This is my initial idea on how we go about maintaining the anonymity of our users
1. user creates a post successfully

```
{
  "post_details": "this app sux",
  "email": "user1@email.com"
}
```

in the API, we generate a UUID for the user

```
// the user
{
  "friendly_id": "pink-palaka",
  "uuid": "UUID-1A-ZUCKHERBIRD",
  "email": "hashed-user1@email.com",
  "is_verified": false
}
// the post
{
  "post_details": "this app sux",
  "email": "user1@email.com",
  "posted_by": "UUID-1A-ZUCKHERBIRD"
}
```

NOTE: we then send back and store the UUID somewhere, like COOKIES for WEB
2. user clicks the verification link

if the user enters an e-mail, we send him a link to verify (own) the e-mail

if the user verifies the e-mail

```
// the user
{
  "friendly_id": "pink-palaka",
  "uuid": "1A-ZUCKHERBIRD",
  "email": "hashed-user1@email.com",
  "is_verified": true
}
```

3. for succeeding posts
we just match the UUID and hashed-email to a verified user
NOTE: at this point, we don't have any stored e-mail address, just a hash.
For added security
we can opt to send a verification link to the user for any new Post.
email message:
Verify this post
Further reading
Wikipedia
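
The flow described in this issue, as an added example that is not part of the original issue or the project's code. Assumptions: the e-mail is hashed with HMAC-SHA256 under a server-side key (the issue does not name a hash function), `UserStore` and its method names are hypothetical, `friendly_id` is omitted, and the stored post keeps only `posted_by` so that no plaintext address persists.

```python
import hashlib
import hmac
import secrets
import uuid

# Assumption: a server-side secret; the issue does not say how the e-mail is hashed.
SERVER_KEY = secrets.token_bytes(32)

def hash_email(email, key=SERVER_KEY):
    """Keyed hash of the normalized address. An unkeyed hash of an e-mail
    can be reversed by hashing candidate addresses and comparing."""
    normalized = email.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()

class UserStore:
    """Hypothetical in-memory store; a real API would use its database."""

    def __init__(self):
        self.users = {}    # uuid -> user record, no plaintext e-mail
        self.pending = {}  # verification token -> uuid

    def create_post(self, post_details, email, user_uuid=None):
        """Steps 1 and 3: the first post creates the user; later posts
        match the cookie UUID plus hashed e-mail to the stored record."""
        email_hash = hash_email(email)
        user = self.users.get(user_uuid)
        if user is None or not hmac.compare_digest(user["email"], email_hash):
            user_uuid = str(uuid.uuid4())
            user = {"uuid": user_uuid, "email": email_hash, "is_verified": False}
            self.users[user_uuid] = user
        token = None
        if not user["is_verified"]:
            token = secrets.token_urlsafe(32)  # placed in the e-mailed link
            self.pending[token] = user_uuid
        post = {"post_details": post_details, "posted_by": user_uuid}
        return post, user_uuid, token

    def verify(self, token):
        """Step 2: the user clicks the verification link (single use)."""
        user_uuid = self.pending.pop(token, None)
        if user_uuid is None:
            return False
        self.users[user_uuid]["is_verified"] = True
        return True
```
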