This repository has been archived by the owner on Jan 20, 2024. It is now read-only.

User registration #1

Ekhorn opened this issue Oct 9, 2023 · 2 comments · Fixed by #78
Comments

Ekhorn commented Oct 9, 2023

Description

As a user, I want to be able to register an account, so that I can log in to Spaced.

Acceptance criteria

  • A username field should be present that will be used to identify the user to others.
  • An email field should be present to identify the user to the system and used for communication.
  • A password field should be present.
  • A confirmation field should be present to guarantee the password is as expected.
  • The fields should hover over a blurred background of the app.
  • Confirmation email should be sent, linking back to ensure the user owns the email address.
  • A message should be shown with a resend link stating “To use Spaced you must verify your email address first.”
  • Upon opening the link, the user should be logged in and placed at the center of their space.
@Ekhorn Ekhorn self-assigned this Oct 9, 2023
@Ekhorn Ekhorn changed the title from "User registeration" to "User registration" Oct 9, 2023

Ekhorn commented Oct 11, 2023

For protected resource access, it will likely make most sense to use the following.

OAuth2.0

  • Grant Type: Authorization code
  • With PKCE

The token should be stored in a service worker, to mitigate the severity of XSS and to intercept requests with a token. How reliable this is, and whether it works with Tauri, still needs to be tested. The architecture style would likely be a token-mediating backend.

The following resource was used to come to these conclusions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

The UI would probably use some form of silent authentication, with a simple dialog to handle authentication.

Also, a CSP should be looked at to minimize attack vectors for XSS https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
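The PKCE half of the flow proposed above, as an added example that is not code from the Spaced project: the client derives an S256 code_challenge from a random code_verifier, and the authorization server (an in-memory dict here, a constructed stand-in for real storage) binds the issued code to that challenge, accepts it once, and refuses any redemption that cannot present the matching verifier.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def issue_code(store: dict, challenge: str, method: str) -> str:
    """Server side: issue an authorization code bound to the challenge (S256 only, 'plain' refused)."""
    if method != "S256":
        raise ValueError("code_challenge_method must be S256")
    code = b64url(secrets.token_bytes(16))
    store[code] = challenge  # constructed in-memory store keyed by the code
    return code


def redeem_code(store: dict, code: str, verifier: str) -> bool:
    """Server side: single-use redemption; recompute the challenge and compare in constant time."""
    challenge = store.pop(code, None)  # pop: a second redemption of the same code fails
    if challenge is None or not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def demo() -> dict:
    """Walk the flow once and report which redemptions the server accepts."""
    store, verifier = {}, make_code_verifier()
    code = issue_code(store, make_code_challenge(verifier), "S256")
    accepted = redeem_code(store, code, verifier)          # legitimate client: True
    replayed = redeem_code(store, code, verifier)          # same code again: False
    code2 = issue_code(store, make_code_challenge(verifier), "S256")
    no_verifier = redeem_code(store, code2, make_code_verifier())  # code without its verifier: False
    try:
        issue_code(store, "irrelevant", "plain")
        plain_refused = False
    except ValueError:
        plain_refused = True
    return {"accepted": accepted, "replayed": replayed,
            "without_verifier": no_verifier, "plain_refused": plain_refused}
```

The verifier is only ever held by the client that started the flow, which is what makes a leaked authorization code useless on its own.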


Ekhorn commented Jan 10, 2024

Todo

  • Use Authorization code grant with PKCE, implemented via iframes for silent authentication.
  • Store access_token in memory and access_token either in service worker or use a SameSite, HttpOnly Cookie.
  • Properly handle token expiration logic on client.
  • Optionally: token revocation.
  • Convert unwraps to internal server errors.
  • Unit-test entire authorization flow.
