Update TASKS checklist for auth work

2026-01-29 01:02:36 +01:00
parent f1534b7631
commit 81f688cf88


@@ -1,10 +1,10 @@
# CoopGameChooser Task List
## Auth overhaul — username/password instead of random cookie
- [ ] Data model: add username + password hash/salt to `Player` (or a tiny `Account` table), enforce unique username, update `AppDbContext` config and create an EF migration; ensure factory reset seeds stay valid.
- [ ] Cookie pipeline: refactor `UsePlayerIdentity` into a reader that only trusts existing `player` cookies; add helper to issue/clear the cookie after login/register while keeping HttpOnly/SameSite/Secure semantics.
- [ ] Auth endpoints: add `/api/auth/register`, `/api/auth/login`, `/api/auth/logout`; registration should create the player, set the `player` cookie, and store display name; login validates password and reissues cookie; logout clears cookie.
- [ ] Endpoint auth guard: replace `GetOrCreatePlayer` with a `GetAuthenticatedPlayer` helper that returns 401 when unauthenticated; update all suggest/vote/state endpoints to depend on an authenticated player without creating one implicitly.
- [ ] Frontend UX: add login/register screen shown when `/api/me` returns 401; on success hide auth pane, preload name, then refresh phase data; include a logout control to clear local state.
- [ ] Docs: update `API.md` (and `SPEC.md` if needed) to document new auth flows, required auth for existing endpoints, and cookie token behavior.
- [ ] Ops/migration notes: generate/apply migration, note upgrade path for existing random-ID players (likely reset or manual backfill), and verify IIS/base-path configs still work.
- [x] Data model: add username + password hash/salt to `Player`, enforce unique username, update `AppDbContext` config and create an EF migration; ensure factory reset seeds stay valid.
- [x] Cookie pipeline: refactor `UsePlayerIdentity` into a reader that only trusts existing `player` cookies; add helper to issue/clear the cookie after login/register while keeping HttpOnly/SameSite/Secure semantics.
- [x] Auth endpoints: add `/api/auth/register`, `/api/auth/login`, `/api/auth/logout`; registration creates the player, sets the `player` cookie, and stores display name; login validates password and reissues cookie; logout clears cookie.
- [x] Endpoint auth guard: replace `GetOrCreatePlayer` with a `GetAuthenticatedPlayer` helper that returns 401 when unauthenticated; update all suggest/vote/state endpoints to depend on an authenticated player without creating one implicitly.
- [x] Frontend UX: add login/register screen shown when `/api/me` returns 401; on success hide auth pane, preload name, then refresh phase data; include a logout control to clear local state.
- [x] Docs: update `API.md` (and `SPEC.md`) to document new auth flows, required auth for existing endpoints, and cookie token behavior.
- [x] Ops/migration notes: generate/apply migration, legacy players auto-assigned `legacy-xxxxxxxx` usernames with blank hashes; expect fresh registration or factory reset; IIS/base-path unaffected.
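Review bot: the final item's note that legacy players get `legacy-xxxxxxxx` usernames "with blank hashes" leaves a gap in the "Auth endpoints" item, which only says login "validates password"; the checklist should state explicitly that `/api/auth/login` refuses any account whose stored hash is blank (treating an empty hash as "no credential", never as a match), since otherwise a blank-hash account could be logged into without a password. Two smaller points on the same hunk: the "Docs" item should record which password hashing scheme and parameters the `hash/salt` columns use so `API.md`/`SPEC.md` describe the actual cookie token and credential behaviour, and the "Data model" item's unique-username constraint should be confirmed to hold for the auto-assigned `legacy-xxxxxxxx` values generated by the migration.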