Isso comment privacy update

So the reason for my recent mini-rantle was that I found a hidden API in isso that would have made it pretty easy for folks to trivially scrape every comment on my website, including ones on private entries.

Fortunately the fix was really simple and it’s what I have deployed on my site right now.

But this brings up another issue, in that isso hasn’t had a proper release in quite a long time, so doing a pip-style installation (including poetry or pipenv) isn’t particularly a great process. So, here’s how I converted my installation to use a local build:

  1. In my site files directory, I checked out the isso source (it has to be a subdirectory because of Poetry things I don’t understand the justification of) and pointed it to my fix branch

  2. Build the JavaScript, which is the most annoying part of all this:

    cd isso
    npm install requirejs uglify-js jade bower
    PATH="$PATH:$PWD/node_modules/.bin" make init js

  3. Go back into the site files directory and run poetry remove isso werkzeug && poetry add ./isso (the werkzeug dependency was there to pin the version, because one of the many problems with the old release is that it doesn’t work with the current version of werkzeug, which has been fixed in isso for ages now)

  4. Restart my isso instance

And now comments still seem to be working, while individual comment fetches are now a 403, as they should be (but edits still work). As a bonus, a bunch of other bugfixes are now present (like, now code blocks get formatted correctly).

Anyway. isso is still a pretty decent comment system, but the lack of release frequency combined with the design being increasingly at odds with what I need from one still has me thinking about finally just building my own. There are so many other things I’d rather be working on, though.

If I do build my own comment system, I will probably start out by making it Publ-specific, with an eye towards eventually making it more generically usable in other Flask apps. From an API standpoint it’d be useful to be able to use whatever signin system the containing app has (e.g. Authl) and also use whatever fun bonus features it provides (e.g. display names, profiles, etc.), and also letting people set their commenter profiles or whatever. It’d at least help to build a sense of community, which is something sorely lacking in most comment systems these days.

On the other hand I’m very tempted to make a Publ-specific comment system which just works by turning comments into entries which get attached to other entries (similar to how comic transcripts work), but that opens up a whole other can of worms that I don’t really want to think about right now.
