Kiran Jonnalagadda
The `UserEmail` and `UserEmailClaim` fields store an md5sum hash with a unique constraint. However, md5sum is not safe anymore and a (small) risk of collision exists. We need to use...
It is possible to have a user account that has a phone number (or claim) associated with it, but no email address. The password reset form in such a case...
Apps will have terms of service agreements and Lastuser could be a central place to get users to agree. ToS documents are held inside Lastuser and versioned and users will...
Gmail supports [one click actions](https://developers.google.com/gmail/markup/reference/one-click-action). Lastuser needs one click actions for the various times it sends email: 1. Confirm email address 2. Password reset 3. ???
Client app resource namespaces (see #90) are currently required to match the website URL's base domain (from #117). For example, if the client app's website is `https://funnel.hasgeek.com/`, the namespace is...
In addition to the password requirements of #111, account merger should require the _other_ user's password. This is to protect from accidental merger when a shared external id (Twitter, etc)...
When a user removes an email address (which was verified), preserve it in a new UserPastEmail (or similar) model, with no unique constraint on the email address. Past emails can...
Some client apps may need login sessions to be shorter than browser sessions for security reasons. LastUser should: 1. Record the datetime when a user authenticated 2. In an app's...
The `login` resource should require a user to be logged in with a specific login provider. `login/linkedin`, for instance, mandates LinkedIn login. The `/auth` endpoint will refuse to let the...
UserExternalId should store the refresh token and expiry date for services that use them (like LinkedIn).