Shout - Private Messaging for Flarum

[deleted]

And if you do clear your cache, this is what password managers are built for. Seriously guys - it's a one time exercise. I did it on my pc first as a test, then on my phone which imported all my conversations.

This extension is so cool it even has a back off timer to stop you from spamming users with messages until they respond. Now that, you have to admit, is cool.

[deleted]

For anyone who thinks that having to set a password once to use the instant messaging features is annoying, take a look at Signal. This application will ask you to verify your passcode every 14 days maximum

https://support.signal.org/hc/en-us/articles/360007059792-Signal-PINs

Now that, folks, IS annoying. Here, you're doing it one time only.

Mark73

[deleted] I'm not saying it's annoying, just trying to state that having a wide variety of options is always a good choice. It's a different case for each of us, we run different communities and go through different circumstances, that's why keeping the options open and letting each of us decide how we run our forums is what I'm asking for. As I mentioned eariler, it's a different case for each of us, so we shouldn't all be forced to take the same path, if you get what I mean. I'm aware it's not that big of a deal, but there is always a room for improvements

askvortsov

I think that a good compromise here would be eventually implementing non-encrypted private messages, but I realize that might not work with your vision for the project

SnakePromise

The misunderstanding I see is that Kyrne has written a beautiful extension that works great for messaging, but has added a feature (encryption) he feels very strongly about yet many of potential users are not interested in or even find it onerous.

@Kyrne, you have to understand that any extra effort means that a certain percentage of users won't use this feature on my site or even will just go to another easier to use forum. It just is so statistically. No amount of explaining that setting up yet another password on a site you just have registered at isn't a problem for you will change it for them. It's like if you said you don't like ice cream and I tried to explain you why you should. It doesn't work that way, explanations don't change what you like or not.

It's your extension so you of course are entitled to do whatever you want with it, but I think you are limiting its usefulness for others. The best way would be if Shout was set up automatically using account password and ready to use with zero extra action from user, and afterwards if the user wants he could change the password for Shout.

Or just have no encryption as an option, but it seems that cryptography is your thing.

Kyrne

SnakePromise as an alternative for forums without SSO, if there was a way for me to immediately grab the password on login, would that make it better?

askvortsov

SnakePromise set up automatically using account password

Hi I'm (obviously) not Kyrne, but although this would be nicer, it's also impossible. Flarum does not store your password. With regards to security that's probably one of the worst practices available. So the password isn't available to Shout. Now, a hashed/salted version of the password is stored (which can't be deciphered back), but if that was used for encryption instead of the password, that defeats the whole point of e2ee in the first place, as that hashed and salted password is available to admins.

HD3D

Kyrne Your extension is absolutely amazing but it is really complicated for noob users on forums.
It can only be better and easier for everyone to use if the chat is enabled automatically and the password is optional.

Having e2e and secured chat extension is great but it should be easy to use too.

SnakePromise

Kyrne That sounds good! Again, any effort more than zero is going to lose me some users. Like load times, in principle there is no difference if my site loads in 1s or 2s, but I try to shave every ms off, because it annoys users.

Yes, people are willing to do more to secure their Whatsapp messages but forum messages are much less important for overwhelming majority.

Kyrne

HD3D no offense but I'm going to stop responding to this. I'm going to maintain that it is not complicated nor hard to use, but maybe not as convenient.

askvortsov password could be snagged via login modal before the page refreshes, I'm going to look into this. It seems so obvious and me not doing it makes me think I had a good reason but can't remember.

SnakePromise

askvortsov Hi I'm (obviously) not Kyrne, but although this would be nicer, it's also impossible. Flarum does not store your password.

Sure, that is a problem for existing accounts, what I meant was when a person signs up, have Shout set up automatically with the same password.

luceos

Kyrne password could be snagged via login modal before the page refreshes, I'm going to look into this.

In the Bokt code base I use the CheckingPassword event to snag the password. In my scenario to run a fallback against the phpbb database. You could alternatively use a Middleware to check the log in route and use the payload. This won't work on sso though, but you already knew that.

So it's most definitely possible to get the raw password.

Kyrne

SnakePromise cool, I'll take a look tomorrow to see if it's a secure way to do it. If so I'll implement it. This won't work with SSO regardless.

nexromant

Hello everyone don't take this as an impertinence - but what about optimizing for the mobile version? I have why the layout when sending messages as the crooked is displayed.

What about creating a separate page with scribes?

nexromant

Please tell me what I'm doing wrong. I install the extension, enable it in extensions, go to test how it works (I disabled password entry), when searching for a user, select my second account, where I already entered the password in previous versions, write a message and when I click the "Send" button, it is redirected to the user search window. v1.6

Kyrne

nexromant browser info?

nexromant

Kyrne chrome, Yandex.browser

Kyrne

nexromant can you confirm whether the issue occurs in vanilla chrome for Android?

Kyrne

luceos all crypto is done on browser side (server trust reasons) so I'm planning to just override the onsubmit method of the login and signupmodal.

nexromant

Kyrne unfortunately, I can't, because I don't know this browser, and I can't find it in google play

luceos

Kyrne you can store the generated hash in session and/or set it as user attribute after log in with the current user serializer. Then the hash would be available to the frontend code.

Kyrne

nexromant my bad, I meant just Google Chrome.

« Previous Page Next Page »