Shout - Private Messaging for Flarum

HD3D

Kyrne Your extension is absolutely amazing but it is really complicated for noob users on forums.
It can only be better and easier for everyone to use if the chat is enabled automatically and the password is optional.

Having e2e and secured chat extension is great but it should be easy to use too.

Kyrne

HD3D no offense but I'm going to stop responding to this. I'm going to maintain that it is not complicated nor hard to use, but maybe not as convenient.

askvortsov password could be snagged via login modal before the page refreshes, I'm going to look into this. It seems so obvious and me not doing it makes me think I had a good reason but can't remember.

luceos

Kyrne password could be snagged via login modal before the page refreshes, I'm going to look into this.

In the Bokt code base I use the CheckingPassword event to snag the password. In my scenario to run a fallback against the phpbb database. You could alternatively use a Middleware to check the log in route and use the payload. This won't work on sso though, but you already knew that.

So it's most definitely possible to get the raw password.

SnakePromise

askvortsov Hi I'm (obviously) not Kyrne, but although this would be nicer, it's also impossible. Flarum does not store your password.

Sure, that is a problem for existing accounts, what I meant was when a person signs up, have Shout set up automatically with the same password.

SnakePromise

Kyrne That sounds good! Again, any effort more than zero is going to lose me some users. Like load times, in principle there is no difference if my site loads in 1s or 2s, but I try to shave every ms off, because it annoys users.

Yes, people are willing to do more to secure their Whatsapp messages but forum messages are much less important for overwhelming majority.

Kyrne

SnakePromise cool, I'll take a look tomorrow to see if it's a secure way to do it. If so I'll implement it. This won't work with SSO regardless.

nexromant

Hello everyone don't take this as an impertinence - but what about optimizing for the mobile version? I have why the layout when sending messages as the crooked is displayed.

What about creating a separate page with scribes?

nexromant

Please tell me what I'm doing wrong. I install the extension, enable it in extensions, go to test how it works (I disabled password entry), when searching for a user, select my second account, where I already entered the password in previous versions, write a message and when I click the "Send" button, it is redirected to the user search window. v1.6

Kyrne

nexromant browser info?

nexromant

Kyrne chrome, Yandex.browser

Kyrne

nexromant can you confirm whether the issue occurs in vanilla chrome for Android?

Kyrne

luceos all crypto is done on browser side (server trust reasons) so I'm planning to just override the onsubmit method of the login and signupmodal.

nexromant

Kyrne unfortunately, I can't, because I don't know this browser, and I can't find it in google play

luceos

Kyrne you can store the generated hash in session and/or set it as user attribute after log in with the current user serializer. Then the hash would be available to the frontend code.

Kyrne

nexromant my bad, I meant just Google Chrome.

Kyrne

luceos I need the raw password for it. I do some pretty crazy hashing on the password different from laravel's built in hashing:

export function getPassphraseKey(passphrase, salt) {
  return new Promise((resolve, reject) => {
    window.crypto.subtle
      .importKey(
        "raw",
        new TextEncoder().encode(passphrase),
        {name: "PBKDF2"},
        false,
        ["deriveBits", "deriveKey"]
      )
      .then(key =>
        window.crypto.subtle.deriveKey(
          {
            name: "PBKDF2",
            salt,
            iterations: 128000,
            hash: "SHA-256"
          },
          key,
          {name: "AES-GCM", length: 256},
          true,
          ["encrypt", "decrypt"]
        )
      )
      .then(resolve, reject);
  });
}

luceos

Kyrne I need the raw password for it.

I am aware. I detailed the options above. Not behind a computer, but I can clarify and link to classes or show snippets privately when I am.

TOWUK_ru

infinity loading in first create two factor password...

Kyrne

TOWUK_ru check browser console

TOWUK_ru

Kyrne dont have problem! clear console!

« Previous Page Next Page »