Show HN: Markdown HN profiles at {user}.at.hn (at.hn)

459 points by padolsey ↗ HN
Very opportunistic toy project as I saw the domain was up for grabs: 'at.hn' is a little site where people can have their own subdomains for whatever their HN username is (opt-in only by adding a slug to your bio). It doesn't really do much. Just shows your HN bio rendered as markdown plus meta stuff. I'm thinking of adding an aggregated user listing on the homepage so people can explore profiles. There's a bunch of interesting people on HN but discoverability is a bit longwinded. I'm wondering what other features people want. Otherwise shall likely leave it as-is. I remember hnbadges was a thing for a while, but can't remember what happened to it. Did people like that? Anyway, at.hn's on github if people want to contribute. - https://github.com/padolsey/at.hn

168 comments

[ 2.6 ms ] story [ 161 ms ] thread
This is awesome! How are you handling the addition of subdomains?
I'm not the author but anything like this is likely done with a wildcard DNS entry. So basically *.at.hn points to a server app. This app can then see which domain was requested and do whatever it wants with this string, like treat it as a username.
In Cloudflare (for example) you can put in:

    example.com -> 1.2.3.4
    *.example.com -> CNAME example.com
I'm getting Internal server error 34. Which is one I'd never seen before. ;)
Same here... HN kiss of death maybe? Too bad. Looks fun.
All three of us have capital letters in our usernames and empty profiles, and an internal server error.
When I refresh I get

> Internal Server Error 34

Cool idea though, will try again later.

(comment deleted)
Does this not work with upper case letters? I only get "Internal Server Error 34".
Yikes you're right. I need to come up with a way to solve that. Maybe a param or path to lock in the username like abc.at.hn/Abc ... I'll have a go. EDIT: for now I'm tired and off to bed but if someone has a graceful/simple way to handle the non-lowercase usernames, please come forward.
> if someone has a graceful/simple way to handle the non-lowercase usernames, please come forward.

Graceful? No. But simple? Yes.

Scrape every single username on HN to some local storage (even a file on disk would be enough, HN is relatively tiny), then lowercase all of them into a second column in the file. Refresh this file once per day.

Now you have a map of UserName <> username that you can use for lookups :)

HN seems to support using lowercased names for the /user?id=(lowercased-name) ... if you just need to translate for lookup. Not sure about things like underscores or other characters.
That's a cool idea, I like it. Will check it out when it's up and running again.

If this slips of the first page, I hope you get to resub when things are a little more stable.

Nice project, just wanted to mention that Ducky looks like he has quite a personality!

Btw what do you mean by > Note: Outgoing links are rel=nofollow unless you're >200 karma (anti spam)?

I guess the links aren't hyperlinked or something?

nofollow is basically just a hint to search engines that site A doesn't necessarily endorse site B by linking to it
There seems to be some weird encoding issues and failure to convert URLs to links properly, for my profile - https://mike-cardwell.at.hn/ - Also, some of the indenting and white space is broken making the PGP signature invalid
Whoops. Yeh I'm working on the encoding thing atm. Thank you for flagging! EDIT: I'm relying on the 'marked' npm package for markdown and it is handling the linkification of URLs, sometimes badly. Shall work on it.
Since marked doesn't do it for you, make sure you sanitize the user input (the text on the user profiles) before rendering it to visitors.

Some libraries for doing that with good defaults:

- https://github.com/cure53/DOMPurify

- https://github.com/apostrophecms/sanitize-html

- https://github.com/bevacqua/insane

(right now your site looks vulnerable to XSS)

Yeh I'm sanitizing already thankfully. I've fixed the decoding issue, but I'm expecting some % of users to be borked for a whole other variety of quirky reasons.
Nice :)

Ah, I bet you discovered that subdomains aren't case-sensitive while HN usernames are case-sensitive, didn't you? :)

HN usernames aren't case-sensitive:

> That username conflicts with an existing one. Names are case-insensitive. Please choose another.

They're case-sensitive for the purpose of scraping a profile page.

https://news.ycombinator.com/user?id=Retr0id - 200

https://news.ycombinator.com/user?id=retr0id - 404 (Edit: 200 now?)

That second one doesn't give me a 404 but correctly shows your profile.
Weird, it also works for me now, I could've sworn it didn't work before.

The firebase API on the other hand remains case-sensitive:

https://hacker-news.firebaseio.com/v0/user/Retr0id.json => full response

https://hacker-news.firebaseio.com/v0/user/retr0id.json => null

maybe wrap it in three backticks on a line before and after?
For example...

    Markdown Content
    ...
    ```
    -- BEGIN PGP...
    https://news.ycombinator.com/user?id=yourname
    yourname.at.hn
    --- signature
    ```
> opt-in only by adding a slug to your bio

I really like this. It’s respectful of people’s wishes to not be added to any random site, and at the same time the way to give consent advertises the service.

Ethical and effective business practice? Yes, please. If only all things posted to HN were like this.

PS: It says something about my disillusionment with most software projects these days that I have nothing but praise to give to this one, yet all the while I can’t shake the feeling of “I hope I don’t regret those words”. Anyway, that’s a “me” problem. Congratulations on the launch, and best of luck.

> It says something about my disillusionment with most software projects

My disillusionment is I don't trust any of you. My devices have so few apps, that it could almost be mistaken for a clean install. In coding, I use very few libraries because I don't trust anyone. I don't have time to read all of the code of the dependencies. Also, by using libraries, I don't learn how to do what is needed to be done. I hate black boxes. Between bad packages including malicious/bad dependencies in an otherwise acceptable package or flat out devs pushing something that looks useful for the sole purpose of pushing bad code, it's just not worth my time.

Not sure if disillusionment is the right word though. It's close, but the lack of trust doesn't come through.

(comment deleted)
I updated my profile but I don't see any change on my at.hn page - how long does it cache for?
You failed at step 1 of instructions...

> To opt-in, paste "{your username}.at.hn" anywhere in your profile's 'about' section.

And are you prepared to respond to GDPR and other jurisdiction requirements of data collection and management?
Aren't you jumping the gun a little bit? While it's a valid question, it's very premature.
It's not premature; it's something to consider whenever sharing people's personal data on the internet.

The GDPR does not apply "in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity" [1].

However, that does not extend to generally sharing the information on the internet [2] as that's no longer purely personal.

[1] https://gdpr-text.com/read/recital-18/

[2] https://law.stackexchange.com/questions/92229/what-does-hous...

How does the fact that the user opts-in for the service by manually adding the tag to their profile so that information they personally added could be shared get considered by the GDPR?
Not sure and IANAL but the GDPR text is a bit weird on that. Article 9 has section e) which says that information 'manifestly made public' relating to 'special categories' is excluded.

What's weird is there seems to be no such exclusion for personal information which does not relate to special categories.

Having this 'opt-in' certainly seems to tick the box for consent.

However, if reproducing information from a publicly available bio would fall foul of GDPR requirements, then I think there are bigger fish to fry than a hobby project made by a guy who at least seems to trying to respect people's preferences.

Although I wrote "it's something to consider", from what I can see the developer has already considered this sufficiently for the scale of the project.
My hope is that, since it's opt-in, and people are publicly publishing this stuff, It'd be alright. Dunno.
You will get haters and armchair lawyers no matter what you do. Ignore the trolls.
Usual note that IANAL, but looks like this service is opt-in, and only relists data which is already public on a user's HN profile.

If a user removes the reference from their bio, then the user's profile will be essentially inaccessible through the service (although technically the cached version would still be on the server. Adding a check to delete the file which matches the user's hashed ID here[0] would take care of profile deletions on subsequent accesses.

Failing all that, a user could request deletion and OP could delete the user's file manually.

There's nothing that seems overly onerous to implement to be (at least) GDPR compliant.

[0]https://github.com/padolsey/at.hn/blob/d4ca6702c558edf736652...

No action is needed if OP doesn’t store unnecessary info or use spyware
The 2 letter domain must have been a premium.

Cool project.

$100 but worth it for the fun!
that's a steal. I can spend that in a single night at the pub, so yeah, for what it is it is a no-brainer.

the only hesitation is how stable is the 'hn' TLD?

Edited for ID10T too early in the morning issue

Looks like it's $64 on Regery.
(comment deleted)
Fun idea!

- The first bullet point does not seem to be recognised (on your profile and mine). - webp images do not work?

Bullet point issue ~fixed just now. Thanks for flagging! Webp, hmm, looks visible here..
(comment deleted)
[flagged]
By attention he means it redirects to adult content.
Not really, unless you have visited the site before. I guess you already have accepted the warning on their front page lol.

Sad that you are a party pooper tho! I was being nice and warned you and here you are, removing the fun.

It's not fun when people end up with that domain in their history on corporate networks. Fun would be redirecting to a rickroll, what you did is malicious.
C'mon mate, it's just a redirect to a nsfw website. Not the end of the world. I also did warn about it so if you work in such a crappy environment and click on a link with a warning you'll have to suit yourself.
Well played, thankfully I know the keyboard shortcut to close a tab rapido!
Well I mean... I like the idea of you having autonomy over your own bio .. :P I kinda want to see how this xss vuln plays out.
Haha yeah, I realized he fixed the obvious one with javascript injection but since markdown doesn't convert html I figured a normal html redirect would work and it did!
Has this already been cleaned up? I opened the link and it did not redirect. I viewed source and I do not see "<meta http-equiv="refresh"...." in there.

(Using Firefox)

EDIT: nvm I see my sibling comment just now.

Kinda minor thing, but the generated HTML isn't technically valid. The meta and style tags are supposed be inside the head tag (as supported by the MDN docs on the tags and the errors shown when you view source in Firefox).
Don't worry, WebKit devs will update Quirks.cpp soon!
so perhaps some kind of collaborative filtering or cohort graph or AI summary can be added on top of this? What other users often comment on the same kinds of stories? Who often replies etc? What kind of stories do they engage with? Etc.
Man, that is a costly domain TLD to be playing around with. Nice 2-character domain you got. Best of luck and have fun.
.hn is a tld of Honduras.

Renewal and registration fees seems to be the same, so it's not bad.

.hn is an expensive tld, and none of the 2-character repeating domains are available either.
Watch out and take care!
I got a 3-character domain, rio.hn, just to spell my name as an e-mail (using the @ as 'a' :)
Usernames in domains means, in many cases, the ISP learns peoples usernames.
instead of going to dang.at.hn directly, I am archiving it at https://archive.ph/wip/0acmv so only me, and the fine folks at archive.today, and of course everyone on HN will have access to dang's username :D
> so only me, and the fine folks at archive.today, and of course everyone on HN

+ the rest of the ~20 organizations/domains being called from that page: https://i.imgur.com/CYSDJp0.png

might be slightly easier to set up DoH with a service you trust as the provider. Most browsers have a setting for it.
It looks like dang has a page despite having no slug on his profile page:

https://dang.at.hn/

https://news.ycombinator.com/user?id=dang

Unless of course he added it, and later removed it?

(comment deleted)
The wording of:

> To opt-in, paste "{your username}.at.hn" anywhere in your profile's 'about' section.

Is slightly incorrect, I think.

Everyone seems to visible by default, opted-in or not.

However, the ?refresh thing is locked down so you need to opt-in before. But by default, every user page is accessible on at.hn, even if you don't have the link in your profile.

Mine is not visible, and I did not opt-in.
Mine is visible, oddly. I didn't opt in, either.
(comment deleted)
i think the dev of at.hn just added him for testing reasons.
pg was added too, first one I tried. I had assumed it was a growth-strategy thing, but testing makes more sense.

Surprised to see one of these kinds of sites be opt-in. Most things I see using HN data are real loosey goosey about it.

OP here. Ugh yeh it was an error to add those as, for a brief time, the line checking that their bio had the slug in it was commented out, so for around an hour last night, if people checked those profiles, they succeeded. But those states are stale now, or should be soon.
,op living between bj and london,,which part of bj?
I assume his profile was used by @padolsey as a test and manually opted-in
How hard is it to export all of the comments someone has written on HN? I have been thinking about converting my HN comment history into something like a blog. Each entry would show the title of the submission, link if applicable, and the comment and link to comment thread.

Maybe you could provide that service for a small fee.

https://github.com/runvnc/hncomments

too hard? too easy? i dont know?
Using the algolia api

https://hn.algolia.com/api/v1/search?tags=author_ilaksh,comm...

You'll need to paginate it, as it's limited to 50 results per page, like so:

  https://hn.algolia.com/api/v1/search?tags=author_ilaksh,comment&hitsPerPage=50&page=1
Or HN's actual API, which isn't rate limited: https://github.com/HackerNews/API
Yes, but with the algolia API, you'll need to make way fewer requests, as you'll get up to 50 comments per API call + you also get the title and URL of the post where this comment was posted in the same call.
I wrote a simple program a while ago to just download all of https://news.ycombinator.com/threads?id=arp242, with my cookie set. Upshot of this is that it will include scores and flagged comments, which public sources won't have. It's useful to filter comments.

To be honest I don't remember what the exact status is; it should work because I have a large TOML file with all my comments. But I don't recall if there's anything "TODO" or if I just forgot to publish it.

Need to put your cookie in the variable at the top.

https://gist.github.com/arp242/4f88069cdc8166d21aa26daac7ffe...

> export all of the comments someone has written

Please remember that users gave a license to their content only to HN, not everyone. Using their data without their consent might come afoul of copyright laws.

There are already numerous third party sites that crawl HN and use its API. Your comments here are public, no one needs your permission to use them.
So if you put a photo up on instagram I can yoink it and use it as I see fit?

I suggest reading the legal print: https://www.ycombinator.com/legal/

> By uploading any User Content you hereby grant and will grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.

It says here I grant Y combinator (and its affiliated companies; hm...) a licence, not that I grant it to some rando with a scrapper (or using an API). Anyone that's not Y combinator (and its affiliated companies; hm....) that's using my content posted here is doing so without any licence to do so from me, potentially violating my copyright rights.

>So if you put a photo up on instagram I can yoink it and use it as I see fit?

We're talking about Hacker News, not Instagram.

>It says here I grant Y combinator (and its affiliated companies; hm...) a licence, not that I grant it to some rando with a scrapper (or using an API).

And yet Hacker News has an API and plenty of people use it, implying that Hacker News considers the use of its own API to be valid within the context of its "license" and by extension any application also using the API.

Feel free to lawyer up and sue, though, and let us know how it goes. I don't think it'll go as well as you seem to believe.

Sure, HN is not instagram, but user content is user content. And user content is subjected to copyright laws.

The mere fact the API exist doesn't necessarily mean it's legal or that it respect copyright laws. It just means nobody legally tested it yet.

My suspicion is that a licence granted to entity only extends to that entity, even if that entity provides content via html or json.

(comment deleted)
Write an GDPR request … and wait.
Also would be interesting to see my downvotes to upvotes ratio, compared with others.
Is there notification mechanism for hn when someone comments after you or @you?