ThoreBor / Anki_Leaderboard

Anki 2.1 Add-On
https://ankiweb.net/shared/info/41708974
MIT License

Accounts are not secured (Login, Delete) #20

Closed PcoteStudio closed 4 years ago

PcoteStudio commented 4 years ago

Anybody can delete any account or log into any account to change its current streak. I believe there should be an actual account management with passwords, or simply use the existing username of the current Anki user, if possible.

ThoreBor commented 4 years ago

Yes, I haven't decided yet what to do about that. Just so you know, if somebody else should use or delete your account, the next time you sync your account everything would be back to normal. Only if you delete it, it would be permanently gone. Using the existing username could cause problems because of duplicates. It would be possible to check if the Anki profile name matches your leaderboard username if you log in or delete your account. I want to try to avoid dealing with password management, because I can't guarantee that it would be secure and I don't think that it would be worth the effort for such a small project.

PcoteStudio commented 4 years ago

Is there any unique user ID available from Anki? If so, you could allow a single account per user ID, but with the option Change Username. You would not even need to ask the user to log in, he would keep his base username per default.

ThoreBor commented 4 years ago

As far as I know there's no unique Anki id.

zjosua commented 4 years ago

> Is there any unique user ID available from Anki?

AnkiWeb uses e-mail addresses. These are unique. But the way the data is currently stored in a freely accessible text file, using the e-mail addresses is not a good idea.

I am not at all familiar with pythonanywhere.com or Django. Can you use a database with the free subscription on pythonanywhere?

My idea for a quick fix would be to store a randomly generated hash in the user list and in Anki's local add-on config. Then compare the hashes before syncing or account deletion. Since the hash would be readable from the user list, one could still manipulate other users' data, if they know a little about Python coding. But at least, cheating through the add-on's UI wouldn't be possible anymore.

ThoreBor commented 4 years ago

Sorry, I somehow overlooked this comment. I had the same idea, though. Starting from v1.5.1, the add-on will create a hash (SHA1) from the ids in the revlog table, store it in the config table, and sync it to the server. Users can only sync if the token matches and can only delete their own account. The token is not public; it will not show up on /getdata/ (and the old API /getreviews/ etc.).
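The token scheme described in the last comment, sketched as an added example; this is not code from the add-on or its server. The `Leaderboard` class, `make_collection` helper, and the way the revlog ids are joined before hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

def revlog_token(col_db: sqlite3.Connection) -> str:
    # SHA-1 over the review-log ids. Joining them as comma-separated
    # decimals in ascending order is an assumption, not the add-on's format.
    ids = [str(r[0]) for r in col_db.execute("SELECT id FROM revlog ORDER BY id")]
    return hashlib.sha1(",".join(ids).encode()).hexdigest()

class Leaderboard:
    """Hypothetical in-memory stand-in for the server-side user list."""
    def __init__(self):
        self._users = {}  # username -> {"token": str, "streak": int}

    def _authorized(self, username, token):
        user = self._users.get(username)
        # Constant-time comparison so the check does not leak token prefixes.
        return user is not None and hmac.compare_digest(
            user["token"].encode(), token.encode())

    def sync(self, username, token, streak):
        if username not in self._users:
            # First sync binds the token to the username.
            self._users[username] = {"token": token, "streak": streak}
            return True
        if not self._authorized(username, token):
            return False
        self._users[username]["streak"] = streak
        return True

    def delete(self, username, token):
        if not self._authorized(username, token):
            return False
        del self._users[username]
        return True

    def public_data(self):
        # Public listing: the token field is never serialised.
        return [{"username": u, "streak": d["streak"]}
                for u, d in sorted(self._users.items())]

def make_collection(review_ids):
    """Constructed sample collection holding only a revlog table with an id column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE revlog (id INTEGER PRIMARY KEY)")
    db.executemany("INSERT INTO revlog (id) VALUES (?)", [(i,) for i in review_ids])
    return db
```

The server-side check is the same if the token is a random value such as `secrets.token_hex(20)` instead of a hash of review ids.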