User registration

[Ekhorn]

Description

As a user, I want to be able to register an account, so that I can log in to Spaced.

Acceptance criteria

• [ ] A username field should be present that will be used to identify the user to others.
• [ ] An email field should be present to identify the user to the system and used for communication.
• [ ] A password field should be present.
• [ ] A confirmation field should be present to guarantee the password is as expected.
• [ ] The fields should hover over a blurred background of the app.
• [ ] Conformation email should be sent, linking back to ensure the user owns the email address.
• [ ] A message should be shown with a resend link stating “To use Spaced you must verify your email address first.”
• [ ] Upon opening the link, the user should be logged in and places at the center of their space.

[Ekhorn]

For protected resource access, it will likely make most sense to use the following.

OAuth2.0

• Grant Type: Authorization code
• With PKCE

The token should be stored in a service worker, to mitigate the severity of XSS and intercept requests with a token. This needs to be tested how reliable it is and whether this works with Tauri. The architecture style would likely be a token-mediating backend.

The following resource was used to come to these conclusions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

The UI would use probably use some form of silent authentication, with a simple dialog to handle authentication.

Also, a CSP should be looked at to minimize attack vectors for XSS https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

[Ekhorn]

Todo

• [ ] Use Authorization code grant with PKCE, implemented via iframes for silent authentication.
• [ ] Store access_token in memory and access_token either in service worker or use a SameSite, HttpOnly Cookie.
• [ ] Properly handle token expiration logic on client.
• [ ] Optionally: token revocation.
• [ ] Convert unwraps to internal server errors.
• [ ] Unit-test entire authorization flow.