tspivey / yugioh-game

Text-based Yu-Gi-Oh MUD
https://allinaccess.com/game/
MIT License

Password retrieval system #75

Open blindndangerous opened 7 years ago

blindndangerous commented 7 years ago

Would be nice to have a password retrieval system. I think the game already asks for an email address on account creation, but if someone forgets their password, either have it emailed or have a new one generated and asked to change it on successful login.

Timtam commented 7 years ago

Nice idea, problem here is, we'd need to set up an external email server (at least SMTP) to provide email support, otherwise we can't actually send mails. Will therefore be a long-time feature I guess.

JessicaTegner commented 4 years ago

Another option would also be to pass the email (after MUD validation) to a PHP script that then sends an email with PHP's mail function.

Timtam commented 4 years ago

Same thing. First of all, that would require the entire PHP setup, that already makes it unnecessary and too blown up for my taste. That would however still require some sort of SMTP server already set up, 'cause otherwise PHP can't send mails either. And as soon as we have the SMTP server, Python can handle mails just as fine.

JessicaTegner commented 4 years ago

Not really. PHP has a built-in mail function that can work without an SMTP server as far as I know.

Timtam commented 4 years ago

It doesn't. mail() in PHP uses the local sendmail of the host you are on, which is an SMTP relay. Local mails also get filtered quite efficiently by mail spam protection mechanisms. Python could use sendmail as well, but the mail would still not properly be sent in like 50% if not even worse.

JessicaTegner commented 4 years ago

Okay then. Yes, would complicate things. Why the heck are we even asking for an email on user registration in the first place?

Timtam commented 4 years ago

Multiple reasons. First reason is to uniquely identify people (you can only use one mail address for one account, and also no trash mail addresses). That's because we do have an emergency ban system we needed to add because of people insulting each other. Second reason is so that the admins can contact specific users if required, like when we want to set up a mail system so that we can inform users about updates in the game or such things. Who knows, maybe we'll set up a real SMTP server one day and add a messaging system in here. We once had another issue which asked us to add an offline messaging system which could work together with mails as well.

JessicaTegner commented 4 years ago

Well. Offline and admin messages could also be done via a form of "mudmail" system, like ones seen on other MUDs, where you can send an offline player a message with a command, and then when that player logs in, he/she is informed that they have unread mudmail.

Timtam commented 4 years ago

You could, but sending mails has the advantage that you can actively bring people back into the game, whereas informing them about offline messages only works if they decide on their own to come back into the game. That's a major difference here, it's all about advertising.

JessicaTegner commented 4 years ago

Aha, I see. Yes, that would be a good idea. Could we maybe do it another way (i.e. with another medium, like e.g. Twitter DMs)?

Timtam commented 4 years ago

I don't like that idea. Everyone on the net has an email address, but not everyone wants to create a Twitter account, Facebook or whatever else. Sending emails is the best way to reach out to everyone who might register in the game, and hooking into Twitter or whatever would even be more complex than sending a mail, you'd need to register an account yourself, get API keys which cannot be used endlessly (most of them got an x requests per hour limit and such), which would need to be handled too.

tspivey commented 4 years ago

One way to solve this would be to hook up to Mailgun. The game is so small we'll never hit the free limit.

JessicaTegner commented 4 years ago

I like that idea. Mailgun gives you 10000 emails / month and we do not need the validation part (since we can do that ourselves). Couple that with a 24 hour cooldown on password changes for a user and we should be all set.
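The reset flow proposed in this thread (generate a new password, mail it, force a change at next login, at most one reset per 24 hours), as an added example that is not part of the thread or the game's code. The account dictionary, the one-hour expiry, the PBKDF2 parameters and keeping the old password valid until the temporary one is used are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

COOLDOWN = 24 * 60 * 60   # 24 hour cooldown between resets, as proposed above
TEMP_TTL = 60 * 60        # assumption: temporary password expires after one hour


def hash_password(password, salt):
    # PBKDF2 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "temp_hash": None, "temp_expires": 0.0, "last_reset": None}


def request_reset(account, now=None):
    """Return a temporary password to e-mail, or None while the cooldown runs."""
    now = time.time() if now is None else now
    if account["last_reset"] is not None and now - account["last_reset"] < COOLDOWN:
        return None
    temp = secrets.token_urlsafe(12)
    # Only the hash is stored; the old password stays valid so that a reset
    # requested by someone else cannot lock the owner out.
    account.update(temp_hash=hash_password(temp, account["salt"]),
                   temp_expires=now + TEMP_TTL, last_reset=now)
    return temp


def check_login(account, password, now=None):
    """Return 'ok', 'change_required' (temporary password used) or 'denied'."""
    now = time.time() if now is None else now
    candidate = hash_password(password, account["salt"])
    if hmac.compare_digest(candidate, account["pw_hash"]):
        return "ok"
    temp = account["temp_hash"]
    if (temp is not None and now < account["temp_expires"]
            and hmac.compare_digest(candidate, temp)):
        return "change_required"
    return "denied"


def set_password(account, password):
    """Store the new password and invalidate any outstanding temporary one."""
    account.update(pw_hash=hash_password(password, account["salt"]), temp_hash=None)
```

Mailing the existing password is not possible with this layout, since only hashes are stored; the reset path is the only recovery route.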

Timtam commented 4 years ago

That's right, I never used Mailgun before, but it seems to be fine for our purpose. There are some alternate services as well like Mailjet or whatever, we can pick the best one for our needs and stick with it I guess.

JessicaTegner commented 4 years ago

Hi.

If we are using an external service like Mailgun, how are we going to store the API keys?

Timtam commented 4 years ago

Just show some creativity here ;). Most obvious ways would be to add a configuration file which contains all keys, but only placeholders while in the repo, so every user who wants to use the service needs to create an account and their own API key first. Other idea would be to feed the API key in via environment variable.

JessicaTegner commented 4 years ago

Well, I know that :) Maybe I phrased it wrong. What would be the most optimal way to implement it here, given the current setup on the server? @tspivey any input here?

Timtam commented 4 years ago

The server doesn't do anything else than we do locally except it has a job running which automatically starts it up as soon as it shuts down, pulling in all newest git changes if I'm not wrong. I'd recommend to set up a dual system here - permanently configurable API keys via configuration file, but environment variables with higher priority so that you can decide upon which way you want to go, but environment variables will be enough in case that you didn't prepare the configuration variables before booting up the server. The server needs to be independent from the emailing system as well, so that you can run the server without any Mailgun account whatsoever if you don't want to use the email notifications.
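One way to implement the dual system described in the last comment, as an added example that is not the project's own code: a config file that carries only placeholders in the repository, environment variables that take priority, and mail switched off when no real key is present. The `[mail]` section, the option names, the placeholder string and the `MAILGUN_*` variable names are all hypothetical.

```python
import configparser
import os

PLACEHOLDER = "YOUR_API_KEY_HERE"   # hypothetical placeholder committed to the repo
ENV_KEY = "MAILGUN_API_KEY"         # hypothetical environment variable names
ENV_DOMAIN = "MAILGUN_DOMAIN"

# Constructed sample of the file as it would sit in the repository.
REPO_CONFIG = "[mail]\napi_key = YOUR_API_KEY_HERE\ndomain = mg.example.org\n"


def load_mail_settings(config_text="", environ=None):
    """Merge file and environment settings; the environment wins.

    Returns {'api_key': ..., 'domain': ...}, or None when mail is not
    configured, so the server can start without any mail account.
    """
    environ = os.environ if environ is None else environ
    # interpolation=None: a '%' inside a key must not be treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    file_cfg = parser["mail"] if parser.has_section("mail") else {}

    def pick(env_name, option):
        value = (environ.get(env_name) or file_cfg.get(option, "")).strip()
        # An untouched placeholder counts as "not configured".
        return "" if value == PLACEHOLDER else value

    api_key, domain = pick(ENV_KEY, "api_key"), pick(ENV_DOMAIN, "domain")
    if not api_key or not domain:
        return None
    return {"api_key": api_key, "domain": domain}


def describe(settings):
    """Status line that is safe to log: it never contains the key."""
    if settings is None:
        return "mail disabled"
    return "mail enabled for " + settings["domain"]
```

The file holding a real key belongs outside version control; the placeholder check catches a server booted with the repository copy unchanged.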