KitsuCommunity / kitsuawards-server

The server used for the Kitsu Awards
GNU Affero General Public License v3.0

New user-verification flow #4

Open Reinachan opened 1 year ago

Reinachan commented 1 year ago

NOTE: This issue serves as an overview of the new user-verification flow and to keep track of the various issues related to it. Broad discussions about the overall method go here; specific discussions about implementation details go into the respective issues.

Description

Our current method for handling user verification is flawed as it requires the server to know the user's token and to verify directly. While this prevents request forgery, it requires us to save more data on the users than we should. Instead, we should verify through Kitsu that the user in question has access to the account.

Implementation

  1. user signs in directly with Kitsu
  2. user ID is sent to KitsuAwards
  3. server generates a unique message ( #5 )
  4. using that message, the client generates a post on Kitsu directed at a user we're in control of ( https://github.com/KitsuCommunity/kitsuawards-client/issues/211 )
  5. client links that post to the server
  6. server verifies that it's correct ( #6 )
  7. client deletes the post ( https://github.com/KitsuCommunity/kitsuawards-client/issues/212 )

We might want to tie the verification to an account on our side so we don't need to store their token and so we don't need to go through that process again each time the user gets a new token.

lunaisnotaboy commented 1 year ago

@Reinachan remind me to work on this and everything else before we actually set up the server