Account

identity · entirely optional

Sign-in is optional. The site works perfectly without it. Signing in lets your votes and comments carry your name when you publish them, and keeps a single profile across pages. Nothing is shared with anyone until you publish it. All identity lives in this browser's localStorage; clear it any time.

Sign-in

Pick a provider. One click. Nothing else.

What we read: your name, email, and avatar from the provider. What we write: nothing — we only set localStorage["godding.identity"] on this device.

Setup — Google

The Google sign-in button is enabled out of the box once a Client ID is set in assets/auth-config.js. To wire your own:

  1. Open console.cloud.google.com/apis/credentials and create a new OAuth Client ID — type Web application.
  2. Under Authorized JavaScript origins, add the site's origin (e.g. https://dafdaf1234444.github.io) and http://localhost:8000 for local testing.
  3. Copy the Client ID.
  4. Paste it into google.clientId in assets/auth-config.js.
  5. Reload this page; the Google button activates.

OAuth Client IDs aren't secret — the security boundary is the list of authorised origins you configured in the console. Safe to commit publicly.

Setup — GitHub (optional)

GitHub's OAuth token endpoint blocks browser requests (no CORS), and the exchange requires the Client Secret, which must not ship in a static site, so a tiny worker is needed to do the code-for-token exchange:

  1. Register an OAuth App at github.com/settings/developers. Homepage URL: this site. Callback URL: your worker URL + /callback (set in step 3).
  2. Note the Client ID and create a Client Secret.
  3. Create a Cloudflare Worker (free tier is plenty). Set secrets GH_CLIENT_ID and GH_CLIENT_SECRET. Note the worker URL.
  4. Set the GitHub OAuth App's callback URL to <worker-url>/callback.
  5. Fill in github.clientId + github.workerUrl in assets/auth-config.js.
  6. Reload; the GitHub button activates.
Cloudflare Worker template (30 lines)
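// godding-auth Worker — exchanges GitHub OAuth code for a token,
// fetches the user, and redirects back to /pages/account.html
// with a base64 user blob in the URL hash.
// Set secrets: GH_CLIENT_ID, GH_CLIENT_SECRET
// Bound route: https://YOUR.workers.dev/*
const DEFAULT_BACK = 'https://dafdaf1234444.github.io/godding/account/';
// Origins the worker may redirect to; add your own site's origin here.
const ALLOWED_ORIGINS = [new URL(DEFAULT_BACK).origin];
export default {
  async fetch(req, env) {
    const u = new URL(req.url);
    if (!u.pathname.endsWith('/callback')) return new Response('godding-auth', { status: 200 });
    const code = u.searchParams.get('code');
    if (!code) return new Response('missing code', { status: 400 });
    // state carries the return URL. Accept it only on an allowed origin;
    // otherwise the worker would send the user blob to any URL a link supplies.
    let back;
    try { back = new URL(u.searchParams.get('state') || DEFAULT_BACK); }
    catch { return new Response('bad state', { status: 400 }); }
    if (!ALLOWED_ORIGINS.includes(back.origin)) return new Response('bad state', { status: 400 });
    const tok = await fetch('https://github.com/login/oauth/access_token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
      body: JSON.stringify({ client_id: env.GH_CLIENT_ID, client_secret: env.GH_CLIENT_SECRET, code }),
    }).then(r => r.json());
    if (!tok.access_token) return new Response('token exchange failed', { status: 502 });
    const me = await fetch('https://api.github.com/user', {
      headers: { Authorization: 'Bearer ' + tok.access_token, 'User-Agent': 'godding-auth' },
    }).then(r => r.json());
    if (!me.id) return new Response('user lookup failed', { status: 502 });
    // btoa() throws on characters above U+00FF (e.g. in me.name), so \u-escape
    // non-ASCII first; JSON.parse(atob(...)) on the page still decodes it.
    const json = JSON.stringify({ id: me.id, login: me.login, name: me.name, email: me.email, avatar_url: me.avatar_url })
      .replace(/[\u0080-\uffff]/g, c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
    const blob = btoa(json);
    back.hash = 'gh_user=' + blob;
    return Response.redirect(back.toString(), 302);
  },
};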

No worker yet? Skip this — Google sign-in is the primary path. The GitHub button stays disabled until configured.
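
The worker hands the profile back in a #gh_user= fragment, and any crafted link can carry the same fragment, so the account page has to treat it as untrusted input before writing localStorage["godding.identity"]. One way to validate it, as an added example that is not godding's own code; parseGithubHash, the avatar host and the login pattern are assumptions:

```javascript
// Added example, not godding's code. Anyone can craft a link ending in
// #gh_user=..., so the fragment is validated field by field.
const AVATAR_HOST = 'avatars.githubusercontent.com'; // assumption: GitHub's avatar host
// Assumption: GitHub logins are 1-39 chars, alphanumeric or '-', no edge hyphens.
const LOGIN_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/;

const isOptionalText = (v, max) => v === null || (typeof v === 'string' && v.length <= max);

function isGithubAvatar(v) {
  if (v === null) return true;
  if (typeof v !== 'string') return false;
  try {
    const u = new URL(v);
    return u.protocol === 'https:' && u.hostname === AVATAR_HOST;
  } catch {
    return false; // not a URL at all
  }
}

// Returns a clean identity object, or null if the fragment is absent or invalid.
function parseGithubHash(hash) {
  const prefix = '#gh_user=';
  if (typeof hash !== 'string' || !hash.startsWith(prefix)) return null;
  let u;
  try {
    // Slice by hand: URLSearchParams would turn a base64 '+' into a space.
    u = JSON.parse(atob(hash.slice(prefix.length)));
  } catch {
    return null; // bad base64 or bad JSON
  }
  if (u === null || typeof u !== 'object') return null;
  if (!Number.isSafeInteger(u.id) || u.id <= 0) return null;
  if (typeof u.login !== 'string' || !LOGIN_RE.test(u.login)) return null;
  const name = u.name ?? null, email = u.email ?? null, avatar_url = u.avatar_url ?? null;
  if (!isOptionalText(name, 256) || !isOptionalText(email, 254)) return null;
  if (!isGithubAvatar(avatar_url)) return null;
  // Copy only the expected fields so extra keys never reach localStorage.
  return { id: u.id, login: u.login, name, email, avatar_url };
}

// Constructed sample, encoded the same way the worker template encodes it.
const sampleHash = (obj) => '#gh_user=' + btoa(JSON.stringify(obj));
const demo = parseGithubHash(sampleHash({
  id: 42, login: 'octo-dev', name: 'Octo Dev', email: null,
  avatar_url: 'https://avatars.githubusercontent.com/u/42?v=4', role: 'admin',
}));
console.log(demo);
```

After a successful parse the page can also drop the fragment with history.replaceState so the blob does not stay in the address bar or browser history.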

Privacy notes

  • godding doesn't set any cookies. The only place your identity lives is localStorage["godding.identity"] on this device.
  • Signing out clears that key. Sign-in providers may keep their own session — sign out from Google or GitHub to fully end those.
  • Your votes never leave the device until you click "react publicly on github" on a vote-box. Once you do, the resulting issue is public.
  • Nothing is collected by godding's servers — godding has no servers, it's a static site.