Two-step authentication

[panpawn]

I guess there wasn't an issue already open for this? This has been talked about for as long as I can remember. Basically, two-step authentication is another layer between you logging in, by means of using another source to verify your identity (email, for example).

[Zarel]

Basically I'd just support Google login.

[Zarel]

This is, incidentally, a feature anyone can implement; we already have an email field in ntbb_users you can use for this.

[Zarel]

PS's web server is written in PHP, not Node.

[panpawn]

What about something like this: https://www.npmjs.com/package/node-2fa

[Zarel]

I literally just said that PS's login server is written in PHP, not Node.........

[kotarou3]

Time to rewrite it to not-PHP then!

[Zarel]

Languages/frameworks since PHP tend to do a horrible job of replacing what's good about PHP. It may be pretty bad as a language, but deployment is utterly straightforward and boilerplate is nearly nonexistent.

[Morfent]

Would there be any legal complications involved when using OAuth with something like Google if they comply with COPPA and we don't?

[Zarel]

No...?

[Morfent]

...oh.

Personally I'm not a huge fan of using your account from another site as authentication. I wouldn't say we shouldn't have it just because I don't like it, since I understand why people would find it desirable. As long as there's the option to log in the same way we do now I'm fairly neutral on this

[wgranados]

I just want to give an update on the the state of this issue. Also linking similar issue on client (Zarel/Pokemon-Showdown-Client#972) so it's easier to navigate to this discussion from there.

So after talking with Zarel and doing some research on Google's API, I've boiled down the steps for implementing this feature to the following:

1. Setup Google login credentials
   • $25 USD one time fee associated with getting access to Google Development API
   • Through their development API, setup a proper project under PokemonShowdown (https://developers.google.com/identity/sign-in/web/devconsole-project)
2. Incorporating the Google sign in button into the PS UI
   • Include the relevant google js resources for their button (https://developers.google.com/identity/sign-in/web/sign-in)
   • Put Google sign in button on login prompt screen, may have to adjust it so that the colour scheme works with PS normal css, and dark mode css. Make sure to follow the following guidelines (https://developers.google.com/identity/branding-guidelines)
   • Under the menu generated by the options button (gear icon), we'll need to put a button which allows users to link their Gmail accounts with their PS nick.
3. User authentication
   • Retrieving data from the Google authentication process and sending this data to the server (https://github.com/Zarel/Pokemon-Showdown/blob/master/loginserver.js)
   • Handle authentication process between the server and the login server.
4. User authentication on login server (mainly Zarel will handle this)
   • Handle user authentication on login server (https://developers.google.com/identity/sign-in/web/backend-auth) and send confirmation back to the server

Zarel mentioned making use of some sql email fields on the client, but I don't remember the details too well. If there any steps I may have misinterpreted or missed feel free to make a correction.

[Zarel]

I actually just started moving this way up on the priority list. The sim server should not be involved; it should be entirely done on the web server.