webao, branch master WebAO fork Add passkey authentication (WebAuthn) 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T13:19:40+00:00 aa4c30bb6d1e46b5019065fba6c0eb3c08aa1f34 Bring in the subprotocol (the same as what's used on the desktop client for public-key authentication) to carry the relevant messages: - AuthRequest: first step in the flow, the client sends it to signal the intent to authenticate to the server. - AssertCredential and AssertionFinish: server's challenge and client's response, respectively, to finalize the flow. - RegisterCredential and RegistrationFinish: same structure as the above. Unlike the simple public-key auth with an out-of-band setup, passkeys require user interaction to register. User must be authorized. Validate all relevant checks on the API side, and hand the data over to the server for it to verify attestations and assertions. Because it's a primary auth mechanism (not a second factor), require user verification. As we don't use any other method on web, add a passkey button as the only sign-in interface. Passkeys are discoverable, we don't even need a username. 
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:

- AuthRequest: first step in the flow, the client sends it to signal the
  intent to authenticate to the server.

- AssertCredential and AssertionFinish: server's challenge and client's
  response, respectively, to finalize the flow.

- RegisterCredential and RegistrationFinish: same structure as the
  above. Unlike the simple public-key auth with an out-of-band setup,
  passkeys require user interaction to register. User must be
  authorized.

Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.

Because it's a primary auth mechanism (not a second factor), require
user verification.

As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
Remove defunct CAPTCHA 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T03:16:18+00:00 ae7ef2c6c76947ea12cbb1592152d9c80fd1a8f3 The hCaptcha integration has been abandoned for a while. It added yet another questionable third-party API (which also set a Cloudflare cookie), and its effectiveness is unclear considering its client-side nature. A custom CAPTCHA implementation (such as PoW challenge) is an interesting prospect, but it'll require proper server-side support. 
The hCaptcha integration has been abandoned for a while. It added yet
another questionable third-party API (which also set a Cloudflare
cookie), and its effectiveness is unclear considering its client-side
nature.

A custom CAPTCHA implementation (such as PoW challenge) is an
interesting prospect, but it'll require proper server-side support.
Replace cookies with localStorage 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T02:55:26+00:00 4bd750ca1f3e446f68e0f88fabf0682fd4d61848 Cookies's use case is to store persistent data and send it to the server in subsequent requests, such as to remember logged-in sessions. WebAO is using them to store site settings like ad-hoc hash tables that require parsing and serialization. As a nasty side-effect of how cookies work, clients send all their settings every time they connect to the server. Server has absolutely no use for them, but each client sends them anyway, which is an uncalled-for privacy leak. Remove this mechanism entirely, switch to localStorage which serves exactly the purpose of per-origin store with data that never leaves the browser. 
Cookies's use case is to store persistent data and send it to the server
in subsequent requests, such as to remember logged-in sessions. WebAO is
using them to store site settings like ad-hoc hash tables that require
parsing and serialization.

As a nasty side-effect of how cookies work, clients send all their
settings every time they connect to the server. Server has absolutely no
use for them, but each client sends them anyway, which is an
uncalled-for privacy leak.

Remove this mechanism entirely, switch to localStorage which serves
exactly the purpose of per-origin store with data that never leaves the
browser.
Update dependencies and ECMAScript target 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T14:48:43+00:00 085204dbdf17f379c9a32ea11660accb51b4311d Fix relevant breaking changes. 
Fix relevant breaking changes.
Avoid bothering the upstream 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T22:18:29+00:00 45b706909323ba82035c49eb9d2b2546eeab6a78 Delete reference to the AO2 Discord server so users don't accidentally complain there if I break something here. 
Delete reference to the AO2 Discord server so users don't accidentally
complain there if I break something here.
Remove attorneyMarkdown 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T22:06:50+00:00 3e5eda1fd61ab057472c4e8734ba57e1a0c84a33 It only caused chat_config.ini to be requested a lot. 
It only caused chat_config.ini to be requested a lot.
Change extension of positions to WebP 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T22:06:09+00:00 6a7a4f68711432d73fbf1355f15402fa6d31aafa These should obey the extension data, but instead they're hardcoded to predefined PNG and GIF files. 
These should obey the extension data, but instead they're hardcoded
to predefined PNG and GIF files.
Temporarily default to blips value "m" 2026-04-18T16:52:22+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T22:05:03+00:00 1c458e5841ae30bed8b6f3107d3f65353d9b731c Blips aren't handled correctly every time, resulting in a lot of 404 URLs and invalid blips. 
Blips aren't handled correctly every time, resulting in a lot of 404
URLs and invalid blips.
Guess WSS, not WS, if the schema isn't set 2026-04-18T16:52:22+00:00 Osmium Sorcerer os@sof.beauty 2026-03-31T14:23:41+00:00 14b8190d1e0efdfd7b2650923f7b014614dcf937 






Add source code links in About section
2026-04-18T16:52:22+00:00

Osmium Sorcerer
os@sof.beauty

2026-03-25T20:03:22+00:00

f628de1f9726fa734b1787cb587091013bbb518d