Open jancborchardt opened 7 years ago
@jancborchardt Well, you could use the API to invite users to the organization... Also, I am planning on building a small one-file php version that contains only the join page and uses the API.
Yeah I know I could, but I can’t cause I’m not that deep of a developer. ;) And I thought that’s maybe what orgmanager would be useful for too.
There’s no way it could just be using JS? Cause that would be immensely helpful for static pages like ours.
@jancborchardt Not without exposing your Orgmanager token, I think... I mean, if you don't mind exposing your API token, you can make a form, transform output to json and use the API. You might want to take a look at the api docs... http://docs.orgmanager.miguelpiedrafita.com Also, stackoverflow about transforming form output to json: http://stackoverflow.com/questions/11338774/serialize-form-data-to-json
@jancborchardt Maybe a form integration can be possible, but you need a way to keep the bots out, as you can't use your own recaptcha... Ideas?
Could we just embed an iframe with the form?
@simonv3 Chrome and Mozilla disabled iframes for security reasons. Also, iframes are deprecated for lots of security issues.
Huh, when did that happen? I'm fairly sure that sandstorm makes extensive use of iframes, and I use it in Chrome.
Edit: I don't think I see anything here about them being insecure or being disabled: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
@simonv3 You're right. Iframes aren't deprecated. You may want to read about iframe security for pages that embed them. The problem I have is with the server-side validation. Orgmanager tries to prevent bot signups, by providing a captcha on web request or requiring the admin's token on the API. Allowing forms would raise two security issues:
CSRF Protection. Orgmanager uses tokens to prevent Cross Site Request Forgery, and if I allow posting from the outside, I'd have to disable some routes, risking malicious requests.
Bot prevention. As you can't add a dynamic token to static pages, there wouldn't be any bot prevention (or, at least, not any secure bot prevention).
I will make some tests with OrgManager and iframes as soon as I can and report results back.
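The two issues raised in the comment above, shown as an added example that is not part of the thread and is not Orgmanager's code: a generic HMAC form token bound to a session and an expiry, illustrating why a token minted per request works on a dynamic page but not when baked into a static one. The secret, lifetime, session names and timestamp are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; a real server keeps this private
TTL = 600                            # token lifetime in seconds (assumed)


def issue_token(session_id: str, now: float) -> str:
    """Server side: bind a token to one session and an expiry time."""
    expires = int(now) + TTL
    mac = hmac.new(SECRET, f"{session_id}|{expires}".encode(), hashlib.sha256)
    return f"{expires}.{mac.hexdigest()}"


def verify_token(token: str, session_id: str, now: float) -> str:
    """Return 'ok' or the reason the form post is rejected."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return "malformed"
    expected = hmac.new(SECRET, f"{session_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "wrong session or forged"
    if now > expires:
        return "expired"
    return "ok"


def demo() -> dict:
    t0 = 1_700_000_000.0  # constructed timestamp
    # Dynamic page: token minted per visitor when the form is rendered.
    dynamic = issue_token("visitor-A", t0)
    # Static page: the only option is to bake one token in at build time.
    baked = issue_token("build-session", t0)
    return {
        "dynamic page, same visitor": verify_token(dynamic, "visitor-A", t0 + 30),
        "static page, any visitor": verify_token(baked, "visitor-B", t0 + 30),
        "static page, a day later": verify_token(baked, "build-session", t0 + 86400),
        "cross-site post, no token": verify_token("", "visitor-A", t0 + 30),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```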
@jancborchardt Is this still a need? It is the last issue open tagged before v3.0, and now that you linked the join page on the opensourcedesign website, maybe this can be closed...
I'll let @jancborchardt be the judge of that, he created the issue :)
@jancborchardt What do you think?
@jancborchardt @simonv3 I think I'm going to move this to v4 because I want to release v3 this week.
It would really be cool still – as said on https://github.com/orgmanager/orgmanager/issues/56#issuecomment-295370555
That also gets everyone who lands on your page to get involved very quickly. Sure, with a button you could just link to the orgmanager page, but abstracting the whole thing away through just an input field or a button which launches Github auth would be even cooler.
@jancborchardt So then, this can be closed in favour of #56?
@m1guelpf :D I think https://github.com/orgmanager/orgmanager/issues/56 should be closed in favor of this, since this here is much clearer, and the other issue was a completely different one at the start. ;)
It would be really cool if we could put an input field right on the website so people can join directly from there.
cc @m1guelpf @bnvk @simonv3 :)