protected
protected is a type of account or post that requires at least signing in to view, and typically only allows a specific set of people to view (like friends-only posts) and possibly interact with.
Use Cases
Partial Page Privacy
During IndieWebCamp Online 2014, the question was raised of how to indicate that some or all of a page was not for public consumption.
The use case for this came up during Ben Roberts's review of his contact page, which displays additional contacts to logged-in users. The question was raised of how you would tell a logged-in user that you did not want them to share contacts which were not public, as many sites and systems would log in automatically.
The proposed solution was to mark up the information appropriately. Possible parameters might include:
- For Eyes Only - Indicating that the information should not be distributed
- For Specified Group - Indicating some group it may be shared with
- The Absence of such markup would suggest public information
Public Page Upgrading
On 2015-09-15 it was discussed on IRC how to indicate the availability of possible private content for authenticated users on an otherwise public page.
It was suggested to respond with a "WWW-Authenticate" header, like the one used in private-webmention, to indicate the upgrade possibility:
WWW-Authenticate: IndieAuth
It was also discussed that the response could include a unique URL as a rel-self to enable realtime Pubsubhubbub updates on said content.
This would enable block mechanisms based on, e.g., block lists to advertise some blocked items publicly and additional ones privately to certain trusted users, and to have changes propagate in realtime to all clients, such as Webmention endpoints, that might have use for such data, e.g. to block mentions from being shown.
It can also be used to upgrade a public h-feed with private posts when subscribing to it in a reader.
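A sketch of the upgrade behaviour described above for a feed URL, added here as an example and not taken from any of the implementations on this page. The post data, the function names and the caching headers are assumptions; identity is assumed to have been verified by IndieAuth before this code runs.

```python
from urllib.parse import urlsplit

# Constructed sample feed. "audience" is None for public posts, otherwise the
# set of domains allowed to see the post.
POSTS = [
    {"id": "note-1", "audience": None},
    {"id": "note-2", "audience": {"alice.example"}},
    {"id": "note-3", "audience": {"alice.example", "bob.example"}},
]


def domain_of(me):
    """Reduce a profile URL to its host (urlsplit lowercases it), or None."""
    return urlsplit(me).hostname


def render_feed(posts, me=None):
    """Return (status, headers, visible_post_ids) for one request to the feed.

    `me` is the already-verified profile URL of the signed-in user, or None
    for an anonymous request. This function does not verify identity itself.
    """
    viewer = domain_of(me) if me else None
    visible = [
        p["id"] for p in posts
        if p["audience"] is None or (viewer is not None and viewer in p["audience"])
    ]
    # One URL now has per-viewer bodies, so caches must key on the credentials.
    headers = {"Vary": "Authorization, Cookie"}
    if viewer is None:
        # Sent on every anonymous response, whether or not anything is hidden,
        # so the header itself does not reveal that private posts exist.
        headers["WWW-Authenticate"] = "IndieAuth"
        headers["Cache-Control"] = "public, max-age=300"
    else:
        # Personalised bodies must never be stored by a shared cache.
        headers["Cache-Control"] = "private, no-store"
    return 200, headers, visible
```
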
Sharing only with approved followers
The ability to share posts only with approved followers (instead of publicly viewable) is a common silo feature, either as an aspect of a private account, or sometimes as part of sharing to "friends only".
Such posts are sometimes also called a "follower-only post" or a "follower-only message".
Sharing With Fewer Friends
There are many times when you may want to share something, like something vulnerable, with only a few friends, a small subset of your "friends" on any particular social media or other service.
Thoughts from (unattributed) private (but not person-specific) messages of specific examples of such times, some ambiguities added:
Where does one go / post when one feels lost or in need of connection or understanding?
...
Where do you post when your significant other breaks up with you and you're friends with them and their friends too on every social network?
...
Where do you go for support for a problem you're having with someone else in your friend group? Especially when we're so interlinked.
...
We're so interlinked superficially. Linked yet feeling disconnected.
...
In public or even friends only posts we are compelled to put on an air of invulnerability, of strength, of bouncing back from anything for fear that if we don't we won't seem attractive to others we may be dating or want to date. Or to get a job or funded or whatever we are seeking approval for.
Should you even use the indieweb / web for this?
How could private posts be better than a simple group txt message where you add the people you want to share, then share?
Or are those the same thing with just different UIs?
Would it be a goal of this use-case to replace group txt messages?
Examples
Kyle Mahan
Red Wind has rudimentary support for protected posts based on a simple list of the domains of people authorized to view a private post. The posts are viewable only if the IndieAuthed user is in the audience list.
Example note from Kyle Mahan's site:
Aaron Parecki
p3k (v1) has support for protected posts by specifying a list of the domains of people authorized to view a private post. To view the post, the user must identify themselves with IndieAuth by signing in to the site. After signing in, a session cookie is set which identifies the user.
Ben Roberts
postly has support for protected posts as of 2015-11-30, more data forthcoming.
Becky Stern
Becky Stern supports protected posts on her site with an "Unlock with Patreon" login wall as of 2019-06-01. These allow her to post backers-only content for her Patreon on her personal site, rather than locking the content to patreon.com. This feature is provided by an official Patreon Connect plugin for WordPress.
- Example post from 2019-06-01
Eddie Hinkle
Eddie Hinkle supports protected posts on his site as of 2019-06-16.
- Posts with Protected visibility only appear if a user is authenticated, but they are unrestricted beyond that.
- Example: Protected Post Example
- Posts with Private visibility only appear if a user is authenticated AND they are in the audience list
- Example: Private Post with Audience Example
- If you want access to the above post for testing purposes, reach out to me in chat
- Currently Eddie supports authentication with his website through IndieAuth
- Other forms of authentication Eddie is working on:
- AutoAuth
- Email Magic Link
- Twitter Login
fluffy
Publ has support for protected posts as of 2019-07-13, using Authl as the authentication broker. This supports both IndieWeb and silo users (via Twitter, Mastodon), as well as login-by-email.
Users can be put into hierarchical groups, and posts can have their visibility made based on groups and individuals. See entry auth and user/group configuration for more information.
Publ also now (as of 2020-08-14) provides a mechanism for retrieving a bearer token to provide to a feed reader; this can be seen on fluffy's site, although at present no known feed readers support this (but it is tested working in cURL, at least).
Past Examples
gRegor Morrill
gRegor Morrill previously added basic support for making a page protected as of 2016-09-27, as part of work on private Webmentions. This never really went beyond an experiment and I eventually removed the support for it.
- https://gregorlove.com/2016/09/this-is-a-test-private/
- Returns HTTP 401 Unauthorized
- Returns WWW-Authenticate: Bearer header
- Returns Link: header for token endpoint, for authentication
- See my private webmention notes for more details
TODO:
- uid for slug so no private information is leaked through the slug
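The per-post access decision that the examples above describe (an audience list of domains, protected versus private visibility, a 401 challenge with a token endpoint link, and an opaque slug), written as an added example and not the code of any site listed here. The token endpoint URL is a placeholder, and the 403 for a signed-in user outside the audience is an assumption.

```python
import secrets

TOKEN_ENDPOINT = "https://example.com/token"  # placeholder URL (assumption)


def new_slug():
    """Random, opaque slug so the URL reveals nothing about a non-public post."""
    return secrets.token_urlsafe(9)  # 9 random bytes -> 12 URL-safe characters


def decide(post, viewer=None):
    """Return (status, headers) for a request to one post.

    viewer: domain of a signed-in user whose identity was already verified
    (for example by IndieAuth), or None for an anonymous request.
    post["visibility"]: "public", "protected" (any signed-in user) or
    "private" (signed in and listed in post["audience"]).
    """
    visibility = post.get("visibility")
    if visibility == "public":
        return 200, {}
    if viewer is None:
        # Challenge the client: Bearer scheme plus a Link header that tells it
        # where to obtain a token.
        return 401, {
            "WWW-Authenticate": "Bearer",
            "Link": f'<{TOKEN_ENDPOINT}>; rel="token_endpoint"',
            "Cache-Control": "no-store",
        }
    allowed = visibility == "protected" or (
        visibility == "private" and viewer in post.get("audience", ())
    )
    if allowed:
        return 200, {"Cache-Control": "private, no-store"}
    # Signed in but not authorized. 403 is an assumption; the page does not say
    # what to return here. Missing or unknown visibility values also end up
    # here, so a typo in post metadata fails closed.
    return 403, {"Cache-Control": "no-store"}


# Constructed sample posts.
PROTECTED = {"slug": new_slug(), "visibility": "protected"}
PRIVATE = {"slug": new_slug(), "visibility": "private", "audience": {"alice.example"}}
```
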
See Also
- Silo Example: https://twitter.com/falcontest is a "protected" Twitter account and it says "These Tweets are protected / Only approved followers can see @falcontest's Tweets. To request access, click Follow. Learn more"
- ^ "Learn more" links to About public and protected Tweets, which despite the "protected tweets" framing, is really about protected vs. public accounts, since flipping that setting affects all your tweets at once.
- private <- this needs to be refactored and the "protected" aspects of the private page need to be extracted and moved to here (protected page)