roberthodgen / ndb_users Goto Github PK

Permit a config setting in config.py to override the request.host_url

Also see:

• users.create_password_change_url()
• users.create_logout_url()
• users.create_password_forgot_url()

Complete documentation page in example project.

Allow the "Account Activated" message to be bypassed and automatically redirect when a continue URL is specified.

This will:

• Prevent inconsistent UI from appearing to users
• Take the users directly to the continue URL

Doesn't notify when the current password is wrong; the users.template_values() is not injected into template.

Handle bounced account activation and password recovery emails.

What should be done with them????

Options:

• Delete account?
• Ban account/email?
• Notify user?
• Do nothing except wait X time period to send again?

Upon entering incorrect log in information (email and extended session) these options should be remembered on the error page.

When incorrect credentials are supplied (trying to return login_fail=True), a malformed JSON string will be returned.

Solution: add return None after writing out the response JSON.

The buttons (links) don't work (aren't supplied?) on the template displayed after logging in without a redirect.

Differentiate extended user sessions from standard sessions.

Limit the number of account activation/password recovery emails are sent to one user within the expiration time of each.

Create JSON API where users can login/logout and perform other account actions via JSON requests.

Let users request a password recovery email when they've forgotten their passwords.

See set_cookie: https://webapp-improved.appspot.com/guide/response.html?highlight=set_cookie

Rename user.create_password_reset_url() to create_password_forgot_url() to be more consistent with "forgot", "reset", and "recovery" referenced in #1.

The Login mechanism for JSON and form POST should check if there is a logged in user before verifying the credentials.

Correct JsonLoginAcivate to JsonLoginActivate; missing "t"

Fix it so user activation tokens expire after the UserActivation.expires property

password_change_uri and logout_uri are used instead of *_url

Instead of returning a URI return the full URL including http:// or https:// and FQDN

User.active (boolean/ndb.BooleanProperty) is unused and may be confusing, remote it!

The log in link on the create account success message does not link anywhere.

Create a method by which old user sessions, user recoveries, and user activations may be purged from the datastore (after expiring).

Don't reveal that a User's email address is found/not found in the password forgot mechanism. This, coupled with the login, could yield hints about which email addresses have accounts (something that we hide in the login mechanism by not saying if the email address is not found or the password is incorrect).