💾 Archived View for gemi.dev › gemini-mailing-list › 000480.gmi captured on 2024-05-12 at 16:07:27. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

User authentication approaches

1. Steve Lord (steve (a) rawhex.com)

Hi all, long time lurker, first time caller.

I was wondering how/if people are handling user authentication? I 
recognise that certificates could probably work, but these would 
authenticate a device rather than person. If the person loses the cert I 
imagine recovery would be difficult.

Is this a problem that has already been solved and my grep-fu on the 
gemini archive is just too weak? Has anyone implemented user 
authentication on any Gemini tools? I had a look at flounder's code on 
sourcehut but using the web to do user stuff on Gemini seems a little counterintuitive.

I just wanted to see if it's possible before I start writing stuff. It's 
not unreasonable for Gemini to do things differently to the web. We just 
have to change our thinking to match.

Cheers,
Steve


2. Drew DeVault (sir (a) cmpwn.com)

On Thu Nov 19, 2020 at 11:21 AM EST, Steve Lord wrote:
> I was wondering how/if people are handling user authentication? I
> recognise that certificates could probably work, but these would
> authenticate a device rather than person. If the person loses the cert I
> imagine recovery would be difficult.

I think we should normalize having to take care of your certificates,
and user agents should provide easy tools for doing so. Certs are much
better than, say, username & password.

If it becomes a problem in practice, perhaps we could do something like
handling certificate resets over email, similar to password resets are
done on the web.

Or you could just get in touch with the owner of the capsule if you get
locked out. Gemini is small and the human touch is still there, and I'll
be happy if we can hold the cold, unfeeling machine-governed
interactions at bay for a bit longer.


3. Julien Blanchard (julien (a) typed-hole.org)

On 19/11/2020 17:21, Steve Lord wrote:
> Hi all, long time lurker, first time caller.
> 
> I was wondering how/if people are handling user authentication? I 
> recognise that certificates could probably work, but these would 
> authenticate a device rather than person. If the person loses the cert I 
> imagine recovery would be difficult.
> 
> Is this a problem that has already been solved and my grep-fu on the 
> gemini archive is just too weak? Has anyone implemented user 
> authentication on any Gemini tools? I had a look at flounder's code on 
> sourcehut but using the web to do user stuff on Gemini seems a little counterintuitive.
> 
> I just wanted to see if it's possible before I start writing stuff. It's 
> not unreasonable for Gemini to do things differently to the web. We just 
> have to change our thinking to match.
> 
> Cheers,
> Steve
> 

The only example I know of is gemini://astrobotany.mozz.us/ which uses 
a user certificate for authentication and it works pretty nicely.


4. colecmac (a) protonmail.com (colecmac (a) protonmail.com)

> The only example I know of is gemini://astrobotany.mozz.us/ which uses
> a user certificate for authentication and it works pretty nicely.

Astrobotany also supports setting a password to change certs if needed, which
I think is pretty relevant here. Not really sure how it works though, maybe
Mozz can chime in.


makeworld


5. Michael Lazar (lazar.michael22 (a) gmail.com)

On Thu, Nov 19, 2020 at 1:11 PM <colecmac at protonmail.com> wrote:
>
> > The only example I know of is gemini://astrobotany.mozz.us/ which uses
> > a user certificate for authentication and it works pretty nicely.
>
> Astrobotany also supports setting a password to change certs if needed, which
> I think is pretty relevant here. Not really sure how it works though, maybe
> Mozz can chime in.

Here's how astrobotany is currently doing authentication.

You create a self-signed certificate and make a request to astrobotany. The
server detects that the cert is unrecognized, and asks you if you are a new
user or an existing user.

If you are a new user, you are prompted to enter a unique username. This name
used to be pulled directly from the subject CN of the certificate, but that
led to some unfortunate UX issues with duplicate users, so I changed it to be
separate instead. At this point, your certificate is registered and you can
access the application. Any future requests to the server with that certificate
will automatically log you in. Everything past this point is strictly optional.

Once logged in, you can open the astrobotany settings page where you can define
a secret password. The password allows you to attach additional certificates to
the same user account.

Going back to step one, if you are an existing user and you provide an
unrecognized certificate, the server will prompt you to enter your username and
password from above. If verified, the new cert will be attached to your account.

You can repeat this process as many times as you want to add new certificates.
All of the certificates can be viewed and deleted from the settings inside of
the application (with the exception that the currently active cert can't be
deleted, to prevent lockout).

My personal astrobotany user currently has two certificates: one on my laptop
that I use with av-98 and one on my phone that I use with Petr Vernigorov's iOS
gemini client (which is an awesome client that doesn't get enough praise). I
like this method because otherwise there would be no way to copy an existing
certificate into the iOS client.

There was one time when somebody lost their astrobotany cert so they sent me an
email. I was able to reset their password for them so they could generate and
upload a new certificate. This was very straightforward and a lot easier than
it would have been to pass certificates back and forth via email.

- Michael
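The flow Michael describes above, as an added example written for this page rather than astrobotany's own code: an in-memory account store keyed by certificate fingerprint, a per-account password whose only job is to let the user attach further certificates, an operator-side password reset for the lost-cert case, and the guard that refuses to delete the certificate currently in use. The certificate bytes, usernames and the PBKDF2 password hashing are assumptions; a real server would take the DER bytes from `getpeercert(binary_form=True)` and persist the store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-ins for DER-encoded client certificates. A real Gemini
# server would take the bytes from ssl_socket.getpeercert(binary_form=True).
CERT_LAPTOP = b"constructed: laptop client cert"
CERT_PHONE = b"constructed: phone client cert"


def fingerprint(cert_der: bytes) -> str:
    """Identify a certificate by the SHA-256 hash of its DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 with a per-account salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    fingerprints: Set[str] = field(default_factory=set)
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


class AuthStore:
    """In-memory account store, looked up by username and by cert fingerprint."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.by_fingerprint: Dict[str, str] = {}

    def identify(self, cert_der: bytes) -> Optional[Account]:
        """Step one: a recognised cert logs the user in. None means the cert is
        unrecognised and the server should ask 'new user or existing user?'."""
        name = self.by_fingerprint.get(fingerprint(cert_der))
        return self.accounts[name] if name else None

    def register_new_user(self, cert_der: bytes, username: str) -> Account:
        """New-user path: the username is chosen by the user, not read from the CN."""
        fp = fingerprint(cert_der)
        if username in self.accounts:
            raise ValueError("username already taken")
        if fp in self.by_fingerprint:
            raise ValueError("certificate already registered")
        acct = Account(username, {fp})
        self.accounts[username] = acct
        self.by_fingerprint[fp] = username
        return acct

    def set_password(self, username: str, password: str) -> None:
        """Settings page: the password exists only to attach more certificates."""
        acct = self.accounts[username]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(password, acct.pw_salt)

    def attach_certificate(self, cert_der: bytes, username: str, password: str) -> bool:
        """Existing-user path: unrecognised cert plus username and password."""
        acct = self.accounts.get(username)
        # Hash against a dummy salt when the account or password is missing so the
        # response time does not reveal which usernames exist.
        salt = acct.pw_salt if acct is not None and acct.pw_salt else bytes(16)
        candidate = _hash_password(password, salt)
        if acct is None or acct.pw_hash is None:
            return False
        if not hmac.compare_digest(candidate, acct.pw_hash):
            return False
        fp = fingerprint(cert_der)
        if fp in self.by_fingerprint:
            return False
        acct.fingerprints.add(fp)
        self.by_fingerprint[fp] = username
        return True

    def remove_certificate(self, active_cert_der: bytes, username: str, fp: str) -> bool:
        """Settings page: delete any cert except the one in use, to prevent lockout."""
        acct = self.accounts[username]
        if fp == fingerprint(active_cert_der) or fp not in acct.fingerprints:
            return False
        acct.fingerprints.discard(fp)
        del self.by_fingerprint[fp]
        return True

    def reset_password(self, username: str, new_password: str) -> None:
        """Operator-side recovery for a lost cert: after the reset the user can
        generate a fresh certificate and attach it with the new password."""
        self.set_password(username, new_password)
```

The dummy-salt hashing in `attach_certificate` keeps the failure path as slow as the success path, so a wrong username and a wrong password are not distinguishable by timing; the lockout guard compares fingerprints rather than trusting a client-supplied "current" flag.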

