danielo515 / tiddlypouch

20 stars, 9 forks

Optionally store credentials #69

Open danielo515 opened 7 years ago

danielo515 commented 7 years ago

At first I didn't want to store the credentials in the password vault, for two reasons:

However, it's happening to me that 99% of the time I am using the same remote database, and those times that I access different databases I often do it with the same user and password. Because we don't store credentials, it is required to log in each time you want to sync changes. This is unpleasant and annoying.

I think the best option is to store credentials by default (a cookie when possible) and provide an option to NOT store them.

elliott5 commented 7 years ago

Agreed. For non-technical users, having to keep typing their user/password would discourage them using this innovative system.

diego898 commented 6 years ago

just wanted to bump this one!

danielo515 commented 6 years ago

I just want you to know that this is almost done. With the latest we are storing the username and password. However, from the configuration panel only username can be configured. Password is only stored if using the new login system I'm working on. Also username is not automatically picked on login, so we can consider this 70% complete :smile:

schnittchen commented 3 years ago

This got me so frustrated I wrote a very kludgey workaround: a javascript tiddler that would try to refresh the couchdb session every 8 minutes. It takes the credentials from localStorage, simply because that's easier to handle than cookies.

It sometimes fails to refresh the connection early enough on initial load of the page, which is solved by a reload. And it looks like (some?) browsers throw away localStorage content unless the page is installed as a "PWA", simply adding a manifest.json and installing it on the home screen works around that.

So, it's quirky, but reduces the pain significantly. If anyone is interested in it I can paste it here or link to it.

elliott5 commented 3 years ago

It's certainly a quirky workaround, but could be very useful in some contexts.

So well worth sharing here @schnittchen, as a gift to posterity.

schnittchen commented 3 years ago

EDIT: Storing your credentials in the client like this is insecure if the content you load from the domain cannot be fully trusted!

The main part is this tiddler of type application/javascript with module-type=startup:

(function(){
  // Re-create the CouchDB session from the values kept in localStorage.
  // NOTE: anything stored here is readable by any script running on this origin.
  var createSession = function() {
    var couch = window.localStorage.getItem("stay-signed-in-couchdb-url");   // must end with a slash
    var creds = window.localStorage.getItem("stay-signed-in-couchdb-creds"); // "name=...&password=...", URL-encoded

    if (!creds || !couch) { return; }

    console.log("stay-signed-in-couchdb: creating session");

    // POST /_session makes CouchDB set (or renew) its AuthSession cookie.
    // withCredentials is required so the cookie is accepted and sent cross-origin.
    var request = new XMLHttpRequest();
    request.withCredentials = true;
    request.open('POST', couch + "_session", true);
    request.setRequestHeader('Content-type','application/x-www-form-urlencoded; charset=UTF-8');
    request.send(creds);
  };

  createSession();
  setInterval(createSession, 480000); // every 8 minutes, shorter than CouchDB's default session timeout of 600 s

  // $tw.rootWidget does not exist yet when startup modules run, so wait for the UI
  // before registering the message handlers used by the settings tiddler below.
  setTimeout(function(){
    $tw.rootWidget.addEventListener('stay-signed-in-couchdb-set-url', function (e) {
      window.localStorage.setItem("stay-signed-in-couchdb-url", e.param);
    });
    $tw.rootWidget.addEventListener('stay-signed-in-couchdb-set-creds', function (e) {
      window.localStorage.setItem("stay-signed-in-couchdb-creds", e.param);
    });
  }, 7000);
})();

This tiddler then helps saving the data to localStorage:

<label>The couchdb URL (with a trailing slash):
<$edit-text tiddler="$:/temp/stay-signed-in-couchdb/url" tag="input" default=""/>
</label>
<$button>
<$action-sendmessage $message="stay-signed-in-couchdb-set-url" $param={{$:/temp/stay-signed-in-couchdb/url}}/>
Store in browser
</$button>

<label>The couchdb credentials (URL-encoded):
<$edit-text tiddler="$:/temp/stay-signed-in-couchdb/creds" tag="input" default="name=NAME&password=PASSWORD"/>
</label>
<$button>
<$action-sendmessage $message="stay-signed-in-couchdb-set-creds" $param={{$:/temp/stay-signed-in-couchdb/creds}}/>
Store in browser
</$button>

schnittchen commented 3 years ago

As mentioned, some browsers wipe localStorage quite often under normal circumstances (I experienced this on mobile). A manifest.json and installing on the home screen seems to help. Noteself already serves a manifest.json; if you self-host, place this next to your tiddlywiki html file:

{
  "background_color": "#000",
  "scope": "the url to your wiki, but only the directory part",
  "display": "standalone",
  "icons": [
    {
      "src": "icon.png",
      "sizes": "256x256",
      "type": "image/png"
    }
  ],
  "name": "My TiddlyWiki",
  "orientation": "any",
  "short_name": "My TiddlyWiki",
  "theme_color": "#f7c48a"
}

danielo515 commented 3 years ago

Hello, I appreciate the write-up and especially the code. But keeping the session is something that is the responsibility of the server side. This is more than possible by having the server set an HttpOnly cookie, which is not readable by the client. Storing a token in local storage is a security vulnerability, not to mention storing plain credentials; that is the equivalent of putting a post-it on your laptop with your session password. People tend to think that if nobody but you is opening your wiki then it is fine, but XSS attacks and code injections are more common than people think. For those reasons, neither tiddlypouch nor noteself will ever store credentials client side. I may offer help configuring servers to do a proper cookie setup, but will not implement this on the client side.

Regards

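
The following is an added example, not code from tiddlypouch, noteself or anyone in this thread, showing what the server-side cookie setup described above looks like in practice and how to check it. It assumes CouchDB's documented `AuthSession` cookie (set by `POST /_session`, re-issued on later requests) and the `[chttpd_auth]` settings `allow_persistent_cookies` and `timeout` (`[couch_httpd_auth]` on CouchDB 2.x); the sample responses are constructed to match the shapes in the CouchDB documentation. With that in place the wiki never holds the password: it only asks `GET /_session` whether the browser's cookie is still valid and shows the login form when it is not.

```javascript
// Added example (not tiddlypouch/noteself code): verify that a CouchDB /_session login
// answers with a cookie the browser will keep, so the wiki does not have to store credentials.
//
// Server side, CouchDB local.ini (assumed layout):
//   [chttpd_auth]                    ; [couch_httpd_auth] on CouchDB 2.x
//   allow_persistent_cookies = true  ; adds Max-Age so the cookie survives a browser restart
//   timeout = 86400                  ; session lifetime in seconds (default 600)
// CouchDB then replies to POST /_session with a header such as
//   Set-Cookie: AuthSession=...; Version=1; Path=/; HttpOnly; Secure; Max-Age=86400
// (Secure only over HTTPS, Max-Age only with allow_persistent_cookies).

// Parse one Set-Cookie header into { name, value, attrs }; attribute names are lower-cased,
// flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit the AuthSession cookie CouchDB set. overHttps: whether the wiki is served over HTTPS.
// maxLifetimeSeconds: the longest session you are willing to accept.
// Returns an array of findings; an empty array means the cookie setup looks right.
function auditAuthSessionCookie(setCookieHeader, { overHttps, maxLifetimeSeconds = 7 * 86400 }) {
  const findings = [];
  const c = parseSetCookie(setCookieHeader);
  if (c.name !== 'AuthSession') {
    findings.push(`unexpected cookie name "${c.name}"`);
    return findings;
  }
  if (!c.attrs.httponly) findings.push('missing HttpOnly: page scripts (and any XSS payload) can read the session');
  if (overHttps && !c.attrs.secure) findings.push('missing Secure: the cookie may be sent over plain HTTP');
  if (c.attrs['max-age'] === undefined) {
    findings.push('no Max-Age: session cookie only, cleared on browser exit (allow_persistent_cookies = false)');
  } else {
    const maxAge = Number(c.attrs['max-age']);
    if (!Number.isFinite(maxAge) || maxAge <= 0) findings.push(`bad Max-Age "${c.attrs['max-age']}"`);
    else if (maxAge > maxLifetimeSeconds) findings.push(`Max-Age ${maxAge}s exceeds the ${maxLifetimeSeconds}s you allow`);
  }
  if (c.attrs.path !== '/') findings.push(`Path is "${c.attrs.path}" rather than "/"`);
  return findings;
}

// Client side: instead of keeping the password, ask CouchDB who the cookie belongs to.
// sessionBody is the JSON object GET /_session returns.
// Returns the logged-in user name, or null when the user has to log in again.
function loggedInUser(sessionBody) {
  const ctx = sessionBody && sessionBody.userCtx;
  return ctx && typeof ctx.name === 'string' && ctx.name.length > 0 ? ctx.name : null;
}

// Browser usage (assumes the wiki and CouchDB share an origin, or CORS allows credentials):
//   const r = await fetch(couchUrl + '_session', { credentials: 'include' });
//   if (loggedInUser(await r.json()) === null) showLoginForm(); // one POST to _session, then the cookie does the rest

// Constructed samples, shaped like the CouchDB documentation's /_session examples.
const SAMPLE_GOOD = 'AuthSession=cm9vdDo1MEJCRkYwMjq0LO0ylOIwShrgt8y-UkhI-c6BGw; Version=1; Path=/; HttpOnly; Secure; Max-Age=86400';
const SAMPLE_DEFAULT = 'AuthSession=cm9vdDo1MEJCRkYwMjq0LO0ylOIwShrgt8y-UkhI-c6BGw; Version=1; Path=/; HttpOnly';
const SAMPLE_SESSION_ANON = { ok: true, userCtx: { name: null, roles: [] }, info: { authentication_db: '_users' } };
const SAMPLE_SESSION_USER = { ok: true, userCtx: { name: 'alice', roles: [] }, info: { authenticated: 'cookie' } };

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(auditAuthSessionCookie(SAMPLE_GOOD, { overHttps: true }));    // []
  console.log(auditAuthSessionCookie(SAMPLE_DEFAULT, { overHttps: true })); // missing Secure, no Max-Age
  console.log(loggedInUser(SAMPLE_SESSION_ANON), loggedInUser(SAMPLE_SESSION_USER)); // null alice
}
```

To check a real server, run `curl -i -X POST -d 'name=USER&password=PASS' https://couch.example/_session` (hostname assumed) and feed the `Set-Cookie` line to `auditAuthSessionCookie`; with the default `timeout = 600` and no `allow_persistent_cookies` you get the "no Max-Age" finding, which is exactly the short-lived session the workaround above was fighting.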

schnittchen commented 3 years ago

Thank you, I should have put a warning atop it initially. I added a warning just now.

As I said this is not a proper solution. Your help with a secure way of keeping signed in to the couchdb would be appreciated a lot.