Is it illegal to know someone's password?

(this topic was solved - can a moderator close this?)

I’m not from Romania, but in general your admin dashboard (where you see and control user info) should be locked down with passwords, one-time access codes, etc. Passwords should be hashed and salted. Also, the user should have the right to see what you’re collecting under GDPR regulations.

5 Likes

I mean, if you do not have a log-in system, you don’t need a privacy policy?

Could you explain? Any info collected from auth forms should be requestable by the user.

Say I sign up to your site. I should have the right to ask for my IP, or my username and stuff like that, but only after I have gone through a thorough process to prove my identity.

5 Likes

Follow these steps:

  1. Lock down the page where you can see user info. All passwords should be hashed and not be visible, not even to admins.

  2. Allow people to request the data you collect. Discord, for example, offers users the option to see what info Discord has collected. In this case make sure they can prove their identity.

  3. Make a privacy notice: tell people where and for what their data is going to be used.

Admins should be people who can be trusted not to disclose user info to the outside world

Might not apply: https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

4 Likes

If you collect any user information, you should add a Privacy Policy and be specific on what info you collect.

Edit: I typed this before 17lwinn posted this so I don’t mean for this to be a duplicate

4 Likes

@no_one also, you should only collect relevant user data (passwords, usernames etc) and destroy them when they are no longer needed.


@aboutdavid thanks for the extra reply!

5 Likes

Also, you should hash your users’ passwords using something like bcrypt. And if you impersonate users you (possibly, maybe) could be sued, or your users could lose their trust in you.

5 Likes

From experience, even the tightest systems can be penetrated by a backdoor. Admin interfaces especially should be handled with caution.

2 Likes

I am collecting it in case someone forgets their password, or is hacked, so admins can run the users through a test to check if they actually are “themselves” so they can give the password back to them.
So I don’t think I can destroy the info…

Also, I am keeping them in the .env file.

No, you should allow them to reset their password instead of giving it to them. If you store non-hashed passwords, then you are vulnerable to database breaches and your users will be really mad at you, because you could have prevented it but you just didn’t hash passwords.

3 Likes

I don’t think I can do that.

Firstly, never keep passwords in .env. Projects can be hijacked and the .env is never 100% safe.

Always store them in a safe place, like a hidden folder or an external service like MongoDB Atlas.

5 Likes

How can I make a file allowed only for certain Google accounts?

Just use Firebase Auth. It’s really easy to use and supports OAuth.

1 Like

Hey, also forgot: the Glitch TOS REQUIRES this. It contains what you must do with user data collected on a Glitch site.

2 Likes

Can you link to that section? I actually never saw it.

1 Like

hang on let me find it…

3 Likes

Ah, here we are, section F, privacy:

If you collect any Personal Information from a User, you agree that you will only use the Personal Information you gather for the purpose for which the User has authorized it. You agree that you will reasonably secure any Personal Information you have gathered from the Services, and you will respond promptly to complaints, removal requests, and ‘do not contact’ requests from us or Users.

2 Likes

Also, if you really want good legal advice, you should probably ask in r/legaladvice, as they have better legal advice than us.

5 Likes

I don’t have reddit…

You can make an account and you can use a throwaway email

3 Likes

Ok, so I’ll use Firebase for the authentication system.

3 Likes

Idk how to set this up, help?
I’ve set everything in the authentication page: sign-up method, templates, etc.
What in the world do I have to do next?

Think, can you successfully sign in/up without issues…

Is it as secure as humanly possible?

1 Like

Yes, the hash parameters are enough.
How do I make the log-in form and connect it to Firebase? :laughing:

2 Likes

@khalby786 may know, he has experience with Firebase.

5 Likes

I have been summoned!

This article should help you:

Give the article a thorough read before you start coding so that you understand what is happening. If you have any questions, feel free to ask here although I might be really slow to respond because in my timezone it’s time for me to sleep. But you can still ask, I’ll reply as soon as I wake up! Or you can DM me.

6 Likes

OK, lemme just construct a privacy policy…

Yep, a privacy policy is essential.

Another word of advice to live by is that if you don’t need to store it, don’t store it. If you don’t need user emails or IPs, don’t store them.

3 Likes

Yes because:

  • Even if you have a database breach, you don’t have that much to leak
  • Your users are less suspicious of you
3 Likes

If you don’t hash passwords, your users will have little to no trust in you.

4 Likes

Actually, I’ll store users’ emails and IPs in case I need to email them about an emergency (like a security issue) or someone damaging the website, so I can ban their IP using AbuseIPDB™.

How do they know I am not hashing passwords? :laughing:
Not that I don’t, I try to keep my website secure.

It will be quite obvious when they find their password in a paste.

3 Likes

Why not use the API to set up automated reports?

docs.abuseipdb.com

2 Likes

Are you using Glitch?

Yeah.

Also, I’m a bit confused on what the “Starter Template” is. Is it just an empty HTML skeleton…?

Speaking of Privacy Policies and storing passwords, if I use GitHub oAuth for login and the only data I collect are their email addresses, do I need a privacy policy?

I’d say so. You are collecting some of their personal information.

GitHub’s OAuth consent screen should tell users that their email will be shared, but you should also state that on your website.

6 Likes

Quick question: can kids under 13 build (and publish) websites? I just need it for my privacy policy.

Me too, like a few hours before 12:00 AM, do you live in europe?

(I kinda skimmed through the comments.)

Yes, and no. This data should only be accessed by people you trust. By default every website you go to gets your IP. It is how you send data. But if you are storing that IP in a database, then you should stop and remove it. If that database was ever leaked, everyone’s IP would be leaked as well, leaving them vulnerable to attacks.

I’m gonna use the website security 101:
Every time a new user makes an account, it’s gonna generate a new random string based on the password. I’m gonna decide how it will randomize it (like, turn the password upside down, add the first letter in the middle, etc.).
That string will be stored in the database, along with the username. So the password won’t actually be stored in the database; instead, it’s going to be stored somewhere in my notepad, along with that string, so I know it. And every time a user enters that password, it’s gonna do the same thing that it did the first time when the user entered their password.
This is a very secure method of saving passwords, since hackers, even if they know that string, cannot ever ever ever enter the account without doing a trillion math equations.

So that’s basically called a hash.

No no no. It breaks the law. But you can make it ask for a parent’s email. But the kids themselves cannot sign up to websites.

1 Like

They can’t use Glitch in the first place.

1 Like

Yep, Glitch deletes <13 accounts.

Excuse me, what? You plan to store people’s passwords in your notebook?

3 Likes

I highly recommend that you do not attempt to DIY a hashing algorithm, unless you really know what you are doing. Just use bcrypt or something in the SHA family.

4 Likes

That is not how it should be done.

4 Likes
5 Likes

I know what I am doing…

That was just a joke, I do not plan to publicize users’ passwords.

I meant other than Glitch, like local hosting.

I know, it was just an example.
I will scatter the letters everywhere and add random characters.

Please just use a hashing algorithm, I don’t think you know how encryption works.

5 Likes

That is also not how it should be done. :joy:

5 Likes

The rules of law still apply

6 Likes

Ok well, I don’t really think its funny to store passwords in plaintext.

5 Likes

COPPA

6 Likes

Use bcrypt. It’s my favorite.

4 Likes

Yesss, I was searching for that! I thought it was named DMCA.

2 Likes

Ok. What they mean is: take the password and make an MD5 or SHA-256 hash of it when they make the account. That is what you should store. Then when they log in, hash the password they used in the same way you did when they made the account, and check if it matches.

6 Likes
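The hash-at-signup, hash-at-login scheme described in the post above, combined with the “let them reset the password instead of giving it back” flow recommended earlier in the thread, as an added worked example in Python (this is not code posted by anyone in the thread). Two things differ from a bare MD5/SHA-256: a random per-user salt is stored next to the digest so two users with the same password get different hashes and precomputed tables are useless, and the hash is deliberately slow (PBKDF2-HMAC-SHA256 from the standard library, chosen here only because it needs no third-party package; bcrypt, scrypt or Argon2 are equally good choices). The in-memory dicts `USERS` and `RESET_TOKENS`, and the functions `register`, `login`, `request_reset` and `complete_reset`, are this example’s own stand-ins for a real database and web framework.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example, not code from the thread. These dicts stand in for the
# users and reset-token tables of a real database.
USERS = {}         # username -> {"password": stored hash string}
RESET_TOKENS = {}  # sha256(token) hex -> {"username", "expires", "used"}

PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest.
    Nothing in it can be reversed into the password; verification recomputes it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash checked for unknown usernames so a login attempt costs the same
# time whether or not the account exists (no username enumeration by timing).
DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(username: str, password: str) -> None:
    if username in USERS:
        raise ValueError("username already taken")
    USERS[username] = {"password": hash_password(password)}


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, record["password"])


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token to be e-mailed to the user. Only sha256(token)
    is stored, so a leaked table does not hand out working reset links. Returns
    None for unknown users; the HTTP response should look the same either way."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "username": username, "expires": now + RESET_TOKEN_TTL, "used": False,
    }
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token: must exist, be unexpired and unused; then set the new hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    entry["used"] = True
    USERS[entry["username"]]["password"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")      # constructed sample user
    print(USERS["alice"]["password"])                       # hash, never the password
    print(login("alice", "correct horse battery staple"))   # True
    print(login("alice", "wrong"))                          # False
    reset_link_token = request_reset("alice")               # would go out by e-mail
    print(complete_reset(reset_link_token, "new passphrase"))  # True, once
    print(login("alice", "new passphrase"))                 # True
```

Note that an admin looking at `USERS` sees only the `pbkdf2_sha256$...` string, which answers the question of how a site can authenticate users without anyone knowing their passwords. Forgotten passwords are handled by `request_reset`, which never reveals the old one and cannot, since the site no longer has it.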

What is DMCA?

1 Like

©

2 Likes

US Copyright Act.

4 Likes

Ok ok. I don’t know because I am not in the US.

5 Likes

It’s like a law about copyright.
If someone uses copyrighted content on your website, you can take it down.

It stands for Digital Millennium Copyright Act.

3 Likes

In order to use AbuseIPDB in Glitch you would have to set up an IP regex thing with Express.

5 Likes

That’s ok! Online, it’s just best to assume US law, as a lot of tech firms are based here.

5 Likes

Yes yes. Glitch and Replit and GitHub are in the US.

4 Likes

What backend language do you plan on using @no_one? PHP has a lot of encryption tools built in.

5 Likes

I suggest using PHP. I like it and use it.

3 Likes

NPM also has some good tools too.

3 Likes

Sure, what do most of you specialize in?

I was asking you the question.

2 Likes

You asked about php…

I really suggest NPM (not because I hate PHP) because there are a bunch of resources. If one thing doesn’t work, try another. Everything on there is open-sourced, so you can look at the code if you suspect that something doesn’t seem right.

3 Likes

I mean, there is Packagist if you want to use PHP, but that’s a debate for another time…

3 Likes

I wouldn’t use that project right now. There are some security flaws. You can see every file from the client side.

PHP is my best friend. You should use it.

1 Like

?? Composer is npm for PHP, and Composer has a bunch of packages.

Believe it or not, you can link npm and Composer.

2 Likes

Anyway, this is getting very off topic.

2 Likes

I agree, shall we continue in the gallery topic?
https://support.glitch.com/t/cc0-templates-free-website-templates-for-everyone/33321/21

I get that, but if you look at my post above,

is the reason why I said that.

Well, you never did answer the original question, what backend language do you plan on using?

5 Likes

But what coding language do you plan to use for this project?

4 Likes

Yes, nobody can help you if you don’t tell us the language that you are making it in. Stop evading the question, because nobody can help you if you don’t tell us the language.

4 Likes

Probably JavaScript.

*5

You cannot make login with plain JavaScript.

To be precise, please tell us what stack (combination of languages and frameworks) you will be using for this project.

1 Like

I think they only know/use HTML/CSS/JS. @no_one, is this true?

3 Likes

We will be using all the languages that the ones who posted in this thread know. Tell me what languages you know!

Yeah… true.

Please stop spamming my messages, let’s stop posting here for a while.

Since people don’t want my posts, I’ll be deleting them.

asp for the win lol

1 Like

We are not spamming, we are just asking you some questions.

Flask ftw: easy and in Python.

1 Like

We’re going to be using Flask and Python.

Flask was easier for smaller projects (chat), but when I started to build a megaproject out of it, it sort of grew out of hand. Then I realized that at that point building it in Express might be easier.

But you just said you didn’t know any other languages other than HTML, CSS, and JS?

1 Like

Flask may not be the best for this situation

1 Like

I am learning Python tho.

Do you want @random just to do all the work for you?

1 Like

Yeah, it can be alright for some things. It does have ways of making auth pages.

No, why are you thinking that?

Because you just said you didn’t know python.

1 Like

I’m not doing all the work, I’ll provide links, not work.

1 Like

Guys, this is a topic about website login security (and data privacy); nobody cares what you use to run your websites.

3 Likes

When did it say that?

Firebase Auth is more designed for Node.js.

4 Likes

Yeah, Node would be a good option.

But I would personally use Flask.

Yeah, I’ve tried flask-oauth2 once with Google. I ended up alternating between a bunch of examples to piece together some code; in the end it worked pretty nicely.
But Passport is cool too, since it supports a LOT of login protocols.

1 Like

Please, get back on-topic, this is about to become a mega-thread.

3 Likes

I tried to tell them, but my post just got lost in all the chaos.
EVERYBODY TALK HERE:
https://support.glitch.com/t/cc0-templates-free-website-templates-for-everyone/33321

It’s already been done.

1 Like

1 Like

I think I misread the post, hold on.

I updated the title to reflect the mega-thread status.

Thought I drop this here as we talk about backend frameworks:

Rust and C++ are actually the fastest frameworks, with the MEANstack at a lowly number 116. Postgresql makes it a little faster.

3 Likes

Erm, I think this might be closed.

Also, personally I think Flask may be better for you, but I think another reason I switched was that every time I made a change I would always have to fix one to three syntax errors, which ended up being annoying. For some reason JavaScript makes it harder for me to make syntax errors, probably because I’ve been coding in Java for a bit, which is typed.

2 Likes

This is getting way too off topic, can you guys listen?
Talk here please:
https://support.glitch.com/t/cc0-templates-free-website-templates-for-everyone/33321/

It would still be off topic if we moved to that thread also.
It would actually be more relevant to stay in here.

2 Likes

So are you admitting you just want people to do all of your work voluntarily?

4 Likes

If we switch, it’ll get out of control.

1 Like

Based on his post history, it certainly seems so…

4 Likes

Wait, uh, can glitch_support merge threads? It would be nice if they moved all the posts to the gallery topic.

No, I will do most of the work. The community will just suggest templates, and that’s it.

Well, how do you plan to make a login service client side?

6 Likes

oNLinE tUtOrIaLs

1 Like

You will need Node or PHP or other languages.

You say that mockingly yet you don’t want to do them.

3 Likes

Trust-a-me, I will put myself a deadline.

Ty

But I think it’s impossible to make login and signup in vanilla JS.

1 Like

Python. I will be using Python.

Okay. Then start learning. Let’s not continue this thread.

4 Likes

https://support.glitch.com/t/cc0-templates-free-website-templates-for-everyone/33321/21
Talk there

Why don’t we not talk anywhere. This was resolved.

4 Likes

No, I think it’s best not to talk at all right now

I’m going to start flagging off-topic posts.

4 Likes

Look at my newest post I made in the topic.

Also, by the way, on the topic of “is it illegal…”: didn’t someone mention r/legaladvice earlier? So you can go there for legal advice about passwords.

7 Likes

Yes I tried to ask him to ask there but he won’t make an account.

4 Likes

Can we have this thread closed before we get to 300 replies?

6 Likes

No, at least not yet… I want to ask something…
@no_one, you said you’re making a website that needs to have a log-in system, right? Well, I am also trying to do that, and I know that you need to use SQL to create a database to store all of the users’ information. So wouldn’t you know the password? I mean… how would you do it so that you can’t know a user’s password? It doesn’t make sense to me. (Sorry… I only just started learning JS and SQL…)

Actually, JS is very much required in a login system…

Ok, thanks, we’ll look at that when we get the time.

Please for the love of Octocat, do not bump.

5 Likes

Actually, you don’t make a login system with vanilla JS; it would just be too hard and easily be hacked. You use HTML and Node.js.

Really, any server-side language works.

No, I mean HTML forms, and you can use the attributes to send a POST request.

Wait tell me the situation before closing

1 Like

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.