Why a glitch login API is needed

So, I would like to start this by saying that the Glitch website is a fantastic website; however, the one place we keep having trouble is login.

Currently we do the following when a student tries to log in to glitch:

  1. Trigger API to get an anon token for requesting login email.
  2. Trigger login email to be sent to ${studentID}@domain.com
  3. All emails from any domain going to @domain.com forward to a single gmail address. (This has had issues before.)
    The following is server side:
  4. Repeatedly check gmail to see if email has come through.
  5. Get email. (This has been a problem, but due to the Gmail API changing behavior with the new email format.)
  6. Parse email.
  7. Provide student link to login. (Server to client)

Now obviously this takes some time to process, and sometimes doesn’t work due to parts of the chain simply breaking.

Our students do not have Google, Facebook, or GitHub accounts (or their own emails, private or public) so those options are out.

Regretfully we cannot set up our own mail server to receive the messages because port 25 is blocked. If it was not, the solution would be to use something like mailin to simply forward the messages to our express server.

In an ideal world this is what we would be hoping for:

  1. Secret is chosen, hashed, and posted as a txt record for the domain name.
    The following is server side:
  2. Get anon api token for api calls?
  3. Get login code using anon token and secret to endpoint.
  4. Forward login code to student. (Server to client)

Far less that can unexpectedly go wrong like this. From other forum topics it seems that we are not the only org that has issues with handling mass logins. I figured that this would be a good middle ground since it involves only one new API endpoint. (Secrets could be hashed with something like SHA3-512, which, while not the most secure, would suffice for educational settings, which is where this is most useful.)

I fully understand why this may be on the back burner; however, the class I teach is normally under 10 students, and when there is a problem in the chain I have problems getting students signed in. I can’t imagine that classes where you may have 20 or more students are any better. This feature would help a lot of teachers (in cases like mine, daily).
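The domain-verification step of the flow proposed in the post above, as an added example (not part of the original post, and not a Glitch API): the `login-verify=` TXT format, the function names and the sample addresses are hypothetical. Because a TXT record is publicly readable and SHA3-512 is a fast, unsalted hash, the secret here is generated randomly rather than picked by hand.

```python
import hashlib
import hmac
import secrets

TXT_PREFIX = "login-verify="  # hypothetical record format, not a Glitch convention


def new_secret() -> str:
    """Generate the secret with a CSPRNG: the TXT record is world-readable,
    so an unsalted fast hash only protects a high-entropy value."""
    return secrets.token_urlsafe(32)


def txt_value(secret: str) -> str:
    """Value the school publishes as a TXT record on its domain."""
    return TXT_PREFIX + hashlib.sha3_512(secret.encode()).hexdigest()


def domain_verified(txt_records: list, presented_secret: str) -> bool:
    """True if any TXT record carries the hash of the presented secret."""
    expected = txt_value(presented_secret).encode()
    ok = False
    for record in txt_records:
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(record.strip().encode(), expected)
    return ok


def may_issue_login_code(email: str, domain: str, txt_records: list,
                         presented_secret: str) -> bool:
    """Issue a code only for addresses directly under the verified domain."""
    local, sep, email_domain = email.rpartition("@")
    if not (local and sep) or email_domain.lower() != domain.lower():
        return False
    return domain_verified(txt_records, presented_secret)


# Constructed sample data. In a real service the records come from a DNS TXT
# lookup of `domain` done by the service itself, never supplied by the caller.
SECRET = new_secret()
RECORDS = ["v=spf1 -all", txt_value(SECRET)]

if __name__ == "__main__":
    print(may_issue_login_code("s1024@school.example", "school.example", RECORDS, SECRET))
    print(may_issue_login_code("s1024@other.example", "school.example", RECORDS, SECRET))
    print(may_issue_login_code("s1024@school.example", "school.example", RECORDS, "guess"))
```

The domain check matters as much as the hash check: without it, proving control of one domain would let the caller request login codes for addresses anywhere.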

So, your system is being a middleman, taking ownership of the login, rather than giving ownership to the student.

To me, this goes against the intent of the login system, of having people encouraged to learn by building something that is theirs.

Plus students controlled in this way miss out on access to the email support.

It also breaches the Terms of Service in the following ways:

3. Use of the Services
(f) interfere with, or disrupt or attempt to interfere with or disrupt, the access of any User, host or network,

5. Content and Intellectual Property Rights
Ownership: “You own your stuff, and we own our stuff.”
you retain ownership of all intellectual property rights in your User Content

Very unusual students, why are they so quarantined from the rest of the world? Given that there are many free email services available.

1 Like

I have a question, you’re doing all this just to log in to Glitch? And I agree with @mishavee, you are breaching the Terms of Service which could prevent you from using Glitch.

Seriously? It’s an educational setting, so why not let the students create at least a GitHub account which is educational and can be used for development, unlike a Google or Facebook account? I’m thirteen years old and at school, we used GitHub accounts linked with our emails and those who didn’t have a personal email, it would be at least linked to our parents’ account, but that is rare because which student doesn’t have at least an email, let alone Facebook or a Google account now?

1 Like

like, just let them create an account or email. or use gsuite

Back in August I ended up having a video call with a rep from Glitch and this was actually the recommended way of handling student logins. Have the student log in with an email. (Initially we had them copy-paste the email address, that became part of the button. Again, initially we would give login links verbally, however since we want students to be able to access stuff from home, we got an automated way of providing those links.)

I don’t think we are violating the terms of service? We are not forging any requests. (Honestly did try doing that before realizing that CORS among other things made that a lost cause) All requests to glitch are done in the student’s browser and (assuming glitch were reading the http headers) are from a non-glitch origin.

As far as setting up a GitHub account, that’s kinda like moving the goal-posts. Now the problem is getting them signed in to GitHub at the start of class, then into Glitch. (Which actually is worse than the current solution.) The entire point is to enable single sign on in educational functions. We do let students use their own email if they want to, no one does because most don’t have one. (I think we have a few that have their own emails, but they don’t use them because it’s too much hassle.)

None of the local schools provide G-Suite emails. (Shocked me to find that out) And no one has a Facebook account. It’s not that they can’t get emails for most, they just don’t care enough to get emails for most. (Same with Facebook I presume.)

Again, I can see why this might not get implemented. Only reason I even replied was regarding the TOS section, but I figured I could reply to the rest at the same time.

Thanks for the input though, it is greatly appreciated.

2 Likes

Thank you @jcc10 for providing the further details. If Glitch approve of the email method, then of course it’s okay :)

I still don’t like the idea of another system having control over users’ logins, it introduces the possibility of your system removing access for breach of your terms, or to clean up old logins, or the system being retired, where access should be decided by Glitch’s terms.

In my opinion, ideally this would be done with the same authentication (OAuth) method Glitch uses for facebook, github, etc. and your system would be registered with Glitch as a Service Provider.

The nice thing about this method is the access and permissions level is confirmed by the user, which avoids people creating fleets of bot accounts using a fully automated API.

This raises the usability issue of having your system show up as a sign in option for the thousands of users that won’t be using it … perhaps a workaround is to have a custom url for custom service providers, such as https://glitch.com/signin/educationrocks instead of just https://glitch.com/signin .

Edit - hmmm Glitch does depend on the OAuth service returning an email address, so OAuth doesn’t get rid of every issue.

Good luck!

1 Like