Require authentication to create Via links #74

Closed
lyzadanger opened this issue Dec 15, 2020 · 7 comments

@lyzadanger
Contributor

It might not slow people down too much, but we could track the origins of malign links and potentially disable them, or have a few other levers at our disposal.

lyzadanger added this to the 4 - Idea factory milestone Dec 15, 2020
@esanzgar

One possible implementation for this:

  • allow serving requests through via if referrer is bouncer or via
  • if the referrer is different then allow the request only if the link was created using the form in via

At the point of creating a link using the form in via, the URL could be saved in a database of allowed URLs that can be served without referrer.

Using the form could be allowed only to authenticated users.
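Added example, not part of the thread or of the Via code base: a sketch of the gate proposed in the comment above, where a request is served if its referrer is one of the two trusted services, and otherwise only if an authenticated user saved the URL through the form. The hostnames `via.example` and `bouncer.example`, the `LinkGate` class and the in-memory dict standing in for the database are all assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed hostnames for the two trusted services (placeholders, not the project's real hosts).
TRUSTED_REFERRER_HOSTS = {"via.example", "bouncer.example"}


def normalize(url):
    """Canonical form used both when a link is saved and when it is looked up."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname drops userinfo and is lowercased
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("only absolute http(s) URLs can be proxied")
    if ":" in host:  # IPv6 literal: restore brackets so host and port stay unambiguous
        host = f"[{host}]"
    if parts.port and parts.port != {"http": 80, "https": 443}[parts.scheme]:
        host = f"{host}:{parts.port}"
    # Drop the fragment: it never reaches the server, so it must not affect matching.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def trusted_referrer(referrer):
    try:
        ref = urlsplit(referrer or "")
    except ValueError:
        return False
    # Exact host match over https; a substring check would accept via.example.evil.test.
    return ref.scheme == "https" and ref.hostname in TRUSTED_REFERRER_HOSTS


class LinkGate:
    def __init__(self):
        self._creator_by_url = {}  # stands in for the database of allowed URLs

    def create_link(self, url, user):
        """Called by the form handler; `user` is None when the request is unauthenticated."""
        if user is None:
            raise PermissionError("authentication required to create a link")
        key = normalize(url)
        self._creator_by_url[key] = user  # recording the creator keeps the link traceable
        return key

    def may_serve(self, url, referrer=None):
        try:
            key = normalize(url)
        except ValueError:
            return False
        return trusted_referrer(referrer) or key in self._creator_by_url
```

The Referer header is supplied by the client and can be stripped by a referrer policy, so the referrer branch only constrains links followed in a browser; the saved-URL lookup is the part the server controls.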

@seanh
Contributor

seanh commented Dec 18, 2020

An easier way to do this might be to only allow Via links to pages that have at least one annotation in the h DB (a question that's conveniently answerable by h's badge endpoint). That way, in order to generate a new Via link, you need to sign up for a Hypothesis account, verify your email, and create an annotation on the page.

Unauthenticated users trying to follow a Via link to an unannotated page could be presented with a page along the lines of example.com hasn't been annotated yet. Be the first! [Sign up] [Log in] (and Via would not proxy example.com at all until the user is logged in or the page has an annotation).

After all, we don't really need to allow unauthenticated users to proxy unannotated pages through Via, do we?

@lyzadanger
Contributor Author

@seanh Your idea is quite intriguing.

> After all, we don't really need to allow unauthenticated users to proxy unannotated pages through Via, do we?

I think there might be a chicken and egg situation here in which a user (who maybe isn't using the extension, e.g.) wants to be able to annotate a page in the first place. That is: the use case in which Via is providing the actual annotation mechanism for someone...

@seanh
Contributor

seanh commented Dec 18, 2020

> I think there might be a chicken and egg situation here in which a user (who maybe isn't using the extension, e.g.) wants to be able to annotate a page in the first place

I think the suggestion actually improves this situation. Given an unauthenticated user going to an unannotated page in Via:

  • Currently on master the user will be presented with the page, plus a thin grey line down the right hand side which they may not even notice or understand what it is. If they do notice the bucket bar they can click on it to open the sidebar. The sidebar will instruct them to create an annotation by selecting text and clicking annotate. If they do that, they will get an error message because they aren't logged in, and their work of selecting the text and clicking annotate is lost. They can now click sign up or log in.

  • With the suggested change: instead of the proxied page the user will be presented with a replacement page saying something to the effect of "example.com hasn't been annotated yet. Be the first! Sign up Log in." So they're immediately presented with what they actually need to do (sign up or log in) and once they've done that the page can change so that they can annotate.

I'd say that's a significant improvement to the experience of an unauthenticated user trying to annotate an as-yet unannotated page in Via, even regardless of the security benefits.

jon-betts changed the title from "Way out there idea: Require authentication to create Via links" to "Require authentication to create Via links" Jan 5, 2021
@jon-betts
Contributor

This is probably less important as a result of the idea of allow listing, which serves as a first line of defence. We should revisit this once we've done that.

@seanh
Contributor

seanh commented Jan 14, 2021

I'm gonna close this issue as I think the decision to move public Via to an allow-list changes this fundamentally. I've opened another issue that's sort of a remix of this idea in the context of an allow-list: Allow authenticated users to bypass the allow-list

@seanh
Contributor

seanh commented Jan 14, 2021

Also added another new issue that tries to capture @lyzadanger's original idea here a bit better, in the context of an allow-list: Allow certain users to create "blessed" Via links that bypass the allow-list
