singularityhub / singularityhub.github.io

Container tools for scientific computing! Docs at https://singularityhub.github.io/singularityhub-docs
https://singularityhub.github.io

Ability to browse a user's collections without authenticating #161

Closed eburgueno closed 5 years ago

eburgueno commented 5 years ago

Feature-request for Singularity Hub

It would be great if I could share a link to all of the collections that I am creating, without demanding authentication.

Right now, the link to my collections is behind GitHub auth, which by default demands "the keys to the kingdom". This is unnecessary for a casual user that just wants to browse what others have done. In fact, browsing a collection directly does not require authentication (example).

vsoch commented 5 years ago

Done! The code is updated, and I'll get this live when we have the next server certificates update. That looks like it won't be for a couple of months, but rest assured it's coming :)

vsoch commented 5 years ago

All set! Look at this beautiful profile page that I can see without being logged in :P

https://www.singularity-hub.org/u/vsoch

Thanks for your patience!

eburgueno commented 5 years ago

Hi @vsoch, it seems that the latest release introduced a regression because I can no longer browse profile pages without logging in :(

vsoch commented 5 years ago

That’s not a regression - all views now require login. Are you using the page to share containers with others? What I’d consider doing is lifting the login requirement but rate limiting the page. Let me know your thoughts.

eburgueno commented 5 years ago

Yes, we advertise it in our GitHub org, but we don't expect a massive surge of visitors :)

I truly believe that you get more value out of showing newcomers what collections are available than ring-fencing the hub only to those who use it for publishing images. Forcing a casual user to authenticate with their GitHub credentials and authorize the OAuth application to access their repositories, just so that they can browse what's available seems too onerous to me.

But I totally understand the challenges you have ensuring a sustainable service. Rate-limiting the page should be definitely fine.

vsoch commented 5 years ago

It was an oversight on my part to forget about this issue (sorry about that!). My incentive was, after the malicious pulls, to do my best to hide the containers that were available on Singularity Hub. I've opened up the profile again for anonymous access: e.g., try https://singularity-hub.org/u/vsoch in a browser where you aren't logged in, and the rate limit is 25 views per day. If we start to see bulk pulls from known groups of collection owners I'll need to close it up again, but I agree that some visibility is okay.

vsoch commented 5 years ago

The views for containers themselves will still need login. This shows metadata and sizes, so I don't want to open it up for non-authenticated viewing.

eburgueno commented 5 years ago

Security and sustainability are often at odds with usability, so finding the balance is hard! You're doing a great job at walking the fine line between both sides.

I am happy with the new settings and hiding the containers themselves behind authentication seems reasonable. Thank you for the incredibly fast implementation!

vsoch commented 5 years ago

Thanks! Always a pleasure @eburgueno.