Skip to content

auth.md

Latest commit

 

History

History
86 lines (54 loc) · 2.81 KB

auth.md

File metadata and controls

86 lines (54 loc) · 2.81 KB

Authentication Guide

HackerNews requires authentication for write operations (upvote, comment, submit). Read operations (listing stories, searching, viewing profiles) work without auth.

Login with Username and Password

The simplest way to authenticate:

postcli-hn auth login

You will be prompted for your HN username and password. The password is not echoed to the terminal.

To skip the interactive prompts:

postcli-hn auth login -u myuser -p mypassword

On success, the session cookie is stored and you are ready to use write operations.

Manual Cookie Setup

If you prefer not to enter your password, you can paste a session cookie directly from your browser:

  1. Open news.ycombinator.com and log in
  2. Open browser DevTools (F12 or Cmd+Shift+I)
  3. Go to Application > Cookies > https://news.ycombinator.com
  4. Find the cookie named user and copy its value
  5. Run:
postcli-hn auth setup

Paste the cookie value when prompted. The tool validates it before saving.

How Cookies Work

HackerNews uses a single cookie named user for authentication. The value is a string in the format username&hash where hash is a server-generated session token.

PostCLI stores this cookie and sends it with web requests to news.ycombinator.com. The public Firebase API (used for read operations) does not require any authentication.

Verifying Your Connection

postcli-hn auth test

This fetches the HN front page with your stored cookie and checks if your username appears on the page. If authenticated, it prints your username. Otherwise, it reports read-only mode.

Logging Out

postcli-hn auth logout

This removes the HN_COOKIE line from ~/.config/postcli/.env. It does not invalidate the cookie on HN's server.

Storage and Security

Credentials are stored at:

~/.config/postcli/.env

The file is created with 0600 permissions (owner-only read/write). The cookie is stored as an environment variable:

HN_COOKIE=username&sessionhash

The config directory is created with 0700 permissions if it does not exist.

Recommendations

  • Do not share your .env file or commit it to version control
  • If you suspect your cookie has been compromised, change your HN password to invalidate all sessions
  • The cookie expires when HN's server decides to invalidate it (typically after a long period of inactivity or a password change)
  • Consider using auth login over auth setup since it validates credentials server-side before storing

Read-Only Mode

If no cookie is configured, PostCLI operates in read-only mode. All read commands work normally (stories, comments, search, user profiles). Write operations (upvote, comment, submit) will fail with a clear error message asking you to run postcli-hn auth login.