On the registration process...
lost, not forgotten
written by Alex on Aug 16, 2021 13:16
About an observation by Albey Amakiir that caught me a little by surprise because I didn't remember how 80.style handled username and password between checking whether a username is available and effectively creating the account.

The password is not re-transmitted; most importantly, it isn't stored server-side in a non-hashed form. Transmission occurs via HTTPS, hence it might be less of a problem, but it's not even retransmitted, to be honest.

What happens is that the client UI script, running in the browser, remembers the username/password pair between the first transmission that sends them to the server to check whether they match an existing account, and the subsequent confirmation, when the username is still available, that triggers account creation.

Here's the full branch that handles the exchange:

The relevant line is:

return nav.to (null, 'sys/username/available', { path: 'sys/account/creation', username: tb (username), password: tb (password) });
...in which the username and password, "grabbed" by text fields on top of the "case" branch, are brought over as part of a js object to the next dynamic load.

Dynamic loads and "popstate" events are handled by a function called "nav.to", where that object, its third argument, is called "pairs". When nav.to receives those two fields to actually tell the server to create the account, it receives them as pairs.username and pairs.password, but they're not transmitted back by the server, they keep "circulating" in the browser's memory, client-side.

It is a bit convoluted, I'll admit, especially in that it likes to use the same exact form to both register accounts and allow people to log back in: that MAY be a little less safe, because it could raise the probability that someone wishing to register a new account could stumble into an existing username AND, out of random chance, pick the same password. But... on the other hand, this simplifies how the login process works: we don't need separate "verbs" for a user to "learn about"; this way, the sole thing a user has to learn is "enter".

No matter if existing or returning for a regular login, it's always "enter". That's the rationale behind that choice.