Show HN: Login with HN (Unofficially) (loginwithhn.com)
436 points by hardwaresofton on Jan 13, 2022 | hide | past | favorite | 149 comments



This is a smart implementation. I was worried it would be doing something uncouth like asking for your HN password or scraping some kind of unofficial API, but instead it gives you a token to embed in your public profile - so it's still scraping your profile page, but that feels like a very low-impact way of building this.

Suggestion: on the "Put the token below in your HackerNews Profile" page, rather than polling to see if the token has been added (which is a bit rude) add a button for "I have added this token to my profile" and only check once the user clicks that button.


I totally agree with you and I was also worried about uncouth behavior. That said, and not to undercut the smartness here, I have memories of this being the main mechanism to authenticate third party services to the SomethingAwful forums.

I have vague memories of thinking through how scraping could be used for much easier global authentication and then quickly how that was probably a dumb idea.


Reminds me of how I got users to verify their ownership of Minecraft accounts[0]. There is no profile to add a token, but they can switch their skin, and you can download a user’s skin without being in-world.

[0] http://zacstewart.com/2012/12/24/verifying-minecraft-user-ac...


Cool write-up! Wouldn't you need to generate a new random verification skin for everyone that tries to verify?


This is long dead, but yes that would be the next step. At least right now, you could only falsely claim someone’s account if they installed my verification skin, but you could wait for someone to do that and then quickly claim their account before they did.


Instead, the token (a text string) will be an "object" (a non-fungible token) that you prove is in your wallet with zk proofs, wallet being on whatever chain(s) decided upon as ubiquitous in the coming year.


I assume this is /s and I laughed when I read it. Well played.


It’s not sarcasm, and it is what some communities want to achieve with decentralized identification.

https://www.microsoft.com/en-us/security/business/identity-a...


Yep, I still do this with gbs.fm!


Ah the memories and nostalgia of seeing this comment are immense! I miss the good ol' days of the pre tech giant internet. I used to go to the in person NYC charity events and it was an awesome community.

:wave: other goon, hope you and all are well.


Have you considered playing more Journey? :^)


this site is the last place i thought i'd find a gbs.fm reference


Had to migrate somewhere!


What is gbs.fm if you don't mind me asking?


A community radio station where you have to be a somethingawful member to access.



"... I was worried it would be doing something uncouth like asking for your HN password or scraping some kind of unofficial API, but instead it gives you a token to embed in your public profile ..."

I have a side project I've been kicking around for a while that required some kind of reputation/login/accountability function and this was exactly what I considered doing: giving people a token to put into a public HN profile.

So anyway, great job Victor!


Hey if you don't mind I'd love to have you kick the tires -- there aren't any client apps (other than the website itself) right now, but I'll be opening that up soon, got some bits to batten down like audience and registration forms.


So, so pessimistic that I can carve enough time away from rsync.net to start this new initiative ... but we'll see ...


rsync.net is a massively awesome product, I think I can safely say the rest of the internet is hoping you don't get any time away :).


The tyranny of success.


> doing something uncouth like asking for your HN password

Yeah I was worried about this too, it's a disturbing trend.

Venmo was asking for my bank password a couple months ago, I was like fuck no. Who the HELL does that. Should be illegal to even ask.


I complained about that Venmo thing on Twitter and got an interesting conversation going about it, including with comments from the CTO of Plaid who are the company who built that integration.

https://twitter.com/simonw/status/1479174549266526209

Short version: OAuth for banks is finally starting to happen, but in the meantime the password anti-pattern fills the gap.


In the case of Venmo (and many of their other customers), it was actually Plaid that was asking for your bank login credentials to connect your bank account to Venmo. They've been getting criticism regularly for that, unsurprisingly.


(And Plaid noted that they vastly prefer to oauth to banks, and do with many other banks, but that Venmo won’t accept oauth and demands credentials.)


No that’s not correct. Venmo is not forcing password auth, it’s banks not implementing the OAuth flow that causes this. I just went through with OAuth in Venmo with my bank (Capital One). They also offer the traditional (deposit 50 cents and validate the amount) workflow too, they’re not forcing the Plaid model at all.


Erm, I don’t think we’re describing the same sides of the flow, but I trust you’re right anyways. Apologies for my confusion.


Yeah so now I need to give my password to not just Venmo but also some startup called Plaid that I need to trust?

Doubly fuck no.


Plaid is not some tiny startup... They're almost 10 years old and Visa tried to buy them for $5B a couple years ago.

That doesn't mean you should trust them (I don't), but just because you haven't heard of them doesn't mean they're not big.


Venmo offers the traditional verify-a-deposit-amount validation method too, it just takes a few days. It’s an either/or method.


To clarify -- Venmo doesn't get the credentials at all, only Plaid does. Venmo then uses an API to get the specific bank account data it needs from Plaid.


I still don't trust Plaid.

Venmo could also get the credentials if they want to, since they're launching it from within their own app. They could keylog everything in their app if they wanted to, including what happens inside Plaid.

Nobody should ask for passwords to anything but their own service. Period.

Asking for bank passwords should be made illegal. If I were the president I would have made that a federal law yesterday.


The president doesn't make legislation.

Plaid provides a useful service that's a stop gap for the poor infrastructure of banks. I honestly doubt that most banks would have even bothered to start the laborious process of OAuth without them being an extremely popular middle layer for services like YNAB. My company actually uses them to process recurring payments.


Yeah well I would have also made it a law for banks to support OAuth and hardware key 2FA, hand out 2 Yubikeys to every citizen and ban SMS, among other things.

Plaid is not useful if they need to ask for passwords.


This recently started happening with PayPal. Bank payments were my default, and recently when I tried to buy something PayPal started demanding my bank login. Nope. Not now. Never. You do not need to know my balance and all my transactions for a $100 purchase, PayPal.


For all the obscure examples of prior art being given in this thread, this is also how Keybase did proofs with HN.


The exact user flow for a third-party auth system in Observablehq:

https://observablehq.com/@endpointservices/login-with-commen...

All code is ISC licensed and both the server and the client are embedded in a web notebook.


This is very clever. On a side note, I wish HN offered two-factor authentication.


Just pick a good password and don’t reuse it elsewhere. HN is super aggressive about rate limiting attempts, so brute force isn’t really a risk.


2FA also protects me in case someone runs https://github.com/unode/firefox_decrypt on my computer, maybe as part of an NPM install script


Do you not stay logged in to HN?


Never! I log out EVERY... nah, you got me haha. I honestly wouldn't even care if someone stole this account. Just having fun nitpicking :)


Phishing is still an issue that could be prevented with security keys. That said, I don't see most HN accounts being very interesting to phishers.


+1, would be nice to have 2FA


What about a cryptographic signature? That might be nice.


Agreed, and it doesn't really matter but for some reason I felt compelled to mention, this same mechanism (putting token in profile page) has been in widespread usage for years so isn't novel. Keybase is one example.


Even before that, this has been common practice with DNS for decades to prove ownership of a domain.


SPF

DKIM

Let's Encrypt Certificates


Hey HN,

I wanted to be able to make apps that do social login with HN so I hacked it together.

It works like you would expect -- generating a code you can put in your profile. For convenience, you can then use either TOTP or Email (if you specify both, it will default to using TOTP) to login thereafter to make things quicker (it can take up to a minute until profiles update).

I generally wait about 5 seconds between checks of a profile, hopefully this isn't too much additional strain (especially since I expect most people to switch to something faster after the first login).

[EDIT] Also it's night time (well morning I guess) where I am so... spinning up some more instances and I'm going to sleep.

[EDIT2] My email is plastered all over the site, but please feel free to email me any bug reports!

[EDIT3] If you'd like to register an app, please check out https://mailing-list.vadosware.io/subscription/form ! Ignore all the other mailing list stuff and get on the "early adopters" list for LoginWithHN! Or just email me in my HN profile, whichever!


> I generally wait about 5 seconds between checks of a profile

If you're scraping HN, please wait 30 seconds (https://news.ycombinator.com/robots.txt) - our app server still runs on a single core, so we don't have a lot of performance to spare. (Hopefully that will change this year.)

If you need to check more frequently, https://github.com/HackerNews/API works fine and you can get JSON that way anyhow.


Hey Dang, so actually I DO wait 30 seconds -- what actually happens is that I check on the frontend every 5, but the backend checks every 30 (that's the default) interval. If you can believe it the code looks something like this:

    export const DEFAULT_HN_POLL_DELAY_MS = "30000";
    export const DEFAULT_HN_POLL_MAX_CHECKS = 10;
The code isn't F/OSS but I hope you can take my word on this, worst case what happens is that someone launches two intervals (I don't have any locking on that side) due to hitting two different machines.

I'll be switching to the API by the end of today and worst case by the weekend.

[EDIT] Forgot to add this -- hope I didn't cause any disruption on your end. thanks for all the hard work as always.


That sounds fine!


> you can then use either TOTP or Email (if you specify both, it will default to using TOTP) to login thereafter to make things quicker (it can take up to a minute until profiles update).

I guess at this point it's more like login with loginwithhn?


Yup! LoginWithHN is the OAuth provider :) so the idea is if you have an app that you want people to use to login with HN, via LoginWithHN then you can use loginwithhn.com to make it happen


Nice work! If there was a similar yet less efficient implementation of your idea, I guess we’d call it “nlogn with hn”!


More like register with loginwithhn?


Rather than polling you can probably just subscribe (via Firebase[1] and the HN API) to changes to the user's profile, e.g. [2]

[1] https://firebase.google.com/docs/libraries#client-sdks

[2] https://hacker-news.firebaseio.com/v0/user/hardwaresofton/ab...


Hey thanks for the suggestion, I'll check this out as well -- I definitely don't mind having more ways to check so I can spread load and what not.


Using forums as pseudonymous identity providers is a very powerful idea. It's essentially community federation. There is of course risk that your IDP chucks your account and you lose access to the other ones, but that's solvable with a recovery scheme.

Lightweight, low assurance credentials probably have the biggest growth future, as if universal high assurance credentials were really that commercially desirable, we'd already have them. These are a kind of affinity credential, which has a lot of optionality.


It's a powerful idea but say I'm a website that wants to add "Sign In With HN". Me personally I've lost faith with "Sign In With Facebook/Google/etc.", nevermind some random site offering sign ins with random forum identities. As a website owner, I would have to trust that the "Sign In With HN" service would still be there in a month or two, nevermind a year or two. If I wanted to create such an SSO service, what kind of reasonable social/technical guarantees could I make to website owners so they'd be confident I'd be around for the long haul?

A better technical solution would be to offer an SDK that does the same thing that websites could integrate themselves, but then you have the explosion of languages and frameworks to support.


This is the good part. I'd rather avoid the SDK case, as I've run down that road before and it's fraught.

If you affinity federate to HN, (or even a subreddit), and you create a recovery process that enables the user to migrate their local identity on our app to a new IDP, realistically, you could just federate to anything someone can store a key on, if you wanted to. The security of the users account is up to the user.

If I want to bind my user account on your SaaS app to anything persistent online that I have control of, that should be sufficient for most low assurance purposes.

The lightweight security of it is that if I enroll/register for your app as motohagio@location.public_key, my password for your site becomes just a random string encrypted with my private key, as that proves my possession of the private complement used for registration when you decrypt the string using the contents of the public key location I provided during enrollment. A lot of protocols already essentially look something like this, they're just not described in a casual comment.

The lightweight security of the system isn't based on the secrecy of passwords, but rather, a combination of the secrecy of the users private key and the integrity of the registration pointer to that public key. It still works with browser passwords, as instead of a password string, you submit {randomstring, (randomstring)^privkey_privkey} and the RP app just looks up its registered public key pointer, and makes sure the random string in the ciphertext matches.

Problem it solves is net-net it shifts risk off your service, onto the user, and removes a single point of user compromise for all users at once. You can federate your service to any document on the internet that persists a public key, and account compromises don't scale the same way.

The most obvious vulnerability is the integrity and availability of the location and directory services of that public key location. But caching and recovery schemes could make it viable. (some people will be apoplectic at the mere mention of it, but it's a use case for the chains made of block)

I've done the high assurance use case design on a variety of other products, but maybe the low assurance case is the one that's actually useful. Irony is it may still require a password manager / authenticator client for most users, but in the majority of logins, you can still save this new token in your browser as a password.


>How does it work?

>[...]

>LoginWithHN generates a unique one-time-use code that the user must then put into their profile within 5 minutes

I like the implementation, but shouldn't the code be something more explicit? Otherwise it might be easy to social engineer someone into putting in the code. Currently it's

>Put the token below in your HackerNews Profile ↗

>[random letters]

I think Keybase does something more explicit, with something like "my keybase verification code is xyz"


I agree this is a concern, though more with phishing than social engineering.

An attacker site pretends to have their own "Login with HN" implementation, but asks users to put in a code generated from LoginWithHN.com itself.

If the user adds the code, then the attacker can impersonate the victim on any service that supports LoginWithHN.com (because of the special second-time login handling)

If the string was more explicit that it's for LoginWithHN.com, the victim is more likely to recognize that something phishy is going on.


Thanks for the suggestion, this is a great idea. The phishing angle is not one I had considered


You're right -- I will make this more explicit to hopefully prevent some phishing attempts


Wow, awesome! We've had a few startups ask for an HN integration at https://clerk.dev and we'll build this in ASAP.

It would be great if this could somehow verify whether an HN account has been part of YC cohort. A few requests we've received were with the hope of offering early access to YC founders-only before a public release.

Also, I love the OTP solution instead of asking for our HN passwords.


We have a solution here, email me: praful.mathur@gmail.com and we've worked out all the challenges with integrating with HN.


Hey thanks -- I will definitely be sending you an email soon!


For this you can use our membership token (which uses HN profile): https://opensea.io/collection/alumni-gems

Also we verify very similarly to you: https://badge.orangedao.xyz/


Great idea. If you need to add a code to your bio, another idea is putting a public key in your HN bio and signing a nonce message using some browser extension like Metamask.


Wouldn't it make more sense to store a blob containing the username, signed by loginwithhn in the profile. Something like HMAC(secret_kept_by_loginwithhn, username). Upon authorization, check if the blob is properly signed and matches the requested username. That way you'd only have to place it once and copying it between profiles isn't possible. I'm probably overlooking something.


Suppose you have logged into HN this way and so the token is in your profile. What would prevent me from logging in as dividuum?


Nothing. You are correct of course and my suggestion is fatally flawed. Can’t edit my comment unfortunately. Guess that’s a reminder not to do half-assed protocol engineering while watching Netflix :-}


This trusts loginwithhn. The metamask way can be used by any site and only needs to trust hacker news.


Or just storing the key in browser with Web Crypto API (or localStorage cuz safari ffs). Ofc this means the key is only scoped to their domain.


Victor, congratulations on the launch! I am one of the maintainers at https://github.com/ory/hydra and it makes me super happy to see that Ory Hydra is being used for such innovative projects :)

If you’re interested to join Ory, we’d be excited to have you! Drop Aeneas a line and he’ll take it from there: aeneas@ory.sh

Hopefully we’ll talk soon :)


Hey I appreciate it! It's a tiny little hack but I'm glad people seem to like it! ORY Hydra was fantastic every step of the way, I originally started with a completely different tool/approach actually then switched to Hydra and rewrote things and it was way smoother. Thanks for the awesome tooling you make.


Appreciate the kind words! :)


Hey, i had to evaluate the ORY suite for multiple projects, and we always had to fall back to keycloak. Major reason was the completeness of the keycloak admin gui vis-à-vis Ory.

Is there a gui in your plans, or a public repo? I want to contribute.


This site isn't really intended for high security. It doesn't matter that much since Hackernews login is only for this site and text posts here are not that valuable. If it was expanded in usage it could be disastrous.

The fact that the admins of this site do manual recovery for example is a terrible practice that no serious providers do. In fact the reason i'm 'AnotherGoodName' rather than my old AReallyGoodName is because i suffered account takeover on this site. The last three posts from AReallyGoodName promoting CoinRace are not me. The rest, including posts for my github projects (i still own my Github) are. https://news.ycombinator.com/item?id=16460663#16461236

I do not think for one second that Hackernews is ready to handle sign ins for things that need more security than this site itself.


Question - are you affiliated with HN/YC at all? If not, I would be concerned about the colors/branding on the homepage being the same as HN/YC. I see the word “unofficially”, but it feels like there still might be some confusion of how it relates to YC’s software.


Nope not affiliated at all! I thought "unofficially" was enough but I'll make it a bit more clear

[EDIT] I added another disclaimer


Very cool! That's what I had in mind.

Agreed that you added "unofficially", but you also created a new method to do login (vs cookies/oauth2/etc), so I wasn't sure how to map the "unofficially" word with your novel approach. Your disclaimer makes it very clear. :)


Thanks for bringing it up, glad to correct it!


It seems like if this is OAuth2, the protocol is not giving an audience specifier? That would mean that any token is as good as any other, and say, authenticating to evilsite.com, the site could use the token it's granted to itself to log onto another ‘login with HN’ website as the victim. That's the usual issue with OAuth as login.


Thanks for pointing this out. Reading your comment just connected some dots in my head about the OAuth flow.


Ah yes, this is something I'm going to tighten up once we have OAuth2 clients signed up -- right now the only client is the actual loginwithhn site itself!


I can speak more freely on a forum if my logins are independent. If they are federated I have more to lose by saying the wrong thing. There are scarcely any values I can express without offending someone. For this purpose at least, it looks like a better strategy to have multiple isolated credentials. With a password manager the inconvenience almost disappears.


Right, in addition to that, I am currently in the process of de-Googlifying and de-Facebookfying all my logins. I prefer the tired and tried method of having a separate login and password for each account, and save them on KeePassXC.

There have been plenty of horror stories of people that lose access to their Google or Facebook account, and suddenly cannot access their connected accounts.


"I'm a yak shaver by trade"

Nice.

Do you have any sites that support the flow yet?


I’m not sure why this couldn’t function as oauth provider for HN. Why does it support a new flow?


Yup that's the hope/intention -- If you have an app I can add you as an OAuth2 App (the registration page isn't up yet, but it will be soon)!


Is the author a literal yak shaver, à la sheep-shearer, but for yaks? (Or is it perhaps another way of saying "I can't legally tell you what I do for a living"?)


It's a reference to https://en.wiktionary.org/wiki/yak_shaving

The author is saying "Yes, I know I've built something that's not very useful here"


Thank you! I'd never heard that particular phrase before.



None yet! If you would like to be the first please reach out or use this subscription form:

https://mailing-list.vadosware.io/subscription/form

(Ignore the mailing list bit). If you're able to log in there's a more direct form at the end of the flow!


It didn't appear to be working after a couple of attempts. Opening the console shows a lot of HTTP 500 responses coming from /api/v1/hn/poll/status


Shit good thing I didn't go to sleep, looking at it now

[EDIT] - OK just pushed a new version -- it looks like it was a load issue, were you able to get in?

[EDIT2] - Welp, looks like sleep isn't happening, looks like it's load triggered but there are some failures happening... I don't like this hug.

[EDIT3] - We got 'em boys. Found the bug, rolling out now.


+1 Having same issue here


Hey would you mind trying again?


The API is responding that the request completed successfully, but it doesn't appear to authenticate. I even tried replacing my entire About section so that it was only the code and it didn't appear to recognize it


Hey I'm sorry for the really shit experience, do you mind if I reach out once I'm sure I've fixed it? It works for me but I still see occasional errors so I'm wondering just who it is :).


I don't mind at all


Hi, I just wanted to say I have fond memories of using garrysmod.org to download add-ons for gmod back in 2008-2010 or so. They used the same authentication technique by giving the user a token to put on their Steam profile. I'm still wearing mine! As long as the entity in question (HN, Steam) isn't at risk of going bust, I think this is very practical. Best of luck.


Thanks, appreciate the note! I actually never got into garrysmod (I basically started with CS: Source then went to CS:GO) so I never saw that, but I'm glad it makes sense and there's some historical precedent I'm not afoul of.


Very cool, I was experimenting with a similar implementation of this a few years back. We were using a browser extension to handle the posting to the profile for you. However, we noticed that that profile was cached on the server so you would end up having to wait a long time to get a new version. I believe we tried appending a random query param to cache bust but the server didn't seem to care about that.

Have you run into this? If so, how did you get around it?

[Edit] Here is a link to the now dead project :( http://web.archive.org/web/20161225152153/http://www.clap.ch... We briefly mention how it worked but didn't go into full detail


I'm doing something similar with my service https://aytwit.com/thoughter

There is a trick to busting the cache but I almost don't want to say it in case they fix it lol. Feel free to contact me directly.


Hey thanks for this note :)


Right now I'm actually just waiting a long time and checking somewhat slowly -- there's a note that it might take up to 1 min. I'm more concerned with not causing trouble for the staff, and usually it's about <1min so not the end of the world I think


Congrats on putting this together, it looks really cool.

One suggested feature that crossed my mind is to allow a minimum karma or account tenure requirement, in order to screen for throwaway accounts in cases where this mattered.


That's a fantastic idea, thank you, I'll implement that.


This is kind of reminiscent of how keybase verifies your ownership of social media accounts, domain names etc.


nice! I did a very similar thing many years ago for the video game website giantbomb.com. they have a wiki and you get points for making contributions, but there's nothing to do with the points, they don't do anything. so I made my own website where you could predict review scores they would give upcoming games, and "gamble" (a copy of) your giantbomb.com account's wiki points, which were scraped once you logged in with pretty much the exact same system (putting a generated hash into your account profile).

I've always thought that this is a neat idea and similar methods could be used to make all kinds of cross-account connection stuff work on various websites. if you're making any kind of social site like this, allow users to have an editable public bio!


Implementation idea: this method reminds me that we can post our public keys in bio, which means logging in could just mean signing a message that says "sign me in to %service%" and you wouldn't need to update your bio for each service you log in to


Nice. It's the equivalent of domain name verification using TXT records, but for HN profiles!


Hah I had the idea to do this but not using OpenID (show a token on an account to prove you own it) - kudos to using standards!

The use case was stealing the userbase from a stagnant competitor allowing everyone to keep their existing usernames on my platform.


Interesting. However, it requires you to trust the service. So probably the identity user should build and host such a service themselves.

Or a more trusty solution is to make the identity verifiable. Oh, did I say Keybase (the former one not acquired by Zoom)?


I wonder if this concept could (and perhaps should) be extended to be an OAuth provider that lets you in based on the ability to control content under an arbitrary URL. Maybe even standardized somehow by exposing meta tags in the HTML header.


So the idea is that the site is an OAuth2/OpenID connect provider, but one that actually authorizes/authenticates for a site I obviously don't own (HN).

I'm not sure I fully understood your idea but setting this up was exceedingly easy with the help of ORY Hydra[0], please check em out.

[0]: https://www.ory.sh/hydra/docs/concepts/login


The idea is that your OAuth site could let me login with https://example.com/it_is_me_i_swear as long as I am able to put the token you generated somewhere in that page. Not necessarily with https://news.ycombinator.com/user?id=lostmsu


Ahhh yep, I’ve actually got some plans for some other sites I could support!

If you’re referring more to the possibility of you owning the site itself that’s possible too


I'm doing something very similar with my service: https://aytwit.com/thoughter

To the author, there is a simple trick you can pull in order to make the confirmation instantaneous and avoid caching. Have you figured it out? Let me know!

I also use a residential proxy service for all my profile requests, regardless of the identity provider. For some sites like Twitter, Facebook, etc. this is required, and for something like Hacker News it's simply future-proofing in case they decide to block scrapers at some point in the future.

Good work!


>for something like Hacker News it's simply future-proofing in case they decide to block scrapers at some point in the future

Why are you scraping? We have an API, it's linked at the bottom of every page[0].

0: https://github.com/HackerNews/API


Good question, and thank you for the question. Both at the time of my initial development several years ago, and including now when I just tested it, scraping has faster response times (cache invalidations) to profile updates than the API. This saves the user of my site being frustrated that they put the code in their profile, but they keep smashing the "Check again" button to no avail.

To be fair the API's cache invalidation does seem to have improved since last time I tested it. It only takes up to 5-10 seconds now, but still this is an eternity to an impatient user.

Also since you imply you work for HN, I'll give you my little secret: If you randomly capitalize the letters in the HN username it invalidates the cache. Otherwise scraping the profile would indeed take as long as the API approach. I'm taking a risk with you fixing it now. :)

I hope that helps clarify and I look forward to your thoughts.


I don't work for HN. I meant "we" as in "we the people of HN"


Ah ok good, that means you won't fix the caching..."feature" that I found. :) Thanks for the discussion!


Honestly I need to use this API as well -- on the list of things to do. I left myself some abstraction to have different ways of checking and the easiest was scraping but honestly hitting the API would have been just as easy. Will fix this


Hey thanks for the helpful suggestion!


This is a smart, safe implementation. On a side note: I wish HN offered 2FA.


SAME. If they were into offering 2FA I could happily retire this little hack :)

I was a bit worried that what I was doing was against the spirit of HN (HN is very much not a social site in that way, and I think they strive not to be), but if they ever choose to add native 2FA I'll be over the moon.


This is neat. How do you protect against a third party scanning HN profiles for codes and stealing them?


Ah, so because the login challenge is unique, the person would have to have access to the browser that received the original login challenge -- there's a second secret when you initiate login (that's part of the bit managed by ORY Hydra)


Hey this is neat. Great work, I really like such weird ideas and it looks so professional!


Thanks for the note :) yeah it was a really quick hack -- it only looks professional thanks to mvp.css[0]!

[0]: https://andybrewer.github.io/mvp/


This is awesome! I had this same idea just last week! Way to execute!


Would be interesting to come up with a nice use case now with this.


Well it's technically a use case for itself... so there's that?


Great idea, I like the concept of using a code in your bio as the auth mechanism. As another poster replied, the api seems to be 500'ing


As far as I know, IndieAuth[0] is the open source solution for this.

I've wondered how well it would work on a forum like HN, both for account authentication (making the forum simpler by not requiring passwords) and for identity validation when necessary (for example, highlighting the owner of a project or site.)

[0] https://indieauth.com/


Hey would you mind giving it another shot?


Tried again, got a lot of 201s with:

``` {"status":"success","data":{"confirmed":false}} ```

Then a failure with a 502, I'll check it on a different network tomorrow to see if it's on my end


OK one more time! It's working for me right now -- I see the odd out of time error in the logs but the errors are mostly gone now:

    [Nest] 41  - 01/14/2022, 2:46:01 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
    [Nest] 41  - 01/14/2022, 2:46:06 AM   ERROR [LoginService] Error occurred while checking for HN profile page update: Error: Exceeded max checks [10] (delayMs: 30000)
    [Nest] 41  - 01/14/2022, 2:46:11 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
    [Nest] 41  - 01/14/2022, 2:46:36 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
    [Nest] 41  - 01/14/2022, 2:46:42 AM   DEBUG [V1HNController] received polling status request for display token [E7tvuXJkkt]
    [Nest] 41  - 01/14/2022, 2:46:51 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
    [Nest] 41  - 01/14/2022, 2:47:20 AM   DEBUG [V1HNController] received polling status request for display token [e4DMemS2HG]
    [Nest] 41  - 01/14/2022, 2:47:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW]
    [Nest] 41  - 01/14/2022, 2:47:48 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
    [Nest] 41  - 01/14/2022, 2:47:57 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
    [Nest] 41  - 01/14/2022, 2:48:22 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
    [Nest] 41  - 01/14/2022, 2:48:37 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]
    [Nest] 41  - 01/14/2022, 2:48:52 AM   DEBUG [V1HNController] received polling status request for display token [dcKr3LelxA]


    [Nest] 41  - 01/14/2022, 2:49:15 AM   DEBUG [V1HNController] received polling status request for display token [e4DMemS2HG]
    [Nest] 41  - 01/14/2022, 2:49:22 AM   DEBUG [V1ConsentController] retrieving data for consent challenge request [<redacted>]
    [Nest] 41  - 01/14/2022, 2:49:22 AM   DEBUG [V1ConsentController] successful consent denial for user [hardwaresofton]
    [Nest] 41  - 01/14/2022, 2:50:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW]
    [Nest] 41  - 01/14/2022, 2:50:50 AM   DEBUG [V1HNController] received polling status request for display token [ZAvILvhGhg]
    [Nest] 41  - 01/14/2022, 2:50:58 AM   DEBUG [V1HNController] received polling status request for display token [unNyaItKHU]
    [Nest] 41  - 01/14/2022, 2:51:49 AM   DEBUG [V1HNController] received polling status request for display token [qy4LrME0ny]
    [Nest] 41  - 01/14/2022, 2:52:24 AM   DEBUG [V1LoginController] received start login request [zzc]
    [Nest] 41  - 01/14/2022, 2:52:24 AM   DEBUG [V1LoginController] saved login request challenge with ID [<redacted>]
    [Nest] 41  - 01/14/2022, 2:52:26 AM   DEBUG [V1HNController] received polling status request for display token [lBEUPtqdVF]
    [Nest] 41  - 01/14/2022, 2:52:30 AM   DEBUG [V1HNController] received polling status request for display token [62553gB7GW

Really appreciate you trying again -- I just did it myself and it was a long ~1min but it did work (in fact you can see me deny the consent actually in the logs :).

And for the keen in here, yeah I'm running NestJS[0] -- this thing is over-engineered and some bugs still snuck through.

[0]: https://docs.nestjs.com


I think it’s in poor taste to theme your site to look like HN. Feels a little close to phishing.


I did think about it, but I don't think it's too bad -- the site is plastered with "unofficially" and the disclaimer to prevent that.

I love how minimal HN is and I don't think I've ever seen orange work this well on a site in my life to be honest, so I wanted to pay a little homage and also have people feel at home.

I'll definitely consider changing the theme, and I've already added a disclaimer.


Blocked by both Firefox and my company due to certificate issue.


Actually, looks like you are on a malware blacklist.


Could you tell me more about the blacklist? Is it IP based? URL based? The servers are in Germany under Hetzner so maybe it's an IP ban that went in


Awesome documentation!

