
Consider the idea of user/password or token key/secret based site saving

Open simonbaird opened this issue 4 years ago • 1 comment

TiddlyWiki supports encrypted passwords, and Tiddlyhost uses SSL, so the old user/password based method for saving sites is no longer as inherently insecure as it was on the old Tiddlyspot.com.

Perhaps it's worth bringing back a user/password based "save to web" mechanism that works even if you aren't logged in to Tiddlyhost.

Questions:

  • Should we continue to support the existing session based auth for saving sites as well as a separate user/password mechanism for saving?
  • Or, can we attempt a devise sign in with a given user/password right before the upload? (This would mean the user/pass required is the same as the user's sign-in credentials for Tiddlyhost itself, which might be okay.)
  • Do we let users pick their own username and password for each site?
  • Do we generate a token and secret?
  • Does the token and secret expire, or does it last forever?
  • What is the UX? Do users need to copy paste the password somewhere, or can we inject it automatically?
  • What is the UX if the password does expire? Do we ask users to login to create a new one? Is that too confusing?
  • Could we create a long lived unique token and secret when a site is fetched by a signed in user, or when a site is created?
  • What are the security implications?

Some of this was discussed on #55 in the context of how to replace a site with another TiddlyWiki by uploading it.

simonbaird avatar Mar 04 '21 03:03 simonbaird
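One way the "generate a token and secret" option could look, as an added sketch that is not Tiddlyhost's own code (the `SiteSaveKey` class, `issue_key` and `authorize_save` helpers are hypothetical names): the server shows the secret once, stores only its hash, compares it in constant time, and treats expiry as optional so the same code covers the long-lived and expiring variants from the questions above.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical per-site save credential (not Tiddlyhost's code).
# The token is a public identifier; the secret is high-entropy random data,
# so a plain SHA-256 digest is enough (no need for a slow password hash).
class SiteSaveKey
  attr_reader :token, :secret_digest, :expires_at

  def initialize(token:, secret_digest:, expires_at:)
    @token, @secret_digest, @expires_at = token, secret_digest, expires_at
  end

  # Returns [record, plain_secret]; the plain secret exists only here, at
  # creation time. ttl: nil means the key never expires (long-lived option).
  def self.generate(ttl: nil, now: Time.now)
    secret = SecureRandom.urlsafe_base64(32)
    record = new(token: SecureRandom.hex(8),
                 secret_digest: digest(secret),
                 expires_at: ttl && now + ttl)
    [record, secret]
  end

  def self.digest(secret)
    Digest::SHA256.hexdigest(secret)
  end

  # Length check plus XOR accumulate: runtime does not depend on where the
  # two strings first differ, so an attacker cannot time the comparison.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Valid only if not expired and the presented secret hashes to the stored digest.
  def valid?(presented_secret, now: Time.now)
    return false if expires_at && now >= expires_at
    self.class.secure_equal?(self.class.digest(presented_secret), secret_digest)
  end
end

KEYS = {} # stand-in for the database table: token => SiteSaveKey

def issue_key(ttl: nil, now: Time.now)
  record, secret = SiteSaveKey.generate(ttl: ttl, now: now)
  KEYS[record.token] = record
  [record.token, secret] # what the user is shown / what the wiki would inject
end

def authorize_save(token, secret, now: Time.now)
  record = KEYS[token]
  !record.nil? && record.valid?(secret, now: now)
end
```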

keep getting auto logged out not sure what the time out is ,... but it is too short for slow ppl :wink:

this

"save to web" mechanism that works even if you aren't logged in to Tiddlyhost.

but with user 'API key or similar mechanism' similar to what was mentioned @ https://github.com/simonbaird/tiddlyhost/issues/223

would save slow ppl from the auto logout time out

dubiouscript avatar Feb 12 '23 09:02 dubiouscript