• Don't allow slurs.
• Don't allow them to impersonate admins.
• Style tags ("<" or ">")
• White space symbols like \n or \t

Any other idea?

I think it is worth to make this service the main service and only one needed to work. Right now we're doing hub visibility and server data using a different api which btw doesn't even have CRUDs and is quite unsafe.

• email: unique, not blank as login field
• password: set basic password rules
• account name: not unique, not blank
• character settings: understand how the character serialization is done currently

Explore implementing these:

• account karma: numeric, let players reward other players with karma
• playtime per job
• set some basic validations on account name to avoid gamer words

Exception in thread Thread-1 (sendConfirm_thread):,
Traceback (most recent call last):,
  File "/usr/local/lib/python3.10/threading.py", line 1016, in _bootstrap_inner,
    self.run(),
  File "/usr/local/lib/python3.10/threading.py", line 953, in run,
    self._target(*self._args, **self._kwargs),
  File "/usr/local/lib/python3.10/site-packages/django_email_verification/Confirm.py", line 73, in sendConfirm_thread,
    html = render_to_string(mail_html, {'link': link}),
  File "/usr/local/lib/python3.10/site-packages/django/template/loader.py", line 61, in render_to_string,
    template = get_template(template_name, using=using),
  File "/usr/local/lib/python3.10/site-packages/django/template/loader.py", line 19, in get_template,
    raise TemplateDoesNotExist(template_name, chain=chain),
django.template.exceptions.TemplateDoesNotExist: registration/confirmation_email.html

When creating a new account, the confirmation mail fails because there is no template at the provided path.

To fix this, go to settings.py and modify the TEMPLATES variable so it looks for a templates folder at the base directory.
Then make EMAIL_PAGE_TEMPLATE variable point to a newly created confirm_template.html file.

Please also write a simple but nice template.

test-account as a username is considered invalid when registering an account: regex issue.

Right now we use the main Python image which is done with Ubuntu as a base, leaving us with around 1 GB of bloat. I tried doing the Python:3.8-alpine one but kept getting errors when installing dependencies.

Fix the issues and use alpine or find an option to reduce the image size as much as possible.

1. Send a post call with your data to the endpoint
2. if fields are valid, you get the success response
3. your new account is immediately active and didn't require mail confirmation

Expected behavior:

1. Send a post call with your data to the endpoint
2. if fields are valid, you get the success response
3. your new account is inactive
4. new token is generated and you get an email to confirm your mail. Once that is done, account is finally active.

• We need a reset-password endpoint.

Right now the "active" property is used for this purpose. This is inconvenient because users are unable to login and don't get any prompt on why could that be. Instead use another bool property on Account to tag it as confirmed. While not confirmed, allow them to login but redirect them to a view telling them to confirm or resend the mail confirmation.

Releases stopped workjng. It is pulling from a ghost environmental variable DOCKER_IMAGE with value "unitystation/unitystaion_auth" which doesn't exist anymore. It also has an old node version.

As discussed on github, including the character information in both login responses. instead, add a new endpoint to get the characters for a unique identifier.

• Register a new account api/register
• Login into an account api/login
• Update account data api/update

For login, set the token generation and store on client machine. Read it again to keep them authenticated without asking for credentials. Set a sensible expiration time for the token.

• The error message when attempting a login on a disabled account could be improved:
  "error": "{'non_field_errors': [ErrorDetail(string='Unable to login with provided credentials.', code='invalid')]}
  "This account is disabled." would be more informative.