Password protect links

Hey, I am self-hosting, I would like a bit more opsec here. Is there an easy way to set a random password on links I share or tie view permissions to account(s) or email domains?

I would also love to have an admin view of people/IPs that are hitting links/recordings, I am seeing view numbers that are way too high for stuff only shared with 1 other person.

Hey @gcs8 :wave:

I plan to update the recording visibility options to something like this:

  • public - listed, anyone can view
  • unlisted - only those who you share the link with can view (this is what today is called “secret”)
  • private - only the author can access - requires login

This would lay out the foundation for more granular control like sharing with specific users or people whose email matches a domain. This granular control is not something that people requested often for asciinema.org so not at the top of my priority list, but I like the idea and I can see how useful it would be for self-hosted setups.

Regarding view of people/IPs that are hitting the recordings: the server doesn’t collect this information. It uses a simple counter + a cookie (so the same viewer/browser is counted once in a 24h window). I’m not sure if I’d like to start tracking this more aggressively… I’m an “if you don’t absolutely need it then don’t collect” guy :slight_smile: Right now your best option would likely be to aggregate view stats from web server logs (Caddy, or whichever you deployed in front of asciinema server).
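The log aggregation suggested in the reply above, sketched as an added example (not part of the original post and not asciinema or Caddy project code). It assumes Caddy's JSON access-log format with `request.uri`, `request.remote_ip` or `request.client_ip`, and `status` fields, and recording URLs of the form `/a/<id>`; the sample lines and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Caddy's JSON access log (not real traffic).
SAMPLE_LOG = [
    '{"ts":1700000000.0,"request":{"remote_ip":"203.0.113.10","method":"GET","uri":"/a/abc123","headers":{"User-Agent":["Mozilla/5.0"]}},"status":200}',
    '{"ts":1700000005.0,"request":{"remote_ip":"203.0.113.10","method":"GET","uri":"/a/abc123.cast","headers":{"User-Agent":["Mozilla/5.0"]}},"status":200}',
    '{"ts":1700000060.0,"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/a/abc123?t=5","headers":{"User-Agent":["ExampleChatPreview/1.0"]}},"status":200}',
    '{"ts":1700000090.0,"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/a/zzz999","headers":{}},"status":404}',
    '{"ts":1700000100.0,"request":{"remote_ip":"192.0.2.44","method":"GET","uri":"/about","headers":{}},"status":200}',
    'caddy restarted (constructed non-JSON line)',
]

def viewers_by_recording(lines, prefix="/a/"):
    """Return {recording_id: {client_ip: {"hits": int, "agents": set}}}."""
    stats = defaultdict(dict)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip startup messages and truncated lines
        req = entry.get("request") if isinstance(entry, dict) else None
        if not isinstance(req, dict) or req.get("method") != "GET":
            continue
        path = str(req.get("uri", "")).split("?", 1)[0]
        # /a/abc123, /a/abc123.cast and /a/abc123/iframe all map to "abc123"
        rec_id = path[len(prefix):].split("/", 1)[0].split(".", 1)[0] if path.startswith(prefix) else ""
        if not rec_id or entry.get("status") not in range(200, 300):
            continue  # not a recording URL, or the request did not succeed
        # client_ip reflects trusted_proxies on newer Caddy; fall back to remote_ip
        ip = req.get("client_ip") or req.get("remote_ip") or "unknown"
        agents = (req.get("headers") or {}).get("User-Agent") or ["-"]
        seen = stats[rec_id].setdefault(ip, {"hits": 0, "agents": set()})
        seen["hits"] += 1  # counts requests, not de-duplicated views
        seen["agents"].update(agents)
    return dict(stats)

def unexpected_viewers(stats, expected_ips):
    """Per recording, the client IPs that are not in the expected set."""
    extra = {rec: sorted(set(ips) - set(expected_ips)) for rec, ips in stats.items()}
    return {rec: ips for rec, ips in extra.items() if ips}

if __name__ == "__main__":
    stats = viewers_by_recording(SAMPLE_LOG)
    for rec, ips in unexpected_viewers(stats, {"203.0.113.10"}).items():
        for ip in ips:
            print(rec, ip, stats[rec][ip]["hits"], sorted(stats[rec][ip]["agents"]))
```

The recorded User-Agent values help separate link-preview fetchers in chat and mail clients from browser views before deciding what to block.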

Hey @ku1ik , thanks for the reply.

I am a bit of a data nut, so more is better, just with a dial of how much you want, lol. For me, the ext ip/cookie/session is part of OpSec, if I am seeing 30+ views on a link I only shared with 1 person, I want to know WTF, then I can just add blocking to the WAF/Firewall as needed. I would be fine if it was admin only as a global view and object touched that was just kept in /tmp or piped out via syslog so I can ingest it with Splunk.

As far as the auth for an unlisted or private cast, I can totally live with just a randomly generated 8+ pass just as a challenge/response to validate that it is a human who should have access and not the 9001 bots that are in every site/chat client/email nowadays.

Also, as long as I am thinking about it, maybe for the self-hosters, add an option besides true/false to “SIGN_UP_DISABLED=” that is “curated” or something, guess it would make more sense to have a new env var that is something like “SIGN_UP_MODE=Moderated” or something that an admin can approve or reject?