Add option to have Remember Me chedked by default

robinmoisson / staticrypt

Password protect a static HTML page, decrypted in-browser in JS with no dependency. No server logic needed.

https://robinmoisson.github.io/staticrypt/

MIT License

7.1k stars 431 forks source link

Add option to have Remember Me chedked by default #190

Closed RobLoach closed 9 months ago

RobLoach commented 10 months ago

This introduces a --template-remember-checked option that allows the "Remember me" checkbox to be toggled on by default.

robinmoisson commented 9 months ago

Thanks for the suggestion @RobLoach!

A couple of thoughts that make me hesitate:

since clearing the remember-me is non-trivial (you don't have a logout button and need to know to append #staticrypt_logout to the url, which as a user you won't know about) I think it's somewhat risky to have the Remember-me checked by default, since you can end up staying "logged-in" and having no idea how to logout
it's a bit late since we already have 20-ish CLI flags but if possible I'd want to keep the list relatively tight to make the tool simpler to use, and make sure to have clear reasons to add new ones

Could you share more about what use cases you have in mind for that option?

RobLoach commented 9 months ago

Largest motivation for the option is so that people unfamiliar with the tool don't constantly get asked to re-input the password if they miss seeing the checkbox.

Happy to keep the amount of options to a minimum. In order to save having to add another option, we could support using a negative number in the remember me expiration time.

-5 would indicate remember me for 5 days, with a default for the checkbox being toggled.

robinmoisson commented 9 months ago

Thanks for detailing the use case @RobLoach.

So where I stand so far is that it's a potentially dangerous option for people who didn't think it through, because it can lead to having the file auto-decrypted unintentionally and not knowing how to turn it off and that feels like a pretty big deal. I'd think that if the user doesn't see the checkbox the first few times, either they don't mind entering the password each time or they'll be frustrated enough that they'll read the password prompt enough to find the checkbox - it's a pretty standard pattern after all.

I feel like the drawbacks outweigh the benefits so I don't think it should be included in the CLI options. And if someone thought it through and really wants it they can always edit the password_template to make the checkbox checked by default.

Thanks for the PR and the suggestion nonetheless!