Show HN: A mobile-friendly Magic: the Gathering deckbuilding website - negativeview
http://www.gracefulstats.com

======
scrollaway
I can't find a "New deck" button anywhere. Is it because I'm not logged in? If
so, why not? I should be able to do this while logged out.

I also see you're using good old username/password combos over plaintext.
Please consider using third party authentication such as Persona
([https://www.mozilla.org/en-US/persona/](https://www.mozilla.org/en-US/persona/)) or OpenID. (Persona gives you sign-in with gmail for free, how
neat is that?) -- If you don't know why that's a good thing, reply to this
comment and I'll be happy to explain.

~~~
negativeview
Yes, you have to log in to create a deck. You're the second person I've seen
suggest being able to make decks without being logged in. There are too many
potential headaches as far as cookies expiring, losing the super secret url,
etc. to make me actually want to implement this.

I am planning on turning on HTTPS soon, but I despise third party
authentication as a rule. Feel free to try and convince me, but I have never
seen the point in tying my uptime to the uptime of a third party, and allowing
a third party to revoke my users' accounts if they so wish.

~~~
scrollaway
> I have never seen the point in tying my uptime to the uptime of a third
> party, and allowing a third party to revoke my users' accounts if they so
> wish.

Couldn't agree more. Which is why I recommended Persona! Persona is
decentralized. Third party authentication done right. I highly encourage you
to look into it, especially if you already know about the issues oauth2 and co
have.

Third party authentication is still the right thing to do in 99 percent of
cases. Users should not have to rely on the unknown first party they are
sending their credentials to to do things the right way. Moreover, developers
should not have to reimplement all these protections every time - 2FA, bcrypt,
proper separation of authentication and data, etc etc they are not all cheap
to set up and some of them are obscure.

Regarding making decks while logged in - my expectation is that the tool would
let me share a URL that is not tied to an account. Something akin to the WoW
talent calculators that used to be popular back in the day:
[http://eu.battle.net/wow/en/tool/talent-calculator](http://eu.battle.net/wow/en/tool/talent-calculator)

~~~
negativeview
Sent some feelers out to devs I respect. Verdict is mostly negative on
Persona.

Seems like Mozilla is merely providing bare bones support for Persona these
days, and has stopped funding it:
[http://identity.mozilla.com/](http://identity.mozilla.com/)

Further, and this is the real nail in the coffin for me, it seems like if you
wish to change your email address or lose access to it, there's no way to
migrate all accounts at once. It's up to the implementor to support that:
[https://developer.mozilla.org/en-US/Persona/The_implementor_...](https://developer.mozilla.org/en-US/Persona/The_implementor_s_guide/Enabling_users_to_change_their_email_address)

Fun note: Until recently, Email wasn't even required to sign up for GS. A
Hacker News user pointed out that without this there's no way to let a user
reset their password, so I made it required (though there's still no actual
way to reset your password yet. Eeps!)
[https://news.ycombinator.com/item?id=8521505](https://news.ycombinator.com/item?id=8521505)

~~~
scrollaway
Mozilla has stopped funding Persona but they have not stopped working on it.

Mozilla just doesn't know how to market their technical stuff properly...

~~~
negativeview
I keep digging (since the site isn't breaking, yay!) but it just keeps not
looking good.

On the github, in the last month, a total of four people have committed code
eleven times. One committed more than all the others combined.

Also, I originally said:

> Feel free to try and convince me, but I have never seen the point in tying
> my uptime to the uptime of a third party, and allowing a third party to
> revoke my users' accounts if they so wish.

How does Persona not fall foul of both of these? Let's say that I implement
Persona and someone uses their Gmail to create an account. Gmail goes down.
Can they sign into my site or is my site effectively down for all gmail users?

What if that same user is booted off of Gmail or closes their Gmail account
for whatever reason? Are they not then booted off of my site by accident?

This person does a good job of explaining what I'm talking about:
[https://news.ycombinator.com/item?id=7243265](https://news.ycombinator.com/item?id=7243265)

~~~
scrollaway
Persona is not necessarily tied to gmail. Persona offers a gmail gateway. As
long as a user has a way of authenticating against the persona server using
the provided email, they are fine. This could be their facebook account just
as well.

Maybe you should talk to Dan Callahan, he'll be happy to answer your questions
in more details I'm sure. I'm saying that because you sound like Persona could
benefit you and Persona certainly could use more people like you criticizing
it :)

So this comes back to tying accounts to emails: Well, this is the user's
choice. They put their internet life into the hands of Google or Yahoo or
whatever by choosing such an email provider that may go down at any time. It's
completely reasonable and does not actually put YOU in a position where your
site locks users into a third party, you are just giving more choice.

As for activity: although it's not on git, there has been renewed interest in
Persona lately. And until a better alternative comes by (which won't be for a
long, long time) I'll defend persona tooth and nail because, it may not be
perfect, but it is far better than what is currently taking over the entire
web.
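The thread argues about who the relying party ends up trusting, but it never shows what the relying party itself still has to check once the Persona verifier answers. The following is an added example, not code from the thread or from the GracefulStats site: it takes the JSON body the Persona verifier returned after the site POSTed an assertion plus its audience (a constructed sample below) and enforces the two checks that remain the site's own job, that the echoed audience is this site's origin and that the assertion has not expired. The origin string and the sample timestamps are assumptions.

```python
import json
import time

# Constructed sample of a successful verifier reply. The field names
# (status, email, audience, expires, issuer) follow the Persona verifier
# API; the values are made up for this example.
SAMPLE_OK = json.dumps({
    "status": "okay",
    "email": "alice@example.com",
    "audience": "https://www.gracefulstats.com",  # assumed site origin
    "expires": 1415000000000,                     # ms since the epoch
    "issuer": "example.com",
})

# Constructed sample of a failed verification.
SAMPLE_FAIL = json.dumps({"status": "failure",
                          "reason": "assertion has expired"})


def accept_persona_response(body, expected_audience, now_ms=None):
    """Return the verified email address, or None if the reply is rejected.

    The verifier only echoes the audience it was handed, so the relying
    party must compare it against its own origin: a valid assertion minted
    for some other site must not log anyone in here. The expiry is checked
    against the local clock as well, rather than trusting the transport.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        data = json.loads(body)
    except ValueError:
        return None                      # not JSON: treat as failure
    if data.get("status") != "okay":
        return None                      # verifier rejected the assertion
    if data.get("audience") != expected_audience:
        return None                      # assertion was for another site
    expires = data.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        return None                      # missing or already expired
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None                      # nothing usable to key an account on
    return email
```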

~~~
negativeview
I know that it's not necessarily tied to Gmail. My point was that now my site
is dependent on their relationship to whatever they authenticated against. It
might be gmail, it might be Facebook, it might be anything. If that thing
either goes away, or revokes their access, they're gone from my site as well.
That doesn't sit well with me.

> They put their internet life into the hands of Google or Yahoo or whatever
> by choosing such an email provider that may go down at any time. It's
> completely reasonable and does not actually put YOU in a position where your
> site locks users into a third party, you are just giving more choice.

It's not reasonable. Not to me anyway. And isn't putting your internet life
into the hands of any single place exactly antithetical to the entire idea of
decentralization?

> it may not be perfect, but it is far better than what is currently taking
> over the entire web.

It's better than Facebook Connect or things like that, sure. But we aren't
comparing it to that, we're comparing it to individual logins. Individual
logins put the relationship into the hands of the users and me. That's where
it should be.

KeePass and apps like that provide all of the major benefits to users without
any of the downsides.

~~~
scrollaway
You need to read up on Persona more, specifically on persona gateways. They
are not what you think they are.

I meant what I said: talk to Dan. You'll find it interesting, I am sure.

~~~
negativeview
I am not talking about the gateways. I am talking about the identity
providers. If your identity provider goes out of business, revokes your
access, or any number of other things, you lose your credentials to all sites.

For instance, here's a site with a guy trying to sell you on using IdPs from a
big company rather than a small one. One of his points though is that the IdP is a
single point of failure, exactly my point:

[https://www.tbray.org/ongoing/When/201x/2013/08/14/FC2-Singl...](https://www.tbray.org/ongoing/When/201x/2013/08/14/FC2-Single-Point-of-Failure)

Under the heading "Other Failures."