
@blast007
Created November 14, 2021 16:33

BZFlag Web 2021/2022

This is a rough plan to improve our account management, server list, web login, and social websites. Currently phpBB is being used to provide account registration and group management for the game, along with social functions (private messaging and forums). The primary goals of this plan are to create a new site for managing accounts and organizations/groups, to create an improved server list for 2.6 that will function with IPv6, and to implement a replacement for our web login system that makes use of modern industry standards (OpenID Connect). A secondary goal, which may be abandoned, is to replace phpBB with a simple social site that has private messaging and forums.


Phases

  • Phase 1: Account Management site will be created with the ability to create and manage accounts in phpBB (with some additional data stored in the Account Management database)
  • Phase 2: Organization, group, and server key management added to Account Management site and the legacy server list will be updated to use these new DB tables
  • Phase 3: Create new IPv6-capable server list for 2.6
  • Phase 4: Create a basic social site with forums and private messaging
  • Phase 5: Convert phpBB data and import into the social site, and cease to use phpBB for account information. Convert the legacy server list, the new server list, and legacy weblogin to use the new tables for account information.
  • Phase 6: Implement new OpenID Connect web login system

Account Management (account.bzflag.org)

This site will handle the registration and management of accounts. It will also handle the creation and management of organizations, groups, and server keys.

  • Phase 1: Account registration will still create an account within phpBB using the phpBB External Integration extension
  • Phase 2: Organization, group, and server key management
  • Phase 5: Account registration will create all information within the account management site database
  • Phase 6: OpenID Connect web login system

Phase 1

Our phpBB External Integration extension will be used to provide a basic API to manage accounts in phpBB. The account management site will make use of this until phase 5. An additional extension will be created and used to modify some URLs in phpBB to point to the new Account Management site, which will help reduce the number of modifications we need to apply to phpBB core files.

Registration

This will provide multi-step branching forms for account registration. The initial form will ask for Date of Birth (either a text field or by asking if a user was born before or after a cutoff date). TODO: Decide if storing the DOB is necessary. The selection will be stored in a session for a period of time.

If the DOB indicates the user is under the age of 13, a form asking for a parent or guardian email address will be shown. When filled out, this will store the DOB (maybe), the guardian email (maybe) and a token. A link with the token will be emailed to the guardian email along with a PDF to be printed, signed, and scanned/photographed. The link will provide a way for the guardian to upload the scanned/photographed file, and provide the username, password, and email for the actual account. This will be manually verified by an admin.

If the DOB indicates that the user is at least 13, a form with username, password, and email will be shown, after which an activation email is sent.

In both cases, once the username, password, and email are provided, an activation email is sent with an activation link. The link will be valid for a limited amount of time (2 weeks?), after which the unactivated account is purged from the system.
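As an added Python sketch (not code from this gist; the plan names no language for the new site) of the registration branching and activation-link lifecycle described above. The two-week TTL, the SHA-256 hashing of the stored token, and the in-memory `store` dict standing in for the database table are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta

ACTIVATION_TTL = timedelta(weeks=2)  # the plan says "2 weeks?"; assumed here
GUARDIAN_AGE = 13

@dataclass
class PendingAccount:
    username: str
    email: str
    expires_at: datetime
    activated: bool = False

def registration_path(dob: date, today: date) -> str:
    """Branch the registration form: under 13 goes to the guardian flow."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday else 1)
    return "guardian" if age < GUARDIAN_AGE else "standard"

def hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_activation(store: dict, username: str, email: str, now: datetime) -> str:
    """Create an unactivated record and return the secret to embed in the email link."""
    token = secrets.token_urlsafe(32)
    store[hash_token(token)] = PendingAccount(username, email, now + ACTIVATION_TTL)
    return token

def activate(store: dict, token: str, now: datetime) -> bool:
    """Consume a link: unknown, already-used and expired tokens all fail the same way."""
    rec = store.get(hash_token(token))
    if rec is None or rec.activated or now > rec.expires_at:
        return False
    rec.activated = True
    return True

def purge_unactivated(store: dict, now: datetime) -> int:
    """Scheduled job: drop records whose link expired without being activated."""
    stale = [h for h, rec in store.items() if not rec.activated and now > rec.expires_at]
    for h in stale:
        del store[h]
    return len(stale)
```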

Login

Login will ask for a username and password, and provide an option to remember the login beyond the current browser session.

A Forgot Password link will provide a form that will accept a username or email address. If the username is provided, a password reset link is sent to the email address on file. If an email is provided, the username and a password reset link are sent to that email. TODO: Should any negative feedback be shown if the username or email does not exist?

Session Management

Sessions will be stored in a database with a start time/date, last active time/date, a user ID, and other session data. There will be both a maximum session age and an idle session timeout, either of which will trigger the deletion of a session. There will also be a user interface for revoking a session.
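The session rules above as an added Python example (not the gist's code): an in-memory stand-in for the sessions table that enforces both the maximum session age and the idle timeout on every lookup, plus owner-checked revocation for the revoke UI. The 30-day and 12-hour limits are assumed, since the plan sets none.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# The plan sets no numbers; these limits are assumed for the example.
MAX_SESSION_AGE = timedelta(days=30)
IDLE_TIMEOUT = timedelta(hours=12)

@dataclass
class Session:  # one row of the sessions table (other session data omitted)
    session_id: str
    user_id: int
    started_at: datetime
    last_active_at: datetime

class SessionStore:
    def __init__(self) -> None:
        self._rows: Dict[str, Session] = {}

    def create(self, user_id: int, now: datetime) -> Session:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._rows[sid] = Session(sid, user_id, now, now)
        return self._rows[sid]

    def is_expired(self, s: Session, now: datetime) -> bool:
        # Either limit on its own ends the session.
        return (now - s.started_at > MAX_SESSION_AGE
                or now - s.last_active_at > IDLE_TIMEOUT)

    def load(self, sid: str, now: datetime) -> Optional[Session]:
        """Per-request lookup: expired rows are deleted, live ones are touched."""
        s = self._rows.get(sid)
        if s is None:
            return None
        if self.is_expired(s, now):
            del self._rows[sid]
            return None
        s.last_active_at = now
        return s

    def revoke(self, sid: str, user_id: int) -> bool:
        """The revoke UI only lets a user end sessions that belong to them."""
        s = self._rows.get(sid)
        if s is None or s.user_id != user_id:
            return False
        del self._rows[sid]
        return True
```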

Phase 2

An organization will have a founder and a unique short name (A-Z, up to 32 characters). A user may create up to 5 organizations. An organization can contain groups and server keys. Additional users beyond the founder may be added. Owners have access equivalent to the founder, except that they cannot delete/edit the organization itself and cannot add other owners. Hosting admins can view and create server hosting keys. Group managers are able to add members to and remove members from existing groups.

An organization may have up to 20 groups and 20 server keys. Groups will have a short name (A-Z, up to 32 characters) and may be public (group and members visible), hidden (group and members hidden unless you're in the group), or private (group and members hidden).

Phase 5

The users table in the account management site will be expanded to include fields such as the password and email address. Some changes to how account modifications are handled will also be reflected. With phpBB, for instance, changing the email address deactivates the account until the link that was sent to the new email is clicked. Instead, we'll have an additional field or table that tracks unapproved changes.

User account data from phpBB will be merged into the account management database. Some passwords in phpBB may still be using older hashing algorithms if the accounts have not been used recently. For those, if the account hasn't been used in the last year, we will store the password as NULL and force a password reset in order to use the account. For the rest, we will import them as-is and convert them to a newer algorithm on next login. If the account still hasn't been used a year later, any remaining passwords using an old algorithm will be NULL'ed. (NOTE: This may also be done on a rolling basis, as accounts with old passwords reach 1 year of inactivity.)
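An added Python sketch (not the gist's code) of the three rules above: the import-time NULL'ing, the rehash on first successful login, and the rolling sweep. It assumes unsalted MD5 as the legacy phpBB-era hash and PBKDF2-SHA256 as the stand-in for the newer algorithm; a real import would recognise phpBB's actual hash prefixes instead of the constructed `pbkdf2$` convention used here.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
INACTIVITY_LIMIT = timedelta(days=365)  # "1 year" in the plan

@dataclass
class Account:
    username: str
    password_hash: Optional[str]  # None means "must reset before next use"
    last_active: datetime

def is_legacy(h: str) -> bool:
    return not h.startswith("pbkdf2$")  # example convention: modern hashes carry this prefix

def modern_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()

def verify(password: str, h: str) -> bool:
    if is_legacy(h):  # legacy stand-in: unsalted MD5, as phpBB2-era accounts used
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), h)
    _, salt_hex, dk_hex = h.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def must_reset(h: Optional[str], last_active: datetime, now: datetime) -> bool:
    """Plan rule: a legacy hash on an account idle for over a year gets NULL'ed."""
    return bool(h) and is_legacy(h) and now - last_active > INACTIVITY_LIMIT

def import_account(username: str, phpbb_hash: str, last_active: datetime, now: datetime) -> Account:
    h = None if must_reset(phpbb_hash, last_active, now) else phpbb_hash
    return Account(username, h, last_active)

def login(acct: Account, password: str, now: datetime) -> bool:
    """Verify, then upgrade a legacy hash on the first successful login."""
    if acct.password_hash is None or not verify(password, acct.password_hash):
        return False
    if is_legacy(acct.password_hash):
        acct.password_hash = modern_hash(password)
    acct.last_active = now
    return True

def sweep_legacy(accounts: List[Account], now: datetime) -> int:
    """Rolling pass: the same rule applied again as accounts reach a year of inactivity."""
    stale = [a for a in accounts if must_reset(a.password_hash, a.last_active, now)]
    for a in stale:
        a.password_hash = None
    return len(stale)
```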

Phase 6

A new weblogin system will be added to the account management site that makes use of OpenID Connect. Ory Hydra will be used to help implement this, with a login and consent app being added to the account management site. Ory provides a PHP SDK and SDK documentation.

Social (social.bzflag.org)

This site will provide a basic forum and private messaging system. The private messaging system may lack formatting so that it could be easily used in-game. The text formatting library that phpBB uses is s9e/TextFormatter, and this could be used to replicate the BBCode formatting of phpBB.

  • Phase 4: Create a basic forum and private messaging system that can integrate with the game, noting that posts/messages made here will be deleted at a later time.
  • Phase 5: Purge posts/messages and convert phpBB data.

Legacy Server List (my.bzflag.org)

The old server list will be kept around for a while to support older versions of the game.

  • Phase 2: Update the legacy server list to support the new group/key tables and use the phpBB External Integration extension API
  • Phase 5: Use the new account information tables

New Server List

A new server list will be created to support BZFlag 2.6. It will use well-formed JSON and support IPv6.

  • Phase 3: Create the new server list for 2.6
  • Phase 5: Use the new account information tables