Do I really have to learn to code to do anything useful?
-
Will there be more pre-built functions and code snippets that I can access without having to learn to code from scratch?
I am a content writer, not a coder, and it seems that in order to have features like membership areas, discussion forums, product reviews, etc. I have to start learning to code and become a full-stack developer. Am I missing something, or is this more of a tool for those who are more technically minded? I like the page builder functions, but when I want to add a new feature I really have no interest in learning a whole programming language to do so. That's why so many people use tools like WordPress, where someone else designs the plugins that add functionality. Also, I don't understand how building my own account area and membership login functionality is secure. I have no idea if the code that I am writing can be hacked or is vulnerable in another way. Seems like there should be a lot more pre-coded functionality available for me to use in the page builder.
I welcome your opinions...
-
You're right, this isn't a good system for those that can't code.
The point about rolling our own DIY authentication is a very valid point and concern, even if you do know how to code.
-
I thought about making an authentication plugin, but that would involve external infrastructure which would make it expensive (Since we cannot wire up a complete back-end when installing plugins in Appdrag).
It's annoying because Appdrag doesn't seem to want to solve it themselves by building it in from the get-go.
-
@ThomasD Thank you for your contribution. DIY modules are very risky. I have paid for a site to be built on a number of occasions, and every time within a few months various code exploits were identified and exploited. I simply wouldn't trust the security of a secure area that I built myself.
-
@Academy-for-Certification-Training-Ltd
And for good reason, security issues in the Video guide:
- The eMail input is not checked for validity.
- Token is not payload size checked (Doesn't matter in this case)
- Same with Password input (Probably checked on DB Layer)
- Token is always the same, should be unique for every session
- Token can be stolen via JavaScript (Example, any script you add to the site, like chat, can grab the token and re-use it to authenticate). Better would be a secure cookie, that cannot be stolen using scripting.
- Session lifetime is infinite, it never expires.
- Token is in plaintext, should be encrypted and hashed with secret internally to verify its validity (Preferably use JWT instead).
- Protecting secret content with JavaScript, disable JavaScript and anyone can access the page content.
- eMail is not verified by link (As should be done with a one-time JWT token)
- Logins aren't rate-limited, so someone can brute-force it until you run out of API function time - thus, no one can login any more until you pay for more API time, rinse and repeat...
So why am I still using it?
Because we've built our own authentication system that we're going to use.
-
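Several items in the list above (a token unique to each session, an expiry, a server-side secret used to verify validity, a cookie that scripts cannot read) can be sketched in Node.js. This is an added example, not code from the video guide, AppDrag or anyone in this thread; `SECRET`, `TTL_MS`, the 512-character cap and all function names are assumptions, and it uses a plain HMAC-signed token rather than a JWT library.

```javascript
// Added example: signed, expiring, per-session token delivered in an HttpOnly cookie.
const { randomBytes, createHmac, timingSafeEqual } = require('crypto');

const SECRET = randomBytes(32);   // assumed: in practice load a fixed key from server config
const TTL_MS = 30 * 60 * 1000;    // assumed session lifetime: 30 minutes

function sign(data) {
  return createHmac('sha256', SECRET).update(data).digest('base64url');
}

// Issue a token that differs for every session and carries its own expiry.
function issueSession(userId, now = Date.now()) {
  const claims = { sub: userId, sid: randomBytes(16).toString('hex'), exp: now + TTL_MS };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns the user id, or null when the token is oversized, malformed, tampered or expired.
function verifySession(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length > 512) return null; // payload size check
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]));
  const given = Buffer.from(parts[1]);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number' || now >= claims.exp) return null;
  return claims.sub;
}

// Set-Cookie value: HttpOnly keeps page scripts (chat widgets etc.) from reading the token.
function sessionCookie(token) {
  return `session=${token}; Max-Age=${TTL_MS / 1000}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```
-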
@ThomasD FYI we do have plans to add a premade auth system for Authentication, but as ALL premade components it will be limited in terms of features and customization.
Our process is to always focus first on having fully customizable solutions with source code and with cloud backend,
then later we do create plugins based on that.
-
@Joseph-Benguira That's great! When I inquired about it the past xx times, it wasn't on the table. Glad to see it coming up.
The customization is what I love most about this system and why we choose it, but the majority of sites we'll create won't need customized authorization.
And I'm sure very few in total will need it. For example, being able to check if the user is currently logged in, inside of an API function, goes a long way and doesn't need a custom authorization layer.
-
@Joseph-Benguira Are user discussion forums on the roadmap? Also is there a link to the roadmap, it might answer many more questions
-
@Academy-for-Certification-Training-Ltd
Forums is way too difficult to make usable, I'd rather they focus on what's currently in the system.
There's basically only two forums businesses host these days, NodeBB, phpBB with vBulletin still hanging on. I always recommend NodeBB (Like Appdrag is using now), but it has to be properly managed.
-
@ThomasD There was a recent request for a How-To section to be added to the community. I think the idea is sound for someone like me who is more interested in how to implement a specific feature, even if that means using a third-party tool or software solution rather than getting instructions on how to code it myself. Having a learning academy is nice, but ultimately I want the end result and not how to get to the end result.
-
@Academy-for-Certification-Training-Ltd
Yeah, I have a list of articles I'm meaning to add to the How-To section, that's why I suggested it.
Just need to finish the project I'm currently working on.
-
@ThomasD I wait with bated breath
-
@ThomasD Does NodeBB also apply to commenting on blog posts or is that something different?
-
@Academy-for-Certification-Training-Ltd That's different, I'd suggest adding Disqus script widget or the Facebook Comments script widget.
Facebook adds some advantages like marketing targets and segmentation based on visits, but it could also be blocked by Firefox and Adblockers these days.