Password protect links

Hey, I am self-hosting, I would like a bit more opsec here. Is there an easy way to set a random password on links I share or tie view permissions to account(s) or email domains?

I would also love to have an admin view of people/IPs that are hitting links/recordings, I am seeing view numbers that are way too high for stuff only shared with 1 other person.

Hey @gcs8 :wave:

I plan to update the recording visibility options to something like this:

  • public - listed, anyone can view
  • unlisted - only those who you share the link with can view (this is what today is called “secret”)
  • private - only the author can access - requires login

This would lay out the foundation for more granular control like sharing with specific users or people whose email matches a domain. This granular control is not something that people requested often for so not at the top of my priority list, but I like the idea and I can see how useful it would be for self-hosted setups.

Regarding view of people/IPs that are hitting the recordings: the server doesn’t collect this information. It uses a simple counter + a cookie (so the same viewer/browser is counted once in a 24h window). I’m not sure if I’d like to start tracking this more aggressively… I’m a “if you don’t absolutely need it then don’t collect” guy :slight_smile: Right now your best option would likely be to aggregate view stats from a web server logs (Caddy, or whichever you deployed in from of asciinema server).

Hey @ku1ik , thanks for the reply.

I am a bit of a data nut, so more is better, just with a dial of how much you want, lol. For me, the ext ip/cookie/session is part of OpSec, if I am seeing 30+ views on a link I only shared with 1 person, I want to know WTF, then I can just add blocking to the WAF/Firewall as needed. I would be fine if it was admin only as a global view and object touched that was just kept in /tmp or piped out via syslog so I can injust it with Splunk.

As far as the auth for an unlisted or private cast, I can totally live with just a randomly generated 8+ pass just as a challenge/response to validate that it is a human who should have access and not the 9001 bots that are in every site/chat client/email now a day.

Also, as long as I am thinking about it, maybe for the self-hosters, add an option besides true/false to “SIGN_UP_DISABLED=” that is “curated” or something, guess it would make more sense to have a new env var that is something like “SIGN_UP_MODE=Moderated” or something that an admin can approve or reject?

View count is currently saved in the database, so if you have easy access to this database you can run a query like this to get top 10 watched recordings:

select id, secret_token, views_count from asciicasts where views_count > 10 order by views_count desc limit 10;

I guess we could have a simple admin page with a table showing this. Is this something you were thinking about?

I like how Mastodon does it with regards to sign up configuration: Signing up for an account - Mastodon documentation - open, invitation, or approval-based.

So, I fixed some of the odd view issues with Cloudflare and just hard-core blocking AWS, bots, and some other random things, but I would still want a layer beyond you just need the link if I have something that is a bit more sensitive.

I think others might like a top 10 stats thing, but, for me, I would want to be able to track down abuse issues, for example, someone flooding hundreds or thousands of uploads or views.

I think I am down with the open / invitation / approval-based account creation, think thats an easy thumbs up.

We now have 3 level visibility control on

User settings:

Recording settings:

The previous “secret” is now called “unlisted”, and there’s new “private” level, which is only accessible to the recording owner (must be logged in).

This should give a better control than before.