DestinyItemManager / dim-api

Destiny Item Manager API Service
MIT License

Do not store data under Bungie.net membership ID #141

Open bhollis opened 1 year ago

bhollis commented 1 year ago

It turns out that users can relink their Destiny profiles to different Bungie.net accounts, and in fact they may do this without knowing (perhaps by choosing different login options? IDK). Unfortunately all data in DIM Sync is stored under (bungie membership id, profile membership id) keys, so this makes their data inaccessible after the change.

To fix this, we could switch to storing only by profile membership ID. Then, we'd need to change the auth token to include a list of all profile membership IDs accessible from the logged-in account, and use that to validate access to each bit of data. This has one glaring downside, which is that if the user links a different profile to the same Bungie.net account, they won't see it. Remember that users can still have multiple profiles if cross-save is off! However, this may be worth it, vs "my loadouts suddenly disappeared" as a logout/login will fix it.

bhollis commented 1 year ago

OK, I fixed a bug. So 30 days from now it should be good.

bhollis commented 1 year ago

All tokens have been regenerated with the list of profile IDs included in the JWT - we can now safely start relying on that info.
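
The access check proposed in this thread, sketched as an added example that is not part of the thread or of the dim-api code base. It assumes the JWT signature and expiry were already verified; the claim name `profileIds`, the `LoadoutStore` class, the status codes, the rejection of tokens that lack the list, and all IDs are hypothetical or constructed.

```typescript
// Claims after the JWT signature and expiry have already been verified.
// `profileIds` is a hypothetical claim name for this example.
interface VerifiedClaims {
  bungieMembershipId: string;
  profileIds?: string[]; // missing on tokens issued before the claim existed
}

// Returns an HTTP-style status: 200 allowed, 401 re-authenticate, 403 denied.
function authorizeProfile(claims: VerifiedClaims, profileId: string): number {
  // Assumption: a token without the list cannot prove access to anything.
  if (!Array.isArray(claims.profileIds)) return 401;
  // Exact string match only; the IDs are too large to compare as JS numbers.
  return claims.profileIds.indexOf(profileId) !== -1 ? 200 : 403;
}

class LoadoutStore {
  // Keyed by profile membership ID only, never by Bungie.net membership ID.
  // A prototype-free object keeps keys like "__proto__" from resolving.
  private rows: { [profileId: string]: string[] } = Object.create(null);

  save(claims: VerifiedClaims, profileId: string, loadout: string): number {
    const status = authorizeProfile(claims, profileId);
    if (status !== 200) return status;
    (this.rows[profileId] = this.rows[profileId] || []).push(loadout);
    return 200;
  }

  load(claims: VerifiedClaims, profileId: string): { status: number; loadouts: string[] } {
    const status = authorizeProfile(claims, profileId);
    if (status !== 200) return { status, loadouts: [] };
    return { status, loadouts: (this.rows[profileId] || []).slice() };
  }
}

// Constructed sample IDs.
const PROFILE = "4611686018400000001";
const OTHER_PROFILE = "4611686018400000002";

function relinkScenario() {
  const store = new LoadoutStore();
  store.save({ bungieMembershipId: "1001", profileIds: [PROFILE] }, PROFILE, "raid loadout");
  // Same profile, now linked to a different Bungie.net account.
  const relinked: VerifiedClaims = { bungieMembershipId: "2002", profileIds: [PROFILE] };
  const stranger: VerifiedClaims = { bungieMembershipId: "3003", profileIds: [OTHER_PROFILE] };
  const stale: VerifiedClaims = { bungieMembershipId: "1001" }; // no list in token
  return { afterRelink: store.load(relinked, PROFILE),
           stranger: store.load(stranger, PROFILE),
           stale: store.load(stale, PROFILE) };
}
```

Because the Bungie.net membership ID never enters the storage key or the check, relinking the profile to another account leaves the data reachable, while a token whose list omits the profile is refused.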