Show HN: A mobile-friendly Magic: the Gathering deckbuilding website
gracefulstats.com

I can't find a "New deck" button anywhere. Is it because I'm not logged in? If so, why not? I should be able to do this while logged out.
I also see you're using good old username/password combos over plaintext. Please consider using third party authentication such as Persona (https://www.mozilla.org/en-US/persona/) or OpenID. (Persona gives you sign-in with gmail for free, how neat is that?) -- If you don't know why that's a good thing, reply to this comment and I'll be happy to explain.
Yes, you have to log in to create a deck. You're the second person I've seen suggest being able to make decks without being logged in. There are too many potential headaches as far as cookies expiring, losing the super secret url, etc. to make me actually want to implement this.
I am planning on turning on HTTPS soon, but I despise third party authentication as a rule. Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users account if they so wish.
> I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users account if they so wish.
Couldn't agree more. Which is why I recommended Persona! Persona is decentralized. Third party authentication done right. I highly encourage you to look into it, especially if you already know about the issues oauth2 and co have.
Third party authentication is still the right thing to do in 99 percent of cases. Users should not have to rely on the unknown first party they are sending their credentials to to do things the right way. Moreover, developers should not have to reimplement all these protections every time - 2FA, bcrypt, proper separation of authentication and data, etc etc they are not all cheap to set up and some of them are obscure.
Regarding making decks while logged in - my expectation is that the tool would let me share a URL that is not tied to an account. Something akin to the WoW talent calculators that used to be popular back in the days: http://eu.battle.net/wow/en/tool/talent-calculator
Sent some feelers out to devs I respect. Verdict is mostly negative on Persona.
Seems like Mozilla is merely providing bare bones support for Persona these days, and has stopped funding it: http://identity.mozilla.com/
Further, and this is the real nail in the coffin for me, it seems like if you wish to change your email address or lose access to it, there's no way to migrate all accounts at once. It's up to the implementor to support that: https://developer.mozilla.org/en-US/Persona/The_implementor_...
Fun note: Until recently, Email wasn't even required to sign up for GS. A Hacker News user pointed out that without this there's no way to let a user reset their password, so I made it required (though there's still no actual way to reset your password yet. Eeps!) https://news.ycombinator.com/item?id=8521505
Mozilla has stopped funding Persona but they have not stopped working on it.
Mozilla just doesn't know how to market their technical stuff properly...
I keep digging (since the site isn't breaking, yay!) but it just keeps not looking good.
On the github, in the last month, a total of four people have committed code eleven times. One committed more than all the others combined.
Also, I originally said:
> Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users account if they so wish.
How does Persona not fall foul of both of these? Let's say that I implement Persona and someone uses their Gmail to create an account. Gmail goes down. Can they sign into my site or is my site effectively down for all gmail users?
What if that same user is booted off of Gmail or closes their Gmail account for whatever reason? Are they not then booted off of my site by accident?
This person does a good job of explaining what I'm talking about: https://news.ycombinator.com/item?id=7243265
Persona is not necessarily tied to gmail. Persona offers a gmail gateway. As long as a user has a way of authenticating against the persona server using the provided email, they are fine. This could be their facebook account just as well.
Maybe you should talk to Dan Callahan, he'll be happy to answer your questions in more detail I'm sure. I'm saying that because you sound like Persona could benefit you and Persona certainly could use more people like you criticizing it :)
So this comes back to tying accounts to emails: Well, this is the user's choice. They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your site locks users into a third party, you are just giving more choice.
As for activity: although it's not on git, there has been renewed interest in Persona lately. And until a better alternative comes by (which won't be for a long, long time) I'll defend persona tooth and nail because, it may not be perfect, but it is far better than what is currently taking over the entire web.
I know that it's not necessarily tied to Gmail. My point was that now my site is dependent on their relationship to whatever they authenticated against. It might be gmail, it might be Facebook, it might be anything. If that thing either goes away, or revokes their access, they're gone from my site as well. That doesn't sit well with me.
> They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your sites locks users into a third party, you are just giving more choice.
It's not reasonable. Not to me anyway. And isn't putting your internet life into the hands of any single place exactly antithetical to the entire idea of decentralization?
> it may not be perfect, but it is far better than what is currently taking over the entire web.
It's better than Facebook Connect or things like that, sure. But we aren't comparing it to that, we're comparing it to individual logins. Individual logins put the relationship into the hands of the users and me. That's where it should be.
KeePass and apps like that provide all of the major benefits to users without any of the downsides.
You need to read up on Persona more, specifically on persona gateways. They are not what you think they are.
I meant what I said: talk to Dan. You'll find it interesting, I am sure.
I am not talking about the gateways. I am talking about the identity providers. If your identity provider goes out of business, revokes your access, or any number of other things, you lose your credentials to all sites.
For instance, here's a site with a guy trying to sell you on using IDPs from a big company rather than a small. One of his points though is that the IdP is a single point of failure, exactly my point:
https://www.tbray.org/ongoing/When/201x/2013/08/14/FC2-Singl...
Under the heading "Other Failures."
I'll look into Persona. It probably won't be today as I'm trying to be extra attentive to the site while I'm drumming up traffic, but it's on my list now.
In theory you could build it in one sitting then share it. And I suppose there's use there. I don't particularly like the idea of people not being (necessarily) able to edit after the fact. That might not be as big of a downside as I think it is though. I'll mull that over as well. It works for imgur, after all, and even though I have an account I fairly often use it without signing in...
I think this is mitigatable by allowing your users to merge their account into a new one. So this is functionality you can implement serverside, persona does not by itself prevent your users from changing their email - it just doesn't provide the possibility (right now?)
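As an added example (not the site's own code and not part of Persona), here is one way to build the server-side account merge proposed in the last comment, which also addresses the earlier objection that an email change loses the account: accounts are keyed by an internal id and each verified email is a separate identity row, so a user who changes address can either link the new one while still signed in or merge the new, empty account into the old one. The SQLite schema and function names are assumptions.

```python
import sqlite3

def open_db():
    """Constructed in-memory schema: an account owns decks; any number of verified emails point at it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY);
        CREATE TABLE identities (email TEXT PRIMARY KEY,
                                 account_id INTEGER NOT NULL REFERENCES accounts(id));
        CREATE TABLE decks (id INTEGER PRIMARY KEY, name TEXT,
                            account_id INTEGER NOT NULL REFERENCES accounts(id));
    """)
    return db

def account_for_verified_email(db, email):
    """Map an address the identity provider has just vouched for to an account, creating one on
    first sign-in. Only call this with an address the server itself verified (e.g. the email in a
    verifier response), never with a value the client typed in."""
    row = db.execute("SELECT account_id FROM identities WHERE email = ?", (email,)).fetchone()
    if row:
        return row[0]
    with db:
        account_id = db.execute("INSERT INTO accounts DEFAULT VALUES").lastrowid
        db.execute("INSERT INTO identities (email, account_id) VALUES (?, ?)", (email, account_id))
    return account_id

def link_email(db, account_id, verified_email):
    """Preferred path: while still signed in, attach a second verified address.
    Returns False if the address already belongs to an account (that is the merge case)."""
    try:
        with db:
            db.execute("INSERT INTO identities (email, account_id) VALUES (?, ?)",
                       (verified_email, account_id))
    except sqlite3.IntegrityError:
        return False
    return True

def merge_accounts(db, source_id, target_id):
    """Fold source into target in one transaction. Precondition the caller must enforce: the same
    session has proven control of both (signed in to target, fresh verified sign-in for source)."""
    if source_id == target_id:
        raise ValueError("source and target are the same account")
    with db:
        db.execute("UPDATE decks SET account_id = ? WHERE account_id = ?", (target_id, source_id))
        db.execute("UPDATE identities SET account_id = ? WHERE account_id = ?", (target_id, source_id))
        db.execute("DELETE FROM accounts WHERE id = ?", (source_id,))

def add_deck(db, account_id, name):
    with db:
        db.execute("INSERT INTO decks (name, account_id) VALUES (?, ?)", (name, account_id))

def deck_names(db, account_id):
    rows = db.execute("SELECT name FROM decks WHERE account_id = ? ORDER BY name", (account_id,))
    return [r[0] for r in rows]
```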