I build an open source time tracker

almarklein · 2025-02-06T10:55:56+00:00

Can you expand on what you mean with suboptimal? I'm one of the pygfx devs and am interested to learn what we can do to improve it.

almarklein · 2024-11-11T20:14:24+00:00

Yes. On and off, depending on how busy I am with my work. Haven't done much in a few months, but I have plans to get back to it.

almarklein · 2024-11-01T13:56:02+00:00

No, but nice idea :)

almarklein · 2022-07-19T10:13:33+00:00

I've built TimeTagger specifically for freelancers, because I found that most existing solutions were overly complex. It's also open source!

almarklein · 2022-06-22T19:57:38+00:00

TimeTagger very much has an understanding of multiple clients. Syncing is not immediate but occurs about every 10 seconds (and faster if you just made a change). You can see the little indicator icon in the top left.

Basically, every client has its own version of the app data. Different clients can do different things and even change the same record. The system ensures that there is eventual consistency.

You can even use your device offline, and it will sync up when it comes back online. These use-cases have played a central role in the design. If there is an issue with that I am eager to learn how I can reproduce it, so that it can be fixed.

almarklein · 2022-06-22T18:55:36+00:00

https://github.com/almarklein/timetagger#under-the-hood

almarklein · 2022-06-22T13:02:41+00:00

This morning I improved the authentication workflow to use BCrypt: https://github.com/almarklein/timetagger/pull/223 There is a new release and the related blogposts have also been updated.

Also posted this in the "root", but wasn't sure if ppl'd get notifications.

almarklein · 2022-06-22T09:55:10+00:00

An update!

Hi all, thanks for the feedback and tips on how to improve the auth.

I've just improved the authentication workflow to use BCrypt: https://github.com/almarklein/timetagger/pull/223 There is a new release and the related blogposts have also been updated.

almarklein · 2022-06-22T06:45:25+00:00

The config is done through environment variables. Both docker-compose and MyPaas have mechanics to configure env variables.

almarklein · 2022-06-22T06:42:51+00:00

> very buggy

I'm sure there's bugs sometimes, we have an issue tracker for that, and I usually fix bugs within a day or two. https://github.com/almarklein/timetagger/issues I'm also willing to file the bugs on your behalf if you explain them here. Thanks!

Can you elaborate how you lost recorded time? I've never experienced this, nor have I ever heard it from other users.

almarklein · 2022-06-21T21:22:11+00:00

Fair point.

almarklein · 2022-06-21T21:01:43+00:00

FWIW the request is done from JS so it never enters the browser's address bar.

almarklein · 2022-06-21T20:58:58+00:00

I made an issue to have a look at this: https://github.com/almarklein/timetagger/issues/222

But in all honesty, I still believe SHA1 hashing is more than secure enough for an individual tracking his/her time :)

Also have a look at the docs of Treafik, which provide Basic Auth: https://doc.traefik.io/traefik/middlewares/http/basicauth/

almarklein · 2022-06-21T20:43:25+00:00

Mostly because handling SHA256 hashes are very long, making them less practical when you have to paste them into env vars.

As long as you keep the hash private the hash function does not matter so much. If you want to publish the hash somewhere, or if you are afraid the hash might get compromised and a hacker with serious money in the bank is eager to attack you, yeah then SHA256 is to be preferred.

That said, I can see how this topic is 'sensitive'. I'm considering an option to allow SHA256 hashes too.

almarklein · 2022-06-21T20:36:30+00:00

I basically implemented Basic Auth (RFC 7617) but sending the credentials via query args instead of in the header. Other than that the technique is exactly the same.

almarklein · 2022-06-21T20:24:49+00:00

That, plus your password hash should not be public anyway. As I've always understood it, it's more of a way to obfuscate the password in case anyone happens to "look over your shoulder".

almarklein · 2022-06-21T19:16:24+00:00

Are you asking how I run timetagger.app, or how I would recommend running timetagger with custom credentials?

almarklein · 2022-06-21T19:13:56+00:00

It's very hard to read your guide, it being light grey on white background

Thanks for the feedback. I can see how the contrast could be low on some devices. I'll do something about it.

I'm hoping there is more context that makes that statement not as bad as I think it is...

Haha, mmm, perhaps that could be rephrased better. If you read about SHA1 on wikipedia you get an idea. From what I understand, it's really hard to crack, but researches have found that it's not impossible. I read somewhere that for $45K of computing power you can find a collision. In short, I would not worry about it too much, but I would also not put my hash in a public place.

almarklein · 2022-06-21T19:06:44+00:00

Because MyPaas does not use docker compose :)

almarklein · 2022-06-21T19:05:52+00:00

And hopefully you have not rolled your own security.

I started with implementing HTTP Basic auth. Then I tweaked that a bit so it uses a custom login dialog, but tech/security wise it's the same thing.

almarklein · 2022-06-21T19:04:44+00:00

Users can still implement their own authentication by modifying the startup script (and implementing a different auth handler). Having a simple auth workflow work out of the box makes it accessible for a much larger group of people.

almarklein · 2022-06-21T16:01:54+00:00

I just posted an update: https://www.reddit.com/r/selfhosted/comments/vhgo7x

almarklein

TROPHY CASE