Feature: Support usernames, with database

[ExtremeScrotumExploder]

I've been looking for something that does authentication for my website and also does username and password, that I can also add my own users. I haven't been able to find it but I'm hoping this issue would be recognized. But there is many questions to this. Let me list a few that I think are applicable.

1. Can a static site with nothing but html and js read DB's? if not, this project's main idea is useless.
2. If there was Javascript code accessing the database, wouldn't that mean anyone can mess with it via the console window?

There are a bunch of issues with this but I am hoping people would help me brainstorm and find a way to add usernames natively without any vulnerabilities.

Thank you for your time, reader!

[robinmoisson]

What purpose do you want the multiple users to have and what would they be able to do?

If you want to connect to a database and interact with dynamic content StatiCrypt probably isn't a great fit. Either you embed the whole DB in the protected file, but then it's accessible by anyone with the password no user restriction (and you might as well embed a big JSON), or you have an external DB and then you want to authenticate the calls to the DB and staticrypt doesn't provide anything specifically for that.

You could password-protect general access to an SPA since it's a single HTML file but that's about it, and your calls to the DB would still need to be protected somehow. So a more traditional architecture might make more sense.

[ExtremeScrotumExploder]

No purpose really, just basic authentication. I have a password that has been leaked one too many times and I am looking for a system that uses username and password authentication. So if a account gets leaked it can be suspended. (or just removed entirely from wherever its stored). This would be useful so I would know where the source of the problem comes from and I get to keep everything centralized.

[robinmoisson]

Ok, I understand it better then. It looks similar to #158, allowing for multiple passwords so they can be invalidated separately. It would be a nice addition but I haven't looked into it yet and do not know if it's doable easily using webcrypto. So it's on the backlog but I don't expect it to come very soon.

The current workaround would be creating multiple encrypted files, each with a different password, and giving a different link to each of your users. That would look like encrypted_john/index.html, encrypted_mary/index.html, etc.

If you have only one file and it's inconvenient to create a new folder each time, I've been thinking about adding an option to pass an output filename instead of an output directory (that way you can have john.html, mary.html, instead of a folder for each). I don't know if that's a real need though, so let me know if that would help.

[ExtremeScrotumExploder]

Yes, I have seen #158 and have thought about passing different output files, but wouldn't fix my issue where I would need to suspend members.

If I just deleted their encrypted_name folder, they could go to their colleague or if Mary here is John's friend, he can just ask to share the password because he forgot his and I am currently unavailable, even though I suspended him from the application that is currently guarded.

I would absolutely love if you added this Username/Password feature, but if you can not, could you recommend me some Authentication similar to my post that I can use for static websites? Thank you very much for your time helping me!

[robinmoisson]

The thing is the problem with password sharing is going to be here independently of the solution you have, adding a username input on top of the password will not change that. Mary could just tell John to use her username as well as her password.

That's why I was asking what would having multiple users change for you: if it's only to have multiple passwords you can revoke independently (and not having the content of the page change dynamically, like saying "Hello John" and loading their specific data) then you're concerned with authorization only, and not authentication. So the combo username+password just acts as a password and you don't actually need the username, just a unique password you can revoke.

I had an idea which would make #158 pretty easy to implement, then you could then have one file which can be unlocked with different password. I don't know yet when I'll implement it.

In the meantime the recommendation if you want to use StatiCrypt is to encrypt your files with different passwords and different output folders (staticrypt test.html -p <john-password> -d john), and then you can send each user their URL https://example.com/john/test.html and their password. In a way the username input becomes the folder in the URL, and you can change the password by re-running the command. (I added this to the README).

---

I that doesn't fit your use case you can use a more traditional method - you can restrict access to pages by configuring apache or nginx, or having your content dynamically loaded or forbidden by using whatever server language you want.

[ExtremeScrotumExploder]

Alright sir, thank you! Even though my problem wasn't resolved your recommendation did help. I will keep this in use!