@jeff why do you think so about client certificates? I'm curious
@solene I feel like they are a bizarrely complicated solution to the issue of identity.
@jeff it's no more than a token file to identify someone instead of a bunch of text. I suppose this may seem different if you were asking to provide the file for authenticating instead of managing the cert in the client
@solene the second option, yes. "/login.gmi" requests a username, that redirects to "/login/<username>/password.gmi" that requests a password. If validated, a session is then assigned.
If you can follow the spaghetti code, the auth is handled in "external_input_request_gemini:"
https://git.approximatrix.com/cgit.cgi/levitating/tree/captain/external.f90
@jeff the code seems fine, I don't know fortran but a quick look for a few things didn't bring horrors to me 
Maybe when you visit loginfailed.gmi you could make use of a status code? I suppose there is a status code for failed login.
@jeff no problem, I was just curious
so on Gemini you input the login and password concatenated or you use first an input for the login, load a new page and ask for the password?