Open IreneKnapp opened 11 years ago
I think that we definitely need local user accounts, not only GitHub-federated accounts, though we can absolutely support those too. Rather than give people usernames, we should treat email addresses as identifying accounts, and they should be in a many-one relationship with accounts. This allows us to treat OAuth providers as simply one type of login credential that an account may have.
As an aside, here is a feature that would be scope creep and that we are not going to do: HOTP/TOTP two-factor authentication. Nice thought, but too much low-level code for version one.
A sub-topic of this is issue #10.
Are user accounts in scope? What is their nature?
Specifically, do we have both user and organization accounts? I think that we must. Is there any sort of privilege system to allow users to be designated as curators of all or part of the package tree? If so, what are its specifics?