
Add authentication to website #56

Open
Marenthyu opened this issue Jun 10, 2018 · 7 comments
Labels
low priority Nice-To-Have, but most likely not happening soon.

Comments

@Marenthyu
Owner

Adding some kind of OAuth flow to the website would allow us to let people use the website to pull packs, change their profile, etc...
This would help with people spamming the bot, as longer sprees can be done somewhere where it doesn't disturb streamers. Sure, people can still do it, but streamers can effectively tell them to do it on the website if they don't want the spam.

I am inexperienced with doing this properly, but I would assume that we should add a basic level of encryption and not just store the OAuth token directly locally.

My idea: require an asymmetrically encrypted cookie that stores the OAuth token, which gets sent to the website to authenticate the user for any request which requires said token.

On the other hand: as we are using HTTPS already, I'm uncertain if we need to encrypt said token or if storing the OAuth token directly would be enough.
Otherwise: Add a session token and only store the OAuth token server-side, though I doubt this is worth the effort.

Thoughts/Ideas?

@Marenthyu Marenthyu added the low priority Nice-To-Have, but most likely not happening soon. label Jun 10, 2018
@Dabomstew
Collaborator

Session token with the Twitch OAuth stored server-side is actually the most sane way to do this. Not sure how much effort it requires to implement basic sessions in Node, but there must be a billion modules out there for such a thing.

@Marenthyu
Owner Author

To clarify: With "OAuth flow" I would mean using Twitch's OAuth flow to authenticate the user for their Twitch account.

@Marenthyu
Owner Author

Sessions seem simple enough: https://www.npmjs.com/package/node-session

@Marenthyu
Owner Author

To log:

[1:40 PM] Dabomstew: though dunno how many privileged actions should actually be available on the site
[1:40 PM] Marenthyu: definitely: show points, select boosters, disenchant cards.
[1:41 PM] Marenthyu: i also wouldn't mind a way to buy boosters and more interestingly, maybe spend points on wars if they are active

@xorhash
Contributor

xorhash commented Jun 10, 2018

Before everybody's rushing to action: May I ask what problem this is looking to solve? If it's about spamminess, the Nepnepbot channel and whispers exist.

If the bot goes overboard with embracing the web, it'll effectively become a web application with its current bot components being more of an aside than the one true way to interact with the bot.


Re authentication: Why care about the token? You only care if the authentication is successful. You're not taking any action on behalf of a user, after all. Thus, you can toss the token immediately.

@Marenthyu
Owner Author

Good point. With that in mind, I can't immediately think of a good reason to have it. The main reason would be usability, as normal users tend to be confused by commands, but all by itself it removes the channel interaction, which should be the core of the bot "philosophy", I guess.

Feel free to add more to the discussion.


True, the token doesn't need to actually be stored if the session has been authorized once.

@Marenthyu
Owner Author

Another QoL change that could be added with this: remember the "main" user so you can always check your own hand without typing your name out again or keeping a tab open.
This could be done independently of any "authorization", however, as it's just a "favourite" setting.

3 participants