When the docs say: * Private limits both your code and live site to project members
by what mechanism would Glitch determine who is a project member if their code is simply accessing the API?
And has anyone used this? Any feedback?
Oh… are project names discoverable and/or listed anywhere? I imagine they are somewhat hidden if they are oddly named.
Thanks.
So, a “Private project” is a project only members of the project can see. So if I had a private project, and added my friends Bob and Billy, they will be able to edit the project. If you look at your user data, you will see what projects you own and which you are a member of. So if I was invited to a private project or a public project, it would show where in the database the projects you are in are stored and show that project. I have honestly never really used the API much. Only for things such as adding people via a bot but that is it. Unless you add a robots.txt file, it will not show up in the web. Also, if your project is private, only members of the project can use search to find the projects. It will not show if the person searching is not a member. I hope I answered all your questions!
It helped but I’m not quite getting it.
Can I for instance find your public projects without knowing their names? Or for that matter can you find mine without my explicitly giving you the URL?
If I was to make it private (ignoring the code) would access to the running site be restricted? I don’t understand how a publicly accessible site and “members only” could work.
I got it… can you point me to a “public” example and a “private” example. I should be able to see the public one but not the private one correct?
Public projects are accessible by anyone. Private projects are not accessible on the web unless you are a member (that is optional) and the code is private.
Glitch does some backend work before your project gets the request.
If I go to your Glitch user page, https://glitch.com/@tleylan, then I see your public projects.
Public/Private in Glitch terms is about who can see the source code and make remixes, rather than who can access the URL of the site as a user.
Private projects can still be visited (as a user) by anyone on the internet. If you want to add access control to your application, that’s up to you, using known web mechanisms like OAuth.
Hope it helps 
Okay that worked, I could see your projects and the code for instance. I joined Glitch and set two projects to “private code” and they no longer show up. So now it is limited to someone guessing the url of the website.
I’m not paranoid but there is a database there and a stranger could opt to just mess with it. OAuth isn’t really warranted but I can control it now so thanks.
As for the “private” setting. I assume that mean a person has to be logged in and operating the website from Glitch?
Thanks.
Correct!
Odds of that happening are slim. Millions of websites use DBs and Glitch has people working around the clock to make sure that it is okay.
What do you mean by “Operating the website from Glitch”?
Appreciate the follow-up. The DB is however operated via an API so there is nothing Glitch people could do. I wasn’t suggesting someone could maliciously delete the file but anyone can use GET and POST per the documentation page.
If a project is marked as private the docs infer that the site can not be accessed except by people granted that access. So my question has always been what mechanism is used to determine that someone accessing an API has been granted access?
Possibly the URL isn’t visible unless one is logged in or perhaps the site just isn’t running until someone logged in actually starts it. I could test things but there must be some documentation.
Thanks.
If you set a project to private, all requests to the URL for that project (so even if someone finds the URL) required the user to be authorized (invited to the project)
You’ll notice if you go to a private project there is an error screen that asks you to log in, that allows us to validate that you’re a member of the project, before we expose it to the user.
Here’s this other set of answers:
When an unauthenticated user tries to visit the project site, they get a page that is equivalent to what they’d get in the “project not found” case. In both cases, there’s a “log in” button. That takes them through a procedure where they log in with their Glitch account and eventually the procedure sets a cookie on the project’s subdomain. Then Glitch checks for that cookie in a step before it forwards the request to your app. So indeed their access to the site is controlled by their Glitch account and their account’s membership in a private project.
If you need to access a private site as an API, you’ll need to devise a way to get this cookie set up in the API client.
For private projects, Glitch does not publicly list them, and in some places Glitch tries to make ‘private projects that you are not a member of’ indistinguishable from ‘project does not exist.’ Only project members have them in their “You’re a member” section in their dashboards. But again, there are access controls in place even if the URL isn’t secret.
These above information describes what I believe to be the security goals of the private project system. But there might be implementation problems.
As for the other comments in this thread, here’s why there are factual discrepancies:
That’s now outdated. The newest update https://glitch.happyfox.com/kb/article/57-omg-the-whole-world-can-see-my-project-s-code-can-i-make-it-private/ to private projects does control who can access the site as a user. You don’t have to set up OAuth yourself when you make a project private this way, although you don’t get the details of who the user is, only that they are an authorized project member.
Thanks everyone, I think I understand it now. I’ll have to see if I can get cookies working on the client app (that isn’t under my control). Introducing a similar mechanism while leaving the site public wouldn’t be difficult which for this project should be good enough.
My bad, thanks for the correction wh0
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.