It occurred to me today that if I’m going to build a game that I expect other people to play, that they’re going to have to log in to… I’m going to need an SSL certificate.
That’s down the road, of course, but it would be foolish to have any data transferring between individuals and my site without using the HTTPS protocol.
That’s not the only complexity. I was thinking about how to best go about a registration/login process and it dawned on me — I need to figure out password hashing, salting and that kind of stuff. I already know stuff like “md5 is bad” and we used bcrypt in my PHP II class, in conjunction with the password_hash function which (when using PHP 7, which I am) adds a salt. But is that going to be enough? My reading suggests yes, but it’s still not fully solidified in my head, so more reading is required.
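The core of what password_hash() gives you in PHP 7, as an added example (this is illustrative code, not from the post or its game project; the function names and the sample password are assumptions):

```php
<?php
// Added example: registration-time hashing and login-time verification with
// PHP's built-in password_* API. Function names are illustrative assumptions.

function hashPassword(string $plaintext): string
{
    // PASSWORD_DEFAULT is bcrypt on PHP 7. password_hash() draws a random
    // 16-byte salt from the CSPRNG itself and embeds it in the returned string
    // (algorithm, cost, salt and digest in one 60-char value), so the user
    // table needs no separate salt column. Store it in a VARCHAR(255): the
    // default algorithm may change in a later PHP release and grow the string.
    // Caveat: bcrypt only looks at the first 72 bytes of the password.
    return password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => 12]);
}

function verifyLogin(string $plaintext, string $storedHash): bool
{
    // password_verify() parses the cost and salt back out of the stored hash,
    // recomputes, and compares in constant time. Never compare hashes with ==.
    return password_verify($plaintext, $storedHash);
}

function rehashIfNeeded(string $plaintext, string $storedHash): ?string
{
    // Call this after a successful login: if the stored hash was made with a
    // lower cost or an older algorithm than you now want, return a fresh hash
    // to write back to the user row. Returns null when nothing needs doing.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
        return hashPassword($plaintext);
    }
    return null;
}

// Constructed demo values, the kind of thing a seed script could insert into
// the user table when the Docker containers come up.
$hash = hashPassword('correct horse battery staple');
var_dump(strpos($hash, '$2y$12$') === 0);                       // true: bcrypt, cost 12
var_dump(verifyLogin('correct horse battery staple', $hash));  // true
var_dump(verifyLogin('wrong password', $hash));                // false

// Two hashes of the same password differ, because each call gets its own salt.
var_dump(hashPassword('same') !== hashPassword('same'));       // true

// A hash made at cost 10 is flagged for upgrade under the cost-12 policy.
$old = password_hash('legacy', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(rehashIfNeeded('legacy', $old) !== null);             // true
```

The answer to "is that enough?" for storage is essentially yes: the salt is random and per-user, the work factor is tunable through cost, and password_needs_rehash() lets you raise that cost later without forcing everyone to reset. What the API does not do for you is rate-limit login attempts or enforce a minimum password length; those sit in the surrounding login code.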
Additionally, password resets! My reading recommends a one-time, short-expiry token to allow people to log in from the email sent out to them. While I think I know how to pull that off, thanks to PHP II, I suspect this is going to be a pain. Still, I want to make certain that people’s accounts aren’t easily compromised, so I’m inclined to spend more time than less when it comes to this kind of thing. And I’ll need more time because all of this is also still fuzzy in my head.
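The one-time, short-expiry reset token described above, as an added example (illustrative code, not from the post; the in-memory $resetStore array stands in for a database table, and the function names, the 15-minute lifetime and the simulated clock are assumptions):

```php
<?php
// Added example: issuing and consuming a single-use password-reset token.
// $store is an assumed stand-in for a table keyed by user id; in production
// the same two columns (token_hash, expires_at) live in the database.

const RESET_TTL_SECONDS = 900; // 15 minutes, an assumed policy value

function issueResetToken(array &$store, int $userId, int $now): string
{
    // 32 bytes from the CSPRNG, hex-encoded so it is safe to put in a URL.
    $token = bin2hex(random_bytes(32));
    // Persist only a hash of the token: if the database leaks, the attacker
    // still cannot build a working reset link. A plain SHA-256 is adequate
    // here because the token is high-entropy, unlike a user-chosen password.
    // Issuing a new token overwrites any older outstanding one.
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => $now + RESET_TTL_SECONDS,
    ];
    return $token; // the only copy of the raw token goes into the email link
}

function consumeResetToken(array &$store, int $userId, string $presented, int $now): bool
{
    if (!isset($store[$userId])) {
        return false; // no outstanding reset for this user
    }
    $record = $store[$userId];
    if ($now > $record['expires_at']) {
        unset($store[$userId]); // expired: drop it so it can never be used
        return false;
    }
    // hash_equals() compares in constant time; hash the presented value the
    // same way it was stored so the lengths always line up.
    if (!hash_equals($record['token_hash'], hash('sha256', $presented))) {
        return false; // wrong token; rate-limit this endpoint in real code
    }
    unset($store[$userId]); // single use: a matched token is gone for good
    return true;
}

// Constructed walk-through with a simulated clock.
$resetStore = [];
$t0 = 1700000000;

$token = issueResetToken($resetStore, 42, $t0);
var_dump(strlen($token) === 64);                                  // true
var_dump(consumeResetToken($resetStore, 42, 'not-the-token', $t0 + 60)); // false
var_dump(consumeResetToken($resetStore, 42, $token, $t0 + 60));   // true
var_dump(consumeResetToken($resetStore, 42, $token, $t0 + 61));   // false: already used

$late = issueResetToken($resetStore, 42, $t0);
var_dump(consumeResetToken($resetStore, 42, $late, $t0 + 901));   // false: expired
var_dump(isset($resetStore[42]));                                 // false: purged
```

Two surrounding details matter as much as the token itself: the "send me a reset link" form should respond identically whether or not the email address exists, so it cannot be used to enumerate accounts, and a successful reset should also invalidate the user's other active sessions, since the reason for the reset may be that someone else has the old password.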
Still, in order to make any kind of forward progress in terms of gameplay, I need to make sure I have a login functioning properly, even if I don’t do a registration yet and just populate the user table with a couple of user accounts when I spin up my Docker containers. That means I definitely need to get the password hashing stuff figured out and understood properly before I implement something. Then, maybe I can move forward in the rest of things.
I knew this was going to be a hell of a big project to undertake. I may have underestimated it a little bit. Still, all of this learning is pretty great. More of it to come, clearly.