Authentication System

[jcbantuelle]

This came up in the Multiworld discord a few months ago, but I wanted to pin down what functionality would be desired here for an account/login/authentication feature on the site. If hammered out and approved, I would be happy to start working on a PR for it.

The primary issue I see being addressed by this is players losing their sessions and being unable to reconnect for whatever reason. This seems to come up regularly in the tech-support channel and it would be great to have a feature that enables reconnection.

It's also my understanding that there is a tension between the desire to have tons of sprites for the community to choose from, and the consequence of having an aggressively long dropdown list. I was thinking that an account system may allow for players to designate a "preferred" sprite list that would populate in the dropdown to simplify things and maybe help alleviate that tension.

There are obviously other benefits as well that are far less essential such as a session history, stat tracking of some sort, and I'm sure others I can't think of atm but I imagine it would be best to get a core set of features implemented and revisit for "nice-to-haves" later.

The biggest technical hurdle that comes to mind if this is implemented would be how account recovery is handled. Usually that's done with sending a recovery email to the address tied to the account, however I'm not aware of the site having any kind of mail relay currently. Since I believe the services are containerized it shouldn't be too bad to add an smtp service but wanted to get your feedback here instead of making any assumptions.

I also assume if this was implemented, that the existing functionality of use without login should be preserved.

Finally, from a privacy standpoint we would need to pin down what personal information should be captured, and whether there need to be any disclaimers or consent notices included. My thought would be that a username (for display to others), email (strictly for login/recovery purposes), and password (that gets encrypted for storage) would be all that needs to be captured for sign-up.

Sorry for the long-winded ticket, but hopefully this is the best avenue for discussing and documenting this feature. There's a lot of considerations, but I think it could be a great value add for the community and reduce tech support overhead. If you disagree with the idea, no worries at all, but if you feel this is worth pursuing then I look forward to your feedback and would love the opportunity to give back by starting development on it.

[tewtal]

I'm happy to get a discussion started regarding this since it's something that I feel would be a nice addition to help players out.
And you're right that there's a lot of fun stuff we can add to user accounts and it's something that's certainly worth exploring.

I've done some very basic experimentation with auth actually for the project as a proof of concept using IdentityServer4 as a base for Oauth2-based authentication and it worked reasonably well by having good support libraries and also giving us more or less a complete platform for "free" with login/registration and even support for third party accounts if we wanted to.

That's all in a private fork for now but I could publish that to github so you could review it if you think it'd be a reasonable thing to use.

I'm not an expert at all when it comes to web applications and authentication/authorization systems, but using IdentityServer made it easy to plug directly into the ASP.NET Core base already used so maybe that's one of the better ways to go.

If you have any other ideas or suggestions please let me know.

[jcbantuelle]

That'd be awesome if you could publish the auth work you've done. I do a lot of web dev professionally, but not much .NET so my first step would have been to dig into .NET auth systems anyway. It's very helpful that you've already done some of the legwork and at a cursory glance it seems great.