
Hey everyone,

Sorry that private messaging is still down. It's one of the main features that is being implemented through Dazah. Unfortunately, it wasn't until sticking it into a production environment when I realized that its performance is subpar and the algorithms need a major overhaul. That's what I've been spending most of today on, and hopefully I should be done by the end of tomorrow or Saturday.


0

That would be a lot more interesting if I could access my account to send or receive PMs
I just spent another hour plus trying to find a way to log in to my account (deleting cookies etc) but now things are worse. On my main machine I now can't log in at all, not even via this dummy account. Clicking on login just refreshes the page. (I'm sending this from my iPad)

I see from recent activity that a couple of old timers have got back online, but the vast vast majority are silent - maybe because they can't access the system?

0

I'm trying to remember how I did it now :)

Essentially, as Dani didn't copy passwords over to Dazah along with email addresses associated to DaniWeb, you need to reset your password - on Dazah. If I recall correctly, and I admit to being in a bit of a medicated fog so excuse me if not, I went to Dazah.com and disassociated the email/account from DaniWeb. Then (from the Dazah settings page - tab at top somewhere) I did a password reset having made sure I was using the right email address for my DaniWeb account. This prompted an email link to be sent that let me reset the password. Then I came back to DaniWeb, made sure I was logged out (in my case I had managed to associate another email address with another DaniWeb account of mine) and logging in with the right email address then just went smoothly.

I'm not logging out though, in case I can't get back in :)

0

I did the reset password routine and can successfully log in to Dazah but that's as far as I get on my old account. Maybe not having all my profile fields filled out means that logging in lands me in a utopian galaxy instead of Daniweb.

0

I now seem to have a login at dazah, with the email for my dw account, but I can't log in to dw... It asked me to approve using dazah, which I did, but then it bounced me back to dw not logged in. Since then if I click login it just refreshes the screen. I'm still sending this from my iPad hoping I won't get logged off here and left with zero access of any sort. This is a tragedy... Why didn't her friends stop Dani from launching a totally re-written system without proper QC, testing, or warning?

0

@Nobody_1/JC, what you are describing is exactly what happens to me with my original account. I'm sure there are many other members stuck in the same predicament - arghh

0

It asked me to approve using dazah, which I did, but then it bounced me back to dw not logged in.

Oooooooooohh!! I didn't realize that was the behavior everyone was experiencing! I think I know what's wrong.

0

Oooooooooohh!! I didn't realize that was the behavior everyone was experiencing! I think I know what's wrong.

Unfortunately I tried to reproduce what I thought the problem was, and it turned out not to be what I thought. The only thing I can think of is clearing cookies? :-/ Obviously this is a huge issue, so I'll keep working at it. :(


0

Clearing cookies could certainly be something. I did this (almost on autopilot) at the outset of my problems with logging in, and had no hassle once I did the reset password thing.

0

Clearing cookies was in my autopilot too. I still need to do it to prevent automatic login to the previously logged-in user. I'm not at all happy with that automatic logon - there's a password on my account for a reason. If I chose to bypass that protection by using a password manager on my machine that's up to me.

0

To prevent automatic login, you need to log out of Dazah. Keep in mind that DaniWeb now uses "Login with Dazah" the same way that a site would use Log In with Facebook, etc.

If you logged into legacy DaniWeb, or any third party app, with Facebook, you wouldn't expect that logging out of DaniWeb would also log you out of Facebook as well. You're only logging out of the single app.

If you are already logged into Facebook on your computer, the benefit of clicking log in with Facebook on a third party app is single-click sign-in. If you log out of the app, you can log back into it with a single click as well.

The same rule applies here. :)

What I can do in the future is offer a checkbox on the Dazah sign-in page asking whether you want to stay logged in or have cookies cleared after every use.

3

If you are already logged into Facebook on your computer, the benefit of clicking log in with Facebook on a third party app is single-click sign-in. If you log out of the app, you can log back into it with a single click as well.

Usually it's TWO clicks when logging in via Facebook in my experience. Use Disqus as an example. First click is Disqus login. A window pops up with login options, one of which is a Facebook logo. Click that and you're in, provided you're already logged into Facebook. I'm not crazy about the two-click method either, but at least there's that popup and second click so I know that I'm logging in via Facebook. Maybe if you could ONLY log in via Facebook, that popup wouldn't show up and it would only be one click and you wouldn't know why. At minimum, I think you should implement something like that when logging into Daniweb. A "Log in through Dazah" popup so panic doesn't set in with the one click and we know to log OUT of Dazah if we want to be secure. I'm not going to remember to check Dazah in a month if I stay logged in. Facebook is common enough that, as I'm puzzling why I logged back in so easily, I think "Oh yeah, Facebook" and check that. With the new Daniweb, I just assumed single-click login was a huge bug. Turns out it's a feature. :)

If you logged into legacy DaniWeb, or any third party app, with Facebook, you wouldn't expect that logging out of DaniWeb would also log you out of Facebook as well. You're only logging out of the single app.

This new trend redefines the entire concept of "logging out". I realize you didn't start this trend, but it's a troubling one. In the old days, if I wanted the "benefit" of single-click login, Chrome offered to remember the username/password for Daniweb so I didn't have to keep typing it. Click "Log In" and there's a nice popup from Chrome asking if I want to use my stored Daniweb username and password, I click "Yes", and voila, I'm in. It might have been three clicks, not one though. To use the Facebook example, suppose I've logged into five forums using Facebook. I want to SECURELY log out of Disqus. I now have to log out of Facebook, which logs me out of Facebook and all the other forums. Now I log back into Facebook and retype my password, then log back in to the other four forums. And I'm still stuck with the two-step login from Disqus AFTER I re-login into Facebook. That's a benefit and convenience I can do without. Which is why I don't use forums that REQUIRE me to log in through Facebook or anything else. Because once Facebook is breached, everything using Facebook as a login is breached. I know I'm paranoid. Facebook would never violate privacy and is immune to security breaches.

What I can do in the future is offer a checkbox on the Dazah sign-in page asking whether you want to stay logged in or have cookies cleared after every use.

If Dazah takes off like you hope, that same "must log out of five forums to log out of one" benefit will be there for Dazah too.

Anyway, this is just one guy's opinion. Control freak that I am, I like being able to pick and choose what is done automatically for my benefit. And I don't mind clicking three times. I need the exercise.

Votes + Comments
Conceptually, I agree. However, in practice, I think it makes sense for us to follow just industry-wide practice and keep within the OAuth standard.
I really agree with this. I want to control my security myself
0

Usually it's TWO clicks when logging in via Facebook in my experience. Use Disqus as an example. First click is Disqus login. A window pops up with login options, one of which is a Facebook logo. Click that and you're in, provided you're already logged into Facebook.

Maybe if you could ONLY log in via Facebook, that popup wouldn't show up and it would only be one click and you wouldn't know why.

So that's what's going on here where you can ONLY log in via Dazah, so there's no option to choose which way you want to log in. The first time you try to log in, you need to authenticate DaniWeb with Dazah, and you go through the Dazah process. After that, it's seamless because it's the only login method.

Suffice to say, we follow the exact standard when it comes to this, so my hope is that what is going on is understood out of seeing the same behavior elsewhere.

3

I think it makes sense for us to follow just industry-wide practice and keep within the OAuth standard.

we follow the exact standard when it comes to this, so my hope is that what is going on is understood out of seeing the same behavior elsewhere.

Glad to hear this. I agree that you should follow the industry standard, particularly a small (one programmer!) shop like yourself. It sounds like the reason that you did not migrate the passwords was because you felt the old way was not secure enough? Or security was good enough, but you wanted to make it better? Regardless, beefing up password storage can only be a good thing, so bravo on that.

I think a lot of this could have been avoided by keeping us in the loop and explaining what was going on before rolling things out. A little thread in advance explaining what Dazah was (briefly), that e-mail addresses were being migrated over to Dazah, but passwords were not, so we would all have to reset the passwords, that the Daniweb login was now through Dazah, what permissions we were giving Dazah and why, what was the minimum level of permissions required, etc., plus if you offer an option to revoke those privileges, then they need to be revocable. I've explained this in other posts. When things are vague, people get nervous. If I've learned one thing in damage control/prevention, it's that perception is often reality. Your site could be the most secure site in the world, but if people don't know that, you have problems and when in doubt, users assume the worst. I had an engine rebuilt. The mechanic left greasy thumbprints all over the place. Never trusted the car after that. Turns out he did an excellent job, but I was always thinking "If he couldn't be bothered to wipe off the dirty fingerprints, where else did he take shortcuts that I can't see..."

Just food for thought for future rollouts coming from a guy who has personally learned the hard way that, running on fumes or not, tight deadlines or not, transparency and notifying everyone ahead of time of what is going on and why, along with non-vague error messages is essential. YOU may know that you have everything under control security-wise and YOU may know that you aren't going to abuse our contacts/messaging/groups/information, but WE don't know that, so if you don't explain, I got the same feeling I get when I download a Solitaire game and the program requires Admin access and wants to control my webcam and microphone or when the guy ringing up my burger order says he needs my birthdate, social security number, and mother's maiden name. Hmmm... That you were requiring access to my DAZAH contacts and not my GMAIL contacts didn't click for me. I couldn't think of any legitimate reason you'd want any control over my gmail account. In lieu of an explanation, my mind wandered to dark places.

I've been making the same points ad nauseam so I'll stop. Thank you for the clarifications. I think some more are needed, but it's no longer an emergency (as all security/privacy concerns are), so can wait till it's all debugged and you're no longer running on fumes. On one final, final note, you are a one-person show, but your product is an online forum populated by programmers, so I think you might be pleasantly surprised if you throw out an appeal for volunteer beta testers/document writers or even programming help next time.

Votes + Comments
Agree
agreed
Absolutely right
0

It sounds like the reason that you did not migrate the passwords was because you felt the old way was not secure enough?

Yes, precisely.

I think a lot of this could have been avoided by keeping us in the loop and explaining what was going on before rolling things out.

The thread explaining what Dazah is exists here, and was a discussion that started about 5 months ago: https://www.daniweb.com/community-center/daniweb-community-feedback/area-51/threads/502148/future-direction-of-daniweb

e-mail addresses were being migrated over to Dazah, but passwords were not

I mentioned that somewhere a few days ago (https://www.daniweb.com/community-center/daniweb-community-feedback/threads/504951/i-ll-have-to-stop-using-the-forum-why-the-change-to-dazah-#post2205749) but, in retrospect, I should have been a lot more transparent about it.

plus if you offer an option to revoke those privileges, then they need to be revocable.

Privileges can be revoked here: https://www.dazah.com/users/settings

Just food for thought for future rollouts coming from a guy who has personally learned the hard way that, running on fumes or not, tight deadlines or not, transparency and notifying everyone ahead of time of what is going on and why, along with non-vague error messages is essential.

Essentially what it comes down to is that I rolled things out too early, I knew that going in, and so I wanted to spend the next few days squashing my todo list and getting all my ducks in a row before making a big happy announcement about it. Especially when it's something I've been going on talking about for a year. I didn't count on so many loyal users being so flustered so quickly.

That you were requiring access to my DAZAH contacts and not my GMAIL contacts didn't click for me.

I guess it just needs to click that the login is the Dazah OAuth flow, which works just like any other OAuth flow out there. ;) I guess I assumed that because I was following industry standards, the auth page would be easily recognizable as an OAuth auth page. After all, we've all clicked on a Facebook app and been presented with "App XYZ is requesting the following Facebook privileges...".

On one final, final note, you are a one-person show, but your product is an online forum populated by programmers, so I think you might be pleasantly surprised if you throw out an appeal for volunteer beta testers/document writers or even programming help next time.

Once I get all my ducks in a row, that's the next step ;) ;), when I start looking for volunteers excited to write their own apps on top of Dazah, much the same way DaniWeb is written on top of Dazah!! It's a REALLY powerful OAuth-based API, and, as you can see, I'm eating my own dogfood here.

0

Privileges can be revoked here: https://www.dazah.com/users/settings

  1. Navigated to https://www.dazah.com/users/settings
  2. Permissions are granted, according to text. Clicked "Deauthorize". Permissions disappear.
  3. Clicked "Log Out"
  4. Redirected to https://www.dazah.com
  5. I see no option to log in or log out on this page ( https://www.dazah.com)
  6. I navigate to www.daniweb.com. I appear to be logged into Daniweb as AssertNull still.
  7. I view my profile, still see myself logged in as AssertNull.
  8. I try to EDIT my profile, which kicks me to the Dazah login page, so I must be logged out of Daniweb now.
  9. I log in to Dazah and see that Dazah wants the permissions again.
  10. I see a "Continue as Fred" button, which I click.
  11. I then get a popup at Daniweb saying "You do not have permissions required to access this page".
  12. There is a "Go Back" button, which I press. This brings me to the Dazah login page again.
  13. Same page as before, asking for the same permissions. I push "Continue as Fred" again.
  14. Now I'm at Daniweb again, logged in as AssertNull.
  15. Navigate to https://www.dazah.com/users/settings again.
  16. Permissions previously deauthorized are now listed as authorized again.

Was I not supposed to click "Continue as Fred"? Apparently that resets the permissions?

I am on Windows 10 using Google Chrome. I didn't clear cookies.

1
  1. You went to Dazah settings and see that you previously granted DaniWeb permission.
  2. You click Deauthorize and DaniWeb loses permission to access or modify your Dazah account.
  3. You log out of Dazah.
  4. You're redirected to Dazah's homepage from the settings page upon being logged out.
  5. At this time, you can't log in to Dazah directly. You can only log in through a third-party app such as DaniWeb. This will change, but there's no loss of functionality in the meantime.
  6. Revoking DaniWeb's permissions or logging out of Dazah does not log you out of DaniWeb. Similarly, if you click "Log In with Facebook" in legacy DaniWeb, and you now have your DaniWeb cookies set, logging out of Facebook in the future or revoking DaniWeb's permissions from FB does not have anything to do with your DaniWeb cookies.
  7. You view your profile, you're still a logged in DaniWeb member with DaniWeb cookies.
  8. You go to edit your profile, which is one of the places on this site that requires access to your Dazah account. (Other places include messaging, etc.) We notice you revoked your permissions, so we send you to reauthorize us again. However, because you logged out of Dazah as well, you have to log back into Dazah before you can reauthorize us again.
  9. Yes, we want permission again, because you are trying to edit your profile, which is one of our Dazah-based features, and you revoked permission. So you must give it back to us before we can let you edit your profile.
  10. Continue as yourself.
  11. This is a bug. You should have landed back on the edit profile page, where you started.
  12. Continuation of bug.
  13. Continuation of bug.
  14. You're at DaniWeb again, but what page did it put you back on?
  15. OK ...
  16. They are authorized again because when you clicked "Continue as Fred", that is reauthorizing DaniWeb. That's why the page says "Do you authorize DaniWeb?" and then has a button "Continue". In this sense, "Continue" means yes, I authorize, go ahead.


Votes + Comments
Makes sense. Thanks.
0

Just to clarify, at no time during the process were you logged out of DaniWeb. Your DaniWeb cookies existed all along. When you were thrown back to the Dazah authorization page, it was because DaniWeb needed Dazah permissions to continue. This is similar to the experience the first time you log in when you haven't granted Dazah permissions yet the first time around either.

More information about OAuth can be found at: https://en.wikipedia.org/wiki/OAuth
