farfromunique / SDGame

Sweet Dreams Online: PHP and SQL Roleplay forum
MIT License

Hash the Auth Code for GM-s #32

Open farfromunique opened 11 years ago

farfromunique commented 11 years ago

from Redditor /u/Kussie: Should probably hash that Auth code as well. But basing it on a username is an odd choice; why not make it a state stored on the user and, as a result, stored in the database, i.e. isGM = 1 as a field/value in the DB against the user/character.

Since the AuthCode is only ever used once, and is something that (for now, at least) I'm word-of-mouthing, why should I hash it?

> What happens in the event your source code is stolen? Or your server is compromised? Or any other possibility out there. Basing it off of username makes those two things not just possible, but easy.

Putting it in the database makes an extra DB call (not an issue, really) and more code.

> No extra DB call is needed at all; just adding it to the session data when they log in is one example of how it could be done.

I don't want "just anyone" to be able to make a character identified as a GM.

> So don't let them use the GM prefix at all during registration, or limit to letters and numbers only.

So, TL;DR -- Hash AuthCode
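The thread settles on three changes: keep only a hash of the GM auth code, record GM status as a column on the user row, and copy that flag into the session at login so later pages need no extra query. The PHP below is an added example of that arrangement and is not code from the SDGame repository; the table and column names (`users`, `is_gm`), the function names, and the config location are assumptions for illustration.

```php
<?php
// Added example, not SDGame project code. Assumed schema:
//   users(id, username, password_hash, is_gm)

// One-time setup: hash the code that is handed out by word of mouth and
// store ONLY the hash (e.g. in a config file outside the web root). If the
// source tree or the server is copied, the attacker gets a bcrypt hash,
// not the code itself.
$gmAuthHash = password_hash('REPLACE-WITH-REAL-AUTH-CODE', PASSWORD_DEFAULT);

/** True if the submitted code matches the stored hash (constant-time compare). */
function gmCodeIsValid(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

/**
 * Usernames are letters and digits only, 3-20 characters, and may not start
 * with the reserved "GM" prefix, so nobody can look like a GM by name alone.
 */
function usernameIsAllowed(string $username): bool
{
    if (!preg_match('/^[A-Za-z0-9]{3,20}$/', $username)) {
        return false;
    }
    return stripos($username, 'GM') !== 0;
}

/**
 * Registration: the GM flag is decided server-side from the auth code and
 * written to the user row; it is never derived from the chosen username.
 */
function registerUser(PDO $db, string $username, string $passwordPlain,
                      ?string $gmCode, string $gmAuthHash): bool
{
    if (!usernameIsAllowed($username)) {
        return false;
    }
    $isGm = ($gmCode !== null && $gmCode !== '')
        ? (int) gmCodeIsValid($gmCode, $gmAuthHash)
        : 0;

    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, is_gm) VALUES (:u, :p, :g)'
    );
    return $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($passwordPlain, PASSWORD_DEFAULT),
        ':g' => $isGm,
    ]);
}

/**
 * Login: the flag is read once with the password check and cached in the
 * session. Pages that need it read $_SESSION['is_gm'] with no extra query.
 */
function loginUser(PDO $db, string $username, string $passwordPlain): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, is_gm FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($passwordPlain, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);          // fresh session id once privilege is known
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['is_gm']   = (bool) $row['is_gm'];
    return true;
}
```

Two points worth keeping in mind with this layout: the hash only protects the code against disclosure of the source or database, so a code that is short or guessable is still weak and a shared code should be rotated after it has served its purpose; and because `is_gm` is copied into the session at login, a change made directly in the database only takes effect when that user next logs in.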