Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unlisted and password-protected pages #1636

Open
jace opened this issue Dec 3, 2024 · 3 comments
Open

Unlisted and password-protected pages #1636

jace opened this issue Dec 3, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@jace
Copy link

jace commented Dec 3, 2024

Is your feature request related to a problem? Please describe.

Sometimes I'd like to get feedback on a draft before I make it public. The easiest way to circulate a draft is by putting it on the website without announcing it, as an unlisted page -- it's not in the feed and it's not linked from any other page and doesn't appear in the graph. It's only accessible through the URL. Additionally, if the content is sensitive, I may want to password-protect it.

Describe the solution you'd like

Two new properties in the front-matter:

  1. unlisted: boolean flag. This sits alongside the existing draft and publish flags and doesn't affect their workflow. It only removes autogenerated links to and from this page (graph view, backlinks, explorer).
  2. password: a string password or a list of passwords. This will cause the static page to have encrypted content (AES 256 or whatever is reasonable), needing one of the passwords to decrypt it client side.

Since encrypted content still leaks (a) content length information and (b) is vulnerable to offline brute forcing, the implementation could store the encrypted content in a separate file with a randomised name, only storing this filename in the page, also encrypted.

Build process, if password is present in front-matter (could be a plugin that does this):

  1. Generate a random encryption key.
  2. Encrypt page content using this key.
  3. Store this content as JSON in the page, or generate a random UUID and store JSON blob in original-file-name-random-uuid.json in the same folder.
  4. For each password, encrypt the random random encryption key and the data JSON filename with the password and store these as a JSON list in the page.
  5. Generate static page including a script that implements content decoding.

Render process:

  1. Included script renders a password dialog in the page.
  2. If the URL has a password (eg, /secret-page#password=secret-key), autofill the dialog and submit.
  3. On submit, test the password against the stored list sequentially, looking for a match. If one of the lines can be decoded to retrieve the encryption key (and data filename, if stored externally), fetch the JSON blob (from within current page or from server), decrypt contents and render the page.

The author can share distinct passwords with different collaborators and revoke them anytime by removing them from the front-matter. When the password field is removed, the page is no longer encrypted. Password protected pages may or may not be unlisted – those flags are separate.

Describe alternatives you've considered

My current workflow is to share .md files over chat for review, which is sub-optimal. Most people will read it as unrendered plain text, I have no control over the file's subsequent life, and it's hard to keep sharing revisions. When I need interactive collaboration, I copy the content in a Google Doc, but after this it's no longer Markdown and no longer lives in the vault, so there's a final reverse copy and reformat to Markdown required.

Additional context

WordPress supports password-protected pages and this has long been used for similar workflow needs.

@jace jace added the enhancement New feature or request label Dec 3, 2024
@xkjjx
Copy link

xkjjx commented Dec 6, 2024

I really like the password protection idea - there is a lot of content that I would like to have hosted that I wouldn't necessarily want everyone to read.

@halavah
Copy link

halavah commented Dec 20, 2024

Request for Password Protection at Startup @jackyzha0

@saberzero1
Copy link
Collaborator

Request for Password Protection at Startup

#1481

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants