Comments (11)
I've decided to abandon implementation of this feature for now because it would be far too easy to abuse. We have plenty of authentication strategies and we can obtain OAuth keys to add even more. I might consider adding this feature if people actually express a need for it in the future if we combine it with a CAPTCHA or add a bunch of code to monitor creation of accounts from various OpenID providers so we could blacklist the bad ones. I just don't feel like opening the site up to a game of whack-a-mole right now.
from openuserjs.org.
This issue has been reopened because someone has expressed an interest in this issue (#88).
As I stated above, the reason I closed this issue in the first place was because of lack of interest by others, that I didn't see an immediate need with all of the existing authentication methods available, and the great potential for abuse since anyone would set up an OpenID provider and use it to easily create a limitless number of phony users.
I might allow this feature, but require the OpenID provider to use HTTPS, keep which providers were used to create an account with OpenID (so we can detect abuse), and also require a CAPTCHA (or some other form of anti-bot measure at registration).
from openuserjs.org.
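The policy proposed in the comment above (HTTPS-only providers, a record of which provider created each account, and an anti-bot check at registration), sketched as an added example that is not part of the thread or the OpenUserJS code base. The class name, the thresholds and the per-provider sign-up limit used to detect abuse are assumptions.

```javascript
// Added example (not OpenUserJS code). All names here are hypothetical.
const WINDOW_MS = 60 * 60 * 1000; // look-back window for counting sign-ups
const MAX_SIGNUPS_PER_PROVIDER = 5; // constructed threshold, tune per site

class OpenIdSignupGate {
  constructor() {
    this.signups = new Map(); // provider host -> timestamps of accepted sign-ups
    this.blocked = new Set(); // provider hosts that tripped the limit
    this.accounts = []; // audit trail: which provider created which account
  }

  // Returns { ok, reason }. `captchaPassed` is the result of whatever
  // anti-bot check the site runs; verifying it is out of scope here.
  register(username, identifier, captchaPassed, now = Date.now()) {
    let url;
    try {
      url = new URL(identifier);
    } catch (e) {
      return { ok: false, reason: 'invalid-identifier' };
    }
    if (url.protocol !== 'https:') return { ok: false, reason: 'https-required' };
    const host = url.hostname; // URL parsing already lowercases the host
    if (this.blocked.has(host)) return { ok: false, reason: 'provider-blocked' };
    if (!captchaPassed) return { ok: false, reason: 'captcha-required' };

    // Count only sign-ups from this provider inside the look-back window.
    const recent = (this.signups.get(host) || []).filter(t => now - t < WINDOW_MS);
    if (recent.length >= MAX_SIGNUPS_PER_PROVIDER) {
      this.blocked.add(host); // hold the provider for moderator review
      return { ok: false, reason: 'provider-rate-limited' };
    }
    recent.push(now);
    this.signups.set(host, recent);
    this.accounts.push({ username, provider: host, createdAt: now });
    return { ok: true, reason: null };
  }

  // Accounts created through one provider, for clean-up after abuse.
  accountsFrom(host) {
    return this.accounts.filter(a => a.provider === host.toLowerCase());
  }
}
```

Keeping the provider host on every account is what makes the clean-up in `accountsFrom` possible once a provider has been blocked.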
I don't get it. What's the problem with "phony users"? And what prevents me now from creating as many imgur or reddit users as I want?
from openuserjs.org.
I don't get it. What's the problem with "phony users"?
If you can create many phony users very quickly you can use them to post spam and malicious scripts faster than we can moderate and remove them (userscripts.org is a good example of this).
And what prevents me now from creating as many imgur or reddit users as I want?
For one, I know that reddit uses a captcha at registration and limits the number of users you can create on an IP in a certain duration. We inherit all the protections our providers use to prevent registration of many phony users. OpenID would be much easier to abuse if we added it.
Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?
from openuserjs.org.
If you can create many phony users very quickly you can use them to post spam and malicious scripts faster than we can moderate and remove them
Do new users have limits for posting?
For one, I know that reddit uses a captcha at registration and limits the number of users you can create on an IP in a certain duration.
Use captcha for new users as well. If spammers are determined enough to spend money on solving captcha - reddit won't save you. Right?
from openuserjs.org.
Do new users have limits for posting?
Not yet. I'm not crazy about doing this since many new users just want to dump their scripts on the site. I was hoping to avoid dealing with this issue until the site is more popular. But yes, we'll probably have to do this.
Use captcha for new users as well.
I also intend to do this once the site becomes more popular. But at this point I want to make it really easy for new users to sign up. I will probably add OpenID once we reach this point. I'm not going to promise it right now because I need to think about it more and consult the other project members.
You still didn't answer my questions:
Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?
from openuserjs.org.
Not yet. I'm not crazy about doing this since many new users just want to dump their scripts on the site.
See? A spammer doesn't even need those accounts you are worried about, since nothing stops a single phony user from posting thousands of malicious scripts and messages.
You still didn't answer my questions
Sorry about that. Let me answer them now.
Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?
It's a matter of several factors. I believe decentralization is a good thing, and OpenID is perfect for decentralization. I hate the idea of being dependent on a single service, like github or reddit, for being able to login to a completely unrelated website, like OUJO. And yes, most of my userscripts are hosted on Bitbucket, which is not an option for logging in for now.
In my opinion, this is handled best on stackexchange network sites (like stackoverflow.com). There you can login using several services (including plain OpenID), but most importantly - you can link several login methods to a single account. This frees you from being tied to a single service and makes you stop worrying about third-party services being down.
All in all, I think you are too worried about spammers now. I understand that having the case of USO right in front of your eyes, you want to do everything possible to prevent this from happening to OUJO, but I'm not sure you should be concerned right now. The audience of OUJO is small and it is unlikely it will be targeted by spammers now. Later you could take measures according to the situation, maybe including community help (like it is done in stackexchange).
These are just my thoughts, I hope they will be somehow helpful, sorry if not :) And thank you for the work you are doing.
from openuserjs.org.
Is the current list of authenticators not sufficient for your needs?
If this is a bug I'll open one... but I added goo to my list of authentications, reset GH back to primary, made sure I restarted my browser to remove any cookies, logged into goo, and OUJS still prompted me for GH credentials... I'm not quite entirely sure if this is how these are supposed to work or not.
As far as adding in an OUJS site captcha it might be a good idea to route all requests, save for login/logout, to a captcha dummy routine... not necessarily adding a captcha in but the possibility for it if it is needed in the future.
I'm neither here nor there on OpenID... privacy on OpenID is a lot less than it is with most other systems across the internet.
from openuserjs.org.
Is this closable now with the new UI? We refer to OpenID in the main /login page so I assume so?
Possible Reference:
from openuserjs.org.
This issue is about allowing pure OpenID authentication on the site. I still haven't made up my mind (which is why I left it open). I'd like to hear what others think.
from openuserjs.org.
Decided it is unnecessary.
from openuserjs.org.