thesephist / zone

A URL shortener / note sharing service.
https://linus.zone
MIT License

Feature Request: Password protection for individual page #1

Closed blackary closed 5 years ago

blackary commented 5 years ago

So that, for example, someone couldn't make /source go to whatever url they wanted to just by adding a "new record" with that id...

thesephist commented 5 years ago

Yeah... so this is a bad attempt at security by obscurity, since I haven't had the time to add this feature but it's definitely necessary :) and I've thought about it.

Basically, the change that would be required is:

There's also a world in which we could also add password-protected reads -- so hide a note behind a password, but that feels like feature creep for such a minimal tool by design.

This will be on my todos, but that list is quite a long one at least until the semester ends, so feel free to take a stab at a PR if you have time, haha.

thesephist commented 5 years ago

Took a stab at a solution in 8af944ddcbe3b823b74a4b1161e6bb1f6dc2e369

Now, you can optionally set a password when you either 1) create a new record or 2) edit a record that didn't have a password before. These records with passwords are referred to as "locked". (there isn't a way to change the password yet... not sure if that'll be necessary)

Passwords are salted and saved as SHA256 hashes. Keep in mind that they're plaintext in transit, so you'll really want to use HTTPS if you plan on using passwords.

When a record is "locked" with a password, you won't be able to update its contents unless you also enter in the same password to update it. If your browser has JavaScript enabled, the UI will helpfully tell you that the password is required, if you put in an ID that is password-protected in the ID field.

@blackary, this is now deployed on linus.zone and a few of the more popular URLs for me like /source, /in, and /projects should be password-protected. Let me know your thoughts!
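
The locking behaviour described in the comment above, sketched as an added example that is not part of the thread or of the zone code base: an optional password locks a record on create or on first edit, and later updates must present it. The in-memory store, the function names and the return shape are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not code from the zone repository.
const crypto = require('node:crypto');

// id -> { content, salt, hash }; in-memory stand-in for real storage (assumption)
const records = new Map();

// Salted SHA-256, as the thread describes. A random per-record salt keeps
// identical passwords from producing identical stored hashes.
function hashPassword(password, salt) {
    return crypto.createHash('sha256').update(salt).update(password, 'utf8').digest();
}

// True when the record exists and has a password set ("locked").
function isLocked(id) {
    const rec = records.get(id);
    return Boolean(rec && rec.hash);
}

// Create or update a record. Returns { ok, reason }.
function saveRecord(id, content, password = '') {
    const existing = records.get(id);
    if (existing && existing.hash) {
        // Locked record: the caller must present the original password.
        const candidate = hashPassword(password, existing.salt);
        // Constant-time comparison; both buffers are 32-byte digests.
        if (!crypto.timingSafeEqual(candidate, existing.hash)) {
            return { ok: false, reason: 'password required' };
        }
        existing.content = content;
        return { ok: true, reason: 'updated locked record' };
    }
    // New record, or an existing unlocked one: a supplied password locks it.
    const rec = { content, salt: null, hash: null };
    if (password !== '') {
        rec.salt = crypto.randomBytes(16);
        rec.hash = hashPassword(password, rec.salt);
    }
    records.set(id, rec);
    return { ok: true, reason: rec.hash ? 'saved and locked' : 'saved unlocked' };
}
```

A single SHA-256 round is cheap to brute-force if the stored hashes leak; Node's `crypto.scryptSync(password, salt, 32)` can replace the digest in `hashPassword` without changing the rest of the flow.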

blackary commented 5 years ago

@thesephist I just sat down to look at implementing this myself, but you beat me to it. Looks good to me.

By the way, I'd recommend also password protecting /tutor