Password protect links

Hey, I am self-hosting, I would like a bit more opsec here. Is there an easy way to set a random password on links I share or tie view permissions to account(s) or email domains?

I would also love to have an admin view of people/IPs that are hitting links/recordings, I am seeing view numbers that are way too high for stuff only shared with 1 other person.

Hey @gcs8 :wave:

I plan to update the recording visibility options to something like this:

  • public - listed, anyone can view
  • unlisted - only those who you share the link with can view (this is what today is called “secret”)
  • private - only the author can access - requires login

This would lay out the foundation for more granular control like sharing with specific users or people whose email matches a domain. This granular control is not something that people requested often for asciinema.org so not at the top of my priority list, but I like the idea and I can see how useful it would be for self-hosted setups.

Regarding view of people/IPs that are hitting the recordings: the server doesn’t collect this information. It uses a simple counter + a cookie (so the same viewer/browser is counted once in a 24h window). I’m not sure if I’d like to start tracking this more aggressively… I’m a “if you don’t absolutely need it then don’t collect” guy :slight_smile: Right now your best option would likely be to aggregate view stats from web server logs (Caddy, or whichever you deployed in front of asciinema server).
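
An added example, not part of the original thread or asciinema's code: one way to do the web-server-log aggregation suggested above, assuming Caddy writes JSON access logs and recordings are served under `/a/<token>`. The sample lines are constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Assumption: recordings are served under /a/<id-or-token>, optionally followed
# by an extension such as .cast. Adjust the pattern to your deployment.
RECORDING_PATH = re.compile(r"^/a/([A-Za-z0-9]+)")

# Constructed sample lines in Caddy's JSON access-log shape (documentation IPs).
SAMPLE_LOG = [
    '{"request":{"client_ip":"192.0.2.10","uri":"/a/abc123XYZ"},"status":200}',
    '{"request":{"client_ip":"192.0.2.10","uri":"/a/abc123XYZ.cast"},"status":200}',
    '{"request":{"remote_ip":"198.51.100.7","uri":"/a/abc123XYZ"},"status":200}',
    '{"request":{"client_ip":"203.0.113.50","uri":"/a/abc123XYZ"},"status":200}',
    '{"request":{"client_ip":"192.0.2.10","uri":"/a/def456"},"status":200}',
    '{"request":{"client_ip":"203.0.113.50","uri":"/a/zzz999"},"status":404}',
    '{"request":{"client_ip":"203.0.113.50","uri":"/explore"},"status":200}',
    'not json: truncated write',
]

def viewers_by_recording(log_lines):
    """Return {token: {client_ip: hits}} for successful recording requests."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines
        req = entry.get("request") if isinstance(entry, dict) else None
        if not isinstance(req, dict) or entry.get("status") != 200:
            continue
        match = RECORDING_PATH.match(req.get("uri") or "")
        if not match:
            continue
        # client_ip reflects trusted_proxies when set; remote_ip is the socket peer
        ip = req.get("client_ip") or req.get("remote_ip") or "unknown"
        hits[match.group(1)][ip] += 1
    return {token: dict(ips) for token, ips in hits.items()}

def flag_recordings(hits, max_distinct_ips):
    """List (token, distinct_ip_count) above the threshold, busiest first."""
    flagged = [(t, len(ips)) for t, ips in hits.items() if len(ips) > max_distinct_ips]
    return sorted(flagged, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    per_recording = viewers_by_recording(SAMPLE_LOG)
    for token, count in flag_recordings(per_recording, max_distinct_ips=2):
        print(token, count, sorted(per_recording[token]))
```

Behind a CDN or reverse proxy, `remote_ip` is the proxy's address, so the per-viewer breakdown is only meaningful when Caddy is configured to trust that proxy and `client_ip` is populated.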

Hey @ku1ik , thanks for the reply.

I am a bit of a data nut, so more is better, just with a dial of how much you want, lol. For me, the ext ip/cookie/session is part of OpSec, if I am seeing 30+ views on a link I only shared with 1 person, I want to know WTF, then I can just add blocking to the WAF/Firewall as needed. I would be fine if it was admin only as a global view and object touched that was just kept in /tmp or piped out via syslog so I can ingest it with Splunk.

As far as the auth for an unlisted or private cast, I can totally live with just a randomly generated 8+ pass just as a challenge/response to validate that it is a human who should have access and not the 9001 bots that are in every site/chat client/email nowadays.

Also, as long as I am thinking about it, maybe for the self-hosters, add an option besides true/false to “SIGN_UP_DISABLED=” that is “curated” or something, guess it would make more sense to have a new env var that is something like “SIGN_UP_MODE=Moderated” or something that an admin can approve or reject?

View count is currently saved in the database, so if you have easy access to this database you can run a query like this to get top 10 watched recordings:

select id, secret_token, views_count from asciicasts where views_count > 10 order by views_count desc limit 10;

I guess we could have a simple admin page with a table showing this. Is this something you were thinking about?

I like how Mastodon does it with regards to sign up configuration: Signing up for an account - Mastodon documentation - open, invitation, or approval-based.

So, I fixed some of the odd view issues with Cloudflare and just hard-core blocking AWS, bots, and some other random things, but I would still want a layer beyond you just need the link if I have something that is a bit more sensitive.

I think others might like a top 10 stats thing, but, for me, I would want to be able to track down abuse issues, for example, someone flooding hundreds or thousands of uploads or views.

I think I am down with the open / invitation / approval-based account creation, think that's an easy thumbs up.

We now have 3-level visibility control on asciinema.org:

User settings:

Recording settings:

The previous “secret” is now called “unlisted”, and there’s a new “private” level, which is only accessible to the recording owner (must be logged in).

This should give better control than before.