Updates to FITstagram



admin UPDATE: QR code login

FITstagram allows you to log in with a QR code.

The way this works is you scan the code with your phone and open the contained link in your phone's browser, where you're logged in. You then click "yes" and bam, you're logged in on the other machine.

Issues:
When I tested this, aiming my Samsung camera app at the QR code and tapping "open in browser" made it seem I was not logged in even though I was... The solution was to instead tap "copy link" and paste that into the browser. Then it worked as expected. This may be a security feature, I don't know.

How does this work?
The login page opens a websocket and waits for the server's response. Once you scan the QR code and confirm the login, the server responds to the new device that the login was confirmed.

Fun fact: this is FITstagram's first use of websockets.
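
The flow described in this post, sketched as an added example (not FITstagram's own code): the server-side bookkeeping behind the websocket, with a short-lived, single-use token carried in the QR link. `QrLoginBroker`, `TOKEN_TTL` and the 120-second lifetime are assumptions.

```python
import secrets
import time

TOKEN_TTL = 120  # seconds a QR code stays valid (assumed value)


class QrLoginBroker:
    """Tracks pending QR logins (hypothetical helper, not FITstagram's code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> {"expires": float, "user": str or None}

    def start(self):
        """Login page opened its websocket: mint the token that goes into the QR link."""
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of randomness
        self._pending[token] = {"expires": self._clock() + TOKEN_TTL, "user": None}
        return token

    def _live(self, token):
        """Return the entry for a known, unexpired token, else None."""
        entry = self._pending.get(token)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._pending[token]
            return None
        return entry

    def confirm(self, token, phone_session_user):
        """Phone clicked "yes". Only an authenticated session may confirm, and only once."""
        entry = self._live(token)
        if entry is None or phone_session_user is None or entry["user"] is not None:
            return False
        entry["user"] = phone_session_user
        return True

    def claim(self, token):
        """Websocket side: returns the confirmed user exactly once, then forgets the token."""
        entry = self._live(token)
        if entry is None or entry["user"] is None:
            return None
        del self._pending[token]
        return entry["user"]
```

The websocket handler would call `claim` for its own token until it returns a user or the token expires, and only then issue a session cookie for the waiting machine.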


admin UPDATE: search

From now on, you can search on FITstagram.

Search returns posts for which the search query is contained in the post name, the description or the comments.

Right now, only a table with the post names is returned. But you can preview the image when hovering over the post name.

Unfortunately, mobile users cannot use this preview functionality yet.

Newest posts are on top.


admin Now search also returns posts for which tags match.

admin Now search also returns posts where the image text content matches.

admin Update: passkeys

FITstagram now supports passkeys!

Features:
- Unlimited number of passkeys
- You can name each passkey
- For each passkey, you can allow it for passwordless sign-in (otherwise it's just an alternative to TOTP-based 2FA)

Limitations:
- Unlike TOTP, passkey 2nd factor isn't required for a password change. If you don't have TOTP-based two-factor authentication, then someone could hijack your session and change your password without a second factor, even if you have a passkey.
- You cannot have a passkey for optional passwordless sign-in (if you have passkeys in your account, you're always going to need a second factor to log in: either TOTP or one of the passkeys).

These limitations are the reason why only users with TOTP two-factor authentication can create passkeys.

Picture by Freepik: https://www.freepik.com/free-vector/3d-cartoon-style-bunch-keys-icon-white-background-realistic-modern-keys-new-apartment-house-hotel-room-ring-flat-vector-illustration-entrance-security-property-concept_42331751.htm


admin Note: All of the passkeys are required to be "resident" passkeys. This improves usability and reliability; however, it comes with limitations. For example, it means that YubiKeys can apparently only be used via USB, not NFC.

admin UPDATE: HTTP/3 (QUIC)

FITstagram was configured to allow HTTP/3. Not only that, it advertises the HTTP/3 capability with an Alt-Svc header. This is what's called Application Layer Protocol Negotiation (ALPN). This means that the browser first accesses the site via HTTP/1.1 or HTTP/2, but after that, the follow-up resources are accessed via HTTP/3. Upon reload, the whole site is accessed via HTTP/3.

FITstagram's Alt-Svc header can be seen here https://iis.vitapavlik.cz/p/9849f4b689324304b286924cab056961

Alt-Svc header on MDN docs https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Alt-Svc

ALPN on MDN docs https://developer.mozilla.org/en-US/docs/Glossary/ALPN
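
An added example (not part of the original post): parsing an Alt-Svc value, following the header syntax in RFC 7838, to see which protocol IDs, ports and cache lifetimes a server advertises. The sample header is constructed, not FITstagram's actual value, and the function names are assumptions.

```python
import re

# One alternative: protocol-id="authority" followed by optional ;name=value parameters.
_ENTRY = re.compile(r'^([^\s=;,"]+)="([^"]*)"(.*)$')

# Constructed sample value, in the shape servers commonly send for HTTP/3.
SAMPLE = 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000'


def parse_alt_svc(value):
    """Return one dict per advertised alternative: protocol, host, port, max_age."""
    value = value.strip()
    if value == "clear":  # server asks clients to forget cached alternatives
        return []
    entries = []
    for raw in value.split(","):
        m = _ENTRY.match(raw.strip())
        if m is None:
            continue  # ignore malformed alternatives
        protocol, authority, params = m.groups()
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        entry = {
            "protocol": protocol,   # an ALPN protocol ID such as h3 or h2
            "host": host or None,   # None means "same host as the origin"
            "port": int(port),
            "max_age": 86400,       # RFC 7838 default when ma is absent: 24 hours
        }
        for param in params.split(";"):
            name, _, val = param.strip().partition("=")
            if name == "ma" and val.isdigit():
                entry["max_age"] = int(val)
        entries.append(entry)
    return entries


def advertises_h3(value):
    """True if any alternative in the header uses the final HTTP/3 protocol ID."""
    return any(e["protocol"] == "h3" for e in parse_alt_svc(value))
```

Because clients cache the advertisement for `max_age` seconds, a value sent by mistake keeps steering browsers to the alternative port until it expires or the server sends `clear`.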


admin UPDATE: IPv6

FITstagram recently moved to a new cloud provider with IPv6 connectivity. Therefore it is now IPv6 enabled 🎉

Notice the remote address in the screenshot is an IPv6 address.


admin You can also notice the Alt-Svc header. This is also a recent addition. More on that here https://iis.vitapavlik.cz/p/a8e701cff9eb47219defdbc8047de6d4

admin UPDATE: digital signatures


From now on, you can add PGP public keys in your account settings.

https://iis.vitapavlik.cz/usersettings


After adding your public key (in account settings), you'll be able to sign your own posts.


What you're actually signing is a short piece of text that looks something like this:

I, admin, hereby sign xxx.jpg with hash XXX.


How to create a PGP key pair using gpg:

- gpg --full-generate-key

- go through the interactive prompt

- after that, the key pair is stored in your gpg key ring

- look at the fingerprint of your key using gpg --list-keys

- export ascii-armored public key using gpg --export --armor FINGERPRINT


Notes:

- as of now, signatures cannot be removed

- you can only sign your own posts

- you can only add one signature to a post (using any of your keys)

- removing a key in your account settings removes all the signatures made with that key (all posts signed with that key will appear unsigned again)

- the website will prepare a command to create a signature using a specific key (the gpg -u option), and it chooses the first key it finds in the db. For this reason it is beneficial to upload only one key (this is yet to be improved)


Picture: Maximilianovich on Pixabay
https://pixabay.com/photos/man-sign-paper-write-document-5710164/


admin Now you can view individual user's public keys (https://iis.vitapavlik.cz/u/admin/keys ) and all the public keys of all the users (https://iis.vitapavlik.cz/keys )
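
An added example, not FITstagram's code: once gpg has verified the signature on the statement shown in the post above, a checker still has to confirm that the signed text names the post's owner, its filename and the hash of the actual image bytes, otherwise a valid signature for one file could be attached to another. SHA-256 hex, the username character set and the function names are assumptions (the post only says "hash XXX"); the sample image bytes are constructed.

```python
import hashlib
import re

# Wording taken from the post; a 64-hex-digit SHA-256 digest is an assumption.
STATEMENT_RE = re.compile(
    r"I, (?P<user>[A-Za-z0-9_.-]+), hereby sign (?P<file>[^/\\\s]+) "
    r"with hash (?P<digest>[0-9a-f]{64})\."
)

# Constructed stand-in for an uploaded picture.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0 constructed sample image bytes \xff\xd9"


def build_statement(user, filename, image_bytes):
    """Text the user would sign with gpg for this picture."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    return f"I, {user}, hereby sign {filename} with hash {digest}."


def statement_matches(statement, post_owner, filename, image_bytes):
    """True only if the (already signature-verified) text binds this owner,
    this filename and exactly these image bytes."""
    m = STATEMENT_RE.fullmatch(statement.strip())
    if m is None:
        return False  # extra text or a different wording is rejected outright
    expected = hashlib.sha256(image_bytes).hexdigest()
    return (
        m["user"] == post_owner
        and m["file"] == filename
        and m["digest"] == expected
    )
```

The hash must be computed over the bytes that are actually served, so on a site that recompresses uploads the statement has to refer to one fixed version of the file.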

admin UPDATE: picture dimensions + filesizes

File size information was moved under the picture + picture dimension information was added.

When you upload a picture to FITstagram, the server tries to compress it, sometimes converting between image formats when doing so.

You can find out the original file size and format (and the compression ratio) when you hover over the file size (sorry mobile users you have no way of doing that).

But actually you do: https://www.view-page-source.com/

Original file size information is only available to pictures uploaded after 25. 11. 2024 04:51:53 EET. Until then pictures weren't compressed automatically.


admin This is especially interesting when you paste your desktop printscreens from clipboard, because those are barely compressed, if at all, as is the case with this post.

admin UPDATE: improved 2FA

You can no longer set up 2FA without entering a code, so nobody should lose access to their account anymore (which has so far happened to one of 3 people, but that's still a task success rate of 66 %, not bad eh? 😄)

Also, when you log in, there is no longer a field for the 2FA code; if you have 2FA set up, you get an extra page with a separate form instead :kalm:


admin damn, I hope I didn't break it

admin UPDATE: copy description button

There is now a button that copies the picture's description to the clipboard when you click it.


admin UPDATE: see post's likers on hover

Now you just hover over the number showing the like count and you'll see who liked it.