We made a Chrome extension to notify you of new comments on your stories and comments.
Once installed, it adds a bell to HN's header and shows new notifications in real-time. Clicking on the bell loads a notification inbox with easy access to all your notifications with a clear distinction between the read/unread ones.
Unlike some other options like HN replies, here are the key differences:
We don't ask for your email address - we use the HN cookie to identify you. There is no setup beyond adding the extension.
Apart from on-page notifications, you can also subscribe to web-push notifications.
We are using HN Firebase API to get a real-time feed of notifications, and our startup, [MagicBell (YC W21)](https://magicbell.io), to power the notification inbox. We built this extension because we found it hard to keep track of our [Launch HN thread](https://news.ycombinator.com/item?id=26037645) comments.
We want to build a version for Firefox & Safari, and if you'd like to know when they go live, please follow us on [Twitter](https://twitter.com/magicbell_io). Dozens of early users have tested the extension, but if you run into any issues, please tweet at us, and we'd be more than happy to help you with it. We'd also love to hear your ideas on additional functionality you'd like to see.
That sounds dangerous. By sending the full cookie you're allowing yourself to hijack any of your users' sessions. That's a big security risk. Is there a reason why you need to "validate" someone's login? If someone wants to get notified about my comments, so what? There's nothing secret about it, they can just go to https://news.ycombinator.com/threads?id=gruez and get a live feed.
While the comments themselves are open, their state in your MagicBell inbox isn’t. If we didn’t have a way to validate identity, we wouldn’t be able to make sure your notifications can’t be deleted/marked read by someone else.
> That doesn’t prevent someone from being able to impersonate you.
But why is that a problem? If somebody wants to get notified of replies to my comments, let them.
I understand why you need a unique token so that collisions don't happen, but that token doesn't need to be one-to-one unique with Hackernews usernames. It's OK to have two unique tokens that are separate from my session cookie that point to me as a user, and to have the "read" status be per-token, not per-user.
More to the point, why does this read status and everything need to be stored serverside for a browser extension? Where are you putting this information where you're worried about collisions with random internet users, why have it leave the browser at all?
You don't need a unique token if you're not storing everything in a centralized location off-device, the browser profile that's using the extension is itself the unique token. Why does anything need to be transmitted anywhere? Let the extension store the read statuses locally on my device, then there's zero chance of them colliding with anybody else's installation. Even if someone turns on push notifications, the push API already sends you a unique, randomized device ID/key. What's the reason why you can't push an RSS-style feed out to the device using that ID?
I completely agree with all of this. It can be done without any of this server-side stuff.
But to answer the question:
> Why does anything need to be transmitted anywhere?
It's because the extension is written by, and "powered by", MagicBell. They are writing it to bring attention to their product concept, where notifications like this are all handled by them.
That's totally fair, but it raises a followup question because from what I can see, MagicBell has user accounts.
So that's also a unique identifier that they could use to prevent collisions. They could have a randomized ID generated locally for this "promotional" extension, and if a user creates an account on MagicBell at that point they could migrate them over to an official user ID.
If this is being tied to a real backend service, I'm almost more confused why it's important to transmit my session cookies around.
Aren't you (magicbell) gaining the persistent ability to impersonate any HN user who installs this extension? That seems like a much more serious problem than someone being able to impersonate your magicbell hn notifications. It sounds like you're saying that because HN has no fine-grained oauth delegation, it's ok to silently hijack users' HN accounts. That can't be right.
Perhaps you could hash the session id, with a secret salt on server side. Then you could discard the original and store and pass along the hashed session id. That way, anyone you send it to would not be able to impersonate the hn user. You could also hash with a different salt before sending to a 3rd party so that they would not be able to impersonate someone's account in your extension.
Just to be clear, we simply validate your session by requesting the page with your cookie and seeing if we get a logged in page. We never send your info to any third party.
For the purposes of authenticated interactions between HN and the user, you are the third party who now has full access to the user's account. App/extension stores generally take a dim view of/outright prohibit this because of its high abuse potential.
Also, your Chrome Web Store page says "The publisher has disclosed that it will not collect or use your data". But you do collect and use users' session cookie.
Sorry about the oversight in the Chrome store page. We'll fix that asap. The privacy policy page has a link to the privacy policy hosted by Iubenda if you have JavaScript disabled. If you have JavaScript enabled, the privacy policy renders inline.
Really? Because I thought of one in the time it took to read this comment. Your extension has access to the page contents, which you can use to determine the username. It’s right in the nav. You can validate that it’s authenticated by a quick look at the profile link to see that it’s editable. Cache that boolean with a hash of the cookie for subsequent validation and you’re all done, without sending anything to your own server.
Why do you need a cookie at all? All the HN comments are public so once you’ve ascertained the handle you can query the API for any user to diff for changes.
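The cookie-free design proposed in the comments above (look up the handle in the public API, diff for changes, keep read state on the device), sketched as an added example that is not part of the thread and not the extension's code. The `/v0/user` and `/v0/item` endpoints are the public HN Firebase API; the function names, the injected `fetchJson` and the sample data are assumptions made for the illustration.

```javascript
// Added example. Public endpoints of the HN Firebase API; no HN cookie involved.
const API = "https://hacker-news.firebaseio.com/v0";

// Pure core: compare the `kids` of the user's own items against reply ids
// already recorded locally and return only the unseen ones.
function diffReplies(items, seenIds) {
  const seen = new Set(seenIds);
  const fresh = [];
  for (const item of items) {
    if (!item || item.deleted || item.dead) continue; // null means the item is missing
    for (const kid of item.kids || []) {
      if (!seen.has(kid)) fresh.push({ parent: item.id, reply: kid });
    }
  }
  return fresh;
}

// One polling pass. `fetchJson` is injected (hypothetical helper): in an
// extension it would wrap fetch(url, { credentials: "omit" }); here a stub
// serves constructed data. The caller persists the returned `seenIds` locally
// (for example in chrome.storage.local), so read state stays in the browser.
async function pollReplies(username, seenIds, fetchJson, limit = 30) {
  const user = await fetchJson(`${API}/user/${encodeURIComponent(username)}.json`);
  const own = ((user && user.submitted) || []).slice(0, limit);
  const items = await Promise.all(own.map((id) => fetchJson(`${API}/item/${id}.json`)));
  const fresh = diffReplies(items, seenIds);
  return { fresh, seenIds: [...seenIds, ...fresh.map((f) => f.reply)] };
}

// Constructed sample responses (not real HN items).
const SAMPLE = {
  [`${API}/user/alice.json`]: { id: "alice", submitted: [103, 101] },
  [`${API}/item/101.json`]: { id: 101, by: "alice", type: "story", kids: [201, 202] },
  [`${API}/item/103.json`]: { id: 103, by: "alice", type: "comment", kids: [301] },
};
const stubFetchJson = async (url) => (url in SAMPLE ? SAMPLE[url] : null);

// With 201 already seen, the first pass reports 301 and 202; the second, nothing.
async function demo() {
  const first = await pollReplies("alice", [201], stubFetchJson);
  const second = await pollReplies("alice", first.seenIds, stubFetchJson);
  return { first: first.fresh, second: second.fresh };
}
```

Because the requests go to `hacker-news.firebaseio.com` rather than `news.ycombinator.com`, the HN session cookie is never attached to them, and the only input the poller needs is the public username.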
We used this extension the other day for our LaunchHN [0] where we got 175ish comments. It was super useful, both to get notifications in macOS, but also to be able to page through the comments and see the read/unread ones. Definitely keeping this extension installed!
Thanks for sharing this! Replies to my comments are interesting but I've been curious about an efficient way to see new comments on a given article _that I haven't already read_. I think this site plus a good feed reader would do the trick.
Sometimes I come to a particularly interesting article in its early stages before there are many comments or I read through all the comments of a mature discussion that continues later. I'd like to be able to see what is new without rereading many comments.
My ideal would probably be an interface similar to mutt that shows all the threaded comments of an article. Keyboard driven, of course. Almost a bit like HN as newsgroups!
If you reply to this comment, I'll get a reply notification via Web Push. Blows my mind that adding a realtime feature like this through a little extension is even possible.
I only allow notifications from people I truly love and absolutely nothing else. If I don't remember to check something it's because it doesn't bring me joy, it's because I don't care about it. I would never want to give anyone or anything the power to interrupt me except for those who value my time nearly as much as I value it myself. It's one of the most baffling things about today's world that people will accept, or even seek such interruption.
I honestly believe the underlying concept here is slightly immoral, moreso because it's an attempt to SAASify something that clearly doesn't need a server, and steal your info while they're at it. Hmmm, now that I've written it out like that I guess I'll bump it up to clearly immoral.
I’ve always been curious, is there a stated reason why HN doesn’t have the feature natively? Is it meant to avoid too fast back and forth comments or something?
Yes, and generally avoiding tricks to increase engagement. I don't think it was consciously thought through—we just (going back to pg) have an instinctive aversion to that. Also, since HN isn't a startup that has to grow at all costs, we have the luxury of not needing to.
It fits with trying to optimize for (intellectual) curiosity: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor.... If something is interesting enough, you'll be motivated to look at it. If you're not motivated, probably you're more interested in something else and should look at that instead.
I think this is one of the best features of HN. It reduces a lot of the energy around receiving replies to a comment on all sides, there's never this neon light going off "hey, you need to respond to this right now".
While I suppose it does accomplish the purpose of decreasing heat in threads, for me it's a big usability issue since what usually happens is, I would comment on something, then forget about it and only check back days later, at which point there are several replies to my comment. Then, at that point, if I do reply again, chances are the other person won't reply back because he has no knowledge of my reply.
I'd be curious to hear the official reason too! I don't miss the feature, really, I don't necessarily want push notifications for HN activity, but am just curious!
You are addressing the need gap - 'On-demand Hacker News notification'[1] posted on my problem validation platform. You're welcome to explain how you're solving that problem with the link to your extension.
Thanks! Like you mention on that page, the ability to follow threads without having to comment on them would be great. It’s next on our list of features.
Sure, I meant you can post the link to your extension explaining what it does on the problem thread I shared above as those who want HN Notifications are checking it out.
Yes, absolutely! Working on that next. How do we notify you when it's ready? You can email me hana [at] magicbell.io and I'll email you just once when it's ready.