NodeJS version: https://peertube.video/ and https://peertube.social/
What is the expected behaviour?
After I create an account, I’m redirected to the main page again. I then need to manually click "Log in" again. My details are prefilled into the form by the browser and I need to manually click the button to log in there too.
After creating an account, it would be nice to simply be logged in automatically. This makes for a much more streamlined UX (we do the same in Nextcloud for example). Or is there any specific reason not to?
In this case I would like to see an option which will set that behavior.
For security reasons, I'd prefer that credentials are not prefilled after the registration at all.
What are your security objections to implementing auto sign in after sign up, and consider that such a feature does not involve any "prefilling" of credentials, only that the server returns an auth token along with the successful registration request instead. I actually think for a number of reasons auto-sign-in after sign up is actually slightly more secure.
When the user registers himself, for example in an Internet café, and just after installation he has to go away - will he leave an unknown computer with his account logged in?
I don't think it's secure.
At least I don't want this solution on my server.
@KRtekTM ehm … the problem is that currently it’s not secure either. Cause in your case someone else could at the moment already simply go to the computer, click »log in« and the fields would be prefilled.
Automatic log in would at least make it very obvious that you are logged in, and then you can log out if you don’t want to.
As I said, I'd prefer that credentials are not prefilled at all. Why does it behave like that?
That’s standard browser behavior. Nothing to do with Peertube.
No, that's not standard browser behavior :D you should check your computer for malware.
As I said, prefilling credentials is a security risk. I can't imagine that the authors of any service (web browser, web application) would prefill such sensitive data into a non-encrypted channel (as the input form in the browser is).
I tried the registration on some PeerTube instance using Waterfox 56.2.1 (64bit) and no credentials are prefilled at all (not even the username). Only in the username field can you see what strings were submitted, so my username was there too - this can be solved by registering via the browser's private tab.
So please DO NOTHING about this issue.
PeerTube is working correctly and there is no need to change it unless you want to make your instance less secure. In that case I suppose you should block all registration on your server, because it will prevent many, many, many problems in the future.
From now on, this ticket is complete nonsense for me.
Let's separate two things here. For one, browsers like Chrome, Firefox, Edge, oh, pretty much all of them do provide the ability to remember your password for future visits.
And PeerTube's current behavior is to drop the user back to a non logged in state after signup.
The second thing is this feature. It's perfectly possible for PeerTube's server to return an auth token along with a successful response to a sign up request. After the sign up occurs the user is immediately logged in. That would not require "prefilling" any passwords. The contention is that someone may inadvertently leave themselves logged in on a shared computer, but I contend that the first thing almost all users would do is to log in on that machine after signing in, in which case inhibiting that would not solve any problems.
Yes, modern browsers can store your credentials, but only if you allowed it. Then it makes sense to auto-log in the user.
But are you able to check on the server side that the user stored their password in the browser? I think not.
So for me the conclusion is: if this feature (auto-login) is introduced in the future, I hope that it will be an opt-in feature and that it will be possible to disable it in the administration area.
If you meant an auto-login feature where the user checks a checkbox with "keep me signed in for two weeks" or something, I don't want this option on my instance either, because you'll need to keep some info in the browser (like a cookie).
And cookie usage in the European Union needs to be notified to the user by some bars etc., which I don't want to have on my website.
PeerTube already uses localStorage to store the auth token for the current user. Local storage is no different from cookies in the eyes of GDPR. There is no way to have a logged in user without a cookie.
I think you misunderstand. The browser autofilling behavior is completely and totally separate from this feature.
This feature merely saves the user the extra step of retyping the credentials they just set up.
With email verification of https://github.com/Chocobozzz/PeerTube/issues/718, I don't think we will be able to automatically log in users after registrations.
I presume requiring email confirmation would be an option. When the option is off, autologin on signup could work.
~~I don't think it will be an option. Options increase the work (write the code, manual tests, unit tests etc.) and in this particular situation I don't think it would be very useful (email confirmation is important for notifications, recovering our password etc.).~~
EDIT: I changed my mind, it needs to be an option because not all administrators configure their email system.
OK fair enough, we can at least make it a smooth process to sign up, confirm, and be signed up. So perhaps the heart of the matter is signing the user in automatically after they've confirmed their email.
:+1: