Moin Vaxry and whom it might concern =)
First of all: congratulations on going live!
Some feedback:
- Looks are cool around here.
- It took me quite some attempts to register. There’s next to no feedback about why it’s failing - figuring out that a username must be at least 3 characters long was the first hurdle (I basically just noticed the register button becoming enabled when everything was filled in and the username was long enough).
- Not sure, but I think the answer to that “captcha” is case sensitive? If so, that’s a horrible idea, especially when some answers are just yes/no… or Yes/No? Apart from that, just as a hint from someone who dealt with this stuff for a long time: it’s always easier to let bots prove they’re bots than it is to get humans to prove they’re human. I’d remove that awful captcha and replace it with some honeypots, session validation and maybe a proof of work.
- When registration fails, the captcha should be reloaded automatically - that the user needs to refresh the whole page manually and start over is very unusual and feels cumbersome. JavaScript might be ugly, but it’s very easy to reload parts of the DOM with it.
- The password drove me crazy. My standard passwords are at least 53 characters long and easily get to 70 characters and more - but there seems to be some limit on the length, which is only indicated by a red “invalid password” after the form has been submitted. I had no idea if it contained invalid characters or if it was the length (turned out to be this) or maybe it wasn’t complex enough? If you impose rules, please also do state them. Thanks!
On the topic of passwords I’ve got a question:
The limitation on the password’s length got me thinking. Are you storing passwords in plain text/string/varchar? Because only then would a password’s length be relevant due to a possible field length limitation.
In general, the length of the password and the characters it contains should be absolutely irrelevant, because you should never store a user’s password anyway. The least you should do is hash the password and then store that hash. Also add a random salt, append it to the password and hash that, then store hash and salt in the db. On login you use the same method to salt+hash and forget about the password the user entered - only match the username and hash against your stored values.
So that’s my few cents. I’ll look around a bit and get a feeling for what’s up around here. Maybe I’ll even convert my monthly Ko-fi donation into a subscription. But as I don’t really need dotfiles, it’s kinda up to you what you would prefer. I’d like to get the most of my donation into your pocket, and IIRC I’ve read something about personal donations not being taxed while your subscriptions go through some company-esque shit and get taxed? Hence I feel Ko-fi donations yield more? Let me know.
Wish you the best of luck with your projects, and may you never have to worry about spending coin on shit you need (or just want)!
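As an added example that is not part of the post above: the salt-and-hash scheme the post describes, written in Python. It uses scrypt from the standard library (a slow, salted key-derivation function) in place of the plain hash the post mentions, so the stored record is a fixed-size salt plus digest regardless of password length; the work factors and the in-memory USERS dict are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# scrypt work factors: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DIGEST_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per user on registration."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # The digest is always DIGEST_LEN bytes, whether the password is 8 or 80 chars,
    # so the database column never needs to limit password length.
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# Constructed stand-in for the accounts table: username -> (salt, digest).
# The plaintext password is never stored anywhere.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    return verify_password(password, *record)
```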