Version 0.1 by celeron55, 2015-10-10, RFC
An API that relieves browser-integrated password managers from having to understand complex JavaScript-based forms.
Each website that supports the Unified Website Login API provides this global object.
Websites are identified by methods already in use by password managers - i.e. protocols, domains and path names.
username
: Username, email or whatever the website uses to distinguish users. A corresponding field is commonly found in password managers.
password
: Password, passphrase or some kind of a secret string the website requires for letting a user distinguished by username to log in. A corresponding field is commonly found in password managers.
callback
: Callback for returning the result of the operation. It is called as function(err).
When logging in is possible, this must be provided by the website. A human-usable login form should be available at the same time.
Must be left undefined when logging in onto a website is not possible.
When called, the website should authenticate the user by e.g. a secure AJAX call.
When the login fails, callback(err) is called, with err set to an object. err.toString() should return something that makes sense in English. (TBD: Localizable error codes)
When the login succeeds, the site can opt to do one or both of two things:
- Redirect to another page. This forces the user software to re-check the login status of the website and if the login succeeded, it will behave appropriately.
- Call callback(null). This indicates the user is now successfully logged in.
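One way a website could provide the login function described above (an added example, not code from the original proposal): it calls the callback exactly once, returns err objects whose toString() reads as English, and gives the same message for every rejected credential. The property name login is an assumption modelled on the UWLAPI.changePassword signature mentioned in the proposal; LoginError, makeLogin, fetchTransport, the code field and the /session endpoint are hypothetical.

```javascript
// Added example; LoginError, makeLogin, fetchTransport and /session are assumed names.
class LoginError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // assumed field: the text leaves error codes TBD
  }
  toString() { return this.message; } // plain English, as the text asks
}

// authenticate(username, password, done) is the site's own transport;
// it reports done(transportError) or done(null, accepted).
function makeLogin(authenticate) {
  return function login(username, password, callback) {
    let called = false;
    const finish = (err) => { // the caller's callback fires exactly once
      if (called) return;
      called = true;
      callback(err);
    };
    if (typeof username !== 'string' || typeof password !== 'string' ||
        username === '' || password === '') {
      return finish(new LoginError('invalid_input', 'Username and password are required.'));
    }
    try {
      authenticate(username, password, (transportError, accepted) => {
        if (transportError) {
          finish(new LoginError('unavailable', 'Login is temporarily unavailable.'));
        } else if (accepted) {
          finish(null);
        } else {
          // Same message for unknown user and wrong password (no enumeration).
          finish(new LoginError('login_failed', 'Incorrect username or password.'));
        }
      });
    } catch (e) {
      finish(new LoginError('unavailable', 'Login is temporarily unavailable.'));
    }
  };
}

// Browser transport: same-origin POST to a hypothetical /session endpoint.
function fetchTransport(username, password, done) {
  fetch('/session', {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  }).then((res) => done(null, res.ok), (e) => done(e));
}
// Define the global only where logging in is possible.
if (typeof window !== 'undefined') window.UWLAPI = { login: makeLogin(fetchTransport) };
```

The transport is injected so the callback contract can be exercised without a network; a site would serve this over HTTPS only.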
Optional.
If a user is currently logged in, this is the username of the user.
If nobody is currently logged in, this is null.
If the website does not implement the current functionality or does not want to show who is logged in at the moment, this is undefined.
Optional.
May be provided by a password manager.
If available, can be called by a website when registering a new user or changing a password.
Asks the current password manager to store a username-password combination.
The password manager should ask for permission from the user to avoid unwanted saving of the username and password.
Maybe the website could optionally allow changing passwords with something like UWLAPI.changePassword(username, oldPassword, newPassword, callback).