Call for participation: Lobby account password change functionality


Up to now 0ad doesn't offer the ability for users to change their passwords for the multiplayer lobby. However, that'd be a great feature to have and has in fact been already a feature request for several years (https://trac.wildfiregames.com/ticket/2543).

I had a quick look and believe this should be pretty straightforward to implement, as the server-side as well as the XMPP library used by 0ad already support that. So all that's left to implement it is to add some glue code to 0ad and build the UI for it.

If you're interested in helping out and implementing this feature or have any questions, please reply to this post or send me a PM.

  • Like 2
  • Thanks 2

@Dunedan I tried to do what I can about this feature, but I have a question: to avoid someone else resetting another person's account password, is there a need to make some sort of extra verification to confirm the account really belongs to that specific user before allowing a user to go ahead and reset the password? For example, for "I forgot my password", I made a dummy UI which shows "Forgot password?" at the login screen; when a user clicks that, passwordReset.xml (a sprite to handle the reset inputs) should open, which should then have 3 input fields: username, new password, confirm new password. But what if I enter the username of another person? It will just go ahead and allow me to reset, so is there a need to confirm the identity of the person before even allowing them to reset the password? If we had info like an email linked to every individual account, we could just send something like an OTP to verify users and it would be easier, but in this case we don't. Even if I decide to use data from user.cfg and disable the username field with a default value from the config file, it can still be modified. What do you suggest?

Edited by rossenburg

10 minutes ago, rossenburg said:

Is there a need to make some sort of extra verification to confirm the account really belongs to that specific user before allowing a user to go ahead and reset the password?

We currently don't collect enough information to implement a "forgot password" feature. This is for changing passwords after the account has already been authed. Which could be implemented via another tab to the prelobby page or something inside the lobby interface, I am not sure.

  • Thanks 1

To make a better solution, we need some personal info from the user, like an email ID (although optional), while creating the account. The user can use the same email to reset the password. But as discussed in many threads, @Stan` mentioned that we need to change the T&C and comply with GDPR rules. Some workaround is required there. Not sure how much effort, but @Stan` can comment on that.


1 hour ago, smiley said:

We currently don't collect enough information to implement a "forgot password" feature. This is for changing passwords after the account has already been authed. Which could be implemented via another tab to the prelobby page or something inside the lobby interface, I am not sure.

I bet that should work. If this process is not about a forgotten password but to allow an active user session to be able to reset their password (while logged in), then I guess it isn't a big deal. Thanks for clarifying, but I guess it will be much better to focus on users who are logged out of their account, since those who can already access their accounts are less likely to reset their passwords @smiley. And aside from that, allowing users to change account passwords without any further verification (whether there's an active session or not) will just promote more stress on the server since I can change my password 10 times in 2 mins, unless maybe we think of adding something like throttle middleware or a password reset cooldown to the whole process.

Edited by rossenburg

Sorry for not being clear about that, but as @smiley already clarified I was talking about changing the password after successful authentication. So this thread is not about a "forgot password" feature or how to also collect a user's email address during registration, as that would be much more effort, but solely for allowing an authenticated user to change his password. That should be, as mentioned in my initial post, pretty straightforward. Please stay on that topic here and discuss additional ideas in other threads.

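The request discussed above, as an added example that is not part of any post and not 0ad's own code: it assumes the lobby server accepts the standard XMPP in-band password change (XEP-0077), and it takes the username from the authenticated session JID rather than from an input field. The function names, the JID, the stanza id and the server replies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS_REGISTER = "jabber:iq:register"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

def build_password_change(session_jid, new_password, confirm, stanza_id):
    """Build the XEP-0077 password-change IQ for the authenticated session."""
    if not new_password or new_password != confirm:
        raise ValueError("new password is empty or does not match confirmation")
    # Username and server are taken from the logged-in JID, not from an
    # editable input field, so the request can only name the caller's account.
    local, _, domain = session_jid.split("/", 1)[0].partition("@")
    if not local or not domain:
        raise ValueError("session JID must look like user@domain[/resource]")
    return (
        f"<iq type='set' to={quoteattr(domain)} id={quoteattr(stanza_id)}>"
        f"<query xmlns='{NS_REGISTER}'>"
        f"<username>{escape(local)}</username>"
        f"<password>{escape(new_password)}</password>"
        "</query></iq>"
    )

def parse_reply(xml_text, stanza_id):
    """Map the server's answer to 'changed', 'error:<condition>' or 'unrelated'."""
    iq = ET.fromstring(xml_text)
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("id") != stanza_id:
        return "unrelated"
    if iq.get("type") == "result":
        return "changed"
    if iq.get("type") != "error":
        return "unrelated"
    prefix = "{" + NS_STANZAS + "}"
    for el in iq.iter():
        # The defined condition element names the failure; skip optional <text/>.
        if el.tag.startswith(prefix) and el.tag != prefix + "text":
            return "error:" + el.tag[len(prefix):]
    return "error:unknown"

if __name__ == "__main__":
    # Constructed sample values: JID, stanza id and server replies are made up.
    print(build_password_change("alice@lobby.example/0ad", "n3w-pass", "n3w-pass", "chg1"))
    print(parse_reply("<iq type='result' id='chg1'/>", "chg1"))
    print(parse_reply(
        "<iq type='error' id='chg1'><error type='cancel'>"
        f"<not-authorized xmlns='{NS_STANZAS}'/></error></iq>", "chg1"))
```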

2 hours ago, rossenburg said:

And aside from that, allowing users to change account passwords without any further verification (whether there's an active session or not) will just promote more stress on the server since I can change my password 10 times in 2 mins, unless maybe we think of adding something like throttle middleware or a password reset cooldown to the whole process

Changing your password 10 times in 2 minutes does not stress the server running the lobby at all. Much more often might, but we have rate limiting against such DoS attacks in place, therefore considering any additional rate-limiting isn't necessary.


Thanks for clarifying. When this feature is being deployed, warn players about not sharing their account details with other players, because after this feature, they can change the password and will never share the credentials with the original player :p.

Edited by Darkcity

27 minutes ago, Darkcity said:

Thanks for clarifying. When this feature is being deployed, warn players about not sharing their account details with other players, because after this feature, they can change the password and will never share the credentials with the original player :p.

I believe that won't be necessary, as sharing accounts isn't permitted anyway and losing access to a shared account does already happen right now when the account gets banned for any reason.

  • Like 1

As far as I know, some publicly leaked accounts were not banned for a long time. If you need someone to act fast/er, shall I have a ban ability? :banana: (just joking)

Changing the password is a great step forward.

I want to publicly thank the developers; we hate them more often, but they also deserve respect!
