kanishka-linux / reminiscence

Self-Hosted Bookmark And Archive Manager
GNU Affero General Public License v3.0

Way to save bookmark via Javascript bookmark #51

Open GraysonAdams opened 4 years ago

GraysonAdams commented 4 years ago

Bookmarking should be a quick and easy task.

To have to navigate to Reminiscence and paste in the URL is a lot of labor, especially on mobile.

Is there a solution in place for this that I did not see, or is this something that could be added at some point?

s3h10r commented 4 years ago

For Firefox & Chromium there are AddOns available. On (mobile) platforms like iPad/iPhone it should be relatively easy to use something like Pythonista and using the REST-API provided by Reminiscence to quickly build a "share with reminiscence instance"-functionality imho.

s3h10r commented 4 years ago

Hi,

anyone working on this or/and has any suggestions?

For me working with the existing FF/Chrome-Extension works fine on any Desktop (Linux,Mac,Windows). On iOS i use a dirty Pythonista-Script to call via iOS-Apps 'share with...'-menu - but on Android mobiles i am stuck at the moment. :-/

It would be great if a more generic solution could be implemented directly into Reminiscence.

What are you guys thinking about implementing it as a Bookmarklet? IMHO asking the user for giving his/her user-credentials somewhere else than on the (trusted) login-page of the app (for making the requests to get the AuthToken) is not rly user-friendly.

So i am thinking about allowing (Browser-)Session-based Auth beside the Token-based one. That's for example how Twitter allows sending Tweets. Very easy to use and transparent for users - the user just needs to authenticate via Browser to the frontend (Session) and to call the Bookmarklet (which posts the url to the Application via HTTP-GET).

Wrote a quick patch (f6a4ad144a92054e920f7d065cafe11229a11f88) to try this out:

  1. [x] allow Session-Auth as Auth-method for API-Calls too (config-change: REST_FRAMEWORK DEFAULT_AUTHENTICATION_CLASSES) (this allows to talk to the API without token if the user is logged in via same webbrowser-session)

  2. [x] allow HTTP-GET-Request for add-url API-calls, e.g. : http://127.0.0.1:800/restapi/add-url?url=<url>&directory=AddToReminiscence (allows testing without having clumsy bookmarklet/js-code ready yet and is also a handy solution for manual adding without one)

  3. [ ] provide a simple bookmarklet-code (+ doc how to use it, especially on mobile-devices (iOS, Android))

Your suggestions in refining this would be cool. Same if someone is already working on an even simpler solution and wants to discuss / share it of course. Thx!

Greetings, Sven

kanishka-linux commented 4 years ago

Hi,

> asking the user for giving his/her user-credentials

Yeah.. to be honest.. I'm also not fan of sending username/password via browser extensions. But I'm also wary of any extension which tries to read session information :)

So, I think token based auth is still better..

What I was thinking of earlier is, giving a way to generate tokens via Reminiscence frontend for a fixed expiry time, which then can be used within extension.. so that there won't be any need to input username/password inside extension. OR we can also think of using JWT, in case we need more security.

I'm open to suggestions though, for any flexible, convenient and secure auth based system for developing extensions.

> On iOS i use a dirty Pythonista-Script to call via iOS-Apps 'share with...'-menu

that's cool. If possible can you share link to the snippet/instructions? I'll add it to the browser addons wiki, in case anyone needs it.

> Android mobiles i am stuck at the moment.

I'm also not good with android development.. So I'm also not sure how to solve the issue here..

Anyway thanks for starting the initiative, Sven.

I'll also try to look into the issue whenever possible.

s3h10r commented 4 years ago

Hi,

thanks for your reply. Just to clarify in case there is a misunderstanding about the bookmarklet approach i had in mind - it's conceptually straightforward / simple:

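```javascript
// --- bookmarklet-AddToReminiscence POC/WIP
(function () {
    // Open the add-url endpoint in a new tab; the browser attaches the session cookie itself.
    // encodeURIComponent keeps '&', '#' and '?' in the page URL from breaking the query string.
    window.open(
        `http://localhost/restapi/add-url/?url=${encodeURIComponent(document.location.href)}&directory=AddToReminiscence`
    );
})();
```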

> But I'm also wary of any extension which tries to read session information :)

No need to do any complicated javascript-foo to interfere with the Session here (see above demo-code) - handling the Session is completely done by the webbrowser, isn't it? Using session-auth is also supported by the Django-REST-Framework out-of-the-box, so it's well tested. And it's already used to log into the app - so what is lost?

> What I was thinking of earlier is, giving a way to generate tokens via Reminiscence frontend for a fixed expiry time, which then can be used within extension.. so that there won't be any need to input username/password inside extension.

Any Browser-Extensions & hacks (like mine for iOS) for browsers which support bookmarklets would be obsolete if we implement it as a Bookmarklet using Session-Auth i hope (at least that's the idea - i may be terribly wrong, wouldn't be the first time ;). Anyways: producing valid Tokens with expiry time over the frontend would be great in lots of cases imho - i personally don't feel so good to have to use user-credentials in scripts which are calling the API too.

The UX i thought of (and updated the patch accordingly) is: when the bookmarklet is called (a one-click operation) it opens a new tab where the currently visited page is transmitted to the API (or prepopulates an add-url-view).

  1. [x] provide a simple bookmarklet-demo-code (/static/bookmarklet/index.html)

[Screenshot: bookmarklet-usage]

example-results (success):

[Screenshot: bookmarklet-result]

Of course this is only my opinion / suggestion. Not grumpy if you disagree :)

> I'll also try to look into the issue whenever possible.

Cool! Looking forward to a solution which makes it into vanilla.

> > On iOS i use a dirty Pythonista-Script to call via iOS-Apps 'share with...'-menu
>
> that's cool. If possible can you share link to the snippet/instructions? I'll add it to the browser addons wiki, in case anyone needs it.

Of course. I'll put it on github the next days if you/anybody is interested.

> Anyway thanks for starting the initiative, Sven.

Thank you for your awesome work. I use Reminiscence nearly every day since months and am very happy with it! :)

kanishka-linux commented 4 years ago

I think, I don't know much about bookmarklet and I think I still have some confusion around DRF's session based auth. Will check about it in weekends.. Thanks for detailed explanation.

> I use Reminiscence nearly every day since months and am very happy with it

It is really great to read that you are using it regularly, awesome :)

s3h10r commented 4 years ago

FYIO : put the iOS/Pythonista-Hook here https://github.com/s3h10r/sharewith-iOS

s3h10r commented 4 years ago

Hi, i started a version of the bookmarklet-idea which doesn't require the discussed API change here. It's just a Django-App which can be plugged into reminiscence without needing to patch it. I thought that's maybe better than code-changes? it provides 3 simple new views:

bookmarklet/         : shows doc
bookmarklet/get      : returns the bookmarklet (javascript)
bookmarklet/add-url/ : adds given url to the reminiscence-instance
                       (called by the bookmarklet, can also be used manually (HTTP-GET))

source: https://github.com/s3h10r/reminiscence-bookmarklet

Greetings, Sven

kanishka-linux commented 4 years ago

Hi,

For the bookmarklet idea, there are a couple of issues:

  1. Using GET method to modify resources or changing state at the backend is not recommended as per REST guidelines

  2. If DRF is using session based auth, then for every ajax style call, one needs to pass csrf token too, since csrf has been enabled at the backend. Sending links via bookmarklet is still a cross-site request.. So I don't think it will be a secure way to send links to reminiscence instance in this manner.

Anyway, Thanks for iOS/Pythonista-Hook.., updated the wiki. :)
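Added example, not part of the thread or of Reminiscence's code: a simplified Python model of the point raised in the comment above, that a CSRF check which exempts safe methods does not protect a state-changing GET under session auth. The `Request` class, the `add_url` view, its status codes and the sample requests are constructed for illustration; the real Django/DRF check is more involved.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Methods Django's CSRF check treats as safe and lets through without a token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Request:
    method: str
    session_user: Optional[str]  # set when the browser attached a valid session cookie
    csrf_cookie: str = ""
    csrf_header: str = ""        # X-CSRFToken; another origin cannot read the cookie to copy it
    params: dict = field(default_factory=dict)

def csrf_ok(req: Request) -> bool:
    """Simplified double-submit check: only unsafe methods need a matching token."""
    if req.method in SAFE_METHODS:
        return True
    return bool(req.csrf_cookie) and hmac.compare_digest(req.csrf_cookie, req.csrf_header)

def add_url(req: Request, allow_get: bool, store: list) -> int:
    """Hypothetical add-url view; returns the HTTP status it would answer with."""
    if req.session_user is None:
        return 401
    if req.method != "POST" and not (allow_get and req.method == "GET"):
        return 405
    if not csrf_ok(req):
        return 403
    store.append((req.session_user, req.params["url"]))  # the state change
    return 201

def demo() -> dict:
    """Run three constructed requests against the GET-enabled and the POST-only view."""
    link = {"url": "https://example.org/page"}
    cases = {
        # Navigation started from another site: cookie attached, no CSRF header.
        "cross_site_get": Request("GET", "sven", csrf_cookie="t0k", params=link),
        "cross_site_post": Request("POST", "sven", csrf_cookie="t0k", params=link),
        # Request from the app's own page, which can read the cookie and echo it.
        "own_page_post": Request("POST", "sven", "t0k", "t0k", link),
    }
    out = {}
    for label, allow_get in (("get_enabled", True), ("post_only", False)):
        store = []
        out[label] = {name: add_url(r, allow_get, store) for name, r in cases.items()}
        out[label]["stored"] = len(store)
    return out
```

With GET enabled, the request that carries no CSRF token still stores a bookmark; with POST only, the same request is refused before any state changes.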

s3h10r commented 4 years ago

Hi, okidoki, thanks for thinking about it! :) Looking forward to what solution makes it into vanilla.