Hacker News new | ask | show | jobs
by deaddodo 1214 days ago
I was digging through the comments for someone to point this out. I’m honestly curious why people are using these overly complex options when a solution has been built into the HTTP standard for decades (and, in fact, is heavily abused for many APIs).

And it’s superior in many ways, since the file is never delivered until authentication has been completed.
3 comments
chii 1214 days ago
with basic authentication, you cannot embed the decryption key into the url via a hash fragment.

This means you must have a secondary channel to communicate to the user about the password, and the server must also know the password.

So depending on your use-case, the basic auth isn't suitable. For example, mega : https://en.wikipedia.org/wiki/Mega_(service) , in which you want to ensure that the decrypted data is _not_ accessible to the server, so the key is not stored nor sent to the server!

link
deaddodo 1212 days ago
Sure you can, it’s been built-in to the HTTP spec since RFC1738[1]. You just do:

//<user>:<pass>@<url>[:<port>][/<location>]/

It doesn’t work on IE classic, but should still be perfectly valid on Chrome, Safari, Firefox, etc.

1 - https://www.ietf.org/rfc/rfc1738.txt

link
rvnx 1213 days ago
In a real-life scenario, the server can access the key and collect it back (just farming location.hash)
link
flippinburgers 1212 days ago
Person A doesn't know about basic auth - primarily because it isn't a hip way to solve the problem - so person A spends a bunch of time understanding, installing, and using something unnecessarily convoluted. When presented with evidence of a simpler solution, they balk because humans value things they have spent time on especially when it is their own solution, their own "discovery".
link
yoble 1213 days ago
Author here - the specific use case is when you _don't_ have or want server-side logic or a DB. For example on static hosting (hence the name StatiCrypt) like Github pages, Netlify, etc.

That means nothing to maintain, no server cost, no serverless functions to rely on, etc.

But when that's not a constraint there are many different options that might make more sense.

link
deaddodo 1212 days ago
Sure, I’ll give you that use case.

It’s just weird how many people are jumping on this as some new technique when Basic Auth is fully usable in many other cases.

link