
Authentication System Enhancements Megathread #17

@GrifTheDev


Notice

After a lot of work on the authentication system refactor (as described in #14), I have decided to open one issue that will host a list of non-critical authentication system parts. It is important to note that "not critical" simply marks that their completion is not required for the system to function in a "Most Viable Product" state. However, lots of these parts are vital to the system's public functioning and must be implemented before launch.

List

  • Implement CSRF tokens on /login & /register respectively
    • The current idea is to have the +page.server.ts generate a random CSRF token (salted with secret and timestamp) on page load. This CSRF token will be stored until the user submits a login or register request. The API will check if the user's provided CSRF token is the one the server provided. If so, the authentication request can continue.
  • Implement hidden field for bot detection. Implement a hidden field that, when pressed, will block the bot from using the site.
  • Email verification
    • Upon sign up, the API will generate a link using the [] format in SvelteKit. Once this link receives a GET request, the API will mark an email verification field in the DB as true. This field should be checked on request for new token pairs. If it is set to false, request email re-verification.
  • Simple region detection
    • If someone suddenly logs in from across the globe, trigger email verification.
  • Verification codes on sign in (?)
  • Move /login and /register route protection to hooks.server.ts.
  • Rate-limit tokens by tracking their usage and generation.
  • Change password/email options and token regen.
  • Redesign login/register page
  • Logout flow
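The CSRF item above describes a token that is generated on page load (random, salted with a secret and a timestamp), stored until the form is submitted, and compared by the API on submit. The following is an added example of that lifecycle; it is not code from this project. The class name `CsrfTokens`, the methods `issue`/`verify`, the `TOKEN_TTL_MS` limit and the in-memory `Set` standing in for per-session storage are all assumptions made for the example. In a real SvelteKit app the value returned by `issue()` would be placed in a hidden form field by `+page.server.ts` and `verify()` would run in the form action or API route.

```typescript
// Added example (not the project's code): issue/verify cycle for a CSRF token
// on a login or register form. Assumes Node's crypto module, a server-side
// secret, and an in-memory store standing in for per-session persistence.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Tokens older than this are rejected even if their MAC is valid (assumed value).
const TOKEN_TTL_MS = 15 * 60 * 1000;

class CsrfTokens {
  private readonly secret: string;
  // Tokens handed out and not yet consumed; in a real app this is per-session.
  private readonly issued = new Set<string>();

  constructor(secret: string) {
    this.secret = secret;
  }

  // Page load: random nonce + timestamp, authenticated with the secret.
  issue(now: number = Date.now()): string {
    const nonce = randomBytes(16).toString("hex");
    const ts = String(now);
    const token = `${nonce}.${ts}.${this.mac(nonce, ts)}`;
    this.issued.add(token);
    return token;
  }

  // Form submit: true only for a token this server issued, that is unexpired,
  // and that has not been used before. A replayed token is rejected.
  verify(token: string | null | undefined, now: number = Date.now()): boolean {
    if (!token) return false;
    const parts = token.split(".");
    if (parts.length !== 3) return false;
    const [nonce, ts, mac] = parts;

    // Constant-time comparison of the supplied MAC against a fresh one.
    const supplied = new TextEncoder().encode(mac);
    const expected = new TextEncoder().encode(this.mac(nonce, ts));
    if (supplied.length !== expected.length || !timingSafeEqual(supplied, expected)) {
      return false;
    }

    // Timestamp is inside the MAC, so it cannot be altered without detection.
    const issuedAt = Number(ts);
    if (!Number.isFinite(issuedAt) || issuedAt > now || now - issuedAt > TOKEN_TTL_MS) {
      return false;
    }

    // Single use: consume the stored token so a second submit with it fails.
    if (!this.issued.has(token)) return false;
    this.issued.delete(token);
    return true;
  }

  private mac(nonce: string, ts: string): string {
    return createHmac("sha256", this.secret).update(`${nonce}|${ts}`).digest("hex");
  }
}
```

The MAC covers both the nonce and the timestamp, so a client cannot extend a token's lifetime by editing the timestamp, and the single-use store means a token that leaks after submission cannot be replayed. The secret must be the server's and never reach the browser.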
