a user is not able to come back automatically authenticated after a while.

repro steps:

• authenticate with simple example
• leave the app
• wait for the authentication token to expire
• re launch the app
• BUG: our authentication doesn't refresh so requests fail.
• EXPECTED: authentication detects it's epired, refreshes then we're smoothly back to authenticated.

proposed solution:

• when app launches with a token, check for its expiration
• check if refresh token logic is OK (see #29)
• optionally: request a simple route to make sure our token wasn't revoked remotely.

    -- TODO: We don't want to immediately delete a refresh token, so we can detect refresh token reuse, maybe due to malicious usage.

undefined

• Add a contributing.md
• devcontainer ?

• argon2 ?
• ability to modify one. (+ mail confirmation)
• send reset password (+ mail confirmation)

We need at least 2 games to showcase this repository.

Those would be as simple as possible.

A first step:

• a shared currency where a game A gains, and another game B spends.

Game A

• gain currency on click, once each day, a minimalistic clicker
• any clicker game can be inspirational to build on that if it's interesting

Game B

• avoid enemies to gain score
• use shared currency to speed up the score progress, but no unfair advantage (NO "pay to win", NO "grind to win").
• See https://github.com/Vrixyz/backpack/blob/main/crates/example-game-lazy/doc/game_design.md

To ease client implementation, a library could help with interfacing with server.

Reading through the book, here is my todo list to implement in backpack

• logs
• tests
  • signup signin
  • create app
  • create item
  • modify item
  • get items
  • cannot modify item for other user (yet)
• deploy

• authentication token
• refresh token

I'd like to get oauth working on web and native.

• web can be "easily" implemented because oauth partner redirect in browser, to our website.
• native is trickier because we have to redirect to our native app.
  • 🔴 We could embed a browser and catch the URL, but that comes at a maintenance cost, filesize bloat and the user cannot use her own preferred browser.
  • 🟢 I'd like to make a proper url redirection, so we can leverage user preferred browser.
    • https://github.com/maidsafe-archive/system_uri is a good starting point to understand how it could work. unfortunately the project is archived so it needs updating.
    • https://github.com/burtonageo/cargo-bundle can help with providing app authorization files (url schemes on iOS for example)

other references: tauri-apps/tauri#323
https://github.com/robjtede/actix-examples-oauth-github

    // FIXME: check refresh token is not expired!

undefined

trait with async fn could help eliminate redundant code from backpack_client_bevy within: bevy_login, bevy_signup...

https://github.com/Vrixyz/backpack/blob/e9eb2837c7e00989ed7f4272156c4ee58ec34f01/crates/example-game-lazy/src/game/mod.rs#L394

To announce the project, I'd want to:

• finish #11
• solid first game
  • sign up, sign in, sign out
    • save credentials locally
    • have correct biscuit implementation with expiration and token regeneration
  • anonymous play
    • not logged in
    • or temporary signup
  • somewhat fun
    • easy the first 10 seconds, harder to impossible after 2 minutes. 5(?) currencies should bring you to hard-enough state
    • a minimal polish
      • gameplay: rotations toward movement, delay on death, bigger play space
      • UI: bigger UI and buttons, no egui moving parts (fixed panels?), tested on mobile...
• minimal second game
  • clicker/idle game to gain currencies on the first game
    • wait 1h to be allowed to click a button to gain 1 currency.
    • show particles depending on the currency amount (for a minimal polish)

• client tests
• do not revoke a refresh authentication token immediately to allow for the client cache to catch up (a few frames of delay can be observed).

Follow docs from openAPI to get more details about current state.

This document follows the same layout.

Items with "🧠" are more complex or lacking a clear way to implementation

Unauthenticated

• Sign in
  • via email/password
    • possibility to input a custom password ?
  • via github
• Sign up
  • via email/password
  • via github

Admin

• Create an app
  • delete an app
  • modify an app name
  • change app's owner
• Create an item, with an app owner
  • delete an item
  • modify an item's name
  • app rights for items: A user who is app admin can allow other apps to read/add/subtract to it.

User

• Get another user's items amounts
• Get items from an app
• Reset password (mail + confirmation link)
• Delete authenticated user
• 🧠 A way to discover other users

User's items modifications as "Lazy System"

"Lazy system" refers to direct items modifications through clients API calls, better suited for "non critical" items.

• Increase/decrease an item amount
• Give item's amount to another player

🧠 User's items modifications as "Secure System"

• Increase/decrease an item amount
• Give item's amount to another player

TODO:

• short expiration for our biscuits
• send a refresh token too
• new table for refresh tokens:
  • store a random string + user owning the refresh token
• new route to refresh ; then create a new biscuit taking some infos from the one which was sent (user_id, scope (admin or user(app)))
• server tests

CREATE TABLE refresh_tokens (
    token_id SERIAL PRIMARY KEY,
    refresh_token VARCHAR(255) NOT NULL,
    user_id INT NOT NULL,
    expiration_date TIMESTAMP NOT NULL,
    revoked BOOLEAN NOT NULL DEFAULT FALSE,
    created_at TIMESTAMP NOT NULL,

    FOREIGN KEY (user_id) REFERENCES users(user_id)
);

Routes tested via swagger editor https://editor-next.swagger.io/:

• login
• signup
• app
  • create
  • get
  • delete
• app items
  • get: 🚧 get ALL apps having rights to this item
• item
  • post (create)
  • get details (placeholder before having a more complicated rights system)
  • delete: #9
  • /modify (by amount : +x or -x)
    • security check: is item modifiable by app ?
    • security check: is item modifiable by user ?
• user items
  • get: (get user's items)

For users to connect as admin, an official way to connect to the server is needed.
I want it to:

• be available on the web.
• support oauth. I'd really like to support custom url schemes, to avoid embedding a web browser.
• perhaps as a first implementation, supporting email/passwords would be easier and help unblock parallel work.

    // TODO: refresh token should be revoked and returned in a same DB request.

undefined