
Anonymous comments - [Feature request]

Open marlluslustosa opened this issue 4 years ago • 3 comments

Is it possible to add anonymous comments functionality? My idea was to create some device in the application to add an account on github already created just to make anonymous comments.

This would also work for readers who do not have a github account. So, the frontend application would have a field for name, one for email and one for comment, so, when clicking on comment, this anonymous account would write in the body of the issue comment the name, email and respective comment.

One issue I consider is the security of the password for this anonymous account. So, I think I would solve this problem by creating a Personal Access Token with minimal permissions, like commenting on issues.

What do you think?

marlluslustosa avatar Jun 11 '21 16:06 marlluslustosa

I think it's a great idea, but there is an issue about that. Maybe I will fork and make some changes. I got an idea from another repo, which is shown below.

I have seen an update based on this idea used in gitalk. The repo that implements the idea is gitalk-new. Its method is to save the accessToken in the file; when a visitor wants to comment, the comment is sent to the designated servers, the server finishes the comment's creation and returns to the front end. Here is how it can be done:

Create a new GitHub account for anonymous comments

Get a personal access token

Account–>Settings–>Developer settings–>Personal access tokens–>Generate new token

You must select the repo and user options in Scope. The app finally gets the access token, and we will save it on the server.

Post Message for anonymous comments

When you set the anonymous_api, if a user clicks on the button for anonymous comment, it will send a POST request to anonymous_api.

Url: anonymous_api

Method: POST

Content-type: application/x-www-form-urlencoded  // prevent the preflight request because of the cross site 

Body: postUrl=issueUrl&content=comment

Authentication Request message

When people click to sign in, it will switch to this website:

http://oauthapi.com?origin=window.location.href

If it is successfully authenticated, it will return to the blog page with the parameter access_token, which will be stored in localStorage and immediately deleted from the URL.

This is how it works in gitalk-new. May it help the build of utterances.

dingiso avatar Jun 13 '21 10:06 dingiso

Both the user logged into github and anonymous (through a bot) manage to open issues, so there is the problem of spam (as reported here) in both cases.

To solve this, a possible solution to alleviate and let the task be automated is to create a workflow (github actions) so that it will look for specific keywords in the comment and will mark (or even remove it) automatically. This workflow would be triggered every time a comment appears in the repository (issue.comment).

Another solution would be to pass a github user and a PAT (Personal Access Token) in the frontend to the bot to comment anonymously using an account created by the user. This would reduce the liability issue of the official utterance bot.

Another solution to reduce the chances of the bot creating messages without moderation would be like this: every time the reader wanted to comment anonymously, by checking in a checkbox or simply clicking on a "send anonymously" button, the utterance bot would create a comment as encrypted text followed by a tag, then a workflow that would be looking at new issues would trigger in the repository, which would look for the tag and decrypt the text at runtime. Then, the workflow would use a PAT of a user configured in the repository and create a comment (then enter the aforementioned spam analysis) based on the encrypted text and remove the official comment from the bot. Encrypted text would reduce the risk of the bot being reported as abuse, even if the user did not create the workflow file.

To prevent a user from making multiple comments (flood), something like a captcha + IP/cookie session based timer per post would reduce the effect of this problem.

I'm trying my hardest to think of something to stick to existing levels of infrastructure, trying to take advantage of the utterance service itself.

Using another backend server (as here) for this would be out of scope, after all, if I have a server available, better use https://commento.io, no?

marlluslustosa avatar Jun 13 '21 17:06 marlluslustosa
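
Added example (not code from gitalk-new, utterances or anyone in this thread): a server-side handler for the `postUrl`/`content` request described above, combined with the per-client timer suggested in the previous comment. `ALLOWED_REPO`, the limits, the function names and the assumption that `postUrl` is the issue's github.com page URL are hypothetical.

```javascript
// Added example, not code from gitalk-new or utterances.
// Assumptions: ALLOWED_REPO, MAX_LEN, MIN_INTERVAL_MS and both function names are
// hypothetical; postUrl is taken to be the issue's https://github.com/... page URL.
const ALLOWED_REPO = 'example-owner/example-blog'; // constructed placeholder
const MAX_LEN = 2000;
const MIN_INTERVAL_MS = 60000;
const lastPost = new Map(); // client key (IP or session cookie) -> time of last accepted post

// Accept only an issue URL inside the one configured repository.
function parseIssueNumber(postUrl) {
  let u;
  try { u = new URL(postUrl); } catch { return null; }
  if (u.protocol !== 'https:' || u.hostname !== 'github.com' || u.port) return null;
  const m = /^\/([^/]+\/[^/]+)\/issues\/([1-9]\d{0,9})\/?$/.exec(u.pathname);
  if (!m || m[1].toLowerCase() !== ALLOWED_REPO.toLowerCase()) return null;
  return Number(m[2]);
}

// Turn one form-encoded body into a rejection or the GitHub API call the server should make.
function handleAnonymousComment(rawBody, clientKey, token, now = Date.now()) {
  const form = new URLSearchParams(rawBody);
  const issue = parseIssueNumber(form.get('postUrl') || '');
  if (issue === null) return { status: 400, error: 'postUrl is outside the configured repo' };
  const content = (form.get('content') || '').trim();
  if (!content || content.length > MAX_LEN) return { status: 400, error: 'empty or oversized comment' };
  const prev = lastPost.get(clientKey);
  if (prev !== undefined && now - prev < MIN_INTERVAL_MS) return { status: 429, error: 'slow down' };
  lastPost.set(clientKey, now);
  return {
    status: 200,
    request: { // the token is added here, on the server, and never reaches the browser
      method: 'POST',
      url: `https://api.github.com/repos/${ALLOWED_REPO}/issues/${issue}/comments`,
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' },
      body: JSON.stringify({ body: content }),
    },
  };
}

// Constructed sample in the request format from the thread.
const sample = 'postUrl=' + encodeURIComponent('https://github.com/example-owner/example-blog/issues/7') + '&content=Nice+post';
console.log(handleAnonymousComment(sample, '203.0.113.5', 'PLACEHOLDER_TOKEN', 0));
```

The returned `request` object is what the server would pass to its HTTP client; the URL is rebuilt from `ALLOWED_REPO` rather than copied from the visitor's input.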

@dingiso I found the repository of the backend code of the user you quoted. https://github.com/xingty/gitalk-anonmously-comment

marlluslustosa avatar Jun 15 '21 17:06 marlluslustosa