MedievaLands [closed source] is a recreation of an early MMORPG. The desktop client runs on .NET Framework on Windows and macOS; the server runs on .NET Core on Linux; the website is written in PHP and runs on Apache on Linux. The code base is about 126,500 lines of C#.
Login UI
[ ] account icon (silhouette of a person) next to "online": white when not logged in, green when logged in.
[ ] Clicking the account icon takes you to the login page if not logged in, or to the account page if logged in.
[ ] Login page: username, password.
[ ] Login attempts are heavily throttled, both per source IP and per attempted username, so that neither one IP spraying many usernames nor many IPs targeting one username gets unlimited guesses. (Per-username throttling also lets an attacker lock a chosen user out for the window, so the block must expire on its own rather than need a manual reset.)
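The IP-plus-username throttle above, as an added example that is not the site's own PHP: a sliding-window limiter in Python, with the limits and the sample attempts constructed for illustration (the spec says "highly throttled" but fixes no numbers).

```python
from collections import defaultdict, deque

# Constructed limits (assumption): the spec says "highly throttled" but fixes no numbers.
IP_LIMIT = (10, 600)      # at most 10 attempts per source IP per 10 minutes
USER_LIMIT = (5, 900)     # at most 5 attempts per username per 15 minutes


class LoginThrottle:
    """Sliding-window counters keyed by IP and by (normalised) username."""

    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_user = defaultdict(deque)

    @staticmethod
    def _recent(q, now, window):
        """Drop timestamps that fell out of the window; return how many remain."""
        while q and q[0] <= now - window:
            q.popleft()
        return len(q)

    def allow(self, ip, username, now):
        """True if this attempt may proceed to the password check. Every attempt
        is recorded, allowed or not, so hammering a blocked bucket keeps it
        blocked; both the IP bucket and the username bucket must be under limit."""
        user = username.strip().lower()   # "Alice " and "alice" share one bucket
        ip_ok = self._recent(self.by_ip[ip], now, IP_LIMIT[1]) < IP_LIMIT[0]
        user_ok = self._recent(self.by_user[user], now, USER_LIMIT[1]) < USER_LIMIT[0]
        self.by_ip[ip].append(now)
        self.by_user[user].append(now)
        return ip_ok and user_ok
```

The check runs before the password is compared, so a blocked attempt costs no password-hash work. Because the username bucket is shared across IPs, five bad guesses from anywhere lock that name for fifteen minutes: that is the lockout trade-off noted above, and the reason the block is time-based only.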
Access token and refresh token
[x] access token is comprised of: header-base64(type|version).payload-base64(encrypt(expiration_date|account_name|access_rights|salt)).signature-base64(HMAC(header64.payload64, secret)). The payload is encrypted; the signature is a keyed cryptographic hash (a MAC) over the encoded header and payload under the server secret, so nobody without the secret can recompute it. A token is valid when the signature over the received header and payload verifies (constant-time compare, before anything is decrypted), the payload then decrypts, and the decrypted expiration date is still in the future. The salt is per-token randomness so that two tokens with the same account, rights and expiry do not encrypt to the same payload.
[x] access token good for 1 hour. Access rights travel inside the token, so a change to an account's rights only takes effect when the next access token is issued, i.e. within an hour.
[ ] refresh token has the same structure as the access token, except its payload also carries a unique refresh id. Refresh ids are stored in the account data, so a refresh token can be revoked by deleting its id there.
[ ] refresh token good for 60 days.
[ ] if the access token is expired, or missing (the browser deletes the cookie when it expires), the server validates the refresh token, including checking that its refresh id is still present in the account data, and then issues a new access token.
[ ] if the refresh token will expire within 30 days, also issue a new refresh token with a new refresh id.
logged in pages
[ ] Add a new "restricted" characteristic for webpages. Each restricted page has an access-rights threshold. Requesting such a page with no token, an invalid token, or access rights below the threshold redirects to the 401 Not Authorized page. (Strictly, HTTP 401 means "Unauthorized", i.e. not authenticated; a valid token with insufficient rights is conventionally 403 Forbidden.)
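The token scheme in the "Access token and refresh token" section and the restricted-page check above, as one added example that is not the project's own code. It is written in Python rather than the site's PHP so it runs stand-alone; the keys, the account store, the `issue`/`validate`/`login`/`refresh`/`can_view` names and the HMAC-in-counter-mode stand-in cipher are all assumptions of this example, and the decision to retire the old refresh id when a new refresh token is issued is a design choice the spec does not state.

```python
import base64, hashlib, hmac, json, secrets

# Constructed keys for this example (assumption); a real deployment loads them
# from a secret store and never embeds them in source.
ENC_KEY = b"example-encryption-key-32-bytes!"
MAC_KEY = b"example-mac-key-for-the-hmac-32b"

ACCESS_TTL = 3600            # access token good for 1 hour
REFRESH_TTL = 60 * 86400     # refresh token good for 60 days
REFRESH_ROTATE = 30 * 86400  # issue a new refresh token once under 30 days remain

# Constructed account store; refresh ids live with the account data.
ACCOUNTS = {"alice": {"access_rights": 2, "refresh_ids": set()}}

def b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def keystream_xor(nonce, data):
    """Stand-in cipher (assumption): HMAC-SHA256 as a PRF in counter mode, so the
    example needs only the standard library. Use AES-GCM or ChaCha20-Poly1305
    in production; nothing else in the token structure changes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sign(header64, payload64):
    """Keyed hash (HMAC-SHA256 under MAC_KEY) over 'header64.payload64'."""
    return hmac.new(MAC_KEY, f"{header64}.{payload64}".encode(), hashlib.sha256).digest()

def issue(kind, account, now, refresh_id=None):
    """Mint header.payload.signature; access rights are read from the account."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    claims = {"exp": now + ttl, "acct": account,
              "rights": ACCOUNTS[account]["access_rights"],
              "salt": secrets.token_hex(8)}          # per-token randomness
    if kind == "refresh":
        claims["rid"] = refresh_id
    nonce = secrets.token_bytes(12)
    header64 = b64(json.dumps({"typ": kind, "v": 1}).encode())
    payload64 = b64(nonce + keystream_xor(nonce, json.dumps(claims).encode()))
    return f"{header64}.{payload64}.{b64(sign(header64, payload64))}"

def validate(token, kind, now):
    """Return the claims or None. Order matters: verify the signature first, in
    constant time, before decrypting; then check type, expiry and refresh id."""
    try:
        header64, payload64, sig64 = token.split(".")
        if not hmac.compare_digest(unb64(sig64), sign(header64, payload64)):
            return None
        header = json.loads(unb64(header64))
        raw = unb64(payload64)
        claims = json.loads(keystream_xor(raw[:12], raw[12:]))
        if header.get("typ") != kind or header.get("v") != 1 or claims["exp"] <= now:
            return None
        if kind == "refresh" and claims["rid"] not in ACCOUNTS[claims["acct"]]["refresh_ids"]:
            return None              # revoked, rotated away, or never issued
        return claims
    except (ValueError, KeyError, TypeError):   # bad base64/JSON, missing field
        return None

def login(account, now):
    """After a successful password check: mint both tokens, record the refresh id."""
    rid = secrets.token_hex(16)
    ACCOUNTS[account]["refresh_ids"].add(rid)
    return issue("access", account, now), issue("refresh", account, now, rid)

def refresh(refresh_token, now):
    """Access token expired or gone: validate the refresh token, mint a new access
    token, and rotate the refresh token if it has under 30 days left."""
    claims = validate(refresh_token, "refresh", now)
    if claims is None:
        return None
    acct, new_refresh = claims["acct"], None
    if claims["exp"] - now < REFRESH_ROTATE:
        ACCOUNTS[acct]["refresh_ids"].discard(claims["rid"])  # retire old id (design choice)
        rid = secrets.token_hex(16)
        ACCOUNTS[acct]["refresh_ids"].add(rid)
        new_refresh = issue("refresh", acct, now, rid)
    return issue("access", acct, now), new_refresh

def can_view(access_token, threshold, now):
    """Restricted-page check: no token, a bad token, or rights below the page's
    threshold all fail the same way (the site then redirects to its 401 page)."""
    claims = validate(access_token, "access", now) if access_token else None
    return claims is not None and claims["rights"] >= threshold
```

Two things worth keeping when porting this to the PHP site: `validate` never decrypts or parses anything until the MAC over the exact received bytes has checked out, which is what makes the encrypt-then-MAC layout safe against padding and malleability games; and revocation is a property of the refresh token only, so an access token stays usable until its hour is up even after the refresh id is deleted.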