Users will register for an account on the seekers guild website.
A login route will be available for the user to request access.
If the submitted password, run through the server's password hashing function, matches the hash stored on the server, the user will be issued a JWT set to expire after a fixed lifetime (TBD). The client sends the password itself over TLS; hashing and comparison happen only on the server.
The user will provide this token with each request they make to the server.
If at any point a request returns a status indicating the token is invalid (expired, revoked, malformed or badly signed), the client should log the user out and redirect to the login page. The user will be issued a new token after a successful login.
If a user logs out, the server will invalidate their token. Because a signed JWT stays valid until its expiry, this means the server must keep a denylist of logged-out token IDs (jti) until each one's expiry has passed.
This will handle login services and account permission levels.
As for general API access, it would most likely be sufficient to:
Allow the user to request a long-term JWT for API access.
The token should be 'click-to-reveal' and it should be possible to regenerate it; regenerating should invalidate the previous token, and the server should record which token is current for the account.
Questions:
How do you prevent long-term tokens from accessing account-specific endpoints like logout? (Should logout invalidate a long-term token?)
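One way to put the whole flow above (register, login, session JWT, logout invalidation, long-term API token with click-to-reveal regeneration) together, and to answer the question just raised, is sketched here as an added example; it is not the seekers guild project's own code. It assumes stdlib-only HS256 JWTs, in-memory user and denylist stores, a per-process signing key, and a split of endpoints into "account" (logout, settings, token regeneration) and "api"; every name in it is hypothetical. The answer it takes to the question: session and API tokens carry a "kind" claim, account-only endpoints refuse anything but a session token, and logout revokes only the session token it was called with, so a user's long-term API token survives logging out of the website.

```python
# Added example, not the seekers guild project's own code: stdlib-only HS256
# session JWTs with server-side logout revocation, plus long-term API tokens
# carrying a "kind" claim so account-only endpoints can refuse them. Assumed
# (hypothetical): in-memory stores, a per-process signing key, endpoints split
# into "account" (logout, settings, token regeneration) and "api".
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)   # in practice loaded from config, not generated here
SESSION_TTL = 15 * 60                   # session expiry is TBD on the page; 15 min assumed
API_TTL = 365 * 24 * 3600               # long-term API token lifetime, one year assumed
USERS = {}      # username -> {"salt", "hash", "api_jti"}
REVOKED = {}    # jti -> exp; entries can be dropped once exp has passed

class TokenError(Exception):
    pass

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _password_hash(password, salt):
    # The client sends the password itself (over TLS); hashing is the server's job.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _password_hash(password, salt), "api_jti": None}

def mint(claims, ttl, now):
    # `now` is passed explicitly (seconds since epoch) so expiry is testable.
    body = dict(claims, iat=int(now), exp=int(now) + ttl)
    body.setdefault("jti", secrets.token_hex(16))
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify(token, now):
    try:
        head, payload, sig = token.split(".")
        # Check the signature before trusting anything in the header or payload.
        expected = hmac.new(SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise TokenError("bad signature")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            raise TokenError("unexpected alg")   # refuses alg=none and key-confusion tricks
        claims = json.loads(_unb64(payload))
    except ValueError as exc:                    # bad split, bad base64 or bad JSON
        raise TokenError("malformed") from exc
    if claims["exp"] <= now:
        raise TokenError("expired")
    if claims["jti"] in REVOKED:
        raise TokenError("revoked")
    return claims

def login(username, password, now):
    user = USERS.get(username)
    # Hash against a dummy salt for unknown users so timing does not reveal who exists.
    candidate = _password_hash(password, user["salt"] if user else bytes(16))
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        raise TokenError("bad credentials")
    return mint({"sub": username, "kind": "session"}, SESSION_TTL, now)

def logout(token, now):
    claims = verify(token, now)
    if claims["kind"] != "session":
        raise TokenError("logout needs a session token")
    # A signed JWT cannot be recalled, so record its jti until it would expire anyway.
    REVOKED[claims["jti"]] = claims["exp"]

def issue_api_token(session_token, now):
    # Reached from the click-to-reveal page, which itself needs a live session;
    # regenerating revokes the user's previous API token.
    claims = verify(session_token, now)
    if claims["kind"] != "session":
        raise TokenError("only a logged-in session may mint API tokens")
    user = USERS[claims["sub"]]
    if user["api_jti"]:
        REVOKED[user["api_jti"]] = int(now) + API_TTL   # upper bound on the old exp
    user["api_jti"] = secrets.token_hex(16)
    return mint({"sub": claims["sub"], "kind": "api", "jti": user["api_jti"]}, API_TTL, now)

def authorize(token, endpoint, now):
    # Per-request check: "account" endpoints accept session tokens only,
    # "api" endpoints accept either kind.
    claims = verify(token, now)
    if endpoint == "account" and claims["kind"] != "session":
        raise TokenError("long-term API token refused for account endpoint")
    return claims["sub"]
```

A route handler would call authorize(token, "account", time.time()) or authorize(token, "api", time.time()) before doing any work, and the client's rule from the notes above (log out and redirect on any token error) maps onto every TokenError raised here. The denylist is in memory, so in a real deployment it needs to live somewhere shared by all server instances (and be pruned once exp has passed); long-term API tokens are the reason the denylist cannot simply be a short-lived cache.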
Ideas:
[ ] Cannot access without email?
To-Dos: front-end:
back-end: