So, a “Private project” is a project only members of the project can see. So if I had a private project, and added my friends Bob and Billy, they will be able to edit the project. If you look at your user data, you will see what projects you own and which you are a member of. So if I was invited to a private project or a public project, it would show where in the database the projects you are in are stored and show that project. I have honestly never really used the API much. Only for things such as adding people via a bot but that is it. Unless you add a robots.txt file, it will not show up in the web. Also, if your project is private, only members of the project can use search to find the projects. It will not show if the person searching is not a member. I hope I answered all your questions!
Okay that worked, I could see your projects and the code for instance. I joined Glitch and set two projects to “private code” and they no longer show up. So now it is limited to someone guessing the url of the website.
I’m not paranoid but there is a database there and a stranger could opt to just mess with it. OAuth isn’t really warranted but I can control it now so thanks.
As for the “private” setting. I assume that means a person has to be logged in and operating the website from Glitch?
Appreciate the follow-up. The DB is however operated via an API so there is nothing Glitch people could do. I wasn’t suggesting someone could maliciously delete the file but anyone can use GET and POST per the documentation page.
If a project is marked as private the docs infer that the site can not be accessed except by people granted that access. So my question has always been what mechanism is used to determine that someone accessing an API has been granted access?
Possibly the URL isn’t visible unless one is logged in or perhaps the site just isn’t running until someone logged in actually starts it. I could test things but there must be some documentation.
When an unauthenticated user tries to visit the project site, they get a page that is equivalent to what they’d get in the “project not found” case. In both cases, there’s a “log in” button. That takes them through a procedure where they log in with their Glitch account and eventually the procedure sets a cookie on the project’s subdomain. Then Glitch checks for that cookie in a step before it forwards the request to your app. So indeed their access to the site is controlled by their Glitch account and their account’s membership in a private project.
If you need to access a private site as an API, you’ll need to devise a way to get this cookie set up in the API client.
For private projects, Glitch does not publicly list them, and in some places Glitch tries to make ‘private projects that you are not a member of’ indistinguishable from ‘project does not exist.’ Only project members have them in their “You’re a member” section in their dashboards. But again, there are access controls in place even if the URL isn’t secret.
The information above describes what I believe to be the security goals of the private project system. But there might be implementation problems.
As for the other comments in this thread, here’s why there are factual discrepancies:
Thanks everyone, I think I understand it now. I’ll have to see if I can get cookies working on the client app (that isn’t under my control). Introducing a similar mechanism while leaving the site public wouldn’t be difficult which for this project should be good enough.