Boards: User Sign-on

Okay, this week we’re going to work on getting the ability to log into the board game server, as well as letting people register for new accounts.  For now, we’ll have two levels of user — admin and player.  The other thing I want to do is to let people use external services as their identity provider.  That means I’m not storing anyone’s password, and therefore can’t leak them.   That works for me, plus, it gives me a chance to play around with OAuth, OpenID an FacebookConnect.

Now, last week, the people at Failbetter Games posted this article on how they are no longer authenticating only to Twitter and Facebook, but also allowing a user’s email address to be their login id (which means they’re now going to store a password as well.    Their game is a social one of sorts, and therefore, in their mind at least, they have the “stigma” of social games.  Particularly where they post things to your various streams without your consent, or at least annoy your friends.  By offering another option, they distance themselves from that stigma, even if they still could do those things if they had your Twitter or Facebook authority.  It’s more about perception than reality — I’ve played their game and it only tweets on my behalf when I specifically ask it to.  Sometimes I get DMs from them, but I can stop that by unfollowing them, so they are already somewhat ethical.

It still made me think about my plans here.  I’m not offering this same option, at least not right now, so that’s a consideration. I have no interest in tweeting or posting on facebook for people, although I have to admit, I don’t know how the invite system is going to work in the long run. Having access to a list of people in someone’s social web might make that easier, if they’ve also selected to play the game.  Still, it’s not really a requirement, nor do I want it to be.  I’m also allowing OpenID as a way to log in, and that’s pretty flexible and not really tied to a social network.  (Anyone with a WordPress blog can offer OpenID for themselves, or all their users, for instance.)

So, I think this is good, but might be something to revisit in the future.  For now, we’re going to start by doing OAuth with Twitter, and getting my account logged in.  Then we’ll go through the plan for registering accounts and get that working.   Then, as the last part of it, we’ll do logins via Google, OpenID, and possibly FacebookConnect.  I’m leaving that one to last as it may be prohibitive in some way (I’ve not researched it at all, yet).

The plan for now, is two tables:  a user table that will join to everything else for the purposes of doing things in the system, and a logins table that will link the secret and identifying info we get back from our web-based authenticator. This will mean we’ll probably need a user profile editor that will let them associate other connectors with their account (and log in with any of them).  This would just get us even more options for lists of friends to offer games to, etc.  And more flexibility for our users.

There’s a decent cakePHP Oauth component to be found here. It has a basic guide for Twitter, although it’ll need changes.  The main change I made to their sample code was to go to instead of .  It doesn’t give me any right to tweet on my users’ behalf — but for now this is good.

I captured the information it got back when I personally logged in, and I filled the code into my users controller to log me in.   This needs to be moved into a special authentication component plugin for AuthComponent, but I want to wait until I’ve got another couple methods implemented, and know what can be refactored out.  It’s also time to start checking security on the pages, and make sure people are logged in before they can do anything.

That’s the next step.  Once that’s done, we’ve got a couple of options: Google Login (which I need for my Hangout) and user registration (ditto!).  I’ll talk in more detail about how those work (and cover how I’m doing OAuth with those pieces), the tutorial for twitter with the cakePHP component is pretty good and I don’t need to walk back through those steps.

More on Wednesday