Open forgetaboutit opened 9 years ago
For future reference: It might be necessary to invalidate user sessions later. For example if a user's device has been compromised, we need to be able to invalidate any existing sessions at least. It might also be desirable to invalidate particular sessions.
The general use case of invalidating all existing sessions could be covered easily by storing an invalidation date. Authentication would then reject any token issued before the invalidation date.
Invalidating individual sessions would be a lot more complicated however. As I see it, it wouldn't be possible without having server-side state and keeping track of any issued tokens.
Currently still missing server side:
Currently still missing client side:
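A worked illustration of the two mechanisms described in the issue, added here as example code (not part of the project or the original post): a per-user invalidation timestamp that rejects every token issued at or before it, and, for invalidating a single session, the server-side record of issued token IDs that the author notes is unavoidable. The token format (`body.signature`, HMAC-SHA256 over a JSON payload with `sub`, `jti`, `iat`), the `SessionStore` class and the secret are all hypothetical and constructed for this example. The comparison is `iat <= cutoff` rather than strictly "before": with second-granularity timestamps, a token issued in the same second as the invalidation is indistinguishable from one issued just before it, so it is rejected too, and a fresh login must carry a later `iat`.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real deployment loads this from a secret store.
SECRET = b"demo-secret-replace-in-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    """Inverse of _b64, restoring the stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, jti: str, issued_at: int) -> str:
    """Build a signed token carrying the subject, a unique token ID and its issue time (unix seconds).

    Taking issued_at as a parameter keeps the example deterministic; a real issuer uses int(time.time()).
    """
    payload = {"sub": user_id, "jti": jti, "iat": issued_at}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class SessionStore:
    """Hypothetical server-side state needed for invalidation.

    invalidated_at: user_id -> unix time; every token of that user with iat <= that time is rejected.
    revoked_jtis:   IDs of individual tokens that were revoked, which requires remembering issued IDs.
    """

    def __init__(self) -> None:
        self.invalidated_at: dict[str, int] = {}
        self.revoked_jtis: set[str] = set()

    def invalidate_all(self, user_id: str, at: int) -> None:
        """Reject all of this user's tokens issued at or before `at` (e.g. after a device compromise)."""
        self.invalidated_at[user_id] = at

    def revoke_one(self, jti: str) -> None:
        """Reject a single session by its token ID."""
        self.revoked_jtis.add(jti)


def authenticate(token: str, store: SessionStore):
    """Return the token payload if the signature is valid and the session has not been invalidated, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged token
    payload = json.loads(_unb64(body))
    cutoff = store.invalidated_at.get(payload["sub"])
    if cutoff is not None and payload["iat"] <= cutoff:
        return None  # issued before (or in the same second as) a global invalidation for this user
    if payload["jti"] in store.revoked_jtis:
        return None  # this particular session was revoked
    return payload


if __name__ == "__main__":
    store = SessionStore()
    old = issue_token("alice", "j1", 1000)
    store.invalidate_all("alice", 1500)
    new = issue_token("alice", "j2", 2000)
    print("old token accepted:", authenticate(old, store) is not None)  # False
    print("new token accepted:", authenticate(new, store) is not None)  # True
    store.revoke_one("j2")
    print("new token after revocation:", authenticate(new, store) is not None)  # False
```

The global invalidation only needs one integer per user and is cheap to check, which matches the issue's assessment; per-session revocation needs the `revoked_jtis` set to persist server-side for at least the lifetime of the longest-lived token, otherwise a revoked token becomes valid again after a restart.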