-makarov sure! I'll send you the link in a few hours, still have to figure a few things out ;)

Juulsn commented 4 years ago

@rmondello Hey! Do you have an idea for the server hosting?

rmondello commented 4 years ago

> Right now, there's no shortage of PRs and I think the maintainers would prefer it be kept to a trickle.

Nah! More PRs! Let’s fix password management for everyone! It might take us a little while to catch up (I think we’re mostly caught up right now), but we’re happy to keep vetting this data! And, at some point, I would like some of our most active contributors to be able to do this themselves, directly.

For me, what’s really at play here is that the experience of using such a tool needs to be better than the experience of doing development the “normal” way, including when taking into account the downsides around onboarding and maintenance.

password-manager-resources-bot commented 4 years ago

@rmondello @igor-makarov Hey! I'm happy to announce that the web-interface is now available at this link (sometimes there is a delay of up to 5-10 seconds until the website loads, because the backend server has to start). The web-interface doesn't have a great UI yet, but I hope others, like @cljazouli offered, can contribute to this.

The full source code is available at the bot's repo "password-manager-resources-webinterface". Just create a fork and, ah, you know how it works :)

igor-makarov commented 4 years ago

Looks great!

I think some sort of identification field could be nice (email or something) because right now it's completely anonymous.

cljazouli commented 4 years ago

I think this is a good place to start @rmondello @igor-makarov, there is always room for improvement. Good job @DerJuulsn 👍 .

Juulsn commented 4 years ago

@igor-makarov Thanks! @cljazouli just refreshed the UI, so take a look :) Sure.

@cljazouli Thank you!

igor-makarov commented 4 years ago

@DerJuulsn perhaps add an email field?

Juulsn commented 4 years ago

@igor-makarov Hmm, and then? Do you want to post it in the pull request comments? I have some privacy complaints about that.

igor-makarov commented 4 years ago

You have a point about that. Let's hope the repo doesn't get spammed 😂

cljazouli commented 4 years ago

@DerJuulsn @igor-makarov You guys can restrict the number of entries per IP per hour

Juulsn commented 4 years ago

@cljazouli I also thought about that as well, but what if someone wants to add a bunch of websites?

Juulsn commented 4 years ago

Well, on the other side, if you contribute on Wikipedia for example, they will post your IP address if you aren't logged in. We could do this as well and add a script which allows closing all PRs with a commit message which contains such an IP address. An IP address isn't as easy to abuse as a mail address, I think. Apart from a DDOS attack :)

We should just add a warning to the website like, "please use a firewall to prevent abuse, because your private IP address will be made public" haha

Juulsn commented 4 years ago

@rmondello Hey :) Are you happy with the current state of the interface? Is there anything you want to be changed or added?

Cldfire commented 4 years ago

I really like the idea here. Making it easier for the everyday person to see a need for a quirk on a site and go straight to suggesting that we add it here is an awesome idea!

Here are my thoughts:

Thank you @DerJuulsn for all the work you've put into this so far, it really is a fantastic concept 😊

Juulsn commented 3 years ago

Hey @Cldfire, I agree on all points with you! I'll look into it in the following weeks. Sorry for responding so late, I got a little disturbed over the last few months.

Thanks!