FITstagram

I created a small LQIP (low-quality image placeholder) script on https://vitapavlik.cz/fekt_mapa/

Phase 1: ~60 kB of resources are loaded
Phase 2: ~250 kB of resources are loaded
Phase 3: ~8000 kB of resources are loaded

The middle step could be omitted for people with fast internet, but oh well.

Aditionally, I converted all images to webp (previously it was ~12 MB of jpgs and pngs).

Now the page will be usable for people with slow connection. And because that site, just like FITstagram, allows both HTTP/2 and HTTP/3, there is no head-of-line blocking and people with fast connection will likely notice no difference 😎

FITstagram allows you to login with QR code.

The way this works is you scan the code with your phone and open the contained link in your phone's browser, where you're logged in. You then click "yes" and bam, you're logged in on the other machine.

Issues:
When I tested this, aiming my Samsung camera app at the QR code and tapping "open in browser" made it seem I was not logged in even though I was... The solution was to instead tap "copy link" and paste that into the browser. Then it worked as expected. This may be a security feature, I don't know.

How does this work?
The login page opens a websocket and waits for the server's response. Once you scan the QR code and confirm the login, server responds to that new device that the login was confirmed.

Fun fact: this is FITstagram's first use of websockets.

🚬

From now on, you can search on FITstagram.

Search returns posts for which the search query is contained in either the post name, descriptions or the comments.

Right now, only a table with the post names is returned. But you can preview the image when hovering over the post name.

Unfortunately, mobile users cannot use this preview functionality yet.

Newest posts are on top.

FITstagram now supports passkeys!

Features:
- Unlimited number of passkeys
- You can name each passkey
- For each passkey, you can allow it for passwordless sign-in (otherwise it's just an alternative to TOTP-based 2FA)

Limitations:
- Unlike TOTP, passkey 2nd factor isn't required for a password change. If you don't have TOTP-based two-factor authentication, then someone could hijack your session and change your password without a second factor, even if you have a passkey.
- You cannot have a passkey for optional paswordless sign-in (if you have passkeys in your account, you're always going to need a second factor to log in: either TOTP or one of the passkeys).

These limitations are the reason why only users with TOTP two-factor authentication can create passkeys.

Picture by Freepik: https://www.freepik.com/free-vector/3d-cartoon-style-bunch-keys-icon-white-background-realistic-modern-keys-new-apartment-house-hotel-room-ring-flat-vector-illustration-entrance-security-property-concept_42331751.htm

https://vitapavlik.cz/hiddenfiles/fitstagram-admin-pgp-key-declaration-2025-08-14.pdf

In this file, I declare that the PGP key I currently use to sign pictures on FITstagram is mine.

This file is signed with my other, more trustworthy identity. It carries a certificate issued to me by the Czech PostSignum authority. According to the European regulation eIDAS, it has the equivalent legal effect as a handwritten signature.

Verify the signature by opening the file in an apropriate pdf viewer (for example Microsoft Edge or Adobe Acrobat). Alternatively, use https://verifysignature.eu/

More information on Qualified Electronic Signatures (QES): https://en.wikipedia.org/wiki/Qualified_electronic_signature