I love breaking things and I've noticed that users are able to intercept the UID / ID of the received messages in the Websocket and edit / spoof past messages from other users.
edit: And editing other user names and rooms settings.
Thanks for catching that! One thing I really wanted for the project was not having to sign in to use, but that's been causing a lot of security holes like this. Gonna try to fix everything soon
Out of curiosity, what are the motivation(s) for not requiring users to sign in? Is it just lowering the barrier to entry, or are you concerned with privacy?
I'm really not knowledgeable about firestore, firebase or even authentication systems, but couldn't a user request a secret key that the user will use to authenticate itself when sending a message into the websocket (that will not be transmitted to the other users)?
For the login-gate, I'm pretty sure 99%+ of the visitors would not have created an account. Even without the login, the HN room shared in that thread was kind of inactive.
Since the rooms are "private" by default (secret token in the URL), authentication is now really necessary for casual usage.
Yes, you could generate an RSA key pair in the browser and send a tuple of user id (or just a nonce) and public key to the server as a form of automatic registration. The client could prefix each chat with the user id/nonce and sign it with the private key before sending it to the server. From then on the server could simply retrieve the public key it has associated with the user id prefix and reject any messages that fail signature validation.
This could also work in a peer-to-peer context by only using the server for public key registration (i.e. by chat room). All messages would go directly between clients and the server would never receive chat messages.
I tried my hand at something similar using a sleep music themed YT channel and website. Couldn't get things to click. And FB ended up blocking my site on the sharing debugger.
I think there's a line where it stops being reasonable. If I know every comment on a Show HN is going to be blatant self promotion, I'm not going to view those posts even if the OP is interesting to me.
> Show HN is for something you've made that other people can play with. HN users can try it out, give you feedback, and ask questions in the thread.
> On topic: things people can run on their computers or hold in their hands. For hardware, you can post a video or detailed article. For books, a sample chapter is ok.
I am glad to see work from other hacker news members. When it isn't interesting to me, I find something else on the internet or IRL that is.
Great point. While not everything is appropriate to share in response to someone else's "Show HN" post, I've definitely seen (and appreciated) others linking similar projects. It usually is in the context of saying something like:
- I tried this too, and can appreciate that you solved way harder things than we expected to have to deal with
- I had this idea too but like your execution
I think it's very fitting, especially since we are celebrating not just the idea, but the execution that someone did to be able to show it off here.
Maybe there should be a weekly/monthly “Show HN” (like the who’s hiring thread) where everyone can promote what they’re working on. Doesn’t have to be new things, even progressive updates would do.
Hey @dang, how does a free-for-all self promotion thread sound (minus the spam)?
https://lofi.chat/r/Hacker-news-310e9120
Good vibes only