I think it gets a ton of hate because people generally associate it with VB6 and older versions of the language. Lua and Ruby use a similar “word-based” syntax instead of brackets everywhere and they don’t get the hate that VB.NET gets.

I did, I also tried Opera Unite back in the day. Opera Unite was far simpler and even if you didn’t know html or programming you could use it, it wasn’t P2P so if your computer was off so was your website. Beaker requires some html and programming knowledge (and knowing their JavaScript APIs* if you want to build something relatively complex) but if you publish interesting enough content other people may also contribute bandwidth and host your website so in theory you could turn off your computer and the site will remain online. In practice I’ve found that for most sites there’s simply no interest so they are offline most of the time. I haven’t tested it recently, when I tried there was a requirement of a Twitter account if you wanted your website to be on their list of websites, I hope they could get rid of that. I should probably try it again and see how things have improved.

* I tested this a year or two ago, I just installed the latest version and it seems to have changed a lot, it used to work with an “index.json” file and several JavaScript components but it seems that those old websites are now broken so I’ll have to test the new way of building websites with Beaker.

Shouldn’t it be a 404 error instead of a timeout when the user doesn’t exist?

Sorry to bother you again, it took me some time to find this again on GitHub. This login bug I was experiencing was introduced when fixing this other login bug, you can see in that commit that eq was changed to ilike but now your new pull request reintroduces that old bug with the case-sensitiveness of the usernames during login. I think the solution to both bugs would be converting to uppercase before comparing with eq (and having a computed uppercased column indexed on the database). I don’t know enough Rust to propose code changes or send a pull request, I hope my description of the solution is good enough for someone more knowledgeable to write the code.

You need to know the exact length of the account name (it seems that % is filtered because it is not allowed in usernames and only underscores can be used as placeholders). The risk is minimal, the only possible exploit that comes to mind is trying a list of compromised/common passwords and testing each with underscore usernames of different lengths. That way you will be able to log in as the first person (by database query sort order) using a compromised/common password whose username (or email) has the same amount of characters as underscores you tried. So the usual advice applies: don’t use a compromised or common password and you will be safe, use a password manager and let it generate a random password for you if you can. Also this is easy to detect server side and if there is any kind of rate limiting the attack won’t work, I wouldn’t worry about this bug.

I think this is a backend error, with my poor Rust reading skills I arrived to this find_by_email_or_name function where I believe the problem is: https://github.com/LemmyNet/lemmy/blob/f24999027e26fc77cc3808674f4f37fb1883c20f/crates/db_views/src/local_user_view.rs#L85

It uses ilike which in SQL should allow things like % and _ to be used as placeholders for matching any character(s): https://www.postgresql.org/docs/14/functions-matching.html#FUNCTIONS-LIKE