webao/public/client.html, branch master WebAO fork Add passkey authentication (WebAuthn) 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T13:19:40+00:00 aa4c30bb6d1e46b5019065fba6c0eb3c08aa1f34 Bring in the subprotocol (the same as what's used on the desktop client for public-key authentication) to carry the relevant messages: - AuthRequest: first step in the flow, the client sends it to signal the intent to authenticate to the server. - AssertCredential and AssertionFinish: server's challenge and client's response, respectively, to finalize the flow. - RegisterCredential and RegistrationFinish: same structure as the above. Unlike the simple public-key auth with an out-of-band setup, passkeys require user interaction to register. User must be authorized. Validate all relevant checks on the API side, and hand the data over to the server for it to verify attestations and assertions. Because it's a primary auth mechanism (not a second factor), require user verification. As we don't use any other method on web, add a passkey button as the only sign-in interface. Passkeys are discoverable, we don't even need a username. 
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:

- AuthRequest: first step in the flow, the client sends it to signal the
  intent to authenticate to the server.

- AssertCredential and AssertionFinish: server's challenge and client's
  response, respectively, to finalize the flow.

- RegisterCredential and RegistrationFinish: same structure as the
  above. Unlike the simple public-key auth with an out-of-band setup,
  passkeys require user interaction to register. User must be
  authorized.

Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.

Because it's a primary auth mechanism (not a second factor), require
user verification.

As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
Remove defunct CAPTCHA 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T03:16:18+00:00 ae7ef2c6c76947ea12cbb1592152d9c80fd1a8f3 The hCaptcha integration has been abandoned for a while. It added yet another questionable third-party API (which also set a Cloudflare cookie), and its effectiveness is unclear considering its client-side nature. A custom CAPTCHA implementation (such as PoW challenge) is an interesting prospect, but it'll require proper server-side support. 
The hCaptcha integration has been abandoned for a while. It added yet
another questionable third-party API (which also set a Cloudflare
cookie), and its effectiveness is unclear considering its client-side
nature.

A custom CAPTCHA implementation (such as PoW challenge) is an
interesting prospect, but it'll require proper server-side support.
Replace cookies with localStorage 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T02:55:26+00:00 4bd750ca1f3e446f68e0f88fabf0682fd4d61848 Cookies's use case is to store persistent data and send it to the server in subsequent requests, such as to remember logged-in sessions. WebAO is using them to store site settings like ad-hoc hash tables that require parsing and serialization. As a nasty side-effect of how cookies work, clients send all their settings every time they connect to the server. Server has absolutely no use for them, but each client sends them anyway, which is an uncalled-for privacy leak. Remove this mechanism entirely, switch to localStorage which serves exactly the purpose of per-origin store with data that never leaves the browser. 
Cookies's use case is to store persistent data and send it to the server
in subsequent requests, such as to remember logged-in sessions. WebAO is
using them to store site settings like ad-hoc hash tables that require
parsing and serialization.

As a nasty side-effect of how cookies work, clients send all their
settings every time they connect to the server. Server has absolutely no
use for them, but each client sends them anyway, which is an
uncalled-for privacy leak.

Remove this mechanism entirely, switch to localStorage which serves
exactly the purpose of per-origin store with data that never leaves the
browser.
Avoid bothering the upstream 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T22:18:29+00:00 45b706909323ba82035c49eb9d2b2546eeab6a78 Delete reference to the AO2 Discord server so users don't accidentally complain there if I break something here. 
Delete reference to the AO2 Discord server so users don't accidentally
complain there if I break something here.
Add source code links in About section 2026-04-18T16:52:22+00:00 Osmium Sorcerer os@sof.beauty 2026-03-25T20:03:22+00:00 f628de1f9726fa734b1787cb587091013bbb518d 






bigger evidense description
2026-04-10T11:51:09+00:00

stonedDiscord
Tukz@gmx.de

2026-04-10T11:51:09+00:00

0fe5422373c60214c6d99931239fed00abcd7198












remove UI related changes
2026-03-28T13:09:06+00:00

David Skoland
davidskoland@gmail.com

2026-03-28T13:09:06+00:00

6f407b54c3251b90463bc508852b031d72b0c673












no initial text
2026-03-24T13:12:30+00:00

David Skoland
davidskoland@gmail.com

2026-03-24T13:12:30+00:00

95145c824e252b030a5e53950c9f1ed39774c79a












Add Connected and Disconnected notices
2026-03-24T11:35:41+00:00

David Skoland
davidskoland@gmail.com

2026-03-24T11:35:41+00:00

28a140dc8ab8adf32c783c6887e29c245981ab51












Add reconnect UI, disconnect button, and visual cleanup
2026-03-24T11:23:45+00:00

David Skoland
davidskoland@gmail.com

2026-03-24T11:23:45+00:00

1a1ed4e1d0568a1610d5f5da3d541a59afe2b863

- Redesign disconnect overlay as a full-screen modal with dark backdrop
- Add working Reconnect button that properly re-establishes WebSocket connection
- Add Disconnect button in Settings for testing
- Separate disconnect and ban/kick codepaths (no reconnect on ban)
- Log disconnect notice in IC log using hrtext style
- Refactor area list rendering from client state (renderAreaList)
- Extract appendICNotice for reusable IC log notices
- Clean up charselect: hide during loading, simplify toolbar layout
- Freshen loading screen and charselect styling
- Remove loading progress text updates (just show "Loading...")
- Guard against undefined client.chars and client.serv

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>





- Redesign disconnect overlay as a full-screen modal with dark backdrop
- Add working Reconnect button that properly re-establishes WebSocket connection
- Add Disconnect button in Settings for testing
- Separate disconnect and ban/kick codepaths (no reconnect on ban)
- Log disconnect notice in IC log using hrtext style
- Refactor area list rendering from client state (renderAreaList)
- Extract appendICNotice for reusable IC log notices
- Clean up charselect: hide during loading, simplify toolbar layout
- Freshen loading screen and charselect styling
- Remove loading progress text updates (just show "Loading...")
- Guard against undefined client.chars and client.serv

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>