Require contributors be logged in to improve security

[iandunn]

Auth tokens are used for companies, see #46. They're as secure as they can be, but not as secure as traditional accounts.

It seems like might not need to use them for contributors. Or that maybe we can use accounts on top of the tokens. See:

• https://github.com/WordPress/five-for-the-future/issues/10#issuecomment-546451245
• https://github.com/WordPress/five-for-the-future/issues/10#issuecomment-546455108

Move this from #10 since that's closed now, and this is a tangential discussion.

[iandunn]

Replying to @coreymckrill's comment, I don't have a strong opinion about how the UI for contributor/pledge management should be, and the issues discussed in #29. At a quick glance, though, I like your idea.

Mostly I'm focused on the security aspect, though, so am happy to implement that within whatever UI/flows we decide on in those other issues.

Does anyone have any concerns about requiring contributors to be logged in when they do the following?

• confirm their participation with a pledge
• remove their participation from a pledge
• make any other changes to their 5ftF data

[coreymckrill]

confirm their participation with a pledge remove their participation from a pledge

I can't think of anything. I'm assuming that people can log in without needing their account to actually be added on the 5ftF site itself.

make any other changes to their 5ftF data

The other data related to contributions happens over on profiles.wordpress.org (because its stored in BuddyPress xprofile tables). It might be confusing for contributors to have two separate places to change data, but as long as we provide a link to the right place in their Edit Profile page, I don't think this is a big deal.

[coreymckrill]

cc @melchoyce for design thoughts on a 5ftF page where logged in contributors can manage their links to pledges.

[coreymckrill]

Oops, #29 might be a better place to discuss design for this.

[iandunn]

without needing their account to actually be added on the 5ftF site itself.

That's a good question. I think by default it'll redirect them to Profiles, or show them a wp_die() message, depending on what they're trying to access. IIRC that's a mix of Core and custom w.org code. It might not matter on the front-end, though. Multisite allows you to be logged in to the network even if you don't have a role on a specific site, but we might need to setup an explicit redirect param on the login.w.org link.

[iandunn]

Another reason to use logins instead of tokens is because the tokens expire after 2 hours, but we can't assume that the contributors will open the email within that timeframe.

We can assume that w/ pledges, because the person creating the pledge is also the person receiving the email, but with contribution emails they're different people. So, the contributor could be asleep, on vacation, or just living with healthy boundaries and not checking their email every 5 seconds :)