| Age | Commit message (Collapse) | Author |
|---|
|
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:
- AuthRequest: first step in the flow, the client sends it to signal the
intent to authenticate to the server.
- AssertCredential and AssertionFinish: server's challenge and client's
response, respectively, to finalize the flow.
- RegisterCredential and RegistrationFinish: same structure as the
above. Unlike the simple public-key auth with an out-of-band setup,
passkeys require user interaction to register. User must be
authorized.
Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.
Because it's a primary auth mechanism (not a second factor), require
user verification.
As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
|
|
The hCaptcha integration has been abandoned for a while. It added yet
another questionable third-party API (which also set a Cloudflare
cookie), and its effectiveness is unclear considering its client-side
nature.
A custom CAPTCHA implementation (such as PoW challenge) is an
interesting prospect, but it'll require proper server-side support.
|
|
Cookies's use case is to store persistent data and send it to the server
in subsequent requests, such as to remember logged-in sessions. WebAO is
using them to store site settings like ad-hoc hash tables that require
parsing and serialization.
As a nasty side-effect of how cookies work, clients send all their
settings every time they connect to the server. Server has absolutely no
use for them, but each client sends them anyway, which is an
uncalled-for privacy leak.
Remove this mechanism entirely, switch to localStorage which serves
exactly the purpose of per-origin store with data that never leaves the
browser.
|
|
Delete reference to the AO2 Discord server so users don't accidentally
complain there if I break something here.
|
|
|
|
|
|
|
|
|
|
|
|
- Redesign disconnect overlay as a full-screen modal with dark backdrop
- Add working Reconnect button that properly re-establishes WebSocket connection
- Add Disconnect button in Settings for testing
- Separate disconnect and ban/kick codepaths (no reconnect on ban)
- Log disconnect notice in IC log using hrtext style
- Refactor area list rendering from client state (renderAreaList)
- Extract appendICNotice for reusable IC log notices
- Clean up charselect: hide during loading, simplify toolbar layout
- Freshen loading screen and charselect styling
- Remove loading progress text updates (just show "Loading...")
- Guard against undefined client.chars and client.serv
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
prep for onhover description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mobile view
|
|
|
|
|
|
|
|
|
|
This reverts commit 965e3e937065511fe9052ac687f54c1528a1e043, reversing
changes made to b288429cca94a461c8fa3d1936905d7e0e601d7f.
|
|
Use datalist in pairing to make it searchable
|
|
By using data list instead of select, we can easily make it
searchable and render a platform-native dropdown which
filters options based on the search.
This makes finding your pairing partner much easier,
especially in servers with many characters.
|
|
Currently, we use objection_button class for the shouts, but the
toggleShout function actually changes it to client_button
instead. This makes it change style (height) whenever
it is pressed. We can fix this by just using client_button.
That makes it look more like the rest of the buttons as well.
Since we don't use objection_button anymore, remove it from
the styles.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
